SERVER : IPKungfu (Firewall configuration utility)

The default Linux firewall on Ubuntu is configured through iptables. I've never managed to understand its exact syntax, so I've ended up using a third-party script that configures iptables from some very simple rules.
To install IPKungfu, run:
sudo aptitude install ipkungfu
If it complains about missing libraries, try:
sudo apt-get -f install

Once IPKungfu has finished installing, you configure it by editing the files in /etc/ipkungfu.
Here are the files I've changed, with comments explaining what each change is for.
The ipkungfu.conf file:
# Please read the README and FAQ for more information

# Some distros (most notably Redhat) don't have
# everything we need in $PATH so we specify it here.
# Make sure modprobe, iptables, and route are here,
# as well as ordinary items such as echo and grep.
# Default is as shown in the example below.
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin

# Your external interface
# This is the one that connects to the internet.
# Ipkungfu will detect this if you don't specify.
EXT_NET="ppp0"

# Your internal interfaces, if any.  If you have more
# than 1 internal interface, separate them with
# spaces.  If you only have one interface, put "lo"
# here. Default is auto-detected.
INT_NET="eth0"

# IP Range of your internal network.  Use "127.0.0.1"
# for a standalone machine.  Default is a reasonable
# guess.
LOCAL_NET="192.168.1.0/255.255.255.0"

# Set this to 0 for a standalone machine, or 1 for
# a gateway device to share an Internet connection.
# Default is 1.
GATEWAY=1

# TCP ports you want to allow for incoming traffic
# Don't add ports here that you intend to forward.
# This should be a list of tcp ports that have
# servers listening on them on THIS machine,
# separated by spaces. Default is none.

# 80 is for HTTP (Apache server)
# 21 is for FTP
# 22 is for SSH
# 10000 is for WebMin
ALLOWED_TCP_IN="80 21 22 10000"
#... rest of file is unchanged (and commented by default)
Of course, if you configured Webmin, FTP, HTTP or SSH to listen on a different port, add that port instead.

If you're paranoid, you can allow certain services only from certain computers. For example, if you want Webmin to be reachable only from the computer whose IP is 123.456.789.1, first remove Webmin's port from ALLOWED_TCP_IN, then edit /etc/ipkungfu/accept_hosts.conf and add something like this:
# Please see the README and FAQ for more information
#
# IP addresses of hosts or nets to always ACCEPT
# and optionally, ports they are allowed to access
# Format: host[:port:protocol]

# accept WebMin connection only from 123.456.789.1
123.456.789.1:10000:


If you need to accept an entire range of IPs, add a line like this:
123.456.789.0/255.255.255.0:22:tcp
This accepts connections from any IP that starts with 123.456.789, but only on port 22 and only over TCP.
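As an added example (not part of ipkungfu and not from the original post), here is a small POSIX sh validator for accept_hosts.conf entries in the host[:port:protocol] format above, so malformed lines are caught before ipkungfu is run. It assumes IPv4 hosts written as an address, address/prefix or address/dotted-mask, ports as a single number or lo-hi range, and tcp/udp as the protocol; the placeholder addresses on this page would fail it, since octets above 255 are not valid IPv4.

```shell
#!/bin/sh
# Added example, not part of ipkungfu: sanity-check accept_hosts.conf
# entries in the host[:port:protocol] format before running ipkungfu.
# Assumes IPv4 hosts (a.b.c.d, a.b.c.d/prefix or a.b.c.d/dotted-mask),
# ports as a single number or lo-hi range, and tcp/udp as protocol.

# is_ipv4 ADDR: succeed if ADDR is four dotted octets, each 0..255
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# is_host HOST: address, address/prefix (0..32) or address/dotted-mask
is_host() {
    case "$1" in
        */*)
            addr=${1%%/*}; mask=${1#*/}
            is_ipv4 "$addr" || return 1
            if echo "$mask" | grep -Eq '^[0-9]{1,2}$'; then
                [ "$mask" -le 32 ]
            else
                is_ipv4 "$mask"          # rejects masks such as 255.255.255
            fi ;;
        *) is_ipv4 "$1" ;;
    esac
}

# is_port PORT: empty, a single port 1..65535, or a lo-hi range
is_port() {
    [ -z "$1" ] && return 0
    echo "$1" | grep -Eq '^[0-9]{1,5}(-[0-9]{1,5})?$' || return 1
    lo=${1%%-*}; hi=${1#*-}
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# validate_accept_host LINE: succeed if LINE is blank, a comment, or a
# well-formed host[:port:protocol] entry
validate_accept_host() {
    line=$(echo "${1%%#*}" | tr -d ' \t')   # drop comments and whitespace
    [ -z "$line" ] && return 0
    host=${line%%:*}; rest=${line#"$host"}; rest=${rest#:}
    port=${rest%%:*}; proto=${rest#"$port"}; proto=${proto#:}
    is_host "$host" || return 1
    is_port "$port" || return 1
    case "$proto" in ''|tcp|udp) return 0 ;; *) return 1 ;; esac
}
```

Run it over the file with something like `while read -r l; do validate_accept_host "$l" || echo "bad: $l"; done < /etc/ipkungfu/accept_hosts.conf` before starting ipkungfu.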

Since I use DC++, I also had to enable some port forwarding for it, so here's my vhosts.conf file:
# forward UDP and TCP connections on ports 4100-4150 to 192.168.1.10
# (used by DC++)
0/0:192.168.1.10:4100-4150:4100-4150:# DC++

In DC++, select the firewall connection mode (not passive) and enter any port from the 4100 to 4150 range; it should work without a hitch (at least it does for me :p).

Now start IPKungfu by running:
ipkungfu

If IPKungfu complains about the shell, edit /usr/sbin/ipkungfu and change its first line to:
#!/bin/bash
Then run IPKungfu again; hopefully it won't give any errors.

Just like with No-IP, ipkungfu won't run automatically after the server restarts, so we need to add it to /etc/rc.local, which is executed each time the machine boots. Run:
sudo editor /etc/rc.local
and edit the file to look like this:
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

# start No-IP so that our server is reachable as myname.no_ip_domain
noip2

# Start IPKungfu (the firewall configuration utility)
ipkungfu

# don't remove the next line, or the server will give some errors
exit 0

Whenever you edit any of IPKungfu's files, you'll have to run ipkungfu again: it doesn't run in the background, it only creates the iptables chains when it's executed and then exits.
December 2009