July 2003


[These instructions work with Red Hat 9 using the RPM versions listed below
I’ve also used psad-1.1.1, works fine. Later versions of psad don’t permanently block offending IPs, so I’ve not upgraded.]

HOWTO: Install/Config bridge with netfilter (iptables)

Q: Why am I using a bridge?
A: I have a LAN with 'real', named IPs. I don't want to assign the machines inside the firewall private IPs. I don't have any control over routing; all routing is done externally. I don't want to change ANYTHING on the internal LAN.

So…I Google’d and stumbled across the Linux Bridge Project…it is perfect.

My LAN setup is:

EXTERNAL
    |
Bridge/Firewall
    |
GigaSwitch
    |
Client A...Client B...Client C...etc.

Here is how to get bridge-ing to work:

Note: try the prebuilt kernel first, if it works, great, otherwise you’ll have to compile/patch your own.

#####RPM PREBUILT KERNEL#####
Download the prebuilt kernel. Obtain the one with netfilter, this will implement iptables.
kernel-2.4.18-10brnf0.0.7.i686.rpm
Also, get the bridge-utils-0.9.6-1.i386.rpm

rpm -ivh --oldpackage kernel-2.4.18-10brnf0.0.7.i686.rpm
rpm -ivh bridge-utils-0.9.6-1.i386.rpm

reboot, select new kernel

#####

#####COMPILE KERNEL WITH BRIDGE PATCH#####
Get the kernel bridge patch: bridge-nf-0.0.7-against-2.4.19.diff
Get the kernel source rpm (hey, why not?); I got the newest one from RedHat:
kernel-source-2.4.20-18.9
Also, get the bridge-utils-0.9.6-1.i386.rpm

rpm -ivh bridge-utils-0.9.6-1.i386.rpm

To compile/patch the kernel:
rpm -ivh kernel-source-2.4.20-18.9
This will place the source in: /usr/src/linux-2.4.20-18.9

cp bridge-nf-0.0.7-against-2.4.19.diff /usr/src/linux-2.4.20-18.9
cd /usr/src/linux-2.4.20-18.9
patch -p1 -b < bridge-nf-0.0.7-against-2.4.19.diff
make clean
make mrproper
make menuconfig   (I don't run X11 on the firewall, so no make xconfig!)

Go through the kernel components, and select what you need.

make dep
make bzImage
make modules

cp /usr/src/linux-2.4.20-18.9/arch/i386/boot/bzImage /boot/vmlinuz-2.4.20-18.9-mybridge

cd /usr/src/linux-2.4.20-18.9
make modules_install

cp /usr/src/linux-2.4.20-18.9/System.map /boot/System.map-2.4.20-18.9-mybridge

/sbin/new-kernel-pkg --install --mkinitrd --depmod 2.4.20-18.9-mybridge
Check /etc/grub.conf to see if the bridge kernel is the default boot.

reboot

#####

Turn off networking:
/etc/init.d/network stop

Flush iptables rules:
iptables -F
iptables -X

'chkconfig off' almost everything (we really don't want RH to make iptables rules on startup)

ifconfig eth0 0.0.0.0 promisc up
ifconfig eth1 0.0.0.0 promisc up

brctl addbr mybridge

brctl addif mybridge eth0
brctl addif mybridge eth1

ifconfig mybridge up

Keep all the settings on client machines the same (isp gateway/dns/ip/etc).
Simply connect the clients to the switch, and you should get external connection.
From outside of the firewall, you should be able to get to the clients.

If you want to give the bridge an IP in order to ssh (for administration):
ifconfig mybridge x.x.x.x netmask x.x.x.x

You may need to add the default route:
ip route add default via x.x.x.x

Now, after the bridge is set up, get an iptables rules script.

Edit the script, change it to fit your particular network, and then run it (depending on format):
chmod 755 fw_script ; ./fw_script
or
iptables-restore < fw_script

After setup/administration of the bridge is complete, disable remote access to the bridge:
ifconfig mybridge 0.0.0.0
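The bring-up steps above, collected into one script together with the kind of default-deny FORWARD ruleset the "iptables rules script" step asks for. This is an added example, not a script from the original HOWTO or from the Linux Bridge Project; the interface names, the client addresses (192.0.2.x) and the allowed ports are placeholders, and the physdev match comes from the bridge-nf patch installed above. Run with RUN=echo first to see the commands without executing them.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): the bridge bring-up from above
# as a script, plus a default-deny FORWARD ruleset in iptables-restore format.
# Interface names, addresses and ports are placeholders for this example.
# Set RUN=echo to print the commands instead of executing them.
RUN="${RUN:-}"
BR="${BR:-mybridge}"
EXT_IF="${EXT_IF:-eth0}"                        # port facing the upstream router
INT_IF="${INT_IF:-eth1}"                        # port facing the GigaSwitch/clients
LOCAL_IPS="${LOCAL_IPS:-192.0.2.10 192.0.2.11}" # constructed client addresses
ALLOWED_TCP="${ALLOWED_TCP:-22 25 80 443}"      # services reachable from outside

# Same sequence as the manual steps: both ports up with no IP, in promiscuous
# mode, enslaved to the bridge, then the bridge itself up.
bridge_up() {
    $RUN ifconfig "$EXT_IF" 0.0.0.0 promisc up
    $RUN ifconfig "$INT_IF" 0.0.0.0 promisc up
    $RUN brctl addbr "$BR"
    $RUN brctl addif "$BR" "$EXT_IF"
    $RUN brctl addif "$BR" "$INT_IF"
    $RUN ifconfig "$BR" up
}

# Print the ruleset. Bridged frames traverse the FORWARD chain, so that is
# where the policy lives; the physdev match (from the bridge-nf patch) tells
# the two bridge ports apart. Review the output, then feed it to iptables-restore.
forward_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # The bridge box itself accepts nothing new; add an INPUT rule for ssh
    # only while it carries an admin IP.
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Replies to existing connections pass in both directions.
    echo '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Clients on the inside port may initiate anything outbound.
    echo "-A FORWARD -m physdev --physdev-in $INT_IF -j ACCEPT"
    # From outside, only the listed TCP services on the listed client IPs.
    for ip in $LOCAL_IPS; do
        for port in $ALLOWED_TCP; do
            echo "-A FORWARD -m physdev --physdev-in $EXT_IF -d $ip -p tcp --dport $port -m state --state NEW -j ACCEPT"
        done
    done
    # Everything else from outside is logged with a DROP prefix (the string
    # psad's FW_MSG_SEARCH looks for) and discarded.
    echo "-A FORWARD -m physdev --physdev-in $EXT_IF -j LOG --log-prefix \"DROP \""
    echo '-A FORWARD -j DROP'
    echo 'COMMIT'
}

# Usage: BRIDGE_APPLY=yes sh bridge.sh      (RUN=echo BRIDGE_APPLY=yes to preview)
if [ "${BRIDGE_APPLY:-no}" = "yes" ]; then
    bridge_up
    forward_rules | $RUN iptables-restore
fi
```

Because the bridge has no IP of its own once administration is done, the INPUT policy can stay at DROP; all of the interesting policy is in FORWARD, and the LOG rule is what feeds psad in the next section.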

To get Port Scan Attack Detector (psad) to work with the bridge, install it as described in the previous post.
Then change the following (iptables LOG lines look different on a bridge, so psad/kmsgsd must be modified to look for the 'right' things in the log file):

#####/usr/sbin/kmsgsd#####

#First:
my $LOCAL_IPS = $Config_href->{'LOCAL_IPS'};

#Second:

### main loop
for (;;) {
    open FIFO, "< $PSAD_FIFO" or die "Can't open file : $!\n";
    my $service = <FIFO>;   ### don't chomp for better performance
    if (defined $service
        # Get rid of this condition so MAC is not searched for:
        #   && ($service =~ /Packetslog/ || $service =~ /IN.+?OUT.+?MAC/)
        && ($service =~ /Packetslog/ || $service =~ /IN.+?OUT/)
        && $service =~ /$FW_MSG_SEARCH/
        # We need this for looking for scans on local IPs (see below):
        && $service =~ /$LOCAL_IPS/) {

        ### log to the fwdata file

#####/usr/sbin/psad#####

##First:
sub check_fw() {
    my $line = shift;

    ### Pound out all this crap, force iptables without checking MAC condition
    ### ipchains log messages do not have a MAC address field
    #if ($line !~ /MAC=/) {
    #    $USE_IPCHAINS = 1;
    #} else {
        $USE_IPTABLES = 1;
    #}
}

#####

##Second:

# Change the autoblock rule to FORWARD instead of $inchain (INPUT):
system "$Cmds{'iptables'} -I FORWARD 1 -s $src " .

#####/etc/psad/psad.conf#####

# List inside IPs here, so we only look for port scans on these.
# Don't forget the ; at the end!
LOCAL_IPS 1.2.3.4|4.3.2.1;
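The filter the modified kmsgsd now applies (IN/OUT present, MAC not required, a firewall verdict string, and one of the LOCAL_IPS from psad.conf) reproduced with grep over a few constructed log lines, so the effect of the change can be checked before editing /usr/sbin/kmsgsd. This is an added example, not psad code; the addresses and the log lines are made up for it, and FW_MSG_SEARCH uses the same value as the psad.conf edit later on this page.

```shell
#!/bin/sh
# Added example (not part of psad or the original HOWTO): the line filter
# of the modified kmsgsd, reproduced with grep so the effect of dropping
# the MAC test and adding LOCAL_IPS can be checked against sample log lines.
# All addresses here are constructed.
FW_MSG_SEARCH='DROP|REJECT|DENY|drop'   # same value as the psad.conf edit below
LOCAL_IPS='192.0.2.10|192.0.2.11'       # constructed; the psad.conf LOCAL_IPS form

# Succeeds when a line would be written to fwdata: it has IN=... OUT=...
# (no MAC= required, since the bridge kernel's LOG lines carry none here),
# contains a firewall verdict, and mentions one of the local IPs.
kmsgsd_accepts() {
    printf '%s\n' "$1" \
        | grep -E 'IN=.+OUT=' \
        | grep -E "$FW_MSG_SEARCH" \
        | grep -E -q "$LOCAL_IPS"
}

# Read log lines on stdin and pass through only those kmsgsd would keep.
filter_log() {
    while IFS= read -r line; do
        if kmsgsd_accepts "$line"; then
            printf '%s\n' "$line"
        fi
    done
}

# Constructed sample: a probe against a local client (kept), the same probe
# against a non-local address (not kept), an ACCEPT line (not kept), and an
# sshd line that mentions a local IP but is not a firewall message (not kept).
SAMPLE_LOG='Jul  1 10:00:01 fw kernel: DROP IN=mybridge OUT=mybridge SRC=198.51.100.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=4444 DPT=23
Jul  1 10:00:02 fw kernel: DROP IN=mybridge OUT=mybridge SRC=198.51.100.7 DST=203.0.113.5 LEN=40 PROTO=TCP SPT=4444 DPT=23
Jul  1 10:00:03 fw kernel: ACCEPT IN=mybridge OUT=mybridge SRC=198.51.100.9 DST=192.0.2.11 LEN=40 PROTO=TCP SPT=5555 DPT=80
Jul  1 10:00:04 fw sshd[123]: Accepted password for admin from 192.0.2.10'

# Number of sample lines that reach psad (expected: 1).
count_kept() {
    printf '%s\n' "$SAMPLE_LOG" | filter_log | wc -l | tr -d ' '
}

# Usage: sh kmsgsd_filter.sh   -> prints only the line(s) psad would see
printf '%s\n' "$SAMPLE_LOG" | filter_log
```

Only the first sample line survives: the second is a drop against an address not in LOCAL_IPS, the third has no verdict string, and the fourth is not a netfilter line at all, which is exactly the noise the LOCAL_IPS condition keeps out of psad's scan detection.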

Note: newer versions of psad have integrated some of the above changes, so they may not be needed.

[DONE]

[These instructions work with RH 8 & 9]

This is a HOWTO for setting up sendmail and imap on RH 8. I am using the RPMs since I don't need to do anything 'special' that needs the source.

RPMs:
aumber:~>rpm -qa | grep sendmail
sendmail-8.12.5-7
sendmail-cf-8.12.5-7
imap-2001a-15
spamassassin-2.31-16

In the file /etc/mail/sendmail.mc
find this line and comment it using sendmail comment (dnl):
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')

Run sendmail m4 to save the changes into the sendmail config file:
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

In the file /etc/mail/relay-domains
add all the domains/hosts/IP’s that you want to allow IMAP from
(this is for smtp relaying).

In /etc/hosts.allow add the following to allow anyone from anywhere to send us mail, and IMAP to the machine (you could just change imapd line to particular hosts, but I’m not that paranoid):
sendmail: ALL
imapd: ALL

Turn on imap from xinetd:
/etc/xinetd.d/imap
disable=no

Start up sendmail and spamassassin:
/etc/init.d/sendmail start
/etc/init.d/spamassassin start

For spamassassin, you need to put the following in the user’s .procmailrc file so incoming mail for the user gets ‘scanned’:
:0fw
| /usr/bin/spamc -s 256000

:0:
* ^X-Spam-Status: Yes
spam

To allow mail from certain domains NOT to be marked as spam, edit the user_prefs file in the user home dir:

~/.spamassassin/user_prefs:
whitelist_from *@alloweddomain.com

[DONE]

[These instructions work with Red Hat Linux release 7.3 & 8.0,
using the RPM for vsftpd-1.1.0-1]

vsftpd is a ‘secure, fast’ FTP daemon/server

I am using the rpm since no special compiling is needed.
rpm : vsftpd-1.1.0-1

This is vsftpd's xinetd listing (cat /etc/xinetd.d/vsftpd):
service ftp
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/vsftpd
        nice            = 10
        per_source      = 5
        instances       = 50
        log_on_success  += PID HOST DURATION
        log_on_failure  += HOST
}

The following is vsftpd’s TCP Wrapper entry (/etc/hosts.allow):
vsftpd:

To setup virtual users, begin by creating a login/passwd file.
Make a plain text file (i.e. logins.txt) containing username and password on separate lines. For example:
foo
bar

Issue the db command to create a hashed file.
db_load -T -t hash -f logins.txt /etc/vsftpd_login.db

Set the correct file permissions on the passwd file:
chmod 600 /etc/vsftpd_login.db

Replace /etc/pam.d/vsftpd with same filename containing:

#%PAM-1.0
auth required /lib/security/pam_userdb.so db=/etc/vsftpd_login
account required /lib/security/pam_userdb.so db=/etc/vsftpd_login

Set up the home directory for the virtual user:
useradd -d /home/ftpsite virtualusername

For my setup, /etc/passwd looks like the following:
virtualusername:x:505:505::/ftpuploads:/sbin/nologin

Edit vsftpd’s config file (/etc/vsftpd.conf):
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=077
chroot_local_user=YES
pam_service_name=vsftpd
user_config_dir=/etc/vsftpd_user_conf
guest_enable=YES
guest_username=virtualusername   (the account created with useradd above, or whatever you set up)

Create the user configuration dir. This is where per-user config files are placed:
mkdir /etc/vsftpd_user_conf

Create a file with the same name as the virtual login that was created above, i.e.
/etc/vsftpd_user_conf/foo (foo is the username from logins.txt):
anon_world_readable_only=NO
write_enable=YES
anon_upload_enable=YES
anon_umask=007

Restart xinetd:
/etc/init.d/xinetd restart

If you have a firewall, enable highport access to the IP’s that you allow to connect via vsftpd.

[DONE]

[These instructions work on RH 8 using scponly-3.5.tar source]

./configure --enable-chrooted-binary --disable-wildcards
(I disable wildcards since I don't 'trust' the code)

make; make install
You might get gcc warnings, but that's ok.

add to /etc/shells:
/usr/local/sbin/scponlyc

make jail

prompts for what dir? /home/
prompts for what user?

passwd

make jail will start doing some copying and will give errors; do the following to complete it:

cd /home//lib
cp /lib/i686/libc.so.6 .
cd /home//usr/lib
cp /usr/kerberos/lib/libcom_err.so.3 .
cp /usr/kerberos/lib/libk5crypto.so.3 .
cp /usr/kerberos/lib/libkrb5.so.3 .

[These instructions work with RH 7.3, 8.0 & 9.0.
I’ve also used psad-1.1.1, works fine. Later versions of psad don’t permanently block offending IPs, so I’ve not upgraded.]

gShield-2.8.tgz
psad-0.9.9.tar.gz

cp gShield-2.8.tgz /etc
tar zxvf gShield-2.8.tgz ; rm -rf gShield-2.8.tgz
mv gShield-2.8 firewall

Edit gShield.conf: read everything in the conf file and change it to match your network. Example:
LOCALIF="eth1"
STATIC="YES"
INTIF="eth0"
TCP_RESPONSE="DROP"
UDP_RESPONSE="DROP"

Load the tables with /etc/firewall/gShield.rc

To start the firewall on boot:
rm -rf /etc/init.d/iptables
ln -s /etc/firewall/gShield.rc /etc/init.d/iptables

cp psad-0.9.9.tar.gz
tar zxvf psad-0.9.9.tar.gz
rm -rf psad-0.9.9.tar.gz

Edit psad.conf:
EMAIL_ADDRESSES (root@localhost);
ENABLE_AUTO_IDS Y;
FW_MSG_SEARCH DROP|REJECT|DENY|drop;
(gShield logs dropped packets as 'default drop', so the 'drop' string needs to be added)

AUTO_IDS_DANGER_LEVEL 1;
(makes autoblock more strict)

./install.pl

/etc/init.d/psad start

The firewall works, and psad autoblocks IPs that portscan.