rc.firewall Linux Firewall
Installation Instructions
  1. Download the latest rc.firewall [wget http://lfw.sf.net/rc.firewall]
  2. Edit the options at the beginning of the file with your favorite text editor. The script comes pre-configured to deny all incoming connections, which is suitable for a typical workstation installation. Refer to the configuration page for an in-depth explanation of the available options.
  3. Make the script executable [chmod +x rc.firewall]
  4. Become root [su]
  5. Optional: Change ownership of the script to root [chown root:root rc.firewall], so that only root can modify a script that will run with root privileges at boot.
  6. Optional: Remove world read, write, and execute permissions [chmod o-rwx rc.firewall]
  7. Run the script [./rc.firewall]
  8. After you verify that the firewall runs without errors, you may want it to be run automatically on boot. To accomplish this, move the script to the appropriate startup script directory for your distribution [/etc/rc.d/ for Slackware, /etc/init.d/ for Gentoo] and add the following lines to your startup scripts at some point after your Ethernet interfaces are configured [for example /etc/rc.d/rc.local for Slackware, and /etc/conf.d/local.start for Gentoo].

    Slackware
    if [ -x /etc/rc.d/rc.firewall ]; then
      /etc/rc.d/rc.firewall
    fi
    
    Gentoo
    if [ -x /etc/init.d/rc.firewall ]; then
      /etc/init.d/rc.firewall
    fi
    
  9. If you are using this firewall on a machine to which you do not have physical access, but which you can reboot remotely (for example a colocated server or a Linux router at a computer-illiterate friend's house), consider putting a short delay between the time the machine boots and the initialization of the firewall. This gives you a chance to log in and disable the firewall [chmod -x] if something goes wrong. A typical case is a script configured to allow connections only from a specific remote IP address, after which your address changes. If you choose to implement this idea, it can be done with the following code in rc.local (stderr is redirected into the pipe as well, so that errors also end up in syslog):
    if [ -x /etc/rc.d/rc.firewall ]; then
      # Start the firewall in the background after 30 seconds; log stdout
      # and stderr via syslog so the result can be checked afterwards.
      (sleep 30 && /etc/rc.d/rc.firewall 2>&1 | logger -t rc.firewall) &
      echo "Firewall init in 30 seconds.  Check syslog for results."
    fi
    
System Requirements
  1. You need the iptables user-space tools installed. Every distribution should have a package that includes these tools.
  2. You need proc filesystem support. Everyone should already have this unless you are doing something strange.
  3. In addition to basic networking options such as TCP/IP support and drivers for your network cards, your kernel must have support for the options listed below. Most distributions already have support for all required options. The script should report a problem if a required component is missing.
Note: In kernels 2.6.16 and later, many of the CONFIG_IP_NF_* options below have been renamed to CONFIG_NETFILTER_XT_*. Their functionality is the same. Additionally, with 2.6.16+ you must have the following enabled:
  • CONFIG_NETFILTER_XTABLES
    Networking options -> Network packet filtering -> Core Netfilter Configuration -> Netfilter Xtables support
Base configuration:
  • CONFIG_NETFILTER
    Networking options -> Network packet filtering
  • CONFIG_IP_NF_CONNTRACK   (Required, even if you aren't doing NAT, since the script performs stateful inspection.)
    Networking options -> IP: Netfilter Configuration -> Connection tracking (required for masq/NAT)
  • CONFIG_IP_NF_IPTABLES
    Networking options -> IP: Netfilter Configuration -> IP tables support (required for filtering/masq/NAT)
  • CONFIG_IP_NF_MATCH_STATE   (The script relies almost entirely on the state matching module of netfilter.)
    Networking options -> IP: Netfilter Configuration -> Connection state match support
  • CONFIG_IP_NF_FILTER
    Networking options -> IP: Netfilter Configuration -> Packet Filtering
  • CONFIG_IP_NF_TARGET_REJECT   ('graceful' reject target)
    Networking options -> IP: Netfilter Configuration -> REJECT target support
Required only if you are doing NAT or port forwarding:
  • CONFIG_IP_NF_NAT
    Networking options -> IP: Netfilter Configuration -> Full NAT
  • CONFIG_IP_NF_FTP   (FTP uses a separate data connection alongside the control connection, so connection tracking needs the helper provided by this option to associate the two.)
    Networking options -> IP: Netfilter Configuration -> FTP protocol support
  • CONFIG_IP_NF_IRC   (Allows IRC clients to initiate DCC chats and file transfers through a Linux firewall.)
    Networking options -> IP: Netfilter Configuration -> IRC protocol support
Required only if you have dynamic (dial-up) interfaces:
  • CONFIG_IP_NF_TARGET_MASQUERADE
    Networking options -> IP: Netfilter Configuration -> MASQUERADE target support
Required only if you enable logging:
  • CONFIG_IP_NF_TARGET_LOG
    Networking options -> IP: Netfilter Configuration -> LOG target support
  • CONFIG_IP_NF_MATCH_LIMIT
    Networking options -> IP: Netfilter Configuration -> limit match support
Required only if you are doing port forwarding:
  • CONFIG_IP_NF_MATCH_MARK
    Networking options -> IP: Netfilter Configuration -> netfilter MARK match support
  • CONFIG_IP_NF_MANGLE
    Networking options -> IP: Netfilter Configuration -> Packet mangling
  • CONFIG_IP_NF_TARGET_MARK
    Networking options -> IP: Netfilter Configuration -> MARK target support
Required only if you are using TTL stealth router mode: (Note: Older kernel versions require a kernel patch for this target.)
  • CONFIG_IP_NF_TARGET_TTL (Not to be confused with CONFIG_IP_NF_MATCH_TTL aka "TTL match support")
    Networking options -> IP: Netfilter Configuration -> TTL target support
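
Before running the script on a machine you cannot reach physically, it is worth confirming the kernel actually has the base options listed above. The following is an added example, not code from rc.firewall or its project: a POSIX shell check that looks for each base option in a kernel .config and accepts either the pre-2.6.16 CONFIG_IP_NF_* name or the later name for the same feature. CONFIG_NETFILTER_XT_MATCH_STATE follows the rename described in the note above; treating CONFIG_NF_CONNTRACK as the later name of CONFIG_IP_NF_CONNTRACK is an assumption of this example, as is the file name check_netfilter.sh. The two sample configs are constructed for illustration and are not real kernel output.

```shell
#!/bin/sh
# Added example, not part of rc.firewall: check that a kernel .config provides
# the base netfilter options the script depends on.

# Print the running kernel's config: /proc/config.gz if the kernel was built
# with CONFIG_IKCONFIG_PROC, otherwise the distribution's /boot/config-<version>.
kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        echo "kernel_config: no kernel config found" >&2
        return 1
    fi
}

# has_option CONFIGFILE OPTION: true if OPTION is built in (=y) or a module (=m).
has_option() {
    grep -q "^${2}=[ym]\$" "$1"
}

# Base options from the list above, as OLD:NEW pairs. NEW is the name a
# 2.6.16+ kernel uses for the same feature; entries that were never renamed
# repeat the old name. CONFIG_NF_CONNTRACK as the successor of
# CONFIG_IP_NF_CONNTRACK is an assumption of this example.
BASE_OPTIONS="
CONFIG_NETFILTER:CONFIG_NETFILTER
CONFIG_IP_NF_CONNTRACK:CONFIG_NF_CONNTRACK
CONFIG_IP_NF_IPTABLES:CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_MATCH_STATE:CONFIG_NETFILTER_XT_MATCH_STATE
CONFIG_IP_NF_FILTER:CONFIG_IP_NF_FILTER
CONFIG_IP_NF_TARGET_REJECT:CONFIG_IP_NF_TARGET_REJECT
"

# check_base CONFIGFILE: print the old name of every missing base option, one
# per line, and return 1 if anything is missing (0 when all are present).
check_base() {
    cfg=$1
    rc=0
    for pair in $BASE_OPTIONS; do
        old=${pair%%:*}
        new=${pair##*:}
        if ! has_option "$cfg" "$old" && ! has_option "$cfg" "$new"; then
            echo "$old"
            rc=1
        fi
    done
    return $rc
}

# write_sample_configs DIR: two constructed configs (not real kernel output).
write_sample_configs() {
    # A 2.6.16+ kernel: state match under its NETFILTER_XT_ name, everything
    # else built as modules.
    cat >"$1/good.config" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=m
CONFIG_NF_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
# CONFIG_IP_NF_TARGET_LOG is not set
EOF
    # An older kernel with the state match and REJECT target left out.
    cat >"$1/bad.config" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
# CONFIG_IP_NF_MATCH_STATE is not set
# CONFIG_IP_NF_TARGET_REJECT is not set
EOF
}

# Run the check against both samples, then against the running kernel if its
# config can be found. Invoke as: sh check_netfilter.sh demo
demo() {
    dir=$(mktemp -d)
    write_sample_configs "$dir"
    for f in good bad; do
        echo "$f.config:"
        check_base "$dir/$f.config" && echo "  all base options present"
    done
    if kernel_config >"$dir/running.config" 2>/dev/null; then
        echo "running kernel:"
        check_base "$dir/running.config" && echo "  all base options present"
    fi
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

On the constructed bad.config the check prints CONFIG_IP_NF_MATCH_STATE and CONFIG_IP_NF_TARGET_REJECT and exits 1; on good.config it exits 0 because the state match is present under its 2.6.16+ name. Only the base options are covered; the NAT, logging, port forwarding and TTL groups above can be added to the list in the same OLD:NEW form.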