Korseby Online - Firewall

About Korseby Firewall

Korseby iptables Firewall (kiptables) is a simple but secure shell script that configures your Linux iptables firewall in an easy manner. It should be simple to adapt the configuration to your own needs.

How to use Korseby Firewall

First of all you need to edit the script in order to get it to work.

Change LANIP (and LANIF if you're using a different interface than eth0) to the IP address of your computer.
LAN contains the address of your local network.
Use the line LAN_ALLOW_HOST_TCP to enter the TCP ports that are accepted. For example, if you want to connect from your LAN via ssh to your local computer, simply add this: "${LAN}#32768:#22". UDP ports have the same syntax.
LOGPORTS contains all ports that should be explicitly logged.
LOGICMP contains all ICMP packets that should be logged.
DONTLOG contains specific ports that should not be logged.

If you want NAT or Masquerading, you have to start the second script after the first one. This makes particular sense if you're using a ppp connection to the internet: you can add that script to /etc/ppp/ip-up.d/ (and /etc/ppp/ip-down.d/), so every time you connect, the additional forwarding rules will be loaded.

The forwarding configuration has some additional parameters to change:

INETIF - the name of the interface connected to the internet.
INET_ALLOW_HOST_TCP - same syntax as the corresponding rule for LAN.
INET_TCP_FW - set port forwards from the internet to a computer inside your local network.
BOGONS - a list of bogus addresses. 127.0.0.1 normally won't appear as a source address on the internet, and accepting such packets could be a security risk.
MANGLE_OPTIMIZE - optimize traffic on specific ports. You normally want the highest throughput for FTP etc.

Even though neither script will work right out of the box, both should be a good guide for writing a firewall script of your own.
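As an added illustration of the approach described above (not the kiptables scripts themselves), the following generator turns a handful of kiptables-style variables (LANIF, LAN, INETIF, LAN_ALLOW_HOST_TCP, LOGPORTS, BOGONS) into iptables commands and only prints them, so the resulting ruleset can be reviewed without root. It assumes that an entry such as "${LAN}#32768:#22" means source, source-port range and destination port separated by '#'; that reading of the syntax, the variable values and the log prefix are assumptions, not taken from the scripts.

```shell
#!/bin/sh
# Added example: dry-run generator for a kiptables-style configuration.
# Assumed entry syntax: "<source>#<sport>#<dport>", where "32768:" is an
# iptables port range meaning 32768-65535 (interpretation of the page's example).

LANIF=eth0
LAN=192.168.1.0/24                 # constructed sample network
INETIF=ppp0                        # internet side, as used by the forwarding script
LAN_ALLOW_HOST_TCP="${LAN}#32768:#22 ${LAN}#32768:#631"   # ssh and IPP from the LAN
LOGPORTS="135 139 445"             # ports that should be logged explicitly
BOGONS="127.0.0.0/8 10.0.0.0/8"    # sources that must never arrive from the internet

IPT="iptables"                     # commands are printed, never executed

# accept_rule <entry>: ACCEPT rule for one LAN_ALLOW_HOST_TCP entry
accept_rule() {
    src=${1%%#*}                   # text before the first '#'
    rest=${1#*#}                   # text after the first '#'
    sport=${rest%%#*}
    dport=${rest#*#}
    printf '%s -A INPUT -i %s -p tcp -s %s --sport %s --dport %s -m state --state NEW -j ACCEPT\n' \
        "$IPT" "$LANIF" "$src" "$sport" "$dport"
}

# log_rule <port>: log new TCP connections to a watched port (the default policy drops them)
log_rule() {
    printf '%s -A INPUT -p tcp --dport %s -j LOG --log-prefix "kipt-port%s: "\n' "$IPT" "$1" "$1"
}

# bogon_rule <net>: silently drop spoofed sources arriving on the internet interface
bogon_rule() {
    printf '%s -A INPUT -i %s -s %s -j DROP\n' "$IPT" "$INETIF" "$1"
}

# generate: default-deny policies, conntrack shortcut, then the config-derived rules
generate() {
    printf '%s -P INPUT DROP\n%s -P FORWARD DROP\n' "$IPT" "$IPT"
    printf '%s -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$IPT"
    for n in $BOGONS; do bogon_rule "$n"; done
    for e in $LAN_ALLOW_HOST_TCP; do accept_rule "$e"; done
    for p in $LOGPORTS; do log_rule "$p"; done
    # masquerading for the ppp link, the job of the second (forwarding) script
    printf '%s -t nat -A POSTROUTING -o %s -s %s -j MASQUERADE\n' "$IPT" "$INETIF" "$LAN"
}

generate
```

Piping the output into `sh` (as root) applies it; reviewing it first is the point of generating rather than executing.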

Download kiptables 1.2.0-rc4

You can download the scripts here. Please note that you need both scripts for doing NAT or Masquerading.

Download kiptables local rules (12 KB)
Download kiptables Forwarding rules (17 KB)

More Information about Firewalling

If you really want to understand how firewalls work you need to read some additional resources. Below are a lot of links that should help you:

iptables-Documentation:
Netfilter FAQ
Networking Concepts
Packet Filtering
NAT Howto
Routing with 2.4 kernels

procfs-Documentation:
/usr/src/linux/Documentation/filesystems/proc.txt
/usr/src/linux/Documentation/networking/ip-sysctl.txt

EGRESS-Addresses:
BGP on Cisco Routers

Remote Security Testers:
My CGI Server
lfd Niedersachsen
it-sec
Remote Portscan

QoS (Quality of Service) & Fair Queueing:
IP Routing
QoS Server

License

Korseby iptables Firewall is published under the terms of the GNU General Public License (GPL). Visit GNU for more details.

Changelog

I have been using these scripts since 2001. A lot of changes were made over the years. Here you can find only the latest additions and changes:

1.2.0-rc4: (Apr 17 2004) minor update
- all: fixed minor name vs. ip glitches
- adlib: updated special nfs/portmap host settings
- korseby: updated special nfs/portmap server settings

1.2.0-rc3: (Apr 16 2004) minor update
- adlib: fixed bug where no connection to outside of LAN could be established

1.2.0-rc2: (Apr 16 2004) minor update
- adlib: REJECT proxy ACK packets
- korseby: DROP IPP from LAN without logging
- adlib: allow IPP cups-server on LAN
- adlib: fixed some sysctl glitches
- all: added port 445 to LOGPORTS
- adlib: updated to new version

1.2.0-rc1: (Apr 03 2004) major update, complete rewrite
- korseby: there are now two independent configurations for local and forwarding
- korseby: forwarding now done via NAT
- korseby: sysctl now included in script instead of own sysctl-file

1.0.8 (Dec 27 2002)
0.9.15 (Mar 16 2002)
0.9.0 (Aug 31 2001)
0.0.1 (Aug 07 2001)