Gentoo Forums
Documentation: Firewall with MySQL frontend
Gentoo Forums Forum Index > Dutch
ews99
n00b


Joined: 10 Aug 2003
Posts: 16

PostPosted: Mon Sep 01, 2003 8:04 pm    Post subject: Documentation: Firewall with MySQL frontend

I've written a document that describes how you can use MySQL as the input for iptables rules.
Especially for the beginning user it can be handy to build these rules via mysqladmin. But it can also be ideal for quickly adjusting the firewall.

Hier het document: http://papasmurf.ews99.2y.net/~wiki/docs/index.php?pagename=firewall

The document was written in the wiki system, so anyone can edit it. Of course I'd very much appreciate it if you correct any mistakes or add additions.
garo
Bodhisattva


Joined: 15 Jul 2002
Posts: 860
Location: Edegem,BELGIUM

PostPosted: Tue Sep 02, 2003 5:41 pm    Post subject:

I know it's a lot of work, but if you translate it into English you can post it in "documentation, tips & tricks" and you'll get much more response there.
iKiddo
Guru


Joined: 27 Jun 2002
Posts: 341
Location: Europe?

PostPosted: Tue Sep 02, 2003 10:50 pm    Post subject:

I quickly translated it*:

* I didn't translate the lines that begin with "!" because I didn't know whether they have a special meaning (no experience with Wiki).
Code:
!!!Firewall with ~MySQL frontend

Create a database 'firewall' in MySQL and make sure there is a user that can use it.
Create the tables blockip, opentcp, openudp and portforward with the following SQL statements:
<verbatim>
# Database : `firewall`
# --------------------------------------------------------

#
# Table structure for table `blockip`
#

CREATE TABLE blockip (
  ip varchar(15) NOT NULL default ''
) ENGINE=MyISAM;   -- the original used TYPE=MyISAM, a spelling MySQL 5.5 removed
# --------------------------------------------------------

#
# Table structure for table `opentcp`
#

CREATE TABLE opentcp (
  port varchar(6) NOT NULL default ''
) ENGINE=MyISAM;
# --------------------------------------------------------

#
# Table structure for table `openudp`
#

CREATE TABLE openudp (
  port varchar(6) NOT NULL default ''
) ENGINE=MyISAM;
# --------------------------------------------------------

#
# Table structure for table `portforward`
#

CREATE TABLE portforward (
  port int(6) NOT NULL default '0',
  to_ip varchar(15) NOT NULL default '',
  to_port int(6) NOT NULL default '0',
  protocol set('tcp','udp') NOT NULL default ''
) ENGINE=MyISAM;
</verbatim>

It's probably a good idea to open ports 80 and 22, in case anything goes wrong or we can't log in again:
<verbatim>
USE firewall;
INSERT INTO opentcp VALUES ('80');
INSERT INTO opentcp VALUES ('22');   -- 22 (ssh), not 21 (ftp) as in the original text
</verbatim>

Create the following files in /etc/firewall (assuming you're using the database 'firewall'):
block_ip:
<verbatim>
use firewall;
select ip from blockip;
</verbatim>

open_tcp:
<verbatim>
use firewall;
select port from opentcp;
</verbatim>

open_udp:
<verbatim>
use firewall;
select port from openudp;
</verbatim>

portforward:
<verbatim>
use firewall;
select port, to_ip, to_port, protocol from portforward;
</verbatim>

Create the file 'firewall' in /etc/conf.d:

/etc/conf.d/firewall
<verbatim>
ENABLE_FORWARDING_IPv4="yes"
WAN="eth0"
LAN="eth1"
WAN_IP=`ifconfig $WAN | grep 'inet addr:' | cut -d : -f 2 | cut -d " " -f 1`
LAN_IP=`ifconfig $LAN | grep 'inet addr:' | cut -d : -f 2 | cut -d " " -f 1`
# Network range behind the LAN interface. The original had "$LAN/24", which
# expands to "eth1/24"; the interface address is what iptables needs here.
LAN_IPRANGE="$LAN_IP/24"
MYSQL_USER=mysqluser
MYSQL_PASS=yourpassword
# -p$MYSQL_PASS puts the password on the mysql command line, where it is briefly
# visible to local users in the process list. Keep this file mode 0600 (see
# below), or move the credentials into a file passed with --defaults-extra-file.
MYSQL="mysql -u $MYSQL_USER -p$MYSQL_PASS --skip-column-names -B "
MYOPEN_PORTS_TCP="/etc/firewall/open_tcp"
MYOPEN_PORTS_UDP="/etc/firewall/open_udp"
MYFORWARD="/etc/firewall/portforward"
# The query file created above is block_ip (the original had "/etc/firewall/block/ip").
MYBLOCK_IP="/etc/firewall/block_ip"
</verbatim>

Make sure you set LAN_IPRANGE correctly; it defaults to a 255.255.255.0 subnet mask.
Also make sure you enter your MySQL account details correctly.

The most important bit: /etc/init.d/firewall. Can be found here: FirewallInitscript

Ideally the permissions on /etc/firewall and /etc/conf.d/firewall should be read/write for root only. /etc/init.d/firewall should also be executable:

* cd /etc/firewall
* chown root:root *
* chmod 0600 *
* cd /etc/conf.d
* chown root:root firewall
* chmod 0600 firewall
* cd /etc/init.d
* chown root:root firewall
* chmod 0700 firewall

Before you start the firewall it's a good idea to test it with:
'/etc/init.d/firewall info'
Its output should be:

<verbatim>
 * IP adres WAN (eth0): 62.1##.###.###
 * IP adres LAN (eth1): 192.168.1.1
 * IP range LAN (eth1): 192.168.0.1/24
 * Enable forwarding IPv4: yes
 * Open TCP ports:
80
22
 * Open UDP ports:
 * Port Forwards:
</verbatim>

Pay attention to the following:
* The ethx values in brackets: check that they match WAN and LAN
* The IP addresses must match your network settings
* The open TCP ports should be displayed as they are in the MySQL database

When you've checked everything you can start the firewall in the usual way and optionally add it to the boot sequence:

* /etc/init.d/firewall start
(* rc-update add firewall default)

The firewall should now work properly. With a port scanner you can check from the internet which ports are open. On a Linux box you can use the nmap command:

* nmap 62.1##.###.###

If everything is OK, only the ports listed in the 'opentcp' table should be open. Note that the forwarded ports in 'portforward' are opened automatically. Pinging the server is rate-limited: it times out after approximately 8 pings.


With the MySQL database construction it should be easy to build a handy frontend with Apache & PHP. Restarting the firewall so that it re-reads the rules will be the only possible piece of trouble. Here's a solution:

!!Example PHP script for restarting the firewall

This PHP example uses the sudo package to restart the firewall with root privileges.

!Sudo

* Install the sudo package
* Add the next line to /etc/sudoers:
<verbatim>
   # Limit the apache user to the one action the script needs. Without the
   # "restart" argument, apache could also run "/etc/init.d/firewall stop".
   apache ALL = NOPASSWD: /etc/init.d/firewall restart
</verbatim>

In this example the PHP script will then look like this:

<verbatim>
  <?php
    echo "The firewall is being restarted.<br>";
    echo "One moment please...<br><br>";
    flush();   // the original had "flush;", which only evaluates a constant
    echo "The firewall script result:<br>";
    echo "<pre>";
    // Capture the script output and escape it before it reaches the browser,
    // so that text coming from the database rows cannot inject HTML.
    echo htmlspecialchars((string) shell_exec("sudo /etc/init.d/firewall restart"));
    echo "</pre>";
  ?>
</verbatim>

Pay attention to the security of this script!
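The post links to the init script but does not show how the query results become iptables rules. The following POSIX sh script is an added example, not code from the post or from the linked FirewallInitscript: it reads the tab-separated, header-less rows that `mysql -B --skip-column-names` prints for the block_ip, open_tcp, open_udp and portforward queries, validates every field, and emits one iptables command per row. Because the init script runs as root and the tables can be filled by a PHP frontend or by anyone holding the MySQL account, a row is treated as untrusted input: values are only ever passed to printf as arguments, never re-parsed by the shell, and anything that is not a well-formed address, CIDR range, port or protocol is rejected. The function names (valid_ip, valid_port, valid_proto, gen_rules), the sample rows (including a deliberately hostile blockip row) and the exact rule shapes (DROP on WAN for blocked sources, ACCEPT on WAN for open ports, DNAT plus FORWARD for forwards) are this example's own assumptions, not the linked script's rules. The commands are printed rather than executed so the logic can be checked without root.

```shell
#!/bin/sh
# Added example (not the FirewallInitscript from the post): turn the output of
# "mysql -B --skip-column-names" into iptables commands, refusing malformed rows.
# Function names and sample rows are assumptions made for this example.

WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"

# Constructed sample rows standing in for "$MYSQL < /etc/firewall/<file>" output.
# One hostile blockip row and one out-of-range opentcp row are included on purpose.
SAMPLE_BLOCK_IP='10.0.0.5
203.0.113.0/24
1.2.3.4; rm -rf /'
SAMPLE_OPEN_TCP='80
22
99999'
SAMPLE_OPEN_UDP='53'
SAMPLE_FORWARD=$(printf '8080\t192.168.1.10\t80\ttcp\n2222\t192.168.1.11\t22\ttcp,udp')

# valid_ip ADDR: true for a dotted quad, optionally followed by /0-32.
valid_ip() {
    addr=$1
    case $addr in
        */*) prefix=${addr#*/}; addr=${addr%%/*}
             case $prefix in ''|*[!0-9]*) return 1 ;; esac
             [ ${#prefix} -le 2 ] && [ "$prefix" -le 32 ] || return 1 ;;
    esac
    case $addr in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    n=0; rest=$addr.
    while [ -n "$rest" ]; do
        o=${rest%%.*}; rest=${rest#*.}; n=$((n + 1))
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}

# valid_port N: true for 1..65535 written as plain decimal digits.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_proto P: the only -p values we are willing to emit.
valid_proto() { case $1 in tcp|udp) return 0 ;; *) return 1 ;; esac; }

# gen_rules: print one iptables command per line for all four tables.
# Rejected rows are reported on stderr and produce no rule.
gen_rules() {
    printf '%s\n' "$SAMPLE_BLOCK_IP" | while IFS= read -r ip; do
        if valid_ip "$ip"; then
            printf 'iptables -A INPUT -i %s -s %s -j DROP\n' "$WAN" "$ip"
        else
            printf 'blockip: rejecting row "%s"\n' "$ip" >&2
        fi
    done
    for proto in tcp udp; do
        if [ "$proto" = tcp ]; then rows=$SAMPLE_OPEN_TCP; else rows=$SAMPLE_OPEN_UDP; fi
        printf '%s\n' "$rows" | while IFS= read -r port; do
            if valid_port "$port"; then
                printf 'iptables -A INPUT -i %s -p %s --dport %s -j ACCEPT\n' "$WAN" "$proto" "$port"
            else
                printf 'open%s: rejecting row "%s"\n' "$proto" "$port" >&2
            fi
        done
    done
    # portforward columns: port, to_ip, to_port, protocol (a SET column prints as "tcp,udp").
    printf '%s\n' "$SAMPLE_FORWARD" | while read -r port to_ip to_port protos; do
        if ! valid_port "$port" || ! valid_ip "$to_ip" || [ "$to_ip" != "${to_ip%/*}" ] \
           || ! valid_port "$to_port"; then
            printf 'portforward: rejecting row "%s %s %s %s"\n' "$port" "$to_ip" "$to_port" "$protos" >&2
            continue
        fi
        for p in $(printf '%s' "$protos" | tr ',' ' '); do
            if valid_proto "$p"; then
                printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
                    "$WAN" "$p" "$port" "$to_ip" "$to_port"
                printf 'iptables -A FORWARD -i %s -o %s -p %s -d %s --dport %s -j ACCEPT\n' \
                    "$WAN" "$LAN" "$p" "$to_ip" "$to_port"
            else
                printf 'portforward: rejecting protocol "%s"\n' "$p" >&2
            fi
        done
    done
}

# Set FW_PRINT=1 to print the generated rule set when running this file directly.
if [ -n "${FW_PRINT:-}" ]; then gen_rules; fi
```

Running it with `FW_PRINT=1 sh firewall_rules.sh` prints eleven rules for the sample rows; the hostile blockip value and the port 99999 are reported on stderr and never reach an iptables command line. In the real init script the same checks belong between the `$MYSQL < $MYBLOCK_IP` call and the iptables invocation, and the generated commands would be executed instead of printed.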