≡ Menu

linux firewall

deluge-logo.png

A long time ago I wrote about Linux command line bittorrent client. Recently I switched from command line client to a GUI based client called Deluge.

Deluge is a lightweight, open source free software and cross-platform BitTorrent client (bt client). A Bittorrent client written in Python/PyGTK which offers following benefits:

[a] Full Encryption - To avoid ISP's bandwidth throttling system (note encryption is not here to protect you from other users)

[b] Plugin System - Just like Firefox it has features rich plugin collection; in fact, most of Deluge's functionality is available in the form of plugins.

[c] In built RSS support to grab latest and greatest stuff.

[d] Global and per bittorrent bandwidth control.

[e] Support for selective file downloading - For example, it allows to grab a single file from 100 of files

[f] Ability to create torrent with Torrent Creator plugin

[g] Proxy support

[h] Network activity graph

[i] Network Health Monitor

[j] And much more

Quick Deluge Installation

Use apt-get command,
$ sudo apt-get install deluge-torrent
You can start Deluge by visiting Application > Internet > Deluge Bittorrent Client
Linux / MAC / WIndows / UNIX - Deluge Bittorrent client written in Python/PyGTK
(Fig. 01: Deluge Bittorent Client in Action)

Change port settings

The official ports for BitTorrent are 6881-6889, but most ISPs block or at least throttle those ports, so I recommend to use a port range of something between 50000 and 65535 or any other random range. You can change port range from Preference > Select Network tab > Setup new range > Close
Change port settings
(Fig. 02: Change Port Settings [ Image Credit Official Project])

Download Deluge Bittorrent Client

=> Visit Official Deluge Bittorrent Client project web site to grab latest version.

Iptables provides the option to log both IP and TCP headers in a log file. This is useful to:
=> Detect Attacks

=> Analyze IP / TCP Headers

=> Troubleshoot Problems

=> Intrusion Detection

=> Iptables Log Analysis

=> Use 3rd party application such as PSAD (a tool to detect port scans and other suspicious traffic)

=> Use as education tool to understand TCP / IP header formats etc.

How do I turn on Logging IP Packet Header Options?

Add the following command to your iptables script beo:

iptables -A INPUT -j LOG --log-ip-options
iptables -A INPUT -j DROP

How do I turn on Logging TCP Packet Header Options?

Add the following command to your iptables script:

iptables -A INPUT -j LOG --log-tcp-options
iptables -A INPUT -j DROP

You may need to add additional filtering criteria such as source and destination ports/IP-address and other connection tracking features. To see IP / TCP header use tail -f or grep command:
# tail -f /var/log/messages

Recommended readings:

Iptables allow CIPE connection request

From my mail bag:

How do I accept CIPE connection requests coming from the outside?

CIPE stands for Crypto IP Encapsulation (see howto Establishing a CIPE Connection) . It is used to configure an IP tunneling device. For example, CIPE can be used to grant access from the outside world into a Virtual Private Network (VPN). All you need to find out CIPE number, once you got the number (device name) append following two IPTABLE rules (add rule to your iptables script) to script:

Iptables rules:

Add the following rules to your iptables script or configuration file:

iptables -A INPUT -p udp -i cipcb0 -j ACCEPT
iptables -A OUTPUT -p udp -o cipcb0 -j ACCEPT

CIPE use its own virtual device. It is use to transmit UDP packets so the above rule allows the cipcb0 interface to incoming request (no need to use eth0).

Replace cipcb0 with your actual device name.

References:

If you're new to Linux, here's a simple firewall that can be setup in minutes. Especially those coming from a Windows background, often lost themselves while creating linux firewall.
This is the most common question asked by Linux newbies (noobs). How do I install a personal firewall on a standalone Desktop Linux computer. In other words "I wanna a simple firewall that allows or permits me to visit anything from my computer but it should block everything from outside world".
Well that is pretty easy first remember INPUT means incoming and OUTPUT means outgoing connection/access. With following little script and discussion you should able to setup your own firewall.

Step # 1: Default Firewall policy

Set up default access policy to drop all incoming traffic but allow all outgoing traffic. This will allow you to make unlimited outgoing connections from any port but not incoming traffic/ports are allowed.
iptables -p INPUT DROP
iptables -p OUTPUT ACCEPT

Step # 2: Allow unlimited traffic from loopback (lo) device

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -i lo -j ACCEPT

Step # 3: Setup connection oriented access

Some protocol such as a FTP, DNS queries and UDP traffic needs an established connection access. In other words you need to allow all related connection using iptables state modules.
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Step # 4: Drop everything else and log it

iptables -A INPUT -j LOG
iptables -A INPUT -j REJECT

But wait you cannot type all above commands at a shell command prompt. It is a good idea to create a script called fw.start as follows (copy and paste following script in fw.start file):

#!/bin/sh
# A simple
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

You can enhance your tiny firewall with

  • Create a script to stop a firewall
  • This is optional, if you wish to start a firewall automatically as soon as Debian Linux boots up use the instruction outlined here
  • Finally if you wanna open incoming ssh (port 22) or http (port 80) then insert following two rules before #DROP everything and Log it line in above script:

iptables -A INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 -m state --state NEW -j ACCEPT

Easy to use Linux firewall programs/tools

  • GUI tools - firestarter :: A graphical interfaced Open Source firewall for Linux. (highly recommended for Linux desktop users)
  • IPCop Firewall and SmoothWall :: Setup a dedicated firewall box. (highly recommended for Linux server and LAN/WAN users)

One of my friend recently send me an email. It reads as follows:

"...My DSL service providers DNS server seems to be little slow, they have two servers it takes little time (some time upto 2 seconds) to resolve a domain name, once domain resolved, browsing speed remains the same, what should I do to improve DNS performance?...."

The answer is use a DNS proxy i.e. Dnsmasq. It is a a lightweight, easy to configure DNS forwarder and optional DHCP server. Dnsmasq is targeted at home networks using NAT and connected to the internet via a modem, cable-modem or ADSL connection but would be a good choice for any small network where low resource use and ease of configuration are important. The main use of the DNS proxy is to increase speed. Generally all computer send their request to ISP's DNS servers. But with DNS proxy request are cached. It stands between your local system and firewall server. Here is our sample network setup, 192.168.1.1-3 are all desktop system, 192.168.1.254 is our Linux firewall server:

Laptop | Desktop --> Linux Server --> ADSL Modem/Router
                   Firewall
192.168.1.1         192.168.1.254 -> Dynamic or
192.168.1.2                          Static IP assign
192.168.1.3                          by ISP

Login to your Linux firewall server and install Dnsmasq .

Step # 1 : Install Dnsmasq (Debian Linux)

# apt-get install dnsmasq

Fedora/Redhat/Centos user, use yum command to install dnsmasq:

# yum install dnsmasq

RedHat Linux user use rpm/up2date command to install it:

# up2date -i dnsmasq

Step # 2 Configure Dnsmasq

To be frank you don't have to change a single line in /etc/dnsmasq.conf. However you need to setup 127.0.0.1 as dns server name in /etc/resolve.conf file:

# vi /etc/resolve.conf

nameserver 127.0.0.1
nameserver 202.54.10.1
nameserver 202.54.20.1

Replace 202.54.10.1/202.54.20.1 with your actual ISP DNS server IPS. The dnsmasq should read the list of ISP nameservers from the automatically /etc/resolv.conf. You should list 127.0.0.1 as the first nameserver address in /etc/resolv.conf. So local desktop clients always gets cached queries.

Step # 3 Restart/start Dnsmasq

# /etc/init.d/dnsmasq start

Step # 4 Update DNS server IPS for all desktop systems

Point your windows XP or Linux Desktop client to IP of Linux firewall server i.e. 192.168.1.254 (see above network diagram)

It is easy to use Dnsmasq rather than setting up caching BIND server. But hold on it has some cool usage too. You can add domains which you want to force to specific IP address. For example, doubleclick.net displays ugly adds on many sites, just send this server it to our 127.0.0.1 (i.e. your local server ). Just open a file /etc/dnsmasq.conf and add following line to it:
address=/doubleclick.net/127.0.0.1

Restart Dnsmasq and make sure you runs local webserver at 127.0.0.1 with some default page. Read the Dnsmasq man page and docs for more information.