Kusprayitna Blogs

Living to share knowledge :: IT Linux Windows Database Oracle PHP OpenSource

Firewall on Linux with Vuurmuur

Posted by kusprayitna on February 9th, 2010

IPtables, the default firewall on Linux, is very powerful.

To make an iptables-based firewall easier to manage from a text UI, there is the open-source application Vuurmuur.

The product has the following features:

  • No knowledge of iptables required
  • Human-readable rule syntax
  • Ncurses UI, no GUI / X needed
  • Port forwarding support
  • NAT support
  • Secure defaults
  • Remote management over SSH or on the console
  • Scriptable, so it is easy to integrate with other applications
  • Can generate the firewall as a bash script
  • Anti-spoofing
  • Kill unwanted connections
  • Support for Snort_inline using QUEUE or NFQUEUE
  • Real-time log and connection viewing with filtering support
  • Traffic volume accounting
  • Searching old logs
  • Audit log
  • Logging of new connections and bad packets
  • Bandwidth limiting on a per-rule basis
  • Guaranteed minimum bandwidth on a per-rule basis
  • Rule prioritisation

The installation steps are as follows. The tarball is fetched over plain FTP, so verify it against a checksum or signature obtained from the project through a trusted channel before running the installer as root:

# wget ftp://ftp.vuurmuur.org/releases/0.7/Vuurmuur-0.7.tar.gz
--22:12:56--  ftp://ftp.vuurmuur.org/releases/0.7/Vuurmuur-0.7.tar.gz
=> `Vuurmuur-0.7.tar.gz'
Resolving ftp.vuurmuur.org... 80.101.90.58
Connecting to ftp.vuurmuur.org|80.101.90.58|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD /releases/0.7 ... done.
==> SIZE Vuurmuur-0.7.tar.gz ... 1787804
==> PASV ... done.    ==> RETR Vuurmuur-0.7.tar.gz ... done.
Length: 1787804 (1.7M)

100%[=======================================>] 1,787,804   5.54K/s   in 4m 9s

22:17:09 (7.01 KB/s) - `Vuurmuur-0.7.tar.gz' saved [1787804]

# tar xzf Vuurmuur-0.7.tar.gz
# cd Vuurmuur-0.7
# ./install.sh --install --defaults

svn: '.' is not a working copy
svn: Can't open file '.svn/entries': No such file or directory

Vuurmuur installation
=====================

Welcome to the installation of Vuurmuur. First you will be
asked a couple of questions about the location to install the
various parts of Vuurmuur. It is recommended that you choose
the defaults, by pressing just enter.

Installdir: /usr ...
Using Etcdir: '/etc/vuurmuur'.
Using Logdir: '/var/log/vuurmuur/'.

Ok, thank you. Going to build Vuurmuur now. Depending on your hardware
this process will take about 2 to 10 minutes.

Testing for the installation files...
Going to extract the files...
Extracting the files done...
Going to build libvuurmuur... (common code for all parts of Vuurmuur).
Building and installing libvuurmuur finished.
Going to build vuurmuur... (the daemons).
Building and installing vuurmuur finished.
Going to build vuurmuur_conf... (the Ncurses based user interface).
make   failed with returncode 2.

Installation Failed
===================

Please take a look at install.log. If you can't solve the problem
mail me at victor@vuurmuur.org. Please include the install.log.

# tail install.log

ERROR!  ncurses.h header not found!
Please install the development package of Ncurses.
make: *** No targets specified and no makefile found.  Stop.
make   failed with returncode 2.

# yum install ncurses ncurses-devel

Loaded plugins: fastestmirror, priorities
Loading mirror speeds from cached hostfile
* rpmforge: fr2.rpmfind.net
* base: mirror.nus.edu.sg
* updates: mirror.nus.edu.sg
* addons: mirror.nus.edu.sg
* extras: mirror.nus.edu.sg
476 packages excluded due to repository priority protections
Setting up Install Process
Parsing package install arguments
Package ncurses-5.5-24.20060715.i386 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package ncurses-devel.i386 0:5.5-24.20060715 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package               Arch         Version                  Repository    Size
================================================================================
Installing:
ncurses-devel         i386         5.5-24.20060715          base         1.6 M

Transaction Summary
================================================================================
Install      1 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 1.6 M
Is this ok [y/N]: y
Downloading Packages:
ncurses-devel-5.5-24.20060715.i386.rpm                   | 1.6 MB     06:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing     : ncurses-devel                                     [1/1]

Installed: ncurses-devel.i386 0:5.5-24.20060715
Complete!

# ./install.sh --install --defaults
svn: '.' is not a working copy
svn: Can't open file '.svn/entries': No such file or directory

Vuurmuur installation
=====================

Welcome to the installation of Vuurmuur. First you will be
asked a couple of questions about the location to install the
various parts of Vuurmuur. It is recommended that you choose
the defaults, by pressing just enter.

Installdir: /usr ...
Using Etcdir: '/etc/vuurmuur'.
Using Logdir: '/var/log/vuurmuur/'.

Ok, thank you. Going to build Vuurmuur now. Depending on your hardware
this process will take about 2 to 10 minutes.

Testing for the installation files...
Going to extract the files...
Extracting the files done...
Going to build libvuurmuur... (common code for all parts of Vuurmuur).
Building and installing libvuurmuur finished.
Going to build vuurmuur... (the daemons).
Building and installing vuurmuur finished.
Going to build vuurmuur_conf... (the Ncurses based user interface).
Building and installing vuurmuur_conf finished.

Setting up the Vuurmuur config for first-time use.

Installation Complete
=====================

Installing Vuurmuur completed successfully. Please run 'vuurmuur_conf' to
complete your configuration. The first step is to define one or more
interfaces and attach those to a network. After that rules can be created.

Example init.d and logrotate scripts are installed in:
'/usr/share/vuurmuur/scripts'.

# vuurmuur_conf

Vuurmuur setup steps

1. Define the interface

The interface on my CentOS box is eth0, with the IP address 192.168.100.128 obtained from DHCP.

2. Define the zones

A zone consists of one or more networks, and a network consists of one or more hosts.

Zone inet (default)

Zone lan (adjusted to my setup)

containing the network VMWare --> used when I am working inside VMWare

and the network bsi --> the local office network at BSI

As an example, the network bsi is filled in as follows:

and the host kusprayitna in network bsi of zone lan is filled in as follows:

In Vuurmuur this host is identified as kusprayitna.bsi.lan

3. Create rules

By default Vuurmuur drops every packet, so anything that should pass has to be allowed by an explicit rule.

The rule format is

<action> service <service> from <src> to <dst> options <options>

Examples (taken from the wiki):

Rules that let the firewall host itself (the Linux OS) browse the internet (world.inet):

accept service dns from firewall to world.inet
accept service http from firewall to world.inet options log
accept service https from firewall to world.inet options log
accept service ftp from firewall to world.inet options log

Source NAT (masquerading) for the LAN:

accept service dns from local.lan to world.inet
accept service http from local.lan to world.inet options log
accept service https from local.lan to world.inet options log
accept service ftp from local.lan to world.inet options log
snat service any from local.lan to world.inet

Allowing SSH to the firewall from the LAN:

accept service ssh from local.lan to firewall options log,logprefix="incoming ssh"
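The rule syntax above is compact enough to parse and review before it is applied. The script below is an added example, not Vuurmuur's own code or its rule generator: it parses rule lines of the form "<action> service <service> from <src> to <dst> options <options>", validates them against a service and zone table, and renders the iptables commands they roughly correspond to. The service ports, the zone addresses (192.168.100.128 for firewall, 192.168.100.0/24 for local.lan), the chain selection and the use of MASQUERADE for snat are all assumptions made for the example; Vuurmuur resolves these from the zones, networks and services defined in vuurmuur_conf.

```python
"""Parse Vuurmuur-style rule lines and render approximate iptables commands.

Added example, not Vuurmuur's own code. Service ports, zone addresses and the
snat-to-MASQUERADE mapping below are assumptions for illustration.
"""
import re

# Constructed service table: service name -> [(protocol, destination port)].
SERVICES = {
    "dns": [("udp", 53), ("tcp", 53)],
    "http": [("tcp", 80)],
    "https": [("tcp", 443)],
    "ftp": [("tcp", 21)],
    "ssh": [("tcp", 22)],
    "any": [("all", None)],
}

# Constructed zone/network table: names used in the post -> CIDR (assumed).
ZONES = {
    "firewall": "192.168.100.128",
    "local.lan": "192.168.100.0/24",
    "world.inet": "0.0.0.0/0",
}

RULE_RE = re.compile(
    r"^(?P<action>accept|drop|reject|snat)\s+service\s+(?P<service>\S+)"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+options\s+(?P<options>.+))?$"
)
# Options are comma separated; a value may be a quoted string containing
# spaces, e.g. log,logprefix="incoming ssh"
OPT_RE = re.compile(r'(\w+)(?:=("[^"]*"|[^,\s]+))?')


def parse_rule(line):
    """Return a dict with action/service/src/dst/options, or raise ValueError."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed rule: {line!r}")
    rule = m.groupdict()
    opts = {}
    for key, val in OPT_RE.findall(rule["options"] or ""):
        opts[key] = val.strip('"') if val else True
    rule["options"] = opts
    if rule["service"] not in SERVICES:
        raise ValueError(f"unknown service {rule['service']!r} in {line!r}")
    for name in (rule["src"], rule["dst"]):
        if name not in ZONES:
            raise ValueError(f"unknown zone/network/host {name!r} in {line!r}")
    return rule


def check_rules(lines):
    """Validate a list of rule lines; returns the error messages (empty if all parse)."""
    errors = []
    for line in lines:
        try:
            parse_rule(line)
        except ValueError as exc:
            errors.append(str(exc))
    return errors


def _addr(flag, name):
    cidr = ZONES[name]
    return "" if cidr == "0.0.0.0/0" else f" {flag} {cidr}"


def _chain(rule):
    # Traffic originating on the firewall host goes through OUTPUT, traffic
    # addressed to it through INPUT, everything else is forwarded.
    if rule["src"] == "firewall":
        return "OUTPUT"
    if rule["dst"] == "firewall":
        return "INPUT"
    return "FORWARD"


def to_iptables(rule):
    """Render one parsed rule as a list of iptables command strings."""
    src, dst = _addr("-s", rule["src"]), _addr("-d", rule["dst"])
    if rule["action"] == "snat":
        # Vuurmuur picks SNAT or MASQUERADE per interface; MASQUERADE is assumed.
        return [f"iptables -t nat -A POSTROUTING{src}{dst} -j MASQUERADE"]
    chain = _chain(rule)
    target = {"accept": "ACCEPT", "drop": "DROP", "reject": "REJECT"}[rule["action"]]
    cmds = []
    for proto, port in SERVICES[rule["service"]]:
        match = f"-p {proto}" + (f" --dport {port}" if port else "")
        base = f"iptables -A {chain} {match}{src}{dst} -m state --state NEW"
        if rule["options"].get("log"):
            prefix = rule["options"].get("logprefix", f"vrmr: {target}")
            cmds.append(f'{base} -j LOG --log-prefix "{prefix} "')
        cmds.append(f"{base} -j {target}")
    return cmds


def render(lines):
    """Parse every rule line and return the flat list of iptables commands."""
    return [cmd for line in lines for cmd in to_iptables(parse_rule(line))]


# The rules quoted in the post, used as sample input.
POST_RULES = [
    "accept service dns from firewall to world.inet",
    "accept service http from firewall to world.inet options log",
    "accept service https from firewall to world.inet options log",
    "snat service any from local.lan to world.inet",
    'accept service ssh from local.lan to firewall options log,logprefix="incoming ssh"',
]

if __name__ == "__main__":
    for cmd in render(POST_RULES):
        print(cmd)
```

check_rules() is the part worth keeping around: run it over a rules list before applying changes and it reports every line that references a service, zone, network or host that has not been defined, which is exactly the mistake that otherwise shows up only when Vuurmuur refuses to apply the ruleset.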

The input screen is:

This is the simple firewall on my CentOS box:
- it can reach anything
- it can be reached from the local BSI LAN
- it can be reached from VMWare
- everything else is dropped

4. Apply Changes

If you get an error saying that Vuurmuur is not running, there are example scripts for starting it in /usr/share/vuurmuur/scripts. For example, to start & stop it (init.d):
# cd /usr/share/vuurmuur/scripts
# chmod +x *.sh
# ./vuurmuur-initd.sh start
Starting firewall: Vuurmuur:
Loading modules: ip_tables iptable_filter iptable_mangle iptable_nat ip_conntrack ipt_state ip_conntrack_ftp ip_nat_ftp ip_queue
Loading Vuurmuur: ok.
Loading Vuurmuur_log: ok.
Starting firewall: Vuurmuur: done

The resulting iptables ruleset (iptables -L) is shown below. Note that iptables -L without -v -n omits the interface match, so rules such as "ACCEPT all -- anywhere anywhere" in INPUT and OUTPUT (normally the loopback-interface accepts) look unconditional here; review the ruleset with iptables -L -v -n or iptables-save before trusting it.

Chain INPUT (policy DROP)
target prot opt source destination
PRE-VRMR-INPUT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACC-eth0 all -- anywhere anywhere
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 1/sec burst 2 LOG level info prefix `vrmr: DROP probe ALL '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN limit: avg 1/sec burst 2 LOG level info prefix `vrmr: DROP probe SYN-FIN '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
LOG tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST limit: avg 1/sec burst 2 LOG level info prefix `vrmr: DROP probe SYN-RST '
DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
LOG tcp -- anywhere anywhere tcp flags:FIN,RST/FIN,RST limit: avg 1/sec burst 2 LOG level info prefix `vrmr: DROP probe FIN-RST '
DROP tcp -- anywhere anywhere tcp flags:FIN,RST/FIN,RST
LOG tcp -- anywhere anywhere tcp flags:FIN,ACK/FIN limit: avg 1/sec burst 2 LOG level info prefix `vrmr: DROP probe FIN '
DROP tcp -- anywhere anywhere tcp flags:FIN,ACK/FIN
LOG tcp -- anywhere anywhere tcp flags:PSH,ACK/PSH limit: avg 1/sec burst 2 LOG level info prefix `vrmr: DROP probe PSH '
DROP tcp -- anywhere anywhere tcp flags:PSH,ACK/PSH
LOG tcp -- anywhere anywhere tcp flags:ACK,URG/URG limit: avg 1/sec burst 2 LOG level info prefix `vrmr: DROP probe URG '
DROP tcp -- anywhere anywhere tcp flags:ACK,URG/URG
LOG tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW limit: avg 1/sec burst 2 LOG level info prefix `vrmr: DROP no SYN '
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
LOG all -f anywhere anywhere limit: avg 1/sec burst 2 LOG level info prefix `vrmr: DROP FRAG '
DROP all -f anywhere anywhere
ESTRELNFQUEUE all -- anywhere anywhere state RELATED,ESTABLISHED CONNMARK match !0x0
ACCEPT all -- anywhere anywhere MARK match 0x0/0xff000000 state ESTABLISHED
NEWACCEPT all -- anywhere anywhere MARK match 0x0/0xff000000 state RELATED
QUEUE all -- anywhere anywhere MARK match 0x1000000/0xff000000 state ESTABLISHED
NEWQUEUE all -- anywhere anywhere MARK match 0x1000000/0xff000000 state RELATED
LOG all -- anywhere anywhere state INVALID limit: avg 1/sec burst 2 LOG level info prefix `vrmr: DROP in INVALID '
DROP all -- anywhere anywhere state INVALID
BLOCKLIST all -- anywhere anywhere
ANTISPOOF all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 30/sec burst 60 state NEW LOG level info prefix `vrmr: DROP '
DROP all -- anywhere anywhere state NEW
LOG all -- anywhere anywhere limit: avg 30/sec burst 60 LOG level info prefix `vrmr: DROP in policy '

Chain FORWARD (policy DROP)
target prot opt source destination
PRE-VRMR-FORWARD all -- anywhere anywhere
ACC-eth0 all -- anywhere anywhere
ACC-eth0 all -- anywhere anywhere
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 1/sec burst 2 LOG level info prefix `vrmr: DROP probe ALL '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN limit: avg 1/sec burst 2 LOG level info prefix `vrmr: DROP probe SYN-FIN '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
LOG tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST limit: avg 1/sec burst 2 LOG level info prefix `vrmr: DROP probe SYN-RST '
DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
LOG tcp -- anywhere anywhere tcp flags:FIN,RST/FIN,RST limit: avg 1/sec burst 2 LOG level info prefix `vrmr: DROP probe FIN-RST '
DROP tcp -- anywhere anywhere tcp flags:FIN,RST/FIN,RST
LOG tcp -- anywhere anywhere tcp flags:FIN,ACK/FIN limit: avg 1/sec burst 2 LOG level info prefix `vrmr: DROP probe FIN '
DROP tcp -- anywhere anywhere tcp flags:FIN,ACK/FIN
LOG tcp -- anywhere anywhere tcp flags:PSH,ACK/PSH limit: avg 1/sec burst 2 LOG level info prefix `vrmr: DROP probe PSH '
DROP tcp -- anywhere anywhere tcp flags:PSH,ACK/PSH
LOG tcp -- anywhere anywhere tcp flags:ACK,URG/URG limit: avg 1/sec burst 2 LOG level info prefix `vrmr: DROP probe URG '
DROP tcp -- anywhere anywhere tcp flags:ACK,URG/URG
LOG tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW limit: avg 1/sec burst 2 LOG level info prefix `vrmr: DROP no SYN '
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
LOG all -f anywhere anywhere limit: avg 1/sec burst 2 LOG level info prefix `vrmr: DROP FRAG '
DROP all -f anywhere anywhere
ESTRELNFQUEUE all -- anywhere anywhere state RELATED,ESTABLISHED CONNMARK match !0x0
ACCEPT all -- anywhere anywhere MARK match 0x0/0xff000000 state ESTABLISHED
NEWACCEPT all -- anywhere anywhere MARK match 0x0/0xff000000 state RELATED
QUEUE all -- anywhere anywhere MARK match 0x1000000/0xff000000 state ESTABLISHED
NEWQUEUE all -- anywhere anywhere MARK match 0x1000000/0xff000000 state RELATED
LOG all -- anywhere anywhere state INVALID limit: avg 1/sec burst 2 LOG level info prefix `vrmr: DROP fw INVALID '
DROP all -- anywhere anywhere state INVALID
BLOCKLIST all -- anywhere anywhere
ANTISPOOF all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 30/sec burst 60 LOG level info prefix `vrmr: DROP fw policy '

Chain OUTPUT (policy DROP)
target prot opt source destination
PRE-VRMR-OUTPUT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACC-eth0 all -- anywhere anywhere
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 1/sec burst 2 LOG level info prefix `vrmr: DROP probe ALL '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN limit: avg 1/sec burst 2 LOG level info prefix `vrmr: DROP probe SYN-FIN '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
LOG tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST limit: avg 1/sec burst 2 LOG level info prefix `vrmr: DROP probe SYN-RST '
DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
LOG tcp -- anywhere anywhere tcp flags:FIN,RST/FIN,RST limit: avg 1/sec burst 2 LOG level info prefix `vrmr: DROP probe FIN-RST '
DROP tcp -- anywhere anywhere tcp flags:FIN,RST/FIN,RST
LOG tcp -- anywhere anywhere tcp flags:FIN,ACK/FIN limit: avg 1/sec burst 2 LOG level info prefix `vrmr: DROP probe FIN '
DROP tcp -- anywhere anywhere tcp flags:FIN,ACK/FIN
LOG tcp -- anywhere anywhere tcp flags:PSH,ACK/PSH limit: avg 1/sec burst 2 LOG level info prefix `vrmr: DROP probe PSH '
DROP tcp -- anywhere anywhere tcp flags:PSH,ACK/PSH
LOG tcp -- anywhere anywhere tcp flags:ACK,URG/URG limit: avg 1/sec burst 2 LOG level info prefix `vrmr: DROP probe URG '
DROP tcp -- anywhere anywhere tcp flags:ACK,URG/URG
LOG tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW limit: avg 1/sec burst 2 LOG level info prefix `vrmr: DROP no SYN '
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
LOG all -f anywhere anywhere limit: avg 1/sec burst 2 LOG level info prefix `vrmr: DROP FRAG '
DROP all -f anywhere anywhere
ESTRELNFQUEUE all -- anywhere anywhere state RELATED,ESTABLISHED CONNMARK match !0x0
ACCEPT all -- anywhere anywhere MARK match 0x0/0xff000000 state ESTABLISHED
NEWACCEPT all -- anywhere anywhere MARK match 0x0/0xff000000 state RELATED
QUEUE all -- anywhere anywhere MARK match 0x1000000/0xff000000 state ESTABLISHED
NEWQUEUE all -- anywhere anywhere MARK match 0x1000000/0xff000000 state RELATED
LOG all -- anywhere anywhere state INVALID limit: avg 1/sec burst 2 LOG level info prefix `vrmr: DROP out INVALID '
DROP all -- anywhere anywhere state INVALID
BLOCKLIST all -- anywhere anywhere
ANTISPOOF all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 30/sec burst 60 state NEW LOG level info prefix `vrmr: ACCEPT '
NEWACCEPT all -- anywhere anywhere state NEW
LOG all -- anywhere anywhere limit: avg 30/sec burst 60 LOG level info prefix `vrmr: DROP out policy '

Chain ACC-eth0 (4 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain ANTISPOOF (3 references)
target prot opt source destination

Chain BLOCK (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 1/sec burst 2 LOG level info prefix `vrmr: DROP BLOCKED '
DROP all -- anywhere anywhere

Chain BLOCKLIST (3 references)
target prot opt source destination

Chain ESTRELNFQUEUE (3 references)
target prot opt source destination

Chain NEWACCEPT (4 references)
target prot opt source destination
SYNLIMIT tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
UDPLIMIT udp -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere

Chain NEWNFQUEUE (0 references)
target prot opt source destination
SYNLIMIT tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
UDPLIMIT udp -- anywhere anywhere state NEW,RELATED

Chain NEWQUEUE (3 references)
target prot opt source destination
SYNLIMIT tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
UDPLIMIT udp -- anywhere anywhere state NEW
QUEUE all -- anywhere anywhere

Chain PRE-VRMR-FORWARD (1 references)
target prot opt source destination

Chain PRE-VRMR-INPUT (1 references)
target prot opt source destination

Chain PRE-VRMR-OUTPUT (1 references)
target prot opt source destination

Chain SYNLIMIT (3 references)
target prot opt source destination
RETURN all -- anywhere anywhere limit: avg 10/sec burst 20
LOG all -- anywhere anywhere limit: avg 1/sec burst 2 LOG level info prefix `vrmr: DROP SYNLIMIT reach. '
DROP all -- anywhere anywhere

Chain TCPRESET (0 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain UDPLIMIT (3 references)
target prot opt source destination
RETURN all -- anywhere anywhere limit: avg 15/sec burst 45
LOG all -- anywhere anywhere limit: avg 1/sec burst 2 LOG level info prefix `vrmr: DROP UDPLIMIT reach. '
DROP all -- anywhere anywhere
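Reviewing a generated ruleset by eye is error prone, and iptables -L without -v -n drops the interface column, so a rule such as "ACCEPT all -- anywhere anywhere" looks unconditional whether or not it is bound to lo. The script below is an added example, not part of the post or of Vuurmuur: it parses the iptables -L text format into chains, checks that the three built-in chains have a DROP policy, and flags every ACCEPT or NEWACCEPT rule whose source and destination are both "anywhere" with no further match (or only "state NEW"), so those lines can be re-checked with iptables -L -v -n. The sample dump embedded in the script is a shortened copy of the output shown above.

```python
"""Audit an 'iptables -L' dump for default policies and any-to-any accepts.

Added example, not part of the post or of Vuurmuur. SAMPLE_DUMP is a
shortened copy of the ruleset shown in the post.
"""
import re

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|\d+ references)\)")

SAMPLE_DUMP = """
Chain INPUT (policy DROP)
target prot opt source destination
PRE-VRMR-INPUT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACC-eth0 all -- anywhere anywhere
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 1/sec burst 2 LOG level info prefix `vrmr: DROP probe ALL '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
LOG all -f anywhere anywhere limit: avg 1/sec burst 2 LOG level info prefix `vrmr: DROP FRAG '
DROP all -f anywhere anywhere
DROP all -- anywhere anywhere state NEW

Chain FORWARD (policy DROP)
target prot opt source destination
PRE-VRMR-FORWARD all -- anywhere anywhere
ACC-eth0 all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
NEWACCEPT all -- anywhere anywhere state NEW

Chain ACC-eth0 (4 references)
target prot opt source destination
RETURN all -- anywhere anywhere
"""

BUILTIN = ("INPUT", "FORWARD", "OUTPUT")


def parse_dump(text):
    """Return {chain: {"policy": str or None, "rules": [dict, ...]}}."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = {"policy": m.group(2), "rules": []}
            chains[m.group(1)] = current
            continue
        if current is None or line.startswith("target "):
            continue  # column header, or text before the first chain
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        target, prot, opt, src, dst = parts[:5]
        current["rules"].append({
            "target": target, "prot": prot, "opt": opt,
            "src": src, "dst": dst,
            "match": parts[5] if len(parts) > 5 else "",
        })
    return chains


def audit(chains):
    """Return a list of findings; an empty list means nothing to review."""
    findings = []
    for name in BUILTIN:
        policy = chains.get(name, {}).get("policy")
        if policy != "DROP":
            findings.append(f"{name}: policy is {policy}, expected DROP")
    for name, chain in chains.items():
        for idx, rule in enumerate(chain["rules"], 1):
            if (rule["target"] in ("ACCEPT", "NEWACCEPT")
                    and rule["src"] == "anywhere" and rule["dst"] == "anywhere"
                    and rule["match"] in ("", "state NEW")):
                findings.append(
                    f"{name} rule {idx}: {rule['target']} {rule['prot']} any-to-any"
                    f" ({rule['match'] or 'no match'}); interface match, if any,"
                    " is hidden by 'iptables -L', confirm with 'iptables -L -v -n'")
    return findings


if __name__ == "__main__":
    import sys
    # Pipe 'iptables -L' into the script, or run it without input for the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for finding in audit(parse_dump(text)):
        print(finding)
```

On the dump from the post this reports the ACCEPT in INPUT, the ACCEPT in OUTPUT and the NEWACCEPT for state NEW in OUTPUT; the last one is the author's "it can reach anything" rule and is intended, the first two need the interface column to judge.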

Good luck trying it out
