Author Topic: dCore firewall install, anyone successful?  (Read 3779 times)

Offline nitram

  • Hero Member
  • *****
  • Posts: 1054
dCore firewall install, anyone successful?
« on: January 01, 2016, 05:33:27 PM »
UFW fail in dCore-jessie, appears to install okay, missing configuration files, can't enable or check status. Prefer UFW over plain iptables. Will play as time permits, advice appreciated. No obvious relevant old forum posts. Anyone running a firewall with dCore? Thanks.
Code:
tc@box:/tmp/tcloop/ufw/etc/init.d$ sudo /etc/init.d/ufw start
Could not find /etc/ufw/ufw.conf (aborting)
tc@box:/tmp/tcloop/ufw/etc/init.d$ sudo ufw status verbose
ERROR: Couldn't stat '/etc/ufw/after6.rules'

Offline nitram

  • Hero Member
  • *****
  • Posts: 1054
Re: dCore firewall install, anyone successful?
« Reply #1 on: January 01, 2016, 06:28:07 PM »
Dropped UFW. Learning iptables, works with preliminary testing. This guide has been helpful: http://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-firewall/. Don't want to spend too much time on this, just basic firewall configuration. If I can figure it out will start dCore wiki entry for system security or under existing dCore Server Applications. For basic use, may just need an  iptables --policy INPUT DROP  entry in bootlocal.sh. Still if anyone has iptables or dCore firewall feedback, appreciated. Thanks.

Offline nitram

  • Hero Member
  • *****
  • Posts: 1054
Re: dCore firewall install, anyone successful?
« Reply #2 on: January 02, 2016, 03:54:21 AM »
Unable to fully set up iptables in dCore-jessie. Best guess is the kernel is not configured for it. Basic commands like  sudo iptables -P INPUT DROP  work fine. Toggling INPUT, FORWARD and OUTPUT between DROP and ACCEPT allows/blocks internet connection. Some exception rules don't work, however, even rules that work fine in TC 6. This is an entry from the TC 6 iptables basic-firewall script.

Code:
tc@box:~$ sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables: No chain/target/match by that name.

Research indicates this is likely due to an unsupported kernel:
http://www.linux.org/threads/iptables-no-chain-target-match-by-that-name.4656/
http://www.linuxquestions.org/questions/linux-networking-3/iptables-no-chain-target-match-by-that-name-52034/

Running  lsmod | grep ip  outputs nothing:
Code:
tc@box:~$ lsmod | grep ip
tc@box:~$

Feedback appreciated. If fixable, guidance please. If kernel related, could I request a kernel that supports iptables?

Based on above link:
Quote
Sounds more like you're missing some modules, rather than a screwed up firewall script. Use lsmod and make sure that you have modules loaded for the iptables flags and chains. Looking at the modules I have loaded now that are relevant for iptables:

ipt_REJECT
ipt_LOG
ipt_state
ipt_MASQUERADE
iptable_nat
ip_conntrack
iptable_filter
ip_tables

I would bet that you're not loading one or more of them. Narrow down what you're missing and make and install the lost modules.

What distro are you using? Most should have iptables support or at least ipchains/ipfwadmin built in out of the box. So it's kind of strange that you had to recompile the kernel just to get support.

Offline nitram

  • Hero Member
  • *****
  • Posts: 1054
Re: dCore firewall install, anyone successful?
« Reply #3 on: January 02, 2016, 06:03:31 AM »
lsmod | grep ip  from TC6:
Code:
iptable_nat            12288  0
nf_conntrack_ipv4      12288  2
nf_defrag_ipv4         12288  1 nf_conntrack_ipv4
nf_nat_ipv4            12288  1 iptable_nat
nf_nat                 16384  2 iptable_nat,nf_nat_ipv4
nf_conntrack           45056  6 xt_conntrack,nf_conntrack_ftp,iptable_nat,nf_conntrack_ipv4,nf_nat_ipv4,nf_nat

Offline Rich

  • Administrator
  • Hero Member
  • *****
  • Posts: 11178
Re: dCore firewall install, anyone successful?
« Reply #4 on: January 02, 2016, 07:06:30 AM »
Hi nitram
do you have the  netfilter  package installed?

Offline nitram

  • Hero Member
  • *****
  • Posts: 1054
Re: dCore firewall install, anyone successful?
« Reply #5 on: January 02, 2016, 08:14:18 AM »
Do now, thanks Rich :)
iptables now behaving, glad it was so simple.
Eventual entry for dCore users wanting firewall: http://wiki.tinycorelinux.net/dcore:server_applications.

Offline Rich

  • Administrator
  • Hero Member
  • *****
  • Posts: 11178
Re: dCore firewall install, anyone successful?
« Reply #6 on: January 02, 2016, 08:36:00 AM »
Hi nitram
Yes, it was pretty simple. The only listed dependency for  iptables  was  netfilter. Checking the  list  file for  netfilter  showed it contained the missing modules.
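
Added example, not part of the original posts and not Tiny Core project code: a preflight check that parses lsmod-format text and reports which modules a stateful rule such as `-m state --state ESTABLISHED,RELATED` would be missing, so a boot script can stop before iptables answers "No chain/target/match by that name". The function names and the required-module list are assumptions; the module names are taken from the TC6 listing earlier in the thread.

```shell
#!/bin/sh
# Assumption: modules needed for the stateful rule, named after the TC6
# listing in this thread. Support built into the kernel does not appear
# in lsmod and is not detected by this check.
REQUIRED="nf_conntrack xt_conntrack"

# loaded_modules: read lsmod-format text on stdin, print one module per line.
# Collects column 1 and the comma-separated "Used by" column, so a module
# whose own row was filtered out (e.g. by `grep ip`) still counts when
# another row names it as a user.
loaded_modules() {
    awk '$1 != "Module" && NF >= 3 {
             print $1
             if (NF >= 4) { n = split($4, u, ","); for (i = 1; i <= n; i++) print u[i] }
         }' | sort -u
}

# missing_modules: print the REQUIRED modules absent from the listing on stdin.
missing_modules() {
    loaded=$(loaded_modules)
    out=""
    for m in $REQUIRED; do
        printf '%s\n' "$loaded" | grep -qx "$m" || out="$out $m"
    done
    printf '%s' "${out# }"
}

# preflight: return 0 and print "ok" only when nothing is missing.
preflight() {
    miss=$(printf '%s\n' "$1" | missing_modules)
    if [ -n "$miss" ]; then echo "missing: $miss"; return 1; fi
    echo "ok"
}

# Constructed sample: the TC6 `lsmod | grep ip` rows quoted in the thread.
TC6_SAMPLE='iptable_nat            12288  0
nf_conntrack_ipv4      12288  2
nf_defrag_ipv4         12288  1 nf_conntrack_ipv4
nf_nat_ipv4            12288  1 iptable_nat
nf_nat                 16384  2 iptable_nat,nf_nat_ipv4
nf_conntrack           45056  6 xt_conntrack,nf_conntrack_ftp,iptable_nat,nf_conntrack_ipv4,nf_nat_ipv4,nf_nat'

# Constructed sample: dCore before netfilter was installed (empty listing).
DCORE_SAMPLE=''

preflight "$TC6_SAMPLE" || true
preflight "$DCORE_SAMPLE" || true
```

On a live system the same check is `lsmod | missing_modules`, run before the rules in bootlocal.sh are applied.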


Offline nitram

  • Hero Member
  • *****
  • Posts: 1054
Re: dCore firewall install, anyone successful?
« Reply #7 on: January 02, 2016, 08:58:28 AM »
Still figuring out dCore. Didn't realize how much I relied on Apps until it was gone. Bookmarked: http://packages.tinycorelinux.net. Thanks again.