Although I found a few helpful tips and preconfigured iptables-based firewall scripts with Google, I am always baffled by the fact that I don't know how to make a certain script run on bootup with Debian/Ubuntu... and sometimes those scripts don't work or it must be me who doesn't understand those scripts...
Iptables?! No, not for me. Even the tagalized instructions of Jond3rd won't go thru my thick skull. I just don't get it. :( Firestarter only works for me as a firewall and router, but the option to setup a transparent squid proxy doesn't work... any way I do it.
IpKungfu to the rescue! IpKungfu was the first ever firewall I used during my Mandrake 10.1 days. However, as I shifted to Ubuntu it was unfortunate then that it was not available then at the repos (from warty to breezy) so I had to use Firestarter. Good thing that it has finally reached Debian Stable (I think!) and now its in the universe repo of Ubuntu Dapper.
So how did I do it? Here's my how-to for newbies and wannabees. :)
Install IpKungfu (make sure you have the universe repositories enabled)
$sudo apt-get install ipkungfu
Edit /etc/ipkungfu/ipkungfu.conf according to your needs.
$sudo gedit /etc/ipkungfu/ipkungfu.conf
I edited the contents to look like this...
# Please read the README and FAQ for more information
# Some distros (most notably Redhat) don't have
# everything we need in $PATH so we specify it here.
# Make sure modprobe, iptables, and route are here,
# as well as ordinary items such as echo and grep.
# Default is as shown in the example below.
# Your external interface
# This is the one that connects to the internet.
# Ipkungfu will detect this if you don't specify.
# Your internal interfaces, if any. If you have more
# than 1 internal interface, separate them with
# spaces. If you only have one interface, put "lo"
# here. Default is auto-detected.
# IP Range of your internal network. Use "127.0.0.1"
# for a standalone machine. Default is a reasonable
# Set this to 0 for a standalone machine, or 1 for
# a gateway device to share an Internet connection.
# Default is 1.
# TCP ports you want to allow for incoming traffic
# Don't add ports here that you intend to forward.
# This should be a list of tcp ports that have
# servers listening on them on THIS machine,
# separated by spaces. Default is none.
# ALLOWED_TCP_IN="21 22"
# UDP ports to allow for incoming traffic
# See the comments above for ALLOWED_TCP_IN
# Temporarily block future connection attempts from an
# IP that hits these ports (If module is present)
FORBIDDEN_PORTS="135 137 139"
# Drop all ping packets?
# Set to 1 for yes, 0 for no. Default is no.
# Possible values here are "DROP", "REJECT", or "MIRROR"
# "DROP" means your computer will not respond at all. "Stealth mode"
# "REJECT" means your computer will respond with a
# message that the packet was rejected.
# "MIRROR", if your kernel supports it, will swap the source and
# destination IP addresses, and send the offending packet back
# where it came from. USE WITH EXTREME CAUTION! Only use this if you fully
# understand the consequences.
# The safest option, and the default in each case,, is "DROP". Don't change
# unless you fully understand this.
# What to do with 'probably malicious' packets
# What to do with obviously invalid traffic
# This is also the action for FORBIDDEN_PORTS
# What to do with port scans
# How should ipkungfu determine your IP address? The default
# answer, "NONE", will cause ipkungfu to not use the few
# features that require it to know your external IP address.
# This option is good for dialup users who run ipkungfu on
# bootup, since dialup users rarely use the features that
# require this, and the IP address for a dialup connection
# generally isn't known at bootup. "AUTO" will cause
# ipkungfu to automatically determine the IP address of
# $EXT_NET when it is started. If you have a static IP
# address you can simply enter your IP address here.
# If you do port forwarding and your ISP changes your IP
# address, choose NONE here, or your port forwarding
# will break when your IP address changes. Default is
# If the target for identd (113/tcp) is DROP, it can take
# a long time to connect to some IRC servers. Set this to
# 1 to speed up these connections with a negligible cost
# to security. Identd probes will be rejected with the
# 'reject-with-tcp-reset' option to close the connection
# gracefully. If you want to actually allow ident probes,
# and you're running an identd, and you've allowed port
# 113 in ALLOWED_TCP_IN, set this to 0. Default is 0.
# Set this to 0 if you're running ipkungfu on a machine
# inside your LAN. This will cause private IP addresses
# coming in on $EXT_NET to be identified as a spoof,
# which would be inaccurate on intra-LAN traffic
# This will cause private IP addresses coming in on
# $EXT_NET to be identified as a spoof. Default is 1.
# For reasons unknown to me, ipkungfu sometimes causes
# kernel panics when run at init time. This is my
# attempt to work around that. Ipkungfu will wait
# the specified number of seconds before starting, to
# let userspace/kernel traffic catch up before executing.
# Default is 0.
# This option, if enabled, will cause ipkungfu to set
# the default policy on all builtin chains in the filter
# table to ACCEPT in the event of a failure. This is
# intended for remote administrators who may be locked
# out of the firewall if ipkungfu fails. A warning to
# this effect will be echoed so that the situation can be
# rectified quickly. This is the same as running
# ipkungfu with --failsafe. Default is 0.
I only changed the following: Gateway, Local_Net, Block_Pings. I simply uncommented Suspect, Known_Bad, and Port Scan settings to DROP. The ReadMe and FAQ can be found at /usr/share/doc/ipkungfu.
To forward port 80 requests to the squid proxy server port, I opened /etc/ipkungfu/redirect.conf:
$sudo gedit /etc/ipkungfu/redirect.conf
...and changed the line "#tcp:80:3128:internal # transparent squid proxy" to "tcp:80:3128:internal # transparent squid proxy" without the apostrophes of course.
To start ipkungfu everytime the computer boots up, I opened /etc/default/ipkungfu:
$sudo gedit /etc/default/ipkungfu
... and change the line "IPKFSTART = 0" to "IPKFSTART=1".
Fire away ipkungfu!
I tested the firewall with the ShieldsUp test at grc.com and it passed with flying colors.
I also tested transparent squid proxy by taking a peek at /var/log/squid/access.log...
$sudo tail -f /var/log/squid/access.log
...and there I saw all PCs in our LAN browsing the net, without them knowing that they were actually proxied.
That's it! I have a firewall and router, I was able to forward port 80 requests to the squid proxy server, and I was able to make ipkungfu ran on bootups!
Now, for linux gurus... this must be a piece of cake but for someone like me who does have not any idea about iptables, netfilters, and among other things.. this is already a slice of heaven.
IpKungfu kicks hard! Eeyah!
P.S.: I must say that I have already configured squid proxy and dhcp to work long before I tried on ipkungfu. So if there is anyone interested on my dhcp.conf and squid.conf, I'm glad to share.