Tuesday, June 27, 2006

IpKungfu kicks Firestarter out of my Ubuntu box

For as long as I have been using Linux, I have been trying to make a transparent Squid proxy work. I had no problems setting up the Squid proxy, including the lines I needed to add to squid.conf to make it work, but what pained me was how to forward port 80 requests to the Squid proxy.

Although I found a few helpful tips and preconfigured iptables-based firewall scripts with Google, I am always baffled by the fact that I don't know how to make a certain script run on bootup with Debian/Ubuntu... and sometimes those scripts don't work or it must be me who doesn't understand those scripts...

Iptables?! No, not for me. Even the tagalized instructions of Jond3rd won't go thru my thick skull. I just don't get it. :( Firestarter only works for me as a firewall and router, but the option to set up a transparent squid proxy doesn't work... any way I do it.

IpKungfu to the rescue! IpKungfu was the first ever firewall I used during my Mandrake 10.1 days. However, when I shifted to Ubuntu, it was unfortunately not available in the repos (from warty to breezy), so I had to use Firestarter. Good thing that it has finally reached Debian Stable (I think!) and now it's in the universe repo of Ubuntu Dapper.

So how did I do it? Here's my how-to for newbies and wannabees. :)

Install IpKungfu (make sure you have the universe repositories enabled)

$ sudo apt-get install ipkungfu

Edit /etc/ipkungfu/ipkungfu.conf according to your needs.

$ sudo gedit /etc/ipkungfu/ipkungfu.conf

I edited the contents to look like this...

# Please read the README and FAQ for more information

# Some distros (most notably Redhat) don't have
# everything we need in $PATH so we specify it here.
# Make sure modprobe, iptables, and route are here,
# as well as ordinary items such as echo and grep.
# Default is as shown in the example below.

# Your external interface
# This is the one that connects to the internet.
# Ipkungfu will detect this if you don't specify.

# Your internal interfaces, if any. If you have more
# than 1 internal interface, separate them with
# spaces. If you only have one interface, put "lo"
# here. Default is auto-detected.

# IP Range of your internal network. Use ""
# for a standalone machine. Default is a reasonable
# guess.

# Set this to 0 for a standalone machine, or 1 for
# a gateway device to share an Internet connection.
# Default is 1.

# TCP ports you want to allow for incoming traffic
# Don't add ports here that you intend to forward.
# This should be a list of tcp ports that have
# servers listening on them on THIS machine,
# separated by spaces. Default is none.
# ALLOWED_TCP_IN="21 22"

# UDP ports to allow for incoming traffic
# See the comments above for ALLOWED_TCP_IN

# Temporarily block future connection attempts from an
# IP that hits these ports (If module is present)
FORBIDDEN_PORTS="135 137 139"

# Drop all ping packets?
# Set to 1 for yes, 0 for no. Default is no.

# Possible values here are "DROP", "REJECT", or "MIRROR"
# "DROP" means your computer will not respond at all. "Stealth mode"
# "REJECT" means your computer will respond with a
# message that the packet was rejected.
# "MIRROR", if your kernel supports it, will swap the source and
# destination IP addresses, and send the offending packet back
# where it came from. USE WITH EXTREME CAUTION! Only use this if you fully
# understand the consequences.
# The safest option, and the default in each case, is "DROP". Don't change
# unless you fully understand this.

# What to do with 'probably malicious' packets

# What to do with obviously invalid traffic
# This is also the action for FORBIDDEN_PORTS

# What to do with port scans

# How should ipkungfu determine your IP address? The default
# answer, "NONE", will cause ipkungfu to not use the few
# features that require it to know your external IP address.
# This option is good for dialup users who run ipkungfu on
# bootup, since dialup users rarely use the features that
# require this, and the IP address for a dialup connection
# generally isn't known at bootup. "AUTO" will cause
# ipkungfu to automatically determine the IP address of
# $EXT_NET when it is started. If you have a static IP
# address you can simply enter your IP address here.
# If you do port forwarding and your ISP changes your IP
# address, choose NONE here, or your port forwarding
# will break when your IP address changes. Default is
# "NONE".

# If the target for identd (113/tcp) is DROP, it can take
# a long time to connect to some IRC servers. Set this to
# 1 to speed up these connections with a negligible cost
# to security. Identd probes will be rejected with the
# 'reject-with-tcp-reset' option to close the connection
# gracefully. If you want to actually allow ident probes,
# and you're running an identd, and you've allowed port
# 113 in ALLOWED_TCP_IN, set this to 0. Default is 0.

# Set this to 0 if you're running ipkungfu on a machine
# inside your LAN. This will cause private IP addresses
# coming in on $EXT_NET to be identified as a spoof,
# which would be inaccurate on intra-LAN traffic
# This will cause private IP addresses coming in on
# $EXT_NET to be identified as a spoof. Default is 1.

# For reasons unknown to me, ipkungfu sometimes causes
# kernel panics when run at init time. This is my
# attempt to work around that. Ipkungfu will wait
# the specified number of seconds before starting, to
# let userspace/kernel traffic catch up before executing.
# Default is 0.

# This option, if enabled, will cause ipkungfu to set
# the default policy on all builtin chains in the filter
# table to ACCEPT in the event of a failure. This is
# intended for remote administrators who may be locked
# out of the firewall if ipkungfu fails. A warning to
# this effect will be echoed so that the situation can be
# rectified quickly. This is the same as running
# ipkungfu with --failsafe. Default is 0.

I only changed the following: Gateway, Local_Net, Block_Pings. I simply uncommented Suspect, Known_Bad, and Port Scan settings to DROP. The ReadMe and FAQ can be found at /usr/share/doc/ipkungfu.

To forward port 80 requests to the squid proxy server port, I opened /etc/ipkungfu/redirect.conf:

$ sudo gedit /etc/ipkungfu/redirect.conf

...and changed the line "#tcp:80:3128:internal # transparent squid proxy" to "tcp:80:3128:internal # transparent squid proxy", without the quotation marks of course.
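What that one line asks the firewall to do, as an added sketch that is not from the original post and is not ipkungfu's own code: it turns a redirect.conf-style line into the equivalent iptables NAT rule and prints it without running it. The field layout (protocol:port:redirect-to-port:direction) is inferred from the line above, and the interface name eth1 is a hypothetical placeholder for the LAN-facing card.

```shell
#!/bin/sh
# Added illustration, not ipkungfu's own code: show the NAT rule that a
# redirect.conf-style line stands for. Assumed fields, inferred from the
# page's line: protocol:port:redirect-to-port:direction
INT_DEV="${INT_DEV:-eth1}"   # hypothetical LAN-facing interface name

valid_port() {
    case "$1" in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

redirect_to_iptables() {
    line=${1%%#*}                                # drop comment text
    line=$(printf '%s' "$line" | tr -d ' \t')    # drop padding
    [ -n "$line" ] || return 0                   # commented out: no rule
    case "$line" in
        *:*:*:*:*) echo "too many fields: $line" >&2; return 1 ;;
        *:*:*:*)   ;;
        *)         echo "too few fields: $line" >&2; return 1 ;;
    esac
    proto=${line%%:*}; rest=${line#*:}
    port=${rest%%:*};  rest=${rest#*:}
    to_port=${rest%%:*}; dir=${rest#*:}
    case "$proto" in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    if ! valid_port "$port" || ! valid_port "$to_port"; then
        echo "bad port in: $line" >&2; return 1
    fi
    # Only the direction used on the page is handled here.
    [ "$dir" = internal ] || { echo "unhandled direction: $dir" >&2; return 1; }
    # Matching on the inbound interface keeps the redirect limited to LAN clients.
    echo "iptables -t nat -A PREROUTING -i $INT_DEV -p $proto" \
         "--dport $port -j REDIRECT --to-ports $to_port"
}

# Constructed sample input: the active and the commented-out form of the line.
redirect_to_iptables "tcp:80:3128:internal # transparent squid proxy"
redirect_to_iptables "#tcp:80:3128:internal # transparent squid proxy"
```

Once ipkungfu is running, the rules actually loaded can be listed with `sudo iptables -t nat -L PREROUTING -n -v`. Keep 3128 out of ALLOWED_TCP_IN so the proxy port is not opened to the Internet side.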

To start ipkungfu every time the computer boots up, I opened /etc/default/ipkungfu:

$ sudo gedit /etc/default/ipkungfu

...and changed the line "IPKFSTART = 0" to "IPKFSTART=1".

Fire away ipkungfu!

$ sudo ipkungfu

I tested the firewall with the ShieldsUp test at grc.com and it passed with flying colors.

I also tested transparent squid proxy by taking a peek at /var/log/squid/access.log...

$ sudo tail -f /var/log/squid/access.log

...and there I saw all PCs in our LAN browsing the net, without them knowing that they were actually proxied.

That's it! I have a firewall and router, I was able to forward port 80 requests to the squid proxy server, and I was able to make ipkungfu run on bootup!

Now, for linux gurus... this must be a piece of cake, but for someone like me who does not have any idea about iptables and netfilter, among other things... this is already a slice of heaven.

IpKungfu kicks hard! Eeyah!

P.S.: I must say that I had already configured squid proxy and dhcp to work long before I tried ipkungfu. So if there is anyone interested in my dhcp.conf and squid.conf, I'm glad to share.

Friday, June 23, 2006

Oh my Tangerine!!!

I am done with Vista-like or iMac-like Ubuntu desktops! So here is my Ubuntu Dapper Tangerine desktop for a change...

I love the icons... plus a touch of transparent panels...

Whoa, I am using a wallpaper entitled Uplifted by marko cavka...

Transparent Gnome-Terminal with an orange-skinned XMMS. :)

Wednesday, June 21, 2006

Dapper at Last!

Finally, I am on Dapper! I used the Edubuntu Dapper Live CD sent to me by someone I don't even personally know... Wendy Acetes from Daly City. Wendy was the first one who offered to give me Ubuntu CDs after I pleaded thru this blog. Thanks Wendy!

Unfortunately, I accidentally scratched the CDs given by Charo when I placed them in my motorbike's compartment. What a pity!

My first impression of Dapper?! One word: FAST! Two Words: Really FAST!

I like how they were able to make it boot faster... and shut down a lot faster than Breezy, too. I also like the default theme - the colors and icons and all that stuff.

However, it seems that they streamlined it to the bare necessities so gone are the other applications you see on Breezy.

My first attempt to update my Dapper box (which I named TEQNIX after this blog) was last Monday. Although not continuously, I was able to finish the download of 90 plus updated deb packages this morning... including the kernel updates. I am still using dial-up, remember?!

Other applications I have installed were the following (with some help from ubuntuguide.org, automatix, and easyubuntu): Etherape, Firefox plugins (java, flash, mplayer), FrostWire, Gaim 2.0 Beta, gFTP, Gnome-PPP, Java, GnomeBaker, XPad, MS Core Fonts, MPlayer, XMMS, Simple Backup and Restore (ala System Restore), Boot-Up Manager and of course, the much-needed Audio Video Codecs... oh yes, I almost forgot Squid HTTP Proxy, Firestarter, SAMBA and DHCP3-Server which I had no problem setting up as I used the old .conf which worked like a charm.

I had no problems with NVidia Video Card, sound card, my external modem, and war-torn HP printer. No problem too with my dial-up connection setup.

As for the installation itself, it's a great idea to have a Live CD that has a nice GUI for the installation process, but somehow I still prefer the text-based installation on *buntu install CDs. The bottom line: both are good, but I prefer text-based.

So far, everything is bliss... as in heaven for me with my Edubuntu Dapper box. Oh well, I'm easily pleased!

Now, if only someone can give me *buntu InStALL CDs... and that's another story. :)

Thursday, June 01, 2006

How do I update an internet-less Ubuntu box: a Repost!

Perhaps the fastest way to update an internet-less Ubuntu box is to bring the CPU to an internet shop, connect it to the Local Area Network with a shared internet connection and then do the “sudo apt-get update”. I guess that’s what Zak has been doing…

But in Linux, there are almost always a number of ways to do things on your PC, and this is my way of updating an internet-less Ubuntu box.

On an updated PC that I configured not to delete the downloaded (and updated) deb packages located at /var/cache/apt/archives, I copy the packages in that folder to a folder in my home directory, thus:

$ cp /var/cache/apt/archives/*.deb ~/Desktop/updeb

I then burned the contents of ~/Desktop/updeb folder to a CD(s) with GnomeBaker or any CD Burning app of your preference.

Now going to the internet-less PC, copy the contents of the CD containing the updated deb packages to a folder at the home directory of the internet-less PC.

$ mkdir ~/deb

$ cp /media/cdrom/* ~/deb

Now go to the directory where you copied the packages:

$ cd ~/deb

Do this while in the said directory to create Packages.gz:

$ dpkg-scanpackages . /dev/null | gzip -9c > Packages.gz

Open and edit /etc/apt/sources.list to add the local folder as a repo…

$ sudo gedit /etc/apt/sources.list

Insert the following line at the end of the file…

deb file:/home/username/deb/. /

Save and close the file. Update and upgrade with Synaptic or at the CLI!

$ sudo apt-get update

$ sudo apt-get upgrade

P.S.: Make sure you have installed the dpkg-dev package on the internet-less PC from the Ubuntu CD Installer before anything else.

$ sudo apt-get install dpkg-dev

I hope this helps!
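A repository built with dpkg-scanpackages as above has no signed Release file, so apt cannot authenticate these packages itself. The following added example (not part of the original post; the manifest name SHA256SUMS is an assumption) writes a checksum manifest on the updated PC and checks it on the internet-less PC before the packages are indexed, rejecting both altered files and packages the manifest never listed.

```shell
#!/bin/sh
# Added example, not from the original post: checksum manifest for the
# .deb files carried between the two machines.
MANIFEST=SHA256SUMS   # assumed manifest file name

# On the updated PC: run on the folder that will be burned to CD,
# e.g.  make_manifest ~/Desktop/updeb
make_manifest() (
    cd "$1" || exit 1
    sha256sum -- *.deb > "$MANIFEST"
)

# On the internet-less PC: run on the copied folder before
# dpkg-scanpackages, e.g.  verify_manifest ~/deb
# Fails on a changed or corrupt package and on any .deb that the
# manifest does not list.
verify_manifest() (
    cd "$1" || exit 1
    [ -f "$MANIFEST" ] || { echo "no $MANIFEST in $1" >&2; exit 1; }
    # Every listed file must be present and hash to the recorded value.
    sha256sum -c --quiet "$MANIFEST" >&2 || exit 1
    # sha256sum -c ignores extra files, so look for unlisted packages too.
    for f in *.deb; do
        [ -e "$f" ] || continue
        grep -q -F -x -e "$(sha256sum -- "$f")" "$MANIFEST" || {
            echo "unlisted package: $f" >&2; exit 1; }
    done
)
```

The manifest only proves the files match what left the updated PC, so compare it against a copy that did not travel on the same CD if tampering in transit is a concern.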