Tuesday, June 27, 2006

IpKungfu kicks Firestarter out of my Ubuntu box

For as long as I have been using Linux, I have been trying to make a transparent Squid proxy work. I had no problems setting up the Squid proxy, including the lines I needed to add to squid.conf to make it work, but what pained me was how to forward port 80 requests to the Squid proxy.

Although I found a few helpful tips and preconfigured iptables-based firewall scripts with Google, I am always baffled by the fact that I don't know how to make a certain script run on bootup with Debian/Ubuntu... and sometimes those scripts don't work or it must be me who doesn't understand those scripts...

Iptables?! No, not for me. Even the tagalized instructions of Jond3rd won't go through my thick skull. I just don't get it. :( Firestarter only works for me as a firewall and router, but the option to set up a transparent Squid proxy doesn't work... any way I do it.

IpKungfu to the rescue! IpKungfu was the first firewall I ever used, back in my Mandrake 10.1 days. However, when I shifted to Ubuntu it was unfortunately not available in the repos (from Warty to Breezy), so I had to use Firestarter. Good thing that it has finally reached Debian Stable (I think!) and now it's in the universe repo of Ubuntu Dapper.

So how did I do it? Here's my how-to for newbies and wannabees. :)

Install IpKungfu (make sure you have the universe repositories enabled)

$ sudo apt-get install ipkungfu

Edit /etc/ipkungfu/ipkungfu.conf according to your needs.

$ sudo gedit /etc/ipkungfu/ipkungfu.conf

I edited the contents to look like this...

# Please read the README and FAQ for more information

# Some distros (most notably Redhat) don't have
# everything we need in $PATH so we specify it here.
# Make sure modprobe, iptables, and route are here,
# as well as ordinary items such as echo and grep.
# Default is as shown in the example below.

# Your external interface
# This is the one that connects to the internet.
# Ipkungfu will detect this if you don't specify.

# Your internal interfaces, if any. If you have more
# than 1 internal interface, separate them with
# spaces. If you only have one interface, put "lo"
# here. Default is auto-detected.

# IP Range of your internal network. Use ""
# for a standalone machine. Default is a reasonable
# guess.

# Set this to 0 for a standalone machine, or 1 for
# a gateway device to share an Internet connection.
# Default is 1.

# TCP ports you want to allow for incoming traffic
# Don't add ports here that you intend to forward.
# This should be a list of tcp ports that have
# servers listening on them on THIS machine,
# separated by spaces. Default is none.
# ALLOWED_TCP_IN="21 22"

# UDP ports to allow for incoming traffic
# See the comments above for ALLOWED_TCP_IN

# Temporarily block future connection attempts from an
# IP that hits these ports (If module is present)
FORBIDDEN_PORTS="135 137 139"

# Drop all ping packets?
# Set to 1 for yes, 0 for no. Default is no.

# Possible values here are "DROP", "REJECT", or "MIRROR"
# "DROP" means your computer will not respond at all. "Stealth mode"
# "REJECT" means your computer will respond with a
# message that the packet was rejected.
# "MIRROR", if your kernel supports it, will swap the source and
# destination IP addresses, and send the offending packet back
# where it came from. USE WITH EXTREME CAUTION! Only use this if you fully
# understand the consequences.
# The safest option, and the default in each case, is "DROP". Don't change
# unless you fully understand this.

# What to do with 'probably malicious' packets

# What to do with obviously invalid traffic
# This is also the action for FORBIDDEN_PORTS

# What to do with port scans

# How should ipkungfu determine your IP address? The default
# answer, "NONE", will cause ipkungfu to not use the few
# features that require it to know your external IP address.
# This option is good for dialup users who run ipkungfu on
# bootup, since dialup users rarely use the features that
# require this, and the IP address for a dialup connection
# generally isn't known at bootup. "AUTO" will cause
# ipkungfu to automatically determine the IP address of
# $EXT_NET when it is started. If you have a static IP
# address you can simply enter your IP address here.
# If you do port forwarding and your ISP changes your IP
# address, choose NONE here, or your port forwarding
# will break when your IP address changes. Default is
# "NONE".

# If the target for identd (113/tcp) is DROP, it can take
# a long time to connect to some IRC servers. Set this to
# 1 to speed up these connections with a negligible cost
# to security. Identd probes will be rejected with the
# 'reject-with-tcp-reset' option to close the connection
# gracefully. If you want to actually allow ident probes,
# and you're running an identd, and you've allowed port
# 113 in ALLOWED_TCP_IN, set this to 0. Default is 0.

# Set this to 0 if you're running ipkungfu on a machine
# inside your LAN. This will cause private IP addresses
# coming in on $EXT_NET to be identified as a spoof,
# which would be inaccurate on intra-LAN traffic
# This will cause private IP addresses coming in on
# $EXT_NET to be identified as a spoof. Default is 1.

# For reasons unknown to me, ipkungfu sometimes causes
# kernel panics when run at init time. This is my
# attempt to work around that. Ipkungfu will wait
# the specified number of seconds before starting, to
# let userspace/kernel traffic catch up before executing.
# Default is 0.

# This option, if enabled, will cause ipkungfu to set
# the default policy on all builtin chains in the filter
# table to ACCEPT in the event of a failure. This is
# intended for remote administrators who may be locked
# out of the firewall if ipkungfu fails. A warning to
# this effect will be echoed so that the situation can be
# rectified quickly. This is the same as running
# ipkungfu with --failsafe. Default is 0.

I only changed the following: Gateway, Local_Net, Block_Pings. I simply uncommented the Suspect, Known_Bad, and Port Scan settings, which are set to DROP. The README and FAQ can be found at /usr/share/doc/ipkungfu.

To forward port 80 requests to the squid proxy server port, I opened /etc/ipkungfu/redirect.conf:

$ sudo gedit /etc/ipkungfu/redirect.conf

...and changed the line "#tcp:80:3128:internal # transparent squid proxy" to "tcp:80:3128:internal # transparent squid proxy" (without the quotation marks, of course); that is, I removed the leading "#".
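What that redirect.conf entry amounts to in iptables terms, as an added example (not code from this post or from ipkungfu itself). It assumes the four fields mean protocol, requested port, local port to redirect to, and the side the traffic arrives on; the interface names eth0 and eth1 are hypothetical, and the printed rule is the usual transparent-proxy REDIRECT rule, not necessarily the exact rule ipkungfu generates.

```shell
#!/bin/sh
# Added illustration: print the iptables NAT rule that a redirect.conf-style
# entry corresponds to. Nothing is applied to the running firewall.
# ASSUMPTIONS: fields are proto:requested_port:local_port:direction, and the
# interface names below are hypothetical placeholders.
INT_DEV=eth1   # LAN-facing interface (hypothetical)
EXT_DEV=eth0   # Internet-facing interface (hypothetical)

is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Returns 0 and prints a rule, 2 for a commented/blank line, 1 for bad input.
redirect_to_iptables() {
    entry=${1%%#*}                                  # strip trailing comment
    entry=$(printf '%s' "$entry" | tr -d ' \t')     # strip whitespace
    [ -n "$entry" ] || return 2
    IFS=: read -r proto from to dir extra <<EOF
$entry
EOF
    if [ -z "$dir" ] || [ -n "$extra" ]; then
        echo "expected 4 fields: $entry" >&2; return 1
    fi
    case "$proto" in
        tcp|udp) ;;
        *) echo "bad protocol: $proto" >&2; return 1 ;;
    esac
    if ! is_port "$from" || ! is_port "$to"; then
        echo "bad port in: $entry" >&2; return 1
    fi
    case "$dir" in
        internal) dev=$INT_DEV ;;   # only LAN clients are redirected
        external) dev=$EXT_DEV ;;
        *) echo "bad direction: $dir" >&2; return 1 ;;
    esac
    echo "iptables -t nat -A PREROUTING -i $dev -p $proto --dport $from -j REDIRECT --to-ports $to"
}

# Constructed sample: the stock (commented) line, then the edited line.
printf '%s\n' '#tcp:80:3128:internal # transparent squid proxy' \
              'tcp:80:3128:internal # transparent squid proxy' |
while IFS= read -r line; do
    redirect_to_iptables "$line" || echo "(no rule for: $line)"
done
```

After starting ipkungfu, `sudo iptables -t nat -L PREROUTING -n -v` lists the NAT rules actually loaded, for comparison with the printed one.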

To start ipkungfu every time the computer boots up, I opened /etc/default/ipkungfu:

$ sudo gedit /etc/default/ipkungfu

...and changed the line "IPKFSTART = 0" to "IPKFSTART=1".

Fire away ipkungfu!

$ sudo ipkungfu

I tested the firewall with the ShieldsUp test at grc.com and it passed with flying colors.

I also tested transparent squid proxy by taking a peek at /var/log/squid/access.log...

$ sudo tail -f /var/log/squid/access.log

...and there I saw all PCs in our LAN browsing the net, without them knowing that they were actually proxied.

That's it! I have a firewall and router, I was able to forward port 80 requests to the Squid proxy server, and I was able to make ipkungfu run on bootup!

Now, for Linux gurus... this must be a piece of cake, but for someone like me who does not have any idea about iptables, netfilter, and other things... this is already a slice of heaven.

IpKungfu kicks hard! Eeyah!

P.S.: I must say that I had already configured Squid proxy and DHCP to work long before I tried ipkungfu. So if anyone is interested in my dhcp.conf and squid.conf, I'm glad to share.


Anonymous said...

Thanks heaps for the introduction to IpKungfu! It really is an easy-to-set-up firewall, once you know where the config file is and how to make it start!

AlbuEmil said...


I've tried out IPKungfu, and it's really easy to configure and it seems a lot more intuitive than any other firewall I've tried, so I have to thank you for introducing IPKungfu to me.

I'd like to know how you configured the Squid proxy, 'cause I'm having a few problems with it. I know it's easy to configure it, but still, a tutorial would be nice :-)

fishfillet said...

Hi albuemil!

I blogged on my basic squid configuration here: http://teqnix.blogspot.com/2007/03/my-basic-squid-proxy-configuration.html

Mr said...

thanx in advance

tr4ngo said...

Man, your page rocks. I'm from Mexico and was trying to get things to work with iptables and Squid with easyfwgen. Apparently it worked great but, as I imagine happened to you too, after trying other things everything became a mess in the infinite world of iptables, so I found your suggestion and it worked perfectly. Thanks a lot, it really saved me a lot of time. I have only one question: how can I make my web server visible to the WWW with ipkungfu? I mean, I tried with the conf file vhosts.conf but it didn't work. Any suggestions??

fishfillet said...

@tr4ngo: Thank you for the kind words... but hey, don't expect too much from me as I am just a newbie. :)

Other than editing vhosts.conf... have you tried uncommenting Allowed_TCP_IN and then adding port 80?

I haven't tried it but it may work.

Good luck and thank you for dropping by.

Anonymous said...

Wow, my friend, I tried it but it didn't work. Any other suggestion...

fishfillet said...

I know this may sound stupid.. but do you have a router?

If you have one, you may have to configure it also.

Sorry, if you have already done that.

Anonymous said...

Well, in fact I have an ADSL router but it works like a bridge, so in theory all packets come directly to my Linux box, so I think it is more related to opening ports with iptables. Uhhhh, I guess I will have to get into iptables again... :(

fishfillet said...

How about your ISP, bro? Do they allow it? Please let me know if you ever find a solution. BTW, there's a conf in the ipkungfu folder where you can place your custom iptables commands.


Hacky said...

How are you, sir? One of these days I'll drop by your place and ask you about ipkungfu and Squid.
