Securing Linux Server with IPKungfu
by Huy Tran on Oct.31, 2007, under Linux, Open Source, Security, Tips - Tricks, Ubuntu
Ipkungfu (also known as linuxkungfu) is an iptables firewall script. With ipkungfu you can easily configure which ports on the server are open to incoming connections, restrict who can access the server, and enable other security features. See the ipkungfu website at http://www.linuxkungfu.org/ for the complete list of features.
Ipkungfu is available in the Ubuntu repositories. To install it, run
# aptitude install ipkungfu
Ipkungfu should now be working.
After installing ipkungfu, type
# ipkungfu
to configure ipkungfu and answer “yes” if you are prompted.
At this point, if you are connecting remotely via SSH, take care not to lock yourself out, because by default ipkungfu blocks all incoming connections. If you are working directly at the terminal, there is no problem. Open the file /etc/ipkungfu/services.conf and append ACCEPT to the line for each port that you want to open.
# Service Names and Protocols are lowercase, Targets are UPPERCASE.
#
# Example:
# ssh:22:tcp:ACCEPT
ftp-data:20:tcp
ftp:21:tcp
ssh:22:tcp:ACCEPT
telnet:23:tcp
smtp:25:tcp
domain:53:tcp
bootps:63:tcp
http:80:tcp:ACCEPT
pop3:110:tcp
auth:113:tcp
ntp:123:tcp
imap:143:tcp
https:443:tcp
imaps:993:tcp
pop3s:995:tcp
socks:1080:tcp
# Add your services below. The rule is:
# ServiceName:ServicePort:Protocol[:ACCEPT|DROP|REJECT|or any valid target)] # extra comments
#
Then save the file. In the example, I have allowed connections on ports 22 (SSH) and 80 (HTTP). Open the file
/etc/ipkungfu/ipkungfu.conf
and configure it according to your server’s setup and your preferences.
# =========================================================================
# $Id: ipkungfu.conf 57 2005-11-02 17:04:20Z s0undt3ch $
# =========================================================================
# Please read the README and FAQ for more information

# Some distros (most notably Redhat) don't have
# everything we need in $PATH so we specify it here.
# Make sure modprobe, iptables, and route are here,
# as well as ordinary items such as echo and grep.
# Default is as shown in the example below.
#PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin

# Set the path to ipkungfu's runtime error log.
# Default: /var/log/ipkungfu.log
#IPKUNGFU_LOG=

# Your external interface
# This is the one that connects to the internet.
# Ipkungfu will detect this if you don't specify.
EXT_NET="eth0"
#EXT_NET="eth1"
#EXT_NET="ppp0"

# Your internal interfaces, if any. If you have more
# than 1 internal interface, separate them with
# spaces. If you only have one interface, put "lo"
# here. Default is auto-detected.
#INT_NET="eth0"
#INT_NET="eth1"
#INT_NET="lo"

# IP Range of your internal network. Use "127.0.0.1"
# for a standalone machine. Default is a reasonable
# guess. Separate multiple ranges with spaces.
#LOCAL_NET="192.168.0.0/255.255.0.0 10.0.0.0/255.0.0.0"

# Set this to 0 for a standalone machine, or 1 for
# a gateway device to share an Internet connection.
# Default is 1.
GATEWAY=0

# TCP ports you want to allow for incoming traffic
# Don't add ports here that you intend to forward.
# This should be a list of tcp ports that have
# servers listening on them on THIS machine,
# separated by spaces. You can add port ranges
# delimited by hyphens, such as "20-22". Default
# is none.
#ALLOWED_TCP_IN="22 80"

# UDP ports to allow for incoming traffic
# See the comments above for ALLOWED_TCP_IN
#ALLOWED_UDP_IN=""

# Temporarily block future connection attempts from an
# IP that hits these ports (If module is present)
# Hits to these ports will be logged as "BADGUY" hits
# regardless of log.conf settings.
FORBIDDEN_PORTS="135 137 139"

# Drop all ping packets?
# Set to 1 for yes, 0 for no. Default is no.
BLOCK_PINGS=0

# Possible values here are "DROP", "REJECT", or "MIRROR"
#
# "DROP" means your computer will not respond at all. "Stealth mode"
#
# "REJECT" means your computer will respond with a
# message that the packet was rejected.
#
# "MIRROR", if your kernel supports it, will swap the source and
# destination IP addresses, and send the offending packet back
# where it came from. USE WITH EXTREME CAUTION! Only use this if you fully
# understand the consequences.
#
# The safest option, and the default in each case, is "DROP". Don't change
# unless you fully understand this.

# What to do with 'probably malicious' packets
#SUSPECT="REJECT"
SUSPECT="DROP"

# What to do with obviously invalid traffic
# This is also the action for FORBIDDEN_PORTS
#KNOWN_BAD="REJECT"
KNOWN_BAD="DROP"

# What to do with port scans
#PORT_SCAN="REJECT"
PORT_SCAN="DROP"

# How should ipkungfu determine your IP address? The default
# answer, "NONE", will cause ipkungfu to not use the few
# features that require it to know your external IP address.
# This option is good for dialup users who run ipkungfu on
# bootup, since dialup users rarely use the features that
# require this, and the IP address for a dialup connection
# generally isn't known at bootup. "AUTO" will cause
# ipkungfu to automatically determine the IP address of
# $EXT_NET when it is started. If you have a static IP
# address you can simply enter your IP address here.
# If you do port forwarding and your ISP changes your IP
# address, choose NONE here, or your port forwarding
# will break when your IP address changes. Default is
# "NONE".
#GET_IP="NONE"
#GET_IP="AUTO"
GET_IP="202.92.148.101"

# If the target for identd (113/tcp) is DROP, it can take
# a long time to connect to some IRC servers. Set this to
# 1 to speed up these connections with a negligible cost
# to security. Identd probes will be rejected with the
# 'reject-with-tcp-reset' option to close the connection
# gracefully. If you want to actually allow ident probes,
# and you're running an identd, and you've allowed port
# 113 in ALLOWED_TCP_IN, set this to 0. Default is 0.
#DONT_DROP_IDENTD=0

# Set this to 0 if you're running ipkungfu on a machine
# inside your LAN. This will cause private IP addresses
# coming in on $EXT_NET to be identified as a spoof,
# which would be inaccurate on intra-LAN traffic
# This will cause private IP addresses coming in on
# $EXT_NET to be identified as a spoof. Default is 1.
#DISALLOW_PRIVATE=1

# For reasons unknown to me, ipkungfu sometimes causes
# kernel panics when run at init time. This is my
# attempt to work around that. Ipkungfu will wait
# the specified number of seconds before starting, to
# let userspace/kernel traffic catch up before executing.
# Default is 0.
#WAIT_SECONDS=5

# This option, if enabled, will cause ipkungfu to set
# the default policy on all builtin chains in the filter
# table to ACCEPT in the event of a failure. This is
# intended for remote administrators who may be locked
# out of the firewall if ipkungfu fails. A warning to
# this effect will be echoed so that the situation can be
# rectified quickly. This is the same as running
# ipkungfu with --failsafe. Default is 0.
#FAILSAFE=0

# Configurable list of kernel modules to load at runtime.
# If no list is provided, the default and needed ones,
# ip_nat_irc, ip_conntrack_ftp ip_nat_ftp ip_conntrack_irc,
# will still be loaded.
#MODULES_LIST=""
The setting
EXT_NET="eth0"
names the active network interface, the one that connects to the internet.
I set
GATEWAY=0
because I’m configuring a standalone server, not a gateway. I have also set the forbidden ports
FORBIDDEN_PORTS="135 137 139"
I don’t block pings,
BLOCK_PINGS=0
because ping is a convenient tool for testing the server’s connectivity.
For suspect packets, known-bad traffic (which includes hits on the forbidden ports) and port scans, I drop the packets:
SUSPECT="DROP"
KNOWN_BAD="DROP"
PORT_SCAN="DROP"
If you have a static IP address, set GET_IP to your IP address.
GET_IP="202.92.148.101"
Then save the file and restart ipkungfu:
# /etc/init.d/ipkungfu restart
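Before restarting the firewall (and possibly losing the SSH session the post warns about), it is worth checking what the two edited files will actually open. The script below is an added example, not part of ipkungfu and not from the original post. It parses the services.conf format quoted above (ServiceName:ServicePort:Protocol[:TARGET]) and the ALLOWED_TCP_IN, ALLOWED_UDP_IN and FORBIDDEN_PORTS settings from ipkungfu.conf, lists every port the configuration intends to open, and warns when an opened port is also listed in FORBIDDEN_PORTS or when the SSH port is not opened at all. Treating both an ACCEPT tag in services.conf and an entry in ALLOWED_TCP_IN / ALLOWED_UDP_IN as "intended open" is my assumption about how the two files combine; the sample file contents are constructed to mirror the edits made in the post.

```python
"""Pre-flight audit of an ipkungfu configuration (added example, not part of ipkungfu).

Reads the services.conf format (ServiceName:ServicePort:Protocol[:TARGET]) and the
ALLOWED_TCP_IN / ALLOWED_UDP_IN / FORBIDDEN_PORTS variables from ipkungfu.conf and
reports every port the configuration intends to open, so the change can be reviewed
before `/etc/init.d/ipkungfu restart`.
Assumption: an ACCEPT target in services.conf and a port in ALLOWED_*_IN both open a port.
"""
import re

VALID_TARGETS = {"ACCEPT", "DROP", "REJECT"}  # the targets named in services.conf's comment


def parse_services(text):
    """Parse services.conf lines into (name, port, proto, target-or-None) tuples."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment, as in the file
        if not line:
            continue
        fields = line.split(":")
        if len(fields) not in (3, 4):
            raise ValueError(f"services.conf line {lineno}: expected 3 or 4 fields, got {raw!r}")
        name, port, proto = fields[0].strip(), fields[1].strip(), fields[2].strip().lower()
        if not port.isdigit() or not 0 < int(port) <= 65535:
            raise ValueError(f"services.conf line {lineno}: bad port {port!r}")
        if proto not in ("tcp", "udp"):
            raise ValueError(f"services.conf line {lineno}: bad protocol {proto!r}")
        target = fields[3].strip().upper() if len(fields) == 4 else None
        entries.append((name, int(port), proto, target))
    return entries


def parse_port_list(value):
    """Expand an ipkungfu port list such as '22 80 20-22' into a set of ints."""
    ports = set()
    for tok in value.split():
        lo, _, hi = tok.partition("-")  # hyphen-delimited ranges, per the conf comments
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_conf_vars(text):
    """Collect active KEY="value" / KEY=value assignments; commented-out lines are skipped."""
    assignment = re.compile(r'^([A-Z_]+)=(?:"([^"]*)"|([^\s#]*))\s*(?:#.*)?$')
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = assignment.match(line)
        if m:
            conf[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return conf


def audit(services_text, conf_text, ssh_port=22):
    """Return {'open': {(port, proto): source}, 'problems': [messages]}."""
    conf = parse_conf_vars(conf_text)
    opened, problems = {}, []
    for name, port, proto, target in parse_services(services_text):
        if target is None:
            continue  # no target: the service line is informational only
        if target not in VALID_TARGETS:
            problems.append(f"{name}:{port}/{proto}: unrecognised target {target!r}")
        elif target == "ACCEPT":
            opened[(port, proto)] = f"services.conf ({name})"
    for proto, key in (("tcp", "ALLOWED_TCP_IN"), ("udp", "ALLOWED_UDP_IN")):
        for port in parse_port_list(conf.get(key, "")):
            opened.setdefault((port, proto), f"ipkungfu.conf ({key})")
    forbidden = parse_port_list(conf.get("FORBIDDEN_PORTS", ""))
    for (port, proto), source in sorted(opened.items()):
        if port in forbidden:
            problems.append(f"{port}/{proto} is opened by {source} but also listed in FORBIDDEN_PORTS")
    if (ssh_port, "tcp") not in opened:
        problems.append(f"{ssh_port}/tcp is not opened: a remote SSH session will be cut off on restart")
    return {"open": opened, "problems": problems}


# Constructed sample contents mirroring the post's edits (not read from any real host).
SAMPLE_SERVICES = """\
# ssh:22:tcp:ACCEPT
ftp:21:tcp
ssh:22:tcp:ACCEPT
telnet:23:tcp
http:80:tcp:ACCEPT
https:443:tcp
"""

SAMPLE_CONF = """\
EXT_NET="eth0"
GATEWAY=0
#ALLOWED_TCP_IN="22 80"
FORBIDDEN_PORTS="135 137 139"
BLOCK_PINGS=0
SUSPECT="DROP"
"""

if __name__ == "__main__":
    result = audit(SAMPLE_SERVICES, SAMPLE_CONF)
    for (port, proto), source in sorted(result["open"].items()):
        print(f"open {port}/{proto} <- {source}")
    for msg in result["problems"]:
        print("WARNING:", msg)
```

Run it against copies of the real files (for example `audit(open("/etc/ipkungfu/services.conf").read(), open("/etc/ipkungfu/ipkungfu.conf").read())`) and only restart once the listed ports and the absence of warnings match what you intended; the ssh_port parameter exists for servers whose SSH daemon does not listen on 22.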