Installing ISP-fw (Firewall) On Linux
ISP-fW is a firewall script that provides port forwarding, packet filtering, stateful packet inspection, port redirection, masquerading, SNAT/DNAT, TOS and, last but not least, generates HTB rules for bandwidth management. With ISP-fw, you can turn a PC into a gateway with shaping capabilities.
Let's begin:
I will assume that you have installed Linux on your box. I use a Debian machine so this tutorial will be for Debian Linux but should not differ much from the rest of the distros.
1. Requirements:
- GNU/Linux distribution;
- GCC 3.4.6 compiler;
- Iproute2 (the latest version is recommended, http://linux-net.osdl.org/index.php/Iproute2);
- Linux Kernel 2.4.32 or 2.6.16 (www.kernel.org);
- dialog (the latest version from http://invisible-island.net/dialog/);
- flex version 2.5.4a (not a newer version);
- iptables v1.2.11 or above;
- DHCP (the latest version from ftp://ftp.isc.org/isc/dhcp/);
- Apache and php (required for webISP);
- ZendOptimizer 3.x (required for webISP);
- mySQL 4.x (required for webISP);
- MRTG (required for webISP);
- IPFM (required for webISP).
For shaping you have to enable QoS in your kernel; this is the list of options for 2.4.x and 2.6.x:
Linux Kernel 2.4.32 ( http://www.kernel.org )
----------------------------------------------
If you compile the Kernel from the sources, you will need to select the following options:
#
# QoS and/or fair queuing
#
CONFIG_NET_SCHED=y
CONFIG_NET_SCH_CBQ=m
CONFIG_NET_SCH_HTB=m
CONFIG_NET_SCH_CSZ=m
CONFIG_NET_SCH_HFSC=m
CONFIG_NET_SCH_PRIO=m
CONFIG_NET_SCH_RED=m
CONFIG_NET_SCH_SFQ=m
CONFIG_NET_SCH_TEQL=m
CONFIG_NET_SCH_TBF=m
CONFIG_NET_SCH_GRED=m
CONFIG_NET_SCH_NETEM=m
CONFIG_NET_SCH_DSMARK=m
CONFIG_NET_SCH_INGRESS=m
CONFIG_NET_QOS=y
CONFIG_NET_ESTIMATOR=y
CONFIG_NET_CLS=y
CONFIG_NET_CLS_TCINDEX=m
CONFIG_NET_CLS_ROUTE4=m
CONFIG_NET_CLS_ROUTE=y
CONFIG_NET_CLS_FW=m
CONFIG_NET_CLS_U32=m
CONFIG_NET_CLS_RSVP=m
CONFIG_NET_CLS_RSVP6=m
CONFIG_NET_CLS_POLICE=y
Linux Kernel 2.6.16 ( http://www.kernel.org )
------------------------------------------------
If you compile the kernel from the sources, you will need to select the following options:
#
# QoS and/or fair queuing
#
CONFIG_NET_SCHED=y
CONFIG_NET_SCH_CLK_JIFFIES=y
# CONFIG_NET_SCH_CLK_GETTIMEOFDAY is not set
# CONFIG_NET_SCH_CLK_CPU is not set
#
# Queuing/Scheduling
#
CONFIG_NET_SCH_CBQ=m
CONFIG_NET_SCH_HTB=m
CONFIG_NET_SCH_HFSC=m
CONFIG_NET_SCH_PRIO=m
CONFIG_NET_SCH_RED=m
CONFIG_NET_SCH_SFQ=m
CONFIG_NET_SCH_TEQL=m
CONFIG_NET_SCH_TBF=m
CONFIG_NET_SCH_GRED=m
CONFIG_NET_SCH_DSMARK=m
CONFIG_NET_SCH_NETEM=m
CONFIG_NET_SCH_INGRESS=m
#
# Classification
#
CONFIG_NET_CLS=y
CONFIG_NET_CLS_BASIC=m
CONFIG_NET_CLS_TCINDEX=m
CONFIG_NET_CLS_ROUTE4=y
CONFIG_NET_CLS_ROUTE=y
CONFIG_NET_CLS_FW=m
CONFIG_NET_CLS_U32=m
CONFIG_CLS_U32_PERF=y
CONFIG_CLS_U32_MARK=y
CONFIG_NET_CLS_RSVP=m
CONFIG_NET_CLS_RSVP6=m
CONFIG_NET_EMATCH=y
CONFIG_NET_EMATCH_STACK=32
CONFIG_NET_EMATCH_CMP=m
CONFIG_NET_EMATCH_NBYTE=m
CONFIG_NET_EMATCH_U32=m
CONFIG_NET_EMATCH_META=m
CONFIG_NET_EMATCH_TEXT=m
CONFIG_NET_CLS_ACT=y
CONFIG_NET_ACT_POLICE=m
CONFIG_NET_ACT_GACT=y
CONFIG_GACT_PROB=y
CONFIG_NET_ACT_MIRRED=m
CONFIG_NET_ACT_IPT=m
CONFIG_NET_ACT_PEDIT=m
CONFIG_NET_ACT_SIMP=m
CONFIG_NET_CLS_IND=y
CONFIG_NET_ESTIMATOR=y
!!! NOTE !!!
To successfully use mark_in_u32 you MUST use at least the kernel 2.6.16.
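Before going on to the package, it is worth confirming that the kernel you are actually running carries these options, since a missing scheduler or classifier only shows up later as a failing tc command. The following Python check is an added example (my own code, not part of ISP-fw): it parses a kernel .config, or /proc/config.gz and /boot/config-<release> on a live box, and reports the QoS options that are absent or disabled. Which options to treat as required, and whether module or built-in is acceptable for each, is my own selection from the 2.6.16 list above; the sample config text is constructed so the check has something to flag offline.

```python
import gzip
import os
import re

# Options from the 2.6.16 list above that the shaping features rely on. The choice of
# which ones to treat as required, and the accepted values, is my own assumption:
# "ym" means built-in or module is fine, "y" means it must be built in.
REQUIRED_QOS = {
    "CONFIG_NET_SCHED": "y",
    "CONFIG_NET_SCH_HTB": "ym",
    "CONFIG_NET_SCH_SFQ": "ym",
    "CONFIG_NET_SCH_INGRESS": "ym",
    "CONFIG_NET_CLS": "y",
    "CONFIG_NET_CLS_U32": "ym",
    "CONFIG_CLS_U32_MARK": "y",      # needed for mark_in_u32 (see the note above)
    "CONFIG_NET_CLS_FW": "ym",
    "CONFIG_NET_CLS_ACT": "y",
    "CONFIG_NET_ACT_POLICE": "ym",
}

SET_RE = re.compile(r"^(CONFIG_\w+)=(.+)$")
UNSET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_kconfig(text):
    """Return {option: value} from kernel .config text; unset options map to 'n'."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SET_RE.match(line)
        if m:
            options[m.group(1)] = m.group(2)
            continue
        m = UNSET_RE.match(line)
        if m:
            options[m.group(1)] = "n"
    return options


def check_qos(options, required=REQUIRED_QOS):
    """Return a list of (option, found, accepted) for every requirement not met."""
    problems = []
    for name, accepted in required.items():
        found = options.get(name, "n")   # absent from the file counts as not set
        if found not in accepted:
            problems.append((name, found, accepted))
    return problems


def load_running_config():
    """Read the running kernel's config from /proc/config.gz or /boot; None if unavailable."""
    gz = "/proc/config.gz"
    if os.path.exists(gz):
        with gzip.open(gz, "rt") as fh:
            return fh.read()
    boot = "/boot/config-" + os.uname().release
    if os.path.exists(boot):
        with open(boot) as fh:
            return fh.read()
    return None


# Constructed sample: a config where u32 mark support was left out.
SAMPLE_CONFIG = """\
# QoS and/or fair queuing
CONFIG_NET_SCHED=y
CONFIG_NET_SCH_HTB=m
CONFIG_NET_SCH_SFQ=m
CONFIG_NET_SCH_INGRESS=m
CONFIG_NET_CLS=y
CONFIG_NET_CLS_U32=m
CONFIG_CLS_U32_PERF=y
# CONFIG_CLS_U32_MARK is not set
CONFIG_NET_CLS_FW=m
CONFIG_NET_CLS_ACT=y
CONFIG_NET_ACT_POLICE=m
"""

if __name__ == "__main__":
    text = load_running_config() or SAMPLE_CONFIG
    for name, found, accepted in check_qos(parse_kconfig(text)):
        print(f"{name}: found '{found}', need one of '{accepted}'")
```

Run on the sample it reports only CONFIG_CLS_U32_MARK; on a real box it reads the running kernel's config first and falls back to the sample only when neither file exists.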
2. Download and install isp-fw from http://isp-fw.sourceforge.net
root@htb:~# wget http://kent.dl.sourceforge.net/sourceforge/isp-fw/ispfw-9.5-rc1.deb
root@htb:~# mysql -u user -p password
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> create database ispfw;
Query OK, 1 row affected (0.00 sec)
mysql> quit
Bye
root@htb:~# dpkg -i ispfw-9.5-rc1.deb
SQL host [localhost]:
SQL user [root]: ispfw
SQL pass [changeme]: ****
SQL db [ispfw]: ispfw
Admin user for webpage [admin]: admin
Admin password for webpage [changeme]: ****
Installation successful.
Edit /var/www/webisp/include/config.php.
In php.ini, set session.auto_start to 1.
Note that you need to install ZendOptimizer (http://www.zend.com/free_download/optimizer).
You're done installing ISP-fW. Let's go to the configuration.
3. Configure ISP-fW
Edit /etc/isp-fw/firewall.conf to your needs (you can also run isped fireconfig from the console to bring up the file). A more thoroughly explained example can be found in the docs or at http://isp-fw.wiki.sourceforge.net/Config-Examples.
#generated by setup, see docs/cfg/
network_name = Example
domain = example.com
default_editor = vi
default_ipt_policy = ACCEPT
net_interface = eth0
lan_interface = eth1
net_ip = 45.93.203.4
clone_mac = no
gateway = 45.93.203.1
subnet = 255.255.255.0
fake_mac = 00:0D:A1:D9:D2:DA
download = start
upload = start
bandwith = 2048 kbps
burst = 0
qdisc = sfq
bgp_file = none
htb_mode = none
ssh_all = no
#I set ssh_all to no, if so you have to enter a list of ips in /etc/isp-fw/ssh.allow
ssh_port = 22
use_squid = no
squid_port = 3128
load_custom = no
masquerade = yes
update_hosts = yes
optimize = yes
opt_conntrack = auto
mac_filter = no
auto_redirect = no
my_web = 1234
block_traceroute = no
flood = no
no_port_scan = no
ping_protection = yes
max_conn_per_port =
use_dhcp = yes
#DHCP section
class = 10.10.10.0/255.255.255.0
router = 10.10.10.1
range = 10.10.10.1 10.10.10.254
broadcast = 10.10.10.255
dns = 10.10.10.1, 10.10.10.2
wins = 10.10.10.2
/etc/isp-fw/spam.conf - here you enter blacklisted IP(s)
/etc/isp-fw/badports.conf - here you enter blacklisted port(s)
/etc/isp-fw/port.allow - here you enter port(s) that you want to accept
/etc/isp-fw/ssh.allow - here you enter ip(s) that you want to allow to ssh
4. Adding clients to ISP-fW
You can add clients by using the command isped clienti:
root@htb:~# isped clienti
Now, if you have NAT on your network, be sure to have the option masquerade = yes. Here's how the file looks:
#CAUTION dont leave blank fields! See docs/cfg/clienti.* for more info
#MAC IP-LAN IP-NET MINE/MAXE/MINM/MAXM NAME
00:0E:2E:1F:E7:FA 10.10.10.2 0.0.0.0 16/128/1024/1024 Tom
00:0E:2E:1F:E1:AA 10.10.10.3 0.0.0.0 16/512/1024/1024 Britney
#00:01:1A:1A:AA:AA 10.10.10.4 0.0.0.0 16/512/1024/1024 Alice
#END
If you have your own block of IPs from ARIN or any other registry, be sure to set masquerade = no.
For this example we will assume that we have the block 9.10.11.0/24 allocated.
#CAUTION dont leave blank fields! See docs/cfg/clienti.* for more info
00:0E:2E:1F:E7:FA 0.0.0.0 9.10.11.2 16/32/128/1024 Tom
00:02:AA:11:B2:AC 0.0.0.0 9.10.11.3 16/32/256/2048 Britney
#00:01:AA:03:04:05 0.0.0.0 9.10.11.4 16/32/256/2048 Alice
#END
Tips
The "16/32/128/1024" means that Tom has, for external bandwidth, 16 kbps minimum guaranteed and 32 kbps maximum; for metropolitan networks, 128 kbps minimum and 1024 kbps maximum.
The "#" sign means that the client is disabled, therefore it doesn't have internet access.
The "#>" sign means that the client is redirected to your customized suspended web page.
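To make the clienti layout from section 4 and the rate fields explained in these tips concrete, here is an added Python example (my own code, not ISP-fw's parser or its generated rules). It reads clienti lines into records, distinguishes enabled, disabled (#) and suspended (#>) clients, rejects rows with a missing field or a minimum above its maximum, and shows what the MINE/MAXE pair becomes as one HTB class plus a u32 filter on the LAN interface. The tc commands are illustrative of the mapping only; how ISP-fw itself builds its rules is not on this page. The sample clienti text is constructed, mixing the NAT and routed layouts shown above.

```python
import re
from dataclasses import dataclass

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


@dataclass
class Client:
    mac: str
    ip_lan: str
    ip_net: str
    min_ext: int    # MINE: guaranteed external rate, kbps
    max_ext: int    # MAXE: external ceiling, kbps
    min_metro: int  # MINM: guaranteed metropolitan rate, kbps
    max_metro: int  # MAXM: metropolitan ceiling, kbps
    name: str
    state: str      # "enabled", "disabled" (#) or "suspended" (#>)

    @property
    def address(self):
        # With masquerade = yes the LAN address identifies the client; with a
        # routed block IP-LAN is 0.0.0.0 and the public IP-NET does instead.
        return self.ip_net if self.ip_lan == "0.0.0.0" else self.ip_lan


def parse_clienti(text):
    """Parse clienti lines into Client records, raising ValueError on malformed rows."""
    clients = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line == "#END":
            continue
        state = "enabled"
        if line.startswith("#>"):
            state, line = "suspended", line[2:].strip()
        elif line.startswith("#"):
            body = line[1:].strip()
            # '#' followed by a MAC is a disabled client; anything else is a comment.
            if not body or not MAC_RE.match(body.split()[0]):
                continue
            state, line = "disabled", body
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        mac, ip_lan, ip_net, rates, name = fields
        if not MAC_RE.match(mac):
            raise ValueError(f"line {lineno}: bad MAC {mac!r}")
        parts = rates.split("/")
        if len(parts) != 4 or not all(p.isdigit() for p in parts):
            raise ValueError(f"line {lineno}: bad rate field {rates!r}")
        mine, maxe, minm, maxm = (int(p) for p in parts)
        if mine > maxe or minm > maxm:
            raise ValueError(f"line {lineno}: minimum exceeds maximum in {rates!r}")
        clients.append(Client(mac, ip_lan, ip_net, mine, maxe, minm, maxm, name, state))
    return clients


def htb_commands(client, dev, classid, parent="1:1"):
    """Illustrative tc commands for one client's external (download) class on dev.

    tc reads 'kbps' as kilobytes per second, so the page's kbps figures are
    passed as 'kbit'. Disabled and suspended clients get no class at all.
    """
    if client.state != "enabled":
        return []
    return [
        f"tc class add dev {dev} parent {parent} classid 1:{classid} htb "
        f"rate {client.min_ext}kbit ceil {client.max_ext}kbit",
        f"tc filter add dev {dev} parent 1: protocol ip prio 1 u32 "
        f"match ip dst {client.address}/32 flowid 1:{classid}",
    ]


# Constructed sample mixing the NAT and routed layouts shown above.
SAMPLE_CLIENTI = """\
#CAUTION dont leave blank fields! See docs/cfg/clienti.* for more info
#MAC IP-LAN IP-NET MINE/MAXE/MINM/MAXM NAME
00:0E:2E:1F:E7:FA 10.10.10.2 0.0.0.0 16/128/1024/1024 Tom
00:0E:2E:1F:E1:AA 10.10.10.3 0.0.0.0 16/512/1024/1024 Britney
#00:01:1A:1A:AA:AA 10.10.10.4 0.0.0.0 16/512/1024/1024 Alice
#>00:02:AA:11:B2:AC 0.0.0.0 9.10.11.3 16/32/256/2048 Bob
#END
"""

if __name__ == "__main__":
    for i, c in enumerate(parse_clienti(SAMPLE_CLIENTI), start=10):
        print(c.name, c.state, c.address, htb_commands(c, "eth1", i))
```

The strict checks matter more than they look: the file's own CAUTION about blank fields exists because a short row shifts every later field, and a minimum above its ceiling is rejected by tc anyway, so it is better caught while editing than at ispfw start.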
Now to start the program just type
ispfw start