
Managing iptables firewall


A firewall is an indispensable, yet expensive, piece of every network. To overcome the cost issue, many organizations have turned to Linux firewalls, which can be implemented by purchasing or downloading a low-cost Linux distribution and installing it on commodity hardware. The drawback of a Linux firewall is that it can be somewhat difficult to manage. However, this isn't the case with iptables when it is used with Bifrost.

By itself, iptables can certainly be difficult to manage, requiring a deep knowledge of the various command-line options and exactly how to use them. Bifrost removes this management headache by providing a Web-based GUI front end for iptables.

Requirements
For Bifrost to work, you must be running at least version 1.2.3 of iptables. To check which version you are running, you can enter the following command on your Linux server:

/sbin/iptables --version

If you are running an older version, you will need to upgrade it before you can use Bifrost. You can get the latest version from the Netfilter/Iptables Web site.
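The version check above, as an added example rather than anything from the article or from Bifrost: a short shell script that parses the output of `iptables --version` and compares it numerically, field by field, against 1.2.3, so that a release such as 1.2.11 or 1.10.0 is not mistaken for an older one the way a plain string comparison would. The only assumption beyond the article is that the binary lives at the /sbin/iptables path the article itself uses.

```shell
#!/bin/sh
# Added example (not part of Bifrost or the article): check that the installed
# iptables is at least the 1.2.3 release the article requires. The comparison
# is numeric, field by field, so 1.2.11 or 1.10.0 is not judged older than
# 1.2.3 the way a plain string comparison would.

BIFROST_MIN_IPTABLES="1.2.3"

# parse_iptables_version "iptables v1.2.3": print the dotted version, or
# nothing if the text does not look like `iptables --version` output.
parse_iptables_version() {
    printf '%s\n' "$1" | sed -n 's/^iptables v\([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B: exit 0 when dotted version A is greater than or equal to B.
# Missing fields count as 0, so "1.2" is treated as "1.2.0".
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = pa[i] + 0; y = pb[i] + 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# check_iptables_version "OUTPUT": exit 0 if OUTPUT from `iptables --version`
# reports a release new enough for Bifrost, 1 if it is too old, 2 if the
# text could not be parsed (binary missing, or not iptables at all).
check_iptables_version() {
    v=$(parse_iptables_version "$1")
    [ -n "$v" ] || return 2
    version_ge "$v" "$BIFROST_MIN_IPTABLES"
}

# Query the real binary only when run with --live, so the functions can be
# sourced and exercised on a machine without iptables installed.
if [ "${1:-}" = "--live" ]; then
    if check_iptables_version "$(/sbin/iptables --version 2>/dev/null)"; then
        echo "iptables is new enough for Bifrost"
    else
        echo "iptables is missing, unparsable, or older than $BIFROST_MIN_IPTABLES" >&2
        exit 1
    fi
fi
```

Run it as `sh check-iptables.sh --live` on the firewall; the exit status (0 new enough, 1 too old, 2 unparsable) makes it usable from an installation script as well.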

You also need the iproute2 utilities (the ip and tc commands). My Red Hat Linux 7.2 server includes them in the distribution, with their configuration files under /etc/iproute2.

Next, you need Apache. If you do not have it, you can get it from Apache.org; the current version is 1.3.24. A default installation will work for this product with one exception. A standard Apache build runs as the shared "nobody" account, and that is a real problem here: the installation steps below hand the Web server's account ownership of the firewall configuration and setuid/setgid copies of the iptables binaries, so anything else running as nobody (any other CGI program on the server, for instance) could read or rewrite the firewall. I therefore created a dedicated user and group named "apache" and built Apache with the following configuration line (APACI also accepts --server-gid=apache if you want the group to match the ownership used in the installation steps):

./configure --prefix=/usr/local/apache --server-uid=apache

Finally, you need Perl. Almost all common Linux distributions include a version of Perl that will work with Bifrost, but if you need Perl, you can get it from your Linux distribution's CD or download it.

Obtaining and installing Bifrost
The most recent version of Bifrost is 0.9, and you can download it from the Bifrost Web site. I saved this download into /usr/src on my server and used the commands in Table A to install it.

Table A: Bifrost installation steps

Command                                      Explanation
cd /usr/src                                  Switches to the /usr/src directory where the Bifrost archive was saved
gunzip -dc Bifrost.0.9.0.tgz | tar xvf -     Unpacks the Bifrost archive (the trailing "-" tells tar to read the stream coming from gunzip)
cd Bifrost.0.9.0                             Switches to the Bifrost directory
mv Bifrost /etc/                             Moves the Bifrost data files under the /etc directory
mv iptables /etc/sysconfig                   Moves the iptables configuration file to /etc/sysconfig
mv fw.cgi /usr/local/apache/cgi-bin          Moves the Bifrost CGI program to the Apache cgi-bin directory
chown apache.root /etc/sysconfig/iptables    Gives the Apache user ownership of the iptables configuration
chmod +s /usr/local/apache/cgi-bin/fw.cgi    Sets the setuid and setgid bits on the CGI program
chmod +s /sbin/iptables-save                 Sets the setuid and setgid bits on iptables-save
chown apache.apache /etc/Bifrost/*           Gives the Apache user and group ownership of the Bifrost files
chown apache.root /sbin/iptables             Gives the Apache user and the root group ownership of iptables
chmod +x /sbin/iptables                      Makes iptables executable
chmod +s /sbin/iptables                      Sets the setuid and setgid bits on iptables
chmod +r /var/log/messages                   Makes the system log readable by every user on the server

Be clear about what these steps do before running them. They give the apache account ownership of the saved rule set (/etc/sysconfig/iptables) and of the Bifrost data files, put setuid/setgid bits on /sbin/iptables and /sbin/iptables-save, and make /var/log/messages world-readable. Any code that runs as apache, including any other CGI program on the same server, can then read and rewrite the firewall, which is why the dedicated account from the Apache build matters so much. Two further points are worth knowing. The Linux kernel ignores the setuid bit on interpreted scripts, so if fw.cgi is the Perl script the requirements suggest, the chmod +s on it does not by itself raise the CGI's privilege; what the CGI can do comes from the file ownership and the setuid binaries. And nothing in these steps restricts who can reach the CGI, which is served over plain HTTP, so limit access to /cgi-bin/fw.cgi with Apache's Allow/Deny directives or HTTP authentication and use it only from a trusted network.

Following the steps above completes the installation of Bifrost. Make sure that Apache is started. If it isn't, start it with the command:

/usr/local/apache/bin/apachectl start

You'll also want to make sure Apache is set up to start at boot time.

Using Bifrost
Once you have Apache running and have completed the steps above, you can start to use Bifrost. Browse to http://server-ip-address/cgi-bin/fw.cgi. (For example, for my installation, I will browse to http://192.168.1.100/cgi-bin/fw.cgi). Figure A shows the first Bifrost page you will see.

Figure A

The Bifrost main page

This page shows the current firewall activity. Clicking Current Traffic Status produces a listing of the connections the firewall is tracking, similar to this.

In my case it shows a TCP connection established from 172.16.1.51 (my workstation) to 172.16.1.235 (the server running Bifrost) on port 80. That makes sense, because it is my own Web session with Bifrost.

Bifrost also includes an Interface Statistics And Status option, which, for my installation, yields the results in Figure B.

Figure B

Interface statistics

Adding rules is also easier in Bifrost than at the iptables command line. By clicking Incoming Rules and adding a new rule, I set up my iptables rule set to accept both SMTP and Web traffic. Figure C shows an example.

Figure C

Adding a rule to allow Web and SMTP traffic

An overview with a list of rules is also available. Figure D shows an example from the Bifrost demo site (since my testing server only has one interface).

Figure D

An overview of the iptables rules in Bifrost

Overview
Here is a brief look at what can be done with Bifrost:

  • Dropping—You can add rules that take precedence over all other rule sets and drop the traffic they match. Because iptables applies the first rule that matches, these are evaluated before anything in the other categories. This is useful if you want to block access to a specific range of IP addresses.
  • Incoming Traffic—You can manage traffic coming from the outside to the inside of your network. This is useful when you have mail or Web servers behind your firewall.
  • Outgoing Traffic—You can manage traffic leaving your network. For example, don’t want your users using IM? Add a rule to drop it by blocking the outgoing IM traffic.
  • Manage Interfaces—You can add or remove interfaces on your server.
  • Manage NAT—You can add NAT rules to or remove them from your server.
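The five categories above map onto ordinary iptables commands, and the one thing the GUI hides is the ordering that lets a Dropping entry override everything else. What follows is an added example, not Bifrost's code or anything from the article: a shell rule builder that collects entries per category and emits them so that every Dropping rule lands ahead of the first ACCEPT, together with a check that verifies that property on the emitted text before anything is loaded. The interface name eth0, the networks, the IM ports 5190 (AIM/ICQ) and 1863 (MSN) and the use of the 1.2-era -m state match are assumptions made for the example; /sbin/iptables is the path the article uses.

```shell
#!/bin/sh
# Added example (not Bifrost's code): a small rule builder that mirrors the
# five Bifrost categories and prints the iptables commands behind them.
# iptables evaluates a chain first-match-wins, so a "Dropping" entry only
# overrides the other rules if it is appended before any ACCEPT; the builder
# enforces that order however the entries were collected. Nothing is executed:
# the output is text to review, or to pipe into sh on the firewall.
# Interface names, networks and the IM ports are constructed for the example.

IPT=/sbin/iptables
DROPS=""; INBOUND=""; OUTBLOCK=""; NAT=""

drop_source()    { DROPS="$DROPS $1"; }        # Dropping: refuse this source network
allow_inbound()  { INBOUND="$INBOUND $1"; }    # Incoming: TCP port open on this host
block_outbound() { OUTBLOCK="$OUTBLOCK $1"; }  # Outgoing: TCP port the LAN may not reach
masquerade()     { NAT="$NAT $1"; }            # NAT: LAN network to hide behind the WAN address

# emit_ruleset WAN_IF: print the commands, Dropping rules first.
emit_ruleset() {
    wan="$1"
    printf '%s\n' "$IPT -F" "$IPT -t nat -F" \
        "$IPT -P INPUT DROP" "$IPT -P FORWARD DROP" "$IPT -P OUTPUT ACCEPT"
    for n in $DROPS; do
        printf '%s\n' "$IPT -A INPUT -i $wan -s $n -j DROP" \
                      "$IPT -A FORWARD -i $wan -s $n -j DROP"
    done
    printf '%s\n' "$IPT -A INPUT -i lo -j ACCEPT" \
        "$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $INBOUND; do
        printf '%s\n' "$IPT -A INPUT -i $wan -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $OUTBLOCK; do
        printf '%s\n' "$IPT -A FORWARD -o $wan -p tcp --dport $p -j DROP"
    done
    for n in $NAT; do
        printf '%s\n' "$IPT -A FORWARD -o $wan -s $n -m state --state NEW -j ACCEPT" \
                      "$IPT -t nat -A POSTROUTING -o $wan -s $n -j MASQUERADE"
    done
}

# drops_precede_accepts RULESET: succeed only when every Dropping rule
# (-i IF -s NET -j DROP) comes before the first ACCEPT, i.e. when the
# "overrides all other rule sets" promise actually holds for this text.
drops_precede_accepts() {
    first_accept=$(printf '%s\n' "$1" | grep -n -- '-j ACCEPT' | head -n 1 | cut -d: -f1)
    last_drop=$(printf '%s\n' "$1" | grep -n -- '-i [a-z0-9]* -s .* -j DROP' | tail -n 1 | cut -d: -f1)
    [ -n "$first_accept" ] && [ -n "$last_drop" ] && [ "$last_drop" -lt "$first_accept" ]
}

# Sample policy (constructed): the Figure C rules plus one of each other category.
drop_source 10.66.0.0/16
allow_inbound 25
allow_inbound 80
block_outbound 5190    # AOL Instant Messenger / ICQ
block_outbound 1863    # MSN Messenger
masquerade 192.168.1.0/24
RULESET=$(emit_ruleset eth0)
printf '%s\n' "$RULESET"
drops_precede_accepts "$RULESET" && echo "# Dropping rules are ahead of every ACCEPT"
```

The policies are flushed and rebuilt from scratch on every run, which is the same approach as loading a saved rule set: partial updates to a live chain are where ordering mistakes creep in, and the check at the end is cheap insurance before the text is piped to sh.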

Summary
Bifrost can help to take the pain out of managing an iptables implementation by adding a GUI front end to the process. Keep in mind that version 0.9 is the first public release, so this product is still being developed. In addition, there is very little documentation, so you'll need to go at it on your own for the most part. I am sure that once a final release date gets closer, a manual will be added. In the meantime, Bifrost still provides good functionality for configuring iptables.

Talkback

Hello,

The address from where to download iproute2 (http://defiant.coinet.com/iproute2/) does not give anything but an HTTP 500 error. Is there a safe alternative?

Peter van der Meulen July 6, 2004