Linux Iptables Firewall with a Webinterface Tutorial
Introduction
This HOWTO describes how to configure a computer running Debian GNU/Linux as a router on which the internet connection of individual clients can be turned on or off from a web interface, using the iptables firewall. In this HOWTO I will not explain how to install your Debian GNU/Linux system, how to set up your network, or how to set up your firewall in general.
The configuration
This configuration has an integrated web proxy (Squid) running on port 3128; if you don't have one, just remove all the lines containing '3128'.
The following computers are used in this tutorial:
- 3 computers which should be switchable: pc1 (192.168.1.11), pc2 (192.168.1.12), pc3 (192.168.1.13)
- 3 computers which should always be on: pc4 (192.168.1.14), pc5 (192.168.1.15), pc6 (192.168.1.16)
Requirements
- Debian GNU/Linux
- two network interfaces
- Netfilter/iptables
- Apache Webserver
It should work with other distributions as well, but this has not been tested yet.
The web root is /data/www/.
Firewall
This is the iptables firewall script. Move it to /etc/init.d/firewall and create the start link:
cd /etc/rc2.d/
ln -s ../init.d/firewall S99firewall
The new firewall will now be loaded at the next reboot.
A short explanation:
$IPT -A FORWARD -s 192.168.1.0/24 -j DROP
By default forbids all direct connections from the LAN to the internet.
$IPT -A INPUT -i eth0 -p tcp --dport 3128 -j DROP
By default forbids all connections to the web proxy.
$IPT -A FORWARD -s 192.168.1.14 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp -s 192.168.1.14 --dport 3128 -j ACCEPT
Allows this client (pc4, 192.168.1.14) to connect to the web proxy and directly to the internet; these rules must come before the two DROP rules above, because iptables takes the first matching rule.
$IPT -N pc1
$IPT -A pc1 -s 192.168.1.11 -j ACCEPT
$IPT -D pc1 -s 192.168.1.11 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 3128 -j pc1
$IPT -A FORWARD -i eth0 -j pc1
Creates a new chain called 'pc1' and hooks it into INPUT (for the proxy port) and FORWARD. The ACCEPT rule is added and immediately deleted again, so the chain exists but is empty: by default no connection is allowed for this client until switch.sh adds the rule.
Check
This little script (check.sh) checks the state of the connection of the client given as the first argument. We check the state of the connection with a command like:
./check.sh pc1
The script returns either 'On' or 'Off'.
Switch
Now we have reached the important step of this tutorial. Our next script (switch.sh) switches the state of the specified client. The first argument is the client, the second argument is 'on' or 'off'. We change the state of the connection with a command like:
./switch.sh pc1 on
# Arm of the case statement for './switch.sh pc1 on'. Note: without -n, iptables -L
# prints host names, so 'grep pc1' only finds the ACCEPT rule if 192.168.1.11
# resolves to a name containing 'pc1' (e.g. via /etc/hosts); 'iptables -L pc1 -n'
# would be independent of name resolution.
if $IPT -L | grep pc1 | grep -q ACCEPT; then
    if [ "$DEBUG" = "on" ]; then echo "already on"; fi
    exit 0
else
    $IPT -A pc1 -s $pc1 -j ACCEPT
    echo "$(date) - pc1 - on" >>/data/www/html/dsl/dsl.log
fi
;;
We started the script with ./switch.sh pc1 on. If the connection is not already on, the script executes
$IPT -A pc1 -s $pc1 -j ACCEPT
which means that connections to the web proxy and directly to the internet are allowed.
echo "$(date) - pc1 - on" >>/data/www/html/dsl/dsl.log
This line appends a log entry to '/data/www/html/dsl/dsl.log', e.g.:
Sat Jan 27 21:30:01 CET 2007 - pc1 - off
Sat Jan 27 21:33:02 CET 2007 - pc1 - on
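A reworked switch.sh, added here as an example and not the script from the original tutorial: it accepts only the client names from the table above (so a value passed through from the web interface cannot reach iptables unchecked), checks the chain state with 'iptables -L <chain> -n' so it does not depend on name resolution, and handles both 'on' and 'off'. The client table and the IPT/LOG override variables are assumptions.

```shell
#!/bin/sh
# Added example: switch.sh with a client whitelist and a DNS-independent state check.
# Assumptions: IPT and LOG may be overridden from the environment (for dry runs);
# the pc1..pc3 addresses are the ones listed in the tutorial.
IPT="${IPT:-/sbin/iptables}"
LOG="${LOG:-/data/www/html/dsl/dsl.log}"   # under the web root: protect it like the CGI

# Map a client name to its address. Only names listed here are accepted, so a
# value passed through from the web interface cannot reach iptables unchecked.
client_ip() {
    case "$1" in
        pc1) echo 192.168.1.11 ;;
        pc2) echo 192.168.1.12 ;;
        pc3) echo 192.168.1.13 ;;
        *)   return 1 ;;
    esac
}

# True when the client's chain holds an ACCEPT rule. Listing only that chain with -n
# avoids the reverse-DNS lookup that a plain 'iptables -L | grep pc1' depends on.
is_on() {
    "$IPT" -L "$1" -n 2>/dev/null | grep -q ACCEPT
}

# switch NAME on|off: add or delete the ACCEPT rule in the client's chain and log it.
switch() {
    name=$1; state=$2
    ip=$(client_ip "$name") || { echo "unknown client: $name" >&2; return 2; }
    case "$state" in
        on)  is_on "$name" && return 0                     # already on
             "$IPT" -A "$name" -s "$ip" -j ACCEPT ;;
        off) is_on "$name" || return 0                     # already off
             "$IPT" -D "$name" -s "$ip" -j ACCEPT ;;
        *)   echo "state must be 'on' or 'off'" >&2; return 2 ;;
    esac
    echo "$(date) - $name - $state" >> "$LOG"
}

# Act only when called with both arguments, e.g. ./switch.sh pc1 on
if [ $# -eq 2 ]; then
    switch "$1" "$2"
fi
```

Run it as root with the real iptables, or set IPT to a wrapper that records the commands to try it without touching the firewall.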
The Webinterface
Now we need a web interface to control these scripts. Here is mine:
Here is the link to this script:
Script
Now you should protect this script with a .htpasswd:
AuthUserFile /etc/apache2/htpasswd
AuthType Basic
AuthName "Password required"
<Limit GET>
require user dsl
</Limit>
Note that <Limit GET> applies the password check to GET requests only; a request using another method (such as POST) would not be challenged. Placing the 'require user dsl' line outside the <Limit> block protects the script for every method.
If you have any questions or suggestions, feel free to write me an email (alex@you need to remove this!krogloth.de) or join the rrdtool channel (#rrdtool) on IRCnet.