
links2world Firewall Homepage

Free Software distributed under GNU General Public License
Thanks to our friends from Open Network Architecture for their support!

Welcome to links2world Firewall Homepage

links2world Firewall is a very simple tool written in C that helps you generate iptables rules for Linux 2.4.x and newer kernels. Released under the GNU General Public License, it is very easy to configure and is designed to run on hosts with one or more network interfaces.

Most of the existing iptables script generators are shell scripts. You have to dig in and look through the entire script in order to customize and configure it for your needs. Furthermore, they are able to generate iptables rules for at most one or two network interfaces.

On the other hand, links2world Firewall uses a very human-readable configuration file that is easy to understand and write. Moreover, it does not matter whether you have one, two, three or twenty network interfaces: links2world Firewall is able to generate stateful iptables rulesets that control the packet flows between all the networks your machine is connected to.

A Simple Configuration Example

Let's take for example a webserver firewall, where you have to allow incoming requests on port 80/tcp. Simply edit the /etc/links2world/firewall.conf configuration file and add the following line:

accept "http" from "anywhere";

This is all you need to generate a stateful iptables ruleset allowing incoming http requests to your webserver. If you also need access on port 443/tcp for https requests, modify the config file to look like this:

accept "http" from "anywhere";
accept "https" from "anywhere";

The output of the links2world command is a script that can be saved into a file for later use or piped to a shell and executed immediately. Thus, in order to enforce the iptables rules generated from your config file, run the following command:

# links2world | bash

In the above example the IP address of the webserver is not taken into consideration, thus all incoming packets with destination port 80/tcp or 443/tcp are allowed, whatever destination IP address they have. A more secure solution would allow only incoming http and https requests whose destination IP address is your machine's own. To achieve this, the /etc/links2world/firewall.conf configuration file should be modified to look like below:

interface "eth0" {
        ipaddr 192.168.1.10;
        accept "http" from "anywhere";
        accept "https" from "anywhere";
};

That is all. Now only the incoming http and https packets with destination IP 192.168.1.10 are allowed. Isn't this simple?

If for some reason you want to stop the firewall, just run

# links2world --stop | bash

This will delete all the iptables rules and set the default policy of the chains to ACCEPT.

Now let's look into a more complex example, involving a multihomed gateway. Suppose you have three interfaces: one that connects you to the Internet, one for your DMZ and one for your intranet. How does the links2world Firewall configuration look in this case?

// this is your DMZ network
network "dmz" {
        netaddr 192.168.2.0/24;
};

// these are hosts inside your DMZ network
host "www-server" {
        ipaddr 192.168.2.10;
};
host "ftp-server" {
        ipaddr 192.168.2.20;
};

// this is your intranet network
network "intranet" {
        netaddr 192.168.3.0/24;
};

// eth0 connects you to Internet
interface "eth0" {
        ipaddr 1.1.1.1/24;
        // all the outgoing requests from intranet are masqueraded behind eth0
        accept "any" from "intranet" masquerade;
        // all the outgoing requests from DMZ are masqueraded behind eth0
        accept "any" from "dmz" masquerade;
};

// virtual interface
interface "eth0:1" {
        ipaddr 1.1.1.2/24;
        // all the incoming http requests on the virtual interface eth0:1 are
        // redirected to the "www-server" inside DMZ
        accept "http" from "anywhere" redirect to "www-server";
        // all the incoming ftp requests on the virtual interface eth0:1 are
        // redirected to the "ftp-server" inside DMZ
        accept "ftp" from "anywhere" redirect to "ftp-server";
};

// eth1 interface that connects you to DMZ network
interface "eth1" {
        ipaddr 192.168.2.254/24;
};

// eth2 interface that connects you to intranet
interface "eth2" {
        ipaddr 192.168.3.254/24;
};

// all incoming ssh requests on any interface are allowed
accept "ssh" from "anywhere";

The above example is a very simple solution. Of course you might want to restrict the access from the intranet to the Internet, or make other changes; you can create your own configuration file starting from this example.

The http, https, ftp and all other services are defined in the /etc/links2world/firewall.default.conf file like this:

service "ssh" { // SSH Remote Login Protocol
        protocol "tcp" {
                sport 0:65535;
                dport 22;
        };
        use-conntrack yes;
};

To define your own service, add it at the beginning of /etc/links2world/firewall.conf. The default configuration file should not be modified, since it might be overwritten by a software upgrade.
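To make the mapping from the configuration syntax to actual iptables rules concrete, here is an added example written for this page in Python; it is not the project's own generator. It is a toy parser for the block syntax shown above (service, host, network and interface blocks, plus accept lines in their plain, masquerade and redirect to forms) and a translator that turns the parsed configuration into a stateful ruleset. The sample configuration is constructed from the page's webserver and gateway examples; the exact rules emitted (default DROP policies, replies accepted through conntrack, DNAT and MASQUERADE in the nat table) are my assumptions about what such a ruleset looks like, not what links2world itself outputs.

```python
# Added example: a toy translator from links2world-style firewall.conf text into iptables
# commands. Not the project's generator; the grammar subset and emitted rules are assumptions.
import re
TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')

# Constructed sample in the page's syntax, mixing its webserver and gateway examples.
SAMPLE_CONF = """
service "http"  { protocol "tcp" { sport 0:65535; dport 80; };  use-conntrack yes; };
service "https" { protocol "tcp" { sport 0:65535; dport 443; }; use-conntrack yes; };
service "ssh"   { protocol "tcp" { sport 0:65535; dport 22; };  use-conntrack yes; };
network "intranet" { netaddr 192.168.3.0/24; };
host "www-server"  { ipaddr 192.168.2.10; };
interface "eth0" {
        ipaddr 1.1.1.1/24;
        accept "any" from "intranet" masquerade;                // outbound NAT
        accept "http" from "anywhere" redirect to "www-server"; // DNAT into the DMZ
        accept "https" from "anywhere";                         // served by this host
};
accept "ssh" from "anywhere";   // top level: allowed on every interface
"""

def tokenize(text):
    # Drop // comments, then split into quoted strings, braces, semicolons and bare words.
    return [t.strip('"') for t in TOKEN_RE.findall(re.sub(r"//[^\n]*", "", text))]

def parse(tokens, pos=0):
    """Recursive descent into ('stmt', words) and ('block', kind, name, items); assumes well-formed input."""
    items = []
    while pos < len(tokens) and tokens[pos] != "}":
        start = pos
        while tokens[pos] not in ("{", ";"):
            pos += 1
        words, pos = tokens[start:pos], pos + 1
        if tokens[pos - 1] == "{":
            inner, pos = parse(tokens, pos)                      # returns with pos on the closing "}"
            pos += 2 if tokens[pos + 1:pos + 2] == [";"] else 1  # swallow "}" or "};"
            items.append(("block", words[0], words[1] if len(words) > 1 else "", inner))
        elif words:
            items.append(("stmt", words))
    return items, pos

class Config:
    def __init__(self, text):
        self.services = {}        # name -> [(proto, sport, dport)]
        self.addrs = {}           # host/network name -> address
        self.ifaces = []          # (device, address, accept lines)
        self.global_accepts = []  # accept lines outside any interface block
        for item in parse(tokenize(text))[0]:
            self._load(item)

    def _load(self, item):
        if item[0] == "stmt":     # only top-level accept lines live outside a block
            self.global_accepts.append(item[1])
            return
        _, kind, name, inner = item
        stmts = {s[1][0]: s[1][1:] for s in inner if s[0] == "stmt"}
        if kind == "service":
            for b in (b for b in inner if b[0] == "block" and b[1] == "protocol"):
                ports = {s[1][0]: s[1][1] for s in b[3] if s[0] == "stmt"}
                self.services.setdefault(name, []).append((b[2], ports.get("sport", "0:65535"), ports["dport"]))
        elif kind in ("host", "network"):
            self.addrs[name] = (stmts.get("ipaddr") or stmts["netaddr"])[0]
        elif kind == "interface":
            self.ifaces.append((name, stmts["ipaddr"][0].split("/")[0],   # address without prefix length
                                [s[1] for s in inner if s[0] == "stmt" and s[1][0] == "accept"]))

    def _match(self, svc, src):
        # Source plus protocol/port fragments for one accept line; "any" means no -p at all.
        s = "" if src == "anywhere" else f" -s {self.addrs[src]}"
        if svc == "any":
            return [s]
        return [f"{s} -p {p} --sport {sp} --dport {dp}" for p, sp, dp in self.services[svc]]

    def rules(self):
        """Stateful ruleset: default DROP, replies via conntrack, NEW only where accepted."""
        new = "-m state --state NEW -j ACCEPT"
        r = ["iptables -F", "iptables -t nat -F", "iptables -X", "iptables -P INPUT DROP",
             "iptables -P FORWARD DROP", "iptables -P OUTPUT ACCEPT", "iptables -A INPUT -i lo -j ACCEPT"]
        r += [f"iptables -A {c} -m state --state ESTABLISHED,RELATED -j ACCEPT" for c in ("INPUT", "FORWARD")]
        for dev, ip, accepts in self.ifaces:
            for a in accepts:
                svc, src, action = a[1], a[3], a[4:]
                for m in self._match(svc, src):
                    if action[:1] == ["masquerade"]:        # forward out of dev and SNAT behind it
                        r.append(f"iptables -A FORWARD -o {dev}{m} {new}")
                        r.append(f"iptables -t nat -A POSTROUTING -o {dev}{m} -j MASQUERADE")
                    elif action[:2] == ["redirect", "to"]:  # DNAT to the named host, then forward
                        target = self.addrs[action[2]]
                        r.append(f"iptables -t nat -A PREROUTING -i {dev} -d {ip}{m} "
                                 f"-j DNAT --to-destination {target}")
                        r.append(f"iptables -A FORWARD -i {dev} -d {target}{m} {new}")
                    else:                                   # served locally: pin to dev and its address
                        r.append(f"iptables -A INPUT -i {dev} -d {ip}{m} {new}")
        for a in self.global_accepts:   # no -i / -d, so it matches on every interface and address
            for m in self._match(a[1], a[3]):
                r.append(f"iptables -A INPUT{m} {new}")
        return r
```

Config(SAMPLE_CONF).rules() returns the list of commands; printed under a #!/bin/sh header it is the kind of script the page pipes into bash. Two points are visible in the output. A service accepted inside an interface block carries -i eth0 -d 1.1.1.1, while the bare top-level form carries neither, which is exactly the difference the webserver example draws between accepting port 80 on any address and only on the machine's own address. And since --stop leaves every chain with policy ACCEPT, a stopped firewall fails open, which is worth keeping in mind on an Internet-facing gateway.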


Copyright © 2004 Adrian Pascalau. All Rights Reserved.