http://articles.techrepublic.com.com/5100-10878_11-1047998.html?tag=rbxccnbtr1
A firewall is an indispensable, yet expensive, piece of every network. To overcome the cost issue, many organizations have turned to Linux firewalls, which can be implemented by purchasing or downloading a low-cost Linux distribution and installing it on commodity hardware. The drawback of a Linux firewall is that it can be somewhat difficult to manage. However, this isn't the case with iptables when it is used with Bifrost.

By itself, iptables can certainly be difficult to manage, requiring a deep knowledge of the various command-line options and exactly how to use them. Bifrost removes this management headache by providing a Web-based GUI front end for iptables.
Requirements
For Bifrost to work, you must be running at least version 1.2.3 of iptables. To check which version you are running, enter the following command on your Linux server:
/sbin/iptables --version
The command prints the version in the form "iptables v1.2.6" (the number will differ on your system). If you are running an older version, you will need to upgrade it before you can use Bifrost. You can get the latest version from the Netfilter/Iptables Web site.
You also need a utility named iproute2. My Red Hat Linux 7.2 server has it included in the distribution at /etc/iproute2.
Next, you need to have Apache installed. If you do not have it, you can get it from Apache.org. The current version is 1.3.24. A default installation will work for this product with one exception. A standard Apache installation runs as "nobody," which would open some serious security holes because of the way Bifrost runs: the installation steps below give the Web server's user ownership of the firewall configuration and setuid access to the iptables binaries, so that user must be dedicated to Bifrost rather than a shared account. As a result, I created a user named "apache" and used the following configuration line for my Apache installation:
./configure --prefix=/usr/local/apache --server-uid=apache
Finally, you need Perl. Almost all common Linux distributions include a version of Perl that will work with Bifrost, but if you need Perl, you can get it from your Linux distribution's CD or download it.
Obtaining and installing Bifrost
The most recent version of Bifrost is 0.9, and you can download it from the Bifrost Web site. I saved this download into /usr/src on my server and used the commands in Table A to install it.
Table A

Commands                                        Explanation
cd /usr/src                                     Switches to the /usr/src directory where the Bifrost archive was saved
gunzip -dc Bifrost.0.9.0.tgz | tar xvf -        Unpacks the Bifrost archive (the trailing "-" makes tar read the archive from standard input)
cd Bifrost.0.9.0                                Switches to the Bifrost directory
mv Bifrost /etc/                                Moves the Bifrost data files under the /etc directory
mv iptables /etc/sysconfig                      Moves the iptables configuration file to /etc/sysconfig
mv fw.cgi /usr/local/apache/cgi-bin             Moves the Bifrost CGI program to the Apache cgi-bin directory
chown apache.root /etc/sysconfig/iptables       Assigns the Apache user (and the root group) ownership of the iptables configuration
chmod +s /usr/local/apache/cgi-bin/fw.cgi       Sets the setuid/setgid bits on the Bifrost CGI program
chmod +s /sbin/iptables-save                    Sets the setuid/setgid bits on iptables-save
chown apache.apache /etc/Bifrost/*              Assigns the Apache user ownership of the Bifrost files
chown apache.root /sbin/iptables                Assigns the Apache user and the root group ownership of iptables
chmod +x /sbin/iptables                         Makes iptables executable
chmod +s /sbin/iptables                         Sets the setuid/setgid bits on iptables
chmod +r /var/log/messages                      Makes the system log readable by the Apache user (and by every other user on the system)

Note what these steps add up to: the Web server user owns the firewall configuration and the Bifrost files, the CGI program and the iptables binaries carry setuid bits, and /var/log/messages becomes world-readable. Anyone who can reach fw.cgi through Apache can therefore reconfigure the firewall, so keep the Apache instance that serves Bifrost reachable only from your administrative network and restrict access to the cgi-bin directory in Apache's configuration before exposing it.
Bifrost installation steps
Following the steps above completes the installation of Bifrost. Make sure that Apache is started. If it isn't, start it with the command:
/usr/local/apache/bin/apachectl start
You'll also want to make sure Apache is set up to start at boot time.
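The prerequisite check and the Table A steps as one script, added here as an example; it is neither Bifrost's own installer nor code from the article. Paths are the article's. The ROOT argument, which stages the tree under another directory so the steps can be rehearsed without root, and the version-comparison helper are additions of this example, and the "apache" user and "root" group are assumed to exist as above.

```shell
#!/bin/sh
# Added example, not Bifrost's own installer: the iptables version check and
# the Table A install steps as shell functions. Paths follow the article; the
# optional ROOT argument stages everything under another directory so the
# steps can be rehearsed without touching the live system. The "apache" user
# and "root" group are assumed to exist, as in the article.

# Extract the version number from "iptables --version" output,
# e.g. "iptables v1.2.6" -> "1.2.6"; prints nothing for unexpected input.
iptables_version() {
    printf '%s\n' "$1" | sed -n 's/^iptables v\([0-9][0-9.]*\).*/\1/p'
}

# Succeed when dotted version $1 is at least $2 (1.2.6 >= 1.2.3).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*} bi=${b%%.*}
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Check the installed iptables against the 1.2.3 minimum Bifrost needs.
check_iptables() {
    v=$(iptables_version "$(/sbin/iptables --version 2>/dev/null)")
    [ -n "$v" ] || { echo "iptables not found" >&2; return 1; }
    version_ge "$v" 1.2.3 || { echo "iptables $v is too old, need 1.2.3" >&2; return 1; }
}

# Table A as a function: install_bifrost SRCDIR [ROOT] [OWNER] [GROUP]
#   SRCDIR  the unpacked Bifrost.0.9.0 directory
#   ROOT    staging prefix, empty for the live system
#   OWNER   the Web server user (apache); GROUP its privileged group (root)
install_bifrost() {
    src=$1 root=${2:-} owner=${3:-apache} grp=${4:-root}
    cgi=$root/usr/local/apache/cgi-bin
    mkdir -p "$root/etc/sysconfig" "$cgi"
    mv "$src/Bifrost" "$root/etc/"                       || return 1
    mv "$src/iptables" "$root/etc/sysconfig/"            || return 1
    mv "$src/fw.cgi" "$cgi/"                             || return 1
    chown "$owner:$grp" "$root/etc/sysconfig/iptables"   || return 1
    chown "$owner:$owner" "$root"/etc/Bifrost/*          || return 1
    chown "$owner:$grp" "$root/sbin/iptables"            || return 1
    # setuid on the CGI and the iptables binaries is what lets the Web server
    # user change the firewall, so limit who can reach fw.cgi.
    chmod +s "$cgi/fw.cgi" "$root/sbin/iptables-save"    || return 1
    chmod +x "$root/sbin/iptables" && chmod +s "$root/sbin/iptables" || return 1
    chmod +r "$root/var/log/messages"    # makes syslog readable by everyone
}

# Confirm the files Bifrost expects are in place with the modes Table A sets.
verify_install() {
    root=${1:-}
    [ -d "$root/etc/Bifrost" ] &&
    [ -f "$root/etc/sysconfig/iptables" ] &&
    [ -u "$root/usr/local/apache/cgi-bin/fw.cgi" ] &&
    [ -u "$root/sbin/iptables" ] && [ -x "$root/sbin/iptables" ] &&
    [ -u "$root/sbin/iptables-save" ] && [ -r "$root/var/log/messages" ]
}

# Live use (as root, after unpacking the archive in /usr/src):
#   check_iptables && install_bifrost /usr/src/Bifrost.0.9.0 && verify_install
```

To rehearse the steps first, build a throwaway tree containing placeholder sbin/iptables, sbin/iptables-save and var/log/messages files and call install_bifrost with that tree as ROOT and your own user and group; verify_install then reports whether every file landed with the expected mode.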
Using Bifrost
Once you have Apache running and have completed the steps above, you can start to use Bifrost. Browse to http://server-ip-address/cgi-bin/fw.cgi (for example, for my installation, I browse to http://192.168.1.100/cgi-bin/fw.cgi).
Figure A shows the first Bifrost page you will see.
Figure A
The Bifrost main page
This page includes information showing you the current firewall activity. By clicking on Current Traffic Status, you will get output similar to the following.
This tells you that a TCP connection has been established from 172.16.1.51 (my workstation) to 172.16.1.235 (the server running Bifrost) on port 80. This makes sense, because I have a Web connection to Bifrost.
Bifrost also includes an Interface Statistics And Status option, which, for my installation, yields the results in Figure B.
Figure B
Interface statistics
Adding rules is also easier with Bifrost than from the iptables command line. By clicking on incoming rules and adding a new rule, I can set up my iptables implementation to accept both SMTP and Web traffic.
Figure C shows an example.
Figure C
Adding a rule to allow Web and SMTP traffic
An overview with a list of rules is also available. Figure D shows an example from the Bifrost demo site (since my testing server only has one interface).
Figure D
An overview of the iptables rules in Bifrost
Overview
Here is a brief look at what can be done with Bifrost:
- Dropping—You can add rules that override all other rule sets to drop the traffic specified. This is useful if you want to block access to a specific range of IP addresses.
- Incoming Traffic—You can manage traffic coming from the outside to the inside of your network. This is useful when you have mail or Web servers behind your firewall.
- Outgoing Traffic—You can manage traffic leaving your network. For example, don't want your users using IM? Add a rule to drop it by blocking the outgoing IM traffic.
- Manage Interfaces—You can add or remove interfaces on your server.
- Manage NAT—You can add NAT rules to or remove them from your server.
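The iptables commands behind these rule categories, and behind the Figure C rule that admits Web and SMTP traffic to a server inside, as an added example rather than code from Bifrost or the article. It is a dry-run rule generator: the interface names (eth0 outside, eth1 inside), the blocked network, the inside server address and the ports are assumptions for illustration. With IPT unset it only prints the commands it would run; as root, IPT=iptables applies them.

```shell
#!/bin/sh
# Added example, not Bifrost's own code: the iptables commands behind the
# rule categories Bifrost exposes (dropping, incoming, outgoing, NAT) plus the
# Figure C rule allowing Web and SMTP to a server behind the firewall.
# With IPT unset the commands are printed for review; IPT=iptables (as root)
# loads them. Interface names, addresses and ports below are assumptions.

IPT=${IPT:-"echo iptables"}
EXT=${EXT:-eth0}   # outside interface (assumed)
INT=${INT:-eth1}   # inside interface (assumed)

# Stateful baseline: default-deny, loopback allowed, replies to permitted
# connections pass. "-m state" is the match iptables 1.2.x shipped with.
baseline() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The Bifrost Web interface itself, reachable only from the inside.
    $IPT -A INPUT -i "$INT" -p tcp --dport 80 -m state --state NEW -j ACCEPT
}

# Dropping: sources that must never get in, added before any ACCEPT so they
# override every other rule set, as Bifrost's Dropping category does.
drop_rules() {
    for net in "$@"; do
        $IPT -A INPUT -i "$EXT" -s "$net" -j DROP
        $IPT -A FORWARD -i "$EXT" -s "$net" -j DROP
    done
}

# Incoming: new TCP connections from outside to a server behind the firewall.
# "incoming_rules 192.168.1.10 25 80" is the Figure C "allow Web and SMTP" rule.
incoming_rules() {
    dst=$1; shift
    for port in "$@"; do
        $IPT -A FORWARD -i "$EXT" -o "$INT" -p tcp -d "$dst" --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
}

# Outgoing: drop a service leaving the network, e.g. an IM port.
outgoing_block() {
    for port in "$@"; do
        $IPT -A FORWARD -i "$INT" -o "$EXT" -p tcp --dport "$port" -j DROP
    done
}

# NAT: masquerade inside hosts behind the outside address and forward
# external ports to inside servers, given as PORT DESTINATION pairs.
nat_rules() {
    $IPT -t nat -A POSTROUTING -o "$EXT" -j MASQUERADE
    while [ $# -ge 2 ]; do
        $IPT -t nat -A PREROUTING -i "$EXT" -p tcp --dport "$1" \
            -j DNAT --to-destination "$2"
        shift 2
    done
}

# A complete rule set in the order the categories must be applied:
# flush, baseline, drops first, then incoming, outgoing, NAT.
build_ruleset() {
    $IPT -F
    $IPT -t nat -F
    baseline
    drop_rules 203.0.113.0/24          # assumed blocked range (documentation net)
    incoming_rules 192.168.1.10 25 80  # assumed mail/Web server on the inside
    outgoing_block 5190                # assumed IM port (AOL Instant Messenger)
    nat_rules 80 192.168.1.10:80 25 192.168.1.10:25
}

build_ruleset
```

Because the drop rules are appended before the ACCEPT rules, a source in the blocked range never reaches the incoming or NAT rules, which is the override behaviour the Dropping category describes; the printed list can be compared line by line against what Bifrost's overview page shows.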
Summary
Bifrost can help to take the pain out of managing an iptables implementation by adding a GUI front end to the process. Keep in mind that version 0.9 is the first public release, so this product is still being developed. In addition, there is very little documentation, so you'll need to go at it on your own for the most part. I am sure that once a final release date gets closer, a manual will be added. In the meantime, Bifrost still provides good functionality for configuring iptables.