At first rampart used webmin for its firewall, but I decided to go a different way with it. Since I had to scour the internet looking for webmin firewall/router information, and I already had the documentation for it, I decided to put the documentation here for anyone who might need it.
There are several tutorials out there for installing webmin on Ubuntu. In a nutshell…
sudo apt-get install -y libnet-ssleay-perl libauthen-pam-perl libio-pty-perl perl5
sudo wget http://prdownloads.sourceforge.net/webadmin/webmin_1.530_all.deb
sudo dpkg -i webmin_1.530_all.deb
Webmin will set up our routing for us. Go to Webmin -> Network -> Network Interfaces, then the Routing and Gateways icon.
Under Default Router tick “None (or from DHCP)”; more than likely your ISP uses DHCP. Be certain eth0 is the interface specified.
Webmin -> Network -> Network Interfaces, Routing and Gateways icon, Active configuration tab.
Verify that the interfaces entered above are present and that the default route looks right and is assigned to the correct interface. Notice that the destination networks are associated with the correct interface, and that there is only one default gateway. I suppose one could have more than one default gateway, but we aren’t covering that in this tutorial.
Test: Perform a connectivity test by plugging a device into an interface (with a mini switch) and assigning it a static IP in that range (because we haven’t configured DHCP yet). In the example above, using eth2, I plugged in a device and gave it the IP 192.168.3.19 and the gateway 192.168.3.1. Then ping the gateway, and try pinging other IPs. Because we haven’t configured our firewall yet, we only need to worry if the gateway ping fails.
Webmin modifies the /etc/network/interfaces file, but it may not set it up exactly the way you’ll need. My interfaces file was missing a valid gateway entry. That is why we edited the interfaces file manually. Besides, it is quicker to copy and paste than it is to point and click for each interface.
Webmin Linux Firewall
Webmin -> Networking -> Linux Firewall, and initialize the firewall. Go ahead and choose allow/accept as the default setting. I didn’t get any screenshots or notes on this step; it is pretty straightforward. But before you start configuring your rules, get on your console and type
sudo cp /etc/iptables.up.rules /etc/iptables.up.rules.original
and should you screw something up, you can go back to a clean slate by typing
sudo mv /etc/iptables.up.rules.original /etc/iptables.up.rules
sudo shutdown -r now
Back in webmin, setting up the rules is kind of figure-it-out-as-you-go. Click the Add Rule button and poke around. Just don’t hit the Apply Configuration button until you have it set the way you want it. There are lots of good configuration tutorials on the internet, but don’t sweat it: I’m going to cover what you need to get this router/firewall/filter with WAP up and running.
Hint: iptables rules are read from top to bottom. Each packet that comes in is compared to the first rule, then the second, and so on until it is accepted or dropped. The last line should always be a drop-all, so a desired packet or connection needs to match an accept rule somewhere above that drop rule.
Hint: If you get a setup that you like and want to save your work before you keep editing, go back to your console and type
sudo cp /etc/iptables.up.rules /etc/iptables.up.rules.bk.X
where X is the version number. That way you can easily restore a particular version with
sudo cp /etc/iptables.up.rules.bk.X /etc/iptables.up.rules && sudo shutdown -r now
Webmin Linux Firewall – INPUT
Notice it says “addressed to this host”: these are connections attempted to the machine we are currently configuring, not data that is being routed or passed through to another system. If the first 2 lines are missing, then you have just locked yourself out of your box over webmin and ssh, and you’ll be sitting at the console doing the mv command explained above. The last line is the security line that says, basically, if no other condition is met, drop this packet. Also set the “default action” to drop by adjusting the drop-down box and then clicking the button. I don’t know why there are 2 methods of assigning a default action, but let’s cover all bases and do both.
Webmin Linux Firewall – FORWARD
Webmin Linux Firewall – Outgoing
There is nothing to configure here. It is probably ok to leave this with no rules and the default action set to accept. There is no reason to fear this server sending unwanted packets out.
Webmin Linux Firewall – Routing
In order for the routing (configured in webmin’s interfaces and routing sections) to work, we need to tell the firewall to masquerade packets. Go to Webmin → Linux Firewall. Select Network Address Translation from the drop-down list and, if needed, click “Show IPTable”. You only need to modify the “Packets After Routing (POSTROUTING)” section. I want all segments to be able to route to all other segments. If I wanted to make eth3 invisible to the other eths, that could be done, but it isn’t in the scope of this tutorial.
Filtering – OpenDNS
We want to force all internal users to use the OpenDNS servers, even if they have admin on their computers and change their DNS settings to something else. The firewall can redirect the DNS requests so they go to our OpenDNS account, and that forces them through our OpenDNS filtering.
It has come to my attention that webmin does not give much detail in the Action setting. Usually this isn’t a problem; so far the Action has just been drop, accept or masq. But here we are doing something more complex with the action, and webmin isn’t showing us what it is. It just says Destination NAT. When that happens I’ll edit the image to include the information from the “Chain Actions Details” pane, and I will try to highlight those changes in a red box on the screenshot. It makes for a butchered-looking picture, but it will help clarify what is going on.
Be sure that these rules are above any drop rules that may break it.
Note: OpenDNS is not 100% foolproof. It won’t block anyone from using an IP address to access a blocked site. But this is a great start for filtering.
Filtering – Squid
Squid can be installed from webmin by clicking on Un-used Modules and then “squid proxy server”. This installs version 2.7 stable, while squid is currently at version 3.x. Why? The package name changed: the package squid is anything under 3, and squid3 is, well, squid3. So we are going to install squid3 from the Ubuntu repos and then configure webmin to use squid3.
If you haven’t already installed the module, you may need to do so, which will install squid 2.7. After installing the module we want to remove any instances of squid.
sudo apt-get purge -y squid && sudo apt-get autoremove -y
This is going to break our squid webmin module, but the module will still be waiting and tell you “The Squid executable squid does not exist. If you have Squid installed, adjust your module configuration to use the correct path.” The words “module configuration” are a hyperlink; click on it. You should have installed squid3 already. If not, go back to the command line and run
sudo apt-get install -y squid3
then go back to the webmin module configuration and make it look like this.
If there is another way to get to module configuration, you can do that too. Be sure to remove squid and keep squid3.
The squid configuration can be done from webmin, but since we have a simple configuration change, it is easiest to copy and paste it from the command line.
sudo mv /etc/squid3/squid.conf /etc/squid3/squid.conf.original
sudo nano /etc/squid3/squid.conf
and paste in the following
http_port 3128 transparent
acl our_networks src 10.0.0.0/8
acl localnet src 127.0.0.1/255.255.255.255
acl malware_block_list url_regex -i "/etc/squid3/malware_block_list.txt"
acl porn_block_list url_regex -i "/etc/squid3/blacklists/porn/urls"
http_access deny malware_block_list
http_access deny porn_block_list
http_access allow our_networks
http_access allow localnet
cache_dir ufs /var/spool/squid3 4000 16 256
Note: The first number in cache_dir (4000, aka 4 Gigs, in this example) is the maximum size of the web cache. Depending on your hard drive size and how much caching you want to do, you should edit this setting.
Note: you can employ more lists than those specified here. The blacklists (to be downloaded below) contain many more lists. You can use a list by adding an appropriate acl and http_access deny for each list you want to use. For now, let’s stick to the ones I’ve suggested. I’m only using these 2 lists because I want to protect the children and the computers, but I don’t want to disrupt other users’ surfing.
We are using squid for added filtering. We want to filter porn, spam and malware. We will use the lists of bad sites provided by the free services malware portal and Squid Guard & MESD. Squid will check these lists before allowing the connections.
sudo nano /etc/squid3/getlists.sc
paste in the following
#!/bin/sh
cd /etc/squid3 || exit 1
wget -O /etc/squid3/malware_block_list.txt "http://malware.hiperlinks.com.br/cgi/submit?action=list_squid"
wget -O blacklists.tgz "BLACKLISTS_TGZ_URL"
rm -Rf blacklists
tar -xf blacklists.tgz
squid3 -k reconfigure
Warning: the wget lines may have been word wrapped by your browser; each wget command must be on a single line. The download address for the blacklists tarball is not reproduced in this post, so replace the BLACKLISTS_TGZ_URL placeholder with it before running the script.
sudo chmod +x /etc/squid3/getlists.sc
sudo crontab -e
and add the line
1 1 * * * /etc/squid3/getlists.sc
This will download the newly updated lists every day.
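The getlists.sc above has one quiet failure mode: if the list server is down, or hands back an HTML error page, the cron job overwrites the live list with junk and then tells squid3 to reload it. What follows is an added example, not the post’s own script, that does the same daily update but downloads each list to a temporary file, checks it, and only then moves it into place, so a bad night leaves yesterday’s list in service. The address of the blacklists tarball is not given in the post, so BLACKLISTS_URL is a placeholder; everything else (paths under /etc/squid3, the blacklists/porn/urls layout the squid.conf above expects) comes from the post.

```shell
#!/bin/sh
# Added example, not the post's own getlists.sc: fetch the malware list and the
# blacklists tarball into temporary files, validate them, and only then replace
# what squid3 is currently using.
# Assumption: the blacklist tarball address is not given on the page;
# BLACKLISTS_URL below is a placeholder to fill in before use.

SQUID_DIR=${SQUID_DIR:-/etc/squid3}
MALWARE_URL="http://malware.hiperlinks.com.br/cgi/submit?action=list_squid"
BLACKLISTS_URL="http://BLACKLIST-HOST-PLACEHOLDER/blacklists.tgz"

# promote_list CANDIDATE DEST [MIN]: install CANDIDATE as DEST only if it looks
# like a real list: at least MIN (default 10) non-blank lines and no HTML, which
# is what a captive portal or an error page from the list server would give us.
# Returns 1 and leaves DEST untouched otherwise.
promote_list() {
  cand=$1; dest=$2; min=${3:-10}
  [ -s "$cand" ] || return 1
  [ "$(grep -c '[^[:space:]]' "$cand")" -ge "$min" ] || return 1
  if grep -qi '<html' "$cand"; then return 1; fi
  mv "$cand" "$dest"
}

# fetch_list URL DEST: download URL beside DEST and promote it if it checks out.
fetch_list() {
  url=$1; dest=$2; tmp="$dest.tmp.$$"
  wget -q -O "$tmp" "$url" || { rm -f "$tmp"; return 1; }
  promote_list "$tmp" "$dest" || { rm -f "$tmp"; return 1; }
}

# install_blacklists TARBALL DIR: unpack into a scratch directory, make sure the
# porn/urls file squid.conf points at is really there, then swap the whole tree
# in one move so squid never reloads a half-extracted directory.
install_blacklists() {
  tarball=$1; dir=$2; scratch="$dir.new.$$"
  rm -rf "$scratch"; mkdir -p "$scratch"
  tar -xf "$tarball" -C "$scratch" || { rm -rf "$scratch"; return 1; }
  [ -s "$scratch/blacklists/porn/urls" ] || { rm -rf "$scratch"; return 1; }
  rm -rf "$dir"
  mv "$scratch/blacklists" "$dir"
  rm -rf "$scratch"
}

# Daily update: a failed fetch is logged (cron mails stderr) and the old list stays.
main() {
  cd "$SQUID_DIR" || return 1
  fetch_list "$MALWARE_URL" "$SQUID_DIR/malware_block_list.txt" \
    || echo "getlists: malware list not updated, keeping the old one" >&2
  tmp="$SQUID_DIR/blacklists.tgz.$$"
  if wget -q -O "$tmp" "$BLACKLISTS_URL" && install_blacklists "$tmp" "$SQUID_DIR/blacklists"; then
    :
  else
    echo "getlists: blacklists not updated, keeping the old tree" >&2
  fi
  rm -f "$tmp"
  squid3 -k reconfigure
}

# Usage: getlists.sc run   (the functions can also be sourced and used alone)
if [ "${1:-}" = "run" ]; then main; fi
```

If you use this in place of the original script, the crontab line becomes `1 1 * * * /etc/squid3/getlists.sc run`. The thresholds in promote_list are deliberately loose (ten non-blank lines, no `<html` tag); they are there to catch an empty or error-page download, not to judge the list’s content.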
Now we have a functional squid3 proxy server running and able to do list-based filtering. It isn’t actually filtering anything yet; in fact, it isn’t even receiving any traffic until we configure our firewall to direct traffic to it. Quick, back to the webmin firewall!
At this point you may be asking, “Why do I have to keep going back to the webmin firewall?” Well, I broke this tutorial down into ‘modules’ so that it may be easier to implement one feature at a time, or to leave some features out entirely, and still have a sturdy router without a bunch of open holes.
Help decoding the picture: the section highlighted in green is the rules we created earlier for OpenDNS port redirection and has nothing to do with squid. The sections highlighted in red are the Actions that webmin isn’t giving us much detail on, as explained above. The pertinent information from the “Chain and Action Details” pane has been copied and pasted into the red boxes under the appropriate rule.
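The rules this tutorial builds click by click, gathered into one file. This is an added example and not the post’s own /etc/iptables.up.rules: it writes the INPUT, FORWARD, POSTROUTING masquerade, OpenDNS redirect and squid redirect rules described in the sections above in iptables-restore format, and runs the top-to-bottom check from the earlier hint (nothing placed after a chain’s drop-all can ever match) before printing anything. The OpenDNS resolver 208.67.222.222, ssh on tcp/22, webmin on tcp/10000 and squid3 on tcp/3128 are assumptions, not values taken from the post’s screenshots.

```shell
#!/bin/sh
# Added example, not code from the original post: the ruleset the post builds
# through the webmin Linux Firewall pages, as an iptables-restore file that can
# be reviewed and diffed before "Apply Configuration", plus the ordering check
# from the top-to-bottom hint.
# Assumptions not taken from the page: OpenDNS resolver 208.67.222.222, ssh on
# tcp/22, webmin on tcp/10000, squid3 on tcp/3128 (the http_port in squid.conf).

WAN=eth0
LAN="eth1 eth2 eth3"
OPENDNS=208.67.222.222

# build_rules WAN "LAN IFACES": print the full ruleset in iptables-restore format.
build_rules() {
  wan=$1; lan=$2
  echo '*nat'
  echo ':PREROUTING ACCEPT [0:0]'
  echo ':POSTROUTING ACCEPT [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  for i in $lan; do
    # Filtering - OpenDNS: every DNS query from the LAN is rewritten to OpenDNS,
    # whatever resolver the client has configured locally
    echo "-A PREROUTING -i $i -p udp --dport 53 -j DNAT --to-destination $OPENDNS"
    echo "-A PREROUTING -i $i -p tcp --dport 53 -j DNAT --to-destination $OPENDNS"
    # Filtering - Squid: plain HTTP from the LAN lands on the transparent proxy
    echo "-A PREROUTING -i $i -p tcp --dport 80 -j REDIRECT --to-ports 3128"
  done
  # Routing: masquerade everything that leaves on the WAN interface
  echo "-A POSTROUTING -o $wan -j MASQUERADE"
  echo 'COMMIT'
  echo '*filter'
  echo ':INPUT DROP [0:0]'
  echo ':FORWARD DROP [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  # INPUT: the lines that keep ssh and webmin reachable come before the drop-all
  echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
  echo '-A INPUT -i lo -j ACCEPT'
  for i in $lan; do
    echo "-A INPUT -i $i -p tcp --dport 22 -j ACCEPT"
    echo "-A INPUT -i $i -p tcp --dport 10000 -j ACCEPT"
    # redirected port-80 traffic is now "addressed to this host" on 3128
    echo "-A INPUT -i $i -p tcp --dport 3128 -j ACCEPT"
    # lets the gateway ping from the connectivity test succeed
    echo "-A INPUT -i $i -p icmp --icmp-type echo-request -j ACCEPT"
  done
  echo '-A INPUT -j DROP'
  # FORWARD: every LAN segment may reach the others and the internet; from the
  # WAN side only replies to existing connections come back in
  echo '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
  for i in $lan; do
    echo "-A FORWARD -i $i -j ACCEPT"
  done
  echo '-A FORWARD -j DROP'
  echo 'COMMIT'
}

# check_order CHAIN: read a ruleset on stdin and fail if CHAIN has any rule
# after its catch-all "-A CHAIN -j DROP", because such a rule can never match.
check_order() {
  chain=$1; seen_drop=0; bad=0
  while read -r a c j t rest; do
    [ "$a" = "-A" ] && [ "$c" = "$chain" ] || continue
    [ "$seen_drop" = 1 ] && bad=1
    [ "$j" = "-j" ] && [ "$t" = "DROP" ] && seen_drop=1
  done
  [ "$bad" = 0 ]
}

# count_rules CHAIN: number of -A lines for CHAIN on stdin, handy when reviewing.
count_rules() {
  grep -c "^-A $1 "
}

# Validate every chain that ends in a drop-all, then print the ruleset.
main() {
  rules=$(build_rules "$WAN" "$LAN")
  for chain in INPUT FORWARD; do
    printf '%s\n' "$rules" | check_order "$chain" || {
      echo "$chain has a rule after its catch-all drop" >&2; return 1; }
  done
  printf '%s\n' "$rules"
}

# Usage: sh rampart-rules.sh emit > /tmp/iptables.candidate
if [ "${1:-}" = "emit" ]; then main; fi
```

Saved as, say, rampart-rules.sh, it is run with `sh rampart-rules.sh emit > /tmp/iptables.candidate`; compare the result against what webmin wrote with `diff /etc/iptables.up.rules /tmp/iptables.candidate`, and load it with `sudo iptables-restore < /tmp/iptables.candidate` from the console only, since a mistake in INPUT locks you out exactly as described above. One line the screenshots may not make obvious: once port 80 is redirected to 3128, that traffic is addressed to this host, so INPUT needs an accept for tcp/3128 from the LAN or the proxy test below will time out even with squid running.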
After this, get behind the squid proxy with a computer and access the web to be certain it loads. Then go back to your webmin and stop squid (it takes a while; this is normal) and try to reload the same site. It should time out because squid is dead. Now go back to webmin, start squid again and reload the page. It should load. You have just proved that you are going through the proxy and are at its mercy.
Now try to go to a blocked porn or malware site. Because of your high moral quality you may not know what sites to try; you could peek in the supplied files for a list of sites to try. Squid should stop you.
Here is an nmap webmin scanner. It doesn’t do the network scan, but can scan a single host with verbose output.