Installation guide
Requirements
- Linux kernel >2.4 (2.6 recommended) with appropriate netfilter modules available
- Iptables >1.4 with iptables-save and iptables-restore binaries
- Sudo >1.6 privileges escalation tool
- PHP5 >5.1 without safe-mode and with sessions support
- Smarty >2.6 PHP templates processing framework
- Web server with PHP5 support (Apache2 recommended)
- Web browser with JavaScript and cookies enabled (Firefox3 recommended)
Configuration
This application is web-based, so you need to identify the user your web server runs as in order to grant it the proper permissions.
That user varies with your Linux distribution and web server: www-data, apache, www, etc.
- Extract the archive to the web directory
  - tar -xzf archive.tar.gz
- Grant permissions to the web user
  - chown -R www-data:www-data
- Edit the sudo configuration
  - visudo or edit /etc/sudoers
  - Grant the web user root privileges to execute the Iptables binaries; the trailing wildcard also matches iptables-save and iptables-restore, which the application needs
root ALL = (ALL) ALL
www-data ALL = (root) NOPASSWD: /sbin/iptables*
- Edit the application configuration file
  - edit inc/config.inc.php
  - Define display preferences and the system paths to the binaries
define('DEBUG', true);
define('LANG', 'en');
define('COLOR', 'white');
define('TITLE', 'Iptables Firewall Administration');
define('SMARTY_DIR', '/usr/share/php/smarty/libs/');
define('HTML_DIR', '/var/www/firewall/');
define('SUDO', '/usr/bin/sudo ');
define('IPTABLES', SUDO .'/sbin/iptables');
define('IPTABLES_SAVE', SUDO .'/sbin/iptables-save');
define('IPTABLES_RESTORE', SUDO .'/sbin/iptables-restore');
define('IFCONFIG', '/sbin/ifconfig -a');
define('NETSTAT', '/bin/netstat -n -t -u');
define('ARP', '/usr/sbin/arp -a -n');
define('UNAME', '/bin/uname -s -n -r -m -o');
define('UPTIME', '/usr/bin/uptime');
define('CPUINFO', '/bin/cat /proc/cpuinfo');
define('MEMINFO', '/bin/cat /proc/meminfo');
- Secure your web directory!
  - Bind the web server to local addresses only
  - Create appropriate firewall rules to restrict connections
  - Enable server-embedded user authentication (.htaccess)
Caution
Back up your current Iptables configuration before running the application. Even though the most common rules and options are supported and will be imported automatically, some specific parameters may be lost in the process. Note that no modification is made until you actually commit a new configuration, so pay close attention to the first run.
User guide
Networking and Iptables
Networking basics (TCP/IP, routing, NAT) and security notions are required to go through the configuration process. NSPM will automatically generate Iptables rules according to your settings, but it will not set up a secure network if your security policy is not well thought out. Also, if you are not familiar with Iptables internals such as tables and chain traversal, which are out of the scope of this documentation, you should first take a look at this great tutorial:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
http://www.linux-france.org/prj/inetdoc/guides/iptables-tutorial/