date: 2014-08-29
Inline Linux Firewall For Those Rare Occasions
1.0 Purpose
2.0 Installation and Configuration
    Details
    Install Ubuntu with SSH
    Adding scripts to clean up archived log files to prevent disk exhaustion
    Installing Tivoli Storage Manager
3.0 Administration using Firewall Builder
Figure 1 - Firewall Builder GUI
Figure 2 - Push Policy Step 1
Figure 3 - Push Policy Step 2 Compiling Rules
Figure 4 - Policy Push Step 3 Deploying Files
1.0 Purpose
The purpose of this document is to describe the steps taken to install the operating system and to configure it to the point that it can be put into service as an inline firewall. The implementation relies on Rapid Spanning Tree Protocol to prevent network loops, since there are two nodes for the sake of redundancy; this can make it a bit finicky (be sure to connect the network on one node at a time, leaving an interval before proceeding with the other node).
2.0 Installation and Configuration
Details
OS: Ubuntu 12.10
Server: IBM 3650 M4, 1 GB RAM
UFW1 IP: 192.168.52.241
UFW2 IP: 192.168.52.242
Install Ubuntu with SSH
First, install Ubuntu with SSH from CD and set the local account to sadmin.
~# apt-get update
~# apt-get upgrade
~# apt-get install bridge-utils ethtool ssh traceroute conntrackd vrrpd snmp ipset ifenslave-2.6 vlan
~# nano /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto em2
iface em2 inet dhcp
auto em3
iface em3 inet dhcp
auto em4
iface em4 inet dhcp

# Management IP
auto em5
iface em5 inet static
    address 172.16.52.242
    netmask 255.255.255.0
    gateway 172.16.52.254

# Setup of bridged ports. Each bridge pairs one port from each NIC and
# carries no IP address of its own. The member ports are raised by the
# bridge_ports option; the "auto brN" lines (added here, they were
# missing from the original file) make ifup -a create the bridges at boot.
auto p1p1
iface p1p1 inet manual
iface p1p2 inet manual
iface p1p3 inet manual
iface p1p4 inet manual
auto p2p1
iface p2p1 inet manual
iface p2p2 inet manual
iface p2p3 inet manual
iface p2p4 inet manual

auto br0
iface br0 inet manual
    bridge_ports p1p1 p2p1
auto br1
iface br1 inet manual
    bridge_ports p1p2 p2p2
auto br2
iface br2 inet manual
    bridge_ports p1p3 p2p3
auto br3
iface br3 inet manual
    bridge_ports p1p4 p2p4
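Before running ifup -a on a node it is worth checking that every bridge in /etc/network/interfaces can actually come up. The script below is an added example (not part of the original runbook); it parses an interfaces file with awk and reports bridges that lack an "auto" line or that name a member port with no iface stanza, using a constructed sample that mirrors the br0/br1 stanzas above.

```shell
#!/bin/sh
# Added example, not from the original runbook. For every stanza carrying
# bridge_ports it reports (a) a bridge with no "auto" line, which ifup -a
# would silently skip at boot, and (b) a member port with no
# "iface <port> inet manual" stanza, which the bridge cannot enslave.
# Prints one line per finding; exit status 0 = clean, 1 = findings.
check_bridges() {                       # usage: check_bridges <interfaces-file>
    awk '
    $1 == "auto"         { for (i = 2; i <= NF; i++) auto[$i] = 1 }
    $1 == "iface"        { cur = $2; defined[$2] = 1 }
    $1 == "bridge_ports" {
        nb++; br[nb] = cur
        for (i = 2; i <= NF; i++) members[cur] = members[cur] " " $i
    }
    END {
        bad = 0
        for (n = 1; n <= nb; n++) {
            b = br[n]
            if (!(b in auto)) { print b ": no \"auto " b "\" line"; bad = 1 }
            k = split(members[b], m, " ")
            for (j = 1; j <= k; j++)
                if (!(m[j] in defined)) {
                    print b ": member " m[j] " has no iface stanza"; bad = 1
                }
        }
        exit bad
    }' "$1"
}

# Constructed sample mirroring the runbook's br0/br1 stanzas, with the
# "auto br1" line and the p2p2 stanza deliberately left out.
write_sample() {                        # usage: write_sample <path>
    cat > "$1" <<'EOF'
auto p1p1
iface p1p1 inet manual
iface p1p2 inet manual
auto p2p1
iface p2p1 inet manual
auto br0
iface br0 inet manual
    bridge_ports p1p1 p2p1
iface br1 inet manual
    bridge_ports p1p2 p2p2
EOF
}

# Run the check on the sample (expect two findings, both on br1).
tmp=$(mktemp); write_sample "$tmp"
check_bridges "$tmp" || echo "fix the file before running ifup -a"
rm -f "$tmp"
```

Run it against the real file with `check_bridges /etc/network/interfaces` after sourcing the script; a clean file produces no output and exit status 0.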
~# nano /etc/sysctl.conf
Search for this line and uncomment it so that it reads:
net.ipv4.ip_forward=1
~# mkdir /etc/fw
~# nano /etc/init.d/firewall
#!/bin/sh
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $network
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: start and stop the Firewall
### END INIT INFO
opts="start stop restart"
bin=/etc/fw/rc.firewall.local      # rule script loaded on start
trapped_log=/var/log/trapped.log
traf_log=/var/log/traffic.log
case "$1" in
start)
    # Load the rule set
    $bin
    ;;
stop)
    # Flush every table and set all policies to ACCEPT: the bridges keep
    # passing traffic, now unfiltered, until the rule set is reloaded.
    /sbin/iptables --flush
    /sbin/iptables -t nat --flush
    /sbin/iptables -F -t mangle
    /sbin/iptables -P INPUT ACCEPT
    /sbin/iptables -P OUTPUT ACCEPT
    /sbin/iptables -P FORWARD ACCEPT
    /sbin/iptables -t nat -P POSTROUTING ACCEPT
    /sbin/iptables -t nat -P PREROUTING ACCEPT
    /sbin/iptables -t nat -P OUTPUT ACCEPT
    ;;
restart)
    "$0" stop
    "$0" start
    ;;
*)
    echo "Usage: $0 {$opts}" >&2
    exit 1
    ;;
esac
exit 0
~# chmod +x /etc/init.d/firewall
~# update-rc.d firewall defaults
~# nano /etc/rsyslog.conf
Append the following to the end of the file:
*.* @172.16.52.156:514
~# sudo su
~# passwd
Adding Scripts to clean up archived log files to prevent disk exhaustion
Ubuntu uses anacron, so you can drop scripts into the /etc/cron.[hourly | daily | monthly] folders.
I created a script called clean-archived-logs and chmod 777'd this file. The contents are:
#!/bin/sh
# Remove rotated (gzipped) logs so /var/log cannot fill the disk.
# Abort if the cd fails, so rm never runs in some other directory.
cd /var/log || exit 1
rm -f *.gz
I then symlinked this into the hourly folder for testing.
Installing Tivoli storage manager
Original source = http://enterprisetechieblog.wordpress.com/2013/05/12/tsm-v6-4-client-on-ubuntu/#comments
IBM does not officially support Ubuntu, but we can install a few extra packages to translate the installer across. Run the following commands:
# apt-get install ksh libstdc++5 alien
Transfer across and unpack the official download:
# tar -xvf 6.4.0.7-TIV-TSMBAC-LinuxX86.tar
Run alien on the RPMs, which creates a .deb for each package; dpkg then installs them:
alien -k gskcrypt64-8.0.14.14.linux.x86_64.rpm
alien -k gskssl64-8.0.14.14.linux.x86_64.rpm
alien -k TIVsm-API64.x86_64.rpm
alien -k TIVsm-BA.x86_64.rpm
dpkg -i *.deb
Link the libraries:
ln -s /opt/tivoli/tsm/client/api/bin64/libgpfs.so /lib/
ln -s /opt/tivoli/tsm/client/api/bin64/libdmapi.so /lib/
ln -s /usr/local/ibm/gsk8_64/lib64/libgsk8cms_64.so /lib/
ln -s /usr/local/ibm/gsk8_64/lib64/libgsk8ssl_64.so /lib/
ln -s /usr/local/ibm/gsk8_64/lib64/libgsk8sys_64.so /lib/
ln -s /usr/local/ibm/gsk8_64/lib64/libgsk8iccs_64.so /lib/
ln -s /opt/tivoli/tsm/client/lang/EN_US /opt/tivoli/tsm/client/ba/bin/
Now you should be ready to set up the TSM config files and proceed normally.
Configure your dsm.opt & dsm.sys + your scheduler and so forth – then you are
Modify /opt/tivoli/tsm/client/ba/bin/dsm.sys.smp and save it as dsm.sys; do the same for dsm.opt.smp, remembering to drop the .smp suffix.
dsm.sys:
************************************************************************
* Tivoli Storage Manager *
* *
* Sample Client System Options file for UNIX (dsm.sys.smp) *
************************************************************************
* This file contains the minimum options required to get started
* using TSM. Copy dsm.sys.smp to dsm.sys. In the dsm.sys file,
* enter the appropriate values for each option listed below and
* remove the leading asterisk (*) for each one.
* If your client node communicates with multiple TSM servers, be
* sure to add a stanza, beginning with the SERVERNAME option, for
* each additional server.
************************************************************************
SErvername Site-A
COMMMethod TCPip
TCPPort 1500
TCPServeraddress 172.16.52.165
dsm.opt:
************************************************************************
* Tivoli Storage Manager *
* *
* Sample Client User Options file for UNIX (dsm.opt.smp) *
************************************************************************
* This file contains an option you can use to specify the TSM
* server to contact if more than one is defined in your client
* system options file (dsm.sys). Copy dsm.opt.smp to dsm.opt.
* If you enter a server name for the option below, remove the
* leading asterisk (*).
************************************************************************
SErvername Site-A
* A server name defined in the dsm.sys file
3.0 Administration using firewall builder
First, install Firewall Builder 5.1.
You can find the policy at \\nasserver2\techsupport\Network Infrastructure\Inline Firewalls\Policy CDS.fwb
Once you have opened FWBuilder and loaded the policy (see Figure 1 - Firewall Builder GUI), you can begin editing the rules by going to Clusters > UFW > Policy. If you're familiar with Check Point, you will be very comfortable with this interface.
Once you've finished editing, you need to push the policy: click the 'Install' icon.
When you click Next it will begin compiling the rules; if no errors are detected you can move on. Compiling can take up to 5 minutes. Click Next once it has finished.
You will then be prompted for the password for each firewall in turn. Enter the details and click Install. Note that if you get the password wrong you will not be notified; it will just sit there doing nothing. Deploying the files only takes a minute.
Figure 1 - Firewall Builder GUI
Figure 2 - Push Policy Step1
Figure 3 - Push Policy Step2 Compiling Rules
Figure 4 - Policy Push Step3 Deploying Files