maemo.org - Talk

maemo.org - Talk (https://talk.maemo.org/index.php)
-   Applications (https://talk.maemo.org/forumdisplay.php?f=41)
-   -   [Announce] genwall a simple iptables firewall (https://talk.maemo.org/showthread.php?t=85444)

Halftux 2012-07-11 22:06

[Announce] genwall a simple iptables firewall
 
5 Attachment(s)
Genwall for N900

Hi all,

This application was born out of boredom due to the loss of DSL connection.
I used the N900 as my router; the poor bandwidth forced me to do local stuff on my computer, like programming.

In 2012 the version 1.0.0 took part in the coding competition. http://wiki.maemo.org/Maemo.org_Coding_Competition_2012

Genwall started in principle as an iptable firewall script generator. These days it can do a bit more.
It is very useful if you want to route or forward to another network.

The generated firewall script is based on this example:
http://www.debuntu.org/iptables-how-...et-connection/
The same chains are defined there, but with genwall you can choose logging or not.

- creating connections with Wlan-ad-hoc, USB, BT
- you can activate forwarding from internet from and to any device
- set your firewall script, open ports, forwarding ports
- gives network and iptables information
- you can modify start scripts or the firewall script by yourself with an editor
- it can read syslog file


requirements:
- you need to start application as root
- sysklogd (only if you want to enable logging)


All files genwall creates are in "/home/user/.genwall/".
[local->basics]
"gen" button = generates firestart.sh
"start" button = runs the script
"stop" button = generates and runs firestop.sh script

First steps would be:
Choose your "WAN-device" (local->basics) and your "LAN-device" (for/out->forward)
and generate your script. After this you can start it to set the firewall up.

Solid scripts you will find in /opt/genwall/
These scripts are based on forum members and applications,
maybe you want to add something

bt_on.sh (route->BT: start button)
bt_off.sh (route->BT: stop button)
hotspot.sh (route->Wifi: adhoc button)
hotspot_off.sh (route->Wifi: adhoc button)
wifi.sh (route->Wifi: wifi start/stop button)
ssh-status.sh (local->SSH: start/stop button)
usb_on.sh (route->USB: start button)
usb_off.sh (route->USB: stop button)
usbmodule.sh (route->USB: module 3x button)

Install help

extract genwall_help_vx.x.tar.gz to /home/user/.genwall/


Install and configure sysklogd for use with genwall

Make persistent bootfile

Domain filter and iptable blacklist

Download an Ad-domain list

Linux Bluetooth PAN connection and internet sharing

Windows Bluetooth PAN connection and internet sharing


For more screenshots and little description go to:

http://www.setius.net/n900_genwall.html

Have fun generating your rules. Comments are welcome.


Old requirements:
- you need to start application as root
- iptables of course
- sudser (only if you want to start with desktop icon) no more needed since v1.0.1
- rootsh for gainroot no more needed since version 1.0.4
- sysklogd (only if you want to enable logging)

Old Deb file v0.0.2 by sifo:)

For N900 the application is in extras-devel now.
For N9(50) the application is in a very experimental stage.
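To make the gen/start/stop idea above concrete, here is an added example (not genwall's own code) of a minimal generator in the same spirit: it writes a firestart.sh for one WAN device and one LAN device, with optional logging of dropped packets, plus the matching firestop.sh. Chain names and the rule layout are my own assumptions, not the debuntu template genwall follows.

```sh
#!/bin/sh
# Added example, not genwall's own code: a minimal "gen"-style generator.
# Chain names and rule layout are assumptions, not genwall's template.

# gen_firestart WAN LAN LOG -> prints the firewall script on stdout
#   WAN: interface facing the internet (e.g. gprs0)
#   LAN: interface you share the connection with (e.g. wlan0, usb0, bnep0)
#   LOG: "yes" to log dropped packets to the kernel log (needs sysklogd)
gen_firestart() {
    wan=$1; lan=$2; log=$3
    drop_target=DROP
    if [ "$log" = yes ]; then drop_target=LOGDROP; fi
    cat <<EOF
#!/bin/sh
# generated by the example generator (constructed)
IPT=iptables
# flush first so the script can be re-run safely (e.g. from a boot hook)
\$IPT -F
\$IPT -t nat -F
\$IPT -X
# default policies: drop what is not explicitly allowed
\$IPT -P INPUT DROP
\$IPT -P FORWARD DROP
\$IPT -P OUTPUT ACCEPT
EOF
    if [ "$log" = yes ]; then
        cat <<EOF
# LOGDROP: log at kern.warning (rate limited), then drop
\$IPT -N LOGDROP
\$IPT -A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "fw-drop: " --log-level warning
\$IPT -A LOGDROP -j DROP
EOF
    fi
    cat <<EOF
# loopback and replies to connections the phone opened
\$IPT -A INPUT -i lo -j ACCEPT
\$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the LAN side may talk to the phone; anything new from the WAN side is dropped
\$IPT -A INPUT -i $lan -j ACCEPT
\$IPT -A INPUT -i $wan -j $drop_target
# share the WAN connection with the LAN (masquerade)
echo 1 > /proc/sys/net/ipv4/ip_forward
\$IPT -A FORWARD -i $lan -o $wan -j ACCEPT
\$IPT -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
\$IPT -A FORWARD -j $drop_target
\$IPT -t nat -A POSTROUTING -o $wan -j MASQUERADE
EOF
}

# gen_firestop -> prints the "stop" script: flush everything, accept all
gen_firestop() {
    cat <<'EOF'
#!/bin/sh
IPT=iptables
$IPT -F; $IPT -t nat -F; $IPT -X
$IPT -P INPUT ACCEPT; $IPT -P FORWARD ACCEPT; $IPT -P OUTPUT ACCEPT
EOF
}

# write_scripts DIR WAN LAN LOG: write firestart.sh and firestop.sh into DIR
# (genwall uses /home/user/.genwall); root-only mode since they drive iptables
write_scripts() {
    dir=$1
    mkdir -p "$dir"
    gen_firestart "$2" "$3" "$4" > "$dir/firestart.sh"
    gen_firestop > "$dir/firestop.sh"
    chmod 700 "$dir/firestart.sh" "$dir/firestop.sh"
    echo "$dir/firestart.sh"
}

# usage: sh gen.sh [WAN] [LAN] [yes|no]  -> prints the start script
gen_firestart "${1:-gprs0}" "${2:-wlan0}" "${3:-no}"
```

The start script flushes before it adds anything, so running it twice (or from a boot hook) does not stack duplicate rules; the LOG rule is rate limited so a flood of dropped packets cannot fill the root partition through syslog.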

misterc 2012-07-11 22:22

Re: [Announce] genwall a simple iptables firewall
 
Quote:

Originally Posted by Halftux (Post 1236304)
Hi folks,

one week without internet at home and I started to write an iptables generator with simple firewall functions. [...]

unbelievable how much time you find yourself with without I-Net, huh ;) :p :D

thanks!

going to install it on test dev & let you know how it works; usually only use
Code:

tcpsvd -vE 0.0.0.0 21 ftpd -w /media/mmc1/
to exchange files between the two N900s or to sync backup on PC.
if that behaves / works on test dev i'll give it a try on primary & test "Qt Mobile Hotspot" as well

may take a couple days, though :o

D@vIcHoJD 2012-07-12 16:35

Re: [Announce] genwall a simple iptables firewall
 
Excuse my ignorance, how do I run or install the script?

misterc 2012-07-12 17:08

Re: [Announce] genwall a simple iptables firewall
 
Quote:

Originally Posted by D@vIcHoJD (Post 1236617)
Excuse my ignorance, how do I run or install the script?

genwall_v0.0.1_binary_armel.tar.gz contains the compiled, ready-to-run genwall executable.
on windoooooz use 7zip to unpack it
  • copy it into /usr/sbin, e.g. after copying it over from your PC to [N900]
  • open an X-Terminal
  • Code:

    root
    mv /home/user/MyDocs/genwall /usr/sbin
    chmod 755 /usr/sbin/genwall
    genwall &
    exit
    exit

you only need to do mv and chmod the 1st time
after that simply become root & start it

imo 2012-07-12 17:11

Re: [Announce] genwall a simple iptables firewall
 
I am gonna test it as soon as I get back home. Thanks, been waiting for such kinda thing for long. Great stuff

D@vIcHoJD 2012-07-12 17:50

Re: [Announce] genwall a simple iptables firewall
 
Thank you very much, it works without problems :)

Halftux 2012-07-12 23:09

Re: [Announce] genwall a simple iptables firewall
 
Quote:

Originally Posted by misterc (Post 1236635)
you only need to do mv and chmod the 1st time
after that simply become root & start it

Thank you misterc for explaining. And sorry for my poor explanation. This application is atm a prerelease so only binary. I think it will grow in the future to a deb package and will get a shortcut:)

However, you can also run it as user; the script that will be generated from the application uses gainroot to execute iptables.
I don't know if, when you run it the first time as root, it is still working as user. It could be that after executing it as root the first time the user doesn't have the rights to the created directory and script. I will look and report.

And sorry for using windows shame on me. For linux I need to install the designer I have only installed the scratchbox environment.

@imo you are welcome. I wanted such application too and makes me happy that it is also useful for other people.

@D@vIcHoJD good to hear.

sifo 2012-07-12 23:27

Re: [Announce] genwall a simple iptables firewall
 
thank you Halftux for this useful app :) btw the UI reminds me of fAircrack :-D

jackburton 2012-07-13 01:49

Re: [Announce] genwall a simple iptables firewall
 
What's the UI created with? Qt or GTK? What's the control for the buttons/tabs on the left?

misterc 2012-07-13 03:43

Re: [Announce] genwall a simple iptables firewall
 
Quote:

Originally Posted by Halftux (Post 1236821)
Thank you misterc for explaining. And sorry for my poor explanation. This application is atm a prerelease so only binary. I think it will grow in the future to a deb package and will get a shortcut:)

However, you can also run it as user; the script that will be generated from the application uses gainroot to execute iptables.
I don't know if, when you run it the first time as root, it is still working as user. It could be that after executing it as root the first time the user doesn't have the rights to the created directory and script. I will look and report.

And sorry for using windows shame on me. For linux I need to install the designer I have only installed the scratchbox environment.

@imo you are welcome. I wanted such application too and makes me happy that it is also useful for other people.

@D@vIcHoJD good to hear.

Halftux,

thank you for the clarification.
however, if the executable is in /usr/sbin only root (or the system) will actually be able to start it
if the user should be able to start it as well, put it in /usr/bin
you still need to be root to place it there.
alternatively, as it doesn't have any location related dependencies (good coding ;)) put it anywhere where user has access and start it with absolute path (e.g. /home/user/MyDocs/genwall or ./genwall )

personally i feel a firewall belongs in /usr/sbin

Halftux 2012-07-13 12:55

Re: [Announce] genwall a simple iptables firewall
 
Quote:

Originally Posted by sifo (Post 1236823)
thank you Halftux for this useful app :) btw the UI reminds me of fAircrack :-D

Hehe yes, the idea with the two tabs comes from fAircrack, but I used C++ and Qt. As far as I know fAircrack is PyQt.

Quote:

Originally Posted by jackburton
What's the UI created with? Qt or GTK? What's the control for the buttons/tabs on the left?

It is created with Qt. The left buttons are from a tab widget oriented to the west.

Quote:

Originally Posted by misterc
personally i feel a firewall belongs in /usr/sbin

Yeah you are right. Btw is it possible when launching an application with a button, that you will get asked for a root password and executing it as root like in real debian?

sifo 2012-07-13 21:13

Re: [Announce] genwall a simple iptables firewall
 
Quote:

Btw is it possible when launching an application with a button, that you will get asked for a root password and executing it as root like in real debian?
yes it is possible to set a password like smscon does, I don't know how, but you may get the source if available or ask Saturn :)

Estel 2012-07-13 22:51

Re: [Announce] genwall a simple iptables firewall
 
In smscon it isn't password for root, it's smscon-editor internal password.
---

Yupi, finally iptables GUI! Keeping my thumbs for this project :)

/Estel

sifo 2012-07-14 05:18

Re: [Announce] genwall a simple iptables firewall
 
Quote:

Originally Posted by Estel (Post 1237223)
In smscon it isn't password for root, it's smscon-editor internal password.
---

Yupi, finally iptables GUI! Keeping my thumbs for this project :)

/Estel

If this is aimed at me :p I know they are not the same passwords! But I thought he meant to put a password in his application and gave debian packages as an example, hehe. Never mind, the important thing is Halftux knows what to do :)

./sifo

misterc 2012-07-14 10:02

Re: [Announce] genwall a simple iptables firewall
 
Quote:

Originally Posted by Halftux (Post 1237003)
[...]
Yeah you are right. Btw is it possible when launching an application with a button, that you will get asked for a root password and executing it as root like in real debian?

HAM & FAM (The App Managers) call upon apt-Co, so it is possible
i'm an app & command line system admin and @ home i'm an openSUSE user blissfully unaware of any sys admin tasks if i can help it
and if not YaST takes care of most things :D :cool:

maybe the author of FAM can point you in the right direction?

PS: maybe you should drop the "simple" from the topic? with all the options already lined up you are aiming @ more than simple ;)

misterc 2012-07-14 11:13

Re: [Announce] genwall a simple iptables firewall
 
oky doky...
hope you didn't burn up your AT&T long distance calling card yet ;) :D
Code:

BusyBox v1.20.1 (Debian 1.20.1power2) built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ $ root


BusyBox v1.20.1 (Debian 1.20.1power2) built-in shell (ash)
Enter 'help' for a list of built-in commands.

Nokia-N900:~# cat /usr/share/applications/hildon/fapman.desktop
[Desktop Entry]
Encoding=UTF-8
Version=1.0
Type=Application
Name=Faster Application Manager
Exec=fapman.launch
Icon=fapman
X-Osso-Type=application/x-executable
X-Osso-Service=org.maemo.faster_application_manager
Categories=System;

Nokia-N900:~# cat /usr/bin/fapman.launch
#!/bin/sh
exec sudo /usr/bin/run-standalone.sh /usr/bin/fapman
Nokia-N900:~# exit
~ $ exit

i'll let you discover the output of
Code:

Nokia-N900:~# find / -iname '*fapman*' >/media/mmc1/find_fapman.txt
yourself :eek:
scary what's needed for a nice app :confused:

PS: obviously you need to be root as well for the find to return something meaningful...

Halftux 2012-07-14 15:38

Re: [Announce] genwall a simple iptables firewall
 
@misterc really nice find thank you I will have a look into it.:)

Halftux 2012-07-14 15:40

Re: [Announce] genwall a simple iptables firewall
 
New version v0.0.2 out now see first post.
I wanted to make a new release more complete but since I found a decent bug I decided to upload a new binary.

It is now a Linux-conforming tar.gz

Sifo will release a deb soon only an icon decision needs to be done. Thanks for your support.


Changelog v0.0.2
- removed add forward port bug
- removed load bug listwidget gets cleared before loading
- improved local port handling
- added function extra rules
- added function clear all to listwidgets
- added pidof syslogd, klogd
- added notifications for start, stop, gen (the firestop.sh script needs to be deleted to take effect of notification change)

sifo 2012-07-14 16:31

Re: [Announce] genwall a simple iptables firewall
 
:D building the deb file is nothing :) im sure 75 % of maemo community members can do it ;)

Halftux 2012-07-14 16:47

Re: [Announce] genwall a simple iptables firewall
 
Quote:

Originally Posted by sifo (Post 1237467)
:D building the deb file is nothing :) im sure 75 % of maemo community members can do it ;)

Yes but you are supporting me and I will save some time :)

Halftux 2012-07-15 13:20

Re: [Announce] genwall a simple iptables firewall
 
If somebody wants to have a look into a log file before the next release, I will give a small howto.

Install sysklogd and edit config file:

Code:

sudo gainroot
apt-get install sysklogd
vi /etc/syslog.conf

comment out (to prevent filling up the root):

Code:

#*.*;auth,authpriv.none                -/var/log/syslog
add:

Code:

kern.warning                        /home/user/.genwall/iptables.log
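As an added example (not genwall's own code) of the howto above, this script applies the two edits to a syslog.conf idempotently and then lists where the active selectors send their messages, so you can check the result before restarting syslogd. Run it on a copy first; the real target is /etc/syslog.conf and needs root. The sample configuration it builds is constructed.

```sh
#!/bin/sh
# Added example, not genwall's own code: comment out the catch-all syslog
# selector and add a kern.warning line, the way the howto above describes.

# configure_iptables_log CONF LOGFILE
#   CONF:    path to a syslog.conf
#   LOGFILE: where kern.warning messages (iptables LOG output) should go
configure_iptables_log() {
    conf=$1; logfile=$2
    tmp=$(mktemp)
    # 1) comment out the catch-all line that would also copy every kernel
    #    message into /var/log/syslog on the small root partition
    sed 's|^\(\*\.\*;auth,authpriv\.none[[:space:]]\)|#\1|' "$conf" > "$tmp"
    # 2) append the kern.warning selector, but only once
    if ! grep -q "^kern\.warning[[:space:]].*$logfile" "$tmp"; then
        printf 'kern.warning\t\t\t%s\n' "$logfile" >> "$tmp"
    fi
    cat "$tmp" > "$conf"      # keep the original file's permissions
    rm -f "$tmp"
}

# active_targets CONF: print the target of every uncommented selector line
active_targets() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF >= 2 { print $NF }'
}

# make_sample_conf: write a constructed two-line syslog.conf, print its path
make_sample_conf() {
    f=$(mktemp)
    printf 'auth,authpriv.*\t\t\t/var/log/auth.log\n' > "$f"
    printf '*.*;auth,authpriv.none\t\t-/var/log/syslog\n' >> "$f"
    echo "$f"
}

# usage: sh syslog-setup.sh CONF [LOGFILE]
if [ $# -ge 1 ]; then
    configure_iptables_log "$1" "${2:-/home/user/.genwall/iptables.log}"
    active_targets "$1"
fi
```

Because the catch-all line is only commented, not deleted, you can restore the default later by removing the `#` again; the kern.warning line is matched before it is appended, so running the script twice leaves one line.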

Halftux 2012-09-02 19:28

Re: [Announce] genwall a simple iptables firewall
 
New version out now! Major update.

Changelog v1.0.0
- Layout changes
- removed button bugs
- removed syslog related pid bug
- removed listwidget add bug no double item
- added syslog handler
- added log view
- added filter options for log view
- added extra rule creator for log view
- added icmp handling
- added filter view
- added nat view
- added output handling
- added root password Authentication
- added add/remove gateway
- added dns resolv
- added runtime add rule for log view and lo ports
- added runtime remove rule for filter view
- added save & load function for widget option


I think I need to write a manual. Screenshots and description will be updated soon.
Genwall will take part in the coding competition 2012 and will be uploaded to extras next days.

Halftux 2012-09-08 21:01

Re: [Announce] genwall a simple iptables firewall
 
The package is uploaded to extras-devel. Added more screenshots.

To use the icon from application browser you need to have sudser installed.

sifo 2012-09-08 21:09

Re: [Announce] genwall a simple iptables firewall
 
Isn't it better to add a "genwall.sudoers" in "/etc/sudoers.d/"?
here is an example for the bnf.sudoers file
Code:

user ALL = NOPASSWD: /usr/sbin/bnf.sh
and then you can remove the sudo from the desktop file ;)
I really don't know the difference but this is what all devs are doing :D
Great job dude

./sifo

Halftux 2012-09-08 21:46

Re: [Announce] genwall a simple iptables firewall
 
Quote:

Originally Posted by sifo (Post 1263346)
Isn't it better to add a "genwall.sudoers" in "/etc/sudoers.d/"?
here is an example for the bnf.sudoers file
Code:

user ALL = NOPASSWD: /usr/sbin/bnf.sh
and then you can remove the sudo from the desktop file ;)
I really don't know the difference but this is what all devs are doing :D
Great job dude

./sifo

Thank you for the hint I didn't know that. I will dig into it.

peterleinchen 2012-09-09 20:27

Re: [Announce] genwall a simple iptables firewall
 
Quote:

Originally Posted by sifo (Post 1263346)
Isn't it better to add a "genwall.sudoers" in "/etc/sudoers.d/"?

Yes.

Quote:

Originally Posted by sifo (Post 1263346)
and then you can remove the sudo from the desktop file ;)
I really don't know the difference but this is what all devs are doing

No.

Quote:

Originally Posted by Halftux (Post 1263344)
To use the icon from application browser you need to have sudser installed.

Nope, if you follow sifo's first hint. Put a genwall.sudoers file into /etc/sudoers.d with content
Code:

user ALL = NOPASSWD: /usr/sbin/genwall
or
Code:

user ALL = NOPASSWD: /opt/genwall/bin/genwall
or wherever your binary/link lives.
And then call 'update-sudoers' in the postinstall script.
This will allow the user to execute genwall with sudo rights without entering a password. You still need to call it with sudo from desktop file as well as from command line.
Sudser just adds a * to sudoers (not my security-preferred thing, but easy for lazy) ...

sifo 2012-09-09 20:33

Re: [Announce] genwall a simple iptables firewall
 
@peterleinchen

sorry, i missed that :D
Thanks

./sifo

Halftux 2012-09-09 20:49

Re: [Announce] genwall a simple iptables firewall
 
Quote:

Originally Posted by peterleinchen (Post 1263881)
Nope, if you follow sifo's first hint. Put a genwall.sudoers file into /etc/sudoers.d
And then call update 'update-sudoers' in postinstall script.
This will allow the user to execute genwall with sudo rights without entering a password. You still need to call it with sudo from desktop file as well as from command line.
Sudser just adds a * to sudoers (not my security-preferred thing, but easy for lazy) ...

Thank you for shedding some light on this matter. What do you think about the file location? Move the binary to opt or make a symlink?

peterleinchen 2012-09-09 20:55

Re: [Announce] genwall a simple iptables firewall
 
I did not take a look into your sources/binaries, but in general put all stuff to opt and just put a symlink to /usr/sbin/genwall (so there is no 'or' in your question ;)).

Halftux 2012-12-21 02:00

Re: [Announce] genwall a simple iptables firewall
 
Released an experimental version for N9(50). See deb in first post.

- load iptable modules and run genwall as root or developer

If somebody knows how to tweak the logging for syslog in PR1.2 let me know.
At the moment I try to figure out what is possible with N950; the stock kernel modules are poor.

disappear 2013-02-24 14:37

Re: [Announce] genwall a simple iptables firewall
 
Hi to all, maybe this is off topic but I have to try to ask. I want to block traffic to facebook from n900 to my laptop. The command which I use is:
Quote:

iptables -t nat -I PREROUTING -i wlan0 -m tcp -p tcp -d www.facebook.com --dport 443 -j DROP
but i have still access to facebook site,maybe i should try first with:
echo "1" > ... and then arpspoof ....
and finally with iptables ......

then I decided to block all traffic with:
Quote:

iptables -F
iptables -A INPUT -j REJECT
iptables -A OUTPUT -j REJECT
iptables -A FORWARD -j REJECT
but again no result

one more try to drop all incoming connections on a specific network interface with:
Quote:

iptables -A INPUT -i wlan0 -s 192.168.0.0/16 -j DROP
no result
if anyone of you made some progress with these tools, let's share it

info about commands for iptables from here
http://linuxconfig.org/collection-of...iptables-rules

independent 2014-01-30 19:40

Re: [Announce] genwall a simple iptables firewall
 
Hi, sorry if I've missed this.. But I can't see how this will automatically start at boot. My settings don't seem to be saved after exit (and saving) either. It seems easiest to save the iptables rules and then start at boot with an upstart script perhaps.

Halftux 2014-01-31 11:24

Re: [Announce] genwall a simple iptables firewall
 
Quote:

Originally Posted by independent (Post 1409872)
Hi, sorry if I've missed this.. But I can't see how this will automatically start at boot. My settings don't seem to be saved after exit (and saving) either. It seems easiest to save the iptables rules and then start at boot with an upstart script perhaps.

This function is not implemented at the moment. The save function saves only the settings of the application.

- I will add an option to load iptables rules at startup for the next release

Halftux 2014-02-01 16:02

Re: [Announce] genwall a simple iptables firewall
 
1 Attachment(s)
Ok, the next update 1.0.3 should be available soon.

Under local->settings there is some checkbox for iptables persistence reboot...

If this checkbox is enabled and you push the "gen" button, to generate your rules, another file will be created in /etc/network/if-up.d/iptables. This will automatically run your rules file.

To delete this file you can use the "delete boot file" button.
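As an added example (not genwall's own boot file), here is a generator for a hook of the kind described above, /etc/network/if-up.d/iptables, that re-applies the generated rules script when an interface comes up. It assumes the hook runs with the interface name in IFACE, as ifupdown's if-up.d mechanism does; the hook content and the dummy rules script used to exercise it are constructed.

```sh
#!/bin/sh
# Added example, not genwall's own code: a boot hook for
# /etc/network/if-up.d that runs the rules script only for the WAN device.
# Assumes IFACE is set by the caller (ifupdown convention).

# gen_boot_file RULES WAN -> prints the hook script
#   RULES: the firewall script to run (genwall's firestart.sh)
#   WAN:   only react when this interface comes up; if-up.d scripts run for
#          every interface (lo included), so the guard keeps the rules from
#          being re-applied several times per boot
gen_boot_file() {
    cat <<EOF
#!/bin/sh
# constructed example hook: run by the if-up.d mechanism with \$IFACE set
[ "\$IFACE" = "$2" ] || exit 0
[ -x "$1" ] || exit 0
exec "$1"
EOF
}

# install_boot_file DIR RULES WAN: write the hook into DIR (normally
# /etc/network/if-up.d) and make it executable. The name has no dot
# because run-parts, which ifupdown uses, skips file names containing one.
install_boot_file() {
    mkdir -p "$1"
    gen_boot_file "$2" "$3" > "$1/iptables"
    chmod 755 "$1/iptables"
    echo "$1/iptables"
}

# simulate_ifup HOOK IFACE: run the hook the way the if-up.d caller would
simulate_ifup() {
    IFACE=$2 sh "$1"
}

# usage: sh bootfile.sh [RULES] [WAN] -> prints the hook
gen_boot_file "${1:-/home/user/.genwall/firestart.sh}" "${2:-gprs0}"
```

The "delete boot file" button in the post maps to removing the hook again; because the rules script flushes before adding rules, a hook that fires on reconnects is harmless, while a hook without the IFACE guard would run the script for lo and every other interface too.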

sixwheeledbeast 2014-02-01 22:35

Re: [Announce] genwall a simple iptables firewall
 
Did you see my comments on http://maemo.org/packages/package_in...genwall/1.0.2/

peterleinchen 2014-02-01 22:54

Re: [Announce] genwall a simple iptables firewall
 
Yep, second that.
And a nice little tiny desktop file would be nice (it is a GUI not cli).

Halftux 2014-02-03 09:40

Re: [Announce] genwall a simple iptables firewall
 
Quote:

Originally Posted by sixwheeledbeast (Post 1410371)
Could you please tidy up the unnecessary files in the package and modify the packages not to depend on rootsh. You should use a sudoers.d file if it requires root. Thank you.

You mean unnecessary files from deb package?
I really tried all methods to gain root access, also with a sudoers.d file.
However, I open some shell sessions and also call some scripts from the main application, and when I used sudoers.d it can start genwall as root but every new session is not a root session. I will look into my application; maybe there is another way to open a sub session as root.

I think rootsh is also required because I ask for a root password at startup. No rootsh no password or am I wrong?

Halftux 2014-02-03 09:47

Re: [Announce] genwall a simple iptables firewall
 
Quote:

Originally Posted by peterleinchen (Post 1410374)
Yep, second that.
And a nice little tiny desktop file would be nice (it is a GUI not cli).

I think I shouldn't update my application and need to remove before reinstall. I didn't know that it has no desktop file.:confused:

It should have a desktop file under network, which runs a script in
/opt/genwall/genwall_desk.sh

Thanks for the input.

peterleinchen 2014-02-03 21:46

Re: [Announce] genwall a simple iptables firewall
 
Hey halftux,

what kind of problems with the sudoers file did you run into?
In general you put a file with all your desired applications and scripts into /etc/sudoers.d and run update-sudoers once from the postinstall script. Then you are able/allowed to call that app with 'sudo /opt/genwall/genwall' and there is no need for "sudoing" like genwall_desktop.sh.
For your new sh sessions IDK, but you are safe to move out your desired sh actions into dedicated scripts and add/allow them also in the sudoers file (worked for me. You need to call them then with 'sudo myScript' inside your app). Also you might run the complete GUI as user and only run scripts needing root access. Just as a reminder :)
About root password without rootsh I really do not know as it is too long time ago ;)
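The two sudoers.d posts above (peterleinchen's earlier one with the NOPASSWD line and update-sudoers, and this one about splitting root actions into dedicated scripts) describe the same fragment. As an added example, not genwall's, sudser's or Maemo's own code, this script writes such a narrow fragment, one exact path per allowed script, and lints a fragment for the catch-all rule peterleinchen warns about. All file contents here are constructed; on Maemo you still run update-sudoers after installing the fragment.

```sh
#!/bin/sh
# Added example, not genwall's or Maemo's code: write a narrow sudoers.d
# fragment and lint fragments for catch-all or wildcard commands.

# write_fragment FILE USER CMD [CMD...]: one NOPASSWD line, exact paths only
write_fragment() {
    out=$1; who=$2; shift 2
    list=
    for c in "$@"; do
        list="${list:+$list, }$c"
    done
    printf '%s ALL = NOPASSWD: %s\n' "$who" "$list" > "$out"
}

# lint_fragment FILE: return 0 when every rule names absolute paths only;
# print each finding and return 1 otherwise. Comments and blank lines skip.
lint_fragment() {
    rc=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        # command list: after the last ':' (tag form) or after '=' otherwise
        case $line in *:*) cmds=${line##*:} ;; *) cmds=${line#*=} ;; esac
        old_ifs=$IFS; IFS=,
        set -f                       # no globbing while splitting on ','
        for c in $cmds; do
            # drop a leading "(runas)" spec and surrounding whitespace
            c=$(printf '%s' "$c" | sed 's/^[[:space:]]*([^)]*)//;s/^[[:space:]]*//;s/[[:space:]]*$//')
            case $c in
                ALL)       echo "catch-all: any command allowed in: $line"; rc=1 ;;
                *\**|*\?*) echo "wildcard in command: $c"; rc=1 ;;
                /*)        ;;       # absolute path: what we want
                *)         echo "relative command (PATH lookup): $c"; rc=1 ;;
            esac
        done
        set +f
        IFS=$old_ifs
    done < "$1"
    return $rc
}

# usage: sh sudoers-lint.sh FILE
if [ $# -eq 1 ]; then lint_fragment "$1"; fi
```

Two caveats worth knowing when reusing this beyond Maemo: `visudo -c -f FILE` checks the fragment's syntax, which this linter does not, and stock sudo's #includedir ignores file names that contain a dot, so the genwall.sudoers naming only works where update-sudoers merges the fragments for you.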

Halftux 2014-02-04 16:54

Re: [Announce] genwall a simple iptables firewall
 
@peterleinchen

I am sorry, I removed everything and installed the deb again and every time I get a desktop file. I can't reproduce your situation.

Do you have these files?:

/usr/share/icons/hicolor/64x64/apps/genwall.png
/usr/share/application/hildon/genwall.desktop


And rootsh is not needed for setting a root password. I think when I bought this phone I didn't know that it has a default root password, and I read somewhere that when you install the openssh server you can set a root password. I mixed up openssh with rootsh. So I will try to optimize my script calls and Qt console calls so that they will work with sudoers.d, and remove rootsh.

