knetfilter 1.0.0

Created by Luigi Genoni, venom@DarkStar.sns.it
Version 1.0.0


1. Introduction

2. Usage

3. The Menus

4. FAQ

5. Thanks



1. Introduction

Welcome to knetfilter. This application manages netfilter rules. knetfilter gives you the option to close a port to the rest of your network or to the internet. There is a list of the most commonly exploited ports later. There is probably some Qt and KDE guru out there who thinks this application sucks, or that the code is poor. I have to say that I am not a very good coder; the knetfilter code may be poor and/or bad, but it works (here anyway). As a model I took kfirewall, which was good for its own purpose, but I tried to make it possible to manage all the common things that everyone would like to do with their own firewall. I also added an interface to tcpdump, to make it possible to manage security issues seriously. The main aims of this application are to be useful, easy to understand and easy to develop further.

This application has been designed to be used not only with a LAN, but also with ppp, slip and isdn connections, in case someone would like to connect more than one computer to the internet through his modem. This is an inheritance from kfirewall that I am happy to keep.

The possibility to save the port settings and to reload them is already implemented, but in reality it does not work, since iptables lacks those commands. Right now I am waiting for the netfilter guys to implement this possibility as it was for ipchains.

2. Usage

2.1 Configuration

All you have to do is to select your network interface and to insert your ethernet IP address and your netmask. You can find these options at the bottom left of the application.
Once the network interface has been selected, the "probe interface" button makes knetfilter try to autodetect the IP address and the netmask. The network interface you choose will be the one on which the packet filter operates.

3. The Menus

3.1 Add/delete rules

The TablesPolicy menu allows you to manage the packet filter.


Add rule will block the port you have specified in the port input. Delete rule will open the port you have specified, provided that port is currently blocked. You can choose between tcp, udp, both tcp and udp, or icmp packets.
You can select the source port from another network or address and/or the destination port on your local interface.


If you are filtering icmp packets, then you can use either the number or the name in the "ICMP Type:" field. It is important to choose the chain you want to manipulate and the policy of the rule you are going to insert.


To set up a complete netfilter, you can choose an external address or network to filter. The netmask box is optional when you want to filter a full class C network around a particular network IP address.


"Define Tables Chain policy" allows you to change the general policy of a chain; choose Commit to enable your setting.


"Flush iptables rules" is used to flush all the rules, to get a clean and fresh start.
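The following is an added example and not knetfilter's own code: it shows the iptables command that an "Add rule" or "Delete rule" entry of the TablesPolicy menu corresponds to (protocol, port or ICMP type, chain, rule policy, optional external address and netmask), built as a string rather than executed, so that a rule can be read and checked before it is committed. The function names, the argument order and the class C default for a missing netmask are assumptions of this example; only the destination port is handled, the source port option of the menu is left out.

```shell
#!/bin/sh
# Added example, not knetfilter's own code. Builds the iptables command for
# one rule of the TablesPolicy menu without running it. Names and argument
# order are assumptions.
#
# build_rule ACTION CHAIN PROTO PORT TARGET [SRC [NETMASK]]
#   ACTION : add | delete        (-A appends the rule, -D deletes it)
#   CHAIN  : INPUT | OUTPUT | FORWARD
#   PROTO  : tcp | udp | icmp
#   PORT   : destination port, or the ICMP type (number or name) for icmp
#   TARGET : DROP | ACCEPT       (the "policy" of the rule)
#   SRC    : optional external address or network to filter
#   NETMASK: optional; when omitted a full class C (255.255.255.0) is assumed
build_rule() {
    action=$1 chain=$2 proto=$3 port=$4 target=$5 src=$6 mask=$7
    case $action in
        add)    flag=-A ;;
        delete) flag=-D ;;
        *)      echo "build_rule: unknown action '$action'" >&2; return 1 ;;
    esac
    cmd="iptables $flag $chain -p $proto"
    if [ -n "$src" ]; then
        # iptables accepts a dotted netmask after the slash
        cmd="$cmd -s $src/${mask:-255.255.255.0}"
    fi
    if [ "$proto" = icmp ]; then
        cmd="$cmd --icmp-type $port"
    else
        cmd="$cmd --dport $port"
    fi
    echo "$cmd -j $target"
}

# "both tcp and udp" in the menu is simply two rules, one per protocol.
# build_rule_both ACTION CHAIN PORT TARGET [SRC [NETMASK]]
build_rule_both() {
    build_rule "$1" "$2" tcp "$3" "$4" "$5" "$6" &&
    build_rule "$1" "$2" udp "$3" "$4" "$5" "$6"
}
```

Calling build_rule add INPUT tcp 23 DROP prints the command that blocks telnet on the managed interface; the same call with delete prints the command that removes exactly that rule again, which is why "Delete rule" only has an effect when the port was blocked with matching settings.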

3.2 NAT Rules

The NatPolicy menu gives access to NAT management.


"Masquerading on" allows all connections from your network to access the internet. The network interface you selected will be considered the output interface for masquerading. Please consider that masquerading alone does not do any packet filtering.


Activating the "Redirections" manager opens a new box, where it is possible to set up the NAT. This is as intuitive as the packet filter, but you are expected to know how NAT works under Linux.
Please remember to choose the right NAT chain.
Choose "Commit" to enable your settings, and then start again.

If you want to set up the NAT Chain general policy, use the "Define NAT Chain policy" entry.
"Flush NAT Rules" will flush all NAT Rules.
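As an added example (not knetfilter's own code), the commands behind "Masquerading on" and one "Redirections" entry, printed instead of executed so they can be reviewed before "Commit". The function names are assumptions, and so is the set of FORWARD-chain rules: the README only says that masquerading by itself does no packet filtering, so this example adds the minimal forwarding rules a practitioner would want next to the NAT rule (LAN hosts may open connections, only replies come back in, everything else is dropped).

```shell
#!/bin/sh
# Added example, not knetfilter's own code. Prints the iptables commands
# for masquerading and for a port redirection. Names are assumptions.
#
# masquerade_cmds OUT_IFACE LAN_NET
#   OUT_IFACE : the interface knetfilter treats as the masquerade output
#   LAN_NET   : the internal network, e.g. 192.168.1.0/24
masquerade_cmds() {
    out=$1 lan=$2
    # Forwarding must be enabled in the kernel or nothing leaves the box.
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    # The NAT rule proper: rewrite the source of packets leaving $out.
    echo "iptables -t nat -A POSTROUTING -o $out -s $lan -j MASQUERADE"
    # Masquerading alone filters nothing. These FORWARD rules (an assumption
    # of this example) let the LAN initiate connections, admit only the
    # replies from outside, and drop the rest; the "! -i" also refuses
    # packets arriving on the outside interface that claim a LAN source.
    echo "iptables -A FORWARD -i $out -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -s $lan ! -i $out -j ACCEPT"
    echo "iptables -P FORWARD DROP"
}

# redirect_cmd IN_IFACE PROTO PORT DEST_ADDR[:DEST_PORT]
#   one "Redirections" entry: connections arriving on IN_IFACE for PORT are
#   sent to an internal host (the PREROUTING chain of the nat table).
redirect_cmd() {
    echo "iptables -t nat -A PREROUTING -i $1 -p $2 --dport $3 -j DNAT --to-destination $4"
}
```

Run masquerade_cmds eth0 192.168.1.0/24 to see the five commands; a redirection such as redirect_cmd eth0 tcp 80 192.168.1.20:8080 still needs a matching FORWARD rule for the internal host, since the default policy above drops what the other rules do not accept.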

3.3 Options

The Options menu gives access to extra functionality.

"List Rules and Masquerading entries" is a brand new option which allows you to view all the current rules in ipchains. You can also see the NAT settings.


"tcpdump" starts the interface to the tcpdump program.

3.4 Probe interface

This is an autoprobe for your eth device, and only the eth device. It will find your IP address and your netmask. If it doesn't get your IP address, then configure it manually. It made no sense to autoprobe other devices. Even though I am supporting them, I intend knetfilter to be used for mission critical Linux firewalls on the network, which in most cases means "lan". Anyway, network address aliases on an interface are not supported. Usually this has no meaning, since aliases are expensive for the system to manage and for a firewall they should never be used. If I am asked, I will see about including them.
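What "probe interface" (sections 2.1 and 3.4) has to work out for an eth device, as an added example that is not knetfilter's own code: the primary IPv4 address and netmask of one interface, parsed from the one-line-per-address output of "ip -o -4 addr show", with aliases such as eth0:1 ignored and a failure status when the device has no address (the case where the README says to configure it by hand). The function reads that output from stdin so it runs on the constructed sample below; the function names and the sample lines are assumptions.

```shell
#!/bin/sh
# Added example, not knetfilter's own code. Parses "ip -o -4 addr show"
# output for one device. Names are assumptions.

# prefix_to_netmask LEN : 24 -> 255.255.255.0, 20 -> 255.255.240.0
prefix_to_netmask() {
    len=$1 mask=""
    for octet in 1 2 3 4; do
        bits=$(( len >= 8 ? 8 : (len > 0 ? len : 0) ))
        len=$(( len - bits ))
        mask="$mask$(( 256 - (1 << (8 - bits)) ))"
        if [ "$octet" -lt 4 ]; then mask="$mask."; fi
    done
    echo "$mask"
}

# probe_iface IFACE < ip-output : prints "ADDRESS NETMASK" for the first
# (primary) address of IFACE. Secondary addresses and aliases come later in
# the output, so they are skipped, as knetfilter does. Returns 1 when the
# device has no address, i.e. when the IP has to be entered manually.
probe_iface() {
    line=$(awk -v dev="$1" '$2 == dev && $3 == "inet" { print $4; exit }')
    [ -n "$line" ] || return 1
    case $line in
        */*) addr=${line%%/*} len=${line#*/} ;;
        *)   addr=$line len=32 ;;   # point-to-point address shown without prefix
    esac
    echo "$addr $(prefix_to_netmask "$len")"
}

# Constructed sample of "ip -o -4 addr show", not captured from a real host.
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.0.5/16 brd 10.0.255.255 scope global secondary eth0:1\       valid_lft forever preferred_lft forever
3: ppp0    inet 203.0.113.7 peer 203.0.113.1/32 scope global ppp0\       valid_lft forever preferred_lft forever'
```

On a real machine the call is ip -o -4 addr show | probe_iface eth0; on the sample, printf '%s\n' "$SAMPLE_IP_OUTPUT" | probe_iface eth0 prints "192.168.1.10 255.255.255.0", and probing eth1 returns 1 with no output.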

3.7 Clear list

This clears the rule list.

4. FAQ

4.1 Troubleshooting

If you get an error message like "iptables died" then something is wrong (hehe). Check whether iptables is in /usr/bin or /usr/local/bin. If not, link iptables from its current location to /usr/bin; you can do this with the command: ln -s <where iptables is located>/iptables /usr/bin/iptables.
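An added example, not knetfilter's own code, of doing the check above before creating any link: it looks for an executable iptables in the two directories the README names plus the sbin directories where distributions normally install it (those extra directories are an assumption of this example), and prints the ln -s command from the README rather than running it, so nothing is linked by mistake.

```shell
#!/bin/sh
# Added example, not knetfilter's own code. Locates iptables and prints the
# link command from the README when it is not where knetfilter looks.
# Function names and the extra sbin directories are assumptions.

# find_tool NAME DIR... : prints the first DIR/NAME that is executable,
# returns 1 when none is found
find_tool() {
    name=$1; shift
    for dir in "$@"; do
        if [ -x "$dir/$name" ]; then
            echo "$dir/$name"
            return 0
        fi
    done
    return 1
}

# check_iptables [DIR...] : with no arguments the usual locations are searched
check_iptables() {
    [ $# -gt 0 ] || set -- /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin
    path=$(find_tool iptables "$@") || {
        echo "iptables not found in: $*" >&2
        return 1
    }
    case $path in
        /usr/bin/iptables|/usr/local/bin/iptables)
            echo "ok: $path" ;;
        *)
            # Present, but not where knetfilter looks: the README's fix.
            echo "ln -s $path /usr/bin/iptables" ;;
    esac
}
```

Run check_iptables with no arguments on the firewall host; it prints either "ok: ..." or the exact ln -s line to run as root.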

4.2 Can knetfilter handle more than one NIC?

I am going to include this, but my first priority was a full implementation of the NAT capabilities.

5. Thanks to

Kim Andre Northeim, kim-nor@online.no

Original author of kfirewall, which I took as a model for my knetfilter.



Luigi Genoni 2000 venom@DarkStar.sns.it