Appendix B - Other systems


B Other systems

Watcher was initially developed on CentOS, a RedHat-style Linux distribution. So all the examples show how things are organized and configured on such a RedHat-style system.

For other Linux distributions like Debian (and its offsprings like Ubuntu) things may be different because the system organization differs.

For instance, the configuration of system services is found on RedHat-style systems below ‘/etc/sysconfig/…’, whereas a Debian-style system keeps it below ‘/etc/default/…’ or somewhere else. Package names may also differ considerably between distributions. For example, what a RedHat-style system delivers in the package ‘iptables-services’ is found in the software repository of a Debian-style system under the package name ‘netfilter-persistent’.

This appendix describes these differences and explains the changes needed for other systems.

 

B.1 Debian

Debian is a top-level distribution style and so sets the guideline for its offsprings like Ubuntu and the offsprings of offsprings like Linux Mint (unsupported by Watcher).

In Debian the counterpart of the ‘iptables-services’ package that loads the initial firewall setup is ‘netfilter-persistent’. So for Watcher to work properly you have to install the ‘netfilter-persistent’ package:

     # apt install netfilter-persistent

A Debian-style system keeps its firewall setup in /etc/iptables/rules.v4. This file must be edited to reflect your situation.

The following can be taken as a starting point:

# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5900 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5901 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5902 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT


You may also include the following ports, if your server provides these services (iptables-restore only accepts comments on lines of their own, so each comment goes on the line before its rule):

# POP
-A INPUT -p tcp -m tcp -m state --dport 110 --state NEW -j ACCEPT
# IMAP
-A INPUT -p tcp -m tcp -m state --dport 143 --state NEW -j ACCEPT
# SMTP/TLS
-A INPUT -p tcp -m tcp -m state --dport 465 --state NEW -j ACCEPT
# SMTP/STARTTLS
-A INPUT -p tcp -m tcp -m state --dport 587 --state NEW -j ACCEPT
# IMAP/TLS
-A INPUT -p tcp -m tcp -m state --dport 993 --state NEW -j ACCEPT
# POP/TLS
-A INPUT -p tcp -m tcp -m state --dport 995 --state NEW -j ACCEPT

 

 

B.2 Ubuntu

Ubuntu is an offspring of Debian, so Ubuntu shares much of the Debian organization. Here we explain the specifics for Ubuntu.

At the time of this writing there was nothing that goes beyond the Debian specifics. So if the Debian specifics are fulfilled, you are done when running Ubuntu.

 

B.3 SuSE

SuSE prefers ‘firewalld’ as its favourite firewall management system. This is definitely a very bad idea.

‘firewalld’ is not a Linux firewall system at all. ‘firewalld’ is a PYTHON wrapper around the native ‘nft’ commands that manage a modern ‘nftables’ kernel firewall. Even worse, SuSE never supplied an ‘iptables-services’ package that loads an xtables firewall configuration with the ‘iptables’ command.

Luckily, SuSE systems have adopted RPM as the software packaging system and keep the system configuration in /etc/sysconfig/... like all RedHat-style systems.

So getting an ‘iptables-services’ package onto a SuSE system is fairly easy with a few tweaks.

Get an ‘iptables-services’ package from any RHEL-style repository, e.g. that of CentOS 8:

https://centos.pkgs.org/8/centos-baseos-x86_64/iptables-services-1.8.4-20.el8.x86_64.rpm.html

(or search http://pkgs.org for a package that fits your needs; the repositories of AlmaLinux 8 and Rocky Linux 8 are both just fine).

Install the downloaded *.rpm into the SuSE system with the ‘--nodeps’ option:

# rpm -ivh --nodeps iptables-services-XXXXXXX.el8.x86_64.rpm

The first ‘service iptables start’ will produce some errors about missing things that must be fixed:

  1. The directory ‘/var/lock/subsys’ must be created:
    # mkdir /var/lock/subsys
  2. The file /etc/init.d/functions is missing and must at least be touched to get rid of the error:
    # touch /etc/init.d/functions
  3. The ‘iptables-services’ script references only two trivial functions from this file; the following text must be inserted exactly as shown into the file /etc/init.d/functions:
    success() { echo "Success"; }
    failure() { echo "Failure"; }
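The three fixes above, carried out in one idempotent script. This is an added example and not part of the Watcher manual; the prefix argument (so the steps can be rehearsed in a scratch directory before touching the live system) and the names prepare_iptables_services, verify_functions_file and FUNCTIONS_STUB are this example's own. An empty /etc/init.d/functions left over from the ‘touch’ step is filled in, a non-empty one is left alone.

```shell
#!/bin/sh
# Added example (not from the Watcher manual): perform the post-install
# fixes for iptables-services on SuSE. $1 is a root prefix: "/" for the
# live system (run as root), or a scratch directory for a rehearsal.
set -e

# Exactly the two functions the iptables-services init script needs.
FUNCTIONS_STUB='success() { echo "Success"; }
failure() { echo "Failure"; }'

# Create /var/lock/subsys and /etc/init.d/functions below the prefix.
# Safe to re-run: an existing, non-empty functions file is kept as is.
prepare_iptables_services() {
    root=${1%/}                      # "/" becomes "", "/x/" becomes "/x"
    mkdir -p "$root/var/lock/subsys"
    if [ ! -s "$root/etc/init.d/functions" ]; then
        mkdir -p "$root/etc/init.d"
        printf '%s\n' "$FUNCTIONS_STUB" > "$root/etc/init.d/functions"
    fi
}

# Source the functions file in a subshell and check that both
# functions are defined and produce the expected output.
verify_functions_file() {
    ( . "$1" && [ "$(success)" = "Success" ] && [ "$(failure)" = "Failure" ] )
}

# Usage: sh prepare-iptables-services.sh /            (live system)
#        sh prepare-iptables-services.sh /tmp/scratch  (rehearsal)
if [ "$#" -eq 1 ]; then
    prepare_iptables_services "$1"
    verify_functions_file "${1%/}/etc/init.d/functions" \
        && echo "iptables-services prerequisites in place below ${1%/}/"
fi
```

Rehearsing against a scratch prefix first shows exactly which files the script creates; only after that is it run against ‘/’.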

 

Finally you just have to edit the ‘iptables’ load file below /etc/sysconfig/... to fit your needs.

# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5900 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5901 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5902 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

 

You may also include the following ports, if your server provides these services (iptables-restore only accepts comments on lines of their own, so each comment goes on the line before its rule):

# POP
-A INPUT -p tcp -m tcp -m state --dport 110 --state NEW -j ACCEPT
# IMAP
-A INPUT -p tcp -m tcp -m state --dport 143 --state NEW -j ACCEPT
# SMTP/TLS
-A INPUT -p tcp -m tcp -m state --dport 465 --state NEW -j ACCEPT
# SMTP/STARTTLS
-A INPUT -p tcp -m tcp -m state --dport 587 --state NEW -j ACCEPT
# IMAP/TLS
-A INPUT -p tcp -m tcp -m state --dport 993 --state NEW -j ACCEPT
# POP/TLS
-A INPUT -p tcp -m tcp -m state --dport 995 --state NEW -j ACCEPT
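Whether the rules file lives in /etc/iptables/rules.v4 (B.1) or below /etc/sysconfig (B.3), the thing to check before loading it is the same: which TCP ports it opens to new connections, whether the INPUT chain still ends in the catch-all REJECT, and whether the table is closed with COMMIT. The following script does these checks on the file alone, so it can run on any host with a POSIX shell, awk and grep; it is an added example and not part of the Watcher manual. The sample rules it writes are constructed for the demonstration (same shape as the starting point above, reduced to SSH and HTTPS, with both option orders the manual uses), and the function names are this example's own. ‘iptables-restore --test’ is a real option of iptables-restore and is only invoked when the binary is present.

```shell
#!/bin/sh
# Added example (not from the Watcher manual): sanity-check an
# iptables-restore style rules file before loading it.
# Needs POSIX sh, awk and grep; iptables-restore is optional.

# Write a constructed sample rules file to $1 (same format as
# /etc/iptables/rules.v4 and the /etc/sysconfig iptables file).
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# HTTPS
-A INPUT -p tcp -m tcp -m state --dport 443 --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Print, one per line, every TCP port the INPUT chain ACCEPTs for NEW
# connections, whichever order the match options are written in.
list_open_tcp_ports() {
    awk '/^-A INPUT / && /-p tcp/ && /--state NEW/ && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--dport") print $(i + 1)
         }' "$1"
}

# Succeed only if the last INPUT rule is a catch-all REJECT or DROP;
# without it the ACCEPT chain policy lets every other packet in.
has_catchall_reject() {
    awk '/^-A INPUT / { last = $0 }
         END { if (last ~ /-j (REJECT|DROP)/) exit 0; exit 1 }' "$1"
}

# Succeed only if the table is closed with COMMIT; without it
# iptables-restore applies nothing.
has_commit() {
    grep -q '^COMMIT$' "$1"
}

# Let iptables-restore parse the file without applying it (needs the
# iptables package and root); skipped when the binary is absent.
check_syntax() {
    if command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test "$1"
    else
        echo "iptables-restore not found, syntax check skipped" >&2
    fi
}

# Usage: sh check-rules.sh /etc/iptables/rules.v4
if [ "$#" -eq 1 ]; then
    check_syntax "$1"
    echo "TCP ports accepting NEW connections:"
    list_open_tcp_ports "$1"
    has_commit "$1" || echo "WARNING: no COMMIT line, nothing would be loaded" >&2
    has_catchall_reject "$1" || echo "WARNING: INPUT chain has no catch-all REJECT/DROP" >&2
fi
```

Running it over the file before ‘netfilter-persistent reload’ or ‘service iptables start’ turns an accidental extra port or a lost REJECT line into a visible warning instead of a silently open host.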