Genwall v1.0.0 for the N900
Genwall is a simple iptables firewall for Maemo fremantle. It generates scripts that will be executed. There is also an option where you can add or remove local ports during runtime.
Follow the Maemo Talk thread: Genwall a simple iptables firewall
Have a look at the pictures and you will see what the application can do.
Activate logging
Netfilter is part of the kernel and its logging goes through syslog, so you need to install sysklogd. After installation you will find the config file in "/etc/syslog.conf". To prevent too much logging from filling up the root filesystem, disable all other logs and enable kernel logging to "/home/user/.genwall":
kern.warning /home/user/.genwall/iptables.log
Requirements
The application itself can be downloaded from extras-devel repository.
- you need to start the application as root
- iptables of course
- sudser (only if you want to start it from the desktop icon), or create a suitable file in "/etc/sudoers.d" (will be fixed in the next version)
- rootsh for gainroot (only if you want to include gainroot in the script)
- sysklogd (only if you want to enable logging)
Screenshots
After starting the application it asks for the system root password.

Here you can set the basic rules. By default all incoming traffic is blocked. You can allow all connections from the local LAN and from the local machine. Under "Local - Ports" you can define ports or a range to be accepted.
All files genwall creates are in "/home/user/.genwall/".
"gen" button = generates firestart.sh
"start" button = runs the script
"stop" button = generates and runs firestop.sh script

Here you can deny or accept ICMP packets coming from WAN, LAN or both. You can also set non-matching ICMP packets to be logged through the firewall chain.

Here you can define ports or a range to be accepted from WAN or LAN. When the firewall script is generated, all listed ports will be accepted.

With "add now" you can open ports during runtime by inserting an INPUT filter rule.
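To make the "gen", "start", "stop" and "add now" steps above concrete, here is an added example in the spirit of genwall's generator. It is not genwall's own code: it prints the iptables commands that a firestart.sh / firestop.sh style script would contain instead of writing and running them, so the result can be read without root. The variable names, the LOGDROP chain, the interface names and the sample port list are assumptions for this example. The LOG target writes at level warning by default, which is what the "kern.warning" selector from the syslog.conf line above picks up; the rate limit keeps the log from filling the root filesystem.

```shell
#!/bin/sh
# Added example (not genwall's own code): a minimal generator in the style of
# genwall's "gen" button. It prints the iptables commands that would make up
# firestart.sh / firestop.sh instead of writing and running them.
# Variable names, the LOGDROP chain and the sample values are assumptions.

WAN_IF="${WAN_IF:-gprs0}"             # assumed WAN interface
LAN_IF="${LAN_IF:-wlan0}"             # assumed LAN interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed local LAN (constructed)
ALLOW_LAN="${ALLOW_LAN:-yes}"         # "allow all from local lan" checkbox
LOCAL_PORTS="${LOCAL_PORTS:-22 80}"   # "Local - Ports" entries; ranges as a:b
ICMP_WAN="${ICMP_WAN:-deny}"          # accept|deny icmp arriving on WAN
ICMP_LAN="${ICMP_LAN:-accept}"        # accept|deny icmp arriving on LAN
LOG_DROPS="${LOG_DROPS:-yes}"         # log everything INPUT drops

# Print one iptables command line; the caller decides where it goes.
rule() { echo "iptables $*"; }

# ICMP policy for one interface. Denied packets go through LOGDROP so that
# non-matching ICMP shows up in the log, as the icmp tab offers.
icmp_rule() {
    if [ "$2" = accept ]; then
        rule -A INPUT -i "$1" -p icmp -j ACCEPT
    else
        rule -A INPUT -i "$1" -p icmp -j LOGDROP
    fi
}

gen_firestart() {
    echo '#!/bin/sh'
    echo '# firestart.sh style: default deny for everything incoming'
    echo 'iptables -N LOGDROP 2>/dev/null'
    rule -F LOGDROP
    rule -F INPUT
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT ACCEPT
    # LOG logs at level warning by default (matches kern.warning in
    # syslog.conf); the limit keeps the log file from filling root.
    echo 'iptables -A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "genwall drop: "'
    rule -A LOGDROP -j DROP
    rule -A INPUT -i lo -j ACCEPT                       # local machine
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    [ "$ALLOW_LAN" = yes ] && rule -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    for p in $LOCAL_PORTS; do                           # Local - Ports
        rule -A INPUT -p tcp --dport "$p" -j ACCEPT
    done
    icmp_rule "$WAN_IF" "$ICMP_WAN"
    icmp_rule "$LAN_IF" "$ICMP_LAN"
    [ "$LOG_DROPS" = yes ] && rule -A INPUT -j LOGDROP  # everything else
    return 0
}

gen_firestop() {
    echo '#!/bin/sh'
    echo '# firestop.sh style: open everything again and remove the extra chain'
    rule -F INPUT
    rule -F LOGDROP
    rule -X LOGDROP
    rule -P INPUT ACCEPT
    rule -P FORWARD ACCEPT
    rule -P OUTPUT ACCEPT
}

# "add now": insert an accept rule for a port at the top of INPUT at runtime.
add_now() { rule -I INPUT -p tcp --dport "$1" -j ACCEPT; }
# Double click in the INPUT chain list: delete the rule by its position.
remove_now() { rule -D INPUT "$1"; }

# usage: sh genwall-example.sh gen   (or: stop)
case "${1:-}" in
    gen)  gen_firestart ;;
    stop) gen_firestop ;;
esac
```

Redirecting the output to a file and running it with sh as root is the equivalent of pressing "gen" and then "start"; reading it first is the point of generating a script rather than applying the rules directly.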

Here you can make the ssh port reachable from WAN by only one IP.

Overview of filter chains.

With a right click (press and hold until the menu pops up) and "open" you will see a list of the INPUT chain. A double click on an entry removes that rule at runtime.

Overview list of open connections.

The settings tab saves the settings from the checkboxes and more. You can also activate the bad flags rules and gainroot for the generated script.

Here you can activate forwarding to the local LAN; the packets get masqueraded to the LAN or a subnet.

Here you can set ports which get forwarded to a specific IP.

Overview of the nat chains.

Here you can block outgoing traffic and add some exceptions. You can also activate logging for the blocked connections. If not configured correctly, this will leave web applications not working.
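The forwarding and port-forwarding tabs above and the outgoing block on this tab are the other parts of the generated script. The following added example (not genwall's own code) prints the nat, FORWARD and OUTPUT commands for such a script so they can be reviewed without root. The interface names, the subnet, the port-forward list, the outgoing exceptions and the LOGOUT chain name are assumptions constructed for this example. The exception list shows the point of the warning above: with OUTPUT dropped by default, name resolution (udp/tcp 53) and http/https have to be allowed explicitly or web applications stop working.

```shell
#!/bin/sh
# Added example (not genwall's own code): generate the nat/forwarding and
# the outgoing-restriction part of a firestart.sh style script. Printed
# instead of run. All names and values below are assumptions.

WAN_IF="${WAN_IF:-gprs0}"             # assumed WAN interface
LAN_IF="${LAN_IF:-wlan0}"             # assumed LAN interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed LAN subnet (constructed)
# port forwarding entries as "wanport:lanip:lanport" (constructed)
FORWARDS="${FORWARDS:-8080:192.168.1.20:80 2222:192.168.1.21:22}"
# outgoing exceptions as "proto:port" (constructed); port 53 keeps name
# resolution, and with it web applications, working when OUTPUT is dropped
OUT_ALLOW="${OUT_ALLOW:-udp:53 tcp:53 tcp:80 tcp:443}"
LOG_OUT="${LOG_OUT:-yes}"             # log blocked outgoing connections

rule() { echo "iptables $*"; }

# Forwarding tab: masquerade the LAN behind the WAN address, plus the
# port forwarding tab: DNAT selected WAN ports to hosts on the LAN.
gen_nat() {
    echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    rule -t nat -F
    rule -F FORWARD
    rule -P FORWARD DROP
    rule -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    rule -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
    rule -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for f in $FORWARDS; do
        wport=${f%%:*}; rest=${f#*:}; host=${rest%%:*}; hport=${rest#*:}
        rule -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$wport" -j DNAT --to-destination "$host:$hport"
        # the forwarded packet still has to pass FORWARD after DNAT
        rule -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$host" --dport "$hport" -j ACCEPT
    done
}

# Outgoing tab: drop everything leaving the phone except the exceptions,
# and optionally log what gets blocked.
gen_outgoing() {
    rule -F OUTPUT
    rule -P OUTPUT DROP
    rule -A OUTPUT -o lo -j ACCEPT
    rule -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A OUTPUT -o "$LAN_IF" -d "$LAN_NET" -j ACCEPT
    for e in $OUT_ALLOW; do
        rule -A OUTPUT -p "${e%%:*}" --dport "${e#*:}" -j ACCEPT
    done
    if [ "$LOG_OUT" = yes ]; then
        echo 'iptables -N LOGOUT 2>/dev/null'
        rule -F LOGOUT
        echo 'iptables -A LOGOUT -m limit --limit 5/min -j LOG --log-prefix "genwall out: "'
        rule -A LOGOUT -j DROP
        rule -A OUTPUT -j LOGOUT
    fi
}

# usage: sh genwall-nat-example.sh nat   (or: out)
case "${1:-}" in
    nat) gen_nat ;;
    out) gen_outgoing ;;
esac
```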

Here you can define extra rules.

Here you can activate logging for predefined chains, start/stop sysklogd and set the filter for the log view. The delete button is active only while sysklogd is not running; it deletes the log file. The load button loads the log file into the log view.

Filter option for the log view tab.

Log view tab. With a right click and "open" you can create rules for blocked events or refresh the log view.

Right click and "open" opens a list with the log view content. A double click on an entry pops up the rule creator.

Extra rule creator. It creates a rule in the extra rules list widget. "Accept now" inserts the rule as the first entry in the INPUT chain at runtime. When the "current ip" checkbox is enabled, the created rule is set only for the IP from the log file.
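The log filter, the log view and the rule creator described above all work on the netfilter LOG lines that sysklogd writes to iptables.log. The following added example (not genwall's own code) filters such lines by one field and turns a selected line into the "accept now" rule with or without the "current ip" restriction. The three log lines, the "genwall drop:" prefix and the function names are constructed for this example; the KEY=value fields after the prefix are the standard ones the LOG target emits.

```shell
#!/bin/sh
# Added example (not genwall's own code): filter netfilter LOG lines and
# build the rule the rule creator's "accept now" button would insert.
# The sample lines and the prefix are constructed; field names are the
# standard ones written by the iptables LOG target.

SAMPLE_LOG='Jan  1 12:00:01 Nokia-N900 kernel: genwall drop: IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=54321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  1 12:00:02 Nokia-N900 kernel: genwall drop: IN=gprs0 OUT= SRC=10.0.0.7 DST=10.0.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=ICMP TYPE=8 CODE=0 ID=3 SEQ=1
Jan  1 12:00:03 Nokia-N900 kernel: genwall drop: IN=wlan0 OUT= SRC=192.168.1.51 DST=192.168.1.10 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=UDP SPT=5353 DPT=5353 LEN=58'

# Extract the value of one KEY=value field from a log line (empty if absent).
# $1 = line, $2 = key such as SRC or DPT
log_field() { printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p"; }

# Keep only the lines carrying exactly this field value, like the log view
# filter. $1 = "KEY=value", $2 = log text
log_filter() { printf '%s\n' "$2" | grep -E -- " $1( |\$)"; }

# Build the rule "accept now" would insert at the top of INPUT.
# $1 = log line, $2 = yes to restrict the rule to the logged source ip
rule_from_log() {
    line=$1
    only_ip=$2
    in_if=$(log_field "$line" IN)
    src=$(log_field "$line" SRC)
    proto=$(log_field "$line" PROTO | tr '[:upper:]' '[:lower:]')
    dpt=$(log_field "$line" DPT)
    set -- -I INPUT
    [ -n "$in_if" ] && set -- "$@" -i "$in_if"
    [ "$only_ip" = yes ] && [ -n "$src" ] && set -- "$@" -s "$src"
    set -- "$@" -p "$proto"
    case $proto in
        tcp|udp) [ -n "$dpt" ] && set -- "$@" --dport "$dpt" ;;
    esac
    set -- "$@" -j ACCEPT
    echo "iptables $*"
}

# usage: sh genwall-log-example.sh demo
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r l; do
        rule_from_log "$l" yes
    done
fi
```

Without the "current ip" option the rule opens the port for every source on that interface, which is why the restriction to the logged SRC is the safer default when reacting to a single blocked event.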

Here you can change the gateway, the default route or the DNS server in resolv.conf.

Shows IP information from all devices.

Routing table information.

Have fun, all the best.