rChains for Linux
What:
-
rChains is a detailed, custom ipchains ruleset that implements many features, most notably per-host bandwidth monitoring via MRTG and CGI log reports.
Why:
-
rChains was written primarily for security reasons, and its main purpose is firewalling. By default rChains will DENY or REJECT everything (anything that needs to be allowed must be explicitly and statically permitted). No LAN (internal or, obviously, external) is considered to be "trusted" (This is soon to change. Future versions will implement a DMZ for internal servers.).
-
One nifty side effect of rChains (err, ipchains actually) is bandwidth monitoring. When coupled with MRTG and a simple one-liner awk (or sed, or Perl, or whatever) script, detailed graphs showing each user's bandwidth are possible. Actually, any chain's bandwidth can be monitored (more on this later). This is a major advantage of using rChains/ipchains on a firewall that does more than just firewalling (i.e. also serves as a web server, DNS server, etc. -- or port-forwards to those services).
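As an added example (not part of rChains itself), the following POSIX shell/awk script is the kind of one-liner glue the paragraph above refers to: it sums the byte counters of the rules in one chain whose source or destination is a given host and prints them in the four-line format MRTG expects from an external target. It assumes the column layout of `ipchains -L -v -x -n`; the chain name, host address and sample listing are constructed.

```shell
#!/bin/sh
# Added example: sum ipchains byte counters for one host and emit MRTG's
# four-line external-script format. Assumes the column layout of
# `ipchains -L -v -x -n`; chain name, host and the sample below are constructed.

# host_bytes CHAIN HOST: reads an ipchains listing on stdin and prints
# "<bytes to HOST> <bytes from HOST>" summed over the rules of CHAIN.
host_bytes() {
    awk -v chain="$1" -v host="$2" '
        /^Chain / { cur = $2; next }          # "Chain input (policy ...):"
        cur == chain && $1 ~ /^[0-9]+$/ {     # rule lines begin with pkts
            # ifname/mark/outsize may be blank, so find source and
            # destination as the first two IP-looking tokens on the line.
            n = 0
            for (i = 3; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9.]+)?$/)
                    ip[++n] = $i
            if (n < 2) next
            if (ip[2] == host) in_bytes  += $2   # destination == host
            if (ip[1] == host) out_bytes += $2   # source == host
        }
        END { printf "%d %d\n", in_bytes, out_bytes }'
}

# mrtg_report CHAIN HOST: the four lines MRTG reads from an external target
# (bytes in, bytes out, uptime string, target name).
mrtg_report() {
    host_bytes "$1" "$2" | awk -v host="$2" '{ print $1; print $2; print "n/a"; print host }'
}

# Constructed sample of `ipchains -L -v -x -n` output (not from a real host).
SAMPLE='Chain input (policy DENY: 0 packets, 0 bytes):
    pkts      bytes target     prot opt    tosa tosx  ifname   mark   outsize  source                destination           ports
     120     156000 ACCEPT     all  ------ 0xFF 0x00  eth0                     192.168.1.10         0.0.0.0/0             n/a
     300     920000 ACCEPT     tcp  ------ 0xFF 0x00  eth0                     0.0.0.0/0            192.168.1.10          * ->   80
      40       5000 DENY       all  ------ 0xFF 0x00  eth0                     192.168.1.11         0.0.0.0/0             n/a
Chain forward (policy DENY: 0 packets, 0 bytes):
    pkts      bytes target     prot opt    tosa tosx  ifname   mark   outsize  source                destination           ports
      10       1000 ACCEPT     all  ------ 0xFF 0x00  eth0                     192.168.1.10         0.0.0.0/0             n/a'

# Real use on the firewall: ipchains -L -v -x -n | mrtg_report input 192.168.1.10
printf '%s\n' "$SAMPLE" | mrtg_report input 192.168.1.10
```

Because ipchains counters only grow, MRTG's default counter mode turns the two values into per-interval rates; point a `Target[...]` entry at the script in backticks and one graph per host follows.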
-
rChains also includes a CGI script that generates an HTML log report.
How:
-
rChains is currently a simple bash script spread across four (4) files. The files (each with a short description) are:
-
rc.firewall - this is the main file and it controls the flow.
-
blocked - where you put your problem sites (like Napster).
-
functions - this is where the script's functions live.
-
proxy - where you set up your transparent proxy support.
-
rChains is currently very static, and that can make configuring and updating it a major PITA. Therefore, don't be surprised if future versions are both more dynamic and partially written in Perl.
Requirements:
-
rChains is currently written to use ipchains v1.3.9 and v1.3.10 (at least, those are the only versions that have been tested) and Linux v2.2.16, v2.2.17, and v2.2.18 (again, those are the tested versions; I'm sure other kernel versions will work).
Future:
-
rChains development has stopped. Please see rTables for a 2.4.x/iptables firewall implementation.
Where:
-
rChains is no longer available for download.
Documentation:
Support:
-
Support is no longer available.
Version Numbering:
-
Version numbering uses a date/time stamp in the format YYYYMMDDHHMM (much like common BIND serial numbers).
-
Devel versions are NOT tagged in any way. Unless you want the devel version for some reason, be sure not to download files from the devel directory.
-
I use the term "stable" loosely since this firewall script is not going to crash your system unless something is very wrong with your system already. A stable release simply indicates that at the time of release there were no known bugs in the script. Unstable releases may contain bugs; if you use an unstable release, please report back any problems you encounter.
Todo:
-
Improve FAQ
-
Better user defined chains
-
Per host monitoring documentation
-
Included documentation
-
Improve/Update RedHat RPMs and bz2 packages
Last Updated: 10/15/03 21:00:49