\: this file maintained using arch at http://arch.gna.org/uruk/
\: this is a manpage in zoem format. see http://micans.org/zoem/ and man_zmm(7)

\def{"man::synstyle"}{long}
\def{"man::defstyle"}{long}

\set{"man::name"}{uruk}
\set{"man::html-title"}{uruk}
\set{"man::section"}{8}

\${html}{\"man::maketoc"}
\NAME{uruk}{wrapper for Linux iptables, for managing firewall rules}

\sec{synopsis}{SYNOPSIS}

\sec{description}{DESCRIPTION}

\uruk loads an \rc file (see \sibref{uruk-rc}{uruk-rc(5)}) which defines
network service access policy, and invokes \bf{iptables(8)} to set up firewall
rules implementing this policy. By default the file \ttrcpath is used; one can
override this by specifying another file in the URUK_CONFIG environment
variable. Under some circumstances it is useful to use another command for
iptables; this can be achieved by setting the URUK_IPTABLES (and/or
URUK_IP6TABLES) environment variables. See \sibref{uruk-rc}{uruk-rc(5)} for
\sec{quick setup guide}{QUICK SETUP GUIDE}

Uruk will \it{not} "just work" out of the box. It needs manual configuration.
For those of you who don't like reading lots of documentation:

# /etc/init.d/uruk start}
\sec{getting started}{GETTING STARTED}

Once the \uruk script is installed, you will want to use it. This section
gives a detailed description of what to do.

First, create an \rc file. See \sibref{uruk-rc}{uruk-rc(5)} for info on how to
do this. Once this file is created and installed (this script looks in
\ttrcpath by default), you're ready to run \uruk. You might want to test your
\rc file by running \uruk in debug mode first; see \sibref{uruk-rc}{uruk-rc(5)}.
\cpar{Vanilla iptables}

After editing \rc, load your rules like this. First flush your current rules:

Then enable your \rc rules

. Inspect the rules by doing:

If you want to make these changes survive a reboot, use the init script as
shipped with this package. If you'd rather write your own init script, the
\bf{iptables-restore(8)} and \bf{iptables-save(8)} commands from the iptables
package might be helpful.
\cpar{Using the Uruk init script}

This assumes the Uruk init script is installed as explained in the README file.
Optionally, install /etc/default/uruk (or /etc/sysconfig/uruk) and tweak it.
An example file is in \tt{\defpath}. (You might like to enable support for IPv6
rules, or for \uruk_save.) Now activate uruk by doing:

Now your pre-uruk iptables rules (if any) are saved as the "inactive" ruleset.
While \tt{\initpath start} executes, your box is open for a short while: the
old rules are flushed before the new ones are loaded one by one. If you don't
like this, read about \uruk_save.

When rebooting, everything will be fine: \ttinitpath stores
state in \tt{\statepath/iptables}, using
iptables-save(8), which comes with Linux iptables.
\cpar{Using ifupdown}

In case you have just one network interface which should get protected, you
could use \bf{interfaces(5)} from the ifupdown package instead

# mkdir -p \statepath/iptables

# iptables-save -c > \statepath/iptables/down

# iptables-save -c > \statepath/iptables/up}

pre-up iptables-restore < \statepath/iptables/up
post-down iptables-restore < \statepath/iptables/down}

to your interfaces stanza in \tt{/etc/network/interfaces}.

However, beware: iptables rules are global, not per interface. Some default
uruk rules affect \it{all} network interfaces, so restoring the "down" ruleset
when this one interface goes down also removes that protection from every other
interface on the box.
\sec{loading a new rc file}{LOADING A NEW \rc FILE}

Need to change your rules?

\cpar{Using the Uruk init script}

# \initpath force-reload}

While \ttinitpath force-reload executes, your box is open for a short
while. If you don't like this, read about \uruk_save.
\sec{using uruk-save as the initscript backend}{USING uruk-save AS THE INITSCRIPT BACKEND}

By default, \uruk_save is not used by the uruk init script. You might want to
use it, though. The \uruk_save script is faster, and when using \uruk_save
your box won't be open while loading new rules: the complete ruleset is written
in iptables-save(8) format and loaded in one go with iptables-restore(8), rather
than flushed and rebuilt rule by rule. But beware: \uruk_save is not
as robust as using \uruk itself. However, if you don't use any hooks in your
\rc file, you're safe.

The init script will use \uruk_save only if asked to do so in /etc/default/uruk
(or /etc/sysconfig/uruk). If this file features

enable_uruk_save=true
enable_uruk_save_warning=false}

\uruk_save is used whenever appropriate. The \tt{enable_uruk_save_warning}
variable controls whether a warning should get displayed whenever \uruk_save is

See \sibref{uruk-save}{uruk-save(8)} for more details.
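The following is an added example, not code from uruk or from \uruk_save. It
shows the atomic alternative to the flush-then-load sequence of the "Vanilla
iptables" section, which is also what lets \uruk_save avoid the open window
described above: a complete filter table is committed with iptables-restore(8)
in one step, after a syntax check and with a counter-preserving snapshot to roll
back to. It assumes root and a host with iptables-save(8)/iptables-restore(8).
STATE_DIR, IPTABLES_SAVE and IPTABLES_RESTORE are this example's own knobs
(hypothetical, not uruk's URUK_IPTABLES), the ruleset it builds is a small
stand-in for what an \rc file would produce, and the management network
192.0.2.0/24 is a placeholder.

```shell
#!/bin/sh
# Added example, not part of uruk: replace the live filter table in a single
# iptables-restore commit instead of "flush, then add rules one by one".
# Assumptions (all illustrative): iptables-save/iptables-restore are present
# and the script runs as root; STATE_DIR, IPTABLES_SAVE and IPTABLES_RESTORE
# are this example's own knobs, not uruk's; the ruleset built below is a
# small stand-in for what an rc file would produce.
set -eu

STATE_DIR=${STATE_DIR:-/var/lib/uruk-example}      # hypothetical path
IPTABLES_SAVE=${IPTABLES_SAVE:-iptables-save}
IPTABLES_RESTORE=${IPTABLES_RESTORE:-iptables-restore}

# build_ruleset MGMT_CIDR: print a complete filter table in iptables-save
# format. Because the table is committed as a whole, there is no interval in
# which the chains are empty with policy ACCEPT. Blocked TCP gets a reset and
# blocked TCP/UDP is logged with the "iptables:" prefix, like uruk's defaults.
build_ruleset() {
mgmt_cidr=$1
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p tcp -s $mgmt_cidr --dport 22 -j ACCEPT
-A INPUT -p tcp -j LOG --log-level debug --log-prefix "iptables: "
-A INPUT -p udp -j LOG --log-level debug --log-prefix "iptables: "
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j DROP
COMMIT
EOF
}

# validate_ruleset FILE: parse and construct the ruleset without committing
# it (iptables-restore --test), so a typo is caught before anything changes.
validate_ruleset() {
    "$IPTABLES_RESTORE" --test < "$1"
}

# apply_ruleset FILE: snapshot the live rules with counters, load FILE in one
# commit, and put the snapshot back if the load fails. Returns 0 on success.
apply_ruleset() {
    new=$1
    snapshot=$STATE_DIR/before-reload
    mkdir -p "$STATE_DIR"
    "$IPTABLES_SAVE" -c > "$snapshot"
    if "$IPTABLES_RESTORE" < "$new"; then
        "$IPTABLES_SAVE" -c > "$STATE_DIR/active"   # what a boot script would restore
        return 0
    fi
    echo "ruleset load failed, restoring previous rules" >&2
    "$IPTABLES_RESTORE" -c < "$snapshot"
    return 1
}

# Usage: sh atomic-reload.sh apply 192.0.2.0/24
case ${1:-} in
    apply)
        rules=$(mktemp)
        build_ruleset "${2:?management network CIDR required}" > "$rules"
        validate_ruleset "$rules"
        apply_ruleset "$rules"
        rm -f "$rules"
        ;;
esac
```

Run as root with \tt{sh atomic-reload.sh apply 192.0.2.0/24}. Saving with
\tt{-c} and restoring with \tt{-c} keeps the packet counters across a rollback.
Note that this replaces the whole filter table: rules added by hand or by other
tools in that table are gone after a reload, which is the same global effect the
ifupdown section warns about.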
\sec{policy}{DEFAULT POLICY}

By default, \uruk drops packets which have unknown private network addresses in
their source or destination.

By default, \uruk drops all ICMP packets with type other than

\item address-mask-reply
\item address-mask-request
\item destination-unreachable (this is a catch-all for a lot of codes)
\item parameter-problem (catch-all for the codes ip-header-bad and required-option-missing)
\item timestamp-reply
\item timestamp-request
\item ttl-zero-during-transit
\item ttl-zero-during-reassembly

By default, the FORWARD chain is left untouched, so has policy ACCEPT. (This
won't do much harm, since packet forwarding is disabled by default in the Linux
kernel. However, if you don't mind being paranoid, you might want to add a

iptables --policy FORWARD DROP}

to your $rc_a uruk hook. See \sibref{uruk-rc}{uruk-rc(5)}. Note that the policy
of a built-in chain can only be ACCEPT or DROP; REJECT is a rule target, not a
chain policy, and iptables refuses it here.)

By default, \uruk logs all UDP and TCP packets which are blocked by the
user-defined policies. Loglevel is debug, logprefix is "iptables:". See
also the notes on \it{loglevel} in \sibref{uruk-rc}{uruk-rc(5)}.

Blocked TCP packets are answered with a tcp-reset.
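As an added example, not part of uruk, the following turns the log lines that
the default logging policy produces into a per-source, per-port summary of
blocked traffic. It assumes the standard netfilter LOG key=value line format
and the "iptables:" prefix stated above; the lines in SAMPLE_LOG are constructed
for this example, and the host name, interface and addresses in them are
invented.

```shell
#!/bin/sh
# Added example, not part of uruk: summarise the kernel LOG lines that uruk's
# default policy emits (log prefix "iptables:") into blocked TCP/UDP counts
# per (protocol, source, destination, port). The key=value fields (IN=, SRC=,
# DST=, PROTO=, DPT=, ...) are the netfilter LOG target's format. SAMPLE_LOG
# is constructed for this example; hosts, interfaces and addresses are invented.

# summarize_blocked: read log lines on stdin, keep those carrying the
# "iptables:" prefix, and print one row per (proto, src, dst, dport) as
# "PROTO SRC DST DPT COUNT", busiest first. Fields are picked by key name, so
# optional tokens (MAC=, DF, TCP flags) and their order do not matter, and the
# prefix is matched as a substring so "iptables:IN=" (no trailing space) works.
summarize_blocked() {
    awk '
        /iptables:/ {
            proto = src = dst = dpt = ""
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue
                if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            # uruk logs TCP and UDP by default; anything else that happens to
            # carry the prefix (e.g. from a rule in an rc hook) is left out
            if (proto == "TCP" || proto == "UDP")
                count[proto " " src " " dst " " dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k5,5nr -k2,2
}

# top_sources: same input, collapsed to "SRC COUNT", the "who is knocking" view.
top_sources() {
    summarize_blocked | awk '{ n[$2] += $5 } END { for (s in n) print s, n[s] }' | sort -k2,2nr
}

# Constructed sample: three SYNs to 22 and one to 23 from two sources, one UDP
# probe to 161, plus two unrelated lines that must be ignored.
SAMPLE_LOG='Mar  3 10:15:01 gw kernel: iptables: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=44 DF PROTO=TCP SPT=40110 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:02 gw kernel: iptables: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=45 DF PROTO=TCP SPT=40111 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:02 gw kernel: iptables: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=1 PROTO=UDP SPT=5353 DPT=161 LEN=28
Mar  3 10:15:03 gw kernel: eth0: link is up
Mar  3 10:15:03 gw kernel: iptables: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=46 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:04 gw kernel: iptables: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=113 ID=2 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:05 gw sshd[2211]: Accepted publickey for admin from 192.0.2.5 port 50000 ssh2'

# Usage: sh blocked-summary.sh demo      (runs on SAMPLE_LOG)
#        summarize_blocked < /var/log/kern.log   (after sourcing this file)
case ${1:-} in
    demo) printf '%s\n' "$SAMPLE_LOG" | summarize_blocked ;;
esac
```

Because uruk logs at priority debug, check where kern.debug messages actually
end up on the host (a syslog configuration may route them to a separate file or
not store them at all); \tt{dmesg} shows them regardless.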
\sec{warning}{WARNING}

In order to keep the \uruk script small and simple, the script does very little
error handling. It does not check the contents of the \rc file in any way
before executing it. When your \rc file contains bogus stuff, \uruk will very
likely behave in unexpected ways. Caveat emptor. Since the \rc file is executed
with the privileges needed to run iptables (root), keep it owned by root and
not writable by anyone else.

\sec{environment}{ENVIRONMENT}

\uruk honors environment variables URUK_IPTABLES (\tt{/sbin/iptables} by
default), URUK_IP6TABLES (the command used for IPv6 rules) and URUK_CONFIG
(\ttrcpath by default).
\sec{see also}{SEE ALSO}

\sibref{uruk-rc}{uruk-rc(5)}, \sibref{uruk-save}{uruk-save(8)}. The Uruk
homepage is at \httpref{http://mdcc.cx/uruk/}.

\bf{iptables(8)}, \bf{iptables-save(8)},
\bf{iptables-restore(8)}, \httpref{http://www.netfilter.org/}
\: (no manpage online :( )
\: http://lists.mdcc.cx/mcl-devel/msg00297.html

\bf{interfaces(5)}, \httpref{http://ifupdown.sourceforge.net/}
\sec{copyright}{COPYRIGHT}

Copyright (C) 2003 Stichting LogReport Foundation logreport@logreport.org;
Copyright (C) 2003, 2004 Tilburg University http://www.uvt.nl/;
Copyright (C) 2003, 2004, 2005 Joost van Baal

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with
this program (see COPYING); if not, check with
http://www.gnu.org/copyleft/gpl.html or write to the Free Software Foundation,
Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.