INSTALLING IPKUNGFU
Installation of ipkungfu is designed to be as simple as possible. Unlike previous (and future) versions, ipkungfu does not ship with a configurator, and no configuration is done automatically at install time.
To install, download the ipkungfu-<version>.tgz file and run:
tar zxvf ipkungfu-<version>.tgz
Or if you have the ipkungfu-<version>.tar.bz2 file:
tar jxvf ipkungfu-<version>.tar.bz2
This will unpack and extract the files to a subdirectory named ipkungfu-<version>.
Then change into that directory:
cd ipkungfu-<version>
Then su to root (you must be root to run the installer) and run:
./install
CONFIGURATION FILES
There are several configuration files, each one corresponding to a specific function or set of functions. Advanced users or those with more complex networks will want to edit most or all of these files. They are located in /etc/ipkungfu/ and are:
accept_hosts.conf: IP addresses of hosts or nets to always ACCEPT and optionally the ports they are allowed to access.
advanced.conf: Configuration settings for advanced users.
custom.conf: Here you will find several sample rules already predefined. This is where you would add any custom rules you want applied to your firewall. This file is parsed first, before any other rules are added by ipkungfu, to ensure that none of ipkungfu's rules override the rules in this file.
deny_host.conf: You can list IP addresses/subnets:ports:protocols you wish to block completely. This file is parsed before accept_hosts.conf and takes precedence over it.
ipkungfu.conf: This is the main configuration file. Edit this file, if nothing else. For most people, this is the only file that needs to be edited to set up a decent firewall, with or without Internet connection sharing.
log.conf: This file specifies what the firewall will log and the rate at which it is logged. By default, nearly all dropped packets are logged. To turn logging off on a particular item, change the 1 (log) to a 0 (don't log). The default location of the log on most systems is /var/log/syslog. Consult your syslogd configuration to find out where kernel logs are stored.
redirect.conf: Use this file to specify where certain traffic should be routed on the SAME machine. If traffic arriving on one port should be delivered to another port on this machine, set that up here. There is a single entry, commented out by default (tcp:443:10000), which redirects incoming HTTPS traffic on port 443 to Webmin on port 10000. Please see the file for more information.
conf.conf: If you have virtual hosts, (servers on machines behind your gateway), define the routing rules here. This file makes it possible to have servers behind the firewall, with private IP addresses, accessible from the Internet.
pre.conf: This is parsed and executed as a bash script prior to running ipkungfu.
post.conf: This is parsed and executed as a bash script after ipkungfu has completed execution.
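The README describes deny_hosts.conf entries as "IP addresses/subnets:ports:protocols" and states that any line starting with "#" is ignored. The following script is an added example, not ipkungfu's own parser: it renders entries in that shape as iptables DROP commands and prints them instead of executing them, so you can see what a file would produce before the firewall is reloaded. The exact field layout (address[/prefix]:ports:protocol, with an empty field meaning "any") and the generated rule form are assumptions; check the deny_hosts.conf shipped with your version for the real syntax.

```shell
#!/bin/sh
# Added example, not part of ipkungfu: render deny_hosts.conf-style entries as
# iptables DROP commands (printed, never executed), honouring the "#" comment
# convention described in the README.
# ASSUMPTION: each entry is address[/prefix]:ports:protocol, where ports may be
# a single port or a comma-separated list and an empty field means "any".
# ipkungfu's real parser may differ; check the shipped deny_hosts.conf.

# deny_rules FILE: print one iptables command per entry on stdout.
deny_rules() {
    # drop comments (whole-line or trailing), trim whitespace, skip blank lines
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1" |
    while IFS=: read -r addr ports proto; do
        proto=${proto:-all}
        if [ -z "$ports" ]; then
            printf 'iptables -A INPUT -s %s -p %s -j DROP\n' "$addr" "$proto"
            continue
        fi
        # a port filter only makes sense for tcp or udp; anything else is a
        # configuration error, so report it rather than emit a broken rule
        case "$proto" in
            tcp|udp) printf 'iptables -A INPUT -s %s -p %s -m multiport --dports %s -j DROP\n' \
                         "$addr" "$proto" "$ports" ;;
            *) printf 'skipping %s: port list %s needs tcp or udp, got %s\n' \
                   "$addr" "$ports" "$proto" >&2 ;;
        esac
    done
}

# constructed sample file, in the format assumed above
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample deny_hosts.conf
192.0.2.0/24:22,23:tcp      # no ssh/telnet from this net
198.51.100.7::              # nothing at all from this host
203.0.113.9:53:udp
203.0.113.50:80:            # broken entry: ports without a protocol
EOF

deny_rules "$SAMPLE"
```

Run it against a copy of your own file (`deny_rules /etc/ipkungfu/deny_hosts.conf`) to review the rules it would imply; the broken fourth entry is reported on stderr and produces no rule, which is the behaviour you want from anything that feeds a firewall.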
MANUALLY EDITING FILES
Most people, especially those with very simple configurations, will only need to edit /etc/ipkungfu/ipkungfu.conf, if anything at all. As of 0.5.1 ipkungfu does a lot of detecting and guessing for the main configuration parameters unless you specify their values in ipkungfu.conf. This should work for most people. To review the list of variables as ipkungfu sees them, run ipkungfu --show-vars. If anything looks wrong, edit the appropriate configuration file accordingly.
A "#" is a comment. When a line begins with #, the whole line is ignored. If you want to enable an option in a configuration file that is commented out, simply remove the leading #. If you wish to disable an option, place a # in front of that line.
Note that anytime you edit a configuration file, you MUST rerun the script as outlined below in order for changes to take effect.
RUNNING THE SCRIPT
Now that you have ipkungfu configured, you must run the ipkungfu script as root to enable the firewall.
/usr/local/sbin/ipkungfu
or, if /usr/local/sbin is in your PATH, simply:
ipkungfu
or, if your system is chkconfig-compatible, try:
/etc/init.d/ipkungfu start
or:
/etc/rc.d/init.d/ipkungfu start
You should see several lines explaining what is being done, unless you started ipkungfu using the init script.
If you would like ipkungfu to start at boot time, and your system is chkconfig compatible, then do (as root)
chkconfig --level 2345 ipkungfu on
This turns ipkungfu on for runlevels 2, 3, 4 and 5. Put whatever levels you like, with the obvious exceptions of levels 0, 1 or 6.
That's it! You can check to verify that the firewall is loaded:
ipkungfu -c or ipkungfu --check
You can also check to see if the firewall is running by
ipkungfu -l or ipkungfu --list
You should see several lines or pages of chains and rules. If you only see a few lines, or an error message, then the firewall is probably not enabled.
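The check above is a judgement call ("several lines or pages" versus "only a few lines"). As an added example that is not part of ipkungfu, the script below makes that judgement mechanical: save the listing (`ipkungfu -l > /tmp/rules.txt`, or `iptables -L -n > /tmp/rules.txt`) and run `firewall_loaded` on it. It counts rule lines and reads the INPUT chain's default policy, treating a ruleset with fewer than MIN_RULES rules or a default-ACCEPT INPUT chain as not loaded. The assumption that a loaded ipkungfu ruleset sets INPUT to policy DROP is mine; if your configuration ends the chain with an explicit DROP rule instead, relax that condition.

```shell
#!/bin/sh
# Added example, not part of ipkungfu: decide from saved "iptables -L -n"
# output (what "ipkungfu -l" lists) whether a ruleset is actually loaded.
# ASSUMPTION: an unloaded firewall shows only the three built-in chains with
# policy ACCEPT and no rule lines; a loaded ipkungfu ruleset sets INPUT to
# policy DROP. Adjust firewall_loaded if your layout differs.

MIN_RULES=${MIN_RULES:-5}   # fewer rules than this is treated as "not loaded"

# count_rules FILE: number of rule lines (everything that is not a chain
# header, a column header or a blank line)
count_rules() {
    awk '!/^Chain / && !/^target / && NF { n++ } END { print n + 0 }' "$1"
}

# input_policy FILE: default policy of the INPUT chain, e.g. ACCEPT or DROP
input_policy() {
    sed -n 's/^Chain INPUT (policy \([A-Z]*\).*/\1/p' "$1"
}

# firewall_loaded FILE: exit 0 when the ruleset looks loaded, 1 otherwise.
# Both conditions matter: a default-ACCEPT INPUT chain with a handful of rules
# still leaves the host open, so that is reported as not loaded.
firewall_loaded() {
    n=$(count_rules "$1")
    pol=$(input_policy "$1")
    if [ "$n" -ge "$MIN_RULES" ] && [ "$pol" = "DROP" ]; then
        echo "loaded: $n rules, INPUT policy $pol"
        return 0
    fi
    echo "NOT loaded: $n rules, INPUT policy ${pol:-unknown}"
    return 1
}

# constructed sample: what "iptables -L -n" shows when nothing is loaded
EMPTY_SAMPLE=$(mktemp)
cat > "$EMPTY_SAMPLE" <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF

# constructed sample: a small default-deny ruleset (6 rule lines)
LOADED_SAMPLE=$(mktemp)
cat > "$LOADED_SAMPLE" <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  198.51.100.7         0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.1.0/24       0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
EOF

firewall_loaded "$LOADED_SAMPLE" || true
firewall_loaded "$EMPTY_SAMPLE" || true
```

Because the function's exit status carries the verdict, it drops straight into a cron job or a post.conf hook: `firewall_loaded /tmp/rules.txt || logger -p auth.warning "ipkungfu: ruleset not loaded"`.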
Any time you make a change to any of your configuration files, you MUST run ipkungfu again for your changes to take effect.
TROUBLESHOOTING
Most problems can be resolved by checking the settings in your configuration files. Many users overlook certain settings, so you may want to double-check them to be sure. Remember to run ipkungfu again (/usr/local/sbin/ipkungfu) after making any changes to the configuration files (located in /etc/ipkungfu/).
Please see the FAQ for more troubleshooting issues and resolutions. If all else fails, you can ask for help via IRC at: irc.freenode.net channel #ipkungfu.
UNINSTALLING IPKUNGFU
Although uninstalling IPKungFu is not recommended, you may safely uninstall it using the uninstall script in the directory where you unpacked the source. This does not remove the chains. Your iptables rules will be flushed and reset to the default ACCEPT policy. To uninstall, run:
./uninstall
