RFC: firewall-hint_v1.2

Henning Rohde Rohde.Henning at gmx.net
Mon Jul 23 13:19:02 PDT 2001

Hi Ian, hi everybody else,

although the firewall-hint was released just a few days ago
i did work it over to make some things a bit clearer.

As it has been last time: everybody is welcome to send comments,
may they deal with the hint itself, may they cover spelling or grammer.

Have a nice day,


-------------- next part --------------
TITLE:		Firewall.txt
LFS VERSION:	any, but Kernel > 2.4
AUTHOR:		Henning Rohde	Henning.Rohde at uni-bayreuth.de

	Question:	What's a firewall?
	Answer:		Some wall of fire that only the Saints can pass trough!
And at Internet?	Just a box, that permits only the sane packages to pass!
How Do I build one?	fetch iptables and read the following:

When you read the word "firewall" there's not only one way to understand it:
a) "Personel-Firewall":	
	Program sold by eg Norton to secure a home-desktop-pc with 
	internet-access by modem, DSL or similar. Quite relevant for users 
	being always_online with flatrated broadband_links.
b) Firewall at it's origine meaning: 
	Box put between internet and intranet doing nothing but protecting 
	the intranet, sometimes masquerading the intranet.
c) Firewall offering services:
	Old Box, nearly forgotten to exist, put in a corner or down the cellar,
	doing (B), but offering a bunch	of services, eg web-cache.
	This may be very commonly used in non-professional area, 
	but it severely violates some principles of (B).
d) Firewall with DeMilitarizedZone.	   (Not described here)
	Highly availiable & powerfull box, doing (B), but having a third NIC:
	here are those servers connected, that must be easily accessible
	from both the inter- and intranet, the firewall protects them all.
e) Packetfilter / partly accessible Net.   (Only partly described here, see (C))
	Doing (B) but permitting only selected services to be accessible,
	sometimes only by selected internal user / boxes; mostly used in
	professional highly secure area, sometimes by distrusting employers.
	This has been the common layout of a firewall at times of Linux_V2.2,
	it's still possible, but makes the rules quite complex and enomerous.

If you want your Linux-Box to do firewalling you must in the very first line
have a firewalling-enabled kernel:

But, before you do a 'make menuconfig', consider to patch your kernel
with the latest iptables-enhancements:

Download the latest version of iptables from http://netfilter.samba.org

Having current kernel-sources in /usr/src/linux, goto subdir 'patch-o-matic' 
of iptables-sources and do a './runme', preferably being an user who is allowed
to patch the kernel.
You must not use all patches, but the IRC-patch or masq-dynaddr.patch could be 
useful, depending on your needs. 
If patching is not successfull, eg. because of outdated patches,
don't worry too much, just skip it, mostly the default kernel is adaequate
to common needs! 
The important thing is that iptables has scanned the kernel for already
accepted / incorporated patches.

Now configure the kernel:
Networking options:
	Network packet filtering
	IP: TCP/IP networking
	IP: advanced router
		IP: use TOS value as routing key
		IP: verbose route monitoring
	IP: TCP Explicit Congestion Notification support
	IP: TCP syncookie support
	IP: Netfilter Configuration
		every option, but not ipchains and ipfwadm.

Now compile and install your new kernel, update your bootloader and do a reboot.

During / after this (re-)build iptables:
Before compiling you might want to edit the Makefile to adapt install-dir's.
Now compile and install iptables and the utilities for saving and restoring
via 'make && make install experimental install-experimental'.

|Now we can start to build your Firewall|

A Personel-Firewall is supposed to let you access the whole amount of 
services offered on the internet, keeping your data private.

Allow me to quote Rusty Russel (slightly modified)

# Insert connection-tracking modules	(not needed if built into kernel).
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_tables
modprobe iptable_filter
# permit answers to existing (established) connections
# and permit new connections related to existing ones (eg active-ftp)
iptables -A INPUT	-m state --state ESTABLISHED,RELATED	-j ACCEPT
# set a sane policy
iptables -P INPUT       DROP
iptables -P FORWARD     DROP
iptables -P OUTPUT      ACCEPT
# be verbose on dynamic ip-adresses	(not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr
# disable ExplicitCongestionNotification - too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

His script is quite simple but solely surfing the internet you will unlikely 
break it's limits.

A true Firewall has got two interfaces, one connected to intranet, eth0,
one connected to the internet, ppp0.
To provide the maximum security against the box itself being breaken into, 
using eg exploits in offered services, it is to be assured that there are
no servers running on it, especially not X11 et al., and, as a principle,
that it does not access any services:

# Insert connection-tracking modules (not needed if built into kernel).
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_nat_ftp
# allow locally generated connections
iptables -A INPUT	-i lo					-j ACCEPT
iptables -A OUTPUT		-o lo				-j ACCEPT
# allow forwarding
iptables -A FORWARD -m state --state ESTABLISHED,RELATED 	-j ACCEPT
iptables -A FORWARD -m state --state NEW	-i ! ppp+	-j ACCEPT
# do masquerading (not needed if intranet is not using private ip-adresses)
iptables -t nat -A POSTROUTING  -o ppp+				-j MASQUERADE
# set a sane policy
iptables -P INPUT       DROP
iptables -P FORWARD     DROP
iptables -P OUTPUT      DROP
# activate IP-Forwarding 
echo 1 > /proc/sys/net/ipv4/ip_forward
# be verbose on dynamic ip-adresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr
# disable ExplicitCongestionNotification - too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

With this Script your net should be acceptable secure against external attacks, 
if you needed further security or capabilities, see Appendix.1 and
start to read a bit!

This scenario in not too different to (B), but you've got some servers
running on your box.
It gets relevant in that moment when you want to admin your box remotely,
eg via secureShell.
Be cautious, every service you offer makes your box less secure, see (B)!

Take the script as (B), but insert:
iptables -I INPUT  -p tcp --dport 22				  -j ACCEPT
iptables -I OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Alternativly, if you want to ping your box to enshure it's still alive:
iptables -I INPUT  -p icmp -m icmp --icmp-type echo-request	  -j ACCEPT
iptables -I OUTPUT -p icmp -m icmp --icmp-type echo-reply	  -j ACCEPT

Third, if only some part of your intranet should be allowed to access the proxy
on your firewall:
iptables -I INPUT  -i eth+ -s -p tcp --dport 8080  -j ACCEPT

These are only examples, on my gateway i've got the following services:
openSSH, Samba, squid, djbDNS, CUPS, LeafNode, POP3/IMAP and Postfix!

If you add any of your offered or accessed services like the above and delete 
the general clauses, you get an oldfashioned packetfilter, 
not unlike that one mentioned in (E).


Nowadays, we must face the fact of DenialOfService-Attacks,
even against private users.
(Seems to be quite common if you do online-gaming)

There may be ways to protect both your router and your intranet, but any hint 
i would give here could tomorrow become insufficent and would keep you
in false security.

If you are really concerned about DOS, just start to read:
http://www.little-idiot.de/firewall  (german & outdated, but very comprehensive)
(If someone wants a link to be added, please mail!)

If you are in the need to turn firewalling off in a short:

iptables -Z
iptables -F
iptables -t nat         -F PREROUTING
iptables -t nat         -F OUTPUT
iptables -t nat         -F POSTROUTING
iptables -t mangle      -F PREROUTING
iptables -t mangle      -F OUTPUT
iptables -X
iptables -P INPUT       ACCEPT
iptables -P FORWARD     DROP
iptables -P OUTPUT      ACCEPT

Be cautious!
		Henning Rohde
	(Henning.Rohde at uni-bayreuth.de)

PS: And always do remember:
	SecureIT is not a matter of a status-quo 
	but one of never stopping to take care!

More information about the hints mailing list