RFC: Firewall-howto

Henning Rohde Rohde.Henning at gmx.net
Wed Jul 18 15:02:47 PDT 2001


Hi everybody working on LFS!

After half a year of absence I've just taken a second look at LFS:
    high respect to everyone who helped to improve the book,
    I'm glad to see how far you've got!


Taking this glance I noticed the wish for a firewall hint.
I've attached one; please tell me if it fits your needs.

I didn't want to be too explicit; for higher needs one has to
start reading oneself, but the 4 scripts should help out the most.

Have a nice day,

	Henning Rohde


PS: Please give hints for correction, especially in matters of grammar
 and spelling!
-------------- next part --------------
TITLE:		Firewall.txt
LFS VERSION:	any, but Kernel > 2.4
AUTHOR:		Henning Rohde	Henning.Rohde at uni-bayreuth.de

SYNOPSIS:
	Question:		What's a firewall?
	Answer:			Some wall of fire that only the Saints can pass through!
	And on the Internet?	Just a box that permits only the sane packets to pass!
	How do I build one?	Fetch iptables and read the following:

HINT:
When you read the word "firewall" there are at least five ways to understand it:
a) "Personal firewall":
	Program sold by e.g. Norton to secure a home desktop PC with
	internet access by modem or similar.
b) Firewall in its original meaning:
	Box put between internet and intranet, protecting the intranet.
c) Most common in the non-professional area:
	Some box in a corner masquerading internet access and at the same time
	offering a bunch of services.
d) Packet filter / partly accessible net. (Not described here.)
	Doing (B) but permitting only chosen services
	to be accessible, sometimes only by chosen internal users/boxes;
	mostly used in the professional area.
e) Firewall with servers for the public. (Not described here.)
	Highly available box, similar to (D); mostly the box has a third NIC:
	on this branch of the network sit those servers that must be
	accessible from both the internet and the intranet;
	this branch is called the DeMilitarized Zone (DMZ).


--------------
|Introduction|
--------------
If you want your Linux box to fulfil one of the first three of these purposes
you must first of all have a firewalling-enabled kernel:

But before you do a "make menuconfig", consider patching your kernel
with the latest iptables enhancements:

Download the latest version of iptables from http://netfilter.samba.org

Having current kernel sources in /usr/src/linux, go to the subdirectory
'patch-o-matic' below iptables and do a './runme', preferably as a user
who is allowed to patch the kernel.
You don't have to use all patches, but the IRC patch or masq-dynaddr.patch
could be useful, depending on your needs.
If patching is not successful, don't worry too much, just skip it;
mostly the default kernel is adequate for common needs!

Now you can configure the kernel:
General options to activate:
	IP: TCP/IP networking
	IP: advanced router
	IP: verbose route monitoring
	IP: TCP Explicit Congestion Notification support
	IP: TCP syncookie support (disabled by default)
Specifically for iptables/Netfilter:
	every option below 'IP: Netfilter Configuration',
	but not ipchains and ipfwadm.

After compiling and installing the new kernel you may want to edit the
Makefile of iptables and adapt the installation directories.
Now compile and install iptables.
Compile and install the save and restore utilities (iptables-save and
iptables-restore) with 'make experimental' and 'make install-experimental'.


---------------------------------------------
|Now we can enter the making of the Firewall|
---------------------------------------------

(A)
A personal firewall is supposed to let you access the whole range of
services offered on the internet, but keep your data private.

Let me quote Rusty Russell (slightly modified)
(netfilter.filewatcher.org/unreliable-guides/packet-filtering-HOWTO/index.html)

#!/bin/sh
##/etc/init.d/firewall
# Insert connection-tracking modules (not needed if built into kernel).
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_tables
modprobe iptable_filter
# permit answers to existing connections and
# permit new connections related to existing ones (eg active-ftp)
iptables -A INPUT	-m state --state ESTABLISHED,RELATED	-j ACCEPT
# allow locally generated connections
iptables -A INPUT	-i lo					-j ACCEPT
# set a safe policy
iptables -P INPUT       DROP
iptables -P FORWARD     DROP
iptables -P OUTPUT      ACCEPT
# verbose mode for dynamic IP addresses (needed with dial-up links)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr
# TCPsyncookie support
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# disable ExplicitCongestionNotification - too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

His script is quite simple, but if you only surf the internet you are
unlikely to hit its limits.

(B)
A true firewall has two interfaces: one connected to the intranet, eth0,
and one connected to the internet, ppp0.
No servers run on it and it does not access any services itself;
local (loopback) connections must nevertheless be allowed:

#!/bin/sh
##/etc/init.d/firewall
# Insert connection-tracking modules (not needed if built into kernel).
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_nat_ftp
# allow locally generated connections
iptables -A INPUT	-i lo					-j ACCEPT
iptables -A OUTPUT		-o lo				-j ACCEPT
# allow forwarding
iptables -A FORWARD -m state --state ESTABLISHED,RELATED 	-j ACCEPT
iptables -A FORWARD -m state --state NEW	-i ! ppp+	-j ACCEPT
# do masquerading
iptables -t nat -A POSTROUTING  -o ppp+				-j MASQUERADE
# set a safe policy
iptables -P INPUT       DROP
iptables -P FORWARD     DROP
iptables -P OUTPUT      DROP
# activate IP-Forwarding 
echo 1 > /proc/sys/net/ipv4/ip_forward
# verbose mode for dynamic IP addresses (needed with dial-up links)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr
# TCPsyncookie support
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# disable ExplicitCongestionNotification - too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

With this script your net should be acceptably secure against external
attacks; if you need further security, see Appendix 1 and start reading!

(C)
This scenario is not too different from (B), but you have some servers
running on your box.
It becomes relevant the moment you want to administer your box remotely
via the internet, e.g. via Secure Shell (ssh).

Take the script from (B), but insert the following before the INPUT and
OUTPUT policies are set (note that -I inserts at the top of the chain):
iptables -I INPUT  -p tcp --dport 22				  -j ACCEPT
iptables -I OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Alternatively, if you want to ping your box to ensure it is still alive:
iptables -I INPUT  -p icmp -m icmp --icmp-type echo-request	-j ACCEPT
iptables -I OUTPUT -p icmp -m icmp --icmp-type echo-reply	-j ACCEPT

These are only examples; on my gateway I have the following services:
OpenSSH, Samba, djbdns, CUPS, Leafnode, POP3/IMAP and Postfix!
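The scenario (C) gateway above, written out as one parameterised init script. This is an added example, not the hint's own script: the knobs IPT, LAN_IF, WAN_IF, TCP_SERVICES and ALLOW_PING are assumptions, IPT=echo prints the rules instead of loading them (a dry run that needs no root), and it goes beyond the hint in two ways it comments on: policies are set before the rules, and one stateful OUTPUT rule replaces the per-service "--sport 22" rule.

```shell
#!/bin/sh
# /etc/init.d/firewall for scenario (C): script (B) plus services offered by the box.
# Added example, not the hint's own script; the knobs below are assumptions:
#   IPT=echo prints the rules instead of loading them (dry run without root);
#   LAN_IF/WAN_IF, TCP_SERVICES (ports the box offers) and ALLOW_PING parameterise it.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-ppp+}"
TCP_SERVICES="${TCP_SERVICES:-22}"
ALLOW_PING="${ALLOW_PING:-yes}"

load_modules() {
    # Same modules as script (B); errors are harmless if they are built into the kernel.
    for m in ip_conntrack ip_conntrack_ftp ip_tables iptable_filter iptable_nat ip_nat_ftp; do
        modprobe "$m" 2>/dev/null
    done
}

apply_rules() {
    # Policies first: the hint sets them last, which leaves a window in which the
    # default ACCEPT policy applies while the rules are still being loaded.
    for chain in INPUT FORWARD OUTPUT; do $IPT -P "$chain" DROP; done
    $IPT -F; $IPT -t nat -F; $IPT -X
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Replies and related connections of the box itself; one rule replaces the
    # hint's per-service "--sport 22 --state ESTABLISHED" OUTPUT rule.
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Services offered by the box (the hint's "insert before blocking INPUT and OUTPUT").
    for port in $TCP_SERVICES; do
        $IPT -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    [ "$ALLOW_PING" = yes ] && $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # Forwarding and masquerading for the intranet, as in script (B).
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

tune_kernel() {
    echo 1 > /proc/sys/net/ipv4/ip_forward       # route between the two interfaces
    echo 2 > /proc/sys/net/ipv4/ip_dynaddr       # cope with the dynamic ppp address
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo 0 > /proc/sys/net/ipv4/tcp_ecn
}
case "${1:-}" in
    start) load_modules; tune_kernel; apply_rules ;;
esac
```

Preview the rules with `IPT=echo sh firewall start` before loading them for real as root with `sh firewall start`.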


------------
|APPENDICES|
------------

(1)
Nowadays we must face the fact of Denial-of-Service attacks,
even against private users (it seems to be quite common if you do online gaming).

There may be ways to protect both your router and your intranet, but any hint
I would give here would give you a false sense of security.

If you are really concerned about them, just start to read:
http://netfilter.samba.org/unreliable-guides/
http://netfilter.samba.org/netfilter-faq.html
http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html
http://www.e-infomax.com/ipmasq/ 
http://www.linuxgazette.com/issue65/stumpel.html

(2)
If you need to turn firewalling off quickly (the FORWARD policy stays DROP):

#!/bin/sh
##/etc/init.d/firewall.stop
iptables -Z
iptables -F
iptables -t nat         -F PREROUTING
iptables -t nat         -F OUTPUT
iptables -t nat         -F POSTROUTING
iptables -t mangle      -F PREROUTING
iptables -t mangle      -F OUTPUT
iptables -X
iptables -P INPUT       ACCEPT
iptables -P FORWARD     DROP
iptables -P OUTPUT      ACCEPT



Good Luck!
		Henning Rohde
	(Henning.Rohde at uni-bayreuth.de)

