<sect1 id="Firewalling-and-Masquerading">
6.6. IP Firewall (for Linux-2.0)
IP Firewall and Firewalling issues are covered in more depth in the
Firewall-HOWTO. IP Firewalling allows you to secure your machine
against unauthorized network access by filtering or allowing datagrams
from or to IP addresses that you nominate. There are three different
classes of rules: incoming filtering, outgoing filtering and
forwarding filtering. Incoming rules are applied to datagrams that are
received by a network device. Outgoing rules are applied to datagrams
that are to be transmitted by a network device. Forwarding rules are
applied to datagrams that are received and are not for this machine,
i.e. datagrams that would be routed.
Kernel Compile Options:
Networking options --->
[*] Network firewalls
....
[*] IP: forwarding/gatewaying
....
[*] IP: firewalling
[ ] IP: firewall packet logging
Configuration of the IP firewall rules is performed using the ipfwadm
command. As I mentioned earlier, security is not something I am an expert
at, so while I will present an example you can use, you should do your
own research and develop your own rules if security is important to
you.
Probably the most common use of IP firewall is when you are using your
linux machine as a router and firewall gateway to protect your local
network from unauthorized access from outside your network.
The following configuration is based on a contribution from Arnt
Gulbrandsen, <agulbra@troll.no>.
The example describes the configuration of the firewall rules on the
Linux firewall/router machine illustrated in this diagram:
- -
\ | 172.16.37.0
\ | /255.255.255.0
\ --------- |
| 172.16.174.30 | Linux | |
NET =================| f/w |------| ..37.19
| PPP | router| | --------
/ --------- |--| Mail |
/ | | /DNS |
/ | --------
- -
The following commands would normally be placed in an rc file so that
they are automatically started each time the system boots. For
maximum security they would be performed after the network interfaces
are configured, but before the interfaces are actually brought up, to
prevent anyone gaining access while the firewall machine is rebooting.
#!/bin/sh
# Flush the 'Forwarding' rules table
# Change the default policy to 'accept'
#
/sbin/ipfwadm -F -f
/sbin/ipfwadm -F -p accept
#
# .. and for 'Incoming'
#
/sbin/ipfwadm -I -f
/sbin/ipfwadm -I -p accept
# First off, seal off the PPP interface
# I'd love to use '-a deny' instead of '-a reject -y' but then it
# would be impossible to originate connections on that interface too.
# The -o causes all rejected datagrams to be logged. This trades
# disk space against knowledge of an attack or configuration error.
#
/sbin/ipfwadm -I -a reject -y -o -P tcp -S 0/0 -D 172.16.174.30
# Throw away certain kinds of obviously forged packets right away:
# Nothing should come from multicast/anycast/broadcast addresses
#
/sbin/ipfwadm -F -a deny -o -S 224.0/3 -D 172.16.37.0/24
#
# and nothing coming from the loopback network should ever be
# seen on a wire
#
/sbin/ipfwadm -F -a deny -o -S 127.0/8 -D 172.16.37.0/24
# accept incoming SMTP and DNS connections, but only
# to the Mail/Name Server
#
/sbin/ipfwadm -F -a accept -P tcp -S 0/0 -D 172.16.37.19 25 53
#
# DNS uses UDP as well as TCP, so allow that too
# for questions to our name server
#
/sbin/ipfwadm -F -a accept -P udp -S 0/0 -D 172.16.37.19 53
#
# but not "answers" coming to dangerous ports like NFS and
# Larry McVoy's NFS extension. If you run squid, add its port here.
#
/sbin/ipfwadm -F -a deny -o -P udp -S 0/0 53 \
-D 172.16.37.0/24 2049 2050
# answers to other user ports are okay
#
/sbin/ipfwadm -F -a accept -P udp -S 0/0 53 \
-D 172.16.37.0/24 53 1024:65535
# Reject incoming connections to identd
# We use 'reject' here so that the connecting host is told
# straight away not to bother continuing, otherwise we'd experience
# delays while ident timed out.
#
/sbin/ipfwadm -F -a reject -o -P tcp -S 0/0 -D 172.16.37.0/24 113
# Accept some common service connections from the 192.168.64 and
# 192.168.65 networks, they are friends that we trust.
#
/sbin/ipfwadm -F -a accept -P tcp -S 192.168.64.0/23 \
-D 172.16.37.0/24 20:23
# accept and pass through anything originating inside
#
/sbin/ipfwadm -F -a accept -P tcp -S 172.16.37.0/24 -D 0/0
# deny most other incoming TCP connections and log them
# (append 1:1023 if you have problems with ftp not working)
#
/sbin/ipfwadm -F -a deny -o -y -P tcp -S 0/0 -D 172.16.37.0/24
# ... for UDP too
#
/sbin/ipfwadm -F -a deny -o -P udp -S 0/0 -D 172.16.37.0/24
Good firewall configurations are a little tricky. This example should
be a reasonable starting point for you. The ipfwadm manual page offers
some assistance in how to use the tool. If you intend to configure a
firewall, be sure to ask around and get as much advice from sources
you consider reliable and get someone to test/sanity check your
configuration from the outside.
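One way to sanity check what the forwarding rules above actually do, before anyone tests them from the outside, is to evaluate sample datagrams against them on paper. The following is an added example, not code from the HOWTO or from ipfwadm: it parses the ipfwadm option subset used in the script above (`-a`, `-P`, `-S`/`-D` with port lists, `-y`, `-o`) and applies ipfwadm's first-match semantics to constructed packet records. It assumes only the Python standard library; the rule list is a copy of the script's forwarding rules with a few omitted, and the packets are constructed test inputs, not captured traffic.

```python
import ipaddress

# Forwarding-chain rules from the ipfwadm script above (continuation lines joined,
# a few rules omitted), in the order the script appends them.
FORWARD_RULES = [
    "-F -a deny -o -S 224.0/3 -D 172.16.37.0/24",
    "-F -a accept -P tcp -S 0/0 -D 172.16.37.19 25 53",
    "-F -a accept -P udp -S 0/0 -D 172.16.37.19 53",
    "-F -a deny -o -P udp -S 0/0 53 -D 172.16.37.0/24 2049 2050",
    "-F -a accept -P udp -S 0/0 53 -D 172.16.37.0/24 53 1024:65535",
    "-F -a reject -o -P tcp -S 0/0 -D 172.16.37.0/24 113",
    "-F -a accept -P tcp -S 172.16.37.0/24 -D 0/0",
    "-F -a deny -o -y -P tcp -S 0/0 -D 172.16.37.0/24",
    "-F -a deny -o -P udp -S 0/0 -D 172.16.37.0/24",
]

def _net(spec):
    # ipfwadm lets trailing octets be omitted: "224.0/3" means 224.0.0.0/3.
    addr, _, bits = spec.partition("/")
    addr = ".".join((addr.split(".") + ["0"] * 4)[:4])
    return ipaddress.ip_network(f"{addr}/{bits or 32}", strict=False)

def parse_rule(line):
    # Parse the ipfwadm option subset used on this page into a rule dict.
    a = line.split()
    r = {"action": None, "proto": "all", "syn": "-y" in a, "log": "-o" in a,
         "src": _net("0/0"), "sport": [], "dst": _net("0/0"), "dport": []}
    for i, tok in enumerate(a):
        if tok == "-a": r["action"] = a[i + 1]
        elif tok == "-P": r["proto"] = a[i + 1]
        elif tok in ("-S", "-D"):        # address, then an optional port list
            side = "src" if tok == "-S" else "dst"
            r[side] = _net(a[i + 1])
            for p in a[i + 2:]:
                if p.startswith("-"): break
                lo, _, hi = p.partition(":")       # "lo:hi" range or one port
                r[side[0] + "port"].append((int(lo), int(hi or lo)))
    return r                     # empty "sport"/"dport" list means any port

def _match(r, pkt):
    ok = lambda rs, p: not rs or any(lo <= p <= hi for lo, hi in rs)
    return (r["proto"] in ("all", pkt["proto"])
            and (pkt.get("syn", False) or not r["syn"])   # -y: SYN-only rule
            and ipaddress.ip_address(pkt["src"]) in r["src"]
            and ipaddress.ip_address(pkt["dst"]) in r["dst"]
            and ok(r["sport"], pkt.get("sport", 0)) and ok(r["dport"], pkt.get("dport", 0)))

def evaluate(rules, pkt, policy="accept"):
    # ipfwadm semantics: the first matching rule decides, else the chain policy.
    return next((r["action"] for r in rules if _match(r, pkt)), policy)
```

Running the chain over a non-SYN TCP datagram from outside shows why the script's author needed `-y`: it matches no rule and falls through to the accept policy, which is what lets replies to connections originated inside get back in.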
6.7. IP Firewall (for Linux-2.2)
The new firewalling code is accessed via ``IP Firewall Chains''. See
the IP Chains home page for more information. Among other things,
you'll now need to use ipchains instead of ipfwadm to configure your
filters. (From Documentation/Changes in the latest kernel sources.)
We are aware that this is a sorely out of date statement and we are
currently working on getting this section more current. You can expect
a newer version in August of 1999.
8.7. Firewall
A firewall is a device that protects a private network from the public
part (the internet as a whole). It is designed to control the flow of
packets based on the source, destination, port and packet type
information contained in each packet.
Different firewall toolkits exist for Linux, as well as built-in
support in the kernel. Other firewall toolkits include TIS and SOCKS. These
firewall toolkits are very complete and, combined with other tools,
allow blocking/redirection of all kinds of traffic and protocols.
Different policies can be implemented via configuration files or GUI
programs.
* TIS home page <http://www.tis.com>
* SOCKS <http://www.socks.nec.com/socksfaq.html>
* Firewall HOWTO <http://metalab.unc.edu/mdw/HOWTO/Firewall-HOWTO.html>
8.8. Port forwarding
An increasing number of web sites are becoming interactive by having
cgi-bins or Java applets that access some database or other service.
Since this access may pose a security problem, the machine containing
the database should not be directly connected to the Internet.
Port Forwarding can provide an almost ideal solution to this access
problem. On the firewall, IP packets that come in to a specific port
number can be re-written and forwarded to the internal server
providing the actual service. The reply packets from the internal
server are re-written to make it appear that they came from the
firewall.
Port forwarding information may be found here
<http://www.ox.compsoc.net/~steve/portforwarding.html>
8.3. IP Masquerade
IP Masquerade is a developing networking function in Linux. If a Linux
host is connected to the Internet with IP Masquerade enabled, then
computers connecting to it (either on the same LAN or connected with
modems) can reach the Internet as well, even though they have no
officially assigned IP addresses. This allows for reduction of costs,
since many people may be able to access the Internet using a single
modem connection, and it also contributes to increased security (in some
ways the machine is acting as a firewall, since unofficially assigned
addresses cannot be accessed from outside that network).
IP masquerade related pages and documents:
* http://ipmasq.home.ml.org/
* http://www.indyramp.com/masq/links.pfhtml
* http://metalab.unc.edu/mdw/HOWTO/IP-Masquerade-HOWTO.html
<title>Firewalling-and-Masquerading</title>
<para>
</para>
Masquerading Made Simple HOWTO
-----------------------------------------------------------------------------
Chapter 8. Miscellaneous
8.1. Useful Resources
* [http://ipmasq.webhop.net/] IP Masquerade Resource page: will have all the
  current information for setting up IP Masquerade on 2.0.x, 2.2.x, and
  even old 1.2 kernels!
* [http://juanjox.kernelnotes.org] Juan Jose Ciarlante's WWW site; he is
  one of the current Linux IP Masquerade maintainers. A mirror can be found
  at [http://ipmasq.webhop.net/juanjox/] ipmasq.webhop.net/juanjox
* IP Masquerade mailing list Archives contain the recent messages sent to
  the mailing lists.
* David Ranch's Linux page including the TrinityOS Linux document and
  current versions of the IP-MASQ-HOWTO. Topics such as IP MASQ, strong
  IPFWADM/IPCHAINS rulesets, PPP, Diald, Cablemodems, DNS, Sendmail, Samba,
  NFS, Security, etc. are covered.
* The IP Masquerading Applications page: a comprehensive list of
  applications that work or can be tuned to work through a Linux IP
  masquerading server.
* For users setting up IP Masq on MkLinux, email Taro Fukunaga at [mailto:
  tarozax@earthlink.net] tarozax@earthlink.net for a copy of his short
  MkLinux version of this HOWTO.
* IP masquerade FAQ has some general information
* Paul Russell's [http://www.netfilter.org/ipchains/]
  http://www.netfilter.org/ipchains/ doc and its possibly older backup at Linux
  IPCHAINS HOWTO. This HOWTO has lots of information for IPCHAINS usage, as
  well as source and binaries for the ipchains tool.
* [http://www.xos.nl/linux/ipfwadm/] X/OS Ipfwadm page contains sources,
  binaries, documentation, and other information about the ipfwadm package
* Check out the GreatCircle's Firewall mailing list for a great resource
  about strong firewall rulesets.
* The LDP Network Administrator's Guide is a MUST for the beginner Linux
  administrator trying to set up a network.
* The [http://www.tldp.org/HOWTO/Net-HOWTO/index.html] Linux NET HOWTO is
  also another comprehensive document on how to set up and configure Linux
  networking.
* Linux ISP Hookup HOWTO and [http://www.tldp.org/HOWTO/PPP-HOWTO/index.html]
  Linux PPP HOWTO give you information on how to connect your
  Linux host to the Internet
* Linux Ethernet-Howto is a good source of information about setting up a
  LAN running over Ethernet.
* Donald Becker's NIC drivers and Support Utils
* You may also be interested in [http://www.tldp.org/HOWTO/Firewall-HOWTO.html]
  Linux Firewalling and Proxy Server HOWTO
* Linux Kernel HOWTO will guide you through the kernel compilation process
* Other [http://www.tldp.org/HOWTO/HOWTO-INDEX/howtos.html] Linux HOWTOs
  such as Kernel HOWTO
* Posting to the USENET newsgroup: [news:comp.os.linux.networking]
  comp.os.linux.networking
-----------------------------------------------------------------------------
8.2. Linux IP Masquerade Resource
The [http://ipmasq.webhop.net/] Linux IP Masquerade Resource is a website
dedicated to Linux IP Masquerade information, also maintained by Ambrose Au.
It has the latest information related to IP Masquerade and may have
information that is not included in the HOWTO.
You may find the Linux IP Masquerade Resource at the following locations:
* [http://ipmasq.webhop.net/] http://ipmasq.webhop.net/, Primary Site,
  redirected to [http://ipmasq.webhop.net/] http://ipmasq.webhop.net/
* [http://ipmasq2.webhop.net/] http://ipmasq2.webhop.net/, Secondary Site,
  redirected to [http://www.e-infomax.com/ipmasq/] http://www.e-infomax.com/ipmasq
</sect1>