mirror of https://github.com/tLDP/LDP
323 lines
13 KiB
XML
<sect1 id="Firewalling-and-Masquerading">

6.6. IP Firewall (for Linux-2.0)

IP Firewall and Firewalling issues are covered in more depth in the
Firewall-HOWTO. IP Firewalling allows you to secure your machine
against unauthorized network access by filtering or allowing datagrams
from or to IP addresses that you nominate. There are three different
classes of rules: incoming filtering, outgoing filtering and
forwarding filtering. Incoming rules are applied to datagrams that are
received by a network device. Outgoing rules are applied to datagrams
that are to be transmitted by a network device. Forwarding rules are
applied to datagrams that are received and are not for this machine,
i.e. datagrams that would be routed.

Kernel Compile Options:

        Networking options  --->
            [*] Network firewalls
            ....
            [*] IP: forwarding/gatewaying
            ....
            [*] IP: firewalling
            [ ] IP: firewall packet logging

Configuration of the IP firewall rules is performed using the ipfwadm
command. As I mentioned earlier, security is not something I am an
expert at, so while I will present an example you can use, you should
do your own research and develop your own rules if security is
important to you.

Probably the most common use of IP firewall is when you are using your
Linux machine as a router and firewall gateway to protect your local
network from unauthorized access from outside your network.

The following configuration is based on a contribution from Arnt
Gulbrandsen, <agulbra@troll.no>.

The example describes the configuration of the firewall rules on the
Linux firewall/router machine illustrated in this diagram:

                  -                                   -
                   \                                  | 172.16.37.0
                    \                                 |   /255.255.255.0
                     \                 ---------      |
                      | 172.16.174.30  | Linux |      |
    NET ==============|                |  f/w  |------| ..37.19
                      | PPP            | router|      |  --------
                     /                 ---------      |--| Mail |
                    /                                 |  | /DNS |
                   /                                  |  --------
                  -                                   -

The following commands would normally be placed in an rc file so that
they are automatically run each time the system boots. For maximum
security they would be performed after the network interfaces are
configured, but before the interfaces are actually brought up, to
prevent anyone gaining access while the firewall machine is rebooting.

#!/bin/sh

# Flush the 'Forwarding' rules table
# Change the default policy to 'accept'
#
/sbin/ipfwadm -F -f
/sbin/ipfwadm -F -p accept
#
# .. and for 'Incoming'
#
/sbin/ipfwadm -I -f
/sbin/ipfwadm -I -p accept

# First off, seal off the PPP interface
# I'd love to use '-a deny' instead of '-a reject -y' but then it
# would be impossible to originate connections on that interface too.
# The -o causes all rejected datagrams to be logged. This trades
# disk space against knowledge of an attack or configuration error.
#
/sbin/ipfwadm -I -a reject -y -o -P tcp -S 0/0 -D 172.16.174.30

# Throw away certain kinds of obviously forged packets right away:
# Nothing should come from multicast/anycast/broadcast addresses
#
/sbin/ipfwadm -F -a deny -o -S 224.0/3 -D 172.16.37.0/24
#
# and nothing coming from the loopback network should ever be
# seen on a wire
#
/sbin/ipfwadm -F -a deny -o -S 127.0/8 -D 172.16.37.0/24

# accept incoming SMTP and DNS connections, but only
# to the Mail/Name Server
#
/sbin/ipfwadm -F -a accept -P tcp -S 0/0 -D 172.16.37.19 25 53
#
# DNS uses UDP as well as TCP, so allow that too
# for questions to our name server
#
/sbin/ipfwadm -F -a accept -P udp -S 0/0 -D 172.16.37.19 53
#
# but not "answers" coming to dangerous ports like NFS and
# Larry McVoy's NFS extension. If you run squid, add its port here.
#
/sbin/ipfwadm -F -a deny -o -P udp -S 0/0 53 \
        -D 172.16.37.0/24 2049 2050

# answers to other user ports are okay
#
/sbin/ipfwadm -F -a accept -P udp -S 0/0 53 \
        -D 172.16.37.0/24 53 1024:65535

# Reject incoming connections to identd
# We use 'reject' here so that the connecting host is told
# straight away not to bother continuing, otherwise we'd experience
# delays while ident timed out.
#
/sbin/ipfwadm -F -a reject -o -P tcp -S 0/0 -D 172.16.37.0/24 113

# Accept some common service connections from the 192.168.64 and
# 192.168.65 networks, they are friends that we trust.
#
/sbin/ipfwadm -F -a accept -P tcp -S 192.168.64.0/23 \
        -D 172.16.37.0/24 20:23

# accept and pass through anything originating inside
#
/sbin/ipfwadm -F -a accept -P tcp -S 172.16.37.0/24 -D 0/0

# deny most other incoming TCP connections and log them
# (append 1:1023 if you have problems with ftp not working)
#
/sbin/ipfwadm -F -a deny -o -y -P tcp -S 0/0 -D 172.16.37.0/24

# ... for UDP too
#
/sbin/ipfwadm -F -a deny -o -P udp -S 0/0 -D 172.16.37.0/24

Good firewall configurations are a little tricky. This example should
be a reasonable starting point for you. The ipfwadm manual page offers
some assistance in how to use the tool. If you intend to configure a
firewall, be sure to ask around and get as much advice from sources
you consider reliable, and get someone to test/sanity check your
configuration from the outside.

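As an added example (not part of this HOWTO or of Arnt Gulbrandsen's contribution), the Python below models the first-match evaluation of an ipfwadm chain and runs constructed datagrams through the forwarding rules of the script above; the `rule`, `verdict` and `check` helpers and the sample addresses are assumptions of the example, not anything ipfwadm itself provides.

```python
# Constructed model of a Linux 2.0 ipfwadm chain: rules are tried in order,
# the first match decides, otherwise the chain's default policy (-p) applies.
import ipaddress

def _net(spec):
    # ipfwadm abbreviations: "224.0/3" -> 224.0.0.0/3, "0/0" -> any, bare host -> /32
    net, _, bits = spec.partition("/")
    octets = (net.split(".") + ["0"] * 4)[:4]
    return ipaddress.ip_network(".".join(octets) + "/" + (bits or "32"), strict=False)

def _ports(specs):
    # no port list means any port; "lo:hi" is an inclusive range
    return [(int(p.split(":")[0]), int(p.split(":")[-1])) for p in specs] or None
def _in_ports(ranges, port):
    return ranges is None or any(lo <= port <= hi for lo, hi in ranges)
def rule(action, proto, src, sports, dst, dports, syn_only=False):
    """One rule: -a action -P proto -S src [ports] -D dst [ports] [-y]."""
    return dict(action=action, proto=proto, src=_net(src), sports=_ports(sports),
                dst=_net(dst), dports=_ports(dports), syn_only=syn_only)

def matches(r, pkt):
    if r["proto"] != "all" and pkt["proto"] != r["proto"]:
        return False
    if r["syn_only"] and not pkt["syn"]:   # -y: only TCP segments with SYN set, ACK clear
        return False
    return (ipaddress.ip_address(pkt["src"]) in r["src"] and ipaddress.ip_address(pkt["dst"]) in r["dst"]
            and _in_ports(r["sports"], pkt["sport"]) and _in_ports(r["dports"], pkt["dport"]))

def verdict(chain, pkt, policy="accept"):
    """Action of the first matching rule, or the chain's default policy."""
    return next((r["action"] for r in chain if matches(r, pkt)), policy)

# The HOWTO script's forwarding chain (-F, default policy accept), transcribed in order.
FORWARD = [
    rule("deny",   "all", "224.0/3", [], "172.16.37.0/24", []),
    rule("deny",   "all", "127.0/8", [], "172.16.37.0/24", []),
    rule("accept", "tcp", "0/0", [], "172.16.37.19", ["25", "53"]),
    rule("accept", "udp", "0/0", [], "172.16.37.19", ["53"]),
    rule("deny",   "udp", "0/0", ["53"], "172.16.37.0/24", ["2049", "2050"]),
    rule("accept", "udp", "0/0", ["53"], "172.16.37.0/24", ["53", "1024:65535"]),
    rule("reject", "tcp", "0/0", [], "172.16.37.0/24", ["113"]),
    rule("accept", "tcp", "192.168.64.0/23", [], "172.16.37.0/24", ["20:23"]),
    rule("accept", "tcp", "172.16.37.0/24", [], "0/0", []),
    rule("deny",   "tcp", "0/0", [], "172.16.37.0/24", [], syn_only=True),
    rule("deny",   "udp", "0/0", [], "172.16.37.0/24", []),
]
def check(proto, src, sport, dst, dport, syn=False):
    # run one constructed datagram (documentation-range addresses) through the chain
    return verdict(FORWARD, dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport, syn=syn))
```

Walking packets through the chain in the listed order shows why the NFS deny must precede the 1024:65535 accept, and why the final TCP deny carries -y: reply segments of connections opened from inside carry no SYN, so they match no rule and fall through to the default accept policy.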
6.7. IP Firewall (for Linux-2.2)

The new firewalling code is accessed via ``IP Firewall Chains''. See
the IP Chains home page for more information. Among other things,
you'll now need to use ipchains instead of ipfwadm to configure your
filters. (From Documentation/Changes in the latest kernel sources.)

We are aware that this is a sorely out of date statement and we are
currently working on getting this section more current. You can expect
a newer version in August of 1999.

8.7. Firewall

A firewall is a device that protects a private network from the public
part (the Internet as a whole). It is designed to control the flow of
packets based on the source, destination, port and packet type
information contained in each packet.

Different firewall toolkits exist for Linux as well as built-in
support in the kernel. Other firewalls are TIS and SOCKS. These
firewall toolkits are very complete and, combined with other tools,
allow blocking/redirection of all kinds of traffic and protocols.
Different policies can be implemented via configuration files or GUI
programs.

  * TIS home page <http://www.tis.com>

  * SOCKS <http://www.socks.nec.com/socksfaq.html>

  * Firewall HOWTO <http://metalab.unc.edu/mdw/HOWTO/Firewall-HOWTO.html>

8.8. Port forwarding

An increasing number of web sites are becoming interactive by having
cgi-bins or Java applets that access some database or other service.
Since this access may pose a security problem, the machine containing
the database should not be directly connected to the Internet.

Port Forwarding can provide an almost ideal solution to this access
problem. On the firewall, IP packets that come in to a specific port
number can be re-written and forwarded to the internal server
providing the actual service. The reply packets from the internal
server are re-written to make it appear that they came from the
firewall.

Port forwarding information may be found here
<http://www.ox.compsoc.net/~steve/portforwarding.html>

8.3. IP Masquerade

IP Masquerade is a developing networking function in Linux. If a Linux
host is connected to the Internet with IP Masquerade enabled, then
computers connecting to it (either on the same LAN or connected with
modems) can reach the Internet as well, even though they have no
officially assigned IP addresses. This allows for a reduction of costs,
since many people may be able to access the Internet using a single
modem connection, and it also contributes to increased security (in some
ways the machine is acting as a firewall, since unofficially assigned
addresses cannot be accessed from outside of that network).

IP masquerade related pages and documents:

  * http://ipmasq.home.ml.org/
  * http://www.indyramp.com/masq/links.pfhtml
  * http://metalab.unc.edu/mdw/HOWTO/IP-Masquerade-HOWTO.html

<title>Firewalling-and-Masquerading</title>

<para>
</para>

Masquerading Made Simple HOWTO

-----------------------------------------------------------------------------

Chapter 8. Miscellaneous

8.1. Useful Resources

  * [http://ipmasq.webhop.net/] IP Masquerade Resource page will have all the
    current information for setting up IP Masquerade on 2.0.x, 2.2.x, and
    even old 1.2 kernels!

  * [http://juanjox.kernelnotes.org] Juan Jose Ciarlante's WWW site, who is
    one of the current Linux IP Masquerade maintainers. A mirror can be found
    at [http://ipmasq.webhop.net/juanjox/] ipmasq.webhop.net/juanjox

  * IP Masquerade mailing list Archives contains the recent messages sent to
    the mailing lists.

  * David Ranch's Linux page including the TrinityOS Linux document and
    current versions of the IP-MASQ-HOWTO. Topics such as IP MASQ, strong
    IPFWADM/IPCHAINS rulesets, PPP, Diald, Cablemodems, DNS, Sendmail, Samba,
    NFS, Security, etc. are covered.

  * The IP Masquerading Applications page: A comprehensive list of
    applications that work or can be tuned to work through a Linux IP
    masquerading server.

  * For users setting up IP Masq on MkLinux, email Taro Fukunaga at
    [mailto:tarozax@earthlink.net] tarozax@earthlink.net for a copy of his
    short MkLinux version of this HOWTO.

  * IP masquerade FAQ has some general information

  * Paul Russell's [http://www.netfilter.org/ipchains/]
    http://www.netfilter.org/ipchains/ doc and its possibly older backup at
    Linux IPCHAINS HOWTO. This HOWTO has lots of information for IPCHAINS
    usage, as well as source and binaries for the ipchains tool.

  * [http://www.xos.nl/linux/ipfwadm/] X/OS Ipfwadm page contains sources,
    binaries, documentation, and other information about the ipfwadm package

  * Check out the GreatCircle's Firewall mailing list for a great resource
    about strong firewall rulesets.

  * The LDP Network Administrator's Guide is a MUST for the beginner Linux
    administrator trying to set up a network.

  * The [http://www.tldp.org/HOWTO/Net-HOWTO/index.html] Linux NET HOWTO is
    also another comprehensive document on how to set up and configure Linux
    networking.

  * Linux ISP Hookup HOWTO and [http://www.tldp.org/HOWTO/PPP-HOWTO/index.html]
    Linux PPP HOWTO give you information on how to connect your Linux host to
    the Internet

  * Linux Ethernet-Howto is a good source of information about setting up a
    LAN running over Ethernet.

  * Donald Becker's NIC drivers and Support Utils

  * You may also be interested in [http://www.tldp.org/HOWTO/Firewall-HOWTO.html]
    Linux Firewalling and Proxy Server HOWTO

  * Linux Kernel HOWTO will guide you through the kernel compilation process

  * Other [http://www.tldp.org/HOWTO/HOWTO-INDEX/howtos.html] Linux HOWTOs
    such as Kernel HOWTO

  * Posting to the USENET newsgroup: [news:comp.os.linux.networking]
    comp.os.linux.networking

-----------------------------------------------------------------------------

8.2. Linux IP Masquerade Resource

The [http://ipmasq.webhop.net/] Linux IP Masquerade Resource is a website
dedicated to Linux IP Masquerade information, also maintained by Ambrose Au.
It has the latest information related to IP Masquerade and may have
information that is not being included in the HOWTO.

You may find the Linux IP Masquerade Resource at the following locations:

  * [http://ipmasq.webhop.net/] http://ipmasq.webhop.net/, Primary Site,
    redirected to [http://ipmasq.webhop.net/] http://ipmasq.webhop.net/

  * [http://ipmasq2.webhop.net/] http://ipmasq2.webhop.net/, Secondary Site,
    redirected to [http://www.e-infomax.com/ipmasq/] http://www.e-infomax.com/ipmasq

</sect1>