<HTML><HEAD><TITLE>A Sample Firewall Configuration</TITLE><META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.57"><LINK REL="HOME" TITLE="Linux Network Administrators Guide" HREF="index.html"><LINK REL="UP" TITLE="TCP/IP Firewall" HREF="x-087-2-firewall.html"><LINK REL="PREVIOUS" TITLE="Testing a Firewall Configuration" HREF="x-087-2-firewall.checkingconf.html"><LINK REL="NEXT" TITLE="IP Accounting" HREF="x-087-2-accounting.html"></HEAD>
<BODY CLASS="SECT1" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF">
<DIV CLASS="NAVHEADER">
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR><TH COLSPAN="3" ALIGN="center">Linux Network Administrators Guide</TH></TR>
<TR>
<TD WIDTH="10%" ALIGN="left" VALIGN="bottom"><A HREF="x-087-2-firewall.checkingconf.html">Prev</A></TD>
<TD WIDTH="80%" ALIGN="center" VALIGN="bottom">Chapter 9. TCP/IP Firewall</TD>
<TD WIDTH="10%" ALIGN="right" VALIGN="bottom"><A HREF="x-087-2-accounting.html">Next</A></TD>
</TR>
</TABLE>
<HR ALIGN="LEFT" WIDTH="100%"></DIV>
<DIV CLASS="SECT1">
<H1 CLASS="SECT1"><A NAME="X-087-2-FIREWALL.EXAMPLE">9.11. A Sample Firewall Configuration</A></H1
><P>We've discussed the fundamentals of firewall configuration. Let's now look at what a firewall configuration might actually look like.</P>
<P>The configuration in this example has been designed to be easily extended and customized. We've provided three versions. The first version is implemented using the <B CLASS="COMMAND">ipfwadm</B> command (or the <B CLASS="COMMAND">ipfwadm-wrapper</B> script), the second uses <B CLASS="COMMAND">ipchains</B>, and the third uses <B CLASS="COMMAND">iptables</B>. The example doesn't attempt to exploit user-defined chains, but it will show you the similarities and differences between the old and new firewall configuration tool syntaxes:</P
><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="PROGRAMLISTING">#!/bin/bash
##########################################################################
# IPFWADM VERSION
# This sample configuration is for a single host firewall configuration
# with no services supported by the firewall machine itself.
##########################################################################

# USER CONFIGURABLE SECTION

# The name and location of the ipfwadm utility. Use ipfwadm-wrapper for
# 2.2.* kernels.
IPFWADM=ipfwadm

# The path to the ipfwadm executable.
PATH="/sbin"

# Our internal network address space and its supporting network device.
OURNET="172.29.16.0/24"
OURBCAST="172.29.16.255"
OURDEV="eth0"

# The outside address and the network device that supports it.
ANYADDR="0/0"
ANYDEV="eth1"

# The TCP services we wish to allow to pass - "" empty means all ports
# note: space separated (ipfwadm accepts a list of ports after an address)
TCPIN="smtp www"
TCPOUT="smtp www ftp ftp-data irc"

# The UDP services we wish to allow to pass - "" empty means all ports
# note: space separated
UDPIN="domain"
UDPOUT="domain"

# The ICMP services we wish to allow to pass - "" empty means all types
# ref: /usr/include/netinet/ip_icmp.h for type numbers
# note: space separated
ICMPIN="0 3 11"
ICMPOUT="8 3 11"

# Logging; uncomment the following line to enable logging of datagrams
# that are blocked by the firewall.
# LOGGING=1

# END USER CONFIGURABLE SECTION
###########################################################################
# Flush the Incoming table rules
$IPFWADM -I -f

# We want to deny incoming access by default.
$IPFWADM -I -p deny

# SPOOFING
# We should not accept any datagrams with a source address matching ours
# from the outside, so we deny them.
$IPFWADM -I -a deny -S $OURNET -W $ANYDEV

# SMURF
# Disallow ICMP to our broadcast address to prevent "Smurf" style attack.
$IPFWADM -I -a deny -P icmp -W $ANYDEV -D $OURBCAST

# TCP
# We will accept all TCP datagrams belonging to an existing connection
# (i.e. having the ACK bit set) for the TCP ports we're allowing through,
# both the ports we serve (TCPIN) and the ports we connect out to (TCPOUT).
# This should catch more than 95 % of all valid TCP packets. The -b flag
# makes each rule bidirectional, so it also matches the replies.
$IPFWADM -I -a accept -P tcp -D $OURNET $TCPIN -k -b
$IPFWADM -I -a accept -P tcp -D $ANYADDR $TCPOUT -k -b

# TCP - INCOMING CONNECTIONS
# We will accept connection requests from the outside only on the
# allowed TCP ports.
$IPFWADM -I -a accept -P tcp -W $ANYDEV -D $OURNET $TCPIN -y

# TCP - OUTGOING CONNECTIONS
# We accept all outgoing TCP connection requests on allowed TCP ports.
$IPFWADM -I -a accept -P tcp -W $OURDEV -D $ANYADDR $TCPOUT -y

# UDP - INCOMING
# We will allow UDP datagrams in on the allowed ports, and the replies
# (sourced from those ports) back out.
$IPFWADM -I -a accept -P udp -W $ANYDEV -D $OURNET $UDPIN
$IPFWADM -I -a accept -P udp -W $OURDEV -S $OURNET $UDPIN -D $ANYADDR

# UDP - OUTGOING
# We will allow UDP datagrams out on the allowed ports, and the replies
# (sourced from those ports) back in.
$IPFWADM -I -a accept -P udp -W $OURDEV -D $ANYADDR $UDPOUT
$IPFWADM -I -a accept -P udp -W $ANYDEV -S $ANYADDR $UDPOUT -D $OURNET

# ICMP - INCOMING
# We will allow ICMP datagrams in of the allowed types. ipfwadm takes the
# ICMP type in the port position of the -S option.
$IPFWADM -I -a accept -P icmp -W $ANYDEV -S $ANYADDR $ICMPIN -D $OURNET

# ICMP - OUTGOING
# We will allow ICMP datagrams out of the allowed types.
$IPFWADM -I -a accept -P icmp -W $OURDEV -S $OURNET $ICMPOUT -D $ANYADDR

# DEFAULT and LOGGING
# All remaining datagrams fall through to the default
# rule and are dropped. They will be logged if you've
# configured the LOGGING variable above.
#
if [ "$LOGGING" ]
then
# Log barred TCP
$IPFWADM -I -a reject -P tcp -o

# Log barred UDP
$IPFWADM -I -a reject -P udp -o

# Log barred ICMP
$IPFWADM -I -a reject -P icmp -o
fi
#
# end.</PRE></TD></TR></TABLE
><P>Now we'll reimplement it using the <B CLASS="COMMAND">ipchains</B> command:</P
><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="PROGRAMLISTING">#!/bin/bash
##########################################################################
# IPCHAINS VERSION
# This sample configuration is for a single host firewall configuration
# with no services supported by the firewall machine itself.
##########################################################################

# USER CONFIGURABLE SECTION

# The name and location of the ipchains utility.
IPCHAINS=ipchains

# The path to the ipchains executable.
PATH="/sbin"

# Our internal network address space and its supporting network device.
OURNET="172.29.16.0/24"
OURBCAST="172.29.16.255"
OURDEV="eth0"

# The outside address and the network device that supports it.
ANYADDR="0/0"
ANYDEV="eth1"

# The TCP services we wish to allow to pass - "" empty means all ports
# note: space separated. ipchains takes only one port (or low:high range)
# per rule, so the rules below are generated once per listed port.
TCPIN="smtp www"
TCPOUT="smtp www ftp ftp-data irc"

# The UDP services we wish to allow to pass - "" empty means all ports
# note: space separated
UDPIN="domain"
UDPOUT="domain"

# The ICMP services we wish to allow to pass - "" empty means all types
# ref: /usr/include/netinet/ip_icmp.h for type numbers
# note: space separated
ICMPIN="0 3 11"
ICMPOUT="8 3 11"

# Logging; uncomment the following line to enable logging of datagrams
# that are blocked by the firewall.
# LOGGING=1

# END USER CONFIGURABLE SECTION
##########################################################################
# Flush the input chain rules
$IPCHAINS -F input

# We want to deny incoming access by default.
$IPCHAINS -P input deny

# SPOOFING
# We should not accept any datagrams with a source address matching ours
# from the outside, so we deny them.
$IPCHAINS -A input -s $OURNET -i $ANYDEV -j deny

# SMURF
# Disallow ICMP to our broadcast address to prevent "Smurf" style attack.
$IPCHAINS -A input -p icmp -i $ANYDEV -d $OURBCAST -j deny

# We should accept fragments, in ipchains we must do this explicitly.
$IPCHAINS -A input -f -j accept

# TCP
# We will accept all TCP datagrams belonging to an existing connection
# (i.e. anything that is not a connection request, "! -y") for the TCP
# ports we're allowing through, both the ports we serve (TCPIN) and the
# ports we connect out to (TCPOUT). This should catch more than 95 % of
# all valid TCP packets. The -b flag makes each rule bidirectional, so it
# also matches the replies. An empty port list ("") expands to a single
# rule with no port, i.e. all ports.
for port in ${TCPIN:-""}; do
    $IPCHAINS -A input -p tcp -d $OURNET $port ! -y -b -j accept
done
for port in ${TCPOUT:-""}; do
    $IPCHAINS -A input -p tcp -d $ANYADDR $port ! -y -b -j accept
done

# TCP - INCOMING CONNECTIONS
# We will accept connection requests from the outside only on the
# allowed TCP ports.
for port in ${TCPIN:-""}; do
    $IPCHAINS -A input -p tcp -i $ANYDEV -d $OURNET $port -y -j accept
done

# TCP - OUTGOING CONNECTIONS
# We accept all outgoing TCP connection requests on allowed TCP ports.
for port in ${TCPOUT:-""}; do
    $IPCHAINS -A input -p tcp -i $OURDEV -d $ANYADDR $port -y -j accept
done

# UDP - INCOMING
# We will allow UDP datagrams in on the allowed ports, and the replies
# (sourced from those ports) back out.
for port in ${UDPIN:-""}; do
    $IPCHAINS -A input -p udp -i $ANYDEV -d $OURNET $port -j accept
    $IPCHAINS -A input -p udp -i $OURDEV -s $OURNET $port -d $ANYADDR -j accept
done

# UDP - OUTGOING
# We will allow UDP datagrams out on the allowed ports, and the replies
# (sourced from those ports) back in.
for port in ${UDPOUT:-""}; do
    $IPCHAINS -A input -p udp -i $OURDEV -d $ANYADDR $port -j accept
    $IPCHAINS -A input -p udp -i $ANYDEV -s $ANYADDR $port -d $OURNET -j accept
done

# ICMP - INCOMING
# We will allow ICMP datagrams in of the allowed types. ipchains takes the
# ICMP type in the port position of the -s option, one type per rule.
for type in ${ICMPIN:-""}; do
    $IPCHAINS -A input -p icmp -i $ANYDEV -s $ANYADDR $type -d $OURNET -j accept
done

# ICMP - OUTGOING
# We will allow ICMP datagrams out of the allowed types.
for type in ${ICMPOUT:-""}; do
    $IPCHAINS -A input -p icmp -i $OURDEV -s $OURNET $type -d $ANYADDR -j accept
done

# DEFAULT and LOGGING
# All remaining datagrams fall through to the default
# rule and are dropped. They will be logged if you've
# configured the LOGGING variable above.
#
if [ "$LOGGING" ]
then
# Log barred TCP
$IPCHAINS -A input -p tcp -l -j reject

# Log barred UDP
$IPCHAINS -A input -p udp -l -j reject

# Log barred ICMP
$IPCHAINS -A input -p icmp -l -j reject
fi
#
# end.</PRE></TD></TR></TABLE
><P>In our <B CLASS="COMMAND">iptables</B> example, we've switched to using the <TT CLASS="LITERAL">FORWARD</TT> ruleset because of the difference in meaning of the <TT CLASS="LITERAL">INPUT</TT> ruleset in the <I CLASS="EMPHASIS">netfilter</I> implementation. This has implications for us; it means that none of the rules protect the firewall host itself. To accurately mimic our <B CLASS="COMMAND">ipchains</B> example, we would replicate each of our rules in the <TT CLASS="LITERAL">INPUT</TT> chain. For clarity, we've dropped all incoming datagrams received from our outside interface instead.</P
><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="PROGRAMLISTING">#!/bin/bash
##########################################################################
# IPTABLES VERSION
# This sample configuration is for a single host firewall configuration
# with no services supported by the firewall machine itself.
##########################################################################

# USER CONFIGURABLE SECTION

# The name and location of the iptables utility.
IPTABLES=iptables

# The path to the iptables executable.
PATH="/sbin"

# Our internal network address space and its supporting network device.
OURNET="172.29.16.0/24"
OURBCAST="172.29.16.255"
OURDEV="eth0"

# The outside address and the network device that supports it.
ANYADDR="0/0"
ANYDEV="eth1"

# The TCP services we wish to allow to pass - "" empty means all ports
# note: comma separated (handed to the multiport match)
TCPIN="smtp,www"
TCPOUT="smtp,www,ftp,ftp-data,irc"

# The UDP services we wish to allow to pass - "" empty means all ports
# note: comma separated
UDPIN="domain"
UDPOUT="domain"

# The ICMP services we wish to allow to pass - "" empty means all types
# ref: /usr/include/netinet/ip_icmp.h for type numbers
# note: space separated. The multiport match does not apply to ICMP, so
# the rules below are generated once per listed type with --icmp-type.
ICMPIN="0 3 11"
ICMPOUT="8 3 11"

# Logging; uncomment the following line to enable logging of datagrams
# that are blocked by the firewall.
# LOGGING=1

# END USER CONFIGURABLE SECTION
###########################################################################
# Flush the FORWARD chain rules
$IPTABLES -F FORWARD

# We want to deny forwarded traffic by default (iptables calls the
# policy DROP).
$IPTABLES -P FORWARD DROP

# Drop all datagrams destined for this host received from outside.
$IPTABLES -A INPUT -i $ANYDEV -j DROP

# SPOOFING
# We should not accept any datagrams with a source address matching ours
# from the outside, so we deny them.
$IPTABLES -A FORWARD -s $OURNET -i $ANYDEV -j DROP

# SMURF
# Disallow ICMP to our broadcast address to prevent "Smurf" style attack.
$IPTABLES -A FORWARD -p icmp -i $ANYDEV -d $OURBCAST -j DROP

# We should accept fragments, in iptables we must do this explicitly.
$IPTABLES -A FORWARD -f -j ACCEPT

# TCP
# We will accept all TCP datagrams belonging to an existing connection
# (i.e. anything that is not a connection request; "! --syn" is the
# iptables equivalent of the ipchains "! -y") for the TCP ports we're
# allowing through, both the ports we serve (TCPIN) and the ports we
# connect out to (TCPOUT). This should catch more than 95 % of all valid
# TCP packets. An empty port list ("") leaves out the multiport match,
# i.e. all ports.
$IPTABLES -A FORWARD -p tcp -d $OURNET ${TCPIN:+-m multiport --dports $TCPIN} \
    ! --syn -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $OURNET ${TCPIN:+-m multiport --sports $TCPIN} \
    ! --syn -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d $ANYADDR ${TCPOUT:+-m multiport --dports $TCPOUT} \
    ! --syn -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $ANYADDR ${TCPOUT:+-m multiport --sports $TCPOUT} \
    ! --syn -j ACCEPT

# TCP - INCOMING CONNECTIONS
# We will accept connection requests from the outside only on the
# allowed TCP ports.
$IPTABLES -A FORWARD -p tcp -i $ANYDEV -d $OURNET \
    ${TCPIN:+-m multiport --dports $TCPIN} --syn -j ACCEPT

# TCP - OUTGOING CONNECTIONS
# We will accept all outgoing TCP connection requests on the allowed
# TCP ports.
$IPTABLES -A FORWARD -p tcp -i $OURDEV -d $ANYADDR \
    ${TCPOUT:+-m multiport --dports $TCPOUT} --syn -j ACCEPT

# UDP - INCOMING
# We will allow UDP datagrams in on the allowed ports and the replies
# back out; the replies enter the firewall on our inside interface.
$IPTABLES -A FORWARD -p udp -i $ANYDEV -d $OURNET \
    ${UDPIN:+-m multiport --dports $UDPIN} -j ACCEPT
$IPTABLES -A FORWARD -p udp -i $OURDEV -s $OURNET \
    ${UDPIN:+-m multiport --sports $UDPIN} -j ACCEPT

# UDP - OUTGOING
# We will allow UDP datagrams out to the allowed ports and the replies
# back in; the replies enter the firewall on our outside interface.
$IPTABLES -A FORWARD -p udp -i $OURDEV -d $ANYADDR \
    ${UDPOUT:+-m multiport --dports $UDPOUT} -j ACCEPT
$IPTABLES -A FORWARD -p udp -i $ANYDEV -s $ANYADDR \
    ${UDPOUT:+-m multiport --sports $UDPOUT} -j ACCEPT

# ICMP - INCOMING
# We will allow ICMP datagrams in of the allowed types, one rule per type.
# An empty type list ("") gives a single rule with no type, i.e. all types.
for type in ${ICMPIN:-""}; do
    $IPTABLES -A FORWARD -p icmp -i $ANYDEV -d $OURNET \
        ${type:+--icmp-type $type} -j ACCEPT
done

# ICMP - OUTGOING
# We will allow ICMP datagrams out of the allowed types.
for type in ${ICMPOUT:-""}; do
    $IPTABLES -A FORWARD -p icmp -i $OURDEV -d $ANYADDR \
        ${type:+--icmp-type $type} -j ACCEPT
done

# DEFAULT and LOGGING
# All remaining datagrams fall through to the default
# rule and are dropped. They will be logged if you've
# configured the LOGGING variable above.
#
if [ "$LOGGING" ]
then
# Log barred TCP
$IPTABLES -A FORWARD -p tcp -j LOG

# Log barred UDP
$IPTABLES -A FORWARD -p udp -j LOG

# Log barred ICMP
$IPTABLES -A FORWARD -p icmp -j LOG
fi
#
# end.</PRE></TD></TR></TABLE
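><P>The negated <TT CLASS="LITERAL">--tcp-flags</TT> match behind the <B CLASS="COMMAND">iptables</B> version's established-connection rules is easy to get backwards, so here is an added shell example (not code from the book or from any of the three scripts) that evaluates the match the way netfilter does, packet flags AND mask compared with comp, for a given flag set. It assumes only the standard TCP flag bit values (FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32) and shows that <TT CLASS="LITERAL">! --syn</TT> (shorthand for <TT CLASS="LITERAL">! --tcp-flags SYN,RST,ACK SYN</TT>) accepts established traffic, while <TT CLASS="LITERAL">! --tcp-flags SYN,ACK ACK</TT> accepts the opposite.</P>

```shell
#!/bin/sh
# Added example, not from the Linux Network Administrators Guide: evaluate
# the iptables "--tcp-flags MASK COMP" match for a given TCP flag set.

# Bit values of the TCP flags, as in netinet/tcp.h.
flag_bit() {
    case "$1" in
        FIN) echo 1 ;;  SYN) echo 2 ;;  RST) echo 4 ;;
        PSH) echo 8 ;;  ACK) echo 16 ;; URG) echo 32 ;;
        *) echo "unknown TCP flag: $1" >&2; echo 0 ;;
    esac
}

# flags_value "SYN,ACK" -> integer with those bits set ("" -> 0).
flags_value() {
    v=0
    for f in $(printf '%s' "$1" | tr ',' ' '); do
        v=$(( v | $(flag_bit "$f") ))
    done
    echo "$v"
}

# tcp_flags_match MASK COMP PKTFLAGS -> 1 if "--tcp-flags MASK COMP"
# matches a packet carrying PKTFLAGS, else 0. netfilter matches when
# (packet flags AND mask) == comp.
tcp_flags_match() {
    m=$(flags_value "$1"); c=$(flags_value "$2"); p=$(flags_value "$3")
    if [ $(( p & m )) -eq "$c" ]; then echo 1; else echo 0; fi
}

# syn_match PKTFLAGS: "--syn" is shorthand for "--tcp-flags SYN,RST,ACK SYN".
syn_match() { tcp_flags_match SYN,RST,ACK SYN "$1"; }

# accepts RULE PKTFLAGS -> 1 if the negated rule form accepts the packet:
#   not-syn         is "! --syn"                    (selects established)
#   not-synack-ack  is "! --tcp-flags SYN,ACK ACK"  (selects the opposite)
accepts() {
    case "$1" in
        not-syn)        r=$(syn_match "$2") ;;
        not-synack-ack) r=$(tcp_flags_match SYN,ACK ACK "$2") ;;
        *) echo "unknown rule: $1" >&2; r=1 ;;
    esac
    if [ "$r" -eq 0 ]; then echo 1; else echo 0; fi
}

# Walk the flag sets that matter and print what each rule does with them.
for pkt in SYN SYN,ACK ACK PSH,ACK FIN,ACK RST; do
    printf '%-8s ! --syn: %s   ! --tcp-flags SYN,ACK ACK: %s\n' \
        "$pkt" "$(accepts not-syn "$pkt")" "$(accepts not-synack-ack "$pkt")"
done
```

<P>The rows for <TT CLASS="LITERAL">ACK</TT> and <TT CLASS="LITERAL">PSH,ACK</TT> are where the two forms disagree, and those are exactly the datagrams of an established connection.</P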
><P>In many simple situations, to use the sample all you have to do is edit the top section of the file labeled “USER CONFIGURABLE SECTION” to specify which protocols and datagram types you wish to allow in and out. For more complex configurations, you will need to edit the section at the bottom as well. Remember, this is a simple example, so scrutinize it very carefully to ensure it does what you want while implementing it.</P>
</DIV>
<DIV CLASS="NAVFOOTER">
<HR ALIGN="LEFT" WIDTH="100%">
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top"><A HREF="x-087-2-firewall.checkingconf.html">Prev</A></TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="index.html">Home</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top"><A HREF="x-087-2-accounting.html">Next</A></TD>
</TR>
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top">Testing a Firewall Configuration</TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="x-087-2-firewall.html">Up</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top">IP Accounting</TD>
</TR>
</TABLE>
</DIV>
</BODY>
</HTML>