Re: [wlug] Configuring a firewall

I'm trying to set up a firewall to hopefully prevent being hacked again. Since the machine is a dialup (until DSL comes to Hikutaia) I figure that it's got to be pretty straightforward.
The machine is also a workstation and file/print/mail/dnscache etc server for my home office network of itself plus 2 or 3 other machines.
The whole issue of what firewall software to use seems a bit confusing, but I think I've figured out that ipmasq does what I need. I've installed it and read the debian ipmasq users manual but I'm not sure what to do next. According to the manual I configure it using dpkg-reconfigure. I've done that and selected the ppp option.
If I were you, I'd start by reading http://www.wlug.org.nz/HowFirewallingWorks, I'd skim-read about how Perry's firewalling script works (at http://www.wlug.org.nz/PerrysFirewallingScript) and then I would install the .deb, which I'd find at http://www.wlug.org.nz/archive/debian/linuxserver-firewall_0.3_all.deb.
(hint: wget the file, then dpkg -i)

Then, you need to go into /etc/linuxserver-firewall/interfaces.d, check the mapping between interfaces and classes (which you learnt about in your skim-read), edit the files as required and type '/etc/init.d/linuxserver-firewall restart'. And then you're done, and you did some good learning along the way too. ;)

Future versions of the Debian package will do automatic guessing of interfaces and network addresses. Someday.

This message brought to you by "When in doubt, ask the Wiki"

Craig

Thanks everyone for your advice,
If I were you, I'd start by reading http://www.wlug.org.nz/HowFirewallingWorks, I'd skim-read about how Perry's firewalling script works (at http://www.wlug.org.nz/PerrysFirewallingScript) and then I would install the .deb, which I'd find at http://www.wlug.org.nz/archive/debian/linuxserver-firewall_0.3_all.deb.
(hint: wget the file, then dpkg -i)
What would be the advantage of installing Perry's script instead of using the stuff supplied by the distribution? I found some of what I was looking for in the debian package description. If only this description had been repeated in the introduction of the manual in /usr/shar/doc/ipmasq/ipmasq.html! I think I'll suggest it to the maintainer.
This package contains scripts to initialize IP Masquerade for use as a firewall. IP Masquerade is a feature of Linux that allows an entire network of computers to be connected to another network (usually the Internet) with only one network address on the other network. IP Masquerade is often referred to as NAT (Network Address Translation) on other platforms.
By default, this package configures the system as a basic forwarding firewall, with IP spoofing and stuffed routing protection. The firewall will allow hosts behind the firewall to get to the Internet, but not allow connections from the Internet to reach the hosts behind the firewall. However, ipmasq now features a very flexible framework where you can override any of the predefined rules if you so choose. It also allows you to control if the rules are reinterpreted when pppd brings a link up or down.
This package should be installed on the firewall host and not on the hosts behind the firewall.
IP Masquerade requires the kernel to be compiled with masquerading support (please see documentation for specific kernel options required).
So I think that hosts behind the firewall are protected, but I'm not sure about the firewall machine itself. http://www.wlug.org.nz/HowFirewallingWorks says:
The world's simplest firewall and what it does
## Create chain which blocks new connections on the ppp0 interface, except if coming from inside.
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A block -j DROP
## Jump to that chain from INPUT and FORWARD chains.
iptables -A INPUT -j block
iptables -A FORWARD -j block
The output from ipmasq -v when the ppp link is up says this:
#: Interfaces found:
#: ppp0 203.79.79.14/255.255.255.255
#: ppp0 203.79.79.14/255.255.255.255
#: eth0 192.168.1.1/255.255.255.0
echo "0" > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT
/sbin/iptables -t mangle -F PREROUTING
/sbin/iptables -t mangle -F OUTPUT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t nat -F PREROUTING
/sbin/iptables -t nat -F POSTROUTING
/sbin/iptables -t nat -F OUTPUT
/sbin/iptables -A INPUT -j ACCEPT -i lo
/sbin/iptables -A INPUT -j LOG -i ! lo -s 127.0.0.1/255.0.0.0
/sbin/iptables -A INPUT -j DROP -i ! lo -s 127.0.0.1/255.0.0.0
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 255.255.255.255/32
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -s 192.168.1.1/255.255.255.0
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 224.0.0.0/4 -p ! tcp
/sbin/iptables -A INPUT -j LOG -i ppp0 -s 192.168.1.1/255.255.255.0
/sbin/iptables -A INPUT -j DROP -i ppp0 -s 192.168.1.1/255.255.255.0
/sbin/iptables -t nat -A PREROUTING -j LOG -i ppp0 -s 192.168.1.1/255.255.255.0
/sbin/iptables -t nat -A PREROUTING -j DROP -i ppp0 -s 192.168.1.1/255.255.255.0
/sbin/iptables -A INPUT -j ACCEPT -i ppp0 -d 255.255.255.255/32
/sbin/iptables -A INPUT -j ACCEPT -i ppp0 -d 203.79.79.14/32
/sbin/iptables -t nat -A POSTROUTING -s 192.168.1.1/255.255.255.0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o ppp0 -s 192.168.1.1/255.255.255.0 -j ACCEPT
/sbin/iptables -A FORWARD -o eth0 -i ppp0 -d 192.168.1.1/255.255.255.0 -j ACCEPT
/sbin/iptables -A OUTPUT -j ACCEPT -o lo
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 255.255.255.255/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 192.168.1.1/255.255.255.0
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 224.0.0.0/4 -p ! tcp
/sbin/iptables -A FORWARD -j LOG -o ppp0 -d 192.168.1.1/255.255.255.0
/sbin/iptables -A FORWARD -j DROP -o ppp0 -d 192.168.1.1/255.255.255.0
/sbin/iptables -A OUTPUT -j LOG -o ppp0 -d 192.168.1.1/255.255.255.0
/sbin/iptables -A OUTPUT -j DROP -o ppp0 -d 192.168.1.1/255.255.255.0
/sbin/iptables -A OUTPUT -j ACCEPT -o ppp0 -d 255.255.255.255/32
/sbin/iptables -A OUTPUT -j ACCEPT -o ppp0 -s 203.79.79.14/32
echo "1" > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -A INPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A INPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A OUTPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A OUTPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A FORWARD -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A FORWARD -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
Does that lot say that new incoming connections on ppp0 are already blocked or do I need to add the "The world's simplest firewall" rules from above? The line:
/sbin/iptables -A INPUT -j ACCEPT -i ppp0 -d 203.79.79.14/32
seems to say that new connections will be accepted.

So if I need to add rules, then I guess that the proper place is /etc/ipmasq/rules. The setup of /etc/ipmasq/rules seems quite complex so does anyone know where the correct place to put the extra rule is?

g
--
Glenn Ramsey <glenn(a)componic.co.nz> 07 8627077 http://www.componic.co.nz
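To check the reading in the message above against how iptables actually walks a chain, here is an added example (not from the thread, the wiki page or the ipmasq package): a first-match simulator over the quoted INPUT rules, run before and after the wiki's block chain is placed at the head of INPUT. The rule text is copied from the ipmasq -v output above; the packet, its Internet source address 198.51.100.7 and the small parser are constructed for this example.

```python
import ipaddress, re

# INPUT-chain rules copied from the ipmasq -v output quoted in the thread (lo, anti-spoof, broadcast and multicast rules left out).
IPMASQ_INPUT = """
-A INPUT -j ACCEPT -i eth0 -s 192.168.1.1/255.255.255.0
-A INPUT -j ACCEPT -i ppp0 -d 203.79.79.14/32
-A INPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
-A INPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
"""
# The wiki's "block" chain, placed at the head of INPUT (as `iptables -I INPUT 1 -j block` would).
BLOCK_CHAIN = """
-A INPUT -j block
-A block -m state --state ESTABLISHED,RELATED -j ACCEPT
-A block -m state --state NEW -i ! ppp0 -j ACCEPT
-A block -j DROP
"""
# Constructed packet: a NEW TCP SYN from an Internet host to the firewall's own ppp0 address.
INTERNET_SYN = {"-i": "ppp0", "-s": "198.51.100.7", "-d": "203.79.79.14", "-p": "tcp", "--state": "NEW"}

def parse_rules(text):
    """Parse -A lines into {chain: [rule]}, where rule = {option: (negated, value)}."""
    chains = {}
    for line in filter(str.strip, text.splitlines()):
        rule = {}
        for opt, neg, val in re.findall(r"(--?\w+)\s+(!\s+)?(\S+)", line):
            if opt in ("-s", "-d"): val = ipaddress.ip_network(val, strict=False)  # a.b.c.d/netmask form is fine
            elif opt == "--state": val = set(val.split(","))
            rule[opt] = (bool(neg), val)
        chains.setdefault(rule["-A"][1], []).append(rule)
    return chains

def matches(rule, pkt):
    for opt, (neg, val) in rule.items():
        if opt in ("-A", "-j", "-m"): continue           # chain, target and "-m state" are not packet tests
        if opt in ("-s", "-d"): hit = ipaddress.ip_address(pkt[opt]) in val
        elif opt == "--state": hit = pkt[opt] in val
        else: hit = pkt[opt] == val                     # -i, -p
        if hit == neg:                                  # a leading "!" inverts the test
            return False
    return True

def verdict(chains, pkt, chain="INPUT", policy="DROP"):
    """First match wins; LOG does not terminate; a user chain that falls through returns to its caller."""
    for rule in chains[chain]:
        tgt = rule["-j"][1]
        if tgt != "LOG" and matches(rule, pkt):
            res = tgt if tgt in ("ACCEPT", "DROP") else verdict(chains, pkt, tgt, None)
            if res is not None:
                return res
    return policy
```

verdict(parse_rules(IPMASQ_INPUT), INTERNET_SYN) returns ACCEPT, which is the concern raised above: the -d 203.79.79.14/32 rule carries no state match, so the firewall host itself accepts new connections arriving on ppp0. With parse_rules(BLOCK_CHAIN + IPMASQ_INPUT) the same packet returns DROP, while LAN-originated and established traffic still passes.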

My best advice would be to learn how to use iptables and code up a firewall script yourself. If you want to have a dedicated "firewall" box then something like Smoothwall or IPCop will be good for someone who wants an easy to use all in one solution. However for education's sake there is nothing quite like knowing how it all works and being able to put it together by hand.

Regards

On Fri, 2003-07-25 at 09:53, Glenn Ramsey wrote:
Thanks everyone for your advice,
If I were you, I'd start by reading http://www.wlug.org.nz/HowFirewallingWorks, I'd skim-read about how Perry's firewalling script works (at http://www.wlug.org.nz/PerrysFirewallingScript) and then I would install the .deb, which I'd find at http://www.wlug.org.nz/archive/debian/linuxserver-firewall_0.3_all.deb.
(hint: wget the file, then dpkg -i)
What would be the advantage of installing Perry's script instead of using the stuff supplied by the distribution?
-- Oliver Jones § Senior Software Engineer § Deeper Design Limited. oliver(a)deeper.co.nz § www.deeperdesign.com § +64 (21) 41-2238

Perhaps also safety in numbers too. Having a couple of firewalls means that the paranoids can't get to me. 'Cause I know that those paranoids are trying to get me. ... They really are you know :-)

On Friday, July 25, 2003, at 10:02 AM, Oliver Jones wrote:
My best advice would be to learn how to use iptables and code up a firewall script yourself. If you want to have a dedicated "firewall" box then something like Smoothwall or IPCop will be good for someone who wants an easy to use all in one solution.
However for education's sake there is nothing quite like knowing how it all works and being able to put it together by hand.
participants (4)
- Craig Box
- Gavin Denby
- Glenn Ramsey
- Oliver Jones