
Linux Firewalls

PCQ Bureau

In our last month’s issue we talked about how to set up and configure a Linux-based firewall distribution called IPCop (IPCop Firewall Appliance, page 90, PCQuest 2003). This time we’ll configure the Netfilter (IPTables) firewall, which is available with PCQ Linux 8.0 (given in March 2003) and two other firewall distros–MandrakeSecurity Multi Network Firewall and CensorNet Firewall–that we’ve given on this month’s PCQ Xtreme CD. We’ll use the same hardware setup that was used for IPCop, so you’ll need to refer to it while going through this article. Here are the steps to configure it. 


First use netconfig to assign IP addresses to the network cards in the firewall that are connected to the internal, external and DMZ networks. We used 172.16.0.1, 192.168.2.1 and 192.168.3.1, respectively. Next, re-configure and recompile your PCQLinux kernel to enable Netfilter. 

Netfilter

Log in as root, change to the /usr/src/linux-2.4/ directory and issue the following commands.

# make mrproper
# make oldconfig
# make xconfig


This opens the kernel configuration menu, which lists all the modules available in the distribution. Here, click on Networking options and go to the Network Packet Filtering window. You'll get a list of the following network packet filtering modules.

(Screenshot: Adding rules in Mandrake firewall)

Connection Tracking (required for masq/NAT)
FTP Protocol support (new)
Userspace queuing via NETLINK (Experimental)
IP tables support (required for filtering/masq/NAT)
limit match support (new)
MAC address match support (new)
netfilter MARK match support (new)
Multiple port match support (new)
TOS match support (new)
Connection state match support (new)
Unclean match support (new)
Owner match support (new)
Packet filtering (new)
REJECT target support (new)
MIRROR target support (new)
Full NAT (new)
MASQUERADE target support (new)
REDIRECT target support (new)
Packet mangling (new)
TOS target support (new)
MARK target support (new)
LOG target support (new)

Select all these modules, and click on the Main Menu. Save and then exit. Issue the following command to rebuild the kernel.

# make dep
# make clean
# make bzImage

This will create a new kernel image named bzImage in /usr/src/linux-2.4/arch/i386/boot. Copy this image file to the /boot directory, edit /etc/grub.conf and add the following lines.


title firewall kernel
root (hd0,x)
kernel /bzImage ro root=/dev/hdcx

Here replace x with the hard drive for your root partition. Reboot and select Firewall kernel in the boot loader menu to boot using the new kernel. Now we’ll enter commands to set the firewall rules in the script files. 

Configure rules for internal interface

Open any Linux editor to write a script file, say internal-fire.sh. A sample is as follows.


#!/bin/sh
IPTABLES=/sbin/iptables
LAN="172.16.0.0/16"
LAN_INTERFACE="eth0"
LAN_INTERFACE_ADD="172.16.0.1"
EXT="192.168.2.0/24"
EXT_INTERFACE="eth1"
EXT_INTERFACE_ADDS="192.168.2.1"
# Flush the existing rules in the filter table and set the default policies
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT DROP
# Accept loopback traffic, ICMP, and anything arriving from the internal LAN on eth0
$IPTABLES -A INPUT -i lo -p all -j ACCEPT
$IPTABLES -A INPUT -p icmp -j ACCEPT
$IPTABLES -A INPUT -i $LAN_INTERFACE -s $LAN -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_INTERFACE_ADD -d $LAN -j ACCEPT
# Masquerade traffic leaving through the external interface for non-LAN destinations
# (newer iptables versions write the negation as "! -d $LAN")
$IPTABLES -t nat -A POSTROUTING -o $EXT_INTERFACE -d ! $LAN -j MASQUERADE
# Forward traffic from and to the LAN; note that the second rule accepts any
# forwarded packet addressed to the LAN, not only replies to LAN-initiated connections
$IPTABLES -A FORWARD -s $LAN -j ACCEPT
$IPTABLES -A FORWARD -d $LAN -j ACCEPT
These rules will allow all internal network nodes to access the external network. 

Configure rules for external interface

Here again, create a file called ext_firewall.sh and enter the following script.
#!/bin/sh
IPTABLES=/sbin/iptables
DMZ_LAN="192.168.3.0/24"
DMZ_LAN_CARD="eth2"
DMZ_LAN_CARD_ADD="192.168.3.1"
EXT="192.168.2.0/24"
EXT_INTERFACE="eth1"
EXT_INTERFACE_ADDS="192.168.2.1"
DMZ_APACHE_SERVER_ADD="192.168.3.2"
LAN="172.16.0.0/16"
LAN_INTERFACE="eth0"
LAN_INTERFACE_ADD="172.16.0.1"
# Note: the three -F lines flush the filter table, which also removes the rules
# loaded by internal-fire.sh; leave them out if the scripts are run one after the other
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT DROP
$IPTABLES -A INPUT -i lo -p all -j ACCEPT
$IPTABLES -A INPUT -p icmp -j ACCEPT
# Accept traffic from the DMZ on eth2 and replies from the firewall's DMZ address
$IPTABLES -A INPUT -i $DMZ_LAN_CARD -s $DMZ_LAN -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $DMZ_LAN_CARD_ADD -d $DMZ_LAN -j ACCEPT
# Masquerade internal LAN traffic leaving through the external interface
$IPTABLES -t nat -A POSTROUTING -o $EXT_INTERFACE -s $LAN -d ! $LAN -j MASQUERADE
# Forward traffic from and to the DMZ
$IPTABLES -A FORWARD -s $DMZ_LAN -j ACCEPT
$IPTABLES -A FORWARD -d $DMZ_LAN -j ACCEPT

These rules are meant to isolate the DMZ and your internal network from the external one. 

Configure DMZ

Here, you need to create rules so that servers in your DMZ are accessible. Create a file called access_apache_DMZ.sh, where we're assuming that the server is running Apache, and enter the following script.

#!/bin/sh
IPTABLES=/sbin/iptables
EXT_INTERFACE="eth1"
DMZ_APACHE_SERVER_ADD="192.168.3.2"
# Requests arriving on the external interface for port 80 on the DMZ web server.
# These packets transit the firewall, so they are matched in the FORWARD chain;
# ports are given with --sport/--dport and a range is written as low:high
$IPTABLES -A FORWARD -i $EXT_INTERFACE -p tcp -s 0/0 --sport 1024:65535 \
    -d $DMZ_APACHE_SERVER_ADD --dport 80 -j ACCEPT
# Replies from the web server back out; "! --syn" refuses packets that would
# open a new connection from the DMZ towards the outside
$IPTABLES -A FORWARD -o $EXT_INTERFACE -p tcp ! --syn \
    -s $DMZ_APACHE_SERVER_ADD --sport 80 -d 0/0 --dport 1024:65535 -j ACCEPT

Similarly, you can make other Web servers running in your DMZ reachable from the outside, simply by adding their IP addresses and port numbers in the shell script.

Execute scripts

First, assign executable permissions to the script file using the following command.

chmod +x

Change to the directory where you have created the script files and execute the scripts as.

./

To execute the scripts on startup, append the path of the scripts to the file /etc/rc.d/rc.local. Your firewall is now ready for action. Of course, these are the basic rules we’ve defined, and you’ll need to refer to the documentation to configure it for your organization’s needs. 
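As an added example, not part of the original article, here are the three scripts above folded into one file for the same setup (eth0 = LAN 172.16.0.0/16, eth1 = external, eth2 = DMZ, Apache host 192.168.3.2). It flushes once, so a later script cannot wipe an earlier one's rules, and uses the connection-state and limit matches selected in the kernel configuration so that only replies re-enter the LAN and dropped forwards are logged at a bounded rate. The build_rules/apply_rules/count_rules functions and the apply/show arguments are this example's own.

```shell
#!/bin/sh
# Added example: one combined ruleset for the setup in this article
# (eth0 = LAN 172.16.0.0/16, eth1 = external, eth2 = DMZ, Apache at 192.168.3.2).
IPTABLES=${IPTABLES:-/sbin/iptables}
LAN="172.16.0.0/16";  LAN_IF="eth0"
EXT_IF="eth1"
DMZ="192.168.3.0/24"; DMZ_IF="eth2"
DMZ_WEB="192.168.3.2"

# Emit the rules as text, one iptables argument list per line. Keeping them in
# a function lets the set be reviewed or tested without root or a kernel.
build_rules() {
    cat <<EOF
-F
-t nat -F
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $EXT_IF -s $LAN -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN -d $DMZ -m state --state NEW -j ACCEPT
-A FORWARD -i $EXT_IF -o $DMZ_IF -p tcp -d $DMZ_WEB --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix FW-DROP:
-t nat -A POSTROUTING -o $EXT_IF -s $LAN -j MASQUERADE
EOF
}

# Load the rules into the kernel; "apply_rules --dry-run" prints the commands instead.
apply_rules() {
    build_rules | while IFS= read -r rule; do
        if [ "${1:-}" = "--dry-run" ]; then echo "$IPTABLES $rule"; else $IPTABLES $rule; fi
    done
}

# Number of -A (append) rules in the set, handy as a sanity check after edits.
count_rules() { build_rules | grep -c -- '-A '; }

case "${1:-}" in
    apply) apply_rules ;;
    show)  apply_rules --dry-run ;;
esac
```

Run it as "./firewall.sh show" to review the generated commands before loading them with "./firewall.sh apply".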

At times building our own firewall may be time consuming, and we may go wrong while defining a rule. Why not use one of the pre-built, yet free, firewalls? Next, we take a quick look at two pre-built firewalls, namely MandrakeSecurity Multi Network Firewall and CensorNet Firewall.

MandrakeSecurity MNF

MandrakeSecurity Multi Network Firewall is a feature-rich firewall distribution with a very intuitive configuration interface. To install it, first burn its ISO image from this month's PCQ Xtreme CD onto a CD. This will create a bootable CD, so when you boot from it, just follow the self-explanatory onscreen instructions. When prompted to set up the network cards, key in the IP addresses as per your setup. We used the same setup as the one used in the IPTables firewall configuration. Once installed, its browser-based interface can be accessed at the URL https://172.16.0.1:8443 from a machine on your internal network.

MNF needs to be configured a little to allow Internet access. 

Click on Internet Access>Cable, Lan. Click on the network interface with IP 192.168.2.1, which was eth1 in our case. In the subsequent screens, click on Next and Apply. Next, click on Firewall Rules>Zone Setup and scroll down to the second section below Interfaces Configured. Click on the Edit button corresponding to eth1. From the Interface dropdown, select WAN. Next go to the Firewall Rules>Masq NAT, and for the masqueraded network enter eth0 and for “through interface” select eth1. You should now be able to browse the external network or Internet. 

On the page Firewall Rules>Rules, you can construct your own rules graphically without keying in any command. Note that to block a port you can use Drop or Reject. The difference is that with Reject the connecting host is informed that the connection was refused, whereas Drop silently discards the packet. MNF integrates an IDS (both host and network based), web proxy, VPN, DHCP and DNS systems. All these can be configured intuitively through the browser-based interface.

CensorNet

This is an ISP-centric firewall that can be used for features like proxy authentication or bandwidth control on your network.

The ISO image for this one is also on the PCQ Xtreme CD. CensorNet is not meant to support a DMZ, so you may like to unplug the network card for the DMZ from the firewall machine. Boot the firewall machine off the CD and follow the self-explanatory onscreen instructions. After installation and the subsequent reboot, log in to the firewall machine as root with password root (set by default).

Issue the command "setup" and follow the onscreen instructions. After setting up System Locale, select Network Configuration. Select the option Install Network Card Drivers. Click on Automatic using the spacebar. This should detect one of the network cards. Clicking on Automatic again will detect the second network card. Next, click on IP Address settings and key in the IP addresses for the private (internal) and public (external) interfaces as per the network setup in last month's article. Also specify the DNS and gateway.

On the main menu, select System Maintenance>Probe LAN for Windows Workstations. Next, select User Authentication Configuration. Select Internal Censornet. Launch the browser-based interface of CensorNet using the URL http://172.16.0.1 and log in with username "admin" and password "admin".

Click on Users>Manage Users to add a new user.

This sums up the proxy authentication setup. Set the proxy IP as 172.16.0.1 and port as 8080 in the web browsers of machines on your internal network. Subsequently, an attempt to access the Internet will prompt for login credentials, upon which your network users must supply the username and password that you set up above. To limit the bandwidth, click on Users>Bandwidth Limiter. Here you can limit the bandwidth per user or per workstation.

Sanjay Majumder and Shekhar Govindarajan
