[f45b1953] | 1 | <sect3 id="postlfs-security-fw-masqRouter" xreflabel="Masquerading Router">
|
---|
| 2 | <title>Masquerading Router</title>
|
---|
| 3 |
|
---|
| 4 | <para>A true Firewall has two interfaces, one connected to an intranet,
|
---|
| 5 | in this example, eth0, and one connected to the internet, here, ppp0.
|
---|
| 6 | To provide the maximum security against the box itself being broken into,
|
---|
| 7 | make sure that there are no servers running on it, especially not X11 et
|
---|
| 8 | al. And, as a general principle, the box itself should not access any untrusted
|
---|
| 9 | service<footnote><para>Thínk of a nameserver giving answers that make your
|
---|
| 10 | bind crash, or, even worse, that implement a worm via a
|
---|
| 11 | buffer-overflow.</para></footnote>.</para>
|
---|
| 12 |
|
---|
| 13 | <para><screen><userinput>cat > /etc/rc.d/init.d/firewall << "EOF"</userinput>
|
---|
| 14 | #!/bin/sh
|
---|
| 15 |
|
---|
| 16 | # Begin $rc_base/init.d/firewall
|
---|
| 17 |
|
---|
| 18 | echo
|
---|
| 19 | echo "You're using the example-config for a setup of a firewall"
|
---|
| 20 | echo "from the firewalling-hint written for LinuxFromScratch."
|
---|
| 21 | echo "This example is far from being complete, it is only meant"
|
---|
| 22 | echo "to be a reference."
|
---|
| 23 | echo "Firewall security is a complex issue, that exceeds the scope"
|
---|
| 24 | echo "of the quoted configuration rules."
|
---|
| 25 | echo "You can find some quite comprehensive information"
|
---|
| 26 | echo "about firewalling in Chapter 6 of the BLFS book."
|
---|
| 27 | echo "http://beyond.linuxfromscratch.org/"
|
---|
| 28 | echo
|
---|
| 29 |
|
---|
| 30 | # Insert iptables modules (not needed if built into the kernel).
|
---|
| 31 |
|
---|
| 32 | modprobe ip_tables
|
---|
| 33 | modprobe iptable_filter
|
---|
| 34 | modprobe ip_conntrack
|
---|
| 35 | modprobe ip_conntrack_ftp
|
---|
| 36 | modprobe ipt_state
|
---|
| 37 | modprobe iptable_nat
|
---|
| 38 | modprobe ip_nat_ftp
|
---|
| 39 | modprobe ipt_MASQUERADE
|
---|
| 40 | modprobe ipt_LOG
|
---|
| 41 | modprobe ipt_REJECT
|
---|
| 42 |
|
---|
| 43 | # allow local-only connections
|
---|
| 44 | iptables -A INPUT -i lo -j ACCEPT
|
---|
| 45 | iptables -A OUTPUT -o lo -j ACCEPT
|
---|
| 46 |
|
---|
| 47 | # allow forwarding
|
---|
| 48 | iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
|
---|
| 49 | iptables -A FORWARD -m state --state NEW -i ! ppp+ -j ACCEPT
|
---|
| 50 |
|
---|
| 51 | # do masquerading (not needed if intranet is not using private ip-addresses)
|
---|
| 52 | iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
|
---|
| 53 |
|
---|
| 54 | # Log everything for debugging (last of all rules, but before DROP/REJECT)
|
---|
| 55 | iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
|
---|
| 56 | iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD"
|
---|
| 57 | iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "
|
---|
| 58 |
|
---|
| 59 | # set a sane policy
|
---|
| 60 | iptables -P INPUT DROP
|
---|
| 61 | iptables -P FORWARD DROP
|
---|
| 62 | iptables -P OUTPUT DROP
|
---|
| 63 |
|
---|
| 64 | # be verbose on dynamic ip-addresses (not needed in case of static IP)
|
---|
| 65 | echo 2 > /proc/sys/net/ipv4/ip_dynaddr
|
---|
| 66 |
|
---|
| 67 | # disable ExplicitCongestionNotification
|
---|
| 68 | echo 0 > /proc/sys/net/ipv4/tcp_ecn
|
---|
| 69 |
|
---|
| 70 | # activate TCPsyncookies
|
---|
| 71 | echo 1 > /proc/sys/net/ipv4/tcp_syncookies
|
---|
| 72 |
|
---|
| 73 | # activate Route-Verification = IP-Spoofing_protection
|
---|
| 74 | for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
|
---|
| 75 | echo 1 > $f
|
---|
| 76 | done
|
---|
| 77 |
|
---|
| 78 | # activate IP-Forwarding
|
---|
| 79 | echo 1 > /proc/sys/net/ipv4/ip_forward
|
---|
| 80 | <userinput>EOF</userinput></screen></para>
|
---|
| 81 |
|
---|
| 82 | <para>With this script your intranet should be sufficiently
|
---|
| 83 | secure against external attacks: no one should be able to setup a
|
---|
| 84 | new connection to any internal service and, if it's masqueraded,
|
---|
| 85 | it s even invisible; furthermore, your firewall should be nearly immune
|
---|
| 86 | because there are no services running that a cracker could attack.</para>
|
---|
| 87 |
|
---|
| 88 | <para>Note: if the interface you're connecting to the Internet
|
---|
| 89 | doesn't connect via ppp, you will need to change
|
---|
| 90 | <userinput>ppp+</userinput> to the name of the interface which you are
|
---|
| 91 | using. If you are using the same interface type to connect to both your
|
---|
| 92 | intranet and the internet, you need to use the actual name of the
|
---|
| 93 | interface such as <emphasis>eth<userinput>0</userinput></emphasis>,
|
---|
| 94 | on both interfaces.</para>
|
---|
| 95 |
|
---|
| 96 | <para>If you need stronger security (e.g., against DOS, connection
|
---|
| 97 | highjacking, spoofing, etc.) have a look at the list of
|
---|
| 98 | <xref linkend="postlfs-security-fw-library"/> at the end of this section.</para>
|
---|
| 99 |
|
---|
| 100 | </sect3>
|
---|