<sect3 id="postlfs-security-fw-masqRouter" xreflabel="Masquerading Router">
<title>Masquerading Router</title>

<para>A true firewall has two interfaces, one connected to an intranet,
in this example <emphasis role="strong">eth0</emphasis>, and one
connected to the Internet, here <emphasis role="strong">ppp0</emphasis>.
To provide the maximum security against the box itself being broken into,
make sure that there are no servers running on it, especially not
<application>X11</application> et al. And, as a general principle, the box
itself should not access any untrusted service either: think of a name
server whose answers crash your <application>bind</application>, or, even
worse, plant a worm through a buffer overflow. The rules below are built on
exactly that premise: the router talks to itself only over the loopback
interface, forwards traffic for the intranet, and drops everything
else.</para>

<screen><userinput><command>cat > /etc/rc.d/init.d/firewall << "EOF"</command>
#!/bin/sh

# Begin $rc_base/init.d/firewall

echo
echo "You're using the example-config for a setup of a firewall"
echo "from the firewalling-hint written for LinuxFromScratch."
echo "This example is far from being complete, it is only meant"
echo "to be a reference."
echo "Firewall security is a complex issue that exceeds the scope"
echo "of the quoted configuration rules."
echo "You can find some quite comprehensive information"
echo "about firewalls in Chapter 4 of the BLFS book."
echo "http://www.linuxfromscratch.org/blfs"
echo

# Insert iptables modules (not needed if built into the kernel).
# These are the 2.4/early 2.6 module names; newer kernels call them
# nf_conntrack, nf_conntrack_ftp, xt_state, nf_nat_ftp, xt_LOG etc. and
# load them automatically when a rule first references the match or target.

modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ipt_MASQUERADE
modprobe ipt_LOG
modprobe ipt_REJECT

# start from an empty ruleset, so that running the script twice
# does not append every rule a second time
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# allow local-only connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# allow forwarding: replies to existing connections in both directions,
# new connections only when they do NOT arrive on the Internet interface
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW ! -i ppp+ -j ACCEPT

# do masquerading (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE

# Log everything for debugging (last of all rules, but before DROP/REJECT).
# Every packet reaching these rules is about to be dropped by the policy;
# on a busy link add "-m limit --limit 10/minute" to keep the log readable.
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "

# set a sane policy: whatever was not explicitly accepted above is dropped
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# disable Explicit Congestion Notification (some old routers
# and servers drop ECN-marked packets)
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# activate TCP syncookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# activate route verification = IP spoofing protection
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > $f
done

# activate IP forwarding (last, so that no packet is forwarded
# before the rules above are in place)
echo 1 > /proc/sys/net/ipv4/ip_forward
<command>EOF</command></userinput></screen>
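
<para>The following audit script is an added example; it is not part of the
BLFS book or of the firewalling hint. It reads an
<command>iptables-save</command> dump and checks the four properties the
script above is meant to guarantee: DROP policies on all filter chains, no
ACCEPT in INPUT except on the loopback interface, no FORWARD rule that
accepts a NEW connection arriving on the Internet interface, and masquerading
on that interface. Both dumps embedded in it are constructed: the first is
what the script above installs, the second the same router after four
well-meant "fixes" (SSH opened on the router, the interface negation dropped
from the NEW rule, the OUTPUT policy relaxed, MASQUERADE forgotten). The
function name <command>audit_ruleset</command> and the FAIL output format are
the example's own. Passing an interface name that does not occur in the
ruleset (the wrong-interface case discussed further down) is reported in the
same way.</para>

```shell
#!/bin/sh
# Added example, not from the BLFS book: audit an iptables-save dump against
# the invariants the masquerading-router script is supposed to establish.
#   audit_ruleset "<iptables-save text>" "<Internet interface or wildcard>"
# prints one "FAIL: ..." line per violated check and returns non-zero if any
# check failed.  On a live router:  audit_ruleset "$(iptables-save)" 'ppp+'

audit_ruleset() {
    dump=$1
    extif=$2
    fails=0

    # 1. Every filter chain defaults to DROP (the nat chains stay ACCEPT).
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "$dump" | grep -q "^:$chain DROP" \
            || { echo "FAIL: $chain policy is not DROP"; fails=1; }
    done

    # 2. The router accepts nothing but loopback traffic: an ACCEPT rule in
    #    INPUT that is not restricted to -i lo means a reachable service.
    if printf '%s\n' "$dump" | grep '^-A INPUT ' | grep -- '-j ACCEPT' \
            | grep -qv -- '-i lo '; then
        echo "FAIL: INPUT accepts traffic on an interface other than lo"
        fails=1
    fi

    # 3. No FORWARD rule may ACCEPT a NEW connection arriving on the external
    #    interface: replies (ESTABLISHED/RELATED) are fine, a NEW match must
    #    carry "! -i <extif>", anything else is a hole.  The loop runs in a
    #    subshell, so "exit 1" only ends the loop and triggers "|| fails=1".
    printf '%s\n' "$dump" | grep '^-A FORWARD ' | grep -- '-j ACCEPT' \
    | while read -r rule; do
        case "$rule" in
            *ESTABLISHED*)        ;;
            *"! -i $extif "*NEW*) ;;
            *) echo "FAIL: FORWARD may accept new connections from $extif: $rule"
               exit 1 ;;
        esac
    done || fails=1

    # 4. Traffic leaving through the external interface is masqueraded,
    #    otherwise private source addresses leak onto the Internet.
    printf '%s\n' "$dump" | grep -q "^-A POSTROUTING -o $extif -j MASQUERADE" \
        || { echo "FAIL: no MASQUERADE rule on $extif"; fails=1; }

    return $fails
}

# Constructed sample: the ruleset the script installs, as iptables-save
# prints it (packet counters zeroed).
GOOD_DUMP=$(cat << 'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ppp+ -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -i ppp+ -m state --state NEW -j ACCEPT
-A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "
COMMIT
EOF
)

# Constructed sample: the same router after four well-meant "fixes".
BAD_DUMP=$(cat << 'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
)

audit_ruleset "$GOOD_DUMP" 'ppp+' && echo "script ruleset: all checks passed"
audit_ruleset "$BAD_DUMP" 'ppp+' || echo "weakened ruleset: rejected"
```

The checks deliberately look at the saved form of the rules, because that is
what the kernel actually enforces after the script ran, including anything a
later hand edit added; they do not parse the script itself.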

<para>With this script your intranet should be sufficiently secure against
external attacks. No one should be able to set up a new connection to any
internal service, and if the intranet is masqueraded its hosts are not even
addressable from the Internet: all they present to the outside is the
router's own address. Furthermore, the firewall itself should be nearly
immune, since it accepts nothing but loopback traffic and runs no services
that a cracker could attack; what it still exposes is the kernel's own
network stack.</para>
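
<para>To check that claim against what actually happens on the link rather
than assume it, the LOG rules of the script are the place to look: every
line they produce is a packet that the DROP policy discarded right
afterwards. The summariser below is an added example, not part of the BLFS
book. The line layout is the one the netfilter LOG target writes to the
kernel log (the <command>--log-prefix</command> text followed by
<command>IN=</command>, <command>SRC=</command>, <command>PROTO=</command>,
<command>DPT=</command> and so on; note that the prefix needs a trailing
space, or it runs straight into <command>IN=</command>). The sample log
lines are constructed with documentation addresses; the function name
<command>firewall_summary</command> is the example's own. Lines with the
FORWARD prefix and <command>IN=</command> set to the Internet interface are
the interesting ones: they are connection attempts at intranet hosts that
the rules refused.</para>

```shell
#!/bin/sh
# Added example, not from the BLFS book: summarise the kernel log lines
# written by the router script's LOG rules.
#   firewall_summary "<log text>" "<Internet interface>"
# prints "count prefix proto dport source", most frequent first, for every
# logged (and therefore dropped) packet that arrived on the given interface.

firewall_summary() {
    printf '%s\n' "$1" | awk -v extif="$2" '
        /FIREWALL:/ {
            prefix = in_if = src = proto = dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^FIREWALL:/) prefix = $i   # our --log-prefix
                split($i, kv, "=")                   # KEY=VALUE fields
                if (kv[1] == "IN")    in_if = kv[2]
                if (kv[1] == "SRC")   src   = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt   = kv[2]
            }
            if (dpt == "") dpt = "-"                 # ICMP has no port
            if (in_if == extif)
                count[prefix " " proto " " dpt " " src]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample log (documentation addresses): the router is
# 198.51.100.7 on ppp0 and 192.168.1.1 on eth0, the intranet host 192.168.1.10.
SAMPLE_LOG=$(cat << 'EOF'
Mar  3 10:14:01 router kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:14:02 router kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=2 DF PROTO=TCP SPT=43211 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:14:04 router kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=3 DF PROTO=TCP SPT=43212 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:10 router kernel: FIREWALL:FORWARD IN=ppp0 OUT=eth0 MAC= SRC=203.0.113.9 DST=192.168.1.10 LEN=52 TOS=0x00 PREC=0x00 TTL=44 ID=4 DF PROTO=TCP SPT=5555 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  3 10:15:11 router kernel: FIREWALL:FORWARD IN=ppp0 OUT=eth0 MAC= SRC=203.0.113.9 DST=192.168.1.10 LEN=52 TOS=0x00 PREC=0x00 TTL=44 ID=5 DF PROTO=TCP SPT=5556 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  3 10:16:00 router kernel: FIREWALL:INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.10 DST=192.168.1.1 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=UDP SPT=40000 DPT=53 LEN=41
Mar  3 10:17:30 router kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.77 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
EOF
)

firewall_summary "$SAMPLE_LOG" ppp0
```

On a live router feed it the kernel log instead of the sample, for example
<command>firewall_summary "$(grep FIREWALL: /var/log/kern.log)" ppp0</command>.
Filtering on the interface matters: the line from eth0 in the sample is an
intranet host asking the router for DNS, which is dropped because the router
runs no services, and it is not an attack.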
[f45b1953] | 89 |
|
---|
| 90 | <para>Note: if the interface you're connecting to the Internet
|
---|
| 91 | doesn't connect via ppp, you will need to change
|
---|
[3df86b66] | 92 | <replaceable>ppp+</replaceable> to the name of the interface which you are
|
---|
[f45b1953] | 93 | using. If you are using the same interface type to connect to both your
|
---|
[5e18c49c] | 94 | intranet and the Internet, you need to use the actual name of the
|
---|
[3df86b66] | 95 | interface such as <emphasis role="strong">eth0</emphasis>,
|
---|
[f45b1953] | 96 | on both interfaces.</para>
|
---|

<para>If you need stronger security (e.g., against DoS, connection
hijacking, spoofing, etc.), have a look at the list of
<xref linkend="postlfs-security-fw-library"/> at the end of this section.</para>

</sect3>