1 | <sect3 id="postlfs-security-fw-masqRouter" xreflabel="Masquerading Router">
|
---|
2 | <title>Masquerading Router</title>
|
---|
3 |
|
---|
4 | <para>A true Firewall has two interfaces, one connected to an intranet,
|
---|
5 | in this example, <emphasis role="strong">eth0</emphasis>, and one
|
---|
6 | connected to the Internet, here, <emphasis role="strong">ppp0</emphasis>.
|
---|
7 | To provide the maximum security against the box itself being broken into,
|
---|
8 | make sure that there are no servers running on it, especially not
|
---|
9 | <application>X11</application> et
|
---|
10 | al. And, as a general principle, the box itself should not access any untrusted
|
---|
11 | service (Think of a name server giving answers that make your
|
---|
12 | bind crash, or, even worse, that implement a worm via a
|
---|
13 | buffer-overflow).</para>
|
---|
14 |
|
---|
15 | <screen><userinput><command>cat > /etc/rc.d/init.d/firewall << "EOF"</command>
|
---|
16 | #!/bin/sh
|
---|
17 |
|
---|
18 | # Begin $rc_base/init.d/firewall
|
---|
19 |
|
---|
20 | echo
|
---|
21 | echo "You're using the example-config for a setup of a firewall"
|
---|
22 | echo "from the firewalling-hint written for LinuxFromScratch."
|
---|
23 | echo "This example is far from being complete, it is only meant"
|
---|
24 | echo "to be a reference."
|
---|
25 | echo "Firewall security is a complex issue, that exceeds the scope"
|
---|
26 | echo "of the quoted configuration rules."
|
---|
27 | echo "You can find some quite comprehensive information"
|
---|
28 | echo "about firewalls in Chapter 4 of the BLFS book."
|
---|
29 | echo "http://www.linuxfromscratch.org/blfs"
|
---|
30 | echo
|
---|
31 |
|
---|
32 | # Insert iptables modules (not needed if built into the kernel).
|
---|
33 |
|
---|
34 | modprobe ip_tables
|
---|
35 | modprobe iptable_filter
|
---|
36 | modprobe ip_conntrack
|
---|
37 | modprobe ip_conntrack_ftp
|
---|
38 | modprobe ipt_state
|
---|
39 | modprobe iptable_nat
|
---|
40 | modprobe ip_nat_ftp
|
---|
41 | modprobe ipt_MASQUERADE
|
---|
42 | modprobe ipt_LOG
|
---|
43 | modprobe ipt_REJECT
|
---|
44 |
|
---|
45 | # allow local-only connections
|
---|
46 | iptables -A INPUT -i lo -j ACCEPT
|
---|
47 | iptables -A OUTPUT -o lo -j ACCEPT
|
---|
48 |
|
---|
49 | # allow forwarding
|
---|
50 | iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
|
---|
51 | iptables -A FORWARD -m state --state NEW -i ! ppp+ -j ACCEPT
|
---|
52 |
|
---|
53 | # do masquerading (not needed if intranet is not using private ip-addresses)
|
---|
54 | iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
|
---|
55 |
|
---|
56 | # Log everything for debugging (last of all rules, but before DROP/REJECT)
|
---|
57 | iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
|
---|
58 | iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD"
|
---|
59 | iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "
|
---|
60 |
|
---|
61 | # set a sane policy
|
---|
62 | iptables -P INPUT DROP
|
---|
63 | iptables -P FORWARD DROP
|
---|
64 | iptables -P OUTPUT DROP
|
---|
65 |
|
---|
66 | # be verbose on dynamic ip-addresses (not needed in case of static IP)
|
---|
67 | echo 2 > /proc/sys/net/ipv4/ip_dynaddr
|
---|
68 |
|
---|
69 | # disable ExplicitCongestionNotification
|
---|
70 | echo 0 > /proc/sys/net/ipv4/tcp_ecn
|
---|
71 |
|
---|
72 | # activate TCPsyncookies
|
---|
73 | echo 1 > /proc/sys/net/ipv4/tcp_syncookies
|
---|
74 |
|
---|
75 | # activate Route-Verification = IP-Spoofing_protection
|
---|
76 | for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
|
---|
77 | echo 1 > $f
|
---|
78 | done
|
---|
79 |
|
---|
80 | # activate IP-Forwarding
|
---|
81 | echo 1 > /proc/sys/net/ipv4/ip_forward
|
---|
82 | <command>EOF</command></userinput></screen>
|
---|
83 |
|
---|
84 | <para>With this script your intranet should be sufficiently
|
---|
85 | secure against external attacks: no one should be able to setup a
|
---|
86 | new connection to any internal service and, if it's masqueraded,
|
---|
87 | it s even invisible; furthermore, your firewall should be nearly immune
|
---|
88 | because there are no services running that a cracker could attack.</para>
|
---|
89 |
|
---|
90 | <para>Note: if the interface you're connecting to the Internet
|
---|
91 | doesn't connect via ppp, you will need to change
|
---|
92 | <replaceable>ppp+</replaceable> to the name of the interface which you are
|
---|
93 | using. If you are using the same interface type to connect to both your
|
---|
94 | intranet and the Internet, you need to use the actual name of the
|
---|
95 | interface such as <emphasis role="strong">eth0</emphasis>,
|
---|
96 | on both interfaces.</para>
|
---|
97 |
|
---|
98 | <para>If you need stronger security (e.g., against DOS, connection
|
---|
99 | highjacking, spoofing, etc.) have a look at the list of
|
---|
100 | <xref linkend="postlfs-security-fw-library"/> at the end of this section.</para>
|
---|
101 |
|
---|
102 | </sect3>
|
---|