Masquerading Router

<sect3 id="postlfs-security-fw-masqRouter" xreflabel="Masquerading Router">
<title>Masquerading Router</title>

<para>A true Firewall has two interfaces, one connected to an intranet,
in this example, eth0, and one connected to the internet, here, ppp0. 
To provide the maximum security against the box itself being broken into,
make sure that there are no servers running on it, especially not X11 et
al.  And, as a general principle, the box itself should not access any untrusted
service<footnote><para>Think of a name server giving answers that make your
bind crash, or, even worse, that implement a worm via a 
buffer-overflow.</para></footnote>.</para>

<para><screen><userinput>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</userinput>
#!/bin/sh

# Begin $rc_base/init.d/firewall

echo
echo "You're using the example-config for a setup of a firewall"
echo "from the firewalling-hint written for LinuxFromScratch."
echo "This example is far from being complete, it is only meant"
echo "to be a reference."
echo "Firewall security is a complex issue, that exceeds the scope"
echo "of the quoted configuration rules."
echo "You can find some quite comprehensive information"
echo "about firewalling in Chapter 4 of the BLFS book."
echo "http://beyond.linuxfromscratch.org/"
echo

# Insert iptables modules (not needed if built into the kernel).

modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ipt_MASQUERADE
modprobe ipt_LOG
modprobe ipt_REJECT

# allow local-only connections
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# allow forwarding
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -i ! ppp+	 -j ACCEPT

# do masquerading    (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE

# Log everything for debugging (last of all rules, but before DROP/REJECT)
iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT  "
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD"
iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "

# set a sane policy
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  DROP

# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr

# disable ExplicitCongestionNotification
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn

# activate TCPsyncookies
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies

# activate Route-Verification = IP-Spoofing_protection
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
	echo 1 &gt; $f
done

# activate IP-Forwarding 
echo 1 &gt; /proc/sys/net/ipv4/ip_forward
<userinput>EOF</userinput></screen></para>

<para>With this script your intranet should be sufficiently 
secure against external attacks: no one should be able to setup a 
new connection to any internal service and, if it's masqueraded, 
it s even invisible; furthermore, your firewall should be nearly immune 
because there are no services running that a cracker could attack.</para>

<para>Note: if the interface you're connecting to the Internet 
doesn't connect via ppp, you will need to change
<userinput>ppp+</userinput> to the name of the interface which you are
using.  If you are using the same interface type to connect to both your
intranet and the internet, you need to use the actual name of the
interface such as <emphasis>eth<userinput>0</userinput></emphasis>, 
on both interfaces.</para>

<para>If you need stronger security (e.g., against DOS, connection 
highjacking, spoofing, etc.) have a look at the list of 
<xref linkend="postlfs-security-fw-library"/> at the end of this section.</para>

</sect3>