source: postlfs/security/firewalling/masqrouter.xml@ 064db32a

Last change on this file since 064db32a was 064db32a, checked in by Larry Lawrence <larry@…>, 19 years ago

caught a few more tags

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@876 af4574ff-66df-0310-9fd7-8a98e5e911e0

<sect3 id="postlfs-security-fw-masqRouter" xreflabel="Masquerading Router">
<title>Masquerading Router</title>

<para>A true firewall has two interfaces, one connected to an intranet,
in this example, eth0, and one connected to the internet, here, ppp0.
To provide the maximum security against the box itself being broken into,
make sure that there are no servers running on it, especially not X11 et
al. And, as a general principle, the box itself should not access any untrusted
service<footnote><para>Think of a name server giving answers that make your
BIND crash, or, even worse, that implant a worm via a
buffer overflow.</para></footnote>.</para>

<para><screen><userinput>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</userinput>
#!/bin/sh

# Begin $rc_base/init.d/firewall

echo
echo "You're using the example-config for a setup of a firewall"
echo "from the firewalling-hint written for LinuxFromScratch."
echo "This example is far from being complete, it is only meant"
echo "to be a reference."
echo "Firewall security is a complex issue, that exceeds the scope"
echo "of the quoted configuration rules."
echo "You can find some quite comprehensive information"
echo "about firewalling in Chapter 4 of the BLFS book."
echo "http://beyond.linuxfromscratch.org/"
echo

# Insert iptables modules (not needed if built into the kernel).

modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ipt_MASQUERADE
modprobe ipt_LOG
modprobe ipt_REJECT

# allow local-only connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# allow forwarding: replies to existing connections from anywhere,
# new connections only if they did not arrive on the internet side (ppp+)
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW ! -i ppp+ -j ACCEPT

# do masquerading (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE

# Log everything for debugging (last of all rules, but before DROP/REJECT)
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "

# set a sane policy: anything not accepted above is dropped
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr

# disable Explicit Congestion Notification
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn

# activate TCP syncookies
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies

# activate route verification (reverse-path filter) = IP spoofing protection
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
 echo 1 &gt; $f
done

# activate IP forwarding
echo 1 &gt; /proc/sys/net/ipv4/ip_forward
<userinput>EOF</userinput></screen></para>

<para>With this script your intranet should be sufficiently
secure against external attacks: no one should be able to set up a
new connection to any internal service and, if it is masqueraded,
it is even invisible; furthermore, your firewall should be nearly immune
because there are no services running that a cracker could attack.</para>

<para>Note: if the interface you use to connect to the Internet
is not a ppp interface, you will need to change
<userinput>ppp+</userinput> to the name of the interface which you are
using. If you are using the same interface type to connect to both your
intranet and the internet, you need to use the actual name of the
interface, such as <emphasis>eth<userinput>0</userinput></emphasis>,
for each of the two interfaces.</para>

<para>If you need stronger security (e.g., against DoS, connection
hijacking, spoofing, etc.) have a look at the list of
<xref linkend="postlfs-security-fw-library"/> at the end of this section.</para>

</sect3>
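Because the script logs every packet just before the DROP policy discards it, the kernel log is the record of what the firewall refused. The following Python parser is an added example, not part of the BLFS book or its script; it reads syslog lines carrying the standard iptables LOG record (the `IN= OUT= SRC= DST= ... PROTO= SPT= DPT=` fields), tolerates the `FIREWALL:` prefix with or without a trailing space, and counts the dropped connection attempts that arrived on the internet-facing ppp interface. The log lines are constructed samples.

```python
import re
from collections import Counter

# Constructed sample of the kernel log lines the script's LOG rules produce
# (syslog timestamp + host + the iptables LOG record); not real traffic.
SAMPLE_LOG = """\
Jan 14 03:12:07 fw kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 14 03:12:09 fw kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=43211 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 14 03:12:11 fw kernel: FIREWALL:FORWARDIN=ppp0 OUT=eth0 SRC=203.0.113.9 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=3 DF PROTO=TCP SPT=50000 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 14 03:12:12 fw kernel: FIREWALL:OUTPUT IN= OUT=ppp0 SRC=198.51.100.7 DST=192.0.2.53 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=UDP SPT=40000 DPT=53 LEN=44
Jan 14 03:12:13 fw kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=5 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=5840 RES=0x00 ACK URGP=0
Jan 14 03:12:15 fw kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=6 DF PROTO=TCP SPT=43212 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# The prefix may or may not be followed by a space (it depends on how
# --log-prefix was quoted), so allow zero or more spaces after the chain name.
LOG_RE = re.compile(r"FIREWALL:(?P<chain>INPUT|FORWARD|OUTPUT)\s*(?P<fields>.*)$")


def parse_line(line):
    """Return {'chain': ..., 'flags': [...], KEY: VALUE, ...} or None for other log lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "flags": []}
    for token in m.group("fields").split():
        if "=" in token:
            key, _, value = token.partition("=")
            rec.setdefault(key, value)  # UDP lines repeat LEN=; keep the IP-header one
        else:
            rec["flags"].append(token)  # bare tokens such as DF, SYN, ACK
    return rec


def summarize(log_text):
    """Count dropped connection attempts that arrived on the internet side (ppp*).

    Only TCP SYN (not SYN/ACK) packets and non-TCP packets count as attempts;
    stray ACKs of old connections are noise, and OUTPUT lines have no IN= interface.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec.get("IN", "").startswith("ppp"):
            continue
        if rec.get("PROTO") == "TCP" and ("SYN" not in rec["flags"] or "ACK" in rec["flags"]):
            continue
        counts[(rec["chain"], rec["SRC"], rec.get("PROTO"), rec.get("DPT"))] += 1
    return counts
```

A FORWARD entry in the summary means a packet from the internet side was addressed to an internal host and was dropped, which is exactly what the `! -i ppp+` rule is meant to guarantee.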