source: postlfs/security/firewalling/masqrouter.xml@ 1ea79a1

Last change on this file since 1ea79a1 was 1ea79a1, checked in by Bruce Dubbs <bdubbs@…>, 17 years ago

Typos and punctuation

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@2236 af4574ff-66df-0310-9fd7-8a98e5e911e0

<sect3 id="postlfs-security-fw-masqRouter" xreflabel="Masquerading Router">
<title>Masquerading Router</title>

<para>A true firewall has two interfaces: one connected to an intranet,
in this example <emphasis role="strong">eth0</emphasis>, and one
connected to the Internet, here <emphasis role="strong">ppp0</emphasis>.
To provide the maximum security against the box itself being broken into,
make sure that there are no servers running on it, especially not
<application>X11</application> et al. And, as a general principle, the box
itself should not access any untrusted service (think of a name server giving
answers that make your bind crash, or, even worse, that implement a worm via a
buffer overflow).</para>

<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</command>
#!/bin/sh

# Begin $rc_base/init.d/firewall

echo
echo "You're using the example-config for a setup of a firewall"
echo "from the firewalling-hint written for LinuxFromScratch."
echo "This example is far from being complete, it is only meant"
echo "to be a reference."
echo "Firewall security is a complex issue, that exceeds the scope"
echo "of the quoted configuration rules."
echo "You can find some quite comprehensive information"
echo "about firewalls in Chapter 4 of the BLFS book."
echo "http://www.linuxfromscratch.org/blfs"
echo

# Insert iptables modules (not needed if built into the kernel).

modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ipt_MASQUERADE
modprobe ipt_LOG
modprobe ipt_REJECT

# allow local-only connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# allow forwarding: replies to existing connections in both directions,
# new connections only if they do not arrive on the Internet interface
# (the negation goes before the option; "-i ! ppp+" is the deprecated form)
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW ! -i ppp+ -j ACCEPT

# do masquerading (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE

# Log everything for debugging (last of all rules, but before DROP/REJECT)
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "

# set a sane policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr

# disable Explicit Congestion Notification
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn

# activate TCP SYN cookies
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies

# activate route verification (reverse-path filter) = IP spoofing protection
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
 echo 1 &gt; $f
done

# activate IP forwarding
echo 1 &gt; /proc/sys/net/ipv4/ip_forward
<command>EOF</command></userinput></screen>

<para>With this script your intranet should be sufficiently secure against
external attacks. No one should be able to set up a new connection to any
internal service and, if it is masqueraded, it is even invisible. Furthermore,
your firewall should be nearly immune because there are no services running
on it that a cracker could attack.</para>

<para>Note: if the interface you are connecting to the Internet
does not connect via ppp, you will need to change
<replaceable>ppp+</replaceable> to the name of the interface which you are
using. If you are using the same interface type to connect to both your
intranet and the Internet, you need to use the actual name of the
interface, such as <emphasis role="strong">eth0</emphasis>,
on both interfaces.</para>

<para>If you need stronger security (e.g., against DoS, connection
hijacking, spoofing, etc.), have a look at the list of
<xref linkend="postlfs-security-fw-library"/> at the end of this section.</para>

</sect3>
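The note above about replacing <replaceable>ppp+</replaceable>, and naming the interfaces explicitly when both sides use the same interface type, is easiest to get right if the interface names are parameters rather than literals spread through the script. The following is an added example (my own, not the BLFS script above): it renders the same policy as an iptables-restore file, with the intranet interface named explicitly in the FORWARD rule instead of using "not the Internet interface", and emits the /proc settings as a sysctl fragment. The interface names ppp+, eth0 and eth1 are illustrative assumptions; the generator refuses identical names, because then every new connection from the Internet would be forwarded. Loading with iptables-restore also applies policies and rules in one transaction, and the LOG rules are rate-limited so a flood cannot fill the log.

```shell
#!/bin/sh
# Added example, not part of the BLFS book: generate the masquerading-router
# policy as an iptables-restore file plus a sysctl fragment, parameterised on
# the interface names. Interface names used here (ppp+, eth0) are assumptions.
# Apply on the router with:  iptables-restore < firewall.rules
#                            sysctl -p firewall-sysctl.conf

# gen_ruleset WAN_IF LAN_IF
#   WAN_IF: interface or pattern facing the Internet (e.g. ppp+)
#   LAN_IF: interface facing the intranet (e.g. eth0)
# Writes the ruleset to stdout; returns 1 if a name is missing or both are
# the same, since then new connections from the Internet would be forwarded.
gen_ruleset() {
    wan="$1"
    lan="$2"
    if [ -z "$wan" ] || [ -z "$lan" ] || [ "$wan" = "$lan" ]; then
        echo "gen_ruleset: need two distinct interface names" >&2
        return 1
    fi
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# masquerade everything leaving through the Internet interface
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
# default policies and rules are loaded together in one transaction
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies and related connections (e.g. FTP data) in either direction
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# new connections only when they arrive on the intranet interface; naming
# it explicitly works even when both sides use the same interface type
-A FORWARD -m state --state NEW -i $lan -j ACCEPT
# rate-limited logging of everything that is about to hit the DROP policy
-A INPUT -m limit --limit 10/min -j LOG --log-prefix "FIREWALL:INPUT "
-A FORWARD -m limit --limit 10/min -j LOG --log-prefix "FIREWALL:FORWARD "
-A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "FIREWALL:OUTPUT "
COMMIT
EOF
}

# gen_sysctl
#   The /proc/sys/net/ipv4 settings from the script, in sysctl.conf syntax.
gen_sysctl() {
    cat <<EOF
# be verbose on dynamic ip-addresses (not needed in case of static IP)
net.ipv4.ip_dynaddr = 2
# disable Explicit Congestion Notification
net.ipv4.tcp_ecn = 0
# activate TCP SYN cookies
net.ipv4.tcp_syncookies = 1
# reverse-path filter = IP spoofing protection, on all interfaces
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# activate IP forwarding
net.ipv4.ip_forward = 1
EOF
}

# has_rule LINE  (reads a ruleset on stdin)
#   Exit 0 if exactly that line is present; handy for checking a generated
#   file before loading it.
has_rule() {
    grep -qxF -- "$1"
}

# usage: sh masqrouter-gen.sh WAN_IF LAN_IF > firewall.rules
if [ "$#" -eq 2 ]; then
    gen_ruleset "$1" "$2"
fi
```

Run it as `sh masqrouter-gen.sh ppp+ eth0 > firewall.rules` and inspect the file before loading it; the FORWARD rule now accepts new connections only from eth0, so swapping both names for eth0/eth1 on an all-Ethernet router needs no other edit.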