<sect3 id="postlfs-security-fw-masqRouter" xreflabel="Masquerading Router">
<title>Masquerading Router</title>

<para>A true firewall has two interfaces, one connected to an intranet,
in this example, eth0, and one connected to the internet, here, ppp0.
To provide the maximum security against the box itself being broken into,
make sure that there are no servers running on it, especially not X11 et
al. And, as a general principle, the box itself should not access any untrusted
service<footnote><para>Think of a nameserver giving answers that make your
bind crash, or, even worse, that implement a worm via a
buffer overflow.</para></footnote>.</para>

<para><screen><userinput>cat > /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</userinput>
#!/bin/sh

# Begin $rc_base/init.d/firewall

echo
echo "You're using the example-config for a setup of a firewall"
echo "from the firewalling-hint written for LinuxFromScratch."
echo "This example is far from being complete, it is only meant"
echo "to be a reference."
echo "Firewall security is a complex issue, that exceeds the scope"
echo "of the quoted configuration rules."
echo "You can find some quite comprehensive information"
echo "about firewalling in Chapter 6 of the BLFS book."
echo "http://beyond.linuxfromscratch.org/"
echo

# Insert iptables modules (not needed if built into the kernel).

modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ipt_MASQUERADE
modprobe ipt_LOG
modprobe ipt_REJECT

# allow local-only connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# allow forwarding: replies to existing connections from anywhere,
# new connections only if they do not arrive on the internet interface
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -i ! ppp+ -j ACCEPT

# do masquerading (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE

# Log everything for debugging (last of all rules, but before DROP/REJECT)
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD"
iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "

# set a sane policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# disable Explicit Congestion Notification
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# activate TCP syncookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# activate route verification (IP-spoofing protection)
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done

# activate IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
<userinput>EOF</userinput></screen></para>

<para>With this script your intranet should be sufficiently
secure against external attacks: no one should be able to set up a
new connection to any internal service and, if it's masqueraded,
it's even invisible; furthermore, your firewall should be nearly immune
because there are no services running that a cracker could attack.</para>

<para>Note: if the interface you're connecting to the Internet
doesn't connect via ppp, you will need to change
<userinput>ppp+</userinput> to the name of the interface which you are
using. If you are using the same interface type to connect to both your
intranet and the internet, you need to use the actual name of the
interface, such as <emphasis>eth<userinput>0</userinput></emphasis>,
on both interfaces.</para>
95 |
|
---|
96 | <para>If you need stronger security (e.g., against DOS, connection
|
---|
97 | highjacking, spoofing, etc.) have a look at the list of
|
---|
98 | <xref linkend="postlfs-security-fw-library"/> at the end of this section.</para>
|
---|
99 |
|
---|
100 | </sect3>
|
---|