Debian Firewalls -- The Firewall
 
    Version 2.6 of the Linux kernel uses iptables to provide its firewall facilities. For more information on iptables, see http://www.netfilter.org. Iptables is a wonderfully robust and functional firewall package, and will form the core of all of our machine's firewall and routing functionality. Iptables is installed by default as part of the minimal Debian installation, so there's no further installation needed.

   The predecessor to iptables, ipchains, is also installed by default, but we don't need it on our system. I recommend removing it to keep things simple and uncluttered:

Firewall:~# apt-get remove ipchains

   Iptables is wonderfully powerful, but unfortunately that power comes at a price...namely configuration. While it can technically be configured by hand, it has been said that iptables configuration is not human readable. In short, it's very complex and can quickly become overwhelming. Luckily, we have a solution in the form of a program called Shorewall. Shorewall was written by Tom Eastep, and is available via http://shorewall.sourceforge.net. Of course, we also have a Debian package for shorewall, so there's no need to download and install it by hand. To start, use apt-get to install the shorewall package:

Firewall:~# apt-get install shorewall

   Important Notice: As the introduction mentions, this tutorial is based on the Debian 3.1 "Sarge" operating system. All Linux operating systems use different sets of packages and different release cycles (even if the package names are the same)! This includes the popular Ubuntu OS, which is based on Debian. This means that if you're using a different operating system, you may be using different software versions. Because of this, the tutorial examples may not work verbatim! The examples here are intended to work with Shorewall 2.2, currently in Debian Stable. If your distro uses different versions, you should be able to convert the examples by reading the product documentation.

   At this point apt may tell you it has to install a couple of extra supporting packages along with shorewall. This is normal, and you should accept the prompt to allow it to install everything. Don't worry about the "suggested" packages; we won't need those.

Alternative Alert! - Shorewall
The problem of configuring iptables is not new, and as with most things in computing, there's more than one way to solve the problem. While this tutorial uses Shorewall to do its dirty work, there are other programs out there that will do the same. One popular alternative is FireHOL (http://firehol.sourceforge.net). If shorewall isn't floating your boat look around...there are always alternatives.
 
   Before we move on, let's clear up a couple common misconceptions: Shorewall is not a firewall, and in fact it's not even an application. The common notion of a program (or daemon) is that of an application that runs continuously. This is not the case with Shorewall. Instead, Shorewall is actually just a very large set of scripts which run once and then exit. Shorewall itself does not perform any firewalling work; it merely configures iptables to your specifications, then quits.

   Now on to configuration. You probably noticed a warning message at the end of the Shorewall installation telling you the program will not start unless you change the /etc/default/shorewall file. Let's do that now:

Firewall:~# nano -w /etc/default/shorewall

Now simply change
startup = 0
to
startup = 1
save, and exit.

/etc/default/shorewall

   Shorewall configuration files are stored in two separate places:
/etc/shorewall stores all the program configuration files.
/usr/share/shorewall stores supporting files and action files.

   On the Debian package version of shorewall, /etc/shorewall is rather empty. Luckily, we're provided with default configuration files in /usr/share/doc/shorewall/default-config.

   Since we will need to use these config files to actually make Shorewall work, the first thing to do is to copy them over to /etc/shorewall:

Firewall:~# cp /usr/share/doc/shorewall/default-config/* /etc/shorewall/

   Now our /etc/shorewall directory should have default copies of all the config files. Next we modify a few of them to get our firewall in basic working order. I'm only going to cover the basic configurations necessary to get the firewall working. Please read the documentation in each config file you edit so you can fully understand what each step is really doing!

   First we add our network "zones". Shorewall uses zones as a way of defining different portions of our routed network. Our simple setup will have two zones: local and internet (loc & net). Shorewall can easily be extended to support many more zones, such as a DMZ or a VPN zone. This configuration is performed in /etc/shorewall/zones:

Firewall:~# nano -w /etc/shorewall/zones

   All we have to do here is name our zones:

net    Net    The Internet
loc    Local    Local Network

   That's it, save and exit.

/etc/shorewall/zones

   Next, we have to add our physical interfaces. This is done via /etc/shorewall/interfaces:

Firewall:~# nano -w /etc/shorewall/interfaces

   First we add our internet (net) interface, eth0. We set it to automatically detect the interface settings, and also tell it to perform some filtering. I won't go into detail here; everything is explained nicely at the top of the file.

net eth0 detect dhcp,routefilter,tcpflags,nobogons

   Second is our internal interface (eth1):

loc eth1 detect dhcp

   Notice it's not generally necessary to turn on all the filtering options on the internal interface, as our local zone is considered "safe". We're only super cautious about traffic coming into the system from outside. Interface configuration is done, so save and close the file.

/etc/shorewall/interfaces

   Our system uses PAT (port address translation). This is featured as the default on most small home and SOHO firewall devices. Basically, PAT allows our router to translate between our external IP address (on eth0) and all our internal addresses (connecting to eth1). This feature is often referred to (incorrectly) as NAT, or Network Address Translation. Please note that PAT/NAT are not required to operate a firewall, but you will have to set up alternative methods of routing instead. In Shorewall, PAT is configured in /etc/shorewall/masq:

Firewall:~# nano -w /etc/shorewall/masq

   We have to tell shorewall that we want all traffic coming from inside the network (on eth1) to be translated out through the interface on eth0. We do this simply by specifying the interfaces:

eth0    eth1

   It is important to note that as always, there are more advanced possibilities here than what we're using...read the documentation! Also, don't be fooled by /etc/shorewall/nat. This file is for providing Network Address Translation, which translates internal IP addresses to external IP addresses directly, rather than using a single external address and translating the ports. I recommend Wikipedia and Google if you want to learn more.

/etc/shorewall/masq

   Now comes the ever-important firewall policy. The policy forms the basis for how all traffic on our network will be treated. This is not for fine-grained control; we'll get to that later. This just sets the baseline actions for a zone.

Firewall:~# nano -w /etc/shorewall/policy

   We trust our local traffic, so we want to accept traffic that comes from our LAN, no matter where it's going:

loc all ACCEPT

   Note that there is also a built-in zone for the firewall machine itself, which is "fw" by default. You have the option of adding that to the policy as well. While this rule is optional, I recommend adding it. It says all traffic generated by the machine is allowed. You can also leave this out and configure a stricter rule (in the rules file) to only allow certain traffic, but keep in mind that if you do not add some type of policy or rule, you will not be able to use any network-based features of the system. For example, apt will no longer work if fw traffic is not ACCEPTed. The rest of this tutorial assumes this option is added.

fw all ACCEPT

   We don't trust external traffic from the internet. When we see internet traffic that doesn't match any specific rules (later), we want it DROPPED:

net all DROP

   Finally, any traffic not matching the above is rejected (this must be the last rule):

all all REJECT

/etc/shorewall/policy

   Finally we get to the last necessary file, /etc/shorewall/shorewall.conf. This file manages global shorewall options, and you should read it through completely.

Firewall:~# nano -w /etc/shorewall/shorewall.conf

   Most importantly, change IP_FORWARDING to "On". If you don't, your packets won't be able to get out of the local network:

IP_FORWARDING=On

   For security, I suggest setting DROPINVALID to "Yes" as well:

DROPINVALID=Yes

   Read through the whole file and customize it as you wish. When you're done, save your work. That should complete the basic firewall configuration. You should run "shorewall check" to see if you've made any typos. It won't catch all possible errors, but it helps:

Firewall:~# shorewall check

   If you get "Configuration Validated" you can go ahead and start Shorewall:

Firewall:~# /etc/init.d/shorewall start

   Note that Shorewall should run automatically every time the system boots, so you won't have to do it manually. If you want to change your settings without rebooting, just use "restart" instead of start in the above command.
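   The whole procedure above, collected into a small POSIX shell script. This is an added example, not part of the original tutorial and not Shorewall's own code: it writes the four table files to a staging directory, applies the two shorewall.conf edits to a copied default file, and runs a consistency pre-check (every zone referenced in interfaces and policy is declared in zones, the catch-all "all all REJECT" is the last policy entry, and IP_FORWARDING is On) before you copy the files into /etc/shorewall and run "shorewall check". The staging directory, the function names and the check logic are my assumptions; the file names, columns and values are the ones from this page.

```shell
#!/bin/sh
# Added example, not from the tutorial or from Shorewall: build the Shorewall 2.2
# configuration described above in a staging directory and sanity-check it
# before copying it to /etc/shorewall. The staging directory, function names and
# checks are assumptions; file names, columns and values follow the tutorial.

# Write the four table files (zones, interfaces, masq, policy) into $1.
write_tables() {
    dir="$1"
    mkdir -p "$dir"
    # zones: ZONE  DISPLAY  COMMENTS
    printf 'net\tNet\tThe Internet\nloc\tLocal\tLocal Network\n' > "$dir/zones"
    # interfaces: ZONE  INTERFACE  BROADCAST  OPTIONS (strict filtering on the net side only)
    printf 'net\teth0\tdetect\tdhcp,routefilter,tcpflags,nobogons\n' > "$dir/interfaces"
    printf 'loc\teth1\tdetect\tdhcp\n' >> "$dir/interfaces"
    # masq: INTERFACE  SUBNET  (PAT: traffic from eth1 leaves through eth0)
    printf 'eth0\teth1\n' > "$dir/masq"
    # policy: SOURCE  DEST  POLICY  (the catch-all REJECT has to be last)
    printf 'loc\tall\tACCEPT\nfw\tall\tACCEPT\nnet\tall\tDROP\nall\tall\tREJECT\n' > "$dir/policy"
}

# Set KEY=VALUE in a shorewall.conf ($1), replacing an existing line or appending one.
set_conf_option() {
    file="$1" key="$2" value="$3"
    if grep -q "^$key=" "$file"; then
        awk -v k="$key" -v v="$value" -F= '$1 == k { $0 = k "=" v } { print }' \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# First column of the zones file, skipping comments and blank lines.
declared_zones() {
    awk '!/^[ \t]*(#|$)/ { print $1 }' "$1/zones"
}

# Zones referenced by interfaces (column 1) and policy (columns 1-2),
# minus the built-ins "all" and "fw", which need no declaration.
referenced_zones() {
    { awk '!/^[ \t]*(#|$)/ { print $1 }' "$1/interfaces"
      awk '!/^[ \t]*(#|$)/ { print $1; print $2 }' "$1/policy"
    } | grep -v -x -e all -e fw | sort -u
}

# Pre-check for the mistakes the tutorial warns about; returns 0 when clean.
check_config() {
    dir="$1"; rc=0
    for z in $(referenced_zones "$dir"); do
        if ! declared_zones "$dir" | grep -q -x "$z"; then
            echo "zone '$z' is used but not declared in $dir/zones"; rc=1
        fi
    done
    last=$(awk '!/^[ \t]*(#|$)/ { l = $1 " " $2 " " $3 } END { print l }' "$dir/policy")
    if [ "$last" != "all all REJECT" ]; then
        echo "policy: 'all all REJECT' must be the last entry (last is '$last')"; rc=1
    fi
    if ! grep -q -x 'IP_FORWARDING=On' "$dir/shorewall.conf"; then
        echo "shorewall.conf: IP_FORWARDING must be On or the LAN cannot reach the net"; rc=1
    fi
    return $rc
}

# Stand-alone run: stage everything under a temp dir and report.
demo() {
    d=$(mktemp -d)
    write_tables "$d"
    # Stand-in for the default shorewall.conf copied from default-config
    printf 'IP_FORWARDING=Off\nDROPINVALID=No\n' > "$d/shorewall.conf"
    set_conf_option "$d/shorewall.conf" IP_FORWARDING On
    set_conf_option "$d/shorewall.conf" DROPINVALID Yes
    check_config "$d" && echo "staged config in $d looks consistent"
}

demo
```

   The script never touches /etc/shorewall itself; once check_config reports nothing, copy the staged files over, run "shorewall check" as described above, and only then start or restart Shorewall. The catch-all check matters because Shorewall reads the policy file top to bottom, so a DROP or ACCEPT placed after "all all REJECT" is never reached.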

Proceed to Step 6 - Firewall Rules
 
Copyright © 2006 Matt LaPlante. All rights reserved.