Tutorial: Linux Internet Server: Set Up a Firewall Part 2
By Paul Dunne
This article examines how to set up a Linux box to provide routing services between the local network and the Internet, and to address the security issues raised by such a connection by having the Linux box act as a firewall. This article deals with setting up a Linux PC for use as a firewall between the Internet and a local network. It is a tutorial that takes the reader through installing, configuring and administering a L inux firewall. Some knowledge of TCP/IP networking and Linux is assumed, as well as a basic acquaintance with firewalls.
Questions regarding this article should be directed to the author at email@example.com
Other installments of this Linux Internet server tutorial series include:
It is assumed that you are familiar with the theory behind firewalls. If not, a bit of background readin g might help. There is a good collection of papers at AT&T's Research site . The set of papers at the TIS site is also worth a read.
As it stands, our Linux box is connected to the Internet and to the local network, but our local network is still unable to talk to the Internet, and vice versa. For this, we must enable routing on the Linux box, so that packets from one network interface destined for addresses outside the local network are sent on through the other network interface.
There are two different ways to provide routing, depending on whether or not the local network has been allocated IP addresses by InterNIC, or whether it uses the ``private'' addresses allowed by RFC 1597 .
For the purpose of this article, we will assume that the local network has not had Internet addresses allocated to it, and must thus be kept hidden from the Internet. Our firewall set-up will serve the dual purpose of providing the routing services for the hidden network, and also acting as a security barrier.
There are two types of firewalls. The first is a filtering firewall, where packets are allowed or denied routing according to a rule-set. The other type is the proxy firewall, which blocks off the internal network from the external network entirely, and provides proxy services as requested by the internal network. Further, there are two types of proxy firewall: firstly, the application proxy gateway, secondly, the circuit-level relay.
In this article, we will be setting up a basic filtering firewall. For more information about the other kinds, see the Firewalling and Proxy Server HOWTO .
Any PC capable of running Linux can be used as a firewall. There are certain features that a firewall relies on more than others. A filtering firewall needs a decent amount of RAM, if only to hold the routing tables in memory; a proxy firewall's hardware needs are determined by the requirements of the services for which it provides proxy support. For example, providing WWW proxy support can demand plenty of RAM and high-performance hard disk space, depending on how much caching is done.
Using a Linux box as a firewall can be done either by using the built-in firewall capability, or by installing additional packages. This article looks specifically at turning a Linux machine into a packet-filtering router, using no additional packaged software.
The Linux kernel needs to be compiled with certain options enabled in order to use the firewall code. Most generic kernels -- that type usually supplied with a distribution -- will have these options turned off, so that it is nece ssary to recompile the kernel. This is a simple task, and we will quickly run through the steps here. For more details, see the Linux Kernel HOWTO .
I should also point out that it is a good idea to take this opportunity to upgrade your kernel to the latest stable release. At time of writing, this is 2.0.30. The kernel is brought up to date in one of two ways: either by downloading the latest source tree en masse, or by applying all the patch files released between your version, and the current stable release. The former is easier, the latter cheaper if you pay for telephone calls to your ISP, or are billed for usage. Either way, many sites carry both. See the Linux v2 Information HQ for details.
Configuring The Kernel
The Linux kernel is configured by the ``make config'' command. The following options must be switched on.
CONFIG_FIREWALL=y CONFIG_INET=y CONFIG_IP_FORWAR D=y CONFIG_SYN_COOKIES=y CONFIG_IP_FIREWALL=y CONFIG_IP_FIREWALL_VERBOSE=y CONFIG_IP_MASQUERADE=y CONFIG_IP_ACCT=y
Recompiling The Kernel
The following command sequence will re-compile the kernel:
make dep && make clean && make zImage
Installing the New Kernel
The following sequence of commands copies the new kernel image and its associated symbol table to the root directory, and reruns LILO so that the boot loader knows about the new kernel:
cp /usr/src/linux/arch/i386/boot/zImage / cp /usr/src/linux/System.map / /sbin/lilo
It's not a bad idea to put the new kernel on a floppy only at first, and reboot using that diskette, just to make sure everything is working right. You can then install the new kernel on the hard disk as shown above when this has been done. You can use a simple copy operation, like:
cp /usr/src/linux/arch/i386/boot/zImage /dev/fd0
Getti ng ipfwadm
The core of firewall functionality is contained in the rule-sets that determine what happens to packets. There are four types of rule-sets: those governing input, those governing output, those in charge of forwarding, and those controlling accounting. Rule-sets are maintained by ipfwadm(8) .
Rather than bludgeoning you with a great list of options and
In the examples that follow, we shall construct a firewall machine tha t is connected to the local network via interface 192.168.1.1, and to the Internet via 192.168.20.1. Please note that the 192.168.0.0 net is a non-routed net address block set aside specifically for use on networks that are not connected to the Internet, or are screened from contact with the Internet by a firewall of the type we are building. They should NOT be used on any network which will be directly connected to the Net. The system acts as a mail relay hub for the local network, as a router for the local network, provides local DNS services, and provides HTTP and FTP services.
Note that in the rules that follow are taken from an ``rc script'' on my machine, where the following variables are defined at the head of the file to simplify maintenance:
LOCALHOST=`hostname` IFEXTERN="126.96.36.199" IFINTERN="192.168.1.1" LOCALNET="192.168.1.0/24" ANYWHERE="0.0.0.0/0" UNPRIVPORTS="1024:65535"
The blocking rules control going directly to or fro
firewall itself. In what follows, I will build up step by step a
set of blocking rules for our basic firewall. With
Firstly, we block everything! The idea here is that we deny access wherever we do not explicitly permit it.
# Sure we're paranoid, but are we paranoid enough? ipfwadm -I -p deny ipfwadm -O -p deny ipfwadm -F -p deny
# Handle spoofed packets. ipfwadm -I -a deny -V $IFEXTERN -S $LOCALNET -D $ANYWHERE ipfwadm -I -a deny -V $IFEXTERN -S $IFEXTERN -D $ANYWHERE
For a start, we can allow packets between the firewall and our local network:
# Unlimited traffic within the local network. ipfwadm -I -a accept -V 192.168.1.1 -S 0.0.0.0/0 -D 0.0.0.0/0 ipfwadm -O -a accept -V 192.168.1.1 -S 0.0.0.0/0 -D 0.0.0.0/0 # Unlimited traffic to localhost ipfwadm -I -a accept -V 127.0.0.1 -S 127.0.0.1 -D 127.0.0.1 ipfwadm -O -a accept -V 127.0.0.1 -S 127.0.0.1 -D 127.0.0.1
Here, we see the use of the input (
Now, in one fell swoop, we add SMTP, FTP, WWW and DNS access:
# SMTP ipfwadm -I -a accept -P tcp -S $ANYWHERE -D $LOCALHOST smtp ipfwadm -O -a accept -P tcp -S $LOCALHOST $UNPRIVPORTS -D $ANYWHERE ipfwadm -O -a accept -P tcp -S $LOCALHOST smtp -D $ANYWHERE ipfwadm -I -a accept -P tcp -S $ANYWHERE -D $LOCALHOST $UNPRIVPORTS # DNS ipfwadm -I -a accept -P tcp -S $ANYWHERE -D $LOCALHOST domain ipfwadm -I -a accept -P udp -S $ANYWHERE -D $LOCALHOST domain ipfwadm -O -a accept -P udp -S $LOCALHOST domain -D $ANYWHERE # FTP ipfwadm -I -a accept -P tcp -S $ANYWHERE -D $LOCALHOST ftp ipfwadm -I -a accept -k -P tcp -S $ANYWHERE -D $LOCALHOST ftp-data ipfwadm -O -a accept -P tcp -S $LOCALHOST ftp -D $ANYWHERE # WWW ipfwadm -I -a accept -P tcp -S $ANYWHERE -D $LOCALHOST www ipfwadm -O -a accept -P tcp -S $LOCALHOST www -D $ANYWHERE
Because we intend to allow traffic to be forwarded to and from the in ternal network, we must also add some input and output rules to allow for this, in addition to the forwarding rules in the next section:
# Outgoing packets. ipfwadm -O -a accept -P tcp -S $LOCALNET $UNPRIVPORTS \ -D $ANYWHERE smtp ftp ftp-data www telnet domain ipfwadm -O -a accept -P tcp -S $IFEXTERN $UNPRIVPORTS \ -D $ANYWHERE smtp ftp ftp-data www telnet domain ipfwadm -O -a accept -P udp -S $LOCALHOST $UNPRIVPORTS \ -D $ANYWHERE domain # Incoming packets. ipfwadm -I -a accept -k -P tcp -S $ANYWHERE ftp www telnet domain \ -D $LOCALNET $UNPRIVPORTS ipfwadm -I -a accept -k -P tcp -S $ANYWHERE ftp www telnet domain \ -D $IFEXTERN $UNPRIVPORTS ipfwadm -I -a accept -P tcp -S $ANYWHERE ftp-data -D $LOCALNET $UNPRIVPORTS ipfwadm -I -a accept -P tcp -S $ANYWHERE ftp-data -D $IFEXTERN $UNPRIVPORTS ipfwadm -I -a accept -P udp -S $ANYWHERE domain -D $LOCALHOST $UNPRIVPORTS
Firstly, we allow input TCP packets from anywhere into our
local network, provided they are f
rom our allowed services. We
also allow UDP packets to the name server. The
The forwarding rules control which packets will be forwarded by the firewall. In addition, our forwarding rules must take care of masquerading. As mentioned above in the section on routing, we are using ``private'' IP numbers for our network, and we cannot allow packets with source addresses set to these numbers out onto the Internet. Therefore, our firewall will ``masquerade'' as our other machines for the purposes of sending packets to and from the Internet.
Once again, we start by denying everything, before explicitly allowing some sorts of traffic.
ipfwadm -F -p deny
ipfwadm -F -m -a accept -P tcp -S $LOCALNET $UNPRIVPORTS \ -D $ANYWHERE ftp ftp-data www telnet ipfwadm -F -m -a accept -k -P tcp -S $ANYWHERE ftp www telnet \ -D $LOCALNET $UN PRIVPORTS ipfwadm -F -m -a accept -P tcp -S $ANYWHERE ftp-data \ -D $LOCALNET $UNPRIVPORTS
The accounting rules are used to build up packet and byte counts for selected traffic. There is a single set, used for both incoming and outgoing traffic. Every packet is checked against each rule, and the counts of ea ch matching rule incremented.
ipfwadm -A -a -b -P tcp -S 0.0.0.0/0 -D 192.168.1.2 www
Where we assume that a machine on the local network with address 192.168.1.2 hosts the Web server.
The rule I use is rather more simple, just:
ipfwadm -A -a -b
This article has shown you how to set up a Linux box as a combined router and firewall, using the network capabilities built in to the Linux kernel. It does not attempt to provide a complete, robust firewalling solution; but it will prove sufficient for sites without grave security concerns. For further information, a good starting p oint is Linux Journal Firewall Resources
Paul Dunne is a writer and consultant who specialises in Linux. He has a home page that describes in more detail what he does.