| Deletions are marked like this. | Additions are marked like this. |
| Line 59: | Line 59: |
| dmz ipv4 | |
| Line 76: | Line 77: |
| loc eth1 detect dhcp | dmz eth1 detect dhcp loc eth2 detect dhcp |
| Line 91: | Line 93: |
| eth0 eth2 | |
| Line 106: | Line 109: |
| net all DROP dmz all REJECT |
|
| Line 107: | Line 112: |
| net all DROP |
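Review bot: the Line 106/109 hunk adds `dmz all REJECT` directly after `net all DROP`, and `net all DROP` is shown again in the Line 107/112 hunk right below it, so verify that the resulting policy file does not end up carrying that line twice. Also, because the new dmz zone gets the same REJECT policy as loc, the walkthrough of the policy lines should state that DMZ hosts, like LAN hosts, have no connectivity at all until explicit rules are added for them.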
Version 2.6 of the Linux kernel uses iptables to provide its firewall facilities. For more information on iptables, see http://www.netfilter.org. Iptables is a wonderfully robust and functional firewall package, and will form the core of all of our machine's firewall and routing functionality. Iptables is installed by default as part of the minimal Debian installation, so there's no further installation needed.
Iptables is wonderfully powerful, but unfortunately that power comes at a price...namely configuration. While it can technically be configured by hand, it's a common saying that iptables configuration is not human readable. In short, it's very complex and can quickly become overwhelming. Luckily, we have a solution in the form of a program called Shorewall. Shorewall was written by Tom Eastep, and is available via http://shorewall.sourceforge.net. Of course, we also have a Debian package for shorewall, so there's no need to download and install it by hand. To start, use apt-get to install the shorewall package:
Firewall:~# apt-get install shorewall
At this point apt may tell you it has to install a couple of extra supporting packages along with shorewall. This is normal and you should accept the prompt to allow it to install everything. Don't worry about the "suggested" packages, we won't need those.
Alternative Alert! - Shorewall The problem of configuring iptables is not new, and as with most things in computing, there's more than one way to solve the problem. While this tutorial uses Shorewall to do its dirty work, there are other programs out there that will do the same. One popular alternative is FireHOL (http://firehol.sourceforge.net). If shorewall isn't floating your boat look around...there are always alternatives.
Before we move on, let's clear up a couple common misconceptions: Shorewall is not a firewall, and in fact it's not even an application. The common notion of a program (or daemon) is that of an application that runs continuously. This is not the case with Shorewall. Instead, Shorewall is actually just a very large set of scripts which run once and then exit. Shorewall itself does not perform any firewalling work; it merely configures iptables to your specifications, then quits.
Now on to configuration. You probably noticed a warning message at the end of the Shorewall installation telling you the program will not start unless you change the /etc/default/shorewall file. Let's do that now:
Firewall:~# nano -w /etc/default/shorewall
Now simply change
startup = 0
to
startup = 1
save, and exit.
Shorewall configuration files are stored in two separate places:
- /etc/shorewall stores all the program configuration files.
- /usr/share/shorewall stores supporting files and action files.
On the Debian package version of shorewall, /etc/shorewall is rather empty. Luckily, we're provided with default configuration files in /usr/share/doc/shorewall/default-config.
Since we will need to use these config files to actually make Shorewall work, the first thing to do is to copy them over to /etc/shorewall:
Firewall:~# cp /usr/share/doc/shorewall/default-config/* /etc/shorewall/
Now our /etc/shorewall directory should have default copies of all the config files. Next we modify a few of them to get our firewall in basic working order. I'm only going to cover the basic configurations necessary to get the firewall working. Please read the documentation in each config file you edit so you can fully understand what each step is really doing!
Creating Zones
First we add our network "zones". Shorewall uses zones as a way of defining the different portions of our routed network. Our setup will have three zones: local, DMZ and Internet (loc, dmz & net). Shorewall can easily be extended to support more zones, such as a VPN zone. This configuration is performed in /etc/shorewall/zones:
Firewall:~# nano -w /etc/shorewall/zones
All we have to do here is name our zones and specify their types:
fw firewall
net ipv4
dmz ipv4
loc ipv4
That's it, save and exit.
Associating Zones with Interfaces
Next, we have to add our physical interfaces. This is done via /etc/shorewall/interfaces:
Firewall:~# nano -w /etc/shorewall/interfaces
Now we have to associate our zones with their respective Ethernet interfaces. In this example we are going to associate the "eth0" interface with our "net" zone, "eth1" with our "dmz" zone, and "eth2" with our "loc" zone. We are also going to set them to automatically detect the network settings, and make sure that they will never block DHCP traffic.
net eth0 detect dhcp,routefilter,tcpflags,nobogons
dmz eth1 detect dhcp
loc eth2 detect dhcp
Notice that there are a few extra options on the "net" zone. These options help filter out some of the invalid packets and garbage we see on the Internet. Interface configuration is done, so save and close the file.
Our system uses PAT (port address translation). This is featured as the default on most small home and SOHO firewall devices. Basically, PAT allows our router to translate between our external IP address (on eth0) and all our internal addresses (behind eth1 and eth2). This feature is often referred to (incorrectly) as NAT, or Network Address Translation. Please note that PAT/NAT are not required to operate a firewall, but without them you will have to set up alternative methods of routing instead. In Shorewall, PAT is configured in /etc/shorewall/masq:
Firewall:~# nano -w /etc/shorewall/masq
We have to tell Shorewall that we want all traffic coming from inside the network (on eth1 and eth2) to be translated out through the interface on eth0. We do this simply by specifying the interface pairs, external interface first:
eth0 eth1
eth0 eth2
It is important to note that as always, there are more advanced possibilities here than what we're using...read the documentation! Also, don't be fooled by /etc/shorewall/nat. This file is for providing Network Address Translation, which translates internal IP addresses to external IP addresses directly, rather than using a single external address and translating the ports. I recommend Wikipedia and Google if you want to learn more.
Creating Default Policies
Now comes the ever important firewall policy. The policy forms the basis for how all traffic on our network will be treated. This is not for fine grained control, we'll get to that later. This just sets the baseline actions for a zone.
Firewall:~# nano -w /etc/shorewall/policy
Here are the default policies we are going to use for our example. They are made up of three columns: Source Zone, Destination Zone, and Action.
net all DROP
dmz all REJECT
loc all REJECT
fw all ACCEPT
all all REJECT
The loc line says that we are going to REJECT all traffic coming from our local network no matter where it's headed. This might sound funny, as most people trust their local traffic. In fact, most individuals and companies would configure this with an ACCEPT action. But I am a firm believer that if you are going to learn how to secure your network, you shouldn't do it only halfway. And remember, most attacks come from inside your network. But keep in mind: if you do not add rules later on for every protocol you want your workstations to use, their traffic will be kindly rejected. For example, if you want your users to surf the web, you are going to have to create rules allowing them to use HTTP, HTTPS, and DNS.
The net line says we are going to DROP all traffic from the Internet. We don't trust external traffic from the Internet, so this should make sense. When we see Internet traffic that doesn't match any specific rules (covered later), we want it DROPPED. Now, what's the difference between REJECT and DROP? REJECT sends a response back telling the sender that their traffic is not allowed. The DROP action simply throws the traffic in the bit bucket (you know, the garbage can) and doesn't bother telling the sender. This makes it a little harder for an attacker to figure out how your firewall is configured.
The fw line is for the firewall machine itself, whose zone is named "fw" by default. You have the option of adding that to the policy as well. It says all traffic generated by the machine is allowed. You can also leave this out and configure stricter rules (in the rules file) to only allow certain traffic, but keep in mind that if you do not add some type of policy or rule, you will not be able to use any network based features of the system. For example, apt will no longer work if fw traffic is not ACCEPTed. The rest of this tutorial assumes this line is added.
And finally, any traffic not matching the above is rejected. This should always be added as the last rule, just in case you forgot a zone.
Turning on Forwarding
Finally we get to the last necessary file, /etc/shorewall/shorewall.conf. This file manages global shorewall options, and you should read it through completely.
Firewall:~# nano -w /etc/shorewall/shorewall.conf
We need to find the section of the file that talks about "IP_FORWARDING" and change it from "Off" to "On". If you don't, your packets won't be able to get from one interface to the other.
IP_FORWARDING=On
Read through the whole file and customize it as you wish. When you're done, save your work. That should complete the basic firewall configuration.
Checking Your Configs and Starting Shorewall
You should run "shorewall check" to see if you've made any typos. It won't catch all possible errors, but it helps:
Firewall:~# shorewall check
If you get "Configuration Validated" you can go ahead and start Shorewall:
Firewall:~# /etc/init.d/shorewall start
Note that Shorewall should run automatically every time the system boots, so you won't have to do it manually. If you want to change your settings without rebooting, just use "restart" instead of start in the above command.
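As a complement to the "shorewall check" step, here is an added example (not part of this tutorial and not Shorewall's own code) that cross-checks the four tables built above, zones, interfaces, policy and masq, for mismatches worth catching before starting the firewall: an interface assigned to two zones, a zone used but never declared, a masq rule whose external interface is not in net, or a policy file that does not end in the catch-all REJECT. The file contents are embedded as constructed strings copied from this page's tables; the lint() function returns a list of findings, empty when everything agrees.

```python
# Constructed copies of the four tables built in this tutorial (not Shorewall's own data).
ZONES = "fw firewall\nnet ipv4\ndmz ipv4\nloc ipv4\n"
INTERFACES = ("net eth0 detect dhcp,routefilter,tcpflags,nobogons\n"
              "dmz eth1 detect dhcp\nloc eth2 detect dhcp\n")
POLICY = "net all DROP\ndmz all REJECT\nloc all REJECT\nfw all ACCEPT\nall all REJECT\n"
MASQ = "eth0 eth1\neth0 eth2\n"


def rows(text):
    """Split a Shorewall table file into columns, ignoring blank and '#' comment lines."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out.append(line.split())
    return out


def lint(zones, interfaces, policy, masq):
    """Cross-check the four files; returns a list of findings (empty when they agree)."""
    findings = []
    zone_names = {r[0] for r in rows(zones)}
    iface_zone = {}  # interface name -> zone it belongs to
    for zone, iface in (r[:2] for r in rows(interfaces)):
        if zone not in zone_names:
            findings.append(f"interfaces: zone {zone!r} is not declared in zones")
        if iface in iface_zone:  # one interface can only sit in one zone
            findings.append(f"interfaces: {iface} assigned to both {iface_zone[iface]} and {zone}")
        iface_zone[iface] = zone
    for z in sorted(zone_names - {"fw"} - set(iface_zone.values())):
        findings.append(f"zones: {z!r} has no interface")
    pol = [r[:3] for r in rows(policy)]
    for src, dst, _action in pol:
        for z in (src, dst):
            if z not in zone_names | {"all"}:
                findings.append(f"policy: unknown zone {z!r}")
    if not pol or pol[-1] != ["all", "all", "REJECT"]:
        findings.append("policy: last line must be the catch-all 'all all REJECT'")
    if not any(r[0] == "net" and r[2] == "DROP" for r in pol):
        findings.append("policy: no 'net all DROP' line; Internet traffic should be dropped")
    for ext, internal in (r[:2] for r in rows(masq)):
        if iface_zone.get(ext) != "net":  # translation must leave through the net interface
            findings.append(f"masq: external interface {ext} is not in the net zone")
        if iface_zone.get(internal) in (None, "net"):
            findings.append(f"masq: {internal} is not an internal (non-net) interface")
    return findings
```

To check the real files, read /etc/shorewall/zones, interfaces, policy and masq into the four strings and print whatever lint() returns.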
