Building Linux Firewall

an article added by: Ronald T Besser at 04092007


Linux :: Building Linux Firewall ::

 French | Spanish | Portuguese | Italian | German | Japanese | Chinese | Korean | Russian | Arabic Bookmark and Share

First, we need to set up Squid proxy server to be able to perform transparent proxy for the children's computer and deny access to porn sites and some viruses.
Squid can be found at www.squid-cache.org, and is the most widely used proxy server under Linux—most distributions have packages for Squid. The best documentation for Squid is the configuration file itself, which is heavily commented.
We will run Squid on its default port, 3128. To be able to use Squid as transparent proxy, we have to add the following information in the configuration file (usually /etc/squid/squid.conf):

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Next, we need to define Squid access lists for the internal network to have access to Squid and to deny porn sites and dangerous files. We will do this for our entire internal network, but we will use the transparent proxy only for the children's computer. Any file can be a virus, and the file extensions that follow are just as an example; so please feel free to add any file extension you consider dangerous. In the squid.conf file, we add the following lines:

acl all src 0.0.0.0/0.0.0.0
acl our_network src 192.168.1.0/24
acl porn url_regex -i sex adult porn hardcore fetish
acl downloads urlpath_regex \.exe$ \.rar$ \.zip$ \.pif$ \.scr$
http_access deny porn
http_access deny downloads
http_access allow our_network
http_access deny all

The ACL named "porn" contains a list of names that are not allowed in the URL; so you won't be able to access a site that has one of those words in its name using the proxy server.
The ACL named "downloads" contains a list of file types that are not allowed to be accessed; so you won't be able to download files with the extensions in that list using the proxy server.
Now that we have set up the proxy server, let's implement the firewall to match the security policy we just built.
For the gaming device, we need to find out how it works when we host GameSpy Arcade games on it. We go to their websites and we see that we need to forward the following ports to the gaming device:

  • 6500 UDP: for GameSpy Arcade
  • 6700 UDP: for GameSpy Tunnel

Let's forward those ports:

iptables –t nat –A PREROUTING –p udp –-dport 6500 –j DNAT –-to 192.168.1.200
iptables –t nat –A PREROUTING –p udp –-dport 6700 –j DNAT –-to 192.168.1.200

For the gaming device to work, we also have to perform NAT for it, which will be included in the NAT rule for our entire network, which will be at the end.
Next, we need to deny access for the network printer to the Internet. Normally, we don't do filtering in the NAT table, but we don't want to do masquerading for the printer IP address. Since the printer has a private IP address, it won't be accessible from outside and also we will drop packets going out of eth0 in the POSTROUTING chain of the nat table so that the printer's IP address doesn't get NATed.

iptables –t nat –A POSTROUTING –o eth0 –s 192.168.1.100 –j DROP

For the children's computer, we will perform transparent proxy, meaning that the computer will use the proxy server without configuring the web browser. We have already set up the proxy server, so now we need to redirect all the traffic for port 80 TCP to the proxy server. We also want the children's computer to access port 443 TCP, which is HTTPS:

iptables -t nat -A PREROUTING -s 192.168.1.55 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING –o eth0 -s 192.168.1.55 -p tcp --dport 443 -j MASQUERADE

Now, requests from 192.168.1.55 to any host having the destination port 80 or 443 will go to our proxy server; so everything is done locally and we don't have to masquerade 192.168.1.55 for those requests.
Next, we need to masquerade the children's computer when it sends DNS requests to our provider:

iptables –t nat –A POSTROUTING –o eth0 –s 192.168.1.55 –p udp –-dport 53 –j MASQUERADE

DNS requests use port 53 UDP; so now the children's computer can access any DNS servers.
We want to allow them to use Yahoo! Messenger only for chatting (not voice or file transfer). Reading the Yahoo! Messenger help, we see that Yahoo! Messenger uses ports 20, 23, 25, 80, 119, 5050, 8001, and 8002. Also, we see that the hosts needed for instant messaging using Yahoo! Messenger are:

  1. scs.msg.yahoo.com
  2. scsa.msg.yahoo.com
  3. scsb.msg.yahoo.com
  4. scsc.msg.yahoo.com

So it's better to masquerade the children's computer IP address when accessing those hosts; we should do like this:

iptables –t nat –A POSTROUTING –o eth0 –s 192.168.1.55 –d scs.msg.yahoo.com –j MASQUERADE
iptables –t nat –A POSTROUTING –o eth0 –s 192.168.1.55 –d scsa.msg.yahoo.com –j MASQUERADE
iptables –t nat –A POSTROUTING –o eth0 –s 192.168.1.55 –d scsb.msg.yahoo.com –j MASQUERADE
iptables –t nat –A POSTROUTING –o eth0 –s 192.168.1.55 –d scsc.msg.yahoo.com –j MASQUERADE

When using a canonical name instead of an IP address in the syntax of iptables, the Linux router will resolve the IP address(es) of the canonical name and insert the rules in the kernel using those IP addresses. If one canonical name is resolved to multiple IP addresses, then iptables will insert in the kernel a number of rules equal to the number of IP addresses resolved, each line having one of the resolved IP addresses.

 

Now that we have set up access for the children's computer, we have to deny access to other ports and hosts. We do that in the POSTROUTING chain of the nat table:

iptables –t nat –A POSTROUTING –o eth0 –s 192.168.1.55 –j DROP

The laptop and desktop computer must be able to access anything, and so, no special rules are inserted for them, except the MASQUERADE rule for our network, which we will append now:

iptables –t nat –A POSTROUTING –o eth0 –s 192.168.1.0/24 –j MASQUERADE

One more configuration must be done in the nat table to provide the ability to log in remotely to the desktop computer using VNC. We set up VNC server to use TCP port 9112 on the desktop computer, so we have to perform DNAT for this port as follows:

iptables –t nat –A PREROUTING –p tcp –-dport 9112 –j DNAT –-to 192.168.1.11

This is all the configuration that we need for the local network. We need to set up some firewall rules to secure the Linux router.
First, we need SSH to run on the Linux router so we can administer it remotely. To secure the SSH access, it is best to create a chain called SSH in which we permit or deny access to SSH. If a vulnerability is discovered in OpenSSH, it's very likely that worms scanning for OpenSSH servers on port 22 will appear in a few hours. Therefore, we might want to run the SSH server on another port than the standard one (for example, 1234). The SSH chain is created by:

iptables –N SSH

Next, we insert a rule that tells the kernel to look up the SSH chain for all incoming TCP connections on port 1234:

iptables –A INPUT –p tcp –-dport 1234 –j SSH

We must insert rules in the SSH chain to allow access only from trusted hosts. Let's say that the IP address at our office is 1.2.3.4:

iptables –A SSH –s 1.2.3.4 –j ACCEPT
iptables –A SSH –s 192.168.1.0/27 –j ACCEPT
iptables –A SSH –s 0/0 –j DROP

The first rule accepts connections from our office IP address 1.2.3.4. The second rule allows incoming SSH connections only from 192.168.1.0/27, which contains IP addresses from 192.168.1.1 to 192.168.1.32, as we don't want to allow SSH access from the children's computer, the printer, and the gaming device. The third rule drops all other incoming connections to port 1234.
The proxy server (Squid) has its own security by using access lists. However, the best way to secure it and the router is to drop TCP SYN packets from the Internet in the input chain. This way, no incoming connection to the Linux router can be made from the Internet, except SSH on port 1234 from 1.2.3.4, which is matched before this rule. We also want to accept all packets on the loopback interface (lo) for IPC (internal process communications).

iptables –A INPUT –i lo –j ACCEPT
iptables –A INPUT –i eth0 –p tcp –-syn –j DROP

Dropping SYN packets offers a good protection for processes that might have bugs. However, this only drops incoming TCP connections with the SYN flag set (the request to set up a TCP connection), and will not offer any protection to software that opens UDP ports.

legal disclaimer

Our website is not responsible for the information contained by this article. Web-articles is a free articles resource.
Suggestion: If you need fresh, daily updated content for your website, feel free to use our service. Click here for more information.

related articles

1. Public and Private IP Addresses
The Internet is a public network, and therefore a device connected directly to the Internet has a public IP address. Those IP addresses must be administered by someone in such way that two devices connected to the public network don't use the same IP address or that two networks don't have the same network address. This job was done by InterNIC (Internet Network Information Center), which has been succeeded by IANA (Internet Assigned Numbers Authority). IANA makes sure to provide unique IP network addresses to Internet Service Provide...

2. IP Supernetting or CIDR
CIDR stands for "Classless Inter-Domain Routing". It is a new addressing scheme for the Internet, intended to replace the old classful (Class A, B, C) address scheme. CIDR allows a more efficient allocation of IP addresses and uses routing aggregation for minimizing the routing table entries, and is also called supernetting. A recapitulation of classful IP addressing shows us the following: Address ...

3. Linux Security Threats
Creating firewalls may block some malicious attempts on your network, but this step is far from running an entirely secure network. As a network administrator or security consultant, to design a proper firewall for your network you need to know what you defend your network from. We cannot fully discuss this topic, even in 1000 pages, but we want to explain some principles that you should consider in running a safe network. As hard as it may seem to protect your network from the outside world, the most dangerous threats always come f...

4. IP Spoofing
An attacker might spoof a trusted IP address when communicating to a host in order to gain unauthorized access on that host. There are a variety of tools that can be found on the Internet to do IP spoofing. Using IP spoofing, attackers can also initiate Denial of Service by sending data with the source IP spoofed to the attacked IP address. The receiver then sends back replies that can contain large amounts of data to the attacked IP address resulting in...

5. BIND Domain Name System DNS
BIND (Berkley Internet Name Domain) is the most used DNS server on the Internet. Nowadays, every Linux distribution has a BIND package for DNS services. The problem with BIND and any DNS server is that in order to be able to translate names into IP addresses it has to communicate with a whole lot of other DNS servers, and so, filtering DNS packets is not possible. DNS services are vital for internet connection; so in order to disrupt services to victims, attackers have a great interest in bringing down DNS servers. Although BIN...

6. Simple Network Management Protocol SNMP
These days, most network devices use SNMP for remote monitoring and configuration. SNMP is a simple protocol used usually to create monitoring software that can retrieve information such as network traffic, CPU load, disk load, etc., and also to modify configuration of devices such as wireless equipment, broadband routers, etc. Most SNMP implementations on those kinds of network devices use version 1 or version 2, which have a very weak authentication method. SNMP version 1 contains a set of bugs in the way SNMP traps and reques...

7. Firewalls, netfilter/iptables
The two things needed to build firewalls and Quality of Service (QoS) with Linux are two packages named netfilter and iproute. While netfilter is a packet filtering framework included in the Linux kernels 2.4 and 2.6, iproute is a package containing a few utilities that allow Linux users to do advanced routing and traffic shaping. This article is intended to introduce the tools we will use throughout this article. However, netfilter ...

8. Iptables Target Specifications in Linux
For the filter table, the most used targets for firewall rules are DROP and ACCEPT. If a rule matches the filtering specifications and has a DROP target, the packet will simply be discarded. If a packet matches a rule with a DROP target, the Linux kernel will drop the packet without consulting other rules in the firewall. If the target is ACCEPT, then the packet is accepted without further consultation of other firewall rules. An alternative to DROP is the REJECT target, which drops the packet but sends an ICMP packet to the sou...