Re: What should I use?
Andreas Palsson wrote [in part]:
>
> I have been given the task to setup a firewall, but I'm no expert so I
> have to ask a few questions.
>
> I have a Debian box (P166/64) with 3 NIC's (3Com).
> I have an IP-range from .0 to .63.
> A Cisco router is the current gateway on .62.
> A mail/dns-server is placed on .33.
>
> What is a good solution with these tools?
Andreas,
Below is an excerpt from a response I sent someone who asked basically
the same question.
I hope it is of some help.
montefin
--------- EXCERPT BEGINS HERE ------------
Jonathan,
Man are you in luck.
I found two things just this weekend that will make firewalling Potato a
piece of cake for you!
First, you want a 'spoonfed Kernel compilation guide' for ipchains and
portfowarding? So did I, and here it is:
http://members.home.net/ipmasq/ipmasq-HOWTO-1.82-3.html#ss3.1
I chose to compile into the kernel, but just about all of the choices
can be modules.
Second, how about a dandy ipchains firewall startup script that even
'slightly' cooled my passion for iptables? Here it is, plus portmapper
and ssh scripts!:
http://www.linuxdoc.org/HOWTO/Securing-Domain-HOWTO-8.html#ss8.1
I searched weeks for guidance in both those areas and persistence
finally paid off.
The only tricky part about the firewall.sh and firewall.portmap.sh
scripts is 'where to put them in the Potato boottime sequence'. The
author shows how to do it for Slackware, not Debian. Well guess what? I
figured that out about 2AM this morning, and here it is too:
Once you've customized firewall.sh for your routing table (hint: the
author uses eth1 and you may have your 'outside' interface on eth0, as I
do. Just change it to eth0, if that's the case), then place your revised
firewall.sh and firewall.portmap.sh (WITH chmod 755 permissions) into
/etc/init.d./
Then, go into /etc/rcS.d/ and create these two symlinks:
[BIG NOTE: right after setting up my firewall, I upgraded to Woody which
uses a single file called /etc/runlevel.conf to replace all the symlinks
in the /etc/rcS.d directory. It very neatly retained the boottime order
as described below for Potato.]
ln -s ../init.d/firewall.sh S40firewall.sh [which boots the firewall
alphabetically just BEFORE S40networking starts the network daemons.]
and
ln -s ../init.d/firewall.portmap.sh S42firewall.portmap.sh [which runs
the portmap rules numerically just AFTER S41portmap starts the
portmapper.]
I probably learned more about ipchain'ing by reading that firewall.sh
script real carefully, line-by-line, than I did from all the other
HOWTO's and man pages I waded through over the last few weeks. The
author really gives you 'the sense' of what you're doing and why with
his comments, too. And that's a rarity. One thing however, where he says
"Don't bother logging accesses on TCP port 80, the www port." on Line
139 in the original script, he really should have mentioned that what
his lines were actually doing was blocking all port 80 requests and
_incidentally_ not logging them (no -l option).
I have ipmasqadm (http://juanjox.kernelnotes.org/ipmasqadm-0.4.2.tar.gz
), so I commented out Line 139 that DENY's access on port 80, and
appended the following portforwarding routine to the bottom of my
firewall.sh
script.
But _first_, I created a new variable in firewall.sh, $ETHINTERNAL.
Right below Line 12, which sets up the 'inet addr' that the 'ifconfig'
command will give you for eth0 (if that's where you connect to ppp/DSL)
LINE 12 reads:
ETHOUTSIDE="Your.eth0.inet.addr # fred.example.com's public IP
On LINE 13, I added
ETHINTERNAL="Your.eth1.inet.addr # montefin.example.com's
internal
webserver IP
which sets up the 'inet addr' that again the 'ifconfig' command will
give you for eth1, if that's where you connect to your internal machines
with servers.
Now, here's the addition to the firewall.sh script for portforwarding.
Right after the final lines that turn on ip_portforwarding (Lines 201
thru 204 in the original script), which read:
#
# Turn on forwarding
echo "1" > ${FORWARD_PROCENTRY}
I added
# -------- Portforwarding routine starts here ------------
sleep 5s # Just in case, give firewall a pause to complete.
#
# Enable IPPORTFW Redirection and forward all www accesses on
# TCP port 80 to our internal webserver
#
/usr/sbin/ipmasqadm portfw -f
/usr/sbin/ipmasqadm portfw -a -P tcp -L $ETHOUTSIDE 80 -R $ETHINTERNAL
80
# -------- Portforwarding routine ends here ---------------
I rebooted to see if there were boottime problems, and WOW! it worked.
Remember, to comment out that Line 139 (in the original script)
mentioned above that DENY's access to the www port 80. Otherwise, the
addition above will never get any www requests to forward, _if_, that
is, you have a webserver on a machine(s) beyond the firewall.
Jonathan, I hope I'm not overloading you here. This is all so fresh,
it's just pouring out.
I haven't tackled the shh routine yet, and I'm still trying to keep the
log files from getting out of hand, but the firewall blocks and the
portforwarding of www requests on to my internal network has been
working fine all day today.
Anyway, I hope I've been of some help. You sure helped me.
Of course, your mileage may vary; but I hope it doesn't, because it's
working well here.
montefin
----------- EXCERPT ENDS HERE -----------------
Reply to: