
Re: Modem Gateway



On Wed, 2002-07-24 at 13:17, Dan Hunt wrote:
> 
> Now on with the firewall.
> 

You can use the iptables save command, as Geoff suggested, but this is
the way I do it. YMMV.

I made an /etc/init.d/firewall script. It looks like this...

-----------------------------------------------------------
#!/bin/sh

# start, stop, restart the firewall

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DESC="firewall"

flush_rules ()
{
        iptables -P INPUT ACCEPT
        iptables -P OUTPUT ACCEPT
        iptables -P FORWARD ACCEPT
        
        iptables -F INPUT
        iptables -F OUTPUT
        iptables -F FORWARD     

        iptables -t nat -F POSTROUTING
        iptables -t nat -F PREROUTING
        iptables -t nat -F OUTPUT
        
}

load_tables ()
{
        . /etc/firewall.conf
}


case "$1" in
  start)
        echo -n "Starting $DESC: "

        flush_rules
        load_tables

        echo "done."
        ;;
  stop)
        echo -n "** WARNING **: Stopping $DESC: "
        
        flush_rules
        
        echo "done."
        ;;
  restart)
        echo -n "Restarting $DESC: "
        flush_rules
        load_tables     
        echo "done."
        ;;
  *)
        N=/etc/init.d/${0##*/}   # $0 may already be the full path; keep only the script name
        echo "Usage: $N {start|stop|restart}" >&2
        exit 1
        ;;
esac

exit 0
--------------------------------------------------------------

Stick that in /etc/init.d/firewall and then set the executable bit

chmod a+x /etc/init.d/firewall

What this script does: if it's called as '/etc/init.d/firewall stop', it
flushes all the rules from the inbuilt chains. It completely removes the
firewall *including the masquerading*!

If you run it as '/etc/init.d/firewall start', it runs the script
/etc/firewall.conf.

In /etc/firewall.conf I have my firewall script set up. A simple one
would be (some of these lines have split and will need to be on one
line. Each line begins with an iptables and is one line)

---------------------------------------------------------------
#
# firewall config /etc/firewall.conf
#

# our external interface
EXTERNAL_IF=ppp0

# Create a new chain that blocks all *new* connections from being
# established. We call this chain block_all_external

# clear it if it's left over from a previous run (errors are expected
# the first time, when the chain does not exist yet)
iptables -F block_all_external 2>/dev/null
iptables -X block_all_external 2>/dev/null

# new chain
iptables -N block_all_external

# allow established connections
iptables -A block_all_external -m state --state ESTABLISHED,RELATED -j ACCEPT

# continue processing new connections from inside our network
iptables -A block_all_external -m state --state NEW -i ! $EXTERNAL_IF -j RETURN

# log the rest (-m limit with no rate uses the default of 3 entries per hour)
iptables -A block_all_external -i $EXTERNAL_IF -m limit -j LOG --log-prefix "Bad packet from $EXTERNAL_IF:"
iptables -A block_all_external -i ! $EXTERNAL_IF -m limit -j LOG --log-prefix "Bad packet not from $EXTERNAL_IF:"

# reject the rest (REJECT sends an error back to the sender; use DROP to
# discard silently instead)
iptables -A block_all_external -j REJECT


# Input Chain
# -----------
iptables -A INPUT -j block_all_external


# Forward chain
# -------------
iptables -A FORWARD -j block_all_external


# Output chain
# ------------


# Postrouting chain
# -----------------
# Masquerade the connection out the external link
iptables -t nat -A POSTROUTING -o $EXTERNAL_IF -j MASQUERADE

----------------------------------------------------------------------

Set this as executable too. This is a simple ruleset that masquerades
your internal machines, and blocks all new connections from outside your
network and logs them to syslog.

I have more in mine. I block malicious ICMPs and block IRC completely
(remote control trojans often use IRC to connect to their controllers)
and block certain UDP packets. For more information you should read the
"Linux 2.4 NAT HOWTO" and the "Linux 2.4 Packet Filtering HOWTO". Search
on Google for them.

Once you have your scripts in place, and starting and stopping the
firewall works OK, you can have the computer start up the firewall on
startup by (assuming a default debian install - runlevel 2)...

cd /etc/rc2.d
ln -s ../init.d/firewall S20firewall

This will set up a symlink to start the firewall on boot into runlevel 2.

Note that with the above firewall, if you, say, have apache running on
your gateway machine, only machines inside the network will be able to
see it. External machines will not.

It is best you not rely on this, but understand what is actually going
on. Security is a state of mind, not just something you install. The
HOWTOs mentioned above are excellent, and will have you building your
own custom rulesets tailored to your needs in no time at all. Just put
the commands you want to execute into /etc/firewall.conf and then run
/etc/init.d/firewall restart.

Fantastic!

Crispin Wellington
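A check that can be run after '/etc/init.d/firewall start' to confirm the loaded rules still match the policy described in the reply above. This is an added example, not part of Crispin's post or scripts: it reads an iptables-save dump from a file (so it also works offline on a saved copy), assumes ppp0 as the external interface, and the sample dump it carries is constructed, not captured from a real gateway.

```sh
#!/bin/sh
# Check that a loaded ruleset still matches the policy in the post. Reads an
# iptables-save dump from a file so it runs offline on a saved copy too:
#   iptables-save > /tmp/fw.dump; . ./check_fw.sh; check_ruleset /tmp/fw.dump ppp0
check_ruleset() {
    dump="$1"; ext="${2:-ppp0}"; fail=0
    # The custom chain must exist and be reached from INPUT and FORWARD; with
    # ACCEPT policies, a missing jump means nothing is filtered at all.
    grep -q '^:block_all_external ' "$dump" || { echo "no chain block_all_external"; fail=1; }
    for chain in INPUT FORWARD; do
        grep -q "^-A $chain -j block_all_external" "$dump" \
            || { echo "$chain does not jump to block_all_external"; fail=1; }
    done
    # ESTABLISHED,RELATED must be accepted before the final REJECT or replies to
    # masqueraded connections die. iptables-save may reorder the state list.
    acc=$(grep -n '^-A block_all_external .*state [A-Z,]*ESTABLISHED[A-Z,]* -j ACCEPT' "$dump" | cut -d: -f1 | head -n 1)
    rej=$(grep -n '^-A block_all_external -j REJECT' "$dump" | cut -d: -f1 | head -n 1)
    if [ -z "$acc" ] || [ -z "$rej" ] || [ "$acc" -gt "$rej" ]; then
        echo "ESTABLISHED/RELATED accept missing or after the REJECT"; fail=1
    fi
    # NEW connections may only come in from interfaces other than $ext. Old
    # iptables writes the negation as '-i ! ppp0', newer ones as '! -i ppp0'.
    grep -Eq "^-A block_all_external (! -i $ext|-i ! $ext) .*state NEW -j RETURN" "$dump" \
        || { echo "no RETURN rule for NEW connections from inside"; fail=1; }
    # Masquerade only on the external link, never unconditionally.
    grep -q "^-A POSTROUTING -o $ext -j MASQUERADE" "$dump" \
        || { echo "no MASQUERADE rule for $ext"; fail=1; }
    return $fail
}
# Constructed iptables-save output for the ruleset above (not captured from a
# real gateway); serves as sample input for check_ruleset.
sample_dump() {
    cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:block_all_external - [0:0]
-A INPUT -j block_all_external
-A FORWARD -j block_all_external
-A block_all_external -m state --state RELATED,ESTABLISHED -j ACCEPT
-A block_all_external ! -i ppp0 -m state --state NEW -j RETURN
-A block_all_external -i ppp0 -m limit --limit 3/hour -j LOG --log-prefix "Bad packet from ppp0:"
-A block_all_external -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}
```

A non-zero exit status with the printed reason means the live rules have drifted from the intended policy (for example after a 'stop' that was never followed by a 'start').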
