Re: Modem Gateway
On Wed, 2002-07-24 at 13:17, Dan Hunt wrote:
>
> Now on with the firewall.
>
You can use the iptables save command, as Geoff suggested, but this is
the way I do it. YMMV.
I made an /etc/init.d/firewall script. It looks like this...
-----------------------------------------------------------
#!/bin/sh
# start, stop, restart the firewall
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DESC="firewall"
NAME=firewall

# Reset the built-in chains to ACCEPT and empty them, in both the filter
# and the nat table. User-defined chains (block_all_external) are left in
# place; /etc/firewall.conf removes and recreates its own chains.
flush_rules ()
{
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD
    iptables -t nat -F POSTROUTING
    iptables -t nat -F PREROUTING
    iptables -t nat -F OUTPUT
}

# The ruleset itself lives in /etc/firewall.conf and is sourced here.
load_tables ()
{
    . /etc/firewall.conf
}

case "$1" in
    start)
        printf "Starting %s: " "$DESC"
        flush_rules
        load_tables
        echo "done."
        ;;
    stop)
        printf "** WARNING **: Stopping %s: " "$DESC"
        flush_rules
        echo "done."
        ;;
    restart)
        printf "Restarting %s: " "$DESC"
        flush_rules
        load_tables
        echo "done."
        ;;
    *)
        # $0 already holds the full path when run as /etc/init.d/firewall,
        # so build the usage string from the script name instead
        N=/etc/init.d/$NAME
        echo "Usage: $N {start|stop|restart}" >&2
        exit 1
        ;;
esac

exit 0
--------------------------------------------------------------
Stick that in /etc/init.d/firewall and then set the executable bit:
chmod a+x /etc/init.d/firewall
What this script does: if it's called as '/etc/init.d/firewall stop', it
flushes all the rules from the inbuilt chains. It completely removes the
firewall *including the masquerading*!
If you run it as '/etc/init.d/firewall start', it runs the script
/etc/firewall.conf
In /etc/firewall.conf I have my firewall script set up. A simple one
would be (some of these lines have split and will need to be on one
line; each line begins with an iptables and is one line)
---------------------------------------------------------------
#
# firewall config /etc/firewall.conf
#
# our external interface
EXTERNAL_IF=ppp0
# Create a new chain that blocks all *new* connections from being
# established. We call this chain block_all_external
# clear if it's left over (on the very first run the chain does not exist
# yet, so the errors from these two commands are silenced)
iptables -F block_all_external 2>/dev/null
iptables -X block_all_external 2>/dev/null
# new chain
iptables -N block_all_external
# allow established connections
iptables -A block_all_external -m state --state ESTABLISHED,RELATED -j ACCEPT
# continue processing new connections from inside our network
# ("! -i" is the negation form current iptables accepts; the older
# "-i !" spelling is deprecated in newer versions)
iptables -A block_all_external -m state --state NEW ! -i $EXTERNAL_IF -j RETURN
# log the rest (-m limit rate-limits the LOG rule so syslog cannot be flooded)
iptables -A block_all_external -i $EXTERNAL_IF -m limit -j LOG --log-prefix "Bad packet from $EXTERNAL_IF:"
iptables -A block_all_external ! -i $EXTERNAL_IF -m limit -j LOG --log-prefix "Bad packet not from $EXTERNAL_IF:"
# drop the rest
iptables -A block_all_external -j REJECT
# Input Chain
# -----------
iptables -A INPUT -j block_all_external
# Forward chain
# -------------
iptables -A FORWARD -j block_all_external
# Output chain
# ------------
# Postrouting chain
# -----------------
# Masquerade the connection out the external link
iptables -t nat -A POSTROUTING -o $EXTERNAL_IF -j MASQUERADE
----------------------------------------------------------------------
Set this as executable too. This is a simple ruleset that masquerades
your internal machines, and blocks all new connections from outside your
network and logs them to syslog.
I have more in mine. I block malicious ICMPs and block IRC completely
(remote control trojans often use IRC to connect to their controllers)
and block certain UDP packets. For more information you should read the
"Linux 2.4 NAT HOWTO" and the "Linux 2.4 Packet Filtering HOWTO". Search
on Google for them.
Once you have your scripts in place, and starting and stopping the
firewall works OK, you can have the computer start up the firewall on
startup by (assuming a default Debian install - runlevel 2)...
cd /etc/rc2.d
ln -s ../init.d/firewall S20firewall
This will set up a symlink to start the firewall on boot into runlevel 2.
Note that with the above firewall, if you, say, have Apache running on
your gateway machine, only machines inside the network will be able to
see it. External machines will not.
It is best you not rely on this, but understand what is actually going
on. Security is a state of mind, not just something you install. The
HOWTOs mentioned above are excellent, and will have you building your
own custom rulesets tailored to your needs in no time at all. Just put
the commands you want to execute into /etc/firewall.conf and then run
/etc/init.d/firewall restart.
Fantastic!
Crispin Wellington
--
To UNSUBSCRIBE, email to debian-user-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
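The ruleset above only logs what it rejects; the following is an added example, not part of Crispin's post, showing how to read those logs back out of syslog. It assumes the netfilter LOG line format ("<prefix>IN=... SRC=... PROTO=... DPT=...") and uses the two prefixes from /etc/firewall.conf; the lines in SAMPLE_LOG are constructed samples, not real traffic.

```shell
#!/bin/sh
# Summarise packets rejected by the block_all_external chain, using the
# "Bad packet from ppp0:" / "Bad packet not from ppp0:" prefixes from the
# LOG rules in /etc/firewall.conf. SAMPLE_LOG is a constructed sample of
# kernel log lines in the netfilter LOG format (the last line is unrelated
# kernel noise and must be ignored).
SAMPLE_LOG='Jul 24 13:20:01 gw kernel: Bad packet from ppp0:IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TTL=113 ID=4321 DF PROTO=TCP SPT=3421 DPT=80 SYN URGP=0
Jul 24 13:20:02 gw kernel: Bad packet from ppp0:IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TTL=113 ID=4322 DF PROTO=TCP SPT=3422 DPT=80 SYN URGP=0
Jul 24 13:20:05 gw kernel: Bad packet from ppp0:IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=40 TTL=50 ID=1 PROTO=TCP SPT=6000 DPT=22 SYN URGP=0
Jul 24 13:20:06 gw kernel: Bad packet from ppp0:IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=28 TTL=50 ID=2 PROTO=UDP SPT=5555 DPT=137 LEN=8
Jul 24 13:20:07 gw kernel: Bad packet not from ppp0:IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.1 LEN=40 TTL=64 ID=3 PROTO=TCP SPT=1025 DPT=25 ACK URGP=0
Jul 24 13:20:08 gw kernel: martian source 10.0.0.1 from 198.51.100.9, on dev ppp0'

# Count rejected packets per (in-interface, protocol, source, dest port).
# Reads log text on stdin; prints "count iface proto src dpt", busiest first.
summarize_blocked() {
    grep 'Bad packet' | awk '
    {
        iface = ""; proto = ""; src = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            # IN= is glued to the log prefix ("ppp0:IN=ppp0"), so cut up to it
            if ($i ~ /(^|:)IN=/)     { iface = $i; sub(/.*IN=/, "", iface) }
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^SRC=/)   src = substr($i, 5)
            else if ($i ~ /^DPT=/)   dpt = substr($i, 5)
        }
        count[iface " " proto " " src " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# External sources that touched at least $1 distinct destination ports:
# the trace a port sweep leaves in these logs. Prints "src ports".
scanning_sources() {
    summarize_blocked | awk -v min="$1" -v ext="${EXTERNAL_IF:-ppp0}" '
    $2 == ext { ports[$4 " " $5] = 1 }
    END {
        for (k in ports) { split(k, f, " "); n[f[1]]++ }
        for (s in n) if (n[s] >= min) print s, n[s]
    }' | sort
}

printf '%s\n' "$SAMPLE_LOG" | summarize_blocked
printf '%s\n' "$SAMPLE_LOG" | scanning_sources 2
```

On a live gateway, replace the sample with `grep 'Bad packet' /var/log/syslog | summarize_blocked`.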