Using Linux as a firewall
By Alastair Cousins
28 May, 2002 10:00 Sydney, Australia
This month we discuss how to secure an Internet gateway (or any Linux computer connected to the Internet, for that matter) using a firewall. A firewall is essentially a barrier between a computer and the network to which it is connected: it inspects data travelling in both directions and only permits certain data to pass, according to a set of rules given to the firewall when it is set up.
The most basic firewall strategy, and the one we will implement in this article, is to deny all connections from the outside network, while allowing the local computer to access the outside network without restriction. With this configuration we can access the Internet as we always have, while at the same time being protected against nasties such as hacking attempts.
Two tools are used to configure a firewall; which tool you use is dependent on the kernel your Linux system runs. To determine your kernel version, type the following in a shell:
$ uname -r
On my computer, this returns "2.4.17". The second number in this version is important. If your kernel version is of the form 2.2.x, follow the instructions under the heading IP Chains. If your kernel is like mine, and of the form 2.4.x, follow the instructions under the heading IP Tables.
IP Chains
The following script will set up a basic firewall on your computer. Open up your text editor and type in the script below. You will then have to save the script as /etc/rc.d/rc.firewall. Change <LAN IP> in the script to the IP range of your LAN; for example, my LAN uses IP addresses in the range 192.168.0.1-255, so I replace <LAN IP> with 192.168.0.0/24.
#!/bin/sh
IP=$1
IPCHAINS=/usr/local/sbin/ipchains
# flush existing rules
$IPCHAINS -F input
# allow traffic from the LAN to pass.
$IPCHAINS -A input -s <LAN IP> -j ACCEPT
# allow high numbered TCP ports from the Internet # to pass
$IPCHAINS -A input -p TCP ! -y -d $IP 1024:65535 \"-j ACCEPT
# allow FTP transfers to pass
$IPCHAINS -A input -p TCP -y -s 0.0.0.0/0 20 -d $IP \ "1024:65535 -J ACCEPT
# allow DNS requests to pass
$IPCHAINS -A input -p UDP -s 0.0.0.0/0 53 -d $IP \ 1024.65535 -j ACCEPT
# allow ICMP (ping) requests to pass
$IPCHAINS -A input -p ICMP -j ACCEPT
# deny everything else from the Internet
$IPCHAINS -A input -i ! lo -l -j DENY
IP Tables
The following script will set up a basic firewall on your computer. Open up your text editor and type in the script below. You will then need to save the script as /etc/rc.d/rc.firewall. Change <LAN IP> in the script to the IP range of your LAN; for example, my LAN uses IP addresses in the range 192.168.0.1-255, so I replace <LAN IP> with 192.168.0.0/24.
#!/bin/sh
IP=$1
IPTABLES=/usr/local/sbin/iptables
# flush existing rules
$IPTABLES -F INPUT
# allow traffic from the LAN to pass
$IPTABLES -A INPUT -s <LAN IP> -j ACCEPT
# allow high numbered TCP ports from the Internet # to pass
$IPTABLES -A INPUT -p tcp ! --syn -d $IP --dport \"1024:65535 -j ACCEPT
# allow FTP transfers to pass
$IPTABLES -A INPUT -p tcp --syn --sport 20 -d $IP \ --dport 1024:65535 -j ACCEPT
# allow DNS requests to pass
$IPTABLES -A INPUT -p udp -s 0.0.0.0/0 --sport 53 -d \ $IP --dport 1024:65535 -j ACCEPT
# allow ICMP (ping) requests to pass
$IPTABLES -A INPUT -p icmp -j ACCEPT
# drop all other data
$IPTABLES -A INPUT -i ! lo -j DROP
Running the firewallOnce saved, the script will need to be made executable by typing:
$ chmod 700 /etc/rc.d/rc.firewall
If you are a modem user, add the following to the end of /etc/ppp/ip-up:
/etc/rc.d/rc.firewall $4
If you use a service such as cable or DSL, you will need to call this script after you have established your Internet connection by typing the following:
$ /etc/rc.d/rc.firewall <YOUR IP>
replacing <YOUR IP> with the IP of your cable or DSL connection.
Testing the firewall
There are a number of free Web-based services on the Internet with which you can test your firewall. These services will try to connect to your computer in a number of common ways to test for servers and holes in your firewall. They will then return the results for your inspection. Some good free testing services are www.auditmypc.com and www.dslreports.com/secureme_go.
Reply With Quote
Bookmarks