[ISN] Ten minute Firewall

From: InfoSec News (isnat_private)
Date: Wed Oct 09 2002 - 00:22:34 PDT

  • Next message: InfoSec News: "[ISN] Just a quick administrative note..."

    |  Linux Security: Tips, Tricks, and Hackery                       |
    |  Published by Onsight, Inc.                                      |
    |                                                                  |
    |  08-October-2002                                                 |
    |  http://www.hackinglinuxexposed.com/articles/20021008.html       |
    This issue sponsored by: Onsight, Inc, your source for open-source
    Onsight offers on-site training on Basic Perl programming, Advanced
    Perl programming, CGI programming using Perl, Tcl/Tk, XML and
    JavaScript. All courses are hands-on, designed by real-world
    consultants and fully customizable. Because all classes are on-site,
    our overhead is low and our prices consistently beat those of our
    competitors. Every Onsight instructor is a seasoned consultant able
    to provide back-end web programming, network security, system
    administration and other support services.
    For more information, visit http://www.onsight.com/
    Ten minute Firewall
    By Brian Hatch
    Summary: Create a simple but effective firewall for your home network
    in ten minutes or less.
    Newsletter Subscription Note: Welcome to the Linux Security: Tips,
    Tricks, and Hackery newsletter. Folks who were subscribed to the old
    ITWorld list are slowly signing up to the new one. Feel free to pass
    this message on to others. If you wish to subscribe and receive the
    newsletter each week in your email, go to http://lists.onsight.com/.
    For the last four months I've been living in a temporary apartment
    while our house was being remodeled and my servers have been in
    storage. For four months our daily computing lives have been reduced
    to two laptops directly attached to the Internet via DSL.
    This wasn't much of a problem for my machine, since it runs Linux and
    has a very paranoid set of iptables rulesets. My fiancee's, however,
    runs Windows 98, with enough vulnerabilities to fill an encyclopedia.
    So now that we're settled down, it's time to set up our LAN and get a
    proper firewall in place.
    Each major version of Linux has had a different firewalling software
    suite. 2.0 kernels had ipfwadm, 2.2 had ipchains, and 2.4 has
    iptables. (2.4 can support ipchains-style rules if you load the
    ipchains module.) Each offers great improvements from its
    predecessors. Iptables, aka Netfilter[1] offers extreemly powerful
    network controls, and can route packets to and from different
    machines and ports in ways beyond belief and understanding.
    Because of it's potential compexity, iptables can be intimidating.
    There are many Firewall scripts[2] out and about on the Internet, as
    well as some excellent firewall books[3]. If you want the nitty
    gritty, these are the places to go. Instead, here I intend to help
    you whip up a firewall in ten minutes or less. First, some lame ASCII
                                    +--- machine
      Internet -----  Firewall  ----+
                                    +--- machine
                                    +--- machine
    We're going to use a dedicated firewall machine with two network
    cards, and put all our machines behind it on the LAN. Let's assume we
    pick as the LAN network, offering us a maximum of 254
    hosts back there. We'll use for the firewall's LAN IP
    address (let's assume this is eth0) and assume that the IP address
    for the Internet side is 300.3.3.3 on eth1.
    Our firewall won't do much. We'll turn off all services except for
    ssh, which you should lock down by configuring your TCP Wrappers to
    deny all hosts except the lan:
      machine$ cat /etc/hosts.allow
      sshd: 192.168.1.
      machine$ cat /etc/hosts.deny
      ALL: ALL
    The only other thing we'll run on the firewall is a DHCPD server to
    distribute IP addresses to the LAN machines. We'll configure iptables
    to re-write all outbound packets from LAN hosts, thus masquerading
    all outbound connections as if they came from the firewall itself.
    This setup should work for any kind of Internet connectivity you
    have, be it dedicated DSL, dialup modem, or anything. The only tricky
    part may be making sure you have some way to know the IP address
    given to you by your ISP. While I'll call it 300.3.3.3 here, it's up
    to you to figure out what it is, and find some way to re-run our
    configuration should it change.
    First, let's set up our DHCP server by creating an /etc/dhcpd.conf
    file. We need to specify a blank configuration for the
    Internet-connected side (300.3.3.0/24, presumably) and then our
    actual data for inside:
      firewall$ cat /etc/dhcpd.conf
         subnet 300.3.3.0 netmask { }
         subnet netmask {
                allow bootp;
                option routers;
                option subnet-mask;
                option broadcast-address;
                # Adjust these lines
                option domain-name "example.com";
                option domains-name-servers A.B.C.D E.F.G.H;
                range dynamic-bootp;
                default-lease-time 18000;
                max-lease-time 18000;
                get-lease-hostnames on;
      firewall# /etc/init.d/dhcp start
      Internet Software Consortium DHCP Server 2.0pl4
      Copyright 1995, 1996, 1997, 1998, 1999 The Internet Software Consortium.
      All rights reserved.
      Please contribute if you find this software useful.
      For info, please visit http://www.isc.org/dhcp-contrib.html
      Listening on LPF/eth1/00:10:18:77:bd:28/
      Sending on   LPF/eth1/00:10:18:77:bd:28/
      Listening on LPF/eth0/00:e0:74:28:e9:e6/300.3.3.0
      Sending on   LPF/eth0/00:e0:74:28:e9:e6/300.3.3.0
      Sending on   Socket/fallback/fallback-net
    Ok, now that we've gotten our DHCP server started, internal machines
    will be able to use DHCP to get an address in the - range. I like to leave some IPs on the Class C for
    non-DHCP hosts, so are available for these machines if
    you wish.
    Ok, time to create your firewall rules. Create a startup script in /
    etc/init.d and link to it from the /etc/rcX.d directories as
    appropriate for your machine. Rather than hit each section piece by
    piece, I'll comment the script itself.
      # Definitions
      # Ok, let's load some of the modules we'll need to
      # support NAT and protocols that act stupid.
        modprobe iptable_nat
        modprobe ip_conntrack_ftp ip_nat_ftp
        modprobe ip_conntrack_irc ip_nat_irc
      # Whew.  Now that all those are out of the way, down to
      # the nitty gritty.  Let's set up our iptables rules.
        # Flush any existing tables
        iptables --flush
        iptables -t nat --flush
        # Drop packets on the Internet side going to/from the private use
        # multicast, reserved, and loopback networks.  Perform egress
        # filtering as well, to make sure we don't spoof others.
        for network in \
              iptables -A  INPUT -i $EXT_INTERFACE -s $network -j DROP
              iptables -A OUTPUT -i $EXT_INTERFACE -s $network -j DROP
        # Ok, now time to tell iptables that we want it to
        # re-write all connections that initiate from inside
        # to use it's external interface IP address, and re-write
        # any of the responses appropriately.
        iptables -t nat -F
        iptables -t nat -A POSTROUTING -o $INT_INTERFACE \
                    -j SNAT --to-source $EXT_IP
      # End of script
    That's it. If you lock down your firewall so it is secure, then you
    can provide Internet connectivity for your internal machines, while
    keeping them from being directly accessible from the internet.
    Undoubtably some folks will point out that there are many things I've
    left out, and I agree. For example this is a classic case of 'default
    allow' programming, which is a tried and true bad idea. You can
    create much more complicated firewall scripts that will protect
    against lots of things not covered here. For the paranoid folks with
    a good amount of time on their hands, you should write your scripts
    to explicitly define appropriate connections both inbound and
    outbound. But for a ten minute firewall installation, this solution
    offers a good deal of security beyond your typically direct-connected
    These days there seem to be hundreds of ready-to-go firewall scripts
    out there. I'd love to hear folks impressions and recomendations of
    those they've used in the past. I'll collect and summarize them next
    week for folks. Personally, I always write my own[5]
    Next week: firewall related /proc entries.
    [1] http://www.netfilter.org/
    [2] For example http://www.linux-firewall-tools.com/ftp/firewall/
    [3] See our recomendations at http://www.hackinglinuxexposed.com/
    [4] This type of firewall protects crackers from getting to your
    computers directly. But any vulnerabilities in your client software
    or protocol-related hacks are still are not protected.
    [5] Some might say that writing your own iptables rulesets is like
    acting as your own lawyer....
    Brian Hatch is Chief Hacker at Onsight, Inc and author of Hacking
    Linux Exposed and Building Linux VPNs. It seems like lately he's
    spent more time patching his fiancee's Windows 98 machine than he has
    spent sleeping. Now that the machine is back behind a firewall, he
    can bask in the artificial feeling of security with it's single point
    of failure. Of course Microsoft code counts as several on it's own.
    Brian can be reached at brianat_private
    This newsletter is distributed by Onsight, Inc.
    The list is managed with MailMan (http://www.list.org). You can
    subscribe, unsubscribe, or change your password by visiting
    http://lists.onsight.com/ or by sending email to
    Archives of this and previous newsletters are available at
    Copyright 2002, Brian Hatch.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Thu Oct 10 2002 - 19:45:23 PDT