DSL Firewall
Desktop Training - DSL Book

Project: Build a Firewall Using DSL

Damn Small 4.0 on CD $1.95

DSL Book (PDF Download)

This project will show you how to build a firewall using the rc.firewall script.

rc.firewall (projectfiles.com)

This firewall script is easy to use and is an effective way to build a firewall for your network.

Load the rc.firewall script using MyDSL. Now the rc.firewall script will be placed in the /etc/init.d directory. Move to this directory to set up the firewall.

cd /etc/init.d

 

Simple Commands

Notice that all of the commands start with a ./ which tells the system that it is a command to be executed.

 

These commands will start, stop and restart the firewall.

./rc.firewall start

./rc.firewall stop

./rc.firewall restart

 

./rc.firewall save [filename]

 

If you wanted to save your firewall script, a good idea, then use this command and save it as MyFirewall for example.

./rc.firewall save MyFirewall

Now if you had problems and needed to load the firewall from a backup or you wanted to move the firewall to another computer, you would be able to load it from this saved file.

./rc.firewall load MyFirewall

Now below you will see an example of the saved firewall. It will remove all of the unnecessary text, the text that explains each feature, and create a file with all of your settings.

# Linux Firewall configuration -- http://projectfiles.com/firewall/

# Generated by '/etc/init.d/rc.firewall save MyFirewall'
# on Sun Jul 10 02:46:54 EDT 2005.
# Generated with version: "2.0rc9".

PERMIT="my_isp_for_mail.net:110/tcp"
INTERNAL_INTERFACES="eth0"
DYNAMIC_INTERFACES=""
DENY_OUTBOUND=""
ALLOW_INBOUND=""
BLACKLIST=""
STATIC_INSIDE_OUTSIDE=""
PORT_FORWARDS=""
PORT_FWD_ALL="yes"
PORT_FWD_ROUTED_NETWORKS="yes"
ADDITIONAL_ROUTED_NETWORKS=""
TRUST_ROUTED_NETWORKS="yes"
SHARED_INTERNAL="yes"
FIREWALL_IP=""
TRUST_LOCAL_EXTERNAL_NETWORKS="no"
DMZ_INTERFACES=""
NAT_EXTERNAL="yes"
ADDITIONAL_NAT_INTERFACES=""
IGNORE_INTERFACES=""
LOGGING="no"
NO_RP_FILTER_INTERFACES=""
INTERNAL_DHCP="no"
RFC_1122_COMPLIANT="yes"
DROP_NEW_WITHOUT_SYN="no"
DUMP_TCP_ON_INIT="no"
TTL_STEALTH_ROUTER="no"
LOG_LIMIT="1/minute"
LOG_BURST="5"
LOG_LEVEL="notice"

return



# Generated by iptables-save v1.2.6a on Sun Jul 10 02:46:55 2005
*mangle
:PREROUTING ACCEPT [15:824]
:INPUT ACCEPT [13:688]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [13:1972]
:POSTROUTING ACCEPT [13:1972]
COMMIT
# Completed on Sun Jul 10 02:46:55 2005
# Generated by iptables-save v1.2.6a on Sun Jul 10 02:46:55 2005
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.5.0/255.255.255.0 -o eth1 -j SNAT --to-source 12.132.34.119
COMMIT
# Completed on Sun Jul 10 02:46:55 2005
# Generated by iptables-save v1.2.6a on Sun Jul 10 02:46:55 2005
*filter
:INPUT DROP [1:52]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [13:1972]
:TRUSTED - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.5.0/255.255.255.0 -i eth0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -m state --state NEW -j TRUSTED
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.5.0/255.255.255.0 -i eth0 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state NEW -j TRUSTED
-A OUTPUT -d 192.168.5.0/255.255.255.0 -o eth0 -p icmp -j ACCEPT
-A OUTPUT -p icmp -m state --state INVALID -j DROP
-A TRUSTED -d 12.132.34.119 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A TRUSTED -d 192.168.5.222 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A TRUSTED -p icmp -j DROP
-A TRUSTED -j REJECT --reject-with icmp-port-unreachable
COMMIT

This image gives you an idea of what a typical network using DSL will look like, an Internet connection using a router, with a firewall between the router and the entire internal network. The firewall is using a public IP Address on the outside network card and using a private IP Address on the inside which connects to the internal network. The DSL firewall in this example is doing NAT (Network Address Translation), it is not occurring at the router. This is often a good choice for many small networks that are sharing one router connection to the Internet as forcing the router to be a firewall and do NAT often creates a bottleneck for the whole network. The reason for this is that many people getting DSL for a small business or home network purchase cheap routers with low RAM thus making them very vulnerable to overwork. Using a separate machine to to NAT allows the router to route packets into the network faster and then shifts the load of NAT onto a second machine. The second machine can actually be an old machine as it will have plenty of resources to act as a firewall and do NAT.


This second example would be a machine that has a modem or dsl modem inside one machine on your network and you use it for a firewall for the entire internal network. The difference here is that all the firewall, routing and NAT occur on this machine. Either of these examples will allow you to use a firewall setup like the one listed.

Configuration Line by Line

 

# Linux Firewall configuration -- http://projectfiles.com/firewall/
# Generated by '/etc/init.d/rc.firewall save MyFirewall'
# on Sun Jul 10 02:46:54 EDT 2005.
# Generated with version: "2.0rc9".

PERMIT="my_isp_for_mail.net:110/tcp"

The PERMIT works on three levels; you may permit a single port, or you may permit a network or as in the example permit one network one port. The example shows how you may want to allow mail access to your internal network. This example shows how to configure your system to be able to connect to your ISP to download your email using POP3. The format is your mail server:port/protocol. Now remember that by default all of the hosts on the internal network will have access to all services already but the ISP needs a way to bring email via POP3.

INTERNAL_INTERFACES="eth0"

You will need to specify which network card is the internal network card. Each network card that is NOT listed here will be considered to be external and protected by the firewall.

DYNAMIC_INTERFACES=""

Any interfaces that do not have a static IP Address should be listed here. In the example networks shown above all IP Addresses are static. Note, if you are using a dial-up modem it will be listed as ppp0 and should be entered into this section.


DENY_OUTBOUND=""
When you want to control access that your internal network has to the Internet use this line.

Format
source network/mask :destination network: ports/protocol

Be careful because in the format the source network is NOT preceded with a : while the destination network is preceded with a :.

Here are examples on stopping all traffic for a specific port.

DENY_OUTBOUND=¨192.168.5.0/24 21/tcp¨ #Deny FTP
DENY_OUTBOUND=¨192.168.5.0/24 25/tcp¨ #Deny SMTP
DENY_OUTBOUND=¨192.168.5.0/24 443/tcp¨ #Deny SSL
These options will stop connections from the entire network. If you want to allow a computer on the network to connect using one of these ports enter it in the

This is what it looks like if you want allow your network to have access to ftp but not the ftp server at 12.192.34.56.

DENY_OUTBOUND=¨:12.192.34.56 21/tcp¨ #Deny FTP

Note the : in front of the IP Address which designates it as a destination not a source.


ALLOW_INBOUND=""

This option is used if you have a web server or ftp server on your internal network that you would like to allow access from the Internet.

ALLOW_INBOUND=":192.168.5.11:80/tcp"

 

This example is if you want allow access to your web server at 192.168.5.11.

 

ALLOW_INBOUND=":192.168.5.11:21/tcp" #Internal FTP Server

 

BLACKLIST=""

Here you can list those IP Addresses that you do not want any connection with at any time.


STATIC_INSIDE_OUTSIDE=""
PORT_FORWARDS=""
PORT_FWD_ALL="yes"
PORT_FWD_ROUTED_NETWORKS="yes"
ADDITIONAL_ROUTED_NETWORKS=""
TRUST_ROUTED_NETWORKS="yes"

This is allowing all outbound connections from your internal network.

SHARED_INTERNAL="yes"
FIREWALL_IP=""
TRUST_LOCAL_EXTERNAL_NETWORKS="no"
DMZ_INTERFACES=""
NAT_EXTERNAL="yes"

If you are allowing the firewall to do Network Address Translation, changing the IP Address from a public IP (12.132.34.119 in example above) to an internal private IP Address (192.168.5.0/24 network in example above), then this must be selected as yes.

ADDITIONAL_NAT_INTERFACES=""
IGNORE_INTERFACES=""
LOGGING="no"
NO_RP_FILTER_INTERFACES=""
INTERNAL_DHCP="no"
RFC_1122_COMPLIANT="yes"
DROP_NEW_WITHOUT_SYN="yes"

Netfilter does not consider SYN packets to be a part of an existing session, which is true for 99% of the time. There are some situations where SYN packets may be still a part of the session however. For best security practices however, this should be changed to yes to keep SYN packets out of a session as it will prevent crackers from sending you SYN packets.

DUMP_TCP_ON_INIT="no"
TTL_STEALTH_ROUTER="no"
LOG_LIMIT="1/minute"
LOG_BURST="5"
LOG_LEVEL="notice"

return



# Generated by iptables-save v1.2.6a on Sun Jul 10 02:46:55 2005
*mangle
:PREROUTING ACCEPT [15:824]
:INPUT ACCEPT [13:688]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [13:1972]
:POSTROUTING ACCEPT [13:1972]
COMMIT
# Completed on Sun Jul 10 02:46:55 2005
# Generated by iptables-save v1.2.6a on Sun Jul 10 02:46:55 2005
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.5.0/255.255.255.0 -o eth1 -j SNAT --to-source 12.132.34.119
COMMIT
# Completed on Sun Jul 10 02:46:55 2005
# Generated by iptables-save v1.2.6a on Sun Jul 10 02:46:55 2005
*filter
:INPUT DROP [1:52]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [13:1972]
:TRUSTED - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.5.0/255.255.255.0 -i eth0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -m state --state NEW -j TRUSTED
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.5.0/255.255.255.0 -i eth0 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state NEW -j TRUSTED
-A OUTPUT -d 192.168.5.0/255.255.255.0 -o eth0 -p icmp -j ACCEPT
-A OUTPUT -p icmp -m state --state INVALID -j DROP
-A TRUSTED -d 12.132.34.119 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A TRUSTED -d 192.168.5.222 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A TRUSTED -p icmp -j DROP
-A TRUSTED -j REJECT --reject-with icmp-port-unreachable
COMMIT