sarusij (ASKER) asked:

How do I set up a dedicated firewall machine (iptables)?

I need to deploy a web server. For security reasons I need to protect my server from the outside world. I dedicated a computer with two Ethernet interfaces for firewalling.

The external interface (eth1) is connected to a frame relay router and my IP is fixed (example) 235.177.16.152.
The internal interface (eth0) is connected to my local network, address range 192.168.0.0/28, while my web server is 192.168.0.14.

Two goals I need to achieve:
1. Allow all my local network users to freely access the internet.
2. Allow all external users to visit my web site while protecting against malicious intruders.

Firewall rules should be very tough: no external access to any computer configuration for anybody.

Jacob
jeremynd01

First, I suggest you check out some documents:

Masquerading made simple HOWTO (will get you up and running in five minutes):
http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/Masquerading-Simple-HOWTO.html

Linux NAT HOWTO (to understand above):
http://www.netfilter.org/documentation/index.html#HOWTO
(look for NAT HOWTO)

Packet Filtering HOWTO:
http://www.netfilter.org/documentation/index.html#HOWTO
(look for PACKET FILTERING HOWTO)


Basically, you want to use iptables (get rid of ipchains altogether - remove it, uninstall it, just get rid of it).  Once that's installed and its modules are loaded, you'll want the following rules:

To allow all incoming traffic on eth0 (trusted device)
iptables -A INPUT -i eth0 -j ACCEPT

To deny all traffic incoming on eth1 (external device)
iptables -A INPUT -i eth1 -j REJECT
(or REJECT can be DROP, if you want to be real tough about it).

To set up your webserver, you're going to have to allow connections to port 80.  Perhaps if you go a little more in depth about how your computers are networked, which computer is webserving, which is firewalling, etc..., I can help a little more.
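Taking the two rules above further, here is an added example (my own, not jeremynd01's or the asker's) of a complete deny-by-default ruleset for the layout in the question: eth1 outside with the fixed address 235.177.16.152, eth0 inside on 192.168.0.0/28, web server 192.168.0.14. The SSH-from-LAN management rule, the LOG lines and the FW_CMD dry-run switch are my assumptions, not anything the thread specifies.

```shell
#!/bin/sh
# Added example, not from the thread: a deny-by-default iptables ruleset for the
# two-interface firewall in the question. Interface names and addresses are the
# ones the question gives; the SSH-from-LAN rule is an assumption for management.
EXT_IF=eth1                 # towards the frame relay router
INT_IF=eth0                 # towards the LAN
EXT_IP=235.177.16.152       # fixed public address from the question
LAN=192.168.0.0/28
WEB=192.168.0.14            # the web server on the LAN

# firewall_rules [command]: builds the ruleset with the given command (default
# iptables); pass "echo" to print the rules instead of applying them.
firewall_rules() {
  ipt=${1:-iptables}

  # The kernel only routes between eth0 and eth1 with forwarding enabled
  if [ "$ipt" = iptables ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi

  # Clean slate, then deny everything that later rules do not explicitly allow
  $ipt -F
  $ipt -t nat -F
  $ipt -P INPUT DROP
  $ipt -P FORWARD DROP
  $ipt -P OUTPUT ACCEPT

  # Anti-spoofing: nothing arriving on the outside may carry a LAN source address
  $ipt -A INPUT   -i "$EXT_IF" -s "$LAN" -j DROP
  $ipt -A FORWARD -i "$EXT_IF" -s "$LAN" -j DROP

  # Replies to connections already in the state table are always allowed back
  $ipt -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
  $ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # The firewall itself: loopback, and SSH plus ping only from the LAN side
  $ipt -A INPUT -i lo -j ACCEPT
  $ipt -A INPUT -i "$INT_IF" -s "$LAN" -p tcp --dport 22 -j ACCEPT
  $ipt -A INPUT -i "$INT_IF" -s "$LAN" -p icmp --icmp-type echo-request -j ACCEPT

  # Goal 1: LAN hosts may open connections to the outside; their private
  # addresses are rewritten to the fixed public one on the way out
  $ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -m state --state NEW -j ACCEPT
  $ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j SNAT --to-source "$EXT_IP"

  # Goal 2: outside hosts reach only TCP/80 on the web server, via DNAT
  $ipt -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport 80 -j DNAT --to-destination "$WEB:80"
  $ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$WEB" -p tcp --dport 80 -m state --state NEW -j ACCEPT

  # Everything else falls through to the DROP policies; log a sample of it first
  $ipt -A INPUT   -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
  $ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP: "
}

# Dry run by default; FW_CMD=iptables ./firewall.sh (as root) applies the rules
firewall_rules "${FW_CMD:-echo}"
```

Run it without arguments to review the generated commands; only with FW_CMD=iptables does it touch the kernel. The `-m state` match is the one of the iptables generation this thread is about; current kernels spell the same thing `-m conntrack --ctstate`, and nftables can express the identical policy. Note that the asker's lab later turns out to sit behind a second NAT box with a DHCP address, in which case `MASQUERADE` on eth1 would replace the fixed-address `SNAT`.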
1. Read the documentation mentioned by jeremynd01

2. Have a look at https://www.experts-exchange.com/questions/20465511/Iptables-Portforwarding-problem.html
sarusij (ASKER)

I have read all this stuff already. My first problem, as it seems, is that even without firewalling, with INPUT, OUTPUT and FORWARD all set to ACCEPT, I am not able to ping between both nets (I have set ip_forward to 1).
I will add more precise info:
My internet connection uses a PC that is connected to the internet on one side, and its Ethernet port is connected to the non-trusted Ethernet port of the firewall (Ethernet IP of the PC 192.168.0.1, Ethernet IP address on the firewall 192.168.0.3, netmask 255.255.255.240 (eth1)).
The trusted network is connected to firewall eth1 (192.168.0.174, netmask 255.255.255.240).
Pinging from the firewall to anywhere is OK.
Pinging from the trusted network to both firewall addresses is OK.
Pinging from the non-trusted network to both firewall addresses is OK.
Pinging from trusted / non-trusted computers to non-trusted / trusted computers is NOK.

ifconfig for firewall

eth0      Link encap:Ethernet  HWaddr 00:00:F8:05:A5:FA
          inet addr:192.168.0.174  Bcast:192.168.0.175  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8683 errors:1 dropped:0 overruns:0 frame:0
          TX packets:24836 errors:0 dropped:0 overruns:0 carrier:0
          collisions:10 txqueuelen:100
          RX bytes:657558 (642.1 Kb)  TX bytes:6813765 (6.4 Mb)
          Interrupt:11 Base address:0xf000

eth1      Link encap:Ethernet  HWaddr 00:50:DA:C6:6B:41
          inet addr:192.168.0.3  Bcast:192.168.0.15  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:830 errors:0 dropped:0 overruns:0 frame:0
          TX packets:219 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:65454 (63.9 Kb)  TX bytes:24551 (23.9 Kb)
          Interrupt:9 Base address:0x6500

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:33 errors:0 dropped:0 overruns:0 frame:0
          TX packets:33 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2986 (2.9 Kb)  TX bytes:2986 (2.9 Kb)

route for firewall:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.240 U     0      0        0 eth1
192.168.0.160   0.0.0.0         255.255.255.240 U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
# more /proc/sys/net/ipv4/ip_forward
1

# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination


My trusted computer is 192.168.0.172/255.255.255.240 gateway 192.168.0.174

It might be that I am missing a Red Hat package that supports this forwarding; if so, which?

Do ALL your machines have the appropriate gateway?
sarusij (ASKER)

I believe so. All my computers on the non-trusted side can connect to the internet. The firewall can ping the internet. And the trusted computer's gateway is the firewall's trusted-side IP.
If I got it right, your network looks something like this:

Trusted    eth0       eth1    Untrusted     eth0     Internet
network ------ Firewall------- network -------- connection PC --Internet
I(nside)                        D(MZ)

The routing tables look something like:

I: 0.0.0.0 mask 0.0.0.0 gw 192.168.0.174
F: 0.0.0.0 mask 0.0.0.0 gw 192.168.0.1
PC:0.0.0.0 mask 0.0.0.0 gw whatever your net gw is
   192.168.0.160 mask 255.255.255.240 gw 192.168.0.3
D: 0.0.0.0 mask 0.0.0.0 gw 192.168.0.1
   192.168.0.160 mask 255.255.255.240 gw 192.168.0.3

Of course the directly connected networks and the loopbacks aren't in this table, but you should have no need to input those; they should appear automatically.

You can take out the last route from D, but I wouldn't recommend that.

Also, I hope you haven't played with proxy ARP, and that the netmasks are 255.255.255.240 on ALL your Ethernet interfaces (according to what you have explained).
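To make the return-route point concrete, here is an added example (my own, not from the thread): a small POSIX sh/awk simulator that walks a packet hop by hop through constructed routing tables modelled on the diagram above. The host names I, F, PC and D, the address 192.168.0.5 for D, and 203.0.113.1 as the provider hop beyond the connection PC are constructed; the tables before and after adding the 192.168.0.160/28 route on PC and D reproduce the "ping works one way only" symptom and its fix.

```shell
#!/bin/sh
# Added example, not from the thread: a route-lookup simulator that shows why a
# ping from the trusted net reaches the untrusted net but gets no reply until the
# untrusted hosts have a route back through the firewall (192.168.0.3).
# All tables, the address 192.168.0.5 for D and 203.0.113.1 for the ISP hop are constructed.

# Which host owns which address (from the thread's diagram; D's address is made up)
ADDRS='
I 192.168.0.172
F 192.168.0.174
F 192.168.0.3
PC 192.168.0.1
D 192.168.0.5
'
# Routing tables: host destination/prefix gateway (0.0.0.0 = directly connected)
ROUTES_BEFORE='
I 0.0.0.0/0 192.168.0.174
F 192.168.0.160/28 0.0.0.0
F 192.168.0.0/28 0.0.0.0
F 0.0.0.0/0 192.168.0.1
PC 192.168.0.0/28 0.0.0.0
PC 0.0.0.0/0 203.0.113.1
D 192.168.0.0/28 0.0.0.0
D 0.0.0.0/0 192.168.0.1
'
# The fix from the thread: PC and D get a route to the trusted net via 192.168.0.3
ROUTES_AFTER="$ROUTES_BEFORE
PC 192.168.0.160/28 192.168.0.3
D 192.168.0.160/28 192.168.0.3
"

# trace ROUTES SRC_HOST DST_IP: print the hop-by-hop path; it ends in UNREACHABLE
# when a hop has no route or the next hop is nobody we model (e.g. the ISP).
trace() {
  printf '%s\n' "$1" | awk -v src="$2" -v dst="$3" -v addrs="$ADDRS" '
  function ip2n(s,  a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
  function owner(ip,  h) { for (h in own) if (index(" " own[h] " ", " " ip " ")) return h; return "" }
  # longest-prefix match in one host table; returns the gateway or NONE
  function lookup(host, ip,  i, n, best, bestlen, shift) {
    best = "NONE"; bestlen = -1; n = ip2n(ip)
    for (i = 1; i <= nr; i++) {
      if (rhost[i] != host) continue
      shift = 2 ^ (32 - rlen[i])
      if (int(n / shift) * shift == ip2n(rnet[i]) && rlen[i] > bestlen) { bestlen = rlen[i]; best = rgw[i] }
    }
    return best
  }
  BEGIN { n = split(addrs, lines, "\n"); for (i = 1; i <= n; i++) if (split(lines[i], f, " ") == 2) own[f[1]] = own[f[1]] " " f[2] }
  NF == 3 { nr++; rhost[nr] = $1; split($2, p, "/"); rnet[nr] = p[1]; rlen[nr] = p[2] + 0; rgw[nr] = $3 }
  END {
    host = src; path = src
    for (hop = 0; hop < 8; hop++) {
      if (index(" " own[host] " ", " " dst " ")) { print path; exit }       # arrived
      gw = lookup(host, dst)
      if (gw == "NONE") { print path " UNREACHABLE"; exit }
      nexthop = (gw == "0.0.0.0") ? dst : gw                              # connected net: deliver directly
      host = owner(nexthop)
      if (host == "") { print path " -> " nexthop " UNREACHABLE"; exit }
      path = path " -> " host
    }
    print path " LOOP"
  }'
}

# ping_ok ROUTES SRC_HOST SRC_IP DST_HOST DST_IP: a ping only works if both directions route
ping_ok() {
  case "$(trace "$1" "$2" "$5")" in *UNREACHABLE*|*LOOP*) return 1 ;; esac
  case "$(trace "$1" "$4" "$3")" in *UNREACHABLE*|*LOOP*) return 1 ;; esac
  return 0
}

for t in BEFORE AFTER; do
  eval "r=\$ROUTES_$t"
  echo "$t: I->D  $(trace "$r" I 192.168.0.5)"
  echo "$t: D->I  $(trace "$r" D 192.168.0.172)"
  if ping_ok "$r" I 192.168.0.172 D 192.168.0.5; then echo "$t: ping I<->D works"; else echo "$t: ping I<->D fails"; fi
done
```

In the BEFORE table the echo request gets from I through F to D, but D's reply follows its default route to the connection PC, which hands it to the provider and loses it: exactly the "pings not answered" symptom in the thread. Adding the 192.168.0.160/28 route via 192.168.0.3 on the untrusted hosts (or, as the asker eventually did, pointing their default gateway at 192.168.0.3 and letting NAT handle the internet side) closes the loop.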
sarusij (ASKER)

Trusted Net                |---| Firewall                               |-|--|Internet gateway PC         |---Internet
192.168.0.160-192.168.0.173|---| eth0 (192.168.0.174)--eth1(192.168.0.3)|-|--|(eth-192.168.0.1—ADSL((DHCP)|---x.y.z.w
                                                                          |
                                                        Computer on the untrusted Net

The routing tables look something like:

I: 192.168.0.160+x mask 255.255.255.240 gw 192.168.0.174
F: 192.168.0.160    mask 255.255.255.240(Trusted side Eth0)
F: 192.168.0.0         mask 255.255.255.240 gw 192.168.0.1(unTrusted side Eth1)


I would prefer pinging from everywhere to any network before starting firewalling.
Do you have any idea where I can find documentation regarding the forwarding task?
You're right, I didn't make myself clear.

D is the computer in the untrusted net. It should have the routes I've written in the previous comment.

Setting ip_forward to 1 is enough for IP forward. You don't need any modules or anything special for that.
sarusij (ASKER)

It seems Windows cannot handle two gateways, or has a problem while sharing an internet connection; this is the reason it didn't reply to my pings. I will now start NAT and see what comes out of it.
OK, if you have Windows (although I thought it can handle multiple entries in the routing table), give the computers in the untrusted net 192.168.0.3 as default gateway.
Don't mind me saying it, but maybe you should read a little bit more. For some quick readings you can try:
http://www.sangoma.com/fguide.htm
http://www.tcpipprimer.com/section.cfm
sarusij (ASKER)

Yes, I have done it and I am able to ping untrusted and trusted computers, except for the internet gateway computer. When I changed its gateway to 192.168.0.3 it stopped accessing the internet (seems logical to me). NAT should help here.
I will read them, and I don't mind at all.
ASKER CERTIFIED SOLUTION
Mihai Barbos
sarusij (ASKER)

route (in Windows) did great.