Solved

How do I set up a dedicated firewall machine (iptables)

Posted on 2003-02-23
Last Modified: 2010-03-18
I need to deploy a web server. For security reasons I need to protect my server from the outside world. I have dedicated a computer with two Ethernet interfaces for firewalling.

The external interface (eth1) is connected to a frame relay router and my IP is fixed, (example) 235.177.16.152.
The internal interface (eth0) is connected to my local network address range 192.168.0.0/28 while my web server is 192.168.0.14.

Two goals I need to achieve:-
1. Allow all my local network users to freely access the internet
2. Allow all external users to visit my web site while protecting against malicious intruders.

Firewall rules should be very tough: no external access to any computer's configuration for anybody.

Jacob
Question by:sarusij
17 Comments
 

Expert Comment

by:jeremynd01
ID: 8005287
First, I suggest you check out some documents:

Masquerading made simple HOWTO (will get you up and running in five minutes):
http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/Masquerading-Simple-HOWTO.html

Linux NAT HOWTO (to understand above):
http://www.netfilter.org/documentation/index.html#HOWTO
(look for NAT HOWTO)

Packet Filtering HOWTO:
http://www.netfilter.org/documentation/index.html#HOWTO
(look for PACKET FILTERING HOWTO)


Basically, you want to use iptables (get rid of ipchains altogether - remove it, uninstall it, just get rid of it).  Once that's installed and its modules are loaded, you'll want the following rules:

To allow all incoming traffic on eth0 (trusted device):
iptables -A INPUT -i eth0 -j ACCEPT

To deny all incoming traffic on eth1 (external device):
iptables -A INPUT -i eth1 -j REJECT
(or REJECT can be DROP, if you want to be really tough about it).

To set up your webserver, you're going to have to allow connections to port 80.  Perhaps if you go a little more in depth about how your computers are networked, which computer is webserving, which is firewalling, etc., I can help a little more.
0
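As an added example (written for this page, not posted by jeremynd01 or anyone else in the thread), here is a complete ruleset for the two-interface setup described in the question, in iptables-restore format: default DROP policies, masquerading for the LAN (goal 1), port 80 alone forwarded to the web server at 192.168.0.14 (goal 2), anti-spoofing rules and rate-limited logging of what gets dropped. It assumes POSIX sh, the `-m state` and `-m limit` matches of iptables on a 2.4 kernel, and the interface names and addresses from the question.

```shell
# Added example (not from the thread): emit an iptables-restore ruleset for the
# two-NIC firewall in the question (addresses are the asker's example values).
# iptables-restore ignores '#' lines, so the ruleset can carry its own comments.
EXT_IF=eth1                 # external, towards the frame relay router
INT_IF=eth0                 # internal, trusted LAN
EXT_IP=235.177.16.152       # fixed external address
LAN_NET=192.168.0.0/28      # trusted network
WEB_SERVER=192.168.0.14     # the only service reachable from outside
gen_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Goal 2: publish only port 80 of the web server on the fixed external address
-A PREROUTING -i $EXT_IF -d $EXT_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER:80
# Goal 1: hide LAN clients behind the external address
-A POSTROUTING -o $EXT_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Anti-spoofing: nothing arriving from outside may claim a LAN source address
-A INPUT -i $EXT_IF -s $LAN_NET -j DROP
-A FORWARD -i $EXT_IF -s $LAN_NET -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Firewall admin (ssh) only from the trusted side; nothing from the outside
-A INPUT -i $INT_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN -> Internet, any protocol
-A FORWARD -i $INT_IF -o $EXT_IF -s $LAN_NET -j ACCEPT
# Internet -> web server, new HTTP connections only (already DNATed above)
-A FORWARD -i $EXT_IF -o $INT_IF -d $WEB_SERVER -p tcp --dport 80 -m state --state NEW -j ACCEPT
# Log what the policy drops from outside, rate limited so the log cannot be flooded
-A INPUT -i $EXT_IF -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: "
-A FORWARD -i $EXT_IF -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP: "
COMMIT
EOF
}
# Number of -A rules emitted (sanity check); 12 for the ruleset above.
rule_count() { gen_rules | grep -c '^-A'; }
# Load the ruleset atomically and enable routing between the two interfaces.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gen_rules | iptables-restore
}
```

Run `gen_rules` first to review the output, then `apply_rules` as root; because iptables-restore replaces the whole table in one step, a typo cannot leave the firewall half-configured the way a sequence of individual iptables commands can.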
 
LVL 6

Expert Comment

by:mbarbos
ID: 8012124
1. Read the documentation mentioned by jeremynd01

2. Have a look at http://www.experts-exchange.com/Operating_Systems/Linux/Q_20465511.html
0
 

Author Comment

by:sarusij
ID: 8098078
I have read all this stuff already. My first problem, as it seems, is that even without firewalling, with INPUT, OUTPUT and FORWARD all set to ACCEPT, I am not able to ping between both nets (I have set ip_forward to 1).
I will add more precise info:-
My internet connection uses a PC that is connected to the internet on one side, and its Ethernet port is connected to the non-trusted Ethernet port of the firewall (Ethernet IP of the PC 192.168.0.1, Ethernet IP address in the firewall 192.168.0.3, netmask 255.255.255.240 (eth1)).
The trusted network is connected to firewall eth1 (192.168.0.174 netmask 255.255.255.240).
Pinging from the firewall to anywhere is OK.
Pinging from the trusted network to both firewall addresses is OK.
Pinging from the non-trusted network to both firewall addresses is OK.
Pinging from trusted / non-trusted computers to non-trusted / trusted computers is NOK.

ifconfig for firewall

eth0      Link encap:Ethernet  HWaddr 00:00:F8:05:A5:FA
          inet addr:192.168.0.174  Bcast:192.168.0.175  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8683 errors:1 dropped:0 overruns:0 frame:0
          TX packets:24836 errors:0 dropped:0 overruns:0 carrier:0
          collisions:10 txqueuelen:100
          RX bytes:657558 (642.1 Kb)  TX bytes:6813765 (6.4 Mb)
          Interrupt:11 Base address:0xf000

eth1      Link encap:Ethernet  HWaddr 00:50:DA:C6:6B:41
          inet addr:192.168.0.3  Bcast:192.168.0.15  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:830 errors:0 dropped:0 overruns:0 frame:0
          TX packets:219 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:65454 (63.9 Kb)  TX bytes:24551 (23.9 Kb)
          Interrupt:9 Base address:0x6500

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:33 errors:0 dropped:0 overruns:0 frame:0
          TX packets:33 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2986 (2.9 Kb)  TX bytes:2986 (2.9 Kb)

route for firewall:-
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.240 U     0      0        0 eth1
192.168.0.160   0.0.0.0         255.255.255.240 U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
# more /proc/sys/net/ipv4/ip_forward
1

# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination


My trusted computer is 192.168.0.172/255.255.255.240 gateway 192.168.0.174

It might be that I am missing a Red Hat package that supports this forwarding; if so, which?

0
 
LVL 6

Expert Comment

by:mbarbos
ID: 8098148
Do ALL your machines have the appropriate gateway ?
0
 

Author Comment

by:sarusij
ID: 8098300
I believe so. All my computers on the non-trusted side can connect to the internet, the firewall can ping the internet, and the trusted computer's gateway is the firewall's trusted-side IP.
0
 
LVL 6

Expert Comment

by:mbarbos
ID: 8099102
If I got it right, your network looks something like this:

Trusted    eth0       eth1    Untrusted     eth0     Internet
network ------ Firewall------- network -------- connection PC --Internet
I(nside)                        D(MZ)

The routing tables look something like:

I: 0.0.0.0 mask 0.0.0.0 gw 192.168.0.174
F: 0.0.0.0 mask 0.0.0.0 gw 192.168.0.1
PC:0.0.0.0 mask 0.0.0.0 gw whatever your net gw is
   192.168.0.160 mask 255.255.255.240 gw 192.168.0.3
D: 0.0.0.0 mask 0.0.0.0 gw 192.168.0.1
   192.168.0.160 mask 255.255.255.240 gw 192.168.0.3

Of course the directly connected networks and the loopbacks aren't in this table, but you should have no need to input those; they should appear automatically.

You can take out the last route from D, but I wouldn't recommend that.

Also, I hope you haven't played with proxy ARP, and that the netmasks are 255.255.255.240 on ALL your ethernet interfaces (according to what you have explained).
0
 

Author Comment

by:sarusij
ID: 8099503
Trusted Net                |---| Firewall                               |-|--|Internet gateway PC         |---Internet
192.168.0.160-192.168.0.173|---| eth0 (192.168.0.174)--eth1(192.168.0.3)|-|--|(eth-192.168.0.1—ADSL((DHCP)|---x.y.z.w
                                                                          |
                                                        Computer on the untrusted Net

The routing tables look something like:

I: 192.168.0.160+x mask 255.255.255.240 gw 192.168.0.174
F: 192.168.0.160    mask 255.255.255.240(Trusted side Eth0)
F: 192.168.0.0         mask 255.255.255.240 gw 192.168.0.1(unTrusted side Eth1)


I would prefer pinging from everywhere to any network before starting firewalling.
Do you have any idea where I can find documentation regarding the forwarding task?
0
 
LVL 6

Expert Comment

by:mbarbos
ID: 8099625
You're right, I didn't make myself clear.

D is the computer in the untrusted net. It should have the routes I've written in the previous comment.

Setting ip_forward to 1 is enough for IP forward. You don't need any modules or anything special for that.
0
 

 
LVL 6

Expert Comment

by:mbarbos
ID: 8101726
?
0
 

Author Comment

by:sarusij
ID: 8110865
It seems Windows cannot handle two gateways, or has a problem while sharing an internet connection; this is the reason it didn't reply to my pings. I will start NAT now and see what comes out of it.
0
 
LVL 6

Expert Comment

by:mbarbos
ID: 8111323
OK, if you have Windows (although I thought it can handle multiple entries in the routing table), give the computers in the untrusted net 192.168.0.3 as their default gateway.
0
 
LVL 6

Expert Comment

by:mbarbos
ID: 8111393
Don't mind me saying it, but maybe you should read a little bit more. For some quick reading you can try:
http://www.sangoma.com/fguide.htm
http://www.tcpipprimer.com/section.cfm
0
 

Author Comment

by:sarusij
ID: 8112358
Yes, I have done it and I am able to ping untrusted and trusted computers, except for the internet gateway computer. When I changed its gateway to 192.168.0.3 it stopped accessing the internet (seems logical to me). NAT should help here.
I will read them, and I don't mind at all.
0
 
LVL 6

Accepted Solution

by:
mbarbos earned 150 total points
ID: 8113382
You can add routes to a Windows machine from the command line with route. Don't forget to add the -p switch to your route command if you want to make the route persistent (be there after a reboot).
0
 

 

Author Comment

by:sarusij
ID: 8123707
route (in Windows) did great.
0
