
Firewall

With more and more computers accessing the Internet from home and from work, what prevents anyone on the Internet from accessing your computer? The answer is a firewall and related services. The term firewall refers to a line or wall of protection, typically from fire. In computer terms, it means protection from intrusion. This is your first line of defense.

Along with the firewall is the control of Internet access from within the protected network. This is the job of the proxy. The proxy receives requests for Internet access, retrieves the information, and then passes the information back to the requester. This chapter covers both firewalls and proxies.

Protecting a Network

From reading Chapter 19, you discovered that systems are just as susceptible to intrusion from the Internet as they are from inside the office. The difference is reach: an inside intruder needs physical or local network access to your machines, whereas anyone on the Internet can try to reach them remotely. The Internet is therefore the path a firewall is built to defend.

Besides the countermeasures listed in Chapter 19, the best way to protect a network is to disconnect it from the Internet. Practically speaking, this may not always be feasible; therefore, you can remove it virtually. A firewall does just that — it creates a barrier between the mass of machines on your network and the Internet but still allows selected traffic out (such as Web, FTP, and similar Internet-related requests).

A firewall is a dedicated system that stands in the gap between the Internet and the internal network. It examines each packet (source and destination addresses, protocol, and ports) against a preset list of rules and decides whether the packet may proceed to its intended destination or must be dropped.

Chapter 20

In This Chapter

Hardware requirements for the system

Setting up a second network card

Using ipchains

Masquerading a private network

Setting up PMFirewall

Locking down a firewall

Accessing the Internet using a proxy

416 Part V Linux Server

Figure 20-1 shows an illustration of what a network looks like with a firewall in place. Basically, the firewall stands between the network and the Internet. If you have any dial-up services to your company, those services are on a system behind the firewall. If you only have a single system at home and want to use dial-up services to access the Internet, then you can perform those services on the firewall system.

Internet

Firewall

Internal network of machines

Figure 20-1: A firewall sitting between the Internet and the internal network

A similar device is a router. A firewall does route packets from one network to another, but it discriminates based on what the packets contain (addresses, ports, flags). A router just routes packets from one network to another based on their destination; it does not care what the packets contain, only where they are going. You find routers installed between subnets (groups of IP addresses in different ranges), often corresponding to physical locations, such as between floors of a building or between the buildings themselves. The purpose of the router is to pass traffic in the direction it needs to go.

Another aspect of using a firewall is disguising the originator of a request (called masquerading the IP address). When a person behind the firewall requests a Web page from the Internet, the request appears to come from the firewall instead of the real originator; all of your site's daily activity appears to come from one machine. This reduces the risk of someone exploiting your network: internal addresses are never exposed, and an unsolicited inbound connection has no internal host to reach.

Note IP masquerading is the Linux version of Network Address Translation (NAT) found on commercial network routers and firewalls. You can get more information about IP masquerading at ipmasq.cjb.net.

Hardware Requirements and Preparations

You will need different hardware to meet minimum requirements for a firewall/ router as compared to a proxy server. A firewall/router takes fewer resources than a proxy server does. Here are the minimum requirements for a system destined for a firewall only:


A computer with at least a 486 running at 100MHz

32MB of RAM

A 500MB hard drive to hold the operating system

Two network cards compatible with Linux (I stick with name-brand PCI cards.)

Looking over the preceding specs, this might be a good time to make use of one of those old computers stored in the closet. The proxy server is another story. In order for a system to effectively run as a proxy server, the system needs the following:

A computer running at least a Pentium II class processor

64MB of RAM

A 2GB hard drive to hold the operating system and the proxy cache

Two network cards compatible with Linux

As you can see, the requirements for the proxy server are a little higher than for the firewall. Most of the work of a firewall takes place in the kernel, where packets are examined and either dropped or passed on. The proxy server, by contrast, needs enough hard drive space to hold its cache of pages fetched from remote servers.

Adding a Second Network Card

In general, the best means for protecting a network is to physically isolate it. The network card is the link from the computer to the network, so using a separate network card for each network the computer connects to helps to isolate them. A firewall typically connects to exactly two networks: the outside and the inside.

Cross-Reference: For more tips on compatible hardware and adding a network card to your existing system, see Chapter 17.

Assuming that you configured at least one network card at the time of installation and it is working properly, you can power down the system to add the other network card. Once the second card is physically installed, then you need to load the driver if this card is different from the first card. Here is a scenario for adding a second network card:

1. Starting with a system with the first Ethernet card (3c905) already installed during setup, add the second card (Kingston 120TX) by loading the module for the new Ethernet card into the kernel. The first card is connected to the Internet, while the second card is connected to the internal network. Initially, to load the module for the second card, use the following:

# insmod /lib/modules/2.2.17/net/rtl8139.o

Once the module is successfully added to the kernel, add the module name to /etc/modules so it gets loaded at boot time.


2.Then add the specifics about the new card to /etc/network/interfaces:

iface eth1 inet static
    address 192.168.0.10
    netmask 255.255.255.224
    network 192.168.0.0
    broadcast 192.168.0.31

This information identifies the second card as interface eth1; the IP address is static. The file also specifies the IP address for the card along with netmask, network, and broadcast numbers.

3.Restarting the networking service activates the card and assigns the information set up in the last step. To restart the networking services, issue the following command:

# /etc/init.d/networking restart

You should see some type of confirmation on the screen that networking was restarted.

4.To confirm that all the cards are now active and assigned the proper information, check them with the interface configure command (ifconfig). This command and its results are as follows:

$ /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:60:97:C2:DD:AF
          inet addr:216.3.12.27  Bcast:216.3.12.31  Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:84841 errors:1 dropped:0 overruns:0 frame:1
          TX packets:61296 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:5 Base address:0xb800

eth1      Link encap:Ethernet  HWaddr 00:C0:F0:68:95:1E
          inet addr:192.168.0.10  Bcast:192.168.0.31  Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:391 errors:0 dropped:0 overruns:0 frame:0
          TX packets:221 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:11 Base address:0xb000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

This shows each adapter installed and running. From the information here, you can determine the configuration of the card, the IP addresses bound to the card, and other information unique to the network card.


5. Each card is connected to a different network: one to the Internet and the other to your internal network. You should be able to ping an address on each network from this machine, and to ping this machine from a remote computer on each network. If you try to ping a computer on the network attached to eth0 from a computer attached to eth1, you should get a "request timed out" or no response at all, because the kernel is not yet forwarding packets between the two cards.

Note In some cases, where the Internet provider is a cable modem service or other special access service, these instructions may need to be varied slightly. Some Internet services have requirements such as a pre-defined host name, a specific MAC address (a MAC address is the identifier for the Ethernet card), or some other criteria on your system. Because I can’t account for all special conditions, you may need to seek additional help from your Internet service provider or other sources such as mailing lists.

6. In order to ping across to the other network, you must turn on IP forwarding. Edit the /etc/network/options file and change the line ip_forward=no to ip_forward=yes. Then restart the networking services as in step 3. Be aware that until the ipchains rules in the next section are in place, forwarding passes every packet between the two networks unfiltered.

7.At this point, IP forwarding should be active. Confirm that the service is enabled in the kernel by looking at the contents of the ip_forward placeholder, which should equal 1.

$ more /proc/sys/net/ipv4/ip_forward

1
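The steps above configure and verify the second card by hand. As an added example (not part of the book), here is a small POSIX shell checker that computes the network and broadcast values from an address and netmask and compares them with what an /etc/network/interfaces stanza says; a wrong broadcast or network line is a common reason a card comes up in ifconfig but cannot reach its own subnet. The stanza file it checks by default is constructed here from the two cards in this chapter plus a deliberately wrong eth2; the script name and the eth2 addresses are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the book): sanity-check the address, netmask,
# network and broadcast lines of an /etc/network/interfaces stanza.
# A mismatched broadcast or network line is a common reason a card
# "comes up" in ifconfig yet cannot reach its own subnet.
# Usage: sh ifcheck.sh eth0 eth1     (checks /etc/network/interfaces)
#        sh ifcheck.sh               (checks the constructed sample below)

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> A.B.C.D
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_of ADDR MASK -> network address (addr AND mask)
network_of() {
    a=$(ip_to_int "$1"); m=$(ip_to_int "$2")
    int_to_ip $(( a & m ))
}

# broadcast_of ADDR MASK -> directed broadcast (network OR NOT mask)
broadcast_of() {
    a=$(ip_to_int "$1"); m=$(ip_to_int "$2")
    int_to_ip $(( (a & m) | (~m & 4294967295) ))
}

# stanza_field FILE IFACE KEY -> value of KEY inside the "iface IFACE" stanza
stanza_field() {
    awk -v i="$2" -v k="$3" \
        '$1 == "iface" { in_s = ($2 == i) }  in_s && $1 == k { print $2 }' "$1"
}

# check_stanza FILE IFACE -> reports mismatches; returns 0 only if all agree
check_stanza() {
    addr=$(stanza_field "$1" "$2" address)
    mask=$(stanza_field "$1" "$2" netmask)
    if [ -z "$addr" ] || [ -z "$mask" ]; then
        echo "$2: no address/netmask found in $1"
        return 1
    fi
    want_net=$(network_of "$addr" "$mask")
    want_bc=$(broadcast_of "$addr" "$mask")
    status=0
    [ "$(stanza_field "$1" "$2" network)" = "$want_net" ] ||
        { echo "$2: network should be $want_net"; status=1; }
    [ "$(stanza_field "$1" "$2" broadcast)" = "$want_bc" ] ||
        { echo "$2: broadcast should be $want_bc"; status=1; }
    [ "$status" -eq 0 ] && echo "$2: $addr/$mask ok (network $want_net, broadcast $want_bc)"
    return $status
}

# Constructed sample: the two cards from this chapter plus an eth2 whose
# network and broadcast lines are deliberately wrong for 192.168.0.40/27.
sample_interfaces() {
    cat <<'EOF'
auto lo eth0 eth1
iface lo inet loopback

iface eth0 inet static
    address 216.3.12.27
    netmask 255.255.255.224
    network 216.3.12.0
    broadcast 216.3.12.31

iface eth1 inet static
    address 192.168.0.10
    netmask 255.255.255.224
    network 192.168.0.0
    broadcast 192.168.0.31

iface eth2 inet static
    address 192.168.0.40
    netmask 255.255.255.224
    network 192.168.0.0
    broadcast 192.168.0.255
EOF
}

if [ $# -gt 0 ]; then
    for ifname in "$@"; do check_stanza /etc/network/interfaces "$ifname" || true; done
else
    tmp=$(mktemp)
    sample_interfaces > "$tmp"
    for ifname in eth0 eth1 eth2; do check_stanza "$tmp" "$ifname" || true; done
    rm -f "$tmp"
fi
```

With no arguments the script checks the constructed sample and reports that eth2 should have network 192.168.0.32 and broadcast 192.168.0.63; with interface names it checks the real /etc/network/interfaces. The arithmetic masks the complement to 32 bits because the shell works in 64-bit integers.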

Using ipchains

The kernel actually handles the packets once they arrive at the machine. The kernel component that does this is called ipchains, and it has been part of the kernel since the 2.1 development series (the stable 2.2 kernels). The kernel must be compiled with support for forwarding, routing, and masquerading; the default kernel from the CD or Internet install already has these functions available.

ipchains is essentially a series of rules for handling IP packets as they pass through a machine (handled by the kernel). When the kernel looks at a packet, the packet is evaluated against the first rule in the chain. If the criteria do not match, the kernel tries the second rule, and so on down the line until a rule is found that applies to the packet. If no rule matches, the chain's policy decides what happens to the packet.

There are three built-in chains: input, output, and forward. You can change the policy for each and add rules to refine their functions; often many more than one or two rules are specified for a chain. Each rule has a target: ACCEPT, DENY, REJECT, MASQ, REDIRECT, or RETURN. The most commonly used targets are ACCEPT, DENY, and MASQ (short for masquerade). DENY drops the packet silently, whereas REJECT drops it and sends an ICMP error back to the sender; on an Internet-facing interface, DENY tells a probing attacker less.


Tip For those who have never set up a firewall, have trouble understanding ipchains, or want to have it installed quickly, download and use the PMFirewall program described later in this chapter.

The ipchains utility adds, modifies, or deletes rules from the command line. The following is an example of how ipchains sets a policy and adds a rule. The first command changes the policy on the forward chain to DENY, so nothing is forwarded unless a rule allows it. The second appends a rule to the forward chain that masquerades every packet leaving by the ppp0 interface (on the forward chain, -i names the interface the packet goes out on). This is common practice with dial-up connections to the Internet.

# ipchains -P forward DENY
# ipchains -A forward -i ppp0 -j MASQ

To get a better handle on the options and parameters used while creating the rules, look over Table 20-1. You can use these options and parameters in any number of ways to create specific rules to control your firewall.

Table 20-1: ipchains options and parameters

Option    Description
-A        Appends a rule to the end of the chain
-D        Deletes a rule from the selected chain
-R        Replaces a rule in a chain
-I        Inserts a rule into a chain (at the given position; 1 is the head)
-L        Lists all the rules of a chain
-F        Flushes (removes) all the rules of a chain
-Z        Zeroes the packet and byte counters (accounting) on the rules
-P        Changes the policy of a built-in chain
-M        Views masqueraded connections
-S        Changes the masquerade timeout values

Parameter Description
-p        The protocol of a rule (tcp, udp, icmp, or all)
-s        The source specification: [!] address[/mask] [!] [port[:port]]
-d        The destination specification: [!] address[/mask] [!] [port[:port]]
-j        The target of a rule
-i        The interface: the one a packet arrives on for the input chain, the one it leaves by for the output and forward chains


Notice that the source and destination parameters contain an exclamation point (!), which means the inverse of whatever follows it. This is referred to as not. So a rule that reads ! 192.168.10.120 means everything else but 192.168.10.120.

As you start getting the hang of adding rules, making rule changes, and removing rules, make sure that you save the finished state. Because you add them manually, those rule changes are out the window the next time the computer reboots.

Be sure to save the rule changes. It is a good idea to save as you go so you can return to any point along the way. There are two commands to help — ipchains-save and ipchains-restore. This command string saves the current rules for a later restore at boot time:

# ipchains-save > /etc/ipchains.rules

Use the -v option with the Save command to print all rules. You can then restore the rules from the created file using:

# ipchains-restore < /etc/ipchains.rules

You can create a script like the following to automatically add the rules at start time (this script is from IPCHAINS-HOWTO by Rusty Russell):

#! /bin/sh
# Script to control packet filtering.

# If no rules, do nothing.
[ -f /etc/ipchains.rules ] || exit 0

case "$1" in
start)
    echo -n "Turning on packet filtering:"
    /sbin/ipchains-restore < /etc/ipchains.rules || exit 1
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo "."
    ;;
stop)
    echo -n "Turning off packet filtering:"
    echo 0 > /proc/sys/net/ipv4/ip_forward
    /sbin/ipchains -F
    /sbin/ipchains -X
    /sbin/ipchains -P input ACCEPT
    /sbin/ipchains -P output ACCEPT
    /sbin/ipchains -P forward ACCEPT
    echo "."
    ;;
*)
    echo "Usage: /etc/init.d/packetfilter {start|stop}"
    exit 1
    ;;
esac

exit 0

Save this script as /etc/init.d/packetfilter, make it executable, and create a symbolic link to it in the run-level directory (the rc2.d run level) with a sequence number that sorts before the networking script, so that the rules are in place before the interfaces come up. This script only adds and removes the rules kept in the /etc/ipchains.rules file created with the ipchains-save command.

You can find further examples in IPCHAINS-HOWTO, which is located at www. linuxdoc.org. IPCHAINS-HOWTO provides a lot of information, which can be confusing at first. The more you work with ipchains, the easier it becomes. However, once you set up ipchains, you may not need to change them again unless you feel that a configuration tool would work better.

Note A special project has created all you need to make a router (software wise) and fit it on a 1.44 floppy disk. This may not be surprising; but by not using a hard disk, you can build a system that uses no moving parts to run. You can investigate the Linux Router Project (or LRP) at www.linuxrouter.org.

Masquerading a Private Network

In most cases, masquerading a private network is a great option. The purpose of the masquerade is to make numerous machines appear as one.

1. Install the ipmasq package using the Debian package-management system. The package manager may mention a recommended package that does not appear to be available; this second package is not needed for the firewall to work properly. ipmasq sets up masquerading of your network for better protection.

2. Answer no to the question "Do you want to have ipmasq recompute the firewall rules when pppd rings up or takes down a link [Y/n]" if your system requires no dial-up services to connect to the Internet.

Note Using a firewall with dial-up Internet is possible and also a good idea. Instead of using an Ethernet card for the Internet interface, use a pppd connection. When you install the ipmasq package, answer yes to the question about recomputing the firewall rules during the configuration portion of the install.

3. Ensure that both cards appear in the routing table, as shown here:

$ /sbin/route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
localnet        *               255.255.255.224 U     0      0        0 eth0
192.168.0.0     *               255.255.255.224 U     0      0        0 eth1
default         node-d8e9791.po 0.0.0.0         UG    0      0        0 eth0


At this point, you should be able to ping across this machine from the internal network to the Internet. Anyone can get out to use the Internet; and as far as the Internet goes, all requests are coming from the firewall machine because of the masquerading. If you stop configuring at this point, you can run your systems with access to the Internet. However, for tighter control, set up rules for controlling what actually passes across the firewall. You can find the configuration files for doing so in /etc/ipmasq/rules.

Note: If you use real (publicly routable) IP addresses on both sides of the firewall, you should be able to ping in both directions. You must set up each remote machine to use this machine as its gateway, so the gateway address is the address assigned to the firewall's card on that machine's network. If you use a reserved set of addresses, as in 192.168.x.x, you cannot ping into that network from the Internet: those addresses are not routed on the Internet, and the masquerade presents only the firewall's external address to the outside.
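The rules described under "Using ipchains" and the masquerading just set up, combined into one rule set, as an added example (not from the book or the ipmasq package). It assumes the chapter's layout: eth0 on the Internet, eth1 on 192.168.0.0/27 (netmask 255.255.255.224), a 2.2 kernel with ipchains. The policy choices (DENY everywhere, blocking inbound SYNs, logging spoofed sources, the masquerade port range) are this example's, not the book's, and the script name is assumed.

```shell
#!/bin/sh
# Added example (not from the book or the ipmasq package): one ipchains
# rule set for the two-card firewall in this chapter.
#   eth0 = Internet side, eth1 = internal 192.168.0.0/27 (255.255.255.224)
# Policies are DENY; rules below open only what is needed and masquerade
# the internal network. Run "sh firewall.sh show" to print the commands,
# "sh firewall.sh start" (as root, 2.2 kernel with ipchains) to apply them.

EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
INT_NET=${INT_NET:-192.168.0.0/27}
IPCHAINS=${IPCHAINS:-/sbin/ipchains}
DRY_RUN=${DRY_RUN:-0}

# ipc ARGS... : run ipchains, or print the command when DRY_RUN=1
ipc() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ipchains $*"
    else
        "$IPCHAINS" "$@"
    fi
}

firewall_rules() {
    # Clean slate, everything denied. Rules are matched first-to-last,
    # so the order below matters.
    ipc -F
    ipc -P input DENY
    ipc -P output DENY
    ipc -P forward DENY

    # Loopback traffic is always local.
    ipc -A input -i lo -j ACCEPT
    ipc -A output -i lo -j ACCEPT

    # Anti-spoofing: internal or loopback source addresses can never
    # legitimately arrive on the Internet side. -l logs the attempt.
    ipc -A input -i "$EXT_IF" -s "$INT_NET" -j DENY -l
    ipc -A input -i "$EXT_IF" -s 127.0.0.0/8 -j DENY -l

    # The internal network may talk to the firewall (SSH administration)
    # and the firewall may answer it.
    ipc -A input -i "$INT_IF" -s "$INT_NET" -j ACCEPT
    ipc -A output -i "$INT_IF" -d "$INT_NET" -j ACCEPT

    # Internet side. ipchains keeps no connection state, so the closest
    # thing to "replies only" is: log and drop TCP connection attempts
    # (SYN, matched by -y) and accept everything that is not a SYN.
    ipc -A input -i "$EXT_IF" -p tcp -y -j DENY -l
    ipc -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    # DNS answers, and UDP replies to masqueraded sessions, which the
    # 2.2 kernel rewrites to ports 61000-65096 on the external address.
    ipc -A input -i "$EXT_IF" -p udp -s 0.0.0.0/0 53 -j ACCEPT
    ipc -A input -i "$EXT_IF" -p udp -d 0.0.0.0/0 61000:65096 -j ACCEPT
    ipc -A input -i "$EXT_IF" -p icmp -j ACCEPT
    ipc -A output -i "$EXT_IF" -j ACCEPT

    # Masquerade the internal network as it leaves by eth0. On the
    # forward chain, -i names the interface the packet goes OUT on.
    ipc -A forward -i "$EXT_IF" -s "$INT_NET" -j MASQ
    # Anything else (including Internet -> internal) hits the DENY policies.
}

case "${1:-}" in
    start) firewall_rules && echo 1 > /proc/sys/net/ipv4/ip_forward ;;
    show)  DRY_RUN=1; firewall_rules ;;
    "")    ;;                                   # just define the functions
    *)     echo "Usage: $0 {start|show}" >&2 ;;
esac
```

After "start" succeeds, run ipchains-save > /etc/ipchains.rules so the init script from the previous section reloads the same rules at boot. Because ipchains has no notion of an established connection, "! -y" accepts any non-SYN TCP segment from the Internet, not only genuine replies; that is the inherent limit of this chapter's tooling, and the reason the input policy stays DENY for everything the rules do not name.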

Configuring a Firewall with PMFirewall

If you want to quickly and easily build a firewall, but don’t understand the ipchains command strings, then use PMFirewall. Written in Perl script, it interactively configures the firewall on your system using ipchains. If you are interested in masquerading your internal network’s IP addresses, you can configure that as well.

You can obtain a copy of the program at www.pmfirewall.com/PMFirewall. Once downloaded, move the file to /usr/src with:

mv ./filename /usr/src

Then you can extract the contents of the tarball with

tar zxvf filename.tar.gz

Change to the newly created directory and begin the installation (logged in as root) with

/bin/sh ./install.sh

This installation process creates the program's new home at /usr/local/pmfirewall, where all the configuration files are created. The script then confirms that you have ipchains installed and asks what you want to set as the external interface. Normally, the external interface is set to eth0. Figure 20-2 gives you an idea of what you might see during the installation.

If there are IP address ranges that require unrestricted access, then answer Yes and enter the address/netmask number in the next dialog box. If you are unsure, answer No to the first question.

If there are known IP addresses that should be blocked completely, then answer Yes to the question and enter those numbers. Again, if you are unsure, answer No to this question as well.


Figure 20-2: Answering configuration questions as PMFirewall installs

If your system receives its IP address via DHCP, then answer Yes to the next question. For the next few questions, you are asked about the specific services that you plan to run on this machine, that is, services accessed from an external source. Typical firewall machines are used only as firewalls, which is the most secure practice. You should not use a firewall machine for any other Internet service, such as Web services, Domain Name Service (DNS), or File Transfer Protocol (FTP). For the purposes of security, I assume that you are installing a firewall-only server.

This is only a firewall machine, so answer No to all the services (such as FTP, Finger, Web, POP, and others). You should never allow some services, such as NetBIOS/Samba and NFS, on the firewall at all, because they exist to hand out file access.

You are then asked if you want to start PMFirewall when the system starts. Go ahead and answer Yes to this question, as automatically starting the firewall at system start won’t require physical intervention by you later. When it does start, PMFirewall has the capability to detect the IP address for the machine. This is useful for systems that dial into an Internet Service Provider and get a different IP address each time.

If you don’t care what address is used when someone from the inside makes an Internet request, then answer No to the question about masquerading. Then the configuration files are created and the firewall is ready to go.

If you do decide to set up masquerading of your internal network, there is no easier way to get it set up than with PMFirewall. Figure 20-3 shows where in the configuration you must make this decision.


Figure 20-3: Masquerading is not configured by default.

There are just a couple of extra steps to perform if you want to set up masquerading. The first question asks you to specify the internal interface — the default is normally eth1 for the second card. The script then wants to autodetect the internal IP address. The script then asks if you use a DHCP server. Select the appropriate answer to continue. Several files are configured and then you are finished.

Note If you use a group of private IP addresses for your internal network, then you need to employ masquerading, which you can easily set up using the PMFirewall script.

Locking Down the Firewall

When maximizing security, this is the most critical portion of the entire configuration. This is where you do your best to prevent people from cracking the firewall. If they get in here, then they have access to the entire network. With the proper setup on the firewall, you can still run some of the services for inside use only, such as OpenSSH, which provides a secure shell connection to a server.

The first step is to turn off all the listening ports on the firewall machine. An open port is an available door through which an attacker can enter. Many of these ports belong to services that inetd starts when a connection arrives, such as telnet, ftp, shell, and many others. To disable them, edit the /etc/inetd.conf file and place a pound sign (#) at the beginning of each line that does not already have one (including discard, daytime, time, telnet, shell, login, exec, talk, ntalk, smtp, finger, and ident). Also turn off any standalone daemons that are not started by inetd but that the firewall does not need.

Once you comment out the services, restart the inetd daemon with the following:

# /etc/init.d/inetd restart


Test to make sure that the ports are no longer active by telneting to this machine. Try a couple of different ports.

$ telnet localhost

$ telnet localhost 25

The system should not respond to the telnet requests other than to inform you that the connection was refused.
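The inetd edit above is easy to get wrong by hand on a long file. As an added example (not from the book), this shell script comments out every active line in an inetd.conf, keeps a backup, and verifies that nothing is left enabled. The sample inetd.conf is constructed for the example in the Debian layout of the time, and the script name is assumed.

```shell
#!/bin/sh
# Added example (not from the book): comment out every service in an
# inetd.conf, keep a backup, and verify that nothing is left enabled.
# Works on any file path, so it can be tried on a copy first.
#   sh inetd-off.sh /etc/inetd.conf     (as root, then restart inetd)
#   sh inetd-off.sh                     (demo on the constructed sample)

# active_services FILE -> names of the services inetd would still start
active_services() {
    awk 'NF > 0 && $1 !~ /^#/ { print $1 }' "$1"
}

# disable_all_services FILE -> prefix "#" to every active line (backup in FILE.bak)
disable_all_services() {
    cp -p "$1" "$1.bak" || return 1
    awk 'NF > 0 && $1 !~ /^#/ { $0 = "#" $0 } { print }' "$1" > "$1.new" &&
        mv "$1.new" "$1"
}

# harden_inetd FILE -> disable everything, then confirm the file is clean
harden_inetd() {
    disable_all_services "$1" || return 1
    left=$(active_services "$1")
    if [ -n "$left" ]; then
        echo "still active in $1: $(echo "$left" | tr '\n' ' ')" >&2
        return 1
    fi
    echo "no inetd services active in $1 (original saved as $1.bak)"
}

# Constructed sample in the Debian inetd.conf layout of the time; the
# entries mirror the ones the text tells you to comment out.
sample_inetd_conf() {
    cat <<'EOF'
# /etc/inetd.conf: constructed sample for this example
#:INTERNAL: Internal services
#echo    stream  tcp  nowait  root    internal
discard  stream  tcp  nowait  root    internal
daytime  stream  tcp  nowait  root    internal
time     stream  tcp  nowait  root    internal
#:STANDARD: These are standard services.
telnet   stream  tcp  nowait  telnetd.telnetd  /usr/sbin/tcpd  /usr/sbin/in.telnetd
ftp      stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd
#:MAIL:
smtp     stream  tcp  nowait  mail    /usr/sbin/exim  exim -bs
#:INFO:
finger   stream  tcp  nowait  nobody  /usr/sbin/tcpd  /usr/sbin/in.fingerd
ident    stream  tcp  wait    identd  /usr/sbin/identd  identd
EOF
}

if [ $# -eq 1 ]; then
    harden_inetd "$1"
else
    demo=$(mktemp)
    sample_inetd_conf > "$demo"
    echo "before: $(active_services "$demo" | tr '\n' ' ')"
    harden_inetd "$demo"
    rm -f "$demo" "$demo.bak"
fi
```

After running it on /etc/inetd.conf, restart inetd as shown above and repeat the telnet test. Daemons that run on their own rather than through inetd are not touched by this script; list what is still listening with netstat -a and stop those separately.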

If turning off the services is not an option for you and you want to add more security, here are a few simple additions and changes you can make:

For added protection, create the file /etc/nologin. You can put a few lines of text in it, such as "This machine is off limits". While this file exists, login refuses every user except root; refused users only see the contents of the file.

You can also edit the file /etc/securetty for a little more control of login locations. If the user is root, then the login must occur on a tty listed in /etc/securetty. The syslog facility logs all login failures.

With both of these controls in place, the only way to log in to the firewall is as root from the console. The server accepts no other attempts.

If you need remote root access, use SSH (Secure Shell) and turn off telnet. SSH provides a secure, encrypted connection between two computers, whereas telnet transmits everything in clear text for anyone to see (including passwords). On a firewall, also keep sshd reachable only from the internal side, either by binding it to the internal address (ListenAddress in sshd_config) or by denying port 22 on the external interface with an ipchains rule.

Add other countermeasures, such as Tripwire, to ensure that users do not tamper with anything.

As you might guess, software that is not installed cannot be exploited, so remove what the firewall does not need. Unfortunately, removing everything is not always an option. Reducing the number of services, open ports, and user accounts on the system is the most effective thing you can do in the end.

Squid Proxy Service

Because a firewall sets up a single point of access to the Internet for an organization, the traffic demands may be high at times, and many of those people may be looking at the same site. The point of a proxy, such as Squid, is to cache Web pages that are requested repeatedly. For instance, if Joe visits www.fish-r-us.com, the page is loaded into the cache on the proxy. Suppose a few seconds later Bob requests the same site. This time, the proxy serves the page to Bob from its cache rather than fetching it again.

Another service that a proxy can provide is controlling who gets access through the firewall; the network, IP address, or user name can do this. The proxy configuration file sets this and more.


The first step in setting up a proxy is making sure the software is in place. You need to install Squid from the archives. Once installed, you can begin to configure it for your system.

To configure Squid, you need to edit the /etc/squid.conf file. This file contains an example of nearly all settings available with this proxy server. By default, the server is set to not allow anyone to make requests through it. Setting up a Web browser to use the proxy server’s default port of 3128 and attempting to access an external site produces the error message shown in Figure 20-4.

Figure 20-4: This error lets you know that the proxy is running but is not allowing you to grab the page.

You need to change a few settings in the configuration file. This is a large file to sift through using the text editor. The file is broken down into major categories:

Network options

Options affecting neighbor selection

Options affecting the cache size

Log file path names and cache directories

Options for external support programs

Options for tuning the cache

Timeouts

Access control


Administration parameters

Options for cache registration services

HTTPD-Accelerator options

Miscellaneous

The main change you need to make is in the Access control section. There is a line that reads as follows:

http_access deny all

Comment that line out and then add the following line:

http_access allow all

This enables anyone who can reach the proxy to browse the Internet through it once you restart the Squid service. Be aware that this includes anyone on the Internet side if port 3128 is reachable on the external interface; an open proxy lets outsiders make requests from your address. Use it only long enough to confirm that the proxy works, then narrow it to your own network as described below, and make sure your ipchains rules deny port 3128 on the external interface. Restart the service using the following:

/etc/init.d/squid restart

You can continue to narrow the scope of who has access by creating an access group in that same section. The syntax at the beginning of the section reads as follows:

acl aclname src IPaddress/netmask

And a local group of IP addresses looks like this:

acl local src 192.168.10.1-192.168.10.30/255.255.255.224

This line defines the range of addresses as a source and gives it the name local. You can then use that name in an http_access line. Squid stops at the first http_access line that matches a request, so put this line before the http_access deny all line (keep deny all as the last http_access line) rather than replacing it with allow all:

http_access allow local

Likewise, you can also block a group of internal addresses. You can allow or deny access in several ways, whether you want to specify the source, the destination, or even a URL. Reading through the configuration file should give you some understanding of configuring the server. You can also look at www.squid-cache.org to get more information.
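An added example (not from the book or the Squid project): a shell checker for the access-control section of squid.conf that flags the "allow all" shortcut, a missing src acl, and an http_access list that does not end in deny all, the mistakes that turn a caching proxy into an open one. The two sample configurations are constructed here; the acl uses this chapter's internal network 192.168.0.0/255.255.255.224 rather than the 192.168.10.x range of the example above.

```shell
#!/bin/sh
# Added example (not from the book or the Squid project): lint the
# access-control section of a squid.conf. It flags the three things
# that make a firewall-hosted proxy an open one: no src acl for the
# internal network, an "http_access allow all" line, and an http_access
# list that does not end in "deny all" (Squid uses the first matching
# http_access line, so a trailing "deny all" is what closes the door).

# http_access_lines FILE -> the active http_access rules, in order
http_access_lines() {
    awk '$1 == "http_access" { $1 = ""; sub(/^ +/, ""); print }' "$1"
}

# check_squid_access FILE -> 0 if the policy is closed, 1 with reasons otherwise
check_squid_access() {
    bad=0
    if ! grep -Eq '^acl +[^ ]+ +src +' "$1"; then
        echo "no 'acl NAME src ...' defined: access cannot be limited to your network"
        bad=1
    fi
    if http_access_lines "$1" | grep -Eqx 'allow +all'; then
        echo "'http_access allow all' present: anyone who can reach port 3128 may use the proxy"
        bad=1
    fi
    last=$(http_access_lines "$1" | tail -n 1)
    if [ "$last" != "deny all" ]; then
        echo "last http_access line is '$last', expected 'deny all'"
        bad=1
    fi
    return $bad
}

# Constructed sample 1: the quick fix from the text (open to everyone).
open_config() {
    cat <<'EOF'
http_port 3128
#http_access deny all
http_access allow all
EOF
}

# Constructed sample 2: this chapter's internal network only, then deny.
closed_config() {
    cat <<'EOF'
http_port 3128
acl local src 192.168.0.0/255.255.255.224
http_access allow local
http_access deny all
EOF
}

for name in open closed; do
    t=$(mktemp)
    if [ "$name" = open ]; then open_config > "$t"; else closed_config > "$t"; fi
    echo "== $name config =="
    check_squid_access "$t" && echo "ok: closed policy"
    rm -f "$t"
done
```

Point check_squid_access at /etc/squid.conf after editing it. The checker only reads the http_access list; it does not stop Squid from listening on the external interface, which is why the ipchains rules on the firewall should still deny port 3128 on eth0.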

Accessing the Internet through a Firewall/Proxy

A firewall should act as a gatekeeper, letting requests go out from sources on the inside but not letting requests come in. Browsers on the inside send their outgoing requests to the proxy, which listens on a single port and interprets each request. If the proxy does not have the desired pages in its cache, it goes out and gets them. You must set up your internal devices to make their requests to the correct internal proxy address and port number.

The most common device that needs configuration is the Web browser. To add the proxy information to Netscape, for instance, open the browser. Once the browser is open, click Edit and then Preferences. A dialog box appears. On the left side, click the triangle sign next to Advanced.

You should see two new items appear. Clicking Proxy changes the information in the right side of the dialog box. Select the Manual option, and press the button labeled View. For each service your server proxies, enter the IP address or the fully qualified domain name in the left box and the proxy port on the right. For the default HTTP proxy service, the port is 3128. Figure 20-5 shows the configuration screen in Netscape.

Figure 20-5: Configuring proxies in Netscape

For the lynx and Mosaic browsers, you can set an environment variable to define the proxy. The two shells, csh and tcsh, use the following commands to set the variable:

setenv http_proxy http://myhost:3128/
setenv gopher_proxy http://myhost:3128/
setenv ftp_proxy http://myhost:3128/

For the ksh and bash shells, you use:

export http_proxy=http://myhost:3128/
export gopher_proxy=http://myhost:3128/
export ftp_proxy=http://myhost:3128/

You can add any of these to the startup scripts for your preferred shell (for example, ~/.bashrc). You can also add them to /etc/profile to make them useful system wide.

The systems on the local network also need to point to the internal network IP of the firewall as the gateway. This tells traffic destined for the Internet where to go to reach its destination.

Summary

With an understanding of what a firewall does, you now know the importance of using a firewall to protect a private network. On top of that, masquerading the IP addresses lets your entire internal network of computers appear from the outside as if all requests come from the firewall. This adds to the degree of protection because those addresses are never transmitted over the Internet.

Setting up a firewall for a home network is just as important as setting up one for an office. Granted, configuring rules using ipchains by hand may not seem straightforward in the beginning, but it gives you the greatest control in choosing the restrictions. In addition, with tools such as PMFirewall, setting up a firewall keeps getting easier.

To control access from the inside, the proxy server controls what services are used, who can use them, and from what systems. Squid, the proxy server, provides an extensive list of configuration options in its configuration file. The possible configuration variations are too numerous to count.

You can find more information about firewalls, ipchains, and IP masquerading from the list of HOWTOs at www.linuxdoc.org.
