Some important (security) information:
1) Always start the firewall before you bring up your (ADSL) internet connection, if at all possible. For a ppp interface that doesn't exist yet you can use the wildcard device "ppp+". Be aware that "ppp+" matches every ppp interface (ppp0, ppp1, ...), so this only works if the ADSL link is the only ppp interface on the machine!
2) Don't change any (security) settings ('EXPERT SETTINGS') if you don't really understand what they mean. Changing them anyway could have a big impact on the security of your machine.
3) I get a lot of emails from people complaining that their webserver etc. stopped working after installing my firewall. This is the CORRECT behaviour for a firewall: it BLOCKS ALL incoming traffic by default. If you want, for example, to run an HTTP server (port 80) and/or an SSH server (port 22) that is reachable from the internet, you have to list those ports in the OPEN_TCP / OPEN_UDP variables. For HTTP and SSH it becomes: OPEN_TCP="22 80". Both are TCP-only services, so OPEN_UDP stays empty (OPEN_UDP=""); only put ports in OPEN_UDP for services that really listen on UDP, otherwise you expose more than you need to.
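To make point 3 concrete, here is an added example (not code from rc.iptables or its author) of what an OPEN_TCP / OPEN_UDP style configuration turns into at the iptables level. The commands are printed rather than executed, so it runs as an ordinary user without iptables installed; the interface name eth0, the ESTABLISHED/RELATED rule and the final LOG/DROP pair are this example's own assumptions about the chain layout, not a description of the script's.

```shell
#!/bin/sh
# Added example, not part of rc.iptables: show the rules that an
# "OPEN_TCP / OPEN_UDP" style configuration turns into. Commands are
# printed, not run, so no root privileges or iptables binary is needed.
# EXT_IF and the chain layout below are illustrative assumptions.

EXT_IF="${EXT_IF:-eth0}"   # assumption: name of the external interface
IPT="${IPT:-iptables}"     # iptables binary (only echoed here)

# Print the rule set for "block everything incoming, open the listed ports".
#   $1 = TCP ports to open, $2 = UDP ports to open (space separated, may be "")
open_port_rules() {
    tcp_ports=$1
    udp_ports=$2
    # Default policies: nothing comes in or gets forwarded unless allowed
    echo "$IPT -P INPUT DROP"
    echo "$IPT -P FORWARD DROP"
    echo "$IPT -P OUTPUT ACCEPT"
    # Replies to connections the machine itself opened are still allowed
    echo "$IPT -A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # One ACCEPT rule per listed port; TCP only for new connections
    for p in $tcp_ports; do
        echo "$IPT -A INPUT -i $EXT_IF -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $udp_ports; do
        echo "$IPT -A INPUT -i $EXT_IF -p udp --dport $p -j ACCEPT"
    done
    # Anything else arriving on the external interface is logged and dropped
    echo "$IPT -A INPUT -i $EXT_IF -j LOG --log-prefix 'FW DROP: '"
    echo "$IPT -A INPUT -i $EXT_IF -j DROP"
}

# Number of ports a configuration exposes; handy as a sanity check before
# applying a rule set.
count_open() {
    open_port_rules "$1" "$2" | grep -c -- '--dport'
}

# HTTP and SSH: TCP only, so the UDP list stays empty
open_port_rules "22 80" ""
```

Run it with different lists (for example `open_port_rules "22 80" "53"` if you also run a DNS server) and compare the output of `count_open` with the number of services you actually intend to expose; every extra `--dport` line is an extra attack surface.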
Quick setup
If you want to get it running quickly or are a novice user, then this is the part that matters. Remember that the firewall has a lot of other useful features which will NOT be used in this way. On the other hand, various security features are enabled by default to protect you from hostile attacks.
1) First we have to check whether your Linux setup is OK, so that the script can work correctly:
- It of course requires iptables to be installed. It's recommended to use the latest version (package) if possible. This avoids incompatibilities or bugs the script might have with older versions, and the latest version contains all known (security) fixes, which strengthens the firewall itself.
- Make sure that you have a kernel with iptables compiled in, or a modular kernel with the iptables modules installed. iptables can NOT be used while ipchains is still loaded; the two packet filters are mutually exclusive in the kernel. If ipchains is loaded (the default on RedHat 7.1) run "rmmod ipchains" first, before running this script.
- The script needs the following binaries in your path: ifconfig, modprobe, grep, uname, sed, date, cut.
- The traffic shaper (rc.traffic-shaper) requires the "tc" command (from the iproute2 package).
- If you want to enable resolving of IPs ($RESOLV_IPS) then the 'dig' command should also be available.
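The checks of step 1 as a script, added here as an example (it is not part of rc.iptables). The list of binaries and the ipchains conflict come straight from the text above; reading /proc/modules to detect a loaded ipchains (or an alternative file passed as the second argument, so the check can be exercised on a box without ipchains) is this example's own choice.

```shell
#!/bin/sh
# Added example, not part of rc.iptables: the pre-flight checks of step 1.
# The binary list and the ipchains conflict come from the text; reading
# /proc/modules (or a file passed as $2, for testing) is an assumption
# of this example. It only covers what step 1 lists, nothing more.

REQUIRED_BINS="ifconfig modprobe grep uname sed date cut"
OPTIONAL_BINS="tc dig"     # tc: rc.traffic-shaper, dig: RESOLV_IPS

# Print each name from $@ that is not on PATH, one per line.
# Returns 0 when everything is present, 1 otherwise.
missing_bins() {
    rc=0
    for b in "$@"; do
        if ! command -v "$b" >/dev/null 2>&1; then
            echo "$b"
            rc=1
        fi
    done
    return $rc
}

# Is kernel module $1 loaded?  Reads /proc/modules unless $2 names another
# file. The name is anchored to the start of the line and followed by
# whitespace, so "ip_table" does not match "ip_tables".
module_loaded() {
    mods=${2:-/proc/modules}
    [ -r "$mods" ] && grep -q "^$1[[:space:]]" "$mods"
}

# Run all checks; returns 0 if the box is ready for rc.iptables.
preflight() {
    ok=0
    m=$(missing_bins $REQUIRED_BINS) || {
        echo "ERROR: required binaries missing:" $m
        ok=1
    }
    o=$(missing_bins $OPTIONAL_BINS) ||
        echo "WARNING: optional binaries missing (traffic shaper / RESOLV_IPS):" $o
    command -v iptables >/dev/null 2>&1 || {
        echo "ERROR: iptables is not installed"
        ok=1
    }
    if module_loaded ipchains; then
        echo "ERROR: ipchains is loaded; run 'rmmod ipchains' before starting the firewall"
        ok=1
    fi
    return $ok
}

if preflight; then
    echo "OK: ready to start rc.iptables"
else
    echo "Fix the problems above before starting rc.iptables"
fi
```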
2) Now we need to determine whether you have a single- or dual-homed machine. Single-homed means you have ONLY one network interface, the one connected to the outside "evil" world (the internet). A dual-homed machine additionally has a local subnet connected to a second network interface.
3) Put rc.iptables & iptables-firewall.conf in the appropriate directories (see above). You probably also want to start the firewall script automatically at system boot. There are various ways to accomplish this (depending on your distribution); here are some examples:
RedHat: Add a line like "/etc/rc.d/rc.iptables start" to the file "/etc/rc.d/rc.local" (probably at or near the end). Note that rc.local runs at the very end of the boot sequence, after the network has already been brought up, which is at odds with point 1 above. Alternatively, the script has a chkconfig-compatible header, so if you're familiar with chkconfig you can use it to start/stop the script in the different runlevels (and earlier in the boot order). In that case don't start it from "/etc/rc.d/rc.local"; instead put the script itself in /etc/init.d/ (instead of /etc/rc.d/) and run e.g. "chkconfig rc.iptables on".
Debian: Put rc.iptables in "/etc/init.d/" and create a symlink to it in "/etc/rcS.d/" (e.g. "ln -s /etc/init.d/rc.iptables /etc/rcS.d/S99iptables"), so that it is started during system initialisation before the runlevel scripts bring up the connection.
Now we will change the required settings in "(/etc/)iptables-firewall.conf":
4) Configure your external network interface, EXT_IF. This is the interface connected to the internet. If your ISP assigns your IP address dynamically via DHCP, set "EXT_IF_DHCP_IP=1"; otherwise leave it off (0).
5) For dual-homed machines you should also configure INT_IF, the interface used for the local network, and set your local subnet range in "INTERNAL_NET=". If you want your internal network to be able to access the internet (internet sharing), you should also enable NAT (masquerading) by setting "NAT=1".
6) If you don't have an (A)DSL modem that talks PPtP to your machine, or you have a bridging (transparent) modem, you can skip to step 7. (You can verify this with 'ifconfig': if a ppp device carrying your public IP exists, you should most likely configure the (A)DSL MODEM settings.)
Otherwise we must configure the network interface (ethX) to which your modem is physically(!) connected (MODEM_IF, which is commented out (#) by default). This is NOT ppp+, ppp0 etc.!
Here are some examples of how to do it for some providers (it's assumed that the modem is connected to eth0):
PPPoE connection with a static public IP (e.g. MxStream in the Netherlands), set up with the ADSL4Linux package from http://www.adsl4linux.nl:
    MODEM_IF="eth0"
    MODEM_IF_IP="10.0.0.150"
    MODEM_IP="10.0.0.138"    # Make sure this IP corresponds to the one used by your modem!
    EXT_IF_DHCP_IP=0
T-DSL (Germany) with a dynamic public IP:
    MODEM_IF="eth0"
    MODEM_IF_IP="192.168.99.1"
    MODEM_IP=""
    EXT_IF_DHCP_IP=1
PPPoA connection with a dynamic public IP (e.g. Versatel Zonnet in the Netherlands):
    MODEM_IF="eth0"
    MODEM_IF_IP=""           # This MUST be unset ("") (default)
    MODEM_IP="10.0.0.138"    # Make sure this IP corresponds to the one used by your modem!
    EXT_IF_DHCP_IP=1
Note: For extra security you *can* set the IP of your modem (MODEM_IP), but it's not necessary (anymore). If you don't know its IP, or believe it doesn't have one, you can leave MODEM_IP="" (default). The same applies to the IP of the modem network interface (MODEM_IF_IP). In case of PPPoA (PPP over ATM) you MUST leave MODEM_IF_IP unset (="")!
7) When your public IP is assigned to you by your ISP (through DHCP), enable support for a DHCP-assigned external IP by setting "EXT_IF_DHCP_IP=1".
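Steps 4 to 7 put together for a dual-homed machine behind a PPPoA modem, as an added example (this is not the project's own configuration file). The variable names are the ones the text uses; the interface names, the 192.168.1.0/24 subnet and the modem address 10.0.0.138 are constructed values. The check_conf function is also this example's own addition: it tests the settings against the rules the text states (MODEM_IF is never a ppp device, EXT_IF_DHCP_IP is 0 or 1, NAT needs an internal interface, ports are numbers), which is the kind of sanity check worth running before a firewall is started with a typo in it.

```shell
#!/bin/sh
# Added example, not the project's own configuration file: settings from
# steps 4-7 for a dual-homed machine behind a PPPoA modem, plus a checker
# for the constraints the text states. Interface names, the LAN subnet and
# the modem address are constructed values for illustration.

# ---- sample (/etc/)iptables-firewall.conf values ----
EXT_IF="ppp0"               # step 4: the interface that carries the public IP
EXT_IF_DHCP_IP=1            # steps 4/7: public IP is assigned dynamically
INT_IF="eth1"               # step 5: interface towards the LAN
INTERNAL_NET="192.168.1.0/24"
NAT=1                       # step 5: masquerade the LAN
MODEM_IF="eth0"             # step 6: NIC the modem is cabled to, never pppX/ppp+
MODEM_IF_IP=""              # PPPoA: MUST stay empty
MODEM_IP="10.0.0.138"       # optional; must match the modem's own address
OPEN_TCP="22 80"            # SSH and HTTP reachable from the internet
OPEN_UDP=""                 # no UDP services exposed

# Does $1 look like a dotted-quad IPv4 address?  With $2 = cidr a /prefix
# is required (used for INTERNAL_NET).
looks_like_ipv4() {
    case "$2" in
        cidr) echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' ;;
        *)    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ;;
    esac
}

# Check the configuration against the rules given in steps 4-7.
# Prints one line per problem; returns 1 if there is any.
check_conf() {
    errs=0
    [ -n "$EXT_IF" ] || { echo "EXT_IF must be set"; errs=1; }
    case "$EXT_IF_DHCP_IP" in
        0|1) ;;
        *) echo "EXT_IF_DHCP_IP must be 0 or 1, got '$EXT_IF_DHCP_IP'"; errs=1 ;;
    esac
    case "$MODEM_IF" in
        ppp*) echo "MODEM_IF must be the physical NIC (ethX), not '$MODEM_IF'"; errs=1 ;;
    esac
    if [ -n "$MODEM_IF_IP" ] && ! looks_like_ipv4 "$MODEM_IF_IP"; then
        echo "MODEM_IF_IP is not an IPv4 address: '$MODEM_IF_IP'"; errs=1
    fi
    if [ -n "$MODEM_IP" ] && ! looks_like_ipv4 "$MODEM_IP"; then
        echo "MODEM_IP is not an IPv4 address: '$MODEM_IP'"; errs=1
    fi
    if [ -n "$INT_IF" ] && ! looks_like_ipv4 "$INTERNAL_NET" cidr; then
        echo "INTERNAL_NET must be a subnet in CIDR form, got '$INTERNAL_NET'"; errs=1
    fi
    if [ "$NAT" = "1" ] && [ -z "$INT_IF" ]; then
        echo "NAT=1 only makes sense on a dual-homed machine; set INT_IF"; errs=1
    fi
    # Every entry in OPEN_TCP / OPEN_UDP must be a port number
    for p in $OPEN_TCP $OPEN_UDP; do
        case "$p" in
            *[!0-9]*) echo "port is not numeric: '$p'"; errs=1 ;;
            *) [ "$p" -ge 1 ] && [ "$p" -le 65535 ] ||
                   { echo "port out of range: $p"; errs=1; } ;;
        esac
    done
    return $errs
}

if check_conf; then echo "configuration looks consistent"; fi
```

For a single-homed machine leave INT_IF and INTERNAL_NET empty and NAT=0; for a PPPoE modem fill in MODEM_IF_IP as in the provider examples above. The checker deliberately does not try to be clever about what the firewall script will accept; it only catches the mistakes the text warns about.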
8) You're now ready to start the firewall by issuing "/etc/rc.d/rc.iptables start" or "/etc/init.d/rc.iptables start" (or whatever place you put rc.iptables in). A quick check is "rc.iptables status", which shows the loaded ruleset. Everything should now work OK; if it doesn't, carefully review all steps and your configuration. For troubleshooting you can consult my webpage (FAQ).
NOTE: Additional (more advanced) options are explained in the configuration-file comments or in the Q&As on my webpage (e.g. Freeswan/VPN support).
Parameters for rc.iptables:
    start    = Start firewall (AND reset iptables counters)
    stop     = Stop firewall (set default policies to ACCEPT; note that this leaves the machine completely unprotected, so don't use it as a "pause" while connected)
    restart  = Restart firewall (does NOT reset iptables counters)
    breread  = Reread blocked hosts (blackhole) file
    status [-t {table}] [chain] = View firewall ruleset ([chain] & [-t {table}] are optional)