This document describes the installation of a Firewall and Masquerading on a Linux Operating-System using ipchains.
A Firewall is a system which allows
* to define the type of TCP/IP-packets which can cross between the internal network and the worldwide Internet,
* to define the ports to be opened so that a computer can be controlled from another computer,
* and to define which computers on the internal network should be allowed or denied access to the worldwide Internet.
Masquerading (or Network Address Translation) forwards requests from a computer on the internal network to a computer (server) on the worldwide Internet. Masquerading allows several computers from the internal network to simultaneously access servers on the Internet. For the server(s) on the Internet the request looks as if it came from one computer, i.e. the router of the internal network.
Credits:
For a newbie like me it was pretty hard to separate all the terms associated with setting up a (secure and reliable) connection to an ISP.
A big help was Heimo Schön's HOWTO (http://howto.htlw16.ac.at/at-highspeed-howto.html - in German) which allowed me to separate the tasks and do them step by step.
The used script is a modification of the script published by Dennis G. Allard and Don Cohen at http://oceanpark.com/notes/firewall_example.html.
Operating-system installed ;-).
Logged on as user root.
The connection to the internal network is over device eth0; the connection to the ISP is over device ppp0 (if a dial-in-modem or a tunneling-protocol for DSL- or ADSL-modems is used) or eth1 (if a non-tunneling-connection - e.g. a cable-modem - is used) respectively.
If your configuration is different, please take care to replace the devices in the following script.
Installation-instruction:
Please note:
The following script refers to the device for the connection to an ISP (eth1, ppp0) by the symbolic name EXTIF. The symbolic name is set to the device ppp0. The connection to the internal network is set to device eth0. Before running the script, please check if the commands suit your configuration.
The following script can be copied and directly transferred to the target; to do so follow this link for an explanation of how to copy text from a web-browser to a file.
Create the file /etc/rc.d/rc.firewall-iptables with the following content:
#!/bin/sh
#
# rc.firewall-iptables
#
# Example for a firewall and masquerading using iptables
#
# October, 2004; configured by Kurt Gstöttner, http://www.javascout.biz
#
# This script is based on an example published by
# Dennis G. Allard and Don Cohen, http://oceanpark.com
#
# Permission to copy is granted provided that credit is given to all documentation
# you used to understand this stuff.
#
# No warranty is implied. Use at your own risk !!
#
#
# Definition of the interface to the Internet-Service-Provider (ISP)
# Use ppp0 if the connection to the ISP is over a modem or a tunneling-protocol
EXTIF="ppp0"
# Use eth1 if the connection to the ISP is directly over the ethernet (e.g. cable-modem)
#EXTIF="eth1"
#
# Here we go - the commands start
# Extract the dynamic TCP/IP-address given by the ISP;
# a pretty compressed command-string but it works ;-)
# (it picks the address out of the "inet addr:x.x.x.x" line of the classic net-tools ifconfig output)
EXTIP="`ifconfig $EXTIF | awk /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
echo -n "External Interface $EXTIF with IP $EXTIP ."
#
# check module-dependency; missing modules are reloaded if necessary
depmod -a
#
# Setting IP-forwarding and permit for dynamic addressing;
# a good installer should have it disabled by default.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
#
# Setting default policies
# N.B.: all examples I found had INPUT DROP, but as soon as I uncomment it
# nothing works any more. K.G. October 2004
#iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#
# Flushing all individual appended rules
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -F -t nat
#
#
# Allow all input from the loopback-interface and from the internal network.
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -j ACCEPT
#
# Drop all packets from the external-interface which claim
# to originate from the internal network or the loopback-interface.
iptables -A INPUT -i $EXTIF -s 192.168.0.0/24 -d 0/0 -j DROP
iptables -A INPUT -i $EXTIF -s 127.0.0.0/8 -d 0/0 -j DROP
#
# Forward all packets from the internal network toward the external-interface
iptables -A FORWARD -i eth0 -o $EXTIF -j ACCEPT
#
# Forward all packets from the external-interface toward the internal network
# which are a response to requests from the internal network.
iptables -A FORWARD -i $EXTIF -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Forward all packets from the external-interface, whatever internal interface
# they leave on, if the packets are a response to requests.
# N.B.: packets addressed to the firewall host itself pass through the INPUT chain,
# not FORWARD, so a browser on the firewall machine depends on the INPUT rules above.
iptables -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Enable Network Address Translation (NAT) for forwarded packets;
# this routes response-packets back to the address on the internal network
# from where the request was issued.
iptables -A POSTROUTING -t nat -s 192.168.0.0/24 -o $EXTIF -j SNAT --to-source $EXTIP
#
#
END OF SCRIPT
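The author notes above that uncommenting INPUT DROP stops everything working. The cause is visible in the script: there is no INPUT rule that lets replies on $EXTIF back in for connections the firewall host itself opened (DNS lookups, a browser on the firewall, the dialer's own traffic), so with a DROP policy those replies are discarded. The following is an added example, not part of the original script, showing an INPUT chain that keeps the page's trust of lo and eth0 and its anti-spoofing drops, and adds the missing state rule so the DROP policy can be used; the function names, the APPLY switch and the dry-run mode are this example's own, and it assumes the same interfaces and 192.168.0.0/24 network as the page.

```shell
#!/bin/sh
# Added example (not from the original page): INPUT chain rules that make
# "iptables -P INPUT DROP" workable. Assumes eth0 = internal network and
# EXTIF = ISP interface, as in the page's script.
EXTIF="${EXTIF:-ppp0}"

# input_rules CMD: run CMD (iptables, or echo for a dry run) for each rule.
# Order matters: iptables checks rules top to bottom, first match wins.
input_rules() {
    ipt="$1"
    $ipt -P INPUT DROP
    $ipt -F INPUT
    # loopback and the internal network stay fully trusted, as on the page
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -i eth0 -j ACCEPT
    # anti-spoofing: nothing from the ISP side may claim an internal address
    $ipt -A INPUT -i "$EXTIF" -s 192.168.0.0/24 -j DROP
    $ipt -A INPUT -i "$EXTIF" -s 127.0.0.0/8 -j DROP
    # the rule the page's script lacks: replies to connections the firewall
    # host itself opened (DNS, a browser, the dialer) must be let back in;
    # ICMP errors for those connections are covered by RELATED
    $ipt -A INPUT -i "$EXTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # anything else arriving from the ISP falls through to the DROP policy
}

# Sanity check for the dry run: number of ACCEPT rules on the ISP interface
# that are not tied to an existing connection. Must be 0 for a closed host.
unsolicited_external_accepts() {
    input_rules echo | grep -- "-i $EXTIF" | grep -- "-j ACCEPT" | grep -vc -- "--state"
}

# Dry run by default; APPLY=1 (as root) loads the rules for real.
if [ "${APPLY:-0}" = 1 ]; then
    input_rules iptables
else
    input_rules echo
fi
```

Run it as root with APPLY=1 after the page's script (which flushes INPUT) to replace the script's INPUT section; without APPLY it only prints the rules it would load.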
Setting the access-rights for an automated startup
As a prerequisite for automated startup the access-rights of the firewall-script must be set as follows:
chmod 4711 /etc/rc.d/rc.firewall-iptables
(The leading 4 sets the set-user-ID bit, which the Linux kernel ignores on shell scripts; the script gets root's rights because rc.local runs it as root, so the executable bit is what matters.)
Automatic start of the Firewall and Masquerading when Linux is started
To start the firewall when a dial-in-connection is used, the following lines can be added to the file /etc/rc.d/rc.local:
# Start masquerading and firewall
# Do this always after starting the dialer
# to extract the dynamic TCP/IP-address assigned by the Internet-Service-Provider
/etc/rc.d/rc.firewall-iptables
When using a pptp-Client, the firewall is started from within its start | stop | restart script.
The file can only be edited with access-rights as 'root'.
For the change to take effect it is required to execute the file /etc/rc.d/rc.local or to restart Linux.
* Go to a workstation within the internal network.
* Define the default gateway of that workstation to be the computer where the just installed firewall and masquerading runs.
* Shutdown and restart the workstation.
* Open a Terminal window and 'ping' a known server on the Internet, e.g. 195.3.96.67 (command ping 195.3.96.67).
* The server on the Internet should respond periodically.