Firewall Installation
Why I created this: Well, I'd heard all kinds of stories about people getting
their machines hacked within hours of putting them on the big
bad Internet. So I wanted to protect myself.
My system: Gateway 450XL, two SCSI disks (Cheetah all the way, baby),
Ethernet card, printer, blah, blah, blah. I got a static IP address from
my ADSL provider (so I don't have to worry about DHCP). I am the only one
on the network (i.e., no IP masquerading or forwarding). I don't need to
run any services like DNS caching, NFS, etc. So it's pretty basic,
but I don't want some ass to mess up what I finally got running.
Information is from: reading the ipchains HOWTO (www.linux.org), studying Robert L.
Ziegler's scripts (http://www.linux-firewall-tools.com/linux/),
www.cert.org, and plain trial and error!
So here are the steps I took to put up a firewall for my little
computer:
Part 1 - Getting the system ready.
Step 1 - Disconnect from Internet :)
Step 2 - Kill all daemons you don't want to run.
In /etc/inetd.conf comment out (put a # in front of) shell,
login, ftp, telnet, finger, talk, and ntalk.
Step 4 - Set up TCP wrappers to specify allowed and
non-allowed hosts.
Add to /etc/hosts.allow
# disallow connections from my local network (it's ADSL)
# (the tcpd option keyword for this is DENY)
ALL: ALL@127.0.0.1 : DENY
# allow connections from my static IP address
ALL: ALL@X.X.X.X : ALLOW
# allow unchecked ident connections from anywhere
in.identd : ALL : ALLOW
Add to /etc/hosts.deny
# disallow everything not specifically allowed in /etc/hosts.allow
ALL: 0.0.0.0/0.0.0.0
Step 5 - Make sure you've got ipchains.
How: (I) downloaded ipchains
from the Red Hat FTP site and used the command rpm -ivh
"filename" (it's also on the 2nd CD-ROM provided by RH).
Note: It's not part of RH 5.1, which uses ipfwadm instead.
Why: Allows for IP packet
filtering (i.e., firewalling).
Note: Not sure I had to do this as it was "in the kernel",
but the binaries weren't in /sbin, where all binaries need
to be. Also couldn't use any of the commands like ipchains
-L until I rpmed it. I'm still not sure it's "part of the
kernel" but it seems to at least be on the machine. There
was something in 2.3 of the HOWTO about kernel commands????
Note: The version from RH is 1.3.8; the HOWTO is written
against 1.3.9.
Step 6 - Make sure the scripts are always added.
How: See the ipchains HOWTO (version
1.0.7) section 2.3.
What: Create a script and add
it before network runs in the appropriate runlevels.
-------------
#! /bin/sh
# script to control packet filtering.
# if no rules do nothing.
[ -f /etc/ipchains.rules ] || exit 0
case "$1" in
start)
    echo -n "Turning on packet filtering:"
    # load the ruleset saved earlier with ipchains-save
    /sbin/ipchains-restore < /etc/ipchains.rules || exit 1
    # the HOWTO example turns forwarding on; a single host without
    # masquerading does not actually need this
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo "."
    ;;
stop)
    echo -n "Turning off packet filtering:"
    echo 0 > /proc/sys/net/ipv4/ip_forward
    # delete user-defined chains, flush all rules, reset policies to ACCEPT
    /sbin/ipchains -X
    /sbin/ipchains -F
    /sbin/ipchains -P input ACCEPT
    /sbin/ipchains -P output ACCEPT
    /sbin/ipchains -P forward ACCEPT
    echo "."
    ;;
*)
    echo "Usage: /etc/init.d/packetfilter (start|stop)"
    exit 1
    ;;
esac
exit 0
------------
Note: Make sure to set the file permissions so everyone
can run it.
Note: Check to see which runlevels include network and make
sure it loads before them.
In the examples it said S39filename (S is for loaded and
K is for not loaded), but on mine it's got to come before
S10. I used the SysV Init editor in KDE. Also, on RH 6.0 put
the script (I called it packetfilter) in the /etc/init.d directory.
When you use the SysV Init editor it will add the appropriate
S* (where * is the number).
Note: Make sure the last echo uses the right filename (in
my case packetfilter instead of package). In the example they
used a different filename.
Note: The 2nd-to-last line has essac; it should be esac.
Step 7 - Add protection for regular IP spoofing.
How: See the ipchains HOWTO section
5.7.
What: Create a script and add
it before network runs in the appropriate runlevels.
-----------
#! /bin/sh
# This is the best method: turn on Source Address Verification and get
# spoof protection on all current and future interfaces.
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    echo -n "Setting up IP spoofing protection..."
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
    done
    echo "done."
else
    echo PROBLEMS SETTING UP IP SPOOFING PROTECTION. BE WORRIED.
    echo "CONTROL-D will exit from this shell and continue system startup."
    echo
    # Start a single user shell on the console
    # (CONSOLE is set by the init scripts; if empty, sulogin uses the current tty)
    /sbin/sulogin $CONSOLE
fi
-------------
Note: Check to see which runlevels include network and make
sure it loads before them.
I picked the file name no-ip-spoofing and added it to
the /etc/init.d directory.
Then I used the SysV Init editor to add it before network, but after
packetfilter. When you use the SysV Init editor it will add
the appropriate S* (where * is the number).
Note: I don't think it matters which of the scripts gets
loaded first. I just picked the one from step 3 to load
first.
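The /etc/ipchains.rules file that the Step 6 init script restores is never shown above. Here is an added example, not from the original page, of the ipchains policy that matches this set-up: one host with a static address, no forwarding, no services offered. Input is default-deny and only replies to connections this machine opened are let back in; the explicit anti-spoofing rules complement the rp_filter setting from Step 7. MYIP and IFACE are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original page. Builds the ipchains policy for
# a single host with a static address that offers no services.
MYIP="${MYIP:-192.0.2.10}"   # constructed placeholder for the static IP
IFACE="${IFACE:-eth0}"       # the interface the ADSL line is on

# ipc: run ipchains, or just print the command when DRYRUN=1 so the
# policy can be reviewed on a machine without ipchains (or without root).
ipc() {
    if [ "${DRYRUN:-0}" = 1 ]; then echo "ipchains $*"; else /sbin/ipchains "$@"; fi
}

build_rules() {
    ipc -F                         # flush all rules, then drop user chains
    ipc -X
    ipc -P input DENY              # default policies: nothing in unless allowed
    ipc -P output ACCEPT
    ipc -P forward DENY            # single host, so never forward anything
    ipc -A input -i lo -j ACCEPT   # loopback is always fine
    # Packets on the outside interface claiming to come from this host,
    # loopback or private address space are spoofed: deny and log (-l).
    for net in "$MYIP" 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        ipc -A input -i "$IFACE" -s "$net" -j DENY -l
    done
    # Replies to connections we started: TCP without SYN (! -y) and
    # answers from DNS servers to our own lookups.
    ipc -A input -i "$IFACE" -p tcp ! -y -d "$MYIP" -j ACCEPT
    ipc -A input -i "$IFACE" -p udp --sport 53 -d "$MYIP" -j ACCEPT
    # ICMP needed for ping replies and path-MTU discovery to keep working.
    ipc -A input -i "$IFACE" -p icmp --icmp-type echo-reply -j ACCEPT
    ipc -A input -i "$IFACE" -p icmp --icmp-type destination-unreachable -j ACCEPT
    # The policy already denies the rest; this last rule logs the probes.
    ipc -A input -i "$IFACE" -j DENY -l
}

# rule_count: number of ipchains commands the policy issues (dry run).
rule_count() { (DRYRUN=1; build_rules) | grep -c '^ipchains '; }

case "$1" in
    show)  DRYRUN=1; build_rules ;;   # review the commands without applying
    apply) build_rules ;;             # needs root and the ipchains binary
esac
```

After running it with apply, save the result with ipchains-save > /etc/ipchains.rules so the packetfilter init script above restores it at boot.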