Firewall and Proxy Server HOWTO: Preparing the Linux system
6. Preparing the Linux system
Install as little of the Linux system as you can. My installation
started with a server configuration and then I turned off every unneeded
service in /etc/inetd.conf. For more security you should uninstall the
unneeded services.
Because most distributions don't come with a kernel useful for this
purpose, you will need to compile your own kernel. It is best if you do
this on a computer other than the firewall. If you do install a C compiler
and utilities on your firewall, remove them after you have completed
configuring your kernel.

6.1 Compiling the Kernel
Start with a clean minimal installation of your Linux distribution. The
less software you have loaded, the fewer holes, backdoors and/or bugs there
will be to introduce security problems in your server.
Pick a stable kernel. I am using kernel 2.2.13 for my system, so
this documentation is based on its settings.
You will need to recompile the Linux kernel with the appropriate
options. If you haven't recompiled your kernel before, you should read the
Kernel HOWTO, the Ethernet HOWTO, and the NET-2 HOWTO.
Here are the network related settings I know work. I have marked some
with a ?. If you will be using this feature, turn it on as well.
I use "make menuconfig" to edit my kernel settings.
<*> Packet socket
[ ] Kernel/User netlink socket
[*] Network firewalls
[ ] Socket Filtering
<*> Unix domain sockets
[*] TCP/IP networking
[ ] IP: multicasting
[*] IP: advanced router
[ ] IP: kernel level autoconfiguration
[*] IP: firewalling
[?] IP: always defragment (required for masquerading)
[?] IP: transparent proxy support
[?] IP: masquerading
--- Protocol-specific masquerading support will be built as modules.
[?] IP: ICMP masquerading
--- Protocol-specific masquerading support will be built as modules.
[ ] IP: masquerading special modules support
[*] IP: optimize as router not host
< > IP: tunneling
< > IP: GRE tunnels over IP
[?] IP: aliasing support
[*] IP: TCP syncookie support (not enabled per default)
--- (it is safe to leave these untouched)
< > IP: Reverse ARP
[*] IP: Allow large windows (not recommended if <16Mb of memory)
< > The IPv6 protocol (EXPERIMENTAL)
---
< > The IPX protocol
< > Appletalk DDP
< > CCITT X.25 Packet Layer (EXPERIMENTAL)
< > LAPB Data Link Driver (EXPERIMENTAL)
[ ] Bridging (EXPERIMENTAL)
[ ] 802.2 LLC (EXPERIMENTAL)
< > Acorn Econet/AUN protocols (EXPERIMENTAL)
< > WAN router
[ ] Fast switching (read help!)
[ ] Forwarding between high speed interfaces
[ ] CPU is too slow to handle full bandwidth
QoS and/or fair queueing --->

After making all the settings you need, you should recompile, reinstall
the kernel and reboot.
I use the command:
make dep;make clean;make bzlilo;make modules;make modules_install;init 6
to accomplish all of this in one step.


6.2 Configuring two network cards
If you have two network cards in your computer, you may need to add an
append statement to your /etc/lilo.conf file to describe the IRQ and
address of both cards. My lilo append statement looks like this:

append="ether=12,0x300,eth0 ether=15,0x340,eth1"



6.3 Configuring the Network Addresses
Now we arrive at the fun part of our setup. I'm not going to go deep
into how to set up a LAN. Read the Networking-HOWTO to solve your problems
here.
Your goal is to provide two network connections to your filtering
firewall system: one on the Internet (unsecured side) and one on the LAN
(secure side).
Anyway, you have a few decisions to make.

Will you use real IP numbers or make some up for your LAN?
Will your ISP assign the numbers or will you be using static IP
numbers?

Since you don't want the Internet to have access to your private
network, you don't need to use "real addresses". You could just make up
addresses for your private LAN. But this is not recommended. If data gets
routed out of your LAN, it might end up at another system's port.
There are a number of Internet address ranges set aside for private
networks. Of these, 192.168.1.xxx is set aside and we will use it in our
examples.
You will need to use IP masquerading to make this happen. With this
process the firewall will forward packets and translate them into "REAL"
IP addresses to travel on the Internet.
Using these non-routable IP addresses makes your network more secure.
Internet routers will not pass packets with these addresses.
You may want to read the IP Masquerading HOWTO at this point.
                 24.94.1.123   __________  192.168.1.1
   _/\__/\_                \  |          | /    _______________
  |        |                 \| Firewall |/    |               |
 /  Internet \----------------| System   |-----| Workstation/s |
  \_ _ _ _ _/                 |__________|     |_______________|
    \/ \/ \/

You must have a "real" IP address to assign to your Internet network
card. This address can be permanently assigned to you (a static IP
address) or it can be assigned at network connect time by the PPP process.

You assign your inside IP numbers, like 192.168.1.1 for the LAN card.
This will be your gateway IP address. You can assign all the other
machines in the protected network (LAN) a number in the 192.168.1.xxx
range (192.168.1.2 through 192.168.1.254).
I use RedHat Linux. To configure the network at boot time I added an
ifcfg-eth1 file in the /etc/sysconfig/network-scripts directory. You may
also find an ifcfg-ppp0 or ifcfg-tr0 in this directory. These 'ifcfg-'
files are used by RedHat to configure and enable your network devices at
boot time. They are named after the connection type.
Here is the ifcfg-eth1 (second Ethernet card) for our example:
DEVICE=eth1
IPADDR=192.168.1.1
NETMASK=255.255.255.0
NETWORK=192.168.1.0
BROADCAST=192.168.1.255
GATEWAY=24.94.1.123
ONBOOT=yes

If you are going to use a dialup connection you will need to look at
the ifcfg-ppp0 and the chat-ppp0 files. These control your PPP connection.
This ifcfg file might look like:
DEVICE="ppp0"
ONBOOT="yes"
USERCTL="no"
MODEMPORT="/dev/modem"
LINESPEED="115200"
PERSIST="yes"
DEFABORT="yes"
DEBUG="yes"
INITSTRING="ATZ"
DEFROUTE="yes"
HARDFLOWCTL="yes"
ESCAPECHARS="no"
PPPOPTIONS=""
PAPNAME="LoginID"
REMIP=""
NETMASK=""
IPADDR=""
MRU=""
MTU=""
DISCONNECTTIMEOUT=""
RETRYTIMEOUT="5"
BOOTPROTO="none"



6.4 Testing your network
Start by using the ifconfig and route commands. If you have two network
cards ifconfig should look something like:
# ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:1620 errors:0 dropped:0 overruns:0
          TX packets:1620 errors:0 dropped:0 overruns:0
          collisions:0 txqueuelen:0

eth0      Link encap:10Mbps Ethernet  HWaddr 00:00:09:85:AC:55
          inet addr:24.94.1.123  Bcast:24.94.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1000 errors:0 dropped:0 overruns:0
          TX packets:1100 errors:0 dropped:0 overruns:0
          collisions:0 txqueuelen:0
          Interrupt:12 Base address:0x310

eth1      Link encap:10Mbps Ethernet  HWaddr 00:00:09:80:1E:D7
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1110 errors:0 dropped:0 overruns:0
          TX packets:1111 errors:0 dropped:0 overruns:0
          collisions:0 txqueuelen:0
          Interrupt:15 Base address:0x350

and your route table should look like:
# route -n
Kernel routing table
Destination     Gateway         Genmask         Flags MSS    Window Use Iface
24.94.1.0       *               255.255.255.0   U     1500   0       15 eth0
192.168.1.0     *               255.255.255.0   U     1500   0        0 eth1
127.0.0.0       *               255.0.0.0       U     3584   0        2 lo
default         24.94.1.123     *               UG    1500   0       72 eth0

Note: 24.94.1.0 is the Internet side of this firewall and
192.168.1.0 is the private (LAN) side.
You should start by making sure every computer on your LAN can ping the
inside address of your firewall system (192.168.1.1 in this example). If
not, go over the NET-2 HOWTO again and work on the network some more.
Next, from the firewall, try to ping an Internet system. I use
www.internic.net as my test point. If it doesn't work, try a server at
your ISP. If this doesn't work, some part of your Internet connection is
wrong. You should be able to connect to anywhere on the Internet from
the firewall. Try looking at your default gateway setting. If you are
using a dialup connection, double check your user ID and password. Reread
the NET-2 HOWTO, and try again.
Now try to ping the outside address of the firewall (24.94.1.123) from
a computer on your LAN. This shouldn't work. If it does, you have
masquerading or IP forwarding turned on, or you already have some packet
filtering set. Turn them off and try again. You need to know that it is
your filtering that is in place.
For kernels newer than 2.1.102 you can issue the command:
echo "0" > /proc/sys/net/ipv4/ip_forward

If you are using an older kernel (WHY?) you will need to re-compile your
kernel with forwarding turned off. (Just upgrade.)
Try pinging the outside address of the firewall (24.94.1.123) again. It
shouldn't work.
Now turn on IP forwarding and/or masquerading. You should be able to
ping anywhere on the Internet from any system on your LAN.
echo "1" > /proc/sys/net/ipv4/ip_forward

BIG NOTE: If you are using "REAL" IP addresses on your LAN (not
192.168.1.*) and you can't ping the Internet but you CAN ping the Internet
side of your firewall, make sure your ISP is routing packets for your
private network address.
A test for this problem is to have someone else on the Internet (say a
friend using a local provider) use traceroute to your network. If the
trace stops at your provider's router, then they are not forwarding your
traffic.
It works? Great. The hard part is done. :-)
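As an added example (not part of the HOWTO), here is a shell script that walks through the checks above in order and verifies that the forwarding flag really is what the kernel reports, rather than trusting the echo. It assumes the addresses and test host used in this section (24.94.1.123, 192.168.1.1, www.internic.net) and the /proc file of a 2.2 kernel; IP_FORWARD_FILE is a hypothetical override so the forwarding helpers can be tried against an ordinary file.

```shell
#!/bin/sh
# Added example, not from the HOWTO. Assumes the section's addresses and a
# kernel with /proc/sys/net/ipv4/ip_forward; IP_FORWARD_FILE is a hypothetical
# override so the forwarding helpers can be exercised against any file.
IP_FORWARD_FILE=${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}
OUTSIDE=24.94.1.123          # Internet side of the firewall
INSIDE=192.168.1.1           # LAN side of the firewall
TESTHOST=www.internic.net    # the HOWTO's Internet test point

# Print the kernel's current forwarding flag (0 or 1).
forwarding_state() { cat "$IP_FORWARD_FILE"; }

# Write the flag and read it back, so a silently ignored write is reported.
set_forwarding() {
    echo "$1" > "$IP_FORWARD_FILE" || return 1
    [ "$(forwarding_state)" = "$1" ]
}

reachable() { ping -c 1 "$1" >/dev/null 2>&1; }

# Run on the firewall itself: forwarding must be off and the Internet reachable.
firewall_side_checks() {
    set_forwarding 0 || { echo "could not turn forwarding off"; return 1; }
    reachable "$TESTHOST" || { echo "no Internet from the firewall: check the default gateway or PPP login"; return 1; }
    echo "firewall side OK: forwarding off, $TESTHOST reachable"
}

# Run on a LAN workstation while forwarding is still off: the inside address
# must answer and the outside address must NOT. An answer from the outside
# address means forwarding, masquerading or leftover rules are active.
lan_side_checks() {
    reachable "$INSIDE" || { echo "cannot reach $INSIDE: fix the LAN first"; return 1; }
    if reachable "$OUTSIDE"; then
        echo "$OUTSIDE answered from the LAN with forwarding off: something is forwarding"
        return 1
    fi
    echo "LAN side OK: $INSIDE answers, $OUTSIDE does not"
}

case ${1:-} in
    firewall) firewall_side_checks ;;
    lan)      lan_side_checks ;;
    on)       set_forwarding 1 && echo "forwarding on: LAN hosts should now reach the Internet" ;;
esac
```

Run it as `sh check-net.sh firewall` on the firewall, `sh check-net.sh lan` on a workstation, and `sh check-net.sh on` only after both report OK.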


6.5 Securing the Firewall
A firewall isn't any good if the system it is built on is left wide
open to attacks. A "bad guy" could gain access to the firewall through a
non-firewall service and modify it for their own needs. You need to turn
off any unneeded services.
Look in your /etc/inetd.conf file. This file configures inetd, also
known as the "super server". It controls a bunch of the server daemons and
starts them as they are requested by a packet arriving at a "well known"
port.
You should turn off echo, discard, daytime, chargen, ftp, gopher,
shell, login, exec, talk, ntalk, pop-2, pop-3, netstat, systat, tftp,
bootp, finger, cfinger, time, swat and linuxconf if you have one.
To turn a service off, put # as the first character of the service
line. When you're done, send a SIGHUP to the process by typing "kill
-HUP <pid>", where <pid> is the process number of inetd.
This will make inetd re-read its configuration file (inetd.conf) and
restart without taking your system down.
Test this by telnetting to port 15 (netstat) on the firewall. If you get any
output you have not turned these services off.
telnet localhost 19
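As an added example (not the HOWTO's own script), the following shell functions comment out the services listed above in an inetd.conf, report anything from that list still enabled, and HUP inetd as described. They assume the classic inetd.conf layout (one service per line, service name in the first field, '#' starting a comment) and that pidof is available to find inetd; the file-name argument is there so the functions can be tried on a copy before touching /etc/inetd.conf.

```shell
#!/bin/sh
# Added example, not from the HOWTO. Assumes the classic inetd.conf layout:
# one service per line, service name in the first field, '#' starts a comment.
# Services the HOWTO says to turn off.
UNWANTED="echo discard daytime chargen ftp gopher shell login exec talk ntalk"
UNWANTED="$UNWANTED pop-2 pop-3 netstat systat tftp bootp finger cfinger time swat linuxconf"

# Print the name of every service that is still enabled in the given file.
enabled_inetd_services() {
    awk 'NF && substr($1, 1, 1) != "#" { print $1 }' "$1"
}

# Comment out each line whose service name is in the list that follows the
# file name. The result goes to a temp file first and is then moved into
# place, so an interrupted run cannot leave a truncated inetd.conf behind.
disable_inetd_services() {
    conf=$1; shift
    tmp="$conf.tmp.$$"
    awk -v list="$*" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        NF && substr($1, 1, 1) != "#" && ($1 in off) { print "#" $0; next }
        { print }' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Return 0 if none of the unwanted services is enabled, 1 (naming the first
# offender on stderr) otherwise. Use it after editing and again after a reboot.
check_hardened() {
    for svc in $(enabled_inetd_services "$1"); do
        for bad in $UNWANTED; do
            [ "$svc" = "$bad" ] && { echo "still enabled: $svc" >&2; return 1; }
        done
    done
    return 0
}

# Make the running inetd re-read its configuration (kill -HUP, as in the text).
# pidof is assumed to be present, as it is on RedHat.
reload_inetd() {
    pids=$(pidof inetd) || { echo "inetd is not running" >&2; return 1; }
    kill -HUP $pids   # unquoted on purpose: pidof may list several pids
}
```

A typical run is `disable_inetd_services /etc/inetd.conf $UNWANTED && check_hardened /etc/inetd.conf && reload_inetd`, followed by the telnet test from the text.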
You can also create the file /etc/nologin. Put a few lines of text in it
like (BUZZ OFF). When this file exists, login will not allow users to
log on. They will see the contents of this file and their logins will be
refused. Only root can log on.
You can also edit the file /etc/securetty. If the user is root, then
the login must be occurring on a tty listed in /etc/securetty. Failures
will be logged with the syslog facility. With both of these controls in
place the only way to log on to the firewall will be as root from the
console.
NEVER EVER TELNET to a system and log IN AS ROOT. If you need remote
root access, use SSH (Secure Shell). You might even turn off telnet.
If you are really paranoid you need to be using LIDS (Linux Intrusion
Detection System). It is an intrusion detection system patch for the Linux
kernel; it can protect important files from being changed. When it's in
effect, no one (including root) can change the protected files or
directories and their sub-directories. You have to reboot the system with
a security=1 LILO setting to modify secure files. (I'd also boot into
single user mode.)


Maintained by: Webmaster, Linux Online Inc. Last modified: 14-Mar-2000 09:50AM.
Material copyright Linux Documentation Project. Design and compilation copyright ©1994-2000 Linux Online Inc.