Welcome to Notes on setting up a firewall using Debian 2.2 and Kernels 2.4.xx
________________________________________
Here are the basic steps to setting up a firewalling computer
1) Setup the ethernet cards (NIC's).
2) Edit /etc/lilo.conf (as needed)
3) Setup the file /etc/init.d/network.
4) Setup the file /etc/resolv.conf.
5) Setup the file /etc/hosts.conf.
6) Setup the file /etc/hostname.
7) finish Setting up in /etc/init.d/inetd
8) Compiling in the forwarding and IMASQ support into the kernel (see the ipmasq howto for more details)
9) Additional work for a modem
Ethernet - Debian 2.1/2.2
Network Card (NIC)
Start by editing /etc/modutils and add NIC modules one per line eg.
tulip
3c509
Now reboot using one of these commands:init 6 or reboot or shutdown -r now
Modular Kernel
Modconf is now available in 2.4.5 kernels
Enabling IP forwarding
Now for Debian 2.0/1/2 we probably need to turn ip_forwarding on, check with this line first,
cat /proc/sys/net/ipv4/ip_forward
if this returns 1 then forwarding is already on if it returns 0 then you need to cd /etc/networks and open options eg nano options,
change ipforward=no to yes so IPforwarding will be available after boot. Now reboot to check ipforwarding is on.
Firewalling script for a firewall
Generally you want ip_forwarding and the firewall scripts to be available automatically at boot, to do this we create a firewall script.
First cd to /etc/init.d then type touch nat-fw-up followed by chmod 0755 nat-fw-up This creates an empty file ready to fill woth firewall rules.
Generally we want the firewall rules to start after everything else, so therefore type, update-rc.d nat-fw-up start 99 2 3 4 5 . (note the . on the end).
This puts a symbolic link from nat-fw-up to the run levels 2, 3, 4 & 5 so the firewall rules start when ever one of the 4 run levels is entered.
99 means that this will be one of the last rules started (01 would be one of the first).
nat-fw-up
Now to construct the firewall script, first start ip_forward, then allow NAT (Network Address Translation) finally firewall rulesets to protect the firewall and the computers behind it.
It should be noted that most iptable modules will load when the kernel detects the modules are called for however these can be called manually.
My script below has 3 network cards, therefore normally ignore lines for inner_nic2/eth2/inner_nw2.
#!/bin/bash
#iptables firewall script
#rev 2 17/06/01
#rev 3 20/11/01 ipsec input rules added and tightened
#rev 4 8/12/01 Rule to allow netbios over ipsec added.
#rev 5 8/12/01 tidy up some unclean & invalid etc with rules
#individual port forwarding
#www
#iptables -A PREROUTING -t nat -p tcp -i $outer_nic --dport 80 \
#-j DNAT --to $web
#smtp
#iptables -A PREROUTING -t nat -p tcp -i $outer_nic --dport 25 \
#-j DNAT --to $smtp
#ident
#iptables -A PREROUTING -t nat -p tcp -i $outer_nic --dport 113 \
#-j DNAT --to $ident
#--to $ident
iptables -A PREROUTING -t nat -i eth0 -d $inner_nw1 -j Drop
#iptables -A PREROUTING -t nat -i eth0 -d $inner_nw2 -j Drop
echo "no portfw started"
#echo "portfw started"
#forward rules
iptables -t nat -A POSTROUTING -s $inner_nw1 -o $outer_nic -j MASQUERADE
#iptables -t nat -A POSTROUTING -s $inner_nw1 -o inner_nic2 \
#-j MASQUERADE
iptables -A FORWARD -i $inner_nic1 -j ACCEPT
#iptables -A FORWARD -i $inner_nic2 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#ipsec rule for NETBIOS/SAMBA over the tunnel
iptables -A FORWARD -i ipsec0 -j ACCEPT
#clean up a bad syn which needs a specific rule
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j Drop
#clean these up as well
iptables -A FORWARD -m state --state INVALID -j Drop
iptables -A FORWARD -m unclean -j Drop
#Final default policy
iptables -P FORWARD Drop
echo "FORWARD rules now in place"
#INPUT rules
#specific ipsec lines
iptables -A INPUT -s $lh_fwall -p udp --dport 500 -j ACCEPT
iptables -A INPUT -s $lh_fwall -p 50 -j ACCEPT
iptables -A INPUT -s $lh_fwall -p 51 -j ACCEPT
echo "ipsec rules in place"
#general
iptables -A INPUT -p tcp --syn --dport 22 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! $outer_nic -j ACCEPT
#allow ping replies (may not be desired)
iptables -A INPUT -p icmp -s 0/0 --icmp-type echo-request -j ACCEPT
iptables -P INPUT Drop
echo "INPUT rules now in place"
#limit logging levels to save clutter and /var from being swamped
#iptables -A FORWARD -m limit --limit 3/m -j LOG
#iptables -A FORWARD -j LOG
echo "log limiting in place"
#specific defence rules eg DoS attacks
#syn-flood protection
iptables -A FORWARD -p tcp --syn -m limit -j ACCEPT
#furtive port scanner
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit
#ping of death
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit
echo "DoS defences setup"
exit
This is a basic setup and probably needs further work, however after tests with nmap and various other attacks it does look secure.
Firewalling script for a host
*************NB*****THIS****HAS***NOT****BEEN****TESTED****YET!**********
Generally you want ip_forwarding turned off and the firewall scripts to be available automatically at boot,
to do this we create a firewall script and make sure forwarding is off in /etc/network/options.
First cd to /etc/init.d then type touch nat-fw-up followed by chmod 0755 nat-fw-up This creates an empty file ready to fill woth firewall rules.
Generally we want the firewall rules to start after everything else, so therefore type, update-rc.d nat-fw-up start 99 2 3 4 5 . (note the . on the end).
This puts a symbolic link from nat-fw-up to the run levels 2, 3, 4 & 5 so the firewall rules start when ever one of the 4 run levels is entered.
99 means that this will be one of the last rules started (01 would be one of the first).
nat-fw-up
#!/bin/bash
#NAT iptables rule
#NB this script is not secure its still being worked on!
#ssj 6/10/01
#NB this has not been tested yet! its an example!
#setup some constants
outer_nic="eth0"
echo "firewall constants setup"
#load any modules needed for connection tracking
#allow passive ftp
/sbin/modprobe ip_conntrack_ftp
echo "started connection tracking"
#FORWARD rules
iptables -P FORWARD Drop
echo "FORWARD rules now in place."
#INPUT rules
#allow ssh to the firewall from any NIC
iptables -A INPUT -p tcp --syn --dport 22 -j ACCEPT
#enable these as needed for services (some may need to be tcp and udp eg Netbios)
#iptables -A INPUT -p tcp --syn --dport 25 -j ACCEPT
#iptables -A INPUT -p tcp --syn --dport 80 -j ACCEPT
#iptables -A INPUT -p tcp --syn --dport 110 -j ACCEPT
#iptables -A INPUT -p tcp --syn --dport 113 -j ACCEPT
#iptables -A INPUT -p tcp --syn --dport 137 -j ACCEPT
#iptables -A INPUT -p tcp --syn --dport 138 -j ACCEPT
#iptables -A INPUT -p tcp --syn --dport 139 -j ACCEPT
#iptables -A INPUT -p tcp --syn --dport 143 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow ping replies (may not be wanted)
iptables -A INPUT -p ICMP -s 0/0 --icmp-type echo-request -j ACCEPT
iptables -P INPUT Drop
echo "INPUT rules now in place."
#limit logging levels
iptables -A FORWARD -m limit -j LOG
echo "log limiting in place"
#specific defence rules eg DoS attacks
#syn-flood protection
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
#furtive port scanner
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit \
--limit 1/s -j ACCEPT
#ping of death
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit \
--limit 1/s -j ACCEPT
echo "Dos defences set up."
exit
Copyright Thing 8/12/2001 to be used freely without restriction,
however if this page is copied to your own web site please drop me a line with the URL - thanks.
The Debian logo is a trademark of Debian, who in no way endorse or take responsibility for information on this site.
QQ群⑧:
窥视卡
雷达卡
发表于 2018-5-16 07:19:44
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡