Fwiptables firewall setup script by Mike Gahagan

This script is provided as a free community service by the author. NEITHER RED HAT NOR THE AUTHOR PROVIDE ANY TYPE OF WARRANTY OR TECHNICAL SUPPORT FOR THIS SCRIPT!! Please feel free however to email me any comments, bug reports or suggestions you might have.

Description: sets up a basic firewall ruleset using iptables. Will also provide IP Masquerading and transparent proxy support. This script was developed on a Red Hat 7.2 system and should work with Red Hat Linux 7.1 or later. It should be possible to get this working on any 2.4 based Linux distribution; however, only Red Hat has been tested. This script uses IPTABLES to protect a small network. It is considered to be 'medium-light' secure.

NO WARRANTY

This script is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY, without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License (http://www.gnu.org/copyleft/gpl.html) for more details.

Instructions PLEASE READ!!

This script is for setting up a medium-light secure firewall to protect machines on a LAN from outside attacks while giving those machines access to the Internet. Please be aware that a properly configured firewall is only part of what is needed to secure a network. If you are unfamiliar with topics relating to system or network security, please consult appropriate documentation BEFORE using this script.

CONFIGURATION FILE OPTIONS

Fwiptables.conf is read by fwiptables on startup to gather configuration information. It is imperative that you set up this file correctly to avoid problems or possible security vulnerabilities. The file uses the typical OPTION="value" syntax. It is very important that you do not place white space around the "=" sign. All values should be in double quotes (""). Separate multiple values with a single space.
See examples below:

    MAKE_ME_WORK="TRUE"
    3_STOOGES="curley moe larry"

IPTABLES - This is the absolute pathname to the iptables binary. The default of "/sbin/iptables" should be sufficient.

INET_DYN_IP - If you receive your public Internet IP address via DHCP, set this to "TRUE" (default), otherwise set to "FALSE". This will open the UDP port needed for your DHCP leases to renew properly.

LAN_IFACE - The network interface your LAN is connected to. Default is "eth1".

LAN_NETWORK - The network address of your LAN in the format "www.xxx.yyy.zzz/nnn.nnn.nnn.nnn". Default is "192.168.1.0/255.255.255.0".

INET_IFACE - The network interface you have connected to the public Internet. Default is "eth0".

TCP_ALLOW - TCP ports to open to the public Internet. Multiple port numbers are permitted.

UDP_ALLOW - UDP ports to open to the public Internet. Multiple port numbers are permitted.

REJECT_AUTH - Rejects connections to the auth/ident port (113/TCP) with a TCP reset. This prevents services like mail from hanging while waiting for an identd response which most likely will not happen. The default of "TRUE" is recommended for most configurations.

DENY - Specifies what to do with packets that are not allowed. You may choose to "DROP" unwanted packets (default) or "REJECT" them. The difference is that REJECT will send an ICMP message back to the host which sent the packet telling it that the connection was refused. DROP causes the firewall to ignore the connection attempt while sending nothing back to the host.

DENY_IPS - List any IP addresses you do not want connecting to any service on your network. This includes the LAN as well as the Internet. Default is none.

TRANS_PROX - Set this to "TRUE" if you are running an HTTP proxy server on the firewall and wish to forcibly redirect all web traffic to it. Read the section "TRANSPARENT PROXY SUPPORT" before attempting to use this option.
The default is "FALSE".

TRANS_PROX_PORT - The port number your transparent proxy server is actually listening on. This option is ignored if TRANS_PROX is not set to "TRUE". The default is "3128".

IP_MASQ - Set to "TRUE" (default) if you want to IP Masquerade (NAT) your private LAN addresses to the Internet, i.e. share your Internet connection with the systems on your LAN. Read the section on IP MASQUERADING.

FW_DEBUG - Set to "TRUE" to see lots of extra debugging information, handy if you are having problems getting things to work properly. Default is "FALSE".

ALLOW_ICMP - Allow your firewall to receive ICMP packets from the public Internet. Default is "TRUE" and is recommended.

LIMIT_ICMP - Limits the type of ICMP messages and the rate at which the firewall will accept them. ALLOW_ICMP must be set to "TRUE" for this option to have any effect. Please read the "ICMP CONFIGURATION" section. The default is "TRUE" and is recommended.

FWLOG - Turns on logging of denied packets. The default is "TRUE". Read the section on "PACKET LOGGING".

LIMIT_LOG - Limits the rate packets are logged to syslog to 1/sec with a burst of 3. If you log to syslog, the default of "TRUE" is recommended.

LOG_TYPE - Sets how you log packets: "SYSLOG" or "QUEUE". The default of "SYSLOG" is recommended.

LOG_IGNORE_IP - Do not log any denied packets matching these IPs or subnets.

LOG_IGNORE_TCP - Do not log packets coming from or going to these TCP ports.

LOG_IGNORE_UDP - Do not log packets coming from or going to these UDP ports.

LOG_IGNORE_ICMP - Set this to "TRUE" if you do not wish to log ICMP packets.

ALLOWING OUTSIDE ACCESS TO SERVICES ON THE FIREWALL

You may allow outside (public) access to services on the firewall by specifying the appropriate TCP and UDP ports in double quotes, separated by spaces, in the user-configurable variables TCP_ALLOW and UDP_ALLOW. Consult the file /etc/services for TCP and UDP ports used by most common network services.
TRANSPARENT PROXY SUPPORT

If you are running a proxy server on the firewall and wish to force all web browser traffic on the LAN through that proxy server, you will want to set the value of TRANS_PROX to TRUE. You also need to set TRANS_PROX_PORT to the port number your proxy server listens for connections on. This option is known to work with Squid once Squid is properly configured to work as a transparent proxy. It is likely that other proxy servers will work provided they support transparent proxying and are properly configured. It is important to realize that the browsers have no idea they are going through a proxy, so DNS lookups will have to go directly to a DNS server either on the LAN or on the Internet through IP Masquerading. Also, this will not work unless the destination web site is on port 80, and it is not possible to use a transparent proxy with HTTPS.

ICMP CONFIGURATION

The variables ALLOW_ICMP and LIMIT_ICMP allow one to control how the firewall handles ICMP packets coming from the Internet connected interface. Any setting other than TRUE is considered false.

ALLOW_ICMP = FALSE ; will disallow all incoming ICMP, LIMIT_ICMP will be ignored.
ALLOW_ICMP = TRUE, LIMIT_ICMP = FALSE ; allow all ICMP packets without restrictions.
ALLOW_ICMP = TRUE, LIMIT_ICMP = TRUE ; limit echo-request, echo-reply, destination-unreachable, ttl-exceeded, parameter-problem to 1 per second with a burst of 2. Recommended setting for most configurations.

THE AUTH SERVICE

The auth service, also known as ident, is a service often used to verify the identity of a user running a particular process. This service, although not exploitable directly, can be used to gather information about the system which could make it easier to compromise. Setting REJECT_AUTH to TRUE will prevent services which send an auth request from hanging.
If you wish to allow machines on the Internet to connect to the auth port on your firewall, you should allow access to TCP/UDP 113 and set REJECT_AUTH to "FALSE".

PACKET LOGGING

Fwiptables can log dropped packets either to syslog(8) or the iptables QUEUE target. The logs may then be analyzed by the many log analysis programs out there. Please note that public networks are often very "noisy", so seeing logged packets is not necessarily an indicator that someone is attempting to compromise your system. Systems such as routers and DHCP servers are notoriously chatty. There are several logging options which can help keep these irrelevant messages out of your logs.

1.) First of all, if you don't really care about logging, just turn it off by setting FWLOG to FALSE. This causes all other logging options to be ignored.

2.) LIMIT_LOG limits the rate of log messages sent by the kernel to syslog(8). It is recommended that you use this option to protect your system from possible DoS attacks. This has no effect with the "QUEUE" log type.

3.) The LOG_IGNORE options set rules which prevent certain types of packets from being logged, useful to reduce clutter in your log files. IP addresses may be listed as individual IPs (xxx.xxx.xxx.xxx) or network addresses in the form xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy. LOG_IGNORE_ICMP only accepts TRUE or FALSE.

LOG_TYPE allows you to choose between QUEUE or SYSLOG. QUEUE is a target type available to iptables which sends the entire packet(s) to a target which can be read by applications such as 'pdumpq'. Often these logs would be passed off to a program like Snort for further analysis or for logging into a SQL database. If you are just looking for a simple way to log packets, just use SYSLOG.

IP MASQUERADING

IP Masquerading is a type of many-to-one Network Address Translation (NAT) which has been around in Linux for years. In a nutshell, it allows a number of machines on a LAN to use the Internet through one Internet IP address.
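To show how the ICMP CONFIGURATION and PACKET LOGGING options above turn into iptables rules, here is an added example (my own code, not the fwiptables script itself); the chain name LOGDROP and the "fwiptables: " log prefix are assumptions. With IPTABLES left at its default of "echo iptables" the functions print the rules instead of installing them.

```shell
# Added example (not the fwiptables script itself): the ICMP and logging options
# above as iptables rules. IPTABLES="echo iptables" prints instead of applying.
IPTABLES="${IPTABLES:-echo iptables}"
INET_IFACE="${INET_IFACE:-eth0}"
DENY="${DENY:-DROP}"
LOGCHAIN="${LOGCHAIN:-LOGDROP}"   # assumed name of the chain denied packets jump to

# Inbound ICMP on the Internet interface; any value other than TRUE is false.
icmp_rules() {
    if [ "$ALLOW_ICMP" != "TRUE" ]; then
        $IPTABLES -A INPUT -i "$INET_IFACE" -p icmp -j "$DENY"
    elif [ "$LIMIT_ICMP" != "TRUE" ]; then
        $IPTABLES -A INPUT -i "$INET_IFACE" -p icmp -j ACCEPT
    else
        # The five types the README lists at 1/s, burst 2; all other types denied.
        for t in echo-request echo-reply destination-unreachable \
                 ttl-exceeded parameter-problem; do
            $IPTABLES -A INPUT -i "$INET_IFACE" -p icmp --icmp-type "$t" \
                -m limit --limit 1/s --limit-burst 2 -j ACCEPT
        done
        $IPTABLES -A INPUT -i "$INET_IFACE" -p icmp -j "$DENY"
    fi
}

# Deny chain: LOG_IGNORE_* matches are denied silently, everything else is logged
# (rate limited when LIMIT_LOG is TRUE) and then denied; LOG is non-terminating.
log_rules() {
    if [ "$FWLOG" = "TRUE" ]; then
        for ip in $LOG_IGNORE_IP; do
            $IPTABLES -A "$LOGCHAIN" -s "$ip" -j "$DENY"
        done
        for proto in tcp udp; do
            [ "$proto" = tcp ] && ports="$LOG_IGNORE_TCP" || ports="$LOG_IGNORE_UDP"
            for p in $ports; do
                $IPTABLES -A "$LOGCHAIN" -p "$proto" --sport "$p" -j "$DENY"
                $IPTABLES -A "$LOGCHAIN" -p "$proto" --dport "$p" -j "$DENY"
            done
        done
        [ "$LOG_IGNORE_ICMP" = "TRUE" ] && $IPTABLES -A "$LOGCHAIN" -p icmp -j "$DENY"
        if [ "$LOG_TYPE" = "QUEUE" ]; then
            $IPTABLES -A "$LOGCHAIN" -j QUEUE     # LIMIT_LOG has no effect here
        elif [ "$LIMIT_LOG" = "TRUE" ]; then
            $IPTABLES -A "$LOGCHAIN" -m limit --limit 1/s --limit-burst 3 -j LOG --log-prefix "fwiptables: "
        else
            $IPTABLES -A "$LOGCHAIN" -j LOG --log-prefix "fwiptables: "
        fi
    fi
    $IPTABLES -A "$LOGCHAIN" -j "$DENY"
}
```

To apply the rules for real, run as root with IPTABLES=/sbin/iptables and make sure the LOGDROP chain exists and is the target the script's deny rules jump to.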
There are several issues with using NAT you should be aware of:

1.) There will be a slight performance loss, although you are likely to saturate your Internet connection long before it becomes an issue.

2.) Machines on the Internet will not be able to connect to any services on the machines behind the firewall. From a security perspective this is a good thing, but if you want to run services on machines behind the firewall you will have to set up port forwarding.

3.) There are some network protocols or applications which do not work with this type of NAT; however, the most common uses such as web surfing, email and instant messaging typically work very well.

4.) Use private IP addresses on your LAN. This prevents IP address conflicts as well as problems connecting to parts of the Internet from your internal network. 192.168.x.x and 10.x.x.x are the two most commonly used private netblocks.

5.) You will need to enable IP forwarding in the Linux kernel for NAT to work.

INSTALLATION

1.) Place 'fwiptables' in /etc/rc.d/init.d.

2.) Make the script executable and configure your system to run this script at bootup by running the commands below.

    chkconfig --add fwiptables --level 2345

Make sure the script's executable bits are set. This can be done with

    chmod u+x fwiptables

Usage: fwiptables {start|stop|status|restart}

3.) Place the file 'fwiptables.conf' in the /etc/sysconfig directory.

4.) Modify fwiptables.conf to suit your needs and your network environment.

Note: downloading this script to a Windows machine then copying it over to a Linux machine may result in problems due to formatting differences between DOS/Windows text files and Unix text files. The utility "dos2unix" can correct this once the script is on a Linux machine.

Things to watch out for when using the script:

a.) Networking must already be up before starting the script. If networking is not up, the script will fail with an error.
Note there will be a short period of time where networking is up but the firewall hasn't started.

b.) Ensure that the box being the firewall can access the Internet and the LAN via the appropriate network interfaces before attempting to use this script.

c.) Due to the fact that DHCP clients (i.e. pump) aren't too good about reporting a change in IP of the Internet interface of the firewall, Internet access may be blocked until this script is restarted. Wherever practical, this script is designed to control packets based on interface rather than IP addresses.

d.) This script is an example and is provided as a community service. It is targeted for a small LAN (a single subnet). It is not guaranteed to be secure, though it should provide reasonable protection for a home user or small network.

e.) This script uses iptables and requires a 2.4 kernel. Although the 2.4 kernel does support ipchains, you may not use ipchains and iptables at the same time. Make sure you do not have any ipchains modules loaded before attempting to run this script. If you wish to use ipchains or are using a 2.2 kernel, DO NOT use this script. Red Hat provides an example firewall script based on ipchains.

f.) This script does not attempt to check or set any run-time kernel parameters required for features such as masquerading. Make sure those parameters are properly set prior to running this script. You will probably want these options set in /etc/sysctl.conf (run 'sysctl -p' after making changes):

    # enables packet forwarding - you want this on for IP Masquerading to work
    net.ipv4.ip_forward = 1
    # Enables source route verification
    net.ipv4.conf.all.rp_filter = 1
    net.ipv4.conf.default.rp_filter = 1
    # log martian packets
    net.ipv4.conf.all.log_martians = 1
    net.ipv4.conf.default.log_martians = 1

g.) This script does not attempt to load any kernel modules which may be required for certain configurations; you may need to load some kernel modules for certain types of traffic (i.e. FTP) to work properly.
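For items e.) and f.) above, an added pre-flight check (my own example, not part of fwiptables) that reads the five sysctl values through /proc and looks for a loaded ipchains module before the firewall is started. SYSROOT is an assumed knob so that a constructed fake /proc tree can stand in for a real one when trying it out.

```shell
# Added example, not part of fwiptables: a pre-flight check for items e.) and
# f.) above. SYSROOT (assumed, default "/") lets it be pointed at a copy of
# /proc so the check can be exercised without root or a live 2.4 kernel.
SYSROOT="${SYSROOT:-/}"

# Prints one line per problem; returns 0 only when every sysctl from item f.)
# reads 1 and no ipchains module is loaded (item e.).
fw_preflight() {
    rc=0
    for key in net/ipv4/ip_forward \
               net/ipv4/conf/all/rp_filter net/ipv4/conf/default/rp_filter \
               net/ipv4/conf/all/log_martians net/ipv4/conf/default/log_martians; do
        f="$SYSROOT/proc/sys/$key"
        name=$(echo "$key" | tr / .)
        if [ ! -r "$f" ]; then
            echo "$name: cannot read $f"; rc=1
        elif [ "$(cat "$f")" != "1" ]; then
            echo "$name = $(cat "$f"), expected 1 (see /etc/sysctl.conf)"; rc=1
        fi
    done
    if grep -q '^ipchains[[:space:]]' "$SYSROOT/proc/modules" 2>/dev/null; then
        echo "ipchains module is loaded; unload it before starting fwiptables"; rc=1
    fi
    return $rc
}

# Constructed fake /proc tree for demonstration (not a real system).
# $1 = root dir, $2 = ip_forward value, $3 = contents of /proc/modules
make_fake_proc() {
    mkdir -p "$1/proc/sys/net/ipv4/conf/all" "$1/proc/sys/net/ipv4/conf/default"
    echo "$2" > "$1/proc/sys/net/ipv4/ip_forward"
    for c in all default; do
        echo 1 > "$1/proc/sys/net/ipv4/conf/$c/rp_filter"
        echo 1 > "$1/proc/sys/net/ipv4/conf/$c/log_martians"
    done
    printf '%s\n' "$3" > "$1/proc/modules"
}
```

On the firewall itself, leave SYSROOT unset and call fw_preflight from the start action before any rules are loaded.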