Install as little of the Linux system as you can. My installation started with a server configuration and then I turn off ever un-needed service in /etc/inetd.conf. For more security you should uninstall the unneeded service.
Because most distributions don't dome with a kernel usefull to your perpose. You will need to compile your own kernal. It is best if you do this on a computer other then the firewall. If you do install a C compiler and utilities on your firewall, remove them after you have completed comfiguring your kernel.
6.1 Compiling the Kernel
Start with a clean minimal installation of your Linux distribution. The less software you have loaded the less holes, backdoors and/or bugs there will be to introduce security problems in your server.
Pick a stable kernel. I am using kernel 2.2.13 kernel for my system. So this documentation is based on it's settings.
You well need to recompile the Linux kernel with the appropriate options. If you haven't recompiled your kernel before you should read the Kernel HOWTO, the Ethernet HOWTO, and the NET-2 HOWTO.
Here are the network related setting I know work. I have marked some with a ?. If you will be using this feature, turn it on as well.
I use "make menuconfig" to edit my kernel settings.
<*> Packet socket
[ ] Kernel/User netlink socket
[*] Network firewalls
[ ] Socket Filtering
<*> Unix domain sockets
[*] TCP/IP networking
[ ] IP: multicasting
[*] IP: advanced router
[ ] IP: kernel level autoconfiguration
[*] IP: firewalling
[?] IP: always defragment (required for masquerading)
[?] IP: transparent proxy support
[?] IP: masquerading
--- Protocol-specific masquerading support will be built as modules.
[?] IP: ICMP masquerading
--- Protocol-specific masquerading support will be built as modules.
[ ] IP: masquerading special modules support
[*] IP: optimize as router not host
< > IP: tunneling
< > IP: GRE tunnels over IP
[?] IP: aliasing support
[*] IP: TCP syncookie support (not enabled per default)
--- (it is safe to leave these untouched)
< > IP: Reverse ARP
[*] IP: Allow large windows (not recommended if <16Mb of memory)
< > The IPv6 protocol (EXPERIMENTAL)
---
< > The IPX protocol
< > Appletalk DDP
< > CCITT X.25 Packet Layer (EXPERIMENTAL)
< > LAPB Data Link Driver (EXPERIMENTAL)
[ ] Bridging (EXPERIMENTAL)
[ ] 802.2 LLC (EXPERIMENTAL)
< > Acorn Econet/AUN protocols (EXPERIMENTAL)
< > WAN router
[ ] Fast switching (read help!)
[ ] Forwarding between high speed interfaces
[ ] PU is too slow to handle full bandwidth
QoS and/or fair queueing --->
After making all the setting you need you should recompile, reinstall the kernel and reboot.
I use the command:
make dep;make clean;make bzlilo;make modules;make modules_install;init 6 to accomplish all of this in one step.
6.2 Configuring two network cards
If you have two network cards in your computer, you may need to add an append statement to your /etc/lilo.conf file to describe the IRQ and address of both cards. My lilo append statement looks like this:
append="ether=12,0x300,eth0 ether=15,0x340,eth1"
6.3 Configuring the Network Addresses
Now we arrive at the fun part of our setup. I'm not going to go deep into how to setup a LAN. Read the Networking-HOWTO to solve your problems here.
Your goal is to provide two network connection to your filtering firewall system. One on the Internet (unsecured side) and one on the LAN (secure side).
Anyway, you have a few decisions to make.
1. Will you use Real IP number or Make some up for your LAN.
2. Will your ISP assign the number or will you be using static IP numbers?
Since you don't want the internet to have access to your private network, you don't need to use "real addresses". You could just makeup addresses for your private LAN. But this is not recommended. If data gets routed out of your LAN, it might end up at another systems port.
There are a number of Internet address ranges set aside for private networks. Of these, 192.168.1.xxx, is set aside and we will use it in our examples.
You will need to use IP masquerading to make this happen. With this process the firewall will forward packets and translate them into "REAL " " IP address to travel on the Internet.
Using these non-routable IP address makes your network is more secure. Internet routers will not pass packets with these addresses.
You may want to read the IP Masquerading HOWTO at this point.
24.94.1.123 __________ 192.168.1.1
_/\__/\_ \ | | / _______________
| | \| Firewall |/ | |
/ Internet \--------| System |------------| Workstation/s |
\_ _ _ _/ |__________| |_______________|
\/ \/ \/
You must have a "real" IP address to assign to your Internet network card. This address can be permanently assigned to you. (A static IP address) or it can be assigned at network connect time by the PPP process.
You assign your inside IP numbers. Like 192.168.1.1 to the LAN card. This will be your gateway IP address. You can assign all the other machines in the protected network (LAN) a number in the 192.168.1.xxx range. (192.168.1.2 through 192.168.1.254)
I use RedHat Linux. To configure the network at boot time I added a ifcfg-eth1 file in the /etc/sysconfig/network-scripts directory. You may also find a ifcfg-ppp0 or ifcfg-tr0 in this directory. These 'ifcfg-' files are used by RedHat to configure and enable your network devices at boot time. The are named after the connection type.
Here is the ifcfg-eth1 (second ehternet card) for our example;
DEVICE=eth1
IPADDR=192.168.1.1
NETMASK=255.255.255.0
NETWORK=192.168.1.0
BROADCAST=192.168.1.255
GATEWAY=24.94.1.123
ONBOOT=yes
If you are going to use a dialup connection you will need to look at the ifcfg-ppp0 and the chat-ppp0 file. These control your PPP connection.
This ifcfg file might look like;
DEVICE="ppp0"
ONBOOT="yes"
USERCTL="no"
MODEMPORT="/dev/modem"
LINESPEED="115200"
PERSIST="yes"
DEFABORT="yes"
DEBUG="yes"
INITSTRING="ATZ"
DEFROUTE="yes"
HARDFLOWCTL="yes"
ESCAPECHARS="no"
PPPOPTIONS=""
PAPNAME="LoginID"
REMIP=""
NETMASK=""
IPADDR=""
MRU=""
MTU=""
DISCONNECTTIMEOUT=""
RETRYTIMEOUT="5"
BOOTPROTO="none"
6.4 Testing your network
Start by using the ifconfig and route commands. If you have two network cards ifconfig should look something like:
#ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3924 Metric:1
RX packets:1620 errors:0 dropped:0 overruns:0
TX packets:1620 errors:0 dropped:0 overruns:0
collisions:0 txqueuelan:0
eth0 Link encap:10Mbps Ethernet HWaddr 00:00:09:85:AC:55
inet addr:24.94.1.123 Bcast:24.94.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1000 errors:0 dropped:0 overruns:0
TX packets:1100 errors:0 dropped:0 overruns:0
collisions:0 txqueuelan:0
Interrupt:12 Base address:0x310
eth1 Link encap:10Mbps Ethernet HWaddr 00:00:09:80:1E:D7
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1110 errors:0 dropped:0 overruns:0
TX packets:1111 errors:0 dropped:0 overruns:0
collisions:0 txqueuelan:0
Interrupt:15 Base address:0x350
and your route table should look like:
#route -n
Kernel routing table
Destination Gateway Genmask Flags MSS Window Use Iface
24.94.1.0 * 255.255.255.0 U 1500 0 15 eth0
192.168.1.0 * 255.255.255.0 U 1500 0 0 eth1
127.0.0.0 * 255.0.0.0 U 3584 0 2 lo
default 24.94.1.123 * UG 1500 0 72 eth0
Note: 24.94.1.0 is the Internet side of this firewall and 192.168.1.0 is the private (LAN) side.
You should start by making sure every computer on your LAN can ping the inside address of your firewall system. (192.168.1.1 in this example) If not, go over the NET-2 HOWTO again and work on the network some more.
Next, from the firewall, try to ping a Internet system. I use www.internic.net as my test point. If it doesn't work, try a server at your ISP. If this doesn't work some part of your Internet connection is wrong. You should be able to connect to the anywhere on the Internet from the firewall. Try looking at your default gateway setting. If you are using a dialup connection double check your user ID and Password. Reread the Net-2 HOWTO, and try again.
Now try to ping the outside address of the firewall (24.94.1.123) from a computer on your LAN. This shouldn't work. If it does, you have masquerading or IP Forwarding turned on, or you already have some packet filtering set. Turn them off and try again. You need to know the filtering is in place.
For kernels newer then 2.1.102 you can issue the command;
echo "0" > /proc/sys/net/ipv4/ip_forward
If you are using an older kernel (WHY) you will need to re-compile your kernel with forwarding turned off. (Just upgrade.)
Try pinging the outside address of the firewall (24.94.1.123) again. It shouldn't work.
Now turn on IP forwarding and/or masquerading. You should be able to ping the anywhere on the Internet from any system on your LAN.
echo "1" > /proc/sys/net/ipv4/ip_forward
BIG NOTE: If you are using "REAL" IP addresses on your LAN (not 192.168.1.*) and you can't ping the internet but you CAN ping the Internet side of your firewall, make sure your ISP is routing packets for your private network address.
A test for this problem is to have someone else on the Internet (say a friend using a local provider) use traceroute to your network. If the trace stops at your providers router, then they are not forwarding your traffic.
It works? Great. The hard part is done. :-)
6.5 Securing the Firewall
A firewall isn't any good if the system it is build on is left wide open to attacks. A "bad guy" could gain access to the through a non firewall service and modify it for their own needs. You need to turning off any unneeded services.
Look in your /etc/inetd.conf file. This file configures inetd also known as the "super server". It controls a bunch of the server daemons and starts them as they are requested by a packet arriving at a "well known" port.
You should turn off echo, discard, daytime, chargen, ftp, gopher, shell, login, exec, talk, ntalk, pop-2, pop-3, netstat, systat, tftp, bootp, finger, cfinger, time, swat and linuxconfig if you have one.
To turn a service off, put # as the first character of the service line. When your done, send a SIG-HUP to the process by typing "kill -HUP
", where is the process number of inetd. This will make inetd re-read its configuration file (inetd.conf) and restart without taking your system down.
Test this by telneting to port 15 (netstat) on firewall. If you get any output you have not turned these services off.
telnet localhost 19
You can also create the file /etc/nologin. Put a few line of text in it like (BUZZ OFF). When this file exists, login will not allow user to logon. They will see the contents of this file and their logins refused. Only root can logon.
You can also edit the file /etc/securetty. If the user is root, then the login must be occurring on a tty listed in /etc/securetty. Failures will be logged with the syslog facility. With both of these controls in place the only way to logon to the firewall will be as root from the console.
NEVER EVER TELNET to a system and log IN AS ROOT. If you need remote root access SSH (Secure Shell). You might even turn off telnet.
If you are really paranoid you need to be using lids (Linux Intrusion Detect System). It is an intrusion detection system patch for the Linux kernel; it can protect important files from being changed. When it's in effect, no one (including root) can change the protected files or directories and their sub-directories. You have to reboot the system with a security=1 LILO setting to modify secure files. (I'd also boot into single user mode.)
.jpg)
