ONLamp.com
oreilly.comSafari Books Online.Conferences.

advertisement


Feather Linux for Firewalls

by KIVILCIM Hindistan
02/10/2005

This is the second installment of "Feather Linux to the Rescue." The first article, Feather Linux: The Swiss Army Knife of Live CDs, introduced the project and demonstrated how to use it for easy disk imaging and restoration. This article shows off another important Linux feature: firewalling.

The firewall infrastructure of GNU/Linux consists of two parts, the kernel (netfilter) and the configuration structure (iptables). In order to build a firewall structure in GNU/Linux, you first need the proper netfilter support, which almost every Linux distribution includes by default. The second part is the set of rules that govern the packets (traffic) to be let in and the packets to deny.

These rule sets are called chains. To set your rules, you must set up a chain of them to manipulate packets appropriately. Apart from the basic functionality of the netfilter/iptables structure, there is another function called masquerading. Masquerading allows one GNU/Linux computer to serve as an internet provider--a gateway--for other computers. When a computer from the LAN (inside the firewall) sends a packet to the internet (outside), the gateway marks the packets and sends them from the IP address of the firewall, not the computer within the LAN. When a response comes in, the firewall changes the packet's destination address and resends the packet to the original computer. This is masquerading, or NAT (Network Address Translation), and is a very popular technique to share the internet among many computers.

Feather Linux makes it easy to create and configure a firewall. When would you do this? Consider setting up an ad hoc network for a LAN party or a trade show, where you want a good connection to the internet but don't want to expose everything on the local network to the world at large. Having a customizable, bootable LiveCD makes it easy to turn any single machine into the firewall.

Related Reading

Knoppix Hacks
100 Industrial-Strength Tips and Tools
By Kyle Rankin

As stated before, an iptables firewall consists of a set of rules. You can either make these rules and write a shell script, or configure a written script. Setting iptables chains and their parameters is beyond the scope of this article. Instead, I'll show off a prewritten script called Arno's Firewall and demonstrate how to configure it.

I chose Arno's Firewall for a few reasons. First of all, it is a well-rounded firewall script with a very easy-to-understand configuration file. Second, it is written in a one-for-all fashion, handling arcane details (such as antispoofing, loose UDP, and ICMP flooding) properly. The only absolutely necessary configurations are which interfaces to control, both internal and external; which ports to open; which ports to forward into the network; and which outside IPs to allow.

My demo setup has three computers. One is FW, the gateway. The second is SR, a web server inside firewall. The third is CL, a client.

The firewall computer has a Feather Linux CD (which coincidentally comes with everything I need: the netfilter module, iptables, and even Arno's Firewall script). As with all LiveCDs, this firewall does not even need to have a hard drive. It can operate completely from the CD.

Feather Linux has many boot options to choose from at the boot screen. The default is the multiuser X mode, also known as runlevel 5. Though this is the most used runlevel, the multiuser console mode (mode 2) is enough for a firewall. Enter knoppix 2 from the boot screen.

In a minute or two Feather Linux will boot, bringing up the Linux command line and terrorizing GUI-only users of some other operating systems. Don't let this fool you. There may not be a GUI configured, but other than that, Feather Linux has configured all the network interfaces and other peripherals.

Basic Configuration

Now comes the fun part: configuring the firewall.

Use your editor of choice. nano is nice for people familiar with standard editors, and vi works well for people who like the arcane Unix jungle. Open /etc/iptables-conf:

# vi /etc/iptables-firewall.conf

The first step in configuration is to choose your internal and external interfaces. On Feather Linux 0.61, EXT_IF (or external interface) is on the 34th line. Edit this to reflect the name of the interface you use to access the internet. If you access the internet via a DSL or cable net router, the interface is probably eth0 or eth1. If you are a dial-up modem user, the interface will be ppp0:

EXT_IF="eth0"

In the case of a cable modem or other DHCP-related, autoconfiguring interface, also change the line below EXT_IF from EXT_IF_DHCP_IP="0" to EXT_IF_DHCP_IP="1".

The second important step is to configure the internal interface. Network terminology usually refers to the external interface as the RED interface and the internal interface as GREEN, making an analogy to the traffic lights. RED is dangerous and GREEN is secure (you hope). Change INT_IF to reflect your external interface:

INT_IF="eth1"

That's it for configuring the GREEN side.

If your firewall will be your gateway--if it will distribute the internet to other computers--enable NAT:

NAT=1

That's all of the basic configuration. Now start the firewall:

# /etc/init.d/rc.iptables start

As the lines pass, you'll see the firewall script configuring the iptables.

Now check your firewall via some web sites. I like Sygate's S.O.S.. Use the Quick Scan option. After a few minutes, if the site reports all of your ports as Blocked, these ports are secure.

Advanced Configuration

Setting up a firewall can be simple, much like building a standard wall. Configuring it to your needs is a slightly different matter, like cutting out space for a window or door according to your needs. Fortunately, Arno's firewall script makes all of these configurations a matter of editing the configuration file (/etc/iptables-firewall.conf).

First, configure which ports will be open to everyone and which IP addresses will have full access to the firewall. For the example network, example ports 22 and 80 (SSH and WWW) are open to everyone and every port is open to the two IPs supplied (which are in fact bogus for the sake of example):

OPEN_TCP="22,80" OPEN_IP="555.12.234.155,555.15.200.4"

This may not be what you want. You may prefer to open the SSH port for only one IP address and the WWW port for another. The syntax to do this resembles:

HOST_OPEN_TCP="555.12.234.15>22, 555,15,200,4>80"

In this example, only the computer at 555.12.234.15 has access to SSH, and only 555.15.200.4 has access to the Web.

After reconfiguring the firewall, restart it for the changes to take place:

# /etc/init.d/rc.iptables restart

You may want to check the configuration via a remote scan again. That's it; your firewall is configured and fully operational.

For deeper configuration, read through the heavily annotated configuration file. If you're really into things, you can configure the script itself (/etc/init.d/rc.iptables) to give some traffic more bandwidth or priority above others.

If you want, you can install all of this configuration--including Feather Linux as an operating system--to your hard drive by using the /home/knoppix/featherhd-install script. After that, you won't need the CD anymore, but that is a subject for an other article.

By the way, at the time of this writing, Feather was a lean and mean distribution. The Feather Linux team recently made a policy change and decided to make a more complete live CD of 100MB-plus, which is still lean and mean but not as skinny. If you want to stay slim and trim, the 0.62 version is the last of the 64MB branch.

KIVILCIM Hindistan works as a full time computer security consultant with a CISSP, using Linux and Free Software as weapons of choice.


Return to the Linux DevCenter.



Sponsored by: