Daniel Kahlin: Easy firewalling with RedHat 6.2 Monday, 11 December 2017, 10:17 (Stockholm)
 

Easy firewalling with RedHat 6.2.

Version 0.2 (2003-02-27)

Daniel Kahlin <daniel at kahlin dot net>
The latest version may be found here: http://www.kahlin.net/daniel/artiklar/firewall.php

Contents

Abstract

This document describes how to set up a firewalled connection to the internet using masquerading, and how to forward this to 2 local nets. The firewall desribed here is less secure than a regular firewall, because the computer that runs it is intended to be used for other things aswell.

Disclaimer

The information contained within this document cannot be assumed to be correct and the author can not be held responsible for any damage this document may cause. Proceed at your own risk.

Article

First we must configure the interfaces.

  • eth0=local net 1 192.168.1.x
  • eth1=public net
  • eth2=local net 2 192.168.2.x
# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:80:C8:F8:6B:1C  
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:131177 errors:0 dropped:0 overruns:0 frame:0
          TX packets:142818 errors:327 dropped:0 overruns:0 carrier:327
          collisions:0 txqueuelen:100 
          Interrupt:11 Base address:0xe000 

eth1      Link encap:Ethernet  HWaddr 00:80:C8:F8:6B:1D  
          inet addr:213.200.165.181  Bcast:213.200.164.255  Mask:255.255.252.0
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          RX packets:1397317 errors:0 dropped:0 overruns:0 frame:0
          TX packets:74832 errors:0 dropped:0 overruns:0 carrier:0
          collisions:2870 txqueuelen:100 
          Interrupt:10 Base address:0xe100 

eth2      Link encap:Ethernet  HWaddr 00:80:C8:F8:6B:1E  
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:21352 errors:0 dropped:0 overruns:0 frame:0
          TX packets:25169 errors:3284 dropped:0 overruns:0 carrier:3284
          collisions:100 txqueuelen:100 
          Interrupt:9 Base address:0xe200 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:36 errors:0 dropped:0 overruns:0 frame:0
          TX packets:36 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 

#

First be sure to set a restrictive default policy for all interfaces.

# ipchains -P input DENY
# ipchains -P forward DENY
# ipchains -P output ACCEPT
In the previous set of rules all output is allowed, but it is recommended to strip all outgoing trafic from our local net to the public net.
# ipchains -A output -s 192.168.0.0/16 -d 0.0.0.0/0 -i eth1 -j DENY
First we must enable the public ports we wish to use. We enable all icmp trafic. (ping, traceroute) We also enable all non priviledged ports, i.e TCP and UDP ports 1024 to 65535.
# ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -i eth1 -p icmp -j ACCEPT
# ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 1024:65535 -i eth1 -p udp -j ACCEPT
# ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 1024:65535 -i eth1 -p tcp -j ACCEPT
If we have services running on the non-priviledged ports which we want to block we must insert them at the top. Rules with a lower number are applied last.
Block MySQL:
# ipchains -I input 1 -s 0.0.0.0/0 -d 0.0.0.0/0 3306 -i eth1 -p udp -j DENY
# ipchains -I input 1 -s 0.0.0.0/0 -d 0.0.0.0/0 3306 -i eth1 -p tcp -j DENY
Block cvs remote:
# ipchains -I input 1 -s 0.0.0.0/0 -d 0.0.0.0/0 2401 -i eth1 -p udp -j DENY
# ipchains -I input 1 -s 0.0.0.0/0 -d 0.0.0.0/0 2401 -i eth1 -p tcp -j DENY
Enable all input from the loopback device, otherwise we cannot connect to ourselves.
# ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -i lo -j ACCEPT
Enable input of traffic from out local nets:
# ipchains -A input -s 192.168.1.0/24 -d 0.0.0.0/0 -i eth0 -j ACCEPT
# ipchains -A input -s 192.168.2.0/24 -d 0.0.0.0/0 -i eth2 -j ACCEPT
Ok, all set. Now we must enable forwarding to make the nets able to reach eachother.
The connection to the public net is handled using masquerading:
# ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -i eth1 -j MASQ
Forward packets from net1 to net2, and packet from net2 to net1:
# ipchains -A forward -s 192.168.1.0/24 -d 192.168.2.0/24 -i eth2 -j ACCEPT
# ipchains -A forward -s 192.168.2.0/24 -d 192.168.1.0/24 -i eth0 -j ACCEPT
Ok, now we have hopefully configured our new firewall. typing:
# ipchains-save
will output:
:input DENY
:forward DENY
:output ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 2401:2401 -i eth1 -p 6 -j DENY
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 2401:2401 -i eth1 -p 17 -j DENY
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 3306:3306 -i eth1 -p 6 -j DENY
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 3306:3306 -i eth1 -p 17 -j DENY
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth1 -p 1 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 1024:65535 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 1024:65535 -i eth1 -p 17 -j ACCEPT
-A input -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j ACCEPT
-A input -s 192.168.2.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -i eth2 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i lo -j ACCEPT
-A forward -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth1 -j MASQ
-A forward -s 192.168.1.0/255.255.255.0 -d 192.168.2.0/255.255.255.0 -i eth2 -j\
 ACCEPT
-A forward -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j\
 ACCEPT
-A output -s 192.168.0.0/255.255.0.0 -d 0.0.0.0/0.0.0.0 -i eth1 -j DENY

References

Copyright © 2000, 2003 Daniel Kahlin <daniel at kahlin dot net>

 

[kahlin.net]