Andreas Palsson wrote [in part]:

> I have been given the task to set up a firewall, but I'm no expert so I
> have to ask a few questions.
>
> I have a Debian box (P166/64) with 3 NICs (3Com).
> I have an IP-range from .0 to .63.
> A Cisco router is the current gateway on .62.
> A mail/dns-server is placed on .33.
>
> What is a good solution with these tools?
Andreas,

Below is an excerpt from a response I sent someone who asked basically the same question. I hope it is of some help.

montefin

--------- EXCERPT BEGINS HERE ------------

Jonathan,

Man are you in luck. I found two things just this weekend that will make firewalling Potato a piece of cake for you!

First, you want a 'spoonfed Kernel compilation guide' for ipchains and portforwarding? So did I, and here it is:

    http://members.home.net/ipmasq/ipmasq-HOWTO-1.82-3.html#ss3.1

I chose to compile into the kernel, but just about all of the choices can be modules.

Second, how about a dandy ipchains firewall startup script that even 'slightly' cooled my passion for iptables? Here it is, plus portmapper and ssh scripts!:

    http://www.linuxdoc.org/HOWTO/Securing-Domain-HOWTO-8.html#ss8.1

I searched weeks for guidance in both those areas and persistence finally paid off.

The only tricky part about the firewall.sh and firewall.portmap.sh scripts is 'where to put them in the Potato boottime sequence'. The author shows how to do it for Slackware, not Debian. Well guess what? I figured that out about 2AM this morning, and here it is too:

Once you've customized firewall.sh for your routing table (hint: the author uses eth1 and you may have your 'outside' interface on eth0, as I do. Just change it to eth0, if that's the case), then place your revised firewall.sh and firewall.portmap.sh (WITH chmod 755 permissions) into /etc/init.d/

Then, go into /etc/rcS.d/ and create these two symlinks:

[BIG NOTE: right after setting up my firewall, I upgraded to Woody which uses a single file called /etc/runlevel.conf to replace all the symlinks in the /etc/rcS.d directory. It very neatly retained the boottime order as described below for Potato.]

    ln -s ../init.d/firewall.sh S40firewall.sh

[which boots the firewall alphabetically just BEFORE S40networking starts the network daemons.]

and

    ln -s ../init.d/firewall.portmap.sh S42firewall.portmap.sh

[which runs the portmap rules numerically just AFTER S41portmap starts the portmapper.]

I probably learned more about ipchain'ing by reading that firewall.sh script real carefully, line-by-line, than I did from all the other HOWTOs and man pages I waded through over the last few weeks. The author really gives you 'the sense' of what you're doing and why with his comments, too. And that's a rarity.

One thing however, where he says "Don't bother logging accesses on TCP port 80, the www port." on Line 139 in the original script, he really should have mentioned that what his lines were actually doing was blocking all port 80 requests and _incidentally_ not logging them (no -l option).

I have ipmasqadm (http://juanjox.kernelnotes.org/ipmasqadm-0.4.2.tar.gz), so I commented out Line 139 that DENY's access on port 80, and appended the following portforwarding routine to the bottom of my firewall.sh script.

But _first_, I created a new variable in firewall.sh, $ETHINTERNAL. Right below Line 12, which sets up the 'inet addr' that the 'ifconfig' command will give you for eth0 (if that's where you connect to ppp/DSL). LINE 12 reads:

    ETHOUTSIDE="Your.eth0.inet.addr"   # fred.example.com's public IP

On LINE 13, I added

    ETHINTERNAL="Your.eth1.inet.addr"  # montefin.example.com's internal webserver IP

which sets up the 'inet addr' that again the 'ifconfig' command will give you for eth1, if that's where you connect to your internal machines with servers.

Now, here's the addition to the firewall.sh script for portforwarding. Right after the final lines that turn on ip_forwarding (Lines 201 thru 204 in the original script), which read:

    #
    # Turn on forwarding
    echo "1" > ${FORWARD_PROCENTRY}

I added

    # -------- Portforwarding routine starts here ------------
    sleep 5s   # Just in case, give firewall a pause to complete.
    #
    # Enable IPPORTFW Redirection and forward all www accesses on
    # TCP port 80 to our internal webserver
    #
    /usr/sbin/ipmasqadm portfw -f
    /usr/sbin/ipmasqadm portfw -a -P tcp -L $ETHOUTSIDE 80 -R $ETHINTERNAL 80
    # -------- Portforwarding routine ends here ---------------

I rebooted to see if there were boottime problems, and WOW! it worked.

Remember, to comment out that Line 139 (in the original script) mentioned above that DENY's access to the www port 80. Otherwise, the addition above will never get any www requests to forward, _if_, that is, you have a webserver on a machine(s) beyond the firewall.

Jonathan, I hope I'm not overloading you here. This is all so fresh, it's just pouring out. I haven't tackled the ssh routine yet, and I'm still trying to keep the log files from getting out of hand, but the firewall blocks and the portforwarding of www requests on to my internal network has been working fine all day today.

Anyway, I hope I've been of some help. You sure helped me. Of course, your mileage may vary; but I hope it doesn't, because it's working well here.

montefin

----------- EXCERPT ENDS HERE -----------------

