Welcome To suyashjain.blogspot.com
Friday, July 18, 2008
Very Simple and Strong Linux Firewall and Proxy Server
Note: This documentation was tested on RedHat/Fedora/CentOS. You might need to change parameters based on your OS.
This configuration is written on the basis of the following assumptions.
A. You have one external LAN card, eth0, and one internal LAN card, eth1.
B. Your users are connected through a switch which is connected to eth1.
C. There are one or no servers in your local network.
D. Users can access the entire internet, but outsiders are not allowed to access your internal network.
E. The external IP is 10.10.10.10 and the internal range is 192.168.168.0/24.
F. For example, 192.168.168.2 is running RDP and is accessed by outside users, so if someone hits 10.10.10.10 on RDP port 3389, the connection is forwarded to the local IP.
1. Enable IP routing
In /etc/sysctl.conf
Find
net.ipv4.ip_forward = 0
change it to
net.ipv4.ip_forward = 1
and restart the server.
2. Next, create the file
/etc/rc.d/rc.firewall
and put the following lines in it, editing them for your environment.
#!/bin/sh
#########################################################################
#------------------------------------------------------------------------
# Step 1 - Declaration of variables
#------------------------------------------------------------------------
# iptables binary
IPTABLES=/sbin/iptables
# Internal interface
INTIF="eth1"
# External interface
EXTIF="eth0"
#------------------------------------------------------------------------
# Step 2 - On starting, clear all rules
#------------------------------------------------------------------------
$IPTABLES -F
$IPTABLES -t nat -F
#------------------------------------------------------------------------
# Step 3 - Allow all packets generated for/from "localhost"
#------------------------------------------------------------------------
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
#------------------------------------------------------------------------
# Step 4 - Block ports that internal users should not be allowed to reach
#------------------------------------------------------------------------
# Uncomment these lines if you don't want your internal users to access SMTP and telnet.
#$IPTABLES -A FORWARD -i $INTIF -p tcp --dport 25 -j REJECT
#$IPTABLES -A FORWARD -i $INTIF -p tcp --dport 23 -j REJECT
#------------------------------------------------------------------------
# Step 5 - Port forwarding from external to internal
#------------------------------------------------------------------------
# Example
# Forward Remote Desktop packets arriving on the external interface for the
# external IP to the internal host 192.168.168.2
$IPTABLES -t nat -A PREROUTING -i $EXTIF -d 10.10.10.10 -p tcp --dport 3389 -j DNAT --to-destination 192.168.168.2:3389
#------------------------------------------------------------------------
# Step 6 - Only allow ESTABLISHED and RELATED connection packets from outside to inside
#------------------------------------------------------------------------
# (Traffic from inside to outside is allowed by the FORWARD chain's default
# ACCEPT policy, which this script does not change.)
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
#------------------------------------------------------------------------
# Step 7 - You will have to allow NEW packets for the DNAT you did in step 5
#------------------------------------------------------------------------
# Example
# Permit the incoming RDP you forwarded in step 5. This ACCEPT must come
# before the catch-all REJECT below, because rules are matched in order.
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state NEW -p tcp --dport 3389 -j ACCEPT
# Reject any other new connection from outside to inside
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state NEW -j REJECT
# Reject packets with invalid TCP flag combinations (not a real connection attempt)
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j REJECT
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j REJECT
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j REJECT
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j REJECT
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --tcp-flags FIN,ACK FIN -j REJECT
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --tcp-flags ACK,URG URG -j REJECT
#------------------------------------------------------------------------
# Step 8 - Do the masquerading/internet sharing/NAT to allow users to access the internet
#------------------------------------------------------------------------
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#########################################################################
3. Save the file and make it executable by root only.
chmod 700 /etc/rc.d/rc.firewall
chown root.root /etc/rc.d/rc.firewall
4. Put the following line in your /etc/rc.d/rc.local so that the firewall script is executed whenever the server starts.
sh /etc/rc.d/rc.firewall
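As an added example (not part of the original post), the same ruleset written for iptables-restore, which loads each table atomically instead of flushing and re-adding rule by rule, with the FORWARD policy set to DROP and a check that every DNAT port has the matching FORWARD ACCEPT rule that step 7 requires. The interface names and addresses are the post's; gen_rules and check_dnat_forward are this example's own names.

```shell
#!/bin/sh
# Added example, not the original post's script: generate the ruleset in
# iptables-restore format and verify the step 5 / step 7 pairing.
EXTIF="eth0"; INTIF="eth1"
EXT_IP="10.10.10.10"; RDP_HOST="192.168.168.2"

# Print the ruleset. iptables-restore replaces a whole table in one step,
# so there is no window in which the firewall runs with an empty ruleset.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $EXTIF -d $EXT_IP -p tcp --dport 3389 -j DNAT --to-destination $RDP_HOST:3389
-A POSTROUTING -o $EXTIF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
-A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $EXTIF -o $INTIF -m state --state NEW -p tcp --dport 3389 -j ACCEPT
COMMIT
EOF
}

# For every DNAT rule, require a FORWARD rule that accepts NEW traffic to
# the same port; returns 1 (and names the port) if one is missing.
check_dnat_forward() {
    rules="$1"
    status=0
    for port in $(printf '%s\n' "$rules" | awk '/-j DNAT/ { for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1) }'); do
        if ! printf '%s\n' "$rules" | grep -q -- "-A FORWARD .*--state NEW .*--dport $port -j ACCEPT"; then
            echo "DNAT for port $port has no matching FORWARD ACCEPT rule" >&2
            status=1
        fi
    done
    return $status
}
```

Load the output with iptables-restore as root; the check itself needs no privileges.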
Enjoy.................