
Set Up a Linux Firewall on Your Network

Go outside and pop the hood of your car. You should see a thick metal barrier at the back of the engine compartment. This is called the firewall. To see how it works, poke a small hole in the fuel line so that a tiny amount of gasoline starts dripping on the engine block. Now close the hood, start the car, and head out on the highway. (Some of you may choose to save life and limb (and time!) by merely visualizing this exercise.)

If you have positioned the puncture correctly, within a few minutes the escaped gasoline should ignite and cause a small engine fire. At this point you may see smoke emerge from the engine compartment. Continue driving. You should be able to proceed a considerable distance before the heat becomes uncomfortable and toxic fumes and flames start to enter the passenger compartment.

The reason you can drive so far with a flaming engine is that the firewall is a highly effective barrier between the engine compartment and the passenger compartment. If your car had no firewall, the engine fire would have already melted the dashboard electronics and plastic, destroyed the upholstery, and toasted you to a crisp.

Now. Pull over and very carefully extinguish the fire.

A similar principle can be applied to networked computers. Picture your machine as the cozy, tricked-out interior of your automobile, and the outside world as the dirty but powerful engine that makes it go. It won’t do to have the vulnerable components of your network exposed to the engine’s maliciously raging heat — it’s best to install a firewall.

Let us abandon our weakening metaphor here before it carries us into a ping-pong tournament without a paddle. A firewall, in the networking sense, is a machine that straddles the interface between a private network and the Internet at large, and follows predetermined rules for allowing certain traffic to pass, while blocking traffic that’s unwanted.

So, how to get yourself one of those disaster-averting firewalls? You can start by reading on.


Contents

  1. A Firewall for the Home
    1. Sharing and Masquerading
  2. Tables and Chains
  3. Set up a Firewall with iptables
  4. Set up PMFirewall with ipchains

A Firewall for the Home

There are a hundred ways to build a firewall, from turnkey machines (am I the only one who always misreads that word as “turkey”?) that you can just plug in and ignore to a vast variety of software packages.

The elves who bring us Linux, though, have seen fit to incorporate into the Linux kernel the capacity to filter incoming and outgoing packets. They’ve also incorporated tools into Linux distributions to manage these packet-filtering capabilities, making it easy to turn a basic Linux box into a firewall. And all for free! Since we’re now saving up for a new car, we’ll go the thrifty route and set up our system using inexpensive hardware and gratis software.

For purposes of illustration, let’s imagine that you have a small home network. You have just one broadband line running into the house, and you want to share it amongst all the computers: your big desktop system, your laptop, the entertainment system in the living room, your live-in boyfriend’s laptop, and the iMac that the boyfriend’s mother, who lives in the basement, uses to surf eBay all day. (Just a temporary arrangement, the boyfriend assures you, until she gets back on her feet and finds a reasonably priced mobile home. Fine, you say, but you both know he owes you big.) Obviously, this is a small-scale example, but the principles can be applied to anything from a single machine to a gigantic network.

Or perhaps you want to run a web server and want it to be a bit less crackable. Whatever your setup, you need a firewall.

Sharing and Masquerading

First, if you want to share one connection among several machines, you can use a gateway masquerading machine for your firewall. As long as traffic is relatively low, it doesn’t have to be particularly powerful.

So exhume that old Pentium 150 from the closet, evict the dust bunnies, stick in US$20 worth of RAM to bring it up to 128 MB, and install a nice new copy of Linux. You will also need two network interface cards — one to talk to the outside world via the broadband line, and one to talk to the rest of the machines in the house. You split your connection amongst the machines in your house with an Ethernet hub, either the shmancy wireless laptop-on-the-roof kind or the traditional kind that you can trip over.

An IP masquerading setup means that, as far as the internet at large is concerned, there’s only one computer here in your house. It has one IP address. When packets come from the outside world, they are sent to that IP address. Our firewall and masquerading box figures out which of the computers inside the house (each of which has its own internal IP address known only to its LAN-mates) should get that packet.

Now you want to configure your firewall. There are a few major versions of the Linux kernel in widespread use: version 2.2, which is older but more tried-and-true, and versions 2.4 and 2.6, which are newer, with more and better features. Typically a Linux distribution that you acquire today will use 2.6, but some distros use older kernel versions. Somewhat inconveniently for us, the firewalling code has changed significantly between these versions.

The Linux Firewall How-To and the Firewall FAQ are indispensable as well.

The first step, though, is to make sure your Linux box is reasonably secure in and of itself. The Linux Security HOWTO is an excellent guide. Basically you want to download any security updates that may exist for the version of Linux that you’re running, turn off any services you’re not using (which should mean most services), and generally lock everything down. A firewall that gets broken into is no good at all.

Tables and Chains

The 2.2 Linux kernel packet-filtering tool is called “ipchains.” The updated version that ships with versions 2.4 and 2.6 is known as “iptables.” (There is an older version still, called “ipfwadm,” that works with the 2.0 kernel, but one can’t live in the past.) All of these tools operate on a very simple principle — apply sets of rules to control which sorts of traffic are allowed in and out, and which are not.

Each workstation in the house knows that the firewall machine is its gateway. When workstation number one sends a packet to the firewall machine, the latter assigns the packet to a particular port number (so as to keep track of where it came from), replaces the source IP address in the packet header with its own real-world IP address, and sends the packet out. When it receives a reply to the packet from the outside world, the reply will come to the same TCP/IP port. The firewall machine knows that traffic on that port goes to workstation number one, so it replaces the port number and IP address with their original values and passes the packet on to the workstation. This process is completely transparent to both parties.

There are a number of tools that configure ipchains and iptables for you automatically. These easy-to-use tools include PMFirewall and Mason. PMFirewall involves making choices about the configuration you desire. Mason has a “learning mode” that simply looks at how you use your network and sets up firewalling rules automatically to accommodate you. Download and install one of these tools, and configuring your firewall is approximately as easy as pie.

Set up a Firewall with iptables
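
A ruleset for the two-card masquerading gateway described under “Sharing and Masquerading” and “Tables and Chains,” written for iptables. This is an added example, not part of the original article, and the script only prints the commands rather than applying them. The interface names (eth0 on the broadband side, eth1 on the house side), the 192.168.1.0/24 LAN range and the open SSH port are assumptions; on current kernels `-m conntrack --ctstate` replaces `-m state --state`.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables commands for a two-NIC
# masquerading gateway. Interface names, LAN range and ports are assumptions.

# valid_port N -> succeeds only for an integer in 1..65535
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_rules WAN_IF LAN_IF LAN_NET [TCP ports to open on the firewall itself]
gen_rules() {
    [ $# -ge 3 ] || { echo "usage: gen_rules WAN LAN NET [PORT...]" >&2; return 2; }
    wan=$1; lan=$2; net=$3; shift 3
    for p in "$@"; do
        valid_port "$p" || { echo "bad port: $p" >&2; return 1; }
    done
    # Default-deny for inbound and forwarded traffic; the firewall box and
    # the LAN may talk out, and only replies to their traffic come back in.
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $lan -s $net -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # Services deliberately exposed to the outside world, one rule per port.
    for p in "$@"; do
        echo "iptables -A INPUT -i $wan -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # LAN -> Internet is forwarded and rewritten to the gateway's address;
    # Internet -> LAN is allowed only for connections the LAN started.
    cat <<EOF
iptables -A FORWARD -i $lan -o $wan -s $net -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -s $net -j MASQUERADE
EOF
}

# Constructed sample: eth0 = broadband side, eth1 = house LAN, SSH reachable.
# Review the output, then pipe it to "sh" as root to apply it.
gen_rules eth0 eth1 192.168.1.0/24 22
```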



Set up PMFirewall with ipchains

Just for fun, let’s go over how to set up a firewall with PMFirewall. The installation of Mason is similar, but Mason takes care of detecting your network setup automatically. First, you have to make sure that you have ipchains installed. It should come with your Linux distribution. If you can’t find it on your system (and you’re running the 2.2 kernel), check the CDs or DVDs you installed from. If it’s not there either, it can be downloaded from here. You’ll also want to make sure your kernel is configured to work with ipchains. Chances are that it is … if you get a message that it’s not, the ipchains HOWTO will tell you how to check, and how to fix your configuration if you have to.

Download the zipped PMFirewall from the creator’s site and save it wherever you like to save such things on your system. Unpack the file by typing

tar -xzvf ./pmfirewall-x.x.x.tar.gz

where x.x.x is the version number. Then cd to the pmfirewall directory thus created, and, as the root user, type

sh install.sh

The installation process will prompt you for answers to some preliminary questions – where do you want config files installed, where does your copy of ipchains live, how are you connected to the Internet – for which the default answers should typically suffice. Then it will ask about how you want the firewall set up. Are there machines that you want to give unquestioned access to? Are there machines that you want to prohibit unilaterally? You will be asked to enter their IP addresses.

You also have to tell PMFirewall whether you have a static IP address or whether you’re given a new one every time you log on, via DHCP. Then it asks what services you are running on the firewall machine: FTP? SSH? Telnet? SMTP? DNS? POP? a Web server? IMAP? and so forth. And are there any other ports that you want left open?

Finally, you are asked to configure masquerading, supply information about your internal network, and specify startup behavior. Voila! PMFirewall has configured your firewall automatically. You can proceed to tweak the settings manually if you want or need to.

When your firewall is set up, you can test it by going to the Self Port Scan, which will check your machine for open ports. Try accessing the page from your firewall machine with the firewall turned off and then with it turned on. The difference should be striking … like, say, the difference between slightly elevated temperatures and third-degree burns all over your body.