Old 11-30-2003, 05:39 PM   #1
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Rep: Reputation: 30
iptables Firewall for typical home users


Hi All,

I notice that there is a significant number of iptables firewall questions from new Linux users. They are usually having difficulty designing a firewall that allows routing but is also reasonably secure. Typically, they are users that have set up a home network and want to get internal machines sharing the internet....

Sooo... I would like to propose a simple firewall template that will meet the needs of these users and provide a base template that keen firewallers can build on. The basic firewall that acts as a foundation for a more advanced firewall.

Assumptions
1. Users will be building a firewall that also acts as a gateway for a private LAN. i.e. users that want to share their high-speed internet access with other computers in their house.
2. Users are not providing service to untrusted machines inside their network. This means there is not any default protection against attacks or DoS attacks from inside the network - although, it could be added later.
3. Users are not paranoid and do not want to restrict how the Internet is used by their internal machines.

Ok... having said all that, I welcome any comments, requests, opinions and new ideas to incorporate into the script.

Eventually, I hope to publish a site with several out-of-the-box firewall scripts to help users but until my DNS service provider fixes their systems, I can't maintain my local site.

Cheers,
J.
 
Old 11-30-2003, 05:39 PM   #2
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Original Poster
Rep: Reputation: 30
#!/bin/bash
################################################################################
# omato-firewall.sh v2.0
# The purpose of this script is to act as a template for typical home users
# that want to use linux as a secure firewall/gateway/router but who are not
# current on the iptables technology. It will provide a structured base for
# users to customize.
#
# The resulting firewall is reasonably secure for a home user and flexible
# enough to allow even the most paranoid of firewallers to expand on.
#
# Author: jordan_harkness @ hotmail.com
#
# note 1. You should disable logging when stable.
#
# We make these assumptions...
# 1. All internal machines are trusted.
# 2. All internal machines use private ip addresses and use this machine to
# share the internet. All ports are allowed.
# 3. All external machines are untrusted.
# 4. External connections will only be allowed if initiated from inside the
# network or from the firewall itself.
#
# Change History
# v2.0 Nov.28.2003
# Re-written based on what I learned from my v1.0 customized firewall.
################################################################################

################################################################################
# Default options
# These options configure the below script. It would be a good idea to move
# them to a conf file in /etc and then source it from this script.
################################################################################
echo 1 > /proc/sys/net/ipv4/ip_forward
# location of iptables command
ipt=/sbin/iptables
#
# Interfaces
# Be sure to be accurate when defining these interfaces.
# ext is your external card, likely ppp0 for DSL or eth1 for cable
lo=lo
ext=ppp0
int=eth0
#
# Spoofing protection. List all networks and IP addresses that should NOT exist
# in the real world.
#
spoofed="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
192.168.0.0/16 255.255.255.255"
#
# List all ports to open ON your firewall
#
tcp_ports="22"
udp_ports=""
#
# These logging options will be used for all logged packets
#
logops="--log-level 3 -m limit --limit 1/second --limit-burst 3"
################################################################################

################################################################################
################################################################################
################################################################################
################################################################################
################################################################################

################################################################################
# Set policies and delete, flush and zero chains
################################################################################
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
for table in filter nat mangle
do
$ipt -t $table -F # flush
$ipt -t $table -X # delete
$ipt -t $table -Z # zero
done
################################################################################

################################################################################
# BAD_IP
# Check and log all spoofed IP's from external hosts.
# !! Only call from external interface !!
################################################################################
$ipt -N BAD_IP
$ipt -A BAD_IP -j LOG --log-prefix "IPT: BAD IP: " $logops
$ipt -A BAD_IP -j DROP
$ipt -N SPOOF
for spf in $spoofed
do
$ipt -A SPOOF -s $spf -j BAD_IP
done
################################################################################

################################################################################
################################################################################
################################################################################
################################################################################
################################################################################

################################################################################
# IN_NETWORK
# These packets are entering our network
# 1. Allow related and established connections
# 2. Allow ICMP packets
# 3. Deny everything else.
################################################################################
$ipt -N IN_NETWORK
$ipt -A IN_NETWORK -m state --state INVALID -j DROP
$ipt -A IN_NETWORK -j SPOOF
$ipt -A IN_NETWORK -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A IN_NETWORK -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A IN_NETWORK -p icmp -j ACCEPT
$ipt -A IN_NETWORK -j LOG --log-prefix "IPT: IN_NETWORK: " $logops
$ipt -A IN_NETWORK -j DROP
################################################################################

################################################################################
# OUT_NETWORK
# These packets are leaving our network!
# 1. Allow all packets to leave our current network because we trust our users
################################################################################
$ipt -N OUT_NETWORK
$ipt -A OUT_NETWORK -i $int -j ACCEPT
$ipt -A OUT_NETWORK -j LOG --log-prefix "IPT: OUT_NETWORK: " $logops
$ipt -A OUT_NETWORK -j DROP
################################################################################

################################################################################
# EXT_FIREWALL
# Packets entering firewall machine
# 1. Allow established and related connections
# 2. Allow new connections on specified ports
# 3. Log and Drop everything else
################################################################################
$ipt -N EXT_FIREWALL
$ipt -A EXT_FIREWALL -m state --state INVALID -j DROP
$ipt -A EXT_FIREWALL -j SPOOF
$ipt -A EXT_FIREWALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A EXT_FIREWALL -p icmp -j ACCEPT
#
# Open ports
#
for tcp_p in $tcp_ports
do
$ipt -A EXT_FIREWALL -p tcp --dport $tcp_p -m state --state NEW -j ACCEPT
done
for udp_p in $udp_ports
do
$ipt -A EXT_FIREWALL -p udp --dport $udp_p -m state --state NEW -j ACCEPT
done
$ipt -A EXT_FIREWALL -j LOG --log-prefix "IPT: EXT_FIREWALL: " $logops
$ipt -A EXT_FIREWALL -j DROP
################################################################################

################################################################################
# INT_FIREWALL
# Connections from internal LAN
# 1. Allow all connections from the internal machines because they are trusted
################################################################################
$ipt -N INT_FIREWALL
$ipt -A INT_FIREWALL -m state --state INVALID -j DROP
$ipt -A INT_FIREWALL -j ACCEPT
################################################################################

################################################################################
################################################################################
################################################################################
################################################################################
################################################################################

################################################################################
# Main Rules
# 1. Allow all loopback traffic. This is safe.
# 2. Send internal connections to INT_FIREWALL chain
# 3. Send external connections to EXT_FIREWALL chain
# 4. Send connections entering LAN to IN_NETWORK
# 5. Send connections leaving LAN to OUT_NETWORK
# 6. Do not modify packets leaving computer to improve performance. It's safe.
################################################################################
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A INPUT -i $int -j INT_FIREWALL
$ipt -A INPUT -i $ext -j EXT_FIREWALL
$ipt -A FORWARD -i $ext -j IN_NETWORK
$ipt -A FORWARD -i $int -j OUT_NETWORK
# The OUTPUT chain matches on the outgoing interface (-o), never -i.
# $ipt -A OUTPUT -o lo -j ACCEPT
# $ipt -A OUTPUT -o $int -j ACCEPT
# $ipt -A OUTPUT -o $ext -j ACCEPT
################################################################################

################################################################################
# Masquerading
# Turn on Masquerading and port forwarding
################################################################################
$ipt -t nat -A POSTROUTING -o $ext -j MASQUERADE
################################################################################

Last edited by JordanH; 12-09-2003 at 08:56 AM.
 
Old 11-30-2003, 07:00 PM   #3
dubman
Member
 
Registered: Jan 2003
Distribution: Redhat 9, Fedora Core 1, Suse 8
Posts: 188

Rep: Reputation: 30
http://eressea.pikus.net/~pikus/plug...all/page0.html

It is extremely helpful in designing a firewall.
 
Old 12-08-2003, 09:47 PM   #4
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Original Poster
Rep: Reputation: 30
*bump* I hate to bump my own thread but I think it's necessary to help out our new users.

Edit:
*** DANG IT *** A fellow LQ member pointed out a typo in my script. My thanks to him. I have now corrected the loop variables so all works well... stupid typos.

Last edited by JordanH; 12-09-2003 at 09:03 AM.
 
Old 12-13-2003, 02:14 PM   #5
Xenocide
LQ Newbie
 
Registered: Sep 2003
Location: England
Posts: 12

Rep: Reputation: 0
Hello, just saying thank you VERY much, it works like a dream.

Now to be really annoying, how could I modify it so that it can route traffic from to other boxes, now on eth0 and eth1?

I connect via ppp0.

Thanks in advance

-Mark Pugh
 
Old 12-14-2003, 10:03 AM   #6
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Original Poster
Rep: Reputation: 30
Hi.

What do you mean "route from to other boxes"? Do you mean that you want to redirect incoming traffic to an internal machine? (i.e. have a separate, internal web server)

To do that you will need to add some DNAT rules and then allow those forwarded connections. How and where do you do this? The DNAT portion is up to you where you do this but the forwarding connections naturally go into the IN_NETWORK chain. For an internal HTTP server, the rules look like this...
Quote:
httpip=192.168.0.100
$ipt -t nat -A PREROUTING -i $ext -p tcp --dport 80 -j DNAT --to-destination $httpip
$ipt -A IN_NETWORK -p tcp -d $httpip --dport 80 -j ACCEPT
For example,
(make sure you add httpip=yyy.yyy.yyy.yyy to the config section)
Quote:
################################################################################
# IN_NETWORK
# These packets are entering our network
# 1. Allow related and established connections
# 2. Allow ICMP packets
# 3. Forward HTTP connections to $httpip defined above
# 4. Deny everything else.
################################################################################
$ipt -N IN_NETWORK
$ipt -A IN_NETWORK -m state --state INVALID -j DROP
$ipt -A IN_NETWORK -j SPOOF
$ipt -A IN_NETWORK -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A IN_NETWORK -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A IN_NETWORK -p icmp -j ACCEPT
$ipt -t nat -A PREROUTING -i $ext -p tcp --dport 80 -j DNAT --to-destination $httpip
$ipt -A IN_NETWORK -p tcp -d $httpip --dport 80 -j ACCEPT
$ipt -A IN_NETWORK -j LOG --log-prefix "IPT: IN_NETWORK: " $logops
$ipt -A IN_NETWORK -j DROP
################################################################################

Last edited by JordanH; 12-14-2003 at 10:05 AM.
 
Old 12-14-2003, 10:34 AM   #7
Xenocide
LQ Newbie
 
Registered: Sep 2003
Location: England
Posts: 12

Rep: Reputation: 0
Erm, no, that's not what I want, sorry.

What I meant was

that I have the one machine, that has incoming traffic from ppp0. That machine has 2 LAN cards in (eth0 and eth1); I want a machine connected to each card and each to have an internet connection.

Here is a nice little piccy I made in Paint.
Erm, the cables are X-Over, if that matters.

http://www.mcempire.net/forums/uploaded/network.jpg


[EDIT] The Linux box is also the webserver - obv [/EDIT]

Last edited by Xenocide; 12-14-2003 at 10:44 AM.
 
Old 12-14-2003, 12:03 PM   #8
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Original Poster
Rep: Reputation: 30
The best case scenario would be to re-think your network design. A hub (preferably a switch) connecting your 3 machines would be best and would require no changes to the above script.

Having said that...

The network, as depicted in your image, is doable but if you are using multiple NICs, you want to separate each one onto their own subnets. I'm going to assume for a minute that your ppp0 is a modem or an ethernet NIC eth2... I'm also going to assume that when you say your network is 90.0.0.0/8 that you are incorrect and you really mean 10.0.0.0/8 or 192.168.0.0/16.

To do the above, you will have to separate your eth0 and eth1 onto two subnets. I suspect 192.168.0.0/24 and 192.168.1.0/24 will suffice. You will also need to ensure that your routing tables are up to date. Finally, you will need to copy/paste a couple rules from the script... I'll get into that later after we talk about your network setup.
 
Old 12-14-2003, 03:25 PM   #9
/bin/bash
Senior Member
 
Registered: Jul 2003
Location: Indiana
Distribution: Mandrake Slackware-current QNX4.25
Posts: 1,802

Rep: Reputation: 47
Here's a good beginning template.

http://www.unixpages.com/downloads/H...rity-1_3_1.txt
 
Old 12-14-2003, 05:03 PM   #10
Xenocide
LQ Newbie
 
Registered: Sep 2003
Location: England
Posts: 12

Rep: Reputation: 0
Subnets are 255.255.255.0 on all NICs.

They're the IPs.

I've done it like that because it's all free ^_^ I don't have any cash spare lol
 
Old 12-14-2003, 05:24 PM   #11
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Original Poster
Rep: Reputation: 30
Uhm... if your eth0 and eth1 are both on the same subnet, how do you plan to route traffic between your 90.0.0.3 and 90.0.0.4 machines? Machine 1 and Machine 2 have no way of knowing to send traffic to your linux box. In order to do this you need to separate the subnets. And... why did you pick 90.0.0.0/8 for your network?
 
Old 12-14-2003, 10:05 PM   #12
Xenocide
LQ Newbie
 
Registered: Sep 2003
Location: England
Posts: 12

Rep: Reputation: 0
I like 90.0.0.2.

Tell me how to config my network lol

Will different subnets make SMB not work?
 
Old 12-14-2003, 10:28 PM   #13
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Original Poster
Rep: Reputation: 30
Firstly, IANA has set aside specific ip address ranges for private use. 90.0.0.0/8 is not one of them. That particular network is reserved and although you *can* use that as your network, it is not a good idea.

Secondly, I can't think of a way to use Linux as a hub. As I see them, your options are hub/switch -or- separate your network into subnets. The hub/switch solution is best, however, for the $0 budget, you can split it into two subnets.

Lastly... SMB... To tell you the truth, I don't know. I suspect you should be able to share your files just fine; however, I'm not the person to ask on this subject, although I would put my money on it.

Tell you how to config your network? ok.
Linux machine
eth0 192.168.0.1/24
eth1 192.168.1.1/24
Ensure routing table sends traffic to the correct cards
Ensure your iptables firewall allows forwarding between internal NICs

Machine 1
eth0 192.168.0.2/24
gateway: 192.168.0.1

Machine 2
eth0 192.168.1.2/24
gateway: 192.168.1.1
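The "allow forwarding between internal NICs" step above, as an added example that is not part of the thread or of omato-firewall.sh: the script's OUT_NETWORK chain and Main Rules generalised from a single `$int` to any number of trusted internal cards (the ppp0/eth0/eth1 layout discussed here). Chain names are the script's own; `run_ipt`, `out_network_chain`, `lan_dispatch_rules` and the `IPT_DRY_RUN` switch are names assumed for this example.

```bash
#!/bin/bash
# Added example, not part of the thread: the omato-firewall.sh dispatch rules
# generalised to one external interface and any number of trusted internal
# cards (the eth0/eth1 layout discussed above). Chain names are the script's;
# run_ipt, out_network_chain and lan_dispatch_rules are assumed helper names.

# Same logging options as the script (typo in --log-level fixed).
logops="--log-level 3 -m limit --limit 1/second --limit-burst 3"

# Apply a rule, or print it when IPT_DRY_RUN=1 so the rule set can be reviewed
# (and tested) on a machine that is not the gateway.
run_ipt() {
    if [ "${IPT_DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        /sbin/iptables "$@"
    fi
}

# OUT_NETWORK: the script's version accepts only "-i $int". With two LAN cards
# a packet arriving on the second card would be logged and dropped, so accept
# every trusted interface. This also permits forwarding between the two
# internal subnets (eth0 -> eth1 and back), not only out to the Internet.
# Usage: out_network_chain <int_if>...
out_network_chain() {
    run_ipt -N OUT_NETWORK
    for i in "$@"; do
        run_ipt -A OUT_NETWORK -i "$i" -j ACCEPT
    done
    run_ipt -A OUT_NETWORK -j LOG --log-prefix "IPT: OUT_NETWORK: " $logops
    run_ipt -A OUT_NETWORK -j DROP
}

# Main rules: INPUT and FORWARD dispatch for the external card and each
# internal card, then masquerading on the external card only.
# Usage: lan_dispatch_rules <ext_if> <int_if>...
lan_dispatch_rules() {
    ext=$1
    shift
    run_ipt -A INPUT -i lo -j ACCEPT
    run_ipt -A INPUT -i "$ext" -j EXT_FIREWALL
    run_ipt -A FORWARD -i "$ext" -j IN_NETWORK
    for i in "$@"; do
        run_ipt -A INPUT -i "$i" -j INT_FIREWALL
        run_ipt -A FORWARD -i "$i" -j OUT_NETWORK
    done
    run_ipt -t nat -A POSTROUTING -o "$ext" -j MASQUERADE
}

# Print the rule set for the thread's layout (ppp0 outside, eth0 and eth1
# inside) without touching the live firewall:  ./two-lan-rules.sh --print
case "${1:-}" in
    --print)
        IPT_DRY_RUN=1
        out_network_chain eth0 eth1
        lan_dispatch_rules ppp0 eth0 eth1
        ;;
esac
```

Replace the script's OUT_NETWORK and Main Rules/Masquerading sections with `out_network_chain eth0 eth1` and `lan_dispatch_rules ppp0 eth0 eth1`; the policies, SPOOF, IN_NETWORK, EXT_FIREWALL and INT_FIREWALL sections stay as they are.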
 
Old 12-14-2003, 11:33 PM   #14
Kroenecker
Member
 
Registered: May 2003
Location: The States
Distribution: Gentoo
Posts: 245

Rep: Reputation: 30
Hey JordanH,

First of all thanks for the firewall script!

I have a very noobish question for you. Recently I haven't been using my linux install over the internet because I want to gather a fair understanding of how to secure my box first, but from what I recall when I was originally connecting to the net via Linux I had both an eth0 and a ppp0 interface up when I connected. Currently I have ADSL access and am wondering if I was somehow doing something wrong. Should I only have one of these interfaces up to access the internet since I have no local network? Basically I want to know which I should consider of the two to be communicating with the outside world? Both? I don't remember ever checking, but I suppose that I should just look at the IP addresses that are displayed by ifconfig to answer my own question. If, however, having both interfaces up reveals that I am somehow doing something incorrect to connect to the internet via ADSL, I would like to know. I never really completely understood what I was doing when I originally connected. I configured both chat and pap and then ran pppoe or something similar, I think.

Later
 
Old 12-15-2003, 08:05 AM   #15
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Original Poster
Rep: Reputation: 30
Hi Kroenecker,

That's a very good question.

The short answer is this... You need both interfaces up in order to connect. You do not need to worry about people connecting over ethernet because a) your eth0 interface should not have an ip address attached to it and b) no ethernet network is connected to your computer (your ADSL modem is using the PPP protocol, not ethernet). You have nothing to worry about if your ppp0 interface is secured.

The longer answer...
[Service provider] ---- PPP ---- [ADSL Modem] ---- Ethernet ---- [Linux]
You are using ADSL which is a connection that uses Point-to-Point Protocol (PPP), however, the ADSL modem lets internal machines connect to it using ethernet - notice the switch in protocols! To overcome this change of protocols we use Point-to-Point Protocol over Ethernet (PPPoE). Ok, you probably already knew all that but reading it again may clear things up.

What follows is my experience but I do not guarantee that it is 100% accurate. ;-)
You need ppp0 up to connect to the internet because Linux is actually using PPP to speak to your service provider, but you also need an ethernet card up as well because you need to communicate with the modem before it connects to your ISP. This is where I'm a little fuzzy.... maybe someone else can explain how the interface configurations work in-depth. What I do know is that you can bring your eth0 card up with no IP information configured and your ADSL connection will still work but it has been my experience that if you do not bring your eth0 card up then it will not. (It makes sense to me because it's PPPoverEthernet... I've never thought to look for a further explanation)

In my case, eth1 happens to be the card I first plugged my ADSL modem into so that's the one I use. Here is my ifcfg-eth1 file in its entirety:
Quote:
DEVICE=eth1
ONBOOT=no
TYPE=Ethernet
The ADSL start script brings up this interface before its connection so I'm assuming it is required.

Cheers,
J.

Last edited by JordanH; 12-15-2003 at 08:07 AM.
 