LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-04-2005, 12:33 PM   #1
epoo
Member
 
Registered: Aug 2003
Distribution: slackware 11, ubuntu 7.04
Posts: 165

Rep: Reputation: 30
is this a bad idea ? fileserver/firewall...


I have a box right now that I'm thinking of using as a router/firewall. I currently use a D-Link router, but that's not as much fun as this could be.
Currently I'm using this box as an FTP server and Samba file server. Would it be okay to keep the same services running (still use it as an FTP and file server) but include a firewall script and use it as a firewall/router? My main concern is that someone gets in through the running services somehow, but I was thinking last night that this might actually be possible.
Any input is appreciated - thanks!
 
Old 05-04-2005, 12:54 PM   #2
msound
Member
 
Registered: Jun 2003
Location: SoCal
Distribution: CentOS
Posts: 465

Rep: Reputation: 30
If you're not an expert at configuring Linux firewalls then I would keep your Samba/FTP server BEHIND a real firewall until you're confident in your firewalling skills. Misconfiguring your firewall would compromise your fileserver and potentially put your entire network at risk.

If you want to have fun with Linux, just set up your Linux box as a proxy server behind your D-Link router. That way you'll still have the security from the D-Link, but you can have fun configuring your proxy settings and traffic logging with Linux. It's win-win.

ex:

INTERNET --> DLINK --> LINUX SERVER --> NETWORK SWITCH --> THE REST OF YOUR NETWORK
 
Old 05-04-2005, 03:09 PM   #3
epoo
Member
 
Registered: Aug 2003
Distribution: slackware 11, ubuntu 7.04
Posts: 165

Original Poster
Rep: Reputation: 30
That's a good idea, I think I'll try that this weekend.

Another question - I have a 10Mb 4-port hub, and a 16-port switch. I have a laptop, desktop, and server (which would actually end up being the proxy server) - would it be worth it to use the switch, or should I stick with the hub?
 
Old 05-04-2005, 03:29 PM   #4
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,696

Rep: Reputation: 232Reputation: 232Reputation: 232
It depends. In most cases the hub will be enough. It also depends on how 'intelligent' the switch is and how many interesting things you can do with it.
 
Old 05-04-2005, 11:35 PM   #5
April
LQ Newbie
 
Registered: Apr 2005
Distribution: Slackware 10.1
Posts: 18

Rep: Reputation: 0
Do you need to allow access to the Samba file server and FTP only from inside your network? If so, you can configure iptables to allow this while blocking access to these services from the outside world.

Example -

# Flush all previous iptables chains
iptables -F

# The first rule sets the default policy, i.e. what to do if a packet doesn't match any
# other rule, to drop any packet coming into (INPUT) through your box.

iptables -P INPUT DROP

# The next rule is added (-A) to the INPUT chain. This rule allows
# response packets from any connections established from within your system.

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# This rule allows packets through the loopback interface.
iptables -A INPUT -i lo -j ACCEPT

# Allow internal network to function freely
iptables -A INPUT -j ACCEPT -p all -s 192.168.0.0/16 -i eth1

# Allow internal network machines to access internet and masquerade IP addresses
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Allow access to FTP and SMB requests ONLY from within the internal network
iptables -A INPUT -p tcp -m multiport --destination-port 21,137,139 -s 192.168.0.0/16 -j ACCEPT

# Allow internal machines ONLY to make SMB requests (UDP)
iptables -A INPUT -p udp -m multiport --destination-port 137,139 -s 192.168.0.0/16 -j ACCEPT

Last edited by April; 05-07-2005 at 03:08 PM.
 
Old 05-06-2005, 11:38 AM   #6
epoo
Member
 
Registered: Aug 2003
Distribution: slackware 11, ubuntu 7.04
Posts: 165

Original Poster
Rep: Reputation: 30
I'd need access to the FTP server from outside the network, but that's the only service that anyone outside should be able to access.

If I were to make a rule to drop all packets coming in from outside, would web browsing still work?
 
Old 05-06-2005, 03:42 PM   #7
bulliver
Senior Member
 
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86_64; Gentoo PPC; FreeBSD; OS X 10.9.4
Posts: 3,760
Blog Entries: 4

Rep: Reputation: 78
Quote:
If I were to make a rule to drop all packets coming in from outside, would web browsing still work?
Yes it would, because 'iptables' is a stateful packet filter. What this means is that iptables is smart enough to know if a packet arriving on the firewall is a response to a packet sent from your box originally. This is demonstrated by this rule, in April's example script above:
Code:
# The next rule is added (-A) to the INPUT chain. This rule allows
# packets from any previously established connections.

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
Old 05-06-2005, 08:26 PM   #8
epoo
Member
 
Registered: Aug 2003
Distribution: slackware 11, ubuntu 7.04
Posts: 165

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by bulliver
Yes it would, because 'iptables' is a stateful packet filter. What this means is that iptables is smart enough to know if a packet arriving on the firewall is a response to a packet sent from your box originally. This is demonstrated by this rule, in April's example script above:
Code:
# The next rule is added (-A) to the INPUT chain. This rule allows
# packets from any previously established connections.

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Oh, OK. I read that, but I thought it meant that if there was a network connection already established when the script was run, it would leave it alone.
 
Old 05-07-2005, 02:44 PM   #9
April
LQ Newbie
 
Registered: Apr 2005
Distribution: Slackware 10.1
Posts: 18

Rep: Reputation: 0
Whoops! I just noticed that the syntax of the last rule was incorrect. So just in case you tried this and had problems, epoo, I corrected it above.

So if you need access to FTP from outside, then remove port 21 from the following rule in the example script:

# Allow access to FTP and SMB requests ONLY from within the internal network
iptables -A INPUT -p tcp -m multiport --destination-port 21,137,139 -s 192.168.0.0/16 -j ACCEPT

and add a new rule below that one:

# Allow access to FTP from outside the network
iptables -A INPUT -p tcp --destination-port 21 -j ACCEPT


BTW, you can save this script as (for example) rc.firewall, chmod 755 it and place it in your /etc/rc.d folder, and the firewall will automatically load on boot.

Do some reading regarding iptables and you can expand this script to accommodate any future needs you may have.

Last edited by April; 05-07-2005 at 02:45 PM.
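A complete rc.firewall assembled from April's script and the FTP change above, added here as an example and not April's or epoo's own code. The eth0/eth1 WAN/LAN assignment, the 192.168.0.0/16 range, the FORWARD-chain rules and the ftp conntrack helper module names are assumptions; run it with "show" to print the rules without touching the kernel, or with "start" as root to load them.

```sh
#!/bin/sh
# Added example, not April's or epoo's script: rc.firewall assembled from the rules
# in this thread. Interface names and the LAN range below are assumptions.
IPT="${IPT:-iptables}"               # set IPT=echo to print the rules instead of applying them
WAN_IF="${WAN_IF:-eth0}"             # assumed Internet-facing interface
LAN_IF="${LAN_IF:-eth1}"             # assumed LAN-facing interface
LAN_NET="${LAN_NET:-192.168.0.0/16}"

firewall_rules() {
    $IPT -F
    $IPT -t nat -F
    # Default deny on INPUT and FORWARD: anything not explicitly allowed below is
    # dropped, which is what keeps Samba unreachable from the Internet.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    # Stateful rules: replies to connections this box or the LAN opened are admitted,
    # so outbound web browsing keeps working despite the DROP policy.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may reach the box itself and the Internet (masqueraded behind WAN_IF).
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    # Only the FTP control port is opened to the outside; passive-mode data
    # connections are classified RELATED by the ftp conntrack helper.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 21 -m state --state NEW -j ACCEPT
    # SMB/NetBIOS stays LAN-only. Redundant with the LAN rule above, but it records
    # the intent and still holds if that rule is later tightened.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports 139,445 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p udp -m multiport --dports 137,138 -j ACCEPT
    # Rate-limited log of what the Internet side tried before the DROP policy eats it.
    $IPT -A INPUT -i "$WAN_IF" -m limit --limit 5/min -j LOG --log-prefix "rc.firewall drop: "
}

firewall_start() {
    # Helper module name differs between 2.6-era and current kernels; try both.
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
    echo 1 > /proc/sys/net/ipv4/ip_forward      # required for routing/masquerading
    firewall_rules
}

case "${1:-}" in
    start) firewall_start ;;
    show)  IPT=echo; firewall_rules ;;
    *)     echo "usage: $0 {start|show}" ;;
esac
```

Rule order matters: the ESTABLISHED,RELATED rule sits before the per-service rules, so a reply to an outbound connection is accepted without ever being compared against the service rules or the DROP policy.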
 