The Firewall Script
If you haven't already done so, please read the Proxy/NAT page. Much of the information for proxy servers and firewalls is the same and we won't be repeating it here. As a matter of fact, if you created the proxy server on the previous page, all you have to do is add a few more IPTABLES commands to enhance the firewalling functionality of the system.
All we're going to do is take the proxy server shell script from the Proxy/NAT page and add some more rules to it. Whereas the proxy script only had specific rules related to forwarding, the modified script will have all three types of rules (INPUT, OUTPUT, and FORWARD chains). To set this script up you'll need to:

Section A
- Enter your internal interface designation (INTIF)
- Enter your internal network address (INTNET)
- Enter your internal interface IP address (INTIP)
- Enter your external interface designation (EXTIF)

Section B
- If your external interface uses a static IP address, uncomment the EXTIP line and enter your static IP address

Section C
- If your external interface uses a dynamic IP address, uncomment the EXTIP line

Optional
- If you plan to simultaneously use your firewall system as a Web server, uncomment the two OPTIONAL: lines (echo and iptables) in the INPUT section.

The comments in the script give a little more information on what values to enter and what lines need to be uncommented for your situation. If you want to have a Web server but don't feel comfortable using your firewall system to act as one, we show you how to set up the firewall to forward traffic to a separate Web server that's behind the firewall in the DMZ section below.
#!/bin/sh
# IPTABLES FIREWALL script for the Linux 2.4 kernel.
# This script is a derivative of the script presented in
# the IP Masquerade HOWTO page at:
# www.tldp.org/HOWTO/IP-Masquerade-HOWTO/stronger-firewall-examples.html
# It was simplified to coincide with the configuration of
# the sample system presented in the Guides section of
# www.aboutdebian.com
#
# This script is presented as an example for testing ONLY
# and should not be used on a production firewall server.
#
# PLEASE SET THE USER VARIABLES
# IN SECTIONS A AND B OR C
echo -e "\n\nSETTING UP IPTABLES FIREWALL..."
# === SECTION A
# ----------- FOR EVERYONE
# SET THE INTERFACE DESIGNATION AND ADDRESS AND NETWORK ADDRESS
# FOR THE NIC CONNECTED TO YOUR _INTERNAL_ NETWORK
# The default value below is for "eth0". This value
# could also be "eth1" if you have TWO NICs in your system.
# You can use the ifconfig command to list the interfaces
# on your system. The internal interface will likely have
# have an address that is in one of the private IP address
# ranges.
# Note that this is an interface DESIGNATION - not
# the IP address of the interface.
# Enter the designation for the Internal Interface's
INTIF="eth0"
# Enter the NETWORK address the Internal Interface is on
INTNET="192.168.1.0/24"
# Enter the IP address of the Internal Interface (host address only, no mask)
INTIP="192.168.1.1"
# SET THE INTERFACE DESIGNATION FOR YOUR "EXTERNAL" (INTERNET) CONNECTION
# The default value below is "ppp0" which is appropriate
# for a MODEM connection.
# If you have two NICs in your system change this value
# to "eth0" or "eth1" (whichever is opposite of the value
# set for INTIF above). This would be the NIC connected
# to your cable or DSL modem (WITHOUT a cable/DSL router).
# Note that this is an interface DESIGNATION - not
# the IP address of the interface.
# Enter the external interface's designation for the
# EXTIF variable:
EXTIF="ppp0"
# ! ! ! ! ! Use ONLY Section B *OR* Section C depending on
# ! ! ! ! the type of Internet connection you have.
# ! ! ! ! ! Uncomment ONLY ONE of the EXTIP statements.
# === SECTION B
# ----------- FOR THOSE WITH STATIC PUBLIC IP ADDRESSES
# SET YOUR EXTERNAL IP ADDRESS
# If you specified a NIC (i.e. "eth0" or "eth1" for
# the external interface (EXTIF) variable above,
# AND if that external NIC is configured with a
# static, public IP address (assigned by your ISP),
# UNCOMMENT the following EXTIP line and enter the
# IP address for the EXTIP variable:
#EXTIP="your.static.IP.address"
# === SECTION C
# ---------- DIAL-UP MODEM, AND RESIDENTIAL CABLE-MODEM/DSL (Dynamic IP) USERS
# SET YOUR EXTERNAL INTERFACE FOR DYNAMIC IP ADDRESSING
# If you get your IP address dynamically from SLIP, PPP,
# BOOTP, or DHCP, UNCOMMENT the command below.
# (No values have to be entered.)
# Note that if you are uncommenting this line then
# the EXTIP line in Section B must be commented out.
# The address is read from the interface set in EXTIF above,
# so EXTIF must be correct and the link must be up when the
# script runs.
#EXTIP="`/sbin/ifconfig $EXTIF | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
# -------- No more variable setting beyond this point --------
echo "Loading required stateful/NAT kernel modules..."
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
echo " Enabling IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo " External interface: $EXTIF"
echo " External interface IP address is: $EXTIP"
echo " Loading firewall server rules..."
UNIVERSE="0.0.0.0/0"
# Clear any existing rules and set the default policy to DROP
iptables -P INPUT DROP
iptables -F INPUT
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -F -t nat
# Flush the user chain.. if it exists (-n avoids slow DNS lookups)
if iptables -n -L drop-and-log-it >/dev/null 2>&1; then
iptables -F drop-and-log-it
fi
# Delete all User-specified chains
iptables -X
# Reset all IPTABLES counters
iptables -Z
# Creating a DROP chain: log the packet, then refuse it.
# The limit match keeps a packet flood from filling /var/log and the
# prefix makes the entries easy to grep. REJECT answers the sender with
# an ICMP error (or TCP reset); change it to DROP if you would rather
# discard the packet silently, which is what the chain name suggests.
iptables -N drop-and-log-it
iptables -A drop-and-log-it -m limit --limit 5/min --limit-burst 10 -j LOG --log-level info --log-prefix "FW-DROP: "
iptables -A drop-and-log-it -j REJECT
echo -e " - Loading INPUT rulesets"
#######################################################################
# INPUT: Incoming traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#
# loopback interfaces are valid.
iptables -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# local interface, local machines, going anywhere is valid
iptables -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
# remote interface, claiming to be local machines, IP spoofing, get lost
iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
# remote interface, any source, going to permanent PPP address:
# only let in traffic that belongs to a connection this machine (or a
# masqueraded client) started. An unconditional ACCEPT to $EXTIP here
# would open every port on the firewall itself and make the default
# DROP policy and the OPTIONAL web-server rule below meaningless.
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
# OPTIONAL: Uncomment the following two commands if you plan on running
# an Apache Web site on the firewall server itself
#
#echo -e " - Allowing EXTERNAL access to the WWW server"
#iptables -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
# Catch all rule, all other incoming is denied and logged.
iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo -e " - Loading OUTPUT rulesets"
#######################################################################
# OUTPUT: Outgoing traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#
# loopback interface is valid.
iptables -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# local interface, traffic from the firewall's external address to the local net is valid
iptables -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
# local interface, traffic from the firewall's internal address to the local net is valid
iptables -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
# outgoing to local net on remote interface, stuffed routing, deny
iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
# anything else outgoing on remote interface is valid
iptables -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
# Catch all rule, all other outgoing is denied and logged.
iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo -e " - Loading FORWARD rulesets"
#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
# Allow all connections OUT and only existing/related IN
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# Catch all rule, all other forwarding is denied and logged.
iptables -A FORWARD -j drop-and-log-it
# Enable SNAT functionality on $EXTIF. SNAT hard-codes the address,
# which is right for a static IP. For a dynamic (dial-up/DHCP) address
# MASQUERADE is the better target: it reads the interface's current
# address each time and forgets old connections when the link drops:
#   iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
echo -e " Firewall server rule loading complete\n\n"
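Before loading a ruleset like this on a live system it is worth seeing the rules it generates without touching the kernel, and without locking yourself out. The following is an added example, not part of the page's script or of the IP Masquerade HOWTO: it shadows the iptables command with a shell function that records each call, sources a script fragment, and then checks that no INPUT rule on the external interface is an unconditional ACCEPT (a rule that would open every port on the firewall host itself). The two fragments are constructed to mirror the INPUT section above, one with a blanket ACCEPT to $EXTIP and one without; the interface names and the 203.0.113.7 address are made-up values.

```shell
#!/bin/sh
# Added example: dry-run a firewall script with a shadowed iptables and audit
# the INPUT chain. Nothing here touches the kernel; the interface names and
# the 203.0.113.7 address are constructed values.

RULELOG="${TMPDIR:-/tmp}/iptables-dryrun-$$.log"

# Shadow function: takes precedence over /sbin/iptables when the script is
# sourced, and records the rule instead of loading it.
iptables() {
    printf '%s\n' "$*" >> "$RULELOG"
}

# Source a script fragment under the shadow; its rules end up in $RULELOG.
dryrun() {
    : > "$RULELOG"
    . "$1"
}

# Audit: every ACCEPT on the external interface in INPUT must be conditioned
# on connection state (--state) or a destination port (--dport).
# Prints the offending rules and returns 1 if any exist, 0 otherwise.
audit_input() {
    extif="$1"
    bad=$(grep -- '-A INPUT' "$RULELOG" \
          | grep -- "-i $extif " \
          | grep -- '-j ACCEPT' \
          | grep -v -e '--state' -e '--dport' || true)
    if [ -n "$bad" ]; then
        printf 'unconditional ACCEPT on %s:\n%s\n' "$extif" "$bad"
        return 1
    fi
    return 0
}

# Dry-run a script and audit its INPUT chain on ppp0.
check_script() {
    dryrun "$1" && audit_input ppp0
}

# Constructed fragment mirroring the page's INPUT section, blanket ACCEPT included.
LEAKY="${TMPDIR:-/tmp}/fw-leaky-$$.sh"
cat > "$LEAKY" <<'EOF'
EXTIF="ppp0"; INTIF="eth0"; INTNET="192.168.1.0/24"
EXTIP="203.0.113.7"; UNIVERSE="0.0.0.0/0"
iptables -P INPUT DROP
iptables -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
iptables -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
EOF

# Same fragment with the blanket ACCEPT line removed.
FIXED="${TMPDIR:-/tmp}/fw-fixed-$$.sh"
sed '/-d \$EXTIP -j ACCEPT$/d' "$LEAKY" > "$FIXED"

main() {
    if check_script "$LEAKY"; then echo "leaky fragment: passes (unexpected)"; else echo "leaky fragment: flagged"; fi
    if check_script "$FIXED"; then echo "fixed fragment: passes"; else echo "fixed fragment: flagged (unexpected)"; fi
}
main
```

Run it as an ordinary user. To dry-run the real firewall.sh the same way, define the shadow function and then source the script with `.`; the modprobe calls and the writes to /proc/sys will print permission errors without root, but the recorded ruleset and the audit are unaffected.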
Note the 'drop-and-log-it' target in the 'catch all' rules. IPTABLES log messages are written by the kernel to syslog, which on a default Debian system puts them in the /var/log/messages file and also on the 'console' (screen). These messages include the source and destination addresses, the protocol and port numbers, and the interface information of dropped packets. This is useful in troubleshooting. If your firewall isn't acting the way you thought, you can see which packets are being dropped. Two caveats: the chain's final target is REJECT, which tells the sender the packet was refused, so change it to DROP if you want silently discarded packets; and an unlimited LOG rule on an Internet-facing interface lets anyone fill your disk by flooding you with packets, so rate-limit it (-m limit) on anything beyond a test system.
The UNIVERSE="0.0.0.0/0" line just means "any address".
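Reading the log by eye gets old fast. The following is an added example, not part of the page: a shell function that tallies iptables LOG entries from syslog by direction, protocol, source address and destination port, plus one that lists private addresses seen arriving on the external interface (what the "IP spoofing, get lost" rule catches). The six log lines are constructed in the kernel LOG target's field format; the `FW-DROP:` text is what a `--log-prefix "FW-DROP: "` on the LOG rule would add, and without a prefix the record simply starts at `IN=`, which the parser treats the same way. The addresses are from the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges.

```shell
#!/bin/sh
# Added example: summarize packets reported by drop-and-log-it from syslog
# lines. The sample lines are constructed in the kernel LOG target's format.

sample_log() {
    cat <<'EOF'
Mar  3 14:02:11 fw kernel: FW-DROP: IN=ppp0 OUT= MAC= SRC=198.51.100.23 DST=203.0.113.7 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=30452 DF PROTO=TCP SPT=3412 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  3 14:02:14 fw kernel: FW-DROP: IN=ppp0 OUT= MAC= SRC=198.51.100.23 DST=203.0.113.7 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=30453 DF PROTO=TCP SPT=3413 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  3 14:02:17 fw kernel: FW-DROP: IN=ppp0 OUT= MAC= SRC=198.51.100.23 DST=203.0.113.7 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=30454 DF PROTO=TCP SPT=3414 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  3 14:05:40 fw kernel: FW-DROP: IN=ppp0 OUT= MAC= SRC=192.168.1.77 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40123 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 14:06:02 fw kernel: FW-DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=203.0.113.7 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=22 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Mar  3 14:07:31 fw kernel: FW-DROP: IN= OUT=ppp0 SRC=203.0.113.7 DST=192.168.1.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=TCP SPT=1025 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
}

# Tally logged packets by direction/interface, protocol, source and dest port.
# Reads log lines on stdin; prints "count in:IFACE PROTO SRC DPT", busiest first.
summarize_drops() {
    awk '
    /IN=/ {
        in_if = out_if = proto = src = dpt = ""
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "IN")    in_if  = kv[2]
            if (kv[1] == "OUT")   out_if = kv[2]
            if (kv[1] == "PROTO") proto  = kv[2]
            if (kv[1] == "SRC")   src    = kv[2]
            if (kv[1] == "DPT")   dpt    = kv[2]
        }
        # INPUT-chain logs carry IN=, OUTPUT-chain logs carry OUT= only.
        dir = (in_if != "") ? ("in:" in_if) : ("out:" out_if)
        if (dpt == "") dpt = "-"        # ICMP and other portless protocols
        key = dir " " proto " " src " " dpt
        count[key]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Sources that arrived on the external interface ($1) claiming an internal
# address prefix ($2, e.g. 192.168.1.): spoofed packets, one address per line.
spoofed_sources() {
    awk -v ext="$1" -v pre="$2" '
    $0 ~ "IN=" ext " " {
        for (i = 1; i <= NF; i++) if (substr($i, 1, 4) == "SRC=") {
            src = substr($i, 5)
            if (index(src, pre) == 1) seen[src] = 1
        }
    }
    END { for (s in seen) print s }' | sort
}

main() {
    echo "dropped packets by source:"
    sample_log | summarize_drops
    echo "spoofed internal sources on ppp0:"
    sample_log | spoofed_sources ppp0 192.168.1.
}
main
```

On a real system, feed the functions with `grep 'IN=' /var/log/messages | summarize_drops`; the spoofed-sources list should normally be empty, and a non-empty one means either a misconfigured host upstream or someone probing with forged addresses.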
If you read the script comments you saw there's a commented-out command that you can uncomment if you want your firewall to also act as a Web server (not a particularly secure idea: a compromised Web server would then be sitting on the firewall itself). But what if you wanted to set up a separate Web server system behind your firewall system? There are three statements that you have to add to the script. We show you how to do that in the Setting Up A DMZ section below. (You don't have to set up a full-blown DMZ to use these commands to have servers behind your firewall.)
As with the proxy script, you can simply copy/paste the above script into a text editor and make the necessary changes for your system, network, and type of external connection. Then save it using the file name firewall.txt and anonymous FTP it to your Debian system.
Note that, also like the proxy script, you cannot set this script to run at boot up if you are using a dynamic IP-based modem connection for the external interface unless you add the commands to call the pon script (EXTIP is read from the interface when the script runs, so the link has to be up first).
Once the file is transferred, use the following commands to copy/rename it to the appropriate scripts directory and to make it executable for root:
cp /home/ftp/pub/incoming/firewall.txt /etc/init.d/firewall.sh
chmod 755 /etc/init.d/firewall.sh
Now all you have to do is connect to your ISP and enter the following command to run the script:
/etc/init.d/firewall.sh
Using IPTABLES sets up a "packet filtering firewall". It inspects packet headers for source and destination addresses, protocol (tcp, udp, or icmp), and port numbers (which indicate the type of Internet application being used, such as 80 for http (Web browsing), 21 for ftp, 23 for telnet, etc.). Because the rules above also use the connection-tracking module (-m state --state ESTABLISHED,RELATED), this is a "stateful" packet filter: it remembers which connections were started from the inside and only lets the replies to those back in. Firewalls that go a step further and examine the application data inside the packets to decide whether what's being transferred back and forth is a legitimate exchange are called application-layer (or proxy) firewalls; IPTABLES by itself does not do that.
If you created a symbolic link on the Proxy/NAT page so the proxy script would run at bootup, you may want to delete it and recreate one for this script. The following two commands will take care of that:
rm /etc/rc2.d/S95proxy
ln -s /etc/init.d/firewall.sh /etc/rc2.d/S95firewall
If you added the commands to the proxy script to call the pon dialer you may want to add them to the firewall script also.
1 comment:
Please add more to the article, mas...