Earthweb.com Practically Networked Home Earthweb developer.com HardwareCentral earthwebdeveloper CrossNodes Datamation
Welcome to PractiallyNetworked
Product Reviews

 • Routers
 • Hubs/Switches
 • Wireless Gateway
 • Wireless AP
 • Wireless NIC
 • Network Storage
 • Print Servers
 • Bluetooth Adapters
Troubleshooting
& Tutorials

 • Networking
 • Internet Sharing
 • Security
 • Backgrounders
 • Troubleshooting
    Guides

 • PracNet How To's
User Opinions
Practicallynetworked Glossary

 Find a Network Term  
 
Forums
About
Jobs
Home

  Most Popular Tutorials

• Microsoft Vista Home Networking Setup and Options
The most daunting part of upgrading to Windows Vista may be trying to figure out where in the layers of menus the networking and file-sharing options are hidden.

• Do It Yourself: Roll Your Own Network Cables
It may not be something you do everyday, but having the supplies and know-how to whip up a network cable on the spot can be very handy.

• Tips for Securing Your Home Router
Seemingly minor and easily overlooked settings can still have profound security implications. Here are some steps you can take to make sure your wired or wireless home router and by extension, your network is as secure as possible.

  Most Popular Reviews

• Microsoft Windows Home Server
If you have a home network, you'll welcome the easy file sharing, remote access and the image-based backup features of Windows Home Server.

• Iomega StorCenter Network Hard Drive
Iomega's fourth generation StorCenter Network Hard Drive brings many of the features found in higher-end storage devices down to an attractive price.

• MikroTik's The Dude
This free tool delivers many of the same capabilities that you'd find in pricey network monitoring tools. As long as you don't mind tinkering, The Dude is a decent network utility that should be worth the download.


Building Network Appliances With Linux, Part 5: Internet-connection Sharing Firewall


by Carla Schroder

In our previous installments we did a lot of important preliminary configuration, and hardening our firewall box. Today we'll take a quick tour of Webmin, and set up an iptables Internet-connection sharing firewall. Don't connect your firewall box to the Internet just yet, as there are some important steps to take first.

Cruising Webmin

Webmin is an excellent, flexible graphical configuration interface for Linux. You can find modules to configure and manage virtually every Linux service. Unlike a lot of graphical configurators, Webmin reads the source configuration files directly, so you can switch back and forth between using Webmin and editing the files yourself without making a mess.

A word of caution: Just having a good graphical interface does not mean you are instantly a system administrator. You need the same knowledge whether you use Webmin or edit text configuration files directly. Take some time to look around Webmin and see what you can do with it. You can't accidentally hurt anything, because you always have to a click a button to activate any changes.

Sharing an Internet Connection

We're going to use two scripts for our excellent iptables firewall; one to turn it on, and one to turn it off. Plus we're going to enter some important kernel parameters in /etc/sysctl.conf. Make it look just like this, with no other entries:

# /etc/sysctl.conf - Configuration file for setting system variables
# See sysctl.conf (5) for information.

net.ipv4.ip_forward = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0

Build a Linux Appliance

  • Part 1: Introduction and Hardware Requirements
  • Part 2: Install and Configure Linux
  • Part 3: The Firewall
  • Part 4: Locking Down the Firewall Box
  • The first line, net.ipv4.ip_forward = 1 is what turns on Internet connection sharing. The remaining items are security features.

    I call the firewall script firewall_nat; you may name it whatever you want. (Access the firewall_nat script here.)

    Copy this just as it's shown, with these exceptions:

    • Use your own network interface names
    • Use your own IP addresses
    • On the "Enable IP masquerading" line, you have two choices. If you have a static WAN IP, use the SNAT line, substituting your own IP. If you are on DHCP, use the MASQUERADE line

    Make this script executable, and read/write for root only:

    # chmod 0700 firewall_nat
    # chown root:root firewall_nat

    This is the "shutoff" script, which I call ipt_flush. Give it the same ownership and permissions as firewall_nat: (Access the ipt_flush script here.)

    Place firewall_nat in /etc/init.d, and ipt_flush in /usr/local/bin. As root, test both of them:

    # /etc/init.d/firewall_nat
    The firewall has now started up and is faithfully protecting your system
    # ipt_flush
    The firewall is now being shut down. All policies are set to ACCEPT, all rules and chains are deleted, all counters are set to zero

    Well OK then. They work!

    Testing the Firewall

    Fire up the firewall and run this command to verify that your iptables rulesets are active:
    # iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     tcp  --  localnet/24          anywhere            tcp dpt:ssh state NEW
    ACCEPT     tcp  --  localnet/24          anywhere            tcp dpt:10000 state NEW
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
    ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
    ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
    DROP       tcp  --  anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    

    Connect your WAN interface to the big scary Internet, and disconnect the firewall box from the LAN. Ping Google and other sites you can reasonably expect will always work. When your ping tests succeed, boot up one of your LAN clients with a live Linux on CD-ROM, connect it to your switch/hub, and do a bit of Web-surfing to verify that everything works. This is the safest way to test LAN connectivity, since a CD-ROM cannot be compromised.

    The last step is to configure the firewall to start at boot. Do this in Webmin, using System -> Bootup and Shutdown.

    You now have a nice sturdy Internet-connection sharing iptables firewall. Next week we'll learn how to configure it for public services like a Web or mail server, and how to prevent bad packets from escaping your network.

    Resources


    For more help, don't forget to try one of our PracticallyNetworked Forums.


    Earthwebnews.com Earthweb developer.com HardwareCentral earthwebdeveloper CrossNodes Datamation


    Home | Networking | Backgrounders | Internet Sharing | Security | HowTo | Troubleshooting | Reviews | News | About | Jobs | Tools | Forums