View Full Version : Setting up Linux firewall and IP Masquerading...

05-31-2001, 08:05 PM
What is a firewall?

A firewall is a system, or group of systems, that enforces an access control policy between two networks. The firewall can be thought of as a pair of mechanisms-- one that blocks traffic and the other that permits traffic.

Some firewalls place a greater emphasis on blocking traffic, while others emphasize permitting traffic. The most important thing to recognize about a firewall is that it implements an access-control policy. You must know what type of access you want to permit or deny. Otherwise, the product or person configuring the firewall is making the access decisions.

What is IP Masquerading?

IP Masquerade is a networking function in Linux similar to one-to-many NAT (Network Address Translation) found in many commercial firewalls and network routers. For example, if a Linux host is connected to the Internet via PPP or Ethernet, the IP Masquerade feature allows other internal computers connected to this Linux box (via PPP, Ethernet, and so on) to reach the Internet as well. Linux IP Masquerading allows for this functionality even though these internal machines don't have officially assigned IP addresses.

MASQ allows a set of machines to invisibly access the Internet via the MASQ gateway. To other machines on the Internet, all this outgoing traffic will appear to be from the IP MASQ Linux server itself. In addition to the added functionality, IP Masquerade provides the foundation for a secure networking environment. It's considerably difficult to break the security of a well-configured masquerading system and internal LAN.

Set Up a Firewall and Masquerade Gateway
Command-line tools

Ipchains is used to set up, maintain, and inspect the IP firewall rules in the Linux kernel. These rules can be divided into four different categories:
IP input chain
IP output chain
IP forwarding chain
User defined chains

Ipfwadm is a wrapper around Ipchains that emulates the old behavior of ipfwadm from before ipchains was available.

Sample setup

The following script creates a secure internal network. It allows access to any resource on the public Internet, but denies all incoming traffic to an IP address other than that of the firewall. The script also redirects incoming email and Web traffic to a local mail server and Web server.

# The address arguments were stripped from the post, so they are filled in here
# as placeholders; set them to your own values before running the script.
EXTIP=203.0.113.10       # public address of the firewall's external interface (placeholder)
INTNET=192.168.1.0/24    # internal LAN (placeholder)
ANY=0.0.0.0/0            # any address

1) Flush everything and start Ipchains from scratch.
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward

2) Create a new chain for our rules. A user-defined chain only sees packets that are jumped to it, so it is hooked into the input chain; loopback and the internal LAN are accepted first, because packets being masqueraded pass through the input chain too and would otherwise be denied in step 10.
/sbin/ipchains -N new-chain
/sbin/ipchains -A input -i lo -j ACCEPT
/sbin/ipchains -A input -s $INTNET -j ACCEPT
/sbin/ipchains -A input -j new-chain
Allow email to get to the server (port names require -p; replies from remote SMTP servers come from port smtp to our unprivileged ports).
/sbin/ipchains -A new-chain -p tcp -s $ANY smtp -d $EXTIP 1024: -j ACCEPT

3) Allow email connections to the outside world.
/sbin/ipchains -A new-chain -p tcp -s $EXTIP -d $ANY smtp -j ACCEPT

4) Allow Web connections to our server.
/sbin/ipchains -A new-chain -p tcp -s $ANY www -d $EXTIP 1024: -j ACCEPT

5) Allow Web connections to the outside world.
/sbin/ipchains -A new-chain -p tcp -s $EXTIP 1024: -d $ANY www -j ACCEPT

6) Allow DNS traffic (/etc/services names port 53 "domain", not "dns").
/sbin/ipchains -A new-chain -p udp -s $ANY domain -d $EXTIP -j ACCEPT

7) Don't masquerade internal-internal traffic.
/sbin/ipchains -A forward -s $INTNET -d $INTNET -j ACCEPT

8) Don't masquerade traffic from the internal net to the external interface directly.
/sbin/ipchains -A forward -s $INTNET -d $EXTIP -j ACCEPT

9) Masquerade all internal IPs going outside (the kernel must also be forwarding: echo 1 > /proc/sys/net/ipv4/ip_forward).
/sbin/ipchains -A forward -s $INTNET -d $ANY -j MASQ

10) Deny everything else. A policy can only be set on a built-in chain, not on new-chain, so it goes on the input chain that jumps to new-chain.
/sbin/ipchains -P input DENY
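A complete version of the gateway, added here as an example and not the original poster's script: it gathers the ten steps into one runnable script, sets default-deny policies on the built-in chains, adds the anti-spoofing and reply rules the fragments leave out, and turns on IP forwarding, without which the MASQ rule does nothing. Interface names and addresses are placeholders (RFC 5737 and RFC 1918 ranges). Run it without arguments to print the commands; run it with `apply` as root on a 2.2 kernel with ipchains to load them.

```shell
#!/bin/sh
# Complete ipchains firewall + masquerade gateway. Added example, not the
# original poster's script. All addresses and interface names are placeholders;
# replace them with your own. Without arguments the script only prints the
# commands it would run (dry run); "sh gateway.sh apply" loads them for real,
# which needs root on a 2.2-series kernel with ipchains and masquerading.

EXT_IF=${EXT_IF:-ppp0}               # interface facing the Internet
EXT_IP=${EXT_IP:-203.0.113.10}       # public address on $EXT_IF (placeholder)
INT_IF=${INT_IF:-eth0}               # interface facing the LAN
INT_NET=${INT_NET:-192.168.1.0/24}   # internal LAN (placeholder)
ANY=0.0.0.0/0
GW_MODE=dry-run

# run: print the command in dry-run mode, execute it in apply mode.
run() {
    if [ "$GW_MODE" = apply ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# gateway_rules: emit (or load) the whole rule set in the order it must be
# applied. ipchains is stateless, so "reply" traffic can only be recognised
# by port numbers and the TCP SYN flag, never by connection state.
gateway_rules() {
    # 1) Start from scratch and default to deny on the chains that matter.
    run /sbin/ipchains -F input
    run /sbin/ipchains -F output
    run /sbin/ipchains -F forward
    run /sbin/ipchains -P input DENY
    run /sbin/ipchains -P forward DENY
    run /sbin/ipchains -P output ACCEPT

    # 2) Trust loopback and the LAN side of the box.
    run /sbin/ipchains -A input -i lo -j ACCEPT
    run /sbin/ipchains -A input -i "$INT_IF" -s "$INT_NET" -j ACCEPT

    # 3) Anti-spoofing: internal addresses must never arrive from the Internet.
    run /sbin/ipchains -A input -i "$EXT_IF" -s "$INT_NET" -j DENY -l

    # 4) Services the firewall offers to the Internet: new TCP connections
    #    (SYN) to SMTP and HTTP on the external address only.
    run /sbin/ipchains -A input -i "$EXT_IF" -p tcp -s "$ANY" -d "$EXT_IP" smtp -j ACCEPT
    run /sbin/ipchains -A input -i "$EXT_IF" -p tcp -s "$ANY" -d "$EXT_IP" www -j ACCEPT

    # 5) Replies to connections opened from here: only non-SYN TCP (! -y) and
    #    DNS answers, and only to unprivileged ports. A plain "1024:" rule
    #    without "! -y" would let outsiders open connections to any service
    #    listening above port 1024.
    run /sbin/ipchains -A input -i "$EXT_IF" -p tcp ! -y -s "$ANY" -d "$EXT_IP" 1024: -j ACCEPT
    run /sbin/ipchains -A input -i "$EXT_IF" -p udp -s "$ANY" domain -d "$EXT_IP" 1024: -j ACCEPT

    # 6) Log whatever else arrives from outside before the policy drops it.
    run /sbin/ipchains -A input -i "$EXT_IF" -j DENY -l

    # 7) Forwarding: LAN-to-LAN untouched, LAN-to-Internet masqueraded behind
    #    $EXT_IP. On the forward chain -i names the outgoing interface.
    #    Replies are demasqueraded by the kernel and skip the forward chain.
    run /sbin/ipchains -A forward -s "$INT_NET" -d "$INT_NET" -j ACCEPT
    run /sbin/ipchains -A forward -i "$EXT_IF" -s "$INT_NET" -d "$ANY" -j MASQ
}

# enable_forwarding: the rules do nothing until the kernel forwards packets.
# The FTP helper module is optional and only needed for active-mode FTP.
enable_forwarding() {
    run /sbin/modprobe ip_masq_ftp
    run sysctl -w net.ipv4.ip_forward=1
}

if [ "${1:-}" = apply ]; then
    GW_MODE=apply
fi
gateway_rules
enable_forwarding
```

The two points worth checking against your own version: on the forward chain `-i` is the interface the packet leaves on, so `-i ppp0 ... -j MASQ` is what masquerades LAN traffic, and the `! -y` on the high-port reply rule is what keeps that rule from being an open door to every daemon bound above 1024.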