05-31-2001, 09:05 PM

Setting up Linux firewall and IP Masquerading...

What is a firewall?

A firewall is a system, or group of systems, that enforces an access control policy between two networks. The firewall can be thought of as a pair of mechanisms: one that blocks traffic and the other that permits traffic.

Some firewalls place a greater emphasis on blocking traffic, while others emphasize permitting traffic. The most important thing to recognize about a firewall is that it implements an access-control policy. You must know what type of access you want to permit or deny. Otherwise, the product or person configuring the firewall is making the access decisions.

What is IP Masquerading?

IP Masquerade is a networking function in Linux similar to the one-to-many NAT (Network Address Translation) found in many commercial firewalls and network routers. For example, if a Linux host is connected to the Internet via PPP, Ethernet, and so on, the IP Masquerade feature allows other internal computers connected to this Linux box (via PPP, Ethernet, and so on) to also reach the Internet. Linux IP Masquerading allows for this functionality even though these internal machines don't have officially assigned IP addresses.

MASQ allows a set of machines to invisibly access the Internet via the MASQ gateway. To other machines on the Internet, all this outgoing traffic will appear to be from the IP MASQ Linux server itself. In addition to the added functionality, IP Masquerade provides the foundation for a secure networking environment. It's considerably difficult to break the security of a well-configured masquerading system and internal LAN.

Set Up a Firewall and Masquerade Gateway
Command-line tools

Ipchains is used to set up, maintain, and inspect the IP firewall rules in the Linux kernel. These rules can be divided into four different categories:
IP input chain
IP output chain
IP forwarding chain
User defined chains

Ipfwadm is a wrapper of Ipchains to emulate the old behavior of ipfwadm before ipchains was available.

Sample setup

The following script creates a secure internal network. It allows access to any resource on the public Internet, but denies all incoming traffic to an IP address other than that of the firewall. The script also redirects incoming email and Web traffic to a local mail server and Web server.

1) Flush everything and start ipchains from scratch.
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward

2) Create a new chain for our rules.
# Replace the <...> placeholders with your own addresses; 0/0 means any address.
# A user-defined chain sees no traffic until a built-in chain jumps to it.
/sbin/ipchains -N new-chain
/sbin/ipchains -A input -j new-chain
Allow email to get to the server
# Replies from remote mail servers. "! -y" matches packets without the SYN flag,
# so this does not open every port above 1024 to new connections.
/sbin/ipchains -A new-chain -p tcp ! -y -s 0/0 smtp -d <firewall-ip> 1024: -j ACCEPT

3) Allow email connections to the outside world.
/sbin/ipchains -A new-chain -p tcp -s <internal-network> 1024: -d 0/0 smtp -j ACCEPT

4) Allow Web connections to our server.
/sbin/ipchains -A new-chain -p tcp ! -y -s 0/0 www -d <firewall-ip> 1024: -j ACCEPT

5) Allow Web connections to the outside world.
/sbin/ipchains -A new-chain -p tcp -s <internal-network> 1024: -d 0/0 www -j ACCEPT

6) Allow DNS traffic.
# Queries out and answers back; /etc/services names the port "domain", not "dns".
/sbin/ipchains -A new-chain -p udp -s <internal-network> -d 0/0 domain -j ACCEPT
/sbin/ipchains -A new-chain -p udp -s 0/0 domain -d <firewall-ip> -j ACCEPT

7) Don't masquerade internal-internal traffic.
/sbin/ipchains -A forward -s <internal-network> -d <internal-network> -j ACCEPT

8) Don't masquerade the external interface directly.
/sbin/ipchains -A forward -s <firewall-ip> -d 0/0 -j ACCEPT

9) Masquerade all internal IPs going outside.
# MASQ only rewrites packets the kernel forwards, and forwarding is off by default.
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -A forward -s <internal-network> -d 0/0 -j MASQ

10) Deny everything else.
# Policies belong to the built-in chains only; a packet that falls off the end of
# new-chain returns to input and meets the input policy.
/sbin/ipchains -P input DENY
/sbin/ipchains -P forward DENY
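The steps above, pulled together into one script that can actually be run and reviewed. This is an added example, not the original poster's script. Every site-specific value is an assumed placeholder: the interface names ppp0 and eth0, the public address 203.0.113.10 (RFC 5737 documentation range), the 192.168.1.0/24 LAN, and the mail and web server addresses. The script fails closed with DENY policies on the input and forward chains, accepts replies with "! -y" so established TCP gets through without opening every port above 1024 to new connections, drops packets that arrive on the external interface claiming a LAN source, and switches on ip_forward, without which the MASQ rule masquerades nothing. Because ipchains can only accept or deny, the redirection of incoming mail and web traffic to the internal servers that the post describes is done with ipmasqadm's portfw module, the port-forwarding tool for 2.2 kernels. By default the script prints the commands instead of executing them (DRY_RUN=1), so it can be checked on any machine; run it as root with DRY_RUN=0 on a 2.2 masquerading kernel to load the rules.

```shell
#!/bin/sh
# ipchains/MASQ gateway for a 2.2 kernel. Assumed site values (placeholders): change them.
EXT_IF="${EXT_IF:-ppp0}"                     # interface facing the Internet
EXT_IP="${EXT_IP:-203.0.113.10}"             # public address of the gateway (RFC 5737 range)
INT_IF="${INT_IF:-eth0}"                     # interface facing the LAN
LAN="${LAN:-192.168.1.0/24}"                 # private LAN (RFC 1918), never valid on EXT_IF
MAIL_SERVER="${MAIL_SERVER:-192.168.1.2}"    # internal hosts published through the gateway
WEB_SERVER="${WEB_SERVER:-192.168.1.3}"
ANY="0.0.0.0/0"
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print commands; DRY_RUN=0 (as root) applies them

# Every privileged action goes through run(), so the ruleset can be reviewed before it is loaded.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }
ipc() { run /sbin/ipchains "$@"; }

build_rules() {
    # MASQ only rewrites packets the kernel forwards; forwarding is off by default.
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

    # 1) Start from nothing, then fail closed: unmatched input and forwarded packets are denied.
    ipc -F input; ipc -F output; ipc -F forward
    ipc -P input DENY
    ipc -P forward DENY
    ipc -P output ACCEPT

    # 2) Loopback and packets arriving from the LAN side are trusted.
    ipc -A input -i lo -j ACCEPT
    ipc -A input -i "$INT_IF" -s "$LAN" -j ACCEPT

    # 3) Anti-spoofing: a LAN source address arriving on the external interface is forged.
    ipc -A input -i "$EXT_IF" -s "$LAN" -l -j DENY

    # 4) Connection requests the outside may open to the gateway's public address
    #    (these two ports are handed to the internal servers in step 8).
    ipc -A input -i "$EXT_IF" -p tcp -s "$ANY" -d "$EXT_IP" smtp -j ACCEPT
    ipc -A input -i "$EXT_IF" -p tcp -s "$ANY" -d "$EXT_IP" www -j ACCEPT

    # 5) Replies to connections opened from inside. "! -y" matches TCP packets without SYN,
    #    so established traffic reaches high ports while new connections to them are refused.
    #    DNS answers come back from UDP port 53; other masqueraded UDP replies land in the
    #    2.2 kernel's masquerade port range (61000-65095). ICMP is needed for errors and MTU.
    ipc -A input -i "$EXT_IF" -p tcp ! -y -s "$ANY" -d "$EXT_IP" 1024: -j ACCEPT
    ipc -A input -i "$EXT_IF" -p udp -s "$ANY" domain -d "$EXT_IP" 1024: -j ACCEPT
    ipc -A input -i "$EXT_IF" -p udp -s "$ANY" -d "$EXT_IP" 61000:65095 -j ACCEPT
    ipc -A input -i "$EXT_IF" -p icmp -s "$ANY" -d "$EXT_IP" -j ACCEPT

    # 6) Log whatever is about to hit the DENY policy, so mistakes show up in syslog.
    ipc -A input -i "$EXT_IF" -l -j DENY

    # 7) Forwarding: LAN-to-LAN is left alone; LAN-to-Internet leaves on EXT_IF rewritten to
    #    EXT_IP (in the forward chain, -i names the outgoing interface). The published servers
    #    are allowed explicitly so the ruleset does not depend on the kernel skipping the
    #    forward chain for de-masqueraded packets.
    ipc -A forward -s "$LAN" -d "$LAN" -j ACCEPT
    ipc -A forward -i "$EXT_IF" -s "$LAN" -d "$ANY" -j MASQ
    ipc -A forward -i "$INT_IF" -p tcp -s "$ANY" -d "$MAIL_SERVER" smtp -j ACCEPT
    ipc -A forward -i "$INT_IF" -p tcp -s "$ANY" -d "$WEB_SERVER" www -j ACCEPT

    # 8) Publish the internal servers. ipchains can only accept or deny; rewriting the
    #    destination of inbound mail and web traffic is done by ipmasqadm's portfw module.
    run /usr/sbin/ipmasqadm portfw -f
    run /usr/sbin/ipmasqadm portfw -a -P tcp -L "$EXT_IP" 25 -R "$MAIL_SERVER" 25
    run /usr/sbin/ipmasqadm portfw -a -P tcp -L "$EXT_IP" 80 -R "$WEB_SERVER" 80
}

# Number of ipchains rules the script would append; a quick sanity check after editing it.
rule_count() { DRY_RUN=1 build_rules | grep -c '^/sbin/ipchains -A'; }

case "${1:-show}" in
    show)  build_rules ;;                  # print the ruleset
    apply) DRY_RUN=0; build_rules ;;       # load it (root, 2.2 kernel with masq and portfw)
esac
```

Run it with no arguments to see exactly what would be loaded, then with "apply" once the placeholders match the site. Rule order matters in ipchains: the anti-spoofing DENY sits before any ACCEPT on the external interface, and the logging DENY is last so only traffic that nothing else claimed gets logged.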