UNIX System Administration Handbook - Evi Nemeth [197]

IP filtering software

We normally don’t recommend the use of UNIX (or NT) systems as firewalls because of their general insecurity. However, a UNIX firewall is better than nothing at all for a home site or a site with no budget for appropriate hardware (such as a Cisco PIX box), so we describe Red Hat’s ipchains software in a bit more detail.

If you are set on using a Linux machine as a firewall, please at least make sure that it’s up to date with respect to security upgrades and patches. The chapter on security reviews some of the many issues to consider when you are trying to make a machine as secure as possible. A firewall machine is an excellent place to put into practice all of that chapter’s recommendations. (The section that starts on page 675 discusses packet-filtering firewalls in general. If you are not familiar with the basic concept of a firewall, it would probably be wise to read that section before continuing.)

ipchains uses the concept of an ordered “chain” of rules against which network packets are checked. Each rule has a “target” clause that determines the disposition of matching packets. As soon as a packet matches a rule, its fate is sealed and no more rules need be checked. For this reason, the rules in a chain generally run from most to least specific.

Three chains are defined by default: input, output, and forward. You can also define your own chains (for accounting, for example). Each packet handled by the kernel is submitted to exactly one of the default chains. The forward chain sees all packets that arrive on one interface and need to be forwarded on another. The input chain processes all packets that come in from the network and are bound for the local machine. The output chain sees only packets that originate on the local host. Each network interface has its own copy of these chains, so you are free to establish different handling criteria for different interfaces.

The common targets are ACCEPT, DENY, REJECT, MASQ, REDIRECT, and RETURN. When a rule results in an ACCEPT, matching packets are allowed to proceed on their way. DENY and REJECT both drop their packets. DENY is silent, and REJECT returns an ICMP error message.

MASQ is used for IP masquerading, which is the Linux jargon for NAT.

For masquerading to work, the variable FORWARD_IPV4 in the network file must be set to true and the kernel must be built with CONFIG_IP_MASQUERADE defined.

See page 279 for more information about NAT.

REDIRECT shunts packets to a proxy instead of letting them go on their merry way. Compile the kernel with CONFIG_IP_TRANSPARENT_PROXY defined in order to use REDIRECT. You might use this feature to force all your site’s web traffic to go through a web cache such as Squid, for example. RETURN terminates user-defined chains and is analogous to the return statement in a subroutine call.

A Red Hat firewall is usually implemented as a series of ipchains commands contained in an rc.firewall startup script. Individual ipchains commands usually take one of the following forms:

ipchains -F chain-name
ipchains -A chain-name -i interface -j target

The first form flushes all prior rules from the chain. The second form appends the current specification to the chain. The -i and -j parameters must be specified for each ipchains statement to be appended to the filter. ipchains can also take several other parameter clauses, shown in Table 13.22.

Table 13.22 Command-line flags for ipchains

Below are some complete examples. We assume that the ppp0 interface goes to the Internet and that the eth0 interface goes to the internal network. This first set of rules accepts all packets from the internal interfaces and drops any packets that arrive on the ppp0 interface with source addresses in the private address space (NAT) ranges. Such packets should also probably be dropped in the output chain, since we wouldn’t want to let them sneak out onto the Internet.

ipchains -A input -i lo -j ACCEPT
ipchains -A input -i eth0 -j ACCEPT
ipchains -A input -i ppp0 -s 192.168.0.0/16 -j DENY
ipchains -A input -i ppp0 -s 172.16.0.0/12 -j DENY
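To make the first-match chain walk described earlier and this ppp0 anti-spoofing example concrete, here is an added Python model (not the book’s code and not ipchains itself) that parses command lines in the form shown above and evaluates a packet against the resulting chains. It assumes a user-defined chain named spoof, adds the 10.0.0.0/8 range to the two the book lists, and models only the -F, -P, -N, -A, -i, -s and -j flags.

```python
import ipaddress
import shlex

def parse(lines):
    """Chains from ipchains command lines (flags -F, -P, -N, -A, -i, -s, -j)."""
    chains = {}
    def chain(name):
        return chains.setdefault(name, {"policy": "ACCEPT", "rules": []})
    for line in lines:
        argv = shlex.split(line)
        if len(argv) < 3 or argv[0] != "ipchains":
            continue
        if argv[1] == "-F":                      # flush the chain's rules
            chain(argv[2])["rules"].clear()
        elif argv[1] in ("-N", "-P"):            # new user chain / default policy
            chain(argv[2])["policy"] = argv[3] if argv[1] == "-P" else "ACCEPT"
        elif argv[1] == "-A":                    # append: order decides matching
            opts = dict(zip(argv[3::2], argv[4::2]))
            if "-j" not in opts:
                raise ValueError("an appended rule needs -j: " + line)
            chain(argv[2])["rules"].append({"iface": opts.get("-i"), "target": opts["-j"],
                "src": ipaddress.ip_network(opts["-s"]) if "-s" in opts else None})
    return chains

def verdict(chains, name, iface, src):
    """First match seals the packet's fate; a user chain yields None on RETURN
    or when it runs out of rules, and the calling chain carries on."""
    src = ipaddress.ip_address(src)
    for r in chains[name]["rules"]:
        if r["iface"] not in (None, iface) or (r["src"] is not None and src not in r["src"]):
            continue
        if r["target"] == "RETURN":
            return None
        if r["target"] not in chains:            # ACCEPT, DENY, REJECT, MASQ, ...
            return r["target"]
        sub = verdict(chains, r["target"], iface, src)   # jump into a user chain
        if sub is not None:
            return sub
    return chains[name]["policy"] if name in ("input", "output", "forward") else None

# Constructed rule set in the book's ppp0/eth0 layout (not the book's own list).
RULES = """ipchains -P input DENY
ipchains -N spoof
ipchains -A spoof -s 10.0.0.0/8 -j DENY
ipchains -A spoof -s 172.16.0.0/12 -j DENY
ipchains -A spoof -s 192.168.0.0/16 -j DENY
ipchains -A input -i lo -j ACCEPT
ipchains -A input -i eth0 -j ACCEPT
ipchains -A input -i ppp0 -j spoof
ipchains -A input -i ppp0 -j ACCEPT""".splitlines()
```

Swapping the last two rules lets the general ppp0 ACCEPT fire before the spoof check ever runs, which is why the book orders rules from most to least specific.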
