Author: | Francesco Poli |
---|---|
Contact: | invernomuto@paranoici.org |
Version: | 0.20 |
Copyright: | Expat license |
Notice: | Copyright (c) 2012-2020 Francesco Poli Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. |
About this document | |
---|---|
Web form | HyperText Markup Language |
Source form | reStructuredText |
Web stylesheet | Cascading StyleSheets |
Build directives | Makefile |
In another document (HTML, reST) you saw how to install a Debian testing base system on a machine to be used as a network gateway/firewall/server. You also found references to other general workstation documents to follow in order to tune the system. Now it's time to begin shaping this machine for its primary purposes: being a network gateway and firewall.
In order to enable the secondary network interface (the one that will be connected to the LAN switch), edit the configuration file for network interfaces, until it looks like:
```
# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp

# The local network interface
allow-hotplug eth1
iface eth1 inet static
    address 192.168.7.1
    netmask 255.255.255.0
```
Then, edit the /etc/hosts configuration file, so that the first (IPv4) part becomes:
```
$ head -n 2 /etc/hosts
127.0.0.1       localhost
192.168.7.1     $HOSTNAME
```
where $HOSTNAME is the name that was previously chosen for the machine.
Issue the following command, if you want to immediately see the effects of the above configuration changes:
```
# ifup eth1
```
We want our machine to work as a DHCP server and a caching DNS proxy for the LAN connected to the secondary network interface (eth1). In order to achieve this result, install the following package:
```
# aptitude install dnsmasq
```
Then, edit the Dnsmasq configuration file /etc/dnsmasq.conf so that:
```
$ grep domain-needed /etc/dnsmasq.conf
domain-needed
$ grep bogus-priv /etc/dnsmasq.conf
bogus-priv
$ grep ^address= /etc/dnsmasq.conf
address=/double-click.net/127.0.0.1
address=/doubleclick.net/127.0.0.1
address=/ad.doubleclick.net/127.0.0.1
address=/ad.ca.doubleclick.net/127.0.0.1
address=/adremote.timeinc.net/127.0.0.1
address=/google-analytics.com/127.0.0.1
address=/googlesyndication.com/127.0.0.1
address=/adsremote.scripps.net/127.0.0.1
address=/a.as-us.falkag.net/127.0.0.1
address=/interclick.com/127.0.0.1
address=/a1.interclick.com/127.0.0.1
address=/media.fastclick.net/127.0.0.1
address=/network.realmedia.com/127.0.0.1
address=/ads.auctionads.com/127.0.0.1
address=/ads.adbrite.com/127.0.0.1
$ grep ^interface= /etc/dnsmasq.conf
interface=eth1
$ grep ^dhcp-range= /etc/dnsmasq.conf
dhcp-range=192.168.7.100,192.168.7.200
$ grep bogus-nx /etc/dnsmasq.conf
bogus-nxdomain=64.94.110.11
bogus-nxdomain=54.72.52.58
$ grep '^dhcp.*wpad' /etc/dnsmasq.conf
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
```
and restart the daemon:
```
# service dnsmasq restart
```
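The address= lines above sinkhole a domain together with every name below it, so it is worth checking which queries a given list actually catches and which entries are already covered by a shorter one. The following is an added example, not code from the original document or from Dnsmasq itself; it re-implements the suffix match on a constructed excerpt of the configuration shown above.

```python
"""dnsmasq address=/domain/ip suffix matching (added example, not from the page).
An address= entry sinkholes the named domain and every name below it; this
reproduces that label-wise match and flags entries a shorter one already covers.
"""
import re

# Constructed excerpt of the address= lines shown in the document.
SAMPLE_CONF = """\
domain-needed
bogus-priv
address=/double-click.net/127.0.0.1
address=/doubleclick.net/127.0.0.1
address=/ad.doubleclick.net/127.0.0.1
address=/google-analytics.com/127.0.0.1
address=/interclick.com/127.0.0.1
address=/a1.interclick.com/127.0.0.1
interface=eth1
"""

ADDRESS_RE = re.compile(r"^address=/([^/]+)/(\S+)\s*$")

def parse_address_lines(conf_text):
    """Return [(domain, ip)] for each address= line, in file order."""
    entries = []
    for line in conf_text.splitlines():
        m = ADDRESS_RE.match(line.strip())
        if m:
            entries.append((m.group(1).lower().rstrip("."), m.group(2)))
    return entries

def _covers(domain, name):
    """True if domain equals name or is a whole-label suffix of it."""
    return name == domain or name.endswith("." + domain)

def resolve(conf_text, name):
    """IP dnsmasq answers for name, or None when the query goes upstream."""
    name = name.lower().rstrip(".")
    best = None  # most specific (longest) matching domain wins
    for domain, ip in parse_address_lines(conf_text):
        if _covers(domain, name) and (best is None or len(domain) > len(best[0])):
            best = (domain, ip)
    return best[1] if best else None

def redundant_entries(conf_text):
    """Domains already covered by a shorter entry with the same address."""
    entries = parse_address_lines(conf_text)
    return sorted(d for d, ip in entries
                  if any(o != d and ip == oip and _covers(o, d) for o, oip in entries))
```

Note that the match is on whole labels: `notdoubleclick.net` is not caught by the `doubleclick.net` entry, while `stats.g.doubleclick.net` is.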
Add the following line to the /etc/dhcp/dhclient.conf configuration file:
```
$ grep ^prepend /etc/dhcp/dhclient.conf
prepend domain-name-servers 127.0.0.1;
```
in order to use the DNS cache provided by Dnsmasq on the gateway box itself, as well as on the local network.
Add the following line, as well:
```
$ grep ^append /etc/dhcp/dhclient.conf
append domain-name-servers 5.9.49.12;
```
This additional DNS server is from OpenNIC.
In order to enable this configuration change, bring the primary network interface down and up again:

```
# ifdown eth0 ; ifup eth0
```
We want the clock of our machine to be as accurate as possible. Install the following NTP client and server:
```
# aptitude install chrony
```
Then, edit its configuration file /etc/chrony/chrony.conf so that:
```
$ grep ^pool /etc/chrony/chrony.conf
pool 2.debian.pool.ntp.org iburst minpoll 10 maxpoll 12
$ grep '^log ' /etc/chrony/chrony.conf
log tracking measurements statistics
$ grep -B 2 ^makestep /etc/chrony/chrony.conf
# Step the system clock instead of slewing it if the adjustment is larger than
# 200 seconds, but only in the first three clock updates.
makestep 200 3
$ grep -B 1 ^allow /etc/chrony/chrony.conf
# Allow local clients to connect to this server.
allow 192.168/16
```
and restart the daemon:
```
# service chrony restart
```
We want our machine to act as a firewall and NAT (Network Address Translator). First of all, edit the configuration file /etc/sysctl.conf so that:
```
$ grep -v '^#\|^ *$' /etc/sysctl.conf
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.ip_forward=1
```
Then install the following firewall rules configuration tool:
```
# aptitude install ferm
```
You'll be asked whether you want to enable ferm on bootup: you can answer Yes. After doing so, prepare the following configuration file:
```
$ cat ferm.conf
# -*- shell-script -*-
#
# Configuration file for ferm(1).
#

@def $PUB = eth0;  # interface to the public insecure net
@def $LAN = eth1;  # interface to the local net to be protected

table filter {
    chain (INPUT FORWARD OUTPUT) {
        # set paranoid policy
        policy DROP;

        # allow established valid connections
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # always allow pinging
        proto icmp ACCEPT;

        # always reject connections to identd (see Securing Debian manual FAQ)
        proto tcp dport auth REJECT;
    }

    # accept locally generated traffic to and from loopback interface
    chain INPUT interface lo ACCEPT;
    chain OUTPUT outerface lo ACCEPT;

    chain OUTPUT {
        outerface $PUB @subchain "pub_out" {
            # public net remote services accessible from the local system
            proto tcp dport (ftp ftps http https http-alt hkp) ACCEPT;
            proto udp dport (domain bootps ntp) ACCEPT;

            # log packets that failed to be accepted
            mod limit LOG log-level warning;
        }
        outerface $LAN @subchain "lan_out" {
            # local net remote services accessible from the local system
            proto udp dport bootpc ACCEPT;

            # log packets that failed to be accepted
            mod limit LOG log-level warning;
        }
    }

    chain INPUT {
        interface $PUB @subchain "pub_in" {
            # local services for which access from the public net
            # will be denied, without even logging connection attempts
            #   135       Microsoft end-point mapper
            #   137:139   NetBIOS noise
            #   445       Windows Share attacks
            #   1433      Microsoft SQL Server
            #   2967      Symantec overflow attacks
            proto tcp dport (135 137:139 445 1433 2967) DROP;
            #   67:68     bootps & bootpc (for DHCP)
            #   137:139   NetBIOS noise
            #   631       Internet Printing Protocol
            #   1025:1031 so-called "WinPopUP spam"
            #   1433      Microsoft SQL Server
            #   2222      MS-Office for MacOSX antipiracy
            proto udp dport (67:68 137:139 631 1025:1031 1433 2222) DROP;

            # make ssh service accessible from the public net
            # (enable only when needed...)
            # proto tcp dport ssh ACCEPT;

            # log packets that weren't dropped (yet) or accepted
            mod limit LOG log-level debug;
        }
        interface $LAN @subchain "lan_in" {
            # local services accessible from the local net
            proto tcp dport ssh ACCEPT;
            proto udp dport (domain bootps) ACCEPT;

            # log packets that failed to be accepted
            mod limit LOG log-level debug;
        }
    }

    chain FORWARD {
        interface $LAN outerface $PUB @subchain "lan_to_pub" {
            # public net remote services accessible from the local net
            proto tcp dport (ftp ftps http https http-alt ssh hkp smtp ssmtp
                             submission pop3 pop3s dict ircd git whois) ACCEPT;
            proto udp dport ntp ACCEPT;

            # public net radio/video streams accessible from the local net
            proto tcp dport (11590 8000 8294 9408 9968 8900) ACCEPT;

            # public net remote proxy services accessible from the local net
            proto tcp dport (8888) ACCEPT;

            # public net remote media (audio/video) services accessible
            # from the local net (for Google meet)
            proto udp dport (19302:19309) ACCEPT;

            # log packets that failed to be accepted
            mod limit LOG log-level warning;
        }
        interface $PUB outerface $LAN @subchain "pub_to_lan" {
            # log packets that failed to be accepted
            mod limit LOG log-level error;
        }
    }
}

table nat {
    # masquerade everything going out to the public net
    chain POSTROUTING outerface $PUB MASQUERADE;
}

table raw {
    # make ftp service properly accessible
    chain PREROUTING proto tcp dport ftp CT helper ftp;
}
```
If you want to safely test this firewall configuration, you can do so by issuing the following command, which applies the rules and rolls them back unless you confirm them at the prompt within a short timeout (so a mistake that locks you out of a remote session undoes itself):

```
# ferm --interactive ferm.conf
```
If you're satisfied with the result, you can copy this new configuration file to the directory where ferm expects to read it from:
```
# cp ferm.conf /etc/ferm/ferm.conf
# chown root:adm /etc/ferm/ferm.conf
# chmod 644 /etc/ferm/ferm.conf
```
and activate the new rules immediately:
```
# service ferm reload
```
Now the machine is ready to behave as a network gateway and firewall. But it could also be useful as a print server. More details in a separate document (HTML, reST).