Firewall with masquerading
From NewbieDOC
1 Introduction
The firewall in Debian is not activated by default. Here is a short example using shorewall 3.2.6-2 from etch. The configuration described here is very simple and should be sufficient for a basic setup; Shorewall is very powerful, and if you need something more complicated it can probably be done. Of course, you can set up a basic firewall much more easily with a GUI frontend (e.g. Firestarter), but that is much harder to do remotely. The shorewall config files are plain text and can be edited very easily over ssh, which works even on a dial-up connection. This way you can run a headless machine (no monitor) for anything that does not need a GUI. I use the firewall machine for large downloads, listening to internet radio, playing mp3s, ... everything over ssh, without ever needing a monitor.
Disclaimer: This is just a basic configuration. There is much more to security than setting up a firewall, so don't blame me if you get cracked. If you are serious about security you should read more documentation; the Securing Debian Manual would be a good start.
2 Main
All of the following needs root privileges, so switch to root with su (or prefix each command with sudo). First install shorewall:
#aptitude install shorewall
shorewall is installed with an (almost) empty configuration, and nothing is filtered until you configure it and start it. We can use the supplied default files with a few minor changes and additions; they also contain lots of documentation and many more options. Note: each default file ends with a '#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE' marker, so add your lines at the end of the file, just above that marker. Read the instructions in each file and you should figure it out.
#cp /usr/share/doc/shorewall/default-config/* /etc/shorewall/
Now use your preferred editor (e.g. mcedit) to modify some files:
#mcedit /etc/shorewall/shorewall.conf
change IP_FORWARDING to On if you want to use your computer as a gateway (shorewall then enables kernel IP forwarding when it starts; leave it Off on a machine with a single interface):
IP_FORWARDING=On
I will assume eth0 is the internet connection (with dhcp) and eth1 is the connection to the rest of your network. Change to suit your configuration:
#mcedit /etc/shorewall/interfaces
add the following lines (columns are ZONE, INTERFACE, BROADCAST, OPTIONS; 'detect' makes shorewall look up the broadcast address of the dhcp-configured interface at start time, and the dhcp option allows DHCP traffic on eth0):
net eth0 detect dhcp
loc eth1 192.168.0.255
#mcedit /etc/shorewall/policy
add the following lines (columns are SOURCE, DEST, POLICY; order is important because the first matching entry wins, so the catch-all REJECT must stay last). Note that 'loc all ACCEPT' gives every host on your LAN unrestricted access to the firewall machine itself as well as to the internet, and 'net all DROP' silently drops everything unsolicited from the internet unless an entry in /etc/shorewall/rules accepts it:
loc all ACCEPT
fw all ACCEPT
net all DROP
all all REJECT
#mcedit /etc/shorewall/zones
add the following lines (columns are ZONE, TYPE; fw is the firewall machine itself, the other two are IPv4 zones that the interfaces file attaches to eth0 and eth1):
fw firewall
net ipv4
loc ipv4
If you need masquerading (using your computer as a gateway for your network, so that LAN hosts with private 192.168.0.x addresses reach the internet through the firewall's public address) you will also need to change the following:
#mcedit /etc/shorewall/masq
add the following line (columns are INTERFACE, SUBNET: traffic leaving through eth0 that came in on eth1 has its source address rewritten to eth0's address):
eth0 eth1
Now we need to activate our configuration:
#shorewall start
Check your configuration. You should be able to ping internet hosts from the firewall machine and from the network behind it. There are also sites that will scan your machine from the outside. If everything is ok, all ports should show as "stealth" (no reply at all) except 113 (ident), which shows as closed: the DROP policy uses Shorewall's default Drop action (DROP_DEFAULT=Drop in shorewall.conf), which rejects ident requests with a TCP reset instead of dropping them, so mail and IRC servers that look up ident do not keep you waiting for a timeout. Don't worry if you get a warning about that; opinions differ on whether it matters. Now we need to make one final change so shorewall is started on every boot:
#mcedit /etc/default/shorewall
change the 'startup' option from 0 to 1 (with 0 the init script refuses to start shorewall, and the machine would boot without a firewall):
startup=1
3 Goodies
I use the firewall machine for large downloads with BitTorrent. For BitTorrent to work correctly we need to open a few ports. This will NOT work for other machines on your network; for that you would need port forwarding (DNAT), which is not covered here. (Update: ktorrent seems to work very nicely irrespective of the firewall.)
#mcedit /etc/shorewall/rules
add the following line (columns are ACTION, SOURCE, DEST, PROTO, DEST PORT(S); this opens the BitTorrent listening ports on the firewall host only):
ACCEPT net fw tcp 6881:6889
Allow connections to port 22 (ssh) on the firewall machine from one specific IP address (great for remote administration; 123.234.123.234 is a placeholder, substitute the address you administer from). Without such a rule, new ssh connections from the internet are dropped by the 'net all DROP' policy:
ACCEPT net:123.234.123.234 fw tcp 22
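The following bash script is an added example and is not part of the original NewbieDOC page: it assembles the five configuration files from sections 2 and 3 (zones, interfaces, policy, masq, rules) into a directory and runs an offline consistency check of the kind you want before "Check your configuration" above, so a typo in a zone name or a policy line added after the catch-all is caught before the firewall is loaded. It assumes eth0 is the dhcp-configured internet interface, eth1 the LAN interface with broadcast 192.168.0.255, and 123.234.123.234 a placeholder admin address; the column headers are the ones used in Shorewall 3.x sample files. It writes to a temporary directory so it can be run as an ordinary user; on the firewall you would pass /etc/shorewall as the directory and then run shorewall check before shorewall start.

```shell
#!/bin/bash
# Added example (not from the original NewbieDOC page): generate the Shorewall 3.x
# configuration described in sections 2 and 3 and sanity-check it offline.
# Assumptions: WAN interface eth0 (dhcp), LAN interface eth1 with broadcast
# 192.168.0.255, admin host 123.234.123.234 as a placeholder. The target
# directory is a temp dir so this runs without root; on the firewall you would
# pass /etc/shorewall and then run "shorewall check" before "shorewall start".
set -eu

# write_shorewall_config DIR WAN_IF LAN_IF LAN_BROADCAST ADMIN_IP
write_shorewall_config() {
    local dir=$1 wan=$2 lan=$3 bcast=$4 admin=$5
    mkdir -p "$dir"

    # zones: the firewall itself plus one IPv4 zone per interface
    cat >"$dir/zones" <<EOF
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
EOF

    # detect = find the broadcast address at start time; dhcp = allow DHCP on $wan
    cat >"$dir/interfaces" <<EOF
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     $wan        detect      dhcp
loc     $lan        $bcast
EOF

    # first match wins, so the catch-all REJECT must stay last
    cat >"$dir/policy" <<EOF
#SOURCE DEST    POLICY
loc     all     ACCEPT
fw      all     ACCEPT
net     all     DROP
all     all     REJECT
EOF

    # rewrite the source address of traffic from $lan that leaves via $wan
    cat >"$dir/masq" <<EOF
#INTERFACE  SUBNET
$wan        $lan
EOF

    # BitTorrent to the firewall host itself; ssh only from the admin host
    cat >"$dir/rules" <<EOF
#ACTION SOURCE          DEST    PROTO   DEST PORT(S)
ACCEPT  net             fw      tcp     6881:6889
ACCEPT  net:$admin      fw      tcp     22
EOF
}

# col FILE N: column N of every non-comment line of FILE
col() { sed 's/#.*//' "$1" | awk -v n="$2" 'NF >= n { print $n }'; }

# check_config DIR: succeed only if every zone used in interfaces, policy and
# rules is declared in zones, and the all/all catch-all is the last policy line
check_config() {
    local dir=$1 zones z last rc=0
    zones=$(col "$dir/zones" 1)
    for z in $(col "$dir/interfaces" 1) \
             $(col "$dir/policy" 1) $(col "$dir/policy" 2) \
             $(col "$dir/rules" 2 | sed 's/:.*//') $(col "$dir/rules" 3); do
        [ "$z" = all ] && continue
        echo "$zones" | grep -qx "$z" || { echo "undeclared zone: $z" >&2; rc=1; }
    done
    last=$(sed 's/#.*//' "$dir/policy" | awk 'NF { l = $1 " " $2 } END { print l }')
    [ "$last" = "all all" ] || { echo "policy catch-all 'all all' must be last" >&2; rc=1; }
    return $rc
}

# Usage: write the files to a temp dir and check them
demo_dir=$(mktemp -d)
write_shorewall_config "$demo_dir" eth0 eth1 192.168.0.255 123.234.123.234
check_config "$demo_dir" && echo "config in $demo_dir is consistent"
```

The check is deliberately narrow: it only catches the two mistakes this setup makes easy (a zone name used in one file but not declared in zones, and a policy entry pasted below the 'all all REJECT' line where it can never match). Shorewall's own shorewall check validates the full syntax, but it has to run as root on the firewall, whereas this script can be run wherever you edit the files.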
--amp77 12:30, 23 September 2006 (BST)
This document has been released by the author under a Free license (which should be indicated beneath this notice). You may use it freely according to its particular license.
Free Software License: Either GNU FDL or GNU GPL at your choice.