[LUNI] IPTables Firewall
Fhealy at aol.com
Sat Jun 7 12:32:53 CDT 2003
I had sent a message to this list about a month ago about using IPTables on Redhat 9 and I thought I would let you know what happened. Thanks for the help from all who responded.

I volunteer at my kids' school (St. Dominic in Bolingbrook) and I manage a dual homed Linux server that provides Internet connectivity from a cable modem to the internal network. Back with RedHat 6.2 I put together an addition to rc.local that would add IP forwarding to RedHat's IPChains firewall script. This transferred well when I upgraded to RedHat 7.3 and I have been using this setup for about two years. I have kept up with patches on the RedHat Network and have never had a compromise. (I've also used this setup a few other places.) It's been really reliable and I had this (quick and dirty) process down to where I could build a server like this in about 10 minutes over the base RedHat install.

This spring I got a donation of a nice Pentium III system and decided to upgrade to RedHat 9 (after some experimentation with Debian). Unfortunately, the new kernel they use only supports IPTables, though using IPChains is possible if you add a kernel module. Also unfortunately, most of the "quick and dirty" documentation for this type of setup doesn't address IPTables yet. RedHat's setup also locks the IPTables setup so that if you are playing with commands testing the setup, nothing happens (I found this out by searching the configuration files).

So here is my new setup that I have tested on both RedHat 8 and Redhat 9: The system is built as dual homed (eth0 is external on DHCP and eth1 is internal as 192.268.1.1). To make life easy, I use different net cards for each interface (usually a 3Com and an Intel Pro100). I used the RedHat default firewall setup to allow the system to get an IP address by DHCP on the external interface, allow port 80 for Apache, and allow eth1 as the trusted interface. I shut down all unneeded services and set the hosts.allow file to none (as I don't use remote access).
After setup, install DHCPD to provide services to the internal network and create the appropriate configuration file, remembering to specify the external network's DNS servers. I also use SQUID with a filtering setup.

Add the following lines to rc.local:

    # unlock IPTables (RedHat's init script refuses to touch the rules while this lock file exists)
    rm -f /var/lock/subsys/iptables
    # enable masquerade and forwarding
    iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
    iptables --append FORWARD --in-interface eth1 -j ACCEPT
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # for dynamic IP on external interface
    echo 1 > /proc/sys/net/ipv4/ip_dynaddr
    # add denial of service protection
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    # turn on source address verification
    echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter
    # add route for ethernet cards serving DHCP clients
    /sbin/route add -host 255.255.255.255 dev eth1
    # turn on DHCP for the internal network
    /usr/sbin/dhcpd eth1

After a reboot this system works well. I have scanned this setup with NMAP and Nessus from both inside and outside. The external interface shows only the one TCP port OPEN (80) with UDP accepted on ports 67/68 to allow it to get an IP address. Once patched, Nessus shows no vulnerabilities.
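The rc.local lines above lean on RedHat's default chain policies; the script below is an added example (not the original poster's script) that expresses the same dual-homed gateway as an explicit default-deny ruleset: drop on INPUT and FORWARD, allow established and related flows back in, only accept LAN-sourced traffic on the internal interface, and masquerade behind the external address. The interface names, the 192.168.1.0/24 prefix and the DRY_RUN switch are assumptions for the example.

```shell
#!/bin/sh
# Added example: stateful iptables ruleset for a dual-homed cable-modem gateway.
# EXT, INT and LAN are assumed values; override them in the environment.
EXT=${EXT:-eth0}          # external interface (DHCP from the cable modem)
INT=${INT:-eth1}          # internal, trusted interface
LAN=${LAN:-192.168.1.0/24} # internal network prefix (assumed)

# ipt: with DRY_RUN=1 print the command instead of applying it, so the
# ruleset can be reviewed (or tested) on a box without root or iptables.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

gateway_rules() {
    # Start clean and deny by default on inbound and forwarded traffic.
    ipt -F; ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # Loopback, plus replies to connections the gateway or LAN hosts opened.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Trust the internal interface only for packets that carry a LAN source.
    ipt -A INPUT -i "$INT" -s "$LAN" -j ACCEPT
    ipt -A FORWARD -i "$INT" -o "$EXT" -s "$LAN" -m state --state NEW -j ACCEPT
    # A LAN source address arriving on the external side is spoofed: drop it.
    ipt -A INPUT -i "$EXT" -s "$LAN" -j DROP
    # Exposed services: Apache on 80, and DHCP server-to-client replies (67 -> 68).
    ipt -A INPUT -i "$EXT" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$EXT" -p udp --sport 67 --dport 68 -j ACCEPT
    # Hide the LAN behind whatever dynamic address the external interface holds.
    ipt -t nat -A POSTROUTING -o "$EXT" -s "$LAN" -j MASQUERADE
}

# count_rules: number of iptables commands a dry run emits (handy for review).
count_rules() { DRY_RUN=1 gateway_rules | grep -c '^iptables'; }

# Apply for real only when invoked as: sh gateway.sh apply
if [ "${1:-}" = "apply" ]; then gateway_rules; fi
```

Run with DRY_RUN=1 first and compare the printed commands against the rc.local lines above; the ESTABLISHED,RELATED rules are what let return traffic through once the FORWARD policy is DROP rather than RedHat's default ACCEPT.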