fox2mike 05/07/27 21:03:55

Added: xml/htdocs/doc/en/articles linux-24-stateful-fw-design.xml
Log:
#99028 - Stateful firewall design, Initial Version. rane will surely stop crying now ;)

Revision Changes Path
1.1 xml/htdocs/doc/en/articles/linux-24-stateful-fw-design.xml

file : http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/articles/linux-24-stateful-fw-design.xml?rev=1.1&content-type=text/x-cvsweb-markup&cvsroot=gentoo
plain: http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/articles/linux-24-stateful-fw-design.xml?rev=1.1&content-type=text/plain&cvsroot=gentoo

Index: linux-24-stateful-fw-design.xml
===================================================================
<?xml version='1.0' encoding="UTF-8"?>
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/articles/linux-24-stateful-fw-design.xml,v 1.1 2005/07/27 21:03:55 fox2mike Exp $ -->
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">

<guide link="/doc/en/articles/linux-24-stateful-fw-design.xml">
<title>Linux 2.4 stateful firewall design</title>

<author title="Author">
<mail link="drobbins@g.o">Daniel Robbins</mail>
</author>
<author title="Editor">
<mail link="rane@××××××.pl">Łukasz Damentko</mail>
</author>

<abstract>
This tutorial shows you how to use netfilter to set up a powerful Linux stateful
firewall.
</abstract>

<!-- The original version of this article was published on IBM developerWorks,
and is property of Westtech Information Services. This document is an updated
version of the original article, and contains various improvements made by the
Gentoo Linux Documentation team -->

<version>1.0</version>
<date>2005-07-28</date>

<chapter>
<title>About this tutorial</title>
<section>
<title>Should I take this tutorial?</title>
<body>

<note>
The original version of this article was published on IBM developerWorks, and
is property of Westtech Information Services. This document is an updated
version of the original article, and contains various improvements made by the
Gentoo Linux Documentation team.
</note>

<p>
This tutorial shows you how to use netfilter to set up a powerful Linux stateful
firewall. All you need is an existing Linux system that's currently using a
Linux 2.4 kernel. A laptop, workstation, router or server with a Linux 2.4
kernel will do.
</p>

<p>
You should be reasonably familiar with standard network terminology such as IP
addresses, source and destination port numbers, and the TCP, UDP and ICMP
protocols. By the end of the tutorial, you'll understand how Linux stateful
firewalls are put together and you'll have several example configurations to
use in your own projects.
</p>

</body>
</section>
<section>
<title>About the author</title>
<body>

<p>
For technical questions about the content of this tutorial, contact the author,
Daniel Robbins, at <mail link="drobbins@g.o">drobbins@g.o</mail>.
</p>

<p>
Residing in Albuquerque, New Mexico, Daniel Robbins was the President/CEO of
Gentoo Technologies, Inc., the creator of Gentoo Linux, an advanced Linux for
the PC, and the Portage system, a next-generation ports system for Linux. He has
also served as a contributing author for the Macmillan books Caldera OpenLinux
Unleashed, SuSE Linux Unleashed, and Samba Unleashed. Daniel has been involved
with computers in some fashion since the second grade, when he was first exposed
to the Logo programming language as well as a potentially dangerous dose of Pac
Man. This probably explains why he has since served as a Lead Graphic Artist at
SONY Electronic Publishing/Psygnosis. Daniel enjoys spending time with his wife,
Mary, and his new baby daughter, Hadassah.
</p>

</body>
</section>
</chapter>

<chapter>
<title>First steps</title>
<section>
<title>Defining our goal</title>
<body>

<p>
In this tutorial, we're going to put together a Linux stateful firewall. Our
firewall is going to run on a Linux laptop, workstation, server, or router; its
primary goal is to allow only certain types of network traffic to pass through.
To increase security, we're going to configure the firewall to drop or reject
traffic that we're not interested in, as well as traffic that could pose a
security threat.
</p>

</body>
</section>
<section>
<title>Getting the tools</title>
<body>

<p>
Before we start designing a firewall, we need to do two things. First, we need
to make sure that the <c>iptables</c> command is available. As root, type
<c>iptables</c> and see if it exists. If it doesn't, then we'll need to get it
installed first. Here's how: head over to the netfilter/iptables project page
(<uri>http://www.netfilter.org/</uri>) and grab the most recent release of
<path>iptables.tar.gz</path> you can find (<path>iptables-1.1.2.tar.gz</path>
was the current release when the original article was written; substitute the
version number of whatever you download in the commands below). Then, install
it by typing in the following commands (output omitted for brevity):
</p>

<pre caption="Installing necessary tools">
# <i>tar xzvf iptables-1.1.2.tar.gz</i>
# <i>cd iptables-1.1.2</i>
# <i>make</i>
# <i>make install</i>
</pre>

</body>
</section>
<section>
<title>Kernel configuration</title>
<body>

<p>
Once installed, you should have an <c>iptables</c> command available for use, as
well as the handy iptables man page (<c>man iptables</c>). Great; now all we
need is to make sure that we have the necessary functionality built into the
kernel. This tutorial assumes that you compile your own kernels. Head over to
<path>/usr/src/linux</path>, and type <c>make menuconfig</c> or <c>make
xconfig</c>; we're going to enable some kernel network functionality.
</p>

<p>
Under the "Networking options" section, make sure that you enable at least the
following options:
</p>

<pre caption="Necessary kernel options">
&lt;*&gt; Packet socket
[*] Network packet filtering (replaces ipchains)
&lt;*&gt; Unix domain sockets
[*] TCP/IP networking
[*] IP: advanced router
[*] IP: policy routing
[*] IP: use netfilter MARK value as routing key
[*] IP: fast network address translation
[*] IP: use TOS value as routing key
</pre>

<p>
Then, under the "IP: Netfilter Configuration ->" menu, enable every option so
that we'll have full netfilter functionality. We won't use all the netfilter
features, but it's good to enable them so that you can do some experimentation
later on. The ones a stateful firewall actually depends on are connection
tracking, IP tables support, the connection state match, packet filtering, and
the REJECT and LOG targets; if you leave anything out, make sure it isn't one
of those.
</p>

<p>
There's one networking option under the "Networking options" category that you
<e>shouldn't</e> enable: explicit congestion notification. Leave this option
disabled:
</p>

<pre caption="Option we have to disable">
[ ] IP: TCP Explicit Congestion Notification support
</pre>

<p>
If this option is enabled, your Linux machine won't be able to carry on network
communications with a noticeable slice of the Internet (about 8% of hosts at
the time the original article was written). With ECN enabled, the TCP SYN
packets your Linux box sends out carry the ECN flags (ECE and CWR) in the TCP
header. A number of older routers and firewalls treat those formerly reserved
flags as invalid and drop or reset the packet, so the connection attempt never
completes and simply times out. If you have already built a kernel with ECN
support, the feature can also be switched off at runtime by writing 0 to
<path>/proc/sys/net/ipv4/tcp_ecn</path>, but leaving it out of the kernel is
the simplest fix.
</p>

<p>
OK, now that the kernel's configured correctly for our needs, compile a new one,
install it, and reboot. Time to start playing with netfilter :)
</p>

</body>
</section>
<section>
<title>Firewall design basics</title>
<body>

<p>
In putting together our firewall, the <c>iptables</c> command is our friend.
It's what we use to interact with the network packet filtering rules in the
kernel. We'll use the <c>iptables</c> command to create new rules, list
existing rules, flush rules, and set default packet handling policies. This
means that to create our firewall, we're going to enter a series of iptables
commands, and here's the first one we're going to take a look at (please don't
type this in just yet!)...
</p>
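<p>
To show where that series of commands is heading, here is the skeleton of a
stateful firewall written as a shell script. It is an added example, not code
from the original article or from the Gentoo documentation team: it assumes a
2.4 kernel built with the netfilter options above (connection tracking, IP
tables support, the state match and the REJECT target) and an installed
<c>iptables</c> binary, and the <c>TCP_SERVICES</c> port list is an assumption
you should replace with the services your host really offers. The script
prints the rules by default and only loads them when told to, so the ruleset
can be reviewed before it touches the kernel.
</p>

```shell
#!/bin/sh
# Added example, not from the original article: the skeleton of the stateful
# firewall this tutorial builds, expressed as the iptables commands it issues.
# Assumes a 2.4 kernel with the netfilter options above (connection tracking,
# IP tables, state match, REJECT target) and an installed iptables binary.
# TCP_SERVICES is an assumption; list the ports your host actually serves.

IPT=${IPT:-iptables}
TCP_SERVICES=${TCP_SERVICES:-22}   # inbound TCP ports to accept (space-separated)

# Print the ruleset, one iptables command per line, so it can be reviewed
# or diffed before anything touches the kernel.
emit_rules() {
    # Start from a clean slate: flush all rules, delete user-defined chains.
    echo "$IPT -F"
    echo "$IPT -X"
    # Default policies: deny inbound and forwarded traffic, allow outbound.
    echo "$IPT -P INPUT DROP"
    echo "$IPT -P FORWARD DROP"
    echo "$IPT -P OUTPUT ACCEPT"
    # Loopback is trusted.
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    # The stateful core: packets belonging to a connection we started, or
    # related to one (FTP data, ICMP errors), are accepted; packets the
    # connection tracker cannot classify at all are dropped outright.
    echo "$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -A INPUT -m state --state INVALID -j DROP"
    # Let the host be pinged.
    echo "$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT"
    # Only NEW connections to the services we offer are allowed in.
    for port in $TCP_SERVICES; do
        echo "$IPT -A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Everything else is rejected rather than silently dropped, so legitimate
    # clients fail fast instead of hanging until they time out.
    echo "$IPT -A INPUT -p tcp -j REJECT --reject-with tcp-reset"
    echo "$IPT -A INPUT -j REJECT --reject-with icmp-port-unreachable"
}

# Number of commands the skeleton produces, handy as a sanity check.
rule_count() {
    emit_rules | wc -l | tr -d ' '
}

# Load the ruleset into the kernel (needs root). sh -e stops at the first
# failing command so a typo does not leave a half-applied firewall behind.
apply_rules() {
    emit_rules | sh -e
}

# "sh stateful-fw.sh" prints the rules; "sh stateful-fw.sh apply" loads them.
case "${1:-print}" in
    apply) apply_rules ;;
    print) emit_rules ;;
esac
```

<p>
Two caveats when applying it. Run it from the console rather than over the
network if you can: between <c>-P INPUT DROP</c> and the ESTABLISHED,RELATED
rule there is a brief window in which an existing SSH session's packets are
dropped (TCP retransmission normally covers it, but a failure in between
leaves you locked out). And because the state match is what makes the
firewall stateful, if the kernel was built without connection tracking the
<c>-m state</c> commands fail and <c>sh -e</c> stops before the default
policies are undone, which is the safe direction to fail in.
</p>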

--
gentoo-doc-cvs@g.o mailing list