| 1 |
fox2mike 05/07/27 21:03:55 |
| 2 |
|
| 3 |
Added: xml/htdocs/doc/en/articles linux-24-stateful-fw-design.xml |
| 4 |
Log: |
| 5 |
#99028 - Stateful firewall design, Initial Version. rane will surely stop crying now ;) |
| 6 |
|
| 7 |
Revision Changes Path |
| 8 |
1.1 xml/htdocs/doc/en/articles/linux-24-stateful-fw-design.xml |
| 9 |
|
| 10 |
file : http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/articles/linux-24-stateful-fw-design.xml?rev=1.1&content-type=text/x-cvsweb-markup&cvsroot=gentoo |
| 11 |
plain: http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/articles/linux-24-stateful-fw-design.xml?rev=1.1&content-type=text/plain&cvsroot=gentoo |
| 12 |
|
| 13 |
Index: linux-24-stateful-fw-design.xml |
| 14 |
=================================================================== |
| 15 |
<?xml version='1.0' encoding="UTF-8"?> |
| 16 |
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/articles/linux-24-stateful-fw-design.xml,v 1.1 2005/07/27 21:03:55 fox2mike Exp $ --> |
| 17 |
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> |
| 18 |
|
| 19 |
<guide link="/doc/en/articles/linux-24-stateful-fw-design.xml"> |
| 20 |
<title>Linux 2.4 stateful firewall design</title> |
| 21 |
|
| 22 |
<author title="Author"> |
| 23 |
<mail link="drobbins@g.o">Daniel Robbins</mail> |
| 24 |
</author> |
| 25 |
<author title="Editor"> |
| 26 |
<mail link="rane@××××××.pl">Łukasz Damentko</mail> |
| 27 |
</author> |
| 28 |
|
| 29 |
<abstract> |
| 30 |
This tutorial shows you how to use netfilter to set up a powerful Linux stateful |
| 31 |
firewall. |
| 32 |
</abstract> |
| 33 |
|
| 34 |
<!-- The original version of this article was published on IBM developerWorks, |
| 35 |
and is property of Westtech Information Services. This document is an updated |
| 36 |
version of the original article, and contains various improvements made by the |
| 37 |
Gentoo Linux Documentation team --> |
| 38 |
|
| 39 |
<version>1.0</version> |
| 40 |
<date>2005-07-28</date> |
| 41 |
|
| 42 |
<chapter> |
| 43 |
<title>About this tutorial</title> |
| 44 |
<section> |
| 45 |
<title>Should I take this tutorial?</title> |
| 46 |
<body> |
| 47 |
|
| 48 |
<note> |
| 49 |
The original version of this article was published on IBM developerWorks, and |
| 50 |
is property of Westtech Information Services. This document is an updated |
| 51 |
version of the original article, and contains various improvements made by the |
| 52 |
Gentoo Linux Documentation team. |
| 53 |
</note> |
| 54 |
|
| 55 |
<p> |
| 56 |
This tutorial shows you how to use netfilter to set up a powerful Linux stateful |
| 57 |
firewall. All you need is an existing Linux system that's currently using a |
| 58 |
Linux 2.4 kernel. A laptop, workstation, router or server with a Linux 2.4 |
| 59 |
kernel will do. |
| 60 |
</p> |
| 61 |
|
| 62 |
<p> |
| 63 |
You should be reasonably familiar with standard network terminology like IP |
| 64 |
addresses, source and destination port numbers, TCP, UDP and ICMP, etc. By the |
| 65 |
end of the tutorial, you'll understand how Linux stateful firewalls are put |
| 66 |
together and you'll have several example configurations to use in your own |
| 67 |
projects. |
| 68 |
</p> |
| 69 |
|
| 70 |
</body> |
| 71 |
</section> |
| 72 |
<section> |
| 73 |
<title>About the author</title> |
| 74 |
<body> |
| 75 |
|
| 76 |
<p> |
| 77 |
For technical questions about the content of this tutorial, contact the author, |
| 78 |
Daniel Robbins, at <mail link="drobbins@g.o">drobbins@g.o</mail>. |
| 79 |
</p> |
| 80 |
|
| 81 |
<p> |
| 82 |
Residing in Albuquerque, New Mexico, Daniel Robbins was the President/CEO of |
| 83 |
Gentoo Technologies, Inc., the creator of Gentoo Linux, an advanced Linux for |
| 84 |
the PC, and the Portage system, a next-generation ports system for Linux. He has |
| 85 |
also served as a contributing author for the Macmillan books Caldera OpenLinux |
| 86 |
Unleashed, SuSE Linux Unleashed, and Samba Unleashed. Daniel has been involved |
| 87 |
with computers in some fashion since the second grade, when he was first exposed |
| 88 |
to the Logo programming language as well as a potentially dangerous dose of Pac |
| 89 |
Man. This probably explains why he has since served as a Lead Graphic Artist at |
| 90 |
SONY Electronic Publishing/Psygnosis. Daniel enjoys spending time with his wife, |
| 91 |
Mary, and his new baby daughter, Hadassah. |
| 92 |
</p> |
| 93 |
|
| 94 |
</body> |
| 95 |
</section> |
| 96 |
</chapter> |
| 97 |
|
| 98 |
<chapter> |
| 99 |
<title>First steps</title> |
| 100 |
<section> |
| 101 |
<title>Defining our goal</title> |
| 102 |
<body> |
| 103 |
|
| 104 |
<p> |
| 105 |
In this tutorial, we're going to put together a Linux stateful firewall. Our |
| 106 |
firewall is going to run on a Linux laptop, workstation, server, or router; its |
| 107 |
primary goal is to allow only certain types of network traffic to pass through. |
| 108 |
To increase security, we're going to configure the firewall to drop or reject |
| 109 |
traffic that we're not interested in, as well as traffic that could pose a |
| 110 |
security threat. |
| 111 |
</p> |
| 112 |
|
| 113 |
</body> |
| 114 |
</section> |
| 115 |
<section> |
| 116 |
<title>Getting the tools</title> |
| 117 |
<body> |
| 118 |
|
| 119 |
<p> |
| 120 |
Before we start designing a firewall, we need to do two things. First, we need |
| 121 |
to make sure that the <c>iptables</c> command is available. As root, type |
| 122 |
<c>iptables</c> and see if it exists. If it doesn't, then we'll need to get it |
| 123 |
installed first. Here's how: head over to the netfilter/iptables project page |
| 124 |
(<uri>http://www.netfilter.org/</uri>) and grab the most recent version of |
| 125 |
<path>iptables.tar.gz</path> (currently <path>iptables-1.1.2.tar.gz</path>) you |
| 126 |
can find. Then, install it by typing in the following commands (output omitted |
| 127 |
for brevity): |
| 128 |
</p> |
| 129 |
|
| 130 |
<pre caption="Installing necessary tools"> |
| 131 |
# <i>tar xzvf iptables-1.1.2.tar.gz</i> |
| 132 |
# <i>cd iptables-1.1.2</i> |
| 133 |
# <i>make</i> |
| 134 |
# <i>make install</i> |
| 135 |
</pre> |
| 136 |
|
| 137 |
</body> |
| 138 |
</section> |
| 139 |
<section> |
| 140 |
<title>Kernel configuration</title> |
| 141 |
<body> |
| 142 |
|
| 143 |
<p> |
| 144 |
Once installed, you should have an <c>iptables</c> command available for use, as |
| 145 |
well as the handy iptables man page (<c>man iptables</c>). Great; now all we |
| 146 |
need is to make sure that we have the necessary functionality built into the |
| 147 |
kernel. This tutorial assumes that you compile your own kernels. Head over to |
| 148 |
<path>/usr/src/linux</path>, and type <c>make menuconfig</c> or <c>make |
| 149 |
xconfig</c>; we're going to enable some kernel network functionality. |
| 150 |
</p> |
| 151 |
|
| 152 |
<p> |
| 153 |
Under the "Networking options" section, make sure that you enable at least the |
| 154 |
following options: |
| 155 |
</p> |
| 156 |
|
| 157 |
<pre caption="Necessary kernel options"> |
| 158 |
<*> Packet socket |
| 159 |
[*] Network packet filtering (replaces ipchains) |
| 160 |
<*> Unix domain sockets |
| 161 |
[*] TCP/IP networking |
| 162 |
[*] IP: advanced router |
| 163 |
[*] IP: policy routing |
| 164 |
[*] IP: use netfilter MARK value as routing key |
| 165 |
[*] IP: fast network address translation |
| 166 |
[*] IP: use TOS value as routing key |
| 167 |
</pre> |
| 168 |
|
| 169 |
<p> |
| 170 |
Then, under the "IP: Netfilter Configuration ->" menu, enable every option so |
| 171 |
that we'll have full netfilter functionality. We won't use all the netfilter |
| 172 |
features, but it's good to enable them so that you can do some experimentation |
| 173 |
later on. |
| 174 |
</p> |
| 175 |
|
| 176 |
<p> |
| 177 |
There's one networking option under the "Networking options" category that you |
| 178 |
<e>shouldn't</e> enable: explicit congestion notification. Leave this option |
| 179 |
disabled: |
| 180 |
</p> |
| 181 |
|
| 182 |
<pre caption="Option we have to disable"> |
| 183 |
[ ] IP: TCP Explicit Congestion Notification support |
| 184 |
</pre> |
| 185 |
|
| 186 |
<p> |
| 187 |
If this option is enabled, your Linux machine won't be able to carry on network |
| 188 |
communications with 8% of the Internet. When ECN is enabled, some packets that |
| 189 |
your Linux box sends out will have the ECN bit set; however, this bit freaks out |
| 190 |
a number of Internet routers, so it's very important that ECN is disabled. |
| 191 |
</p> |
| 192 |
|
| 193 |
<p> |
| 194 |
OK, now that the kernel's configured correctly for our needs, compile a new one, |
| 195 |
install it, and reboot. Time to start playing with netfilter :) |
| 196 |
</p> |
| 197 |
|
| 198 |
</body> |
| 199 |
</section> |
| 200 |
<section> |
| 201 |
<title>Firewall design basics</title> |
| 202 |
<body> |
| 203 |
|
| 204 |
<p> |
| 205 |
In putting together our firewall, the <c>iptables</c> command is our friend. |
| 206 |
It's what we use to interact with the network packet filtering rules in the |
| 207 |
kernel. We'll use the <c>iptables</c> command to create new rules, list |
| 208 |
existing rules, flush rules, and set default packet handling policies. This |
| 209 |
means that to create our firewall, we're going to enter a series of iptables |
| 210 |
commands, and here's the first one we're going to take a look at (please don't |
| 211 |
type this in just yet!)... |
| 212 |
</p> |
| 213 |
|
| 214 |
|
| 215 |
|
| 216 |
|
| 217 |
-- |
| 218 |
gentoo-doc-cvs@g.o mailing list |
Archives