11. Arno's Iptables Firewall

We are now going to look at how to install a more powerful and professional firewall called AIF (Arno's Iptables Firewall).
It is considerably more sophisticated than the one we have been discussing so far.
We will cover how to install the firewall and how to configure it.

We get the .deb file (to install it on Debian or any other Debian-based distribution) here.
You can also install the package from Synaptic, but here you can find a more recent version.

We install the package and it will ask us questions, such as which devices are internal and external and which ports we want to leave open.
If we do not enter the right answers, they can be corrected later when we go through the configuration files.

In my case the firewall is installed on a proxy server/NAT/PAT box that sits behind a router and in front of a web server.

We edit the main configuration file with

sudo gedit /etc/arno-iptables-firewall/firewall.conf

It is well worth reading this file carefully before making any changes.
In fact, it is better to make the changes in a separate file, which we can open with:

sudo gedit /etc/arno-iptables-firewall/conf.d/00debconf.conf

The contents of the 00debconf.conf file in my case are:


-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

# The external interface
EXT_IF="eth0"
# Enable if THIS machine (dynamically) obtains its IP through (IPv4) DHCP
EXT_IF_DHCP_IP=0

# Specify here your internal network (LAN) interface(s)
INT_IF="eth1"
# Specify here the internal IPv4 subnet(s)
INTERNAL_NET="192.168.2.0/24"

# Enable this if you want to perform NAT (masquerading) for your internal network (LAN)
NAT=1
# (EXPERT SETTING!) In case you would like to use SNAT instead of MASQUERADE: the static external IP to SNAT to
NAT_STATIC_IP="192.168.1.19"
# NAT TCP/UDP/IP forwards.
NAT_FORWARD_TCP="80>192.168.2.12"

# Block outbound connections to port 25 (SMTP) so that our server cannot be used to send spam:
LAN_INET_DENY_TCP="25"


-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

To disable the firewall we run:

sudo /usr/sbin/arno-iptables-firewall stop

and to enable it again we run:

sudo /usr/sbin/arno-iptables-firewall start

For other, more complex configurations I include an excerpt from the README file and from the FAQ section:



README file

An explanation of the files in the package

/etc/arno-iptables-firewall/firewall.conf :
        The configuration file used for Arno's iptables firewall script.  Normally you should put it in /etc/arno-iptables-firewall/. Make sure
        root is owner/group (with "chown 0:0").

/etc/arno-iptables-firewall/conf.d/ :
        Put any (override) configuration files in this directory. Any files here with a .conf extension(!) will be sourced AFTER the main firewall.conf
        file has been read.



# START FIREWALL BEFORE ADSL


1) If possible, try to start the firewall before you enable your (ADSL) internet
   connection.

# INCOMING TRAFFIC BLOCKED BY DEFAULT


3) I get a lot of emails from people complaining that their webserver etc.
   stopped working after installing my firewall. This is the CORRECT
   behaviour for a firewall: BLOCKING ALL incoming traffic by default!
   Configure e.g. your OPEN_TCP accordingly!

# OPENING AND FORWARDING PORTS

5) For configuration variables/rules which are related to the external (internet) interface one can restrict the interface(s) to which they are
   applied by adding either "{interface1,interface2,...}#" or "{interface_ip1,interface_ip2}#" at the beginning of the rule. The latter
   is especially handy for aliased interfaces.
   Example 1: OPEN_TCP="eth0#22", would only open TCP port 22 (SSH) for
              interface eth0
   Example 2: OPEN_TCP="1.2.3.4#22", would only open TCP port 22 (SSH) for
              interface which has the IP 1.2.3.4

   This feature can also be used to enable NAT port forwarding for certain (external) interfaces. Examples:
   Example 1: NAT_FORWARD_TCP="eth0#0/0~22>{internal_host}" means:
              - Forwards TCP port 22;
              - Forward is available for the whole world (0/0);
              - Forward is applied to eth0 only;
              - {internal_host} is the host the port should be forwarded to.
   Example 2: NAT_FORWARD_TCP="1.2.3.4#0/0~80>{internal_host}" means:
              - Forwards TCP port 80;
              - Forward is available for the whole world (0/0);
              - Forward is applied to the (external) (aliased) interface with
                IP 1.2.3.4;
              - {internal_host} is the host the port should be forwarded to.

# PORT RANGES

6) Port ranges should be written as port_start:port_end, e.g. "137:139" would
   select ports 137, 138 and 139.


SELECTED FAQ

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

# PACKAGE TO INSTALL (bind9utils)

Q: When I turn on host resolving, I get an error saying that 'dig' cannot be found.
A: You must install the bind-utilities (package), which contains the 'dig' utility.


-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

# PROXY WITH FIREWALL

Q: (How) can I use a proxy with your firewall then?
A: Yes, you can. You should use the $PROXY_PORT variable for this. You should set this variable to the value of the port your proxy is listening on. Note that the proxy should run on the gateway itself!



-------------------------------------------------------------------------------------------
IMPORTANT / FORWARDING PORTS / DNAT
-------------------------------------------------------------------------------------------

# FORWARD PORTS WITH DIFFERENT NUMBERS

Q: I want to forward (DNAT) from port 81 on my firewall machine to port 80 on a local host (192.168.0.3). How can I do this?
A: You can do this in almost the same way as a normal forward; the only thing you need to add is :81 to the destination host in the TCP_FORWARD / UDP_FORWARD variables. In this case it would become "81>192.168.0.3:80"

# FORWARDING CERTAIN (RANGES OF) PORTS TO CERTAIN MACHINES

Q: How can I forward port 21 and 25 to 192.168.0.5 and forward port 5000-5010 to 192.168.0.6?
A: Use NAT_FORWARD_TCP and/or NAT_FORWARD_UDP variable(s) in this way:
NAT_FORWARD_TCP="21,25>192.168.0.5 5000:5010>192.168.0.6"
NAT_FORWARD_UDP="21,25>192.168.0.5 5000:5010>192.168.0.6"

# RESTRICT ENTRANCE TO PORTS

Q: How can I restrict the access of certain forwarded ports? I only want to allow IP's 1.2.3.4 and 5.6.7.8 for the forwarded HTTP (port 80) service.
A: Enter the allowed source IP address(es) in front of a forward specification. Example:
NAT_FORWARD_TCP="1.2.3.4,5.6.7.8~80>192.168.0.5"
NAT_FORWARD_UDP="1.2.3.4,5.6.7.8~80>192.168.0.5"
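The forward syntax spelled out in README item 5 and in the three forwarding FAQ entries above ([ifaces#][sources~]ports>host[:port], several specifications separated by whitespace) is compact enough to mis-type, and a wrong rule silently exposes the wrong host. The following parser is an added example, not code from the firewall script or its author: it validates a NAT_FORWARD_TCP/UDP value and renders an equivalent iptables DNAT command for each specification. The rendered command is my own equivalent for illustration (AIF builds its own rules internally), and the rule that an entry before "#" starting with a digit is an IP address while anything else is an interface name is an assumption of this example.

```python
"""Added example: parser for NAT_FORWARD_TCP / NAT_FORWARD_UDP specifications.

Grammar, as described in the README and FAQ excerpts:
    [ifaces#][sources~]ports>host[:port]
Several specifications are separated by whitespace.
The iptables rendering is an equivalent DNAT rule for illustration only,
not what the firewall script itself generates.
"""

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Forward:
    proto: str                     # "tcp" or "udp"
    ports: List[str]               # single ports ("80") or ranges ("5000:5010")
    host: str                      # internal destination host
    to_port: Optional[str] = None  # rewritten destination port ("81>host:80")
    ifaces: List[str] = field(default_factory=list)   # only these interfaces
    ext_ips: List[str] = field(default_factory=list)  # only these (aliased) external IPs
    sources: List[str] = field(default_factory=lambda: ["0/0"])  # allowed sources


def parse_port(spec: str) -> str:
    """Accept a port ("22") or a start:end range ("137:139"); reject anything else."""
    parts = spec.split(":")
    if len(parts) > 2 or not all(p.isdigit() and 0 < int(p) <= 65535 for p in parts):
        raise ValueError(f"bad port specification: {spec!r}")
    if len(parts) == 2 and int(parts[0]) > int(parts[1]):
        raise ValueError(f"range start after end: {spec!r}")
    return spec


def parse_forward(spec: str, proto: str) -> Forward:
    """Parse one specification such as 'eth0#0/0~22>10.0.0.2'."""
    rest = spec
    ifaces: List[str] = []
    ext_ips: List[str] = []
    if "#" in rest:
        prefix, rest = rest.split("#", 1)
        for item in prefix.split(","):
            # Assumption: an entry starting with a digit is an IP, otherwise an interface name.
            (ext_ips if item[:1].isdigit() else ifaces).append(item)
    sources = ["0/0"]
    if "~" in rest:
        src, rest = rest.split("~", 1)
        sources = [s for s in src.split(",") if s]
    if ">" not in rest:
        raise ValueError(f"missing '>host' in {spec!r}")
    ports, dest = rest.split(">", 1)
    host, _, to_port = dest.partition(":")
    if not host:
        raise ValueError(f"missing destination host in {spec!r}")
    if to_port and not to_port.isdigit():
        raise ValueError(f"destination port must be a single port: {spec!r}")
    return Forward(proto, [parse_port(p) for p in ports.split(",")], host,
                   to_port or None, ifaces, ext_ips, sources)


def parse_variable(value: str, proto: str) -> List[Forward]:
    """Parse a whole NAT_FORWARD_TCP / NAT_FORWARD_UDP value (whitespace-separated)."""
    return [parse_forward(s, proto) for s in value.split()]


def to_iptables(fw: Forward, ext_if: str) -> List[str]:
    """Render equivalent nat/PREROUTING DNAT commands, one per interface/IP and source."""
    if fw.ifaces or fw.ext_ips:
        selectors = [f"-i {i}" for i in fw.ifaces] + [f"-d {ip}" for ip in fw.ext_ips]
    else:
        selectors = [f"-i {ext_if}"]  # default: the configured external interface
    target = fw.host if fw.to_port is None else f"{fw.host}:{fw.to_port}"
    dports = ",".join(fw.ports)
    rules = []
    for sel in selectors:
        for src in fw.sources:
            src_part = "" if src == "0/0" else f" -s {src}"
            rules.append(f"iptables -t nat -A PREROUTING {sel}{src_part} -p {fw.proto} "
                         f"-m multiport --dports {dports} -j DNAT --to-destination {target}")
    return rules


if __name__ == "__main__":
    # The forward from the 00debconf.conf above, plus the FAQ examples.
    for value in ("80>192.168.2.12",
                  "21,25>192.168.0.5 5000:5010>192.168.0.6",
                  "1.2.3.4,5.6.7.8~80>192.168.0.5",
                  "81>192.168.0.3:80"):
        for fw in parse_variable(value, "tcp"):
            for rule in to_iptables(fw, "eth0"):
                print(rule)
```

Running the block prints one DNAT command per specification and source; a forward with no "~" part renders without "-s", which makes it easy to spot a service that was meant to be restricted but is open to 0/0.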

# MULTIPLE PORTS

Q: How can I enter multiple ports in any of the variables?
A: You can enter multiple ports separated by spaces except for the xxx_FORWARD variables. Normally the comment in the config file shows a good example of how to use the variables.

# IP RANGES

Q: How can I use IP address ranges in the configuration file and/or the block hosts file?
A: Version 1.8 does NOT support IP ranges (except for the blocked hosts file), and never will. However, starting with version 1.9, you can use class C IPv4 ranges like e.g. 192.168.1.10-20, which would include all IP's between 192.168.1.10 and 192.168.1.20.



-------------------------------------------------------------------------------------------
IMPORTANT / DMZ
-------------------------------------------------------------------------------------------

# DMZ

Q: How can I implement a DMZ with your firewall?
A: To accomplish this you should add an additional ethernet adapter to the computer (gateway) running my firewall and add this interface to the DMZ_IF variable. You can also create multiple DMZ interfaces (although I doubt the benefit of having more than one) by adding multiple interfaces to DMZ_IF (space separated).



-------------------------------------------------------------------------------------------
OTHER THINGS
-------------------------------------------------------------------------------------------

# MULTIPLE INTERFACES FOR INTERNAL NETWORK

Q: Is there a way to define 2 or more ethernet adapters for internal networks?
A: Yes you can! You can actually specify as many internal nets as you want. There are two ways to accomplish this:
1) Only specify multiple local interfaces in INT_IF (space separated) and specify one(!) big local subnet in INTERNAL_NET. In this way you only need to make sure that both subnets "fit" in the large one. For example:
- INT_IF="eth0 eth1 eth2"
- INTERNAL_NET="192.168.0.0/16"
or
2) Specify multiple local interfaces in INT_IF (space separated) and specify an equal amount of subnets in INTERNAL_NET. This means that each entry of INTERNAL_NET & INT_IF forms a combined interface/subnet pair!
For example:
- INT_IF="eth0 eth1 eth2"
- INTERNAL_NET="192.168.0.0/24 192.168.1.0/24 192.168.2.0/24"
Note that my script figures out itself which method you (want to) use!
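The two methods in the answer above differ only in the number of entries in INTERNAL_NET, so a typo (one subnet too few or too many) changes which interface gets which subnet. The following check is an added example, not part of the firewall script: it pairs INT_IF with INTERNAL_NET exactly as the answer describes, rejects any other combination, and, for method 1, verifies that the real per-interface subnets fit inside the single large one. The per-interface subnets passed to method_one_fits are assumed to come from the administrator, since the page gives no source for them.

```python
"""Added example: check an INT_IF / INTERNAL_NET combination against the two
methods described in the FAQ.  Not part of the firewall script."""

import ipaddress
from typing import Dict, List, Optional, Tuple

Network = ipaddress.IPv4Network


def pair_internal(int_if: str, internal_net: str) -> List[Tuple[str, Network]]:
    """Return (interface, subnet) pairs.

    Method 1: a single subnet in INTERNAL_NET covers every interface in INT_IF.
    Method 2: INT_IF and INTERNAL_NET have the same number of entries and pair
    up position by position.  Any other combination is ambiguous and rejected.
    """
    ifaces = int_if.split()
    nets = [ipaddress.ip_network(n, strict=True) for n in internal_net.split()]
    if not ifaces or not nets:
        raise ValueError("INT_IF and INTERNAL_NET must both be non-empty")
    if len(nets) == 1:
        return [(iface, nets[0]) for iface in ifaces]
    if len(nets) == len(ifaces):
        return list(zip(ifaces, nets))
    raise ValueError(f"{len(ifaces)} interfaces but {len(nets)} subnets: "
                     "use one subnet for all interfaces or exactly one per interface")


def method_one_fits(internal_net: str, per_interface: Dict[str, str]) -> List[str]:
    """For method 1: interfaces whose real subnet does NOT fit inside the single
    INTERNAL_NET (the FAQ's 'make sure both subnets fit' condition).
    per_interface maps interface name -> the subnet actually configured on it
    (constructed input; the page does not say where these come from)."""
    big = ipaddress.ip_network(internal_net, strict=True)
    return sorted(iface for iface, net in per_interface.items()
                  if not ipaddress.ip_network(net, strict=True).subnet_of(big))


def interface_for_host(host: str, pairs: List[Tuple[str, Network]]) -> Optional[str]:
    """Which internal interface's subnet contains a LAN host (e.g. a forward target)."""
    addr = ipaddress.ip_address(host)
    for iface, net in pairs:
        if addr in net:
            return iface
    return None


if __name__ == "__main__":
    # The two examples from the FAQ answer.
    print(pair_internal("eth0 eth1 eth2", "192.168.0.0/16"))
    print(pair_internal("eth0 eth1 eth2", "192.168.0.0/24 192.168.1.0/24 192.168.2.0/24"))
```

With method 2, interface_for_host tells you which internal interface a forward target such as the 192.168.2.12 web server from the 00debconf.conf above is reached through; with method 1, method_one_fits flags any interface whose subnet silently falls outside the single INTERNAL_NET and would therefore not be treated as internal.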

# MULTIPLE INTERFACES FOR EXTERNAL NETWORK


Q: Is there a way to define 2 or more ethernet adapters for external networks?
A: Yes, simply add ALL interfaces to your EXT_IF.

# BLOCKING MAIL

Q: How can I block outgoing SMTP (TCP port 25) traffic for my internal LAN hosts except for one host (the mailserver relay) to prevent e.g. SMTP blacklisting because of possible spam bots?
A: Set these variables:

- LAN_INET_DENY_TCP="25"
- LAN_INET_HOST_OPEN_TCP="mailserver_lan_ip>0/0~25"

# EMULE

Q: How can I make eDonkey/eMule work so that I don't get low ID (firewalled)?
A: You need to forward TCP/UDP port 4662 and UDP port 4672 to your internal host (eg. 192.168.0.5):
NAT_FORWARD_TCP="4662>192.168.0.5"
NAT_FORWARD_UDP="4662,4672>192.168.0.5"

# BLOCK HOSTILE IP

Q: What's the proper way to use the blocked hosts file?
A: Just put the hostname or IP of the host(s) you want to block in "/etc/iptables-blocked-hosts" (default location). You can use comments (starting with the #-character), but only when the whole line is a comment!

# UPNP

Q: How can I enable the use of protocols like UPnP for my internal network?
A: You should install "LINUX UPNP INTERNET GATEWAY DEVICE" which is available from http://linux-igd.sourceforge.net/. To enable support for it in my firewall you should make FORWARD_LOOSE=1. This will allow any FORWARD (not INPUT) packet from the outside world into the local network. Note that it's less secure when you use this feature.

# TESTING


Q: I did an nmap (port scan) from my internal network against my public IP and everything is open!!! I thought your firewall was very secure by default! Shouldn't it block all ports then?
A: This is caused by the fact that many people still don't understand that for security reasons some actions are only performed on the network interfaces to which they should actually apply. Port forwarding & default port blocking are only performed on the EXTERNAL interface. In other words: performing tests on your public IP from your internal network will NEVER, EVER work -> you should always use another public machine!

# CUSTOM IP TABLES

Q: How can I add custom iptables rules?
A: Just put your custom iptables rules in "/etc/iptables-custom-rules" (default location). CAUTION!: All custom rules are loaded at the beginning of the script, so you could break some of the security of my script if you don't know exactly what you're doing.

# The location of the dedicated firewall log file

When enabled, the firewall script will also log start/stop etc. info to this file.
Note that in order to make this work, you should also configure syslogd to log firewall messages to this file (see LOGLEVEL below for further info).
FIREWALL_LOG="/var/log/arno-iptables-firewall"


---------------------------------------------------------------------------------------------------------------------------------------------------------------------

Visualizing log data

AIF ships with a dedicated log filter, arno-fwfilter, which can be used like this:

cat /var/log/arno-iptables-firewall | arno-fwfilter -s | grep -i -E 'stealth|blocked'


which, in this example, shows only the log lines containing the word stealth or the word blocked.
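A grep like the one above answers "what was blocked" but not "who keeps knocking". The script below is an added example, not part of AIF or the arno-fwfilter tool: it applies the same stealth|blocked filter to a constructed log sample, pulls the standard netfilter LOG fields (IN, OUT, SRC, DST, PROTO, SPT, DPT) out of each matching line, and counts blocked attempts per source address and per destination port. The sample lines and the "AIF:..." message prefixes in them are constructed for this example and are assumptions about how the script labels its LOG rules; the key=value fields are the kernel's own LOG target format.

```python
"""Added example: summarise blocked/stealth events from an AIF-style firewall log.

The log lines below are CONSTRUCTED for this example.  The "AIF:..." prefixes
are assumptions about the script's LOG prefixes; the IN=/OUT=/SRC=/DST=/PROTO=/
SPT=/DPT= fields follow the standard netfilter LOG target format.
"""

import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = """\
Jan 12 10:01:02 gw kernel: AIF:Stealth scan?: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 PROTO=TCP SPT=53210 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 12 10:01:05 gw kernel: AIF:Connection attempt (blocked): IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=53211 DPT=3389 SYN URGP=0
Jan 12 10:02:11 gw kernel: AIF:Connection attempt (blocked): IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=60 PROTO=UDP SPT=1027 DPT=137 LEN=40
Jan 12 10:02:30 gw arno-iptables-firewall: Arno's Iptables Firewall started
Jan 12 10:03:44 gw kernel: AIF:Connection attempt (blocked): IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=53212 DPT=445 SYN URGP=0
Jan 12 10:04:00 gw kernel: AIF:LAN-INET denied: IN=eth1 OUT=eth0 SRC=192.168.2.40 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=40000 DPT=25 SYN URGP=0
"""

# The netfilter LOG fields we care about; OUT= may legitimately be empty.
FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")
# Same filter as the grep in the text, case-insensitive.
KEYWORD_RE = re.compile(r"stealth|blocked", re.IGNORECASE)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the netfilter key=value fields of one log line, or None if it has none
    (e.g. the script's own start/stop messages)."""
    fields = dict(FIELD_RE.findall(line))
    return fields if "SRC" in fields else None


def filter_lines(text: str, pattern: "re.Pattern[str]" = KEYWORD_RE) -> List[str]:
    """Keep only the lines matching the pattern (the grep step of the pipeline)."""
    return [line for line in text.splitlines() if pattern.search(line)]


def summarise(text: str) -> Tuple[Counter, Counter]:
    """Count matching events per source IP and per (protocol, destination port)."""
    by_src: Counter = Counter()
    by_dpt: Counter = Counter()
    for line in filter_lines(text):
        fields = parse_line(line)
        if fields is None:
            continue
        by_src[fields["SRC"]] += 1
        if fields.get("DPT"):
            by_dpt[(fields.get("PROTO", "?"), fields["DPT"])] += 1
    return by_src, by_dpt


def noisy_sources(text: str, threshold: int = 3) -> List[str]:
    """Source addresses with at least `threshold` blocked/stealth events: review candidates."""
    by_src, _ = summarise(text)
    return sorted(ip for ip, n in by_src.items() if n >= threshold)


if __name__ == "__main__":
    srcs, dpts = summarise(SAMPLE_LOG)
    for ip, n in srcs.most_common():
        print(f"{n:4d}  {ip}")
    for (proto, port), n in dpts.most_common():
        print(f"{n:4d}  {proto}/{port}")
    print("noisy:", noisy_sources(SAMPLE_LOG))
```

Note that the keyword filter is only as good as the prefixes it names: the constructed LAN-to-internet SMTP denial in the sample (the LAN_INET_DENY_TCP="25" case from the configuration above) is not caught by stealth|blocked, so anyone relying on that grep should check which prefixes their AIF version actually logs and extend the pattern accordingly.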


----------------------------------------------------------------------------------------------------------------------------------------------------------------------
 
If you have any questions, get in touch through this link.