How to Set Up a Firewall

using Arno's IPTABLES Firewall (AIF)


1. Introduction

Arno's IPTABLES Firewall (AIF) is a secure stateful firewall for both single- and multi-homed machines. Unlike other lean iptables front ends in Debian, arno-iptables-firewall will set up and load a secure, restrictive firewall after asking just a few questions. This includes configuring internal networks for internet access via NAT and any network services you run (e.g. http or ssh). It is, however, in no way restricted to this simple setup. Additional features that can be enabled in the well-documented configuration file include DSL/ADSL support, port forwarding, DMZs, port-scan detection and MAC address filtering.

2. Installation

To install the firewall, we first download the newest version available from here. You could use Synaptic directly, but then you do not get the newest version. Arno's IPTABLES Firewall (AIF) is a mature project, tested over many years with few changes between releases, so it is fine to take the newest version from Sid (unstable). AIF has few dependencies: gawk, iproute, iptables, libcurl3 and libsigsegv0 (Squeeze) or libsigsegv2 (Wheezy). Make sure they are installed on your system:

sudo apt-get install gawk iproute iptables libcurl3 libsigsegv2

We install the .deb package using dpkg:

sudo dpkg -i arno-iptables-firewall.deb

During the installation you have to answer a few questions (internal network addresses, internal and external NICs, which ports should be opened, etc.). If you do not know the correct answers, do not worry: you will have to edit the configuration file anyway. The questions are:

Do you want to manage the firewall setup with debconf?

Your answer: yes

The external network interfaces

You write: eth0 wlan0. If your wireless is not connected it will complain, but do not worry.

Open external TCP-ports:

You leave it blank.

3. Configuration

We may edit the main configuration file:

sudo gedit /etc/arno-iptables-firewall/firewall.conf

This is a rather long file, but it is good to read it slowly.

There is a smaller configuration file that holds the data entered during the installation process. This file, /etc/arno-iptables-firewall/conf.d/00debconf.conf, is the one to use for configuring the firewall: enter all configuration changes only there.

3.1 FIREWALL FOR A "NORMAL USER" (no servers of any kind working at the computer)

In this case, the configuration file 00debconf.conf (with some extra comments that you should read!) may look just like this:

# The external interface(s) that will be protected (and used as internet
# connection). This is probably ppp+ or dsl+ for non-transparent(!) (A)DSL
# modems otherwise it's probably "ethX" (eg. eth0). Multiple interfaces should
# be space separated.

EXT_IF="eth0 wlan0"

# Enable if THIS machine (dynamically) obtains its IP through (IPv4) DHCP
# and/or (IPv6) DHCPv6 (from your ISP)
EXT_IF_DHCP_IP=1

OPEN_TCP=""
OPEN_UDP=""
INT_IF=""
NAT=0
INTERNAL_NET=""
NAT_INTERNAL_NET=""
OPEN_ICMP=0

A "normal user" running Debian should have a configuration file like this one. You can get all the information about the external interfaces by running "sudo ifconfig" in a terminal. If you use a static IP, set EXT_IF_DHCP_IP=0.

3.2 FIREWALL FOR A MAIL SERVER

Imagine you have an internal network with IPs 192.168.1.X, where X = 2, 3, 4... identifies each computer of the internal network. Imagine the computer X=14 is a mail server running SquirrelMail, which means every user manages mail only through a browser. The administrator, using the computer X=10, also needs to access the mail server over ssh. Then the configuration file 00debconf.conf should look like this one:

EXT_IF="eth0"
EXT_IF_DHCP_IP=0

# We open port 25 so the mail server can send and receive mail from anyone.
OPEN_TCP="25"
OPEN_UDP=""

# We only allow access to port 80 to computers of the internal network
# X=11,12,14 using the mail server. We allow the administrator with X=10 to
# access the ports 22 for ssh and 80 for http access.
HOST_OPEN_TCP="192.168.1.11,192.168.1.12,192.168.1.14~80 192.168.1.10~22,80"

INT_IF=""
NAT=0
INTERNAL_NET=""
NAT_INTERNAL_NET=""
OPEN_ICMP=0

# Specify here the location of the file that contains a list of
# hosts(IPs) that should be BLOCKED. IP ranges can (only) be specified as
# w.x.y.z1-z2 (eg. 192.168.1.10-15). Note that the last line of this file
# should always contain a carriage-return (enter)!
BLOCK_HOSTS_FILE="/etc/arno-iptables-firewall/blocked-hosts"

# Put in the following variables which hosts you want to DENY(DROP) for certain
# services but NOT logged.
DENY_UDP_NOLOG="67 68 137 138 8610 8611 8612"

If you have a mail server it will probably be under attack from the external network, so you will want to blacklist the bad guys. Create the file /etc/arno-iptables-firewall/blocked-hosts and list the offending IPs there, one per line (as the comment above says, the file must end with a newline).

AIF logs anything unusual to the file /var/log/arno-iptables-firewall. Some devices on the internal network (cell phones, PLCs and so on) may generate lots of false alarms because they continuously broadcast UDP packets over the network. In that case, watch the logs carefully and check which ports are being used (the "SPT" and "DPT" fields). Then tell the firewall not to log that activity with DENY_UDP_NOLOG="portnumber1 portnumber2 ...".
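As an added example (not part of this page or of the AIF package), the following shell script does the log triage just described: it counts the destination ports of the logged UDP packets and prints, for a given internal interface, the ports that keep recurring as a ready-to-paste DENY_UDP_NOLOG line. The log lines are constructed in iptables LOG style (the page only says the SPT and DPT fields are present), so the "AIF:Dropped ..." prefix is an assumption, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the page or from AIF: find the UDP ports that keep
# tripping the firewall log so you can decide what to put in DENY_UDP_NOLOG.
# The log lines below are CONSTRUCTED in iptables LOG style; adapt the prefix
# to whatever your /var/log/arno-iptables-firewall actually contains.

SAMPLE_LOG='Jan 10 10:00:01 gw kernel: AIF:Dropped UDP packet: IN=eth1 OUT= SRC=192.168.1.33 DST=255.255.255.255 PROTO=UDP SPT=68 DPT=67 LEN=308
Jan 10 10:00:02 gw kernel: AIF:Dropped UDP packet: IN=eth1 OUT= SRC=192.168.1.40 DST=192.168.1.255 PROTO=UDP SPT=137 DPT=137 LEN=78
Jan 10 10:00:03 gw kernel: AIF:Dropped UDP packet: IN=eth1 OUT= SRC=192.168.1.40 DST=192.168.1.255 PROTO=UDP SPT=138 DPT=138 LEN=229
Jan 10 10:00:04 gw kernel: AIF:Dropped UDP packet: IN=eth1 OUT= SRC=192.168.1.33 DST=255.255.255.255 PROTO=UDP SPT=68 DPT=67 LEN=308
Jan 10 10:00:05 gw kernel: AIF:Dropped TCP packet: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=44231 DPT=22 LEN=60
Jan 10 10:00:06 gw kernel: AIF:Dropped UDP packet: IN=eth1 OUT= SRC=192.168.1.40 DST=192.168.1.255 PROTO=UDP SPT=137 DPT=137 LEN=78
Jan 10 10:00:07 gw kernel: AIF:Dropped UDP packet: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=UDP SPT=5353 DPT=5060 LEN=60'

# udp_dpt_counts: read log lines on stdin and print "count port" for every
# UDP destination port (DPT=) seen, most frequent first, then lowest port first.
udp_dpt_counts() {
    awk '/PROTO=UDP/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^DPT=/) { split($i, kv, "="); n[kv[2]]++ }
         }
         END { for (p in n) print n[p], p }' | sort -k1,1nr -k2,2n
}

# nolog_candidates: UDP ports hit at least $2 times by packets that arrived
# on the internal interface $1 (IN=<iface>). Only internal noise is
# considered, so probes arriving on the external interface stay logged.
# Prints the ports space separated, ready for DENY_UDP_NOLOG.
nolog_candidates() {
    int_if=$1; min=$2
    grep "IN=$int_if " | udp_dpt_counts |
        awk -v m="$min" '$1 >= m { printf "%s%s", sep, $2; sep = " " } END { print "" }'
}

# Usage on the constructed sample: internal NIC eth1, threshold 2 hits.
printf '%s\n' "$SAMPLE_LOG" | udp_dpt_counts
printf 'DENY_UDP_NOLOG="%s"\n' "$(printf '%s\n' "$SAMPLE_LOG" | nolog_candidates eth1 2)"
```

Only packets that arrived on the internal interface count towards the candidates, so the probe from the internet in the sample (the eth0 lines) is still logged; for the sample the result is the DHCP (67) and NetBIOS (137) ports that the configuration above already silences. On a real log, feed the file instead of SAMPLE_LOG and raise the threshold until only the chatty devices remain.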

3.3 FIREWALL FOR A PROXY SERVER

Imagine now that our internal network also has a web server located behind a proxy server. The proxy server has the IP 192.168.1.19 and the web server has the IP 192.168.2.15. The proxy server runs Squid3 (configured as a reverse proxy) and accepts requests on port 3128; a router forwards port 80 (from the external internet) to 192.168.1.19:3128 (in our internal network). Squid fetches the content from port 80 of the web server. The proxy server has an "external NIC" (eth0) and three "internal NICs" (eth1, eth2, eth3). The internal NIC eth1 works with addresses 192.168.2.X; only eth1 is actually used, and it is connected directly to the web server. The proxy server also runs Apache, which gives access to information produced by some programs (for instance Snort) and should only be available to the administrator. The web server runs Apache listening on port 80, as already stated. On the web server we also have an FTP server, vsftpd, using ports 20, 21 and 30020 to 30031 (only for the administrator). There is also an active VNC server that should only be accessed by the administrator (remember, with IP 192.168.1.10).

Then the configuration file 00debconf.conf for the Proxy server should look like this one (please read the comments to adapt this file to your needs):

# The external interface
EXT_IF="eth0"

# Enable if THIS machine (dynamically) obtains its IP through (IPv4) DHCP
# This is a proxy server with a static IP, so:
EXT_IF_DHCP_IP=0

# Specify here your internal network (LAN) interface(s)
INT_IF="eth1 eth2 eth3"

# Specify here the internal IPv4 subnet(s), one per internal NIC and in the
# same order as INT_IF (space separated, as the README FAQ below describes)
INTERNAL_NET="192.168.2.0/24 192.168.3.0/24 192.168.4.0/24"

# We only allow the administrator to access ports 80 (Apache), 667 (darkstat)
# and 5900 (default VNC port) of the Proxy Server
HOST_OPEN_TCP="192.168.1.10~80,667,5900"

# We allow anyone to access port 3128 (Squid working as a reverse Proxy server).
OPEN_TCP="3128"

# Enable this if you want to perform NAT (masquerading) for your internal network (LAN)
NAT=1

# (EXPERT SETTING!) In case you would like to use SNAT (Static NAT)
NAT_STATIC_IP="192.168.1.19"

# NAT TCP/UDP/IP forwards.
# We ask the proxy server to forward certain ports so the administrator may access the web server.
# We forward ports 20,21,30020-30031 for vsftpd and 5901 for VNC, and only for
# requests coming from the administrator's host 192.168.1.10
NAT_FORWARD_TCP="192.168.1.10~20,21,30020:30031,5901>192.168.2.15"
NAT_FORWARD_UDP="192.168.1.10~20,21,30020:30031,5901>192.168.2.15"

# No mail! (we only have a web server and a Proxy server, so we make sure
# no one uses our machines as e-mail servers to send spam)
# The following ports are blocked
LAN_INET_DENY_TCP="25,110,143,465,585,993,995"

# We do not log UDP requests from devices as PLCs and cell phones
DENY_UDP_NOLOG="67 68 137 138 631"

# Blacklist of the IPs attacking our servers
BLOCK_HOSTS_FILE="/etc/arno-iptables-firewall/blocked-hosts"
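Before restarting the firewall with a configuration like the one above, it helps to catch mistakes in 00debconf.conf first. The script below is an added example (my own code, not part of this page or of the arno-iptables-firewall package): it sources a conf.d file in a subshell and checks the INT_IF/INTERNAL_NET pairing rule quoted from the README FAQ later on this page (one big subnet, or exactly one subnet per interface) and the syntax of every NAT_FORWARD_TCP/UDP entry, covering the "iface#" prefix, the "src~" restriction, port ranges and the ">host:port" form that the README and FAQ excerpts describe. The variable names are AIF's; the function names and the two sample files are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the page or from the AIF package: a pre-flight check
# for a conf.d/*.conf file before "arno-iptables-firewall restart".
# It reads the file in a subshell (nothing leaks into the caller) and checks
# the INT_IF/INTERNAL_NET pairing rule and the NAT_FORWARD_* entry syntax
# "[iface#][src1,src2~]ports>host[:port]". Function names are assumptions.

# count_words: number of space-separated items in "$1".
count_words() { set -- $1; echo $#; }

# check_forward_entry: return 0 if one forward entry is well-formed:
#   optional "{iface|ip}#" prefix, optional "src1,src2~" prefix,
#   ports as "22", "20,21" or "5000:5010" (comma list), then ">host[:port]"
check_forward_entry() {
    entry=$1
    rest=${entry#*#}                     # strip "iface#" (no-op if absent)
    rest=${rest#*~}                      # strip "src~"   (no-op if absent)
    case $rest in *\>*) ;; *) return 1 ;; esac
    ports=${rest%%\>*}; dest=${rest#*\>}
    printf '%s' "$ports" | grep -Eq '^[0-9]+(:[0-9]+)?(,[0-9]+(:[0-9]+)?)*$' || return 1
    printf '%s' "$dest"  | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(:[0-9]+)?$' || return 1
    return 0
}

# aif_preflight: source the conf file in a subshell and report problems on
# stdout. Returns 0 when everything looks fine, 1 otherwise.
aif_preflight() {
    conf=$1
    (
        . "$conf" || exit 1
        rc=0
        n_if=$(count_words "${INT_IF:-}")
        n_net=$(count_words "${INTERNAL_NET:-}")
        # README FAQ rule: one big subnet, or exactly one subnet per INT_IF.
        if [ "$n_if" -gt 1 ] && [ "$n_net" -ne 1 ] && [ "$n_net" -ne "$n_if" ]; then
            echo "INTERNAL_NET has $n_net entries for $n_if INT_IF interfaces (need 1 or $n_if)"
            rc=1
        fi
        if [ "${NAT:-0}" -eq 1 ] && [ -z "${INT_IF:-}" ]; then
            echo "NAT=1 but INT_IF is empty"
            rc=1
        fi
        for var in NAT_FORWARD_TCP NAT_FORWARD_UDP; do
            eval "val=\${$var:-}"
            for e in $val; do
                check_forward_entry "$e" || { echo "$var: bad entry '$e'"; rc=1; }
            done
        done
        exit $rc
    )
}

# Demo on two CONSTRUCTED files written to a temporary directory.
tmp=$(mktemp -d)
cat > "$tmp/good.conf" <<'EOF'
EXT_IF="eth0"
INT_IF="eth1 eth2 eth3"
INTERNAL_NET="192.168.2.0/24 192.168.3.0/24 192.168.4.0/24"
NAT=1
NAT_FORWARD_TCP="192.168.1.10~20,21,30020:30031,5901>192.168.2.15 eth0#0/0~81>192.168.2.15:80"
EOF
cat > "$tmp/bad.conf" <<'EOF'
INT_IF="eth1 eth2 eth3"
INTERNAL_NET="192.168.2.0/24 192.168.3.0/24"
NAT=1
NAT_FORWARD_TCP="192.168.1.10~20,21>192.168.2"
EOF
aif_preflight "$tmp/good.conf" && echo "good.conf: OK"
aif_preflight "$tmp/bad.conf"  || echo "bad.conf: problems found"
rm -rf "$tmp"
```

The check is purely syntactic: a port number that is valid but wrong (20 typed as 30, say) still passes, which is why the comment beside each rule should list the intended ports so they can be compared. Run it as aif_preflight /etc/arno-iptables-firewall/conf.d/00debconf.conf before sudo /usr/sbin/arno-iptables-firewall restart.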

3.4 STOPPING AND STARTING THE FIREWALL

After changing the configuration you need to restart the firewall. You can call arno-iptables-firewall with the following arguments:

start = Start firewall
stop = Stop firewall
stop-block = Stop firewall & block all internet packets
restart = Restart firewall
force-reload = Reload blocked hosts (blackhole) file

For example, to stop the firewall:

sudo /usr/sbin/arno-iptables-firewall stop

To start the firewall:

sudo /usr/sbin/arno-iptables-firewall start

4. Important Information from README file and FAQ section

You are also encouraged to read the following text, which has been extracted from the README file and a FAQ section:

-------------------------------------

FROM FILE README

-------------------------------------

An explanation of the files in the package

/etc/arno-iptables-firewall/firewall.conf:

The configuration file used for Arno's iptables firewall script. Normally you should put it in /etc/arno-iptables-firewall/. Make sure root is owner/group (with "chown 0:0").

/etc/arno-iptables-firewall/conf.d/ :

Put any (override) configuration files in this directory. Any files here with a .conf extension(!) will be sourced AFTER the main firewall.conf file has been read.

# START FIREWALL BEFORE ADSL

1) If possible, try to start the firewall before you enable your (ADSL) internet connection.

# INCOMING TRAFFIC BLOCKED BY DEFAULT

3) I get a lot of emails from people complaining that their webserver etc.
stopped working after installing my firewall. This is the CORRECT
behaviour for a firewall: BLOCKING ALL incoming traffic by default!
Configure your eg. OPEN_TCP accordingly!

# OPENING AND FORWARDING PORTS

5) For configuration-variables/rules which are related to the external (internet) interface one can restrict the interface(s) for which it is applied to by adding either "{interface1,interface2,...}#" or "{interface_ip1,interface_ip2}#" at the beginning of the rule. The latter is especially handy for aliased interfaces.

Example 1: OPEN_TCP="eth0#22", would only open TCP port 22 (SSH) for interface eth0

Example 2: OPEN_TCP="1.2.3.4#22", would only open TCP port 22 (SSH) for interface which has the IP 1.2.3.4

This feature can also be used to enable NAT port forwarding for certain (external) interfaces. Examples:

Example 1: NAT_FORWARD_TCP="eth0#0/0~22>{internal_host}" means:
- Forwards TCP port 22;
- Forward is available for the whole world (0/0);
- Forward is applied to eth0 only;
- {internal_host} is the host the port should be forwarded to.

Example 2: NAT_FORWARD_TCP="1.2.3.4#0/0~80>{internal_host}" means:
- Forwards TCP port 80;
- Forward is available for the whole world (0/0);
- Forward is applied to the (external) (aliased) interface with IP 1.2.3.4;
- {internal_host} is the host the port should be forwarded to.

# PORT RANGES

6) Port ranges should be written as port_start:port_end, eg. "137:139" would select ports 137,138 and 139.


-----------------------------
SELECTED FAQ
-----------------------------

# PACKAGE TO INSTALL (bind9utils)

Q: When I turn on host resolving, I get an error saying that 'dig' can not be found.

A: You must install the bind-utilities (package), which contains the 'dig'-utility

# PROXY WITH FIREWALL

Q: (How) can I use a proxy with your firewall then?

A: Yes, you can. You should use the $PROXY_PORT variable for this. You should set this variable to the value of the port your proxy is listening on. Note that the proxy should run on the gateway itself!


IMPORTANT / FORWARDING PORTS / DNAT ---------------------------

# FORWARD PORTS WITH DIFFERENT NUMBERS

Q: I want to forward (DNAT) from port 81 on my firewall machine to port 80 on a local host (192.168.0.3). How can I do this?

A: You can do this in almost the same way as a normal forward; the only thing you need to add is :81 to the destination host in the TCP_FORWARD / UDP_FORWARD variables. In this case it would become "81>192.168.0.3:80"

# FORWARDING CERTAIN (RANGES OF) PORTS TO CERTAIN MACHINES

Q: How can I forward port 21 and 25 to 192.168.0.5 and forward port 5000-5010 to 192.168.0.6?

A: Use NAT_FORWARD_TCP and/or NAT_FORWARD_UDP variable(s) in this way:
NAT_FORWARD_TCP="21,25>192.168.0.5 5000:5010>192.168.0.6"
NAT_FORWARD_UDP="21,25>192.168.0.5 5000:5010>192.168.0.6"

# RESTRICT ENTRANCE TO PORTS

Q: How can I restrict the access of certain forwarded ports? I only want to allow IP's 1.2.3.4 and 5.6.7.8 for the forwarded HTTP (port 80) service.

A: Enter the allowed source IP address(es) in front of a forward specification. Example:
NAT_FORWARD_TCP="1.2.3.4,5.6.7.8~80>192.168.0.5"
NAT_FORWARD_UDP="1.2.3.4,5.6.7.8~80>192.168.0.5"

# MULTIPLE PORTS

Q: How can I enter multiple ports in any of the variables?

A: You can enter multiple ports separated by spaces, except for the xxx_FORWARD variables. Normally the comment in the config file shows a good example of how to use the variables.

# IP RANGES

Q: How can I use IP address ranges in the configuration file and/or the block hosts file?

A: You can use class C IPv4 ranges like e.g. 192.168.1.10-20, which would include all IP's between 192.168.1.10 and 192.168.1.20.


IMPORTANT / DMZ-------------------------------------

# DMZ

Q: How can I implement a DMZ with your firewall?

A: To accomplish this you should add an additional ethernet adapter to the computer (gateway) running my firewall and add this interface to the DMZ_IF variable. You can also create multiple DMZ interfaces (although I doubt the benefit of having more than one) by adding multiple interfaces to DMZ_IF (space separated).


-------------------------------------------------------------------------------------------
OTHER THINGS
-------------------------------------------------------------------------------------------

# MULTIPLE INTERFACES FOR INTERNAL NETWORK

Q: Is there a way to define 2 or more ethernet adapters for internal networks?

A: Yes you can! You can actually specify as many internal nets as you want. There are two ways to accomplish this:

1) Only specify multiple local interfaces in INT_IF (space separated) and specify one(!) big local subnet in INTERNAL_NET. In this way you only need to make sure that all subnets "fit" in the large one. For example:
- INT_IF="eth0 eth1 eth2"
- INTERNAL_NET="192.168.0.0/16"

or

2) Specify multiple local interfaces in INT_IF (space separated) and specify an equal amount of subnets in INTERNAL_NET. This means that each entry of INTERNAL_NET & INT_IF forms a combined interface/subnet pair!
For example:
- INT_IF="eth0 eth1 eth2"
- INTERNAL_NET="192.168.0.0/24 192.168.1.0/24 192.168.2.0/24"
Note that my script figures out itself which method you (want to) use!

# MULTIPLE INTERFACES FOR EXTERNAL NETWORK

Q: Is there a way to define 2 or more ethernet adapters for external networks?

A: Yes, simply add ALL interfaces to your EXT_IF.

# BLOCKING MAIL

Q: How can I block outgoing SMTP(TCP port 25) traffic for my internal LAN hosts except for one host (the mailserver relay) to prevent eg. SMTP blacklisting because of possible spam bots?

A: Set these variables:

- LAN_INET_DENY_TCP="25"
- LAN_INET_HOST_OPEN_TCP="mailserver_lan_ip>0/0~25"

# EMULE

Q: How can I make eDonkey/eMule work so that I don't get low ID (firewalled)?

A: You need to forward TCP/UDP port 4662 and UDP port 4672 to your internal host (eg. 192.168.0.5):
NAT_FORWARD_TCP="4662>192.168.0.5"
NAT_FORWARD_UDP="4662,4672>192.168.0.5"

# BLOCK HOSTILE IP

Q: What's the proper way to use the blocked hosts file?

A: Just put the hostname or IP of the host(s) you want to block in "/etc/iptables-blocked-hosts" (default location). You can use comments (starting with the #-character) but it can only be used when the whole line is a comment!

# UPNP

Q: How can I enable the use of protocols like UPnP for my internal network?

A: You should install "LINUX UPNP INTERNET GATEWAY DEVICE" which is available from http://linux-igd.sourceforge.net/. To enable support for it in my firewall you should make FORWARD_LOOSE=1. This will allow any FORWARD (not INPUT) packet from the outside world into the local network. Note that it's less secure when you use this feature.

# TESTING

Q: I did an nmap (port scan) from my internal network against my public IP and everything is open!!! I thought your firewall was very secure by default! Shouldn't it block all ports then?

A: This is caused by the fact that many people still don't understand that for security reasons some actions are only performed on the network interfaces for which they should actually apply. Portforwarding & default portblocking are only performed on the EXTERNAL interface. In other words: performing tests on your public IP from your internal network will NEVER, EVER work -> you should always use another public machine!

# CUSTOM IP TABLES

Q: How can I add custom iptables rules?

A: Just put your custom iptables rules in "/etc/iptables-custom-rules" (default location). CAUTION!: All custom rules are loaded at the beginning of the script, so you could break some of the security of my script if you don't know exactly what you're doing.

# The location of the dedicated firewall log file

When enabled the firewall script will also log start/stop etc. info to this file as well.
Note that in order to make this work, you should also configure syslogd to log firewall messages to this file (see LOGLEVEL below for further info).
FIREWALL_LOG="/var/log/arno-iptables-firewall"

---------------------------------------------------------------------------------------------------------------------------------------------------------------------

Visualizing log data

The package ships a log filter, arno-fwfilter, which can be used like this:

cat /var/log/arno-iptables-firewall | arno-fwfilter -s | grep -i -E 'stealth|blocked'

which shows only the log lines containing the words "stealth" or "blocked", for example.

----------------------------------------------------------------------------------------------------------------------------------------------------------------------


Raconet Linux