How to Setup a Firewall
using Arno's IPTABLES Firewall (AIF)
Arno's IPTABLES Firewall (AIF) is a secure stateful firewall for both single and multi-homed machines. Unlike other lean iptables frontends in Debian, arno-iptables-firewall will set up and load a secure, restrictive firewall after asking just a few questions. This includes configuring internal networks for internet access via NAT and the network services you want to expose (e.g. http or ssh). However, it is in no way restricted to this simple setup. Additional features that can be enabled in the well-documented configuration file include DSL/ADSL support, port forwarding, DMZs, portscan detection and MAC address filtering.
To install the firewall, first download the newest version available from here. You could use synaptic directly, but then you would not get the newest version. Arno's IPTABLES firewall (AIF) is a mature project, tested over many years, that changes little between releases, so it is reasonable to take the newest version from Sid (unstable). AIF has few dependencies: gawk, iproute, iptables, libcurl3 and libsigsegv0 (Squeeze) or libsigsegv2 (Wheezy). Make sure they are installed on your system:
sudo apt-get install gawk iproute iptables libcurl3 libsigsegv2
We install the .deb package using dpkg. Note that dpkg does not verify package signatures the way apt does, so make sure the file came from Debian's package archive and compare its checksum with the one published there before installing:
sudo dpkg -i arno-iptables-firewall.deb
During the installation you have to answer a few questions (internal network addresses, internal and external NICs, which ports should be opened, etc.). If you do not know the correct answers, do not worry, because you will have to edit the configuration file anyway. The questions to answer are:
Do you want to manage the firewall setup with debconf?
Your answer: yes
The external network interfaces
You write: eth0 wlan0. If your wireless is not connected it will complain, but do not worry.
Open external TCP-ports:
You leave it blank.
You can read the main configuration file:
sudo gedit /etc/arno-iptables-firewall/firewall.conf
This is a rather long file, but it is worth reading slowly, because every option is documented there.
There is a smaller configuration file which holds the data entered during the installation process. This small file, located at /etc/arno-iptables-firewall/conf.d/00debconf.conf, is the one to use to configure the firewall: files in conf.d are read after firewall.conf and override it. Make all your changes in this file and leave firewall.conf as shipped by the package.
3.1 FIREWALL FOR A "NORMAL USER" (no servers of any kind working at the computer)
In this case, the configuration file 00debconf.conf (with some extra comments that you should read!) may look just like this:
# The external interface(s) that will be protected (and used as internet
# connection). This is probably ppp+ or dsl+ for non-transparent(!) (A)DSL
# modems otherwise it's probably "ethX" (eg. eth0). Multiple interfaces should
# be space separated.
EXT_IF="eth0 wlan0"
# Enable if THIS machine (dynamically) obtains its IP through (IPv4) DHCP
# and/or (IPv6) DHCPv6 (from your ISP)
EXT_IF_DHCP_IP=1
OPEN_TCP=""
OPEN_UDP=""
INT_IF=""
NAT=0
INTERNAL_NET=""
NAT_INTERNAL_NET=""
OPEN_ICMP=0
A "normal user" using Debian should have a configuration file like this one: no ports open, no NAT, no internal interface. You can get the names of the external interfaces by running "sudo ifconfig" or "ip addr" in the terminal. If you use a static IP then you should set EXT_IF_DHCP_IP=0.
3.2 FIREWALL FOR A MAIL SERVER
Imagine you have an internal network with IPs 192.168.1.X, where X = 2, 3, 4... identifies every computer of the internal network. Imagine the computer X=14 is a mail server running squirrelmail, which means every user manages mail only through a browser. The administrator, using the computer X=10, also needs to access the computer using ssh. Then the configuration file 00debconf.conf should look like this one:
EXT_IF="eth0"
EXT_IF_DHCP_IP=0
# We open port 25 so the mail server can receive mail from anyone (outgoing
# connections from this host are allowed by default, so sending needs nothing).
OPEN_TCP="25"
OPEN_UDP=""
# We only allow access to port 80 (webmail) from the computers of the internal
# network X=11,12,14. We allow the administrator with X=10 to access port 22
# for ssh and port 80 for http. Webmail over plain HTTP sends passwords in
# clear text; if you serve it over HTTPS instead, list 443 here as well.
HOST_OPEN_TCP="192.168.1.11,192.168.1.12,192.168.1.14~80 192.168.1.10~22,80"
INT_IF=""
NAT=0
INTERNAL_NET=""
NAT_INTERNAL_NET=""
OPEN_ICMP=0
# Specify here the location of the file that contains a list of
# hosts(IPs) that should be BLOCKED. IP ranges can (only) be specified as
# w.x.y.z1-z2 (eg. 192.168.1.10-15). Note that the last line of this file
# should always contain a carriage-return (enter)!
BLOCK_HOSTS_FILE="/etc/arno-iptables-firewall/blocked-hosts"
# Put in the following variables which hosts you want to DENY(DROP) for certain
# services but NOT logged.
DENY_UDP_NOLOG="67 68 137 138 8610 8611 8612"
If you have a mail server it will probably be under attack from the external network, so you will want to blacklist the bad guys. To do so, create the file /etc/arno-iptables-firewall/blocked-hosts and put the list of offending IPs in it (one per line, with a trailing newline at the end of the file).
AIF will log anything unusual in the file /var/log/arno-iptables-firewall. Some devices on the internal network (cell phones, PLCs and so on) may generate lots of false alarms because they transmit UDP packets continuously over the network. In that case, read the logs carefully and check which ports are being used (indicated by "SPT" and "DPT" in each logged packet). Then tell the firewall not to log such traffic by setting DENY_UDP_NOLOG="portnumber1 portnumber2...". Only silence ports that are really LAN noise; a probe from an outside address is exactly the kind of entry you want to keep in the log.
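To decide what belongs in DENY_UDP_NOLOG from evidence rather than guesswork, the following script tallies dropped UDP packets by destination port. It is an added example, not part of AIF or of the original page. It reads any log in the netfilter LOG format (the SRC=, PROTO=, SPT= and DPT= fields); the sample lines it writes when run without a log file are constructed for the example, and the "AIF:Dropped UDP packet:" prefix in them is illustrative only, as the parsing does not depend on it. The optional source prefix lets you count LAN sources separately from outside addresses, so that you silence broadcast noise (NetBIOS on 137/138, mDNS on 5353 in the sample) but keep logging probes such as the constructed SNMP scan from 203.0.113.7.

```sh
#!/bin/sh
# Tally dropped UDP packets by destination port so DENY_UDP_NOLOG can be set
# from what the log actually shows. Works on any netfilter LOG format file.

# write_sample_log FILE: constructed sample lines (not real AIF output).
write_sample_log() {
  cat > "$1" <<'EOF'
Mar  3 10:15:01 mail kernel: AIF:Dropped UDP packet: IN=eth0 OUT= SRC=192.168.1.23 DST=192.168.1.255 LEN=78 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar  3 10:15:02 mail kernel: AIF:Dropped UDP packet: IN=eth0 OUT= SRC=192.168.1.23 DST=192.168.1.255 LEN=78 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar  3 10:15:03 mail kernel: AIF:Dropped UDP packet: IN=eth0 OUT= SRC=192.168.1.23 DST=192.168.1.255 LEN=78 PROTO=UDP SPT=138 DPT=138 LEN=58
Mar  3 10:15:04 mail kernel: AIF:Dropped UDP packet: IN=eth0 OUT= SRC=192.168.1.40 DST=192.168.1.14 LEN=60 PROTO=UDP SPT=49152 DPT=5353 LEN=40
Mar  3 10:15:05 mail kernel: AIF:Dropped UDP packet: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.14 LEN=60 PROTO=UDP SPT=53413 DPT=161 LEN=40
Mar  3 10:15:06 mail kernel: AIF:Dropped TCP packet: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.14 LEN=60 PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 SYN
Mar  3 10:15:07 mail kernel: AIF:Dropped UDP packet: IN=eth0 OUT= SRC=192.168.1.23 DST=192.168.1.255 LEN=78 PROTO=UDP SPT=137 DPT=137 LEN=58
EOF
}

# udp_dpt_summary LOGFILE [SRC_PREFIX]: prints "<hits> <dport> <first source>"
# for dropped UDP packets, busiest port first. With SRC_PREFIX (for example
# "192.168.1.") only packets from matching sources are counted.
udp_dpt_summary() {
  awk -v pfx="${2:-}" '
    /PROTO=UDP/ {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (dpt == "") next
      if (pfx != "" && index(src, pfx) != 1) next
      hits[dpt]++
      if (!(dpt in first)) first[dpt] = src
    }
    END { for (p in hits) printf "%d %s %s\n", hits[p], p, first[p] }
  ' "$1" | sort -k1,1nr -k2,2n
}

# suggest_nolog LOGFILE MIN_HITS [SRC_PREFIX]: a DENY_UDP_NOLOG line listing
# every port hit at least MIN_HITS times (from the selected sources only).
suggest_nolog() {
  udp_dpt_summary "$1" "${3:-}" | awk -v min="$2" '
    $1 >= min { ports = ports (ports == "" ? "" : " ") $2 }
    END { printf "DENY_UDP_NOLOG=\"%s\"\n", ports }'
}

main() {
  log=${1:-}
  cleanup=""
  if [ -z "$log" ]; then
    log=$(mktemp); write_sample_log "$log"; cleanup=$log
  fi
  echo "Dropped UDP by destination port (all sources):"
  udp_dpt_summary "$log"
  echo "Suggested setting (LAN sources only, at least 2 hits):"
  suggest_nolog "$log" 2 192.168.1.
  if [ -n "$cleanup" ]; then rm -f "$cleanup"; fi
}
main "$@"
```

Run it as "sh udp-noise.sh /var/log/arno-iptables-firewall" against the real log; without an argument it uses the constructed sample. Raise MIN_HITS until only the chatty LAN ports remain, and never pass an empty prefix when building the final setting, or outside probes end up silenced too.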
3.3 FIREWALL FOR A PROXY SERVER
Imagine now that in our internal network we have also a web server located behind a PROXY server.
The Proxy server has the IP 192.168.1.19 and the web server has the IP 192.168.2.15.
The Proxy server works with Squid3 (configured as a reverse Proxy) and accepts requests at the port 3128.
We have a router forwarding port 80 (from the external internet) to 192.168.1.19:3128 (in our internal network).
Squid will get the content of the web server through the port 80 of the web server.
The Proxy server has an "external NIC" (eth0) and three "internal NICS" (eth1, eth2, eth3).
The internal NIC eth1 works with addresses 192.168.2.X.
However only eth1 is used and it is connected directly to the web server.
The Proxy server also runs Apache in order to expose information produced by some programs (for instance Snort); this should only be available to the administrator.
The web server works with Apache listening at port 80 as already stated.
In the web server we also have an ftp server, vsftpd working with ports 20, 21, and 30020 to 30031 (only for the administrator).
There is also an active VNC server that should only be accessed by the administrator (remember with IP 192.168.1.10).
Then the configuration file 00debconf.conf for the Proxy server should look like this one (please read the comments to adapt this file to your needs):
# The external interface
EXT_IF="eth0"
# Enable if THIS machine (dynamically) obtains its IP through (IPv4) DHCP
# This is a proxy server with a static IP, so:
EXT_IF_DHCP_IP=0
# Specify here your internal network (LAN) interface(s)
INT_IF="eth1 eth2 eth3"
# Specify here the internal IPv4 subnet(s) for every NIC (we have three NICs)
INTERNAL_NET="192.168.2.0/24,192.168.3.0/24,192.168.4.0/24"
# We only allow the administrator to access ports 80 (Apache), 667 (darkstat)
# and 5900 (default VNC port) of the Proxy Server
HOST_OPEN_TCP="192.168.1.10~80,667,5900"
# We allow anyone to access port 3128 (Squid working as a reverse Proxy server).
OPEN_TCP="3128"
# Enable this if you want to perform NAT (masquerading) for your internal network (LAN)
NAT=1
# (EXPERT SETTING!) In case you would like to use SNAT (Static NAT)
NAT_STATIC_IP="192.168.1.19"
# NAT TCP/UDP/IP forwards.
# We ask the proxy server to forward certain ports so the administrator may access the web server.
# We forward ports 20,21,30020-30031 for vsftpd and 5901 for VNC, but only
# when the request comes from the administrator's machine.
NAT_FORWARD_TCP="192.168.1.10~20,21,30020:30031,5901>192.168.2.15"
# FTP and VNC run over TCP only, so there is nothing to forward for UDP.
NAT_FORWARD_UDP=""
# No mail! We only have a web server and a Proxy server, so we stop the
# machines behind this firewall from talking to mail servers on the internet:
# a compromised web server then cannot be used to send spam.
# The following ports are blocked for LAN hosts going out to the internet
LAN_INET_DENY_TCP="25,110,143,465,585,993,995"
# We do not log UDP requests from devices as PLCs and cell phones
DENY_UDP_NOLOG="67 68 137 138 631"
# Blacklist of the IPs attacking our servers
BLOCK_HOSTS_FILE="/etc/arno-iptables-firewall/blocked-hosts"
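One mistake that is easy to make in both the mail-server and the proxy configurations above is to list a port under OPEN_TCP and, at the same time, restrict it to certain hosts under HOST_OPEN_TCP. Both settings produce ACCEPT rules, and the OPEN_TCP rule matches for every source, so the host list restricts nothing. The helper below is an added example (not part of AIF or of the original page): it expands a HOST_OPEN_TCP value written in the syntax this page uses (entries separated by spaces, hosts and ports by commas, host list and port list by "~") into host/port pairs and reports ports whose restriction is voided by OPEN_TCP. It compares single port numbers only; a range such as 30020:30031 is compared as the literal string.

```sh
#!/bin/sh
# Cross-check OPEN_TCP against HOST_OPEN_TCP: a port in OPEN_TCP is reachable
# from everywhere, so restricting the same port in HOST_OPEN_TCP is pointless.

# expand_host_open "HOST_OPEN_TCP value": one "host port" line per pair.
expand_host_open() {
  for entry in $1; do
    case $entry in
      *~*) ;;
      *) echo "skipping malformed entry (no ~): $entry" >&2; continue ;;
    esac
    hosts=$(echo "${entry%%~*}" | tr ',' ' ')
    ports=$(echo "${entry#*~}" | tr ',' ' ')
    for h in $hosts; do
      for p in $ports; do
        echo "$h $p"
      done
    done
  done
}

# shadowed_ports "OPEN_TCP value" "HOST_OPEN_TCP value": ports present in
# both, i.e. whose host restriction is void. One port per output line.
shadowed_ports() {
  pairs=$(expand_host_open "$2" 2>/dev/null)
  for p in $(echo "$1" | tr ',' ' '); do
    if echo "$pairs" | awk -v p="$p" '$2 == p { found = 1 } END { exit !found }'; then
      echo "$p"
    fi
  done
}

# report "OPEN_TCP value" "HOST_OPEN_TCP value": readable summary; returns 1
# when something is shadowed, so a deployment script can refuse to go on.
report() {
  echo "open to everyone: ${1:-none}"
  echo "host-restricted:"
  expand_host_open "$2" | sed 's/^/  /'
  bad=$(shadowed_ports "$1" "$2")
  if [ -n "$bad" ]; then
    echo "WARNING: restriction void, also listed in OPEN_TCP: $(printf '%s ' $bad)"
    return 1
  fi
  echo "no shadowed ports"
}

# The mail-server settings from this page, then a deliberately wrong variant
# in which port 80 was later added to OPEN_TCP "to make webmail work".
report "25" "192.168.1.11,192.168.1.12,192.168.1.14~80 192.168.1.10~22,80"
report "25 80" "192.168.1.11,192.168.1.12,192.168.1.14~80 192.168.1.10~22,80" || true
```

To check a live configuration, source it in a subshell and pass the two variables: ( . /etc/arno-iptables-firewall/conf.d/00debconf.conf; report "$OPEN_TCP" "$HOST_OPEN_TCP" ). The same idea applies to OPEN_UDP and HOST_OPEN_UDP.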
3.4 STOPPING AND STARTING THE FIREWALL
After changing the configuration you need to restart the firewall. You may call arno-iptables-firewall with the following arguments:
start = Start firewall
stop = Stop firewall
stop-block = Stop firewall & block all internet packets
restart = Restart firewall
force-reload = Reload blocked hosts (blackhole) file
Note that stop removes all rules and leaves the machine unprotected; if you want to cut all traffic instead, use stop-block. For example, to stop the firewall:
sudo /usr/sbin/arno-iptables-firewall stop
To start the firewall:
sudo /usr/sbin/arno-iptables-firewall start
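A restart over ssh is the moment a typo in 00debconf.conf locks you out, because the new ruleset is loaded before you can see whether it still admits you. The script below is an added example (not part of AIF or of the original page) of the usual safeguard: arm a timed rollback, restart, open a new ssh session, and cancel the rollback only when that session works. The rollback command is "arno-iptables-firewall stop", which as noted above leaves the host open, so keep the window short and run the script inside screen or tmux so the timer outlives a dropped session. The path in FIREWALL is the one used elsewhere on this page; everything else (function names, the default 120-second window) is the example's own choice.

```sh
#!/bin/sh
# Restart AIF with an automatic rollback in case the new rules lock you out.
FIREWALL=${FIREWALL:-/usr/sbin/arno-iptables-firewall}

# guard_arm SECONDS COMMAND: run COMMAND after SECONDS unless cancelled.
# Sets GUARD_PID. Output goes to GUARD_LOG (default /dev/null) so the timer
# never holds a pipe open for a caller that captures stdout.
guard_arm() {
  (
    sleep "$1"
    eval "$2"
  ) >"${GUARD_LOG:-/dev/null}" 2>&1 &
  GUARD_PID=$!
}

# guard_cancel PID: stop the timer. Killing the subshell is enough: the
# orphaned sleep exits on its own and the command after it never runs.
guard_cancel() {
  if kill "$1" 2>/dev/null; then
    echo "rollback cancelled"
  else
    echo "timer $1 already gone; check whether the rollback fired"
  fi
}

# guarded_restart WINDOW_SECONDS: arm the rollback, then restart.
guarded_restart() {
  guard_arm "$1" "$FIREWALL stop"
  echo "rollback armed (pid $GUARD_PID): the firewall will be STOPPED in $1 s unless cancelled"
  "$FIREWALL" restart
  echo "open a NEW ssh session now; if it works, cancel with: kill $GUARD_PID"
}

# Usage: sh guarded-restart.sh run [window-seconds]   (default 120)
case "${1:-}" in
  run) guarded_restart "${2:-120}" ;;
esac
```

If the new session fails, simply wait: the timer stops the firewall, your existing session recovers, and you can fix the configuration and try again. If it succeeds, kill the timer immediately, since until then the host is one countdown away from running with no rules at all.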
You are also encouraged to read the following text, which has been extracted from the README file and a FAQ section:
------------------------------------- FROM FILE README -------------------------------------