Creating Firewall and Virtual Networks with Linux Operating System
 

In the previous article, the Linux distributions made available by the METU Computer Center were examined in some detail. Shortly after that article, Slackware 9.0, Mandrake 9.1 and RedHat 9.0 were released and gave Linux a new face. The new features of these releases will be examined in later issues of CISN.

This article addresses a more technical subject: the tool that users most frequently turn to when they want to protect their systems against attacks. Such protection is usually provided by software known as a firewall, and operating systems now ship with built-in firewalling of their own.

Linux provides firewalling at the kernel level; the support is either compiled into the kernel or loaded as modules. Packet filtering is done with ipfwadm on 2.0.x kernels, with ipchains on 2.2.x kernels and with iptables on 2.4.x kernels. The corresponding options must be selected when the kernel is configured, or the components must later be loaded into the kernel as modules.

Recent Linux systems use kernel 2.4 or later, so this article concentrates on iptables.

When configuring the kernel, select the options needed for firewalling under the following path: Networking options → IP: Netfilter Configuration → IP tables support (required for filtering/masq/NAT). The individual matches and targets used below (state, limit, LOG, MASQUERADE) are separate options in the same menu.

Using Linux as a standard security firewall:

If the support is not built into the kernel, the modules are loaded with the following commands (this is the most common arrangement). modprobe is preferred to insmod because it also loads the modules the requested one depends on; note that the filter table module is named iptable_filter:

/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter

The filter table of the Linux firewall has three built-in chains: INPUT, FORWARD and OUTPUT. The default policy of each chain must be set. Here the firewall's default policy is to DROP every packet, so only packets that are explicitly allowed are ACCEPTed. Before setting the policies, define the location of the iptables program:

IPTABLES=/sbin/iptables

Then set the default policy of the three chains and flush any rules left over from earlier runs:

$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD

After that, add the rules that accept the packets you want. Do this from the console rather than over the network: as soon as the INPUT policy becomes DROP, every connection to the machine (including your own remote session) is cut off until an accepting rule exists. For example, to accept packets coming from and going to the IP address 144.122.202.19, enter the following commands:

$IPTABLES -A INPUT -s 144.122.202.19 -j ACCEPT
$IPTABLES -A OUTPUT -d 144.122.202.19 -j ACCEPT
In the same way you can allow a single IP address or a whole block. The mask must be a proper netmask, a contiguous run of ones followed by zeros (or a prefix length such as /24); 255.255.255.0 here covers 144.122.202.0 to 144.122.202.255:

$IPTABLES -A INPUT -s 144.122.202.0/255.255.255.0 -j ACCEPT
$IPTABLES -A OUTPUT -d 144.122.202.0/255.255.255.0 -j ACCEPT
You can also restrict packets by type (tcp, udp, icmp and so on) and by port number. For the filter to work correctly you must know which protocol and port each service uses; the standard services are listed in the /etc/services file of the Linux system, for example:

ftp-data         20/tcp
ftp-data         20/udp
# 21 is registered to ftp, but also used by fsp
ftp              21/tcp
ftp              21/udp         fsp fspd
ssh              22/tcp         # SSH Remote Login Protocol
ssh              22/udp         # SSH Remote Login Protocol
telnet           23/tcp
telnet           23/udp
# 24 - private mail system
smtp             25/tcp         mail
smtp             25/udp         mail
For example, web servers provide their service with tcp packets on port 80. The following rules make the web server reachable from everywhere; the OUTPUT rule lets the server's replies, which carry source port 80, leave the machine:

$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 80 -j ACCEPT
Similarly, DNS servers use both tcp and udp packets on port 53. If the DNS server should be reachable only from the addresses allocated to METU (the 144.122.0.0/16 block), the following rules are needed:

$IPTABLES -A INPUT -p tcp -s 144.122.0.0/255.255.0.0 --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp -s 144.122.0.0/255.255.0.0 --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d 144.122.0.0/255.255.0.0 --sport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p udp -d 144.122.0.0/255.255.0.0 --sport 53 -j ACCEPT
Other kernel options add more advanced filtering to iptables. The state match (connection tracking, ip_conntrack) recognises packets that belong to connections already accepted, so reply traffic no longer has to be opened port by port with --sport rules, and the LOG target records packets matching a rule in the system log.
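The rules above are stateless: every service needs a matching OUTPUT rule for its replies, and nothing records what the policy drops. The following script is an added example, not the article's own, that puts the same scenario (default DROP, one fully trusted host, a public web server, a DNS server reachable only from 144.122.0.0/16) into a form that uses the state match and the LOG target, and checks dotted netmasks before they reach iptables. The host and network values are the article's; by default it only prints the commands (DRY_RUN=1) and applies them when run as root with DRY_RUN=0.

```shell
#!/bin/sh
# Stateful host firewall for a 2.4 kernel. Added example, not the article's
# script. Unless DRY_RUN=0 the iptables commands are printed, not executed,
# so the ruleset can be reviewed before it is applied.
IPTABLES=${IPTABLES:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}

TRUSTED_HOST="144.122.202.19"            # administrator's machine (from the article)
CAMPUS_NET="144.122.0.0/255.255.0.0"     # METU block, dotted mask as in the article

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "$IPTABLES $*"; else "$IPTABLES" "$@"; fi
}

# Print the prefix length of a dotted-quad netmask, or fail if the mask is not
# a run of ones followed by zeros. iptables does not reject such a mask
# (e.g. 255.255.202.0); it silently matches a bit pattern, not a network.
mask_to_prefix() {
    case $1 in
        *.*.*.*.*|*[!0-9.]*) return 1 ;;    # too many fields or non-digits
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    _r=$1
    _a=${_r%%.*}; _r=${_r#*.}
    _b=${_r%%.*}; _r=${_r#*.}
    _c=${_r%%.*}; _d=${_r#*.}
    for _o in "$_a" "$_b" "$_c" "$_d"; do
        [ -n "$_o" ] && [ "$_o" -le 255 ] || return 1
    done
    _m=$(( (_a << 24) | (_b << 16) | (_c << 8) | _d ))
    # contiguous <=> m | (m-1) sets all 32 bits (0xFFFFFF00 | 0xFFFFFEFF = 0xFFFFFFFF)
    [ $(( (_m | (_m - 1)) & 4294967295 )) -eq 4294967295 ] || return 1
    _p=0
    while [ "$_m" -ne 0 ]; do
        _p=$(( _p + 1 )); _m=$(( (_m << 1) & 4294967295 ))
    done
    echo "$_p"
}

# Normalise "net/dotted-mask" to "net/prefix", refusing invalid masks.
to_cidr() {
    case $1 in
        */*.*)
            _pfx=$(mask_to_prefix "${1#*/}") || { echo "bad netmask: $1" >&2; return 1; }
            echo "${1%/*}/$_pfx" ;;
        *) echo "$1" ;;
    esac
}

build_firewall() {
    CAMPUS=$(to_cidr "$CAMPUS_NET") || return 1

    # Default deny on the three filter chains, then clear old rules.
    for chain in INPUT OUTPUT FORWARD; do
        ipt -P $chain DROP
        ipt -F $chain
    done

    # Loopback must stay open or local services and the resolver break.
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Packets of already accepted connections (ip_conntrack / ipt_state);
    # this replaces the per-service --sport rules of the stateless version.
    ipt -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-lockout: everything from and to the administrator's host.
    ipt -A INPUT  -s "$TRUSTED_HOST" -j ACCEPT
    ipt -A OUTPUT -d "$TRUSTED_HOST" -j ACCEPT

    # Public web server: new connections to tcp/80 from anywhere.
    ipt -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # DNS server: new queries only from the campus block, tcp and udp.
    for proto in tcp udp; do
        ipt -A INPUT -p $proto -s "$CAMPUS" --dport 53 -m state --state NEW -j ACCEPT
    done

    # Outbound DNS lookups made by this host itself.
    for proto in tcp udp; do
        ipt -A OUTPUT -p $proto --dport 53 -m state --state NEW -j ACCEPT
    done

    # Record what the policy is about to drop, rate-limited so an attacker
    # cannot fill the log (ipt_limit and ipt_LOG modules).
    ipt -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "FW-DROP: "
}

build_firewall
```

Run it once without arguments to read the generated ruleset, then `DRY_RUN=0 sh firewall.sh` from the console to apply it. The rule order matters: loopback and ESTABLISHED,RELATED come first so they are matched cheaply, the trusted host comes before any service rule, and the LOG rule is last so it sees only packets the policy is about to drop.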

Creating virtual networks with iptables:

The following address blocks are reserved by the Internet standards (RFC 1918) for private, or "virtual", networks; they are never routed on the public Internet:

10.0.0.0      10.255.255.255     (10.0.0.0/8)
172.16.0.0    172.31.255.255     (172.16.0.0/12)
192.168.0.0   192.168.255.255    (192.168.0.0/16)

In Internet cafes and other places where there are not enough real IP addresses, or where security requires it, Internet access is provided through a private network: several computers reach the Internet through a single gateway machine. That machine needs an ethernet card (or a modem) holding the real IP address, through which the Internet is reached, and a second ethernet card connected to the internal private network. To use the system for IP masquerading, load the NAT module with /sbin/modprobe iptable_nat (modprobe also loads ip_conntrack, which NAT requires).

For example, assume that the real connection is on the first ethernet card (eth0), the private network is on the second card (eth1) and the private network consists of 10 computers. The following settings are made on the gateway:

DISAG="eth0"                     # external interface (dış ağ), holds the real IP
ICAG="eth1"                      # internal interface (iç ağ), on the private network
GERCEKIP="144.122.202.19"        # the real IP address on $DISAG
SANALIP="10.0.0.1"               # the gateway's own address on the private network
SANALAG="10.0.0.0/255.0.0.0"     # the private network
echo "1" > /proc/sys/net/ipv4/ip_forward    # let the kernel route between the two cards
echo "1" > /proc/sys/net/ipv4/ip_dynaddr    # only needed when the real IP is assigned dynamically (dial-up)
$IPTABLES -t nat -F
# The FORWARD policy set earlier is DROP, so forwarding must be allowed explicitly:
# packets from the private network going out, and the replies to them coming back.
$IPTABLES -A FORWARD -i $ICAG -o $DISAG -s $SANALAG -j ACCEPT
$IPTABLES -A FORWARD -i $DISAG -o $ICAG -d $SANALAG -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o $DISAG -j MASQUERADE
Then, on each computer in the private network, set the IP address to an unused 10.x.x.x address, the subnet mask to 255.0.0.0 and the default gateway to 10.0.0.1 (the gateway's own address on eth1, SANALIP above), together with a DNS server address. Once these settings are complete, the Internet is accessible from the private network.
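The masquerading rule by itself only rewrites addresses; the gateway also has to forward packets, and it should refuse packets that arrive on the Internet side claiming a private source address, since those can only be forged. The script below is an added example (not the article's script) of a complete gateway configuration under the assumptions eth0 external, eth1 internal and 10.0.0.0/8 inside; its EXT_IF, INT_IF and LAN correspond to the article's DISAG, ICAG and SANALAG. It prints the commands unless run with DRY_RUN=0.

```shell
#!/bin/sh
# NAT gateway (IP masquerading) on a 2.4 kernel with two interfaces: eth0 on
# the Internet with the real IP, eth1 on the private 10.0.0.0/8 network.
# Added example, not the article's script; interface names and addresses are
# assumed. Unless DRY_RUN=0 the commands are printed rather than executed.
IPTABLES=${IPTABLES:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}

EXT_IF="eth0"            # the article's DISAG: card holding the real IP
INT_IF="eth1"            # the article's ICAG: card on the private network
LAN="10.0.0.0/8"         # the article's SANALAG
RFC1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}
ipt() { run "$IPTABLES" "$@"; }

# Write a value under /proc/sys/net/ipv4/ (printed in dry-run mode).
sysctl_set() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo $2 > /proc/sys/net/ipv4/$1"
    else
        echo "$2" > "/proc/sys/net/ipv4/$1"
    fi
}

build_gateway() {
    # modprobe also loads ip_conntrack, which iptable_nat depends on.
    run /sbin/modprobe iptable_nat
    run /sbin/modprobe ipt_MASQUERADE

    # Route between the two cards; rp_filter discards packets whose source
    # address is not reachable through the interface they arrived on.
    sysctl_set ip_forward 1
    sysctl_set conf/all/rp_filter 1

    ipt -t nat -F
    ipt -F FORWARD
    ipt -P FORWARD DROP

    # Anti-spoofing: private source addresses never legitimately arrive
    # from the Internet side.
    for net in $RFC1918; do
        ipt -A FORWARD -i "$EXT_IF" -s "$net" -j DROP
    done

    # Only the private network, entering on the inside card, may open
    # connections out (INVALID packets are excluded by the state match).
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Replies to those connections come back in; unsolicited packets from
    # outside remain dropped by the policy.
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$LAN" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Rewrite the source address of outgoing LAN packets to the real IP of $EXT_IF.
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j MASQUERADE
}

# Check whether forwarding is actually on: the MASQUERADE rule alone does
# nothing while /proc/sys/net/ipv4/ip_forward is 0.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

build_gateway
```

The anti-spoofing rules are inserted before the ACCEPT rules on purpose: iptables evaluates a chain top to bottom and stops at the first match, so a packet from the Internet with a 10.x.x.x source hits the DROP before any rule that could accept it. The `-s "$LAN"` on the MASQUERADE rule keeps the gateway from masquerading for addresses it was never meant to serve.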

The iptables program itself and more information on the subject can be obtained from http://www.netfilter.org

Have fun with Linux's reliable and secure computing...

Selçuk Han AYDIN

 
     