Tuesday, July 24, 2007

Setting up Linux firewall using IPTABLES

    There are 8 Linux workstations and 4 WinXP PCs in our lab. Originally, every computer had its own static global IP address. Besides the cost of these static IP addresses, it was a mess to manage and secure all of these machines. Hence, I set up a Linux gateway and put all the computers behind it. This way I no longer need to update the WinXP machines in most cases, and only need to update LPD, SSH, Sendmail and Apache on the corresponding Linux hosts to remove security vulnerabilities. The following figure shows the basic architecture:
    I put three 100M Ethernet cards in the Linux gateway (an old P2 with 128MB of memory is enough). On the gateway, "eth0" connects to the outside Internet with the static IP address "Out.IP"; "eth2" uses IP "" and connects to the Web Server of our lab (the DMZ zone); "eth1" uses IP "" and connects to the internal network.
    My firewall IPTABLES script is modified from the code in Ziegler's book "Linux Firewalls". You can check the scripts here:
1. nat-dmz-firewall.txt: firewall script on the gateway.
2. stand-alone.txt:      a simple standalone firewall.
3. open-all.txt:         iptables script that opens all connections (useful when debugging the gateway firewall).
    Then I put these scripts under /etc/rc.d/ and added one line to /etc/rc.d/rc.local:
        sh /etc/rc.d/nat-dmz-firewall.txt
    This way, the iptables script runs automatically when the gateway boots.
    Explanation of the firewall script:
1. The default policy for OUTPUT and FORWARD is DROP. This way, if the web server or an internal computer is compromised, the attacker will not be able to use our computers to scan the Internet. However, if you install software on the LAN that needs a particular port to connect to the Internet, you need to open that port for that machine in the script. For example, if the machine with IP runs a program that needs port 8080 to the outside, you add one line like this:
iptables -A FORWARD -i $LAN_IF -o $EXT_IF -p tcp -s --sport $UNPRIVPORTS --dport 8080 -m state --state NEW -j ACCEPT
2. The internal "Main Server" hosts the email service (SMTP and IMAPS), users' home directories, the internal SAMBA service, the network printer and NIS. The gateway forwards SSH (port 22), SMTP (port 25) and IMAP4+SSL (port 993) to the internal Main Server. It also forwards LPD printing requests from an outside trusted computer to the Main Server.
3. From the outside Internet, our users can use SSH on port 3023 to connect to the DMZ web server and modify their homepages. As the administrator, I can use SSH on port 3022 to connect to the gateway.
4. For security reasons, no NFS traffic crosses the gateway. In the internal network, users can only use SSH and SSH's file transfer (sftp) to modify their homepages on the web server. Another way is to use rsync. However, a user wants to see his modification immediately, and that is a little complicated to do with rsync.
5. From Red Hat 7.2 on, the default installation of OpenSSH has X11 forwarding enabled, so we don't need to consider X Window connections separately.
6. I can't set the default policy of the NAT and MANGLE chains to DROP. Otherwise, even DNS requests can't pass the firewall.
7. Unlike other client requests, the client's LPD printing request occasionally uses a privileged port (1~1024) as its source port.
8. I turned on the FTP-like mode on the Apache web server in the DMZ zone. This way, I don't need to run an FTP service on the web server. Our lab users can use SSH and sftp to upload files. If someone other than our lab users wants to upload files from outside, I create a temporary account so they can use SSH and sftp to upload. Another way is to set up JavaScript to handle the file upload.
   If IE on your internal network can't browse an FTP server outside and shows the error "500 illegal port command", it means you didn't enable the "passive FTP" option in IE. Go to the menu "Tools" ==> "Internet Options..." ==> "Advanced" and check "Use Passive for FTP" at the end of the "Browsing" category.
9. Traffic allowed:
(1). Internet ==> LAN
   To Main Server: SSH, SMTP, IMAP+SSL, LPD request from a trusted IP.
(2). Internet ==> DMZ Web Server
   SSH, Web request.
(3). Internet ==> Gateway
(4). DMZ Web Server ==> LAN, Internet
   SSH to Internet and only to Main Server in LAN; DNS request; WWW/FTP request to Internet.
(5). LAN ==> Internet, DMZ Web Server
   SSH, DNS request, WWW/FTP request, Matlab license request to the outside Matlab license server; SMTP request, RealPlay.
(6). LAN ==> LAN
   Internal traffic with no constraint.
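The forwarding design described in items 1, 2, 3 and 9 above, as an added example that is not the post's nat-dmz-firewall.txt: default-deny policies, a helper that publishes an internal TCP service on Out.IP (DNAT plus a stateful FORWARD rule), and the per-host outbound rule from item 1. The interface names follow the post; EXT_IP, MAIN_SRV, WEB_SRV and the LAN host 192.168.1.50 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the post's nat-dmz-firewall script. Addresses below are
# constructed placeholders; replace them with your own (EXT_IP is the post's "Out.IP").
IPT=${IPT:-iptables}               # set IPT=echo to print rules instead of loading them
EXT_IF=eth0; LAN_IF=eth1; DMZ_IF=eth2
EXT_IP=${EXT_IP:-198.51.100.10}    # gateway public address (TEST-NET-2 placeholder)
MAIN_SRV=${MAIN_SRV:-192.168.1.10} # internal Main Server (assumed address)
WEB_SRV=${WEB_SRV:-192.168.2.10}   # DMZ web server (assumed address)
UNPRIVPORTS=1024:65535

set_policies() {
  # Default deny in every direction, as the post does for OUTPUT and FORWARD
  $IPT -P INPUT DROP; $IPT -P OUTPUT DROP; $IPT -P FORWARD DROP
  $IPT -A INPUT -i lo -j ACCEPT; $IPT -A OUTPUT -o lo -j ACCEPT
  # Replies to already-accepted connections pass without per-port rules
  for c in INPUT OUTPUT FORWARD; do
    $IPT -A $c -m state --state ESTABLISHED,RELATED -j ACCEPT
  done
}

# Publish one internal TCP service on the gateway's public address:
# rewrite the destination (DNAT), then allow only the NEW forwarded flow.
# $1 public port, $2 internal host, $3 internal port, $4 internal interface
publish_tcp() {
  $IPT -t nat -A PREROUTING -i $EXT_IF -d $EXT_IP -p tcp --dport $1 \
    -j DNAT --to-destination $2:$3
  $IPT -A FORWARD -i $EXT_IF -o $4 -p tcp --sport $UNPRIVPORTS \
    -d $2 --dport $3 -m state --state NEW -j ACCEPT
}

# Item 1 of the post: let one LAN host open outbound connections to one port
allow_lan_out() {  # $1 LAN host, $2 destination port
  $IPT -A FORWARD -i $LAN_IF -o $EXT_IF -p tcp -s $1 --sport $UNPRIVPORTS \
    --dport $2 -m state --state NEW -j ACCEPT
}

main() {
  set_policies
  publish_tcp 22 $MAIN_SRV 22 $LAN_IF     # SSH  -> Main Server
  publish_tcp 25 $MAIN_SRV 25 $LAN_IF     # SMTP -> Main Server
  publish_tcp 993 $MAIN_SRV 993 $LAN_IF   # IMAP over SSL -> Main Server
  publish_tcp 3023 $WEB_SRV 22 $DMZ_IF    # SSH on 3023 -> DMZ web server
  $IPT -A FORWARD -i $EXT_IF -o $DMZ_IF -p tcp -d $WEB_SRV --dport 80 \
    -m state --state NEW -j ACCEPT        # web requests to the DMZ
  allow_lan_out 192.168.1.50 8080         # constructed: one LAN host to port 8080
  # Hide LAN and DMZ behind Out.IP for whatever they are allowed to send out
  $IPT -t nat -A POSTROUTING -o $EXT_IF -j SNAT --to-source $EXT_IP
}
case "${1:-}" in run) main ;; esac
```

Run `sh gateway.sh run` as root to load the rules, or `IPT=echo sh gateway.sh run` to preview them first.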
