Linux IP Masquerading and Firewalling

This paper includes my notes on setting up my Linux box as a firewall and to provide IP forwarding, or masquerading, from private networks. All I know I learned from the excellent articles in the next section.

Background Reading

Configuration

In order to get the kernel talking to the Ethernet card that PacBell delivered, I added the following to /etc/conf.modules:

alias eth1 tulip

I had to obtain and install the latest version of DHCP (1.0.2) to handle both Ethernet cards.

I reconfigured the kernel, which should be 2.2.X, as follows:

CONFIG_IP_FIREWALL=y
CONFIG_IP_ALWAYS_DEFRAG=y
CONFIG_IP_TRANSPARENT_PROXY=y
CONFIG_IP_MASQUERADE=y
CONFIG_IP_MASQUERADE_ICMP=y
CONFIG_IP_NOSR=y

Note that I didn't turn on CONFIG_EXPERIMENTAL as per the HOWTOs and it worked just the same.

See Section 3 of RFC 1918 for the IP addresses you should use on your private network. You can also simply use the network that I've used in the initialization file below [192.168.69.0].

ipchains is used for packet filtering and replaces ipfwadm in newer kernels. It currently handles masquerading, but the masquerading commands are expected to be pulled out into their own command in the future.

I've put these commands after my first Ethernet commands in /etc/init.d/network.local and symlinked it from /etc/rcS.d/S40network.local so they get run at boot time.

Notes:

  1. Values marked in red must be changed to match your own IP address and your Internet gateway.
  2. Values marked in orange may be changed if you don't want to use the IP address I use on my private network.
  3. Text marked in blue is used to perform IP masquerading between the private network and the outside world.
  4. Text marked in green is used to configure the firewall. The place to put holes in your dike begins with the comment, "Open various ports." You'll probably remove a couple of those lines if you're not running a Web server, and you'll probably need to add a whole lot more lines to let you do your thing. The last line logs unauthorized network traffic to /var/log/syslog. You'll want to keep an eye on this to see which ports you may wish to open, or to watch losers get snuffed by your firewall.

#! /bin/sh
#
# Local network configuration.
#

IP=209.233.16.176

# Configure first Ethernet card connected to Internet as default gateway.
ifconfig eth0 $IP				> /dev/null 2>&1
route add default gw 209.233.16.254

# Set up IP forwarding.
ipchains -F forward
ipchains -P forward DENY
echo "1" > /proc/sys/net/ipv4/ip_forward

# Configure second Ethernet on private network. Forward and masquerade
# packets going to Internet.
ifconfig eth1 192.168.69.1			> /dev/null 2>&1
ipchains -A forward -j MASQ -s 192.168.69.0/24 -d 0.0.0.0/0

# Firewalling.
ipchains -F input
ipchains -P input REJECT

# ICMP and local packets cool.
ipchains -A input -p icmp -j ACCEPT
ipchains -A input -i lo -j ACCEPT

# As are local networks.
ipchains -A input -i ppp0 -j ACCEPT
ipchains -A input -i eth1 -j ACCEPT

# Open various ports.
ipchains -A input -p tcp -d $IP www -j ACCEPT
ipchains -A input -p udp -d $IP www -j ACCEPT
ipchains -A input -p tcp -s 0.0.0.0/0 www -d $IP 1024: -j ACCEPT
ipchains -A input -p tcp -s 0.0.0.0/0 https -d $IP 1024: -j ACCEPT

# RealAudio input stream (see RealNetworks RealSystem Firewall Support).
ipchains -A input -p udp -s 0.0.0.0/0 1024: -d $IP 6970:7170 -j ACCEPT

# Log anything that fell through. There is no -j target here, so a matching
# packet is logged (to the kernel log, which syslog writes to /var/log/syslog)
# and then continues on to the chain policy above, which REJECTs it.
ipchains -A input -d $IP -l
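The last rule above only writes "Packet log:" lines to syslog; deciding which ports to open means reading them. The following script is an added example, not part of the original page, that summarizes those lines by destination port and by source address. The sample syslog excerpt is constructed in the kernel 2.2 ipchains log layout (`Packet log: <chain> <action> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ...`); the addresses in it are made up, and the `sample_log`, `port_summary` and `source_summary` function names are this example's own.

```shell
#!/bin/sh
# Added example: summarize ipchains "Packet log:" lines from syslog so you
# can see which ports outsiders keep hitting (and which hosts are noisiest)
# before deciding whether to open a port. Not from the original page.

# Constructed sample syslog excerpt in the kernel 2.2 ipchains log format.
# Sources are made-up addresses; the destination is the $IP from the script.
sample_log() {
cat <<'EOF'
Apr  1 10:00:01 fw kernel: Packet log: input REJECT eth0 PROTO=6 10.11.12.13:2047 209.233.16.176:23 L=60 S=0x00 I=4321 F=0x4000 T=51 SYN (#10)
Apr  1 10:00:02 fw kernel: Packet log: input REJECT eth0 PROTO=6 10.11.12.13:2048 209.233.16.176:23 L=60 S=0x00 I=4322 F=0x4000 T=51 SYN (#10)
Apr  1 10:00:05 fw kernel: Packet log: input REJECT eth0 PROTO=17 10.20.30.40:1234 209.233.16.176:137 L=78 S=0x00 I=9 F=0x0000 T=120 (#10)
Apr  1 10:00:09 fw kernel: Packet log: input REJECT eth0 PROTO=6 10.9.8.7:3333 209.233.16.176:25 L=60 S=0x00 I=1 F=0x4000 T=240 SYN (#10)
Apr  1 10:00:10 fw kernel: Packet log: input REJECT eth0 PROTO=6 10.11.12.13:2049 209.233.16.176:23 L=60 S=0x00 I=4323 F=0x4000 T=51 SYN (#10)
Apr  1 10:00:11 fw kernel: some unrelated message
EOF
}

# Print "hits proto dport" for each destination port, busiest first.
# After the "log:" token the fields are: chain action iface PROTO=n src:sport dst:dport
port_summary() {
    grep 'Packet log:' | awk '{
        for (i = 1; i <= NF; i++) if ($i == "log:") break;
        proto = substr($(i+4), 7);            # strip the "PROTO=" prefix
        split($(i+6), d, ":");                # dst:dport -> d[1], d[2]
        name = (proto == "6" ? "tcp" : (proto == "17" ? "udp" : proto));
        n[name " " d[2]]++
    } END { for (k in n) print n[k], k }' | sort -rn
}

# Print "hits src" for each source address, so one persistent host stands out.
source_summary() {
    grep 'Packet log:' | awk '{
        for (i = 1; i <= NF; i++) if ($i == "log:") break;
        split($(i+5), s, ":");                # src:sport -> s[1], s[2]
        n[s[1]]++
    } END { for (k in n) print n[k], k }' | sort -rn
}

# Stand-alone run over the constructed sample; on a real box use
#   grep 'Packet log:' /var/log/syslog | port_summary
sample_log | port_summary
sample_log | source_summary
```

Run against the sample, `port_summary` puts `3 tcp 23` first (three rejected telnet connection attempts from one host) ahead of the single hits on udp 137 and tcp 25, and `source_summary` puts that host first; on a real box, feed it `/var/log/syslog` instead of `sample_log`.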

by-nc-nd