Using Debian linux as a network firewall

Introduction to this web page

This web page describes setting up Debian linux as a network firewall. As with SuSE Linux, it was done as an experiment, and the aim was to reuse my existing firewall script.

It is based on Debian 3.0r2, known as Woody, using the kernel option bf24.

Installation and initial set up

Debian linux by default uses kernel 2.2, in various versions. However, you can choose to install kernel 2.4 by entering "bf24" right at the start of the installation.

My understanding is that iptables didn't exist until kernel 2.4, so using kernel 2.4 would appear to be essential.

Apart from that, a minimal default installation was done, with no added software. This gives a minimal installation of Linux, which takes up about 70 MB of hard drive space.

Once Debian linux is installed, you may decide to add some applications, such as vim and less. Using the apt-get suite is the easiest way to do this;

        apt-get install vim

does the job.

The installation process will only allow the configuration of one network card, although two are installed. You can elect whether to configure eth0 or eth1.

The second network card can be configured by manually editing the file /etc/network/interfaces.

Unlike Red Hat and SuSE, Debian has the configuration for all network devices in the one file.

On the assumption that eth0 was configured during the install of Linux, open the file /etc/network/interfaces and add a section at the end such as:

        auto eth1
        iface eth1 inet static
                address 10.0.0.1
                netmask 255.255.255.0
                network 10.0.0.0
                broadcast 10.0.0.255

Setting up as a firewall

The user space application called iptables is installed with the minimum installation, and lives in /sbin, along with iptables-save and iptables-restore.

There is also an initialisation script in /etc/init.d, which comes with a host of warnings that it should not be used. It is not linked to from the directories /etc/rc2.d up to /etc/rc6.d.

Taking the warnings on board, I opted not to use it, but this left the problem of how to configure Debian linux as a firewall.

In Debian linux, the use of the /etc/rc.boot directory is now deprecated and should not be used. I could not find any way of configuring the firewall from the existing initialisation files.

So eventually I wrote my own iptables configuration script and put it into /etc/init.d.

Debian linux provides a sample skeleton initialisation script in /etc/init.d, so my script is based on that model. It is, however, somewhat different, as we are not starting a daemon in this case: we are loading a ruleset into kernel space and configuring IP forwarding.

Here is the script, if you want it. This is not a web page but a link to the actual shell script; however, some browsers will display it as a web page.

The script checks that the executables are present and that the saved ruleset is available, loads the ruleset into kernel space, and enables IP forwarding.

After saving the shell script in /etc/init.d, the link files in /etc/rc0.d through to /etc/rc6.d can be created using the update-rc.d utility.

The point during the boot-up process at which this script is run is important: we want the firewall ruleset in place before the network cards are enabled. We don't want a period of time, however short, in which the network cards are enabled and no ruleset is in place, because during that period our firewall or the protected subnet may be open to attack.

The network cards are enabled by the /etc/init.d/inet script, which is given the 20 qualifier. So we need to give our firewall script a qualifier lower than this, such as 15, so that the init process runs our firewall script before the inet script.

So the command that gives us what we want is

        update-rc.d iptables-2 start 15 2 3 4 5 . stop 15 0 1 6 .

Our script is now set up to run during start-up and during shutdown.

The script restores the ruleset from a file /ipt/saved, so we need to save the ruleset into this file.

Manually create the /ipt directory, and copy the firewall ruleset script to somewhere convenient. (Here is a sample of the type of script I am using; this link is to a bash shell script, not a web page, but as before some browsers display it as a web page anyway. It was originally written for a Red Hat linux firewall, hence the opening comments.)

Run this script to load the ruleset into kernel space -

        sh /...../iptables-17c

then save the ruleset from kernel space into our restoration file -

        iptables-save > /ipt/saved

That's the ruleset now stored so that the firewall initialisation script /etc/init.d/iptables-2 can recover it as required.

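An initialisation script in the style of /etc/init.d/iptables-2 described above, written as an added example rather than taken from the author's own script: it checks that iptables-restore and the saved ruleset exist, restores the ruleset, and only then enables IP forwarding. The overridable path variables and the choice to leave the rules loaded on stop are my own assumptions.

```shell
#!/bin/sh
# Firewall initialisation script in the style of /etc/init.d/iptables-2 on
# this page (added example, not the author's own script). It restores the
# saved ruleset and only then enables IP forwarding. The paths are
# variables (my assumption) so the functions can be tested without root.
IPT_RESTORE=${IPT_RESTORE:-/sbin/iptables-restore}
RULESET=${RULESET:-/ipt/saved}
IP_FORWARD=${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}

# Return 0 if iptables-restore is executable and the saved ruleset is
# readable; otherwise report the missing piece on stderr and return 1.
check_prereqs() {
    if [ ! -x "$IPT_RESTORE" ]; then
        echo "$IPT_RESTORE missing or not executable" >&2; return 1
    fi
    if [ ! -r "$RULESET" ]; then
        echo "saved ruleset $RULESET missing or unreadable" >&2; return 1
    fi
    return 0
}

# Load the ruleset into kernel space, then turn forwarding on. If the
# restore fails, forwarding stays off so nothing is routed unfiltered.
do_start() {
    check_prereqs || return 1
    "$IPT_RESTORE" < "$RULESET" || { echo "iptables-restore failed" >&2; return 1; }
    echo 1 > "$IP_FORWARD"
}

# On stop, only disable forwarding; the filter rules are deliberately left
# loaded so the host is never without a ruleset while it shuts down.
do_stop() {
    echo 0 > "$IP_FORWARD"
}

case "${1:-}" in
    start)   echo "Loading firewall ruleset"; do_start ;;
    stop)    echo "Disabling IP forwarding"; do_stop ;;
    restart|force-reload) do_stop; do_start ;;
    status)  check_prereqs && echo "ruleset $RULESET ready to load" ;;
    "")      ;;   # no action given (e.g. sourced): define functions only
    *)       echo "Usage: $0 {start|stop|restart|force-reload|status}" >&2; exit 1 ;;
esac
```

Install it with the update-rc.d command above so that do_start runs at sequence 15, ahead of the network interfaces.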
© 2004 Ron Turner