Using Red Hat Linux 9 as a network firewall
Introduction to this webpage
This page describes a possible way to use Red Hat Linux 9 as a firewall. It is based on the use of iptables, which is packaged with Red Hat Linux 9. This page is about using a Red Hat Linux 9 box to protect a secure subnet behind the firewall, and is based on the restriction that the Linux box is not used for any other purpose - that means no other purpose - the GUI is not used, no server functions, nothing. All control is done from the command line, using a shell script for convenience.
Personal viewpoint
The protection provided by a firewall is only as good as the protection which is given to the firewall itself against cracking by attackers via the internet. Using the Linux firewall box as any kind of server also means that you are opening up your Linux box to attacks through the ports that have to be opened to allow the Linux box to function as a server. I therefore strongly recommend that the Linux box which is running as the firewall is used for no other purpose.
Initial setup of the Linux box - 1
If you have installed Red Hat Linux 9 as an upgrade from a previous version of Red Hat Linux, then it is very probable that your Linux box has on it an earlier firewall technology called "Ipchains". Ipchains must be removed from your Linux box before you can use iptables - iptables will detect if ipchains is on the Linux box, and will not run. If you install Red Hat Linux 9 as a new installation, then the default is to use iptables. On the basis of my personal viewpoint expressed above, I don't see any justification for doing an upgrade from a previous version of Red Hat Linux - wipe the box, and start with a new installation. When you do the new install, select the minimum installation option, and during the setup configuration, accept the option to install the firewall (referred to as Lokkit). It doesn't really matter which of the firewall options you select, you are going to remove their settings anyway. However by installing the standard firewall, it means that the Linux installation has the various bits and pieces of iptables already installed.
Initial setup of the Linux box - 2
Even if you do the minimum installation, Red Hat Linux 9 is still rather fat - it is still over 470 MB of stuff, much of which you don't need, and some of which you definitely don't want on a network firewall. Especially Sendmail. Even in the minimum installation, Sendmail is not only installed by default, it also runs by default in run level 3. So at the command prompt enter
service sendmail stop
It is then necessary to stop Sendmail running when the Linux box is restarted, and you can use Setup for this. However it is preferable to remove Sendmail altogether from the System V initialisation sequence, so at the command prompt enter
chkconfig --del sendmail
Whilst you are at it, it might be worthwhile getting rid of stuff like isdn, pcmcia, portmap, rhnsd, and sshd. By default, in the minimum installation, these services are all started at boot-up. There is no point in wasting processing resources on services that are not required, and any service that is runnable is a source of weakness for attackers to exploit. In addition, three other services, i.e. irda, nfs, and saslauthd, don't start by default at boot-up time in run level 3; however they do exist in the System V initialisation sequence, so it might be advisable to "chkconfig --del ....." them as well.
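The service clean-up above can be checked before anything is removed. The script below is an added example, not from the original page: it reads the output format of chkconfig --list (assumed here to be "name 0:off 1:off 2:on 3:on ..."), reports which services are set to start in a given run level, and builds the service stop / chkconfig --del commands for every service that is not in an assumed keep list. The sample listing and the KEEP_SERVICES names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): audit which System V services
# start in run level 3 on a dedicated firewall box, and build the commands
# that stop and remove the ones that should not be there.
# Assumed input format (chkconfig --list):
#   "name    0:off 1:off 2:on 3:on 4:on 5:on 6:off"

# Constructed sample of chkconfig --list output (not captured from a real box).
SAMPLE_CHKCONFIG='sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
irda            0:off   1:off   2:off   3:off   4:off   5:off   6:off
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off'

# Assumed list of services a dedicated firewall still needs; everything
# else that appears in the System V sequence is a candidate for removal.
KEEP_SERVICES="network iptables syslog"

# Print the names of the services that are "on" in the given run level.
# Usage: printf '%s\n' "$listing" | services_on_in_runlevel 3
services_on_in_runlevel() {
    level="$1"
    awk -v lvl="$level" '
        {
            for (i = 2; i <= NF; i++) {
                split($i, pair, ":")
                if (pair[1] == lvl && pair[2] == "on") { print $1; break }
            }
        }'
}

# Print every service in the listing (on or off in any run level, which
# covers cases like irda and nfs) that is not in KEEP_SERVICES.
removal_candidates() {
    awk -v keep=" $KEEP_SERVICES " '
        { if (index(keep, " " $1 " ") == 0) print $1 }'
}

# Turn a list of service names (one per line on stdin) into the commands
# that stop each one now and drop it from the boot sequence. Nothing is
# executed here; review the output, then pipe it to sh as root.
removal_commands() {
    while read -r svc; do
        printf 'service %s stop; chkconfig --del %s\n' "$svc" "$svc"
    done
}

# Demonstration on the constructed sample:
#   printf '%s\n' "$SAMPLE_CHKCONFIG" | services_on_in_runlevel 3
#   printf '%s\n' "$SAMPLE_CHKCONFIG" | removal_candidates | removal_commands
```

On a real box replace the constructed sample with `chkconfig --list | removal_candidates | removal_commands`, read the result, and only then run it; the keep list is deliberately short, because on a single-purpose firewall anything not on it is a service you have to justify.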
Introduction to iptables
The first thing to know about iptables is that it is not an application or a daemon. Iptables itself is in essence a set of rules that the kernel uses to process packets of data that arrive via either of the network interfaces eth0 or eth1. However, having said that, there is an application associated with iptables: it is the application that interprets commands entered at the command prompt, or via a shell script, and turns these commands into a set of rules understood by the kernel.
The background to this firewall
This firewall is being used within the following network configuration :- There are no servers on the 192.168.100.0 subnet. DHCP is not being used. The workstations are manually configured with their ip addresses within the 192.168.100.0 subnet, and with the default gateway in each workstation set to 192.168.100.1. The Linux firewall has two network cards :-
The protection given by the firewall as configured below is based on several features of the iptables system :-
As mentioned above, the kernel part of iptables is "programmed" through the user interface, also called iptables, which is a command line tool. So in theory it is possible to do the programming directly at the command prompt - however my preference is to use a shell script, which can be fully commented. The shell script attached to this page is sufficiently commented that no other description or explanation should be required. The shell script shown is a sanitised version of a working script, with several Microsoft Windows XP workstations hiding behind the firewall. You will of course have to modify it to suit your particular environment. To use such a script, there are a number of ways to get it to run at boot-up time.
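To show what a fully commented script of this kind looks like for the network described above, here is an added example; it is not the author's version 13 script. It assumes, beyond what the page states, that eth0 faces the internet, eth1 faces the 192.168.100.0 subnet, the workstations are hidden behind the firewall's public address with NAT, and the firewall box itself offers no inbound service at all. Every rule goes through a small run() helper so that DRY_RUN=1 prints the iptables commands for review instead of applying them; FW_APPLY=1 applies them for real.

```shell
#!/bin/sh
# Added example (not the page's own script): a minimal, fully commented
# iptables rule set for a two-card Red Hat Linux 9 firewall that hides the
# 192.168.100.0/24 workstations behind it.
# Assumptions not stated on the page: eth0 faces the internet, eth1 faces
# the protected subnet, and the box accepts no inbound connections at all.

IPT="${IPT:-/sbin/iptables}"           # iptables user-space tool
WAN_IF="${WAN_IF:-eth0}"               # assumed internet-facing card
LAN_IF="${LAN_IF:-eth1}"               # assumed card on the 192.168.100.0 subnet
LAN_NET="${LAN_NET:-192.168.100.0/24}" # the protected subnet

# All rules pass through run(); with DRY_RUN=1 the commands are printed
# instead of applied, so the rule set can be reviewed offline.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        "$IPT" "$@"
    fi
}

firewall_rules() {
    # Start from a clean slate: flush every chain and remove user chains.
    run -F
    run -t nat -F
    run -X

    # Default policy is DROP: anything not explicitly allowed is discarded.
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT DROP

    # Loopback is always allowed; the box may talk to itself freely.
    run -A INPUT -i lo -j ACCEPT
    run -A OUTPUT -o lo -j ACCEPT

    # Spoofing guard: a packet claiming a LAN source address must never
    # arrive on the internet-facing card.
    run -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    run -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP

    # The firewall itself accepts only replies to connections it opened,
    # and drops packets the connection tracker cannot place.
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -m state --state INVALID -j DROP
    # The box may open outbound connections of its own (DNS, time, updates).
    run -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # Workstations may open connections outwards; only replies come back in.
    run -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Hide the private subnet behind the firewall's public address.
    run -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Log (rate limited) whatever the default DROP policies are about to eat,
    # so the syslog shows what is knocking on the door.
    run -A INPUT -m limit --limit 3/minute -j LOG --log-prefix "FW INPUT DROP: "
    run -A FORWARD -m limit --limit 3/minute -j LOG --log-prefix "FW FORWARD DROP: "
}

# The kernel only consults the FORWARD chain once forwarding is switched on.
enable_forwarding() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'echo 1 > /proc/sys/net/ipv4/ip_forward\n'
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Number of iptables commands the rule set produces (used for offline checks).
rule_count() {
    ( DRY_RUN=1; firewall_rules ) | grep -c '^iptables'
}

# Apply for real only when explicitly asked: FW_APPLY=1 sh firewall.sh
if [ "${FW_APPLY:-0}" = 1 ]; then
    enable_forwarding
    firewall_rules
fi
```

Run `DRY_RUN=1 sh -c '. ./firewall.sh; firewall_rules'` to read the generated commands before trusting them; the order matters, because the spoofing DROP rules sit before the state ACCEPT rules, and the LOG rules sit last so that they only see what the default policy would drop anyway.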
Still to do
The production of this firewall script is not the end of the development to use Red Hat Linux 9 as a firewall - there are other things that can be done to improve performance.
Finally ...
Here is the firewall script - version 13 - it is a bash shell script, not an html page, and was written using Vi. It should be possible to download it from here as a shell script through your browser. Some browsers actually manage to display it as a web page.
© 2004 Ron Turner