Building a Linux Firewall
In this tutorial, you'll learn how to build a Linux iptables firewall from scratch. The recipes are geared toward DSL and cable Internet users, but they also work for T1/E1 customers. In fact, a Linux box with a T1 interface card is a great alternative to expensive commercial routers. If you're a normal business user and not an ISP that needs Buick-sized routers handling routing tables with hundreds of thousands of entries, then Linux on good-quality x86 hardware will serve your needs just fine.
A Linux border firewall can provide security and share an Internet connection for a whole LAN, which can contain Linux, Windows, Mac, and other PCs. A host firewall protects a single PC. There are a multitude of hardware choices for your firewall box, from small single-board computers, to recycled old PCs, to rackmount units. Any Linux distribution contains everything you need to build a sophisticated, configurable, reliable firewall on any hardware.
Definitions and roles get a bit blurry, as a Linux iptables firewall does both packet filtering and routing: the kernel forwards packets between interfaces, and iptables decides which of them are allowed through. You could call it a filtering router. iptables is the key to making everything work.
Firewalls and routers are often combined on the same device, which is often called an Internet gateway. Strictly speaking, a gateway moves traffic between networks that use different protocols, such as NetBEUI and TCP/IP, which is not something we see much anymore. These days, it means any network device that connects networks.
Routers forward traffic between networks. You always need a router between your LAN and other networks. You may also add intrusion detection, traffic control, proxies, secure remote access, DNS/DHCP, and any other services you want, though in my opinion, it's better to limit your firewall to routing, firewalling, and traffic control. Other services should sit on separate boxes behind your Internet firewall, though of course this is up to you. In small shops, it's not uncommon for a single box to host a multitude of services. The risks are that any successful intruder will have a feast of yummy services to exploit, or you may simply overload the box to the point that performance suffers.
Any computer or network device that is exposed to untrusted networks is called a bastion host. Obviously, bastion hosts have special needs: they must be well-hardened, must not share authentication services with your LAN hosts, and must have strict access controls.
Separating Private and Public
If you are going to run Internet-accessible services, you need to isolate your public servers from your private LAN. If you are sharing a single Internet connection, the simplest way is to build a tri-homed (three network interfaces) Linux router: one NIC connects to the Internet, the second one connects to your LAN, and the third one connects to your demilitarized zone (DMZ). A demilitarized zone is a neutral zone between two opposing groups. In computer terms, it's a separate subnet where you segregate your public servers from your private LAN hosts, and your DMZ hosts are treated as only slightly less untrustworthy than the big bad Internet.
Simply placing your public servers on a different subnet adds a useful layer of protection, provided your forwarding rules enforce it: with a default-deny FORWARD policy, DMZ hosts are not able to initiate connections back into the private network unless you explicitly allow them to. If a DMZ server is compromised, an attacker should then find no open path into your private network, only the services you chose to publish.
It doesn't matter if your DMZ hosts have public or private IP addresses. Never run public services from inside your LAN. The last thing you want to do is introduce a big fat Internet hole into your LAN.
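The FORWARD rules for the tri-homed router described above, as an added example that is not part of the original tutorial. The interface names (eth0/eth1/eth2), the subnets, and the DMZ web server address are assumptions chosen for illustration. The script prints the iptables commands by default (a dry run); set IPT=iptables and run it as root to apply them. The point it demonstrates is that the DMZ only protects the LAN because the default policy is DROP and each permitted path is listed explicitly; the DMZ-to-LAN direction is logged and dropped rather than silently falling through.

```shell
#!/bin/sh
# Added example: tri-homed filtering router with a DMZ (not code from the original page).
# Interface names, subnets and the server address below are assumptions.
WAN=${WAN:-eth0}                     # Internet-facing NIC
LAN=${LAN:-eth1}                     # private LAN
DMZ=${DMZ:-eth2}                     # public servers
LAN_NET=${LAN_NET:-192.168.1.0/24}
DMZ_NET=${DMZ_NET:-192.168.2.0/24}
DMZ_WEB=${DMZ_WEB:-192.168.2.10}     # hypothetical web server in the DMZ

# Dry run by default: the commands are printed, not executed.
# Run with IPT=iptables (as root) to load them into the kernel.
IPT=${IPT:-echo iptables}

dmz_rules() {
    # Default deny. Everything not matched by an ACCEPT below is dropped,
    # which is what actually keeps DMZ hosts out of the LAN.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # Allow replies to connections that one of the rules below permitted.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: a packet arriving on an inside interface must carry
    # a source address that belongs to that interface's subnet.
    $IPT -A FORWARD -i $LAN ! -s $LAN_NET -j DROP
    $IPT -A FORWARD -i $DMZ ! -s $DMZ_NET -j DROP

    # LAN hosts may reach both the Internet and the DMZ servers.
    $IPT -A FORWARD -i $LAN -o $WAN -j ACCEPT
    $IPT -A FORWARD -i $LAN -o $DMZ -j ACCEPT

    # The Internet may open connections only to the published DMZ service.
    $IPT -A FORWARD -i $WAN -o $DMZ -d $DMZ_WEB -p tcp --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT

    # DMZ hosts may initiate connections outward (updates, DNS, and so on)...
    $IPT -A FORWARD -i $DMZ -o $WAN -j ACCEPT

    # ...but never into the LAN. Already covered by the DROP policy; logging it
    # explicitly tells you when a DMZ host starts probing inward.
    $IPT -A FORWARD -i $DMZ -o $LAN -j LOG --log-prefix "DMZ->LAN blocked: "
    $IPT -A FORWARD -i $DMZ -o $LAN -j DROP
}

dmz_rules
```

Note that the DMZ web server still needs a DNAT rule in the nat table if it sits on a private address behind the router's single public IP; that is covered later under "Running Public Services on Private IP Addresses". Nothing here opens the INPUT chain, so the router itself stays closed to all three networks until you add your own management rules.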
If your servers have public routable IP addresses, then you may elect to connect them directly to the Internet, or to put them on a separate Internet connection. Host firewalls are useful for restricting traffic to the server and blocking the zillions of automated attacks that infest the Internet. A standalone firewall in front of your public servers is a nice addition, filtering out unwanted traffic before it hits them.
While firewalls are useful, remember to give a lot of attention to your application-level and OS security. Some admins recommend configuring your servers as though you have no firewall, and that is a good strategy. Linux and Unix servers can be hardened to the point where they arguably don't need a firewall at all; Windows systems are far harder to harden to this degree. Nor is a firewall a cure-all. A nice strong iptables firewall is a good umbrella to place over Windows hosts, but it only filters network traffic. It will not protect them from email-borne malware, infected web sites, or the increasing hordes of spyware, adware, Trojan horses, and rootkits that arrive bundled with legitimate commercial software, and it cannot make up for commercial security products that fail to detect all the bad stuff.
In this tutorial:
- Iptables and NAT, SNAT, and DNAT
- Assembling a Linux Firewall Box
- Configuring Network Interface Cards on Debian
- Configuring Network Interface Cards on Fedora
- Identifying Which NIC Is Which
- Building an Internet-Connection Sharing Firewall on a Dynamic WAN IP Address
- Building an Internet-Connection Sharing Firewall on a Static WAN IP Address
- Displaying the Status of Your Firewall
- Turning an iptables Firewall Off
- Starting iptables at Boot, and Manually Bringing Your Firewall Up and Down
- Testing Your Firewall
- Configuring the Firewall for Remote SSH Administration
- Allowing Remote SSH Through a NAT Firewall
- Multiple SSH Host Keys Past NAT
- Running Public Services on Private IP Addresses
- Setting Up a Single-Host Firewall
- Setting Up a Server Firewall
- Configuring iptables Logging
- Writing Egress Rules