JohnConover_medium.jpg 
john@email.johncon.com
http://www.johncon.com/john/

SOHO Ipchains Firewall Rule Set for Linux


Home | John | Connie | Publications | Software | Correspondence | NtropiX | NdustriX | NformatiX | NdeX | Thanks



home.jpg
john.jpg
connie.jpg
publications.jpg
software.jpg
correspondence.jpg
ntropix.jpg
ndustrix.jpg
nformatix.jpg
ndex.jpg
thanks.jpg

The Linux OS is an excellent choice to provide low cost firewall services for SOHO LAN security. An Intel 486 class machine, with several hundred Mbytes of hard disk, 64 Mbytes of memory, and two inexpensive Ethernet cards, (NE2000 clones are a good choice, as are Netgear's FA310tx cards,) is a more than adequate hardware configuration for constructing a SOHO LAN firewall.

The configuration of the Linux firewall rules is a daunting task for the uninitiated, and many SOHO administrators do not have the time to commit to learn the complexities of the Internet communication protocols.

The file ipchains.gateway.txt is an example set of Linux firewall rules for a SOHO Internet gateway and provides Network Address Translation, (i.e., NAT, or IP masquerading,) that will allow all machines on the SOHO LAN to connect to the Internet, at will, through a single IP address, such as provided by a PPP dial connection to an ISP, DSL, or cable modem. The SOHO IP address range is the 10.x.x.x private address range, for security. There is no practical limit to the number of machines that can be accommodated on the SOHO LAN by the firewall gateway. For security, the firewall rules do not permit initiating connectivity from the Internet to the LAN-only from the LAN to the Internet. This configuration is also useful as an intranet gateway for an organization/function in an enterprise. If support of ftp can be avoided, then comment out the "passive ftp" section of the firewall rules. If not, and Microsoft IE is a supported platform on the network, then from IE's "Internet Tools"->"Internet Options"->"Advanced"->"Use Passive FTP for compatibility with some firewalls and DSL modems" to enable passive ftp. The use of active ftp is discouraged-but if mandatory, un-comment the "active ftp" section of the firewall rules.

The file ipchains.terminal.txt is an example set of Linux firewall rules for a Linux computer that is internal on a SOHO LAN. The rule set controls access to/from the SOHO LAN for providing shared services to others on the LAN such as print spooling, etc. The rule set is adequate for personal Linux computers residing on the LAN, and provides control over access, privileges, and services to/from others on the LAN. The LAN architecture is discussed in Appendix I, and its application to enterprise IT systems in Appendix II. If support of ftp can be avoided, then comment out the "passive ftp" section of the firewall rules. If not, and Microsoft IE is a supported platform on the network, then from IE's "Internet Tools"->"Internet Options"->"Advanced"->"Use Passive FTP for compatibility with some firewalls and DSL modems" to enable passive ftp. The use of active ftp is discouraged-but if mandatory, un-comment the "active ftp" section of the firewall rules.

Note: There is a recent addendum to the ipchains.terminal.txt script for iptables at iptables.txt; it is based on the ipchains.terminal.txt script.

It is recommended, also, that you consider a strategy for quarantining malicious Microsoft Outlook® e-mail attachments passing through the SOHO LAN's e-mail gateway from the Internet. Many attempts at surreptitious network entry are initiated through worms, trojan horses, and virii embedded in attachments.

As a final precaution, no computer connected to the Internet can be considered secure. All that can be done is to increase the difficulty of exploiting the insecurity. The first line of defense is always meticulous diligence-well written firewalls and properly maintained gateways can be of signficant help, but often provide a false sense of security, too.

Additional recommendations:

  • The nmap program to test the security of a firewall against port scanning.

  • The excellent portsentry suite by Craig Rowland for additional security against port scanning, (and provides monitoring, too.)

  • The logcheck suite by Craig Rowland that facilitates monitoring system security.

  • The excellent daemontools and ucspi-tcp suites by Daniel Bernstein for controlling access to port daemons, (and keeping them running in the hostile environment of the Internet.)

  • The bugtraq security mailing list for providing virtually instantaneous information on widespread security related issues on the Internet.

  • The ssh program, which should be the only permitted external access mechanism to the LAN, (it should be a written corporate policy.) It is the "crescent wrench" of network security, and can be used to build encrypted tunnels in and out of the machines on the LAN for various services.

References:

  • "Maximum Linux Security", Anonymous, Sams Publishing, 1999, ISBN 0-672-31670-6.

  • "Linux Firewalls", Robert L. Ziegler, New Riders Publishing, 2000, ISBN 0-7357-0900-9.

  • "Building Linux and OpenBSD Firewalls", Wes Sonnenrich, Tom Yates, Wiley & Sons, Inc., New York, New York, 2000, ISBN 0-471-35366-3.

  • "Linux System Security", Scott Mann, Ellen L. Mitchell, Prentice Hall PTR, Upper Saddle River, NJ 07458, 2000, ISBN 0-13-015807-0.

All are available from Amazon or FatBrain, (which used to be Computer Literacy, before being acquired by Barnes & Noble.)

As a concluding reference, Linux is the most documented operating system ever developed. The documentation is verbose and available in HOWTO "cookbook" format for any conceivable application, and there is a very active user community that is quite literate and shares techniques and methodologies via the Internet. A search of google will usually yield the answer to a question on Linux.


Appendix I

Note the subtle architectural hint for SOHO/enterprise networks: an enterprise or SOHO LAN should be divided and compartmentalized by IP address range-10.1.x.x, 10.2.x.x, and so on-each with its own gateway to the corporate/enterprise intranet, and each gateway handling a specific corporate organization and/or function, (which may be geographically disperse.) Linux gateways are very inexpensive and reliable, and can compartmentalize security breaches. Linux, FreeBSD, and OpenBSD are free, and suitable hardware can be found for a couple of hundred dollars, street price-a very small price to pay for the added security.

As an additional architectural hint that makes use of readily available and inexpensive hardware and free software, is to run an organization's domain name services, (DNS,) and email services, (SMTP,) distributed, on each gateway. Such redundancy is free, and can be centrally managed. The organization's computational resources do not depend on the reliability and availability of any central service. A good choice of DNS software that is highly regarded in security circles is djbdns by Daniel Bernstein, who also wrote the qmail SMTP software, which is held in high regard, also.

Note, as another hint, that the gateways should not be "visible" to the Internet for security reasons. Run a separate server on the Internet side of the SOHO LAN for each individual service that will be provided to the Internet-one per server. Again, this capitalizes on the availability of inexpensive hardware and free software, and may include the Apache web server, DNS and SMTP services, authentication, etc.

As a side bar, since the Internet visible DNS services are not required to support the LAN, they are largely static, serving only IP addresses of the external servers. A lot of corporate web pages are static, too. Embedded Linux is a preferred alternative where static data is served-it does not require a hard disk, (which can be defaced.) The strategy is to make a custom CD, with the OS, Apache, etc., and boot from the CD, and then serve data from it. Linux is a "heavily cached" system, meaning that it will cache data from the CD in memory-so embedded Linux in a machine with a lot of memory, and only a CD can make a very resilient Internet server. With the addition of intrusion detection, (to self boot,) it is largely maintenance free-although probably not as cost effective as out sourcing these functions.

Every machine on the SOHO LAN, gateways, and external services, can be remote administered from a central location using the rsync program-even if the SOHO LAN is geographically disperse. The savings in resource allocation, can be very significant in total-cost-of-ownership, (TCO.)

Note that the paradigm, or maxim, is to capitalize on the availability of inexpensive hardware and high quality free software to minimize life-time maintenance and administrative costs and control TCO of the IT infrastructure for an organization or SOHO.


Appendix II

For enterprise class networks, the hardware should be built to a specification by a vendor like VA Linux, or to an in-house specification with a known MTBF, (five years of 24/7 system operation is readily available from all PC hardware vendors-component and subsystem MTBF is available from all manufacturers, and published on their respective web sites for computation of system MTBF.) To get the lowest TCO, identical hardware throughout an organization can be efficiently maintained, and "cannibalized," should the need arise, as old equipment moves "down the line," to less critical applications, and replaced by new. How this is done should be a strategic agenda of the IT staff. The idea is to get as much return on IT investment as possible to reduce TCO per unit time of operation.

Likewise, for enterprise class networks, the software and OS vendor should be specified. The Debian brand of Linux is highly regarded by many, (at zero cost-a single CD set can be copied into an unlimited number of computers,) but if fee-for-support is required, Red Hat Linux is recommended by many. A standardized software configuration will contribute significantly to a reliable, secure, and low TCO enterprise network system. Like the hardware, the software has an installation specification.

Since the system is standardized, obviously, ready-to-go spares, (some even on line-they are called "hot spares",) can enhance total network and system availability. Note that the network systems do not have to be backed up in their entirety-disaster recovery can be initiated with the standard CD, (which is free,) and restoring the file system to its original specification-the configuration files are small, and can be backed up and restored across the network from a central network facility; about 90% are identical for all machines on the network. This also facilitates enterprise wide updates, (perhaps DNS, for example, or SMTP configuration, firewall configuration, etc.)

Note that migration and extensibility issues are addressed-the Linux machines can be replaced, at any time, with systems from Sun, Hewlett Packard, or Cisco, often running on the same, exact, and unmodified, configuration files. The firewalls and routers from HP are highly recommended, and provide mission critical availability and accessibility-albeit at a price.


A license is hereby granted to reproduce this software for personal, non-commercial use.

THIS PROGRAM IS PROVIDED "AS IS". THE AUTHOR PROVIDES NO WARRANTIES WHATSOEVER, EXPRESSED OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, TITLE, OR FITNESS FOR ANY PARTICULAR PURPOSE. THE AUTHOR DOES NOT WARRANT THAT USE OF THIS PROGRAM DOES NOT INFRINGE THE INTELLECTUAL PROPERTY RIGHTS OF ANY THIRD PARTY IN ANY COUNTRY.

So there.

Copyright © 1992-2005, John Conover, All Rights Reserved.

Comments and/or problem reports should be addressed to:

john@email.johncon.com

http://www.johncon.com/john/
http://www.johncon.com/ntropix/
http://www.johncon.com/ndustrix/
http://www.johncon.com/nformatix/
http://www.johncon.com/ndex/



Home | John | Connie | Publications | Software | Correspondence | NtropiX | NdustriX | NformatiX | NdeX | Thanks


Copyright © 1992-2005 John Conover, john@email.johncon.com. All Rights Reserved.
Last modified: Sat Aug 20 02:00:36 PDT 2005 $Id: index.html,v 1.0 2005/08/20 09:00:44 conover Exp $
Valid HTML 4.0!