Firewall Configuration Example
Gateway Firewall
A gateway firewall sits between the internal network and the external network. In this example the gateway is connected to the Internet over a leased line, so it needs two network cards: eth0 connected to the external network (carrying your public IP address) and eth1 connected to the LAN (carrying a private address such as 192.168.1.1). Next, create the firewall script in /etc/rc.d/init.d/ with the command:
#vi /etc/rc.d/init.d/firewall
Add the firewall script below. Several optional client services are commented out; uncomment a service only if the gateway itself needs it (LAN hosts are handled by the FORWARD rules, not by these lines). Before starting the script, replace the placeholder values of IP_ADDR and PRI_DNS with your real public IP address and DNS server address — with the placeholders left in place the iptables rules fail to load.
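#!/bin/sh
#chkconfig: 2345 60 95
#description: IPTABLES gateway firewall (packet filter + NAT for a two-NIC host)
#
# Gateway firewall for a host with one public interface (EXT_INTERFACE) and
# one LAN interface (LOCAL_INTERFACE_1).  Every chain defaults to DROP; only
# the traffic listed in start_firewall is permitted.  Connection tracking
# (-m state) accepts replies to permitted connections, so each service only
# needs a rule for the packet that opens the connection.
#
# Actions: start | stop | status | restart | reload
#
# Edit "YOUR NETWORK INFORMATION" before the first start; `start` refuses to
# run while IP_ADDR or PRI_DNS still holds placeholder text, because a
# half-built ruleset behind a DROP policy locks you out of the gateway.

#CALL FUNCTION---------------------------------------------------------------
. /etc/rc.d/init.d/functions
#CHECK NETWORK---------------------------------------------------------------
. /etc/sysconfig/network
#CHECK NETWORK STATUS--------------------------------------------------------
# Quoted: an unset NETWORKING would otherwise make "[" fail with a syntax
# error instead of performing a clean comparison.
if [ "${NETWORKING}" = "no" ]; then
    exit 0
fi
if [ ! -x /sbin/iptables ]; then
    exit 0
fi
IPT=/sbin/iptables

#----------------------------------------------------------------------------
#YOUR NETWORK INFORMATION----------------------------------------------------
IP_ADDR="your Public IP Address"      # address of EXT_INTERFACE (dotted decimal)
EXT_INTERFACE="eth0"
LO_INTERFACE="lo"
LOCAL_INTERFACE_1="eth1"
LOCALNET="192.168.1.0/24"
PRI_DNS="your Primary DNS"            # the only resolver the gateway may query
# Source addresses allowed to open SSH to the gateway from the outside.
# 0.0.0.0/0 keeps the original "anyone on the Internet" behaviour; narrow
# it to your administration hosts whenever you can.
SSH_ADMIN_NET="0.0.0.0/0"
# Remote syslog server; only used by the (commented) syslog rule below.
SYSLOG_SERVER=""
# File of addresses to refuse, one IPv4 address or CIDR block per line;
# text after the address is ignored, so trailing comments are fine.
BLOCKED_FILE="/etc/rc.d/rc.firewall.blocked"
#----------------------------------------------------------------------------
#ADDRESS SPACE THAT MUST NEVER APPEAR AS A SOURCE ON THE PUBLIC SIDE---------
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/4"    # was /5, which only covered 240-247
LINK_LOCAL="169.254.0.0/16"
TEST_NET="192.0.2.0/24"
THIS_NET="0.0.0.0/8"                  # "this network"; never valid for a static-IP link
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
PRIV_PORTS="0:1023"
UNPRIV_PORTS="1024:"
#----------------------------------------------------------------------------
#USE SSH CLIENT--------------------------------------------------------------
SSH_LOCAL_PORTS="1022:65535"
SSH_REMOTE_PORTS="513:65535"
#USE TRACEROUTE--------------------------------------------------------------
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"
#----------------------------------------------------------------------------

# is_ipv4 STRING - succeed when STRING looks like a dotted-decimal address.
# Deliberately simple (digits and dots, no leading/trailing/double dot): its
# job is to catch untouched placeholders, not to validate octet ranges.
is_ipv4() {
    case "$1" in
        "" | *[!0-9.]* | .* | *. | *..*) return 1 ;;
    esac
    return 0
}

# check_config - refuse to build a ruleset from placeholder values.  Runs
# before any iptables command, so a bad configuration never leaves the
# gateway half-configured behind a DROP policy.
check_config() {
    for val in "$IP_ADDR" "$PRI_DNS"; do
        if ! is_ipv4 "$val"; then
            echo "firewall: IP_ADDR and PRI_DNS must be dotted-decimal addresses (got '$val')" >&2
            return 1
        fi
    done
    return 0
}

# load_modules - load the netfilter core modules.  Match/target modules
# (state, REJECT, LOG, MASQUERADE, ...) are auto-loaded by iptables when a
# rule first uses them, so they are not listed here.
load_modules() {
    /sbin/modprobe ip_tables
    /sbin/modprobe iptable_nat
    # Newer kernels renamed ip_conntrack* to nf_conntrack*; try both names.
    /sbin/modprobe ip_conntrack     2>/dev/null || /sbin/modprobe nf_conntrack
    /sbin/modprobe ip_conntrack_ftp 2>/dev/null || /sbin/modprobe nf_conntrack_ftp
    /sbin/modprobe ip_nat_ftp       2>/dev/null || /sbin/modprobe nf_nat_ftp
    # NOTE(review): recent kernels no longer assign conntrack helpers
    # automatically, so FTP through this gateway may also need an explicit
    # "-t raw ... -j CT --helper ftp" rule; not added here, confirm on your kernel.
}

# load_blocklist - DROP/REJECT every address in BLOCKED_FILE on the public
# interface, for the gateway itself (INPUT/OUTPUT) and for the LAN it
# forwards (FORWARD).  Must run before any ACCEPT rule on those chains.
load_blocklist() {
    [ -f "$BLOCKED_FILE" ] || return 0
    # Piped straight into the loop: the original staged the list in a fixed
    # /tmp path as root, which a local user can pre-create or symlink.
    sed -n -e 's|^[[:space:]]*\([0-9][0-9./]*\).*$|\1|p' "$BLOCKED_FILE" |
    while read -r ip_addy; do
        [ -n "$ip_addy" ] || continue
        $IPT -A INPUT   -i "$EXT_INTERFACE" -s "$ip_addy" -j DROP
        $IPT -A FORWARD -i "$EXT_INTERFACE" -s "$ip_addy" -j DROP
        $IPT -A FORWARD -o "$EXT_INTERFACE" -d "$ip_addy" -j REJECT
        $IPT -A OUTPUT  -o "$EXT_INTERFACE" -d "$ip_addy" -j REJECT
    done
}

# allow_client PROTO DPORT [DEST] - let the gateway itself open PROTO
# connections from an unprivileged port to DPORT (optionally only to DEST).
# Replies come back through the ESTABLISHED,RELATED rule.
allow_client() {
    $IPT -A OUTPUT -o "$EXT_INTERFACE" -p "$1" -s "$IP_ADDR" \
        --source-port "$UNPRIV_PORTS" -d "${3:-0.0.0.0/0}" --destination-port "$2" \
        -m state --state NEW -j ACCEPT
}

# start_firewall - build the complete ruleset.  Returns non-zero, without
# touching iptables, when the configuration is incomplete.
start_firewall() {
    check_config || return 1
    echo -n "Starting Firewall : "
    load_modules
    #SET POLICY ALL TO DENY, THEN DELETE ALL OLD RULES AND CHAINS-------------
    # Policies first, so there is never an empty ruleset behind ACCEPT.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    $IPT -F
    $IPT -X
    $IPT -F -t nat
    $IPT -X -t nat
    #UNLIMITED TRAFFIC ON LOOPBACK--------------------------------------------
    $IPT -A INPUT  -i "$LO_INTERFACE" -j ACCEPT
    $IPT -A OUTPUT -o "$LO_INTERFACE" -j ACCEPT
    #UNLIMITED TRAFFIC BETWEEN THE GATEWAY AND THE LOCAL NETWORK--------------
    $IPT -A INPUT  -i "$LOCAL_INTERFACE_1" -s "$LOCALNET" -j ACCEPT
    $IPT -A OUTPUT -o "$LOCAL_INTERFACE_1" -d "$LOCALNET" -j ACCEPT
    #DROP MALFORMED TCP (every flag set, or none)-----------------------------
    for chain in INPUT FORWARD; do
        $IPT -A "$chain" -p tcp --tcp-flags ALL ALL  -j DROP
        $IPT -A "$chain" -p tcp --tcp-flags ALL NONE -j DROP
    done
    #SPOOFING & BAD ADDRESSES ON THE PUBLIC INTERFACE-------------------------
    # None of these can be a legitimate source on the Internet side, so they
    # are dropped for the gateway and for forwarded traffic before any
    # ACCEPT rule runs.  Bound to EXT_INTERFACE so the private ranges can be
    # listed without interfering with the LAN side.
    for src in "$IP_ADDR" "$CLASS_A" "$CLASS_B" "$CLASS_C" "$LOOPBACK" \
               "$LINK_LOCAL" "$TEST_NET" "$THIS_NET" "$CLASS_D_MULTICAST" \
               "$CLASS_E_RESERVED_NET" "$BROADCAST_DEST"; do
        $IPT -A INPUT   -i "$EXT_INTERFACE" -s "$src" -j DROP
        $IPT -A FORWARD -i "$EXT_INTERFACE" -s "$src" -j DROP
    done
    $IPT -A INPUT -i "$EXT_INTERFACE" -d "$BROADCAST_SRC" -j DROP
    # ICMP redirect (5) and timestamp (13) are never wanted from outside.
    $IPT -A INPUT -i "$EXT_INTERFACE" -p icmp --icmp-type 5  -j DROP
    $IPT -A INPUT -i "$EXT_INTERFACE" -p icmp --icmp-type 13 -j DROP
    #BLOCKED ADDRESSES FROM $BLOCKED_FILE-------------------------------------
    load_blocklist
    #STATEFUL REPLIES ON THE PUBLIC INTERFACE---------------------------------
    # Packets belonging to a connection accepted below, or RELATED to one
    # (ICMP errors, FTP data channel), are accepted here.  This replaces the
    # old "! --syn" reply rules, which let any non-SYN packet with a forged
    # source port (22, 53, ...) reach every unprivileged port.
    $IPT -A INPUT  -i "$EXT_INTERFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$EXT_INTERFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Neither a new connection nor part of one: stray ACKs, scans, garbage.
    $IPT -A INPUT   -i "$EXT_INTERFACE" -m state --state INVALID -j DROP
    $IPT -A FORWARD -m state --state INVALID -j DROP
    #FORWARDING FOR THE LOCAL NETWORK-----------------------------------------
    # LAN hosts may only send with their own addresses (inside anti-spoof).
    $IPT -A FORWARD -i "$LOCAL_INTERFACE_1" ! -s "$LOCALNET" -j DROP
    $IPT -A FORWARD -i "$LOCAL_INTERFACE_1" -o "$EXT_INTERFACE" -s "$LOCALNET" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$EXT_INTERFACE" -o "$LOCAL_INTERFACE_1" ! -s "$LOCALNET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only the LAN is masqueraded (the original masqueraded anything that
    # left EXT_INTERFACE).
    $IPT -t nat -A POSTROUTING -o "$EXT_INTERFACE" -s "$LOCALNET" -j MASQUERADE
    #UDP TRACEROUTE (outbound only; probes aimed at the gateway are dropped)--
    $IPT -A INPUT -i "$EXT_INTERFACE" -p udp --source-port "$TRACEROUTE_SRC_PORTS" \
        -d "$IP_ADDR" --destination-port "$TRACEROUTE_DEST_PORTS" -j DROP
    $IPT -A OUTPUT -o "$EXT_INTERFACE" -p udp -s "$IP_ADDR" \
        --source-port "$TRACEROUTE_SRC_PORTS" --destination-port "$TRACEROUTE_DEST_PORTS" \
        -j ACCEPT
    #DNS CLIENT: the gateway may query PRI_DNS only (UDP and TCP 53)----------
    allow_client udp 53 "$PRI_DNS"
    allow_client tcp 53 "$PRI_DNS"
    #SSH SERVER (22): new connections from SSH_ADMIN_NET only-----------------
    $IPT -A INPUT -i "$EXT_INTERFACE" -p tcp -s "$SSH_ADMIN_NET" \
        --source-port "$SSH_REMOTE_PORTS" -d "$IP_ADDR" --destination-port 22 \
        -m state --state NEW -j ACCEPT
    #SSH CLIENT (22)----------------------------------------------------------
    $IPT -A OUTPUT -o "$EXT_INTERFACE" -p tcp -s "$IP_ADDR" \
        --source-port "$SSH_LOCAL_PORTS" --destination-port 22 \
        -m state --state NEW -j ACCEPT
    #OPTIONAL CLIENT SERVICES FOR THE GATEWAY ITSELF--------------------------
    # Uncomment what this host needs.  LAN hosts are unaffected: their
    # traffic goes through FORWARD, which already allows anything outbound.
    #allow_client tcp 80          # HTTP
    #allow_client tcp 443         # HTTPS
    #allow_client tcp 3128        # WWW-cache / proxy
    #allow_client tcp 119         # NNTP news
    #allow_client tcp 110         # POP3
    #allow_client tcp 143         # IMAP
    #allow_client tcp 25          # SMTP
    #allow_client tcp 23          # telnet (cleartext; prefer SSH)
    #allow_client tcp 113         # AUTH/ident client
    #allow_client tcp 43          # whois
    #allow_client tcp 79          # finger
    #allow_client tcp 21          # FTP control; data channel is RELATED via the FTP helper
    #allow_client tcp 554         # RTSP (RealAudio / QuickTime)
    #allow_client tcp 7070:7071   # RealAudio over TCP
    #allow_client tcp 2000:4000   # ICQ
    #allow_client udp 4000        # ICQ
    # RealAudio UDP streams are opened by the server, so they need an inbound rule:
    #$IPT -A INPUT -i "$EXT_INTERFACE" -p udp --source-port "$UNPRIV_PORTS" \
    #    -d "$IP_ADDR" --destination-port 6970:6999 -j ACCEPT
    # Remote syslog (UDP 514).  sysklogd sends from port 514, rsyslog from an
    # unprivileged port, so the source port is left unrestricted.
    #$IPT -A OUTPUT -o "$EXT_INTERFACE" -p udp -s "$IP_ADDR" \
    #    -d "$SYSLOG_SERVER" --destination-port 514 -j ACCEPT
    # Outbound ping; replies are ESTABLISHED.  ICMP errors for the gateway's
    # own connections already arrive as RELATED.
    #$IPT -A OUTPUT -o "$EXT_INTERFACE" -p icmp -s "$IP_ADDR" --icmp-type echo-request -j ACCEPT
    #AUTH SERVER (113): REJECT rather than DROP so remote mail servers do not
    #wait for an ident timeout before accepting our mail (NET-3-HOWTO).
    #$IPT -A INPUT -i "$EXT_INTERFACE" -p tcp --source-port "$UNPRIV_PORTS" \
    #    -d "$IP_ADDR" --destination-port 113 -j REJECT
    #BLOCK SPECIFIC DESTINATIONS FROM THE GATEWAY (example)-------------------
    # Prefer BLOCKED_FILE.  A rule here uses -I so it lands ahead of the
    # ACCEPT rules wherever it is placed; a hostname would be resolved only
    # once, at rule-load time (DNS must already work, and the address can
    # change), so give an address.
    #$IPT -I OUTPUT -o "$EXT_INTERFACE" -p tcp -s "$IP_ADDR" -d 192.0.2.10 --destination-port 80 -j REJECT
    #FINAL RULES--------------------------------------------------------------
    # Uncomment to log (rate-limited) what falls through to the DROP policy.
    #$IPT -A INPUT -i "$EXT_INTERFACE" -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    # Local processes get an immediate error instead of a timeout.
    $IPT -A OUTPUT -o "$EXT_INTERFACE" -j REJECT
    #ENABLE ROUTING FOR THE LOCAL NETWORK-------------------------------------
    # Done last, once the FORWARD rules are in place.
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Kernel reverse-path check on every interface, backing up the explicit
    # anti-spoof rules above.  Set to 0 if this gateway ever routes
    # asymmetrically.
    for rpf in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > "$rpf"
    done
    return 0
}

# stop_firewall - remove every rule and open the host (Red Hat convention:
# a stopped firewall means ACCEPT everywhere).
stop_firewall() {
    echo -n "Shutting Firewall : "
    # The nat table is flushed too: the original left MASQUERADE in place,
    # so the box kept NATing the LAN with every policy set to ACCEPT.
    $IPT -F
    $IPT -X
    $IPT -F -t nat
    $IPT -X -t nat
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    # IP forwarding is left as it was.  Write 0 to
    # /proc/sys/net/ipv4/ip_forward here if a stopped firewall should also
    # stop routing for the LAN.
}

# status_firewall - report whether the ruleset is loaded.  There is no
# daemon to look for (the original "status iptables" always said stopped);
# the firewall is "running" when the INPUT policy is DROP.  Exit codes
# follow LSB: 0 running, 3 stopped.
status_firewall() {
    # -n: no reverse DNS lookups, which would hang if DNS is blocked.
    if $IPT -L INPUT -n 2>/dev/null | head -n 1 | grep -q 'policy DROP'; then
        echo "Firewall is running:"
        $IPT -L -n -v
        return 0
    fi
    echo "Firewall is stopped (all policies ACCEPT)"
    return 3
}

#CREATE SCRIPT FOR PARAMETER BEHIND SERVICE----------------------------------
case "$1" in
    start)
        start_firewall || exit 1
        ;;
    stop)
        stop_firewall
        ;;
    status)
        status_firewall
        exit $?
        ;;
    restart|reload)
        "$0" stop
        # exec so the exit status of this action is that of "start".
        exec "$0" start
        ;;
    *)
        echo "Usage: $0 {start|stop|status|restart|reload}"
        exit 1
esac
echo "done"
exit 0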
Next, save the file and set its ownership and permissions so that only root can read, modify or run it (the script is executed as root at boot, so a writable copy would let any local user add rules):
#chmod 700 /etc/rc.d/init.d/firewall
#chown root:root /etc/rc.d/init.d/firewall
#chkconfig --add firewall
#chkconfig --level 2345 firewall on
Start your firewall with one of these commands:
#/etc/init.d/firewall start or #service firewall start
If no errors are printed, the firewall is running. Do the first start from the console or from a LAN host, not over SSH from the Internet: a wrong IP_ADDR or a mistake in the SSH rule locks you out of the gateway. Then verify from a LAN host that outbound traffic and DNS still work, and from outside that only port 22 answers.
Commands for controlling the firewall:
Start Firewall : #service firewall start
Stop Firewall : #service firewall stop
Status Firewall : #service firewall status
Restart Firewall : #service firewall restart
Reload Firewall : #service firewall reload

















