Sometimes the hardest part in starting a new project is knowing
what you want to do. I knew that I wanted to set up a firewall, as
I saw the example the IPCHAINS
HOWTO. I had created a simple one at home, and I told my boss that
this was the solution that we wanted to go with for setting up our company.
After a certain amount of convincing, and a lot of trust on his part, I
was given the "Go Ahead" to replicate the chapter 7 model, "A
Serious Example". So, with gleaming optimisim, I gave copied their
example, and made changes to only the ip address and interface names.
Router ( To Internet)
| 209.83.9.193
|
External Network (To router)
|
|
eth1 |
---------------
| 209.83.9.194 |
Server Network (DMZ)
|
|eth2
|
|-------------------------------------------------
|
|209.83.9.195 |
|
|
|
|
|
|
|
| 192.168.1.0 |
|
|
|
---------------
-------- ------------
-------
| eth0
| mail | |workstation |
| WWW |
|
-------- ------------
-------
|
209.83.9.198 209.83.9.199 209.83.9.196
|
Internal Network (198.168.1.X)
None of the machines could get to the outside world, the machines on the internal network couldn't get their mail, and I was perplexed. It was time to take a step backwards.
I went back to very simple rules for the chains.
/sbin/ipchains -F
/sbin/ipchains -X
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -P forward DENY
(This flushes the rule set, and sets new base rules)
/sbin/ipchains -A forward -p all -i
eth0 -s 192.168.1.0/24 -j MASQ
/sbin/ipchains -A forward -p all -s
209.83.9.194 -j ACCEPT
/sbin/ipchains -A forward -p all -s
209.83.9.198 -j ACCEPT
/sbin/ipchains -A forward -p all -s
209.83.9.199 -j ACCEPT
/sbin/ipchains -A forward -p all -s
209.83.9.196 -j ACCEPT
(This sets up new rules to forward packets from these machines to the
internet.)
The internal networked machines were now able to see out to the internet,
but the mail and web servers were still not working right. I didn't
know enough about ipchains to even ask the right question. Why was masquerading
working, but not the machines with real IP addresses?
Bill Stearns took pity on
me, and told me about a simple, strange rule in ipchains. Masquerading
a network only requires ONE rule, but forwarding public IP packets require
TWO rules, one for incoming packets, and one for outgoing. This inconsistancy,
while well known about, didn't jump out and make itself obvious.
My new rules looked like this:
/sbin/ipchains -F
/sbin/ipchains -X
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -P forward DENY
(This flushes the rule set, and sets new base rules)
/sbin/ipchains -A forward -p all -i
eth0 -s 192.168.1.0/24 -j MASQ
/sbin/ipchains -A forward -p all -s
209.83.9.194 -j ACCEPT
/sbin/ipchains -A forward -p all -d
209.83.9.194 -j ACCEPT
/sbin/ipchains -A forward -p all -s
209.83.9.198 -j ACCEPT
/sbin/ipchains -A forward -p all -d
209.83.9.198 -j ACCEPT
/sbin/ipchains -A forward -p all -s
209.83.9.199 -j ACCEPT
/sbin/ipchains -A forward -p all -d
209.83.9.199 -j ACCEPT
/sbin/ipchains -A forward -p all -s
209.83.9.196 -j ACCEPT
/sbin/ipchains -A forward -p all -d
209.83.9.196 -j ACCEPT
(This sets up new rules to forward packets from these machines to the
internet.)
Huzzah, it worked! I now had all of the machines able to see each other, and get out to the internet. I couldn't see in to our web server, though, from the outside. After more pondering, and another conversation with Bill, I found out that packets directed to our web server were getting lost at the router. The web server hadn't changed addresses, but it was removed by one hop from the router. Bill suggested that I try to fool the router by setting the external interface network card on the firewall to answer calls for the MAC hardware address of the web server. This complicated sounding procedure is actually very easy.
/sbin/arp -s 209.83.9.198 00:A0:CC:26:B5:67
pub
/sbin/arp -s 209.83.9.199 00:A0:CC:26:B5:67
pub
/sbin/arp -s 209.83.9.196 00:A0:CC:26:B5:67
pub
The (00:A0:CC:26:B5:67)number is the MAC address for the external interface card. When packets come in from the internet, the router would then send the packets to the MAC address of the external card. The routing tables that linux uses then figure out that the packet actually does not belong to it, and forwards them to the correct machine.
With this fix, I could now see our webserver from the outside, send
and receive email, and interoperate. I contacted our ISP, Chorus
, to help make this permanent. The tech staff at our ISP created
a static route, from their router, through ours, directly to the web, and
email servers. With this change, I could take out the arp commands,
and the traffic would route correctly.
This basic set of rules is not secure, and does not take advantage
of all of the power of ipchains. It is only to get you started, and
then I suggest that you look into Mason,
a really cool firewall building tool that Bill wrote. Mason will
take you the rest of the way towards a secure, well thought out firewall.
Greg Mader
gmader@geoanalytics.com