Building a Linux Bunker: Basic Firewalling
Rafael Coninck Teigao 2000-05-08

This article presents a way to convert any spare machine you have into a useful security gateway for your network, utilizing Network Address Translation (NAT), and the firewalling features present in Linux. This article will assume you have already read and applied the techniques discussed in the Installation and Securing Linux articles in the Linux Focus Area here on SecurityFocus.com.

Some basic issues need to be addressed. This is not an ordinary host, and should not be seen that way. This host should be exclusively used for firewalling and NAT, and nothing else. This means that you should not run other services. Also, if you are going to redirect some service to an inside machine, make sure the service is not susceptible to known vulnerabilities, and that you keep up to date with patches. Failure to do this can render your firewall useless.

The latest versions of the Linux kernel are not necessarily the most stable and reliable versions that have been made available. If your machine does not need the latest drivers, download and install a reliable, stable, well tested kernel; kernel 2.0.38 is known to be all three. You should enable IP Forwarding, IP Masquerading, IP Firewalling, IP Transparent Proxying and IP Routing. If you are having trouble compiling this kernel, take a look at http://www.suse.de/~florian/kernel+egcs.html. This site has a patch for compiling this kernel with egcs.

Now that you have installed and compiled a reliable kernel, and read and applied the installation and securing articles previously mentioned, we are going to start configuring your firewall. I have created a series of shell scripts that are going to help with basic configuration. As I present them, I am going to explain what they are for, how to use them, and where to place them. Please keep in mind that I am assuming you are using Red Hat and that directories may be different in other distributions. Adjust accordingly.

Also, you should change the internal address block I used (10.x.x.x) to whatever suits your network. Using non-routed IP addresses on the internal network is a good idea for a number of reasons, not least that you will not have any incidents with colliding external IPs belonging to another site.

File name: firewall
File Location: /etc/rc.d/init.d/

# Flush all commands
ipfwadm -F -f
ipfwadm -I -f
ipfwadm -O -f
#
# setup IP packet Accounting and Forwarding
#
# Forwarding
#
# By default DENY all services
ipfwadm -F -p deny
# And ACCEPT all connections from the internal interface and do NAT
ipfwadm -F -a accept -m -P all -S 10.0.0.0/8
#
# setup IP packet for Transparent Proxying
# use this ONLY if you also have SQUID on this machine
#
# Incoming
#
# By default ACCEPT all services
ipfwadm -I -p accept
# This is going to redirect any incoming inside connection to your proxy
ipfwadm -I -a accept -P tcp -S 10.0.0.0/8 -D 0.0.0.0/0 80 -r 3128
#
# Setup to DENY ALL connections from an IP
#
# Incoming
#
# ipfwadm -I -a deny -P all -S IPnumber

Set it to run when the machine comes up.

Editing your /etc/hosts.allow and /etc/hosts.deny is a good idea. They should look similar to these:

File name: hosts.allow
File Location: /etc/

ALL: 10.
22: ALL
80: ALL

File name: hosts.deny
File Location: /etc/

ALL: ALL

This way you are ALLOWING every inbound connection to SSH and HTTP, allowing connections from 10.x.x.x to reach the daemons installed on the firewall, and denying all other connections.
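Before deploying the two files it is worth checking what they actually decide for a given client. The script below is an added example, not part of the original article: it emulates the tcp_wrappers lookup order (hosts.allow first, then hosts.deny, else allow) over inline copies of the files shown above. The matching it implements is deliberately the subset used there: ALL, a trailing-dot network prefix such as "10.", and exact names. The client addresses in the demonstration loop are constructed.

```shell
#!/bin/sh
# Added example: emulate how tcp_wrappers consults hosts.allow then hosts.deny.
# Rules are "daemon_list: client_list" lines exactly as in the files above.
# Supported patterns (the subset the article's files use):
#   ALL          matches anything
#   "10."        a pattern ending in "." matches any value with that prefix
#   anything else must match exactly

# Inline copies of the two files, so the script runs stand-alone.
HOSTS_ALLOW='ALL: 10.
22: ALL
80: ALL'
HOSTS_DENY='ALL: ALL'

# match_token PATTERN VALUE -> exit 0 if PATTERN covers VALUE
match_token() {
    pat=$1; val=$2
    case "$pat" in
        ALL) return 0 ;;
        *.)  case "$val" in "$pat"*) return 0 ;; esac ;;
        *)   [ "$pat" = "$val" ] && return 0 ;;
    esac
    return 1
}

# rules_match RULES DAEMON CLIENT -> exit 0 if any rule line matches both fields
rules_match() {
    rules=$1; daemon=$2; client=$3
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        dpat=$(printf '%s' "${line%%:*}" | tr -d ' \t')
        cpat=$(printf '%s' "${line#*:}" | tr -d ' \t')
        if match_token "$dpat" "$daemon" && match_token "$cpat" "$client"; then
            return 0
        fi
    done <<EOF
$rules
EOF
    return 1
}

# wrapper_decision DAEMON CLIENT -> prints "allow" or "deny"
# hosts.allow wins, then hosts.deny; no match in either means allow.
wrapper_decision() {
    if rules_match "$HOSTS_ALLOW" "$1" "$2"; then
        echo allow
    elif rules_match "$HOSTS_DENY" "$1" "$2"; then
        echo deny
    else
        echo allow
    fi
}

# Stand-alone demonstration over constructed (daemon, client) pairs.
for pair in "sshd 10.1.2.3" "22 192.0.2.10" "80 198.51.100.5" "in.telnetd 192.0.2.10"; do
    set -- $pair
    echo "$1 from $2: $(wrapper_decision "$1" "$2")"
done
```

The last pair shows the point of the catch-all hosts.deny: a daemon that is not named in hosts.allow is refused for every external client, while the internal 10.x.x.x block still reaches everything.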

The next scripts check that everything is running and try to solve simple problems, such as an interface being down or a masquerading helper module that has stopped working.

File name: crontab --> edit to add these lines (crontab -e)
File Location: /etc/

0-59 * * * * root /usr/local/gateway/bin/check-ALL-masq
0-59 * * * * root /usr/local/gateway/bin/check-ALL-eth

File name: check-ALL-masq
File Location: /usr/local/gateway/bin/

#!/bin/sh
# Each check-* script receives the module name if lsmod lists it,
# or no argument at all if the module is not loaded.
/usr/local/gateway/bin/check-CU_Seeme `lsmod | awk '{print $1}' | grep ip_masq_cuseeme`
/usr/local/gateway/bin/check-FTP `lsmod | awk '{print $1}' | grep ip_masq_ftp`
/usr/local/gateway/bin/check-IRC `lsmod | awk '{print $1}' | grep ip_masq_irc`
/usr/local/gateway/bin/check-Quake `lsmod | awk '{print $1}' | grep ip_masq_quake`
/usr/local/gateway/bin/check-RealPlayer `lsmod | awk '{print $1}' | grep ip_masq_raudio`
/usr/local/gateway/bin/check-VDOLive `lsmod | awk '{print $1}' | grep ip_masq_vdolive`

File name: check-CU_Seeme; check-FTP; check-IRC; check-Quake; check-RealPlayer; check-VDOLive
File Location: /usr/local/gateway/bin/

#!/bin/sh
# Exit quietly when the module name passed by check-ALL-masq is present;
# otherwise ask solve-ALL-masq to load it.
case "$1" in
OPTION_1)
  exit 0
  ;;
esac
/usr/local/gateway/bin/solve-ALL-masq OPTION_2

Where OPTION_1 and OPTION_2 should be taken from the table below. Remember that you have to create six different files.

File Name          OPTION_1          OPTION_2
check-CU_Seeme     ip_masq_cuseeme   cuseeme
check-FTP          ip_masq_ftp       ftp
check-IRC          ip_masq_irc       irc
check-Quake        ip_masq_quake     quake
check-RealPlayer   ip_masq_raudio    raudio
check-VDOLive      ip_masq_vdolive   vdolive

File name: solve-ALL-masq
File Location: /usr/local/gateway/bin/

#!/bin/sh
# Loads the masquerading helper module named on the command line
# (or all of them with "all") from the 2.0.38 module directory.
case "$1" in
all)
  cd /lib/modules/2.0.38/ipv4
  modprobe -s ip_masq_cuseeme.o
  modprobe -s ip_masq_ftp.o
  modprobe -s ip_masq_irc.o
  modprobe -s ip_masq_quake.o
  modprobe -s ip_masq_raudio.o
  modprobe -s ip_masq_vdolive.o
;;
cuseeme)
  cd /lib/modules/2.0.38/ipv4
  modprobe -s ip_masq_cuseeme.o
;;
ftp)
  cd /lib/modules/2.0.38/ipv4
  modprobe -s ip_masq_ftp.o
;;
irc)
   cd /lib/modules/2.0.38/ipv4
   modprobe -s ip_masq_irc.o
;;
quake)
   cd /lib/modules/2.0.38/ipv4
   modprobe -s ip_masq_quake.o
;;
raudio)
  cd /lib/modules/2.0.38/ipv4
  modprobe -s ip_masq_raudio.o
;;
vdolive)
  cd /lib/modules/2.0.38/ipv4
  modprobe -s ip_masq_vdolive.o
;;
*)
  echo ""
  echo "Usage: solve-ALL-masq {all|cuseeme|ftp|irc|quake|raudio|vdolive}"
  echo ""
exit 1
esac

File name: check-ALL-eth
File Location: /usr/local/gateway/bin/

#!/bin/sh
# Each check-ETH* script receives the interface name if ifconfig lists it,
# or no argument at all if the interface is down.
/usr/local/gateway/bin/check-ETH0 `ifconfig | awk '{print $1}' | grep eth0`
/usr/local/gateway/bin/check-ETH1 `ifconfig | awk '{print $1}' | grep eth1`

File name: check-ETH0; check-ETH1
File Location: /usr/local/gateway/bin/

#!/bin/sh
# Exit quietly when the interface name passed by check-ALL-eth is present;
# otherwise ask solve-ALL-eth to bring it up.
case "$1" in
eth0)
  exit 0
  ;;
esac
/usr/local/gateway/bin/solve-ALL-eth eth0

Just change eth0 to eth1 to create both files.

File name: solve-ALL-eth
File Location: /usr/local/gateway/bin/

#!/bin/sh
# Brings up the interface named on the command line,
# or restarts networking altogether with "all".
case "$1" in
all)
  /etc/rc.d/init.d/network restart
;;
eth0)
  echo ""
  echo "Reinitializing eth0"
  echo ""
  /sbin/ifup eth0
;;
eth1)
  echo ""
  echo "Reinitializing eth1"
  echo ""
  /sbin/ifup eth1
;;
*)
  echo ""
  echo "Usage: solve-ALL-eth {all|eth0|eth1}"
  echo ""
  exit 1
esac
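The check-*/solve-* pairs above spread one idea, compare an expected list against what the system reports and repair the difference, across fourteen small files. The script below is an added example, not part of the original article, that performs the same check for both the masquerading modules and the interfaces in one place. The lsmod and ifconfig output it inspects is constructed inline so that it runs anywhere; on the gateway itself you would feed it `lsmod | awk '{print $1}'` and `ifconfig | awk '{print $1}'` instead. It prints the repair commands rather than executing them, which is also a sensible first run on a production firewall before letting cron act on its own.

```shell
#!/bin/sh
# Added example: one consolidated availability check for the masquerading
# helper modules and the two interfaces, emitting the repair commands that
# solve-ALL-masq and solve-ALL-eth would run for whatever is missing.

MODULE_DIR=/lib/modules/2.0.38/ipv4   # same path as the article's solve-ALL-masq
EXPECTED_MODULES="ip_masq_cuseeme ip_masq_ftp ip_masq_irc ip_masq_quake ip_masq_raudio ip_masq_vdolive"
EXPECTED_IFACES="eth0 eth1"

# Constructed sample output standing in for `lsmod | awk '{print $1}'` and
# `ifconfig | awk '{print $1}'`: the ftp and quake helpers are not loaded
# and eth1 is down.
SAMPLE_LSMOD="Module
ip_masq_cuseeme
ip_masq_irc
ip_masq_raudio
ip_masq_vdolive"
SAMPLE_IFCONFIG="eth0
lo"

# missing_names EXPECTED PRESENT -> prints each expected name absent from
# PRESENT, one per line (both arguments are whitespace-separated lists)
missing_names() {
    for name in $1; do
        found=0
        for have in $2; do
            [ "$have" = "$name" ] && found=1
        done
        [ "$found" -eq 0 ] && echo "$name"
    done
    return 0
}

# repair_plan -> prints one repair command per missing module or interface
repair_plan() {
    for mod in $(missing_names "$EXPECTED_MODULES" "$SAMPLE_LSMOD"); do
        echo "(cd $MODULE_DIR && modprobe -s $mod.o)"
    done
    for dev in $(missing_names "$EXPECTED_IFACES" "$SAMPLE_IFCONFIG"); do
        echo "/sbin/ifup $dev"
    done
}

# count_missing -> number of repair actions needed; 0 means everything is up
count_missing() {
    repair_plan | wc -l | tr -d ' '
}

# Stand-alone run: show the plan for the constructed sample state.
repair_plan
```

Replacing the two SAMPLE_ variables with the live command output and piping `repair_plan` into `sh` gives the same effect as the original cron entries, with one advantage: a single script can be logged and reviewed, so a module that keeps disappearing every minute shows up as a pattern instead of being silently reloaded.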

After this, you have a firewall with masquerading, along with some availability checking, in place.

Final steps: download, install and learn to use some tools that are going to help you maintain and solve future problems with your firewall.

  • Sniffer : the best way to solve network problems is knowing what is going on. Packet sniffers show you the traffic on your network. The sniffer I think is best is called Sniffit, available with documentation at: http://reptile.rug.ac.be/~coder/sniffit/sniffit.html
  • Redirect : this tool is used to redirect connections coming to an IP and port to another IP and port. You can use this on the firewall to redirect connections to an internal machine, or ideally, a machine sitting on a DMZ hanging off the firewall. This will allow you to have services accessible to the outside, without needing to run them on the firewall. The tool I use is called rinetd and can be found, along with documentation, at: http://www.boutell.com/rinetd/
  • Network Utilization Monitoring : it is very important to know how much, and how, your network is being utilized, so you can make plans for upgrading, learn the needs of your clients and do traffic pattern analysis. One tool that is one of the most widely used for monitoring network usage is called NTop. It is similar to the Unix command top and has a text and web based interface. You can find it at: http://www.ntop.org/
  • Proxy : most administrators want to install a proxy server, to reduce the amount of bandwidth used by people accessing common web pages. The easiest way to do this is to set up a Transparent Proxy on the Firewall/NAT machine. In the firewall configuration above there is a rule for Transparent Proxying. If you are going to set it, take a look at Squid, the most widely used proxy server: http://www.squid-cache.org/
  • VPN : if you want to set up a Virtual Private Network, you should take a look at my article on the SecurityFocus Linux Focus Area -> Securing Linux -> Linux and IPSec: http://www.securityfocus.com/
  • Other NAT resources : there are several web pages on NAT, and they can help you if you have any specific case not covered here, or need more information:

  • HTTP Server : the Apache server has options to set up virtual hosts and also to redirect incoming HTTP connections. The best way to use an internal host as an HTTP server for the external world is to use Apache with a virtual host redirecting to the internal host: http://www.apache.org/

This is probably all you want to know about a Firewall/NAT server if you do not want to get too complex in your configuration. I hope you can make good use of the scripts I have presented, and that you find them easy to change to fit your network. I have used this configuration for about 2 years now, on several machines, and none of them has ever been cracked into - and my logs tell me that people have been trying. This does not mean that it is impossible to get into them, as one could find a mistake and exploit it. As such, you should always keep an eye open and read about security on your operating system and applications, and always keep it up-to-date on patches.


