Previous Page | Next Page

  1. Introduction
  2. Network Topology
  3. Hardware Connections
  4. TCP/IP Ports and Addresses
  5. Network Protocol Levels
  6. Data Link Layer and IEEE
  7. Network Protocol Categories
  8. Repeaters, Bridges, Routers
  9. ARP and RARP Address Translation
  10. Basic Addressing
  11. IP (Network)
  12. TCP (Transport)
  13. UDP (Transport)
  14. ICMP
  15. Hardware Cabling
  16. Wireless media
  17. Outside Connections
  18. Ethernet
  19. Token Ring
  20. ARCnet
  21. AppleTalk
  22. FDDI
  23. IPX/SPX
  24. NetBEUI
  25. AppleTalk
  26. SNA
  27. Others
  28. Simple Routing
  29. More Complex Routing
  30. IP Masquerading
  31. Firewalls
  32. Domain Name Service (DNS)
  33. Virtual Private Networking
  34. DHCP
  35. BOOTP
  36. RPC and NFS
  37. Broadcasting and Multicasting
  38. IGMP
  39. Dynamic Routing Protocols
  40. Simple Mail Transfer Protocol (SMTP)
  41. Simple Network Management Protocol
  42. Network Services
  43. Installing Drivers
  44. Network Operating Systems
  45. Applications
  46. Wide Area Networks
  47. Backing up the network
  48. Fault Tolerance
  49. Troubleshooting
  50. Commonly used Network Ports
  51. Networking Terms and Definitions
  52. Networking RFCs and Protocols
  53. Further Reading
  54. Credits

Firewalls

Firewalls are mainly used as a means to protect an organization's internal network from those on the outside (internet). It is used to keep outsiders from gaining information to secrets or from doing damage to internal computer systems. Firewalls are also used to limit the access of individuals on the internal network to services on the internet along with keeping track of what is done through the firewall. Please note the difference between firewalls and routers as described in the second paragraph in the IP Masquerading section.

Firewall between Internet and Network

Types of Firewalls

  1. Packet Filtering - Blocks selected network packets.
  2. Circuit Level Relay - SOCKS is an example of this type of firewall. This type of proxy is not aware of applications but just cross links your connects to another outside connection. It can log activity, but not as detailed as an application proxy. It only works with TCP connections, and doesn't provide for user authentication.
  3. Application Proxy Gateway - The users connect to the outside using the proxy. The proxy gets the information and returns it to the user. The proxy can record everything that is done. This type of proxy may require a user login to use it. Rules may be set to allow some functions of an application to be done and other functions denied. The "get" function may be allowed in the FTP application, but the "put" function may not.

Proxy Servers can be used to perform the following functions.

  • Control outbound connections and data.
  • Monitor outbound connections and data.
  • Cache requested data which can increase system bandwidth performance and decrease the time it takes for other users to read the same data.

Application proxy servers can perform the following additional functions:

  • Provide for user authentication.
  • Allow and deny application specific functions.
  • Apply stronger authentication mechanisms to some applications.

Packet Filtering Firewalls

In a packet filtering firewall, data is forwarded based on a set of firewall rules. This firewall works at the network level. Packets are filtered by type, source address, destination address, and port information. These rules are similar to the routing rules explained in an earlier section and may be thought of as a set of instructions similar to a case statement or if statement. This type of firewall is fast, but cannot allow access to a particular user since there is no way to identify the user except by using the IP address of the user's computer, which may be an unreliable method. Also the user does not need to configure any software to use a packet filtering firewall such as setting a web browser to use a proxy for access to the web. The user may be unaware of the firewall. This means the firewall is transparent to the client.

Circuit Level Relay Firewall

A circuit level relay firewall is also transparent to the client. It listens on a port such as port 80 for http requests and redirect the request to a proxy server running on the machine. Basically, the redirect function is set up using ipchains then the proxy will filter the package at the port that received the redirect.

Configuring a Proxy Server

The following packages are available in Linux:

  • Ipchains soon to be replaced by netfilter (Packet filtering supported by the Linux kernel). It comes with Linux and is used to modify the kernel packet routing tables.
  • SOCKS - Circuit Switching firewall. Normally doesn't come with Linux, but is free.
  • Squid - A circuit switching proxy. Normally comes with Linux.
  • Juniper Firewall Toolkit - A firewall toolkit product used to build a firewall. It uses transparent filtering, and is circuit switching. It is available as open source.
  • The TIS Firewall Toolkit (FWTK). A toolkit that comes with application level proxies. The applications include Telnet, Rlogin, SMTP mail, FTP, http, and X windows. it can also perform as a transparent proxy for other services.

Ipchains and Linux Packet filtering

For complete information on the use of IP chains and setting up a firewall, see the following Linux how-tos:

  • IPCHAINS-HOWTO
  • Firewall-HOWTO
  • IP-Masquerade-HOWTO

Some of the information in this section is based on these how-tos. This section summarizes and puts in simple steps some of the items you will be required to perform to set up a firewall. It is not meant as a replacement for the Linux how to documents, but a complement to them by giving an overview of what must be done. You may access the howtos from one of the websites listed in the Linux websites section. The Linux Documentation Project or Metalab's Index of Linux publications will have copies if these howtos.

The administration of data packet management is controlled by the kernel. Therefore to provide support for things like IP masquerading, packet forwarding, and port redirects, the support must be compiled into the kernel. The kernel contains a series of tables that each contain 0 or more rules. Each table is called a chain. A chain is a sequence of rules. Each rule contains two items.

  1. Characteristics - Characteristics such as source address, destination address, protocol type (UDP, TCP, ICMP), and port numbers.
  2. Instructions - Instructions are carried out if the rule characteristics match the data packet.

The kernel filters each data packet for a specific chain. For instance when a data packet is received, the "input" chain rules are checked to determine the acceptance policy for the data packet. The rules are checked starting with the first rule (rule 1). If the rule characteristics match the data packet, the associated rule instruction is carried out. If they don't match, the next rule is checked. The rules are sequentially checked, and if the end of the chain is reached, the default policy for the chain is returned.

Chains are specified by name. There are three chains that are available and can't be deleted. They are:

  1. Input - Regulates acceptance of incoming data packets.
  2. Forward - Defines permissions to forward packets that have another host as a destination.
  3. Output - Permissions for sending packets.

Each rule has a branch name or policy. Policies are listed below:

  • ACCEPT - Accept the data packet.
  • REJECT - Drop and the packet but send a ICMP message indicating the packet was refused.
  • DENY - Drop and ignore the packet.
  • REDIRECT - Redirect to a local socket with input rules only even if the packet is for a remote host. This applies to TCP or UDP packets.
  • MASQ - Sets up IP masquerading. Works on TCP or UDP packets.
  • RETURN - The next rule in the previous calling chain is examined.

You can create more chains then add rules to them. The commands used to modify chains are as follows:

  • -N Create a new chain
  • -X Delete an empty chain
  • -L List the rules in the chain
  • -P Change the policy for a chain
  • -F Flush=Delete all the rules in a chain
  • -Z Zero the packet and byte counters in all chains

Commands to manipulate rules inside the chain are:

  • -A Append a new rule to a chain.
  • -I Insert a new rule at some position in a chain.
  • -R Replace a rule at some position in a chain.
  • -D Delete a rule at some position in a chain.
  • Options for masquerading:
    • -M with -L to list the currently masqueraded connection.
    • -M with -S to set the masquerading timeout values.

IPchains Options for setting rule specifications:

  • -s Source
  • -d Destination
  • -p Protocol=tcp, upd, icmp, all or a name from /etc/protocols
  • -j Jump target, Specifies the target of the rule. The target can be a user defined chain, but not the one this rule is in.
  • -i Interface=Name of the interface the packet is received on or the interface where the packet will be sent
  • -t Mask used to modify the type of service (TOS) field in the IP header. This option is followed by two values, the first one is and'ed with the TOS field, and the second is exclusive or'ed. The masks are eight bit hexadecimal values. An example of use is "ipchains -A output -p tcp -d 0.0.0.0/0 telnet -t 0x01 0x10" These bits are used to set priority. See the section on IP message formats.
  • -f Fragment

When making changes to firewall rules, it is a good idea to deny all packages prior to making changes with the following three commands:

ipchains -I input 1 -j DENY
ipchains -I output 1 -j DENY
ipchains -I forward 1 -j DENY

These commands inserts a rule at location 1 that denies all packages for input, output, or forwarding. This is done so no unauthorized packets are not let through while doing the changes. When your changes have been completed, you need to remove the rules at position 1 with the following commands:

ipchains -D input 1
ipchains -D output 1
ipchains -D forward 1

Examples of the use of ipchains to allow various services

Create a new chain:

ipchains -N chainame

The option "-N" creates the chain.

Add the chain to the input chain:

ipchains -A input -j chainame

Allow connections to outside http servers from inside our network:

ipchains -A chainame -s 10.1.0.0/16 1024: -d 0.0.0.0/0 www -j ACCEPT

The "-A chainame" adds a rule to the chain called "chainame". The "-s 10.1.0.0/16 1024:" specifies any traffic on network 10.1.0.0 at port 1024 or above. The "-d 0.0.0.0/0 www" specifies any destination for www service (in the /etc/services file) and the "-j ACCEPT" sets the rule to accept the traffic.

Allow connections from the internet to connect with your http server:

ipchains -A chainame -s 0.0.0.0/0 www -d 10.1.1.36 1024: -j ACCEPT

The "-A chainame" adds a rule to the chain called "chainame". The "-s 0.0.0.0/0 www" specifies traffic from any source for www service. The "-d 10.1.1.36 1024:" specifies the http server at IP address 10.1.1.36 at ports above 1024 and the "-j ACCEPT" sets the rule to accept the traffic.

Allow DNS to go through the firewall:

ipchains -A chainame -p UDP -s 0/0 dns -d 10.1.0.0/16 -j ACCEPT

The "-A chainame" adds a rule to the chain called "chainame". The "-p UDP" specifies UDP protocol. The "-s 0/0 dns" specifies any dns traffic from any location. The "-d 10.1.0.0/16" specifies our network and the "-j ACCEPT" sets the rule to accept the traffic. This allows DNS queries from computers inside our network to be received.

Allow e-mail to go from our internal mail server to mailservers outside the network.

ipchains -A chainame -s 10.1.1.24 -d 0/0 smtp -j ACCEPT

The "-A chainame" adds a rule to the chain called "chainame". The "-s 10.1.1.24" specifies any traffic from 10.1.1.24 IP address. The "-d 0/0 smtp" specifies any smtp type of service going anywhere and the "-j ACCEPT" sets the rule to accept the traffic.

Allow e-mail to come from any location to our mail server:

ipchains -A chainame -s 0/0 smtp -d 10.1.1.24 smtp -j ACCEPT

The "-A chainame" adds a rule to the chain called "chainame". The "-s 0/0 smtp" specifies mail traffic from anywhere. The "-d 10.1.1.24 smtp" specifies mail traffic going to our mail server and the "-j ACCEPT" sets the rule to accept the traffic.

Perform a HTTP port redirect for a transparent proxy server:

ipchains -A input -p tcp -s 10.1.0.0/16 -d 0/0 80 -j REDIRECT 8080

The "-A input" adds a rule to the input chain. The "-p tcp" specifies the protocol TCP. The "-s 10.1.0.0/16" specifies the source as a network with netmask 255.255.0.0. The "-d 0/0" specifies a destination of anywhere. The number 80 is the HTTP port number, and the command "-j REDIRECT 8080" redirects the traffic to port 8080.

Give telnet transmissions a higher priority

ipchains -A output -p tcp -d 0.0.0.0/0 telnet -t 0x01 0x10"

The bits at the end of the line specified in hexadecimal format are used to set the priority of the IP message on the network. The first value is and'ed with the TOS field in the IP message header, and the second value is exclusive or'ed. See the section on IP message formats for more information.

Using ipchains-save and ipchains-restore to make rules permanent

When you are done setting your ipchains rules, use the following procedure while logged on as root to make them permanent:

  1. Type the command "ipchains-save > /etc/iprules.save".
  2. Create the following script named "packetfw":
    #! /bin/sh
    # Packet filtering firewall script to be used turn the firewall on or off
     
    if [ -f /etc/iprules.save ]
    then
       case "$1" in
          start)
              echo -n "Turning on packet filtering firewall:"
              /sbin/ipchains-restore < /etc/iprules.save
              echo 1 > /proc/sys/net/ipv4/ip_forward
              echo "."
              ;;
           stop)
              echo -n "Turning off packet filtering:"
              echo 0 > /proc/sys/net/ipv4/ip_forward
              /sbin/ipchains -X
              /sbin/ipchains -F
              /sbin/ipchains -P input ACCEPT
              /sbin/ipchains -P output ACCEPT
              /sbin/ipchains -P forward ACCEPT
              echo "."
              ;;
           *)
              echo "Usage: /etc/init.d/packetfw {start|stop}"
              exit 1
              ;;
       esac
       exit 0
    else
       echo the /etc/iprules.save file does not exist.
       exit 1
    fi
    
  3. Save the file in the /etc/rc.d/init.d directory.
  4. In the /etc/rc.d/rc3.d and the /etc/rc.d/rc5.d directories make a symbolic link called S07packetfw to the /etc/rc.d/init.d/packetfw file with the command "ln -s /etc/rc.d/rc3/S07packetfw /etc/rc.d/init.d/packetfw". This applies to runlevel 3. Do the same for the runlevel 5 initialization directory. Note: You may need to use a different number than the "S07" string to number your link file. Look in your /etc/rc.d/rc3.d and /etc/rc.d/rc5.d directories to determine what number is available to give this file. Try to give it a number just below your network number file. On my system the S10network file is used to start my network.