A Flexible Firewall Strategy
Copyright Darrell Anderson.

For some people a frustrating aspect of Slackware is the lack of any iptables firewall script. Like much of Slackware, end-users are left to discover their own solution. Offered here in this mini how-to is one possible solution. The solution provides an appropriate firewall strategy for stand-alone computers, LAN computers, and internet gateways. The scripts are easily revised and adapted for individual needs. What is offered here is more than adequate for a majority of people's needs, however.

The scripts offered here originally were created using the online Easy Firewall Generator. However, that particular script generator does not support the Slackware directory tree. An identical script generator that directly supports the Slackware directory tree is available at Alien Bob's web site. Users can generate their own scripts or use the ones offered here.

The base Slackware rc.d scripts already support an rc.firewall script (see /etc/rc.d/rc.inet2), although no rc.firewall script is included with the stock Slackware. The strategy provided here includes an rc.firewall script as well as three additional scripts to support the particular needs of the end-user. Which subsequent script is used is determined by how the end-user selects and configures various environment variables. The scripts offered here provide ample on-screen messages to inform users how the firewall is configured.

The environment variables are stored in /etc/rc.d/rc.inet1.conf. The variables could be created and stored directly in the /etc/rc.d/rc.firewall script, but housing any and all network-related variables in rc.inet1.conf is more favorable toward supporting other scripts too, such as rc.ntpd. Containing all such variables in one location provides for easier maintenance.

Based upon which variables are set and configured, when the rc.inet2 script calls the rc.firewall script, the system is then configured with the appropriate iptables rule set to protect the computer. Simply copy the four rc.firewall scripts to the /etc/rc.d directory. Then merge the supplied rc.inet1.conf snippet into the existing rc.inet1.conf file.

Presumed in these scripts is that all boxes connected to the local network are trusted. These scripts are intended for small business or home networks only. Although the rc.firewall-gateway script creates firewall rules to protect a computer providing gateway and network address translation services, that same box may also be used as a workstation on the network.

Before installing and testing these scripts, be sure that basic network connections already function. The ping and nmap commands are sufficient for this. Of course, people connecting to the internet with a stand-alone box and no local network will have to ping internet addresses to test the internet connection. Users should run a basic port test before and after installing the firewall scripts. A well-known location for those tests is the Shields Up! test site at www.grc.com. Be aware that some internet service providers block ports or mask some ports as "stealth", so an external port test might not provide conclusive results that the firewall is working as intended. In that case port testing will have to be performed from within the ISP's network but outside the user's home network.

To enable the scripts to provide gateway protection, ensure the NAT_SERVER variable is set to "yes". This type of box is assumed to have two network cards, one for the local network traffic and one for internet traffic. As can be seen from the scripts, IP forwarding will be enabled. Usually the internet IP address is assigned dynamically. Local IP addresses are assigned dynamically or statically, depending upon the needs and desires of the users. For small home networks, static addresses are just fine, even with wireless connections.

If the computer is connected to a LAN and the IP address is statically assigned, then the scripts provide protection for a LAN workstation (a good precaution even behind another firewall or router). If no network card is defined in rc.inet1.conf, or the IP address is dynamically assigned, then the firewall scripts will default to the stand-alone configuration. This setting is also for dial-up users. Dial-up users should configure the INET_IFACE variable for ppp0 as appropriate.

The design of these scripts is intended to be flexible for many users, but is by no means intended to cover all possible circumstances. Improvements and suggestions are welcomed.

Files included:
  /etc/rc.d/rc.firewall-standalone
  /etc/rc.d/rc.inet1.conf (snippet only — amend this file to your existing rc.inet1.conf)

Finis.
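As an added illustration, not code from the article or its scripts, here is a small dispatcher in the spirit of rc.firewall that applies the selection rules above (gateway when NAT_SERVER is "yes", LAN workstation for a defined card with a static address, stand-alone otherwise) and refuses a gateway setup that lacks two distinct cards. NAT_SERVER and INET_IFACE are the article's variables; LAN_IFACE, IPADDR and USE_DHCP are assumed names standing in for the interface and address settings kept in rc.inet1.conf.

```bash
#!/bin/bash
# Added example, not from the article: a dispatcher in the spirit of
# rc.firewall that picks the profile script from rc.inet1.conf-style
# settings. NAT_SERVER and INET_IFACE come from the article; LAN_IFACE,
# IPADDR and USE_DHCP are assumed names for the LAN interface/address.

# select_profile NAT_SERVER INET_IFACE LAN_IFACE IPADDR USE_DHCP
# Prints one of: gateway | lan | standalone (exit 1 on a bad gateway setup)
select_profile() {
    nat="$1"; inet="$2"; lan="$3"; ip="$4"; dhcp="$5"
    if [ "$nat" = "yes" ]; then
        # A gateway needs two distinct cards: one LAN side, one internet side.
        if [ -z "$inet" ] || [ -z "$lan" ] || [ "$inet" = "$lan" ]; then
            echo "rc.firewall: NAT_SERVER=yes needs distinct INET_IFACE and LAN_IFACE" >&2
            return 1
        fi
        echo gateway
        return 0
    fi
    # LAN workstation: a defined card with a statically assigned address.
    if [ -n "$lan" ] && [ -n "$ip" ] && [ "$dhcp" != "yes" ]; then
        echo lan
        return 0
    fi
    # No card defined, or a dynamic address (also dial-up): stand-alone rules.
    echo standalone
}

# Hand off to /etc/rc.d/rc.firewall-<profile>, the script rc.inet2 reaches via rc.firewall.
run_firewall() {
    profile=$(select_profile "$NAT_SERVER" "$INET_IFACE" "$LAN_IFACE" \
                             "$IPADDR" "$USE_DHCP") || return 1
    script="/etc/rc.d/rc.firewall-$profile"
    echo "rc.firewall: $profile profile selected -> $script"
    if [ "$profile" = "gateway" ]; then
        echo "rc.firewall: IP forwarding will be enabled ($LAN_IFACE -> $INET_IFACE)"
    fi
    if [ ! -x "$script" ]; then
        echo "rc.firewall: $script is missing or not executable" >&2
        return 1
    fi
    export NAT_SERVER INET_IFACE LAN_IFACE IPADDR USE_DHCP
    "$script"
}

# Only dispatch when invoked as "rc.firewall start"; sourcing it just defines the functions.
if [ "${1:-}" = "start" ]; then
    run_firewall || exit 1
fi
```

Sourcing the file in a shell and calling select_profile with the five values lets you check which profile a given rc.inet1.conf would produce before rebooting.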