Firewall and my home network


johanl

Hello,

 

I am planning to make my Linux server act as a firewall as well and let all inet traffic pass through my server. That means I want to install a second network card, connect that one to my ADSL modem/router and leave the rest of my network connected to the other network card. I already downloaded Arno's iptables script and I want to use that one unless someone has a better suggestion?

 

My server works as a proxy/mail/www/FTP/CS (Halflife) server, when I use Arno's script will this still be working? What do I have to keep in mind when I want to do this? Also, can my server be used as a transparent firewall?


Don't know why you would use a proxy server to do that since the NAT protocol works quite well for that. And there is a nice wizard in the Mandrake Control Center that configures this for you.

 

I have pretty much the same setup as you. I.e. one MDK 9.0 box with 2 ethernet cards. Card1 (eth0) is connected to my cable modem and Card2 (eth1) to a hub .. and me & my girlfriend are connected to this hub. I only had to run the wizard in MCC->Server->ICS (internet connection sharing) and configure the clients on the LAN to use dhcp at boot and everything was working. I mean my computer and the one of my gf were able to surf the net no prob .. that means that my server (the MDK 9.0 box) shares the net.

 

This wizard installs a firewall (Shorewall). If you want to run some services on your server (CS for instance), you will have to configure it. I.e. write some lines in the config script of Shorewall (located at /etc/shorewall/rules) so that some ports are opened for remote connections. By default the server is really secured. I mean that all ports are hidden from the net so even if you run a CS server, no one will be able to connect to it. I wrote a simple FAQ about Shorewall some time ago. Here is the link for ya:

 

http://www.mandrakeusers.org/index.php?showtopic=4731

 

Good luck !

 

If you want some help to set things up, don't be afraid to ask !

 

MOttS


a proxy is a good idea. arno's firewall is a good choice. linux can do NAT, 256 NAT addresses at that. dynamic NAT can be accomplished, and technically, you can do dynamic NAT and dynamic PAT (port address translation). it's all up to you, what you want to use it for and so on.

 

the way you described it, it sounds like you want linux to be a firewall. a server is something that gives information. ie. google. what you described sounds like you want linux to filter the incoming packets from the net. proxies do just that. a proxy is one type of firewall. routers are another, and software firewalls are yet another. all three can be employed.

 

http://tldp.org has a great (but lengthy) howto on all this. look up 'ip masquerading'.


http://dictionary.reference.com/search?q=proxy

prox·y

n. pl. prox·ies

 

1. A person authorized to act for another; an agent or substitute.

2. The authority to act for another.

3. The written authorization to act in place of another.

 

A proxy is a server that pretends to be a browser, it acts like a really big cache, and can be used to filter content ... like removing anything with the F@#K word in it

 

A stateful inspection firewall (iptables and NETFILTER) receives a TCP/IP packet, opens the packet, and qualifies what the packet is, then based on rules, it decides whether or not the packet can be let through

 

example 1: ... internet --> firewall --> webserver

this firewall will allow port 80 (http packets) through to the server ... a packet that PRETENDS to be an http packet is not allowed through

 

example 2: ... internet --> firewall --> desktop

A user on the desktop types in www.F@#K.com into a browser. The firewall allows this packet through to the net because it is a valid http packet

 

example 3: ... internet --> firewall --> proxy --> desktop

A user on the desktop types in www.F@#K.com into a browser. The proxy stops the request because it is filtering content. The same user types in www.mandrakeusers.org into a browser, the proxy allows the traffic through to the firewall, because it does not contain F@#K, the firewall allows the packet (the http packet) through to the internet because it is a valid http packet

 

 

just to clarify :D

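The three examples above describe a stateful firewall sitting between the net and the machines behind it. As an added illustration (not from any post in this thread), here is a minimal iptables rule set for the original poster's layout: one box with two cards, services running on the firewall itself, and a LAN masqueraded behind it. Interface names (eth0 to the modem, eth1 to the LAN), the LAN subnet, and the service ports (21, 22, 25, 80 TCP and 27015 UDP for the Half-Life server) are assumptions; the script prints the rules so they can be reviewed before being applied with `apply`.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: eth0 = ADSL modem (net),
# eth1 = LAN hub, LAN is 192.168.0.0/24. Assumed service ports: 21 ftp, 22 ssh,
# 25 smtp, 80 www (tcp) and 27015 (udp, Half-Life/CS default).
WAN=eth0
LAN=eth1
LAN_NET=192.168.0.0/24

# gen_rules prints the rule set; apply_rules executes it. Keeping the two
# apart lets the rules be reviewed without root or a real kernel.
gen_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# stateful inspection: only packets belonging to a connection the firewall
# already knows about (or related to one, e.g. FTP data) are let back in
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# the LAN may talk to the server and be forwarded out to the net
iptables -A INPUT -i $LAN -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
# services the server itself offers to the net are plain INPUT rules;
# no "port forwarding to itself" is needed for them
EOF
    for p in 21 22 25 80; do
        echo "iptables -A INPUT -i $WAN -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -i $WAN -p udp --dport 27015 -j ACCEPT"
    # NAT (masquerading) so the whole LAN shares the single ADSL address
    echo "iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE"
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

# Sanity check: how many rules accept NEW traffic arriving on the net side.
# Anything beyond the intended services showing up here is a mistake.
count_net_open() {
    gen_rules | grep -c -- "-i $WAN .*ACCEPT"
}

apply_rules() {
    gen_rules | sh
}

if [ "$1" = "apply" ]; then apply_rules; else gen_rules; fi
```

Run as root with `apply` to load the rules; without it the script only prints them.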

I have my house wired CAT5 for every room. (found a 1000' spool of CAT5 wire in a garbage can, can you believe it)

 

I had an old Pentium 75mhz computer with 16mb of ram. I turned it into a router/firewall. No hard drive or CD-ROM needed. All you need is an old computer (486 or above), 12mb of ram with a floppy. The Linux distro is called Coyote Linux.

 

http://www.coyotelinux.com/

 

The newest version comes with iptables set for full stealth except the ssh port. That's an easy fix. After it boots I can access it from any home computer via a web browser http://192.168.0.1:8180. From there I can set up port forwarding via GUI and edit my firewall rules via GUI also. If I need to reboot it can be done also from the web browser. I have mine set up to log off my DSL if no activity within 120 mins. It will automatically log back on when I attempt to use the internet again.


Ok maybe I haven't been very clear about my network, but the server running Mandrake 9.0 right now and being a mail/FTP/CS/www/SSH server, is going to be the firewall as well. So do I really need to set up the firewall (iptables or something similar) to do port forwarding to itself for those ports?

 

Do you guys think it's a better idea to use a separate pc as a firewall only ?


No, you can use this PC to do port forwarding and firewalling as well. If you are a geek you can install iptables and play with it right away. However, I suggest you install Shorewall, which is a nice frontend to iptables.

 

Good luck

 

MOtts


4 weeks later...

I've always liked the idea of having a separate machine to be the firewall... I dunno why but it just makes more sense to have that service on its own.


I agree. Most of the security experts I've read recommend having a separate dedicated box for the firewall. The main rationale seems to be that with a separate firewall box you will not have potentially vulnerable software/services running on the firewall box like you might have/need with a full featured box.

Edited by pmpatrick

To go one step further, use OpenBSD on that separate PC :P

 

 

Or you could also use firestarter on your mdk pc

 

http://firestarter.sourceforge.net/

 

 

Firestarter is a GTK+/GNOME front end to the various firewalling subsystems available in the Linux kernel, for example Netfilter. Its aim is to provide a functional, secure yet easy to use front end for modern advanced firewalling technologies to the GNOME desktop.

 

http://www.netfilter.org/


Well having a separate firewall is nice and probably better I think, but on the other hand it's just my home network we're talking about. That Firestarter frontend sounds interesting, I think I'm gonna play with it.

Edited by johanl