Linux Consulting: Firewalls that Work Under Kernel 2.2
Aug 12, 1999, 15:37
by Tom Adelstein
Businesses of all sizes use the Internet on a global basis.
Estimates of the number of high-speed lines to the Internet
backbone from the business community range from one to three
million, depending on who publishes the reports. Whatever the number
of business connections to the Internet, most analysts agree,
including the major backbone provider, that about 85% of those
lines remain unprotected by a firewall of any kind.
This is where Linux solutions have their most significant market edge, and one many people have overlooked. The Linux solution requires no user licenses and can provide rule-based and hardware-based firewall protection. Consider the consequences of providing a secure environment for users on your network and the ability to access the Internet without revealing your internal IP addresses.
The cost of firewalls and proxy servers from major vendors has
prevented many businesses from utilizing the Internet. With this
barrier removed, IT departments have no excuses left for failing to provide
a safe environment. If you want to test the security of your
network, try pinging your workstation from your home. First,
find out its IP address. When at home, go to a DOS command prompt
or the command line of a Linux machine and type in "ping
xxx.xxx.xxx", where "x" represents a number such as 192.168.2.1.
Don't use the quotes in the command. If your command returns a
reply such as this:
Last year, I took a contract with a national consultancy and immediately noticed their exposure to the Internet. When I raised the issue with the CTO, he gave me numerous excuses. He even told me that he had the main router configured to filter packets and keep intruders out. I saw a Cisco 2501 and a Kentronics CSU/DSU on the rack.
Seeing that we had reached a stalemate, I brought it to management's attention. In a very polite and non-intrusive way, one of the executives asked him to test the network from home. The next morning, I received a call before 6:00 AM from the CTO asking me to come to the office at once. He had pinged his Notes server from his son's computer. Call the rest history.
This article describes how to enable the Linux IP Masquerade feature on a given Linux host. IP Masq is a form of Network Address Translation that allows internally connected computers that do not have registered Internet IP addresses of their own to communicate with the Internet via your Linux box's single Internet IP address.
What is IP Masquerade for Linux?
IP Masquerade is a networking feature in Linux. If a Linux host
is connected to the Internet with IP Masquerade enabled, then
computers connected to it (usually on the same LAN, but possibly
over other links such as modems or PLIP) can reach the
Internet as well, even though they have no officially assigned IP
Who Can Benefit From IP Masquerade?
If you have a Linux host connected to the Internet and
IP Masquerading Example:
[Network diagram: A-box, B-box and C-box on the internal 192.168.0.0 network, connected through the Linux gateway Masq-Gate (192.168.0.1) and its PPP link to the Internet]
In this example, there are four computer systems that we are concerned about. There is also presumably something on the far right that your PPP connection to the Internet comes through (a terminal server, etc.), and some remote host (very far off to the right of the page) out on the Internet that you are interested in communicating with. The Linux system Masq-Gate is the IP Masquerading gateway for ALL of the internal network of machines, A-box, B-box and C-box, to get to the Internet. The internal network uses one of the several RFC-1918 private network addresses, in this case the Class-C network 192.168.0.0. The Linux box has the TCP/IP address 192.168.0.1 while the other systems have the addresses:
A-box: 192.168.0.2
The three machines, A-box, B-box and C-box, can be running any
operating system as long as they can speak TCP/IP. OSes such as
Windows 95, Macintosh MacTCP or OpenTransport, or even another Linux
box can connect to other machines on the Internet. When running,
the masquerading system, Masq-Gate, converts all of these internal
connections so that they appear to originate from Masq-Gate itself.
MASQ then arranges for data coming back in to a masqueraded
connection to be relayed back to the proper originating system.
Because of this, the systems on the internal network see a direct
route to the Internet and are unaware that their data is being
masqueraded. This is called a "transparent" connection.
Linux 2.2.x Kernels
# Needed to initially load modules
# Supports the proper masquerading of FTP file transfers using the PORT method
# Supports the masquerading of RealAudio over UDP. Without this
# Supports the masquerading of IRC DCC file transfers
# Supports the masquerading of Quake and QuakeWorld by default. This module is
# Supports the masquerading of the CuSeeme video conferencing
# Supports the masquerading of the VDO-live video conferencing
# CRITICAL: Enable IP forwarding since it is disabled by default
# Dynamic IP users:
# MASQ timeouts
# Enable simple IP forwarding and Masquerading
# DHCP: For people who receive their external IP address from either DHCP or BOOTP
Once you are finished with editing the /etc/rc.d/rc.firewall ruleset, make it executable by typing in chmod 700 /etc/rc.d/rc.firewall
You could also have enabled IP Masquerading on a PER MACHINE basis instead of the above method, which enables an ENTIRE TCP/IP network. For example, say I wanted only the 192.168.0.2 and 192.168.0.8 hosts to have access to the Internet and NOT any of the other internal machines. I would change the rules in the "Enable simple IP forwarding and Masquerading" section (shown above) of the /etc/rc.d/rc.firewall ruleset.
What appears to be a common mistake with new IP Masq users is to
make the first command:
Do NOT make your default policy MASQUERADING. Otherwise someone who can manipulate the routing tables will be able to tunnel straight back through your gateway, using it to masquerade their OWN identity!
Again, you can add these lines to the /etc/rc.d/rc.firewall file, one of the other rc files you prefer, or do it manually every time you need IP Masquerade.
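The following script is an added example written for this article, not the article's own rc.firewall or the IP Masquerade HOWTO's text. It assembles the ipchains rule set the commented sections above describe, in both the whole-network form and the per-machine form from the previous section, and it always sets the forward policy to DENY before any MASQ rule, so the default-policy mistake warned about above cannot happen. The external interface name eth0, the DRY_RUN switch and the two host addresses are assumptions; with DRY_RUN=1 (the default) the commands are only printed, so the rule set can be reviewed on any machine before being installed on a 2.2.x gateway.

```shell
#!/bin/sh
# Added example: generate and review an ipchains masquerading rule set
# for a Linux 2.2.x gateway. Not taken from the article's rc.firewall.

IPCHAINS=${IPCHAINS:-/sbin/ipchains}
EXT_IF=${EXT_IF:-eth0}              # assumed Internet-facing interface
LAN_NET=${LAN_NET:-192.168.0.0/24}  # the article's internal Class-C network
DRY_RUN=${DRY_RUN:-1}               # 1 = print commands, 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Kernel side: module table, FTP PORT helper, IP forwarding (off by default
# in 2.2.x) and the MASQ timeouts (2 h TCP, 10 s after FIN, 160 s UDP).
kernel_setup() {
    run /sbin/depmod -a
    run /sbin/modprobe ip_masq_ftp
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
    run "$IPCHAINS" -M -S 7200 10 160
}

# Whole-network form: DENY is the policy, MASQ is a rule for the LAN only.
masq_network() {
    run "$IPCHAINS" -P forward DENY
    run "$IPCHAINS" -A forward -i "$EXT_IF" -s "$LAN_NET" -j MASQ
}

# Per-machine form: one MASQ rule per listed host; every other internal
# address falls through to the DENY policy and never reaches the Internet.
masq_hosts() {
    run "$IPCHAINS" -P forward DENY
    for h in "$@"; do
        run "$IPCHAINS" -A forward -i "$EXT_IF" -s "$h/32" -j MASQ
    done
}

# Review check: read a rule listing on stdin (one command per line, as the
# functions above print it) and fail unless the last forward policy set is
# DENY or REJECT. A MASQ policy is the mistake the article warns about.
check_policy() {
    policy=$(grep -- '-P forward' | tail -n 1 | awk '{print $NF}')
    case "$policy" in
        DENY|REJECT) return 0 ;;
        *) echo "unsafe forward policy: ${policy:-none}" >&2; return 1 ;;
    esac
}

# When run directly in dry-run mode, print both rule sets for review.
if [ "$DRY_RUN" = 1 ]; then
    echo "# kernel setup:";   kernel_setup
    echo "# whole network:";  masq_network
    echo "# selected hosts:"; masq_hosts 192.168.0.2 192.168.0.8
fi
```

Pipe a listing through `check_policy` (for example `masq_network | check_policy`) before switching DRY_RUN to 0; it exits non-zero if the forward policy is anything other than DENY or REJECT.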
Configuring the other internal to-be MASQed machines
For the Domain Name Service, you can add in any DNS servers that
are available. The most apparent one should be the one that your
Linux server is using. You can optionally add any "domain search"
suffix as well.
The following configuration instructions assume that you are
using a Class C network with 192.168.0.1 as your Linux MASQ
server's address. Please note that 192.168.0.0 and 192.168.0.255
are reserved TCP/IP addresses.
Linux 1.2.x, 1.3.x, 2.0.x, 2.1.x, 2.2.x
Configuring Microsoft Windows 95
1. If you haven't installed your network card and adapter driver, do so now. Description of this is beyond the scope of this document.
2. Go to the 'Control Panel' --> 'Network'.
3. Click on Add --> Protocol --> Manufacturer: Microsoft --> Protocol: 'TCP/IP protocol' if you don't already have it.
4. Highlight the TCP/IP item bound to your Windows 95 network card and select 'Properties'. Now go to the 'IP Address' tab and set IP Address to 192.168.0.x (1 < x < 255), and then set the Subnet Mask to 255.255.255.0.
5. Now select the 'Gateway' tab, add 192.168.0.1 as your gateway under 'Gateway' and hit 'Add'.
6. Under the 'DNS Configuration' tab, make sure to put in a name for this machine and enter your official domain name. If you don't have your own domain, put in the domain of your ISP. Now, add all of the DNS servers that your Linux host uses (usually found in /etc/resolv.conf). Usually these DNS servers are located at your ISP, though you can be running either your own CACHING or Authoritative DNS server on your Linux MASQ server as well. Optionally, you can add any appropriate domain search suffixes as well.
7. Leave all the other settings as they are unless you know what you're doing.
8. Click 'OK' on all dialog boxes and restart the system.
9. Ping the Linux box to test the network connection: 'Start/Run', type: ping 192.168.0.1
10. You can optionally create a HOSTS file in the C:\Windows directory so that you can ping the "hostname" of the machines on your LAN without the need for a DNS server. There is an example called HOSTS.SAM in the C:\windows directory.
Linux provides an inexpensive solution for a secure network. Some companies with whom I've consulted have insisted that they spend tens of thousands of dollars on a lesser but proprietary system. I remember a CIO of a large hotel chain discussing this with me. He said, "When I make decisions, I imagine I'm having a conversation with the CEO. I imagine that someone broke into our network and took sensitive financial data. The CEO, Don, then asks me why I used the system I did. I say, because it was cheap. He then fires me."
I consider this one of the ultimate rationalizations I have ever heard. First, Linux isn't cheap, it's free. Secondly, if it's good enough for the Department of Defense, it's good enough for me.