Linux Consulting: Firewalls that Work Under Kernel 2.2

by Tom Adelstein of
Bynari, Inc.
with Emmanuel Stalin and
Prabhakar Vijayarangam


Businesses of all sizes use the Internet on a global basis.
Estimates of the number of high-speed lines from the business
community to the Internet backbone range from one to three million,
depending on who publishes the report. Whatever the actual number
of business connections to the Internet, most analysts, including
the major backbone provider, agree that about 85% of those lines
remain unprotected by a firewall of any kind.

This situation gives Linux solutions their most significant market
edge, and one that many people have overlooked. A Linux solution
requires no user licenses and can provide both rule-based and
hardware-based firewall protection. Consider what it means to
provide a secure environment for the users on your network, along
with the ability to access the Internet without revealing your
internal IP addresses.

The cost of firewalls and proxy servers from major vendors has
prevented many businesses from making full use of the Internet.
With this barrier removed, IT departments have no excuses left for
not providing a safe environment. If you want to test the security
of your network, try pinging your workstation from home. First,
find out its IP address. Then, at home, go to a DOS command prompt
or the command line of a Linux machine and type ping
xxx.xxx.xxx.xxx, where each xxx represents a number, as in
192.168.2.1. If your command returns a reply such as this:

$ ping 198.6.1.2
PING 198.6.1.2 (198.6.1.2): 56 data bytes
64 bytes from 198.6.1.2: icmp_seq=0 ttl=248 time=430.1 ms
64 bytes from 198.6.1.2: icmp_seq=1 ttl=248 time=718.7 ms
64 bytes from 198.6.1.2: icmp_seq=2 ttl=248 time=240.1 ms
64 bytes from 198.6.1.2: icmp_seq=3 ttl=248 time=64.8 ms
64 bytes from 198.6.1.2: icmp_seq=4 ttl=248 time=56.7 ms

--- 198.6.1.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 56.7/302.0/718.7 ms

and that’s the IP of your workstation, then you’re exposed to the
public Internet.

Last year, I took a contract with a national consultancy and
immediately noticed their exposure to the Internet. When I raised
the issue with the CTO, he gave me numerous excuses. He even told
me that he had the main router configured to filter packets and
keep intruders out. I saw a Cisco 2501 and a Kentronics CSU/DSU on
the rack.

Seeing that we had reached a stalemate, I brought it to
management’s attention. In a very polite and non-intrusive way, one
of the executives asked him to test the network from home. The next
morning, I received a call before 6:00 AM from the CTO asking me to
come to the office at once. He had pinged his Notes server from his
son’s computer. Call the rest history.

This article describes how to enable the Linux IP Masquerade
feature on a given Linux host. IP Masq is a form of Network Address
Translation that allows internally connected computers that do not
have registered Internet IP addresses of their own to communicate
with the Internet via your Linux box’s single Internet IP address.

What is IP Masquerade for Linux?

IP Masquerade is a networking feature of Linux. If a Linux host
is connected to the Internet with IP Masquerade enabled, then
computers connecting to it (usually on the same LAN, but possibly
over other links such as modems or PLIP) can reach the Internet as
well, even though they have no officially assigned IP addresses.
MASQ allows a set of machines to access the Internet invisibly via
the MASQ gateway: to other machines on the Internet, all of this
outgoing traffic appears to come from the IP MASQ Linux server
itself. Beyond the added functionality, IP Masquerade provides the
foundation for a VERY secure networking environment. With a
well-built firewall, breaking the security of a well-configured
masquerading system and its internal LAN should be considerably
difficult.

Who Can Benefit From IP Masquerade?

You can benefit from IP Masquerade if you have a Linux host
connected to the Internet and

- you have some computers running TCP/IP connected to that Linux
  box on a local subnet, and/or
- your Linux host has more than one modem and acts as a PPP or
  SLIP server connecting other computers,

where those OTHER machines do not have official or publicly
assigned IP addresses (i.e. they are addressed with private TCP/IP
numbers). And of course, you want those OTHER machines to
communicate with the Internet without spending extra money on
additional public/official TCP/IP addresses from your ISP, and
without either configuring Linux to be a router or purchasing an
external router.

IP Masquerading Example:
A typical example is given in the diagram below:

+----------+
|          |192.168.0.2
|  A-box   |:::::::::::::
|          |            :
+----------+            :
                        :
+----------+            :      +-------+      +----------+
|          |192.168.0.3 :      |       |      |          |
|  B-box   |:::::::::::::::::::|  Hub  |::::::|  Linux   |::::::// Internet
|          |            :      |       | eth1 |Masq-Gate | eth0
+----------+            :      +-------+      |          |
                        :          192.168.0.1+----------+208.210.208.79
+----------+            :
|          |192.168.0.4 :
|  C-box   |:::::::::::::
|          |
+----------+

|        Internal Network         |    |   External Network

In this example, there are four computer systems that we are
concerned about. There is also presumably something on the far
right that your PPP connection to the Internet comes through (a
terminal server, etc.), and some remote host (very far off to the
right of the page) out on the Internet that you are interested in
communicating with. The Linux system Masq-Gate is the IP
Masquerading gateway through which ALL of the internal machines,
A-box, B-box and C-box, reach the Internet. The internal network
uses one of the several private network ranges assigned by RFC
1918, in this case the Class C network 192.168.0.0. The Linux box
has the TCP/IP address 192.168.0.1, while the other systems have
the addresses:

A-box: 192.168.0.2
B-box: 192.168.0.3
C-box: 192.168.0.4

The three machines, A-box, B-box and C-box, can be running any
operating system as long as they can speak TCP/IP. OSes such as
Windows 95, Macintosh MacTCP or OpenTransport, or even another
Linux box can connect to other machines on the Internet. When
running, the masquerading system, Masq-Gate, rewrites all of these
internal connections so that they appear to originate from
Masq-Gate itself. MASQ then arranges for data coming back to a
masqueraded connection to be relayed to the proper originating
system. Because of this, the systems on the internal network see a
direct route to the Internet and are unaware that their data is
being masqueraded. This is called a “Transparent” connection.
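To make the translation step concrete, here is a small Python model
of the masquerade table described above. It is an added example
written for this article, not code from the Linux kernel or from
the IP Masq HOWTO: the gateway and host addresses are taken from
the diagram, while the port pool (starting at 61000), the timeouts
and the traffic are constructed for illustration.

```python
import time

GATEWAY_IP = "208.210.208.79"   # Masq-Gate's eth0 address from the diagram
INTERNAL_NET = "192.168.0."     # the RFC 1918 LAN behind Masq-Gate
MASQ_PORT_BASE = 61000          # constructed: start of the gateway's masq port pool
TIMEOUTS = {"tcp": 7200, "udp": 60}   # mirrors ipchains -M -S 7200 10 60


class MasqGate:
    """Toy masquerade table: (proto, gateway port) -> internal endpoint + peer."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.table = {}          # (proto, masq_port) -> [int_ip, int_port, peer, expires]
        self.next_port = MASQ_PORT_BASE

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a LAN packet so it appears to originate from the gateway."""
        if not src_ip.startswith(INTERNAL_NET):
            return None          # forward policy DENY: only the LAN is masqueraded
        peer = (dst_ip, dst_port)
        expires = self.clock() + TIMEOUTS[proto]
        for key, entry in self.table.items():   # reuse an existing mapping
            if key[0] == proto and entry[:3] == [src_ip, src_port, peer]:
                entry[3] = expires
                return (GATEWAY_IP, key[1], dst_ip, dst_port)
        key = (proto, self.next_port)           # else allocate a fresh masq port
        self.next_port += 1
        self.table[key] = [src_ip, src_port, peer, expires]
        return (GATEWAY_IP, key[1], dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_port):
        """Relay a reply to the host that opened the connection, else drop it."""
        entry = self.table.get((proto, dst_port))
        if entry is None:
            return None          # unsolicited packet: no mapping, so it is dropped
        int_ip, int_port, peer, expires = entry
        if self.clock() > expires:
            del self.table[(proto, dst_port)]   # mapping timed out
            return None
        if (src_ip, src_port) != peer:
            return None          # reply from a different peer is not relayed
        return (src_ip, src_port, int_ip, int_port)
```

The Internet side only ever sees 208.210.208.79 and a gateway port;
packets that match no table entry, including anything unsolicited
from outside, are simply dropped.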

Linux 2.2.x Kernels

Please note that IPFWADM is no longer the firewall tool for
manipulating IP Masquerading rules on 2.1.x and 2.2.x kernels;
these kernels use the IPCHAINS tool instead.
Create the file /etc/rc.d/rc.firewall with the following initial
SIMPLE ruleset:

#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Masquerade test for 2.1.x and 2.2.x kernels using IPCHAINS
#
# Load all required IP MASQ modules
#
# NOTE: Only load the IP MASQ modules you need. All current IP MASQ modules
# are shown below but are commented out from loading.

# Needed to initially load modules
#
/sbin/depmod -a

# Supports the proper masquerading of FTP file transfers using the PORT method
#
/sbin/modprobe ip_masq_ftp

# Supports the masquerading of RealAudio over UDP. Without this module,
# RealAudio WILL function but in TCP mode. This can cause a reduction
# in sound quality
#
#/sbin/modprobe ip_masq_raudio

# Supports the masquerading of IRC DCC file transfers
#
#/sbin/modprobe ip_masq_irc

# Supports the masquerading of Quake and QuakeWorld by default. This module is
# for multiple users behind the Linux MASQ server. If you are going to play
# Quake I and/or Quake II on other server ports, use the second example.
#
#Quake I / QuakeWorld (ports 26000 and 27000)
#/sbin/modprobe ip_masq_quake
#
#Quake I / QuakeWorld / and Quake II (ports 26000, 27000, 27910)
#/sbin/modprobe ip_masq_quake ports=26000,27000,27910

# Supports the masquerading of the CuSeeme video conferencing software
#
#/sbin/modprobe ip_masq_cuseeme

# Supports the masquerading of the VDO-live video conferencing software
#
#/sbin/modprobe ip_masq_vdolive

# CRITICAL: Enable IP forwarding since it is disabled by default
#
# Red Hat Users: you may try changing the options in /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo "1" > /proc/sys/net/ipv4/ip_forward

# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP, enable the following
# option. This enables dynamic-ip address hacking in IP MASQ, making life
# with Diald and similar programs much easier.
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# MASQ timeouts
#
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 60 sec timeout for UDP traffic (MASQ'ed ICQ users must enable a 30sec firewall timeout in ICQ itself)
#
ipchains -M -S 7200 10 60

# Enable simple IP forwarding and Masquerading
#
# NOTE: The following is an example for an internal LAN address in the 192.168.0.x
# network with a 255.255.255.0 or a "24" bit subnet mask.
#
# Please change this network number and subnet mask to match your internal LAN setup
#
ipchains -P forward DENY
ipchains -A forward -s 192.168.0.0/24 -j MASQ

# DHCP: For people who receive their external IP address from either DHCP or BOOTP
# such as ADSL or Cablemodem users, it is necessary to use the following
# before the deny command. The "bootp_client_net_if_name" should be replaced with
# the name of the link that the DHCP/BOOTP server will put an address on to.
# This will be something like "eth0", "eth1", etc.
#
# This example is currently commented out.
#
#ipchains -A input -j ACCEPT -i bootp_client_net_if_name -s 0/0 68 -d 0/0 67 -p udp

Once you are finished editing the /etc/rc.d/rc.firewall ruleset,
make it executable by typing chmod 700 /etc/rc.d/rc.firewall

You could also enable IP Masquerading on a PER MACHINE basis
instead of enabling an ENTIRE TCP/IP network as above. For
example, say I wanted only the 192.168.0.2 and 192.168.0.8 hosts
to have access to the Internet and NOT any of the other internal
machines. I would change the “Enable simple IP forwarding and
Masquerading” section (shown above) of the /etc/rc.d/rc.firewall
ruleset to:

#!/bin/sh
#
# Enable simple IP forwarding and Masquerading
#
# NOTE: The following is an example to only allow IP Masquerading for the 192.168.0.2
# and 192.168.0.8 machines with a 255.255.255.0 or a "24" bit subnet mask.
#
# Please change this network number and subnet mask to match your internal LAN setup
#
ipchains -P forward DENY
ipchains -A forward -s 192.168.0.2/32 -j MASQ
ipchains -A forward -s 192.168.0.8/32 -j MASQ

What appears to be a common mistake among new IP Masq users is to
make the first command:
ipchains -P forward masquerade

Do NOT make your default policy MASQUERADING. Otherwise someone
who can manipulate the routing tables will be able to tunnel
straight back through your gateway, using it to masquerade their
OWN identity!
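As an added check that is not part of the original article, the
following Python function audits the forward-chain commands of an
rc.firewall script for exactly this mistake, and also flags MASQ
rules whose source is not an RFC 1918 range. The two rulesets
embedded in it are constructed for the example, and ipchains itself
is never run.

```python
import ipaddress
import shlex

# Constructed rc.firewall fragments, not the article's own files: the default
# policy mistake it warns about beside the corrected per-host ruleset.
BAD_RULESET = """
ipchains -P forward MASQ
ipchains -A forward -s 0/0 -j MASQ
"""
GOOD_RULESET = """
ipchains -P forward DENY
ipchains -A forward -s 192.168.0.2/32 -j MASQ   # A-box
ipchains -A forward -s 192.168.0.8/32 -j MASQ
"""


def _option(args, flag, default=None):
    """Value following an ipchains flag such as -s or -j, else default."""
    if flag in args and args.index(flag) + 1 < len(args):
        return args[args.index(flag) + 1]
    return default


def audit_forward_chain(script):
    """Return (findings, masqueraded sources) for the forward chain in script."""
    findings, sources, policy = [], [], None
    for raw in script.splitlines():
        line = raw.split("#", 1)[0].strip()         # drop shell comments
        if not line.startswith("ipchains"):
            continue
        args = shlex.split(line)[1:]
        if args[:2] == ["-P", "forward"]:
            policy = args[2].upper() if len(args) > 2 else ""
        elif args[:2] == ["-A", "forward"] and _option(args, "-j", "").upper() == "MASQ":
            sources.append(_option(args, "-s", "0/0"))  # ipchains matches any source if -s is absent
    if policy in ("MASQ", "MASQUERADE"):
        findings.append("default forward policy is %s: any host that can route "
                        "through the gateway gets masqueraded" % policy)
    elif policy != "DENY":
        findings.append("forward policy is %r, expected DENY" % policy)
    for src in sources:
        try:
            private = ipaddress.ip_network(src, strict=False).is_private
        except ValueError:                          # 0/0, a bare hostname, etc.
            private = False
        if not private:
            findings.append("MASQ rule matches non-RFC-1918 source %s" % src)
    return findings, sources
```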

Again, you can add these lines to the /etc/rc.d/rc.firewall
file, one of the other rc files you prefer, or do it manually every
time you need IP Masquerade.

Configuring the other internal to-be MASQed machines

Besides setting the appropriate IP address for each internal MASQed
machine, you should also configure each internal machine with the
gateway IP address of the Linux MASQ server and the required DNS
servers. In general, this is rather straightforward. You simply
enter the address of your Linux host (usually 192.168.0.1) as the
machine’s gateway address.

For the Domain Name Service, you can add in any DNS servers that
are available. The most apparent one should be the one that your
Linux server is using. You can optionally add any “domain search”
suffix as well.
After you have properly reconfigured the internal MASQed machines,
remember to restart their appropriate network services or reboot
them.

The following configuration instructions assume that you are
using a Class C network with 192.168.0.1 as your Linux MASQ
server’s address. Please note that 192.168.0.0 and 192.168.0.255
are reserved TCP/IP addresses.
As it stands, the following platforms have been tested as internal
MASQed machines:

Linux 1.2.x, 1.3.x, 2.0.x, 2.1.x, 2.2.x
Solaris 2.51, 2.6, 7
Windows 95, OSR2, 98
Windows NT 3.51, 4.0, 2000 (both workstation and server)
Windows for Workgroups 3.11 (with TCP/IP package)
Windows 3.1 (with the Netmanage Chameleon package)
Novell 4.01 Server with the TCP/IP service
OS/2 (including Warp v3)
Macintosh OS (with MacTCP or Open Transport)
DOS (with NCSA Telnet package, DOS Trumpet works partially)
Amiga (with AmiTCP or AS225-stack)
VAX Stations 3520 and 3100 with UCX (TCP/IP stack for VMS)
Alpha/AXP with Linux/Red Hat
SCO Openserver (v3.2.4.2 and 5)
IBM RS/6000 running AIX

Configuring Microsoft Windows 95

1. If you haven’t installed your network card and adapter driver,
do so now. Describing this is beyond the scope of this document.

2. Go to ‘Control Panel’ –> ‘Network’.

3. Click on Add –> Protocol –> Manufacturer: Microsoft
–> Protocol: ‘TCP/IP protocol’ if you don’t already have it.

4. Highlight the TCP/IP item bound to your Windows 95 network card
and select ‘Properties’. Now go to the ‘IP Address’ tab and set IP
Address to 192.168.0.x (1 < x < 255), and then set the Subnet Mask
to 255.255.255.0.

5. Now select the ‘Gateway’ tab, add 192.168.0.1 as your gateway
under ‘Gateway’ and hit ‘Add’.

6. Under the ‘DNS Configuration’ tab, make sure to put in a name
for this machine and enter your official domain name. If you don’t
have your own domain, put in the domain of your ISP. Now add all of
the DNS servers that your Linux host uses (usually found in
/etc/resolv.conf). Usually these DNS servers are located at your
ISP, though you can also run your own caching or authoritative DNS
server on your Linux MASQ server. Optionally, you can add any
appropriate domain search suffixes as well.

7. Leave all the other settings as they are unless you know what
you’re doing.

8. Click ‘OK’ on all dialog boxes and restart the system.

9. Ping the Linux box to test the network connection:
‘Start/Run’, type: ping 192.168.0.1
(This is only an INTERNAL LAN connection test; you can’t ping the
outside world yet.) If you don’t see “replies” to your PINGs,
please verify your network configuration.

10. You can optionally create a HOSTS file in the C:\Windows
directory so that you can ping the “hostname” of the machines on
your LAN without the need for a DNS server. There is an example
called HOSTS.SAM in the C:\Windows directory.

Linux provides an inexpensive solution for a secure network.
Some companies with whom I’ve consulted have insisted that they
spend tens of thousands of dollars on a lesser but proprietary
system. I remember a CIO of a large hotel chain discussing this
with me. He said, “When I make decisions, I imagine I’m having a
conversation with the CEO. I imagine that someone broke into our
network and took sensitive financial data. The CEO, Don, then asks
me why I used the system I did. I say, because it was cheap. He
then fires me.”

I consider this one of the ultimate rationalizations I have ever
heard. First, Linux isn’t cheap, it’s free. Secondly, if it’s good
enough for the Department of Defense, it’s good enough for me.
