
5. Preparing the Linux system

5.1 Compiling the Kernel

Start with a clean installation of your Linux distribution. (I used RedHat 3.0.3 and the examples here are based on this distribution.) The less software you have loaded, the fewer holes, backdoors and bugs there will be to introduce security problems into your system, so load only a minimal set of applications.

Pick a stable kernel. I used the Linux 2.0.14 kernel for my system, so this documentation is based on its settings.

You will need to recompile the Linux kernel with the appropriate options. At this point, you should look at the Kernel HOWTO, the Ethernet HOWTO, and the NET-2 HOWTO if you haven't done this before.

Here are the network-related settings I know work in 'make config':

  1. Under General setup
    1. Turn Networking Support ON
  2. Under Networking Options
    1. Turn Network firewalls ON
    2. Turn TCP/IP Networking ON
    3. Turn IP forwarding/gatewaying OFF (UNLESS you wish to use IP filtering)
    4. Turn IP Firewalling ON
    5. Turn IP firewall packet logging ON (this is not required but it is a good idea)
    6. Turn IP: masquerading OFF (I am not covering this subject here.)
    7. Turn IP: accounting ON
    8. Turn IP: tunneling OFF
    9. Turn IP: aliasing OFF
    10. Turn IP: PC/TCP compatibility mode OFF
    11. Turn IP: Reverse ARP OFF
    12. Turn Drop source routed frames ON
  3. Under Network device support
    1. Turn Network device support ON
    2. Turn Dummy net driver support ON
    3. Turn Ethernet (10 or 100Mbit) ON
    4. Select your network card

Now you can recompile, reinstall the kernel and reboot. Your network card(s) should show up in the boot-up sequence. If not, go over the other HOWTOs again until it is working.

5.2 Configuring two network cards

If you have two network cards in your computer, you most likely will need to add an append statement to your /etc/lilo.conf file to describe the IRQ and address of both cards. My lilo append statement looks like this:

    append="ether=12,0x300,eth0 ether=15,0x340,eth1"

5.3 Configuring the Network Addresses

This is the really interesting part. Now you have a few decisions to make. Since we don't want the Internet to have access to any part of the private network, we do not need to use real addresses. There are a number of Internet addresses set aside for private networks. Because everyone needs more addresses, and because these addresses cannot cross the Internet, they are a good choice.

Of these, 192.168.2.xxx is set aside and we will use it in our examples.

Your proxy firewall will be a member of both networks and so it can pass the data through to and from the private network.

            199.1.2.10   __________    192.168.2.1
      _  __  _        \ |          | /           _______________
     | \/  \/ |        \| Firewall |/           |               |
    / Internet \--------|  System  |------------| Workstation/s |
    \_/\_/\_/\_/        |__________|            |_______________|

If you're going to use a filtering firewall you can still use these numbers. You will need to use IP masquerading to make this happen. With this process the firewall will forward packets and translate them into a "REAL" IP address to travel on the Internet.

You must assign the real IP address to the network card on the Internet (outside) side, and assign 192.168.2.1 to the Ethernet card on the inside. This will be your proxy/gateway IP address. You can assign all the other machines in the protected network some number in that 192.168.2.xxx range (192.168.2.2 through 192.168.2.254).

Since I use RedHat Linux (Hey guys, want to give me a copy for the plugs? ;-), to configure the network at boot time I added an 'ifcfg-eth1' file in the /etc/sysconfig/network-scripts directory. This file is read during the boot process to set your network and routing tables.

Here is what my ifcfg-eth1 looks like:

    #!/bin/sh
    #>>>Device type: ethernet
    #>>>Variable declarations:
    DEVICE=eth1
    IPADDR=192.168.2.1
    NETMASK=255.255.255.0
    NETWORK=192.168.2.0
    BROADCAST=192.168.2.255
    GATEWAY=199.1.2.10
    ONBOOT=yes
    #>>>End variable declarations

You can also use these scripts to automatically connect by modem to your provider. Look at the ipup-ppp script.

If you're going to use a modem for your Internet connection, your outside IP address will be assigned for you by your provider at connect time.

5.4 Testing your network

Start by checking ifconfig and route. If you have two network cards your ifconfig should look something like:

  #ifconfig
  lo        Link encap:Local Loopback
            inet addr:127.0.0.0  Bcast:127.255.255.255  Mask:255.0.0.0
            UP BROADCAST LOOPBACK RUNNING  MTU:3584  Metric:1
            RX packets:1620 errors:0 dropped:0 overruns:0
            TX packets:1620 errors:0 dropped:0 overruns:0

  eth0      Link encap:10Mbps Ethernet  HWaddr 00:00:09:85:AC:55
            inet addr:199.1.2.10 Bcast:199.1.2.255  Mask:255.255.255.0
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:0 errors:0 dropped:0 overruns:0
            TX packets:0 errors:0 dropped:0 overruns:0
            Interrupt:12 Base address:0x310

  eth1      Link encap:10Mbps Ethernet  HWaddr 00:00:09:80:1E:D7
            inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:0 errors:0 dropped:0 overruns:0
            TX packets:0 errors:0 dropped:0 overruns:0
            Interrupt:15 Base address:0x350

and your route table should look like:

  #route -n
  Kernel routing table
  Destination     Gateway         Genmask         Flags MSS    Window Use Iface
  199.1.2.0       *               255.255.255.0   U     1500   0       15 eth0
  192.168.2.0     *               255.255.255.0   U     1500   0        0 eth1
  127.0.0.0       *               255.0.0.0       U     3584   0        2 lo
  default         199.1.2.10      *               UG    1500   0       72 eth0

Note: 199.1.2.0 is the Internet side of this firewall and 192.168.2.0 is the private side.

Now try to ping the Internet from the firewall. I used to use nic.ddn.mil as my test point. It's still a good test, but has proven to be less reliable than I had hoped. If it doesn't work at first, try pinging a couple of other places that are not connected to your LAN. If this doesn't work, then your PPP is set up incorrectly. Reread the NET-2 HOWTO, and try again.

Next, try pinging a host within the protected network from the firewall. All the computers should be able to ping each other. If not, go over the NET-2 HOWTO again and work on the network some more.

Then, try to ping the outside address of the firewall from inside the protected network. (NOTE: this is not any of the 192.168.2.xxx IP numbers.) If you can, then you have not turned off IP Forwarding. Make sure this is the way you want it. If you leave it turned on you will have to go through the IP filtering section of this document as well.

Now try pinging the Internet from behind your firewall. Use the same address that worked for you before (i.e. nic.ddn.mil). Again, if you have IP Forwarding turned off, this should not work. But if you have it turned on, it should.

If you have IP Forwarding turned on and you're using a "REAL" (not 192.168.2.*) IP address for your private network, and you can't ping the Internet but you can ping the Internet side of your firewall, check whether the next router upstream is routing packets for your private network address. (Your provider may have to do this for you.)

If you have assigned your protected network to 192.168.2.*, then no packets can be routed to it anyway. If you have skipped ahead and you already have IP masquerading turned on, this test should work.

Now, you have your basic system setup.

5.5 Securing the Firewall

A firewall isn't any good if it is left wide open to attacks through an unused service. A "bad guy" could gain access to the firewall and modify it for their own needs.

Start by turning off any unneeded services. Look at the /etc/inetd.conf file. This file controls what is called the "super server". It controls a bunch of the server daemons and starts them as they are requested.

Definitely turn off netstat, systat, tftp, bootp, and finger. To turn a service off, put # as the first character of the service line. When you're done, send a SIGHUP to the process by typing "kill -HUP <pid>", where <pid> is the process number of inetd. This will make inetd re-read its configuration file (inetd.conf) and restart.

Test it out by telnetting to port 15 on the firewall, the netstat port. If you get the output of netstat, you have not restarted it correctly.
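To make the inetd step concrete, here is an added shell example of my own (not from the HOWTO) that comments out the listed services in an inetd.conf-style file, checks that no active line for them remains, and sends inetd the HUP signal. It assumes pidof(8) (present on RedHat) for finding inetd's pid, uses the /etc/services name "bootps" for the bootp service, and tries everything on a constructed sample file so the real /etc/inetd.conf is untouched.

```shell
#!/bin/sh
# Added example, not from the HOWTO: disable inetd services the way the text
# describes (a '#' in column one of each service line), verify the result, and
# ask inetd to re-read inetd.conf with SIGHUP.  The sample file is constructed.

# make_sample_inetd_conf FILE: write a small constructed inetd.conf to FILE.
make_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# constructed sample; format: service socket proto wait user server args
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  root    /usr/sbin/tcpd  in.fingerd
netstat stream  tcp     nowait  root    /usr/sbin/tcpd  /bin/netstat -f inet
systat  stream  tcp     nowait  guest   /usr/sbin/tcpd  /bin/ps -auwwx
tftp    dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd
bootps  dgram   udp     wait    root    /usr/sbin/tcpd  bootpd
EOF
}

# disable_inetd_services FILE SERVICE...: put '#' in front of every active
# line whose service name (first field) is listed; comments/blanks are kept.
disable_inetd_services() {
    file=$1; shift
    awk -v list="$*" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { print; next }        # already off, or blank
        ($1 in off)           { print "#" $0; next } # disable this service
        { print }
    ' "$file" > "$file.new" && mv "$file.new" "$file"
}

# inetd_service_enabled FILE SERVICE: exit 0 if an uncommented line remains.
inetd_service_enabled() {
    awk -v s="$2" '$1 == s && $0 !~ /^[ \t]*#/ { hit = 1 } END { exit hit ? 0 : 1 }' "$1"
}

# reload_inetd: the "kill -HUP <pid>" step; assumes pidof(8) is available.
reload_inetd() {
    pid=$(pidof inetd) || { echo "inetd is not running" >&2; return 1; }
    kill -HUP $pid
}

# Demonstration on a temporary file.  On the real firewall you would run:
#   disable_inetd_services /etc/inetd.conf netstat systat tftp bootps finger && reload_inetd
demo=${TMPDIR:-/tmp}/inetd.conf.demo.$$
make_sample_inetd_conf "$demo"
disable_inetd_services "$demo" netstat systat tftp bootps finger
for s in netstat systat tftp bootps finger telnet; do
    if inetd_service_enabled "$demo" "$s"; then echo "$s: still enabled"; else echo "$s: disabled"; fi
done
rm -f "$demo"
```

After reloading, the telnet-to-port-15 check from the text is still the final proof that inetd actually re-read the file.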

