Inexpensive Internet Security Firewall Solution

Setting up network protection is very important for any company that has access to the outside world via the Internet. A secure network firewall can be installed at very little cost by using a Linux server. All that is needed is a Linux server with at least two network cards.

Linux Firewall

Linux firewalls are built with "iptables". The best way to create a firewall with "iptables" is to write a script, so that the complete rule set can be reviewed, version-controlled and reloaded in one go.

The first item in the script is a routine that deletes any previous firewall rules (flushing) and then blocks everything. Once everything has been blocked, add rules to the script to allow connections as needed, one service at a time.

Creating a Linux Firewall Script

Create a file called "firewall.sh", owned by root, and give it execute permissions. Do not make the file world-writable (for example with "chmod 777"): the script runs as root, so any local user who could edit it could rewrite the firewall. The correct permissions can be given using the "chmod" command as follows:

chmod 700 firewall.sh

Save the file in the /usr/local/sbin directory, which is on root's search path. That way the script can be run from anywhere within the directory structure by typing "firewall.sh".

Declaring the Network Cards

In order for the firewall script to be more readable, declare network cards at the top of the script as follows:

EXT=eth0

INT=eth2

DMZ=eth1

From now on use $EXT when referring to eth0, $INT when referring to eth2 and $DMZ when referring to eth1. Check with "ifconfig" (or "ip link") which physical card carries which name before running the script, because a rule written for the wrong interface silently protects the wrong side.

Flushing all your Rules

The next thing is to flush the filter table, together with the nat and mangle tables, so the script always starts from a clean state rather than appending to whatever rules are already loaded. This is accomplished with the "iptables -F" command; the -t option names the table and -F flushes every rule in it. Note that -F only removes rules: user-defined chains are deleted with -X and packet counters are reset with -Z. Type the following into the script:

iptables -t nat -F

iptables -t mangle -F

iptables -t filter -F

Logging

One of the important things needed on a firewall is a logging system. To log what the firewall drops, add the following at the very bottom of the script, after all of the ACCEPT rules. A packet that reaches these rules has matched nothing else, so it is logged and then falls through to the default policy. On a busy link, rate-limit these rules with "-m limit" so that a flood of unwanted packets cannot fill the disk with log lines.

iptables -A INPUT -j LOG --log-prefix "Denied INPUT:"

iptables -A OUTPUT -j LOG --log-prefix "Denied OUTPUT:"

iptables -A FORWARD -j LOG --log-prefix "Denied FORWARD:"

The LOG target writes through the kernel log, which most distributions capture in /var/log/messages (or /var/log/kern.log) by default. It is a very good idea to enable logging, as it shows exactly which packets were dropped and assists in troubleshooting if the firewall doesn't work as expected.
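The lines the LOG rules produce are long and hard to read in bulk. The following is an added example, not from the original article, that summarises them: sample_log emits a handful of constructed syslog lines in the format the kernel uses for the LOG target (the hostname "fw", the timestamps and every address in them are made up for the example), and denied_summary reads such lines on standard input and prints one line per denied flow, most frequent first.

```shell
#!/bin/sh
# Constructed sample log lines for the example (hostname, timestamps and
# addresses are invented; the field layout is the kernel LOG target's).
sample_log() {
cat <<'EOF'
Oct 21 10:01:02 fw kernel: Denied INPUT: IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:50:56:ab:cd:ef:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 21 10:01:03 fw kernel: Denied INPUT: IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:50:56:ab:cd:ef:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44322 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 21 10:01:04 fw kernel: Denied INPUT: IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:50:56:ab:cd:ef:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44323 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 21 10:01:09 fw kernel: Denied INPUT: IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:50:56:ab:cd:ef:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44330 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 21 10:02:15 fw sshd[2171]: Accepted publickey for admin from 192.168.1.5 port 51200 ssh2
Oct 21 10:03:40 fw kernel: Denied FORWARD: IN=eth2 OUT=eth0 MAC=00:16:3e:65:43:21:00:50:56:11:22:33:08:00 SRC=192.168.1.20 DST=198.51.100.50 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=12345 DF PROTO=UDP SPT=123 DPT=123 LEN=56
EOF
}

# Read syslog lines on stdin; print "count chain source proto/dport" for each
# denied flow, most frequent first. Lines without a "Denied <CHAIN>:" prefix
# (other daemons' messages) are ignored. A protocol without ports (ICMP)
# shows "?" in the port column.
denied_summary() {
    awk '
        match($0, /Denied [A-Z]+:/) {
            chain = substr($0, RSTART + 7, RLENGTH - 8)
            src = "?"; dpt = "?"; proto = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            count[chain " " src " " proto "/" dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Example run against the constructed lines; on a real firewall use
#   grep Denied /var/log/messages | denied_summary
sample_log | denied_summary
```

Many hits on one port from one source (the three SYNs to port 22 above) look like a scan or brute-force attempt; many hits on one port from several internal hosts usually mean a legitimate service, such as the NTP traffic from 192.168.1.20, that the rule set forgot to allow.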

Setting up a Default Policy to Block all

The default policy for the INPUT, OUTPUT and FORWARD chains of the filter table should be DROP, so that every packet is discarded unless a rule explicitly accepts it. This should come directly after the tables have been flushed. Once the firewall drops all traffic by default, one can go about opening the ports as needed. Be aware that the moment the INPUT and OUTPUT policies become DROP, an SSH session to the firewall from another machine will hang until a rule accepting it is added, so run the script from the console the first time.

Below the section for flushing the firewall add the following to "drop all" in each of the three built-in chains:

iptables -P INPUT DROP

iptables -P FORWARD DROP

iptables -P OUTPUT DROP

Anything that doesn't match any of the rules that follow will be subject to the default policy, which in this case is DROP.

Open up the Network Firewall only for what is Needed

After the firewall is closed to all traffic by default and logging has been enabled, it is time to allow just the ports and protocols that are really needed: typically loopback traffic, replies to connections the firewall already allowed, administrative access from the internal network, and the handful of services each segment must reach. Every ACCEPT rule should name the interface, protocol and port it applies to, rather than opening a port on all interfaces at once.

Before embarking on designing and implementing a firewall, one should research all aspects of network security, including the threats that come from within the company as well as from the Internet.
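Putting the steps above together, here is a complete firewall.sh in the shape the article describes. It is an added example, not the article's own script: the interface names, the LAN subnet 192.168.1.0/24 and the DMZ web server address 10.0.0.10 are hypothetical placeholders for a network with an Internet card, a DMZ card and an internal card. The run helper either executes a command or, with DRYRUN=1, prints it, so the full rule set can be reviewed without root and without touching a live firewall.

```shell
#!/bin/sh
# Added example firewall script (not the article's own code). Interface
# names, subnets and the DMZ web server address are hypothetical and must
# be changed for a real network.
EXT=eth0              # Internet-facing card
DMZ=eth1              # DMZ segment
INT=eth2              # internal LAN
LAN_NET=192.168.1.0/24
DMZ_WEB=10.0.0.10     # web server in the DMZ

# Run a command, or with DRYRUN=1 just print it for review.
run() {
    if [ "${DRYRUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

firewall_rules() {
    # 1. Flush every table: -F removes rules, -X user-defined chains, -Z counters.
    for table in filter nat mangle; do
        run iptables -t "$table" -F
        run iptables -t "$table" -X
        run iptables -t "$table" -Z
    done

    # 2. Default policies: anything no later rule accepts is dropped.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT DROP

    # 3. Loopback, and replies to connections that were already allowed.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT
    for chain in INPUT OUTPUT FORWARD; do
        run iptables -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done

    # 4. Management: SSH to the firewall itself, from the LAN only.
    run iptables -A INPUT -i "$INT" -s "$LAN_NET" -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT

    # 5. LAN to Internet: HTTP, HTTPS and DNS, masqueraded behind the external card.
    run iptables -A FORWARD -i "$INT" -o "$EXT" -s "$LAN_NET" -p tcp \
        -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -i "$INT" -o "$EXT" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$EXT" -s "$LAN_NET" -j MASQUERADE

    # 6. Internet to the DMZ web server: forward port 80 on the external card.
    run iptables -t nat -A PREROUTING -i "$EXT" -p tcp --dport 80 \
        -j DNAT --to-destination "$DMZ_WEB"
    run iptables -A FORWARD -i "$EXT" -o "$DMZ" -d "$DMZ_WEB" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT

    # 7. Log what falls through, rate-limited so a flood cannot fill the disk;
    #    the packet then hits the DROP policy of its chain.
    for chain in INPUT OUTPUT FORWARD; do
        run iptables -A "$chain" -m limit --limit 5/min -j LOG --log-prefix "Denied $chain: "
    done

    # Routing between cards is off by default; enable it only after the rules are loaded.
    run sysctl -w net.ipv4.ip_forward=1
}

case "${1:-}" in
    apply) firewall_rules ;;
    show)  DRYRUN=1 firewall_rules ;;
    *)     echo "usage: $0 apply|show" >&2 ;;
esac
```

"firewall.sh show" prints the rules in the order they would be loaded, which is worth reading before "firewall.sh apply": the flush must precede the DROP policies, the ESTABLISHED,RELATED rules must precede any NEW rule, and the LOG rules must come last or they will log traffic that a later rule accepts.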

Source: Peter Hupston, IT Manager Legalwise S.A., Article "Linux Firewall", 21 October 2009
