* [gentoo-doc-cvs] cvs commit: linux-24-stateful-fw-design.xml
@ 2005-07-27 21:03 Shyam Mani
From: Shyam Mani @ 2005-07-27 21:03 UTC
To: gentoo-doc-cvs
fox2mike 05/07/27 21:03:55
Added: xml/htdocs/doc/en/articles linux-24-stateful-fw-design.xml
Log:
#99028 - Stateful firewall design, Initial Version. rane will surely stop crying now ;)
Revision Changes Path
1.1 xml/htdocs/doc/en/articles/linux-24-stateful-fw-design.xml
file : http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/articles/linux-24-stateful-fw-design.xml?rev=1.1&content-type=text/x-cvsweb-markup&cvsroot=gentoo
plain: http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/articles/linux-24-stateful-fw-design.xml?rev=1.1&content-type=text/plain&cvsroot=gentoo
Index: linux-24-stateful-fw-design.xml
===================================================================
<?xml version='1.0' encoding="UTF-8"?>
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/articles/linux-24-stateful-fw-design.xml,v 1.1 2005/07/27 21:03:55 fox2mike Exp $ -->
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
<guide link="/doc/en/articles/linux-24-stateful-fw-design.xml">
<title>Linux 2.4 stateful firewall design</title>
<author title="Author">
<mail link="drobbins@gentoo.org">Daniel Robbins</mail>
</author>
<author title="Editor">
<mail link="rane@gentoo.pl">Łukasz Damentko</mail>
</author>
<abstract>
This tutorial shows you how to use netfilter to set up a powerful Linux stateful
firewall.
</abstract>
<!-- The original version of this article was published on IBM developerWorks,
and is property of Westtech Information Services. This document is an updated
version of the original article, and contains various improvements made by the
Gentoo Linux Documentation team -->
<version>1.0</version>
<date>2005-07-28</date>
<chapter>
<title>About this tutorial</title>
<section>
<title>Should I take this tutorial?</title>
<body>
<note>
The original version of this article was published on IBM developerWorks, and
is property of Westtech Information Services. This document is an updated
version of the original article, and contains various improvements made by the
Gentoo Linux Documentation team.
</note>
<p>
This tutorial shows you how to use netfilter to set up a powerful Linux stateful
firewall. All you need is an existing Linux system that's currently using a
Linux 2.4 kernel. A laptop, workstation, router or server with a Linux 2.4
kernel will do.
</p>
<p>
You should be reasonably familiar with standard network terminology such as IP
addresses, source and destination port numbers, and the TCP, UDP and ICMP
protocols. By the end of the tutorial, you'll understand how Linux stateful
firewalls are put together, and you'll have several example configurations to
use in your own projects.
</p>
</body>
</section>
<section>
<title>About the author</title>
<body>
<p>
For technical questions about the content of this tutorial, contact the author,
Daniel Robbins, at <mail link="drobbins@gentoo.org">drobbins@gentoo.org</mail>.
</p>
<p>
Residing in Albuquerque, New Mexico, Daniel Robbins was the President/CEO of
Gentoo Technologies, Inc., the creator of Gentoo Linux, an advanced Linux for
the PC, and the Portage system, a next-generation ports system for Linux. He has
also served as a contributing author for the Macmillan books Caldera OpenLinux
Unleashed, SuSE Linux Unleashed, and Samba Unleashed. Daniel has been involved
with computers in some fashion since the second grade, when he was first exposed
to the Logo programming language as well as a potentially dangerous dose of Pac
Man. This probably explains why he has since served as a Lead Graphic Artist at
SONY Electronic Publishing/Psygnosis. Daniel enjoys spending time with his wife,
Mary, and his new baby daughter, Hadassah.
</p>
</body>
</section>
</chapter>
<chapter>
<title>First steps</title>
<section>
<title>Defining our goal</title>
<body>
<p>
In this tutorial, we're going to put together a Linux stateful firewall. Our
firewall is going to run on a Linux laptop, workstation, server, or router; its
primary goal is to allow only certain types of network traffic to pass through.
To increase security, we're going to configure the firewall to drop or reject
traffic that we're not interested in, as well as traffic that could pose a
security threat.
</p>
</body>
</section>
<section>
<title>Getting the tools</title>
<body>
<p>
Before we start designing a firewall, we need to do two things. First, we need
to make sure that the <c>iptables</c> command is available. As root, type
<c>iptables</c> and see if it exists. If it doesn't, then we'll need to get it
installed first. Here's how: head over to the netfilter/iptables project page
(<uri>http://www.netfilter.org/</uri>) and grab the most recent version of
<path>iptables.tar.gz</path> (currently <path>iptables-1.1.2.tar.gz</path>) you
can find. Then, install it by typing in the following commands (output omitted
for brevity):
</p>
<pre caption="Installing necessary tools">
# <i>tar xzvf iptables-1.1.2.tar.gz</i>
# <i>cd iptables-1.1.2</i>
# <i>make</i>
# <i>make install</i>
</pre>
</body>
</section>
<section>
<title>Kernel configuration</title>
<body>
<p>
Once installed, you should have an <c>iptables</c> command available for use, as
well as the handy iptables man page (<c>man iptables</c>). Great; now all we
need is to make sure that we have the necessary functionality built into the
kernel. This tutorial assumes that you compile your own kernels. Head over to
<path>/usr/src/linux</path>, and type <c>make menuconfig</c> or <c>make
xconfig</c>; we're going to enable some kernel network functionality.
</p>
<p>
Under the "Networking options" section, make sure that you enable at least the
following options:
</p>
<pre caption="Necessary kernel options">
<*> Packet socket
[*] Network packet filtering (replaces ipchains)
<*> Unix domain sockets
[*] TCP/IP networking
[*] IP: advanced router
[*] IP: policy routing
[*] IP: use netfilter MARK value as routing key
[*] IP: fast network address translation
[*] IP: use TOS value as routing key
</pre>
<p>
Then, under the "IP: Netfilter Configuration ->" menu, enable every option so
that we'll have full netfilter functionality. We won't use all the netfilter
features, but it's good to enable them so that you can do some experimentation
later on.
</p>
<p>
There's one networking option under the "Networking options" category that you
<e>shouldn't</e> enable: explicit congestion notification. Leave this option
disabled:
</p>
<pre caption="Option we have to disable">
[ ] IP: TCP Explicit Congestion Notification support
</pre>
<p>
If this option is enabled, your Linux machine won't be able to carry on network
communications with 8% of the Internet. When ECN is enabled, some packets that
your Linux box sends out will have the ECN bit set; however, this bit freaks out
a number of Internet routers, so it's very important that ECN is disabled.
</p>
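The kernel option above is the permanent fix, but a running 2.4 kernel also exposes the setting under /proc/sys, which is where the article's own firewall script (seen in a later revision on this page) turns ECN off and enables reverse-path filtering. The following is an added example, not code from the article: a small helper that writes a /proc/sys knob only when the file exists and only when the value differs. The SYSCTL_ROOT variable is an assumption made here so the helper can be exercised against a scratch directory; on a real host it is /proc/sys, and the interface names passed to enable_rp_filter are assumptions too.

```shell
#!/bin/sh
# Added example (not from the article): runtime counterpart to the kernel-config advice.
# Changes made via /proc/sys last only until reboot; the kernel option is the permanent fix.
# SYSCTL_ROOT is an assumption of this example so the helpers can be tested offline.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# set_knob <path relative to SYSCTL_ROOT> <value>
# Prints "absent" (no such file, e.g. the kernel was built without the feature),
# "unchanged" (already at the wanted value) or "set" (value written).
set_knob() {
    knob="$SYSCTL_ROOT/$1"
    want="$2"
    if [ ! -e "$knob" ]; then
        echo absent
        return 0
    fi
    have=$(cat "$knob")
    if [ "$have" = "$want" ]; then
        echo unchanged
        return 0
    fi
    printf '%s\n' "$want" > "$knob" && echo set
}

# ECN: 0 = off. A kernel built without ECN support has no tcp_ecn file at all,
# which set_knob reports as "absent" rather than failing.
disable_ecn() {
    set_knob net/ipv4/tcp_ecn 0
}

# rp_filter: 1 = drop packets whose source address would not be routed back out
# the interface they arrived on (basic spoof protection). One line per interface.
enable_rp_filter() {
    for iface in "$@"; do
        set_knob "net/ipv4/conf/$iface/rp_filter" 1
    done
}

# Only act when invoked as "script apply"; sourcing the file just defines the helpers.
case "${1:-}" in
    apply)
        disable_ecn
        enable_rp_filter lo eth0 eth1   # interface names are assumed; adjust to your host
        ;;
esac
```

Run it as root with `apply` after booting the new kernel; each line of output tells you whether the knob was written, was already correct, or does not exist on this kernel.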
<p>
OK, now that the kernel's configured correctly for our needs, compile a new one,
install it, and reboot. Time to start playing with netfilter :)
</p>
</body>
</section>
<section>
<title>Firewall design basics</title>
<body>
<p>
In putting together our firewall, the <c>iptables</c> command is our friend.
It's what we use to interact with the network packet filtering rules in the
kernel. We'll use the <c>iptables</c> command to create new rules, list
existing rules, flush rules, and set default packet handling policies. This
means that to create our firewall, we're going to enter a series of iptables
commands, and here's the first one we're going to take a look at (please don't
type this in just yet!)...
</p>
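As an added example, not the article's own script and not the command the article goes on to show, here is a minimal stateful INPUT policy built from iptables commands of the kind just described. It relies on the connection-tracking state match (`-m state`) that iptables offers on a 2.4 kernel with the netfilter options from the previous chapter enabled. The SSH_PORT variable, the `ipt` wrapper with its DRY_RUN mode, and the choice of services are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the article's ruleset: a minimal stateful INPUT policy.
# Requires a 2.4 kernel with netfilter connection tracking and the state match built in.
# SSH_PORT and the ipt/DRY_RUN wrapper are assumptions of this example.
SSH_PORT="${SSH_PORT:-22}"

# ipt: run iptables, or with DRY_RUN=1 just print the command line. The dry-run
# mode lets you review the generated ruleset on a machine where you are not root.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

stateful_input_rules() {
    # Start from a clean INPUT chain so re-running the script does not duplicate rules.
    ipt -F INPUT
    # Default policies: nothing comes in or is forwarded unless a rule accepts it;
    # traffic originating from this host is allowed out.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # Loopback traffic is trusted.
    ipt -A INPUT -i lo -j ACCEPT
    # Packets the connection tracker cannot associate with any known connection
    # (bad TCP flag combinations, out-of-window data) are dropped before anything else.
    ipt -A INPUT -m state --state INVALID -j DROP
    # The "stateful" part: replies to connections this host opened, and traffic related
    # to them (for example ICMP errors about an existing connection), are accepted
    # without needing a per-service rule.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The only NEW inbound connections accepted are to SSH.
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    # Answer pings; everything else falls through to the INPUT DROP policy.
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
}

# Number of rules the policy appends to INPUT, as a quick sanity check of the output.
count_input_rules() {
    (DRY_RUN=1; stateful_input_rules) | grep -c '^iptables -A INPUT '
}

case "${1:-}" in
    start) stateful_input_rules ;;
    show)  (DRY_RUN=1; stateful_input_rules) ;;
esac
```

`./fw.sh show` prints the commands without touching the kernel; `./fw.sh start` as root applies them. Because the ESTABLISHED,RELATED rule comes before the per-service rules, adding a new service later means adding exactly one NEW rule for it, which is what makes the stateful design easy to extend.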
--
gentoo-doc-cvs@gentoo.org mailing list
* [gentoo-doc-cvs] cvs commit: linux-24-stateful-fw-design.xml
@ 2005-08-26 23:30 Xavier Neys
From: Xavier Neys @ 2005-08-26 23:30 UTC
To: gentoo-doc-cvs
neysx 05/08/26 23:30:10
Modified: xml/htdocs/doc/en/articles linux-24-stateful-fw-design.xml
Log:
#103863 Install iptables w/ emerge instead of ./configure....
Revision Changes Path
1.3 +15 -22 xml/htdocs/doc/en/articles/linux-24-stateful-fw-design.xml
file : http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/articles/linux-24-stateful-fw-design.xml?rev=1.3&content-type=text/x-cvsweb-markup&cvsroot=gentoo
plain: http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/articles/linux-24-stateful-fw-design.xml?rev=1.3&content-type=text/plain&cvsroot=gentoo
diff : http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/articles/linux-24-stateful-fw-design.xml.diff?r1=1.2&r2=1.3&cvsroot=gentoo
Index: linux-24-stateful-fw-design.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/articles/linux-24-stateful-fw-design.xml,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- linux-24-stateful-fw-design.xml 15 Aug 2005 23:16:06 -0000 1.2
+++ linux-24-stateful-fw-design.xml 26 Aug 2005 23:30:10 -0000 1.3
@@ -1,5 +1,5 @@
<?xml version='1.0' encoding="UTF-8"?>
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/articles/linux-24-stateful-fw-design.xml,v 1.2 2005/08/15 23:16:06 cam Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/articles/linux-24-stateful-fw-design.xml,v 1.3 2005/08/26 23:30:10 neysx Exp $ -->
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
<guide link="/doc/en/articles/linux-24-stateful-fw-design.xml">
@@ -22,8 +22,8 @@
version of the original article, and contains various improvements made by the
Gentoo Linux Documentation team -->
-<version>1.0</version>
-<date>2005-07-28</date>
+<version>1.1</version>
+<date>2005-08-27</date>
<chapter>
<title>About this tutorial</title>
@@ -106,18 +106,11 @@
Before we start designing a firewall, we need to do two things. First, we need
to make sure that the <c>iptables</c> command is available. As root, type
<c>iptables</c> and see if it exists. If it doesn't, then we'll need to get it
-installed first. Here's how: head over to the netfilter/iptables project page
-(<uri>http://www.netfilter.org/</uri>) and grab the most recent version of
-<path>iptables.tar.gz</path> (currently <path>iptables-1.1.2.tar.gz</path>) you
-can find. Then, install it by typing in the following commands (output omitted
-for brevity):
+installed first. Here's how we do that:
</p>
<pre caption="Installing necessary tools">
-# <i>tar xzvf iptables-1.1.2.tar.gz</i>
-# <i>cd iptables-1.1.2</i>
-# <i>make</i>
-# <i>make install</i>
+# <i>emerge iptables</i>
</pre>
</body>
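Review bot: the removed lines were the only place the article said which iptables release it was written against (iptables-1.1.2); after this hunk nothing tells a reader what version `emerge iptables` is expected to pull in, so consider adding a short note of the iptables version (or ebuild) the later examples were tested with.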
@@ -620,7 +613,7 @@
if [ -e /proc/sys/net/ipv4/tcp_ecn ]
then
echo 0 > /proc/sys/net/ipv4/tcp_ecn
-fi
+fi
</pre>
</body>
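Review bot: this hunk is whitespace-only (the `fi` is reindented to line up with its `if`), and the same indentation cleanup recurs in the hunks that follow, but the log entry ("#103863 Install iptables w/ emerge instead of ./configure....") describes only the install change; mention the whitespace fixes in the log or commit them separately so the history stays easy to read.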
@@ -710,7 +703,7 @@
<pre caption="Spoof protection">
for x in lo eth0 eth1
do
- echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
+ echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
done
</pre>
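Review bot: the reindented `echo` now lines up with `do`/`done`, but this loop still iterates a fixed `lo eth0 eth1` while the full scripts in the later hunks use `for x in ${INTERFACES}`; if this snippet is meant to be copied, it should use the same variable so readers do not end up with a hardcoded interface list that misses an interface on their host.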
@@ -873,12 +866,12 @@
if [ -e /proc/sys/net/ipv4/tcp_ecn ]
then
echo 0 > /proc/sys/net/ipv4/tcp_ecn
- fi
+ fi
<comment># Disable spoofing on all interfaces</comment>
- for x in ${INTERFACES}
- do
- echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
+ for x in ${INTERFACES}
+ do
+ echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
done
if [ "$ROUTER" = "yes" ]
@@ -897,7 +890,7 @@
iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${UPIP}
fi
fi
-
+
elif [ "$1" = "stop" ]
then
echo "Stopping firewall..."
@@ -1068,12 +1061,12 @@
if [ -e /proc/sys/net/ipv4/tcp_ecn ]
then
echo 0 > /proc/sys/net/ipv4/tcp_ecn
- fi
+ fi
<comment># Disable spoofing on all interfaces</comment>
- for x in ${INTERFACES}
+ for x in ${INTERFACES}
do
- echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
+ echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
done
if [ "$ROUTER" = "yes" ]
--
gentoo-doc-cvs@gentoo.org mailing list