SECURITY

Firewalls
By: Addison-Wesley Prentice Hall PTR
    2005-03-30

    Table of Contents:
  • Firewalls
  • Network Architecture Basics
  • TCP/IP Networking
  • Security Business Processes
  • Installing Iptables
  • Writing Shell Scripts
  • IP Masquerading with Iptables
  • Installing Turtle Firewall
  • SmoothWall Hardware Requirements
  • Creating a VPN on the SmoothWall Firewall


    Firewalls - IP Masquerading with Iptables
    (Page 7 of 10 )

    When the Internet was originally designed, several large blocks of addresses were set aside for use on private networks. These addresses will not be routed by the Internet and can be used without worrying that they will conflict with other networks. The private address ranges are:

    10.0.0.0 – 10.255.255.255
    192.168.0.0 – 192.168.255.255
    172.16.0.0 – 172.31.255.255

    By using these addresses on your internal LAN and having one external, routable IP on your firewall, you effectively shield your internal machines from outside access. You can provide this additional layer of protection easily with Iptables using IP masquerading. The internal IP header is stripped off at the firewall and replaced with a header showing the firewall as the source IP. The data packet is then sent out to its destination with a source IP address of the public interface of the firewall. When it comes back, the firewall remembers which internal IP it goes to and re-addresses it for internal delivery. This process is also known as Network Address Translation (NAT). You can do this in Iptables with the following statements.

    iptables -t nat -P POSTROUTING DROP
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    The MASQUERADE flag can be abbreviated to MASQ. One of the improvements of Iptables over previous systems like Ipchains and Ipfwadm is the way that it handles secondary tasks like NAT.
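    The masquerading setup described above, carried through as a complete added example (this is not the book's own script). It assumes eth0 is the public interface, eth1 is the internal LAN interface, and the LAN uses 192.168.1.0/24; all three are illustrative values passed in as arguments. The script prints the rules rather than applying them, so it can be reviewed first and then piped into a root shell. Two points go beyond the two statements in the text: the default-deny is placed in the filter table's FORWARD chain, because the nat table only sees the first packet of each connection and is not where filtering decisions belong, and the ESTABLISHED,RELATED rule is what lets the return traffic the firewall "remembers" back in. The is_rfc1918 check refuses to masquerade a LAN network that is not one of the three private ranges listed above.

```shell
#!/bin/sh
# Added example (not from the book): print the Iptables rules for a
# masquerading firewall and verify that the LAN network is private.
# Interface names (eth0 = public, eth1 = LAN) and 192.168.1.0/24 are
# assumed values used only for illustration.

# Return 0 if the dotted-quad address lies in one of the three private
# ranges (10/8, 172.16/12, 192.168/16), 1 otherwise.
is_rfc1918() {
    ip=$1
    # Reject anything that is not four dot-separated decimal octets.
    case $ip in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    a=$1; b=$2
    [ "$a" -eq 10 ] && return 0
    [ "$a" -eq 192 ] && [ "$b" -eq 168 ] && return 0
    [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 0
    return 1
}

# Print (do not apply) the rule set: NAT for outbound LAN traffic, plus the
# filter-table FORWARD rules that decide what may cross the box at all.
# Arguments: public interface, LAN interface, LAN network in CIDR form.
gen_masq_rules() {
    wan=$1; lan=$2; lan_net=$3
    # Refuse to masquerade a network that is not in a private range.
    is_rfc1918 "${lan_net%/*}" || {
        echo "LAN network $lan_net is not an RFC 1918 private range" >&2
        return 1
    }
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $lan_net -o $wan -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Usage: sh masq.sh eth0 eth1 192.168.1.0/24 | sudo sh
if [ $# -ge 3 ]; then
    gen_masq_rules "$1" "$2" "$3"
fi
```

The printed rules only permit connections that originate on the LAN side; a host on the Internet that sends a packet at the public address of eth0 never gets it forwarded inward, which is the "shielding" effect the text describes.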

    So now you know how to build a basic firewall. This is just a simple configuration; the possible variations are endless. You can forward certain ports to internal servers so they don’t have to have a public IP address. You can put another network card in your firewall box and make it a DMZ interface for servers with public addresses. There are entire books on advanced firewall configuration and many mailing lists. One of the better lists is firewall-wizards. To subscribe to this list, send an e-mail with “subscribe” in the body to:

    firewall-wizards-request@honor.icsalabs.com

    The firewall-wizards list hosts discussions about all levels of firewall configuration and is vendor agnostic, that is, all firewall brands are discussed, from open source to commercial.

    If you want to build a quick firewall without entering all those Iptables statements and remembering the syntax, there is a tool that builds the firewall statements for you through a graphical interface, so it is all done in the background.

    Turtle Firewall: An Iptables-based Firewall with a Graphical User Interface

    Turtle Firewall

    Author/primary contact:  Andrea Frigido
    Web site:                www.turtlefirewall.com/
    Platforms:               Most Linux-compatibles that support Iptables
    License:                 GPL 2.0
    Contact information:     andrea@friweb.com
    System requirements:     Linux operating system with kernel 2.4 or newer;
                             Perl with expat library; Webmin server

    This neat little contraption, called Turtle Firewall, was created by Andrea Frigido. Turtle is basically a set of Perl scripts that do all the dirty work for you to set up an Iptables firewall. This program makes it much easier to see your rules and to make sure you are getting the statements in the right order. It runs as a service, so you don’t have to worry about initializing your firewall with a shell script. It uses the Linux Webmin service, which is a little Web server that allows you to make configuration changes to your server via a Web browser. While this might introduce some insecurity into your system by running a Web server on the firewall, it may be worth it for the ease of configuration it brings. Many commercial vendors now use a Web browser interface for configuration. A big benefit of this application is that you can reach the configuration screen from any Windows or UNIX machine.

    For support, Andrea offers a commercial support option. For a mere 100 euros (don’t ask me to convert that to dollars exactly, but when this book was printed it was about $100.00), you can get 30 days of e-mail support so you can get help setting it up. It also might be worth subscribing if you have a problem with an existing installation that you can’t solve on your own.


    This article is excerpted from Open Source Security Tools by Tony Howlett (Addison-Wesley Professional, 2004; ISBN 0321194438).

    © 2003-2008 by Developer Shed. All rights reserved. DS Cluster 4 hosted by Hostway