- 02-20-2011 #1
Want to Set up a Firewall server
hi guys, I wanted to set up a firewall server. one that will run on crap parts.
I was talking to a guy in england who said open bsd was the best way to do it. but i'm thinking a simple linux distro might do the job better.
This is for my home, if that makes any difference.
Mind you, my Linux skills aren't exactly the best (I don't use it often, and when I do, it's normally not for more than surfing the web).
- 02-20-2011 #2
I run a system at home here for a firewall. It is a PIII with 768 MB RAM. It isn't that hard, and it is cheaper, cost-wise, to use a Linksys router as they use a lot less electricity.
How many interfaces are going to be on this box?
Are you looking for a simple firewall or a complex one? (Mine is complex, with 4 networks.)
- 02-20-2011 #3
Well, this was going to be simple at first, then get more complex as I understand it better. Basically, I hope to replace all my antivirus software with this thing.
I was thinking of 2 interfaces. It's not going to be assigning IP addresses or anything, just stopping viruses from coming through.
I'm also well aware that this could slow down performance of the whole network, so I have to achieve a balance.
edit: it's been a while since I've been here. When did all the ads come in?
- 02-21-2011 #4
Simple is easy and good.
eth0 = Internet connection
eth1 = LAN
Code:
#!/bin/sh
# Flush all rules, delete user chains and zero the counters
iptables -F
iptables -X
iptables -Z
# Default policies: drop anything not explicitly allowed
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Per-side chains; they must exist before FORWARD can jump to them
iptables -N LAN
iptables -N WAN
# Traffic to the firewall box itself
iptables -A INPUT -i lo -j ACCEPT
# replies to the box's own connections, on either interface
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# new connections to the box only from the LAN side
iptables -A INPUT -i eth1 -m state --state NEW -j ACCEPT
iptables -A INPUT -j DROP
# Traffic from the firewall box itself
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW -j ACCEPT
# Routed traffic: hand off by incoming interface
iptables -A FORWARD -i eth0 -j WAN
iptables -A FORWARD -i eth1 -j LAN
# LAN -> Internet: allow everything
iptables -A LAN -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A LAN -i eth1 -m state --state NEW -j ACCEPT
iptables -A LAN -j DROP
# Internet -> LAN: only replies to connections started from inside
iptables -A WAN -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A WAN -i eth0 -j DROP
Do not forget to turn on forwarding on the firewall system. Since you are going to be using this all the time to forward, I would recommend editing /etc/sysctl.conf and looking for the following line:
Code:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
and ensure that the number at the end of forward is 1 to turn on forwarding, as above.
After this is done, a simple
Code:
sysctl -p
will re-read the file and turn on forwarding for you.
After you setup the firewall make sure you save it so that every time the system reboots the firewall is setup properly. Check for how to turn on the firewall at boot.
The above will allow all connections from the LAN to the internet and only allow established connection back in.
If you are looking to learn about iptables then take a look at this TUTORIAL.
- 02-22-2011 #5
Thank you!
Pray tell, what OS is that for?
Oh, and where do I enter those values?
Like I said, I've used Linux for web surfing and just about nothing else, aside from an Apache server like 2 years ago (still running the library's website, btw).
- 02-22-2011 #6
- 02-22-2011 #7
Should work on any Linux-based iptables firewall.
Quote: Oh, and where do I enter those values?
Set up a script to build the firewall from the above, then run it. Afterwards save the firewall rules and ensure the firewall is configured to start at boot.
Quote: Like I said, I've used Linux for web surfing and just about nothing else, aside from an Apache server like 2 years ago (still running the library's website, btw).
Well, if you need web server access from the outside then you are going to have to open those ports. See the Tutorial I posted on how to do this. Once you know what rules you need to add, you should add them to the WAN side of the rules using the same format I have above.
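As an added example (not code posted in this thread), here is the two-interface ruleset from post #4 written in iptables-restore form and generated by a shell function, so it can be printed and reviewed before it is loaded, with the "open those ports on the WAN side" step from post #7 taken as optional arguments. The function names, the eth0/eth1 interface names used in the usage lines and the MASQUERADE rule are assumptions; the NAT rule is only needed when the LAN uses private addresses and the firewall holds the public one.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits an iptables-restore
# ruleset for a two-interface home firewall: LAN -> Internet open, Internet
# -> LAN limited to replies, plus optional TCP ports published on the
# firewall host itself. Function names, the MASQUERADE rule and the sample
# interface names are assumptions for illustration.
#
#   fw_rules WAN_IF LAN_IF [tcp_port ...]   print the ruleset (review it first)
#   fw_apply WAN_IF LAN_IF [tcp_port ...]   enable forwarding and load it (as root)

fw_rules() {
    wan="$1"; lan="$2"; shift 2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LAN - [0:0]
:WAN - [0:0]
# Traffic to the firewall itself: loopback, replies to its own connections
# (on either interface), and anything from the LAN side for administration.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -j ACCEPT
EOF
    # Services on the firewall host reachable from the Internet (none by default).
    for port in "$@"; do
        printf -- '-A INPUT -i %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$wan" "$port"
    done
    cat <<EOF
# Routed traffic: dispatch on ingress interface to a per-side chain.
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $lan -o $wan -j LAN
-A FORWARD -i $wan -o $lan -j WAN
# LAN -> Internet: everything. Internet -> LAN: replies only.
-A LAN -j ACCEPT
-A WAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A WAN -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Assumption: the LAN uses private addresses, so hide it behind the WAN address.
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# Turn on routing and load the ruleset atomically (all-or-nothing, unlike a
# script of separate iptables calls, which can leave a half-built firewall
# if one line fails). Persist it afterwards with iptables-save.
fw_apply() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    fw_rules "$@" | iptables-restore
}
```

Run `fw_rules eth0 eth1 80 | less` to read what will be loaded, then `fw_apply eth0 eth1 80` as root; if the web server lives on a LAN host rather than on the firewall, the published port needs a DNAT rule in the nat table instead of an INPUT rule, which this example does not add.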
- 02-22-2011 #8
- 02-23-2011 #9
cool, thanks guys. i'll take a look at those.
Oh, do both of those OSes run on antique parts? Because that's what I'm going to use.
- 02-24-2011 #10
How antique are we talking? If it is too old you might not be able to load the latest distro onto it. I used to have 4 Pentium machines here that would not run anything newer than CentOS 4. As long as the distro loads, the firewall rules should work.