Step by Step
TM
Linux Guide.
Page 160
8.2. rc.firewall.txt
The rc.firewall.txt script is the core on which the rest of the scripts are based. The rc.firewall file chapter explains every detail of the script thoroughly. It was written mainly for a dual-homed network, for example one LAN and one Internet connection. The script also assumes that you have a static IP address towards the Internet, and hence don't use DHCP, PPP, SLIP or some other protocol that assigns you an IP automatically. If you are looking for a script that works with those setups, take a closer look at the rc.DHCP.firewall.txt script.
The rc.firewall.txt script requires the following options to be compiled into the kernel, either statically or as modules. Without one or more of these, the script will be more or less flawed, since parts of the functionality the script requires will be unusable. As you change the script you use, you may need more options compiled into your kernel, depending on what you want to use.

CONFIG_NETFILTER
CONFIG_IP_NF_CONNTRACK
CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_MATCH_LIMIT
CONFIG_IP_NF_MATCH_STATE
CONFIG_IP_NF_FILTER
CONFIG_IP_NF_NAT
CONFIG_IP_NF_TARGET_LOG
8.3. rc.DMZ.firewall.txt
The rc.DMZ.firewall.txt script was written for those who have one trusted internal network, one De-Militarized Zone (DMZ) and one Internet connection. The De-Militarized Zone is in this case 1-to-1 NATed and requires you to do some IP aliasing on your firewall, i.e., you must make the box recognize packets for more than one IP. There are several ways to get this to work: one is to set up 1-to-1 NAT; another, if you have a whole subnet, is to create a subnetwork, giving the firewall one IP both internally and externally. You could then set the IPs of the DMZed boxes as you wish. Do note that this will cost you two IPs, one for the broadcast address and one for the network address.
This is pretty much up to you to decide and implement; this tutorial gives you the tools to accomplish the firewalling and NATing part, but it will not tell you exactly what you need to do, since that is out of the scope of the tutorial.

The rc.DMZ.firewall.txt script requires these options to be compiled into your kernel, either statically or as modules. Without at least these options available in your kernel, you will not be able to use this script's functionality; in other words, you may get a lot of errors complaining about missing modules, targets/jumps or matches. If you are planning to do traffic control or anything similar, you should see to it that you have all the required options for that compiled into your kernel as well.

CONFIG_NETFILTER
CONFIG_IP_NF_CONNTRACK
CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_MATCH_LIMIT
CONFIG_IP_NF_MATCH_STATE
CONFIG_IP_NF_FILTER
CONFIG_IP_NF_NAT
CONFIG_IP_NF_TARGET_LOG
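Both the rc.firewall.txt section above and this one list the same eight kernel options, and the symptom of a missing one (errors about unknown targets or matches) only shows up when the script is already running. The following script is an added example, not part of the tutorial or of its rc.*.firewall.txt scripts: it reads a kernel .config text and reports which of the listed options is neither built in (=y) nor a module (=m) before any rule is loaded. The sample config it writes is constructed for the demonstration; the helper that locates a real config assumes the usual /proc/config.gz or /boot/config-$(uname -r) locations.

```shell
#!/bin/sh
# Options the rc.firewall.txt / rc.DMZ.firewall.txt scripts depend on.
# Kept in a variable because later kernels renamed several of them.
REQUIRED_OPTIONS="CONFIG_NETFILTER CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_IPTABLES \
CONFIG_IP_NF_MATCH_LIMIT CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_FILTER \
CONFIG_IP_NF_NAT CONFIG_IP_NF_TARGET_LOG"

# check_kernel_options CONFIG_FILE
# Prints "missing: <options>" and returns 1 if any required option is not
# set to y or m; otherwise prints a confirmation and returns 0.
check_kernel_options() {
    _cfg="$1"
    _missing=""
    for _opt in $REQUIRED_OPTIONS; do
        # A commented "# CONFIG_X is not set" line must not count as present.
        if ! grep -Eq "^${_opt}=(y|m)$" "$_cfg"; then
            _missing="$_missing $_opt"
        fi
    done
    if [ -n "$_missing" ]; then
        echo "missing:$_missing"
        return 1
    fi
    echo "all required netfilter options present"
    return 0
}

# find_kernel_config
# Prints the path of a plain-text kernel config for the running kernel,
# decompressing /proc/config.gz into a temp file when that is what exists.
find_kernel_config() {
    if [ -r /proc/config.gz ]; then
        _tmp=$(mktemp) && zcat /proc/config.gz > "$_tmp" && echo "$_tmp"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# make_sample_config FILE
# Writes a constructed config in which NAT is disabled, to show the report.
make_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_FILTER=m
# CONFIG_IP_NF_NAT is not set
CONFIG_IP_NF_TARGET_LOG=m
EOF
}
```

Source the file and run `check_kernel_options "$(find_kernel_config)"` on the firewall itself; on the constructed sample it reports `missing: CONFIG_IP_NF_NAT`, which is exactly the DNAT functionality the DMZ script cannot do without. On 2.6 and later kernels the netfilter option names differ from the ones the tutorial lists, so adjust REQUIRED_OPTIONS to the names your kernel uses.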
You need two internal networks with this script, as you can see from the picture. One uses the IP range 192.168.0.0/24 and is the trusted internal network. The other uses the IP range 192.168.1.0/24 and is the De-Militarized Zone, which we 1-to-1 NAT to. For example, if someone from the Internet sends a packet to our DNS_IP, we use DNAT to send the packet on to our DNS on the DMZ network. When the DNS sees our packet, it will be destined for the actual internal-network IP of the DNS, not for our external DNS IP. If the packet had not been translated, the DNS would not have answered it. A short example of how the DNAT code looks:
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP \
--dport 53 -j DNAT --to-destination $DMZ_DNS_IP
First of all, DNAT can only be performed in the PREROUTING chain of the nat table. Then we look for the TCP protocol on our INET_IFACE with a destination IP that matches our DNS_IP, directed to port 53, which is the TCP port for zone transfers between name servers. If we actually get such a packet, we give it the DNAT target. After that we specify where we want the packet to go with the --to-destination option and give it the value of DMZ_DNS_IP, in other words the IP of the DNS on our DMZ network. This is how basic DNAT works. When the reply to the DNATed packet is sent back through the firewall, it automatically gets un-DNATed.
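The DNAT rule above only rewrites the destination address; the translated packet then passes through the FORWARD chain, where it is seen with the DMZ address already in place and is dropped unless a rule accepts it there. The script below is an added example written for this section, not the tutorial's rc.DMZ.firewall.txt, and it shows the complete path: the PREROUTING rewrite, the FORWARD acceptance restricted to the Internet interface towards the DMZ interface, and the single state rule that lets the (automatically un-DNATed) replies back out. It emits rules for UDP as well as TCP, since ordinary DNS lookups travel over UDP port 53 and only zone transfers and large responses use TCP. The interface names and addresses are hypothetical stand-ins for the tutorial's variables (DMZ_IFACE is assumed, the others appear in the text), and IPTABLES defaults to `echo iptables` so the script prints the rules instead of applying them.

```shell
#!/bin/sh
# Hypothetical values standing in for the tutorial's configuration variables.
INET_IFACE="eth0"           # interface towards the Internet
DMZ_IFACE="eth2"            # interface towards the DMZ (assumed name)
DNS_IP="203.0.113.10"       # public address the DNS is known by (constructed)
DMZ_DNS_IP="192.168.1.2"    # real address of the DNS inside the 192.168.1.0/24 DMZ

# Dry run by default: print the rules. Run with IPTABLES=iptables as root
# to apply them for real.
IPTABLES="${IPTABLES:-echo iptables}"

# dmz_dns_rules
# Emits the DNAT rule from the text plus the FORWARD rules that the
# translated packets and their replies need in order to get through.
dmz_dns_rules() {
    for proto in TCP UDP; do
        # 1. Rewrite the destination before routing; DNAT is only valid in
        #    the PREROUTING (and OUTPUT) chains of the nat table.
        $IPTABLES -t nat -A PREROUTING -p $proto -i $INET_IFACE -d $DNS_IP \
            --dport 53 -j DNAT --to-destination $DMZ_DNS_IP
        # 2. FORWARD runs after the rewrite, so match on the DMZ address, and
        #    only for traffic entering from the Internet and leaving to the DMZ.
        $IPTABLES -A FORWARD -p $proto -i $INET_IFACE -o $DMZ_IFACE \
            -d $DMZ_DNS_IP --dport 53 -m state --state NEW -j ACCEPT
    done
    # 3. Replies are un-DNATed by the connection tracking entry created in
    #    step 1; a state match is all that is needed to let them back out.
    $IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# count_rules
# Number of iptables invocations the generator produces (useful in dry run).
count_rules() {
    dmz_dns_rules | wc -l | tr -d ' '
}
```

The `-m state` matches are what CONFIG_IP_NF_MATCH_STATE in the option list above provides; without it the FORWARD rules fail to load while the DNAT rule alone still loads, which is one way to end up with traffic that is translated but never forwarded. Run `dmz_dns_rules` once with the default `echo` to review the five rules before applying them.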
By now you should understand how everything works well enough to follow this script without any great complications. If there is something you don't understand that hasn't been gone through in the rest of the tutorial, mail me, since it is probably a fault on my side.
8.4. rc.DHCP.firewall.txt