Index.
- Introduction.
- Firewall generic setup.
- Firewall Policy.
- Firewall NAT.
- Forwarding.
- Modules loading.
17-Jun-2011: initial release. 10-Aug-2011: added modules loading.
Introduction.
Our simple home server needs a firewall for two reasons. First, we must stop all traffic coming from the Internet, except the traffic that we do want to let in, such as for a web server. Second, we need to translate the IPv4 traffic coming from the client computers, which have private IPv4 addresses, to the external public IPv4 address. Reply packets need to go back and be translated to the right clients. This is called Network Address Translation, in short NAT. For Linux we have the netfilter firewall that can do all these things for us. It consists of a lot of kernel modules and some command line tools that manipulate the firewall settings. A good starting point to find more information is www.yourwebexperts.com, and a good book about this subject is Policy Routing with Linux, written by Matthew G. Marsh.
A good graphical tool to maintain your firewall is Firewall Builder. The good thing about this program is that it can manage all your firewalls from one single setup. So if you change something in one host that affects other hosts, all other hosts will be changed too. Firewall Builder will upload the new rules to all affected hosts.
Install Firewall Builder on your Linux workstation, not on your home server. On Arch Linux you can install it as root with pacman -S fwbuilder. Make sure that the Linux workstation running Firewall Builder has a fixed IP address, so that you can always allow that workstation to access the hosts you manage with Firewall Builder.
The scripts produced by Firewall Builder are not perfect for Arch Linux, or it is the other way round, depending on how you see it. Firewall Builder writes (if you turn it on) which kernel modules to load, but the start/stop scripts in Arch use the iptables-save and iptables-restore commands instead of the uploaded script. So what we need to do, and that is for one time only, is figure out which kernel modules are needed and load them via the standard Arch scripts. Further, in the firewall scripts generated by Firewall Builder we will add an epilog command, so that the generated rules are stored permanently on our home server. It is not too difficult, as we will see later.
Firewall generic setup.
I will not explain how to work with Firewall Builder; there is enough information on the official website. I will just show how to configure it for our home server. Because there is no nice way to provide a listing of the generated rules, I will show screenshots of the rules.
First give your firewall a meaningful name and create a host. The host should have the official internal name, homsrv.wpl.ym, as in our example from the network setup. Then set the Platform to iptables and the version to 1.4.4 or later.
The following screens show the Host OS settings and Firewall settings for this host.
Next, the settings for eth0 and eth1.
In the image on the left you see that the label is set to homsrv-int. This is simply the hostname plus the function of the interface. Doing it this way will prove its use later, when we have a more complicated firewall with several hosts. The interface is marked as the Management interface; you should mark one interface as Management interface, because that is where our firewall upload comes from. The image on the right shows the IPv4 settings.
Left is the setting of the outgoing interface eth1.
Firewall Policy.
Below you see a screen dump of the installed policy.
The policy is grouped in 4 parts. The first part, “Generic”, contains the rules we use in all firewalls: anti-spoofing, unlimited loopback traffic and allow ping.
The next group is “local originated traffic”, traffic coming from the workstations or the firewall itself. Here you need an explicit DHCP rule; a rule that allows all traffic from the workstations does not cover the DHCP broadcast traffic.
The third group is “incoming traffic” from the Internet. We allow DHCP because the external interface uses DHCP. Then we block all other incoming traffic without logging. You could be more selective here if you want to see some hacking attempts; with this setup you will see nothing.
The “final” group is a catch-all rule that just logs anything we have missed. It gives you information about things you forgot to add to your firewall.
Firewall NAT.
Below you see a screen dump of the NAT rule.
There is just one rule: all traffic from the workstations network that is not going to our own network is translated to look like it comes from the address of the external network interface. Because the external interface is marked dynamic, the Firewall Builder script will generate a masquerade rule.
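The policy and the NAT rule described in the two sections above, written out as one iptables-restore ruleset. This is an added example for readers without the screenshots, not the script Firewall Builder generates; eth0 and eth1 are the interfaces from this page, while the LAN prefix 192.168.1.0/24 and the log prefix are constructed.

```shell
LAN_NET="192.168.1.0/24"   # constructed: the workstations network behind eth0
INT_IF="eth0"              # homsrv-int, the internal (management) interface
EXT_IF="eth1"              # the external interface, dynamic address via DHCP

# Print the ruleset in iptables-restore format; load with: gen_rules | iptables-restore
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Generic: anti-spoofing, our own prefix must never arrive from the Internet side
-A INPUT -i $EXT_IF -s $LAN_NET -j DROP
-A FORWARD -i $EXT_IF -s $LAN_NET -j DROP
# Generic: unlimited loopback, allow ping, replies to connections we started
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Local originated traffic: workstations may go anywhere. DHCP discover packets
# come from 0.0.0.0, so the LAN source match misses them; allow them explicitly
-A INPUT -i $INT_IF -s $LAN_NET -j ACCEPT
-A INPUT -i $INT_IF -p udp --sport 68 --dport 67 -j ACCEPT
-A FORWARD -i $INT_IF -s $LAN_NET -j ACCEPT
# Incoming traffic: DHCP replies for the external interface, then drop silently
-A INPUT -i $EXT_IF -p udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -i $EXT_IF -j DROP
# Final: log anything missed above, then drop it
-A INPUT -j LOG --log-prefix "homsrv-catchall: "
-A INPUT -j DROP
-A FORWARD -j LOG --log-prefix "homsrv-catchall: "
-A FORWARD -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# NAT: traffic from the workstations not staying in our own network is masqueraded
-A POSTROUTING -s $LAN_NET ! -d $LAN_NET -o $EXT_IF -j MASQUERADE
COMMIT
EOF
}

# Number of rules jumping to a given target, a quick sanity check on the output
count_target() { gen_rules | grep -c -- "-j $1"; }
```

Saving the loaded rules with iptables-save to the file named in /etc/conf.d/iptables is the epilog step mentioned earlier.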
Forwarding.
Our home server needs packet forwarding (and routing rules). In /etc/conf.d/iptables set IPTABLES_FORWARD=1. The routing rules are set up by the default network behaviour and the NAT rules in the firewall.
Modules loading.
We already mentioned that we need to load some modules somewhere in the Arch initscripts. I use the MODULES=() array in /etc/rc.conf for this. A generic set of modules to add is: nf_conntrack_ftp, nf_conntrack_irc, nf_conntrack_h323, nf_nat_ftp, nf_nat_irc and nf_nat_h323.
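One way to find out which modules the Firewall Builder script loads, so they can be listed in the MODULES=() array: snapshot lsmod before and after running the script once and diff the two. This is an added example, not part of the original article; the file names and the lsmod listings are constructed.

```shell
# Added example: derive the MODULES=() list for /etc/rc.conf from two lsmod
# snapshots. On the server:  lsmod > before.txt; ./homsrv.fw; lsmod > after.txt
# (constructed file names; homsrv.fw stands for the uploaded Firewall Builder script)

# Module names from a saved lsmod listing (header line dropped), sorted
module_names() {
    awk 'NR > 1 { print $1 }' "$1" | LC_ALL=C sort
}

# Modules present in the "after" listing but not in "before", one per line.
# Plain POSIX sh (no process substitution), so it also runs under dash.
new_modules() {
    before=$(module_names "$1")
    module_names "$2" | while read -r m; do
        printf '%s\n' "$before" | grep -qx -- "$m" || printf '%s\n' "$m"
    done
}

# The new modules as one rc.conf line. Table modules (ip_tables, iptable_filter,
# iptable_nat) are pulled in by iptables-restore itself and could be left out;
# the conntrack/NAT helpers (nf_conntrack_ftp, nf_nat_ftp, ...) are not.
rc_conf_line() {
    printf 'MODULES=(%s)\n' "$(new_modules "$1" "$2" | tr '\n' ' ' | sed 's/ $//')"
}

# Constructed lsmod snapshots; $1 is a directory to write before.txt/after.txt into
write_samples() {
    cat > "$1/before.txt" <<'EOF'
Module                  Size  Used by
ext4                  371296  2
e1000e                145424  0
EOF
    cat > "$1/after.txt" <<'EOF'
Module                  Size  Used by
nf_nat_ftp              1624  0
nf_conntrack_ftp       11512  1 nf_nat_ftp
nf_conntrack           59348  2 nf_nat_ftp,nf_conntrack_ftp
ext4                  371296  2
e1000e                145424  0
EOF
}
```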