
7. IP filtering setup (IPFWADM)

If you are using kernel 2.1.102 or newer skip to the next section on IPCHAINS.

In older kernels, IP forwarding is turned on by default. Because of this, your network startup should begin by denying access to everything and flushing any ipfw rules left in place from the last time it was run. This script fragment should go in your network startup script (/etc/rc.d/init.d/network).

  #
  # setup IP packet Accounting and Forwarding
  #
  #   Forwarding
  #
  # By default DENY all services
  ipfwadm -F -p deny
  # Flush all rules
  ipfwadm -F -f
  ipfwadm -I -f
  ipfwadm -O -f

Now we have the ultimate firewall. Nothing can get through.

Now create the file /etc/rc.d/rc.firewall. This script should allow email, Web and DNS traffic through. ;-)

#! /bin/sh
#
# rc.firewall
#
# Source function library.
. /etc/rc.d/init.d/functions

# Get config.
. /etc/sysconfig/network

# Check that networking is up.
if [ "${NETWORKING}" = "no" ]
then
        exit 0
fi
case "$1" in
  start)
  echo -n "Starting Firewall Services: "
  # Allow email to get to the server
  /sbin/ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 192.1.2.10 25
  # Allow email connections to outside email servers
  # (the mail server connects from a high port to remote port 25)
  /sbin/ipfwadm -F -a accept -b -P tcp -S 192.1.2.10 1024:65535 -D 0.0.0.0/0 25
  # Allow Web connections to your Web Server
  /sbin/ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 192.1.2.11 80
  # Allow Web connections to outside Web Servers
  # (LAN clients connect from a high port to remote port 80)
  /sbin/ipfwadm -F -a accept -b -P tcp -S 192.1.2.0/24 1024:65535 -D 0.0.0.0/0 80
  # Allow DNS traffic
  /sbin/ipfwadm -F -a accept -b -P udp -S 0.0.0.0/0 53 -D 192.1.2.0/24
  ;;
  stop)
  echo -n "Stopping Firewall Services: "
  # Deny by default and flush the accept rules so nothing is forwarded
  /sbin/ipfwadm -F -p deny
  /sbin/ipfwadm -F -f
  ;;
  status)
  echo -n "Now do you show firewall stats?"
  ;;
  restart|reload)
        $0 stop
        $0 start
        ;;
  *)
        echo "Usage: firewall {start|stop|status|restart|reload}"
        exit 1
esac

NOTE: In this example we have the email (SMTP) server running at 192.1.2.10, which must be able to send and receive on port 25. The web server is running at 192.1.2.11. We are allowing anyone on the LAN to get to outside web and DNS servers.

This is not perfectly secure. Because port 80 doesn't have to be used as a web port, a smart hacker might use this port to create a virtual private network (VPN) through the firewall. The way around this is to set up a web proxy and only allow the proxy through the firewall. Users on the LAN will have to go through the proxy to get to outside web servers.
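The forwarding policy described in the NOTE, and the proxy-only variant suggested above, modelled in Python as an added example (not part of the original HOWTO and not ipfwadm itself). The proxy address 192.1.2.12 and the outside address 203.0.113.7 are constructed for illustration; the model matches on protocol, addresses and ports only, which is all these filter rules inspect.

```python
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
LAN = ip_network("192.1.2.0/24")
HIGH = range(1024, 65536)        # unprivileged (client) ports
ALL = range(0, 65536)

def port(n):
    return range(n, n + 1)

def build_rules(proxy=None):
    """Rules as (proto, src_net, src_ports, dst_net, dst_ports), per the NOTE.
    With proxy set (hypothetical host), only it may open outbound web sessions."""
    web_clients = ip_network(proxy + "/32") if proxy else LAN
    return [
        ("tcp", ANY, HIGH, ip_network("192.1.2.10/32"), port(25)),  # mail in
        ("tcp", ip_network("192.1.2.10/32"), HIGH, ANY, port(25)),  # mail out
        ("tcp", ANY, HIGH, ip_network("192.1.2.11/32"), port(80)),  # web in
        ("tcp", web_clients, HIGH, ANY, port(80)),                  # web out
        ("udp", ANY, port(53), LAN, ALL),                           # DNS
    ]

def _match(rule, proto, src, sport, dst, dport):
    rproto, snet, sports, dnet, dports = rule
    return (proto == rproto
            and ip_address(src) in snet and sport in sports
            and ip_address(dst) in dnet and dport in dports)

def forward(rules, proto, src, sport, dst, dport):
    """Return 'accept' or 'deny' for one packet crossing the firewall."""
    for rule in rules:
        # -b makes each rule match in both directions
        if (_match(rule, proto, src, sport, dst, dport)
                or _match(rule, proto, dst, dport, src, sport)):
            return "accept"
    return "deny"                 # default policy: ipfwadm -F -p deny

if __name__ == "__main__":
    # Constructed sample packets: (proto, src, sport, dst, dport)
    samples = [
        ("tcp", "203.0.113.7", 40000, "192.1.2.10", 25),   # inbound mail
        ("tcp", "203.0.113.7", 40000, "192.1.2.10", 23),   # inbound telnet
        ("tcp", "192.1.2.50", 40000, "203.0.113.7", 80),   # LAN host, port 80
    ]
    for name, rules in (("direct", build_rules()),
                        ("proxy only", build_rules(proxy="192.1.2.12"))):
        for pkt in samples:
            print(name, pkt, forward(rules, *pkt))
```

The third sample is accepted under the direct rules whatever protocol it actually carries, and denied once only the proxy host is allowed out on port 80.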

You might also be interested in accounting for traffic going through your firewall. This script will count every packet. You could add a line or two to account for packets going to just a single system.

  # Flush the current accounting rules
  /sbin/ipfwadm -A -f
  # Accounting
  /sbin/ipfwadm -A out -i -S 192.1.2.0/24 -D 0.0.0.0/0
  /sbin/ipfwadm -A out -i -S 0.0.0.0/0 -D 192.1.2.0/24
  /sbin/ipfwadm -A in -i -S 192.1.2.0/24 -D 0.0.0.0/0
  /sbin/ipfwadm -A in -i -S 0.0.0.0/0 -D 192.1.2.0/24

If all you need is a filtering firewall you can stop here. Test it and Enjoy.

