In Part 3, we installed Webmin. Now we turn our sites to configure the network interfaces and firewall box security. Obviously, a firewall, like any network border device, must be highly secure.
Configuring Networking
Since your firewall box has two network cards, you need to configure one with your WAN IP and one with a LAN IP. Additionally, it’s a good idea to label each physical card so you know which one is which, and then use ifrename to ensure that the configurations stick to the correct cards. Please refer to Nail Down Network Interface Names with ifrename for this. You’ll need to take two more steps than the article gives, because Debian Stable does not include a startup script. Copy the one in the article to your firewall box and name it /etc/init.d/ifrename. Then make it start at boot by adding it to runlevels 2, 3, 4, and 5 with the update-rc.d command:
firewall1:~# update-rc.d ifrename start 40 2 3 4 5 . stop 0 1 6 .
firewall1:~# nano /etc/network/interfaces
# The loopback network interfaceauto loiface lo inet loopback
#lan and wan interfaces
auto lan wan
iface lan inet static
address 192.168.1.26
netmask 255.255.255.0
iface wan inet dhcp
If your Internet account gives you a static IP, use your account information. You’ll need the address, netmask, and gateway.
You’ll also need to enter your ISP’s DNS servers in /etc/resolv.conf. Note that the interface names “lan” and “wan” are arbitrary.
I like to use descriptive names, rather than the default eth0, eth1, etc. so I instantly know what their roles are. These names are assigned with the ifrename program. Reboot, then run ifconfig -a to make sure everything is correct.
Locking it Down
Debian Stable installs with a number of services you don
’
t need, so they should be turned off. You can see these with the
netstatcommand:
firewall1:~# netstat -untap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:643 0.0.0.0:* LISTEN 1733/rpc.statd
tcp 0 0 0.0.0.0:113 0.0.0.0:* LISTEN 1616/inetd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1340/portmap
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 1821/perl
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1726/sshd
udp 0 0 0.0.0.0:640 0.0.0.0:* 1733/rpc.statd
udp 0 0 0.0.0.0:10000 0.0.0.0:* 1821/perl
udp 0 0 0.0.0.0:111 0.0.0.0:* 1340/portmap
udp 0 0 0.0.0.0:637 0.0.0.0:* 1733/rpc.statd
That’s a whole lot of unnecessary open ports. All that’s needed are sshd, for secure remote administration, and port 10000 for Webmin. To fix this, use the update-rc.d command to remove them from the startup directory, /etc/init.d/. Then reboot and run netstat again to verify that it worked:
firewall1:~# update-rc.d -f nfs-common remove
firewall1:~# update-rc.d -f portmap remove
firewall1:~# update-rc.d -f inetd remove
firewall1:~# nano /etc/ssh/sshd_config
firewall1:~# /etc/init.d/ssh restart
Restarting OpenBSD Secure Shell server: sshd.
That locks down the firewall box pretty tightly. Come back next week to learn how to build your actual Internet-connection sharing firewall.
Resources
Nail Down Network Interface Names with ifrename
The Penguin’s Practical Network Troubleshooting Guide, Part 1
The Penguin’s Practical Network Troubleshooting Guide, Part 2
the Linux Cookbook
, step-by-step Linux system administration
Adapted from PracticallyNetworked.com, part of the EarthWeb.com Network.
| Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today! |