
Tuxas Firewall

Tuxas Firewall is an init script for Linux kernel 2.4 (iptables), which can be used to set up the interior/exterior router of a firewall network.

The script has been made specifically for the interior/exterior router configuration as described in O'Reilly's Building Internet Firewalls.

The router connects 3 networks: [1] a small Internet subnet with fixed addresses, [2] a perimeter net and [3] an interior network (intranet). The perimeter and intranet networks use private RFC 1918 address space. Addresses of hosts that need global Internet access are translated from private to Internet addresses.

     Internet address space <---|---> private address space

          .                  +-----+   (~~~~~~~~~~~~)
         / \                 |     |--( perimeternet )
        /   \   (~~~~~~~~)   |     |   ( publicDMZ  )
(SDSL)-< igw >-( interfix )--| IER |    ~~~~~~~~~~~~
        \   /   (        )   |     |        (~~~~~~~~~~~~)
         \ /     ~~~~~~~~    |     |-------(   intranet   )
          '                  +-----+        ( privateDMZ )
                                             ~~~~~~~~~~~~

A typical application would be the connection of a handful of systems over a DSL line, where the assigned address space is a network for 6 hosts (/29) or similar:

                        interior/            +-----+ Bastion
                     exterior router         | www | Host
          .              +-----+             +--+--+
         / \             |     |perimnetIF      | public DMZ
        /   \  internetIF|     |----------------+-
(SDSL)-< igw >-----------| IER |
        \   / igw        |     |intranetIF  private DMZ
         \ /             |     |----+------+-----+---
          '              +-----+    |      |     |
                                  +-+-+  +-+-+ +-+-+
                                  |srv|  |dt1| |dt2|
                                  +---+  +---+ +---+
                                  Server  Desktops
The firewall policy is deny all, then open up on a per-service basis. Services are roughly set up as follows:

TELNET: From the Internet, allowed to the bastion host only. From the bastion host any host in the Intranet can be reached. Outbound telnet is allowed from the Intranet to the Perimeternet, and from the Intranet to the Internet and the IER.
HTTP, HTTPS: Inbound from the Internet to the bastion host. Outbound from the Intranet to the Internet. nfstate mode 2 allows connections from the bastion host and the IER to the Intranet, e.g. for apt updates.
NTP: There are 2 NTP servers: the bastion host and srv in the Intranet. The IER is an NTP client which gets its time sync from the bastion host. Intranet clients talk to the Intranet server srv.
DNS: Works with one server each in the Perimeternet and the Intranet, similar to NTP. In nfstate mode 2, Internet DNS queries can be performed from the Intranet as well.

For the exact list, run "firewall show" and check the output messages.
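
As an added illustration of the deny-all policy and the per-service structure described above (this is example code, not the Tuxas script itself), the skeleton below sets DROP policies first and then opens each service path with its own function. The interface names, the addresses, the function bodies and the "show" subcommand behaviour are assumptions; IPT defaults to a dry run that prints the rules instead of loading them.

```bash
#!/bin/bash
# Added example, not the Tuxas script: a deny-all skeleton with one function
# per service path. Interface names, addresses and function bodies are
# assumptions. IPT defaults to a dry run that prints the rules; run as root
# with IPT=iptables to actually load them.
IPT=${IPT:-"echo iptables"}

INTERNET_IF=eth0           # assumed interface names
PERIMNET_IF=eth1
INTRANET_IF=eth2
BASTION=192.168.10.2       # constructed: www bastion host in the public DMZ
INTRANET=192.168.20.0/24   # constructed: private DMZ

# Deny-all baseline: drop everything, then open services one by one below.
# ier_tf_* rules for the router's own services (NTP client, DNS) would be
# added to INPUT/OUTPUT the same way and are omitted here.
deny_all() {
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    $IPT -F
    $IPT -t nat -F
    # Replies and related connections (e.g. FTP data via ip_conntrack_ftp)
    # ride on this one rule, so each service only needs to allow NEW.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Inbound TCP service from the Internet to one perimeter-net host.
internet_tf_perimnet() {
    local port=$1 host=$2
    $IPT -A FORWARD -i "$INTERNET_IF" -o "$PERIMNET_IF" -p tcp -d "$host" \
        --dport "$port" -m state --state NEW -j ACCEPT
}

# Outbound TCP service from the intranet to the Internet.
internet_tf_intranet() {
    local port=$1
    $IPT -A FORWARD -i "$INTRANET_IF" -o "$INTERNET_IF" -p tcp -s "$INTRANET" \
        --dport "$port" -m state --state NEW -j ACCEPT
}

# Service from the perimeter net into the intranet, restricted to one source
# host (telnet from the bastion host to any intranet host, as described above).
perimnet_tf_intranet() {
    local port=$1 src=$2
    $IPT -A FORWARD -i "$PERIMNET_IF" -o "$INTRANET_IF" -p tcp -s "$src" \
        --dport "$port" -m state --state NEW -j ACCEPT
}

firewall_start() {
    deny_all
    internet_tf_perimnet 23 "$BASTION"     # TELNET: Internet -> bastion only
    internet_tf_perimnet 80 "$BASTION"     # HTTP/HTTPS: Internet -> bastion
    internet_tf_perimnet 443 "$BASTION"
    internet_tf_intranet 80                # HTTP/HTTPS: intranet -> Internet
    internet_tf_intranet 443
    internet_tf_intranet 23                # TELNET: intranet -> Internet
    perimnet_tf_intranet 23 "$BASTION"     # TELNET: bastion -> intranet
}

# "show" lists the rules this script would load (assumed to resemble the
# page's "firewall show"); it forces the dry-run IPT so nothing is changed.
case "${1:-}" in
    show) IPT="echo iptables"; firewall_start ;;
esac
```

Running the script with the argument "show" prints every rule in load order, which is the quickest way to review which paths a deny-all policy has actually reopened before loading it on the router.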

The script has been structured with separate functions for all inbound and outbound services on all paths through or to the IER (tf means to/from):

                   -<>-----------------------------<>- internet_tf_perimnet
                           +-----+ perimeter  ,----<>- perimnet_tf_intranet
                           |     |-netIF     |    -<>- ier_tf_perimnet
                   internet|     |         D |
 ier_tf_internet -<>-  IF -| IER |         M |
                           |     |         Z |
                           |     |-intranet  |    -<>- ier_tf_intranet
                           +-----+ IF         `----->-
                   -<>-----------------------------<>- internet_tf_intranet

All address translations are defined in the array natHOSTS. Besides the addresses it also contains the host type, which is used for filtering rules specific to that particular host. For simplicity there is no port-level NAT, therefore all addresses in this array must be unique. Note that if a host has a NATed address, the NAT address is used whenever its traffic passes through the IER from one interface to another, for example from the Intranet to the Perimeternet. And don't forget to load the ip_conntrack_ftp module for FTP.
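
The following is an added example of such a host table with its uniqueness check and the NAT rules derived from it; it is not the Tuxas script's own natHOSTS, whose layout is not shown on this page. The "private public type" column layout, the interface names and the mapping of host type to interface are assumptions, and all addresses are constructed (203.0.113.0/24 is documentation address space). Because the script uses one-to-one NAT without port translation, a duplicate address in the table would make two hosts compete for the same translation, so the check refuses to load rules in that case.

```bash
#!/bin/bash
# Added example, not the Tuxas script's own natHOSTS: a host table with a
# uniqueness check and the SNAT/DNAT rules derived from it. The column layout,
# interface names, type-to-interface mapping and all addresses are constructed.
IPT=${IPT:-"echo iptables"}            # dry run by default; IPT=iptables to load
MODPROBE=${MODPROBE:-"echo modprobe"}
INTERNET_IF=eth0
PERIMNET_IF=eth1
INTRANET_IF=eth2

natHOSTS=(
    # private address   translated Internet address   host type
    "192.168.10.2       203.0.113.10                  bastion"
    "192.168.20.10      203.0.113.11                  server"
    "192.168.20.21      203.0.113.12                  desktop"
)

# Interface a host type lives behind (assumed mapping).
host_if() {
    case "$1" in
        bastion) echo "$PERIMNET_IF" ;;
        *)       echo "$INTRANET_IF" ;;
    esac
}

# No port-level NAT means one-to-one translation, so every address in the
# table must be unique. $1 selects the column to check: private or public.
check_nat_unique() {
    local column=$1 seen=" " entry priv pub type addr
    for entry in "${natHOSTS[@]}"; do
        read -r priv pub type <<< "$entry"
        if [ "$column" = private ]; then addr=$priv; else addr=$pub; fi
        case "$seen" in
            *" $addr "*) echo "natHOSTS: duplicate $column address $addr" >&2; return 1 ;;
        esac
        seen="$seen$addr "
    done
}

# The NAT address is used whenever the host's traffic crosses the IER from
# one interface to another, not only towards the Internet (SNAT on every
# outgoing interface except the host's own). Hosts that offer services
# (bastion, server) also get inbound DNAT; desktops do not.
nat_rules() {
    local entry priv pub type
    for entry in "${natHOSTS[@]}"; do
        read -r priv pub type <<< "$entry"
        $IPT -t nat -A POSTROUTING -s "$priv" ! -o "$(host_if "$type")" \
            -j SNAT --to-source "$pub"
        case "$type" in
            bastion|server)
                $IPT -t nat -A PREROUTING -d "$pub" -j DNAT --to-destination "$priv" ;;
        esac
    done
}

# Validate the table before touching the nat table; FTP data connections
# need the conntrack helper mentioned above.
nat_start() {
    check_nat_unique private && check_nat_unique public || return 1
    $MODPROBE ip_conntrack_ftp
    nat_rules
}
```

Keeping the validation in front of rule loading means a copy-and-paste error in the table fails loudly at boot instead of silently routing one host's traffic under another host's translated address.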

License

This software is under the BSD license.

Download

Download the code from here.

Installation and Usage

Edit the parameters in the configurable section. Copy the script to /etc/init.d, then create a symlink such as ln -s ../init.d/firewall S90firewall in the startup script directory of the runlevel you are using. On Debian Linux this is /etc/rc2.d.
You will most likely also want to add or delete services in the body section of the script. See the functions for inbound and outbound services described above.

Reporting bugs

Send comments and information to my email account skat@tuxas.net. I am also interested in knowing whether you find the script useful and are actually using it, and what you added to it. The reason behind this is that if you find the script useful, I'd then prepare a Debian package with an extra configure script.

Author

Stefan Katerkamp <skat@tuxas.net>

Links

Building Internet Firewalls, Second Edition

Tuxas Firewall Project @ SourceForge


last update: Sun Feb 4 19:09:32 CET 2001