# cd /etc/xen/auto/
# ln -s /var/xen/fw-prs/fw-prs.conf 1-fw-prs.conf
Domains in /etc/xen/auto are started in filename order (hence, presumably, the `1-` prefix on the symlink); how to wait between successive domain starts is still to be worked out.
# Xen domU definition for the firewall domain "fw-prs".
# NOTE(review): the kernel path is on dom0's filesystem, so /usr/src/vmlinuz
# there must be a domU-capable kernel.
kernel = "/usr/src/vmlinuz"
name   = "fw-prs"
vcpus  = 1
memory = 200     # MB assigned at boot
maxmem = 350     # MB the domain may grow to

# One interface per bridge; in the guest these appear as eth0/eth1/eth2 in
# this order, which is how the firewall script below addresses them
# (eth0 = DMZ, eth1 = red/external, eth2 = green/LAN).
# NOTE(review): no mac= is given, so the toolstack presumably picks a MAC at
# each start - pin one if anything on the bridges keys on the guest's MAC.
vif = [
    'bridge=xendmz',
    'bridge=xenred',
    'bridge=xengreen',
]

# Loopback-file backed root and swap, both writable by the guest.
disk = [
    'file:/var/xen/fw-prs/fw-prs.img,hda1,w',
    'file:/var/xen/fw-prs/fw-prs.swap,hda2,w',
]
root  = "/dev/hda1 ro"
extra = "xencons=tty"
Configure the network interfaces (/etc/conf.d/net on Gentoo):
# Static addresses, one per interface. Interface roles match the firewall
# script: eth0 = DMZ, eth1 = red/external (default route via routes_eth1),
# eth2 = green/LAN.
# NOTE(review): no prefix length is given - confirm the netmask that results
# (writing "192.168.1.2/24" etc. makes it explicit).
config_eth0=("192.168.1.2")   # DMZ side
config_eth1=("192.168.0.2")   # external side
config_eth2=("192.168.2.2")   # LAN side
routes_eth1=("default via 192.168.0.1")

Auto start networks :
# cd /etc/init.d/
# ln -s net.lo net.eth1
# ln -s net.lo net.eth2
# rc-update add net.eth0 default
# rc-update add net.eth1 default
# rc-update add net.eth2 default
fw-prs ~ # emerge -vp iptables   (note: -p only pretends and lists what would be merged; run it again without -p to actually install)
Configure iptables with the following script (saved as ~/fw.sh, see below):
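#!/bin/sh -x
#
# Three-legged firewall for the fw-prs domU.
#   eth1 (red)   - external side, 192.168.0.2, default route via 192.168.0.1
#   eth0 (dmz)   - DMZ, 192.168.1.2
#   eth2 (green) - LAN, 192.168.2.2
# Default policy is DROP on every chain; only what is listed below passes.
# Every chain ends in a rate-limited LOG rule so a flood cannot fill the logs.
# The -x on the shebang echoes every command while the script runs; drop it
# once the rule set is stable.

INET_IP="192.168.0.2"
INET_IFACE="eth1"
LAN_IP="192.168.2.2"
LAN_IFACE="eth2"
DMZ_IP="192.168.1.2"
DMZ_IFACE="eth0"
LO_IFACE="lo"
LO_IP="127.0.0.1"

# Servers
DMZ_GATE="192.168.1.4"     # DMZ host that receives DNS/HTTP/HTTPS/SMTP from outside
DMZ_AWIRED="192.168.1.6"   # not referenced by any rule below
LAN_EX="192.168.2.4"       # LAN host the DMZ may reach on 80/443
LAN_MNG="192.168.2.6"      # not referenced by any rule below

IPTABLES="/sbin/iptables"

###########################################################################
# Clean: flush all rules and delete user chains (filter and nat) so the
# script can be re-run safely.
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
$IPTABLES -t nat -X

# Start from "drop everything"
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# User chains
$IPTABLES -N bad_tcp_packets
$IPTABLES -N allowed
$IPTABLES -N icmp_packets

# bad_tcp_packets: a SYN,ACK that opens a NEW connection is answered with a
# reset (prevents us being used in a SYN,ACK reflection); any other NEW
# connection that is not a plain SYN is logged and dropped.
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

# allowed: used by the per-service FORWARD rules - let the opening SYN and
# the rest of an established connection through, drop everything else.
$IPTABLES -A allowed -p tcp --syn -j ACCEPT
$IPTABLES -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p tcp -j DROP

# icmp_packets: only echo-request (8) and time-exceeded (11) are accepted
# from the outside; other ICMP types fall back to the calling chain.
$IPTABLES -A icmp_packets -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p icmp -s 0/0 --icmp-type 11 -j ACCEPT

##################################################################
# INPUT: traffic addressed to the firewall itself
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

# ICMP from the outside
$IPTABLES -A INPUT -p icmp -i $INET_IFACE -j icmp_packets

# DMZ and LAN hosts may reach any service on the firewall's address on
# their own segment. NOTE(review): for the DMZ this means a compromised
# DMZ host can talk to every listening service on the firewall - tighten
# to the ports actually needed.
$IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT

# Loopback, for every address the firewall owns (DMZ_IP was missing)
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $DMZ_IP -j ACCEPT

# DHCP requests from the LAN are broadcast and not matched by the -d rule above.
$IPTABLES -A INPUT -p udp -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

# Replies to connections the firewall opened towards the outside.
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

# Optional noise suppression for the log rule below. Left disabled; the
# first one needs an INET_BROADCAST variable that this script does not define.
# Microsoft Networks broadcasts:
#$IPTABLES -A INPUT -p udp -i $INET_IFACE -d $INET_BROADCAST --dport 135:139 -j DROP
# DHCP requests arriving from the outside:
#$IPTABLES -A INPUT -p udp -i $INET_IFACE -d 255.255.255.255 --dport 67:68 -j DROP
# Multicast from the outside:
#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP

# Log what falls through (policy DROP takes it afterwards).
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

##################################################################
# FORWARD: traffic routed between the segments
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

# DMZ <-> Internet. NOTE(review): DMZ -> Internet is unrestricted, so a
# compromised DMZ host can reach any outside host/port; restrict this to
# what the DMZ services actually need.
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

# LAN -> DMZ freely, DMZ -> LAN only as reply (plus the 80/443 rules below).
$IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

# LAN is fully trusted: it may initiate anything, and replies to anything
# already established are let through in every direction.
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

##################################################################
# OUTPUT: traffic originated by the firewall. One rule per address the
# firewall owns; DMZ_IP was missing, which dropped (and logged) every reply
# to DMZ hosts that the INPUT chain had accepted.
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $DMZ_IP -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

###############################################################################
## Published services: DNAT on PREROUTING plus the matching FORWARD rule.
## Every DNAT is restricted to packets addressed to the firewall's external
## address (-d $INET_IP); without that, any port-53/80/443/25 packet that
## merely arrived on eth1 would be rewritten to DMZ_GATE.
###############################################################################
# DNS
$IPTABLES -t nat -A PREROUTING -p tcp -i $INET_IFACE -d $INET_IP --dport 53 -j DNAT --to $DMZ_GATE
$IPTABLES -t nat -A PREROUTING -p udp -i $INET_IFACE -d $INET_IP --dport 53 -j DNAT --to $DMZ_GATE
$IPTABLES -A FORWARD -p tcp -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_GATE --dport 53 -j allowed
$IPTABLES -A FORWARD -p udp -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_GATE --dport 53 -j ACCEPT

# HTTP (DMZ may also reach LAN_EX on 80)
$IPTABLES -t nat -A PREROUTING -p tcp -i $INET_IFACE -d $INET_IP --dport 80 -j DNAT --to $DMZ_GATE
$IPTABLES -A FORWARD -p tcp -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_GATE --dport 80 -j allowed
$IPTABLES -A FORWARD -p tcp -i $DMZ_IFACE -o $LAN_IFACE -d $LAN_EX --dport 80 -j allowed

# HTTPS (DMZ may also reach LAN_EX on 443)
$IPTABLES -t nat -A PREROUTING -p tcp -i $INET_IFACE -d $INET_IP --dport 443 -j DNAT --to $DMZ_GATE
$IPTABLES -A FORWARD -p tcp -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_GATE --dport 443 -j allowed
$IPTABLES -A FORWARD -p tcp -i $DMZ_IFACE -o $LAN_IFACE -d $LAN_EX --dport 443 -j allowed

# SMTP
$IPTABLES -t nat -A PREROUTING -p tcp -i $INET_IFACE -d $INET_IP --dport 25 -j DNAT --to $DMZ_GATE
$IPTABLES -A FORWARD -p tcp -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_GATE --dport 25 -j allowed

# FORWARD log rule goes last: it was previously appended before the service
# rules above, so every new inbound DNS/HTTP/SMTP connection was logged as
# "died" even though a later rule accepted it.
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#################################################################################
# Source NAT for everything leaving through the external interface.
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP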
SNAT is used instead of MASQUERADE because the external address (192.168.0.2) is static; MASQUERADE is meant for interfaces with a dynamically assigned address and forgets all connection tracking state when the interface goes down.
Run the iptables script once, then save the resulting rule set so the iptables init script restores it at boot:
# chmod +x ~/fw.sh
# ~/fw.sh
# /etc/init.d/iptables save
# /etc/init.d/iptables start
# rc-update add iptables default
Enable IP forwarding (the firewall routes between its three interfaces):
# echo 1 > /proc/sys/net/ipv4/ip_forward   (takes effect immediately but is lost at reboot; the sysctl settings below make it persistent)
# /etc/sysctl.conf: make the forwarding setting survive a reboot
# (the echo into /proc/sys above only lasts until the next boot).
net.ipv4.ip_forward = 1

# Reverse-path filtering: a packet is dropped if its source address would
# not be routed back out through the interface it arrived on (basic
# anti-spoofing on all three legs).
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1