3-legged 'Transparent Proxy' firewall using IPFilter 4.1.8, Squid on Fedora Core 1
Date: Oct 8, 2005
by Jett Tayer <>
Download and install apt for Fedora Core 1
# cd /usr/local/src
# wget http://apt.sw.be/fedora/1/en/i386/dag/RPMS/apt-0.5.15cnc6-4.1.fc1.rf.i386.rpm
# wget http://apt.sw.be/fedora/1/en/i386/dag/RPMS/apt-devel-0.5.15cnc6-4.1.fc1.rf.i386.rpm
# rpm -ivh apt-0.5.15cnc6-4.1.fc1.rf.i386.rpm
# rpm -ivh apt-devel-0.5.15cnc6-4.1.fc1.rf.i386.rpm
Update your apt database
# apt-get update
Upgrade your packages
# apt-get upgrade
Upgrade the kernel
# apt-get install kernel#2.4.22-1.2199.nptl kernel-source#2.4.22-1.2199.nptl
Install some needed apps
# apt-get install patch rpm-build
Restart your machine and boot the newly installed kernel.
Download and extract the Squid package.
# apt-get install squid
Configure Squid to do 'transparent proxying'
# vi /etc/squid/squid.conf
You will need to make at least the following changes in /etc/squid/squid.conf
http_port 3128
http_access deny to_localhost
acl our_networks src 192.168.1.0/24 192.168.2.0/24
http_access allow our_networks
visible_hostname your.server.name.dom
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Fire up Squid!
# service squid start
Install Bind 9: Provide caching DNS service to LAN only
# apt-get install bind bind-chroot
# service named start
Install IPFilter
Download and extract ipfilter software package
# wget http://coombs.anu.edu.au/~avalon/ip_fil4.1.8.tar.gz
# gzip -cd ip_fil4.1.8.tar.gz tar xvf -
# cd ip_fil4.1.8
Edit Makefile
# vi Makefile
look for the line,
LINUXKERNEL=/usr/src/linux
and change it to,
LINUXKERNEL=/usr/src/linux-2.4
Uncomment the following 3 lines
STATETOP_CFLAGS=-DSTATETOP
STATETOP_INC=
STATETOP_INC=-I/usr/local/include
and change the last line
STATETOP_INC=-I/usr/local/include
to
STATETOP_INC=-I/usr/include
Uncomment the following 2 lines
STATETOP_LIB=-lncurses
STATETOP_LIB=-L/usr/local/lib -lncurses
and change the last line
STATETOP_LIB=-L/usr/local/lib -lncurses
to
STATETOP_LIB=-L/usr/lib -lncurses
Next look for the line
POLICY=-DIPF_DEFAULT_PASS=FR_PASS
and change it to
POLICY=-DIPF_DEFAULT_PASS=FR_BLOCK
Save the file
# wq!
Compile IPFilter
# make linux
# make install-linux
Note:
There will be errors about ipfilter.o not being found.
Just copy ipfilter.o created in 'make-linux' command above in
/usr/src/redhat/BUILD/ipfilter/lib/modules/2.4.22-1.2199.nptl/kernel/net/ipv4/
then do a "make install-linux" again.
Still there will be errors, but don't worry because ipfilter RPM file will
be written in /usr/src/redhat/RPMS/i386. In that case just go directly
to the location of IPFilter RPM file and install it manually.
# cd /usr/src/redhat/RPMS/i386/
# rpm -ivh ipfilter-4.1.8-1.i386.rpm
IPFilter is now installed.
Config file (/etc/ipf.conf)
Here is my working ipf.conf for a 3-legged firewall
############################
### ipf.conf starts here ###
#
# $Linux ipf.conf 2005/07/17 16:15:55 tayer Exp $
#
# See /usr/share/ipfilter/examples for syntax and examples.
# eth0 is connected to the Internet with ip address 10.10.10.1 which is part of
# 10.10.10.0/24 network (not my real ip block of course!)
# eth1 is connected to the private subnet 192.168.1.0/24, 192.168.1.1 is the IP of eth1
# eth2 is connected to the private subnet 192.168.2.0/24, 192.168.2.1 is the IP of eth2
# Filtering:
block in all
block out all
block in quick on eth0 from 127.0.0.0/8 to any
block in quick on eth0 from 192.168.0.0/16 to any
block in quick on eth0 from 172.16.0.0/12 to any
block in quick on eth0 from 10.0.0.0/8 to any
block in quick on eth0 from 169.254.0.0/16 to any
block in quick on eth0 from 223.0.0.0/8 to any
block in quick on eth0 from 198.18.0.0/15 to any
block in quick on eth0 from 197.0.0.0/8 to any
block in quick on eth0 from 224.0.0.0/3 to any
block out quick on eth0 from any to 127.0.0.0/8
block out quick on eth0 from any to 192.168.0.0/16
block out quick on eth0 from any to 172.16.0.0/12
block out quick on eth0 from any to 10.0.0.0/8
block out quick on eth0 from any to 169.254.0.0/16
block out quick on eth0 from any to 223.0.0.0/8
block out quick on eth0 from any to 198.18.0.0/15
block out quick on eth0 from any to 197.0.0.0/8
block out quick on eth0 from any to 224.0.0.0/3
# What's these?? :)
block in log quick on eth0 from any to 10.10.10.0
block in log quick on eth0 from any to 10.10.10.255
block in log quick on eth0 from any to 255.255.255.255
##### Block a bunch of different nasty things. ############
# That I don"t want to see in the log
#
# Block frags
block in log quick on eth0 all with frags
# Block short tcp packets
block in log quick from any to any with ipopts
block in log quick all with short
# Block anything with special options
block in log quick all with ipopts
#
# Log packets with BOTH ssrr and lsrr set
log in all with opt lsrr,ssrr
# block source routed packets
block in log quick all with opt lsrr
block in log quick all with opt ssrr
# Block nmap OS fingerprint attempts
# Log first occurrence of these so I can get their IP address
block in log first quick on eth0 proto tcp from any to any flags FUP
# Block public pings
#block in log quick on eth0 proto icmp all
# Allow loopback packets freely
pass in quick on lo
pass out quick on lo
# Allow LAN packets freely
# allow freely packets from 192.168.1.0/24 LAN
pass in quick on eth1
pass out quick on eth1
# allow freely packets from 192.168.2.0/24 LAN
pass in quick on eth2
pass out quick on eth2
# Allow incoming data channel for outgoing connections, reject
# and log all incoming control connections
pass out quick on eth0 proto tcp from any to any port = 21 flags S keep state
# Allow SSH
pass in on eth0 proto tcp from any to eth0/32 port = 22 flags S/SA keep state
# Allow SMTP traffic
#pass in on eth0 proto tcp from any to eth0/32 port = 25 flags S/SA keep state
# Allow DNS traffic (tcp & axfr)
#pass in on eth0 proto tcp from any to eth0/32 port = 53 flags S/SA keep state
# Allow DNS traffic (udp)
#pass in on eth0 proto udp from any to eth0/32 port = 53 keep state
# Allow outside world to ping me (bad idea)
#pass in on eth0 proto icmp from any to any icmp-type 8 code 0 keep state keep frags
# Allow me to ping the outside world
pass out quick proto icmp from any to any icmp-type 8 code 0 keep state keep frags
# Allow all outgoing tcp traffic
pass out on eth0 proto tcp all flags S/SA keep state
# Allow all outgoing udp traffic
pass out on eth0 proto udp all keep state
#
### ipf.conf ends here ###
##########################
Config file (/etc/ipnat.conf)
Here is my working ipnat.conf for my 3-legged firewall
### ipnat.conf starts here ###
#
map eth0 192.168.1.0/24 -> 10.10.10.1/32 proxy port ftp ftp/tcp
map eth0 192.168.1.0/24 -> 10.10.10.1/32 portmap tcp/udp 40000:60000
map eth0 192.168.1.0/24 -> 10.10.10.1/32
map eth0 192.168.2.0/24 -> 10.10.10.1/32 proxy port ftp ftp/tcp
map eth0 192.168.2.0/24 -> 10.10.10.1/32 portmap tcp/udp 40000:60000
map eth0 192.168.2.0/24 -> 10.10.10.1/32
#
# Redirection is triggered for input packets.
# For example, to redirect FTP connections through this box, to the local ftp
# port, forcing them to connect through a proxy, you would use:
#
rdr eth0 0.0.0.0/0 port ftp -> 127.0.0.1 port ftp
#
# squid transparent proxy
rdr eth1 192.168.1.1/32 port 80 -> 192.168.1.1 port 80
rdr eth1 0.0.0.0/0 port 80 -> 192.168.1.1 port 3128
rdr eth1 192.168.2.1/32 port 80 -> 192.168.2.1 port 80
rdr eth1 0.0.0.0/0 port 80 -> 192.168.2.1 port 3128
#
### ipnat.conf ends here ###
Enable IP Forwarding:
Add this line in /etc/sysctl.conf if not already there
# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
Re-read /etc/sysctl.conf
# sysctl -p
Fire up IPFilter
# service ipfilter start
IPFilter admin commands
Display a table of data detailing firewall performance,
including how many packets have been passed or blocked.
# ipfstat -hio
To flush and load ipfilter rules
# ipf -Fa -f /etc/ipf.conf
To flush and load ipnat rules
# ipnat -CF -f /etc/ipnat.conf
1 comment:
Great article! Only one problem, Free Blacklists Suck!
We specialize in serving intelligent network administrators high quality blacklists for effective, targeted inline web filtering.
There is a demand for a better blacklist. And with few alternatives available, we intend to fill that gap.
Signed,
Benjamin E. Nichols
http://www.squidblacklist.org
Post a Comment