Increasing Your Masquerading Gateway Security
All it takes is a few simple lines of code
By Trevor Marshall
September 13, 1999
In July's column we looked at how Linux uses Masquerading to provide a simple firewall between your local Intranet and the Internet itself, and I gave an example of a very simple firewall.
But just a few extra lines of code can make your machine much more resistant to attack. Before we can implement them, however, we need to look at how a hacker could break through your simple firewall.
The task is trivial, of course, if you have left the door open. The first thing a hacker will do is to check whether you have bothered to set passwords on all the common administrator accounts.
Hackers will try to log in over TELNET as admin, and as the host of other user IDs listed in your /etc/passwd file. If that fails, there are several programs they will use to try to log in with a dictionary of common passwords. Once set running, such a program works sequentially through its database of the most common passwords, trying to log in as root or any other known user name. It is amazing how often this technique works. Several years ago one of my colleagues managed to crack nearly all of the passwords on our staff mail server.
Once TELNET access to your firewall is obtained, every machine on your internal network becomes vulnerable. Unless they have been protected in other ways, the hacker can then TELNET and FTP from the firewall into each and every machine on your internal network. And, of course, the Linux configuration files of the firewall itself may be altered in any way the hacker desires.
By protecting your system from these simple password-based attacks you force a hacker to become more crafty. At this point it becomes a battle of wits, and as the WebMaster at the Department of Defense regularly finds out, you cannot lock out all the attacks all of the time. Many IT professionals devote their whole careers to network security. Complete coverage of the various attack strategies fills the pages of several magazines, and goes way beyond my own expertise.
(Network Associates has published an overview of these more advanced hacker technologies at http://www.nai.com/media/doc/nai_labs/ids-simple.doc.)
But there are several simple, quick, and free (other than the admin's time) things you can do to make your Masquerading Firewall secure from all but the most dedicated attacker. They are based on stopping communication packets coming to, and through, your firewall unless they are from a trusted source.
Who can you trust? If the answer is "nobody" then you might as well disconnect from the Internet right now, it is of no use to you. After all, that website you were just surfing could very well have left a hostile Java applet on your system. Clearly, paranoia is not the solution. Risk Management is what Internet Security is all about.
So let us tell ipfwadm to lock out all incoming traffic from the Internet by adding the following lines to the rc.inet1 start-up file that we created last column:
#First flush all Incoming, Outgoing and Forwarding rules (initialization)
/sbin/ipfwadm -I -f
/sbin/ipfwadm -O -f
/sbin/ipfwadm -F -f
#deny all incoming traffic from all sources to the firewall
/sbin/ipfwadm -I -p deny
So, now we are safe. Nothing can get into our firewall, not our mail, not our --- oops! Let's let in the SMTP mail access:
#enable incoming mail from the internet, needed if you want
#incoming SMTP mail to the firewall machine
#(the -D address is the firewall's own Internet address; substitute yours)
/sbin/ipfwadm -I -a accept -S 0.0.0.0/0 -D 184.108.40.206/32 25 -P tcp
Maybe we should also let TELNET into the firewall from our internal network. (We trust our colleagues, don't we?) Note the /24 mask on the source: a /32 would match only the single address 192.168.1.0, not the network, and no internal machine would get in.
# allow telnet access from internal machines
#(the -D address is the firewall's internal address; substitute yours)
/sbin/ipfwadm -I -a accept -S 192.168.1.0/24 -D 220.127.116.11/32 telnet -P tcp
Now we could open up all the other ports, one by one, to our internal network. That would get tedious, so why not open up ALL access from the internal network to the firewall instead? (This rule also covers the TELNET case above.)
# allow all internal incoming
/sbin/ipfwadm -I -a accept -S 192.168.1.0/24 -D 18.104.22.168/32
And don't forget the IP Forwarding commands from last month, so that our internal network is coupled through to the Internet:
#Set up the Forwarding rules
#deny all accesses other than those below
/sbin/ipfwadm -F -p deny
#Turn on the forwarding (masquerading) from 192.168.1.X
/sbin/ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0
#masquerading timeouts in seconds: TCP sessions, TCP after FIN, UDP
/sbin/ipfwadm -M -s 600 30 120
So, now your Masquerading firewall is reasonably secure. There is still a possibility that an experienced hacker could "spoof" an IP address in the 192.168.1.x range and get access to the firewall that way. The rules above do not say which interface a packet must arrive on, so a packet with a forged 192.168.1.x source address coming in from the Internet side matches the "allow all internal" rule. ipfwadm's -W option binds a rule to a named interface; a deny rule for 192.168.1.0/24 on the Internet-facing interface, placed ahead of the accept rules (the first matching rule wins), closes that hole. If you want to read more about Masquerading security, start at 'The IP Masquerade Resource Site' and 'The Strong RuleSets Masq HOWTO'. You should also secure any open SMTP mail port by listing only the trusted source domains in sendmail's relay-domains file (/etc/mail/relay-domains on sendmail 8.9), so that the firewall cannot be used as an open mail relay.
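To see why the mask on the internal rule matters and where a spoofed source address actually gets through, here is a small model of the ordered, first-match evaluation that ipfwadm's input (-I) chain performs, loaded with the rules from this column. This is an added example, not code from the column, and it does not run ipfwadm. The firewall addresses (203.0.113.1 outside, 192.168.1.1 inside), the interface names eth0 and eth1, and the sample packets are assumptions made for the demonstration.

```python
"""Ordered, first-match evaluation of an ipfwadm-style input (-I) chain.

Added example for this column: it models the rules given above so their
effect on sample packets can be checked without a 2.0 kernel or ipfwadm.
Addresses, interface names and packets below are assumed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Assumed layout: eth0 faces the Internet, eth1 faces the 192.168.1.0/24 LAN.
EXT_IF, INT_IF = "eth0", "eth1"
FW_EXT = "203.0.113.1"     # assumed public address of the firewall (RFC 5737 range)
FW_INT = "192.168.1.1"     # assumed LAN address of the firewall
LAN = "192.168.1.0"


@dataclass
class Rule:
    """One -I rule: a policy plus the match options used in the column."""
    policy: str                   # "accept" or "deny"
    src: str = "0.0.0.0/0"        # -S address/mask
    dst: str = "0.0.0.0/0"        # -D address/mask
    proto: Optional[str] = None   # -P tcp/udp/icmp, None matches any
    dport: Optional[int] = None   # destination port, None matches any
    iface: Optional[str] = None   # -W interface, None matches any


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    iface: str   # interface the packet arrived on


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in ip_network(rule.src, strict=False)
            and ip_address(pkt.dst) in ip_network(rule.dst, strict=False)
            and rule.proto in (None, pkt.proto)
            and rule.dport in (None, pkt.dport)
            and rule.iface in (None, pkt.iface))


def verdict(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """The first rule that matches decides; otherwise the -p default policy applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.policy
    return default


def column_ruleset(lan_mask: str = "/24", anti_spoof: bool = False) -> List[Rule]:
    """The input chain from the column, with a chosen LAN mask and an optional anti-spoofing rule."""
    rules = []
    if anti_spoof:
        # LAN addresses never legitimately arrive from the Internet side:
        # deny them before any accept rule can match (order matters).
        rules.append(Rule("deny", src=LAN + "/24", iface=EXT_IF))
    rules.append(Rule("accept", dst=FW_EXT + "/32", proto="tcp", dport=25))   # SMTP in
    rules.append(Rule("accept", src=LAN + lan_mask, dst=FW_INT + "/32"))       # all LAN traffic
    return rules


# Constructed sample traffic (not captured from a real network).
LAN_TELNET = Packet("192.168.1.20", FW_INT, "tcp", 23, INT_IF)   # colleague telnets in
SPOOFED    = Packet("192.168.1.20", FW_INT, "tcp", 23, EXT_IF)   # same source, forged, from outside
SMTP_IN    = Packet("198.51.100.7", FW_EXT, "tcp", 25, EXT_IF)   # Internet mail delivery
TELNET_IN  = Packet("198.51.100.7", FW_EXT, "tcp", 23, EXT_IF)   # Internet telnet attempt


def compare() -> dict:
    """Verdicts for each variant of the ruleset, keyed by case."""
    wrong_mask = column_ruleset("/32")
    as_written = column_ruleset("/24")
    hardened = column_ruleset("/24", anti_spoof=True)
    return {
        "lan_telnet_with_/32": verdict(wrong_mask, LAN_TELNET),
        "lan_telnet_with_/24": verdict(as_written, LAN_TELNET),
        "spoofed_without_-W": verdict(as_written, SPOOFED),
        "spoofed_with_-W": verdict(hardened, SPOOFED),
        "lan_telnet_hardened": verdict(hardened, LAN_TELNET),
        "smtp_from_internet": verdict(hardened, SMTP_IN),
        "telnet_from_internet": verdict(hardened, TELNET_IN),
    }


if __name__ == "__main__":
    for case, result in compare().items():
        print(f"{case:24} {result}")
```

Running it shows the /32 version denying the colleague's TELNET session, the /24 version accepting both the real session and the forged one, and the interface-bound deny rule rejecting the forgery while leaving legitimate LAN and SMTP traffic untouched.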
Up to kernel version 2.0, Masquerading was handled solely by the IP Forwarding Administration tool IPFWADM (IP fw adm).
The 2.2 kernels provide the faster, more sophisticated, and more secure IPCHAINS program. But they also provide an IPFWADM wrapper for backward compatibility, so, in order to reach as wide an audience as possible, I have only discussed Masquerading using IPFWADM.
A complete description of how to use IPCHAINS is at this URL, and a more detailed explanation of Masquerading can be found at this URL.
Many thanks to Andrew Norman for helping me sort through the ipfwadm rulesets and Michal Jaegermann for pointing out the advantages of IPCHAINS.
Trevor Marshall is an engineering management consultant, with interests ranging from RF and Hardware design to Linux internals, Internet infrastructure, MPEG, and Digital Video. He started his career in the '70s, designing the Maplin Electronic Music Synthesizers. When the Microcomputer came along, he got sidetracked into computer software, programming the 2650, 8080, Z80, Z8000, 8048, 8306, 6805, 80x86, and Power PC families. Along the way, he also picked up a little expertise in RF system design, biomedical engineering, and the printing industry. His web site is www.trevormarshall.com.
A list of all 75 papers Trevor has published is available at this link.
All information published at this website is (C)Copyright 1995-2003 Trevor G Marshall.
Link to "Trevors View" image Copyright (C) 1999-2003 CMP Media Inc
All rights are expressly reserved.