Once the gateway hardware has been assembled, it is time to install the
operating system and configure it to provide the necessary services. The
installation should be as minimal as possible. Any unnecessary services and
programs that are installed only increase the risk that one of the programs on
the gateway may be vulnerable. Do not install the X Window System or
any of the optional applications.
It is important to install the development tools and the system source code.
After installation, the kernel will be recompiled and the new versions of
several services might need to be downloaded and compiled, so the
development tools will be necessary.
Make the /var partition of decent size during the drive setup. A couple
hundred megabytes should be more than sufficient. A gateway can generate
many logs, and this is where they will be stored.
If the installer for the distribution you are using has a firewall-configuration
section (like the current Red Hat installers), leave it unchanged for now. The
firewall rules will be replaced once the system is running and will be more
complex than the basic configuration tool in the installer can generate.
11.2.1 Linux Kernel Configuration
The kernel configuration should be reviewed to remove unneeded support.
Take out support for anything that won't be needed for the hardware
configuration of the gateway. The general process for doing this is described
in Chapter 5 (see Section 5.2 and especially Section 5.2.2). Enable the
optional modules for Netfilter; the firewall on the gateway will use several
of these modules. The gateway will also need support for SYN cookies and
IP forwarding.
If the gateway is going to connect to the wireless network using HostAP or a
wireless network card instead of an Ethernet connection to the AP, make
sure the kernel has support for the wireless drivers selected.
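The following script is an added example, not code from the book: it checks a kernel .config for the Netfilter and SYN-cookie options just described, and separately confirms that IP forwarding and SYN cookies are switched on in the running kernel (those two are runtime /proc settings, not compile options). The option names in REQUIRED_OPTIONS are the 2.4-era ones and are an assumption about your kernel tree; the sample .config at the bottom is constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the book): verify that a kernel .config enables what
# the gateway needs, and that the running kernel has the matching /proc knobs.
# Option names are the 2.4-era Netfilter names (an assumption); newer trees
# rename some of them, so adjust REQUIRED_OPTIONS for the tree you build.

REQUIRED_OPTIONS="CONFIG_NETFILTER CONFIG_SYN_COOKIES CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_FILTER CONFIG_IP_NF_NAT
CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_TARGET_LOG"

# check_kernel_config FILE
# Prints every required option that is absent or "is not set" in FILE.
# Built-in (=y) and module (=m) both count as present. Returns 1 if any
# option is missing, so a build script can stop before compiling.
check_kernel_config() {
    config=$1
    missing=0
    for opt in $REQUIRED_OPTIONS; do
        # A "# CONFIG_FOO is not set" line does not match "^CONFIG_FOO=".
        if ! grep -q "^${opt}=[ym]" "$config"; then
            echo "missing: $opt"
            missing=1
        fi
    done
    return $missing
}

# check_runtime_settings [SYSCTL_DIR]
# IP forwarding and SYN cookies are runtime switches, so also confirm they
# are on in the running kernel. SYSCTL_DIR defaults to /proc/sys/net/ipv4
# and is a parameter only so the check can be exercised on a scratch dir.
check_runtime_settings() {
    dir=${1:-/proc/sys/net/ipv4}
    bad=0
    for knob in ip_forward tcp_syncookies; do
        if [ "$(cat "$dir/$knob" 2>/dev/null)" != "1" ]; then
            echo "runtime: $knob is not 1"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample .config with SYN cookies left off, for a stand-alone run.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_NETFILTER=y
# CONFIG_SYN_COOKIES is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_TARGET_LOG=m
EOF
check_kernel_config "$SAMPLE_CONFIG" || echo "reconfigure the kernel before building"
rm -f "$SAMPLE_CONFIG"
```

Run check_kernel_config against /usr/src/linux/.config after saving the configuration and before make; run check_runtime_settings with no argument on the finished gateway, after rc.firewall has executed, since the firewall script is what turns forwarding on.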
11.2.2 Disabling Unneeded Services
Just as with the clients, the unneeded services on the gateway should be
disabled. The basic approach to doing this for Linux is described in Chapter
5.
Check to see what services are running and disable all of the unneeded
remotely accessible services. Don't forget to check the inetd or xinetd
services as well as the rc-based services.
The services that will be used, and should be enabled, are arpwatch, syslog,
dhcpd, and sshd. arpwatch and syslog will be used for monitoring and
logging. dhcpd will provide DHCP addresses to clients. To allow remote
administration of the gateway sshd must be running. This will provide
encrypted shell sessions from the ssh client program.
Disable the iptables and ipchains services in rc; a replacement script will be
developed later in this chapter to configure the iptables service.
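As an added example (not part of the book), the script below turns the audit just described into something repeatable: it reads the output of chkconfig --list, which on Red Hat systems covers both the rc-based services and, after a "xinetd based services:" header, the xinetd ones, and prints the chkconfig commands that would turn off everything not on the allow-list of arpwatch, syslog, dhcpd and sshd. iptables and ipchains are left off the list on purpose, matching the instruction to disable them. The output format of chkconfig is an assumption about the Red Hat version in use, and the sample output at the bottom is constructed.

```sh
#!/bin/sh
# Added example (not from the book): audit the output of "chkconfig --list"
# and emit the chkconfig commands that turn off everything not on the
# gateway's allow-list. Review the commands, then pipe them to sh.
# Usage on the gateway:  chkconfig --list | audit_services

# The only services the gateway should run (Section 11.2.2).
ALLOWED_SERVICES="arpwatch syslog dhcpd sshd"

# audit_services
# Reads chkconfig --list output on stdin. rc services count as enabled when
# they are on at runlevel 3 (field 5, the "3:on" column; the gateway has no
# X, so it boots to runlevel 3). xinetd services follow the
# "xinetd based services:" header as "name:  on|off" and chkconfig can turn
# those off too. iptables and ipchains are deliberately absent from the
# allow-list because rc.firewall replaces them.
audit_services() {
    awk -v allowed="$ALLOWED_SERVICES" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^xinetd based services:/ { inetd = 1; next }
    inetd && $2 == "on" {
        name = $1; sub(/:$/, "", name)
        if (!(name in ok)) print "chkconfig " name " off"
        next
    }
    !inetd && $5 == "3:on" && !($1 in ok) { print "chkconfig " $1 " off" }
    '
}

# Constructed sample of chkconfig --list output, for a stand-alone run.
SAMPLE_CHKCONFIG='sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
dhcpd           0:off   1:off   2:off   3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        telnet: on
        finger: off
        sgi_fam: on'

printf '%s\n' "$SAMPLE_CHKCONFIG" | audit_services
```

chkconfig only changes what starts at the next boot; stop anything that is currently running with service name stop, then confirm with netstat -ltun that nothing is listening except sshd and dhcpd.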
11.3 Configuring Network Interfaces
The three network interfaces need to be configured with the proper settings
for the network layout we are putting together.
The file /etc/sysconfig/network-scripts/ifcfg-eth0 will contain the settings for
eth0. If your ISP provides IP addresses by DHCP, the file should contain:
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=DHCP
Otherwise, it should contain the following:
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=none
BROADCAST=192.0.2.255
NETWORK=192.0.2.0
NETMASK=255.255.255.0
IPADDR=192.0.2.230
GATEWAY=192.0.2.1
USERCTL=no
Replace NETWORK, BROADCAST, IPADDR, and GATEWAY with the proper
values assigned to you by the ISP.
The file /etc/sysconfig/network-scripts/ifcfg-eth1 will contain the settings for
the interface connected to the wired network:
DEVICE=eth1
BOOTPROTO=none
ONBOOT=yes
BROADCAST=192.168.1.255
NETWORK=192.168.1.0
NETMASK=255.255.255.0
IPADDR=192.168.1.1
USERCTL=no
This will set eth1 to have the IP address 192.168.1.1 and be connected
to the network 192.168.1.0/24.
If the wireless network is going to be provided by using HostAP on the
gateway itself, set up that interface as described in Chapter 9. Otherwise,
eth2 will be connected to the access point and will be configured in
/etc/sysconfig/network-scripts/ifcfg-eth2:
DEVICE=eth2
BOOTPROTO=none
ONBOOT=yes
BROADCAST=192.168.0.255
NETWORK=192.168.0.0
NETMASK=255.255.255.0
IPADDR=192.168.0.1
USERCTL=no
This will set eth2 to have the IP address 192.168.0.1 and be connected
to the network 192.168.0.0/24.
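Three nearly identical ifcfg files are easy to get wrong, and a DEVICE line that does not match the file name, or an IPADDR outside its own NETWORK, quietly configures the wrong interface or network. The following checker is an added example, not code from the book: it sources each ifcfg file in a subshell, exactly as Red Hat's network scripts do, and verifies that DEVICE matches the file name and that IPADDR, NETWORK, NETMASK, BROADCAST and GATEWAY agree with one another; DHCP-configured files only get the file-name check. The sample file at the bottom is a constructed copy of the eth2 settings above.

```sh
#!/bin/sh
# Added example (not from the book): sanity-check ifcfg-ethN files before
# bringing the interfaces up. The files are shell assignments, so they are
# sourced in a subshell and the values cross-checked with integer arithmetic.
# Usage: validate_ifcfg /etc/sysconfig/network-scripts/ifcfg-eth1

# ip2int DOTTED-QUAD: print the address as a 32-bit integer.
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# validate_ifcfg FILE
# Prints one line per problem found; returns 1 if there were any.
validate_ifcfg() {
    (
        file=$1
        DEVICE= BOOTPROTO= IPADDR= NETMASK= NETWORK= BROADCAST= GATEWAY=
        . "$file"
        rc=0
        if [ "$(basename "$file")" != "ifcfg-$DEVICE" ]; then
            echo "$file: DEVICE=$DEVICE does not match the file name"
            rc=1
        fi
        case $BOOTPROTO in
            [Dd][Hh][Cc][Pp]) exit $rc ;;   # nothing static to cross-check
        esac
        if [ -z "$IPADDR" ] || [ -z "$NETMASK" ] || [ -z "$NETWORK" ] || [ -z "$BROADCAST" ]; then
            echo "$file: static configuration needs IPADDR, NETMASK, NETWORK and BROADCAST"
            exit 1
        fi
        ip=$(ip2int "$IPADDR")
        mask=$(ip2int "$NETMASK")
        net=$(ip2int "$NETWORK")
        bcast=$(ip2int "$BROADCAST")
        # The address must lie inside the declared network.
        if [ $(( ip & mask )) -ne "$net" ]; then
            echo "$file: IPADDR $IPADDR is not inside $NETWORK/$NETMASK"
            rc=1
        fi
        # Broadcast is the network address with every host bit set.
        if [ $(( net | (mask ^ 4294967295) )) -ne "$bcast" ]; then
            echo "$file: BROADCAST $BROADCAST does not match $NETWORK/$NETMASK"
            rc=1
        fi
        # A default gateway, if given, must be on the same network.
        if [ -n "$GATEWAY" ] && [ $(( $(ip2int "$GATEWAY") & mask )) -ne "$net" ]; then
            echo "$file: GATEWAY $GATEWAY is not inside $NETWORK/$NETMASK"
            rc=1
        fi
        exit $rc
    )
}

# Constructed copy of the eth2 settings from Section 11.3, for a stand-alone run.
tmpdir=$(mktemp -d)
cat > "$tmpdir/ifcfg-eth2" <<'EOF'
DEVICE=eth2
BOOTPROTO=none
ONBOOT=yes
BROADCAST=192.168.0.255
NETWORK=192.168.0.0
NETMASK=255.255.255.0
IPADDR=192.168.0.1
USERCTL=no
EOF
validate_ifcfg "$tmpdir/ifcfg-eth2" && echo "ifcfg-eth2: ok"
rm -rf "$tmpdir"
```

Run it over all three files (for f in /etc/sysconfig/network-scripts/ifcfg-eth*; do validate_ifcfg "$f"; done) before restarting the network service; a file that sources cleanly but fails the checks is exactly the kind of mistake ifup will not report.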
11.4 Building the Firewall Rules
The most important responsibility of the gateway is to firewall our three
separate network segments. We will again use the Netfilter functionality that
was introduced in Section 5.3.1. See that section for a basic introduction to
the functioning of Netfilter.
The rc.firewall script for the gateway is significantly more complex than the
one laid out for use on the clients. It has to protect not only the gateway
itself, but also ensure separation between the networks while allowing vital
services on the gateway to be accessed by local users. This script is also
much more aggressive in preventing abusive behavior, since it will be the
front line against often hazardous Internet traffic.
This script is quite long; we will examine it section by section. To build the
completed script, concatenate each of the example sections that follow into
/etc/init.d/rc.firewall.
First, we establish several variables that will be used throughout the rest of
the script. By placing these values into variables, we can easily update the
script if these values change in the future. Here we define the three network
interfaces that will be used for the upstream, wired, and wireless
connections, respectively. Change these to match the configuration of your
machine.
#!/bin/sh
# rc.firewall for gateway
# --- SETUP ---
# Variables (for easier changes)
IPTABLES=/sbin/iptables
INT_GW="eth0"
INT_WIRED="eth1"
INT_WIRELESS="eth2"
INT_ALL="$INT_GW $INT_WIRED $INT_WIRELESS lo"
The IP_ variables hold the IP addresses or ranges that will be used in the
firewall rules. IP_GW is the address of the upstream connection interface. If
your ISP assigns addresses using DHCP instead of static IP addresses, use
the commented-out example, which will extract the DHCP-assigned address
from ifconfig. (Note the command is enclosed in backticks, not quotes.)
IP_WIRED holds the address range for our internal wired network, and
IP_WIRELESS holds the address range for the internal wireless network.
IP_GW_WIRED and IP_GW_WIRELESS hold the respective IP addresses
for the network interfaces on the gateway that are connected to those
networks. Change these to match the configuration of your networks and
your ISP's network.
# For DHCP use: IP_GW=`/sbin/ifconfig $INT_GW | grep inet | cut -f2 -d: | cut -f1 -d\ `
IP_GW="192.0.2.230"
IP_WIRED="192.168.1.0/24"
IP_WIRELESS="192.168.0.0/24"
IP_GW_WIRED="192.168.1.1"
IP_GW_WIRELESS="192.168.0.1"
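Two things can go wrong with the commented-out ifconfig pipeline for the DHCP case. The grep pattern inet also matches inet6 lines on a kernel with IPv6, so IP_GW can end up holding more than one value, and if the interface has no lease when rc.firewall runs, IP_GW is empty; an empty variable simply disappears from the iptables command line, so a rule that used it either fails to load or applies more broadly than intended, and nothing in an rc script stops on that error. The helpers below are an added example, not the book's code: each reads the tool's output on standard input, prints exactly one IPv4 address, and returns 1 when there is none so the script can refuse to continue. The ifconfig and ip output formats they parse, and the sample output, are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the book): a safer way to learn the DHCP-assigned
# upstream address than "grep inet | cut". Both helpers read a tool's output
# on stdin, print one IPv4 address, and return 1 if none is present.

# iface_addr: first IPv4 address in "ifconfig IFACE" output. Handles the old
# "inet addr:192.0.2.230" and the newer "inet 192.0.2.230" layouts, and skips
# "inet6" lines because the first field must be exactly "inet".
iface_addr() {
    addr=$(awk '$1 == "inet" { sub(/^addr:/, "", $2); print $2; exit }')
    [ -n "$addr" ] && echo "$addr"
}

# iface_addr_ip: same for "ip -4 -o addr show dev IFACE", which prints one
# line per address with the address as 192.0.2.230/24 in field 4.
iface_addr_ip() {
    addr=$(awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }')
    [ -n "$addr" ] && echo "$addr"
}

# How rc.firewall would use it (assumed usage, not in the book): abort rather
# than build rules around an empty address.
#   IP_GW=$(/sbin/ifconfig "$INT_GW" | iface_addr) || { echo "no address on $INT_GW"; exit 1; }

# Constructed ifconfig output in both layouts, for a stand-alone run.
SAMPLE_OLD='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.0.2.230  Bcast:192.0.2.255  Mask:255.255.255.0
          inet6 addr: fe80::211:22ff:fe33:4455/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'
SAMPLE_NEW='eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.0.2.230  netmask 255.255.255.0  broadcast 192.0.2.255
        inet6 fe80::211:22ff:fe33:4455  prefixlen 64  scopeid 0x20<link>'
printf '%s\n' "$SAMPLE_OLD" | iface_addr
printf '%s\n' "$SAMPLE_NEW" | iface_addr
```

Because the upstream address can change at every lease renewal, a DHCP-connected gateway also needs rc.firewall re-run (or the IP_GW-dependent rules rebuilt) when the address changes; a static address avoids the problem entirely.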
The next section in the script sets a number of values in the /proc file