So why am I publishing my firewall? What's the Big Deal?
Download the tarball and extract it into a temporary directory so you don't overwrite any critical files:
mkdir -p /path/to/extract
cd /path/to/extract
tar xjvf /path/to/custom_firewall.tbz2
If you decide to use this, search for EDIT and TUNE in firewall.sh and read all the files in /path/to/extract/etc.
This is a Slackware Linux machine with 2 NICs (Network Interface Cards), one connected to a Motorola cable modem ("WAN facing"), designated IFE meaning "InterFace External", and the other connected to the LAN switch, designated IFI meaning "InterFace Internal". This computer provides a substantial number of services such as an FTP server, HTTP server and SMTP server. Because my internet IP is provided by Time Warner Cable, my WAN/internet IP is not static. This means that security conscious SMTP administrators are going to reject mail from my SMTP server because dynamic address ranges are listed by "black hole" (RBL) services. If you also have a dynamic IP, don't try to run a mail (SMTP) server.
My kernel has been configured to create modules for iptables. The exception is CONFIG_IP_NF_CONNTRACK=y, which builds ip_conntrack into the kernel. This prevents it from being unloaded during a restart of the firewall, which helps prevent disconnections by maintaining the ESTABLISHED state of connections. In addition, my iptables build includes extra extensions. The most important extension for anyone wishing to use my firewall is mport, a clone of multiport but with different syntax.
There are two wireless access points connected to the LAN switch; neither needs WEP/WPA/Etc security, so they are both open and unencrypted.
LAN computers run Linux or Windows. Any LAN computer that wants to access the internet must set the Slackware box as the default gateway. IP addresses of permanently connected computers are assigned statically, but the Slackware box runs a DHCP daemon so that "walk-in" users may connect, but with extremely limited access and only after their MAC addresses are added to the DHCP server's list of ethernet addresses.
Using a Linux box rather than a firewall appliance such as SonicWALL is more expensive, but iptables allows an unlimited number of rules where most appliances do not. Nor are any "for a fee" subscription services necessary, and because Linux is free, the customer does not need to purchase any software. So, in the long run, a Linux based firewall plus internet services server is both cheaper and more secure than the alternatives.
The original for this firewall came from malibyte.net.
The configuration for dhcpd (dhcpd.conf) is in the tarball. The important thing is "deny unknown-clients;" because that prevents the daemon from assigning an IP unless the client's MAC is present in dhcpd.conf. This works in conjunction with an access list, which is a file containing the IP address of each computer and a list of the ports each is allowed to use. In short, internet access requires that both the computer's MAC and the IP be manually configured before internet access is granted. In an environment where there are a large number of computers or where the administrator is lazy, this setup is inappropriate. It should also be noted that most of the computers in the LAN have static IPs. That's because machines that obtain an IP dynamically are restricted to ports 53, 80, 110, 123 and 443, which are dns, http, pop3, ntp (network time) and https, respectively. Refer to /etc/services.
You should refer to the ACL file you downloaded in order to facilitate your understanding of the access control used. A computer that will be granted access to this server and to the internet has one or more line entries in a file named ACL. A line is a semicolon delimited list in a strict format so that the firewall script can parse it and create iptables rules from it. Each line must begin with the LAN IP of the workstation, the protocol (tcp or udp), the source port list, either -m mport --dports or --dport, and the destination port list. An optional comment may follow, which I use to cross reference the IP to the workstation's name or describe the purpose of the entry.
An example line is
192.168.EDIT.8/31;udp;24664;--dport;1024:65535 # uTorrent
which allows an incoming udp connection on source port 24664 where the destination port is any high port. This creates an iptables line
iptables -A FORWARD -p udp -i eth0 -o eth1 -s 192.168.EDIT.8/31 --sport 24664 --dport 1024:65535 -j ACCEPT
Note that only the FORWARD chain is involved with access control.
Together with dhcpd.conf, this either allows or disallows the two computers whose MAC addresses are mapped to the IPs ending in .8 or .9 to use uTorrent. If the MAC is present but the ACL record is not, or vice versa, the connection is denied. Only if both are present is the connection allowed. In short, everything that is not specifically allowed is disallowed, but an existing ESTABLISHED connection will probably survive the reloading of the firewall script after you have altered the ACL or dhcpd.conf. See Known Bugs above.
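The parsing step described above, written here as an added example (not the page's own firewall.sh): each ACL record is split on semicolons, malformed records are reported and produce no rule (so a typo cannot open more than intended), and valid ones are printed as FORWARD rules. The interface names IFI=eth0 (LAN side) and IFE=eth1 (WAN side), the use of mport for a comma separated source port list, and the 192.168.1.x addresses standing in for the page's EDIT placeholder are assumptions.

```shell
#!/bin/sh
# Added example (not the page's firewall.sh): turn ACL records into FORWARD rules.
# Record layout, semicolon separated, optional trailing "# comment":
#   LAN_IP[/mask];proto;src_ports;(--dport | -m mport --dports);dst_ports
# Assumed interface names: IFI is the LAN side, IFE the WAN side.
IFI=${IFI:-eth0}
IFE=${IFE:-eth1}

# acl_to_rule RECORD: print the iptables command for one record; print nothing
# and return 1 if the record is malformed, so a bad line yields no rule at all.
acl_to_rule() {
    line=${1%%#*}                              # strip trailing comment
    line=${line%"${line##*[![:space:]]}"}      # strip trailing whitespace
    oldifs=$IFS; IFS=';'; set -f
    set -- $line                               # split on ';' only
    set +f; IFS=$oldifs
    [ $# -eq 5 ] || { echo "ACL: bad field count: $line" >&2; return 1; }
    ip=$1; proto=$2; sports=$3; dopt=$4; dports=$5
    case $ip in ''|*[!0-9./]*) echo "ACL: bad ip: $ip" >&2; return 1 ;; esac
    case $proto in tcp|udp) ;; *) echo "ACL: bad proto: $proto" >&2; return 1 ;; esac
    case $dopt in --dport|'-m mport --dports') ;;
        *) echo "ACL: bad dport option: $dopt" >&2; return 1 ;; esac
    # Assumption: a comma separated source port list also goes through mport.
    case $sports in *,*) sopt='-m mport --sports' ;; *) sopt='--sport' ;; esac
    printf 'iptables -A FORWARD -p %s -i %s -o %s -s %s %s %s %s %s -j ACCEPT\n' \
        "$proto" "$IFI" "$IFE" "$ip" "$sopt" "$sports" "$dopt" "$dports"
}

# acl_to_rules: read records on stdin (e.g. acl_to_rules < ACL) and emit one
# rule per valid record; blank lines and full-line comments are skipped.
acl_to_rules() {
    while IFS= read -r rec || [ -n "$rec" ]; do
        case $rec in '' | '#'*) continue ;; esac
        acl_to_rule "$rec" || true
    done
}

# Constructed sample records (not taken from the page's ACL file):
printf '%s\n' \
    '192.168.1.8/31;udp;24664;--dport;1024:65535 # uTorrent' \
    '192.168.1.20;tcp;1024:65535;-m mport --dports;80,443 # web only' \
    '192.168.1.21;icmp;0;--dport;8 # rejected: protocol not allowed' \
    | acl_to_rules
```

Piping the output into sh (or eval-ing each line) is what turns the printed rules into live ones; keeping the print step separate lets you diff the generated rule set against the ACL before reloading.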