have different Ethernet cards. IP Forwarding on it is turned off. IP Forwarding on both Linux boxes is also turned off. The router will not forward packets destined for 192.168.1.xxx unless explicitly told to do so, so the internet will not be able to get in. The reason for turning off IP Forwarding here is so that packets from the Troop's network will not be able to reach the Mercenary network, and vice versa.

The NFS server can also be set to offer different files to the different networks. This can come in handy, and a little trickery with symbolic links can make it so that the common files can be shared with all. Using this setup and another Ethernet card can offer this one file server for all three networks.

The Proxy Setup

Now, since all three levels want to be able to monitor the network for their own devious purposes, all three need to have net access. The external network is connected directly into the internet, so we don't have to mess with proxy servers here. The Mercenary and Troop networks are behind firewalls, so it is necessary to set up proxy servers here.

Both networks will be set up very similarly. They both have the same IP addresses assigned to them. I will throw in a couple of parameters, just to make things more interesting though.

1. No one can use the file server for internet access. This exposes the file server to viruses and other nasty things, and it is rather important, so it's off limits.

The Network Setup 31 Firewall and Proxy Server HOWTO

2. We will not allow Troop access to the World Wide Web. They are in training, and this kind of information retrieval power might prove to be damaging.

So, the sockd.conf file on the Troop's Linux box will have this line:

    deny 192.168.1.17 255.255.255.255

and on the Mercenary machine:

    deny 192.168.1.23 255.255.255.255

And the Troop's Linux box will have this line:

    deny 0.0.0.0 0.0.0.0 eq 80

This says to deny access to all machines trying to access the port equal (eq) to 80, the http port. This will still allow all other services, just deny Web access.

Then, both files will have:

    permit 192.168.1.0 255.255.255.0

to allow all the computers on the 192.168.1.xxx network to use this proxy server except for those that have already been denied (i.e. the file server, and Web access from the Troop network).

The Troop's sockd.conf file will look like:

    deny 192.168.1.17 255.255.255.255
    deny 0.0.0.0 0.0.0.0 eq 80
    permit 192.168.1.0 255.255.255.0

and the Mercenary file will look like:

    deny 192.168.1.23 255.255.255.255
    permit 192.168.1.0 255.255.255.0

This should configure everything correctly. Each network is isolated accordingly, with the proper amount of interaction. Everyone should be happy.

13. Making Management Easy

13.1 Firewall tools

There are several software packages that will make managing your firewall easier. Be careful: don't use these tools unless you can do without them. These scripts make it just as easy to make a mistake as they do to help you get it right.

Both graphical and web based interfaces are being developed to work with the Linux filtering rules. Some companies have even created commercial firewalls based on Linux by putting it in their own box with their own management code. (nice)

I'm not really a GUI guy. However, I have been using firewalls with GUI interfaces for some time. I've found they help by providing a nice report of all the rules in one easy glance.

gfcc (GTK+ Firewall Control Center) is a GTK+ application which can control Linux firewall policies and rules, based on the ipchains package. Go to http://icarus.autostock.co.kr and get your copy. This is a really good tool. I have included RC scripts in Appendix A. These scripts work with and without gfcc.

There are lots of scripts available to set up a firewall. One very complete script is available at http://www.jasmine.org.uk/~simon/bookshelf/papers/instant-firewall/instant-firewall.html.
Another well done script is at http://www.pointman.org/.

Kfirewall is a GUI frontend for ipchains or ipfwadm (depending on your kernel version). http://megaman.ypsilonia.net/kfirewall/

FCT is an HTML based tool for the configuration of a firewall. It features automatic script generation for IP-filtering commands (ipfwadm) on a firewall for multiple interfaces and any internet services. http://www.fen.baynet.de/~ft114/FCT/firewall.htm

13.2 General tools

WebMin is a general system admin package. It will not help you manage the firewall rules, but it will help you with turning on and off daemons and processes. This program is VERY good; I'm hoping that J. Cameron will include an IPCHAINS module. http://www.webmin.com/

If you are an ISP, you will want to know about IPFA (IP Firewall Accounting) http://www.soaring-bird.com/ipfa/. It can do per-month/per-day/per-minute logs and has a Web based GUI administration.

httptunnel. httptunnel creates a bidirectional virtual data path tunnelled in HTTP requests. The HTTP requests can be sent via an HTTP proxy if so desired.

Or, on their system they install a Virtual Private Network (vpn). See: http://sunsite.auc.dk/vpnd/

Or, maybe this user simply puts a modem on their NT system and turns on routing.

Finally, on the workstation on the private LAN, change the default gateway to point to the new route to the Internet. Now, from this workstation, you can go anywhere. The only thing the firewall admin will see is a really long DNS lookup. Now, take over the world!

15. APPENDIX A - Example Scripts

15.1 RC Script using GFCC

    #!/bin/bash
    #
    # Firewall Script - Version 0.9.1
    #
    # chkconfig: 2345 09 99
    # description: firewall script for 2.2.x kernel
    # Set for testing
    # set -x
    #
    # NOTES:
    #
    # This script is written for RedHat 6.1 or better.
    #
    # Be careful about offering public services like web or ftp servers.
    #
    # INSTALLATION:
    # 1. place this file in /etc/rc.d/init.d (you'll have to be root..)
    #    call it something like "firewall" :-)
    #    make it root owned --> "chown root.root (filename)"
    #    make it executable --> "chmod 755 (filename)"
    #
    # 2. use GFCC to create your firewall rules and export them to a file
    #    named /etc/gfcc/rules/firewall.rule.sh.
    #
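As an added example (not part of the HOWTO and not the SOCKS daemon's own parser), the following Python script reads the two sockd.conf rule sets from the proxy setup section and answers, for a given client address and destination port, what each proxy would do, so the two policy parameters (no file server access, no Web for the Troops) can be checked before restarting the daemon. It assumes masks behave like netmasks (1 bits must match, which is how the text uses 255.255.255.255 for one host and 255.255.255.0 for the network), that the first matching line wins, that text after '#' is a comment, and that a request matching no line is denied.

```python
import ipaddress

# Constructed copies of the two sockd.conf files shown in the text.
TROOP_CONF = """\
deny 192.168.1.17 255.255.255.255
deny 0.0.0.0 0.0.0.0 eq 80
permit 192.168.1.0 255.255.255.0
"""
MERCENARY_CONF = """\
deny 192.168.1.23 255.255.255.255
permit 192.168.1.0 255.255.255.0
"""


def parse_sockd_conf(text):
    """Parse 'permit|deny src_addr src_mask [eq port]' lines into rule tuples.

    Assumption: the mask is a netmask (1 bits must match), as the text uses it.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # assumed: '#' starts a comment
        if not fields:
            continue
        if len(fields) not in (3, 5) or fields[0] not in ("permit", "deny"):
            raise ValueError(f"line {lineno}: unsupported rule {raw!r}")
        addr = int(ipaddress.IPv4Address(fields[1]))
        mask = int(ipaddress.IPv4Address(fields[2]))
        port = None
        if len(fields) == 5:
            if fields[3] != "eq":  # only the 'eq' operator appears in the text
                raise ValueError(f"line {lineno}: unsupported operator {fields[3]!r}")
            port = int(fields[4])
        rules.append((fields[0], addr, mask, port))
    return rules


def decide(rules, src_ip, dst_port):
    """First matching line wins; no match is treated as deny (assumed default)."""
    src = int(ipaddress.IPv4Address(src_ip))
    for action, addr, mask, port in rules:
        if (src & mask) != (addr & mask):
            continue  # source address outside this line's address/mask
        if port is not None and dst_port != port:
            continue  # line is port-specific and this port does not match
        return action
    return "deny"
```

Running decide() over the file server address, a normal workstation on port 80 and the same workstation on another port shows the Troop proxy denying the first two and permitting the third, while the Mercenary proxy only denies its own file server.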