
5.3. Firewall Configuration

The external interface will be protected using an iptables / netfilter based firewall. The iptables tool was installed in Section 4.2, “Firewall (iptables)”.

5.3.1. Policies

Policies are the rules that the firewall enforces. The ordered list below gives an example of firewall policies.

  1. Network Address/Port Translation (NAT) is a technique in which the source and/or destination addresses/port of IP packets are rewritten as they pass through a router or firewall.

    1. Only packets that were received over ESP (IPsec) are allowed access to the L2TP tunnel. Place a kernel mark on ESP (IPsec) traffic; a separate rule restricts access to the L2TP tunnel to packets carrying this mark.

    2. Do not translate between hosts on the internal network.

    3. Redirect SYSLOG directed to the firewall to the SYSLOG host.

    4. Masquerade the hosts on the internal network (so that they can all share one external IP address).

  2. Loopback interface policies

    1. Allow all outgoing and incoming traffic.

  3. LAN interface policies

    1. Allow all outbound traffic to the LAN

    2. Allow inbound DHCP requests

    3. Allow inbound traffic with an IP address on the LAN subnet

    4. Deny all other inbound traffic

  4. WiFi interface policies

    1. Allow all traffic going to the WiFi

    2. Allow inbound DHCP requests

    3. Allow inbound traffic with an IP address on the WiFi subnet

    4. Deny all other inbound traffic

  5. WAN interface (external)

    1. Allow outbound traffic to the WAN

    2. Allow inbound traffic with ESP (IPsec) kernel marks

    3. Allow inbound NTP responses from specific NTP servers

    4. Allow inbound SSH and ESP (IPsec)

    5. Allow inbound RealPlayer and MS Media Player

    6. Allow inbound TFTP and SYSLOG from the remote access router

    7. Deny RIP updates from the remote access router

    8. Deny all other traffic from WAN

  6. Global policies

    1. Accept traffic from the internal network or external interface.

    2. Deny all other traffic
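The policy list above, written out as an ordered iptables rule set. This is an added example, not the HOWTO's own fwbuilder output: interface names, subnets, the syslog host, the NTP peer and the remote access router address are assumptions chosen for illustration, and the RealPlayer/Media Player rules are left out. The mark value 15 is the one the HOWTO uses later. Besides the rules themselves, the block has a check that the MARK rule precedes the rule accepting marked packets, since that ordering is what makes the L2TP restriction work.

```shell
#!/bin/sh
# Added example, not the HOWTO's own firewall.fw: the section 5.3.1 policy
# list as an ordered iptables rule set.  Interface names, subnets and peer
# addresses below are assumptions chosen for illustration.
IPTABLES="${IPTABLES:-iptables}"
LAN=eth0;   LAN_NET=192.168.1.0/24        # assumed internal LAN
WIFI=wlan0; WIFI_NET=192.168.2.0/24       # assumed WiFi segment
WAN=eth1                                  # assumed external interface
SYSLOG_HOST=192.168.1.10                  # assumed internal syslog server
NTP_SERVER=192.0.2.123                    # assumed NTP peer (documentation range)
RA_ROUTER=198.51.100.1                    # assumed remote access router
IPSEC_MARK=15                             # same mark value the HOWTO uses

# firewall_rules prints one iptables argument list per line, in policy
# order, so the rule set can be read or diffed without touching the kernel.
firewall_rules() {
    # 1. NAT.  The mark is set in PREROUTING, before decryption, so the
    #    decrypted L2TP packet still carries it when it re-enters INPUT.
    #    NAT-T peers send UDP/4500 instead of protocol ESP, so that
    #    encapsulation is marked too (assumes the mark survives
    #    decapsulation the same way the HOWTO relies on for plain ESP).
    echo "-t mangle -A PREROUTING -i $WAN -p esp -j MARK --set-mark $IPSEC_MARK"
    echo "-t mangle -A PREROUTING -i $WAN -p udp --dport 4500 -j MARK --set-mark $IPSEC_MARK"
    echo "-t nat -A POSTROUTING ! -o $WAN -j ACCEPT"     # no NAT between internal hosts
    echo "-t nat -A PREROUTING -i $WAN -p udp --dport 514 -j DNAT --to-destination $SYSLOG_HOST"
    echo "-t nat -A POSTROUTING -o $WAN -j MASQUERADE"
    # Default deny on every filter chain; everything after this is an allow list.
    echo "-P INPUT DROP"
    echo "-P FORWARD DROP"
    echo "-P OUTPUT DROP"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 2. Loopback
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A OUTPUT -o lo -j ACCEPT"
    # 3./4. LAN and WiFi: DHCP first, then anything from the subnet, then drop.
    for pair in "$LAN $LAN_NET" "$WIFI $WIFI_NET"; do
        set -- $pair
        echo "-A OUTPUT -o $1 -j ACCEPT"
        echo "-A INPUT -i $1 -p udp --sport 68 --dport 67 -j ACCEPT"
        echo "-A INPUT -i $1 -s $2 -j ACCEPT"
        echo "-A INPUT -i $1 -j DROP"
    done
    # 5. WAN
    echo "-A OUTPUT -o $WAN -j ACCEPT"
    echo "-A INPUT -i $WAN -m mark --mark $IPSEC_MARK -j ACCEPT"
    echo "-A INPUT -i $WAN -p udp -s $NTP_SERVER --sport 123 -j ACCEPT"
    echo "-A INPUT -i $WAN -p tcp --dport 22 -j ACCEPT"
    echo "-A INPUT -i $WAN -p esp -j ACCEPT"
    echo "-A INPUT -i $WAN -p udp --dport 500 -j ACCEPT"     # IKE
    echo "-A INPUT -i $WAN -p udp --dport 4500 -j ACCEPT"    # NAT-T
    echo "-A INPUT -i $WAN -s $RA_ROUTER -p udp --dport 69 -j ACCEPT"   # TFTP
    echo "-A INPUT -i $WAN -s $RA_ROUTER -p udp --dport 514 -j ACCEPT"  # syslog
    echo "-A INPUT -i $WAN -s $RA_ROUTER -p udp --dport 520 -j DROP"    # RIP
    echo "-A INPUT -i $WAN -j DROP"
    # 6. Global: forward from the internal segments; from the WAN only replies.
    echo "-A FORWARD -i $LAN -j ACCEPT"
    echo "-A FORWARD -i $WIFI -j ACCEPT"
    echo "-A FORWARD -i $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A FORWARD -j DROP"
}

# apply_rules feeds the list to iptables; IPTABLES=echo gives a dry run.
apply_rules() {
    firewall_rules | while read -r args; do
        # word splitting of $args is intended: each line is one argument list
        $IPTABLES $args
    done
}

# mark_before_accept succeeds only if the first MARK rule precedes the rule
# that accepts marked packets.
mark_before_accept() {
    firewall_rules | awk -v m="$IPSEC_MARK" '
        index($0, "-j MARK --set-mark " m) && !set  { set = NR }
        index($0, "-m mark --mark " m " -j ACCEPT") { acc = NR }
        END { exit !(set && acc && set < acc) }'
}

case "${1:-list}" in
    apply) apply_rules ;;
    check) mark_before_accept && echo "MARK rule precedes the accept rule" ;;
    *)     firewall_rules ;;
esac
```

Run it without arguments to review the rule list, with `check` to verify the ordering, and with `apply` (as root) to load it; `IPTABLES=echo ./rules.sh apply` shows exactly what would be executed.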

5.3.1.1. NAT and IPsec

NAT rewrites the IP address and port number of packets, and IPsec's integrity protection is designed to detect exactly such modification. Instead of trying to work around this on the NAT device, the Linux 2.6 kernel (and thereby the SISO) supports the "IPsec within UDP" RFC [33]. For this to work, both the IPsec clients and the server have to support the RFC. Currently only one client behind a given NAT will be able to connect. Most clients automatically detect whether NAT-T has to be enabled. To allow multiple L2TP/IPsec clients from behind the same NAT, the Stinghorn patch may need to be applied [34].

5.3.2. Firewall Builder

Firewall Builder [35] is an intuitive graphical interface to configure firewall policies. The binaries for "Fedora Core 5" can be installed as follows.

yum install fwbuilder

The tar ball of this HOWTO [36] contains an example fwbuilder source implementing the policies listed above. The file name of the example is examples/apps/fwbuilder/firewall.fwb.

5.3.2.1. Tweak for SISO

Compile the firewall, and save it as $PRJ_DIR/apps/fwbuilder/firewall.fw. The following changes are needed to the compiled firewall configuration script:

  • The busybox built-in ip command does not support the ls option used by the firewall script. Simply replace ls with show.

  • Only traffic that was received over an IPsec tunnel should be allowed to access the L2TP port. This is implemented by putting kernel marks on ESP protocol traffic. When such a packet is decrypted, it enters the firewall again; this time the firewall recognizes the mark and lets the packet through. These rules, however, cannot be generated from fwbuilder. Instead, the fwbuilder source firewall.fwb contains comments that function as markers. The script below replaces these markers with iptables rules.

  • When a client pings the server over an IPsec tunnel, the generated ICMP reply (for some unexplained reason) passes through netfilter in the INVALID state. Allow packets in this state on the OUTPUT chain of the firewall.

The script below modifies the firewall.fw file to make these changes.

# Rules inserted at the two comment markers in firewall.fw.  The backslash
# keeps $IPTABLES literal so that the generated script expands it at run time.
MARK_IPSEC="\$IPTABLES -t mangle -A PREROUTING -i eth1 -p esp -j MARK --set-mark 15"
ALLOW_MARKED="\$IPTABLES -A INPUT -i eth1 -m mark --mark 15 -j ACCEPT"
# Not referenced by the sed expression below; the OUTPUT rule is edited in
# place by the last sed expression instead.
ALLOW_OUTPUT_INVALID="\$IPTABLES -A INPUT -m state --state INVALID -j ACCEPT"
# 1. ip ls -> ip show; 2./3. replace the markers; 4. add INVALID to the OUTPUT state rule
sed "s, ls , show ,g;
     /^# @MARK_IPSEC/s,.*,$MARK_IPSEC,g
     /^# @ALLOW_MARKED/s,.*,$ALLOW_MARKED,g
     /^\$IPTABLES -A OUTPUT/s;ESTABLISHED,RELATED;ESTABLISHED,RELATED,INVALID;g " \
     < firewall.fw > $ROOTFS_DIR/etc/init.d/firewall
chmod 755 $ROOTFS_DIR/etc/init.d/firewall
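As an added example (not the HOWTO's script), the same three edits applied to a constructed sample of a compiled fwbuilder script, followed by a check that each edit actually landed and that no marker comment was left behind. The sample script, the interface name eth1 and the mark value 15 are assumptions; the sed expression mirrors the one above so the transform can be verified before the result is installed as /etc/init.d/firewall on the root file system.

```shell
#!/bin/sh
# Added example, not the HOWTO's own script: applies the three firewall.fw
# edits to a constructed sample and verifies the result.
WAN=eth1          # assumed external interface
IPSEC_MARK=15     # same mark value as the HOWTO

# sample_fw prints a constructed stand-in for a compiled fwbuilder script,
# including the two comment markers that fwbuilder passes through verbatim.
sample_fw() {
cat <<'EOF'
#!/bin/sh
IPTABLES="/sbin/iptables"
IP="/sbin/ip"
$IP addr ls eth1
$IPTABLES -t mangle -F
# @MARK_IPSEC
$IPTABLES -A INPUT -i lo -j ACCEPT
# @ALLOW_MARKED
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -j ACCEPT
EOF
}

# tweak_fw reads a compiled firewall script on stdin and writes the patched
# version: ip ls -> ip show, markers -> rules, INVALID added to the OUTPUT
# state rule.  The backslash keeps $IPTABLES literal in the inserted rules.
tweak_fw() {
    mark_ipsec="\$IPTABLES -t mangle -A PREROUTING -i $WAN -p esp -j MARK --set-mark $IPSEC_MARK"
    allow_marked="\$IPTABLES -A INPUT -i $WAN -m mark --mark $IPSEC_MARK -j ACCEPT"
    sed "s, ls , show ,g
         /^# @MARK_IPSEC/s,.*,$mark_ipsec,
         /^# @ALLOW_MARKED/s,.*,$allow_marked,
         /^\$IPTABLES -A OUTPUT/s;ESTABLISHED,RELATED;ESTABLISHED,RELATED,INVALID;g"
}

# check_tweak returns 0 only if every edit is present in the patched output
# and no marker comment survived.
check_tweak() {
    out=$(sample_fw | tweak_fw)
    printf '%s\n' "$out" | grep -q 'addr show eth1' || return 1
    printf '%s\n' "$out" | grep -q -- "-p esp -j MARK --set-mark $IPSEC_MARK" || return 1
    printf '%s\n' "$out" | grep -q -- "-m mark --mark $IPSEC_MARK -j ACCEPT" || return 1
    printf '%s\n' "$out" | grep -q -- 'OUTPUT -m state --state ESTABLISHED,RELATED,INVALID' || return 1
    if printf '%s\n' "$out" | grep -q '^# @'; then
        return 1
    fi
    return 0
}

check_tweak && echo "all three edits applied"
```

To use it on a real compiled script, replace `sample_fw` with `cat firewall.fw` in `check_tweak`; the check is cheap enough to run every time the firewall is recompiled, which catches the case where fwbuilder stops passing the marker comments through.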

An example firewall script and configuration file: