By John C. Rucker (Page 4 of 8)
The firewall is arguably the most important part of this entire project. It is what is going to keep all of those patron laptops—and potentially virus-laden ones at that!—safely away from your staff network where you conduct your business and store sensitive personal data. The firewall will also let you set rules to limit abuse of your service. Finally, the firewall does the work of transparently routing the web traffic from the visiting laptops through the content filter. This means that everyone who brings a laptop to your library will be filtered without you lifting a finger.
First things first: we need to install the firewall management software. Linux comes with a built-in firewall system, iptables, but it can be tricky to configure directly. To make it less so, we'll use a front end to iptables called the Shoreline Firewall, or Shorewall for short. To install it, run the following:
# apt-get install shorewall
Now we need to edit a number of files. First, edit /etc/default/shorewall by typing
# nano /etc/default/shorewall
Change startup=0 to startup=1, then save and exit the file. This enables Shorewall to start automatically. Next, we need to copy Shorewall's example configuration files to the working location by typing
# cp /usr/share/doc/shorewall/default-config/* /etc/shorewall/
Now we'll need to edit some of these configuration files. First, we'll make a single change to the main configuration file:
# nano /etc/shorewall/shorewall.conf
Find the line that reads IP_FORWARDING=Keep and change it to IP_FORWARDING=On. Save and exit this file. Next, we'll edit /etc/shorewall/interfaces:
# nano /etc/shorewall/interfaces
Go all the way to the bottom of the file, then add two lines before the last line so that your file looks like this:
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     eth1        detect      dhcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
This tells Shorewall which network cards correspond to which zones in our firewall schema, and on which one we're serving DHCP information. loc represents any computer behind our firewall: "local" traffic—all the patron laptops, for example. net refers to any computer in front of the firewall: your staff computers, and any computers on the larger Internet. You can now save and exit this file.
In a similar fashion, edit /etc/shorewall/masq, putting the following lines at the end of the file:
#INTERFACE   SUBNET           ADDRESS   PROTO   PORT(S)   IPSEC
eth0         eth1
eth0         192.168.0.0/24
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
This lets the firewall know that it can process traffic coming into either of your network cards. This will let you use your server as a filter for your staff workstations, too. Save and exit the file.
Next, we'll edit the /etc/shorewall/policy file to set up the default actions for the firewall. Add the following lines to the end of the file:
#SOURCE   DEST   POLICY   LOG     LIMIT:BURST
#                         LEVEL
loc       all    REJECT
fw        all    ACCEPT
net       all    DROP
all       all    REJECT
#LAST LINE -- DO NOT REMOVE
This file is consulted when traffic going through the firewall doesn't match any of the explicit rules that we'll set later; in other words, the policy provides the default rules. In a nutshell, the above policies mean that all traffic not explicitly allowed is blocked, and the server itself can talk to any other computer. Save and exit the file.
Next, we'll edit the /etc/shorewall/rules file to set up the exceptions to the above policies. These exceptions are critical if you actually want your public Internet to be useful. On the second-to-last line, you'll see "SECTION NEW". Delete that, then add the following lines in its place:
# Allow SSH connections to the firewall from both sides
ACCEPT     loc     fw     tcp     22
ACCEPT     net     fw     tcp     22
# Allow DHCP requests (DHCPv4 uses UDP ports 67 and 68)
ACCEPT     loc     fw     udp     67,68
# Allow DNS requests
ACCEPT     loc     net    tcp     53
ACCEPT     loc     net    udp     53
# Allow HTTPS
ACCEPT     loc     net    tcp     443
# Allow POP3 email access
ACCEPT     loc     net    tcp     110
# Allow SSL POP3 access
ACCEPT     loc     net    tcp     995
# Allow IMAP email access
ACCEPT     loc     net    tcp     143
# Forward access to the WAP
DNAT       net     loc:192.168.1.2:80     tcp     8086
# Allow access on both sides of the firewall to the web content filter
# 8081 is our children's level
# 8082 is our adult level
ACCEPT     net     fw     tcp     8081,8082
ACCEPT     loc     fw     tcp     8081,8082
# Route all HTTP traffic from patron laptops to the passive
# filter (adult level)
REDIRECT   loc:192.168.1.100-192.168.1.200     8082     tcp     80
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Most of that should be clear enough from the inline comments, but let's break it down anyway. The first few rules will allow normal and secure web pages. They will also allow people to check their email with a client like Outlook or Thunderbird, but not send mail. Checking and sending mail via web-based mail like Yahoo! or Hotmail is unaffected. We block outgoing mail via clients so that people won't use our free Internet access to send spam. We also allow access to the web content filter from either the public side or your staff side. The last rule is where all the magic happens: patron laptops (that IP address range corresponds to the range we set up in the dhcpd.conf file earlier) will send all non-secure web page traffic to port 8082 on the server. This is the port that we'll set up our content filter—one of them, anyway—to listen on. Save and exit this file.
There are other exceptions you might want to make, if you deem it appropriate: VPN access for business travelers or instant messenger services, among other things. For these, you'll need to find out what protocols and ports to make exceptions for. Look at the Shorewall documentation for more information.
The last file to edit is /etc/shorewall/zones. Go to the end of the file and edit it to look like this:
#ZONE   TYPE       OPTIONS   IN        OUT
#                            OPTIONS   OPTIONS
fw      firewall
net     ipv4
loc     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
Save and exit the file. That's it! Now, let's restart the firewall to make sure we got everything right. Issue the following command:
# shorewall restart
You'll see a lot of text rapidly scroll by. At the end you should see "Shorewall Restarted." If you see "Shorewall Terminated" or an error message, go back and check your work.
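Before the new files go live, it is worth checking that they still enforce the two things this page relies on: patron laptops cannot send mail directly to the Internet, and their plain HTTP traffic only ever leaves through the content filter. The following shell script is an added example, not part of the article or of Shorewall itself. It writes the policy and rules entries from this page into a scratch directory (STAGE, an assumption) and audits them with two small awk checks (audit_rules and audit_policy, also assumptions made for the example) before you copy anything into /etc/shorewall.

```shell
#!/bin/sh
# Added example, not from the article: stage the policy and rules files from
# this page into a scratch directory and audit them before they replace the
# live files in /etc/shorewall. STAGE, the audit functions and the entries
# written here are assumptions made for the example.
set -eu

STAGE="${STAGE:-$(mktemp -d)}"

# write_configs: write the page's policy and rules entries to $STAGE.
write_configs() {
  cat > "$STAGE/policy" <<'EOF'
#SOURCE DEST POLICY LOG LIMIT:BURST
loc all REJECT
fw all ACCEPT
net all DROP
all all REJECT
#LAST LINE -- DO NOT REMOVE
EOF
  cat > "$STAGE/rules" <<'EOF'
# Allow SSH connections to the firewall from both sides
ACCEPT loc fw tcp 22
ACCEPT net fw tcp 22
# Allow DHCP requests (DHCPv4 uses UDP 67/68)
ACCEPT loc fw udp 67,68
# Allow DNS requests
ACCEPT loc net tcp 53
ACCEPT loc net udp 53
# Allow HTTPS, POP3, POP3S and IMAP; SMTP is deliberately absent
ACCEPT loc net tcp 443
ACCEPT loc net tcp 110
ACCEPT loc net tcp 995
ACCEPT loc net tcp 143
# Forward access to the WAP
DNAT net loc:192.168.1.2:80 tcp 8086
# Allow access on both sides of the firewall to the web content filter
ACCEPT net fw tcp 8081,8082
ACCEPT loc fw tcp 8081,8082
# Route all HTTP traffic from patron laptops to the passive filter
REDIRECT loc:192.168.1.100-192.168.1.200 8082 tcp 80
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
EOF
}

# audit_rules FILE: succeed only if no ACCEPT rule lets the patron side (loc)
# reach the Internet (net) on SMTP (tcp 25/587) or on plain HTTP (tcp 80).
# Outbound HTTP must only appear as a REDIRECT into the content filter.
audit_rules() {
  awk '
    $1 ~ /^#/ || NF == 0 { next }          # skip comments and blank lines
    $1 == "ACCEPT" && $2 ~ /^loc/ && $3 ~ /^net/ && $4 == "tcp" {
      n = split($5, ports, ",")
      for (i = 1; i <= n; i++) {
        if (ports[i] == "25" || ports[i] == "587") { print "SMTP allowed loc->net: " $0; bad = 1 }
        if (ports[i] == "80") { print "HTTP bypasses the filter: " $0; bad = 1 }
      }
    }
    END { exit bad ? 1 : 0 }
  ' "$1"
}

# audit_policy FILE: succeed only if the first policy line that applies to the
# patron side ("loc" or "all" as SOURCE) denies by default, so every opening
# has to be an explicit entry in the rules file.
audit_policy() {
  awk '
    $1 ~ /^#/ || NF == 0 { next }
    $1 == "loc" || $1 == "all" { found = 1; exit ($3 == "REJECT" || $3 == "DROP") ? 0 : 1 }
    END { if (!found) exit 1 }
  ' "$1"
}

write_configs
audit_rules "$STAGE/rules"
audit_policy "$STAGE/policy"
echo "audit passed; files staged in $STAGE"
echo "review them, then: cp $STAGE/* /etc/shorewall/ && shorewall check"
```

Run it as a normal user; it never touches /etc/shorewall. If either audit prints an offending line and exits non-zero, fix the staged file before copying. Shorewall's own `shorewall check` then catches syntax errors that these two intent checks do not cover.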
With that finished, we can now move on to the content filter!