Configuring the Firewall on SLES

Introduction

To fully secure your server from unnecessary or damaging traffic, you need to implement a Firewall. A Firewall allows you to route and control network traffic travelling into your network or between two or more different networks. For instance, You will want to implement a firewall wherever you want computers on another network to have limited or no access to your network. The classic example of this is the Internet. You should put a firewall between your local network and the Internet to protect your computers from unnecessary or unwanted traffic coming from the Internet.

Another good use for a firewall is to separate any Wireless Access Points on your network, so all traffic will go through a firewall before entering your network. This actually allows you to offer Internet Access to any one using a wireless connection without compromising the security of your local network. You could also use a firewall to separate a "testing network" from a production network, especially if you need Internet Access for your testing network. Doing this allows you to fully configure and test any servers without harming the current network, this is especially useful when working with Windows Domains.

Firewall Yast Module

Basically, the way the Linux Kernel implements it's firewall is it allows you to create "Zones" where you control network traffic. You can implement any number of "Zones" you want, but normally you use only 3 - Internal Zone, External Zone and Demilitarized Zone. You can then use these Zones to implement "Rules" that mananage the network traffic coming into the zone. You can even use rules to manipulate the traffic to move from one zone to another.

Maintaining these rules can be a daunting task, but since the inception of Linux IP Tables many tools have been created to make this job much easier. Suse Linux has the "Firewall" Yast Module to help you with this task.

Controlling Firewall Startup

Assigning Zones to Network Adapters

Controlling the Firewall Startup and Assigning Zones to Network Cards

So, the first step in configuring your firewall is to assign these "Zones" to your network devices. This is done under the "Interfaces" section of the Yast Firewall module. These "zones" will be used to determine what network traffic will be allowed to enter each interface.

External Zone - This zone is primarily used for any Interface that is directly connected to the Internet or other "unsecure" network. With any Interface that you assign "External Zone", you must manually allow certain traffic to communicate with your server.

Internal Zone - This assignment should be placed on the Interface that is connected to your Local Area Network. By default, all network traffic is allowed on any interface that is designated "Internal Zone".

Demilitarized Zone - Similar to "External Zone", you must manually allow certain traffic through on any Interface designated "Demilitarized Zone". This zone is mainly used on larger networks where, for security reasons, Internet Servers (such as web, mail, etc.) are placed on a separate network than the local network.

Allowing Services through the Firewall

Adjusting Broadcast through the Firewall

Allowing Services and adjusting Broadcasts through the Firewall

Once you setup all of your zones, you may want to "open" some ports on your Intefaces that you set to "External" or "Demilitarized" to allow access to certain services (such as Web Sites or Internet Mail). To do this go to the "Allowed Services" section and ensure that the correct Zone is selected in the "Allowed SErvices for Selected Zone" drop-down box. Then, simply select which service(s) to allow from the "Service to Allow" drop-down and hit "Add".

If you really want to, you can block all services from the "Internal Zone" and manually open the required ports for your server to work properly. Do this by checking the "Protect Firewall from Internal Zone" box. I highly recommend that you do not do this unless you know exactly what you are doing.

Masquerading and Port Forwarding

Another popular role for GNU/Linux Servers within networks is to configure the server to "share" it's Internet connection with the rest of your network (configure it as a router). To do this, ensure that you configure "zones" for all of your network interfaces. Usually you will have one "External Zone" for the interface that is your Internet connection and one "Internal Zone" for your local network (and possibly a "Demilitarized Zone" for other servers).

To "share" the Internet connection (External Zone interface) with your network (Internal Zone interface), simply go to the "Masquerading" section of the Yast Firewall module and check the "Masquerade Networks" box. This will allow you to configure your network clients to utilize your server as a "Gateway" to the Internet. Not only will this allow your clients to access the Internet through your server, but it also gives you an added security layer for your workstations since they will not be "directly" connected to the Internet.

Configuring Network Masquerading

Adding a Port Forwarding Rule

 

Configuring Network Masquerading and Adding a Port Forwarding Rule

Even though masquerading gives you the benefit of providing a layer between the Internet and your network clients, sometimes you may wish to allow certain services located on one of your workstations or another server to directly communicate over the Internet. To enable this, you "Forward" a port on your firewall computer to the appropriate network client.

So, let's say I have a web server on my network that I want Internet clients to be able to access. What I need to do is go to the "Masquerading" section of the Yast Firewall module and "Add" a "Redirect Request to Masquerading IP". This will open a dialog box that will allow you to specify a port that will be "Forwarded" to another network address on your network. In this case the "Requested Port" will be "80" and the "Redirect to Masqueraded IP" will be the address to the Web Server within the local network.

You should be aware that the "Requested Port" and the "Redirect to Port" do not have to be the same. This may allow you to allow remote access to the SSH ports of your other servers by simply forwarding a random port on your Firewall to the SSH port (22) on a client workstation/server.

Also note that any port that you "Forward" to another computer on your network does not have to be "open" first (included in the "Allowed Services" portion of the Yast Firewall module). Yast will automatically open the port to allow it to be forwarded.

Utilizing the Squid Proxy Server

Now that we have the firewall completely configured for your enviornment, we can now cover how to implemement a "Proxy Server" to complement your firewall. A Proxy Server allows you to improve the Internet speed by "cacheing" all the data for faster retrieval, as well as allow you to apply Access Control Lists for Internet traffic, block access to certain sites, as well as utilize the statistics to create advanced usage reports. For more advanced networks you can even configure multiple Proxy Servers together to "load-balance" your Internet connection.

The proxy server that Suse Linux Enterprise Server utilizes is called "Squid" and is available on the installation media. As of this writing, Novell has not implemented a "Yast Module" to configure Squid, but one is being developed (and is already implemented into OpenSuse 10.3). Fortunately, squid is not that difficult to manually configure, so it is relatively easy to get it up and running on Suse Linux Enterprise Server.

Once you get Squid installed (ex. "yast -i squid") it is relatively easy to adjust it to fit into your network. The main configuration file is located at "/etc/squid/squid.conf" and the defaults should suffice as a good starting point. However, you will need to grant your workstations the ability to utilize the Squid proxy server. To do this, you must add an "Access Control List" that includes your local network. For instance simply adjust the configuration file (around line number 1873) to include something similar to:

acl our_network src 192.186.1.0/24
http_access allow our_network

Then, simply launch (or restart squid) with "/etc/init.d/squid restart" or "rcsquid restart" to allow your clients to access the Internet through squid. Also make sure that you ensure Squid will start when the computer boots up with: "chkconfig squid on".

By default, Squid will utilize port 3128 on your server. To be able to use Squid, you must manually configure all of your Internet Clients (Internet Explorer, Firefox, etc.) to utilize your proxy server through port 3128. Alternatively, you could also configure your firewall to automatically use the Squid Proxy Server for all HTTP traffic. This is called implementing a "Transparent Proxy".

Enabling a Transparent Proxy

To enable a "Transparent Proxy" you must first configure Squid to be used as a transparent proxy. To do this simply open the squid configuration file at "/etc/squid/squid.conf" and ensure that the following options are enabled (restart squid after implemented).

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Then you need to change your firewall settings to redirect any HTTP traffic coming from your network to the proxy server. To do this, you must open the "/etc/sysconfig Editor" Yast Module (located under the System section). Then browse to "Network - Firewall - SuSEfirewall2" and find the "FW_REDIRECT" option. This must be set to something similar to the following (also restart the firewall once this is configured).

192.168.1.0/24,0/0,tcp,80,3128

Squid should now be configured as a "Transparent Proxy" and all HTTP traffic coming from your network should automatically be redirected through your Squid Proxy Server.

Internet Filtering with SquidGuard

With your Squid Proxy Server configured, you may now want to implement a way to block access to certain "undesireable" websites. To accomplish this you can use the "squidGuard" program to complement your Squid installation.

To install SquidGuard, simply issue the command "yast -i squidGuard" to install the package. Now you will need to get a list of sites that you wish to block. There are many sites that offer "Blacklists" to utilize with SquidGuard, for instance:

  • http://www.shallalist.de/
  • http://squidguard.mesd.k12.or.us/blacklists.tgz
  • http://urlblacklist.com/ - Requires Subscription

Once you download a list, extract it into the "/var/lib/squidGuard/db" directory. For instance, if using the blacklists.tgz file:

cd /var/lib/squidGuard/db
tar zxf /home/serveradmin/blacklists.tgz

Now, once you have the list downloaded, you must now create/edit the "/etc/squidguard.conf" file. A good example using the above list would be:

logdir	/var/log/squidGuard
dbhome	/var/lib/squidGuard/db
dest porn{
	domainlist	blacklists/porn/domains
	urllist		blacklists/porn/urls
}
dest spyware{
	domainlist	blacklists/spyware/domains
	urllist		blacklists/spyware/urls
}
dest white{
	domainlist	whitelist/domains
	urllist		whitelist/urls
}
acl {
	default {
		pass white !porn !spyware all
		redirect 302:http://www.google.com/
	}
}

Once you have a basic squidguard.conf file, you can generate the databases for squidguard with the following commands:

squidGuard -C all
chown squid /var/lib/squidGuard/db/* -R

Now you can tell Squid to utilize SquidGuard by editing the "/etc/squid/squid.conf" file and adding "redirect_program /usr/sbin/squidGuard", then restart Squid.

A few Notes:

Any changes made to the squidguard.conf file, or any of the lists, you must recreate the databases and restart Squid in order for the changes to have any effect.

In the above example I include a "Whitelist" that will allow the user to access the site reguardless if the site is listed in one of the other lists. You will probably want to create this "Whitelist" as well a custom "Blacklist" that you can manually maintain for your site.

Also, you can see that I simply used http://www.google.com/ as a redirect site, you will probably want to use a custom page that informs your users why the site is blocked. A few examples can be found in the SquidGuard documentation. Alternatively, you can utilize the configuration I use, which can be downloaded from:

http://www.pcc-services.com/files/squidguard_stuff.tar.gz
or http://files.pcc-services.com/files/SLES10/.

Squid Cache and Network Traffic Reporting

To take full advantage of your Proxy Server you really need to implement some type of reporting for your Internet stats. In this section I will cover a few of these solutions to see if they could be useful for your network. In many cases you may want to implement a few of these since they all have their own strengths and weaknesses.

CacheManager - This is a cgi web page that displays the memory usage and other information from the running Squid Process. If you have Apache configured on your server, you can install the CacheManager by issuing the following command.

install -m 0755 /usr/share/doc/packages/squid/scripts/cachemgr.cgi /srv/www/cgi-bin/cachemgr

Then simply go to "http://your_server/cgi-bin/cachemgr" to view the stats.

Cachemgr Page

Calamaris Page

The Cachemgr and Calamaris Web Pages

Calamaris - This is a script that will "convert" the squid log files into a nice HTML page to allow you to easily view detailed statistics from your Squid server. To generate the page simply run the following command (this makes a nice daily cron job).

cat /var/log/squid/access.log | calamaris -a -F 'html' > /srv/www/htdocs/calamaris.html

Squid Analysis Report Generator - http://sarg.sourceforge.net/

Although this report generator is not available on the Suse Linux Enterprise installation media, this is definately worth the download as it allows you to keep track of every site that each user on your network.

To install this application, go to it's website and download the Suse RPM, then install it with "rpm -Uvh sarg*". Then edit the "/etc/squid/sarg/sarg.conf" file for your enviornment (especially the output directory). Finally, simply run "sarg" to generate the reports (best to create a daily cron job for this).

The Sarg Main Page

Detailed Daily Page

Example SARG Pages

Multi-Router Traffic Grapher - This tool monitors your network interfaces on your server and provides a web page detailing the traffic generated through your server.

MRTG utilizes the SNMP data from your server to capture the data it needs to process. So, in order to use MRTG, you must configure and start the SNMP Daemon. Basic configuration of SNMP is quite simple, all you need to do is specify a "user" that has Read-Only access to the resources. To do this edit the /etc/snmp/snmpd.conf file and add something similar to:

rocommunity fwuser

Now start snmpd, test it to make sure it works, then add it to the runlevel:

/etc/init.d/snmpd start
snmpwalk -v1 -c fwuser localhost system
chkconfig snmpd on

Now you will want to install mrtg, create the relevant directories and configure it.

yast -i mrtg
	mkdir /etc/mrtg
	mkdir /srv/www/htdocs/mrtg
cfgmaker --output=/etc/mrtg/mrtg.cfg \ 
 	--global "workdir:/srv/www/htdocs/mrtg" fwuser@localhost

Note - This is a very simple MRTG configuration that should get you started. You will definitely want to adjust the configuration to provide more or better information for your environment. Check the man page for cfgmaker for more information. Also note that you can simply edit the /etc/mrtg/mrtg.cfg file directly instead of re-running cfgmaker.

Once MRTG is configured, you will now need to run it at least 3 times in order for the errors to correct themselves (to create log files, etc). To run MRTG issue the following command:

env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg

Now that it works correctly, you need to "prep" the webpage using the following command:

indexmaker --output=/srv/www/htdocs/mrtg/index.html /etc/mrtg/mrtg.cfg

MRTG needs to be ran periodically to collect all the data it needs to process. In order to do this, add the command above as a cron job (have it run every 5 minutes or so) by using "crontab -e" or simply adding the following to the /etc/crontab file:

*/5 * * * * root env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg

Of course, it will take quite a while for enough data to be captured in order for your graphs to populate, but once all of these steps are taken, MRTG will definitely be a tool you will be glad you implemented on your firewall/router.

The MRTG Index Page

Detailed Traffic Graphs

The MRTG Index Page and Detailed Graphs from a Firewall

For those that are total control freaks, there are few other applications available to use in managing the Internet Traffic on your website (such as ntop and etherape). Although for more advanced network monitoring, I recommend that you simply look into the "Network Information and Monitoring Applicance". This is a VMWare Virtual Machine I created specifically for this purpose, you can find it at: http://www.pcc-services.com/NIMA/

Google Ad

© 2017 Mike Petersen - All Rights Reserved