[Techtalk] (long) Firewall script sample

Conor Daly conor.daly at oceanfree.net
Sat Jun 15 09:49:04 EST 2002


On Tue, Jun 11, 2002 at 07:37:29PM +0000 or so it is rumoured hereabouts, 
jhazer at emailko.com thought:
> Can anyone pls. help me to have an overview of how my firewall script will look like with this kind of setup:
> 
> Webserver (intranet only)
> Mail server            ----> Firewall ---> Internet             
> DNS Caching                  Dial-up        
> Squid Caching
> 
> 
> Wherein the webserver, mail server, etc. will be on the same machine. While the firewall and the modem (for dial-up) will be on a separate PC. I really am confused on how I will set it up. I have read a tutorial about iptables and shamelessly I'm still lost and confused. Lots of questions arise in my mind. Like: how will I configure my firewall to allow mails and forward it to the mail server? Same with DNS and Squid. How will I allow it from the firewall?
> 
> I'm really sorry for this newbie question. But I've read a lot of Howto's, from ipmasquerading to iptables and I'm still confused. Hope anyone can guide me. Thank you very much.
> 
> -JhAzEr-

There are a few things you need for this setup to work.

Firstly, since you're on a
dialup, stuff like the mail server won't work as they are normally
intended to.  You need to have the mail server queue outgoing mail and you
need something else (fetchmail) to pop email from your ISP and feed it to
your local mail server.  

Secondly, your firewall needs to be able to
handle your (presumably) dynamic ip address.  I have a setup (using
ipchains) where 'ifconfig ppp0 | cut -f2 -d" "' produces the current ip
address but I have to run the firewall up script each time I connect to
the internet.  I've seen firewall scripts which base their rules
_entirely_ on the _interface_ rather than on ip address.  Assuming that
works for NAT / ipmasq you can have your firewall running all the time and
save the overhead of bringing it up at each connection.

Thirdly, you need some method for bringing up the internet connection (and
for taking it down quickly!).  I use diald which does dial on demand along
with running a post-connect script.

Last, you need some way of telling your server when the internet
connection comes up and when it goes down so that the server can do its
server-type stuff like fetching and sending email and so on.

So, for 

1. Mail server: you need to set up your MTA (mail transport agent) to
queue outgoing email.  I did this so long ago that I've forgotten how and
in any case it will depend on your MTA.  Once you've done that, sending
mail out to the internet is as simple as "sendmail -q" (for both sendmail
and postfix).
   Fetchmail: to receive mail from your ISP, you need fetchmail.  A simple
/root/.fetchmailrc to pop email for anyone you host mail for and a
"fetchmail  -f /root/.fetchmailrc" will pop everyone's email and inject it
into your local MTA.  My .fetchmailrc looks like:

poll "mail.isp.net" proto pop3 user "my.email.address" with pass "secret"
is "my.local.user" here forcecr smtpaddress localhost
poll "mail.isp.net" proto pop3 user "another.email.address" with pass
"secret2" is "another.local.user" here forcecr smtpaddress localhost

You'll also need to create aliases for your local users to rewrite their
email addresses to their public ones.  There's a very nice tool for this
task called install_sendmail available on the downloads page of
http://www.linux.ie which will set up most of this stuff for you.

Of course, you still need some way of making all this happen.  We'll come
to that in a minute.

2. Firewall: your firewall needs to know the ip address of your internet
connection.  Since this changes every time you dial up, the firewall must
be restarted each time you connect.  To get the ip address you do

IPADDR=$(/sbin/ifconfig | /bin/grep -A 6 ppp0 | /bin/grep P-t-P |
/usr/bin/cut -f 2 -d : | /usr/bin/cut -f 1 -d P)

within the firewall script and then use $IPADDR in the individual rules.
There are a number of tools out there on the internet for configuring
firewalls which you can then adapt for your needs (a google for "linux
firewall tools" should return plenty).  One of these (I was looking at a
while ago) didn't use the external IP address at all (since that changes)
but instead uses the external _interface_ eg. ppp0 (which doesn't change).
This means the firewall can remain up constantly.

3. Dial on demand:  To have your internet connection come up when you need
it, some form of dial on demand is required.  This is a program that
listens to your network for any traffic for outside of your local network
and starts the internet connection when required.  It should also watch
that internet traffic and take down the internet connection when it dies
down.  Something that is aware of your telco's call charging pattern is
also nice (eg. if you get charged for the first 10 minutes of a call
anyhow, there's no point in having the internet connection come down after
2 minutes).  Diald does all this as well as having a number of controlling
methods available (eg. a TCL based GUI and a FIFO which will accept input
on the commandline).  The last thing diald does when it brings a
connection up or down is run a post-connect or post-disconnect script.
Which brings us nicely to 4.

4. Telling the server: your server needs to know when the internet
connection is up so it can do stuff like sending email and so on.  Equally
important (when using dial on demand), it needs to know when the
connection is down so that it will stop!  The post-(dis)connect scripts
on the firewall look after this.  They do two things:  a) bring the firewall
up or down and b) telnet the server (on defined ports) to tell it the
state of the internet connection.
  On the server: I have two entries in my xinetd config: ppp-up and
ppp-down along with the following in /etc/services:

ppp-up		6453/tcp
ppp-down	6454/tcp

/etc/xinetd.d/ppp-up looks like:

service ppp-up
{
	socket_type		= stream
	protocol		= tcp
	wait			= no
	user			= root
	server			= /etc/ppp/ppp.faenor
	server_args		= up 
	disable			= no
}

while /etc/xinetd.d/ppp-down is:

service ppp-down
{
	socket_type		= stream
	protocol		= tcp
	wait			= no
	user			= root
	server			= /etc/ppp/ppp.faenor
	server_args		= down 
	disable			= no
}

So, if I telnet the server on port 6453, it will run

"/etc/ppp/ppp.faenor up"

which does a few tasks like running the checkmail program which sends and
receives email at 5 minute intervals until a "telnet server 6454" tells it
to stop.

The details of the checkmail program (and other scripts) are available on
request.

Conor (who didn't mean to go on for quite so long)
-- 
Conor Daly <conor.daly at oceanfree.net>

Domestic Sysadmin :-)
---------------------
Faenor.cod.ie
  8:39am  up 22 days, 17:56,  0 users,  load average: 0.15, 0.03, 0.01
Hobbiton.cod.ie
  8:45am  up 22 days, 18:06,  2 users,  load average: 0.18, 0.09, 0.02
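As an added example (not Conor's script, nor code from diald, fetchmail or the install_sendmail tool he mentions), the script below shows the two things point 2 of the post describes: pulling the ppp0 address out of ifconfig output, and an iptables rule set keyed on the external interface rather than on that address, so the firewall can stay up across redials. Interface names (ppp0, eth0), the LAN range, the server and firewall addresses, and the ifconfig sample are all assumptions or constructed values; setting IPT=echo gives a dry run that prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: interface-based firewall for a dial-up gateway with a
# mail/DNS/squid host on the LAN.  All addresses and names are assumed.
EXT_IF=${EXT_IF:-ppp0}                 # dial-up interface (assumed)
LAN_IF=${LAN_IF:-eth0}                 # LAN interface (assumed)
LAN_NET=${LAN_NET:-192.168.1.0/24}     # constructed private LAN range
SERVER=${SERVER:-192.168.1.2}          # mail/DNS/squid host (constructed)
IPT=${IPT:-/sbin/iptables}             # IPT=echo prints rules instead

# Constructed ifconfig output, in the old "Link encap" layout the post's
# grep/cut pipeline was written against.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0

ppp0      Link encap:Point-to-Point Protocol
          inet addr:10.20.30.40  P-t-P:10.20.30.1  Mask:255.255.255.255'

# ppp_addr IFACE: read ifconfig output on stdin and print IFACE's address.
# Unlike "grep -A 6 ppp0", this only looks inside that interface's own
# block, so a later interface with a similar name cannot be matched.
ppp_addr() {
    awk -v ifn="$1" '
        $1 == ifn               { inblock = 1; next }
        /^[^ \t]/               { inblock = 0 }
        inblock && /inet addr:/ {
            sub(/.*inet addr:/, ""); sub(/[ \t].*/, ""); print; exit
        }'
}

# demo_addr: run the extractor over the constructed sample for ppp0.
demo_addr() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | ppp_addr ppp0
}

# firewall_up: rules refer to $EXT_IF, never to the dynamic address, so
# this runs once at boot and does not need re-running after each dial.
firewall_up() {
    $IPT -F
    $IPT -t nat -F
    $IPT -X
    # Default deny for anything arriving at or crossing the firewall.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections the LAN or the firewall opened.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoofing: packets claiming a LAN source must not arrive on ppp0.
    $IPT -A INPUT -i "$EXT_IF" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$EXT_IF" -s "$LAN_NET" -j DROP
    # The LAN may reach the firewall itself and go out through it.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT
    # NAT on the interface; the kernel fills in whatever address ppp0 has.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
    # No inbound forwarding to $SERVER: mail is pulled by fetchmail and
    # DNS/squid serve the LAN only, so nothing from the internet needs
    # to reach it.
}

# Only apply rules when explicitly asked, e.g. "firewall.sh up" at boot.
case "${1-}" in
    up) firewall_up ;;
esac
```

Because nothing here depends on the dialled address, the diald post-connect script on the firewall is reduced to the notification step in point 4 of the post (connecting to the server's ppp-up port). On the server side, xinetd's only_from attribute in the ppp-up and ppp-down entries can limit those two ports to the firewall's LAN address, so no other LAN host can start or stop the mail cycle.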
