Setup guide
Address
All connections from the private addresses are masqueraded and appear to come from a single
external address, that of the router.
This is done by enabling the masquerade action in source NAT rules.
• Enforce the Internet Usage Policy from the Customer's Network
Connections from the customer's network should be monitored.
This can be done by putting rules in the forward chain and/or by masquerading (source NAT)
only those connections that are allowed.
Filtering has some impact on the router's performance. To minimize it, the filtering rules that match
packets of established connections should be placed at the top of the chain. These are TCP packets
matched with the tcp-options=non-syn-only property.
Examples of setting up firewalls are discussed below.
Example of Firewall Filters
Assume we want to create a firewall that:
• protects the Wandy router from unauthorized access from anywhere; only access from the
'trusted' network 10.5.8.0/24 is allowed
• protects the customer's hosts within the network 192.168.0.0/24 from unauthorized access
from anywhere
• gives access from the Internet to the http and smtp services on 192.168.0.17
• allows only ICMP ping from all of the customer's hosts and forces the use of the proxy server on
192.168.0.17
The basic network setup is illustrated in the following diagram:
The IP addresses and routes of the Wandy router are as follows:
[admin@Wandy] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 10.0.0.217/24 10.0.0.0 10.0.0.255 Public
1 192.168.0.254/24 192.168.0.0 192.168.0.255 Local
[admin@Wandy] > ip route print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, R - rip, O - ospf, B - bgp
# DST-ADDRESS G GATEWAY DISTANCE INTERFACE
0 S 0.0.0.0/0 r 10.0.0.254 1 Public
1 DC 192.168.0.0/24 r 0.0.0.0 0 Local
2 DC 10.0.0.0/24 r 0.0.0.0 0 Public
[admin@Wandy] >
To protect the router from unauthorized access, we should filter out all packets whose destination
is one of the router's own addresses, and accept only those that are allowed. Since all packets destined
to the router's addresses are processed by the input chain, we can add the following rules to it:
[admin@Wandy] > ip firewall rule input
[admin@Wandy] ip firewall rule input> add protocol=tcp tcp-options=non-syn-only \
\... connection-state=established comment="Allow established TCP connections"
[admin@Wandy] ip firewall rule input> add protocol=udp comment="Allow UDP connections"
[admin@Wandy] ip firewall rule input> add protocol=icmp comment="Allow ICMP messages"
[admin@Wandy] ip firewall rule input> add src-addr=10.5.8.0/24 \
\... comment="Allow access from 'trusted' network 10.5.8.0/24"
[admin@Wandy] ip firewall rule input> add action=reject log=yes \
\... comment="Reject and log everything else"
[admin@Wandy] ip firewall rule input> print
Flags: X - disabled, I - invalid, D - dynamic
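To see how this input chain behaves, the following added example (not part of the guide and not RouterOS code) models the five rules above with first-match semantics and walks a few constructed packets through them; the packet field names and sample addresses are assumptions made for the model.

```python
import ipaddress

# Model of the guide's input chain: rules are checked in order, first match wins.
TRUSTED_NET = ipaddress.ip_network("10.5.8.0/24")  # the 'trusted' network from the guide

def established_tcp(pkt):
    # protocol=tcp tcp-options=non-syn-only connection-state=established
    return pkt["protocol"] == "tcp" and not pkt["syn_only"] and pkt["state"] == "established"

RULES = [
    # (matcher, action, comment) in the same order as the guide's chain
    (established_tcp, "accept", "Allow established TCP connections"),
    (lambda p: p["protocol"] == "udp", "accept", "Allow UDP connections"),
    (lambda p: p["protocol"] == "icmp", "accept", "Allow ICMP messages"),
    (lambda p: ipaddress.ip_address(p["src"]) in TRUSTED_NET, "accept",
     "Allow access from 'trusted' network 10.5.8.0/24"),
    (lambda p: True, "reject", "Reject and log everything else"),  # action=reject log=yes
]

def evaluate(pkt):
    """Return (action, comment, rules_checked) for a packet addressed to the router."""
    for checked, (match, action, comment) in enumerate(RULES, start=1):
        if match(pkt):
            return action, comment, checked
    raise AssertionError("unreachable: the last rule matches every packet")

# Constructed sample packets (addresses are assumptions, not from the guide).
SAMPLE_PACKETS = {
    "established_tcp_reply": dict(protocol="tcp", src="203.0.113.9", syn_only=False, state="established"),
    "new_tcp_from_trusted": dict(protocol="tcp", src="10.5.8.20", syn_only=True, state="new"),
    "new_tcp_from_internet": dict(protocol="tcp", src="203.0.113.9", syn_only=True, state="new"),
    "udp_from_internet": dict(protocol="udp", src="203.0.113.9", syn_only=False, state="new"),
    "ping_from_customer": dict(protocol="icmp", src="192.168.0.5", syn_only=False, state="new"),
}

def walk_chain(packets=SAMPLE_PACKETS):
    """Evaluate every sample packet; rules_checked shows the cost of rule ordering."""
    return {name: evaluate(pkt) for name, pkt in packets.items()}

if __name__ == "__main__":
    for name, (action, comment, checked) in walk_chain().items():
        print(f"{name:24s} {action:7s} after {checked} rule(s): {comment}")
```

The `rules_checked` value makes the ordering point concrete: an established TCP packet is decided by the first rule, while a new connection from an untrusted address has to fall all the way through to the final reject. Note also that, exactly as written in the guide, the chain accepts every UDP and ICMP packet addressed to the router regardless of its source.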