6.4 Testing your network

Start by using the ifconfig and route commands. If you have two network cards ifconfig should look something like:

# ifconfig

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:1620 errors:0 dropped:0 overruns:0
          TX packets:1620 errors:0 dropped:0 overruns:0
          collisions:0 txqueuelan:0

eth0      Link encap:10Mbps Ethernet  HWaddr 00:00:09:85:AC:55
          inet addr:24.94.1.123  Bcast:24.94.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1000 errors:0 dropped:0 overruns:0
          TX packets:1100 errors:0 dropped:0 overruns:0
          collisions:0 txqueuelan:0
          Interrupt:12 Base address:0x310

eth1      Link encap:10Mbps Ethernet  HWaddr 00:00:09:80:1E:D7
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1110 errors:0 dropped:0 overruns:0
          TX packets:1111 errors:0 dropped:0 overruns:0
          collisions:0 txqueuelan:0
          Interrupt:15 Base address:0x350

and your route table should look like:

Kernel routing table
Destination     Gateway         Genmask         Flags  MSS   Window  Use  Iface
24.94.1.0       *               255.255.255.0   U      1500  0       15   eth0
192.168.1.0     *               255.255.255.0   U      1500  0       0    eth1
127.0.0.0       *               255.0.0.0       U      3584  0       2    lo
default         24.94.1.123     *               UG     1500  0       72   eth0

Note: 24.94.1.0 is the Internet side of this firewall and 192.168.1.0 is the private (LAN) side.

You should start by making sure every computer on your LAN can ping the inside address of your firewall system (192.168.1.1 in this example). If not, go over the NET-2 HOWTO again and work on the network some more.

Next, from the firewall, try to ping an Internet system. I use www.internic.net as my test point. If it doesn't work, try a server at your ISP. If this doesn't work, some part of your Internet connection is wrong. You should be able to connect to anywhere on the Internet from the firewall. Try looking at your default gateway setting. If you are using a dialup connection, double check your user ID and password. Reread the Net-2 HOWTO, and try again.

Now try to ping the outside address of the firewall (24.94.1.123) from a computer on your LAN. This shouldn't work. If it does, you have masquerading or IP forwarding turned on, or you already have some packet filtering set. Turn them off and try again; you need to know that the filtering is what is in place.

For kernels newer than 2.1.102 you can issue the command:

echo "0"  > /proc/sys/net/ipv4/ip_forward

If you are using an older kernel (why?), you will need to re-compile your kernel with forwarding turned off. (Just upgrade.)

Try pinging the outside address of the firewall (24.94.1.123) again. It shouldn't work.

Now turn on IP forwarding and/or masquerading. You should be able to ping anywhere on the Internet from any system on your LAN.

echo "1"  > /proc/sys/net/ipv4/ip_forward

BIG NOTE: If you are using "REAL" IP addresses on your LAN (not 192.168.1.*) and you can't ping the Internet but you CAN ping the Internet side of your firewall, make sure your ISP is routing packets for your private network address.

A test for this problem is to have someone else on the Internet (say a friend using a local provider) use traceroute to your network. If the trace stops at your provider's router, then they are not forwarding your traffic.
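The ping sequence above, scripted as an added example (this is not part of the HOWTO). The addresses are the HOWTO's example values and can be overridden from the environment; FORWARD_FILE and PING are variables so the checks can be exercised against a stub instead of a live network, and the ping flags assume an iputils-style ping (-c count, -W timeout).

```shell
#!/bin/sh
# Added example, not part of the HOWTO: scripts the ping tests from section 6.4.
# Addresses are the HOWTO's example values and can be overridden from the
# environment. FORWARD_FILE and PING are variables so the checks can be run
# against a stub instead of a live network.

FW_INSIDE=${FW_INSIDE:-192.168.1.1}         # LAN side of the firewall
FW_OUTSIDE=${FW_OUTSIDE:-24.94.1.123}       # Internet side of the firewall
INET_HOST=${INET_HOST:-www.internic.net}    # the author's Internet test point
FORWARD_FILE=${FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}
PING=${PING:-"ping -c 1 -W 2"}              # assumes iputils-style -c/-W flags

# forwarding_state: print "on" or "off" from the ip_forward sysctl (run on the firewall).
forwarding_state() {
    if [ "$(cat "$FORWARD_FILE" 2>/dev/null)" = "1" ]; then
        echo on
    else
        echo off
    fi
}

# reachable HOST: succeed if a single echo request is answered.
reachable() {
    $PING "$1" >/dev/null 2>&1
}

# expect_reach yes|no HOST LABEL: compare reachability with the expectation,
# print PASS/FAIL and return 0/1.
expect_reach() {
    want=$1; host=$2; label=$3
    if reachable "$host"; then got=yes; else got=no; fi
    if [ "$got" = "$want" ]; then
        echo "PASS: $label ($host reachable=$got)"
        return 0
    fi
    echo "FAIL: $label ($host reachable=$got, expected $want)"
    return 1
}

# run_firewall_checks: what the HOWTO has you test from the firewall itself.
run_firewall_checks() {
    echo "ip_forward is $(forwarding_state)"
    expect_reach yes "$INET_HOST" "firewall reaches the Internet"
}

# run_lan_checks on|off: what to test from a LAN host, given the forwarding
# state currently set on the firewall. With forwarding off the outside address
# must not answer; with it on, the Internet should be reachable through the
# firewall. Returns the number of failed checks.
run_lan_checks() {
    fails=0
    expect_reach yes "$FW_INSIDE" "LAN host reaches firewall inside address" || fails=$((fails + 1))
    case $1 in
        off) expect_reach no "$FW_OUTSIDE" "outside address blocked with forwarding off" || fails=$((fails + 1)) ;;
        on)  expect_reach yes "$INET_HOST" "LAN host reaches the Internet with forwarding on" || fails=$((fails + 1)) ;;
        *)   echo "usage: run_lan_checks on|off" >&2; return 2 ;;
    esac
    return $fails
}

# Usage: sh nettest.sh firewall     (on the firewall)
#        sh nettest.sh lan on|off   (on a LAN host, after setting ip_forward)
case "${1:-}" in
    firewall) run_firewall_checks ;;
    lan)      run_lan_checks "${2:-}" ;;
esac
```

Run it with `lan off` before turning forwarding on and `lan on` after; the first run confirms the firewall itself blocks traffic before any forwarding or filtering rules are trusted, which is the point the section makes about knowing the filtering is in place.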

It works? Great. The hard part is done. :-)

A firewall isn't any good if the system it is built on is left wide open to attacks. A "bad guy" could gain access to the firewall through a non-firewall service and modify it for their own needs. You need to turn off any unneeded services.

Look in your /etc/inetd.conf file. This file configures inetd, also known as the "super server". It controls a bunch of the server daemons and starts them as they are requested by a packet arriving at a "well known" port.

You should turn off echo, discard, daytime, chargen, ftp, gopher, shell, login, exec, talk, ntalk, pop-2, pop-3, netstat, systat, tftp, bootp, finger, cfinger, time, swat and linuxconfig if you have one.

To turn a service off, put # as the first character of the service line. When you're done, send a SIGHUP to the process by typing "kill -HUP <pid>", where <pid> is the process number of inetd. This will make inetd re-read its configuration file (inetd.conf) and restart without taking your system down.

Test this by telnetting to port 15 (netstat) on the firewall. If you get any output, you have not turned these services off.

telnet localhost 19
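The inetd.conf editing described above, as an added example (not part of the HOWTO): it comments out every active line whose service name is on the section's list, reports what is still enabled, and sends inetd the SIGHUP. The sample inetd.conf is constructed here so the script runs stand-alone; `pidof` in reload_inetd is an assumption about the system.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: comments out the inetd services the
# section lists, in a given inetd.conf, and shows what is still enabled.
# The sample file is constructed here; point the functions at /etc/inetd.conf
# to use them for real (back the file up first).

# The services the section says to turn off, as they appear in inetd.conf.
UNNEEDED_SERVICES="echo discard daytime chargen ftp gopher shell login exec \
talk ntalk pop-2 pop-3 netstat systat tftp bootp finger cfinger time swat linuxconfig"

# disable_inetd_services FILE [SERVICE...]: prefix "#" to every active line
# whose first field is one of the given service names. A line that is already
# commented has "#name" as its first field and is left alone, so running this
# twice is harmless.
disable_inetd_services() {
    file=$1; shift
    for svc in "$@"; do
        awk -v s="$svc" '$1 == s { print "#" $0; next } { print }' "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    done
}

# enabled_inetd_services FILE: print the service name of each active line.
# A real inetd.conf entry has at least six fields: service, socket type,
# protocol, wait flag, user, server program.
enabled_inetd_services() {
    awk '!/^[[:space:]]*#/ && NF >= 6 { print $1 }' "$1"
}

# reload_inetd: make inetd re-read its configuration without a reboot
# (assumes pidof is available; otherwise use the pid from ps).
reload_inetd() {
    pid=$(pidof inetd) && kill -HUP "$pid"
}

# write_sample_inetd_conf FILE: constructed sample with a few typical entries.
write_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf (not a real system's file)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
chargen stream  tcp     nowait  root    internal
daytime stream  tcp     nowait  root    internal
EOF
}

# Usage: sh inetd-harden.sh --demo   (runs against the constructed sample only)
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    write_sample_inetd_conf "$f"
    disable_inetd_services "$f" $UNNEEDED_SERVICES
    echo "still enabled:"; enabled_inetd_services "$f"
    rm -f "$f"
fi
```

After editing the real file, `enabled_inetd_services /etc/inetd.conf` is a quicker audit than telnetting to each port, and it should list only the services you meant to keep.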

You can also create the file /etc/nologin. Put a few lines of text in it like (BUZZ OFF). When this file exists, login will not allow users to log on. They will see the contents of this file and their logins will be refused. Only root can log on.

You can also edit the file /etc/securetty. If the user is root, then the login must be occurring on a tty listed in /etc/securetty. Failures will be logged with the syslog facility. With both of these controls in place, the only way to log on to the firewall will be as root from the console.
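A small audit of the two login controls just described, as an added example (not from the HOWTO). The "console only" result the section promises holds only if /etc/securetty lists nothing but console and virtual-terminal names, so the check flags pseudo-terminal entries (ttyp* or pts/*) that would let root log in through login(1) over a network session. File paths are arguments so the checks can run against the constructed sample.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: checks the /etc/nologin and
# /etc/securetty controls described above. Paths are arguments so the
# functions can be run against sample files.

# securetty_network_entries FILE: print entries that name pseudo-terminals
# (ttyp* or pts/*). login(1) lets root in on any tty listed here, so such an
# entry would allow a root login over a network session, not just the console.
securetty_network_entries() {
    grep -v '^[[:space:]]*#' "$1" | grep -E '^(ttyp|pts/)' || true
}

# securetty_console_only FILE: succeed when no pseudo-terminal entries remain.
securetty_console_only() {
    [ -z "$(securetty_network_entries "$1")" ]
}

# nologin_active FILE: succeed when the nologin file exists, i.e. non-root
# logins are refused and shown its contents.
nologin_active() {
    [ -f "$1" ]
}

# write_nologin FILE MESSAGE: create the file with the banner users will see.
write_nologin() {
    printf '%s\n' "$2" > "$1"
}

# write_sample_securetty FILE: constructed sample with one pts entry.
write_sample_securetty() {
    cat > "$1" <<'EOF'
# constructed sample securetty (not a real system's file)
console
tty1
tty2
pts/0
EOF
}

# Usage: sh login-audit.sh --audit [SECURETTY] [NOLOGIN]  (defaults to the real files)
if [ "${1:-}" = "--audit" ]; then
    securetty=${2:-/etc/securetty}
    nologin=${3:-/etc/nologin}
    if securetty_console_only "$securetty"; then
        echo "$securetty: console/virtual terminals only"
    else
        echo "$securetty: root login allowed on pseudo-terminals:"
        securetty_network_entries "$securetty"
    fi
    if nologin_active "$nologin"; then
        echo "$nologin present: non-root logins refused"
    else
        echo "$nologin absent: ordinary users can log in"
    fi
fi
```

Note that /etc/securetty is consulted by login(1); a remote root login over SSH is governed separately by sshd's own configuration, so restricting securetty does not by itself stop root logging in over SSH.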

NEVER EVER TELNET to a system and log IN AS ROOT. If you need remote root access, use SSH (Secure Shell). You might even turn off telnet.

If you are really paranoid, you need to be using LIDS (Linux Intrusion Detection System). It is an intrusion detection system patch for the Linux kernel; it can protect important files from being changed. When it's in effect, no one (including root) can change the protected files or directories and their sub-directories. You have to reboot the system with a security=1 LILO setting to modify secure files. (I'd also boot into single user mode.)