Installing and configuring IPTables Firewall
A guide for the home webmaster


Last updated: 5/10/2008

This document assumes you have installed two NICs (network cards) in your server. Ideally you did so before installing Debian, so they are listed as eth0 and eth1. If you added the second card after the install, a reboot will load drivers for it but it won't have an interface name. To add a configuration entry you'll need to install Webmin or edit /etc/network/interfaces. I prefer to edit the interfaces file myself; it then shows up in Webmin, where you can change addresses or other options.

INTERFACES:
If you plan on using NAT (Network Address Translation, from a single internet IP to multiple private network IPs) to share your internet connection you'll need two hardware network interfaces: one plugged into your modem or other internet gadget, the other plugged into your local area network, usually through a hub. You probably won't be able to use a router on the internal network, so a hub is preferable. A router is not really necessary, as Debian has a fine DHCP server. I have managed to get a router to act as a hub by using the hub ports alone, but in my experience it won't work using a crossover cable.
TIP: If you have a crossover cable (for connecting two computers directly rather than computer to hub) you can use it with a hub by plugging one end into your internal network adapter and the other end into the "uplink" port on the hub. You can then use regular straight-through cables to connect the internal net computers to the hub.

Image: hub
Bottom right is the crossover cable on the uplink port. Center is my Vista box and the others are for my XP scanner system I use to scan pictures. The hub also acts as a repeater, so you can also use it to get some extra network reach if cable length is an issue. Max length is 100 meters per cable. I get 11 megabytes per second over the 10/100 net using this setup. Be sure to use the correct power supply for the hub.

To get your second NIC working, install it and reboot. You'll need to adjust eth0, eth1 etc. to reflect your setup. If you've changed hardware (swapped NICs for newer versions) you can read HERE for a discussion on how to bind a specific adapter name (eth1) to a specific hardware MAC address. See the section "Using UDEV rules".
# ifconfig -a
(lists your currently detected adapters and their MAC addresses)
# nano /etc/udev/rules.d/z25_persistent-net.rules
(see the example below; change the ethX to match your desired adapter name and REBOOT)

# This file was automatically generated by the /lib/udev/write_net_rules
# program, probably run by the persistent-net-generator.rules rules file.
#
# You can modify it, as long as you keep each rule on a single line.
# MAC addresses must be written in lowercase.
# PCI device 0x1106:0x3065 (via-rhine)
SUBSYSTEM=="net", DRIVERS=="?*", ATTRS{address}=="00:19:21:20:b0:de", NAME="eth0"
# PCI device 0x10ec:0x8139 (8139too)
SUBSYSTEM=="net", DRIVERS=="?*", ATTRS{address}=="00:1b:2f:2f:55:c4", NAME="eth1"

Note that you'll NEED a STATIC IP ADDRESS for your internet connection to successfully run a webserver. You cannot reliably run a webserver, and you definitely can't run a mail server, without a STATIC INTERNET IP ADDRESS. Ask your ISP to add a DNS A record and an MX record for your IP so you can receive mail. Most popular mail systems like Yahoo, Comcast, MSN, Google and others won't send or accept mail from you unless you have a reverse lookup (PTR record) for the address. Ask your ISP.
Now edit /etc/network/interfaces. Match the entries from the udev rules file above and be sure you use the AUTO keyword as below, not HOTPLUG.
# nano /etc/network/interfaces   (or vi)
Referencing the file below: make sure you have the loopback entry and two additional entries, one for each NIC.
Basically you need to edit this file, then reset the network and watch to make sure both NIC cards come UP correctly.
See below the interfaces file for how to restart the network.

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface, necessary or your network won't work, this is the localhost address
auto lo
iface lo inet loopback

# The primary network interface
# Broadcast address is always xx.xx.xx.255 unless you KNOW it to be different
# netmask is 255.255.255.0 unless you KNOW different
# Notice the AUTO eth0 rather than allow-hotplug eth0
auto eth0
iface eth0 inet static
    address 216.99.209.41
    netmask 255.255.255.0
    network 216.99.209.0
    broadcast 216.99.209.255
    gateway 216.99.209.254
    # dns-* options are implemented by the resolvconf package, if installed
    dns-nameservers 216.99.193.19 216.99.193.2
    dns-search trbailey.net
    post-up iptables-restore < /etc/iptables.up.rules

# The internal network interface for NAT. You may need to try eth2 or eth3 to get this to work if you swapped NICs
auto eth1
iface eth1 inet static
    # Change the address entry below to 192.168.1.1 for most setups
    address 192.168.1.99
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    # No need for a gateway, dns or iptables-restore for this adapter unless this is a second internet adapter

To reset your network interfaces, at the console enter:
#/etc/init.d/networking restart
If everything went well you'll see the message:
Reconfiguring network interfaces...done.

If you were using PuTTY and SSH it will still work if everything came up correctly. Test it by pinging an internet address and an internal net box (cables are plugged in, right?). If both interfaces respond to pings, YOU'RE SET; continue to WEBMIN below.

If not you'll need to use the console to edit the files above and try again. Just be sure you know which adapter name has which address, one for the internet and the other for your internal network.

WEBMIN:
Follow this simple guide and return here when you can login to webmin.

ROUTER:
If you don't have a hub you may be able to use a hardware router in its place, but it's untested by me and not recommended. It will add an additional address translation layer and duplicate the IPTables NAT function. But if it's all you have and you need to feed more than one private net computer, you can probably get it to work.

You'll probably need to do this from a desktop computer if your router and internal adapter addresses are the same.

Email me if it won't and I'll see if I can help, but no guarantees. 10/100 hubs are available at nearly any resale computer store for $2-$4. I got the one above free at a garage sale.

IPTABLES:
In Debian Etch, iptables is already installed or will auto-install when you add rules. If you have rules you want to save, or you want to be able to return to the current config, at a shell prompt enter:
#iptables-save > /etc/webmin/firewall/iptables.save
This will save any currently active firewall rules to the /etc/webmin/firewall directory. To restore the rules that were saved enter:
#iptables-restore < /etc/webmin/firewall/iptables.save

First, if you plan on using masquerading you'll need to enable ip forwarding as follows. Failure to do so will cause no end of difficulties getting the masquerading (internet sharing) to work. This need only be done once for Debian Etch (4.0) and later versions.

NOTE: In earlier or other versions of Linux the procedure was to use "echo 1 > /proc/sys/net/ipv4/ip_forward". However, this is no longer the correct method in Debian Etch and later versions. Use the procedure below and there is no need to write a script; the setting persists across reboots.
Activate IP forwarding in /etc/sysctl.conf by adding or uncommenting the following line (it is applied at boot; run "sysctl -p" to apply it immediately).
net.ipv4.ip_forward = 1

You may also find this page useful if you don't use Debian Linux or you use Ubuntu.
http://tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html

SETUP IP TABLE RULES for filters and NAT tables :
Log in to Webmin
Select Networking -> Linux Firewall
If the firewall is active you'll see something similar to the image below. These are my rules, the first DROP is for a system that recently attempted to hack my SSH & FTP ports. You will probably not see any rules at all.
Image: firewall rules in Webmin

At the bottom of the page is a button marked "reset firewall", press this button.
You'll see a list of configuration options. Near the bottom is an option marked
Block all except SSH, IDENT, ping and high ports on interface:
Select this option and your internet adapter. Mine is eth2, but most are eth0.
See "Interfaces" above if you need help configuring your NICs.
If you are unsure which adapter to use, select "Network Configuration" and look under "Interfaces". You want to select the adapter that connects to the internet (it will have your STATIC internet IP). When you've selected the above option you'll see the same as above, with the first rule referring to your internet connection.

Notice the rule named:

Accept if protocol is TCP and destination ports are 21,80,443,110,25,993,995

This is the rule that opens your internet ports. In the example above I have the following ports open:
21,80,443,110,25,993,995 which are all related to the services I have running. If you want to change the default, select the "Accept" word and change only the port list on the lower portion of the screen. Press SAVE and then press APPLY CONFIGURATION.
Test your open ports if you have a local tool to do so. If not you'll need to enable NAT first so you can use a private net computer on your internal network to find a site on the internet.

NAT:
Now, to enable NAT on an internal network you'll need a separate interface, of course. Mine is eth1 and my internal network gateway address is 192.168.1.99. You'll need to know this address, even if you run DHCP. The IP address of the internal gateway (the IP of the second NIC) is arbitrary, but use 192.168.1.1 unless you have a reason to change it; most of the time it will be 192.168.1.1. I changed mine to allow static IP addresses below it and to prevent conflicts if I had to use my router again. If you haven't already discovered, more than one gadget cannot have the same IP address, so if I use 192.168.1.1 for my internal IP I can't even get to my router if I need to fiddle with it. If you aren't sure, use 192.168.1.1 in the Network Configuration screen for the adapter you are using, then SAVE and APPLY. You should be able to ping it from a private net computer (ping 192.168.1.1 or 192.168.1.?), even if NAT is not working, and Webmin should also work in a browser from an internal network computer as long as you connect to http://192.168.1.?:10000. Be sure to use 255.255.255.0 as the netmask unless you know otherwise. This will allow you to use Webmin even if your NAT is not working for internet access.

To enable NAT redirection on the internal adapter look at the top of the screen for the drop down box that says "Packet filtering (filter)", drop down the list and select "network address translation (nat)", and press "Show Iptables". You'll see no rules listed. We need to add only one rule to enable NAT. Under the POSTROUTING heading (bottom of the screen) press the ADD RULE button on the far right. At the top tick the box that says "Masquerade". Now down on the lower portion of the screen find the box marked "Outgoing Interface", select "EQUALS" and your internet adapter. Mine is eth2 so I select "Outgoing interface Equals eth2". Hit SAVE at the bottom of the screen to save this rule then select APPLY CONFIGURATION. Mine looks like this:

Image: NAT rules in Webmin
You should now be able to browse the internet on your NAT address boxes through your internal network interface. But you'll have to select an IP address for the internal network computer(s) and you'll have to enter the correct gateway IP for both gateway and DNS. If you want to set up DHCP so your internal computers get addresses automatically, see the next section below.
If it all works, you may want to forward NAT ports; see IP FORWARDING below.

STATIC IP:
On the private, internal network computer either windows or linux, set the

DHCP:
To install a DHCP server on your Linux Box use Webmin. Select ->Servers -> DHCP Server
If it's installed you'll see configuration options, if not webmin will offer to install it for you. Do so...
When it's installed, you'll need to add your private network to the list so it will assign addresses.
Select ADD A NEW SUBNET, give it a description if you want, enter the network which is going to be 192.168.1.0 for me since my gateway IP address is 192.168.1.99. The ZERO on the end is an indicator to use the entire subnet address range. Enter an appropriate netmask 255.255.255.0 in this case. Finally enter a range of addresses you want the DHCP server to assign. If you have static IP addresses on any of your private network computers, make sure you don't include them in the range. It should look similar to this:
Image: DHCP subnet in Webmin
In this example I've assigned addresses 192.168.1.120 through 192.168.1.130 to the DHCP server. So the first private net computer that requests an address will get .120, the next one will get 121 etc.
Now we need to define a default Internet Gateway and a Default DNS server for our internal network clients to use.
Press the "Edit Client Options" button and enter your gateway and DNS addresses as pictured below. The gateway address goes in the Default routers box and the DNS server goes in the DNS servers box. Be sure to tick the radio button.
Image: DHCP client options in Webmin
Press SAVE
Then press SAVE again to keep your configuration. Before starting the server we need to tell it which interface on which to assign addresses. It will probably guess correctly by comparing the subnet with the IP of the adapter but to be sure, let's tell it which one we intend it to use.
Image: DHCP network interface selection in Webmin

Find the button marked "Edit Network Interfaces" and press it. You'll see your current network interfaces listed, with one or more highlighted. Choose the adapter that matches your INTERNAL adapter only and press SAVE.

When you get the Module Index screen, you can either START the server if it's not running or APPLY CHANGES to force it to reload the configuration.

TEST it. You should be able to use default settings (automatic IP and DNS) in Windows XP or Vista and access the internet. The DHCP server will provide the next available address in the range, assign you a gateway address corresponding to the "Default router" address from above and a DNS corresponding to the "DNS servers" value you entered above.
*Note: At this point it's meaningless to run the Windows firewall, so turn it off, even if it complains. It will just get in your way and add overhead. All port forwarding configuration is now done under Webmin on the Linux SERVER box. Also be aware that Vista has a built-in DNS cache as well. It duplicates the Squid cache configuration below. Both are not necessary, nor are both desirable.
See:
Disable DNS Cache for more information or search the internet. Microsoft seems to have gone out of their way to prevent users from configuring and using the software they purchase the way they want to use it. You may not be able to disable it if you use a DHCP address.

HOW NAT WORKS:
NAT does not blindly forward data packets between the internet and internal computers. It is, essentially, an inbound firewall the way we have it set up here. It translates requests that came from the internal adapter to the internet. The rule says that any internal computer can initiate an outgoing connection on any "usable" port, and the firewall will allow traffic that is "related" to that request back through, even if it's using a different port. It does this because the firewall tracks the outbound connection and can match the returning packets to the internal adapter's request. That's why you don't need to specifically open port 80 to use the internet: your browser sends an outbound page request, and the reply is then serviced as a "related" connection. However, things like eMule, uTorrent etc. don't work that way. They send an HTTP request to a tracker or server that is satisfied because it's "related", but incoming connections from other peers are not "related" to that request, so you'll need to open a port for them to use if you plan on using them to any advantage.

Torrents: uTorrent and other torrent downloaders contact a tracker to get peer addresses and identify themselves as running. They also send requests directly to the peers or seeds. If you don't open a port for it to use, it uses port 80, which limits what it can do in terms of data transmission, meaning it can't directly connect to peers and transfer packets; it must use the tracker to send the packets. This means it must contact the tracker to initiate the transfer. I don't think the data itself is transferred via the tracker, but it does need to make the peer connection for you. This process adds significant delay and overhead to the download process, making it much less efficient since torrent files are downloaded in small chunks called "pieces". Using DHT makes it worth using. Without it, unless you are on a private network, the added overhead defeats the purpose of using a torrent downloader.
eMule: eMule (MLDonkey) and aMule work in a similar manner. They connect to a "server" for searching and initiating a transfer, but the data transfer itself needs to be done via a separate open port or it's basically a waste of time due to excessive packet overhead.

IP FORWARDING:
Now, to open ports in your firewall for things like uTorrent, eMule or other P2P setups you'll need to add a rule for each port range to the nat part of the iptables.
Add a rule to the PREROUTING section of your nat tables, the TOP of the NAT screen.

Static IP spiel:
Note that while forwarding will work using a DHCP address, if you have several computers using DHCP it's better to simply assign a static IP on the computer you are running uTorrent or eMule etc. I use DHCP when installing a new OS, PXE booting, and for temporary connections only. To enter a static IP, just enter the IP of your internal adapter as both gateway and DNS, then assign yourself an address on the same subnet but outside the DHCP address range. In the examples above I used 192.168.1.120 through 192.168.1.130 as DHCP addresses, so a static address could be anywhere between 192.168.1.2 (NOT the same as the internal adapter) and 192.168.1.119, or above 130 but not 255. 255 is reserved for other things (it is the broadcast address).

Adding Forwarding Rules with Webmin:
First, make sure you are viewing the NAT rules (drop down box, then press Show IP tables). Press ADD RULE. Tick the box marked "Destination NAT". Enter an IP address for the computer on the internal private network that hosts this service, like 192.168.1.100 from above. Find the box marked "Destination Address or Network:", set it to "Equals" and enter your INTERNET IP address. Select the protocol for this port range (TCP, UDP, ICMP etc.). Set source and destination ports to the port(s) you want opened, or use the separate Source and Destination boxes to translate an internet port to a private net port. See the example below:
Image: NAT forwarding rule in Webmin
Press SAVE and APPLY the rule. You should now be able to access the specified port on the specified IP address.
You can probably make this work with a DHCP address but this firewall does not support UPNP or NAT-PMP, both of which are huge security holes. So you'll have to manually open ports for services you run on internal network computers each time you restart. Also keep in mind that DHCP addresses have a Lease time that causes the address to be refreshed, which MAY mess up any forwarding rules you enter here. In short, take three minutes and enter a static IP.
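The same configuration as a plain iptables-restore file, for readers who would rather script it than click through Webmin; this is an added example, not part of the original guide. It covers the "block all except SSH, IDENT, ping" filter preset and the service-port rule from SETUP IP TABLE RULES, the POSTROUTING masquerade from NAT, the "related" behaviour from HOW NAT WORKS and the PREROUTING Destination NAT from this section, and it assumes net.ipv4.ip_forward = 1 as set under IPTABLES. It is deliberately stricter than the Webmin preset: high ports are not opened (the ESTABLISHED,RELATED rule already lets replies through) and FORWARD defaults to DROP so only the port you DNAT reaches the private network; the argument names and the host/port values in the usage line are assumptions, not values from this page.

```sh
#!/bin/sh
# Added example, not part of the original guide: emit an iptables-restore ruleset
# that mirrors the Webmin clicks above (filter rules, MASQUERADE, Destination NAT).
# Argument names and the usage values below are assumptions, not taken from the page.
# Usage: sh nat-rules.sh eth0 eth1 192.168.1.0/24 21,80,443,110,25,993,995 192.168.1.100 6881 \
#            > /etc/iptables.up.rules   (then: iptables-restore < /etc/iptables.up.rules)
# Requires net.ipv4.ip_forward = 1 in /etc/sysctl.conf, as described under IPTABLES.

gen_rules() {
    wan_if=$1     # adapter holding the static internet IP (eth0 in the interfaces file above)
    lan_if=$2     # internal adapter (eth1)
    lan_net=$3    # private network in CIDR form, e.g. 192.168.1.0/24
    svc_ports=$4  # comma-separated TCP ports to open on the internet side
    fwd_host=$5   # private host that receives the forwarded port (give it a static IP)
    fwd_port=$6   # TCP port forwarded from the internet IP to that host
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# replies to connections we started: the "related" behaviour described under HOW NAT WORKS
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the private network is trusted; the internet side only gets SSH, IDENT, ping and the service ports
-A INPUT -i $lan_if -j ACCEPT
-A INPUT -i $wan_if -p tcp --dport 22 -j ACCEPT
-A INPUT -i $wan_if -p tcp --dport 113 -j ACCEPT
-A INPUT -i $wan_if -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i $wan_if -p tcp -m multiport --dports $svc_ports -j ACCEPT
# internal computers may start connections outbound; only their replies come back in
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
# the single inbound hole, matching the DNAT rule below
-A FORWARD -i $wan_if -o $lan_if -d $fwd_host -p tcp --dport $fwd_port -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Webmin "Destination NAT" in PREROUTING: internet port -> private host
-A PREROUTING -i $wan_if -p tcp --dport $fwd_port -j DNAT --to-destination $fwd_host:$fwd_port
# Webmin "Masquerade" in POSTROUTING with outgoing interface = internet adapter
-A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE
COMMIT
EOF
}

# When run with all six arguments, print the ruleset to stdout.
if [ $# -eq 6 ]; then
    gen_rules "$@"
fi
```

Check the result with "iptables-save" after loading it; the post-up line in the interfaces file above reloads the same file whenever eth0 comes up.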

Testing webserver open ports:
Zenmap (the Nmap GUI) is acceptable and it runs on Windows.
FIRST: Download and install this: http://www.winpcap.org/install/bin/WinPcap_4_0_2.exe
Then install Zenmap: http://download.insecure.org/nmap/dist/nmap-4.50-setup.exe
Ignore the warning that WinPcap is already installed. The version of WinPcap that comes with Nmap alone won't work with Vista, so you have to install this version first.

You can also use HackerWatch to do a scan of your server IP.
Just click here and it will begin testing. It's a bit slow but it's very useful. And, of course, most p2p or torrent software has a "port test" internet page .

SQUID proxy DNS cache:
Many of us find a DNS cache very useful when running internal net computers. Keep in mind that VISTA HAS A DNS CACHE so using squid in addition may not be useful. I disabled it on mine so I can use the SQUID cache since it's more centralized and it provides an easy way to log pages visited. Plus there are many useful squid access.log reporting programs, like Webalizer that will generate an online report for you.

Webmin ->Servers ->Squid Proxy Server
If it's not installed, allow webmin to install it for you.

Image: Squid proxy server module in Webmin

Now press APPLY CONFIGURATION and wait for squid to come back. Start it if it's not started. If it fails to start (no STOP or APPLY..) check your ports and networking settings. See below next graphics to enable SQUID.


Image: Squid port redirection in Webmin
At this point Squid is running but not doing anything unless you set DNS to your gateway IP on port 3128. To enable Squid as a DNS caching server on port 80, select "Port Redirection" and enable it on your INTERNAL ADAPTER ONLY. Do not enable Squid for the internet adapter unless you know what you are doing: a proxy reachable from the internet will be found and abused as an open proxy. Once it's enabled you can test it in a browser. I've found that it significantly decreases the load time and network traffic on my internet connection by caching DNS IP addresses, thus preventing the need to HIT the DNS server for each object you load. Rather, it sends the IP address from the DNS cache when retrieving images, providing there is a cached version. There are many technical discussions on how to set the Squid cache and memory usage. Keep in mind that getting the HTML is only the beginning; a browser must often hit the same server dozens, even hundreds of times to load graphics. That's where a DNS cache helps: because the IP has already been resolved, it gets a HIT and uses the IP without having to go over the internet to get it again. Some browsers may use the same IP for graphics if the domain name is the same. But, overall, it's a much faster way to browse the internet.

If you find things missing on web pages or you just want to reset the squid cache, use the Clear and Rebuild Cache button on the Squid Module Index in Webmin.

FINALLY, before you quit:

Now that you've tested it and things are working, be sure to set the firewall to load the rules at boot time. In Webmin, tick the appropriate box in Servers -> Linux Firewall at the bottom of the page. Then press ACTIVATE AT BOOT. Reload the page from the menu and check it again. It's a bit flaky, or I don't get how it works. Questions, comments, or just saying hello:
siggma@trbailey.net