Configure a Debian Firewall Gateway

October 5, 2015 | Views: 4640


I am presenting to you, the Cybrary members, a Firewall/gateway configuration that’s used here in my home/HQ for Twisted Security.

It’s recommended that you learn the basic Linux Command Line operations and know how to use the tools provided to scan and monitor your firewall.

 

1. Install Latest Debian Distro
a. Absolute minimal install
b. No Web, FTP, Mail or any services not needed to run the Server
c. Change its internal IP on eth0 to static and .10 of the internal network IP allocation

 

2. We’ll Need Vim
a. Using Apt: apt-get install vim -y

 

3. A System Config to Forward ipv4
a. Using vim: vi /etc/sysctl.conf
b. Set net.ipv4.ip_forward=1
c. Escape, :wq

 

4. Network Interfaces
a. The interface eth0 is set to DHCP to get its IP Address from the Modem
b. The interface eth1 is set to static with an address of 150.125.20.1
c. Using Vim: vi /etc/network/interfaces. Both adapters should be of the gigabit variety

# External Network Adapter (eth0)
allow-hotplug eth0
iface eth0 inet dhcp

# The internal LAN Adapter (eth1)
# 1000 (Gigabit)
allow-hotplug eth1
iface eth1 inet static
address 150.125.20.1
netmask 255.255.255.0
network 150.125.20.0
broadcast 150.125.20.255

 

5. Setup the DHCP/DNS Server
a. We prefer the 150.125.20.0/24 network for 24 machines; the /24 may change if more machines are needed
b. Using Apt: apt-get install dnsmasq
c. Edit the config: vi /etc/dnsmasq.conf
d. At the top, add:

interface=eth1
listen-address=127.0.0.1
domain=home.yourdomain.com
# the DHCP range must lie inside the 150.125.20.0/24 subnet assigned to eth1,
# otherwise dnsmasq has no addresses to hand out on that interface
dhcp-range=150.125.20.100,150.125.20.110,12h
e. Escape, :wq
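A quick consistency check for steps 4 and 5, written for this article as an added example (not part of the original post): it parses an /etc/network/interfaces static stanza and a dnsmasq.conf and confirms that the dhcp-range sits inside the subnet of the interface dnsmasq serves. The two configs are constructed samples; the first deliberately uses a range from a different subnet (192.168.0.x) than the interface (150.125.20.0/24), the mistake the check is meant to catch.

```python
import ipaddress
import re

# Constructed sample matching the post's eth1 stanza
INTERFACES = """\
allow-hotplug eth1
iface eth1 inet static
address 150.125.20.1
netmask 255.255.255.0
"""

# Constructed sample: DHCP range from a different subnet than eth1
BAD_CONF = """\
interface=eth1
listen-address=127.0.0.1
domain=home.yourdomain.com
dhcp-range=192.168.0.100,192.168.0.110,12h
"""

# Constructed sample: DHCP range inside eth1's 150.125.20.0/24
GOOD_CONF = BAD_CONF.replace("192.168.0.100,192.168.0.110", "150.125.20.100,150.125.20.110")


def static_subnets(interfaces_text):
    """Map each 'iface X inet static' stanza to its IPv4 network."""
    stanzas, current = {}, None
    for line in interfaces_text.splitlines():
        m = re.match(r"\s*iface\s+(\S+)\s+inet\s+static", line)
        if m:
            current = m.group(1)
            stanzas[current] = {}
        elif current:
            kv = line.split(None, 1)
            if len(kv) == 2 and kv[0] in ("address", "netmask"):
                stanzas[current][kv[0]] = kv[1].strip()
    return {name: ipaddress.ip_interface(f"{v['address']}/{v['netmask']}").network
            for name, v in stanzas.items() if "address" in v and "netmask" in v}


def dnsmasq_settings(conf_text):
    """Return (interface, first_ip, last_ip) from dnsmasq.conf key=value lines."""
    opts = dict(l.split("=", 1) for l in conf_text.splitlines()
                if "=" in l and not l.startswith("#"))
    first, last = opts["dhcp-range"].split(",")[:2]
    return opts["interface"], ipaddress.ip_address(first), ipaddress.ip_address(last)


def dhcp_range_ok(interfaces_text, conf_text):
    """True only when the whole DHCP range lies inside the serving interface's subnet."""
    iface, first, last = dnsmasq_settings(conf_text)
    net = static_subnets(interfaces_text).get(iface)
    return net is not None and first in net and last in net and first <= last
```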

 

6. IP Tables
a. iptables is the preferred means of securing a Linux server
b. The standard script below allows outgoing connections but blocks anything incoming

#!/bin/sh
# firewall
PATH=/usr/sbin:/sbin:/bin:/usr/bin
#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# Default policies: anything not explicitly accepted below is dropped.
# Without these the built-in default policy is ACCEPT and nothing is blocked.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections, and new ones not coming from the outside (eth0 is the WAN side)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# Masquerade.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Don't forward from the outside to the inside.
iptables -A FORWARD -i eth0 -o eth1 -j REJECT
# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

c. Save this as /etc/init.d/firewall and make it executable: chmod a+x /etc/init.d/firewall
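To see why the interface negation and the chain policy matter, here is an added example (not code from the original post) that models first-match evaluation of an INPUT chain. It constructs two chains by hand: one that accepts NEW connections on every interface except eth1 with the default ACCEPT policy, and one that accepts NEW only when the packet did not arrive on eth0, with a DROP policy. Only -i / ! -i, --state and the chain policy are modelled; real iptables matching is far richer.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    target: str                       # -j ACCEPT / DROP / REJECT
    iface: Optional[str] = None       # -i <iface>
    iface_negated: bool = False       # ! -i <iface>
    states: frozenset = frozenset()   # --state values; empty means any state

    def matches(self, iface: str, state: str) -> bool:
        if self.iface is not None:
            hit = iface == self.iface
            if hit == self.iface_negated:   # plain match missed, or negated match hit
                return False
        return not self.states or state in self.states


def verdict(chain, policy, iface, state):
    """First matching rule wins, as in iptables; otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(iface, state):
            return rule.target
    return policy


# Constructed chain: "NEW ! -i eth1" accepts new connections from eth0 (the WAN)
LAN_NEGATED_INPUT = [
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
    Rule("ACCEPT", iface="eth1", iface_negated=True, states=frozenset({"NEW"})),
]

# Constructed chain: "NEW ! -i eth0" accepts new connections only from LAN or loopback
WAN_NEGATED_INPUT = [
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
    Rule("ACCEPT", iface="eth0", iface_negated=True, states=frozenset({"NEW"})),
]


def wan_new_verdict(chain, policy):
    """What happens to a brand-new inbound connection arriving on the WAN interface."""
    return verdict(chain, policy, "eth0", "NEW")
```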

 

7. Restart the Server

 

8. Once Restarted, Install Security Software
a. Using Apt apt-get install clamav rkhunter chkrootkit fail2ban

 

9. FastNetMon Anti-DDOS Analyzer
a. This application detects DoS or DDoS attacks and forces the attacked traffic into a black hole
b. Gain root access with su (or use a user with sudo/admin rights)
c. Get the software: wget https://raw.githubusercontent.com/FastVPSEestiOu/fastnetmon/master/src/fastnetmon_install.pl -O fastnetmon_install.pl
d. Run perl fastnetmon_install.pl
e. Let it install
f. Type /opt/fastnetmon/fastnetmon --daemonize

 

10. RUN A COMPLETE VIRUS SCAN
a. Type cd / as root
b. Type clamscan -r /

 

11. Reboot all systems within the network to gain a new IP from the Firewall and DNS settings.


It’s my hope that this, in itself, will help others in locking down their internal networks, or even the office network given the correct configuration. Truth be told, my security layers are much deeper than this, but most are configured closely to this configuration, with different IP schemes. My network is hidden quite securely behind 4 firewalls, with a honey pot (monitored by my company) in my DMZ drawing would-be attackers away from my primary network.

 

Scott Cilley
Founder/CTO
Twisted Security
www.twistedsecurity.com
