
I am presenting to you, the Cybrary members, a firewall/gateway configuration that's used here in my home/HQ for Twisted Security. It's recommended that you learn the basic Linux command line operations and know how to use the tools provided to scan and monitor your firewall.
1. Install the latest Debian distro
   a. Absolute minimal install
   b. No Web, FTP, Mail or any services not needed to run the server
   c. Change its internal IP on eth0 to static and .10 of the internal network IP allocation
2. We'll need Vim
   a. Using apt: apt-get install vim -y
3. A system config to forward IPv4
   a. Using vim: vi /etc/sysctl.conf
   b. Set net.ipv4.ip_forward=1
   c. Escape, :wq
4. Network interfaces
   a. The interface eth0 is set to DHCP to get its IP address from the modem
   b. The interface eth1 is set to static with an address of 150.125.20.1
   c. Using vim: vi /etc/network/interfaces

      # Both adapters should be of the gigabit variety
      # The external WAN interface (eth0)
      # External Network Adapter (eth0)
      allow-hotplug eth0
      iface eth0 inet dhcp

      # The internal LAN adapter (eth1)
      # 1000 (Gigabit)
      allow-hotplug eth1
      iface eth1 inet static
          address 150.125.20.1
          netmask 255.255.255.0
          network 150.125.20.0
          broadcast 150.125.20.255
5. Set up the DHCP/DNS server
   a. We prefer the 150.125.20.0/24 network for 24 machines; /24 may change if more machines are needed
   b. Using apt: apt-get install dnsmasq
   c. In /etc: vi /etc/dnsmasq.conf
   d. At the top:

      interface=eth1
      listen-address=127.0.0.1
      domain=home.yourdomain.com
      # The DHCP range must lie inside the subnet configured on eth1
      # (150.125.20.0/24), or dnsmasq will not hand out any leases on it.
      dhcp-range=150.125.20.100,150.125.20.110,12h

   e. Escape, :wq
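A sanity check for step 5, added here as an example and not part of the original post: dnsmasq only offers leases from a dhcp-range that lies inside a subnet configured on the interface it listens on, so a range on the wrong subnet leaves clients without addresses and only a log line on the gateway. The script below validates the range against the eth1 address and netmask from step 4 before emitting the dnsmasq.conf lines. The function names (ip2int, in_subnet, check_dhcp_range, dnsmasq_fragment) are this example's own.

```shell
#!/bin/sh
# Added example: validate a dnsmasq dhcp-range against the LAN interface's
# address/netmask before writing /etc/dnsmasq.conf. Pure POSIX sh, no root needed.

# Convert a dotted quad to a 32-bit integer.
ip2int() {
    _oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$_oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 when address $1 is inside the subnet defined by address $2 and netmask $3.
in_subnet() {
    _ip=$(ip2int "$1"); _net=$(ip2int "$2"); _mask=$(ip2int "$3")
    [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

# check_dhcp_range IFACE_ADDR NETMASK RANGE_START RANGE_END
# Returns 0 when both ends of the range lie in the interface's subnet, neither
# end is the interface's own address, and start <= end; otherwise prints the
# reason on stderr and returns 1.
check_dhcp_range() {
    addr=$1; mask=$2; start=$3; end=$4
    for host in "$start" "$end"; do
        if ! in_subnet "$host" "$addr" "$mask"; then
            echo "dhcp-range endpoint $host is outside the subnet of $addr/$mask" >&2
            return 1
        fi
        if [ "$host" = "$addr" ]; then
            echo "dhcp-range endpoint $host collides with the interface address" >&2
            return 1
        fi
    done
    if [ "$(ip2int "$start")" -gt "$(ip2int "$end")" ]; then
        echo "dhcp-range start $start is after end $end" >&2
        return 1
    fi
    return 0
}

# dnsmasq_fragment IFACE_ADDR NETMASK RANGE_START RANGE_END IFACE DOMAIN
# Emit the step-5 configuration lines, but only after the range has been validated.
dnsmasq_fragment() {
    check_dhcp_range "$1" "$2" "$3" "$4" || return 1
    printf 'interface=%s\nlisten-address=127.0.0.1\ndomain=%s\ndhcp-range=%s,%s,12h\n' \
        "$5" "$6" "$3" "$4"
}

# Usage with the post's values: eth1 is 150.125.20.1/24.
dnsmasq_fragment 150.125.20.1 255.255.255.0 150.125.20.100 150.125.20.110 eth1 home.yourdomain.com
```

Run it on the gateway before restarting dnsmasq; a range such as 192.168.0.100-192.168.0.110 with eth1 on 150.125.20.0/24 fails the check and nothing is written.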
6. IP tables
   a. iptables is the preferred means of securing a Linux server
   b. The standard script below allows outgoing connections but blocks anything incoming:

      #!/bin/sh
      # firewall
      PATH=/usr/sbin:/sbin:/bin:/usr/bin

      # Delete all existing rules.
      iptables -F
      iptables -t nat -F
      iptables -t mangle -F
      iptables -X

      # Default policies: drop whatever no rule below explicitly accepts.
      iptables -P INPUT DROP
      iptables -P FORWARD DROP
      iptables -P OUTPUT ACCEPT

      # Always accept loopback traffic.
      iptables -A INPUT -i lo -j ACCEPT

      # Allow established connections, and new ones that do not come from the outside (eth0).
      iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
      iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
      iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

      # Allow outgoing connections from the LAN side.
      iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

      # Masquerade.
      iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

      # Don't forward from the outside to the inside.
      iptables -A FORWARD -i eth0 -o eth1 -j REJECT

      # Enable routing.
      echo 1 > /proc/sys/net/ipv4/ip_forward

   c. Create this in /etc/init.d and make it executable: chmod a+x firewall
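The same gateway policy as step 6, added here as an example that is not part of the original post: the rules expressed as an iptables-restore ruleset generated from interface names, together with a checker that verifies the properties the post describes (default DROP policies, no NEW connections accepted from the WAN, no unsolicited WAN-to-LAN forwarding, masquerading on the WAN) before the ruleset is loaded. The function names gen_rules and check_rules are this example's own; eth0/eth1 are the post's interface roles, and IPv4 forwarding itself stays in sysctl.conf as in step 3.

```shell
#!/bin/sh
# Added example: generate the gateway ruleset in iptables-save format and
# check its invariants as plain text, so the check runs without root.

# gen_rules WAN LAN: print the ruleset for iptables-restore.
gen_rules() {
    wan=$1; lan=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections the gateway itself opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# new connections to the gateway (DNS, DHCP, SSH) only from the LAN side
-A INPUT -i $lan -m conntrack --ctstate NEW -j ACCEPT
# LAN -> WAN freely; WAN -> LAN only for flows the LAN started
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $wan -o $lan -j REJECT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# check_rules WAN LAN < ruleset: return 0 when every invariant holds,
# otherwise report each violation on stderr and return 1.
check_rules() {
    wan=$1; lan=$2
    rules=$(cat)
    fail=0
    has() { printf '%s\n' "$rules" | grep -q -- "$1"; }
    has '^:INPUT DROP'   || { echo "INPUT policy is not DROP" >&2; fail=1; }
    has '^:FORWARD DROP' || { echo "FORWARD policy is not DROP" >&2; fail=1; }
    has "^-A POSTROUTING -o $wan -j MASQUERADE" || { echo "no MASQUERADE on $wan" >&2; fail=1; }
    # any rule accepting NEW connections arriving on the WAN defeats the point
    if has "^-A INPUT -i $wan .*NEW.*-j ACCEPT"; then
        echo "INPUT accepts NEW connections from $wan" >&2; fail=1
    fi
    # an unconditional WAN -> LAN ACCEPT exposes every LAN host
    if has "^-A FORWARD -i $wan -o $lan -j ACCEPT"; then
        echo "FORWARD accepts unsolicited $wan -> $lan traffic" >&2; fail=1
    fi
    return $fail
}

# Usage: verify first, then load as root from the LAN console:
#   gen_rules eth0 eth1 | check_rules eth0 eth1 && gen_rules eth0 eth1 | iptables-restore
gen_rules eth0 eth1 | check_rules eth0 eth1 && echo "ruleset OK"
```

Because the INPUT policy is DROP and NEW connections are only accepted on the LAN interface, load the ruleset from the console or from a LAN host, not over a session that arrives on eth0. Saving the generated text to /etc/iptables/rules.v4 lets the iptables-persistent package reapply it at boot.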
7. Restart the server
8. Once restarted, install security software
   a. Using apt: apt-get install clamav rkhunter chkrootkit fail2ban
9. FastNetMon anti-DDoS analyzer
   a. This application will force DoS or DDoS attacks into a black hole
   b. Gain root access: su (or a user with sudo/admin rights)
   c. Get the software: wget https://raw.githubusercontent.com/FastVPSEestiOu/fastnetmon/master/src/fastnetmon_install.pl -O fastnetmon_install.pl
   d. perl fastnetmon_install.pl
   e. Let it install
   f. Type /opt/fastnetmon/fastnetmon --daemonize
10. Run a complete virus scan
   a. Type cd / as root
   b. Type clamscan -r /
11. Reboot all systems within the network to gain a new IP from the Firewall and DNS settings.
It's my hope that this, in itself, will help others in locking down their internal networks or even the office network given the correct configuration. Truth be told, my security layers are much deeper than this, but most are configured closely to this configuration. Different IP schemes and my network is hidden quite securely behind 4 firewalls with a honey pot (monitored by my company) in my DMZ - drawing the would-be attackers away from my primary network.

Scott Cilley
Founder/CTO
Twisted Security
www.twistedsecurity.com