Archive for April, 2007

Page 441, Chapter 17, Running a Linux Firewall/Router: Would you like to

Wednesday, April 25th, 2007

Would you like to change these settings? [Y/N]: N

OPTIONS CONFIGURATION
Demand Dial: Initiate the link only on demand, i.e. when data traffic is present.

7. Here is where you set up your dial-up features (providing you are using dial-up to get to the Internet, as this example does). The first question is whether to allow demand dialing. Type y if you want the Internet connection to start up every time someone tries to open a connection to that interface (say, for trying to browse the Web or sending e-mail from the local system or from any computer on your LAN that uses this machine as its route to the Internet):

Do you want to enable the demand dial option [y/n]: y

8. Type the number of seconds of idle time (time when no data is sent over the network connection) after which the dial-up connection to the Internet is dropped. The default is 180 (three minutes). I changed it to 600 (10 minutes).

Enter number of seconds for idle disconnect [180]: 600

9. To come up on the Internet with a particular IP address (assigned by the ISP), type y, then add the IP address as requested. In most cases, however, you will just have the ISP assign you an IP address, by typing n here.

Did your ISP assign you a static IP ADDRESS? [y/n]: n
Setting up for dynamic PPP Address
Set the local PPP interface IP address. Should not be the same as 192.168.0.1, but on the same subnet.

10. You need an initial IP address to start the PPP interface. As noted, you should use an IP address that is on the same network as your LAN.

Press enter for [192.168.0.3]: 192.168.0.3

11. The next several questions relate to setting up your dial-out connection. The tty device is the serial port where your modem is connected (ttyS0 for COM1, ttyS1 for COM2, and so forth). The port speed is how fast your computer can talk to the modem (the default, 115200, is fine). ATZ is the normal script for initializing a modem (check your modem manual if you need something else). Type any name representing your ISP (no spaces). Enter the phone number to dial to get your Internet connection. Finally, enter the username and then the password that was provided to you by the ISP for this Internet account. Note that the username and password you type here are written into the PPP configuration on the floppy you are building, so guard that disk as you would any written-down password.

Enter tty device name for modem (ttyS0, etc)[ttyS0]: ttyS0
Enter ttyS0's port speed (115200, 57600, etc)[115200]: 115200
Enter modem init string (Enter = ATZ): ATZ
Enter name of ISP (no whitespace)[isp]: att
Enter phone number to dial: 5551212
Enter username: jsmith
Enter password: tkN0stf

Page 440, Part III, Choosing and Installing a Linux Distribution: 3. Change to

Wednesday, April 25th, 2007

3. Change to the coyote directory that was just created and start the makefloppy.sh batch script to build the Coyote Linux floppy disk, as follows:

# ./makefloppy.sh
Coyote floppy builder script v2.9
Please choose the desired capacity for the created floppy:
1) 1.44Mb (Safest and most reliable but may lack space needed for some options)
2) 1.68Mb (Good reliability with extra space) - recommended
3) 1.72Mb (Most space but may not work on all systems or with all diskettes)

4. Choose the capacity of your floppy disk. I used 3 (1.72Mb) and it worked fine. With an older floppy drive, you may have to use a lower capacity, which will include fewer features.

Enter selection: 3
Please select the type of Internet connection that your system uses.
1) Standard Ethernet Connection
2) PPP over Ethernet Connection
3) PPP Dialup Connection

5. This example uses a PPP Dial-up Connection, so type 3. If you have a broadband (DSL, cable modem, or other Ethernet) connection to the Internet, you would typically select 1 here. Select 2 if your ISP said you have a PPPoE connection. Configuring an Ethernet connection is actually simpler than configuring dial-up: instead of defining the dialer, you typically just select to connect to the Internet via DHCP and enter a hostname (when prompted).

Enter Selection: 3
…
By default, Coyote uses the following settings for the local network interface:
IP Address: 192.168.0.1
Netmask: 255.255.255.0
Broadcast: 192.168.0.255
Network: 192.168.0.0

6. You can simply accept the default IP address (and the related Netmask, Broadcast, and Network numbers) by typing N. If you are creating a new set of addresses for your LAN, this is a common set of IP addresses for you to use (192.168.0.1, 192.168.0.2, etc.). Reasons to consider changing the IP address are if it conflicts with your current network numbering or if that set of IP addresses is being used on your interface to the Internet.

Page 439, Chapter 17, Running a Linux Firewall/Router: You need to know

Wednesday, April 25th, 2007

You need to know the Linux driver name for your Ethernet cards before you run the procedure to create your firewall floppy. If you don't know what it is, I recommend starting KNOPPIX on your machine and then using the lsmod and lspci commands to determine the driver names for your Ethernet cards (they should have been autodetected). Use modinfo if you are not sure that the driver name is the right one (for example, modinfo 8139too).

If possible, it's better to use a broadband or other Ethernet interface to connect to the Internet, because dial-up modems can require extra configuration to work, provide slower connections, and make you deal with the issues of using a phone line and bringing connections up and down all the time. Because, however, this section is meant to illustrate how to use minimal hardware with an extraordinarily compact Linux, it shows how to use an inexpensive connection type as well.

Figure 17-2 shows an example of the firewall configuration you'll create in the following Coyote Linux procedure.

Figure 17-2: A Coyote Linux firewall runs from a floppy disk, managing traffic between your network and the Internet. [Figure labels: ISP; phone line; dial-up modem (192.168.0.3); Coyote Linux floppy firewall; Ethernet card (192.168.0.1); LAN hosts 192.168.0.100, 192.168.0.101, 192.168.0.102]

Here's what you do to create a firewall with Coyote Linux:

1. On a computer that has a CD drive and a floppy drive, copy the Coyote Linux directory from the CD that comes with this book to your computer's hard drive. Then open a Terminal window (or other shell) and change to that directory. (See Appendix A for the location of Coyote Linux on the CD.)

2. Unzip and untar the Coyote Linux file by typing the following:

# tar xvfz coyote*tar.gz

Page 438, Part III, Choosing and Installing a Linux Distribution: Log

Tuesday, April 24th, 2007

- Log activities. In addition to creating logs of activities on the firewall, Coyote can be set to pass those log files to another computer on your LAN.
- Monitor network activities. There are a few basic administrative tools in Coyote Linux to check out your network a bit. Those tools include traceroute and nslookup.
- Log in remotely (ssh) and get around the shell. The sshd daemon in Coyote Linux lets you log in from another computer on your LAN. The busybox utility (www.busybox.net) provides a good set of basic shell tools.
- Open a Web interface to Coyote Linux. From any Web browser on your LAN, you can open the Coyote Linux Web Administrator interface by typing your firewall's IP address and port 8180 (for example, http://192.168.0.1:8180).

Both administrative interfaces (sshd on port 22 and the Web Administrator on port 8180) are meant to be reached from the LAN side only; once the firewall is up, the nmap check described earlier in this chapter is the way to confirm that neither answers on the Internet side.

The following section shows you how to create a Coyote Linux boot floppy firewall/router. Once you have your Coyote Linux firewall up and running, you can change settings for that firewall from another computer on your LAN using the Web browser or shell (ssh) interface to the computer. If you are familiar with the shell and firewall features (described earlier in the chapter), there are a lot of things, such as routing, demand dialing, and DHCP service, that you can do with this nice little distribution.

For more information, refer to the Web site of Vortech Consulting, LLC (www.vortech.net), which created the Coyote Linux project. Like many companies that support open source software, it offers commercial products that relate to its open source project. If you want more advanced products and support, you can consider purchasing its corporate and small-office firewall products.

Building the Coyote Linux Floppy

To get just what you want in your Coyote Linux firewall floppy, you need to build it yourself. That entails:

- Creating the floppy. You'll need a computer with a floppy drive to which you can write raw data. That machine should be running Linux (KNOPPIX should work fine if you don't have a Linux already installed).
- Running the firewall. For this, you want a computer that can boot from a floppy disk and has two network interfaces. That computer can be as low-end as a discarded 486 machine. In the example, the firewall computer will have a dial-up modem to connect to the Internet and an Ethernet card to connect it to your LAN (although a better and simpler way is to have an Ethernet connection to the Internet, which can basically turn on automatically in most cases). And, of course, you need a floppy disk.

The computer with which you create the floppy disk and the computer on which you run it may be the same computer.

Page 437, Chapter 17, Running a Linux Firewall/Router: The Iptables Tutorial

Tuesday, April 24th, 2007

- The Iptables Tutorial (http://iptables-tutorial.frozentux.net). This tutorial by Oskar Andreasson is the standard by which other iptables information is measured.
- Netfilter project (www.netfilter.org). Get the latest information about iptables development, patches, security issues, mailing lists, and news.
- Linux Gurus (www.linuxguruz.com/iptables). Provides a nice range of links to iptables FAQs, scripts, chat locations, HOWTOs, tutorials, tools, security sites, and mailing lists.

Making a Coyote Linux Bootable Floppy Firewall

In as little as a 1.44MB floppy disk, you can have a firewall that does a good job of protecting your LAN against unwanted access from the Internet. With a CD-ROM, you can add literally hundreds of tools for managing your firewall and keeping your network running smoothly.

There are a handful of bootable Linux firewall distributions available today. The rest of this chapter steps you through the setup of Coyote Linux and then describes a few others that might interest you.

Creating a Coyote Linux Firewall

Using a single, simple script, Coyote Linux lets you create a bootable Linux firewall that fits on a floppy disk. Once you install and boot Coyote Linux, you can manage it from another computer on your LAN. You can use a Web interface, or log into it using ssh and manage Coyote Linux from a Linux shell.

Coyote Linux contains an amazing set of features for such a small space. After booting the Coyote Linux boot floppy you create, you have a firewall with which you can:

- Route packets between your LAN and the Internet.
- Provide network interfaces for Ethernet LAN (standard Ethernet or PPPoE) or dial-up (PPP) connections.
- Create firewall rules supported by iptables. (It starts with a few basic rules, but you can add your own rules to include IP Masquerading and NAT, port forwarding, transparent proxies, or many other iptables features.)
- Enable DHCP. Coyote Linux can act as a DHCP server, providing IP addresses and other information to the computers on your LAN.

Page 436, Part III, Choosing and Installing a Linux Distribution: In this

Tuesday, April 24th, 2007

In this example, any packet destined for port 80 (--dport 80) is redirected to port 3128 (--to-ports 3128). Note that the packet is changed before it is routed (-A PREROUTING). You can only use REDIRECT targets in the PREROUTING and OUTPUT chains of the nat table. You can also give a range of port numbers to spread the redirection across multiple port numbers.

Using Iptables for Port Forwarding

What if you have only one public IP address but you want to use a computer other than your firewall computer to provide Web, FTP, DNS, or some other service? You can use the Destination Network Address Translation (DNAT) feature to direct traffic for a particular port on your firewall to another computer.

For example, if you want all requests for Web service (port 80) that are directed to the firewall computer (-d 15.15.15.15) to be directed to another computer on your LAN (such as 10.0.0.25), you could use the following iptables command:

# iptables -t nat -A PREROUTING -p tcp -d 15.15.15.15 --dport 80 \
    -j DNAT --to-destination 10.0.0.25

(This example should actually appear on one line. The backslash indicates continuation on the next line.)

DNAT only rewrites the destination address. The rewritten packet still has to pass your FORWARD chain, so if that chain drops by default you also need an ACCEPT rule for the target host and port, and IP forwarding must be turned on in the kernel (as described in the NAT section earlier in this chapter).

You can also spread the load for the service you are forwarding by providing a range of IP addresses (for example, --to-destination 10.0.0.1-10.0.0.25). Likewise, you can direct the request to a range of ports as well.

Getting Iptables Scripts

Rather than type in all your firewall rules by hand, there are many scripts available on the Internet (licensed under the GPL) that you can modify to suit your needs. Many of these scripts contain sections at the front where you can add IP addresses, port numbers, and other information that is specific to your firewall setup.

A nice set of scripts that illustrate how to use iptables comes from Oskar Andreasson, the author of the iptables tutorial. The set can be found at http://iptables-tutorial.frozentux.net/scripts/. In particular, rc.firewall.txt is a good file to step through.

Finding Out More about Iptables

So far, you've seen an overview of many of the features in iptables and gotten a basic understanding of what it can do. Creating complex firewalls, especially in situations where there are a lot of people trying to break in, requires a much deeper knowledge of iptables. I suggest that, from here, you refer to the following:
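The port-forwarding rule above is only half of what a working setup needs. The following script is an added example, not the book's own code, that pairs the DNAT rule with the FORWARD rule it depends on and adds the rule set for LAN clients that connect to the public address (hairpin NAT). The addresses, interface names and the dry-run convention are assumptions: eth0 is the Internet side with public address 15.15.15.15, eth1 is the LAN side (10.0.0.0/24) where the firewall is 10.0.0.1 and the Web server is 10.0.0.25.

```shell
#!/bin/sh
# Added example, not the book's own script: forward TCP port 80 from the
# firewall's public address to a Web server on the LAN, with the FORWARD
# rule that DNAT alone does not give you. Assumed addresses: public
# 15.15.15.15 on eth0; LAN 10.0.0.0/24 on eth1, where the firewall is
# 10.0.0.1 and the Web server is 10.0.0.25. Dry run by default: the
# commands are printed, not installed. Run with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
WAN_IF=eth0; LAN_IF=eth1
PUB_IP=15.15.15.15; LAN_NET=10.0.0.0/24; FW_LAN_IP=10.0.0.1
SERVER=10.0.0.25; PORT=80

# Rules for requests arriving from the Internet.
port_forward() {
    # Rewrite the destination before the routing decision.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$PUB_IP" --dport "$PORT" \
        -j DNAT --to-destination "$SERVER"
    # DNAT only rewrites. With a default-DROP FORWARD chain the rewritten
    # packet still needs a pass, limited to this one host and port.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$SERVER" --dport "$PORT" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Rules for LAN clients that use the public address. Their packets enter
# on eth1 and are rewritten to 10.0.0.25, but the server would answer the
# client directly, so the client sees a reply from 10.0.0.25 instead of
# from 15.15.15.15 and drops it. Source-NAT these to the firewall's LAN
# address so the reply comes back through the firewall and is un-NATed.
hairpin() {
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp -d "$PUB_IP" --dport "$PORT" \
        -j DNAT --to-destination "$SERVER"
    $IPT -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$SERVER" -p tcp --dport "$PORT" \
        -j SNAT --to-source "$FW_LAN_IP"
    $IPT -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -p tcp -d "$SERVER" --dport "$PORT" -j ACCEPT
}

port_forward
hairpin
```

Run it once without arguments to read the rules it would install, then with IPT=iptables on the firewall. The hairpin SNAT hides the real client address from the Web server's logs for LAN clients only; Internet clients still appear with their own addresses.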

Page 435, Chapter 17, Running a Linux Firewall/Router: Adding Modules with Iptables

Tuesday, April 24th, 2007

Adding Modules with Iptables

Some firewall features require that modules be added to the kernel. For example, if a client behind your firewall needs to access an FTP server in active mode, special modules are required. With active-mode FTP, the FTP client sends its IP address and the port number on which it will listen for the data connection to the server (in the PORT command). If that client is on a computer that is behind your firewall, for which you are doing NAT, that information must be translated as well or the FTP server will not be able to connect back to the client.

The iptables facility uses modules to track connections, looking inside the FTP data themselves (that is, not in the IP packet header) to get the information it needs to do NAT (remember that computers on the Internet can't talk directly to your private IP addresses). For FTP connection tracking, you need to have the following modules loaded:

ip_conntrack
ip_conntrack_ftp
ip_nat_ftp

(On current kernels the same modules are named nf_conntrack, nf_conntrack_ftp, and nf_nat_ftp.)

For client computers to use some chat servers from behind the firewall, you need to add connection tracking and NAT as well. In those cases, addresses and port numbers are stored within the IRC protocol packets, so those packets must be translated, too. To allow clients on your LAN to use IRC services, you need to load the following modules:

ip_conntrack_irc
ip_nat_irc

The default port for IRC connections is 6667. If you don't want to use the default, you can add different port numbers when you load the connection-tracking modules:

# insmod ip_conntrack_irc.o ports=6668,6669

Keep in mind that these helper modules parse untrusted data in the packet payload and open holes through the firewall for the data connections they predict, so load only the helpers for protocols your LAN actually uses.

Using Iptables as a Transparent Proxy

You can use REDIRECT to cause traffic for a specific port on the firewall computer to be directed to a different port. This feature enables you to direct host computers on your local LAN to a proxy service on your firewall computer without those hosts knowing it. Here's an example of a command line that causes a request for Web service (port 80) to be directed to a proxy service (port 3128):

# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128

As written, this rule matches packets arriving on every interface; in practice add -i followed by your LAN interface name (eth1, for example) so that Web requests arriving from the Internet are not handed to your proxy.
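The two pieces described on this page, the connection-tracking helpers and the transparent proxy, are put together below in an added example that is not the book's own script. It uses the current nf_* module names, binds the helpers only to control connections that LAN clients open (on kernels since 4.7, automatic helper assignment is off by default and the CT target in the raw table is the way to attach a helper), and restricts the REDIRECT rule to the LAN interface. The interface names, the LAN address range, the proxy port and the IRC port list are assumptions.

```shell
#!/bin/sh
# Added example, not from the book: attach the FTP and IRC connection-
# tracking helpers only to control channels that LAN clients open, and
# redirect LAN Web traffic into a proxy on the firewall. Module names are
# the current nf_* ones (the book's ip_conntrack_* names are the 2.4-era
# equivalents). Assumed: LAN on eth1 (10.0.0.0/24), Internet on eth0,
# proxy listening on port 3128 of the firewall. Dry run by default; run
# with IPT=iptables MODPROBE=modprobe to apply.
IPT="${IPT:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"
LAN_IF=eth1; WAN_IF=eth0; LAN_NET=10.0.0.0/24
PROXY_PORT=3128
IRC_PORTS="6667,6668,6669"

# Helpers parse untrusted payload and punch RELATED holes through the
# firewall, so load only the ones you need and assign them explicitly.
# Since kernel 4.7 automatic helper assignment is off by default; the CT
# target in the raw table is the supported way to bind a helper to a flow.
load_helpers() {
    $MODPROBE nf_conntrack_ftp ports=21
    $MODPROBE nf_nat_ftp
    $MODPROBE nf_conntrack_irc ports="$IRC_PORTS"
    $MODPROBE nf_nat_irc
    # Only control connections opened from the LAN get a helper; a
    # connection coming in from the Internet never does.
    $IPT -t raw -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 21 -j CT --helper ftp
    for p in $(printf '%s' "$IRC_PORTS" | tr ',' ' '); do
        $IPT -t raw -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$p" -j CT --helper irc
    done
    # Data connections the helper predicted (active-FTP PORT, IRC DCC)
    # arrive from the Internet as RELATED; nf_nat_* rewrote the addresses
    # inside the payload so the remote end could reach the client at all.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate RELATED -j ACCEPT
}

# Transparent proxy: match only packets entering from the LAN. Without
# -i, Web requests arriving from the Internet would also be handed to
# the proxy.
transparent_proxy() {
    # Web servers on the LAN itself are not proxied.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp -d "$LAN_NET" --dport 80 -j RETURN
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
    # The proxy port is reachable from the LAN only.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$PROXY_PORT" -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$PROXY_PORT" -j DROP
}

load_helpers
transparent_proxy
```

The RETURN rule in the nat PREROUTING chain ends processing for LAN-to-LAN Web traffic (the chain's policy, ACCEPT, then applies), so only traffic bound for the Internet is redirected.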

Page 434, Part III, Choosing and Installing a Linux Distribution: It's possible

Monday, April 23rd, 2007

It's possible that you won't have access to a Linux machine on the Internet to test outside access to your computer. If you have another computer on your LAN, try running nmap from that computer. If you have only Windows machines, you can always run a bootable Linux and try nmap from that.

Using Iptables to Do NAT or IP Masquerading

You can use Source Network Address Translation (SNAT) or IP Masquerading (MASQUERADE) to allow computers on your LAN with private IP addresses to access the Internet through your iptables firewall. Choose SNAT if you have a static IP address for your Internet connection, and use MASQUERADE if the IP address is assigned dynamically.

When you create the MASQUERADE or SNAT rule, it is added to the nat table and the POSTROUTING chain. For MASQUERADE you must provide the name of the interface (such as eth0, ppp0, or slip0) to identify the route to the Internet or other outside network. For SNAT you must also identify the actual IP address of the interface. The following examples assume that the connection to the Internet is provided through the first Ethernet card (eth0). Here's an example of a MASQUERADE rule:

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

And here's an example of an SNAT rule:

# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 12.12.12.12

You can add several source addresses if you have multiple addresses that provide a route to the Internet (for example, --to-source 12.12.12.1-12.12.12.254).

Although MASQUERADE uses some additional overhead (it looks up the interface's address for each new connection), you probably need to use it instead of SNAT if you have a dial-up connection to the Internet for which the IP address changes on each connection; MASQUERADE also forgets its tracked connections when the interface goes down, which is what you want when the address will be different next time.

Make sure that IP forwarding is turned on in the kernel. (It is off by default.) To turn it on temporarily, do the following:

# echo 1 > /proc/sys/net/ipv4/ip_forward

Turn forwarding on only after your FORWARD chain rules are in place: with forwarding on and an empty FORWARD chain whose policy is ACCEPT, the computer routes every packet between its interfaces with no filtering at all.

To turn on IP forwarding permanently, add the following line to the /etc/sysctl.conf file:

net.ipv4.ip_forward = 1

If you require it, here's how to turn on dynamic IP addressing:

# echo 1 > /proc/sys/net/ipv4/ip_dynaddr
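The NAT rule, the FORWARD rules it relies on and the forwarding switch belong together in one script, in that order. The following is an added example, not the book's own code: it chooses SNAT or MASQUERADE from whether a static address is configured, refuses packets from the Internet side that claim a LAN source address, and turns forwarding on last. Interface names, the LAN range and the dry-run convention are assumptions.

```shell
#!/bin/sh
# Added example, not from the book: outbound NAT for a LAN behind an
# iptables firewall. Assumed interfaces/addresses: eth0 is the Internet
# side, eth1 is the LAN side, the LAN is 10.0.0.0/24. Dry run by default:
# the rules are printed, not installed. Run with IPT=iptables to apply,
# and set WAN_IP to your static address to get SNAT instead of MASQUERADE.
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-10.0.0.0/24}"
WAN_IP="${WAN_IP:-}"          # empty means a dynamic address (MASQUERADE)

# The nat-table rule for outbound traffic. SNAT needs the static address;
# MASQUERADE looks the address up on each new connection, which is what
# you want when the ISP hands out a different address every time.
nat_rule() {
    if [ -n "$WAN_IP" ]; then
        $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
    else
        $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    fi
}

# Forwarding policy: NAT alone does not make the box a filter. Drop by
# default, refuse packets arriving from the Internet with a LAN source
# (spoofing), let the LAN out, and let replies back in.
forward_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

build_nat() {
    nat_rule
    forward_rules
    # Forwarding goes on last, after the FORWARD rules exist, so there is
    # no window in which the kernel routes unfiltered traffic.
    if [ "$IPT" = "iptables" ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    fi
}

build_nat
```

The anti-spoofing rule is the one most often left out: without it, a packet from the Internet forged with a 10.0.0.x source would match the LAN-to-Internet rule set on some firewalls and could be answered from the inside.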

Page 433, Chapter 17, Running a Linux Firewall/Router: Checking Your Firewall

Monday, April 23rd, 2007

Checking Your Firewall

Now that your firewall is configured, you should check it to make sure that it appears to the outside world (in our example, to the Internet on eth0 and your local LAN on eth1) as you would like it to. A popular tool for checking what services are available on a network interface is called nmap.

While nmap is an excellent tool for checking network interfaces on your own computer or private LAN, it should not be used to check for available services on computers that are not yours. Using nmap on someone else's computer is like checking all the doors and windows on a person's house to see if you can get in. It is considered to be an intrusive act. Use nmap only to make sure your own doors and windows are secure.

Following is an example of using nmap to scan a large number of ports on the firewall system you just configured, to see what services appear to be available from the two network interfaces on the firewall (eth0 and eth1). To do this effectively, you need to run the nmap command from a computer outside your local firewall. That's because you don't want to see what is going on inside your firewall; you want to see the outside world's view of your firewall.

From the firewall computer, you'd first get the IP address of the external Internet interface on eth0 by running ifconfig eth0. For this example, that IP address is 323.45.67.89. (Remember that is not a real IP address; it's used so you don't nmap a real computer on the Internet.) Then, from another Linux machine on the Internet, type the following:

# nmap 323.45.67.89

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-10-22 14:56 CDT
Interesting ports on 323.45.67.89:
(The 1653 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   open   ssh
53/tcp   closed domain
80/tcp   closed http
113/tcp  closed auth
4000/tcp closed remoteanything

Nmap run completed -- 1 IP address (1 host up) scanned in 72.951 seconds

The output shows that 1653 ports scanned on this address were filtered (blocked from access) and 6 were not blocked. Services not filtered include TCP ports 21, 22, 53, 80, 113, and 4000 (which you made available when you set up the firewall earlier). Notice that only ssh has a server listening (providing service) at the moment. The other services are open from the firewall (not filtered), but the servers are not running yet.

Two things to keep in mind when reading such output: "closed" means the firewall let the probe through and the host answered it, so that port becomes reachable the moment a server starts listening on it; and a plain nmap run probes TCP ports only, so the UDP ports you opened (53, 2074, and 4000) need a separate nmap -sU scan to be checked.
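Reading the scan by eye works for six lines; a check you can rerun every time the rules change is better. The following is an added example, not the book's own code: it takes nmap output and a list of the ports you intend to expose, and reports every port the scan reached (any state other than filtered) that is not on that list. The scan text is the book's sample output above, embedded as constructed input so the check runs offline.

```shell
#!/bin/sh
# Added example, not from the book: compare what an outside nmap run
# reports against the ports you intended to expose. "closed" is not
# "filtered": a closed port means the firewall passed the probe and the
# host answered, so that port is exposed the moment something listens on
# it. The scan text below is the book's sample output, embedded here as
# constructed input so the check runs offline.
SCAN='Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-10-22 14:56 CDT
Interesting ports on 323.45.67.89:
(The 1653 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   open   ssh
53/tcp   closed domain
80/tcp   closed http
113/tcp  closed auth
4000/tcp closed remoteanything

Nmap run completed -- 1 IP address (1 host up) scanned in 72.951 seconds'

# Print every port the scan reached (state other than filtered) that is
# not in the allow list. $1 = nmap output, $2 = space-separated allow
# list such as "22/tcp 80/tcp". One "port state" pair per output line.
unexpected_ports() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 != "filtered" && !($1 in ok) { print $1, $2 }'
}

# Return 0 when the outside view matches the intended exposure, 1 otherwise.
check_exposure() {
    bad=$(unexpected_ports "$1" "$2")
    if [ -n "$bad" ]; then
        printf 'reachable but not intended:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# If only ssh and the Web are meant to be reachable, this scan fails the
# check: 21, 53, 113 and 4000 are closed rather than filtered.
check_exposure "$SCAN" "22/tcp 80/tcp" || true
```

To use it on a live result, run nmap from outside and feed its output in: check_exposure "$(nmap 323.45.67.89)" "22/tcp 80/tcp". Add the UDP ports from an nmap -sU run (for example "53/udp") to the allow list when you check that scan.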

Page 432, Part III, Choosing and Installing a Linux Distribution: The first

Monday, April 23rd, 2007

The first four lines open up the ports for the TCP services you want to provide to anyone from the Internet: FTP service (--destination-port 21), secure shell service (22), Web service (80), and IDENTD authentication (113), the last of which might be necessary for protocols such as IRC.

You want to ensure that the services on the ports to which you are allowing access are properly configured before you allow packets to be accepted. In other words, don't open port 80 until you have a Web server configured, or port 53 before you have a DNS server configured.

The last three lines define the ports where connection packets are accepted from the Internet for UDP services. This example assumes that DNS service (--destination-port 53) is configured on the computer. It also illustrates lines that accept requests for two other optional ports: port 2074 is needed by some multimedia applications the users on your LAN might want to use, and port 4000 is used by the ICQ protocol (for online chats).

At this point you can run iptables -L again to see your new set of rules. If you have a connection to the computer from your LAN, as we illustrated with some options above, you can try to ping the computer from the LAN. You can also try configuring different services and accessing them from your network interfaces.

With this part of the procedure completed, your new firewall rules are built into the Linux kernel but do not exist anywhere in a configuration file. Unless you save those rules, they will be gone the next time you reboot your computer. The following section discusses saving your firewall settings so you can use them permanently.

Saving Firewall Settings

If you think you have a good set of rules in your current kernel, you can save them using the iptables-save command so they can be reloaded later using the iptables-restore command. Here's an example of how to use the iptables-save command:

# iptables-save > /root/iptables

In this example, the current firewall rules are stored in the /root/iptables file (you can put them anywhere you like for the time being). These rules can be copied to where they can be loaded automatically on some Linux systems. For example, on Red Hat Linux systems, copy this file to /etc/sysconfig/iptables, and the rules are installed when the computer reboots (the iptables init script does the loading, so that service must be enabled at boot). If they don't load automatically, you can restore them yourself as follows:

# iptables-restore < /root/iptables

The previously saved rules are now restored to the currently running kernel. Note that iptables-restore replaces the entire rule set in one step (unless you pass -n to keep the existing rules), so whatever was loaded by hand before is gone; keep a copy of the running rules before restoring if you might need to go back.
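The saved file has a format of its own (one block per table, ending in COMMIT), and a typo in it makes iptables-restore reject the whole set. The following is an added example, not the book's own procedure: it writes the rules this section describes in the iptables-save format, runs a structural check that needs no kernel, keeps a rollback copy of the running rules, and only then loads the file. Paths, the LAN range and the interface names are assumptions; by default it only prints what it would do.

```shell
#!/bin/sh
# Added example, not the book's own procedure: keep the rule set in the
# iptables-save file format, check it before loading, and keep a rollback
# copy of whatever was running. The file below encodes the rules this
# section describes (TCP 21, 22, 80, 113 and UDP 53, 2074, 4000 accepted
# on the Internet side) plus MASQUERADE on eth0; default policies DROP.
# Interface names, the LAN range and paths are assumptions. With DRY=1
# (the default) the load commands are printed, not run.
DRY="${DRY:-1}"
BACKUP="${BACKUP:-/root/iptables.bak}"

# Write the rule set to the file named in $1.
write_ruleset() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp -m multiport --dports 21,22,80,113 -j ACCEPT
-A INPUT -i eth0 -p udp -m multiport --dports 53,2074,4000 -j ACCEPT
-A INPUT -i eth1 -s 10.0.0.0/24 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 10.0.0.0/24 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Structural check that needs no kernel: every *table block must end in
# COMMIT, and every -A rule must name a chain declared in its block.
# iptables-restore --test does the full parse on a real system.
check_ruleset() {
    awk '
        /^\*/      { if (open) bad = 1; open = 1; for (c in chains) delete chains[c]; next }
        /^:/       { sub(/^:/, ""); chains[$1] = 1; next }
        /^-A /     { if (!($2 in chains)) bad = 1; next }
        /^COMMIT$/ { if (!open) bad = 1; open = 0; next }
        END        { exit ((bad || open) ? 1 : 0) }' "$1"
}

# Back up the running rules, then load. iptables-restore swaps the whole
# rule set in one step, so there is no half-loaded state in between.
install_ruleset() {
    check_ruleset "$1" || { echo "ruleset $1 is malformed, not loading" >&2; return 1; }
    if [ "$DRY" = 1 ]; then
        echo "+ iptables-save > $BACKUP"
        echo "+ iptables-restore --test $1 && iptables-restore < $1"
        return 0
    fi
    iptables-save > "$BACKUP" || return 1
    iptables-restore --test "$1" || { echo "ruleset rejected, running rules unchanged" >&2; return 1; }
    iptables-restore < "$1"
}

f="$(mktemp)"
write_ruleset "$f"
install_ruleset "$f"
rm -f "$f"
```

On a Red Hat system the file written by write_ruleset can go straight to /etc/sysconfig/iptables; on others, point whatever runs at boot at it with iptables-restore. If a loaded set locks you out, iptables-restore < /root/iptables.bak from the console puts the previous rules back.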