Installing the Firewall

This section assumes that the firewall script is called rc.firewall. There's no reason that the script couldn't be called simply fwscript or something else either. In fact, on Debian systems the standard is closer to the single name, fwscript, rather than a name prefixed with an rc. as is the case on Red Hat. This section covers the commands as if the script was installed in either /etc/rc.d/ for a Red Hat or SUSE system and /etc/init.d/ for a Debian system.

As a shell script, initial installation is simple. The script should be owned by root. On Red Hat and SUSE:

 chown root.root /etc/rc.d/rc.firewall 

On Debian:

 chown root.root /etc/init.d/rc.firewall 

The script should be writable and executable by root alone. Ideally, the general user should not have read access. On Red Hat and SUSE:

 chmod u=rwx /etc/rc.d/rc.firewall 

On Debian:

 chmod u=rwx /etc/init.d/rc.firewall 

To initialize the firewall at any time, execute the script from the command line. There is no need to reboot:

 /etc/rc.d/rc.firewall start 

Technically, the start argument isn't required there, but it's a good habit anywayagain, I'd rather err on the side of completeness than have ambiguity with a firewall. The script includes a stop action that flushes the firewall entirely. Therefore, if you want to stop the firewall, call the same command with the stop argument:

 /etc/rc.d/rc.firewall stop 

Be forewarned: If you stop the firewall in this way, you are running with no protection. The attorneys tell me that I should tell you, "Always leave the firewall enabled!"

On Debian, change the path for the command to /etc/init.d. Start the firewall:

 /etc/init.d/rc.firewall start 

Stop the firewall on Debian:

 /etc/init.d/rc.firewall stop 

Tips for Debugging the Firewall Script

When you're debugging a new firewall script through an SSH or another remote connection, it's quite possible that you might lock yourself out of the system. Granted, this isn't a concern when you're installing the firewall from the console, but as someone who manages remote Linux servers, I find that access to the console is rarely possible. Therefore, a method is necessary for stopping the firewall automatically after it gets started, just in case the firewall locks out my connection. Cron to the rescue.

Using a cron entry, you can stop the firewall by running the script with a stop argument at some predefined interval. I find that every 2 minutes works well during initial debugging. If you'd like to use this method, set a cron entry with the following command as root (on Debian):

 crontab -e */2 * * * * /etc/init.d/rc.firewall stop 

On Red Hat and SUSE:

 crontab -e */2 * * * * /etc/rc.d/rc.firewall stop 

With this cron entry in place, you can start the firewall and have it stop every 2 minutes. Using such a mechanism is somewhat of a trade-off though, because you have to do your initial debugging before the clock hits a minute divisible by two! Additionally, it's up to you to remember to remove this cron entry when you've debugged the firewall. If you forget to remove this entry the firewall will stop and you'll be running with no firewall again!

Starting the Firewall on Boot with Red Hat and SUSE

On Red Hat and SUSE, the simplest way to initialize the firewall is to edit /etc/rc.d/rc.local and add the following line to the end of the file:

 /etc/rc.d/rc.firewall start 

After the firewall rules are debugged and stable, Red Hat Linux provides a more standard way to start and stop the firewall. If you chose iptables while using one of the runlevel managers, the default runlevel directory contains a link to /etc/rc.d/init.d/_iptables. As with the other startup scripts in this directory, the system will start and stop the firewall automatically when booting or changing runlevels.

One additional step is required to use the standard runlevel system, however. You must first manually install the firewall rules:

 /etc/rc.d/rc.firewall 

Then execute the command:

 /etc/init.d/iptables save 

The rules will be saved in a file, /etc/sysconfig/iptables. After this, the startup script will find this file and load the saved rules automatically.

A word of caution is in order about saving and loading the firewall rules using this method. The iptables save and load features are not fully debugged at this point. If your particular firewall configuration results in a syntax error when saving or loading the rules, you must continue using some other startup mechanism, such as executing the firewall script from /etc/rc.d/rc.local.

Starting the Firewall on Boot with Debian

As with many other things, configuring the firewall script to start on boot is simpler on Debian than on other distributions. You can make the firewall start and stop on boot with the update-rc.d command. Run update-rc.d with the firewall script in /etc/init.d, and set your current directory to /etc/init.d/ as well:

 cd /etc/init.d update-rc.d rc.firewall defaults 

See the man page for update-rc.d for more information on its usage beyond that shown here.

Other aspects of the firewall script depend on whether you have a registered, static IP address or a dynamic, DHCP-assigned IP address. The firewall script as presented in this chapter is set up for a site with a statically assigned, permanent IP address.

Installing a Firewall with a Dynamic IP Address

If you have a dynamically assigned IP address, the standard firewall installation method won't work without modification. The firewall rules would be installed before the network interfaces are brought up, before the system is assigned an IP address, and possibly before being assigned a default gateway router or name servers.

The firewall script itself needs the IPADDR and NAMESERVER values defined. Both the DHCP server and the local /etc/resolv.conf file can define up to three name servers. Also, any given site may or may not know the addresses of their name servers, default gateway router, or DHCP server ahead of time. Furthermore, it's not uncommon for your network mask, subnet, and broadcast addresses to change over time as the ISP renumbers its network. Some ISPs assign a different IP address on a frequent basis, with the result that your IP address can change numerous times during the course of an ongoing connection.

Your site must provide some means of dynamically updating the installed firewall rules as these changes occur. Appendix B, "Firewall Examples and Support Scripts," provides sample scripts designed to handle these changes automatically.

In addition, if you're using a DSL connection, there's a chance that the MTU might cause problems. If this is the case, here's a firewall rule to fix the problem:

 $IPT -A OUTPUT -o $INTERNET -p tcp --tcp-flags SYN,RST \     SYN -j TCPMSS --clamp-mss-to-pmtu 

The firewall script could read these shell variables directly from the environment or could read them from a file. In any case, the variables would not be hard-coded into the firewall script, as they are in the example in this chapter.