An Easy Tutorial on IP Tables and Port Knocking
Do you wish you had access to your home file server without leaving your firewall wide open to attacks? Well, today's your lucky day! While you can implement this on any OS, it's easiest to do this on Linux. This article will show you how to lock down your firewall and implement a port knocker to let you in.
We are going to achieve this using a Linux firewall and server, SLED 10.1 to be exact. Yes, you will be playing around with config files, but I'll give you a template you can work with so you can just copy/paste and change the things you need to change.
Before we get started you need to install some things along with the OS. Mainly:
- C/C++ Compiler and Tools Pattern
- Common Code Base (for certification) Pattern
- kernel-source Package
- kernel-syms Package
You can install these tools through YaST2; just make sure you have the install CD/DVD with you and remember to resolve dependencies.
The first thing you have to do is configure both network cards. That's right, I said "both." You need to have two network cards in this box to let it run as a firewall. You need to configure one as "internal" and one as "external." Again, you can do this through YaST2.
While you're there, make sure the "External" card has no ports open and your internal one has all the ports open. The external card is the one that's going to be interfacing with the Internet and as such is the one running the firewall. If you can't figure out which card is which, open a terminal, run "su -" to change to root and type "ifconfig". Note the MAC addresses for each card (probably eth0 and eth1) and then compare them to the MACs you see in the YaST2 configuration screen. If your ISP gave you a static IP address, configure that on the external card as well; otherwise set up that card to obtain its IP address with DHCP. The setup should eventually look like this: modem -> SLED Server (a.k.a. firewall) -> router -> other computers.
I'm going to skip the rest of the card configuration steps; it's not that hard, just play around with it. You need to set up your internal card to either give out IP addresses, or just put the IP address of your second card into the default gateway of your router. Go crazy and experiment; the worst that will happen is that you need to reinstall or reset your router.
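The card layout described above, written out as the iptables rules it amounts to (an added example, not part of the original article, which sets this up through YaST2): the external card accepts no new inbound connections and logs what it drops, the internal card is fully open, and the box forwards and masquerades traffic from the LAN side. The names eth0 (external) and eth1 (internal) are assumptions; confirm yours against the MAC addresses as described, or override them with the EXT_IF and INT_IF environment variables.

```shell
#!/bin/sh
# Added example: a minimal two-card iptables policy for the modem -> firewall -> router layout.
# Interface names are assumptions; check them with ifconfig / the MACs shown in YaST2.
EXT_IF="${EXT_IF:-eth0}"   # assumed: the card facing the modem / Internet
INT_IF="${INT_IF:-eth1}"   # assumed: the card facing the router / LAN

# Print the rule set rather than applying it, so it can be reviewed (or tested) first.
build_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $INT_IF -j ACCEPT
iptables -A INPUT -i $EXT_IF -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix "fw-ext-drop: "
iptables -A INPUT -i $EXT_IF -j DROP
iptables -A FORWARD -i $INT_IF -o $EXT_IF -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
EOF
}

# Load the rules and turn on forwarding between the two cards (run as root).
apply_rules() {
    build_rules | sh -e
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Sanity check: number of INPUT rules that ACCEPT traffic arriving on the external card.
# For a closed external card this must be 0.
ext_accept_rules() {
    build_rules | grep -c -- "-A INPUT -i $EXT_IF .*-j ACCEPT" || true
}

# Sanity check: number of INPUT rules that ACCEPT everything arriving on the internal card (expect 1).
int_accept_rules() {
    build_rules | grep -c -- "-A INPUT -i $INT_IF -j ACCEPT" || true
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     build_rules ;;
esac
```

Run it with no arguments to see the rules it would load, and as root with the argument "apply" to install them. Only ESTABLISHED,RELATED traffic comes back in through the external card, which is exactly the hole the port knocker in the rest of the article will open selectively.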