Destination NAT

The firewall can be configured so that an internal server is reachable from the extranet. The easiest way is Destination NAT, although it is somewhat less secure.

  1. Lawu and Merbabu (intranet) can reach Jawa (extranet).
  2. Conversely, Jawa cannot reach Lawu, but can reach some ports on Merbabu.

Following on from the previous article, what we need to add on Merapi (the firewall) is:

  1. Set up DNAT to Merbabu.
  2. Allow forwarding from the extranet to Merbabu.

Here we will try DNAT for port 22 (ssh) and port 80 (http). So from Jawa, if you connect to ssh or http on Merapi (10.0.1.1), you will end up on Merbabu (192.168.0.1).

  • SET UP THE FIREWALL
    Edit /etc/rc.d/rc.firewall as in the listing attached below.
  • CHECK THE FIREWALL
    Your firewall script will be run automatically at boot. For now, run it manually, then test as follows:
    #### Run the firewall
    root@merapi:# ./rc.firewall
    Starting firewall ...
    
    #### Check the rules
    root@merapi:/etc/rc.d# iptables -L
    root@merapi:/etc/rc.d# iptables -t nat -L

  • TEST FROM JAWA (EXTRANET) TO MERAPI
    OK, now the testing …
    ## SSH to Merapi
    tux@jawa:# ssh root@10.0.1.1


    If you land on Merbabu rather than on Merapi, DNAT is working correctly. Check on Merbabu:

    root@merbabu:# w
     07:29:57 up 23:37,  2 users,  load average: 0.04, 0.02, 0.00
    USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
    root     ttys/0   -                Sat06    0.00s  0.00s  0.00s w
    root     pts/0    10.0.1.254       07:29   32.00s  0.00s  0.00s -bash


    So there really is a session, coming from 10.0.1.254 (Jawa). Magic, isn't it?

  • TEST FROM LAWU
    From Lawu, try each of the following, and each time check the incoming connections on Merbabu.
    # SSH to Merapi, external IP
    root@lawu:# ssh root@10.0.1.1
    
    # SSH to Merapi, internal IP
    root@lawu:# ssh root@192.168.0.254
    
    # SSH to Merbabu, internal IP
    root@lawu:# ssh root@192.168.0.1


    What is your conclusion? (Doh … this feels like writing a lab module for students, LOL.)

  • LISTING OF RC.FIREWALL
    #!/bin/sh
    # rc.firewall
    # A simple set of firewall rules for masquerading
    # Using network-based masquerading, not interface-based masquerading
    #
    # This is an example only, not to be used in production.
    # Use it at your own risk.
    #
    # (c) Kocil, 2004
    
    # The settings
    INTRANET="192.168.0.0/24"
    
    SNAT_IP="10.0.1.1"
    
    DNAT_IP=10.0.1.1
    DNAT_SERVER=192.168.0.1
    DNAT_PORTS="ssh,http,smtp"
    
    BASTION_PORTS="--all"
    #BASTION_PORTS="ssh,domain,http,smtp"
    
    # You should not need to change anything after this
    IPT="/usr/sbin/iptables"
    
    firewall_disable_forwarding()
    {
      echo "0" > /proc/sys/net/ipv4/ip_forward
    }
    
    firewall_enable_forwarding()
    {
      echo "1" > /proc/sys/net/ipv4/ip_forward
    }
    
    ## Clear all rules, no firewall at all
    firewall_clear()
    {
      $IPT -F
      $IPT -F -t nat
      $IPT -F -t mangle
      $IPT -X
    }
    
    ## Set the default rules
    firewall_default()
    {
      $IPT -P INPUT DROP
      $IPT -P FORWARD DROP
      $IPT -P OUTPUT ACCEPT
    }
    
    ## Turn ON SNAT/Masquerading
    firewall_masquerade()
    {
      # If the external address is dynamic (e.g. a dialup modem), use masquerading
      #$IPT -t nat -A POSTROUTING -s $INTRANET ! -d $INTRANET -j MASQUERADE
    
      # otherwise, use SNAT with the fixed external address
      $IPT -t nat -A POSTROUTING -s $INTRANET ! -d $INTRANET \
        -j SNAT --to-source $SNAT_IP
    
      # allow forwarding from internal to external
      $IPT -A FORWARD -s $INTRANET -j ACCEPT
    
      # allow forwarding to internal, related only
      $IPT -A FORWARD -d $INTRANET -m state --state ESTABLISHED,RELATED -j ACCEPT
    }
    
    ## Turn On DNAT/Redirect
    firewall_redirect()
    {
      # redirect some TCP ports arriving at the external address to merbabu
      $IPT -t nat -A PREROUTING -d $DNAT_IP \
        -p tcp -m multiport --dports $DNAT_PORTS \
        -j DNAT --to-destination $DNAT_SERVER
    
      # allow forwarding from external to merbabu, some ports only
      $IPT -A FORWARD -d $DNAT_SERVER -p tcp \
        -m multiport --dports $DNAT_PORTS -j ACCEPT
    }
    
    ## Open all or some ports of the host itself
    firewall_bastion()
    {
      if [ "$BASTION_PORTS" = "--all" ]; then
        # accept everything addressed to the firewall host itself
        $IPT -A INPUT -j ACCEPT
      else
        $IPT -A INPUT -i lo -j ACCEPT
        $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPT -A INPUT -p tcp -m multiport --dports $BASTION_PORTS -j ACCEPT
        $IPT -A INPUT -p udp -m multiport --dports $BASTION_PORTS -j ACCEPT
        $IPT -A INPUT -p icmp -j ACCEPT
      fi
    }
    
    ## Top levels subroutines
    ## Start the firewall
    firewall_start() {
      echo "Starting firewall ..."
      firewall_disable_forwarding
      firewall_clear
      firewall_default
      firewall_masquerade
      firewall_redirect
      firewall_bastion
      firewall_enable_forwarding
    }
    
    firewall_stop()
    {
      echo "Stopping firewall ..."
      firewall_clear
    }
    
    ## Main program
    case "$1" in
      start)
        firewall_start
        ;;
      stop)
        firewall_stop
        ;;
      restart)
        firewall_stop
        sleep 2
        firewall_start
        ;;
      *)
        firewall_start
        ;;
    esac
    
    ## End rc.firewall
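To make the packet walk through the listing concrete, here is an added example (not part of the original post or of the rc.firewall script) that models, for the first packet of a new TCP connection, the three decision points the rules above touch on Merapi: nat PREROUTING (DNAT), the filter FORWARD chain, and nat POSTROUTING (SNAT). The addresses of Jawa (10.0.1.254), Merapi and Merbabu are taken from the post; Lawu's address 192.168.0.2 is an assumption. It goes one step beyond the post by also tracing the Lawu cases that the post leaves as an exercise, and uses Python instead of iptables so the walk can be checked without root.

```python
from ipaddress import ip_address, ip_network

# Values taken from the rc.firewall listing above
INTRANET = ip_network("192.168.0.0/24")
MERAPI_EXT = ip_address("10.0.1.1")      # DNAT_IP and SNAT_IP
MERAPI_INT = ip_address("192.168.0.254")
DNAT_SERVER = ip_address("192.168.0.1")  # Merbabu
DNAT_PORTS = {22, 80, 25}                # ssh,http,smtp
LOCAL_ADDRS = {MERAPI_EXT, MERAPI_INT}

def walk(src, dst, dport):
    """Trace the first packet (SYN) of a TCP connection through Merapi.

    Returns (chain, verdict, final_dst, src_seen_by_dst) as strings, where
    chain is "INPUT" when the packet is delivered to Merapi itself and
    "FORWARD" when it is routed onwards.
    """
    src, dst = ip_address(src), ip_address(dst)
    # nat PREROUTING: rewrite selected ports addressed to the external IP
    if dst == MERAPI_EXT and dport in DNAT_PORTS:
        dst = DNAT_SERVER
    # Routing: local delivery goes to INPUT. With BASTION_PORTS="--all"
    # the INPUT chain accepts everything, so the packet reaches Merapi's daemons.
    if dst in LOCAL_ADDRS:
        return "INPUT", "ACCEPT", str(dst), str(src)
    # filter FORWARD (policy DROP), rules in the order the script appends them
    if src in INTRANET:                                   # intranet may go anywhere
        verdict = "ACCEPT"
    elif dst == DNAT_SERVER and dport in DNAT_PORTS:      # extranet -> Merbabu ports
        verdict = "ACCEPT"
    else:                                                 # ESTABLISHED,RELATED rule
        verdict = "DROP"                                  # never matches a SYN
    if verdict == "DROP":
        return "FORWARD", verdict, str(dst), str(src)
    # nat POSTROUTING: SNAT only applies when leaving the intranet. A packet
    # from Lawu (assumed 192.168.0.2) DNATed to Merbabu stays inside
    # 192.168.0.0/24, so it is forwarded with Lawu's own source address;
    # Merbabu then answers Lawu directly from 192.168.0.1 instead of 10.0.1.1,
    # so that connection never completes (asymmetric return, "hairpin NAT").
    if src in INTRANET and dst not in INTRANET:
        src = MERAPI_EXT
    return "FORWARD", verdict, str(dst), str(src)

if __name__ == "__main__":
    for case in [("10.0.1.254", "10.0.1.1", 22),        # Jawa -> Merapi ssh
                 ("10.0.1.254", "10.0.1.1", 443),       # Jawa -> Merapi https
                 ("192.168.0.2", "10.0.1.1", 22),       # Lawu -> Merapi external
                 ("192.168.0.2", "192.168.0.254", 22),  # Lawu -> Merapi internal
                 ("192.168.0.2", "10.0.1.254", 22)]:    # Lawu -> Jawa
        print(case, "->", walk(*case))
```

The model covers only the first packet of a connection; replies are handled by the ESTABLISHED,RELATED rules and are not traced here.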

Written by: Kocil
