a lot of users request Howtos about securing their various Linux systems ranging from desktop machines to OpenVPN routers. Based on your questions we decided to concentrate on three common use cases: Desktop machine, Home router, and application firewalling for a BitTorrent client.
Instead of using iptables directly, we show you how to configure firewalls with ferm which makes maintaining iptables firewalls easier due to its very readable configuration file. The ferm configuration also supports syntactical constructs known from programming languages (e.g. variables or conditionals). We use these constructs together with udev to automate firewall updates when OpenVPN connects or disconnects to prevent systems to access the Internet without an underlying VPN connection.
The Linux firewall Howto covers the set up of a desktop firewall and is the basis for the home router and Transmission articles. The most important features of the basic firewall setup are:
- The default configuration only allows to establish a VPN connection.
- Full Internet access only once the VPN is active.
- Automatic insertion of VPN related firewall rules based on interface add and remove actions controlled by udev.
- Basic DNS leak protection.
- Logging of dropped packets in PCAP format readable by tcpdump or Wireshark, which helps a lot when debugging firewall problems.
The Linux firewall Howto was written for use with Ubuntu Linux or Debian GNU/Linux systems, but with minor modifications (e.g. installing packages, directory layout) it should work equally well on other Linux distributions.
The article Restricting Transmission to the VPN interface on Ubuntu Linux deals with a common issue of limiting access to the Internet for a specific application. To achieve the intended behavior it is very important to make yourself familiar with the network interfaces and ports the restricted application needs to use. We picked out the Transmission BitTorrent client as an example application because it provides good control over network interface and port usage. The last chapter in this Howto shows how to tweak your desktop system for better BitTorrent performance.
The last of the three prepared articles is Configuring Debian GNU/Linux as an OpenVPN router which again extends the Linux firewall Howto in a scenario where you use a dedicated machine as a router at home. The router provides Internet access for a local network only if the VPN connection is active.
Have fun! Please send an email to email@example.com you have comment or error corrections. Thank you.
The IPredator team