Linux in a Windows Workstation Environment, Part I
In the summer of 2004, the resort owners expanded and refurbished the computer room, replacing all the old computer equipment with 39 new Windows XP workstations connected to the Internet by way of a T-1 line. This was a perfect opportunity to upgrade the server using the fastest of our old computers, an AMD Athlon 1800+. It had 256MB of RAM, two disk drives with a storage total of 10GB and two network interfaces. The SuSE 9.1 distribution, which has a 2.6.x kernel, was the basis for the new system. The two hard drives were partitioned using the following scheme:
Swap partitions, the equivalent of the swap file on Windows systems, were placed on each drive, with 2.0 GB on /dev/hda--the master drive on the primary IDE system, C: in Windows terminology--and 0.5 GB on /dev/hdb, the slave drive. Splitting the swap space between drives improves the system response; however, this system swaps infrequently and it probably doesn't matter.
The remainder of /dev/hda, 7.8 GB, was formatted as a Reiser filesystem mounted as /, the root of the filesystem.
The remainder of /dev/hdb, 4.0 GB, was formatted as a Reiser filesystem mounted on /home, which is the location characteristically dedicated to user file storage.
One of the advantages of Linux is it supports several distinct filesystems, and the user can choose among them. I selected the Reiser filesystem for its journaling capability, which avoids long recovery times in case of system crashes or power failures. It also is more efficient than the Linux-default ext2 filesystem when there are large numbers of small files. Linux also presents multiple disk drives in what appears to be a monolithic filesystem. Even remote filesystems, mounted across a network, are referenced using a path with exactly the same form as local files.
Our current Windows environment consists of 38 user stations, each with a 2.4GHz Celeron processor, 256MB of RAM and a 40GB hard drive. The single instructor's machine has a 3.0GHz P4 processor, 512MB of RAM and and 80GB hard drive. All of the machines have Windows XP Pro, DVD ROM - CD/RW optical drives and 17" flat-screen LCD monitors. Other equipment includes an XGA projector, an HP2300N b/w laser printer, an HP4650N color laser printer and two scanners. We also have several free RJ-45 ports so users can connect to the Internet using personal notebook computers. In addition, free Wi-Fi access is being provided throughout the park. Figure 1 shows a view of part of our computer facility.
Every resident of the RV park is eligible to use the computers; however, during the winter season (Nov. 1 - March 31), only members of the club can use either printer or take classes. During the remainder of the year, access to the color printer is blocked, but the b/w printer is available. In season, the computers are available from 7AM to 9PM, seven days a week, with roughly 25,000 individual user sessions per season. This season, all 38 machines frequently are busy and more users are waiting. Club rules prevent an individual user from installing new programs, storing files on any of the computers or changing any settings. A software program that restores each machine in the middle of each night enforces these rules.
Now that I have become more familiar with Linux, I would like to offer one or more systems with a Linux desktop; however, I don't think our user base would support this. In fact, many of our users operate the computer by rote and are lost if even a desktop icon is missing.
The most important functions of the Linux box in the current setup are to act as the gateway for the Windows workstations, perform network address translation for them and protect the network from outside intrusion. These tasks are accomplished by using a boot-time script that utilizes the iptables facility of Linux. The first step is to make certain the necessary kernel modules are loaded. These probably would be autoloaded; however, these instructions generate an error if any of these modules are missing.
modprobe ip_tables modprobe ip_nat_ftp modprobe ip_conntrack_ftp
The next step is to turn off packet forwarding and turn on route verification on all interfaces to prevent IP spoofing. This syntax is appropriate for the bash shell. N.B. /proc is a pseudo filesystem containing information that describes and controls drivers and processes.
echo 0 > /proc/sys/net/ipv4/ip_forward for i in /proc/sys/net/ipv4/conf/*/rp_filter do echo 1 > $i done
The next set of commands defines the symbol IPTABLES as the absolute path of the iptables binary, deletes all existing rules and removes all user-defined chains.
IPTABLES="/usr/local/sbin/iptables" $IPTABLES -F # delete all the rules $IPTABLES -X # delete all user-defined chains
We now set the policies for the standard chains. Incoming packets are dropped unless we have a rule that accepts them; whereas outgoing and forwarded packets are accepted unless a rule drops them.
$IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT
We now establish network address translation (NAT). This rule will source NAT everything heading out the eth1 (external) interface to the IP of that interface. This form is correct for a dynamic IP.
$IPTABLES -t nat -A POSTROUTING -o eth1 -j MASQUERADE
We now create three logging chains and a silent chain to drop packets that will be identified by rules entered later. Packets are dropped rather than rejected to hide our existence from a potential intruder. To help prevent any denial-of-service attack from succeeding, the maximum rate at which log entries are generated is limited. The backslash (\) character is used to continue a command onto a new line.
$IPTABLES -N firewall $IPTABLES -A firewall -m limit --limit 15/minute -j LOG \ --log-prefix "*** Firewall:" $IPTABLES -A firewall -j DROP $IPTABLES -N dropwall $IPTABLES -A dropwall -m limit --limit 15/minute -j LOG \ --log-prefix "*** Dropwall:" $IPTABLES -A dropwall -j DROP $IPTABLES -N badflags $IPTABLES -A badflags -m limit --limit 15/minute -j LOG \ --log-prefix "*** Badflags:" $IPTABLES -A badflags -j DROP $IPTABLES -N silent $IPTABLES -A silent -j DROP
The local loopback device (127.0.0.1 or lo) and the internal Ethernet interface (eth0) are deemed to be trusted, and any packets destined for the outside are routed without further inspection. This assumption may not be appropriate for your network, depending on your users.
$IPTABLES -A INPUT -i lo -j ACCEPT $IPTABLES -A OUTPUT -i lo -j ACCEPT $IPTABLES -A INPUT -i eth0 -j ACCEPT $IPTABLES -A OUTPUT -i eth0 -j ACCEPT
All packets originating from our nameservers, which are external, are accepted.
$IPTABLES -A INPUT -i eth1 -s 184.108.40.206 -j ACCEPT $IPTABLES -A INPUT -i eth1 -s 220.127.116.11 -j ACCEPT $IPTABLES -A INPUT -i eth1 -s 18.104.22.168 -j ACCEPT
The next set of rules catches all malformed packets that have illegal combinations of flags and places them on the badflags chain, which logs and drops them.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags $IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j badflags $IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \ -j badflags $IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j badflags $IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags $IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags
The next section silently drops packets that generate a lot of log entries but are not deemed harmful, including the netbios stuff that Windows machines generate.
$IPTABLES -A INPUT -i eth1 -s 22.214.171.124 -j silent $IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j silent
Most icmp packets are dropped. Only type 8 (ping) and type 0 (ping reply) are accepted. Pings are limited to one per second.
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit \ --limit 1/second -j ACCEPT $IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT $IPTABLES -A INPUT -p icmp -j firewall
Secure-shell packets coming in on eth1 are accepted only from networks 10.10.x.0.
$IPTABLES -A INPUT -i eth1 -s 10.10.0.0/16 -p tcp --dport 22 -j ACCEPT
Any remaining packets coming from the external interface (eth1) are dropped unless their state is ESTABLISHED or RELATED. No external computer can create a connection to any computer on the inside.
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
The final rule is to send anything still on INPUT to the dropwall chain. That way we don't get silent drops.
$IPTABLES -A INPUT -j dropwall
The final step is to turn on packet forwarding and echo an appropriate line to the console.
echo 1 > /proc/sys/net/ipv4/ip_forward echo "The MRCC Firewall is up and running."
The above rules have protected our network from external attacks for nearly four years now.