Running Linux and Netfilter on Nokia IP Series Hardware
Check Point Software Technologies has the largest market share of any firewall vendor with their Firewall-1 (FW-1) product, and Nokia manufactures several hardware appliances together with an operating system called IPSO to run FW-1. IPSO is based on FreeBSD, provides advanced routing and failover capabilities and is extremely stable, with uptimes regularly running in the multiple hundreds of days. Nokia and Check Point together provide as close to a de facto standard for enterprise firewalls as possible in a field with such a diversity of security vendors. Of course, all of this comes at a price; Check Point makes a lot of money on both licensing fees and support contracts for Firewall-1. Then, as time marches on, Check Point stops supporting older versions of FW-1. This by itself does not force companies to upgrade to newer versions of FW-1, at least not until a security vulnerability or other bug is discovered. Firewall-1 is not open-source software and, hence, cannot be patched without Check Point's (paid) assistance.
The purpose of this article is to illustrate a method for installing Red Hat Linux on a Nokia IP330 and, furthermore, to show that Netfilter can function properly in this hardware environment. The choice of Red Hat as the Linux distribution mostly is motivated by its relative ease of installation as compared to other distributions, such as Debian, Gentoo or Linux From Scratch. These others certainly work, and Gentoo was tested as such. This article merely serves as a proof of concept. It is assumed the reader has some familiarity with Linux system administration.
A base Nokia IP330 appliance manufactured in 1999 contains an AMD K6-II 266MHz processor with 64MB of RAM and an 8.0GB Quantum Fireball IDE hard drive. It is a 1U rackmountable machine with no CD-ROM or floppy drive, no keyboard or mouse ports, no graphics card, only one IDE port and one serial console port. The motherboard is custom built by Nokia with an Intel PCI bus, runs an Award BIOS and is labeled NOKIA IPRG IP300 SERIES. Three 10/100Mb Intel EtherExpress Pro Ethernet interfaces are built right onto the motherboard. Although the IP330's hardware specification is modest compared to more modern hardware, it nonetheless is quite capable of handling the task it was designed to perform.
Hardware/Software Requirements:
1 Phillips head screwdriver
1 serial cable
1 Nokia IP330
1 standard desktop PC running Linux with an AMD K6-II (266 or 500MHz) processor, CD-ROM drive and an Ethernet interface
Red Hat 7.3 disks (only the first two installation disks are necessary)
Access to the Internet
Installation Outline:
Remove drive from Nokia IP330 and install in the desktop system.
Install RH 7.3 Linux on the desktop with only network support and the individual GCC, autoconf and ncurses packages.
Boot into the newly installed Linux distribution on the desktop.
Download the latest stable kernel (2.4.20 as of this writing).
Compile the kernel for AMD K6-II, serial support, no LKMs, ext2/ext3 filesystems, iptables, VM support, the Becker eepro100 driver and so on.
Configure /etc/lilo.conf.
Configure /etc/inittab.
Configure /etc/securetty.
Shutdown the desktop and reinstall the drive in the IP330.
Boot and configure an iptables policy.
Before we start the installation process, it is important to have the necessary hardware and software and to review the installation outline above. Begin with the Nokia IP330 and the desktop PC both in functioning states, with IPSO installed on the Nokia machine and Linux on the desktop.
At the end of this process, we aim to have a functioning Linux system on the original drive, which currently is in the IP330. Before we begin formatting any disks, however, it is important to boot into IPSO and record the MAC addresses of all three Ethernet interfaces using ifconfig. This is necessary because the Intel EtherExpress cards are built onto the Nokia motherboard, and their EEPROMs apparently are not located at an address where either the standard Linux eepro100 driver or the Intel e100 driver expects to find them. The cards do accept MAC addresses set manually with ifconfig, however, so we can simply assign the MAC addresses recorded under IPSO to the cards once we have installed and booted into Linux. You may also want to record other information from the Nokia, such as IP addresses, OSPF and VRRP configurations and so forth.
Now that all important information from the Nokia has been recorded, the next thing to do is crack open the case of the IP330. After removing all 17 screws (including the drive screws) to remove the top of the IP330 case, disconnect the drive IDE and power cables. Take the Nokia drive out of the IP330 and swap it in place of the Linux drive currently installed in the desktop PC. Boot off of Red Hat install CD #1. Although the graphics mode of Anaconda works perfectly well, the text mode seems a bit less cluttered, so pass the option text at the boot prompt. Use fdisk or disk druid to remove any existing IPSO UFS partitions, add a 128MB swap partition and three ext3 partitions: /boot (50MB), /etc (200MB) and / (remaining space). Once the new partition table is saved there is no going back; both IPSO and Check Point FW-1 are gone.
Next we must choose a boot loader. Both LILO and GRUB work on the IP330s, but LILO is less than one tenth the size of GRUB. Hence, LILO was chosen for this article as it is less complex. The BIOS on the Nokia machines is able to load the boot loader into RAM off the master boot record and jump to it as any normal BIOS would do, so instruct Anaconda to install LILO in the MBR. Several of the next configuration sections are routine, and no special options need to be passed to the kernel at boot time: select an appropriate network configuration so the machine can be put on the network, select the default shadow/MD5 password scheme and so on. When it comes time to install the various packages, select only Network Support and then go into the Select Individual Packages section and add GCC, autoconf and ncurses.
After the package installation finishes, the last detail to take care of before starting the real work is the creation of the boot disk. Even though the Nokia IP330 has no floppy drive, it still is useful to create a boot disk, because the drive always can be moved to another machine if something goes wrong.
Now that we have Linux installed on the original Nokia disk, we can begin the process of customizing the installation to function on the Nokia hardware. The first step is to download and compile a custom kernel (see Resources). Boot into Linux on the desktop PC, login as root, gain network connectivity and download the latest stable kernel (2.4.20 as of this writing) from kernel.org. Extract the kernel tar archive and begin the compilation process with make menuconfig (possible because we installed the ncurses library) to configure the kernel build. It is important to ensure that only necessary portions of the kernel code are compiled into the resulting kernel binary. To this end, only the following features should be compiled in:
Processor type and features:
K6/K6-II/K6-III
General setup:
Networking support
PCI support
PCI device name database
System V IPC
Sysctl support
Kernel support for ELF binaries
ATA/IDE/MFM/RLL support:
Enhanced IDE disk support
CMD640 chipset bugfix/support
RZ1000 chipset bugfix/support
Include IDE/ATA-2 disk support
Use multi-mode by default
Generic PCI IDE chipset support
Sharing PCI IDE interrupts support
Generic PCI bus-master DMA support
Intel PIIXn chipsets support
PIIXn Tuning support
Networking options:
Packet socket
Network packet filtering (replaces ipchains)
UNIX domain sockets
TCP/IP networking
IP: Netfilter Configuration:
Connection tracking
IP tables support
Connection state match support
Connection tracking match support
Packet filtering
Full NAT
MASQUERADE target support
LOG target support
Network device support:
EtherExpressPro (eepro100, Becker driver)
Character devices:
Standard/generic serial support
Support for console on serial port
Filesystems:
Ext3 journaling filesystem support
Virtual memory filesystem support
/proc filesystem support
Second extended fs support
After compiling the kernel with the standard make dep && make clean && make bzImage, our shiny new kernel should be around 610KB in size. Copy it to the /boot partition, configure LILO to see the new kernel binary and run lilo -t && lilo to reinstall LILO in the MBR.
By default the LILO boot loader does not send any kernel boot messages, init messages or system log messages over the serial port. Initially when we reinstall the IP330 drive back in the IP330, the only method we have available to interact with the machine is through the serial port. To configure LILO to send messages over the serial port, add the following line just before the timeout=50 line:
serial=0,9600n8
This instructs LILO to send messages out of /dev/ttyS0, which corresponds to serial port 0, at a speed of 9600 baud with one stop bit and no parity bits (see Resources). Also, there is no need to have LILO display the fancy semi-graphical boot message, so remove the message=/boot/message line. Now that we have finished editing /etc/lilo.conf, it is time to rerun lilo -t && lilo once more.
Configuring LILO to send messages over the serial port would not be of much use if, after the machine boots and init has run, there is no way to login. Therefore, we require init to spawn a getty process on /dev/ttyS0. Getty processes are spawned from the init process based on the /etc/inittab configuration file. The default Red Hat inittab file instructs init to start getty processes on ttys 1 through 6:
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6
Because there is no way to attach a keyboard to a Nokia IP330, all of these should be replaced with the following single line:
1:2345:respawn:/sbin/agetty -h ttyS0 9600 vt102
agetty, in contrast to mingetty, does not reference any configuration files and simply takes all configuration input from the command line. mingetty also is not suitable for use on serial lines, according to its man page.
If the desktop PC has only one Ethernet interface, the Red Hat installer creates only one network config file for eth0, located at /etc/sysconfig/network-scripts/ifcfg-eth0. The Nokia has three network interfaces, however, so ifcfg-eth0 should be copied to ifcfg-eth1 and ifcfg-eth2 in the /etc/sysconfig/network-scripts directory. Each of these files needs to be edited to contain the correct interface names, IP addresses and MAC addresses. Interface eth0 under Linux corresponds to eth-s3 under IPSO, eth1 to eth-s4 and eth2 to eth-s5. To each of the ifcfg-eth[n] files add the line MACADDR=<MAC> where <MAC> is the original MAC address, as reported under IPSO before the Nokia disk was formatted. This mitigates the problem of the Ethernet driver not being able to read the MAC addresses directly out of the EEPROM chips.
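The three edits just described (the LILO serial line, the inittab getty and the ifcfg MACADDR lines) collected into one script. This is an added example, not code from the article; each function is a filter that reads the original file on stdin and writes the edited version on stdout, and the sample file contents, MAC address and IP addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the article): the IP330-specific post-install edits
# as stdin-to-stdout filters. Sample inputs are constructed; on the real
# system redirect from and to the files under /etc and
# /etc/sysconfig/network-scripts.

# LILO: add serial=0,9600n8 just before the timeout= line, drop message=.
lilo_serial() {
    sed -e '/^timeout=/i\
serial=0,9600n8' -e '/^message=/d'
}

# inittab: replace the mingetty tty1-tty6 lines with one agetty on ttyS0.
inittab_serial() {
    awk '/^[1-6]:2345:respawn:\/sbin\/mingetty tty[1-6]$/ {
            if (!done) { print "1:2345:respawn:/sbin/agetty -h ttyS0 9600 vt102"; done = 1 }
            next
         }
         { print }'
}

# ifcfg: derive ifcfg-ethN from ifcfg-eth0 with the Linux device name, its
# address and the MAC recorded under IPSO (eth-s3 -> eth0, eth-s4 -> eth1,
# eth-s5 -> eth2). The MAC is validated first so a typo in the value copied
# from IPSO cannot end up as a malformed MACADDR line.
ifcfg_with_mac() {   # $1 = Linux device, $2 = MAC from IPSO ifconfig, $3 = IPADDR
    printf '%s\n' "$2" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$' || {
        echo "ifcfg_with_mac: malformed MAC address '$2'" >&2
        return 1
    }
    sed -e "s/^DEVICE=.*/DEVICE=$1/" -e "s/^IPADDR=.*/IPADDR=$3/" -e '/^MACADDR=/d'
    echo "MACADDR=$2"
}

# Demonstration on constructed samples (MAC and addresses are placeholders).
printf 'boot=/dev/hda\nmessage=/boot/message\ntimeout=50\n' | lilo_serial
printf '1:2345:respawn:/sbin/mingetty tty1\n2:2345:respawn:/sbin/mingetty tty2\n' | inittab_serial
printf 'DEVICE=eth0\nIPADDR=192.0.2.10\nONBOOT=yes\n' | ifcfg_with_mac eth1 00:11:22:33:44:55 192.0.2.11
```

On the real system the calls look like `lilo_serial < /etc/lilo.conf > /etc/lilo.conf.new` followed by a review and `mv`, and `lilo -t && lilo` still has to be rerun afterwards as described above.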
If all has gone well up to this point, it now is time to shut down the desktop system and return the drive to the Nokia machine. Be sure to re-attach the top of the IP330 case to keep the CPU cool during intensive operations, such as a kernel compile. The four fans at the back of the machine are effective only when the case is sealed, and a good way to demonstrate this point is to try consecutive kernel compiles without the top attached. The CPU usually overheats and causes the machine to crash during the first compilation attempt. With the case properly secured, the number of consecutive kernel compiles has no effect on the stability of the machine, which is what one would expect.
Before booting the IP330, reinstall the desktop disk in the desktop PC and boot into Linux. Use the serial cable to connect the two serial ports on the two systems and run minicom. Recall the serial port settings we specified in /etc/lilo.conf, and configure minicom to match.
Now we are ready to boot Linux on the IP330. After the memory test is finished (which can be interrupted by pressing the ESC key twice) the familiar LILO boot prompt should be displayed and then the kernel boot sequence happily flows past. After the sequence is finished, init gets a chance to run and eventually a login prompt is displayed (see Resources).
Even though we are successfully running Linux on the IP330 at this point, it still is a good idea to recompile the kernel from scratch in order to put the operating system through its paces. This helps to ensure Linux is indeed stable on a hardware platform not specifically designed to run Linux. Besides, an added bonus is the 256MHz processor probably allows enough time to grab a quick sandwich during the recompilation process.
With the Nokia up and running, connect it to the network and test by pinging another host on the same network; use your default gateway or the Linux desktop machine, if necessary. Then execute the command:
iptables -A INPUT -p icmp -i eth0 -j LOG
Ping the host again, and this time iptables log messages should show up in the /var/log/messages system log when the icmp echo reply packets reach the firewall.
To test the filtering ability of iptables, execute the following command and then try to ping the host again:
iptables -A INPUT -p icmp -i eth0 -j DROP
The reply packets now should be logged and dropped, so the ping does not succeed. We have established that iptables can both log and filter traffic, but we have one more test to run:
iptables -I INPUT 1 -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
Execute the ping once more, and it should work once again even though both the log and drop rules still are in effect. This illustrates the stateful capability of iptables, in which packets associated with legitimate network traffic are let through and no log messages are generated (see Resources).
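A way to check the effect of the three rules from the log itself rather than only from whether the ping succeeds: with the ESTABLISHED,RELATED rule in place, the echo replies to our own pings no longer appear in /var/log/messages, while unsolicited echo requests from elsewhere still hit the LOG and DROP rules. This is an added example, not code from the article; it summarises iptables LOG entries by interface, protocol and ICMP type, and the log lines in it are constructed samples in the kernel's LOG format.

```shell
#!/bin/sh
# Added example (not from the article): summarise the iptables LOG entries in
# a syslog file by incoming interface, protocol and ICMP type.
# Usage on the real system: summarise_iptables_log < /var/log/messages

# Print "<iface> <proto> <icmp type or -> <count>" for each distinct
# combination found in the iptables LOG entries read from stdin.
summarise_iptables_log() {
    awk '/kernel: .*IN=.*PROTO=/ {
            iface = ""; proto = ""; type = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^IN=/)    iface = substr($i, 4)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^TYPE=/)  type  = substr($i, 6)
            }
            count[iface " " proto " " type]++
         }
         END { for (k in count) print k, count[k] }' | sort
}

# Constructed sample: two echo replies (TYPE=0) to our own ping logged before
# the state rule was added, one unsolicited echo request (TYPE=8) from
# another host, and an unrelated sshd line that must be ignored.
SAMPLE_LOG='Apr  1 12:00:01 nokia kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=192.0.2.1 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4123 PROTO=ICMP TYPE=0 CODE=0 ID=1234 SEQ=1
Apr  1 12:00:02 nokia kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=192.0.2.1 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4124 PROTO=ICMP TYPE=0 CODE=0 ID=1234 SEQ=2
Apr  1 12:00:05 nokia kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ef:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=9 PROTO=ICMP TYPE=8 CODE=0 ID=77 SEQ=1
Apr  1 12:00:06 nokia sshd[311]: Accepted password for root from 192.0.2.1'

printf '%s\n' "$SAMPLE_LOG" | summarise_iptables_log
```

For the sample above the output is "eth0 ICMP 0 2" and "eth0 ICMP 8 1"; after the state rule is added only the TYPE=8 line should keep growing.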
Depending on the specific application of the IP330 in your network, you may require additional software beyond what is listed here. But, at a minimum you probably want to download and compile the latest versions of the OpenSSL libraries, OpenSSH and the iptables user space code. If you require the Nokia to become part of an OSPF area, install the Zebra routing dæmon. If you require the Nokia to failover to another machine, install Keepalived and configure it to run VRRP. The VRRP implementation of Keepalived is particularly good. It is extremely easy to put one or all three interfaces on the Nokia into a "sync group" that fails over all interfaces if the link on any particular interface is lost. If you require the Nokia to form an endpoint for an IPSEC VPN, install FreeSWAN (see Mick Bauer's Paranoid Penguin columns from the January and February 2003 issues of LJ for an excellent exposition on FreeSWAN). One of the biggest advantages to running Check Point Firewall-1 is the GUI interface, which makes it easy to configure a firewall policy. Firewall Builder provides similar functionality for iptables, and Mick Bauer covers it in the May issue of Linux Journal.
Resources:
For information regarding compiling the Linux kernel, see the Kernel HOWTO.
Some iptables options, such as limit match and MAC address support, may or may not need to be compiled in, depending on the needs for your particular network configuration.
For more information on serial support in Linux boot loaders, see www.tldp.org/HOWTO/Remote-Serial-Console-HOWTO
Although hardening the Linux installation is beyond the scope of this article, it is important to turn off all unnecessary services. To fully harden the Linux installation, install Bastille Linux.
More information on the configuration and administration of iptables can be found in the various Netfilter HOWTOs.
Michael Rash works as a senior security engineer for an ASP in Annapolis, Maryland. He holds a Master's in Applied Mathematics from the University of Maryland and has been tinkering with Linux since 1998. In his free time, he enjoys playing the violin for the Prince George's Philharmonic Orchestra.
email: mbr@cipherdyne.com