FireRouter

From GridTrak

Debian 4.0 R4 FireRouter Project

Updated: August 23, 2008

OS Preparation

System Configurations

Target System

  • DELL Power Edge 2450, PERC 2D disconnected, SCSI hard disks, SCSI-IDE CDROM, 1GB RAM
  • IO Gear KVM, DELL 170n FP LCD monitor
  • WAN Integrated 10/100 Intel NIC [eth0]
  • LAN Intel Gigabit NIC [eth1]

Test System

  • HP Pavilion 753n, Pentium-4, IDE HD, 512MB RAM (integrated NIC burned out)
  • IO Gear KVM, Multi-sync CRT
  • WAN 10/100 Intel NIC [eth1]
  • LAN Intel Gigabit NIC [eth2]

Note: On this system the Firewire IEEE 1394 interface is identified as [eth0] and is not used

Debian 4.0 R4 Installation

Note: Debian was selected for this project because it was the only Open Source/GNU distribution the author found to run reliably on the DELL PE2450 server.

  • Select the WAN network interface as the primary NIC for setup; use DHCP and current LAN gateway
  • Unselect all software options in the initial tasksel
  • After reboot, comment out the CDROM installation Source from /etc/apt/sources.list
  • Update the package lists and install iproute, ssh and a few other useful tools
 aptitude update
 aptitude install iproute
 aptitude install ssh
 aptitude install ulogd
 aptitude install tofrodos
 aptitude install tcpdump
 aptitude autoclean
  • Check the network interfaces with ifconfig -a and confirm which device names the WAN and LAN NICs received (see the note about the Firewire interface above)
  • [optional] Install PuTTY on a remote Windows system for SSH access to the new system.

Configure Ethernet Interfaces

Our test router will be installed on the LAN side of a consumer router at home for testing.
The consumer LAN is 192.168.0.0/24; this is the WAN side of our test router. The LAN side of the test router is 192.168.1.0/24.

 Configuration Summary
 LANIP = 192.168.1.1
 WANIP = 192.168.0.63
 WAN Gateway = 192.168.0.4 (consumer router LAN Side Interface)
 DNSSVR = 192.168.0.85
  • Edit the /etc/network/interfaces file
 # Loopback Network Interface
 auto lo
 iface lo inet loopback
 
 # WAN Primary Network Interface
 allow-hotplug eth1
 iface eth1 inet static
 address 192.168.0.63
 netmask 255.255.255.0
 network 192.168.0.0
 broadcast 192.168.0.255
 gateway 192.168.0.4
 # dns-nameservers is only honoured when the resolvconf package is installed;
 # otherwise put "nameserver 192.168.0.85" in /etc/resolv.conf by hand
 dns-nameservers 192.168.0.85
 
 # LAN Network Interface
 allow-hotplug eth2
 iface eth2 inet static
 address 192.168.1.1
 netmask 255.255.255.0
 network 192.168.1.0
 broadcast 192.168.1.255
 # no gateway line here: the router has exactly one default route, via the
 # WAN gateway above, and 192.168.1.1 is this interface's own address

See Virtual Network Interface for multiple IP address assignments to a single interface.

Create a Simple Firewall Test Script

This sets up a very permissive configuration, just enough to verify basic routing and NAT. It is clearly not a secure configuration; we can live with that for now because the test router sits on the inside of a consumer firewall.

  • Create a file: /etc/init.d/firerouter.sh

Derived from the About Debian proxy.sh example

 #!/bin/bash
 IPT=/sbin/iptables
 
 WANETH="eth1"
 LANETH="eth2"
 # Either hard-code the WAN address or read it from the interface at start-up:
 # WANIP="`/sbin/ifconfig eth1 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
 WANIP=192.168.0.63
 
 /sbin/depmod -a
 /sbin/modprobe ip_tables
 /sbin/modprobe ip_conntrack
 /sbin/modprobe ip_conntrack_ftp
 /sbin/modprobe ip_conntrack_irc
 /sbin/modprobe iptable_nat
 /sbin/modprobe ip_nat_ftp
 echo "1" > /proc/sys/net/ipv4/ip_forward
 echo "1" > /proc/sys/net/ipv4/ip_dynaddr
 
 $IPT -P INPUT ACCEPT
 $IPT -F INPUT
 $IPT -P OUTPUT ACCEPT
 $IPT -F OUTPUT
 $IPT -P FORWARD DROP
 $IPT -F FORWARD
 $IPT -t nat -F
 $IPT -A FORWARD -i $WANETH -o $LANETH -m state --state ESTABLISHED,RELATED -j ACCEPT
 $IPT -A FORWARD -i $LANETH -o $WANETH -j ACCEPT
 $IPT -t nat -A POSTROUTING -o $WANETH -j MASQUERADE
  • Script Installation
 chmod 755 /etc/init.d/firerouter.sh
 ln -s /etc/init.d/firerouter.sh /etc/rc2.d/S19firewall
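Before installing either script it is worth running a quick check over it. iptables does not object to an interface argument that is a misspelled variable name or an address (the rule is accepted and simply never matches), and a state word typed outside --state makes iptables reject that one rule; because the scripts do not use set -e they carry on without it, so the intended accept never exists and nothing says so. The POSIX sh/awk checker below is an added example written for this page, not part of the FireRouter project. The naming convention it relies on (interface variables end in ETH, address variables in IP or NET, as in the scripts here) is an assumption, and the rules in lint_sample are a constructed sample containing one of each mistake next to correct rules.

```shell
#!/bin/sh
# Added example (not from the FireRouter page): a pre-flight lint for an
# iptables shell script.  It joins backslash-continued lines, strips comments
# and reports three classes of mistake:
#   1. -i/-o followed by something that is neither a $variable nor a device name
#      (e.g. "LANETH2" where "$LANETH2" was meant)
#   2. -i/-o followed by an address variable or literal (e.g. -o $WANIP)
#      ASSUMPTION: address variables end in IP or NET, as in firerouter.sh
#   3. a conntrack state list (NEW, ESTABLISHED,RELATED, ...) not preceded
#      by --state, which makes iptables reject the rule
# Output: one line per finding, "<line>: <reason>"; no output means clean.
lint_iptables_script() {
    awk '
    {
        if (buf == "") start = NR            # first physical line of this rule
        line = $0
        sub(/#.*/, "", line)                 # drop comments
        if (line ~ /\\[ \t]*$/) {            # continued on the next line
            sub(/\\[ \t]*$/, "", line)
            buf = buf " " line
            next
        }
        line = buf " " line
        buf = ""
        n = split(line, tok)
        for (i = 1; i <= n; i++) {
            if ((tok[i] == "-i" || tok[i] == "-o") && i < n) {
                v = tok[i + 1]
                if (v ~ /^\$[A-Za-z_]*(IP|NET)[0-9]*$/ || v ~ /^[0-9.]+(\/[0-9]+)?$/)
                    printf "%d: address %s given to %s (expects an interface)\n", start, v, tok[i]
                else if (v !~ /^\$/ && v !~ /^(lo|eth[0-9]+|ppp[0-9]+)$/)
                    printf "%d: %s after %s is neither a $variable nor a device\n", start, v, tok[i]
            }
            if (tok[i] ~ /^(NEW|ESTABLISHED|RELATED|INVALID)(,(NEW|ESTABLISHED|RELATED|INVALID))*$/ &&
                (i == 1 || tok[i - 1] != "--state"))
                printf "%d: state list %s is not preceded by --state\n", start, tok[i]
        }
    }' "$1"
}

# Constructed sample: one of each mistake (lines 4, 5 and 6) among correct rules.
lint_sample() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
IPT=/sbin/iptables
WANETH="eth1"; WANIP="192.168.0.63"; LANETH2="eth2"; LANNET2="192.168.2.0/24"
$IPT -A INPUT -i $WANETH -s $LANNET2 -j DROP
$IPT -A INPUT -i LANETH2 -s $LANNET2 -d 0.0.0.0/0 -j ACCEPT
$IPT -A OUTPUT -o $WANIP -s 192.168.3.1 -j ACCEPT
$IPT -A INPUT -i $LANETH2 -p udp -s $LANNET2 --sport 1024:65535 \
              -d 192.168.2.1 --dport 53 NEW -j ACCEPT
$IPT -A INPUT -i $LANETH2 -m state --state NEW,ESTABLISHED,RELATED \
              -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
EOF
    lint_iptables_script "$f"
    rm -f "$f"
}

# Usage: sh lint.sh /etc/init.d/firerouter.sh      (or: sh lint.sh --demo)
case "${1:-}" in
    --demo) lint_sample ;;
    "")     ;;
    *)      lint_iptables_script "$1" ;;
esac
```

Run it against the script before the chmod/ln -s step; an empty result is what you want. The device-name list (lo, ethN, pppN) and the IP/NET suffix rule are deliberately narrow so that the check stays free of false positives on these two scripts; extend them if your interfaces or variables are named differently.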

Complete Firewall Script

This sets up a much more complete firewall than the test script: a default DROP policy on all three chains, anti-spoofing rules, logging of every dropped packet through ulogd, SNAT for outbound traffic and DNAT for a handful of published services. It assumes three interfaces: the WAN on eth1, a DMZ on eth2 (192.168.2.0/24) and a workstation LAN on eth3 (192.168.3.0/24). With the caveats noted in its comments (the DMZ may still open connections into the workstation LAN, and the forwarded RDP and torrent ports accept any source address) it can replace the consumer firewall device.

  • Edit or Create a file: /etc/init.d/firerouter.sh

Derived from the About Debian firewall.sh example

#!/bin/bash
echo "PenguinFood.net FireRouter 1.1.3, Aug 22, 2008"

IPT=/sbin/iptables

WANETH="eth1"
WANIP="`/sbin/ifconfig eth1 |grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
#WANIP="24.126.60.160"
WANNET=$WANIP"/24"
echo "WAN IP = $WANIP, WAN NET = $WANNET"

# DMZ
LANETH2="eth2"
LANIP2="192.168.2.1"
LANNET2="192.168.2.0/24"

# Workstations LAN
LANETH3="eth3"
LANIP3="192.168.3.1"
LANNET3="192.168.3.0/24"

UNIVERSE="0.0.0.0/0"
UNPRIVPORTS="1024:65535"
PRIVPORTS="0:1023"
BCAST_SRC="0.0.0.0"
BCAST_DST="255.255.255.255"


# Specific Servers
MY_DNS="192.168.2.80"
MY_WWW="192.168.2.80"
MY_WIKI="192.168.2.81"

# Choke Firewalls
MY_LAN2="192.168.2.2"
MY_LAN3="192.168.3.2"

TORPORTS="6881:6889"

RDP3389="3389"
RDP3407="3407"
RDP9587="9587"
RDP9858="9858"

echo ".. modprobing"
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo ".. Resetting iptables policies"
$IPT -P INPUT DROP
$IPT -F INPUT
$IPT -P OUTPUT DROP
$IPT -F OUTPUT
$IPT -P FORWARD DROP
$IPT -F FORWARD
$IPT -t nat -F
$IPT -t filter -F

$IPT -X
$IPT -Z

echo ".. Clearing Logs"
:>/var/log/ulog/syslogemu.log
modprobe ipt_ULOG nlbufsiz=4096 flushtimeout=40


#### INPUT
echo ".. Configuring iptables INPUT Rules"

# Drop Log Spoofs
$IPT -A INPUT -i $WANETH -s $LANNET2 -d $UNIVERSE -j ULOG \
     --ulog-prefix "SPOOF2" --ulog-nlgroup 1 --ulog-cprange 1 --ulog-qthreshold 1
$IPT -A INPUT -i $WANETH -s $LANNET2 -d $UNIVERSE -j DROP

$IPT -A INPUT -i $WANETH -s $LANNET3 -d $UNIVERSE -j ULOG \
     --ulog-prefix "SPOOF3" --ulog-nlgroup 1 --ulog-cprange 1 --ulog-qthreshold 1
$IPT -A INPUT -i $WANETH -s $LANNET3 -d $UNIVERSE -j DROP

# Loopback can go anywhere
$IPT -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# Local Interface and LAN can go anywhere
# (these two accept everything the LANs send to the router itself, so the
#  per-service LAN rules for SSH, ping and DNS further down are redundant;
#  they are kept to document what the router actually needs)
$IPT -A INPUT -i $LANETH2 -s $LANNET2 -d $UNIVERSE -j ACCEPT
$IPT -A INPUT -i $LANETH3 -s $LANNET3 -d $UNIVERSE -j ACCEPT

# Remote traffic to the WAN IP address: only replies to connections that the
# router itself or a masqueraded LAN host opened.  An unconditional
#   $IPT -A INPUT -i $WANETH -s $UNIVERSE -d $WANIP -j ACCEPT
# here would expose every listening service on the router to the Internet and
# make the INPUT DROP policy and the SSH rules below meaningless.
$IPT -A INPUT -i $WANETH -s $UNIVERSE -d $WANIP \
              -m state --state ESTABLISHED,RELATED -j ACCEPT

## Services on the FireRouter
# External SSH Service
#$IPT -A INPUT -i $WANETH -m state --state NEW,ESTABLISHED,RELATED \
#              -p tcp -s $UNIVERSE -d $WANIP --dport 22 -j ACCEPT

# Internal SSH Service
$IPT -A INPUT -i $LANETH2 -m state --state NEW,ESTABLISHED,RELATED \
              -p tcp -s $LANNET2 -d $LANIP2 --dport 22 -j ACCEPT
$IPT -A INPUT -i $LANETH3 -m state --state NEW,ESTABLISHED,RELATED \
              -p tcp -s $LANNET3 -d $LANIP3 --dport 22 -j ACCEPT

# Ping
$IPT -A INPUT -i $LANETH2 -m state --state NEW,ESTABLISHED,RELATED \
              -p icmp -j ACCEPT
$IPT -A INPUT -i $LANETH3 -m state --state NEW,ESTABLISHED,RELATED \
              -p icmp -j ACCEPT

# DNS
$IPT -A INPUT -i $LANETH2 -p udp -s $LANNET2 --sport $UNPRIVPORTS \
              -d $LANIP2 --dport 53 -j ACCEPT
$IPT -A INPUT -i $LANETH2 -p udp -s $LANNET2 --sport 53 \
              -d $LANIP2 --dport $UNPRIVPORTS -j ACCEPT

$IPT -A INPUT -i $LANETH3 -p udp -s $LANNET3 --sport $UNPRIVPORTS \
              -d $LANIP3 --dport 53 -j ACCEPT
$IPT -A INPUT -i $LANETH3 -p udp -s $LANNET3 --sport 53 \
              -d $LANIP3 --dport $UNPRIVPORTS -j ACCEPT

# DHCP with ISP (only needed when the WAN address is leased, not static).
# Replies come from the DHCP server's own address, not from 0.0.0.0.
# Note: ISC dhclient on Linux sends and receives through a packet socket,
# which bypasses the INPUT/OUTPUT chains; these rules only matter for
# clients that use ordinary UDP sockets.
$IPT -A INPUT -i $WANETH -p udp -s $BCAST_SRC --sport 68 \
              -d $BCAST_DST --dport 67 -j ACCEPT
$IPT -A INPUT -i $WANETH -p udp -s $UNIVERSE --sport 67 \
              -d $UNIVERSE --dport 68 -j ACCEPT

$IPT -A OUTPUT -o $WANETH -p udp -s $BCAST_SRC --sport 68 \
              -d $BCAST_DST --dport 67 -j ACCEPT

# Torrent client on MY_LAN2 (INPUT only sees traffic addressed to the router
# itself; the forwarded and DNAT'd torrent traffic is handled in the FORWARD
# and nat sections below)
$IPT -A INPUT -i $LANETH2 -p tcp -s $MY_LAN2 --sport $UNPRIVPORTS \
              -d $UNIVERSE --dport 14555 -j ACCEPT

## Drop Log catch all else
$IPT -A INPUT -s $UNIVERSE -d $UNIVERSE -j ULOG \
     --ulog-prefix "INPUT*DROP" --ulog-nlgroup 1 --ulog-cprange 48 --ulog-qthreshold 1
$IPT -A INPUT -s $UNIVERSE -d $UNIVERSE -j DROP


#### OUTPUT
echo ".. Configuring iptables OUTPUT rules"

# Drop Log:  Stuffed Routing = Outbound LAN traffic on WAN interface
$IPT -A OUTPUT -o $WANETH -s $UNIVERSE -d $LANNET2 -j ULOG \
     --ulog-prefix "OUTPUT-STUFF2" --ulog-nlgroup 1 --ulog-cprange 1 --ulog-qthreshold 1
$IPT -A OUTPUT -o $WANETH -s $UNIVERSE -d $LANNET2 -j DROP

$IPT -A OUTPUT -o $WANETH -s $UNIVERSE -d $LANNET3 -j ULOG \
     --ulog-prefix "OUTPUT-STUFF3" --ulog-nlgroup 1 --ulog-cprange 1 --ulog-qthreshold 1
$IPT -A OUTPUT -o $WANETH -s $UNIVERSE -d $LANNET3 -j DROP

# Loopback can go anywhere
$IPT -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# Local Interface to the LANs, from the WAN or LAN IP addresses
$IPT -A OUTPUT -o $LANETH2 -s $WANIP -d $LANNET2 -j ACCEPT
$IPT -A OUTPUT -o $LANETH3 -s $WANIP -d $LANNET3 -j ACCEPT
$IPT -A OUTPUT -o $LANETH2 -s $LANIP2 -d $LANNET2 -j ACCEPT
$IPT -A OUTPUT -o $LANETH3 -s $LANIP3 -d $LANNET3 -j ACCEPT
# Locally generated traffic with a LAN source address leaving on the WAN
# interface (-o takes an interface name, never an address)
$IPT -A OUTPUT -o $WANETH -s $LANIP3 -j ACCEPT
$IPT -A OUTPUT -o $WANETH -s $LANIP2 -j ACCEPT

# WAN Traffic on WAN Interface can go anywhere
$IPT -A OUTPUT -o $WANETH -s $WANIP -d $UNIVERSE -j ACCEPT

# Drop Log catch all else
$IPT -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j ULOG \
     --ulog-prefix "OUTPUT*DROP" --ulog-nlgroup 1 --ulog-cprange 1 --ulog-qthreshold 1
$IPT -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j DROP


echo ".. Configuring iptables FORWARD Rules and NAT"
# Allow Only existing back In
$IPT -A FORWARD -i $WANETH -o $LANETH2 \
                -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $WANETH -o $LANETH3 \
                -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow All LAN Forward Combinations
# Note: this also lets DMZ hosts open connections into the workstation LAN.
# To make the DMZ a real DMZ, accept -i $LANETH2 -o $LANETH3 only for
# ESTABLISHED,RELATED before these two lines.
$IPT -A FORWARD -i $LANETH2 -j ACCEPT
$IPT -A FORWARD -i $LANETH3 -j ACCEPT

## Forward Inbound Traffic to Specific Services

# DHCP from ISP (needed unless we have a Static WAN IP address)
# (a packet addressed to $WANIP is delivered locally through INPUT and never
#  reaches FORWARD, so this rule is a no-op; the INPUT rule above is what counts)
$IPT -A FORWARD -i $WANETH -p udp --sport 67 \
                -d $WANIP --dport 68 -j ACCEPT

## DNS
# DNS to LAN3 (users)
$IPT -A FORWARD -i $WANETH -o $LANETH3 -p udp --sport $UNPRIVPORTS \
                -d $MY_LAN3 --dport 53 -j ACCEPT

# DNS to LAN2 (DMZ - including our DNS Server)
$IPT -A FORWARD -i $WANETH -o $LANETH2 -p udp --sport $UNPRIVPORTS \
                -d $LANNET2 --dport 53 -j ACCEPT

# Other Specific Services
$IPT -A FORWARD -i $WANETH -o $LANETH2 -p tcp --sport $UNPRIVPORTS \
                -d $MY_WWW --dport 80 -j ACCEPT

$IPT -A FORWARD -i $WANETH -o $LANETH2 -p tcp --sport $UNPRIVPORTS \
                -d $MY_WIKI --dport 81 -j ACCEPT

### Diagnostics Override, DROP is the default 
# $IPT -A FORWARD -i $WANETH -o $LANETH3 -j ACCEPT
# $IPT -A FORWARD -i $WANETH -o $LANETH2 -j ACCEPT


$IPT -t nat -A POSTROUTING -o $WANETH -j SNAT --to $WANIP
#$IPT -t nat -A POSTROUTING -o $WANETH -j MASQUERADE

$IPT -t nat -A PREROUTING -i $WANETH -p tcp --sport $UNPRIVPORTS \
            -d $WANIP --dport 80 -j DNAT --to-destination $MY_WWW

$IPT -t nat -A PREROUTING -i $WANETH -p tcp --sport $UNPRIVPORTS \
            -d $WANIP --dport 81 -j DNAT --to-destination $MY_WIKI
            
$IPT -t nat -A PREROUTING -i $WANETH -p udp --sport $UNPRIVPORTS \
            -d $WANIP --dport 53 -j DNAT --to-destination $MY_DNS

# Alex's TORRENT
$IPT -A FORWARD -i $WANETH -o $LANETH2 -p tcp --sport $UNPRIVPORTS \
                -d $MY_LAN2 --dport 14555 -j ACCEPT
$IPT -t nat -A PREROUTING -i $WANETH -p tcp  \
            -d $WANIP --dport 14555 -j DNAT --to-destination $MY_LAN2

# Web Server RDP
$IPT -A FORWARD -i $WANETH -o $LANETH2 -p tcp --sport $UNPRIVPORTS \
                -d $MY_WWW --dport $RDP3407 -j ACCEPT
$IPT -t nat -A PREROUTING -i $WANETH -p tcp --sport $UNPRIVPORTS \
            -d $WANIP --dport $RDP3407 -j DNAT --to-destination $MY_WWW

$IPT -A FORWARD -i $WANETH -o $LANETH3 -p tcp --sport $UNPRIVPORTS \
                -d $MY_LAN3 --dport $RDP9587 -j ACCEPT
# Internal redirects of LANIP:3389 to MY_LAN3.  The LANETH3 one is a hairpin:
# client and server are on the same subnet, so MY_LAN3 answers the client
# directly with its own address and the client drops the reply.  That path
# also needs a POSTROUTING SNAT to $LANIP3 for traffic DNAT'd to MY_LAN3 from
# LAN3.  The LANETH2 redirect crosses subnets and works as written.
$IPT -t nat -A PREROUTING -i $LANETH3 -p tcp --sport $UNPRIVPORTS \
            -d $LANIP3 --dport $RDP3389 -j DNAT --to-destination $MY_LAN3

$IPT -t nat -A PREROUTING -i $LANETH2 -p tcp --sport $UNPRIVPORTS \
            -d $LANIP2 --dport $RDP3389 -j DNAT --to-destination $MY_LAN3

$IPT -t nat -A PREROUTING -i $WANETH -p tcp --sport $UNPRIVPORTS \
            -d $WANIP --dport $RDP9587 -j DNAT --to-destination $MY_LAN3


$IPT -A FORWARD -s $UNIVERSE -d $UNIVERSE -j ULOG \
            --ulog-prefix "FORWARD*DROP" --ulog-nlgroup 1 --ulog-cprange 1 --ulog-qthreshold 1
$IPT -A FORWARD -s $UNIVERSE -d $UNIVERSE -j DROP


echo "FireRouter Configuration Completed!"

  • View the Dropped Packet Logs created by ulog
 tail -f /var/log/ulog/syslogemu.log
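The ulog file shows one line per dropped packet, which is fine for a quick look but hard to read once a port scan lands. The POSIX sh/awk script below is an added example written for this page, not part of the FireRouter project or of ulogd. It normalises syslogemu lines into tab-separated fields (prefix, SRC, DST, PROTO, DPT) and derives three views from them: drops per prefix and protocol, the noisiest sources behind one prefix, and sources that probed at least N distinct ports, a crude port-scan detector. The lines in sample_log are constructed for the example, using documentation addresses, in the kernel LOG layout that ulogd's syslogemu output emulates (IN= OUT= MAC= SRC= DST= ... PROTO= SPT= DPT=); the prefix is assumed to be whatever sits between the hostname and the first IN= token.

```shell
#!/bin/sh
# Added example (not from the FireRouter page or ulogd): summarise the
# ULOG drop log that firerouter.sh writes through ulogd's syslogemu output.
# Line layout assumed (kernel LOG format as emulated by ulogd):
#   <Mon> <day> <time> <host> <prefix words> IN=... OUT=... [MAC=...] SRC=a DST=b ... PROTO=p ... DPT=n ...

# Normalise: one tab-separated record per line: prefix, src, dst, proto, dpt
parse_drops() {
    awk 'BEGIN { OFS = "\t" }
    {
        prefix = ""; src = "-"; dst = "-"; proto = "-"; dpt = "-"
        for (i = 5; i <= NF && $i !~ /^IN=/; i++)
            prefix = prefix (prefix == "" ? "" : " ") $i
        for (; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue             # flags such as DF or SYN
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "SRC") src = v
            else if (k == "DST") dst = v
            else if (k == "PROTO") proto = v
            else if (k == "DPT") dpt = v
        }
        if (prefix == "") prefix = "(none)"
        print prefix, src, dst, proto, dpt
    }'
}

# Drops per prefix and protocol, busiest first: "<count> <prefix> <proto>"
drop_summary() {
    parse_drops | awk -F'\t' '{ c[$1 "\t" $4]++ } END { for (k in c) print c[k] "\t" k }' | sort -rn
}

# Sources behind one prefix ($1), busiest first: "<count> <src>"
top_sources() {
    parse_drops | awk -F'\t' -v want="$1" '$1 == want { c[$2]++ }
        END { for (s in c) print c[s] "\t" s }' | sort -rn
}

# Sources that touched at least $1 distinct destination ports: "<ports> <src>"
scan_sources() {
    parse_drops | awk -F'\t' -v min="$1" '
        !seen[$2 "\t" $5]++ { ports[$2]++ }
        END { for (s in ports) if (ports[s] >= min) print ports[s] "\t" s }' | sort -rn
}

# Constructed sample (documentation addresses), not a real capture
sample_log() {
    cat <<'EOF'
Aug 22 21:03:14 firerouter INPUT*DROP IN=eth1 OUT= MAC=00:0c:29:3a:2b:1c:00:1d:7e:aa:bb:cc:08:00 SRC=203.0.113.7 DST=192.168.0.63 LEN=60 TOS=00 PREC=0x00 TTL=52 ID=19001 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=5840 SYN URGP=0
Aug 22 21:03:15 firerouter INPUT*DROP IN=eth1 OUT= MAC=00:0c:29:3a:2b:1c:00:1d:7e:aa:bb:cc:08:00 SRC=203.0.113.7 DST=192.168.0.63 LEN=60 TOS=00 PREC=0x00 TTL=52 ID=19002 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=5840 SYN URGP=0
Aug 22 21:03:15 firerouter INPUT*DROP IN=eth1 OUT= MAC=00:0c:29:3a:2b:1c:00:1d:7e:aa:bb:cc:08:00 SRC=203.0.113.7 DST=192.168.0.63 LEN=60 TOS=00 PREC=0x00 TTL=52 ID=19003 DF PROTO=TCP SPT=44323 DPT=8080 WINDOW=5840 SYN URGP=0
Aug 22 21:03:16 firerouter INPUT*DROP IN=eth1 OUT= MAC=00:0c:29:3a:2b:1c:00:1d:7e:aa:bb:cc:08:00 SRC=203.0.113.7 DST=192.168.0.63 LEN=60 TOS=00 PREC=0x00 TTL=52 ID=19004 DF PROTO=TCP SPT=44324 DPT=3389 WINDOW=5840 SYN URGP=0
Aug 22 21:04:02 firerouter INPUT*DROP IN=eth1 OUT= MAC=00:0c:29:3a:2b:1c:00:1d:7e:aa:bb:cc:08:00 SRC=198.51.100.9 DST=192.168.0.63 LEN=78 TOS=00 PREC=0x00 TTL=117 ID=2211 PROTO=UDP SPT=137 DPT=137 LEN=58
Aug 22 21:04:40 firerouter SPOOF2 IN=eth1 OUT= MAC=00:0c:29:3a:2b:1c:00:1d:7e:aa:bb:cc:08:00 SRC=192.168.2.55 DST=192.168.0.63 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=7 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Aug 22 21:05:11 firerouter FORWARD*DROP IN=eth1 OUT=eth2 SRC=198.51.100.9 DST=192.168.2.80 LEN=60 TOS=00 PREC=0x00 TTL=117 ID=2212 DF PROTO=TCP SPT=51000 DPT=445 WINDOW=65535 SYN URGP=0
Aug 22 21:06:00 firerouter OUTPUT*DROP IN= OUT=eth1 SRC=192.168.3.1 DST=203.0.113.200 LEN=76 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
EOF
}

# Usage: sh dropstats.sh summary|sources PREFIX|scans N < /var/log/ulog/syslogemu.log
#        sh dropstats.sh --demo   (runs the three views on the constructed sample)
case "${1:-}" in
    summary) drop_summary ;;
    sources) top_sources "$2" ;;
    scans)   scan_sources "${2:-5}" ;;
    --demo)  sample_log | drop_summary; sample_log | top_sources 'INPUT*DROP'; sample_log | scan_sources 3 ;;
    *)       ;;
esac
```

On the sample, the summary puts four INPUT*DROP/TCP entries on top, top_sources 'INPUT*DROP' names 203.0.113.7 as the source behind them, and scan_sources 3 singles it out as the one host that touched at least three distinct ports (22, 23, 8080 and 3389), while the SMB probe from 198.51.100.9 stays below the threshold. Against the live file, a SPOOF2 or SPOOF3 entry with a source inside your own LAN ranges is the one to chase first: it means something on the WAN side is sending packets with your addresses.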