Linux is a stable OS that can provide quite a flexible routing and firewall setup, and it is a free alternative to a Cisco router. Configuring it is quite a challenge the first time you do it, though. This howto should help you get started:
Install SSH and set up the firewall
Login to your new Ubuntu installation and install the packages we will need.
Become root, since we will be doing most of this as root:
sudo su -
Upgrade Ubuntu with the latest patches and install the required packages:
aptitude update && aptitude upgrade
aptitude install openssh-server openssh-client wget vim lynx
Configure the firewall so that the only inbound connection it accepts, from any source IP, is SSH. Save the rules to a file so that they are restored on reboot. This step has to be in place before the sshdfilter rules (next step) can work: sshdfilter inserts its per-IP DROP rules into the SSHD chain created here, so the jump to SSHD must sit before the rule that accepts port 22.
iptables -N SSHD
# jump to the SSHD chain first: sshdfilter will insert per-IP DROP rules there
iptables -A INPUT -p tcp -m tcp --dport 22 -j SSHD
iptables -A INPUT -m state --state established,related -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# final catch-all: everything not accepted above is dropped. Because this is a
# rule rather than the chain policy, anything appended later with -A lands after
# it and never matches; insert later rules with -I instead, as the examples below do
iptables -A INPUT -j DROP
# to add an exception to the sshd blocking rules (e.g. for your local network,
# assumed here to be 192.168.0.0/16), insert it at the top so it is hit before
# the jump to SSHD:
iptables -I INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 22 -j ACCEPT
# to remove a rule you added, run the same command with -D instead. Example:
iptables -D INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 22 -j ACCEPT
Now, let's make the rules permanent. The saved file describes your whole network layout, so keep it readable by root only. (Current Ubuntu releases ship the iptables-persistent package, whose netfilter-persistent service restores /etc/iptables/rules.v4 at boot; the init-script edit below is for the sysvinit networking script of the time.)
iptables-save > /etc/iptables-rules
vi /etc/init.d/networking
Find text similar to this:
start)
process_options
log_action_begin_msg "Configuring network interfaces"
if ifup -a; then
log_action_end_msg $?
else
log_action_end_msg $?
fi
;;
and add the line below somewhere between fi and ;; :
/sbin/iptables-restore < /etc/iptables-rules
Download and install sshdfilter to stop SSH brute-forcing
The tarball is fetched over plain HTTP with no signature, so compare it with the copy or checksum published on the sshdfilter project site before running anything from it.
mkdir /root/src
cd /root/src
wget http://www.glonek.co.uk/sshdfilter-1.5.5.tar.gz
tar -zxvf sshdfilter-1.5.5.tar.gz
cd sshdfilter-1.5.5
vi install_aswrapper.pl
Now let's patch the install script so that it works on Ubuntu. Find the lines below:
} else {
printf "System type does not appear to be Fedora, RedHat pre Fedora, Debian, \n";
printf "CentOS, SUSE, RH Enterprise, Gentoo or Slackware. So, you will have to install manually \n";
printf "(see INSTALL) and send me some hints on how to identify your system.\n";
exit 1;
and replace them with this:
} else {
printf "System type: Debian system\n";
$pattype="deb31";
$inittype="$pattype";
$confpath="/etc/";
$exepath="/usr/local/sbin/";
$initname="ssh";
$logconf="/etc/log.d/conf/services/";
$logserv="/usr/share/logwatch/scripts/services/";
Now, let's install sshdfilter:
./install_aswrapper.pl
# you will get some errors about a Hunk failing: the script's patch to
# /etc/init.d/ssh does not apply cleanly on Ubuntu. Fix that by hand so the init
# script starts sshdfilter (which wraps sshd) instead of sshd directly; check with
# diff that only the --exec line differs between the two files
cp /etc/init.d/ssh /etc/init.d/ssh-original
sed 's/--exec \/usr\/sbin\/sshd/--exec \/usr\/local\/sbin\/sshdfilter/g' /etc/init.d/ssh-original > /etc/init.d/ssh
# now edit the sshdfilter config file to your liking. It is well commented and
# does not really need much tweaking
vi /etc/sshdfilterrc
# you will want to tweak the main rules (5,3d = DEFAULT etc.) to remove the examples
# you will also want to look at SECTION IPPOLICY for IP-based filtering and remove the examples
# restart ssh and we are ready
/etc/init.d/ssh restart
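As an added example (my own shell, not part of sshdfilter or of the original post) of what the SSHD chain is for: scan auth.log for sshd authentication failures, count them per source IP, and emit DROP rules for the chain once a source crosses a threshold, which is the job sshdfilter does in-line. The log lines are constructed; the threshold, the 192.168.* allow-list and the -C-before-I idempotency check are my assumptions.

```shell
#!/bin/sh
# Added example (not part of sshdfilter or the original post): the job the SSHD
# chain exists for, done by hand from the log. Count sshd authentication failures
# per source IP and emit DROP rules for the SSHD chain once a source crosses a
# threshold. Assumptions (mine): syslog-style sshd lines, an SSHD chain that
# INPUT already jumps to for port 22, and a trusted 192.168.* LAN.

# Constructed sample of /var/log/auth.log lines (not from a real host).
SAMPLE_LOG='Jan 12 10:00:01 router sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Jan 12 10:00:03 router sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51523 ssh2
Jan 12 10:00:05 router sshd[2101]: Failed password for root from 203.0.113.7 port 51524 ssh2
Jan 12 10:00:09 router sshd[2140]: Accepted publickey for ops from 192.168.0.25 port 40110 ssh2
Jan 12 10:00:12 router sshd[2150]: Failed password for ops from 192.168.0.25 port 40111 ssh2
Jan 12 10:00:20 router sshd[2160]: Invalid user oracle from 198.51.100.9'

# offenders THRESHOLD < log: print, sorted, every source IP with at least
# THRESHOLD failures. Only sshd failure lines count; accepted logins are ignored.
offenders() {
    awk -v thr="$1" '
        /sshd\[[0-9]+\]: (Failed password for|Invalid user)/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip != "") fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= thr) print ip }
    ' | sort
}

# block_rules THRESHOLD < log: print the iptables commands that would block each
# offender in the SSHD chain. The -C check keeps a re-run from stacking duplicate
# rules; addresses in the trusted LAN are skipped so a typo cannot lock you out.
block_rules() {
    offenders "$1" | while read -r ip; do
        case "$ip" in
            192.168.*) continue ;;
        esac
        printf 'iptables -C SSHD -s %s -j DROP 2>/dev/null || iptables -I SSHD -s %s -j DROP\n' "$ip" "$ip"
    done
}

# Dry run on the sample. On a live box:  block_rules 3 < /var/log/auth.log | sh
printf '%s\n' "$SAMPLE_LOG" | block_rules 3
```

The rules go into SSHD rather than INPUT so that the LAN exception inserted at the top of INPUT (previous step) keeps working, and so that flushing the SSHD chain alone releases every block without touching the rest of the firewall.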
Configure iptables for NAT routing
Some time ago we had to recompile the kernel to get the nat table into iptables. That is over: the Ubuntu kernel already ships with the nat table. To see the current rules (filter and nat tables), run this as root:
iptables -L -vn
iptables -t nat -L -vn
Before the box will route or port-forward anything, IP forwarding has to be enabled in the kernel. The setting does not survive a reboot, so it must be re-applied every time; here it goes into the networking init script next to the rule restore. (Setting net.ipv4.ip_forward=1 in /etc/sysctl.conf achieves the same at boot.)
vi /etc/init.d/networking
# find the line we added there to restore iptables-rules and put the line below just above it
echo 1 > /proc/sys/net/ipv4/ip_forward
Let's configure iptables now. First we need to make a few assumptions:
eth0 - interface connected to the Internet (WAN)
network: 123.123.123.120/30
ip: 123.123.123.122
subnet mask: 255.255.255.252
gateway: 123.123.123.121
eth1 - interface connected to the LAN
network: 192.168.0.0/24
ip: 192.168.0.1
subnet mask: 255.255.255.0
gateway for LAN hosts: 192.168.0.1 (this box), which routes their traffic out through eth0
# configure the interfaces
vi /etc/network/interfaces

auto eth0
iface eth0 inet static
address 123.123.123.122
gateway 123.123.123.121
netmask 255.255.255.252
network 123.123.123.120
broadcast 123.123.123.123

auto eth1
iface eth1 inet static
address 192.168.0.1
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255

# save the file and run the command below to restart the network interfaces.
# Do it on the console, not over ssh, as the interfaces go down
/etc/init.d/networking restart

# default policy for forwarded traffic is DROP: only what is explicitly accepted
# below crosses the router, and rules appended later still land before the policy
iptables -P FORWARD DROP
# drop packets arriving from the WAN that claim a LAN source address (spoofing).
# This has to come before any ACCEPT in FORWARD, otherwise it is never reached
iptables -A FORWARD -s 192.168.0.0/24 -i eth0 -j DROP
# allow the LAN to initiate connections through the router ...
iptables -A FORWARD -i eth1 -j ACCEPT
# ... and let the replies back in. An unconditional "-o eth1 -j ACCEPT" would
# forward any WAN packet that reaches the router into the LAN
iptables -A FORWARD -o eth1 -m state --state established,related -j ACCEPT
# source-NAT LAN addresses for WAN communication (SNAT rather than MASQUERADE,
# because the WAN address is static)
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 123.123.123.122

# now say you have an HTTP server (port 80) in your internal LAN with IP
# 192.168.0.100. Forwarding the port to it takes two rules: the DNAT in the nat
# table and an ACCEPT in FORWARD. Forwarded packets never traverse INPUT, so
# opening port 80 in INPUT is not needed; it would only expose a web server
# running on the router itself
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.0.100:80
iptables -A FORWARD -i eth0 -p tcp --dport 80 -d 192.168.0.100 -j ACCEPT

# save the rules
iptables-save > /etc/iptables-rules
iptables rules can also route traffic to machines in a demilitarized zone (DMZ), a separate local subnet dedicated to hosts that provide services to the Internet, such as a dedicated HTTP or FTP server. For example, to route incoming HTTP requests to a dedicated HTTP server at 10.0.4.2 (outside the LAN's 192.168.0.0/24 range), add a DNAT rule to the PREROUTING chain of the nat table. The DNAT alone is not enough: the router also needs a route to the 10.0.4.0/24 network (an interface in it or a static route) and a FORWARD rule accepting the traffic, exactly as for the LAN port forward above.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.4.2:80
iptables-save > /etc/iptables-rules
Configure iproute2 for routing
OK, let's check the routes. You will have some defaults set already. The default route should point at 123.123.123.121 via eth0. Deleting the default route cuts any SSH session coming in over the WAN, so do this from the console or from the LAN side.
ip route ls
# if the default is different, let's change it
ip route del default
ip route add default via 123.123.123.121 dev eth0 metric 100
# nothing else should need to be done.
# if it doesn't work (for some reason it doesn't always like my metric), try this:
ip route add default via 123.123.123.121 dev eth0
# if something still doesn't work, you will need to troubleshoot here.
# contact me using the contact form with the output of the two commands below
# so that I can help you and also fix this manual
ip route ls
route
At this point you might also want to set up DNS and DHCP on your router. To do that, see the following manuals:
DNS Configuration Quick HowTo
DHCP Configuration Guide
Administration and port forwarding guide
You will surely want to open more ports to your internal servers. This is a quick guide on how to do that:
# forward port 443 to LAN IP 192.168.0.100: the DNAT in the nat table plus an
# ACCEPT in FORWARD. No INPUT rule is needed: forwarded traffic never traverses
# INPUT, and opening 443 there would only expose a service on the router itself
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 192.168.0.100:443
iptables -A FORWARD -i eth0 -p tcp --dport 443 -d 192.168.0.100 -j ACCEPT
iptables-save > /etc/iptables-rules
# to remove the forward again, repeat the same rules with -D
iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 192.168.0.100:443
iptables -D FORWARD -i eth0 -p tcp --dport 443 -d 192.168.0.100 -j ACCEPT
# to open port 53 on the router itself (e.g. for the DNS server from the manual
# above) without forwarding it anywhere. Insert (-I) so the rule lands before the
# INPUT catch-all DROP; DNS also needs UDP 53, so repeat the rule with -p udp
iptables -I INPUT -p tcp -m tcp --dport 53 -j ACCEPT
# to see all rules
iptables -L -vn
# to see all nat table rules
iptables -t nat -L -vn
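Added example, not from the post: an audit of an iptables-save dump for the two mistakes this guide makes easy to commit, a rule appended with -A after the INPUT catch-all DROP (it can never match) and an INPUT ACCEPT for a port that is only a DNAT target (it opens the router itself, not the forwarded server). The dump below is constructed to contain both; the function name and the finding labels are mine.

```shell
#!/bin/sh
# Added example (not from the original post): audit an iptables-save dump for
# (a) rules appended after a catch-all DROP/ACCEPT/REJECT in the same chain,
#     which can never match, and
# (b) INPUT ACCEPTs for ports that appear only as DNAT targets, which open the
#     router itself rather than the forwarded server.
# The dump below is constructed for the demo; function and label names are mine.

SAMPLE_SAVE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.100:80
-A POSTROUTING -o eth0 -j SNAT --to-source 123.123.123.122
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:SSHD - [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j SSHD
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -o eth1 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -i eth0 -j DROP
COMMIT'

# audit_rules < dump: print one line per finding, nothing when the dump is clean.
# A catch-all is a rule whose only option is "-j <terminal target>"; everything
# appended to that chain afterwards is reported. DNAT'd ports are collected from
# nat/PREROUTING and compared with INPUT ACCEPTs at the end.
audit_rules() {
    awk '
        /^\*/ { table = substr($0, 2); for (c in dead) delete dead[c] }
        /^-A / {
            chain = $2
            if (table == "filter") {
                if (chain in dead) { print "unreachable: " $0; next }
                if (NF == 4 && $3 == "-j" && ($4 == "DROP" || $4 == "ACCEPT" || $4 == "REJECT"))
                    dead[chain] = 1
                if (chain == "INPUT" && $NF == "ACCEPT")
                    for (i = 3; i < NF; i++) if ($i == "--dport") inport[$(i + 1)] = $0
            } else if (table == "nat" && chain == "PREROUTING" && /-j DNAT/) {
                for (i = 3; i < NF; i++) if ($i == "--dport") dnat[$(i + 1)] = 1
            }
        }
        END { for (p in dnat) if (p in inport) print "input-open-for-dnat-port: " inport[p] }
    '
}

# Run on the sample; on the router:  iptables-save | audit_rules
printf '%s\n' "$SAMPLE_SAVE" | audit_rules
```

On the sample it reports the 443 rule as unreachable and the port-80 INPUT ACCEPT as opening the router for a forwarded port; an empty result from iptables-save | audit_rules is what you want to see before saving the rules file.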
I want to thank the blogger very much, not only for this post but also for all his previous efforts. I found glonek.co.uk to be very interesting. I will be coming back to glonek.co.uk for more information.