#1 | Newb Techie | Join Date: Sep 2004 | Posts: 12
Linux Router / NAT / Firewall

Among other things, Linux makes a great router. Some benefits of using Linux as a router instead of a retail router from Best Buy, CompUSA etc.:

1. more control
2. real firewall
3. logs
4. you get to use Linux
5. no arbitrary limits on port forwarding
6. greater capacity
7. more sophisticated [packet filtering, traffic monitoring, packet balancing, packet sniffing]

So now that you have an idea of the benefits, I will give you a brief howto with scripts and sample config files.

Equipment:
- Linux computer with IPTABLES, DHCPD and SSH installed [the more extras you have installed, the more vulnerabilities you subject yourself to]
- 2 NICs
- Switch [I do mean a switch, not a hub and not a router/switch combo]

Assuming you have Linux installed with the above packages, the key component is setting up your IPTABLES firewall, because you will use forwarding and prerouting, which is essentially your router.

iptables router script including anti-DDoS, DoS and FW piercing detection, written by Weazy, where p.p.p.p = public IP address:

#!/bin/sh
# rc.firewall

# setting up modules we need to support NAT and add protocols with unordinary behavior
# (on current kernels the conntrack module is called nf_conntrack and both modules load
# automatically when the first rule is added, so a failed modprobe here is harmless)
modprobe iptable_nat
modprobe ip_conntrack

# make sure packet forwarding is enabled by the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

# flushing existing tables (--flush alone only clears the filter table;
# the nat table has to be flushed separately or old NAT rules survive a reload)
iptables --flush
iptables -t nat --flush

# enable connection tracking: drop packets that belong to no known connection and
# accept the rest of already-established connections. Both are inserted at the top of
# FORWARD, so the RELATED,ESTABLISHED rule ends up first.
iptables -I FORWARD -m state --state INVALID -j DROP
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# allowing ssh to this machine from both sides
iptables -A INPUT -p tcp -i eth0 --dport ssh -j ACCEPT
iptables -A INPUT -p tcp -i eth1 --dport ssh -j ACCEPT
# DNAT of public-side ssh to the router's own public address is a no-op (the INPUT rule
# above already accepts it); point --to at an inside host if you want ssh forwarded
# there, and then also allow that traffic in FORWARD
iptables -t nat -A PREROUTING -i eth0 -p tcp --destination-port ssh -j DNAT --to p.p.p.p

# enable loopback
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT

# accept established connections (replies to the router's own outbound traffic)
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# defend against port scans and DDOS attacks
# dealing with packets w/o SYN flags when they are new (ACK/FIN/NULL scans, hijack attempts)
iptables -A FORWARD -i eth0 -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "new no-SYN: "
iptables -A FORWARD -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ACK ACK -m state --state NEW -j LOG --log-prefix "New ACK: "

# enforcing TCP standards: TCP option 2 is MSS, which is only carried in SYN segments, so
# in practice this resets non-SYN packets that none of the rules above accepted.
# Current iptables wants the negation in front of the option (! --tcp-option 2).
iptables -A INPUT -p tcp ! --tcp-option 2 -j LOG --log-tcp-options --log-prefix "TCP standards not met: "
iptables -A INPUT -p tcp ! --tcp-option 2 -j REJECT --reject-with tcp-reset

# allowing all outbound traffic from the private network
iptables -A FORWARD --in-interface eth1 --out-interface eth0 -j ACCEPT

# rewrite all connections coming from the private network to use the eth0 address
# and rewrite responses appropriately
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source p.p.p.p

# everything not matched above is dropped. FORWARD needs a DROP policy too, otherwise its
# default ACCEPT lets new connections through from eth0 towards the inside.
# dhcpd listens on a raw packet socket and keeps working behind this policy; anything
# else the LAN should reach on the router itself (DNS, ping) needs its own -i eth1 ACCEPT rule.
iptables -P INPUT DROP
iptables -P FORWARD DROP

This script assumes you are using eth0 for your public connection and eth1 for your private one, and that you are using 192.168.0.0 for your subnet. Save this file as rc.firewall and then add rc.firewall to your startup script to initiate your firewall automatically on boot.

Assuming that you will be using your firewall as a gateway and that the other machines are workstations, you will want to have a dhcpd server as well.

DHCPD Configuration

DHCP server config file: /etc/dhcpd.conf
DHCP server executable: /usr/sbin/dhcpd
Start DHCPD: /etc/rc.d/init.d/dhcpd start

dhcpd config, where dx.dx.dx.dx = domain name servers:

# sample dhcpd configuration
# allows assignment from .2 - .60
# (the "ad-hoc" update style is no longer accepted by dhcpd; "none" turns dynamic DNS off)
ddns-update-style none;

# empty declaration for the public-side subnet so dhcpd does not refuse to start
# because eth0 has no subnet it knows about (put your real public network here, or
# start dhcpd with "dhcpd eth1" so it only listens on the private side)
subnet 132.236.243.0 netmask 255.255.255.0 {
}

subnet 192.168.0.0 netmask 255.255.255.0 {
  server-name "name";
  default-lease-time 86400;
  max-lease-time 186400;
  get-lease-hostnames on;
  # the router's eth1 address (assumed to be 192.168.0.1); it must be a real address
  # on this subnet, not the broadcast address, or clients get no usable default gateway
  option routers 192.168.0.1;
  option ip-forwarding on;
  option broadcast-address 192.168.0.255;
  option subnet-mask 255.255.255.0;
  option domain-name-servers d1.d1.d1.d1, d2.d2.d2.d2;

  # the pool belongs inside the subnet; declare the range once, here,
  # not a second time at subnet level
  allow unknown-clients;
  pool {
    max-lease-time 186400;
    range 192.168.0.2 192.168.0.60;
    allow unknown-clients;
  }
}

Then add any hostnames and IP addresses that will use IP addresses not being assigned by the DHCP server to /etc/hosts, i.e. any machine that will use an IP not in the .2 - .60 range.

With all this set, you simply plug your workstations into the switch and voila, you have a Linux router that can fully replace your retail router and gives you all the benefits of Linux on a router.

Also, you can intercept all incoming and outgoing relayed frames by sitting on the router and copying packet payloads -- that of course leads to passwords, email and IM msgs galore etc. ....

kartook
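The script above logs with three --log-prefix strings ("new no-SYN: ", "New ACK: ", "TCP standards not met: "), and benefit #3 of the post is "logs". Here is what a practitioner does with them next: an added example (not code from the post or from Weazy's script) that parses the kernel's netfilter LOG records and summarises them per source address, flagging sources that probed many distinct ports, which is what an ACK or FIN scan caught by the no-SYN rule looks like. It assumes the standard netfilter LOG field layout (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=) following the prefix; the sample lines are constructed for the demo, and 198.51.100.7 stands in for the router's public address p.p.p.p.

```python
"""Summarise the kernel LOG lines produced by rc.firewall's LOG rules.

Added example, not from the original post. Assumes the standard netfilter
LOG record format after the --log-prefix string. SAMPLE_LOG is constructed;
198.51.100.7 is a stand-in for the router's public address p.p.p.p.
"""
import re
from collections import defaultdict

# The --log-prefix strings used in rc.firewall (trailing ": " included).
PREFIXES = ("new no-SYN: ", "New ACK: ", "TCP standards not met: ")

# key=value tokens of a netfilter LOG record; bare flags such as DF, ACK, SYN
# carry no "=" and are skipped on purpose.
_KV = re.compile(r"(\w+)=(\S*)")

# Constructed sample: an ACK scan of six ports relayed towards an inside host
# (logged by the FORWARD no-SYN rule), one option-less segment aimed at the
# router itself (logged by the INPUT rule), and an unrelated sshd line.
SAMPLE_LOG = """\
Jan  5 03:12:01 gw kernel: new no-SYN: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.168.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40000 DPT=21 WINDOW=1024 RES=0x00 ACK URGP=0
Jan  5 03:12:01 gw kernel: new no-SYN: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.168.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 ACK URGP=0
Jan  5 03:12:01 gw kernel: new no-SYN: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.168.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=1024 RES=0x00 ACK URGP=0
Jan  5 03:12:02 gw kernel: new no-SYN: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.168.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40003 DPT=25 WINDOW=1024 RES=0x00 ACK URGP=0
Jan  5 03:12:02 gw kernel: new no-SYN: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.168.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40004 DPT=80 WINDOW=1024 RES=0x00 ACK URGP=0
Jan  5 03:12:02 gw kernel: new no-SYN: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.168.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40005 DPT=443 WINDOW=1024 RES=0x00 ACK URGP=0
Jan  5 03:12:04 gw kernel: TCP standards not met: IN=eth0 OUT= SRC=203.0.113.44 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=3 DF PROTO=TCP SPT=55555 DPT=22 WINDOW=512 RES=0x00 SYN URGP=0
Jan  5 03:12:09 gw sshd[812]: Accepted publickey for admin from 192.168.0.10 port 51000 ssh2
""".splitlines()


def parse_log_line(line):
    """Return (prefix_without_colon, {field: value}) for a line carrying one of
    the script's log prefixes, or None for any other line."""
    for prefix in PREFIXES:
        idx = line.find(prefix)
        if idx != -1:
            fields = dict(_KV.findall(line[idx + len(prefix):]))
            return prefix.strip(": "), fields
    return None


def count_by_prefix(lines):
    """How many times each LOG rule fired."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is not None:
            counts[parsed[0]] += 1
    return dict(counts)


def find_scanners(lines, min_ports=5):
    """Map source IP -> sorted distinct destination ports it was logged against,
    keeping only sources that touched at least min_ports ports (a scan, not a
    single stray packet)."""
    ports = defaultdict(set)
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        fields = parsed[1]
        if fields.get("PROTO") != "TCP" or "SRC" not in fields or "DPT" not in fields:
            continue
        ports[fields["SRC"]].add(int(fields["DPT"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    # With the real router: python3 fwlog.py < /var/log/messages
    import sys
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG
    print("rule hits:", count_by_prefix(lines))
    for src, dports in find_scanners(lines).items():
        print(f"possible scan from {src}: ports {dports}")
```

The threshold of five distinct ports is a starting point, not a rule; a single non-SYN packet is usually a late retransmission from a connection the tracker already forgot, which is why one hit alone is not reported. Note that an "IN=eth0 OUT=" record comes from the INPUT chain (the packet was for the router itself) while "IN=eth0 OUT=eth1" is FORWARD traffic bound for a workstation.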