Linux Router / NAT / Firewall

Intro, intermediate and advanced HOWTOs and discussion.
Post Reply
User avatar
Posts: 1688
Joined: Sun Jul 07, 2002 10:02 am
Location: any given

Linux Router / NAT / Firewall

Post by weazy » Sat Jun 21, 2003 2:25 pm

Among other things, Linux makes a great router. Some benefits of using Linux as a router instead of retail router from Best Buy, CompUSA etc.

1. more control
2. real firewall
3. logs
4. you get to use linux
5. no arbitrary limits on port forwarding
6. greater capacity
7. more sophisticated
[packet filtering, traffic monitoring, packet balancing, packet sniffing]

so now that you have an idea of the benefits I will give you a brief howto with scripts and sample config files

Linux Computer with: IPTABLES, DHCPD and SSH installed
[the more extras you have installed the more vuln u subject urself too]
2 NICs
Switch [i do mean a switch, not a hub and not a router/switch combo]

assuming you have linux installed with the above packages the key component is setting up your IPTABLES Firewall because you will use forwarding, prerouting which is essentially your router.

iptables router script including anti DDoS, DoS and FW Piercing Detection
written by Weazy

where p.p.p.p = public IP address

# setting up modules we neet to support NAT and add protocols with unordinary behavior
modprobe iptable_nat
modprobe ip_conntrack

#make sure packet forwarding enabled by kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

#flushing existing tables
iptables --flush

#enable connection tracking
iptables -I FORWARD -m state --state INVALID -j DROP
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

#allowing ssh to this machine
iptables -A INPUT -p tcp -i eth0 --dport ssh -j ACCEPT
iptables -A INPUT -p tcp -i eth1 --dport ssh -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --destination-port ssh -j DNAT --to p.p.p.p

#enable loopback
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT

# accept established connections
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

#defend against port scans and DDOS attacks
#dealing with packets w/o syn flags when they are new
iptables -A FORWARD -i eth0 -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "new no-SYN: "
iptables -A FORWARD -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ACK ACK -m state --state NEW -j LOG --log-prefix "New ACK: "

#enforcing TCP standards
iptables -A INPUT -p tcp --tcp-option \! 2 -j LOG --log-tcp-options --log-prefix "TCP standards not met: "
iptables -A INPUT -p tcp --tcp-option \! 2 -j REJECT --reject-with tcp-reset

#allowing all outbound traffic
iptables -A FORWARD --in-interface eth1 --out-interface eth0 -j ACCEPT

#rewrite all connections coming from private network to use eth0 addres and rewrite response

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source p.p.p.p

iptables -P INPUT DROP

This script assumes you are using eth0 for your public connection and eth1 for your private and that you are using for your subnet.

save this file as rc.firewall and then add rc.firewall to your startup script to initiate your firewall automatically on boot.

assuming that you will be using your firewall as a gateway and that the other machines are workstations, you will want to have a dhcpd server as well.

DHCPD Configuration
DHCP server config file: /etc/dhcpd.conf
DHCP server executable: /usr/sbin/dhcpd
Start DHCPD: /etc/rc.d/init.d/dhcpd start

dhcpd config:
where dx.dx.dx.dx = domain name servers

# sample dhcpd configuration
# allows assignment from .2 - .60
ddns-update-style ad-hoc;

subnet netmask { }

subnet netmask {
server-name "name";
default-lease-time 86400;
max-lease-time 186400;
get-lease-hostnames on;
option routers;
option ip-forwarding on;
option broadcast-address;
option subnet-mask;
option domain-name-servers d1.d1.d1.d1, d2.d2.d2.d2;


allow unknown-clients;
pool {
max-lease-time 186400;
allow unknown-clients;

then add any hostnames and IP addresses that will use IP addresses not being assigned by the dhcp server at /etc/hosts
i.e. any machine that will use an IP not in .2 - .60 range

with all this set, you simply plug your workstations into the switch and voila you have a linux router that can fully replace your retail router and gives you all the benefits of linux on a router. also, you can intercept all incoming and outgoing relay frames by sitting on the router and coping packet payloads -- that of course leads to passwords, email and IM msgs galore etc ....

i will post a script or two on how to parse traffic meaningfully sometime in the near future.
--The Devil is in the Details--

Post Reply