Debian Linux Router
From Johns Hopkins Linux Users Group
Debian 4.0 R4 FireRouter Project
Updated: August 23, 2008
OS Preparation
System Configurations
Target System
- DELL Power Edge 2450, PERC 2D disconnected, SCSI hard disks, SCSI-IDE CDROM, 1GB RAM
- IO Gear KVM, DELL 170n FP LCD monitor
- WAN Integrated 10/100 Intel NIC [eth0]
- LAN Intel Gigabit NIC [eth1]
Test System
- HP Pavilion 753n, Pentium-4, IDE HD, 512MB RAM (integrated NIC burned out)
- IO Gear KVM, Multi-sync CRT
- WAN 10/100 Intel NIC [eth1]
- LAN Intel Gigabit NIC [eth2]
Note: On this system the Firewire IEEE 1394 interface is identified as [eth0] and is not used
Debian 4.0 R4 Installation
Note: Debian was selected for this project because it is the only Open Source/GNU distribution that works reliably on the DELL PE2450 server.
- Select the WAN network interface as the primary NIC for setup; use DHCP and current LAN gateway
- Unselect all software options in the initial tasksel
- After reboot, comment out the CDROM installation Source from /etc/apt/sources.list
- Update the aptitude package lists and install iproute, ssh and other goodies
aptitude update
aptitude install iproute
aptitude install ssh
aptitude install ulogd
aptitude install tofrodos
aptitude install tcpdump
aptitude autoclean
- Check the network interfaces with ifconfig
- [optional] Add PuTTY to a remote system for remote access to the new system.
Configure Ethernet Interfaces
Our test router will be installed on the LAN side of a consumer router at home for testing.
The consumer LAN is 192.168.0.0/24; this will be the WAN side of our test router. The LAN side of the test router will be 192.168.1.0/24.
Configuration Summary
LANIP = 192.168.1.1
WANIP = 192.168.0.63
WAN Gateway = 192.168.0.4 (consumer router LAN side interface)
DNSSVR = 192.168.0.85
- Edit the /etc/network/interfaces file
# Loopback Network Interface
auto lo
iface lo inet loopback
# WAN Primary Network Interface (the only interface that declares a gateway)
allow-hotplug eth1
iface eth1 inet static
    address 192.168.0.63
    netmask 255.255.255.0
    network 192.168.0.0
    broadcast 192.168.0.255
    gateway 192.168.0.4
    dns-nameservers 192.168.0.85
# LAN Network Interface
# No gateway line here: a second default route (and one pointing at eth2's own
# address) cannot be installed and stops eth2 from coming up cleanly.
allow-hotplug eth2
iface eth2 inet static
    address 192.168.1.1
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    dns-nameservers 192.168.0.85
See Virtual Network Interface for multiple IP address assignments to a single interface.
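As an added check (not from the page or its author), the following Python parses an ifupdown file like the one above and reports address, network, broadcast and gateway inconsistencies, including a default gateway declared on more than one interface; the sample text is constructed to mirror the page's values.

```python
import ipaddress
# Constructed sample mirroring the page's /etc/network/interfaces (not the page's own file); the gateway line under eth2 is the mistake to catch.
SAMPLE_INTERFACES = """
allow-hotplug eth1
iface eth1 inet static
    address 192.168.0.63
    netmask 255.255.255.0
    network 192.168.0.0
    broadcast 192.168.0.255
    gateway 192.168.0.4
allow-hotplug eth2
iface eth2 inet static
    address 192.168.1.1
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.1
"""
def parse_interfaces(text):
    # Return {iface: {option: value}} for every "iface NAME inet static" stanza.
    stanzas, current = {}, None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if words[:1] == ["iface"]:
            current = words[1] if words[3:4] == ["static"] else None
            if current:
                stanzas[current] = {}
        elif words[:1] in (["auto"], ["allow-hotplug"]):  # not part of a stanza
            current = None
        elif words and current:
            stanzas[current][words[0]] = " ".join(words[1:])
    return stanzas
def check_interfaces(text):
    # Return a list of address/network/broadcast/gateway problems in the static stanzas.
    problems, with_gateway = [], []
    for name, opts in parse_interfaces(text).items():
        net = ipaddress.IPv4Interface(f"{opts['address']}/{opts['netmask']}").network
        for key, want in (("network", net.network_address), ("broadcast", net.broadcast_address)):
            if key in opts and ipaddress.IPv4Address(opts[key]) != want:
                problems.append(f"{name}: {key} {opts[key]} should be {want}")
        gw = opts.get("gateway")
        if gw:
            with_gateway.append(name)
            if ipaddress.IPv4Address(gw) not in net:
                problems.append(f"{name}: gateway {gw} is outside {net}")
            elif gw == opts["address"]:
                problems.append(f"{name}: gateway {gw} is the interface's own address")
    if len(with_gateway) > 1:  # ifup installs one default route; a second one fails to come up
        problems.append("default gateway on more than one interface: " + ", ".join(with_gateway))
    return problems
```

Run `check_interfaces(open("/etc/network/interfaces").read())` on the router to check the real file; an empty list means the static stanzas are consistent.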
Create a Simple Firewall Test Script
This will set up a very promiscuous system to verify basic functionality. It is clearly not a secure configuration. We can live with this for now because we are testing on the inside of a consumer firewall.
- Create a file: /etc/init.d/firerouter.sh
Derived from the About Debian proxy.sh example
#!/bin/bash
IPT=/sbin/iptables
WANETH="eth1"
LANETH="eth2"
# To read the WAN address from the interface instead of hard-coding it:
# WANIP="`/sbin/ifconfig eth1 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
WANIP=192.168.0.63
# Load connection tracking, the FTP/IRC helpers and NAT
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
# Turn on routing between the interfaces
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Flush everything; INPUT and OUTPUT accept all (test setup only), FORWARD drops by default
$IPT -P INPUT ACCEPT
$IPT -F INPUT
$IPT -P OUTPUT ACCEPT
$IPT -F OUTPUT
$IPT -P FORWARD DROP
$IPT -F FORWARD
$IPT -t nat -F
# From the WAN, only replies to connections the LAN started may be forwarded in
$IPT -A FORWARD -i $WANETH -o $LANETH -m state --state ESTABLISHED,RELATED -j ACCEPT
# The LAN may go anywhere
$IPT -A FORWARD -i $LANETH -o $WANETH -j ACCEPT
# Hide LAN addresses behind the WAN address
$IPT -t nat -A POSTROUTING -o $WANETH -j MASQUERADE
- Script Installation
chmod 755 /etc/init.d/firerouter.sh
ln -s /etc/init.d/firerouter.sh /etc/rc2.d/S19firewall
Complete Firewall Script
This will set up a more complete firewall than the previous system. This script can probably be used to replace the consumer firewall device.
- Edit or Create a file: /etc/init.d/firerouter.sh
Derived from the About Debian firewall.sh example
#!/bin/bash
echo "PenguinFood.net FireRouter 1.1.3, Aug 22, 2008"
IPT=/sbin/iptables
WANETH="eth1"
WANIP="`/sbin/ifconfig eth1 |grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
#WANIP="24.126.60.160"
WANNET=$WANIP"/24"
echo "WAN IP = $WANIP, WAN NET = $WANNET"
# DMZ
LANETH2="eth2"
LANIP2="192.168.2.1"
LANNET2="192.168.2.0/24"
# Workstations LAN
LANETH3="eth3"
LANIP3="192.168.3.1"
LANNET3="192.168.3.0/24"
UNIVERSE="0.0.0.0/0"
UNPRIVPORTS="1024:65535"
PRIVPORTS="0:1023"
BCAST_SRC="0.0.0.0"
BCAST_DST="255.255.255.255"
# Specific Servers
MY_DNS="192.168.2.80"
MY_WWW="192.168.2.80"
MY_WIKI="192.168.2.81"
# Choke Firewalls
MY_LAN2="192.168.2.2"
MY_LAN3="192.168.3.2"
TORPORTS="6881:6889"
RDP3389="3389"
RDP3407="3407"
RDP9587="9587"
RDP9858="9858"
echo ".. modprobing"
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo ".. Resetting iptables policies"
$IPT -P INPUT DROP
$IPT -F INPUT
$IPT -P OUTPUT DROP
$IPT -F OUTPUT
$IPT -P FORWARD DROP
$IPT -F FORWARD
$IPT -t nat -F
$IPT -t filter -F
$IPT -X
$IPT -Z
echo ".. Clearing Logs"
:>/var/log/ulog/syslogemu.log
modprobe ipt_ULOG nlbufsiz=4096 flushtimeout=40
#### INPUT
echo ".. Configuring iptables INPUT Rules"
# Drop Log Spoofs
$IPT -A INPUT -i $WANETH -s $LANNET2 -d $UNIVERSE -j ULOG \
--ulog-prefix "SPOOF2" --ulog-nlgroup 1 --ulog-cprange 1 --ulog-qthreshold 1
$IPT -A INPUT -i $WANETH -s $LANNET2 -d $UNIVERSE -j DROP
$IPT -A INPUT -i $WANETH -s $LANNET3 -d $UNIVERSE -j ULOG \
--ulog-prefix "SPOOF3" --ulog-nlgroup 1 --ulog-cprange 1 --ulog-qthreshold 1
$IPT -A INPUT -i $WANETH -s $LANNET3 -d $UNIVERSE -j DROP
# Loopback can go anywhere
$IPT -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# Local Interface and LAN can go anywhere
# (the $ is required: iptables accepts a literal "LANETH2" as an interface name and the rule silently never matches)
$IPT -A INPUT -i $LANETH2 -s $LANNET2 -d $UNIVERSE -j ACCEPT
$IPT -A INPUT -i $LANETH3 -s $LANNET3 -d $UNIVERSE -j ACCEPT
# Remote Traffic can go to WAN IP Address
# Disabled: this rule accepts every new connection from the WAN to the router
# itself (SSH on port 22 included) before the state rule and the per-service
# rules below are reached. Expose individual services under "Services on the
# FireRouter" instead.
#$IPT -A INPUT -i $WANETH -s $UNIVERSE -d $WANIP -j ACCEPT
# Returning WAN MASQUERADE Traffic
$IPT -A INPUT -i $WANETH -s $UNIVERSE -d $WANIP \
-m state --state ESTABLISHED,RELATED -j ACCEPT
## Services on the FireRouter
# External SSH Service
#$IPT -A INPUT -i $WANETH -m state --state NEW,ESTABLISHED,RELATED \
# -p tcp -s $UNIVERSE -d $WANIP --dport 22 -j ACCEPT
# Internal SSH Service
$IPT -A INPUT -i $LANETH2 -m state --state NEW,ESTABLISHED,RELATED \
-p tcp -s $LANNET2 -d $LANIP2 --dport 22 -j ACCEPT
$IPT -A INPUT -i $LANETH3 -m state --state NEW,ESTABLISHED,RELATED \
-p tcp -s $LANNET3 -d $LANIP3 --dport 22 -j ACCEPT
# Ping
$IPT -A INPUT -i $LANETH2 -m state --state NEW,ESTABLISHED,RELATED \
-p icmp -j ACCEPT
$IPT -A INPUT -i $LANETH3 -m state --state NEW,ESTABLISHED,RELATED \
-p icmp -j ACCEPT
# DNS
$IPT -A INPUT -i $LANETH2 -p udp -s $LANNET2 --sport $UNPRIVPORTS \
-d $LANIP2 --dport 53 -j ACCEPT
$IPT -A INPUT -i $LANETH2 -p udp -s $LANNET2 --sport 53 \
-d $LANIP2 --dport $UNPRIVPORTS -j ACCEPT
$IPT -A INPUT -i $LANETH3 -p udp -s $LANNET3 --sport $UNPRIVPORTS \
-d $LANIP3 --dport 53 -j ACCEPT
$IPT -A INPUT -i $LANETH3 -p udp -s $LANNET3 --sport 53 \
-d $LANIP3 --dport $UNPRIVPORTS -j ACCEPT
# DHCP with ISP
$IPT -A INPUT -i $WANETH -p udp -s $BCAST_SRC --sport 68 \
-d $BCAST_DST --dport 67 -j ACCEPT
$IPT -A INPUT -i $WANETH -p udp -s $BCAST_SRC --sport 67 \
-d $BCAST_DST --dport 68 -j ACCEPT
$IPT -A OUTPUT -o $WANETH -p udp -s $BCAST_SRC --sport 68 \
-d $BCAST_DST --dport 67 -j ACCEPT
$IPT -A INPUT -i $LANETH2 -p tcp -s $MY_LAN2 --sport $UNPRIVPORTS \
-d $UNIVERSE --dport 14555 -j ACCEPT
## Drop Log catch all else
$IPT -A INPUT -s $UNIVERSE -d $UNIVERSE -j ULOG \
--ulog-prefix "INPUT*DROP" --ulog-nlgroup 1 --ulog-cprange 48 --ulog-qthreshold 1
$IPT -A INPUT -s $UNIVERSE -d $UNIVERSE -j DROP
#### OUTPUT
echo ".. Configuring iptables OUTPUT rules"
# Drop Log: Stuffed Routing = Outbound LAN traffic on WAN interface
$IPT -A OUTPUT -o $WANETH -s $UNIVERSE -d $LANNET2 -j ULOG \
--ulog-prefix "OUTPUT-STUFF2" --ulog-nlgroup 1 --ulog-cprange 1 --ulog-qthreshold 1
$IPT -A OUTPUT -o $WANETH -s $UNIVERSE -d $LANNET2 -j DROP
$IPT -A OUTPUT -o $WANETH -s $UNIVERSE -d $LANNET3 -j ULOG \
--ulog-prefix "OUTPUT-STUFF3" --ulog-nlgroup 1 --ulog-cprange 1 --ulog-qthreshold 1
$IPT -A OUTPUT -o $WANETH -s $UNIVERSE -d $LANNET3 -j DROP
# Loopback can go anywhere
$IPT -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# Local Interface to LAN, from WAN or LAN IP addresses
$IPT -A OUTPUT -o $LANETH2 -s $WANIP -d $LANNET2 -j ACCEPT
$IPT -A OUTPUT -o $LANETH3 -s $WANIP -d $LANNET3 -j ACCEPT
$IPT -A OUTPUT -o $LANETH2 -s $LANIP2 -d $LANNET2 -j ACCEPT
$IPT -A OUTPUT -o $LANETH3 -s $LANIP3 -d $LANNET3 -j ACCEPT
# (-o takes an interface name, not an address: "-o $WANIP" would never match)
$IPT -A OUTPUT -o $WANETH -s $LANIP3 -j ACCEPT
$IPT -A OUTPUT -o $WANETH -s $LANIP2 -j ACCEPT
# WAN Traffic on WAN Interface can go anywhere
$IPT -A OUTPUT -o $WANETH -s $WANIP -d $UNIVERSE -j ACCEPT
# Drop Log catch all else
$IPT -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j ULOG \
--ulog-prefix "OUTPUT*DROP" --ulog-nlgroup 1 --ulog-cprange 1 --ulog-qthreshold 1
$IPT -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j DROP
echo ".. Configuring iptables FORWARD Rules and NAT"
# Allow Only existing back In
$IPT -A FORWARD -i $WANETH -o $LANETH2 \
-m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $WANETH -o $LANETH3 \
-m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow All LAN Forward Combinations
$IPT -A FORWARD -i $LANETH2 -j ACCEPT
$IPT -A FORWARD -i $LANETH3 -j ACCEPT
## Forward Inbound Traffic to Specific Services
# DHCP from ISP (needed unless we have a Static WAN IP address)
$IPT -A FORWARD -i $WANETH -p udp --sport 67 \
-d $WANIP --dport 68 -j ACCEPT
## DNS
# DNS to LAN3 (users)
$IPT -A FORWARD -i $WANETH -o $LANETH3 -p udp --sport $UNPRIVPORTS \
-d $MY_LAN3 --dport 53 -j ACCEPT
# DNS to LAN2 (DMZ - including our DNS Server)
$IPT -A FORWARD -i $WANETH -o $LANETH2 -p udp --sport $UNPRIVPORTS \
-d $LANNET2 --dport 53 -j ACCEPT
# Other Specific Services
$IPT -A FORWARD -i $WANETH -o $LANETH2 -p tcp --sport $UNPRIVPORTS \
-d $MY_WWW --dport 80 -j ACCEPT
$IPT -A FORWARD -i $WANETH -o $LANETH2 -p tcp --sport $UNPRIVPORTS \
-d $MY_WIKI --dport 81 -j ACCEPT
### Diagnostics Override, DROP is the default
# $IPT -A FORWARD -i $WANETH -o $LANETH3 -j ACCEPT
# $IPT -A FORWARD -i $WANETH -o $LANETH2 -j ACCEPT
$IPT -t nat -A POSTROUTING -o $WANETH -j SNAT --to $WANIP
#$IPT -t nat -A POSTROUTING -o $WANETH -j MASQUERADE
$IPT -t nat -A PREROUTING -i $WANETH -p tcp --sport $UNPRIVPORTS \
-d $WANIP --dport 80 -j DNAT --to-destination $MY_WWW
$IPT -t nat -A PREROUTING -i $WANETH -p tcp --sport $UNPRIVPORTS \
-d $WANIP --dport 81 -j DNAT --to-destination $MY_WIKI
$IPT -t nat -A PREROUTING -i $WANETH -p udp --sport $UNPRIVPORTS \
-d $WANIP --dport 53 -j DNAT --to-destination $MY_DNS
# Alex's TORRENT
$IPT -A FORWARD -i $WANETH -o $LANETH2 -p tcp --sport $UNPRIVPORTS \
-d $MY_LAN2 --dport 14555 -j ACCEPT
$IPT -t nat -A PREROUTING -i $WANETH -p tcp \
-d $WANIP --dport 14555 -j DNAT --to-destination $MY_LAN2
# Web Server RDP
$IPT -A FORWARD -i $WANETH -o $LANETH2 -p tcp --sport $UNPRIVPORTS \
-d $MY_WWW --dport $RDP3407 -j ACCEPT
$IPT -t nat -A PREROUTING -i $WANETH -p tcp --sport $UNPRIVPORTS \
-d $WANIP --dport $RDP3407 -j DNAT --to-destination $MY_WWW
$IPT -A FORWARD -i $WANETH -o $LANETH3 -p tcp --sport $UNPRIVPORTS \
-d $MY_LAN3 --dport $RDP9587 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LANETH3 -p tcp --sport $UNPRIVPORTS \
-d $LANIP3 --dport $RDP3389 -j DNAT --to-destination $MY_LAN3
$IPT -t nat -A PREROUTING -i $LANETH2 -p tcp --sport $UNPRIVPORTS \
-d $LANIP2 --dport $RDP3389 -j DNAT --to-destination $MY_LAN3
$IPT -t nat -A PREROUTING -i $WANETH -p tcp --sport $UNPRIVPORTS \
-d $WANIP --dport $RDP9587 -j DNAT --to-destination $MY_LAN3
$IPT -A FORWARD -s $UNIVERSE -d $UNIVERSE -j ULOG \
--ulog-prefix "FORWARD*DROP" --ulog-nlgroup 1 --ulog-cprange 1 --ulog-qthreshold 1
$IPT -A FORWARD -s $UNIVERSE -d $UNIVERSE -j DROP
echo "FireRouter Configuration Completed!"
- View the Dropped Packet Logs created by ulog
tail -f /var/log/ulog/syslogemu.log
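As an added example (not from the page or its author), the following Python summarizes the ulogd drop log by the --ulog-prefix values used in the script above and, where the line carries addresses, by source, protocol and destination port; the log lines are constructed, in the kernel-LOG-like key=value form that ulogd's SYSLOG emulation writes.

```python
import re
from collections import Counter

# Constructed sample lines (not from the page's router) in the kernel-LOG-like
# key=value form that ulogd's SYSLOG emulation writes. The SPOOF2 line has no
# SRC/DST because the page's spoof rules copy only one byte (--ulog-cprange 1).
SAMPLE_LOG = """\
Aug 23 10:15:02 firerouter INPUT*DROP IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.168.0.63 LEN=60 TOS=00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=51512 DPT=22 WINDOW=5840 SYN URGP=0
Aug 23 10:15:03 firerouter INPUT*DROP IN=eth1 OUT= SRC=203.0.113.9 DST=192.168.0.63 LEN=60 TOS=00 PREC=0x00 TTL=52 ID=4712 DF PROTO=TCP SPT=51513 DPT=23 WINDOW=5840 SYN URGP=0
Aug 23 10:15:10 firerouter SPOOF2 IN=eth1 OUT=
Aug 23 10:16:40 firerouter FORWARD*DROP IN=eth1 OUT=eth2 SRC=198.51.100.7 DST=192.168.2.80 LEN=48 PROTO=TCP SPT=40001 DPT=445
Aug 23 10:17:01 firerouter INPUT*DROP IN=eth1 OUT= SRC=203.0.113.9 DST=192.168.0.63 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=3
"""

# timestamp, hostname, the --ulog-prefix text (may be empty), then the IN=... fields
LINE_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) (\S+) +(.*?) ?(IN=.*)$")

def parse_ulog_line(line):
    """Return {'time', 'prefix', KEY: VALUE, ...} for one log line, or None if it
    is not a ULOG record. Flag tokens without '=' (DF, SYN) are stored as True."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    stamp, _host, prefix, rest = m.groups()
    rec = {"time": stamp, "prefix": prefix}
    for tok in rest.split():
        key, eq, val = tok.partition("=")
        rec[key] = val if eq else True
    return rec

def summarize_drops(text):
    """Count records per prefix, and per (prefix, SRC, PROTO, DPT-or-ICMP-TYPE)
    for records that carry addresses. Returns (by_prefix, by_flow) Counters."""
    by_prefix, by_flow = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_ulog_line(line)
        if rec is None:
            continue
        by_prefix[rec["prefix"]] += 1
        if "SRC" in rec:   # absent when --ulog-cprange is too small to hold the IP header
            port = rec.get("DPT", rec.get("TYPE"))
            by_flow[(rec["prefix"], rec["SRC"], rec.get("PROTO"), port)] += 1
    return by_prefix, by_flow
```

Feed it `open("/var/log/ulog/syslogemu.log").read()` on the router; a prefix whose records never carry SRC/DST is a sign that its rule's --ulog-cprange is too small to be useful.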
Traffic Control Script
Aug 23, 2008: The following script uses tc to divide the bandwidth shared by the two LANs.
#!/bin/bash
echo "Fire Controller firectrl.sh"
echo "Aug 20, 2008 rev 0.0.8"
####
WANETH1="eth1"
WAN="0.0.0.0/0"
LANETH2="eth2"
LAN2="192.168.2.0/24"
LANETH3="eth3"
LAN3="192.168.3.0/24"
####
echo "+ Creating root qdisc and root class for ethx"
tc qdisc del root dev $WANETH1
tc qdisc del root dev $LANETH2
tc qdisc del root dev $LANETH3
tc qdisc add dev $WANETH1 root handle 10: cbq bandwidth 100Mbit avpkt 1000
tc qdisc add dev $LANETH2 root handle 20: cbq bandwidth 100Mbit avpkt 1000
tc qdisc add dev $LANETH3 root handle 30: cbq bandwidth 100Mbit avpkt 1000
####
echo "+ Adding Root Classes"
tc class add dev $WANETH1 parent 10:0 classid 10:1 cbq bandwidth 100Mbit \
    rate 100Mbit allot 1514 weight 10Mbit prio 8 maxburst 20 avpkt 1000
tc class add dev $LANETH2 parent 20:0 classid 20:1 cbq bandwidth 100Mbit \
    rate 100Mbit allot 1514 weight 10Mbit prio 8 maxburst 20 avpkt 1000
tc class add dev $LANETH3 parent 30:0 classid 30:1 cbq bandwidth 100Mbit \
    rate 100Mbit allot 1514 weight 10Mbit prio 8 maxburst 20 avpkt 1000
####
echo "+ Adding Flow Classes"
# 100% for WAN
tc class add dev $WANETH1 parent 10:1 classid 10:100 cbq bandwidth 100Mbit \
    rate 20Mbit allot 1514 weight 2Mbit prio 5 maxburst 20 avpkt 1000 bounded
# Up to 4Mbps for LAN2
tc class add dev $LANETH2 parent 20:1 classid 20:100 cbq bandwidth 100Mbit \
    rate 4Mbit allot 1514 weight 1Mbit prio 5 maxburst 20 avpkt 1000 bounded
# Up to 12Mbps for LAN3
tc class add dev $LANETH3 parent 30:1 classid 30:100 cbq bandwidth 100Mbit \
    rate 12Mbit allot 1514 weight 1Mbit prio 5 maxburst 20 avpkt 1000 bounded
echo "+ Adding SFQs"
tc qdisc add dev $WANETH1 parent 10:100 sfq quantum 1514b perturb 15
tc qdisc add dev $LANETH2 parent 20:100 sfq quantum 1514b perturb 15
tc qdisc add dev $LANETH3 parent 30:100 sfq quantum 1514b perturb 15
echo "+ Adding Filters"
tc filter add dev $WANETH1 parent 10:0 protocol ip prio 5 u32 match ip \
    dst $WAN flowid 10:100
tc filter add dev $LANETH2 parent 20:0 protocol ip prio 5 u32 match ip \
    dst $LAN2 flowid 20:100
tc filter add dev $LANETH3 parent 30:0 protocol ip prio 5 u32 match ip \
    dst $LAN3 flowid 30:100
About the Author - Arnold
The author is a Linux novice who uses wikis for taking notes for his projects.