WelcomeWelcome | FAQFAQ | DownloadsDownloads | WikiWiki

Author Topic: Firewall/Router (iptables) pros requested!  (Read 2151 times)

Offline CentralWare

  • Retired Admins
  • Hero Member
  • *****
  • Posts: 760
Firewall/Router (iptables) pros requested!
« on: February 21, 2015, 03:45:06 AM »
I'm about to set up a slightly elaborate in-home IPtables which I'm going to need an extra brain or two to thoroughly think out.

TC running on a machine with 4GB, an onboard T-100 network interface (called "wan") and four GBe ports (called lan0, lan1, wifi0 and wifi1)
The goal here is to turn the machine into:
DHCP (dnsmasq) Server - easy
DNS (dnsmasq) Server - easy
TFTP (dnsmasq + bb-httpd) - easy
NFS (nfs-utils) Server - easy
SSH (dropbear) Server - easy
Firewall (iptables)
Router (iptables)

Mind you, it's 3am so I might be overly tired...  but I just can't wrap my head around the rule-set to implement this into iptables.

Networking:
1) boot code of nodhcp is being used
2) Using ifrename/iftab, ethX is being renamed as noted above and all interfaces are taken down
*) "wan" may have its MAC reassigned after being renamed (I find it helpful from time to time with the ISP.)
3) udhcpc is being called on "wan", all other ports are assigned static IPs of 10.0.0.25x/255.0.0.0 with ifconfig
*) I haven't completed the firewall/router yet, so routes for 10.0.0.25x are not yet assigned

lo - easy-peasy
lan0 is connected to a managed switch connecting to other servers on the local network.  All access to all networks is allowed.
lan1 is "reserved" for a later date but will be treated in a fashion similar to lan0
wifi0 is connected to a router feeding a group of devices NOT permitted to interact with the local network (internet only)
wifi0 also needs to have limitations implemented (drop all EXCEPT a specific list of TCP and/or UDP)
wifi1 is allowed local network and internet
wan needs to have DROP ALL INbound (unestablished) unless a rule specifies otherwise

What I'm guessing I should do is start off by utilizing a single port (lan0) and get things running as if it were the only NIC...  but something tells me there's a much simpler and/or more efficient method to my madness, I just haven't managed to wrap my brain around it yet.  Any thoughts would be truly appreciated!

Offline UART

  • Newbie
  • *
  • Posts: 7
Re: Firewall/Router (iptables) pros requested!
« Reply #1 on: March 11, 2016, 01:09:14 PM »
It's been some time now so I guess I'll consolidate my findings here, along with notes of my own. I know how it feels when you have to wait on experts for a nugget or two...

I found this site:
https://firewallengineer.wordpress.com/2013/08/12/tiny-core-linux-routing/

depicting a similar scenario.

Also, some things you may want to consider upon building such a system, based on my experience via direct-connect (PC>CblModem>Internet):

-DNS monitoring (It's plain text, however they LOVE injecting/intercepting queries)
-Buffer-overflow management
-Memory management (control data/structure corruption)
-Speed and Bandwidth management (because while downloading, you may experience attacks)
-Closing unwanted services/ports (you know this already;-)

I've seen them use DDoS, Pingsweep, telnet-23(favorite) ICMP-unreachable(favorite) and various UDP ports as well. Hardening against these you'll need a means of monitoring incoming traffic of all sorts, CPU powerhouse and ample amounts of RAM, but not too much. Best to use CD-ROM for your final image with a CDROM (not CDRW/DVDRW) drive, accompanied with a service-watchdog when using Core.img.

I also found that 32-bit systems perform well and have more resources at the tap than 64.  As of this writing DNS injection is hot again since GLIBCs CVE-2015-0235 oompF.

Mint is a major target right now, seeing they're #1 in the polls so thats where I'm at for now testing with tcpdump, wireshark and others, can be helpful.
I'm just trying to help.