Iron_DragonLord Apprentice
Joined: 04 Nov 2004 Posts: 273
Posted: Sun Mar 27, 2005 7:18 pm Post subject: Old PC as server/router with iptables.. settings&problem
I have an old 500 MHz PC acting as a server, and also as a gateway for my PC, which the server then wirelessly connects to my WRT54G. But going through two firewalls is annoying so I DMZed the server after setting it up.
Here's my setup:
eth0 is LAN
wlan0 is to the router (then the internet)
Code:
# Generated by iptables-save v1.2.11 on Sun Mar 27 11:42:50 2005
*nat
:PREROUTING ACCEPT [17273:1269113]
:POSTROUTING ACCEPT [131095:7865583]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
# Completed on Sun Mar 27 11:42:50 2005
# Generated by iptables-save v1.2.11 on Sun Mar 27 11:42:50 2005
*mangle
:PREROUTING ACCEPT [27887948:15007848530]
:INPUT ACCEPT [4342229:733736484]
:FORWARD ACCEPT [23540237:14273436302]
:OUTPUT ACCEPT [6190102:6594934936]
:POSTROUTING ACCEPT [29798048:20869726360]
COMMIT
# Completed on Sun Mar 27 11:42:50 2005
# Generated by iptables-save v1.2.11 on Sun Mar 27 11:42:50 2005
*filter
:INPUT DROP [1025:259188]
:FORWARD ACCEPT [64:4576]
:OUTPUT ACCEPT [12923:5535083]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 81 -j ACCEPT
-A INPUT -d 192.168.0.0/255.255.255.0 -j ACCEPT
-A INPUT -s 192.168.1.1 -j ACCEPT
-A FORWARD -s 192.168.0.0/255.255.0.0 -i eth0 -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i wlan0 -j ACCEPT
COMMIT
# Completed on Sun Mar 27 11:42:50 2005
I originally followed the "Home Router How-To" guide, but I was displeased with the way it worked compared to my router. My goal was to make my server identical to my router, only way better. (I prefer dropping packets and being stealthy to returning that the port is closed.)
So I set the INPUT default policy to DROP; my first and obvious problem was that this didn't even allow traffic to flow back to my PC (the one connecting through it), so things like Firefox stopped working, of course.
I found the solution for this to be simple (but took me a while to figure it out). This solved it:
-A INPUT -d 192.168.0.0/255.255.255.0 -j ACCEPT
That was solved, and as far as I could tell, made my server almost just as good as the router was, security wise. But there's a few problems.
I couldn't get my server to resolve names. I tried accepting traffic on port 53 on both protocols, no luck. I half-assedly tried searching Google for what DNS uses, but that was a pain with irrelevant results and all, so in the end I used the cheap solution of just accepting INPUT from the router (since it acts as a DNS server).
-A INPUT -s 192.168.1.1 -j ACCEPT
So far, that's my main problem, although there might be more that are similar. I guess it's a bit "too secure". How can I resolve names other than my method? What other problems might I run into? Any tips?
Thanks.
Edit: I just remembered another problem. I can ping servers, but iptables won't accept the packets back, so it considers them lost.
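As an added example (not the poster's configuration or any project's own code), here is a stateful rewrite of the ruleset above that addresses both problems in the post: DNS answers from the router and ICMP echo replies are let back in by a single ESTABLISHED,RELATED rule instead of a blanket accept for 192.168.1.1. It assumes the same interfaces (eth0 LAN, wlan0 to the WRT54G, LAN net 192.168.0.0/24) and additionally tightens FORWARD to a DROP policy; gen_rules only prints an iptables-restore file, so it runs without root.

```shell
#!/bin/sh
# Added example (not from the original post). Stateful version of the
# thread's ruleset: eth0 = LAN, wlan0 = uplink to the WRT54G (192.168.1.1).
# gen_rules only prints an iptables-restore file; apply it with:
#   gen_rules | iptables-restore
LAN_IF=eth0
WAN_IF=wlan0
LAN_NET=192.168.0.0/24

gen_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to what the box itself sent (DNS answers from the router, ICMP
# echo replies, TCP handshake completions) match ESTABLISHED/RELATED, so
# no blanket "-s 192.168.1.1" or "-d 192.168.0.0/24" accept is needed.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 81 -j ACCEPT
# Unsolicited packets on wlan0 fall through to the DROP policy (stealth).
# Routed traffic: the LAN may open connections outward; only replies return.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# Lint: read iptables-save output on stdin and succeed only if the INPUT
# chain has a stateful accept. The poster's dump fails this check, which is
# exactly why DNS answers and ping replies were being dropped.
check_state_rule() {
    grep -q -E '^-A INPUT .*--(state|ctstate) [A-Z,]*ESTABLISHED'
}

# Usage on a live box:
#   iptables-save | check_state_rule || echo "INPUT lacks an ESTABLISHED,RELATED rule"
```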
stevets n00b
Joined: 27 Mar 2005 Posts: 3
Posted: Sun Mar 27, 2005 9:48 pm Post subject:
I tried setting up a firewall/router using Gentoo but gave up when I found http://www.ipcop.org
Just a suggestion if you want a firewall/router that just works, has ssh access, web proxy, intrusion detection and some other stuff.
In a world without doors who needs Windows?
Iron_DragonLord Apprentice
Joined: 04 Nov 2004 Posts: 273
Posted: Wed Mar 30, 2005 6:49 pm Post subject:
Hmm, that's pretty neat, might come in handy for another pc. Thanks though.
Anyone got any other ideas?
WarMachine Apprentice
Joined: 15 Jul 2002 Posts: 181
Posted: Wed Mar 30, 2005 7:10 pm Post subject:
I also tried to write my own firewall rules but changed my mind in favor of frontends to iptables, for ease of setup and more comprehensive security. There were so many things frontends cover that I wouldn't have thought to write into my own script. A popular frontend is shorewall. I prefer ipkungfu because it was *very* easy to set up and because it restricts outgoing traffic best for my setup (that is, very little). Do some searching to get more opinions on different packages.
To Veteran
Joined: 12 Apr 2003 Posts: 1145 Location: Coimbra, Portugal
Posted: Wed Mar 30, 2005 7:12 pm Post subject:
Did you take a look at shorewall? It's a simple tool that allows you to use more than 1 device:
Code:
gandalf ~ # emerge -s shorewall
Searching...
[ Results for search key : shorewall ]
[ Applications found : 1 ]
* net-firewall/shorewall
Latest version available: 2.2.2
Latest version installed: 2.2.2
Size of downloaded files: 2,610 kB
Homepage: http://www.shorewall.net/
Description: Full state iptables firewall
License: GPL-2
gandalf ~ #
I use it to get the rules and then optimize.
Tó
------------------------------------------------
Linux Gandalf 3.2.35-grsec
Gentoo Base System version 2.2
------------------------------------------------