Maxwell (Tux's lil' helper), Joined: 10 Dec 2003, Posts: 97
Posted: Mon Jun 26, 2006 9:56 pm, Post subject: Stripped down server for ADSL gateway+router+firewall
Hi!
I'm currently setting up a small Gentoo server to serve my small home network. The idea is to use a Pentium to manage the ADSL link through my ADSL USB modem (I think it's done), route everything inside my LAN, use NAT and have a DHCP server to set up the IPs automagically.
Code:
```
 _____         ___________         ______
| USB |       |           |       |      |
|MODEM| <---> | ppp0  eth0| <---> |SWITCH| <---> other pcs
|_____|       |___________|       |______|
```
By now I have the modem working. I'm a complete newbie with iptables, but I think I might have a good script to set it up. What isn't working, for now, is DHCP with dnsmasq (already tried DHCP from ISC, with no luck) with my notebook (Window$ XP)....
The notebook sends the requests but it doesn't receive the answers that the server is sending to it!
Any ideas?
_________________
Freedom works. Use it! Linux, by Gentoo

think4urs11 (Bodhisattva), Joined: 25 Jun 2003, Posts: 6659, Location: above the cloud
Posted: Mon Jun 26, 2006 10:01 pm
dhcp-authoritative in /etc/dnsmasq.conf is set?
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself

Maxwell (Tux's lil' helper), Joined: 10 Dec 2003, Posts: 97
Posted: Mon Jun 26, 2006 10:23 pm
Nope, I didn't, but after the change I tried and I got:
Quote:
```
dnsmasq: started, version 2.32 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt no-ISC-leasefile no-DBus no-I18N
dnsmasq: DHCP, IP range 192.168.X.X -- 192.168.X.X, lease time 12h
dnsmasq: reading /etc/resolv.conf
dnsmasq: using nameserver 192.168.X.X#53
dnsmasq: read /etc/hosts - 2 addresses
dnsmasq: DHCPDISCOVER(eth0) X.X.X.X AA:AA:AA:AA:AA:AA
dnsmasq: DHCPOFFER(eth0) 192.168.X.X AA:AA:AA:AA:AA:AA
```
The Windows machine still didn't get the IP.
And thank you very much for the quick answer!!
_________________
Freedom works. Use it! Linux, by Gentoo
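The log in this post shows a DHCPDISCOVER answered by a DHCPOFFER and then nothing: no DHCPREQUEST and no DHCPACK, which is exactly how a client that never receives the offer looks from the server side. As an added example (not part of the thread and not the poster's code), the shell script below correlates dnsmasq DHCP log lines per client MAC and reports where each handshake stalled, so the server log alone tells you whether the problem is on the return path to the client (offer sent, never requested), in the server (request seen, never acked) or in the configuration (discover seen, never offered). The log lines and MAC addresses are constructed, modelled on the output quoted above; one line carries a syslog prefix to show the parser does not depend on the bare `dnsmasq:` form.

```sh
#!/bin/sh
# Added example, not from the thread: classify dnsmasq DHCP handshakes per client.
# A healthy lease is DISCOVER -> OFFER -> REQUEST -> ACK. An OFFER that is never
# followed by a REQUEST from the same MAC means the client did not see the offer
# (bad cable, wrong interface, a firewall dropping the UDP/68 reply, ...).

# Constructed sample log, modelled on the dnsmasq output quoted in the thread.
SAMPLE_LOG='dnsmasq: DHCPDISCOVER(eth0) AA:AA:AA:AA:AA:AA
dnsmasq: DHCPOFFER(eth0) 192.168.2.100 AA:AA:AA:AA:AA:AA
dnsmasq: DHCPDISCOVER(eth0) BB:BB:BB:BB:BB:BB
dnsmasq: DHCPOFFER(eth0) 192.168.2.101 BB:BB:BB:BB:BB:BB
Jun 27 18:00:01 gateway dnsmasq[1234]: DHCPREQUEST(eth0) 192.168.2.101 BB:BB:BB:BB:BB:BB
dnsmasq: DHCPACK(eth0) 192.168.2.101 BB:BB:BB:BB:BB:BB laptop2'

# dhcp_state LOGTEXT
# Prints one line per client MAC: "<mac> <state>", where state is
#   acked                  lease completed
#   stalled-after-request  REQUEST seen but no ACK (server-side problem)
#   stalled-after-offer    OFFER sent, no REQUEST (client never received it)
#   no-offer               DISCOVER seen, server never offered (range/config)
dhcp_state() {
    printf '%s\n' "$1" | awk '
        # only the four messages of a lease handshake are of interest
        match($0, /DHCP(DISCOVER|OFFER|REQUEST|ACK)\(/) {
            type = substr($0, RSTART, RLENGTH - 1)
            # the client MAC is the field that looks like xx:xx:xx:xx:xx:xx
            mac = ""
            for (i = 1; i <= NF; i++)
                if (length($i) == 17 && $i ~ /^[0-9A-Fa-f:]+$/) mac = $i
            if (mac == "") next
            seen[mac] = 1
            if (type == "DHCPDISCOVER")    disc[mac] = 1
            else if (type == "DHCPOFFER")  offer[mac] = 1
            else if (type == "DHCPREQUEST") req[mac] = 1
            else if (type == "DHCPACK")    ack[mac] = 1
        }
        END {
            for (m in seen) {
                if (ack[m])        s = "acked"
                else if (req[m])   s = "stalled-after-request"
                else if (offer[m]) s = "stalled-after-offer"
                else if (disc[m])  s = "no-offer"
                else               s = "unknown"
                print m, s
            }
        }' | sort
}

# state_of MAC LOGTEXT -> prints only the state of one client
state_of() {
    dhcp_state "$2" | awk -v m="$1" '$1 == m { print $2 }'
}

dhcp_state "$SAMPLE_LOG"
```

To use it on a real box, feed the script the relevant part of the syslog, for example `dhcp_state "$(grep dnsmasq /var/log/messages)"`. A client stuck in `stalled-after-offer` is the case in this thread: the server is doing its job, so the next things to check are the cable, the interface dnsmasq is bound to, and any INPUT/OUTPUT rules touching UDP ports 67 and 68.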

celestialwizard (Tux's lil' helper), Joined: 15 Jun 2006, Posts: 81, Location: Brisbane, Australia
Posted: Tue Jun 27, 2006 3:27 am
Do you allow UDP/57 out of your eth0 device?

Maxwell (Tux's lil' helper), Joined: 10 Dec 2003, Posts: 97
Posted: Tue Jun 27, 2006 8:28 am
Hi!
I haven't done any iptables-related setup. I was trying to get DHCP and DNS working first...
Just to make sure I'm well understood: dnsmasq receives the request from the notebook and replies to it, but the notebook doesn't receive anything, not a single packet!! I'm also gonna try to change the ethernet cable.... :)
_________________
Freedom works. Use it! Linux, by Gentoo

P3SM (Tux's lil' helper), Joined: 13 Apr 2006, Posts: 93, Location: Gronsveld - The Netherlands
Posted: Tue Jun 27, 2006 8:48 am
> Maxwell wrote: I haven't done any iptables related setup.

Try shorewall before playing around with iptables directly. It makes it a lot easier!
_________________
Smaug: Sun Netra T1 105, UltraSPARC-IIi 440MHz, 512MB, 2*36GB 10kRPM; 2 Sun Netra D130: 6*36GB 10kRPM, swraid 0
Haku: Dual P3 Xeon 500MHz, 512MB; Sun Multipack: 12*18GB 10kRPM, hwraid 5
Falkor: Sun SparcStation LX, 128 MB, 2.1GB

Maxwell (Tux's lil' helper), Joined: 10 Dec 2003, Posts: 97
Posted: Tue Jun 27, 2006 9:12 am
I've just emerged that... Isn't it command-line driven? I just want to close everything from the outside (except maybe ssh and PoPToP) and use NAT inside my LAN... Isn't it straightforward to do it with iptables directly, or is iptables that difficult?
_________________
Freedom works. Use it! Linux, by Gentoo

P3SM (Tux's lil' helper), Joined: 13 Apr 2006, Posts: 93, Location: Gronsveld - The Netherlands
Posted: Tue Jun 27, 2006 10:25 am
iptables and shorewall are both scripts, where shorewall is a script that generates iptables scripts! It is basically a shell around iptables. Personally I find shorewall better and easier to understand than iptables, and it makes what you're doing more transparent --> which is what you want when building a firewall, to make sure you build it waterproof, right!
BTW: if you want a graphical (web-based) tool to configure shorewall you could try webmin.
_________________
Smaug: Sun Netra T1 105, UltraSPARC-IIi 440MHz, 512MB, 2*36GB 10kRPM; 2 Sun Netra D130: 6*36GB 10kRPM, swraid 0
Haku: Dual P3 Xeon 500MHz, 512MB; Sun Multipack: 12*18GB 10kRPM, hwraid 5
Falkor: Sun SparcStation LX, 128 MB, 2.1GB

think4urs11 (Bodhisattva), Joined: 25 Jun 2003, Posts: 6659, Location: above the cloud
Posted: Tue Jun 27, 2006 5:04 pm
Please post your dnsmasq.conf.
About your iptables needs: as long as you only want NAT inside -> outside and have one or two 'outside' -> gateway/ssh rules, you don't need shorewall or the like. The setup for that is easy enough.
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself

Maxwell (Tux's lil' helper), Joined: 10 Dec 2003, Posts: 97
Posted: Tue Jun 27, 2006 5:11 pm
The stripped-down dnsmasq configuration file....
Quote:
```
domain-needed
bogus-priv
filterwin2k
interface=eth0
domain=home
dhcp-range=home,192.168.2.100,192.168.2.200,255.255.255.0,12h
#dhcp-leasefile=/var/lib/misc/dnsmasq.leases
dhcp-authoritative
```
I think that portage should put some working configuration in place, using some wizards or something, when installing these things...
Thanks for the help
_________________
Freedom works. Use it! Linux, by Gentoo

think4urs11 (Bodhisattva), Joined: 25 Jun 2003, Posts: 6659, Location: above the cloud
Posted: Tue Jun 27, 2006 5:20 pm
Just for testing... change your dhcp-range line to read as
Code:
```
dhcp-range=192.168.2.100,192.168.2.200,12h
```
and restart dnsmasq afterwards.
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself

Maxwell (Tux's lil' helper), Joined: 10 Dec 2003, Posts: 97
Posted: Tue Jun 27, 2006 6:08 pm
YES!! DHCP is working. The problem was the ethernet cable.... It works fine for the server but not for the notebook...
Well, now on to firewall and NAT. I've been collecting some parts of some scripts, so now it's a question of trial and error until it's done, but if anyone could see if it's OK, be my guest.
Code:
```sh
IPT=/sbin/iptables
INTRA_LAN=eth0
OUT_IF=ppp0
NETMASK="255.255.255.0"
SERVER_IP="192.168.2.1"
# ssh
ACCEPTED_PORTS_IN="22"
# ssh|http|http-ssl|imap-ssl|pop3-ssl
ACCEPTED_PORTS_OUT="22 80 443 993 995" #Just for now, but maybe i can trust on the "inside" of the home...
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
# Default rules
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
#accepted input
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -m state --state NEW -i ! $OUT_IF -j ACCEPT
$IPT -A INPUT -p icmp -j ACCEPT
for port in $ACCEPTED_PORTS_IN
do
    $IPT -A INPUT -p tcp -m state --state NEW -m tcp --dport $port -j ACCEPT
#    $IPT -A INPUT -p udp -m state --state NEW -m tcp --dport $port -j ACCEPT
done
# accepted output
for port in $ACCEPTED_PORTS_IN
do
    $IPT -A OUTPUT -p tcp -m state --state NEW -m tcp --dport $port -j ACCEPT
#    $IPT -A OUTPUT -p udp -m state --state NEW -m tcp --dport $port -j ACCEPT
done
#Lock services to LAN
$IPT -I INPUT 1 -i ${INTRA_LAN} -j ACCEPT
$IPT -I INPUT 1 -i lo -j ACCEPT
$IPT -A INPUT -p UDP --dport bootps -i ! ${INTRA_LAN} -j REJECT
$IPT -A INPUT -p UDP --dport domain -i ! ${INTRA_LAN} -j REJECT
#NAT
$IPT -t nat -A POSTROUTING -o ${OUT_IF} -j MASQUERADE
$IPT -I FORWARD -i ${INTRA_LAN} -d ${SERVER_IP}/${NETMASK} -j DROP
$IPT -A FORWARD -i ${INTRA_LAN} -s ${SERVER_IP}/${NETMASK} -j ACCEPT
$IPT -A FORWARD -i ${OUT_IF} -d ${SERVER_IP}/${NETMASK} -j ACCEPT
```
_________________
Freedom works. Use it! Linux, by Gentoo

Maxwell (Tux's lil' helper), Joined: 10 Dec 2003, Posts: 97
Posted: Sat Jul 01, 2006 9:04 pm
Hi!
I've got my new system working... For this I've coded a set of scripts (which are almost complete) to compile all the base system software on another (faster...) computer. But this process is boresome and requires some stripping after all the compilation. I don't want to have some extra software that some hacker could use in my own router.
So I need to build a cross-compilation environment to compile the minimum software set necessary to have the router working. Any ideas?
Thanks for the help
_________________
Freedom works. Use it! Linux, by Gentoo

Maxwell (Tux's lil' helper), Joined: 10 Dec 2003, Posts: 97
Posted: Tue Jul 04, 2006 11:01 am
Hi!
As already stated, I have my system up and running. I've also been searching for some way of building a small system using an already-built one, and it looks like cross-compiling is the only way...
Besides that, I have a problem with my firewall. I can't access some web pages, like the one my ISP has for me to control the ADSL traffic... What can be the problem in my firewall?
Code:
```sh
IPT=/sbin/iptables
INTRA_LAN=eth0
OUT_IF=ppp0
NETMASK="255.255.255.0"
SERVER_IP="192.168.2.1"
# ssh
ACCEPTED_PORTS_IN="22"
# ssh|http|http-ssl|imap-ssl|pop3-ssl
ACCEPTED_PORTS_OUT="22 80 443 993 995" #Just for now, but maybe i can trust on the "inside" of the home...
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
# Default rules
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
#accepted input
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -m state --state NEW -i ! $OUT_IF -j ACCEPT
$IPT -A INPUT -p icmp -j ACCEPT
for port in $ACCEPTED_PORTS_IN
do
    $IPT -A INPUT -p tcp -m state --state NEW -m tcp --dport $port -j ACCEPT
#    $IPT -A INPUT -p udp -m state --state NEW -m tcp --dport $port -j ACCEPT
done
# accepted output
for port in $ACCEPTED_PORTS_IN
do
    $IPT -A OUTPUT -p tcp -m state --state NEW -m tcp --dport $port -j ACCEPT
#    $IPT -A OUTPUT -p udp -m state --state NEW -m tcp --dport $port -j ACCEPT
done
#Lock services to LAN
$IPT -I INPUT 1 -i ${INTRA_LAN} -j ACCEPT
$IPT -I INPUT 1 -i lo -j ACCEPT
$IPT -A INPUT -p UDP --dport bootps -i ! ${INTRA_LAN} -j REJECT
$IPT -A INPUT -p UDP --dport domain -i ! ${INTRA_LAN} -j REJECT
#NAT
$IPT -t nat -A POSTROUTING -o ${OUT_IF} -j MASQUERADE
$IPT -I FORWARD -i ${INTRA_LAN} -d ${SERVER_IP}/${NETMASK} -j DROP
$IPT -A FORWARD -i ${INTRA_LAN} -s ${SERVER_IP}/${NETMASK} -j ACCEPT
$IPT -A FORWARD -i ${OUT_IF} -d ${SERVER_IP}/${NETMASK} -j ACCEPT
```
Thanks for the help
_________________
Freedom works. Use it! Linux, by Gentoo