[gentoo-user] iptables advice for stand alone box under different usage scenarios

[gentoo-user] iptables advice for stand alone box under different usage scenarios

[Michael Kintzios]

Hi All,

I know that this has been talked to death, but can I please ask for your
patience as I don't yet feel confident enough to push on without some
more specific advice.

I am contemplating two different set ups as shown is the two diagrams
below:
==============DIAGRAM A===============================================
        |  Router/firewall  +-->(Gentoo box)192.168.0.2 (one NIC only)
Internet|<--Netgear DG834---|
ADSL    |    192.168.0.1    +-->(WinXP box) 192.168.0.3 (one NIC only)
======================================================================
The router here performs NAT, firewalling and DNS duties.

Occasionally, I want to send/receive faxes using a modem and when the
ADSL connection is playing up I have to use good old dial up to connect
to the internet:
==========DIAGRAM B==============
        |           |
Internet|<--modem-->|(Gentoo box)
Dialup  |           |
=================================

Ideally, I would like to setup iptables for the following potential
scenarios:

1.  As shown in diagram (A) above where both boxes operate as
conventional desktops.  I guess iptables is not really needed, but
assume for a minute that my other half just installed a trojan and now a
script kiddie is trying to install a rootkit into my Gentoo box via her
WinXP-bot.  This hypothetical scenario at least presents a good
opportunity for me to learn how to set iptables up in a relatively safe
environment (behind the netgear firewall).

2.  As shown in diagram (B) above where the Gentoo box operates as a
desktop.  Here the box is exposed to the elements and any malicious
entity could compromise it over the dialup interface.

3.  As shown in diagram (A), but now the Gentoo box is no longer a
desktop, but it operates as a www/ftp/mail server and serves both LAN
and WAN clients (I'm fed up paying for unhelpful webhosters ;-).

I can see that I will need to load different iptable set-ups depending
on the network configuration and the role of the Gentoo box
(desktop/server).  Not sure how I switch between them.

Starting from the basics I am also not quite sure how to define my
interfaces.  If the Gentoo box NIC eth0 is the external iface, under
scenario 1, then what's the internal?  I'm asking this because I tried
to setup fwbuilder and it is asking for an internal iface, even for a
stand alone host (am I supposed to setup a loopback?).

Sorry if the above are naïve questions, but iptables is new ground for
me and I thought it's high time I put some effort into learning it.
Whether you feel like scripting out each scenario for me, or you would
rather explain the basic firewall operating philosophy for a particular
usage scenario, I would be most grateful all the same for your help.
-- 
Regards,
Mick


-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] iptables advice for stand alone box under different usage scenarios

[Dave Nebinger]

Okay, Mike, here goes...

For the gentoo box to act as the router/gateway/hub, you need more than one 
ethernet card in the box.

Typically eth0 will be the outward facing card (towards the net), and 
eth{1,2,...} will be inward facing cards.

Just having the cards installed in the box is not enough; you need to 
configure them and start them just as eth0 is handled (create the soft link 
to net.lo in /etc/init.d and edit /etc/conf.d/net to identify ip address 
and/or dhcp info, do the rc-update add net.eth1 default, etc.).

That takes care of your routing questions (I hope).

As for the firewall questions, your rules are going to fall into a couple of 
different flavors:

a) desktop only: For this setup you're basically going to block all incoming 
traffic, allow all outbound traffic and existing traffic.  Forwarding is not 
an issue.

b) server: For this setup it's pretty much like the desktop except you'll 
allow incoming traffic on the ports that you wish to serve, i.e. mail, pop3, 
etc.  Again forwarding is not needed in this scenario.

c) gateway: For the pure gateway system, this one is a little trickyer.  All 
outbound and established traffic should be allowed, and incoming traffic is 
only allowed for the services you're going to provide.  The tricky part is 
that now your rules need to operate on the FORWARD chain and manage the 
snat/dnat/masquerade stuff.

d) combination: The combo system wraps service providing and gateway (and 
possibly desktop) into one box.  This setup is similar to the server 
scenario, except it also must include the gateway type rules to ensure that 
internal entities can get to the outside & back.

Regardless of the scenario that you choose to pursue, the rule sets will 
remain the same for dialup vs adsl; in either case the box is exposed to the 
network and you'll want to block unauthorized incoming traffic to the box. 
Granted being on dialup means that a remote attacker is less likely to hit 
upon your box on a regular basis (as your ip address will vary on each 
connection), but it is still a 'better safe than sorry' position to leave 
the firewall in place even for the dialup session.

As in the other iptables threads going on now, I would suggest a tool like 
shorewall.  I haven't heard anything bad about fwbuilder, but I can affirm 
that the documentation provided with shorewall is top-notch and pretty easy 
to get your brain around.  I can even help define the config for shorewall 
if you need it.

Hope this helps!

Dave

-- 
gentoo-user@gentoo.org mailing list

[gentoo-user] Re: iptables advice for stand alone box under different usage scenarios

[Mick]

Thanks Nebinger!

Dave Nebinger wrote:

> Okay, Mike, here goes...
> 
> For the gentoo box to act as the router/gateway/hub, you need more than
> one ethernet card in the box.

OK, but under the ADSL connection scenario (diagram A) I already have a
hardware router/gateway, so do I still need a two card configuration?  What
I am trying to do is protect the Gentoo box from other boxes in the LAN
(behind the Netgear router), or when connected to the Internet via dialup
then protect it from other internet machines.

> As for the firewall questions, your rules are going to fall into a couple
> of different flavors:
> 
> a) desktop only: For this setup you're basically going to block all
> incoming
> traffic, allow all outbound traffic and existing traffic.  Forwarding is
> not an issue.

Right, is that tight enough?  I mean, shouldn't I accept only specific
outgoing protocols/ports and then be blocking everything else which might
try to get out?  I'm thinking here in trojan terms and the way certain
M$Windoze 'personal firewalls' are usually set up.

> b) server: For this setup it's pretty much like the desktop except you'll
> allow incoming traffic on the ports that you wish to serve, i.e. mail,
> pop3,
> etc.  Again forwarding is not needed in this scenario.

Understood.

> c) gateway: For the pure gateway system, this one is a little trickyer. 
> All outbound and established traffic should be allowed, and incoming
> traffic is
> only allowed for the services you're going to provide.  The tricky part is
> that now your rules need to operate on the FORWARD chain and manage the
> snat/dnat/masquerade stuff.

Not sure I need one of those, except as you describe below.

> d) combination: The combo system wraps service providing and gateway (and
> possibly desktop) into one box.  This setup is similar to the server
> scenario, except it also must include the gateway type rules to ensure
> that internal entities can get to the outside & back.

I guess that I'll need some sort of a combo set up if I am to use the Gentoo
box as a server to be accessed both by machines in the WAN and by PC/laptop
in my LAN.  On the other hand, I am thinking that all this
masquarading/IPforwarding and NATing could be achieved by my Netgear? 
 
> As in the other iptables threads going on now, I would suggest a tool like
> shorewall.  I haven't heard anything bad about fwbuilder, but I can affirm
> that the documentation provided with shorewall is top-notch and pretty
> easy
> to get your brain around.  I can even help define the config for shorewall
> if you need it.
> 
> Hope this helps!

Yes it does, thanks again.  :-)
-- 
Regards,
Mick

-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Re: iptables advice for stand alone box under different usage scenarios

[Dave Nebinger]

>> For the gentoo box to act as the router/gateway/hub, you need more than
>> one ethernet card in the box.
>
> OK, but under the ADSL connection scenario (diagram A) I already have a
> hardware router/gateway, so do I still need a two card configuration? 
> What
> I am trying to do is protect the Gentoo box from other boxes in the LAN
> (behind the Netgear router), or when connected to the Internet via dialup
> then protect it from other internet machines.

Depends.  Personnally I had little love for my netgear router when it was in 
place.  I had a couple of issues:

1.  Although my gentoo box allowed for externally-generated syslog entries, 
the netgear router (even though the gui suggested it would) would not 
forward syslog messages to my gentoo box, so I missed out on things like 
knowing who was hitting the router.

2. Could not find an easy way to extract the external IP address from the 
darn thing.  My domain name is managed via dyndns.org, and I only wanted to 
trigger an update when an actual ip address change occurred.  It was either 
that or tickle the dyndns.org system every few minutes so it would update IP 
address from the incoming connnection.

3. Performance, over time, would drop down to a trickle.  The only way to 
get it back up was to reboot the router.  And since I didn't want to expose 
the admin interface to the world, that meant that I would have to wait till 
I was on-site to reboot it.

4. DNS & DHCP - It still isn't clear to me how their DNS is set up; although 
it will act as the gateway for internal systems, I couldn't tell if it was 
using a caching DNS service or was just passing DNS queries up the stream 
for processing.  DHCP gets managed by the router, so you have little control 
beyond designating the range to use for dynamic address assignments.

5. No DMZ support - everything plugged into the netgear box is 'exposed'. 
In my current gentoo gateway, I can and do severely limit traffic on the 
intranet side while being a little less controlling on the DMZ side.  Should 
a penentration of the DMZ occur, I know that the line of demarcation between 
the DMZ and the intranet should protect my sensitive information.

6. No ssh access, no ability to programmatically get information from the 
router, and other minor complaints.

In any case I ended up dumping netgear and running with a Sangoma ADSL card. 
All the benefits of using ADSL whilst including all the access and 
administration my gentoo box allows.

>> As for the firewall questions, your rules are going to fall into a couple
>> of different flavors:
>>
>> a) desktop only: For this setup you're basically going to block all
>> incoming
>> traffic, allow all outbound traffic and existing traffic.  Forwarding is
>> not an issue.
>
> Right, is that tight enough?  I mean, shouldn't I accept only specific
> outgoing protocols/ports and then be blocking everything else which might
> try to get out?  I'm thinking here in trojan terms and the way certain
> M$Windoze 'personal firewalls' are usually set up.

Well, as a desktop system (meaning there is no other windblows systems 
behind the gentoo box), you really won't have to worry too much about that. 
All incoming connections would be denied (i.e. mail, dns, ssh, etc.) so no 
one could get into the box to plant a trojan or virus, so nothing would be 
exposed.  In this scenario somehow you'd have to install something that 
would open a backdoor to a remote hacker's system - they couldn't connect 
automatically and the whole thing would be a pain in the ass for them to 
develop as opposed to your standard windblows problems.

>> d) combination: The combo system wraps service providing and gateway (and
>> possibly desktop) into one box.  This setup is similar to the server
>> scenario, except it also must include the gateway type rules to ensure
>> that internal entities can get to the outside & back.
>
> I guess that I'll need some sort of a combo set up if I am to use the 
> Gentoo
> box as a server to be accessed both by machines in the WAN and by 
> PC/laptop
> in my LAN.  On the other hand, I am thinking that all this
> masquarading/IPforwarding and NATing could be achieved by my Netgear?

That's the setup I run.  I've got a gentoo box that is the gateway and, 
since it is beefed up, also runs my ftp and mail service.  Web and other 
services are routed into the DMZ.  The local network where I serve my 
printer, windows boxen, and other gentoo systems are on another card.  The 
main box manages the communications with the outside world, from the outside 
world, as well as internal traffic.  Quite a sweet setup, if I do say so 
myself.

Yes, the netgear will handle the NAT and forwarding stuff for you, as long 
as you're happy with it.


-- 
gentoo-user@gentoo.org mailing list

RE: [gentoo-user] Re: iptables advice for stand alone box under different usage scenarios

[Michael Kintzios]

> -----Original Message-----
> From: Dave Nebinger [mailto:dnebinger@joat.com] 
> Sent: 08 September 2005 21:27
> To: gentoo-user@lists.gentoo.org
> Subject: Re: [gentoo-user] Re: iptables advice for stand 
> alone box under different usage scenarios
> 
> 
> >> For the gentoo box to act as the router/gateway/hub, you 
> need more than
> >> one ethernet card in the box.
> >
> > OK, but under the ADSL connection scenario (diagram A) I 
> already have a
> > hardware router/gateway, so do I still need a two card 
> configuration? 
> > What
> > I am trying to do is protect the Gentoo box from other 
> boxes in the LAN
> > (behind the Netgear router), or when connected to the 
> Internet via dialup
> > then protect it from other internet machines.
> 
> Depends.  Personnally I had little love for my netgear router 
> when it was in 
> place.  I had a couple of issues:
> 
> 1.  Although my gentoo box allowed for externally-generated 
> syslog entries, 
> the netgear router (even though the gui suggested it would) would not 
> forward syslog messages to my gentoo box, so I missed out on 
> things like 
> knowing who was hitting the router.

I think that things have improved a lot since you last used netgear.
The DG384 is now on version 2.10.22 of their embedded image firmware,
which offers a lot more functionality than just a couple of years ago.
It now offers VPN with Ipsec connectivity.  Also, it can broadcast the
logs on the LAN, or you can set a specific IP address to FWD them to.
You can of course still use the http gui to see the logs, save them
manually or have them emailed to you regularly, or when a warning/alarm
is triggered.
 
> 2. Could not find an easy way to extract the external IP 
> address from the 
> darn thing.  My domain name is managed via dyndns.org, and I 
> only wanted to 
> trigger an update when an actual ip address change occurred.  
> It was either 
> that or tickle the dyndns.org system every few minutes so it 
> would update IP 
> address from the incoming connnection.

I've got a fixed IP address so I didn't need this feature, but
'tickling' the dyndns.org is the default method (don't think that you
can set the interval).  It works like a client which logs on to the
dyndns server and updates the IP address - not sure if it's more
intelligent than just doing that every few minutes).  
 
> 3. Performance, over time, would drop down to a trickle.  The 
> only way to 
> get it back up was to reboot the router.  And since I didn't 
> want to expose 
> the admin interface to the world, that meant that I would 
> have to wait till 
> I was on-site to reboot it.

Aahh, that's not on!  I haven't noticed any such problem with mine.  Are
you sure it wasn't an ISP throttling, or contention ratio issue?  Access
to netgear's remote web interface can be restricted to a particular IP
address/port number and you can also remotely reboot the rooter.
 
> 4. DNS & DHCP - It still isn't clear to me how their DNS is 
> set up; although 
> it will act as the gateway for internal systems, I couldn't 
> tell if it was 
> using a caching DNS service or was just passing DNS queries 
> up the stream 
> for processing.  DHCP gets managed by the router, so you have 
> little control 
> beyond designating the range to use for dynamic address assignments.

I understand that it can obtain an IP address, subnet mask, DNS server
addresses, and a gateway address if the ISP provides this information by
DHCP.  To act as a DHCP server for the LAN it has to keep its own
routing tables, but I am not sure what it does with regards to DNS.  I
believe that it keeps stuff in the local cache but don't know the size
of the cache.  On the other hand it might just be passing all DNS
queries to the ISP's DNS servers?

> 5. No DMZ support - everything plugged into the netgear box 
> is 'exposed'. 
> In my current gentoo gateway, I can and do severely limit 
> traffic on the 
> intranet side while being a little less controlling on the 
> DMZ side.  Should 
> a penentration of the DMZ occur, I know that the line of 
> demarcation between 
> the DMZ and the intranet should protect my sensitive information.

As  I understand it, now you get the full DMZ facility for a complete
box/IP address.

> 6. No ssh access, no ability to programmatically get 
> information from the 
> router, and other minor complaints.

Yes, unfortunately there's no raw engine room access, just the http gui,
but for a simple network setup it should be OK.
 
> In any case I ended up dumping netgear and running with a 
> Sangoma ADSL card. 
> All the benefits of using ADSL whilst including all the access and 
> administration my gentoo box allows.

That's for sure a more flexible self-determining approach, especially if
you have a complex network configuration.

Q1. If I connect my Gentoo box on its own (stand alone) via a dialup
modem to the internet what's my internal iface and what is the external?
Q2. Can I run public services http/ftp/mail on the Gentoo box and in
parallel continue using it as a desktop (simultaneously)?  How do I set
this up?  How do I define my ifaces?

Thanks again for your advice,
-- 
Regards,
Mick


-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Re: iptables advice for stand alone box under different usage scenarios

[Dave Nebinger]

>> 3. Performance, over time, would drop down to a trickle.  The
>> only way to
>> get it back up was to reboot the router.  And since I didn't
>> want to expose
>> the admin interface to the world, that meant that I would
>> have to wait till
>> I was on-site to reboot it.
>
> Aahh, that's not on!  I haven't noticed any such problem with mine.  Are
> you sure it wasn't an ISP throttling, or contention ratio issue?

Well, it would be solved by a router reboot, so I don't think that it could 
be throttling or contention from the ISP side.

I have noticed that there are times when, due to VCI/VPI errors on the ADSL 
line that sometimes retraining results in a significantly lower 
download/upload rate.  When this happens I end up manually stopping/starting 
the ADSL card and that typically brings the throughput rate back up to where 
it should be.  If I'm remote I just trigger a script that manages it for me 
(since the connection goes down in the process) and reconnect after the box 
reconnects itself.

> Access
> to netgear's remote web interface can be restricted to a particular IP
> address/port number and you can also remotely reboot the rooter.

This works if you have a known address that you're going to be coming from. 
But if you need to recycle the router and all you have access to is the 
hotspot at Starbucks, you're kinda limited (for good reasons ;-)

> I understand that it can obtain an IP address, subnet mask, DNS server
> addresses, and a gateway address if the ISP provides this information by
> DHCP.  To act as a DHCP server for the LAN it has to keep its own
> routing tables, but I am not sure what it does with regards to DNS.  I
> believe that it keeps stuff in the local cache but don't know the size
> of the cache.  On the other hand it might just be passing all DNS
> queries to the ISP's DNS servers?

Ah, but my gentoo server uses a caching dns scheme, as well as providing 
naming services for boxen inside the network, both of which are not possible 
with the netgear box.

>> 5. No DMZ support - everything plugged into the netgear box
>> is 'exposed'.
>> In my current gentoo gateway, I can and do severely limit
>> traffic on the
>> intranet side while being a little less controlling on the
>> DMZ side.  Should
>> a penentration of the DMZ occur, I know that the line of
>> demarcation between
>> the DMZ and the intranet should protect my sensitive information.
>
> As  I understand it, now you get the full DMZ facility for a complete
> box/IP address.

I think you're confusing the 'pass through' setup with a dmz.  The pass 
through thing built into the netgear which they refer to as a DMZ just 
routes all traffic inbound to a specific box.  This is useful in gaming 
where one wouldn't know or want to find all of the ports necessary to open 
to get a game to work through a firewall.

For network terminology, however, the DMZ is a separate subnet from your 
primary intranet; each subnet can have multiple boxen residing in it.  Most 
incoming traffic is routed to systems in the DMZ and does not go to the 
intranet subnet.  You can't do this with the netgear without more hardware 
(i.e. a switch plugged into the dmz port of netgear that routes to different 
internal systems).

>> 6. No ssh access, no ability to programmatically get
>> information from the
>> router, and other minor complaints.
>
> Yes, unfortunately there's no raw engine room access, just the http gui,
> but for a simple network setup it should be OK.

Agreed.  For the average home network user I would say they should use a 
netgear or linksys or something - my setup is not typical and not for 
newbies ;-)

>> In any case I ended up dumping netgear and running with a
>> Sangoma ADSL card.
>> All the benefits of using ADSL whilst including all the access and
>> administration my gentoo box allows.
>
> That's for sure a more flexible self-determining approach, especially if
> you have a complex network configuration.

Well, I don't know if I'd call it complex.  One powerful gentoo box running 
as gateway & server, a DMZ with smaller servers hosting internal and 
external services, and an intranet hosting gentoo & windows boxen.  8 to 10 
boxen at any given time.

> Q1. If I connect my Gentoo box on its own (stand alone) via a dialup
> modem to the internet what's my internal iface and what is the external?

That will be your ppp interface, a logical interface that should show up 
when you do the ifconfig after connecting.  The internal interfaces will 
still be your ethernet cards and lo.

> Q2. Can I run public services http/ftp/mail on the Gentoo box and in
> parallel continue using it as a desktop (simultaneously)?  How do I set
> this up?  How do I define my ifaces?

Sure.  Just emerge the services you want to run, configure them, then 
"rc-update add [service] default".  That will bring the services up when the 
system boots.

Gentoo & linux in general to not make a distinction between a desktop system 
and a server system, as in the Windows world.  The same kernel is used, the 
same core set of software, etc.  The only difference, as far as linux is 
concerned, is what processes are running.

The part that will catch you, though, is the power of the box.  If you're 
doing this on an old 386 you'll see the impact of running a web server on it 
immediately in the performance and swapping areas.  If you're doing this on 
a newer P4 with plenty of extra memory, you won't notice the addition much 
at all.

-- 
gentoo-user@gentoo.org mailing list