Author Topic: Router  (Read 2114 times)
martinc
Global Moderator
Pro Designer

Posts: 148



« on: November 16, 2012, 07:24:40 PM »

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# proven on debian

To get a single machine surfing the web

for my setup:
eth0 = internal network side
eth1 = WAN / modem side

/etc/network/interfaces
Code:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The internal network interface
allow-hotplug eth0
iface eth0 inet static
        address 192.168.1.1
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        # no gateway on the LAN side: the router's default route arrives via DHCP on eth1
        dns-nameservers 8.8.8.8

# The external network interface
allow-hotplug eth1
iface eth1 inet dhcp

### optional - scripts placed in /etc/network/if-pre-up.d/ are run by run-parts
### automatically (file names may contain only letters, digits, '-' and '_', so a
### name like "00.firewall" would be skipped there); an explicit pre-up line is
### only needed when the script is called by path or kept elsewhere
#        pre-up /etc/network/if-pre-up.d/00.firewall


to share the internet connection...
Code:
# Masquerade: rewrite the source of LAN traffic leaving eth1 to eth1's own address.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Enable routing. Writing /proc does not survive a reboot; either put
# net.ipv4.ip_forward = 1 in /etc/sysctl.conf or rerun this from the
# firewall script (both scripts further down include it).
echo 1 > /proc/sys/net/ipv4/ip_forward

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

To act as a gateway

if you run an isc-dhcp-server
/etc/dhcp/dhcpd.conf
Code:
...
subnet 192.168.1.0 netmask 255.255.255.0 {
       range 192.168.1.100 192.168.1.200;
       option routers 192.168.1.1;
       option broadcast-address 192.168.1.255;
}
...

iptables script
step by step

DNS server
generally faster page loads and less traffic
Code:
# apt-get install dnsmasq

# nano /etc/dnsmasq.conf

# The following two options make you a better netizen, since they
# tell dnsmasq to filter out queries which the public DNS cannot
# answer, and which load the servers (especially the root servers)
# unnecessarily. If you have a dial-on-demand link they also stop
# these requests from bringing up the link unnecessarily.

# Never forward plain names (without a dot or domain part)
domain-needed
# Never forward addresses in the non-routed address spaces.
bogus-priv

# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
interface=eth0

# Or which to listen on by address (remember to include 127.0.0.1 if
# you use this.)
listen-address=127.0.0.1
listen-address=192.168.1.1
## the address must be one that eth0 actually has (192.168.1.1 in the
## interfaces file above). A bit redundant with interface=eth0, but
## useful if using vlans

cache-size=1000
neg-ttl=3600
resolv-file=/etc/resolv.dnsmasq
no-poll

/etc/resolv.conf
Code:
# you could go with what your isp provides you or tell your system where to query from

nameserver 127.0.0.1

/etc/resolv.dnsmasq
Code:
# Upstream servers only. Do not list 127.0.0.1 here: that would point
# dnsmasq at itself (dnsmasq notices and ignores such an entry). Local
# applications reach dnsmasq through the nameserver line in /etc/resolv.conf.

# Google IPv4 DNS
nameserver 8.8.8.8
nameserver 8.8.4.4

# Google IPv6 DNS (only useful if eth1 has IPv6 connectivity and the
# firewall lets IPv6 out; the ip6tables policies in the script below drop it)
nameserver 2001:4860:4860::8888
nameserver 2001:4860:4860::8844

Ad blocking
Simplicity is king: dnsmasq reads your /etc/hosts file, so ad blocking is as painless as modifying that.

Caching Nameserver using dnsmasq

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

To beef up security a bit with iptables you could try something like . . .
# passthrough WWW traffic only and SSH to the router
Code:
#!/bin/sh

WAN=eth1
LAN=eth0

echo "Flushing iptables rules..."
#########################
# clears out and resets #
#########################
# Delete all rules
iptables -F
iptables -t nat -F
# Delete all chains
iptables -X
iptables -t nat -X
# Mangle
iptables -t mangle -F
iptables -t mangle -X

# Set the default policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Set the default policy for the NAT table
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
#########################

# make new tables
iptables -N FIREWALL
iptables -N WAN
iptables -N LAN

#########################
echo "Applying iptables rules..."
echo "INPUT links to ..."
#########
# INPUT #
#########

iptables -A INPUT -j FIREWALL
iptables -A INPUT -j DROP

#########
# OUTPUT #
#########

iptables -A OUTPUT -j FIREWALL
iptables -A OUTPUT -j DROP

#########################
echo "FIREWALL splits to..."
############
# FIREWALL #
############

# Allow self communication
iptables -A FIREWALL -i lo -j ACCEPT
iptables -A FIREWALL -o lo -j ACCEPT

# send traffic to table based on nic
iptables -A FIREWALL -i $WAN -j WAN
iptables -A FIREWALL -o $WAN -j WAN
iptables -A FIREWALL -i $LAN -j LAN
iptables -A FIREWALL -o $LAN -j LAN

# drop all other packets
iptables -A FIREWALL -j DROP

#########################
echo "LAN and ..."
#######
# LAN #
#######

# DNS   ### only if the router runs dnsmasq (queries from the LAN to the router)
iptables -A LAN -i $LAN -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A LAN -o $LAN -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
# (the original appended these and the SSH rules to LANin/LANout, chains that
#  are never created with -N; iptables rejects such lines and the script carries
#  on, leaving DNS and SSH silently blocked. DNS over TCP is not allowed here.)

# SSH to router
iptables -A LAN -i $LAN -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A LAN -o $LAN -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# icmp (ping)
iptables -A LAN -i $LAN -p icmp -m icmp -j ACCEPT
iptables -A LAN -o $LAN -p icmp -m icmp -j ACCEPT

# drop all other packets
iptables -A LAN -j DROP

#########################
echo "WAN..."
#######
# WAN #
#######

# drop everything: this version gives the router itself no WAN access at all
# (dnsmasq cannot forward queries upstream, apt cannot fetch, and DHCP lease
# renewals on eth1 are blocked); the "more complete" script below opens these
iptables -A WAN -j DROP

###########
# FORWARD #
###########

iptables -N FromLAN
iptables -N FromWAN

iptables -A FORWARD -i $LAN -j FromLAN
iptables -A FORWARD -i $WAN -j FromWAN

# drop all other packets
iptables -A FORWARD -j DROP

###########
# FromLAN

# http (port 80 only; https on 443 is not passed through by this version)
iptables -A FromLAN -i $LAN -o $WAN -p tcp -m tcp --dport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A FromLAN -i $LAN -o $WAN -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT

# DNS
iptables -A FromLAN -i $LAN -o $WAN -p udp -m udp --dport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A FromLAN -i $LAN -o $WAN -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT

# icmp [ping] from inside to outside
iptables -A FromLAN -i $LAN -o $WAN -p icmp --icmp-type echo-request -j ACCEPT

# drop all other packets
iptables -A FromLAN -j DROP

############
# FromWAN

# http
iptables -A FromWAN -o $LAN -i $WAN -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# DNS
iptables -A FromWAN -o $LAN -i $WAN -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT

# icmp [ping] from inside to outside
iptables -A FromWAN -o $LAN -i $WAN -p icmp --icmp-type echo-reply -j ACCEPT

# drop all other packets
iptables -A FromWAN -j DROP

###############
# POSTROUTING #
###############

# Masquerade
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

# Enable routing
echo 1 > /proc/sys/net/ipv4/ip_forward


# a little more complete
Code:
#!/bin/sh

WAN=eth1
LAN=eth0
LAN_RANGE=192.168.1.0/24
SERVER_IP=192.168.1.1
# (unused below, kept from the original; eth1 is not up yet when this runs
#  from if-pre-up.d, so the value would be empty anyway)
#external_ip="`ifconfig $WAN | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"

echo "Flushing iptables rules..."
#########################
# clears out and resets #
#########################
# Delete all rules
iptables -F
iptables -t nat -F
# Delete all chains
iptables -X
iptables -t nat -X
# Mangle
iptables -t mangle -F
iptables -t mangle -X

# Set the default policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Same for IPv6: no ip6tables rules follow, so all IPv6 traffic is dropped
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
# Set the default policy for the NAT table
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
# ip6tables has no nat table on kernels before 3.7 (these lines fail there),
# and the IPv6 filter policies above already drop everything
#ip6tables -t nat -P PREROUTING DROP
#ip6tables -t nat -P POSTROUTING DROP
#ip6tables -t nat -P OUTPUT DROP
#########################

# make new tables
iptables -N FIREWALL
iptables -N WAN
iptables -N LAN
iptables -N FilterDROP

#########################
echo "Applying iptables rules..."
echo "INPUT links to ..."
#########
# INPUT #
#########

iptables -A INPUT -j FilterDROP
iptables -A INPUT -j FIREWALL
iptables -A INPUT -j DROP

#########
# OUTPUT #
#########

iptables -A OUTPUT -j FilterDROP
iptables -A OUTPUT -j FIREWALL
iptables -A OUTPUT -j DROP


#########################
echo "FilterDROP ..."
##############
# FilterDROP #
##############

# Fragments. With connection tracking loaded the kernel reassembles packets
# before the filter table sees them, so this rarely matches; it is harmless.
iptables -A FilterDROP -f -j DROP

# DROP packets that conntrack cannot associate with any connection
iptables -A FilterDROP -m state --state INVALID -j DROP

# ICMP information requests (address mask, timestamp) leak host details.
# (This is not ping-flood protection; a ping flood is plain echo-requests.)
iptables -A FilterDROP -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -A FilterDROP -p icmp -m icmp --icmp-type timestamp-request -j DROP

# A new TCP connection must begin with a SYN
iptables -A FilterDROP -p tcp ! --syn -m state --state NEW -j DROP

# Bogus TCP flag combinations (port scans, OS fingerprinting).
# --tcp-flags MASK COMP matches when, of the bits in MASK, exactly those in
# COMP are set. Each combination is logged (rate-limited) and then dropped;
# the LOG rule has to come before the DROP rule or it never sees a packet.
# NULL scan: no flags at all
iptables -A FilterDROP -p tcp --tcp-flags ALL NONE -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "Bad tcp NULL "
iptables -A FilterDROP -p tcp --tcp-flags ALL NONE -j DROP
# XMAS: every flag set
iptables -A FilterDROP -p tcp --tcp-flags ALL ALL -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "Bad tcp XMAS "
iptables -A FilterDROP -p tcp --tcp-flags ALL ALL -j DROP
# nmap -sX style: FIN+PSH+URG
iptables -A FilterDROP -p tcp --tcp-flags ALL FIN,PSH,URG -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "Bad tcp FPU "
iptables -A FilterDROP -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
# SYN together with FIN (also covers the original's ALL ACK,RST,SYN,FIN and
# ALL FIN,SYN,RST,ACK,URG rules, since both combinations contain SYN+FIN)
iptables -A FilterDROP -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "Bad tcp SYN+FIN "
iptables -A FilterDROP -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN together with RST
iptables -A FilterDROP -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "Bad tcp SYN+RST "
iptables -A FilterDROP -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Note: none of the above is SYN-flood protection; a flood consists of
# well-formed SYNs. That is what tcp_syncookies (set at the end) is for.

# loopback spoof (left disabled as in the original)
#iptables -A FilterDROP -d 127.0.0.0/8 -j REJECT

# anything not matched goes back to the calling chain
iptables -A FilterDROP -j RETURN


#########################
echo "FIREWALL splits to..."
############
# FIREWALL #
############

# Allow self communication
iptables -A FIREWALL -i lo -j ACCEPT
iptables -A FIREWALL -o lo -j ACCEPT

# send traffic to table based on nic
iptables -A FIREWALL -i $WAN -j WAN
iptables -A FIREWALL -o $WAN -j WAN
iptables -A FIREWALL -i $LAN -j LAN
iptables -A FIREWALL -o $LAN -j LAN

# drop all other packets
iptables -A FIREWALL -j DROP

#########################
echo "LAN and ..."
#######
# LAN #
#######

#iptables -A LAN -i $LAN -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A LAN -i $LAN -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A LAN -i $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT

# DNS   ### only if the router runs dnsmasq (queries from the LAN to the router)
# (appended to LAN, not to the LANin/LANout chains of the original, which
#  were never created; DNS over TCP is not allowed here)
iptables -A LAN -i $LAN -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A LAN -o $LAN -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT

# SSH to router
iptables -A LAN -i $LAN -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A LAN -o $LAN -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# SSH from router
iptables -A LAN -o $LAN -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A LAN -i $LAN -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# samba
iptables -A LAN -i $LAN -p udp --dport 137:139 -j ACCEPT
iptables -A LAN -o $LAN -p udp --sport 137:139 -j ACCEPT
iptables -A LAN -i $LAN -p tcp --dport 139 -j ACCEPT
iptables -A LAN -o $LAN -p tcp --sport 139 -j ACCEPT
iptables -A LAN -i $LAN -p tcp --dport 445 -j ACCEPT
iptables -A LAN -o $LAN -p tcp --sport 445 -j ACCEPT

# icmp (ping)
iptables -A LAN -i $LAN -p icmp -m icmp -j ACCEPT
iptables -A LAN -o $LAN -p icmp -m icmp -j ACCEPT

# drop all other packets
iptables -A LAN -j DROP

#########################
echo "WAN..."
#######
# WAN #
#######

# http (for the router itself, e.g. apt over port 80)
iptables -A WAN -i $WAN -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A WAN -o $WAN -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

# DNS (dnsmasq forwarding to the upstream servers in /etc/resolv.dnsmasq)
iptables -A WAN -i $WAN -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A WAN -o $WAN -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

# DHCP client on eth1: lease renewals use a normal UDP socket and would
# otherwise be dropped (initial discovery uses raw sockets and bypasses netfilter)
iptables -A WAN -o $WAN -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A WAN -i $WAN -p udp --sport 67 --dport 68 -j ACCEPT

# icmp [ping] from the router to outside, and the replies
iptables -A WAN -o $WAN -p icmp --icmp-type echo-request -j ACCEPT
iptables -A WAN -i $WAN -p icmp --icmp-type echo-reply -j ACCEPT

# drop all other packets
iptables -A WAN -j DROP

###########
# FORWARD #
###########

iptables -N FromLAN
iptables -N FromWAN

iptables -A FORWARD -j FilterDROP
iptables -A FORWARD -i $LAN -j FromLAN
iptables -A FORWARD -i $WAN -j FromWAN

# drop all other packets
iptables -A FORWARD -j DROP

###########
# FromLAN

# http
iptables -A FromLAN -i $LAN -o $WAN -p tcp -m tcp --dport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A FromLAN -i $LAN -o $WAN -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT

# DNS
iptables -A FromLAN -i $LAN -o $WAN -p udp -m udp --dport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A FromLAN -i $LAN -o $WAN -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT

# icmp [ping] from inside to outside
iptables -A FromLAN -i $LAN -o $WAN -p icmp --icmp-type echo-request -j ACCEPT

# drop all other packets
iptables -A FromLAN -j DROP

############
# FromWAN

# http
iptables -A FromWAN -o $LAN -i $WAN -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# DNS
iptables -A FromWAN -o $LAN -i $WAN -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT

# icmp [ping] from inside to outside
iptables -A FromWAN -o $LAN -i $WAN -p icmp --icmp-type echo-reply -j ACCEPT

# drop all other packets
iptables -A FromWAN -j DROP

###############
# POSTROUTING #
###############

# Masquerade
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

# Enable routing
echo 1 > /proc/sys/net/ipv4/ip_forward

# a little security
# (each setting has its /etc/sysctl.conf equivalent in the comment above it;
#  putting them there makes them survive a reboot without this script)
#
#---------------------------------------------------------------
# Reverse-path filtering: drop packets whose source address would not be
# routed back out the interface they arrived on. Protects against spoofed
# sources (e.g. a 192.168.1.x address arriving on eth1).
#---------------------------------------------------------------
#net.ipv4.conf.all.rp_filter = 1
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
#
#---------------------------------------------------------------
# Log packets with impossible (martian) source addresses
#---------------------------------------------------------------
#net.ipv4.conf.all.log_martians = 1
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
#
#---------------------------------------------------------------
# Do not send ICMP redirects (a router should not tell LAN hosts
# to use another gateway)
#---------------------------------------------------------------
#net.ipv4.conf.all.send_redirects = 0
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
#
#---------------------------------------------------------------
# Drop source-routed packets
#---------------------------------------------------------------
#net.ipv4.conf.all.accept_source_route = 0
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
#
#---------------------------------------------------------------
# Ignore ICMP redirects (they could re-route the router's own traffic)
#---------------------------------------------------------------
#net.ipv4.conf.all.accept_redirects = 0
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#
#---------------------------------------------------------------
# SYN cookies: the actual protection against SYN floods
#---------------------------------------------------------------
#net.ipv4.tcp_syncookies = 1
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#
#---------------------------------------------------------------
# Do not answer pings sent to a broadcast address (smurf amplification)
#---------------------------------------------------------------
#net.ipv4.icmp_echo_ignore_broadcasts = 1
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#

save to /etc/network/if-pre-up.d/router
chmod u+x /etc/network/if-pre-up.d/router
I have as much authority as the Pope, I just don't have as many people who believe it. --George Carlin
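A firewall script like the ones in this post is only as good as the chains it actually manages to create: iptables refuses a rule that appends to or jumps to a chain that does not exist yet, prints an error, and a script without `set -e` simply carries on, so a typo in a chain name (the post's first version appends its DNS and SSH rules to LANin/LANout without ever running `iptables -N` for them) leaves the traffic silently blocked. The static checker below is an added example, not code from the post; it needs no root and no iptables binary. `SAMPLE` is a constructed excerpt that reproduces that mistake; `parse_invocation` and `check_chains` are my own names.

```python
"""Static check for an iptables shell script: every chain a rule is appended
to (-A/-I/-D/-P) or jumped to (-j) must be a built-in chain of that table or
have been created with -N earlier in the script, as iptables itself requires."""
import shlex

# Built-in chains per table (the tables the post's scripts touch, plus raw).
BUILTIN = {
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "nat": {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
    "raw": {"PREROUTING", "OUTPUT"},
}
# Standard targets: a -j to one of these is not a chain reference.
TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG",
           "MASQUERADE", "SNAT", "DNAT", "REDIRECT"}


def parse_invocation(line):
    """Split one shell line; return (table, argv) if it is an iptables call, else None."""
    try:
        argv = shlex.split(line, comments=True)
    except ValueError:  # unbalanced quotes: the shell would choke on it too
        return None
    if not argv or argv[0] not in ("iptables", "ip6tables"):
        return None
    table = "filter"
    if "-t" in argv and argv.index("-t") + 1 < len(argv):
        table = argv[argv.index("-t") + 1]
    return table, argv


def check_chains(script):
    """Walk the script in order and return (line, table, chain) for every
    reference to a chain that does not exist at that point."""
    defined = {table: set(chains) for table, chains in BUILTIN.items()}
    problems = []
    for lineno, line in enumerate(script.splitlines(), 1):
        parsed = parse_invocation(line)
        if parsed is None:
            continue
        table, argv = parsed
        chains = defined.setdefault(table, set())
        for i in range(len(argv) - 1):
            opt, arg = argv[i], argv[i + 1]
            if opt == "-N":
                chains.add(arg)
            elif opt in ("-A", "-I", "-D", "-P") or (opt == "-j" and arg not in TARGETS):
                if arg not in chains:
                    problems.append((lineno, table, arg))
    return problems


# Constructed excerpt in the style of the post's first script (not the script itself).
SAMPLE = """\
#!/bin/sh
WAN=eth1
LAN=eth0
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -N FIREWALL
iptables -N LAN
iptables -A INPUT -j FIREWALL
iptables -A FIREWALL -i $LAN -j LAN
# the LAN section appends to LANin/LANout, which were never created with -N
iptables -A LANin -i $LAN -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A LANout -o $LAN -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -A LAN -j DROP
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
"""

if __name__ == "__main__":
    for lineno, table, chain in check_chains(SAMPLE):
        print("line %d: chain %r does not exist in table %s" % (lineno, chain, table))
```

Run it against the real script with `check_chains(open("/etc/network/if-pre-up.d/router").read())`; the check is order-sensitive on purpose, because iptables rejects a `-j` to a chain that is only created later in the file.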
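The FilterDROP section leans on `--tcp-flags MASK COMP`, whose semantics are easy to get backwards: only the bits named in MASK are examined, and the packet matches when exactly the bits in COMP are set among them. Two consequences matter for a chain like that one. First, rule order decides everything, so a rule whose combination is a superset of an earlier rule's (all six flags set, after a SYN,FIN rule) can never be the first match, and if it is a LOG rule it never logs. Second, a plain SYN matches none of these rules, so they are not SYN-flood protection; that job belongs to tcp_syncookies. The evaluator below is an added example, not code from the post; `RULES` is a constructed chain using the same mask/comp pairs as the post's FilterDROP rules, in one plausible order, and `first_match`, `shadowed_rules` and `is_syn` are my own names.

```python
"""Evaluate iptables --tcp-flags MASK COMP rules the way netfilter does and
find rules that can never be the first match for any TCP flag combination."""
from itertools import combinations

FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")


def flagset(spec):
    """Expand an iptables flag list ('SYN,FIN', 'ALL', 'NONE') to a set of flag names."""
    if spec == "ALL":
        return set(FLAGS)
    if spec == "NONE":
        return set()
    names = set(spec.split(","))
    unknown = names - set(FLAGS)
    if unknown:
        raise ValueError("unknown TCP flag(s): %s" % ",".join(sorted(unknown)))
    return names


def tcp_flags_match(mask, comp, pkt_flags):
    """--tcp-flags MASK COMP: look only at the bits in MASK and match when the
    set bits among them are exactly COMP. Bits outside MASK are ignored."""
    return (set(pkt_flags) & flagset(mask)) == flagset(comp)


def is_syn(pkt_flags):
    """--syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN (PSH/URG ignored)."""
    return tcp_flags_match("SYN,RST,ACK,FIN", "SYN", pkt_flags)


# (mask, comp, label) in chain order; first match wins, as in netfilter.
# Constructed ordering; the labels are mine.
RULES = [
    ("SYN,FIN", "SYN,FIN", "SYN+FIN"),
    ("SYN,RST", "SYN,RST", "SYN+RST"),
    ("ALL", "ALL", "XMAS"),
    ("ALL", "NONE", "NULL"),
    ("ALL", "ACK,RST,SYN,FIN", "ACK+RST+SYN+FIN"),
    ("ALL", "FIN,PSH,URG", "FIN+PSH+URG"),
    ("ALL", "FIN,SYN,RST,ACK,URG", "FIN+SYN+RST+ACK+URG"),
]


def first_match(pkt_flags, rules=RULES):
    """Label of the first rule that matches the packet, or None if it falls through."""
    for mask, comp, label in rules:
        if tcp_flags_match(mask, comp, pkt_flags):
            return label
    return None


def all_flag_combinations():
    """All 64 possible sets of the six TCP flags."""
    for n in range(len(FLAGS) + 1):
        for combo in combinations(FLAGS, n):
            yield frozenset(combo)


def shadowed_rules(rules=RULES):
    """Rules that are never the first match for any flag combination: an earlier
    rule always wins, so they drop nothing and, as LOG rules, would log nothing."""
    fired = {first_match(pkt, rules) for pkt in all_flag_combinations()}
    return [label for _, _, label in rules if label not in fired]


if __name__ == "__main__":
    for pkt in ({"SYN"}, {"SYN", "ACK"}, set(), set(FLAGS), {"FIN", "PSH", "URG"}):
        print(sorted(pkt) or "<none>", "->", first_match(pkt) or "passes (not bogus)")
    print("shadowed:", shadowed_rules())
```

With this ordering the XMAS rule and the two five-flag rules are shadowed by the SYN,FIN rule, which is why a log-then-drop pair only works if the LOG rule precedes every DROP rule that could match the same packet.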