Linux Gateway And Router

From Biowiki
Revision as of 22:42, 1 January 2017 by Move page script (moved page LinuxGatewayAndRouter to Linux Gateway And Router: rename from TWiki to MediaWiki style)

THE GOAL

To set up a Linux box as a gateway/router/firewall between the terrible, scum-ridden wastelands of the Internet and a private network. This Linux box will have two physical network ports - one going to the Internet, one going to the private network (i.e. to a switch connecting the private network components). Traffic originating from the Internet will be filtered according to a set of rules, then (if allowed to) forwarded to the private network (unless it's bound for the gateway machine itself), whereas traffic originating from the private network is generally unrestricted, and will be forwarded to the Internet if that's its heart's desire. Thus our Linux box will do network address translation (NAT) to mask IP addresses (IP Masquerading) of private network machines from the Internet and packet forwarding (so it's a router), be a bridge between the private network and the Internet (so it's a gateway), and filter packets, blocking undesired ones (so it's a firewall).

Setting this up is rather easy - we can use iptables (available in Linux kernel version 2.4 and later... earlier versions use ipchains, which can also be configured to do the same task) to do all these things. The following walkthrough is just a stripped-down and more applicable version of this guide, so go there if you want more details.

STEP 0: OUR SETUP

Note that this is written for iptables only (see the above guide for ipchains info) on a Red Hat system or something similar (in my case, I did this on CentOS). So if your iptables is not set up correctly, proceed no further.

We will designate eth0 as the device connected to the Internet and eth1 as the device connected to the private network. We are assuming Ethernet for everything (so this probably won't work if you're connecting to the Internet via dial-up, if you are so unfortunate). We are also assuming that the machine you will use as the gateway/router/firewall is correctly connected to the Internet and functioning in that respect.

Note that we are additionally assuming that your current iptables configuration (i.e. any prior firewall or NAT that you set up) will not conflict with what we're adding. If in doubt, delete (flush) all prior configurations from the filter and nat tables (and maybe even mangle), but back up your prior configurations first, just in case:

$ iptables-save -t filter > IPTABLE.FILTER.OLD

$ iptables-save -t nat > IPTABLE.NAT.OLD

$ iptables-save -t mangle > IPTABLE.MANGLE.OLD

$ iptables -t filter -F

$ iptables -t nat -F

$ iptables -t mangle -F

Note that this will leave you wide open to whatever scurvy-ridden traffic the Internet may throw at your IP, so you should really physically disconnect your gateway from the Internet before doing this, and set up additional firewall rules before you plug it back in. To do that, once again, this helps. You have been warned.
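The backup-and-flush sequence above, as an added shell script that is not part of the original page. It assumes iptables and iptables-save are on PATH and that you run it as root; BACKUP_DIR and DRY_RUN are names chosen here. It covers two things that the bare -F commands above miss: a chain policy of DROP survives -F (so a flush can lock you out rather than leave you "wide open"), and user-defined chains only go away with -X. With DRY_RUN=1 it prints what it would do instead of touching the kernel.

```shell
#!/bin/sh
# Added example, not from the original page: back up every iptables table,
# then reset each one to an empty, permissive state. Assumes iptables and
# iptables-save on PATH and root privileges. BACKUP_DIR and DRY_RUN are
# knobs invented for this script; DRY_RUN=1 prints commands instead of
# running them.

BACKUP_DIR="${BACKUP_DIR:-/root/iptables-backup}"
TABLES="filter nat mangle"

# run: execute a command, or just print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# backup_tables: one timestamped dump per table in a root-only directory,
# restorable later with: iptables-restore < FILE
# Prints the timestamp used, so the caller knows which files were written.
backup_tables() {
    stamp=$(date +%Y%m%d-%H%M%S)
    run mkdir -p "$BACKUP_DIR"
    run chmod 700 "$BACKUP_DIR"
    for t in $TABLES; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "iptables-save -t $t > $BACKUP_DIR/$t.$stamp"
        else
            iptables-save -t "$t" > "$BACKUP_DIR/$t.$stamp"
        fi
    done
    echo "$stamp"
}

# flush_tables: -F only removes rules. A chain policy of DROP survives a
# flush and would cut you off, and user-defined chains survive until -X.
# So: policies back to ACCEPT first, then flush rules, then delete chains.
flush_tables() {
    for t in $TABLES; do
        case "$t" in
            filter) chains="INPUT FORWARD OUTPUT" ;;
            nat)    chains="PREROUTING POSTROUTING OUTPUT" ;;
            mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        esac
        for c in $chains; do
            run iptables -t "$t" -P "$c" ACCEPT
        done
        run iptables -t "$t" -F
        run iptables -t "$t" -X
    done
}

# reset_firewall: the whole step 0 sequence, backup first, then flush
reset_firewall() {
    backup_tables >/dev/null
    flush_tables
}
```

Source the file and call reset_firewall, or run DRY_RUN=1 first and read the printed command list before doing it for real; do it on the console or with the Internet side unplugged, as the text above says.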

STEP 1: SET UP THE GATEWAY/ROUTER/FIREWALL MACHINE (TODO: need to rethink and rework this section to be more generally instructive, less specific to our config... this should be a tutorial, not a set of steps of how we set up our cluster for all in the world to know)

Log into your machine as root. Do the following:

$ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The above appends a rule to the POSTROUTING chain in the nat table that enables IP Masquerading for all packets going out via eth0 into the wild.

$ iptables -A FORWARD -i eth1 -s 192.168.0.0/255.255.255.0 -j ACCEPT

The above appends a rule to the FORWARD chain in the filter table that allows all packets coming in from the private network on eth1 to be forwarded (I also specified the private network IP and netmask that those packets should have, just in case).

$ echo 1 > /proc/sys/net/ipv4/ip_forward

The above enables packet forwarding in the kernel.

Simple, innit! Now make sure you add rules blocking unwanted traffic in the filter table. Adding a few logging rules (see the man page for iptables, grep for LOG) might also help keep track of who's trying to compromise your machine and how.

Another word of advice - if you set up your INPUT chain policy in filter to DROP (which I would recommend), you should really ACCEPT all packets on the loopback interface, so add that as your first rule to the table, like this:

$ iptables -I INPUT 1 -i lo -j ACCEPT

otherwise, you will have to wait about a minute any time you use iptables -vL or route to look at your network configuration.

TODO: add in the suggestions for more restrictive config, but also the caveats about lo, other things that might cause routing/network to freeze...

After you set up the firewalls, don't forget to save the iptables rules before rebooting! Otherwise, when you reboot the machine, it will be wide open! Save them as follows:

$ /sbin/service iptables save

which will write the configuration to the files /etc/sysconfig/iptables and /etc/sysconfig/iptables-config that are visible to root only.

Lastly, you may also want to make sure that the ethX (where X is an integer) network devices are configured to start at boot/init time. Otherwise, you will not have a network connection when you reboot the machine.
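Step 1 written as a single rule file, added here as an example; it is not the page's own command sequence and not part of the CentOS iptables service. The rule set is emitted in iptables-save format and loaded in one step with iptables-restore, which replaces every table atomically (no window with empty rules, and no need to flush first). It goes beyond the three commands above in the ways the text recommends: INPUT and FORWARD policies are DROP, loopback is accepted first, replies to connections the private network opened are allowed back through FORWARD, and ip_forward is persisted in /etc/sysctl.conf because the echo into /proc does not survive a reboot. The interface names, LAN_NET (192.168.0.0/24 matches the text), SSH_FROM and RULES_FILE are assumptions of this script; the --test option of iptables-restore needs a version of iptables recent enough to have it.

```shell
#!/bin/sh
# Added example, not the page's own: build the gateway rules as one
# iptables-restore file and load them atomically. WAN_IF, LAN_IF, LAN_NET,
# SSH_FROM and RULES_FILE are assumptions of this script.

WAN_IF="${WAN_IF:-eth0}"                 # device facing the Internet
LAN_IF="${LAN_IF:-eth1}"                 # device facing the private network
LAN_NET="${LAN_NET:-192.168.0.0/24}"     # same network as the text's -s rule
SSH_FROM="${SSH_FROM:-0.0.0.0/0}"        # narrow this to your admin network
RULES_FILE="${RULES_FILE:-/etc/sysconfig/iptables}"

# gateway_ruleset [wan_if] [lan_if] [lan_net] [ssh_from]
# Prints the complete rule set in iptables-save format. Lines starting with
# '#' are ignored by iptables-restore, so the comments can stay in the file.
gateway_ruleset() {
    wan="${1:-$WAN_IF}"; lan="${2:-$LAN_IF}"
    net="${3:-$LAN_NET}"; ssh_from="${4:-$SSH_FROM}"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# masquerade everything leaving towards the Internet (step 1, first command)
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first, or local tools stall waiting on the resolver
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# new SSH sessions to the gateway itself
-A INPUT -p tcp --dport 22 -m state --state NEW -s $ssh_from -j ACCEPT
# forward anything the private network originates (step 1, second command)
-A FORWARD -i $lan -o $wan -s $net -j ACCEPT
# and only replies to those connections back in from the Internet
-A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# apply_gateway_ruleset: syntax-check, keep the previous file, load the new
# rules in one step, persist them and turn on forwarding permanently.
apply_gateway_ruleset() {
    tmp=$(mktemp) || return 1
    gateway_ruleset > "$tmp"
    # --test parses and builds the rule set without committing it
    if ! iptables-restore --test < "$tmp"; then
        echo "rule set rejected, nothing changed" >&2
        rm -f "$tmp"
        return 1
    fi
    if [ -f "$RULES_FILE" ]; then
        cp -p "$RULES_FILE" "$RULES_FILE.bak"
    fi
    # replaces every table atomically; no window with empty rules
    iptables-restore < "$tmp"
    # root-only, and the file the iptables init script loads at boot
    install -m 600 "$tmp" "$RULES_FILE"
    rm -f "$tmp"
    # 'echo 1 > /proc/sys/net/ipv4/ip_forward' is lost at reboot; this is not
    sysctl -w net.ipv4.ip_forward=1
    if grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf; then
        sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
    else
        echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    fi
}
```

Run gateway_ruleset on its own first and read the output; once it matches your interfaces and network, apply_gateway_ruleset loads it. Because the FORWARD policy is DROP here, the second FORWARD rule is what lets replies from the Internet reach the private network; without it the text's single FORWARD rule only works while the policy is still ACCEPT.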

STEP 2: SET UP THE PRIVATE NETWORK MACHINES (TODO: need to rethink and rework this section to be more generally instructive, less specific to our config... this should be a tutorial, not a set of steps of how we set up our cluster for all in the world to know)

Log into each private network machine as root and do this:

$ route add default gw xxx.xxx.xxx.xxx

Where xxx.xxx.xxx.xxx is the private network IP (i.e. the IP of eth1) of your gateway you set up above. This will add a catch-all to your kernel routing table that will send to the gateway all packets not bound for a local machine on the network.

Now we should set up a simple firewall, just in case. This is especially useful if you didn't have a firewall at the gateway machine (but why would you do such a silly thing?). Do this:

$ iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

which means accept only packets for either an established connection or something related to it. I.e., don't accept requests for a new connection.

$ iptables -A INPUT -i lo -j ACCEPT

which means allow incoming packets from yourself to yourself (i.e. the interface lo). Necessary for loopback which, trust me, is necessary.

$ iptables -P INPUT DROP

$ iptables -P FORWARD DROP

which means set policy to drop all incoming and forwarded packets, unless some rule in the INPUT and FORWARD chains specifies they should be accepted. This is always a good idea. Note, however, that we are allowed to send anything we want, and outgoing traffic won't be blocked.

Note that the above configuration won't let you SSH in from other machines on your subnet (or anywhere for that matter), so you really want to explicitly specify which machines on your subnet can be allowed to establish an SSH connection. For example, this:

$ iptables -A INPUT -p tcp --destination-port 22 -m state --state NEW -s xxx.xxx.xxx.xxx -j ACCEPT

will allow your machine to accept requests to open an SSH connection from the machine at xxx.xxx.xxx.xxx. So if that is the IP address of eth1 on your gateway machine, you can SSH into your gateway machine from the Internet, then SSH in from the gateway machine to the machine on your private network.

After you set up the firewalls, don't forget to save the iptables rules before rebooting! Otherwise, when you reboot the machine, it will be wide open! Save them as follows:

$ /sbin/service iptables save

which will write the configuration to the files /etc/sysconfig/iptables and /etc/sysconfig/iptables-config that are visible to root only.

Lastly, you may also want to make sure that the ethX (where X is an integer) network devices are configured to start at boot/init time. Otherwise, you will not have a network connection when you reboot the machine.

-- Andrew Uzilov - 17 Feb 2006