RE: [gentoo-user] Re: iptables advice for stand alone box under different usage scenarios
-----Original Message-----
From: Dave Nebinger [mailto:[EMAIL PROTECTED]
Sent: 08 September 2005 21:27
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: iptables advice for stand alone box under different usage scenarios

>>> For the gentoo box to act as the router/gateway/hub, you need more than one ethernet card in the box.

>> OK, but under the ADSL connection scenario (diagram A) I already have a hardware router/gateway, so do I still need a two card configuration? What I am trying to do is protect the Gentoo box from other boxes in the LAN (behind the Netgear router), or when connected to the Internet via dialup then protect it from other internet machines.

> Depends. Personally I had little love for my netgear router when it was in place. I had a couple of issues:
>
> 1. Although my gentoo box allowed for externally-generated syslog entries, the netgear router (even though the gui suggested it would) would not forward syslog messages to my gentoo box, so I missed out on things like knowing who was hitting the router.

I think that things have improved a lot since you last used netgear. The DG384 is now on version 2.10.22 of their embedded image firmware, which offers a lot more functionality than just a couple of years ago. It now offers VPN with IPsec connectivity. Also, it can broadcast the logs on the LAN, or you can set a specific IP address to FWD them to. You can of course still use the http gui to see the logs, save them manually or have them emailed to you regularly, or when a warning/alarm is triggered.

> 2. Could not find an easy way to extract the external IP address from the darn thing. My domain name is managed via dyndns.org, and I only wanted to trigger an update when an actual ip address change occurred. It was either that or tickle the dyndns.org system every few minutes so it would update IP address from the incoming connection.

I've got a fixed IP address so I didn't need this feature, but 'tickling' the dyndns.org is the default method (don't think that you can set the interval). It works like a client which logs on to the dyndns server and updates the IP address - not sure if it's more intelligent than just doing that every few minutes.

> 3. Performance, over time, would drop down to a trickle. The only way to get it back up was to reboot the router. And since I didn't want to expose the admin interface to the world, that meant that I would have to wait till I was on-site to reboot it.

Aahh, that's not on! I haven't noticed any such problem with mine. Are you sure it wasn't an ISP throttling, or contention ratio issue? Access to netgear's remote web interface can be restricted to a particular IP address/port number and you can also remotely reboot the router.

> 4. DNS DHCP - It still isn't clear to me how their DNS is set up; although it will act as the gateway for internal systems, I couldn't tell if it was using a caching DNS service or was just passing DNS queries up the stream for processing. DHCP gets managed by the router, so you have little control beyond designating the range to use for dynamic address assignments.

I understand that it can obtain an IP address, subnet mask, DNS server addresses, and a gateway address if the ISP provides this information by DHCP. To act as a DHCP server for the LAN it has to keep its own routing tables, but I am not sure what it does with regards to DNS. I believe that it keeps stuff in the local cache but don't know the size of the cache. On the other hand it might just be passing all DNS queries to the ISP's DNS servers?

> 5. No DMZ support - everything plugged into the netgear box is 'exposed'. In my current gentoo gateway, I can and do severely limit traffic on the intranet side while being a little less controlling on the DMZ side. Should a penetration of the DMZ occur, I know that the line of demarcation between the DMZ and the intranet should protect my sensitive information.

As I understand it, now you get the full DMZ facility for a complete box/IP address.

> 6. No ssh access, no ability to programmatically get information from the router, and other minor complaints.

Yes, unfortunately there's no raw engine room access, just the http gui, but for a simple network setup it should be OK.

> In any case I ended up dumping netgear and running with a Sangoma ADSL card. All the benefits of using ADSL whilst including all the access and administration my gentoo box allows.

That's for sure a more flexible self-determining approach, especially if you have a complex network configuration.

Q1. If I connect my Gentoo box on its own (stand alone) via a dialup modem to the internet what's my internal iface and what is the external?

Q2. Can I run public services http/ftp/mail on the Gentoo box and in parallel continue using it as a desktop (simultaneously)? How do I set this up
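Point 2 above (updating dyndns.org only when the address really changes) is straightforward once the Gentoo box itself holds the public address, which is the situation Dave ended up in with the ADSL card and is also the dialup case. The following is an added example written for this page, not code from the thread or from any dyndns client: it reads the address off an interface, compares it with the last one recorded in a state file, and signals a change only when the two differ. The state-file path, the function names and the `update_if_changed` hook are assumptions; the `ip` invocation is standard iproute2. Behind a NAT router the box only sees its private address, which is exactly the limitation Dave describes, so this only helps when the public address is on the box.

```sh
#!/bin/sh
# Added example, not from the thread: update a dynamic-DNS record only when
# the external address has really changed, rather than tickling dyndns.org
# every few minutes. The address is read from an interface the box holds the
# public address on (ppp0 for dialup, or an ADSL card inside the box).

# Where the last-seen address is remembered between runs (assumed path).
STATE_FILE=${STATE_FILE:-/var/lib/ddns/last_ip}

# Print the first IPv4 address of interface $1, or nothing if it has none.
current_ip() {
    ip -4 -o addr show dev "$1" 2>/dev/null | awk 'NR == 1 { print $4 }' | cut -d/ -f1
}

# ip_changed ADDR [STATEFILE]
# Return 0 and record ADDR if it differs from the stored address,
# 1 if it is unchanged, 2 if ADDR is empty (interface down: leave the state alone).
ip_changed() {
    new=$1; state=${2:-$STATE_FILE}
    [ -n "$new" ] || return 2
    old=$(cat "$state" 2>/dev/null || true)
    [ "$new" = "$old" ] && return 1
    mkdir -p "$(dirname "$state")"
    printf '%s\n' "$new" > "$state"
    return 0
}

# Hypothetical cron hook: run it every few minutes, and only an actual change
# triggers an update. Replace the echo with the real client call (e.g. ddclient).
update_if_changed() {
    iface=$1; state=${2:-$STATE_FILE}
    addr=$(current_ip "$iface")
    if ip_changed "$addr" "$state"; then
        echo "external address changed to $addr, updating DNS record"
    fi
}
```

Running `update_if_changed ppp0` from cron gives the behaviour Dave wanted: the dyndns client is invoked once per address change instead of on every tick, and a down interface neither fires an update nor clobbers the remembered address.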
Re: [gentoo-user] Re: iptables advice for stand alone box under different usage scenarios
>> 3. Performance, over time, would drop down to a trickle. The only way to get it back up was to reboot the router. And since I didn't want to expose the admin interface to the world, that meant that I would have to wait till I was on-site to reboot it.

> Aahh, that's not on! I haven't noticed any such problem with mine. Are you sure it wasn't an ISP throttling, or contention ratio issue?

Well, it would be solved by a router reboot, so I don't think that it could be throttling or contention from the ISP side. I have noticed that there are times when, due to VCI/VPI errors on the ADSL line, retraining results in a significantly lower download/upload rate. When this happens I end up manually stopping/starting the ADSL card and that typically brings the throughput rate back up to where it should be. If I'm remote I just trigger a script that manages it for me (since the connection goes down in the process) and reconnect after the box reconnects itself.

> Access to netgear's remote web interface can be restricted to a particular IP address/port number and you can also remotely reboot the router.

This works if you have a known address that you're going to be coming from. But if you need to recycle the router and all you have access to is the hotspot at Starbucks, you're kinda limited (for good reasons ;-)

> I understand that it can obtain an IP address, subnet mask, DNS server addresses, and a gateway address if the ISP provides this information by DHCP. To act as a DHCP server for the LAN it has to keep its own routing tables, but I am not sure what it does with regards to DNS. I believe that it keeps stuff in the local cache but don't know the size of the cache. On the other hand it might just be passing all DNS queries to the ISP's DNS servers?

Ah, but my gentoo server uses a caching dns scheme, as well as providing naming services for boxen inside the network, both of which are not possible with the netgear box.

>> 5. No DMZ support - everything plugged into the netgear box is 'exposed'. In my current gentoo gateway, I can and do severely limit traffic on the intranet side while being a little less controlling on the DMZ side. Should a penetration of the DMZ occur, I know that the line of demarcation between the DMZ and the intranet should protect my sensitive information.

> As I understand it, now you get the full DMZ facility for a complete box/IP address.

I think you're confusing the 'pass through' setup with a dmz. The pass through thing built into the netgear which they refer to as a DMZ just routes all traffic inbound to a specific box. This is useful in gaming where one wouldn't know or want to find all of the ports necessary to open to get a game to work through a firewall.

For network terminology, however, the DMZ is a separate subnet from your primary intranet; each subnet can have multiple boxen residing in it. Most incoming traffic is routed to systems in the DMZ and does not go to the intranet subnet. You can't do this with the netgear without more hardware (i.e. a switch plugged into the dmz port of netgear that routes to different internal systems).

>> 6. No ssh access, no ability to programmatically get information from the router, and other minor complaints.

> Yes, unfortunately there's no raw engine room access, just the http gui, but for a simple network setup it should be OK.

Agreed. For the average home network user I would say they should use a netgear or linksys or something - my setup is not typical and not for newbies ;-)

>> In any case I ended up dumping netgear and running with a Sangoma ADSL card. All the benefits of using ADSL whilst including all the access and administration my gentoo box allows.

> That's for sure a more flexible self-determining approach, especially if you have a complex network configuration.

Well, I don't know if I'd call it complex. One powerful gentoo box running as gateway server, a DMZ with smaller servers hosting internal and external services, and an intranet hosting gentoo and windows boxen. 8 to 10 boxen at any given time.

> Q1. If I connect my Gentoo box on its own (stand alone) via a dialup modem to the internet what's my internal iface and what is the external?

That will be your ppp interface, a logical interface that should show up when you do the ifconfig after connecting. The internal interfaces will still be your ethernet cards and lo.

> Q2. Can I run public services http/ftp/mail on the Gentoo box and in parallel continue using it as a desktop (simultaneously)? How do I set this up? How do I define my ifaces?

Sure. Just emerge the services you want to run, configure them, then rc-update add [service] default. That will bring the services up when the system boots. Gentoo linux in general does not make a distinction between a desktop system and a server system, as in the Windows world. The same kernel is used, the same core set of software, etc. The
[gentoo-user] Re: iptables advice for stand alone box under different usage scenarios
Thanks Nebinger!

Dave Nebinger wrote:

> Okay, Mike, here goes...
>
> For the gentoo box to act as the router/gateway/hub, you need more than one ethernet card in the box.

OK, but under the ADSL connection scenario (diagram A) I already have a hardware router/gateway, so do I still need a two card configuration? What I am trying to do is protect the Gentoo box from other boxes in the LAN (behind the Netgear router), or when connected to the Internet via dialup then protect it from other internet machines.

> As for the firewall questions, your rules are going to fall into a couple of different flavors:
>
> a) desktop only: For this setup you're basically going to block all incoming traffic, allow all outbound traffic and existing traffic. Forwarding is not an issue.

Right, is that tight enough? I mean, shouldn't I accept only specific outgoing protocols/ports and then be blocking everything else which might try to get out? I'm thinking here in trojan terms and the way certain M$Windoze 'personal firewalls' are usually set up.

> b) server: For this setup it's pretty much like the desktop except you'll allow incoming traffic on the ports that you wish to serve, i.e. mail, pop3, etc. Again forwarding is not needed in this scenario.

Understood.

> c) gateway: For the pure gateway system, this one is a little trickier. All outbound and established traffic should be allowed, and incoming traffic is only allowed for the services you're going to provide. The tricky part is that now your rules need to operate on the FORWARD chain and manage the snat/dnat/masquerade stuff.

Not sure I need one of those, except as you describe below.

> d) combination: The combo system wraps service providing and gateway (and possibly desktop) into one box. This setup is similar to the server scenario, except it also must include the gateway type rules to ensure that internal entities can get to the outside back.

I guess that I'll need some sort of a combo set up if I am to use the Gentoo box as a server to be accessed both by machines in the WAN and by PC/laptop in my LAN. On the other hand, I am thinking that all this masquerading/IP forwarding and NATing could be achieved by my Netgear?

> As in the other iptables threads going on now, I would suggest a tool like shorewall. I haven't heard anything bad about fwbuilder, but I can affirm that the documentation provided with shorewall is top-notch and pretty easy to get your brain around. I can even help define the config for shorewall if you need it.
>
> Hope this helps!

Yes it does, thanks again. :-)

-- 
Regards,
Mick
-- 
gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Re: iptables advice for stand alone box under different usage scenarios
>> For the gentoo box to act as the router/gateway/hub, you need more than one ethernet card in the box.

> OK, but under the ADSL connection scenario (diagram A) I already have a hardware router/gateway, so do I still need a two card configuration? What I am trying to do is protect the Gentoo box from other boxes in the LAN (behind the Netgear router), or when connected to the Internet via dialup then protect it from other internet machines.

Depends. Personally I had little love for my netgear router when it was in place. I had a couple of issues:

1. Although my gentoo box allowed for externally-generated syslog entries, the netgear router (even though the gui suggested it would) would not forward syslog messages to my gentoo box, so I missed out on things like knowing who was hitting the router.

2. Could not find an easy way to extract the external IP address from the darn thing. My domain name is managed via dyndns.org, and I only wanted to trigger an update when an actual ip address change occurred. It was either that or tickle the dyndns.org system every few minutes so it would update IP address from the incoming connection.

3. Performance, over time, would drop down to a trickle. The only way to get it back up was to reboot the router. And since I didn't want to expose the admin interface to the world, that meant that I would have to wait till I was on-site to reboot it.

4. DNS DHCP - It still isn't clear to me how their DNS is set up; although it will act as the gateway for internal systems, I couldn't tell if it was using a caching DNS service or was just passing DNS queries up the stream for processing. DHCP gets managed by the router, so you have little control beyond designating the range to use for dynamic address assignments.

5. No DMZ support - everything plugged into the netgear box is 'exposed'. In my current gentoo gateway, I can and do severely limit traffic on the intranet side while being a little less controlling on the DMZ side. Should a penetration of the DMZ occur, I know that the line of demarcation between the DMZ and the intranet should protect my sensitive information.

6. No ssh access, no ability to programmatically get information from the router, and other minor complaints.

In any case I ended up dumping netgear and running with a Sangoma ADSL card. All the benefits of using ADSL whilst including all the access and administration my gentoo box allows.

>> As for the firewall questions, your rules are going to fall into a couple of different flavors:
>>
>> a) desktop only: For this setup you're basically going to block all incoming traffic, allow all outbound traffic and existing traffic. Forwarding is not an issue.

> Right, is that tight enough? I mean, shouldn't I accept only specific outgoing protocols/ports and then be blocking everything else which might try to get out? I'm thinking here in trojan terms and the way certain M$Windoze 'personal firewalls' are usually set up.

Well, as a desktop system (meaning there are no other windblows systems behind the gentoo box), you really won't have to worry too much about that. All incoming connections would be denied (i.e. mail, dns, ssh, etc.) so no one could get into the box to plant a trojan or virus, so nothing would be exposed. In this scenario somehow you'd have to install something that would open a backdoor to a remote hacker's system - they couldn't connect automatically and the whole thing would be a pain in the ass for them to develop as opposed to your standard windblows problems.

>> d) combination: The combo system wraps service providing and gateway (and possibly desktop) into one box. This setup is similar to the server scenario, except it also must include the gateway type rules to ensure that internal entities can get to the outside back.

> I guess that I'll need some sort of a combo set up if I am to use the Gentoo box as a server to be accessed both by machines in the WAN and by PC/laptop in my LAN. On the other hand, I am thinking that all this masquerading/IP forwarding and NATing could be achieved by my Netgear?

That's the setup I run. I've got a gentoo box that is the gateway and, since it is beefed up, also runs my ftp and mail service. Web and other services are routed into the DMZ. The local network where I serve my printer, windows boxen, and other gentoo systems are on another card. The main box manages the communications with the outside world, from the outside world, as well as internal traffic. Quite a sweet setup, if I do say so myself.

Yes, the netgear will handle the NAT and forwarding stuff for you, as long as you're happy with it.
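The desktop (a), server (b) and combination/gateway (c, d) flavours Dave lays out above, with the ppp interface from the Q1 answer as the external side, map onto a small iptables ruleset. Dave recommends shorewall for this; the following is instead an added example written for this page in raw iptables, not code from the thread or from shorewall. It is a POSIX shell function that emits an `iptables-restore` file for one of the three modes, parameterised on the external interface (ppp0 for dialup, the ethernet card facing the Netgear for the ADSL case) and, for the gateway case, the LAN card. The function names, interface names and port list are assumptions for illustration; nothing is applied to the live firewall, so the output can be reviewed before loading. Outbound traffic stays open, as Dave suggests; the point Mick raises about egress is addressed by logging new outbound flows on the external side rather than blocking them, so an unexpected connection leaving the box at least shows up in syslog.

```sh
#!/bin/sh
# Added example, not from the thread: build an iptables-restore ruleset for
# the desktop / server / gateway flavours. Review the output, then load it
# with `iptables-restore < rules.v4`. Gateway mode also needs
# `echo 1 > /proc/sys/net/ipv4/ip_forward` (not done here).
#
# gen_rules MODE EXT_IF [INT_IF] [TCP_PORTS]
#   MODE       desktop | server | gateway
#   EXT_IF     untrusted-side interface (ppp0 for dialup, eth0 behind the router)
#   INT_IF     LAN interface, required in gateway mode (e.g. eth1)
#   TCP_PORTS  space-separated TCP ports to accept inbound (server/gateway only)
gen_rules() {
    mode=$1; ext_if=$2; int_if=${3:-}; ports=${4:-}

    case "$mode" in
        desktop|server|gateway) ;;
        *) echo "gen_rules: unknown mode '$mode'" >&2; return 1 ;;
    esac
    if [ "$mode" = gateway ] && [ -z "$int_if" ]; then
        echo "gen_rules: gateway mode needs an internal interface" >&2; return 1
    fi

    echo '*filter'
    # Scenario (a): deny everything arriving at or passing through the box,
    # allow what the box itself originates plus replies to it.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m state --state INVALID -j DROP'
    # Answer pings, rate-limited, so the link stays diagnosable.
    echo "-A INPUT -i $ext_if -p icmp --icmp-type echo-request -m limit --limit 4/second -j ACCEPT"

    # Scenario (b)/(d): open only the ports that are actually being served.
    if [ "$mode" != desktop ]; then
        for p in $ports; do
            echo "-A INPUT -i $ext_if -p tcp --dport $p -m state --state NEW -j ACCEPT"
        done
    fi

    if [ "$mode" = gateway ]; then
        # Scenario (c)/(d): the LAN may reach the box and the outside world;
        # from the outside only replies are forwarded back in.
        echo "-A INPUT -i $int_if -j ACCEPT"
        echo "-A FORWARD -i $int_if -o $ext_if -j ACCEPT"
        echo "-A FORWARD -i $ext_if -o $int_if -m state --state ESTABLISHED,RELATED -j ACCEPT"
    fi

    # Outbound stays open, but new flows leaving via the external side are
    # logged so unexpected egress is visible in syslog.
    echo "-A OUTPUT -o $ext_if -m state --state NEW -m limit --limit 10/minute -j LOG --log-prefix \"egress-new: \""
    # Log what the INPUT policy is about to drop on the external side.
    echo "-A INPUT -i $ext_if -m limit --limit 5/minute -j LOG --log-prefix \"inbound-drop: \""
    echo 'COMMIT'

    if [ "$mode" = gateway ]; then
        # The snat/masquerade part lives in the nat table.
        echo '*nat'
        echo ':PREROUTING ACCEPT [0:0]'
        echo ':POSTROUTING ACCEPT [0:0]'
        echo ':OUTPUT ACCEPT [0:0]'
        echo "-A POSTROUTING -o $ext_if -j MASQUERADE"
        echo 'COMMIT'
    fi
}

# Stand-alone use, e.g.:  sh rules.sh server ppp0 "" "25 110"  > rules.v4
if [ $# -gt 0 ]; then
    gen_rules "$@"
fi
```

For the ADSL case behind the Netgear, `gen_rules desktop eth0` (or `server eth0 "" "80 25"`) gives the rules that protect the box from the rest of the LAN, while the router keeps doing the NAT and forwarding as Dave notes; for dialup the same call with `ppp0` is all that changes.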