NSLU2-Linux
view · edit · print · history

You can have a network firewall without any additional hardware (ie, ethernet ports).

If you have an external ethernet port, or a ppp0 interface from a USB modem, you probably don't need this HOWTO. Check out EnableFirewall or FireSlug instead.

If your NSLU2 is on the same network that you want to protect, this is for you.

You will need to:

  1. Give the ethernet interface a second IP.
  2. Send all incoming traffic (from the Internet) to the NSLU2.
  3. Send all outgoing traffic (from the LAN) to the NSLU2.
  4. Isolate the traffic
  5. Write appropriate rules to allow / block traffic coming and going.

Give the ethernet interface a second IP

Since we only have one interface, we will use the trick of IP address aliasing.

We want outgoing traffic on one IP address, incoming on the other. For this example we will use 192.168.1.77 for the LAN, and 192.168.1.78 for the Internet.

The default ifconfig (busybox) can't handle aliases, so download the net-tools package from ipkgfind.nslu2-linux.org and install it.

Typing ifconfig should give the following: 

ixp0      Link encap:Ethernet  HWaddr 00:13:10:D7:EE:07
          inet addr:192.168.1.77  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:44837 errors:0 dropped:0 overruns:0 frame:0
          TX packets:45241 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:256
          RX bytes:21359579 (20.3 Mb)  TX bytes:22005899 (20.9 Mb)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:152 (152.0 b)  TX bytes:152 (152.0 b)

Create an ip alias with the command

ifconfig ixp0 add 192.168.1.78

Now typing ifconfig should give the following: 

ixp0      Link encap:Ethernet  HWaddr 00:13:10:D7:EE:07
          inet addr:192.168.1.77  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:44837 errors:0 dropped:0 overruns:0 frame:0
          TX packets:45241 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:256
          RX bytes:21359579 (20.3 Mb)  TX bytes:22005899 (20.9 Mb)

ixp0:0    Link encap:Ethernet  HWaddr 00:13:10:D7:EE:07
          inet addr:192.168.1.78  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:152 (152.0 b)  TX bytes:152 (152.0 b)

You now have two IPs? on the same interface. We will use one for LAN traffic and the other for Net traffic.

Type route -n (-n means "don't resolve IPs?"). You should get something like the following: 

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 ixp0
127.0.0.0       0.0.0.0         255.255.255.0   U     0      0        0 lo
239.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 ixp0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 ixp0

Here, the router is 192.168.1.1, the G flag indicating that it's the default dateway.

Delete the existing default route (which uses 192.168.1.77 on ixp0)

route delete default ixp0

Create a new default route (using 192.168.1.78, on ixp0:0)

route add default gw 192.168.1.1 ixp0:0

(Change 192.168.1.1 if your router is something different) 

$route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 ixp0
127.0.0.0       0.0.0.0         255.255.255.0   U     0      0        0 lo
239.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 ixp0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 ixp0

Note that the interface alias is not specified in the routing table, but you can check it is working once you have a connection by doing netstat -an and checking which IP is used for the connection.

Send incoming traffic to the NSLU2

To do this, log into the ADSL/Cable/etc router connecting you the Internet, and forward all incoming ports to your NSLU2's IP address, eg, 

Start port:   End port:   Forward to:      Enable:
         0        65535   192.168.1.77      (tick)

Now all traffic hitting the router from the Internet will be directed to your NSLU2.

Send outgoing LAN traffic to the NSLU2

To do this, you will need to set the GATEWAY setting on all networked machines to the NSLU2's IP address.

The best way to do this is with DHCP, as below.

DHCP

If your ADSL/Cable/etc router has a configurable server, just enable it and put the NSLU2's address in the GATEWAY box.

If you don't have a DHCP server, you can install the dhcp package from ipkgfind.nslu2-linux.org

Your dhcpd.conf can just be: 

default-lease-time 600;
max-lease-time 7200;
authoritative;
option domain-name-servers DNS_SERVER_GOES_HERE;
ddns-update-style none;
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.100 192.168.1.149;
  option routers 192.168.1.77;
  option broadcast-address 192.168.1.255;
}

If your router has a DHCP relay function, you may be able to have it relay DHCP to/from the NSLU2.

If you'd rather not use DHCP, just set up all your networked machines with the NSLU2's IP as their GATEWAY.

If you find Windows machines are assigning themselves an 169.254.x.x address, go to

NetworkConnections? -> TCP/IP -> AlternateConfiguration?

and off the Self-Configuring function.

Isolate the traffic

There are 2 issues here:

Firstly, you don't want LAN traffic to bypass the NSLU2 and go straight to the Internet.

My router (Linksys WAG54G?) lets me block machines on the LAN by IP or MAC address. Just ALLOW the NSLU2 and DENY the rest.

Secondly, you don't want packets from the Internet with 192.168.1.0/24 addresses or similar getting into the LAN.

Since all traffic from the Internet is being forwarded by the router to 192.168.1.78, you can just set up your firewall rules to ignore any traffic destined for that IP that has a Private Address source, eg 192.168.1.0/24

Firewall Rules

I use iptables. Set up rules depending on the source and destination IPs? similar to the way you would use incoming and outgoing interfaces normally, ie,

  • Traffic with destination 192.168.1.78 is from the Internet
  • Traffic with destination 192.168.1.77 is from the LAN

and go from there.

view · edit · print · history · Last edited by ben.
Originally by ben.
Page last modified on December 15, 2006, at 06:17 AM