NSLU2-Linux

HowTo.SingleInterfaceFirewall History


January 07, 2009, at 11:39 AM by PPmarcel -- Fixed IP forwarded by the modem
Changed line 124 from:
         0        65535   192.168.1.77      (tick)
to:
         0        65535   192.168.1.78      (tick)
December 15, 2006, at 06:17 AM by ben -- fix typo
Changed lines 3-4 from:

If you have an external ethernet port, or a ppp0 interface from a USB modem, you probably don't need this HOWTO. Check out EnableFirewall or FireSlug? instead.

to:

If you have an external ethernet port, or a ppp0 interface from a USB modem, you probably don't need this HOWTO. Check out EnableFirewall or FireSlug instead.

December 15, 2006, at 06:16 AM by ben -- fix typo
Changed lines 3-4 from:

If you have an external ethernet port, or a ppp0 interface from a USB modem, you probably don't need this HOWTO. Check out EnableFirewall or instead.

to:

If you have an external ethernet port, or a ppp0 interface from a USB modem, you probably don't need this HOWTO. Check out EnableFirewall or FireSlug? instead.

December 15, 2006, at 06:15 AM by ben -- added dhcpd.conf example, firewall links
Changed lines 3-4 from:

If you have an external ethernet port, or a ppp0 interface from a USB modem, you probably don't need this HOWTO.

to:

If you have an external ethernet port, or a ppp0 interface from a USB modem, you probably don't need this HOWTO. Check out EnableFirewall or instead.

Added lines 143-157:

Your dhcpd.conf can just be:

default-lease-time 600;
max-lease-time 7200;
authoritative;
option domain-name-servers DNS_SERVER_GOES_HERE;
ddns-update-style none;
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.100 192.168.1.149;
  option routers 192.168.1.77;
  option broadcast-address 192.168.1.255;
}
December 15, 2006, at 05:55 AM by ben -- added ifconfig / route examples
Changed lines 31-32 from:

FIXME: add ifconfig output

to:
ixp0      Link encap:Ethernet  HWaddr 00:13:10:D7:EE:07
          inet addr:192.168.1.77  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:44837 errors:0 dropped:0 overruns:0 frame:0
          TX packets:45241 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:256
          RX bytes:21359579 (20.3 Mb)  TX bytes:22005899 (20.9 Mb)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:152 (152.0 b)  TX bytes:152 (152.0 b)
Deleted lines 54-74:

FIXME: add ifconfig output

You now have two IPs on the same interface. We will use one for LAN traffic and the other for Net traffic.

Type route. You should get something like the following:

FIXME: add route output

Delete the existing default route (which uses 192.168.1.77, ie, ixp0)

route delete default ixp0

Create a new default route (on 192.168.1.78, ie, ixp0:0)

route add default gw ROUTER ixp0:0

Send incoming traffic to the NSLU2

To do this, log into the ADSL/Cable/etc router connecting you to the Internet, and forward all incoming ports to your NSLU2's IP address, eg,

Changed lines 56-57 from:

Start port: End port: Forward to: Enable:

         0        65535   192.168.1.77      (tick)
to:

ixp0      Link encap:Ethernet  HWaddr 00:13:10:D7:EE:07
          inet addr:192.168.1.77  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:44837 errors:0 dropped:0 overruns:0 frame:0
          TX packets:45241 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:256
          RX bytes:21359579 (20.3 Mb)  TX bytes:22005899 (20.9 Mb)

ixp0:0    Link encap:Ethernet  HWaddr 00:13:10:D7:EE:07
          inet addr:192.168.1.78  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:152 (152.0 b)  TX bytes:152 (152.0 b)
Added lines 77-126:

You now have two IPs on the same interface. We will use one for LAN traffic and the other for Net traffic.

Type route -n (-n means "don't resolve IPs"). You should get something like the following:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 ixp0
127.0.0.0       0.0.0.0         255.255.255.0   U     0      0        0 lo
239.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 ixp0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 ixp0

Here, the router is 192.168.1.1, the G flag indicating that it's the default gateway.

Delete the existing default route (which uses 192.168.1.77 on ixp0)

route delete default ixp0

Create a new default route (using 192.168.1.78, on ixp0:0)

route add default gw 192.168.1.1 ixp0:0

(Change 192.168.1.1 if your router is something different)

$ route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 ixp0
127.0.0.0       0.0.0.0         255.255.255.0   U     0      0        0 lo
239.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 ixp0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 ixp0

Note that the interface alias is not specified in the routing table, but you can check it is working once you have a connection by doing netstat -an and checking which IP is used for the connection.

Send incoming traffic to the NSLU2

To do this, log into the ADSL/Cable/etc router connecting you to the Internet, and forward all incoming ports to your NSLU2's IP address, eg,

Start port:   End port:   Forward to:      Enable:
         0        65535   192.168.1.77      (tick)
December 15, 2006, at 05:45 AM by ben --
Added line 60:

[@

Changed lines 63-64 from:
to:

@]

December 15, 2006, at 05:44 AM by ben -- formatting
Changed lines 3-4 from:

If you have an external ethernet port, or a ppp0 interface from a USB modem, you probably don't need this HOWTO.

to:

If you have an external ethernet port, or a ppp0 interface from a USB modem, you probably don't need this HOWTO.

Changed lines 7-8 from:

---

to:
Changed lines 20-21 from:

---

to:
Changed lines 27-30 from:

The default ifconfig (busybox) can't handle aliases, so download the net-tools package from ipkgfind.nslu2-linux.org and install it.

Typing ifconfig should give the following:

to:

The default ifconfig (busybox) can't handle aliases, so download the net-tools package from ipkgfind.nslu2-linux.org and install it.

Typing ifconfig should give the following:

Changed lines 35-38 from:

ifconfig ixp0 add 192.168.1.78

Now typing ifconfig should give the following:

to:

ifconfig ixp0 add 192.168.1.78

Now typing ifconfig should give the following:

Changed lines 43-44 from:

Type route. You should get something like the following:

to:

Type route. You should get something like the following:

Changed lines 49-50 from:

route delete default ixp0

to:

route delete default ixp0

Changed lines 53-56 from:

route add default gw ROUTER ixp0:0

---

to:

route add default gw ROUTER ixp0:0

Changed lines 65-66 from:

---

to:
Changed lines 72-73 from:

---

to:
Changed lines 77-78 from:

If you don't have a DHCP server, you can install the dhcp package from ipkgfind.nslu2-linux.org

to:

If you don't have a DHCP server, you can install the dhcp package from ipkgfind.nslu2-linux.org

Changed lines 83-86 from:

If you find Windows machines are assigning themselves a 169.254.x.x address, go to NetworkConnections -> TCP/IP -> AlternateConfiguration, and turn off the Self-Configuring function.

---

to:

If you find Windows machines are assigning themselves a 169.254.x.x address, go to

NetworkConnections -> TCP/IP -> AlternateConfiguration

and turn off the Self-Configuring function.

Changed lines 102-103 from:

---

to:
Changed line 105 from:

I use iptables.

to:

I use iptables.

Changed lines 108-110 from:

traffic with destination 192.168.1.78 is from the Internet traffic with destination 192.168.1.77 is from the LAN

to:
  • Traffic with destination 192.168.1.78 is from the Internet
  • Traffic with destination 192.168.1.77 is from the LAN
December 15, 2006, at 05:38 AM by ben -- formatting
Changed lines 9-20 from:

You will need to:

0. Give the ethernet interface a second IP.

1. Send all incoming traffic (from the Internet) to the NSLU2.

2. Send all outgoing traffic (from the LAN) to the NSLU2.

3. Isolate the traffic

4. Write appropriate rules to allow / block traffic coming and going.

to:

You will need to:

  1. Give the ethernet interface a second IP.
  2. Send all incoming traffic (from the Internet) to the NSLU2.
  3. Send all outgoing traffic (from the LAN) to the NSLU2.
  4. Isolate the traffic
  5. Write appropriate rules to allow / block traffic coming and going.
Changed lines 23-24 from:

Give the ethernet interface a second IP

to:

Give the ethernet interface a second IP

Changed lines 59-60 from:

Send incoming traffic to the NSLU2

to:

Send incoming traffic to the NSLU2

Changed lines 70-71 from:

Send outgoing LAN traffic to the NSLU2

to:

Send outgoing LAN traffic to the NSLU2

Changed lines 78-79 from:

DHCP

to:

DHCP

Changed lines 92-93 from:

Isolate the traffic

to:

Isolate the traffic

Changed lines 106-107 from:

Firewall Rules

to:

Firewall Rules

December 15, 2006, at 05:34 AM by ben -- Created
Added lines 1-119:

You can have a network firewall without any additional hardware (ie, ethernet ports).

If you have an external ethernet port, or a ppp0 interface from a USB modem, you probably don't need this HOWTO.

If your NSLU2 is on the same network that you want to protect, this is for you.

---

You will need to:

0. Give the ethernet interface a second IP.

1. Send all incoming traffic (from the Internet) to the NSLU2.

2. Send all outgoing traffic (from the LAN) to the NSLU2.

3. Isolate the traffic

4. Write appropriate rules to allow / block traffic coming and going.

---

Give the ethernet interface a second IP

Since we only have one interface, we will use the trick of IP address aliasing.

We want outgoing traffic on one IP address, incoming on the other. For this example we will use 192.168.1.77 for the LAN, and 192.168.1.78 for the Internet.

The default ifconfig (busybox) can't handle aliases, so download the net-tools package from ipkgfind.nslu2-linux.org and install it.

Typing ifconfig should give the following:

FIXME: add ifconfig output

Create an ip alias with the command

ifconfig ixp0 add 192.168.1.78

Now typing ifconfig should give the following:

FIXME: add ifconfig output

You now have two IPs on the same interface. We will use one for LAN traffic and the other for Net traffic.

Type route. You should get something like the following:

FIXME: add route output

Delete the existing default route (which uses 192.168.1.77, ie, ixp0)

route delete default ixp0

Create a new default route (on 192.168.1.78, ie, ixp0:0)

route add default gw ROUTER ixp0:0

---

Send incoming traffic to the NSLU2

To do this, log into the ADSL/Cable/etc router connecting you to the Internet, and forward all incoming ports to your NSLU2's IP address, eg,

Start port: End port: Forward to: Enable:

         0        65535   192.168.1.77      (tick)

Now all traffic hitting the router from the Internet will be directed to your NSLU2.

---

Send outgoing LAN traffic to the NSLU2

To do this, you will need to set the GATEWAY setting on all networked machines to the NSLU2's IP address.

The best way to do this is with DHCP, as below.

---

DHCP

If your ADSL/Cable/etc router has a configurable server, just enable it and put the NSLU2's address in the GATEWAY box.

If you don't have a DHCP server, you can install the dhcp package from ipkgfind.nslu2-linux.org

If your router has a DHCP relay function, you may be able to have it relay DHCP to/from the NSLU2.

If you'd rather not use DHCP, just set up all your networked machines with the NSLU2's IP as their GATEWAY.

If you find Windows machines are assigning themselves a 169.254.x.x address, go to NetworkConnections -> TCP/IP -> AlternateConfiguration, and turn off the Self-Configuring function.

---

Isolate the traffic

There are 2 issues here:

Firstly, you don't want LAN traffic to bypass the NSLU2 and go straight to the Internet.

My router (Linksys WAG54G) lets me block machines on the LAN by IP or MAC address. Just ALLOW the NSLU2 and DENY the rest.

Secondly, you don't want packets from the Internet with 192.168.1.0/24 addresses or similar getting into the LAN.

Since all traffic from the Internet is being forwarded by the router to 192.168.1.78, you can just set up your firewall rules to ignore any traffic destined for that IP that has a Private Address source, eg 192.168.1.0/24

---

Firewall Rules

I use iptables. Set up rules depending on the source and destination IPs similar to the way you would use incoming and outgoing interfaces normally, ie,

traffic with destination 192.168.1.78 is from the Internet traffic with destination 192.168.1.77 is from the LAN

and go from there.
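Steps 1, 4 and 5 of the HOWTO as one script, added here as an example that is not part of the original page: it uses the page's addresses (192.168.1.77 for the LAN, the 192.168.1.78 alias for the Internet, router 192.168.1.1) and the ixp0 interface, and with DRY_RUN=1 it prints the commands instead of running them. The SNAT rule and the private-range list are assumptions of this example, not something the page states.

```shell
#!/bin/sh
# Added example, not the page's own script: the HOWTO's steps on one
# interface. Assumes the page's addresses; DRY_RUN=1 prints instead of acting.
IFACE=ixp0
LAN_IP=192.168.1.77        # primary address: traffic to it is from the LAN
NET_IP=192.168.1.78        # alias ixp0:0: traffic to it is from the Internet
ROUTER=192.168.1.1
LAN_NET=192.168.1.0/24
# Private ranges that must never be the source of Internet-side traffic
PRIVATE="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"

run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# Step 1: second IP on the single interface, default route via the alias
setup_alias_and_route() {
    run ifconfig "$IFACE" add "$NET_IP"
    run route delete default "$IFACE"
    run route add default gw "$ROUTER" "$IFACE:0"
}

# Steps 4 and 5: isolate and filter by destination address instead of by
# interface. The SNAT rule is an assumption of this example: it makes replies
# to LAN-originated connections come back to $NET_IP, so "dst .78 == Internet"
# stays true for every packet arriving from the router.
apply_firewall() {
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Isolation: a packet for the Internet-side address with a private source
    # is spoofed or leaked; drop it before anything else is considered
    for net in $PRIVATE; do run iptables -A INPUT -d "$NET_IP" -s "$net" -j DROP; done
    # LAN hosts may talk to the NSLU2 itself only on the LAN address
    run iptables -A INPUT -d "$LAN_IP" -s "$LAN_NET" -j ACCEPT
    # LAN hosts may go out to the Internet, hidden behind the alias
    run iptables -A FORWARD -s "$LAN_NET" ! -d "$LAN_NET" -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" ! -d "$LAN_NET" \
        -j SNAT --to-source "$NET_IP"
    # New connections arriving on $NET_IP fall through to the DROP policy
    run sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

if [ "$1" = apply ]; then
    setup_alias_and_route
    apply_firewall
fi
```

Run `DRY_RUN=1 sh firewall.sh apply` to preview the rule set before applying it, then confirm with netstat -an, as the page suggests, that outbound connections really leave from 192.168.1.78.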

Last edited by PPmarcel.
Originally by ben.
Page last modified on January 07, 2009, at 11:39 AM