Broadband Router
There are many recipes out there for setting up a firewall router box for a network, so I'm just going to put some config examples here.
dhcpd.conf
top of the file
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#
# option definitions common to all supported networks...
default-lease-time 7200;
max-lease-time 14400;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# the old "ad-hoc" update style was removed in ISC DHCP 3.1 and the server
# refuses to start with it; "none" turns dynamic DNS updates off entirely,
# which is what you want unless the DNS server is set up to accept them.
ddns-update-style none;
allow booting;
allow bootp;
# Standard configuration directives...
a group collects hosts and dynamically assigned subnets that share the same
options
group {
option domain-name "localnet";
option domain-name-servers 192.168.0.2;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.0.255;
option routers 192.168.0.1;
static hosts get a host entry with a fixed address; keep fixed addresses outside every dynamic range below, or the pool can hand the same address to another client
host happy {
hardware ethernet 00:48:54:1B:DA:40;
fixed-address 192.168.0.2;
}
and finally the dynamic range(s); 192.168.0.69 is left out of both so it can be configured statically on the host the forwarded ports further down point at
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.3 192.168.0.68;
range 192.168.0.70 192.168.0.254;
}
and end the group
}
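An added check for the address plan above (example code written for this page, not part of the original or of ISC dhcpd): it pulls the subnet, range and fixed-address statements out of a dhcpd.conf and reports any fixed address that sits inside a dynamic range, and any range that includes the network or broadcast address. The sample configuration is constructed from the entries above, plus a hypothetical host "vncbox" pinned to the .69 gap the ranges leave open.

```sh
#!/bin/sh
# Added example, not from the original page: sanity-check the address plan in
# a dhcpd.conf. dhcpd itself does not complain when a fixed-address falls
# inside a dynamic range, but the pool can then lease that address to some
# other client. Constructed input: the page's subnet and host entries plus a
# hypothetical "vncbox" host on 192.168.0.69 (MAC address made up).
DHCPD_CONF='subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.3 192.168.0.68;
  range 192.168.0.70 192.168.0.254;
}
host happy { hardware ethernet 00:48:54:1B:DA:40; fixed-address 192.168.0.2; }
host vncbox { hardware ethernet 00:00:00:00:00:69; fixed-address 192.168.0.69; }'

# check_dhcp_plan CONF_TEXT: print one line per problem; print nothing if clean.
# Only the plain "range A B;" form is understood.
check_dhcp_plan() {
    printf '%s\n' "$1" | awk '
    # dotted quad -> integer so addresses can be compared numerically
    function ip2int(s,  p) {
        split(s, p, ".")
        return p[1] * 16777216 + p[2] * 65536 + p[3] * 256 + p[4]
    }
    # drop the trailing ";" (and anything after it) from a token
    function strip(s) { sub(/;.*$/, "", s); return s }
    $1 == "subnet" {
        net = ip2int($2)
        bcast = net + (4294967295 - ip2int(strip($4)))
        have_subnet = 1
    }
    $1 == "range" {
        n++
        lo[n] = ip2int($2); hi[n] = ip2int(strip($3))
        rtxt[n] = $2 " " strip($3)
    }
    {
        # fixed-address may sit anywhere on a line, e.g. inside a one-line host block
        for (i = 1; i < NF; i++)
            if ($i == "fixed-address") { m++; fixed[m] = strip($(i + 1)) }
    }
    END {
        if (have_subnet)
            for (r = 1; r <= n; r++)
                if (lo[r] <= net || hi[r] >= bcast)
                    print "range " rtxt[r] " includes the network or broadcast address"
        for (f = 1; f <= m; f++) {
            x = ip2int(fixed[f])
            for (r = 1; r <= n; r++)
                if (x >= lo[r] && x <= hi[r])
                    print "fixed-address " fixed[f] " lies inside range " rtxt[r]
        }
    }'
}

# Stand-alone run: report problems, or confirm the plan is clean.
problems=$(check_dhcp_plan "$DHCPD_CONF")
if [ -n "$problems" ]; then
    printf '%s\n' "$problems"
else
    echo "address plan OK"
fi
```

To run it against the real file, call check_dhcp_plan "$(cat /etc/dhcpd.conf)"; a non-empty result means the plan has an overlap or a range that spills onto the network or broadcast address.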
iptables Rules
first, make the box paranoid: default-deny INPUT, and only accept packets that belong to connections the router itself started (plus anything on loopback). These rules only affect traffic addressed to the router; forwarded traffic goes through the FORWARD chain and is not touched by them.
iptables -P INPUT DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -i lo -j ACCEPT
then accept connections that are allowed into the router box: new http connections, rate-limited to 60 SYNs per second (on top of the limit match's default burst of 5; SYNs over the limit fall through to the log chain and the DROP policy), and ssh. As written both are reachable from the outside interface too; add -i eth1 if ssh is only needed from the LAN.
iptables -A INPUT -p tcp -m tcp --dport 80 --syn -m limit --limit 60/sec -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
maybe ping too? (this accepts every ICMP type sent to the router; add --icmp-type echo-request to allow only ping requests)
iptables -A INPUT -p icmp -j ACCEPT
now a chain for logging interesting packets that didn't match above. This is entirely optional. The chain does not log broadcast UDP packets, and logs at most two packets per second; the rest are ignored.
iptables -N log
iptables -A log -d 255.255.255.255 -p udp -j RETURN
iptables -A log -d 192.168.0.255 -p udp -j RETURN
iptables -A log -m limit --limit 2/sec -j LOG --log-prefix "iptables: "
iptables -A INPUT -j log
more rules for the logged packets can go at the end of the log chain; whatever falls off the end returns to INPUT and is dropped by the policy.
now for filtering the forwarded traffic. eth0 is outside, eth1 is inside, the inside network is 192.168.0.0/24. First drop all traffic seen on the wrong interface (anti-spoofing). Two caveats: the negation goes before the option (! -s); the older "-s !" form is deprecated. And the nat table is only consulted for the first packet of a connection. These drops still work because a dropped packet never gets a conntrack entry, so every packet of a spoofed flow looks new, but the conventional place for anti-spoofing rules is the filter table's FORWARD chain, which sees every packet.
iptables -t nat -A PREROUTING ! -s 192.168.0.0/24 -i eth1 -j DROP
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -i eth0 -j DROP
forward any ports to internal hosts, change for your own setup (this is vnc and some udp port). The source match relies on the anti-spoofing drops above, which is why no interface is given. All three need -t nat: PREROUTING does not exist in the filter table, so the udp rule errors out without it.
iptables -t nat -A PREROUTING ! -s 192.168.0.0/24 -p tcp -m tcp --dport 5900 --syn -j DNAT --to-destination 192.168.0.69
iptables -t nat -A PREROUTING ! -s 192.168.0.0/24 -p tcp -m tcp --dport 5800 --syn -j DNAT --to-destination 192.168.0.69
iptables -t nat -A PREROUTING ! -s 192.168.0.0/24 -p udp -m udp --dport 9110 -j DNAT --to-destination 192.168.0.69
drop things being routed toward the inside that don't have an inside destination
iptables -t nat -A POSTROUTING ! -d 192.168.0.0/255.255.255.0 -o eth1 -j DROP
don't nat internal to internal
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
nat anything coming from inside (with only two interfaces the rule above already keeps this off eth1, but adding -o eth0 makes the intent explicit and keeps it from translating traffic if another interface is ever added)
iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -j MASQUERADE
that should be good for this. Remember the rules are order-dependent: if later rules look like they are not specific enough, it is because rules above them already eliminated the cases they would otherwise have to exclude (for example, once the local/non-local traffic has been filtered per interface, the DNAT and MASQUERADE rules don't need to check interfaces anymore). Note also that nothing here touches the filter table's FORWARD chain, whose default policy is ACCEPT, so anything that gets past the nat-table drops is forwarded; a default-deny FORWARD chain that explicitly allows LAN-originated and DNATed traffic is the usual addition.
accessing a forwarded port from inside the network by using the external ip address doesn't work as written, for two reasons: the DNAT rules only match packets from outside (! -s 192.168.0.0/24), and even if an inside client's packet were translated, the reply from 192.168.0.69 would go straight back to the client across the LAN instead of through the router, so the client would see a reply from an address it never talked to and drop it. The fix (hairpin NAT) is to DNAT packets from inside that are addressed to the router's external address as well, and to SNAT/MASQUERADE those hairpinned packets in POSTROUTING so the reply returns through the router and is un-translated there.
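An added example that puts the forwarding side together (written for this page; it is not the original's rule set and not part of iptables): the anti-spoofing drops and a default-deny policy move to the filter table's FORWARD chain, masquerading is pinned to the outside interface, and each forwarded port gets the three rules it needs for hairpin access from the LAN. It assumes the interfaces and network above (eth0 outside, eth1 inside, 192.168.0.0/24, target 192.168.0.69); the script prints the commands rather than running them, so they can be reviewed and then piped to sh as root.

```sh
#!/bin/sh
# Added example, not from the original page: emit a complete forwarding rule
# set for the two-interface router described above. Assumed layout: eth0
# outside, eth1 inside, LAN 192.168.0.0/24 (override via the environment).
# Nothing is applied; review the output, then:  sh fw-rules.sh | sudo sh
EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
LAN=${LAN:-192.168.0.0/24}

# forward_base: default-deny forwarding, anti-spoofing on both interfaces in
# the filter table (which sees every packet, unlike nat PREROUTING), stateful
# return traffic, LAN -> internet allowed and masqueraded on the outside only.
forward_base() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -i $INT_IF ! -s $LAN -j DROP"
    echo "iptables -A FORWARD -i $EXT_IF -s $LAN -j DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP"
    echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -s $LAN -o $EXT_IF -j MASQUERADE"
}

# port_forward PROTO PORT TARGET: the three rules one forwarded port needs.
#  1. DNAT in nat PREROUTING. Matching "addrtype --dst-type LOCAL" instead of
#     a source or interface translates packets sent to any of the router's own
#     addresses, whether they come from the internet or from a LAN client using
#     the external address, and the (dynamic) external address need not be known.
#  2. ACCEPT the translated flow in FORWARD. "--ctstate DNAT" matches only
#     connections that were rewritten by a DNAT rule, so nothing else is opened.
#  3. MASQUERADE hairpinned packets (LAN source, TARGET destination) so the
#     reply comes back through the router and is un-translated there, instead
#     of going straight to the client from an address it never talked to.
port_forward() {
    proto=$1; port=$2; target=$3
    echo "iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -p $proto --dport $port -j DNAT --to-destination $target"
    echo "iptables -A FORWARD -d $target -p $proto --dport $port -m conntrack --ctstate DNAT -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -s $LAN -d $target -p $proto --dport $port -j MASQUERADE"
}

# Emit everything. Forwarding also needs net.ipv4.ip_forward=1 (sysctl).
forward_base
port_forward tcp 5900 192.168.0.69   # vnc
port_forward tcp 5800 192.168.0.69   # vnc's http port
port_forward udp 9110 192.168.0.69   # the udp port from the page
```

The hairpin MASQUERADE only ever fires for hairpinned flows, because a LAN client talking to 192.168.0.69 directly never crosses the router; its side effect is that the target sees those connections as coming from the router's LAN address. Because the DNAT matches any local address, a LAN client connecting to the router's inside address on a forwarded port is forwarded too, which is normally what you want.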