The Perfect SOHO router - Part 4
чети на 
This is the fourth part of series of articles in which i will explain how to create the perfect SOHO router. I have to note that this is my idea of a perfect router with all the good and bad points stemming from it.
The series will comprise of the following articles:
- Basic hints, ideas, needed services and some thoughts - Here i will try to argument myself upon the choice of software and services for the router
- Base install - i will describe the way our system will be installed and minimized
- Configuration of DNS and DHCP services - here i will describe with arguments what i think is the best configs for the task
- Configure the routing - here is the heart of our router. I will suggest some tricks that make the life easier, also some pointers for more specific stuff
- Configuring very basic monitoring system
- Extending our router - i will describe some small things that make our life tad easier, smooth and not so demanding
After we have installed our router and configured the basic set of services it is time to realise the routing process itself. This is accomplished with the tools route, iptables, arp, iproute2.
In this part we will show the following configurations:
- Dead simple router - this is the most basic one and it offers almost no features at all.
- Router doing NAT/masquerade and firewall - this is the most comon type of router which can be seen.
- Router which is doing load balancing for two or more ISP’s - this is a bit of advanced topic but it is worth.
The examples and the configs are quite basic and skeletal, as almost everyone has different requirements. At the end of this article i will give additional links to read and learn.
Dead simple router
In this situation our router is only moving the traffic. In the most common scenario this router does not do any filtering or masquerading as it is not needed. This solution is usually used in big networks to segment them in smaller and easier manageable parts. It is achieved quite easyly by a simple kernel option and enabling it’s use. The option is IP FORWARDING. I can beallowed in two different ways:
- Using the proc subsystem (it is allways available):
echo "1" > /proc/sys/net/ipv4/ip_forward
- Using the sysctl system (it may not be available):
sysctl -w net.ipv4.ip_forward=1
This setting allows our router to forward packets between it’s interfaces and in reality this way we start it. It is needed this setting to be put in such place that it is applied on every start of our router. Good place for it is /etc/rc.local or a separate file which is executed at the end of the boot process.
As you can see this is a dead simple router not offering anything special to our clients. For the client machines to work each of them has to have a unique IP address, which is visible in the whole network. This router does not do any filtering or protection schemes for the client machines. This solution is suitable for big networks which has to be segmented and have a decent router and firewall at their entrance.
Router doing NAT/masquerade and firewall
This is by far the most commonly used solution. Its advantages are that behind one addres we can hide (masquerade) many machines (in theory almost unlimited if we have the processing power).
The configuration in this example is built with the following assumptions in mind:
- External interface: eth0 with it’s ip address and mask
- Internal interface: eth1 with it’s ip address and mask
- Simple protection from DoS, DDoS and scanning
- Limit of speciffic ICMP requests
- Access to http и ssh from the external side to our router
- Access to http, ssh, dns, dhcp from the internal side
- SNAT for all clients (even with dinamyc ip address)
- Forwarding 10 ports for each client - for ease of our clients
- Explicit filtering of some stuff
The topic of TTL mangling will be skipped. It can be realised very easy and there is a lot of documentation.
#!/bin/bash # Simple firewalling router # author: vvitkov # contact: http://www.getoto.net/az/ # # Licence: CC NC-BY-SA v3 # Disclaimer: i take no responsibility for the consequences of using or not using this. # It is up to you to decide what to do with this stuff. # Please if you use this write me a note and don't remove the author info. ####### # Settings, vars ####### echo "Setting Up Variables ..." IPT="/sbin/iptables" if [ -x /sbin/sysctl ] ; then SYSCTL="/sbin/sysctl -w" fi # define external interface, ip, mask, broadcast EXT_IF="eth0" EXT_IP="$(/sbin/ifconfig $EXT_IF | grep "addr:" | cut -d":" -f2 | cut -f1 -d" ")" EXT_NM="$(/sbin/ifconfig $EXT_IF | grep "addr:" | cut -d":" -f4 | cut -f1 -d" ")" EXT_BC="$(/sbin/ifconfig $EXT_IF | grep "addr:" | cut -d":" -f3 | cut -f1 -d" ")" # define internal interface, ip, mask, broadcast INT_IF="eth1" INT_IP="$(/sbin/ifconfig $INT_IF | grep "addr:" | cut -d":" -f2 | cut -f1 -d" ")" INT_NM="$(/sbin/ifconfig $INT_IF | grep "addr:" | cut -d":" -f4 | cut -f1 -d" ")" INT_BC="$(/sbin/ifconfig $INT_IF | grep "addr:" | cut -d":" -f3 | cut -f1 -d" ")" INT_NET="$INT_IP"/"$INT_NM" # define the loopback LO_IF="lo" LO_IP="127.0.0.1" # define allowed ports EXT_IN_TCP="22 80" EXT_IN_UDP="33434:33524" INT_IN_TCP="22 53 67 68 80" INT_IN_UDP="53 67 68 33434:33524" ####### # Lets go ####### echo "Tunning ..." if [ -z $SYSCTL ] ; then # stop forwarding $SYSCTL net.ipv4.ip_forward=0 # fix our routing a bit $SYSCTL net.ipv4.conf.default.accept_redirects=0 $SYSCTL net.ipv4.conf.default.accept_source_route=0 $SYSCTL net.ipv4.conf.default.send_redirects=0 $SYSCTL net.ipv4.conf.default.rp_filter=1 # don't log strange packets $SYSCTL net.ipv4.conf.default.log_martians=0 # smurf rpotection $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts=1 $SYSCTL net.ipv4.icmp_ignore_bogus_error_responses=1 $SYSCTL net.ipv4.conf.default.proxy_arp=0 # keep quiet about arp requests/answers $SYSCTL net.ipv4.conf.default.arp_filter=1 $SYSCTL net.ipv4.conf.default.arp_announce=2 $SYSCTL net.ipv4.conf.default.arp_ignore=2 # set the ttl to a windows like box (additional layer of security) $SYSCTL net.ipv4.ip_default_ttl=128 # recycle fast unused buckets for packet infos $SYSCTL net.ipv4.tcp_tw_recycle=1 $SYSCTL net.ipv4.tcp_tw_reuse=1 # do not stamp the packets $SYSCTL net.ipv4.tcp_timestamps=0 else echo "0" > /proc/sys/net/ipv4/ip_forward echo "0" > /proc/sys/net/ipv4/conf/default/accept_redirects echo "0" > /proc/sys/net/ipv4/conf/default/accept_source_route echo "0" > /proc/sys/net/ipv4/conf/default/accept_send_redirects echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter echo "0" > /proc/sys/net/ipv4/conf/default/log_martians echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses echo "0" > /proc/sys/net/ipv4/conf/default/proxy_arp echo "1" > /proc/sys/net/ipv4/conf/default/arp_filter echo "2" > /proc/sys/net/ipv4/conf/default/arp_announce echo "2" > /proc/sys/net/ipv4/conf/default/arp_ignore echo "128" > /proc/sys/net/ipv4/ip_default_ttl echo "1" > /proc/sys/net/ipv4/tcp_tw_recycle echo "1" > /proc/sys/net/ipv4/tcp_tw_reuse echo "0" > /proc/sys/net/ipv4/tcp_timestamps fi # Clear all tables echo "Start on clean ..." $IPT -F $IPT -t nat -F $IPT -t mangle -F $IPT -X $IPT -t nat -X $IPT -t mangle -X $IPT -P INPUT DROP $IPT -P OUTPUT DROP $IPT -P FORWARD DROP echo "Setting custom chains ..." $IPT -N bad_packets $IPT -N bad_tcp_packets $IPT -N icmp_packets $IPT -N tcp_in $IPT -N udp_in $IPT -N tcp_out $IPT -N udp_out echo "Setting some protections ..." echo " General" $IPT -A bad_packets -p ALL -i $EXT_IF -s $INT_NET -j DROP $IPT -A bad_packets -p ALL -m state --state INVALID -j DROP $IPT -A bad_packets -p tcp -j bad_tcp_packets $IPT -A bad_packets -p ALL -j RETURN echo " TCP" $IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP $IPT -A tcp_in -p TCP -s 0/0 --destination-port 113 -j REJECT $IPT -A bad_tcp_packets -p tcp -j RETURN echo " ICMP" $IPT -A icmp_packets --fragment -p ICMP -j DROP $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -m limit --limit 1/s -j ACCEPT $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT $IPT -A icmp_packets -p ICMP -j RETURN echo " UDP" $IPT -A udp_in -p UDP -s 0/0 --dport 137 -j DROP $IPT -A udp_in -p UDP -s 0/0 --dport 139 -j DROP $IPT -A udp_in -p UDP -s 0/0 --dport 113 -j REJECT echo "Filling the chains ..." echo " UDP INCOMING" for PORT in $EXT_IN_UDP ; do $IPT -A udp_in -p UDP -i EXT_IF -s 0/0 --dport $PORT -j ACCEPT; done for PORT in $INT_IN_UDP ; do $IPT -A udp_in -p UDP -i INT_IF -s 0/0 --dport $PORT -j ACCEPT; done $IPT -A udp_in -j RETURN echo " UDP OUTGOING" $IPT -A udp_out -p UDP -s 0/0 -j ACCEPT echo " TCP INCOMING" for PORT in $EXT_IN_TCP ; do $IPT -A tcp_in -p TCP -i $EXT_IF -s 0/0 --dport $PORT -j ACCEPT done for PORT in $INT_IN_TCP ; do $IPT -A tcp_in -p TCP -i $INT_IF-s 0/0 --dport $PORT -j ACCEPT done $IPT -A tcp_in -p TCP -j RETURN echo " TCP OUTGOING" $IPT -A tcp_out -p TCP -j ACCEPT echo " INCOMING" $IPT -A INPUT -p ALL -i $LO_IF -j ACCEPT $IPT -A INPUT -p ALL -j bad_packets $IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP $IPT -A INPUT -p ALL -i $INT_IF -s $INT_NET -j ACCEPT $IPT -A INPUT -p ALL -i $INT_IF -d $INT_BC -j ACCEPT $IPT -A INPUT -p UDP -i $INT_IF --sport 68 --dport 67 -j ACCEPT $IPT -A INPUT -p ALL -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A INPUT -p ALL -i ! $EXT_IF -m state --state NEW -j ACCEPT $IPT -A INPUT -p TCP -i $EXT_IF -j tcp_in $IPT -A INPUT -p UDP -i $EXT_IF -j udp_in $IPT -A INPUT -p ICMP -i $EXT_IF -j icmp_packets $IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP echo " FORWARD" $IPT -A FORWARD -p ALL -j bad_packets $IPT -A FORWARD -p tcp -i $INT_IF -j tcp_out $IPT -A FORWARD -p udp -i $INT_IF -j udp_out $IPT -A FORWARD -p ALL -i $INT_IF -j ACCEPT $IPT -A FORWARD -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A FORWARD -p ALL -i $EXT_IF -m state --state NEW -j ACCEPT echo " OUTPUT" $IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP $IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT $IPT -A OUTPUT -p ALL -o $LO_IF -j ACCEPT $IPT -A OUTPUT -p ALL -s $INT_IP -j ACCEPT $IPT -A OUTPUT -p ALL -o $INT_IF -j ACCEPT $IPT -A OUTPUT -p ALL -o $EXT_IF -j ACCEPT echo " NAT" echo " PORT FORWARDING" TMP="`echo $INT_IP | cut -d\. -f1-3`" for HOST in `seq 2 254` ; do PORTR=$((10000+HOST*10)):$((10009+HOST*10)) echo " $PORTR for $TMP.$HOST" $IPT -A FORWARD -p udp -i $EXT_IF --dport $PORTR -d $TMP.$HOST -j ACCEPT $IPT -A FORWARD -p tcp -i $EXT_IF --dport $PORTR -d $TMP.$HOST -j ACCEPT $IPT -t nat -A PREROUTING -p udp -i $EXT_IF --dport $PORTR -j DNAT --to $TMP.$HOST $IPT -t nat -A PREROUTING -p tcp -i $EXT_IF --dport $PORTR -j DNAT --to $TMP.$HOST done $IPT -t nat -A POSTROUTING -o $EXT_IF -j SNAT --to $EXT_IP if [ -z $SYSCTL ] ; then $SYSCTL net.ipv4.ip_forward=1 else echo "1" > /proc/sys/net/ipv4/ip_forward fi
All in all this is quite good basic firewall. There are few interesting points in it:
- The way we get the addresses for our cards - as you can see the only hardcoded variables are the interface names. This way our firewall becomes flexible and can be applied to all sorts of connections.
- The way we do the masquerading. We do it with SNAT as it is lighter than MASQUERADE. For the people that will say it is inaplicable for dynamic connections (pppoe, ip assigned from dhcp) yes you are right. Unless we use the features of the DHCP client/pppoe client and get around this limitation. At the moment when our ip is changed we can forcibly execute our firewall and it will get the new correct address and rewrite all the rules necessary.
- The way we forward ports to machines behind the router - the construct used is valid only in bash and we use it to generate two numbers denoting the start and the end of the range. After that we explicitly open them in the FORWARD chain (which is not strictly required) and after that forward them with DNAT.
- The portrange 33434:33524 - this ports should be open so traceroute can operate correctly
Router which is loa balancing two or more ISP’s
Here we will show only the part that balances the traffic. Our example is only with 2 providers but the example can be easily extended. The task is a bit larger and we will use iproute. It has quite cryptic syntax but after you get used to it you won’t stop using it.
For being able to balance traffic we need the following tools:
- iproute2
- kernel support for multipath routing
- At least one discipline for multipath routing compiled in the kernel - i personally recomend wrr
If we want to be able to use names we must add them to the /etc/iproute2/rt_tables file. The indexes are between 2 and 253. If you need to balance more than 200 providers … this is not the right reading.
#!/bin/bash # # Simple balancing router # author: vvitkov # contact: http://www.getoto.net/az/ # # Licence: CC NC-BY-SA v3 # Disclaimer: i take no responsibility for the consequences of using or not using this. # It is up to you to decide what to do with this stuff. # Please if you use this write me a note and don't remove the author info. ### Settings ISP1_NET="1.2.3.0/24" ISP1_GW="1.2.3.1" ISP1_IF="eth1" ISP1_OUR_HOST="1.2.3.99" ISP2_NET="9.8.7.0/24" ISP2_GW="9.8.7.1" ISP2_IF="eth2" ISP2_OUR_HOST="9.8.7.99" INT_NET="10.42.3.0/24" # Defining routing tables for source routing if ( ip ru ls | grep main | grep 50 ) then ip r f t main else ip ru a prio 50 t main fi if ( ip ru ls | grep isp_rules1 ) then ip r f t isp_rules1 else ip ru a from $ISP1_NET prio 201 t isp_rules1 fi if ( ip ru ls | grep isp_rules2 ) then ip r f t isp_rules2 else ip ru a from $ISP2_NET prio 202 t isp_rules2 fi # Clear all the existing routes ip r f any ip r f t default # Host routes ip r a $ISP1_NET dev $ISP1_IF src $ISP1_OUR_HOST ip r a $ISP2_NET dev $ISP2_IF src $ISP2_OUR_HOST # Local networks ip r a 127.0.0.0/8 dev lo ip r a $INT_NET dev eth0 # Default gateways ip r a 0/0 via $ISP1_GW dev $ISP1_IF table isp_rules1 proto static ip r a prohibit 0/0 table isp_rules1 metric 1 proto static ip r a 0/0 via $ISP2_GW dev $ISP2_IF table isp_rules2 proto static ip r a prohibit 0/0 table isp_rules2 metric 1 proto static # lets shake it :) ip r a 0/0 proto static table default nexthop via $ISP1_GW dev $ISP2_IF nexthop via $ISP2_GW dev $ISP2_IF # Remote networks with static routes ip r a < NETWORK IN ISP1 > via $ISP1_GW dev $ISP1_IF ip r a < NETWORK IN ISP2 > via $ISP2_GW dev $ISP2_IF # flush caches ip r f c
With this we end the examples for configuring our router. I know i haven’t covered everything but a man has to do some research on his own.
Links
- http://www.lartc.org/ - the bible in this field
- http://www.netfilter.org/
- http://easyfwgen.morizot.net/gen/
- http://www.linuxguruz.com/iptables/scripts/rc.firewall_017.txt
- http://www.shorewall.net/
The Series continues with The Perfect SOHO router - Part 5
Здрасти :)
Май е добре да добавим и VPN сърверче за достъп до DMZ-a.
Ще гледам да правя TC скриптовете в твой стил :)
Какво ще кажеш за идеята ми за XML конфиг файла?
http://www.linux-bg.org/cgi-bin/y/index.pl?page=news&key=393860161&cmtkey=393860161_1181588956&id=#comment_info
2007-06-15 at 4.03 pmЗа VPN сървър много си мислех дали да го сложа ама … не знам как ще стане раздаването на сертификатите. Че иначе VPN парола ми иде малко … някак си несигурно.
А колкото до конфиг със XML ако не се лъжа m0n0wall беше със XML конфиг. И то цялата система.
2007-06-15 at 6.21 pmМного добре изглеждащ firewall!
2007-06-16 at 12.58 amami neka az vi dam moq skript koito sam sglobil ot saitovete, samo 4e mislq 4e trqbvashe na FORWARD da e na accpet 4e neshto ne raboti! nqkoi ako moje da go opravi pri 3-te policii na drop neka pishe
2007-06-16 at 7.00 pmta eto go :))
eto i dr variant koito moje direktno da se paste v rc.local
2007-06-16 at 7.01 pmАз имам една питанка по скрипта. Имаме следните правила:
… и малко след това друго:
Дали има смисъл от това последното предвид горното и ако да … какъв точно? 2007-06-26 at 7.43 pm
@Schenker: смисъл има …
Вярно е че се получава известно дублиране, но съм имал проблеми при неговата липса. Знам че звучи странно но това ги оправи.
2007-06-27 at 10.59 amfrom tolstoi (recovered):
2007-09-11 at 9.54 amМалко по-чисто е да се сложи в post-up.d директорията
Като цяло всичко е въпрос на лично предпочитание. Смятам че посредством rc.local изглежда малко по чисто, но това си е лично мое мнение.
2007-09-11 at 9.54 amМалки корекции
Някъде около:
# Local networks
ip r a 127.0.0.0/8 dev lo
ip r a $INT_NET dev eth0
1-во ползвам променлива вместо eth0
2007-11-21 at 3.43 pm2-ро сожих INT_IF=eth2, защото локалния трафик ми е на eth2
Много добро ръководство ще се опитам да го възпроизведа на slackware. При мен положението е следното имам интернет който е адсл(9Mb/s) и влиза на eth0 lan(служебната мрежа) на eth1 и back-up доставчик който е на eth2 (4Mb/s)но интернета се получава по pptp във вкъщи имам само мрежа (без интернет) от backup доставчика и на работата съм си направил pptp server с който получавам интернет от адсл в къщи (понеже мрежата на back-up доставчика е с подмрежи няма друг вариант да
2008-03-28 at 4.00 pmползвам servera на работата като gw освен pptp)Понеже където живея не се продава по бърз интербет от този на адлс пък той вече не стига целта мие да впрегна в load balance и двата доставчика но пък да мога през pptpd да имам и нет във вкъщи.
Незнам колко е активна тая тема но все пак от тука взех скрипта тук ще питам за проблема …… Пуснах днеска скрипта за лоад балансинга обаче IRC-то дропи през няколко минути !
Някои има ли някакви идеи ?
От един стар firewallми попадна еитова (с коментар преди него “за да не дропи IRC при лоад балансинг)…
iptables -t mangle -I FORWARD -p tcp –dport 6667 -j ROUTE –oif $EXTIF1 –continue
като заместих $EXTIF1 с някой от интерфейсите към двата ADSL-а обаче ми даде грешка ” iptables v1.4.0: Unknown arg `–oif’ “.
Моля някои ако знае решение на проблема нека помогне !
2008-07-03 at 2.24 pmБлагодаря предварително.
Здравейте колеги и приятели.
2008-07-15 at 7.13 pmНезнам колко е активана темата надявам се да ми помогнете.
Разгледах внимателни скрипта за балансиране на два доставчика и се позанимавах един следобед с iproute2. Моята постановка е малко по различна от тази описана по горе, защото на мен ми е нужно решение,при което когато загубя връзка с gataway на първия доставчки всички заявки да се прехвърлят през втория(при възтановяване на връзката да се възтанови рутинга към доставчик 1), с което да гарантирам постоянна свързаност с интернет. Надявам се някои да се е сблъсквал с подобно решение. ще съм му много благодарен ако помогне.