The Perfect SOHO router - Part 6
This is the sixth part of a series of articles in which I will explain how to create the perfect SOHO router. I have to note that this is my idea of a perfect router, with all the good and bad points stemming from it.
The series comprises the following articles:
- Basic hints, ideas, needed services and some thoughts - here I will try to argue for my choice of software and services for the router
- Base install - I will describe the way our system will be installed and minimized
- Configuration of DNS and DHCP services - here I will describe, with arguments, what I think are the best configs for the task
- Configure the routing - here is the heart of our routing. I will suggest some tricks that make life easier, plus some pointers for more specific stuff
- Configuring a very basic monitoring system
- Extending our router - I will describe some small things that make our life a tad easier, smoother and less demanding
After our router is installed, working, filtering and has some rudimentary monitoring, we can start to extend its functionality. We can start to work on some small and fun stuff, some extensions and so on.
As this article tends to be quite large and will be written over a serious period of time, you'll have to click on the read more link. I will be more than glad if you share your tricks.
The first thing with which we will extend our router is a proxy server. Besides configuring the proxy server we will also make it transparent, for ease of configuration. It has to be noted that there are methods of configuring automatic proxy detection, but they are neither easy, intuitive nor foolproof.
Why do we need a proxy server
The proxy server is a system that caches requests. For example, client A requests a file file.html; our server then stores the reply in its cache for some time. If at a later moment client B requests the same file, it will be served from the cache and not from the internet. This way we achieve traffic conservation, speed and control. With a little more work we can extend this to antivirus, antispam, ads filtering, traffic control etc. The most popular proxy server is squid.
Simple configuration for squid
We will give a very simple configuration, where everything works, but there are almost no protections or advanced features. The configuration is without the default comments because … they inflate the size to almost 40K.
# which port do we listen on and is there some auth (no)
http_port 9999 no-connection-auth
# on which port to talk with other proxies (we won't talk at all)
icp_port 0
# if one of these strings is found in the URL do not cache
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
# workaround for an apache problem
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
# max size of an object in the memory cache
maximum_object_size_in_memory 48 KB
# how much ram we can spare for memory caching
cache_mem 24 MB
# directory for disk cache (read the configuration file, the docu is great)
cache_dir aufs /var/spool/squid 500 16 256
# logging ...
access_log /var/log/squid/access.log squid
# bit of anonymisation ... maximum in fact
client_netmask 0.0.0.0
# user for ftp sessions
ftp_user IEUser@
hosts_file /etc/hosts
# standard parameters for refresh time for protocols static in nature
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
# a few ACLs, almost all are stock
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Jabber_ports port 5222 5223 # Jabber (the acl needs the "port" type)
acl purge method PURGE
acl CONNECT method CONNECT
# that's us now
acl clientnetwork src 10.42.3.0/255.255.255.0
# let's start allowing/denying access
http_access allow manager localhost
# an acl named "home" was referenced here but never defined; squid refuses to
# start on an undefined acl, so the cache manager stays localhost-only
http_access deny manager
http_access allow CONNECT Jabber_ports
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# YESSSSS we are live
http_access allow clientnetwork
http_access allow localhost
# everything else ... is dropped on the floor
http_access deny all
http_reply_access allow all
icp_access allow all
cache_mgr root
cache_effective_group proxy
# let's do some hiding
httpd_suppress_version_string on
# keep quiet that we are proxying
via off
forwarded_for off
# cache manager password ("parola" here; pick your own)
cachemgr_passwd parola all
buffered_logs on
short_icon_urls on
coredump_dir /var/spool/squid
# let's try being smart and fetch a few pages at once
pipeline_prefetch on
This is a very simple configuration which differs slightly from the standard one. We changed the listening port, added a setting for a bigger in-memory cache, raised the on-disk cache a bit and hid the fact that there is a proxy. Now all that is left is to make our proxy transparent, because we want to skip client configuration. We will achieve that by redirecting the requests for specific ports. Let's assume we will be redirecting http and ftp traffic but not https traffic. As an added bonus we know that some of our clients are visiting sites which are not on port 80 but on 81, 88, 8800 or 8080. Also quite a few sites have 2 web servers, one on port 80 and a second on port 81 which serves only pictures.
The task can be done with the following line (following the conventions from http://www.getoto.net/2007/06/the-perfect-soho-router-part-4/). Note that the multiport match needs an explicit protocol, so -p tcp is required:
$IPT -t nat -A PREROUTING -i $INT_IF -p tcp -m multiport --dports 21,80,81,88,8800,8080 -j REDIRECT --to-port 9999
Accordingly, port 9999 must be open for at least the internal interface.
The topic of delay_pools is also quite interesting as it can be used to realise a simple shaper. And for everybody’s ease it is quite well documented in the configuration file.
Simple traffic shaping
At times the clients are pretty cheeky and do lots of downloads. If we don't have the knowledge, or just don't want to implement a shaper, we can mash up a solution with iptables. The solution is based on the idea that if the line is overloaded, the network stack tries to lower the throughput. Usually an overloaded line is detected by high packet loss. For it to look plausible the dropped packets should be random. This can be achieved with the iptables module RANDOM. This module is in the patch-o-matic-ng base. Our rule goes in the FORWARD chain of the filter table (the nat table has no FORWARD chain) and will look like this.
$IPT -A FORWARD -i $INT_IF -s <client_IP> -m RANDOM --average 5% -j DROP
This method is not pretty and at times it only loads the line more. Though if we use a big percentage (30% and up), usually the clients stop their downloads by themselves.
More advanced traffic stats
If the mrtg stats are not enough for you, you can use ipaudit-web. All in all it is a good piece of software with good statistics, but it tends to load the machine quite a bit.
For now this is the stuff that pops in my mind. Everybody is welcome to submit their tips and tricks. I will try my best to integrate them.
Time server
This is a usability advancement from which a special class of applications can benefit, more specifically those that depend on correct time. Besides them, everyone is free to use the service. The server is usually realised with ntpd and its configuration is quite simple and elegant:
# /etc/ntp.conf, configuration for ntpd
# where we should store our drift. Setting specific for the server on which it depends
driftfile /var/lib/ntp/ntp.drift
# where to store statistics
statsdir /var/log/ntp
# what stats and how exactly do we want them
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example
# pool.ntp.org maps to more than 300 low-stratum NTP servers.
# Your server will pick a different set every time it starts up.
# *** Please consider joining the pool! ***
# *** <http://www.pool.ntp.org/join.html> ***
# let's prime our box with some knowledge of the time
server 0.bg.pool.ntp.org iburst
server 1.bg.pool.ntp.org iburst
server 2.debian.pool.ntp.org iburst
server pool.ntp.org iburst
# By default, exchange time with everybody, but don't allow configuration.
# See /usr/share/doc/ntp-doc/html/accopt.html for details.
restrict default kod notrap nomodify nopeer noquery
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1 nomodify
# If you want to provide time to your local subnet, change the next line.
# we provide exact time to our network on broadcast for everybody to use
broadcast 10.42.3.255 minpoll 8
As you see, the configuration is pretty simple. The only thing worth noting is the decision to broadcast the time in our net. There is no guarantee it will be used, but it is there for everyone who wants to. We can inform our clients where they can find a time server with the following lines in the configuration of our dhcp server (dhcpd):
option time-servers 10.99.3.1;
option ntp-servers 10.99.3.1;
Also it has to be noted that for this service to be available its port has to be opened in our firewall, preferably only on the internal interface. The port in question is 123 (UDP).
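The redirect rule, the "open port 9999 on the internal interface" note, the random-drop throttle and the NTP port above are all pieces of the same firewall script. The fragment below is an added example, not the article's own script: it collects those rules as functions, assumes the $IPT and $INT_IF variables from part 4 (eth1 is an assumed default), restricts the rules to the 10.42.3.0/24 clientnetwork from the squid config, and uses the in-tree iptables statistic match in place of the patch-o-matic RANDOM match for the throttle rule. Set DRY_RUN=1 to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example for the transparent proxy, throttling and NTP rules of this
# article. Not the original script; $IPT/$INT_IF are assumed as in part 4.
IPT="${IPT:-/sbin/iptables}"
INT_IF="${INT_IF:-eth1}"             # LAN-facing interface (assumed name)
SQUID_PORT=9999                      # http_port from the squid config
PROXY_PORTS="21,80,81,88,8800,8080"  # ports redirected to squid
LAN="10.42.3.0/24"                   # clientnetwork acl from the squid config

# Run iptables, or just print the command when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

# Transparent proxy: send LAN web traffic on the listed ports to squid.
# multiport needs an explicit protocol, hence -p tcp.
proxy_rules() {
    run -t nat -A PREROUTING -i "$INT_IF" -s "$LAN" -p tcp \
        -m multiport --dports "$PROXY_PORTS" -j REDIRECT --to-port "$SQUID_PORT"
    # squid must accept on 9999, but only from the internal side
    run -A INPUT -i "$INT_IF" -s "$LAN" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    run -A INPUT -p tcp --dport "$SQUID_PORT" -j DROP
}

# NTP: serve time on UDP 123 to the LAN only; nothing from outside.
ntp_rules() {
    run -A INPUT -i "$INT_IF" -s "$LAN" -p udp --dport 123 -j ACCEPT
    run -A INPUT -p udp --dport 123 -j DROP
}

# Throttle one client with random loss. Uses the mainline statistic match
# (probability 0..1) instead of RANDOM --average, and lives in the filter
# table's FORWARD chain, since the nat table has no FORWARD chain.
throttle_client() {
    client="$1"; pct="$2"            # e.g. throttle_client 10.42.3.77 5
    prob=$(LC_ALL=C awk "BEGIN { printf \"%.2f\", $pct / 100 }")
    run -A FORWARD -i "$INT_IF" -s "$client" -m statistic --mode random \
        --probability "$prob" -j DROP
}
```

Source the file and call proxy_rules, ntp_rules or throttle_client from the firewall script of part 4; with DRY_RUN=1 each prints what it would run.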
Hello,
2007-06-21 at 4.16 pm
I know this is a dumb idea, but I don't see the router built this way splitting the traffic into internet and peering.
Anyway, thanks for the series, it is very good and useful!
You're right, the traffic isn't split. Actually, if this split is not going to be used there's no need to do it; besides, Bulgaria seems to be the only country where such a thing exists.
2007-06-21 at 5.17 pm
And apart from those reasons of mine … well, I'm simply not very good with shapers and the like.
ISP-serv
2007-11-23 at 2.59 pm
Yep, I discovered it today too. It looks quite impressive. It'll be a bit of a pain until I digest the Russian, but we'll manage.
2007-11-23 at 5.33 pm
I've already deployed it twice: at home on a little DELL OptiPlex GX110 with the specified versions of the kernel and programs (it works more than satisfactorily); in the office on a Core 2 Duo with 2.6.21 and newer versions of the other programs, but there I haven't yet configured it to split the traffic.
2007-11-24 at 11.09 am