Linux Router and Firewall

Transcription

Linux Router and Firewall
11/18/2014
Linux Router and Firewall - SSN
Linux Router and Firewall
From SSN
This tutorial shows you how to setup a server for the
sole purpose of being the DHCP server and firewall
for our LAN. The purpose of having a Linux-based
server/firewall is for the flexibility and in some cases,
an improvement of bandwidth and speed outside to
the internet, though the main purpose is truly is for
flexibility.
Any Linux distribution can be used for this purpose,
but this tutorial will mainly focus on CentOS 7.x and
other derivatives (RHEL/SL/etc). This tutorial will
also focus on some security aspects when putting your
new Linux router into a 'production' state to ensure
100% uptime in and out.
If you are looking for RHEL/CentOS 6, go here.
Linux EL 7 Router and Firewall
SecureCRT providing SSH Access to CentOS
Server
OS family
Linux: CentOS/RHEL 7
Working state
Public
Supported platforms
x86, x64
Contents
1 Overview
1.1 Advantages to having a Linux Router
1.2 Disadvantages to having a Linux Router
1.3 Required Software and Hardware
2 Tutorial
2.1 Setting up DHCP
2.2 The firewall
2.2.1 FirewallD
2.3 SSH User Access and Restrictions
3 Extras
3.1 Renaming your Devices
3.2 Target static IP for specific host
3.3 Forwarding Ports
3.3.1 FirewallD
3.4 Denying Unknown Mac Addresses
3.5 IPv6 Tunnel
3.6 Dynamic DNS
Overview
This tutorial provides you the steps to get started in getting a Linux router setup for your LAN. It's not
only a secure option and can be grounds for modification, it's also a learning and educational experience.
In the end, it is an easy process and can be accomplished on a wide array of distributions, hardware, and
http://www.bromosapien.net:8080/media/index.php/Linux_Router_and_Firewall
1/14
11/18/2014
Linux Router and Firewall - SSN
networking situations.
We only cover the basics of getting up and running. Modifications like QoS, IPv6 tunnels, DNS,
advanced firewall rules are beyond the scope of this article, but will be included as value-added at the
bottom.
Note: This guide is meant as a learning exercise to get an idea of how most configurations and other
dedicated setups typically work, from a manual stand point.
Advantages to having a Linux Router
Flexibility. You will have an available system for an in-house lab, SSH Tunneling, PXE/Cobbler, or
even means of holding a web server if you're so inclined. The only limitations are you and what you
want.
Disadvantages to having a Linux Router
You have to use a PC for it. It would make more sense to buy an on-the-self router and flash the
firmware to something that is third-party and has similar Linux aspects.
Required Software and Hardware
The software requirements:
-A Linux OS
CentOS 7 (http://www.centos.org) is what we'll use here
The hardware requirements:
You'll need a PC that can handle a minimal install of a Linux OS. The hard drive does NOT have to
be large. You'll also need two network cards. One of them CAN be built in, but you'll need an add-on
PCI ethernet card. Also, your stock-router needs its DHCP settings turned off and a static address set
in accordance to your subnet.
Tutorial
Now we will begin the process of setting up the Linux Router.
*** Warning: Potential Pitfalls! ***
-The incorrect configuration in your firewall or SSH configuration can create security holes
-Not changing your SSH port to something non-standard is a security hole. Change it or turn it off completely.
-If your system uses SELinux, leave it on. It's there for a reason. Turn it off for troubleshooting only.
-Do NOT come to me for support if you have disabled selinux
-You need to turn your store-bought router into a switch by turning off DHCP and setting a static IP to access it when
necessary.
-Do NOT plug the Linux Router into the internet slot. Plug it into the 1-4 slots, instead.
http://www.bromosapien.net:8080/media/index.php/Linux_Router_and_Firewall
2/14
11/18/2014
Linux Router and Firewall - SSN
Setting up DHCP
To start everything off, you'll need to setup a DHCP server. Not only this, you may want to disable
Network Manager. If you wish to keep it on, then do so. However, I turn it off in this tutorial for
generally good reasons.
% yum install dhcp dhcp-common -y
% systemctl stop NetworkManager
% systemctl disable NetworkManager
% systemctl restart network
% systemctl status NetworkManager
NetworkManager.service - Network Manager
Loaded: loaded (/usr/lib/systemd/system/NetworkManager.service; disabled)
Active: inactive (dead)
% systemctl status network
network.service - LSB: Bring up/down networking
Loaded: loaded (/etc/rc.d/init.d/network)
Active: active (running) since Thu 2014-07-03 13:39:51 MST; 23h ago
CGroup: /system.slice/network.service
ââ1119 /sbin/dhclient -H zera1 -1 -q -lf /var/lib/dhclient/dhclient-ca756c19-c76b-46fa-813e-ae26a3994860-ens1
Now, we'll need to make some slight changes to our interface files. We'll start with "enp5v0", it may be
a different name for you (like ens or p3p1 etc). So change them to fit your box.
DEVICE="enp5v0"
BOOTPROTO="static"
TYPE="Bridge"
NM_CONTROLLED="no"
ONBOOT="yes"
IPADDR="10.100.1.1"
NETMASK="255.255.255.0"
## This will be set to static
## Set the gateway IP you plan on using
After making that change, restart the network service and double check.
% systemctl restart network
% ip addr show enp5v0
10: enp5v0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether ------------ brd ff:ff:ff:ff:ff:ff
inet 10.100.1.1/24 brd 10.100.1.255 scope global enp5v0
valid_lft forever preferred_lft forever
inet6 fe80::214:d1ff:fe23:2b2c/64 scope link
valid_lft forever preferred_lft forever
Now, let's modify our /etc/dhcp/dhcpd.conf file. It'll be a generally empty file. These are the settings I
used. Make sure to read the comments.
#
# DHCP Server Configuration file.
#
see /usr/share/doc/dhcp*/dhcpd.conf.example
#
see dhcpd.conf(5) man page
#
ddns-update-style interim;
## This matters more if you plan on having dynamic DNS.
http://www.bromosapien.net:8080/media/index.php/Linux_Router_and_Firewall
3/14
11/18/2014
Linux Router and Firewall - SSN
allow booting;
allow bootp;
authoritative;
# deny unknown-clients;
## Helps with PXE
## Same thing, some POS controllers need this
## Authoritative DHCP server
ignore client-updates;
## Ignores requests for DNS server updates
set vendorclass = option vendor-class-identifier; ## Without this, most DHCP servers will not work -- in my case, it wou
subnet 10.100.1.0 netmask 255.255.255.0
interface
option routers
option domain-name-servers
#
option domain-name-servers
option domain-name
option subnet-mask
range
filename
default-lease-time
max-lease-time
next-server
}
{
## Your network and mask goes here
enp5v0;
## Interface in which the clients will be served
10.100.1.1;
## Set this line to your router's IP, more than likely
10.100.1.1;
## My DNS server is my own router. Change this to your
10.100.1.1,68.105.28.11,68.105.29.11,8.8.8.8,8.8.4.4; ## Example of multiple DN
"bromosapien.net";
## If you have a domain name for your network, set it h
255.255.255.0;
## Required.
10.100.1.100 10.100.1.199; ## Range of IP's that systems can use.
"/pxelinux.0";
## PXE related
21600;
43200;
10.100.1.1;
After doing that, enable dhcpd and start it up.
% systemctl enable dhcpd
% systemctl start dhcpd
% systemctl status dhcpd
dhcpd.service - DHCPv4 Server Daemon
Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; enabled)
Active: active (running) since Mon 2014-07-07 18:37:02 MST; 4s ago
Docs: man:dhcpd(8)
man:dhcpd.conf(5)
Main PID: 28434 (dhcpd)
CGroup: /system.slice/dhcpd.service
└─28434 /usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid
Jul
Jul
Jul
Jul
Jul
Jul
Jul
Jul
Jul
Jul
Jul
Jul
Jul
Jul
Jul
Jul
Jul
07
07
07
07
07
07
07
07
07
07
07
07
07
07
07
07
07
18:37:02
18:37:02
18:37:02
18:37:02
18:37:02
18:37:02
18:37:03
18:37:03
18:37:03
18:37:03
18:37:03
18:37:03
18:37:04
18:37:05
18:37:05
18:37:05
18:37:05
solaire.bromosapien.net
solaire.bromosapien.net
solaire.bromosapien.net
solaire.bromosapien.net
solaire.bromosapien.net
solaire.bromosapien.net
solaire.bromosapien.net
solaire.bromosapien.net
solaire.bromosapien.net
solaire.bromosapien.net
solaire.bromosapien.net
solaire.bromosapien.net
solaire.bromosapien.net
solaire.bromosapien.net
solaire.bromosapien.net
solaire.bromosapien.net
solaire.bromosapien.net
systemd[1]: Started DHCPv4 Server Daemon.
dhcpd[28434]: Internet Systems Consortium DHCP Server 4.2.5
dhcpd[28434]: Copyright 2004-2013 Internet Systems Consortium.
dhcpd[28434]: All rights reserved.
dhcpd[28434]: For info, please visit https://www.isc.org/software/dhcp/
dhcpd[28434]: Not searching LDAP since ldap-server, ldap-port and ld...file
dhcpd[28434]: Wrote 0 deleted host decls to leases file.
dhcpd[28434]: Wrote 0 new dynamic host decls to leases file.
dhcpd[28434]: Wrote 2 leases to leases file.
dhcpd[28434]: Listening on LPF/enp5v0//10.100.1.0/24
dhcpd[28434]: Sending on
LPF/enp5v0//10.100.1.0/24
dhcpd[28434]: Sending on
Socket/fallback/fallback-net
dhcpd[28434]: DHCPDISCOVER from (android-305df79d0...p5v0
dhcpd[28434]: DHCPOFFER on 10.100.1.106 to (androi...p5v0
dhcpd[28434]: DHCPREQUEST for 10.100.1.106 (10.100.1.1) from ac:22:0...p5v0
dhcpd[28434]: DHCPACK on 10.100.1.106 to (android-...p5v0
dhcpd[28434]: Unable to add forward map from android-305df79d03199b3...ound
And then lastly, we need to enable forwarding. RHEL 7 does it a bit differently, but you can still modify
/etc/sysctl.conf. It does give you a nifty note.
% vi /etc/sysctl.conf
# System default settings live in /usr/lib/sysctl.d/00-system.conf.
# To override those settings, enter new settings here, or in an /etc/sysctl.d/<name>.conf file
http://www.bromosapien.net:8080/media/index.php/Linux_Router_and_Firewall
4/14
11/18/2014
Linux Router and Firewall - SSN
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.ip_forward = 1
% sysctl -p
The firewall
The iptables firewall generally is pretty easy to deal with. However, since firewalld is default, you may
want to fall back to the old way.
%
%
%
%
yum install iptables-services iptables-utils
systemctl stop firewalld.service
systemctl disable firewalld.service
systemctl enable iptables.service
Read the comments to understand what I did below. This is a generic /etc/sysconfig/iptables file that
should work.
# Start of NAT
# Add this section
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o enp3s0 -j MASQUERADE
## This is absolutely important.
COMMIT
## Always end a table like this
# Start of filter
# Here are your regular "rules"
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i enp3s0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -j DROP
## Anything going from the gateway has to have come from us to come back in.
-A FORWARD -i enp3s0 -o enp5v0 -m state --state RELATED,ESTABLISHED -j ACCEPT
## This makes sure that anyone on the inside can head on out.
-A FORWARD -i enp5v0 -o enp3s0 -j ACCEPT
-A FORWARD -j DROP
COMMIT
Restart your firewall and you're ready. Make sure to test your clients.
% systemctl restart iptables
FirewallD
Red Hat recently introduced firewalld into their core product, basing itself on what was shipped in
Fedora. This is not a problem, but it may be a problem for others who want complete control of their
setup, like the above, and the other examples later. However, if you want to turn on NAT with firewalld,
http://www.bromosapien.net:8080/media/index.php/Linux_Router_and_Firewall
5/14
11/18/2014
Linux Router and Firewall - SSN
these are the steps I do.
%
%
%
%
firewall-cmd
firewall-cmd
firewall-cmd
firewall-cmd
--change-interface=enp3s0 --zone=external --permanent
--change-interface=enp5v0 --zone=internal --permanent
--set-default-zone=internal
--complete-reload
By default, the external zone is the masqueraded zone.
Note: If you disable network manager like I do, you will need to specify a ZONE directive in the
interface file for your interfaces. Typically, if your default zone is internal, your modem interface will
always show up in internal. No matter what you do. That's why you have to use the directive.
...
NAME="enp3s0"
DEVICE="enp3s0"
ONBOOT="yes"
ZONE="external" <---- This
SSH User Access and Restrictions
So you want SSH access to your system from the inside and outside. Alright, cool. We just need to make
a couple of modifications to the sshd_config file. First and foremost, we need to change the port number
from 22. There are reasons why it should NOT be port 22. That is the most checked and attacked port of
all time. Sure, if root doesn't have a password and another account is not allowed SSH access by
password and only be SSH key, they won't get in. But, the last thing you want is your logs being filled
up with failures to login and your bandwidth/speed being reduced (though slightly) from those attacks.
Let's modify the file first.
% vi /etc/ssh/sshd_config
## Find the lines commented, and add the changes afterward.
# Port 22
Port 30717
# PermitRootLogin yes
PermitRootLogin no
% semanage port -a -t ssh_port_t -p tcp 30717
% systemctl restart sshd.service
Note: If you don't have semanage available, install policycoreutils-python.
Let's add a user and add them to the wheel group. Be sure to set your user a password.
% useradd pinky
% usermod -aG wheel pinky
http://www.bromosapien.net:8080/media/index.php/Linux_Router_and_Firewall
6/14
11/18/2014
Linux Router and Firewall - SSN
Now, open up /etc/pam.d/su and take one of the comments off. We'll take the one off that says the user is
required to be in the wheel group. That user will still need to know root's password. If you want to allow
a user to get root without root's password, you may do so. However, I don't recommend doing that.
#%PAM-1.0
auth
sufficient
pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth
sufficient
pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth
required
pam_wheel.so use_uid
auth
substack
system-auth
auth
include
postlogin
account
sufficient
pam_succeed_if.so uid = 0 use_uid quiet
account
include
system-auth
password
include
system-auth
session
include
system-auth
session
include
postlogin
session
optional
pam_xauth.so
You may now want to test the effects. An example of the 'implicit' rule.
[pinky@solaire ~]$ su Last login: Mon Jul 7 18:26:49 MST 2014 on pts/0
[root@solaire ~]#
Now, we'll need to make a change to the iptables firewall for our new port.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o enp3s0 -j MASQUERADE
## This is absolutely important.
COMMIT
## Always end a table like this
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i enp3s0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -i lo -j ACCEPT
## ADD THIS BELOW
-A INPUT -p tcp -m state --state NEW -m tcp --dport 30717 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -j DROP
-A FORWARD -i enp3s0 -o enp5v0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp5v0 -o enp3s0 -j ACCEPT
-A FORWARD -j DROP
COMMIT
% systemctl restart iptables
FirewallD Users: If you use firewalld, you'll do something like so.
%
%
%
%
$
firewall-cmd
firewall-cmd
firewall-cmd
firewall-cmd
firewall-cmd
--zone=internal --add-port=30717/tcp
--zone=internal --remove-service=ssh
--zone=external --add-port=30717/tcp
--zone=external --remove-service=ssh
--complete-reload
--permanent
--permanent
--permanent
--permanent
http://www.bromosapien.net:8080/media/index.php/Linux_Router_and_Firewall
7/14
11/18/2014
Linux Router and Firewall - SSN
After that, you should be good! Try plugging a switch or a store bought router (configured correctly with
DHCP disabled and a static address) into the LAN port, make sure all the services have been (re)started,
and see if your clients get IP's. Do they? Now see if you can SSH into your box through your new port
with your users.
If you succeed, you're ready to go. Now just make sure you can get to the internet :)
Extras
Here we'll expand the functionality of our server. We'll have some value added things below in this
section.
Renaming your Devices
This isn't truly important, but if you want your devices to have some names that you actually understand
or know what they are, you may want to try and change them. This can technically be prevented by
using biosdevname=0 and net.ifnames=0 on the grub kernel line, either before your install your system
or on an already installed system.
But, for the sake of the example, I'll change an interface name that was generated by udev. I'll change
my outbound interface to ob0, which is attached to the modem. You can name them however you want,
and you'll need to do this for each device you rename in the long run.
% vi /etc/udev/rules.d/99-rename-net.rules
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="$(cat /sys/class/net/ens192/address)", ATTR{dev_id}=="0x
% cd /etc/sysconfig/network-scripts
% mv ifcfg-ens192 ifcfg-ob0
% vi ifcfg-ob0
# Generated by dracut initrd
DEVICE="ob0"
<-- Change this appropriately
ONBOOT=yes
NETBOOT=yes
BOOTPROTO=dhcp
HWADDR="00:0c:29:c4:ba:2b"
TYPE=Ethernet
NAME="ob0"
<-- Change this appropriately
% init 6
% ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ob0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:c4:ba:2b brd ff:ff:ff:ff:ff:ff
inet 10.100.0.213/23 brd 10.100.1.255 scope global dynamic ob0
valid_lft 21544sec preferred_lft 21544sec
inet6 fe80::20c:29ff:fec4:ba2b/64 scope link
valid_lft forever preferred_lft forever
Target static IP for specific host
http://www.bromosapien.net:8080/media/index.php/Linux_Router_and_Firewall
8/14
11/18/2014
Linux Router and Firewall - SSN
You can do this easily by modifying /etc/dhcp/dhcpd.conf. You can add a line like...
host Healer {
hardware ethernet 00:00:00:00:00:00;
fixed-address 10.100.0.110;
}
Providing the computer name after host, and then that system's mac address, you can provide the 'fixedaddress' that it will get each time it connects to the network.
# service dhcpd restart
You can get the mac addresses of those PC's using either ip a sh (if they're linux) or ipconfig /all if
they're windows. Or, in the windows gui, you can look at the 'status' of an adapter, and click 'details' to
get it too.
Forwarding Ports
Forwarding ports can get complicated. But don't fret, it's not as bad as it seems. Let's say we want to
forward 6112 TCP and UDP to a host, so they can hold StarCraft/WarCraft III games. Modify
/etc/sysconfig/iptables as followed; You'll need a prerouting line and a forward line at the bottom.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Add the prerouting lines below... p is for protocol and m is for match
# i is for interface, -j is for action/target
-A PREROUTING -i enp3s0 -p udp -m udp --dport 6112 -j DNAT --to-destination 10.100.1.101:6112
-A PREROUTING -i enp3s0 -p tcp -m tcp --dport 6112 -j DNAT --to-destination 10.100.1.101:6112
-A POSTROUTING -o enp3s0 -j MASQUERADE
COMMIT
# Start of filter
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i enp3s0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 30717 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -j DROP
-A FORWARD -i enp3s0 -o enp5v0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp5v0 -o enp3s0 -j ACCEPT
# Add the forward lines
-A FORWARD -d 10.100.1.101 -i enp3s0 -p udp -m udp --dport 6112 -j ACCEPT
-A FORWARD -d 10.100.1.101 -i enp3s0 -p tcp -m tcp --dport 6112 -j ACCEPT
COMMIT
Save it, and restart the firewall via systemctl.
FirewallD
To perform this in firewalld, you can do something like this.
http://www.bromosapien.net:8080/media/index.php/Linux_Router_and_Firewall
9/14
11/18/2014
Linux Router and Firewall - SSN
firewall-cmd --zone=external --add-forward-port=port=6112:proto=udp:toport=6112:toaddr=10.100.1.101 --permanent
firewall-cmd --zone=external --add-forward-port=port=6112:proto=tcp:toport=6112:toaddr=10.100.1.101 --permanent
firewall-cmd --complete-reload
Denying Unknown Mac Addresses
Let's say you don't want to use your wireless network's filters, or you decided you wanted to mess with
people who like to hope onto an unprotected wireless network... Whatever the case is, you want to
restrict clients based on mac address. You can add the following to your /etc/dhcp/dhcpd.conf.
deny unknown-clients;
After doing that, you can do like in the above section for static IP leases, make a section at the bottom
and designate the host.
host Healer {
hardware ethernet 00:00:00:00:00:00;
fixed-address 10.100.1.110;
}
IPv6 Tunnel
For those who have tunnels, this might be helpful. I have a tunnel from he.net. Sixxs usually has
instructions for what they want to make their tunnels work, typically. This is what I do for my tunnel to
get it up and running, and to ensure clients on the inside of the network can get out.
First, we need to setup an interface. I typically like consistency. Since the modem interface is enp2s0 on
one of my routers, I will use enp2v0 for the tunnel interface. Technically, you can use sit0.
DEVICE="enp2v0"
TYPE="sit"
BOOTPROTO="none"
ONBOOT="yes"
IPV6INIT="yes"
IPV6TUNNELIPV4="66.220.18.42"
IPV6ADDR="2001:470:c:286::2/64"
IPV6FORWARDING="yes"
# Your tunnel provider usually provides this IP
# This is your end point that does not go with your 'subnet'
For the internal LAN interface, which is eno1, I added in the IPv6 information for the subnet I was
given.
TYPE=Ethernet
BOOTPROTO=static
NAME=eno1
DEVICE=eno1
ONBOOT=yes
http://www.bromosapien.net:8080/media/index.php/Linux_Router_and_Firewall
10/14
11/18/2014
Linux Router and Firewall - SSN
IPADDR="10.100.0.1"
NETMASK="255.255.254.0"
## IPv6 information
IPV6ADDR="2001:470:d:286::1/64"
IPV6INIT="yes"
IPV6FORWARDING="yes"
For the firewall, I did this in the /etc/sysconfig/ip6tables file. Since there is no NAT, we just use basic
INPUT and FORWARD rules in between the sit interface and the internal LAN interface.
*filter
:INPUT ACCEPT [56:6791]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [53:8508]
-A INPUT -p icmpv6 -j ACCEPT
-A INPUT -i enp2v0 -p tcp -m tcp --dport 1 -j DROP
-A INPUT -i enp2v0 -p tcp -m tcp --dport 0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i eno1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s ::/0 -d ::/0 -p tcp -m state --state NEW -m tcp --dport 45521 -j ACCEPT
-A INPUT -i enp2v0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state NEW -j DROP
-A FORWARD -i enp2v0 -o eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eno1 -o enp2v0 -j ACCEPT
-A FORWARD -i enp2v0 -o eno1 -p icmpv6 -j ACCEPT
-A FORWARD -i enp2v0 -o eno1 -j DROP
COMMIT
% systemctl enable ip6tables
% systemctl start ip6tables
In /etc/sysconfig/network, you'll need these lines.
NETWORKING_IPV6=yes
IPV6FORWARDING=yes
IPV6_DEFAULTDEV="enp2v0"
In /etc/sysctl.conf, I put this.
net.ipv6.conf.all.forwarding = 1
% sysctl -p
In your regular firewall, you'll need some rules for your "heartbeat". Some providers require a heartbeat
of some sort.
-A IN_TRU -s 66.220.2.74/32 -i ob0 -p icmp -m comment --comment "IPv6 Heartbeat" -m icmp --icmp-type 8 -j ACCEPT
-A IN_TRU -s 66.220.18.42 -i ob0 -m comment --comment "IPv6 Heartbeat" -j ACCEPT
http://www.bromosapien.net:8080/media/index.php/Linux_Router_and_Firewall
11/14
11/18/2014
Linux Router and Firewall - SSN
Dynamic DNS
Dynamic DNS is not all that important, but it's sometimes a fun feature to use for a network. It basically
allows clients to have their own name in DNS for easy communication with one another by name, etc.
New clients will get IP's and the bind DNS server will be updated with their names, as long as the
machine provide host names. Note: The subnet I use here is in a testing subnet and does not reflect what
was used in the actual tutorial above.
First, install the bind DNS package and then generate an rndc key.
% yum install bind
% rndc-confgen -a # This will take a few minutes depending on the amount of entropy available
If you don't have DNS already setup, you'll need to change a few options. Most of these are set to
loopback addresses. You can change them to 'any' or to the internal LAN interface IP in your network.
For me, I set them to 'any' because the outside world can query me for information.
options {
...
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1 };
allow-query { any; };
...
};
You will also need to add a forwarders block within options, especially if you plan on pointing your
clients to your DNS server.
options {
...
forwarders {
10.100.0.1;
8.8.8.8;
};
};
And then, at the bottom, you need to set an include line for your key, which includes the key block, as
well as starting your zone blocks. You will also need to change the permissions of the key.
include "/etc/rndc.key"
zone "angelsofclockwork.net" {
type master;
file "dynamic/angelsofclockwork.net";
allow-update { key rndc-key; };
};
zone "2.100.10.in-addr.arpa" {
type master;
file "dynamic/2.100.10.in-addr.arpa";
allow-update { key rndc-key; };
};
http://www.bromosapien.net:8080/media/index.php/Linux_Router_and_Firewall
12/14
11/18/2014
Linux Router and Firewall - SSN
# Save the file
% chown root:named /etc/rndc.key
% chmod 640 /etc/rndc.key
Now, let's make our zone files, giving them a blank slate. We need both the forward and reverse zones.
So first, our forward zone.
$ORIGIN .
$TTL 10800
; 3 hours
angelsofclockwork.net
IN SOA
NS
$ORIGIN angelsofclockwork.net.
zera1
A
angelsofclockwork.net. zera1.angelsofclockwork.net. (
2
; serial
86400
; refresh (1 day)
3600
; retry (1 hour)
604800
; expire (1 week)
10800
; minimum (3 hours)
)
zera1.angelsofclockwork.net.
10.100.2.1
And now, our reverse zone.
$ORIGIN .
$TTL 10800
; 3 hours
2.100.10.in-addr.arpa
IN SOA
NS
$ORIGIN 2.100.10.in-addr.arpa.
1
PTR
2.100.10.in-addr.arpa. zera1.angelsofclockwork.net. (
2
; serial
86400
; refresh (1 day)
3600
; retry (1 hour)
604800
; expire (1 week)
10800
; minimum (3 hours)
)
zera1.angelsofclockwork.net.
zera1.angelsofclockwork.net.
Once those are filled out, change the ownership of the files to named:named using chown. Otherwise,
you will get SERVFAIL errors and DNS will not get updated.
Now, you'll need to modify /etc/dhcp/dhcpd.conf. Comments will follow.
# Add this to turn on DDNS
ddns-updates on;
# Add your key block below. You can get it by doing cat /etc/rndc.key and copying/pasting here.
key rndc-key {
algorithm hmac-md5;
secret fkILNxLzrC/w84mr9gSFbQ==;
};
subnet 10.100.2.0 netmask 255.255.255.0 {
...
# If you haven't already, set your domain server to your router IP.
option domain-name-servers
10.100.2.1;
# If you want your local addresses to have a domain name, you NEED to set this.
# If you followed the above tutorial, I specified a domain name already.
option domain-name
"angelsofclockwork.net";
...
http://www.bromosapien.net:8080/media/index.php/Linux_Router_and_Firewall
13/14
11/18/2014
Linux Router and Firewall - SSN
}
# Now set your zone blocks for both the forward and reverse.
zone angelsofclockwork.net. {
primary localhost;
key rndc-key;
}
zone 2.100.10.in-addr.arpa. {
primary localhost;
key rndc-key;
}
Save the file and restart the services. They should go cleanly.
% systemctl restart named dhcpd
Named will usually be the only one that fails in this case. Check the logs to see what went wrong. Now,
refresh your clients and see if their information is filled out correctly.
% host zera2.angelsofclockwork.net
zera2.angelsofclockwork.net has address 10.100.2.100
Retrieved from "http://www.bromosapien.net:8080/media/index.php?
title=Linux_Router_and_Firewall&oldid=1831"
Category: Operating Systems
This page was last modified on 3 November 2014, at 07:25.
http://www.bromosapien.net:8080/media/index.php/Linux_Router_and_Firewall
14/14