Firewall Setup Tips: Difference between revisions

Latest revision as of 22:42, 24 April 2013

The following provides some tips and examples of managing the firewall rules at a running NST probe.

In a Nutshell

  • Use quicktables or fwbuilder to initialize your iptables configuration.
  • Use iptables-save to save the current configuration as: "/etc/sysconfig/iptables".
  • Enable the iptables service.

iptables

The iptables command can be used to manage firewall rules on an NST probe.

Displaying the Active iptables Configuration

The following demonstrates how one can display the current iptables configuration. In the output below, we will see that no firewall rules are in effect (all three chains are at their default policy of ACCEPT):

Displaying The Current iptables Configuration
[root@tmobile ~]# iptables --list -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@tmobile ~]#

Testing The Firewall Configuration

After adjusting an iptables configuration, one should always verify that the expected behavior is achieved.

  • Does the system respond to ping requests as expected?
  • Does the system block connection attempts (nmap is handy for this test)?
  • Does the system accept connections (if any were configured)?
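As an added example (not from the page), here is a local check that complements the remote ping and nmap tests: it reads a ruleset in iptables-save format (the same format saved to /etc/sysconfig/iptables) and reports the INPUT and FORWARD default policies plus every tcp/udp port the INPUT chain accepts, so you know what the remote tests should show before running them. The function name and the sample dumps are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the NST wiki page). Reads a ruleset in iptables-save
# format (file arguments, or "-" for stdin) and reports what the remote
# ping/nmap tests would be expected to show:
#   - the default policy of the filter table's INPUT and FORWARD chains
#   - every tcp/udp port the INPUT chain ACCEPTs (the ports you chose to open)
# Exit status is 0 only when both policies are DROP, so it can gate a deployment.
audit_ruleset() {
  awk '
    /^\*/ { table = substr($0, 2); next }                 # "*filter", "*nat", ...
    table == "filter" && /^:(INPUT|FORWARD) / {
      policy[substr($1, 2)] = $2                          # ":INPUT DROP [0:0]" -> policy["INPUT"] = "DROP"
    }
    table == "filter" && /^-A INPUT / && / -j ACCEPT/ {
      proto = "any"; port = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-p") proto = $(i + 1)
        if ($i == "--dport") port = $(i + 1)
      }
      if (port != "") open[proto "/" port] = 1            # only rules that name a port
    }
    END {
      for (c in policy) printf "%s policy: %s\n", c, policy[c]
      for (p in open) printf "INPUT accepts: %s\n", p
      exit ((policy["INPUT"] == "DROP" && policy["FORWARD"] == "DROP") ? 0 : 1)
    }' "$@"
}

# Usage: iptables-save | ./audit.sh -      or      ./audit.sh /etc/sysconfig/iptables
if [ $# -gt 0 ]; then audit_ruleset "$@"; fi
```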

Testing With Another NST System

The following demonstrates the use of the ping and nmap commands BEFORE any firewall rules have been applied. The commands will be run on the host system named taco and will test the remote NST system with the IP address of: 192.168.0.139:

Testing Before Applying Firewall Rules
[root@taco ~]# ping -c 3 192.168.0.139
PING 192.168.0.139 (192.168.0.139) 56(84) bytes of data.
64 bytes from 192.168.0.139: icmp_seq=1 ttl=64 time=2.64 ms
64 bytes from 192.168.0.139: icmp_seq=2 ttl=64 time=0.732 ms
64 bytes from 192.168.0.139: icmp_seq=3 ttl=64 time=2.50 ms

--- 192.168.0.139 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.732/1.961/2.648/0.872 ms
[root@taco ~]# nmap -f -p 0:65535 192.168.0.139

Starting Nmap 4.20 ( http://insecure.org ) at 2007-03-04 08:19 EST
Interesting ports on 192.168.0.139:
Not shown: 65533 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
443/tcp  open  https
6000/tcp open  X11
MAC Address: 00:0C:29:3E:6F:7D (VMware)

Nmap finished: 1 IP address (1 host up) scanned in 17.034 seconds
[root@taco ~]#

Here's what we see AFTER applying the: "No Incoming Connections" firewall rules (NOTE: This takes a much longer time to complete):

Testing After Applying Firewall Rules
[root@taco ~]# ping -c 3 192.168.0.31
PING 192.168.0.139 (192.168.0.139) 56(84) bytes of data.

--- 192.168.0.139 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms

[root@taco ~]# nmap -f -p 0:65535 192.168.0.31

Starting Nmap 4.20 ( http://insecure.org ) at 2007-03-04 08:24 EST
All 65536 scanned ports on 192.168.0.139 are filtered
MAC Address: 00:0C:29:3E:6F:7D (VMware)

Nmap finished: 1 IP address (1 host up) scanned in 1339.022 seconds
[root@taco ~]#

From the Internet

The free "Shields Up!" service at http://grc.com allows one to perform some firewall testing. When a machine is directly connected to the Internet, it allows one to see how the firewall rules will respond when probed from another machine on the Internet.


Managing iptables As A Service

After one has performed a hard disk installation, it is often desirable to configure the system such that the appropriate firewall rules are loaded at the time the system boots.

The following demonstrates how one can save the current iptables configuration to the file: "/etc/sysconfig/iptables", and enable the iptables service:

Saving iptables Configuration
[root@tmobile ~]# iptables-save >| /etc/sysconfig/iptables
[root@tmobile ~]# chkconfig iptables on
[root@tmobile ~]# service iptables start
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]
Loading additional iptables modules: ip_conntrack_netbios_n[  OK  ]
[root@tmobile ~]#

NOTE: Additional configuration values related to the iptables service can be found in the file: "/etc/sysconfig/iptables-config".

Using quicktables-2.3

Creating configuration files for iptables by hand is a difficult task. The NST distribution comes with the quicktables-2.3 program to help one get started.

No Incoming Connections

The following demonstrates:

  • The creation of a script using quicktables-2.3 which will configure iptables such that it does not allow the outside world to connect to your system.
  • How to install and list the rules.
  • How to save the configuration such that the rules will be enforced the next time the system is started.
Using quicktables-2.3
[root@tmobile ~]# /usr/share/quicktables/quicktables-2.3


running quicktables as the root user is not necessary, and it is not a good idea.
there may not be any particular security reason not to run quicktables as root,
but it's a good practice to get into

press enter to continue or hit the ctrl + c keys to exit:


        use this at your own risk.  this is supplied without any warranty
        stated or implied.  this means you're on your own if you use this
        software, and that you will not hold the author responsible for any
        problems or issues related to the use of this software.


        although it isn't required that you run the quicktables script on the
        firewall machine itself, it is recommended.  quicktables will attempt
        to determine the likely answers to many questions simplifying the entire
        process.  quicktables is really only able to do this when ran on the
        firewall machine.  when not running quicktables on the firewall machine
        itself you may notice things like missing IP addresses in some of the
        questions.  you will have the opportunity to manually enter any and all
        IP addresses that quicktables needs to generate the firewall script


        please make sure to read the readme file


iptables was found at /sbin/iptables.  is that the location you wish to use in
your firewall script (yes/no) : yes


i have determined that the interface that connects you to your ISP (untrusted
network) is eth0.  is this the interface you want to use in your firewall
script (yes/no) : yes


nat, or network address translation, allows you to connect multiple computers on
a private network to the internet using a single internet IP address.  if you have
multiple computers and want to use your linux system as a router you need to answer
yes to the next question

would you like to use NAT (yes/no) : no


would you like your internet IP address to be pingable (yes/no) : no


icmp has many messages that are generated by a type field.  certain types of icmp
messages have no business coming into the average network.  saying yes to the
following question will block incoming icmp types redirect, router advertisement,
router solicitation, address mask request, and address mask reply from the internet.
if you don't know what any of this means then you should also answer yes to the
following question.

would you like to use icmp type restriction to block unwanted icmp types from the
internet (yes/no) : yes


if you run any services on your firewall machine you need to allow connections to their
ports.  this option is mostly for standalone non-nat setups or for allowing ident
requests to a nat aware identd running on your firewall. answering no closes all ports
on the firewall machine itself.

would you like to open any tcp ports to the firewall (yes/no) : no


would you like to open any udp ports to the firewall (yes/no) : no


certain networks have been set aside as private networks, and they shouldn't be routed
across the internet.  if you're using quicktables as an internet firewall or internet
firewall and nat script then you will want to answer yes to the following question.
if you're using quicktables on a private lan (10.0.0.0/8 172.16.0.0/12 192.168.0.0/16)
then you'll want to answer no to the following question.

do you want to block internet access from reservced private networks (yes/no) : no


blocked hosts will not have access to any ports including those that are open or being
forwarded.  hit enter to skip blocking any hosts or networks

enter the ip address(es) and/or network address(es) to completely block. :



logging dropped packets creates a record of the packet.  it can also generate a lot of
logging.  iptables uses kern.info for syslogging

would you like to log dropped packets (yes/no) : no



squid is a web proxy cache.  answering yes to the following question will configure
quicktables to transparently proxy all outbound http requests through squid without
requiring any browser configuration.  if you have no idea what this means answer no
to the following question.

do you wish to use squid (yes/no) : no


blocking services will prevent clients on the trusted side of the quicktables machine
from accessing a certain service.  a common use for this feature would be to block clients
on your internal network from accessing services like ICQ and P2P services.
if you're uncertain about using this option answer no to the following question.

 do you wish to block outbound access to any services (yes/no) : no

        your firewall script has been written to rc.firewall

 thanks for using quicktables.  hit enter to exit.
[root@tmobile ~]# ./rc.firewall

        setting global variables

        applying general security settings to /proc filesystem

        applying icmp rules

        applying icmp type match blocking

        applying default drop policies

### quicktables is loaded ###

[root@tmobile ~]# iptables --list -n
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 18
DROP       icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 17
DROP       icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 10
DROP       icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 9
DROP       icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 5
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
DROP       icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state NEW
[root@tmobile ~]# iptables-save >| /etc/sysconfig/iptables
[root@tmobile ~]# chkconfig iptables on
[root@tmobile ~]# service iptables start
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]
Loading additional iptables modules: ip_conntrack_netbios_n[  OK  ]
[root@tmobile ~]#

Turning an NST Probe Into A Broadband Router

In many homes and small businesses, you will find a small broadband router (such as a LinkSys WRT54G). The broadband router is typically configured to act as a firewall and perform Network Address Translation (NAT). This provides a layer of protection of the internal Local Area Network (LAN) from the outside world. It allows systems on the LAN to initiate connections to the outside world, but blocks the outside world from initiating connections to systems within the LAN.

An NST probe can be configured to act as a broadband router (thus assuming one of the roles of a LinkSys WRT54G).

NST Broadband Router Disadvantages

  • Contains moving mechanical parts (more likely to have a hardware failure over time).
  • Uses more power.

NST Broadband Router Advantages

  • A full suite of Linux tools is available.
  • Packet capture can be done on the "clean side" (prior to NAT). This makes network analysis of Internet usage much simpler.
  • Additional services (not typically found on a small broadband router) can be configured. For example, one could set up the NST system to act as a proxy server for the LAN.

NST Broadband Router Configuration

The following steps can be followed to configure an NST probe to act as a broadband router. Using the iptables firewall creation tool, it can be further configured to specifically allow or block incoming connections from the outside world.

Here is a diagram (nst-nat.png) to give a better idea of how we are using the NST system in this situation:

Step 1: Configure Your NST Box for a Static IP

The NST box acting as the router must be configured to have a static IP address by default. In order to do this, create the file: /etc/sysconfig/network-scripts/ifcfg-<YOUR NETWORK INTERFACE>. Example:

Configuring a Static IP
[root@probe ~]# cd /etc/sysconfig/network-scripts/
[root@probe network-scripts]# emacs ifcfg-em1

The file should have contents similar to the following:

DEVICE=em1
BOOTPROTO=static
IPADDR=192.168.10.1
NETMASK=255.255.255.0
NETWORK=192.168.10.0
BROADCAST=192.168.10.255
GATEWAY=192.168.10.1
ONBOOT=yes
NM_CONTROLLED=no

Step 2: Restart the Network Services

Restarting the Network Services
[root@probe ~]# systemctl restart network.service
[root@probe ~]# systemctl restart NetworkManager.service
[root@probe ~]#

Step 3: Configure & Enable the DHCP Service

Typically, a home router will automatically assign an IP address from a specific range of addresses to any machine that connects to its network. Unless every machine on your LAN will be given a static IP address, you will need to enable the DHCP service on your NST router. Keep in mind that if you are using another router as a switch for your LAN, you must disable its DHCP service first, so they do not conflict.

The DHCP service is set up via the configuration file /etc/dhcp/dhcpd.conf. It is a good idea to make a backup copy of the file before you start working, in case something goes wrong:

Backing up dhcpd.conf
[root@probe ~]# cd /etc/dhcp/
[root@probe dhcp]# cp ./dhcpd.conf ./dhcpd.conf.orig
[root@probe ~]# ls
dhclient.conf  dhclient.d  dhcpd6.conf  dhcpd.conf  dhcpd.conf.orig
[root@probe ~]#

Now open the dhcpd.conf file, delete the old contents, and make an entry similar to the one below.

ddns-update-style interim;
ignore client-updates;
get-lease-hostnames true;

subnet 192.168.10.0 netmask 255.255.255.0 {
option routers 192.168.10.1;

option subnet-mask 255.255.255.0;

option nis-domain "your.domain";
option domain-name "your.domain";

option domain-name-servers 8.8.8.8;

option time-offset -18000; # Eastern Standard Time

option ntp-servers 192.168.10.1;

range dynamic-bootp 192.168.10.100 192.168.10.150;
default-lease-time 21600;
max-lease-time 43200;
}

Note that with these settings, every machine in your LAN will be assigned an IP address of 192.168.10.1xx. Also note that this example uses Google's publicly available DNS server. All these options can be changed according to how you would like to set up your network. When you are done configuring the DHCP service, enable it by doing the following:

Starting the DHCP Service
[root@probe ~]# chkconfig dhcpd on
Note: Forwarding request to 'systemctl enable dhcpd.service'.
[root@probe ~]# service dhcpd start
Redirecting to /bin/systemctl  start dhcpd.service
[root@probe ~]#

Step 4: Configure IPtables

To enable Network Address Translation (or NAT) on NST, iptables must be configured correctly. You can configure iptables for basic NAT with the following commands (here eth0 faces the Internet and eth1 faces the LAN):

Configuring iptables
[root@probe ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@probe ~]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[root@probe ~]# iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@probe ~]# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
[root@probe ~]#

This will configure your NST box for basic router functionality. Note that in this state the INPUT and FORWARD chains still have their default policy of ACCEPT (compare the iptables --list output above), so connections from the outside world to the router itself will still be accepted. In order to selectively filter incoming and outgoing connections, you will have to configure iptables further.
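The following is an added example, not code from the NST wiki or from quicktables: a shell script that builds the Step 4 NAT setup as one complete iptables-restore ruleset with DROP default policies on INPUT and FORWARD, the blocking of private source addresses from the Internet side that quicktables offers, and an optional port-forward table. The interface names (eth0 dirty, eth1 clean), the 192.168.10.0/24 subnet from Step 3 and the port-forward entries are assumptions to adjust; without arguments it only prints the ruleset, and --apply loads it as root.

```shell
#!/bin/sh
# Added example (not from the NST wiki page or quicktables). Builds the NAT
# router policy from Step 4 as ONE iptables-restore ruleset, so it loads
# atomically and the INPUT/FORWARD default policies end up as DROP instead of
# the ACCEPT that Step 4's three commands leave in place.
#
# Assumed layout (same as Step 4): eth0 faces the ISP, eth1 faces the LAN.
dirtyInterface="eth0"            # "dirty" side, connected to the Internet
cleanInterface="eth1"            # "clean" side, the internal LAN
cleanNetwork="192.168.10.0/24"   # the subnet handed out by Step 3's dhcpd

# Optional port forwards, one per line: <public tcp port> <LAN host> <LAN port>.
# Constructed sample values; leave the string empty if nothing should be reachable.
portForwards="
8080 192.168.10.10 80
2222 192.168.10.20 22
"

# Print the rules one table ("nat" or "filter") needs for every port forward.
# Returns 1 if an entry does not have exactly three fields.
port_forward_rules() {
  table=$1
  printf '%s\n' "$portForwards" | while read -r dport cip cport extra; do
    if [ -z "$dport" ]; then continue; fi                 # blank line
    if [ -z "$cport" ] || [ -n "$extra" ]; then
      echo "error: port forward entry needs 3 fields: '$dport $cip $cport $extra'" >&2
      exit 1                                              # ends the pipeline subshell with status 1
    fi
    if [ "$table" = nat ]; then
      # Rewrite the destination before routing ...
      echo "-A PREROUTING -i $dirtyInterface -p tcp --dport $dport -j DNAT --to-destination $cip:$cport"
    else
      # ... and let only that rewritten flow through FORWARD.
      echo "-A FORWARD -i $dirtyInterface -o $cleanInterface -d $cip -p tcp --dport $cport -m conntrack --ctstate NEW -j ACCEPT"
    fi
  done
}

# Drop packets arriving from the Internet side with a private (RFC 1918) or
# loopback source address: they are spoofed or misrouted.
bogon_rules() {
  chain=$1
  for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
    echo "-A $chain -i $dirtyInterface -s $net -j DROP"
  done
}

# Print the whole ruleset in iptables-restore format. Fails (status 1) on a
# malformed port-forward table rather than producing a partial policy.
gen_ruleset() {
  nat_pf=$(port_forward_rules nat) || return 1
  filter_pf=$(port_forward_rules filter) || return 1
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
${nat_pf}
-A POSTROUTING -s ${cleanNetwork} -o ${dirtyInterface} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
$(bogon_rules INPUT)
-A INPUT -i lo -j ACCEPT
-A INPUT -i ${cleanInterface} -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$(bogon_rules FORWARD)
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${cleanInterface} -o ${dirtyInterface} -j ACCEPT
${filter_pf}
COMMIT
EOF
}

# Turn on forwarding, reverse-path filtering and SYN cookies, then load the
# ruleset. iptables-restore replaces the tables as a unit: if any line is
# rejected nothing is loaded and the previous rules stay in place.
apply_ruleset() {
  rules=$(gen_ruleset) || return 1
  sysctl -w net.ipv4.ip_forward=1 net.ipv4.conf.all.rp_filter=1 net.ipv4.tcp_syncookies=1 >/dev/null
  printf '%s\n' "$rules" | iptables-restore
}

case "${1:-}" in
  --apply) apply_ruleset ;;   # needs root: ./nat-router.sh --apply
  *)       gen_ruleset ;;     # dry run: print what would be loaded
esac
```

After loading, iptables-save >| /etc/sysconfig/iptables and enabling the iptables service, as shown earlier on this page, makes the policy survive a reboot.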