LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (http://www.linuxquestions.org/questions/linux-networking-3/)
-   -   Gateway server - how to configure NICs and iptables to control Internet access (http://www.linuxquestions.org/questions/linux-networking-3/gateway-server-how-to-configure-nics-and-iptables-to-control-internet-access-4175440907/)

tuxmariner 12-10-2012 10:35 PM
Gateway server - how to configure NICs and iptables to control Internet access
 
Hi,

I am trying to setup an Internet gateway/router to provide security and control access to the Internet on a medium sized network. I have read so much about IP masqurading, NATing and adding routes that I'm a little bit confused about exactly what I need to be doing.


First: The Current Setup
  1. There are a number of wireless access points and wired (Ethernet) computers. All in all less than 100 clients. There are also various local devices such as IP cameras, network printers etc.

  2. Everything connects into a large network switch, which itself connects to a Netgear WNDR3700 router.

  3. The Netgear router is connected via Ethernet to a satellite modem.

  4. The Netgear router has been setup with the details provided by the satellite ISP (I have slightly changed these addresses for privacy reasons):
    • IP Address: 216.90.138.122
    • Subnet Mask: 255.255.255.252
    • Gateway IP Address: 216.90.138.121

  5. The Netgear router is setup as a DHCP server.

  6. The whole network is setup with addresses in the range 10.77.0.0 to 10.77.255.255 (subnet mask 255.255.0.0). Some are statically assigned and some are assigned via DHCP.

  7. This setup currently works perfectly.


Second: The Proposed Setup
  1. I want to completely replace the Netgear router with a server that I setup. This is for various reasons including finer grained controls over who can access the Internet (a lot of the clients on the local network are supposed to only have local network access) and also some other limitations of the Netgear router. I also want to provide basic DNS services to serve names of local websites running on another server on the network.

  2. I have setup a computer with two NICs (eth0 and eth1). It is running Ubuntu Server 12.10. I know there are arguments for other distributions for a gateway server and I may try these at a later date. For now, Ubuntu is the distribution I am most familiar with. The NICs are Realtek RTL8169 PCI Gigabit Ethernet Controllers.

  3. I have setup Dnsmasq on the server. This is running successfully now. I have configured it as both a DHCP server and a DNS server. I can get it to hand out IP leases and serve up IPs of local websites. Everything with that is fine.

  4. Interface eth1 connects to the local network. It is configured with the IP address 10.77.100.51.

  5. Interface eth0 connects to the satellite modem (i.e. the Internet). I am guessing that I am supposed to configure this with the same details previously used with the router (as posted above):
    • IP Address: 216.90.138.122
    • Subnet Mask: 255.255.255.252
    • Gateway IP Address: 216.90.138.121

    This does seem to work from the perspective that if I SSH into the gateway (via eth1) I can access the Internet (e.g. ping google.com) via eth0.

  6. What I still need to figure out is how to make traffic flow from the local network (eth1) to the Internet (eth0) - and only for allowed computers. From what I understand this will be by adding various rules into iptables. I have only used UFW (frontend to iptables) in the past, so iptables rules are a bit daunting for me and I don't know what to do.


Third: The Questions
  1. Am I on the right track? For example, is my eth0/eth1 configuration correct, am I right in thinking I need to do some iptables stuff etc.?

  2. What exactly do I need to do to grant specific computers Internet access? Examples would be appreciated for:

    • a) Grant complete Internet access (web/email/skype/whatever) to 10.77.200.10.
    • b) Grant only FTP access to 10.77.200.11.
    • c) Grant only access the IP 62.148.188.51 to 10.77.200.12.

  3. I am also wanting to be able to have a few rule sets (sometimes everyone has Internet access, sometimes it's super locked down) that I can quickly switch between (presumably by running scripts to update the rules). Any hints on how to go about this?


For Your Reference: /etc/network/interfaces

Code:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# External (Internet) network interface (eth0)
auto eth0
iface eth0 inet static
        address 216.90.138.122
        netmask 255.255.255.252
        gateway 216.90.138.121
        dns-nameservers 8.8.8.8 8.8.4.4

# Local network interface (eth1)
auto eth1
iface eth1 inet static
        address 10.77.100.51
        netmask 255.255.0.0
Any help would be very much appreciated! Thank you :-)

eantoranz 12-10-2012 11:10 PM
Normally getting intranet hosts to reach internet is not that difficult.

It only requires (basically) two steps:
masquerading traffic going out to the internet interface:
Code:
iptables -t nat -A POSTROUTING -o internetinterface -j MASQUERADE
and enabling forwarding:
Code:
sysctl -w net.ipv4.ip_forward=1
That will allow traffic to go through the server from internet to internet (as long as routing is correctly set up in your intranet).

Then comes the mess of filtering. Traffic coming from one network interface and going out of the host will have to traverse the FORWARD chain in the FILTER tables.

For a server that is going to be connected to internet I'd recommend to set a DROP policy for INPUT and FILTER and then start adding rules to allow traffic on those chains.... a very clear example is to allow traffic moving in the loopback interface:

Code:
iptables -P FILTER DROP
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
Then start adding whatever rules you need to suit your needs.

I normally set up all this netfilter crap in a single script (starting by setting the policies, flushing all the rules and create everything from scratch) and call it from rc.local so that it's set up when the host boots up... and if I need to add/edit/remove something I edit the script and call it.

Hope that helps.

tuxmariner 12-11-2012 06:45 PM
Hi eantoranz,

Thank you very much for your help.

One of the commands you supplied is giving me an error:

Code:
iptables --policy FILTER DROP
Response:

Code:
iptables: Bad built-in chain name.
Any ideas?

eantoranz 12-11-2012 06:46 PM
You're right. It's FORWARD, not FILTER. FORWARD and INPUT.

eantoranz 12-11-2012 06:48 PM
INPUT is traversed by packets that are meant for the host. FORWARD is traversed by packets that are received by this host but are meant for another.


All times are GMT -5. The time now is 12:37 PM.