Hi,

I am trying to setup an Internet gateway/router to provide security and control access to the Internet on a medium sized network. I have read so much about IP masqurading, NATing and adding routes that I'm a little bit confused about exactly what I need to be doing.


First: The Current Setup

1. There are a number of wireless access points and wired (Ethernet) computers. All in all less than 100 clients. There are also various local devices such as IP cameras, network printers etc.
   
   
2. Everything connects into a large network switch, which itself connects to a Netgear WNDR3700 router.
   
   
3. The Netgear router is connected via Ethernet to a satellite modem.
   
   
4. The Netgear router has been setup with the details provided by the satellite ISP (I have slightly changed these addresses for privacy reasons):
   
   • IP Address: 216.90.138.122
   • Subnet Mask: 255.255.255.252
   • Gateway IP Address: 216.90.138.121
   
   
5. The Netgear router is setup as a DHCP server.
   
   
6. The whole network is setup with addresses in the range 10.77.0.0 to 10.77.255.255 (subnet mask 255.255.0.0). Some are statically assigned and some are assigned via DHCP.
   
   
7. This setup currently works perfectly.

Second: The Proposed Setup

1. I want to completely replace the Netgear router with a server that I setup. This is for various reasons including finer grained controls over who can access the Internet (a lot of the clients on the local network are supposed to only have local network access) and also some other limitations of the Netgear router. I also want to provide basic DNS services to serve names of local websites running on another server on the network.
   
   
2. I have setup a computer with two NICs (eth0 and eth1). It is running Ubuntu Server 12.10. I know there are arguments for other distributions for a gateway server and I may try these at a later date. For now, Ubuntu is the distribution I am most familiar with. The NICs are Realtek RTL8169 PCI Gigabit Ethernet Controllers.
   
   
3. I have setup Dnsmasq on the server. This is running successfully now. I have configured it as both a DHCP server and a DNS server. I can get it to hand out IP leases and serve up IPs of local websites. Everything with that is fine.
   
   
4. Interface eth1 connects to the local network. It is configured with the IP address 10.77.100.51.
   
   
5. Interface eth0 connects to the satellite modem (i.e. the Internet). I am guessing that I am supposed to configure this with the same details previously used with the router (as posted above):
   
   • IP Address: 216.90.138.122
   • Subnet Mask: 255.255.255.252
   • Gateway IP Address: 216.90.138.121
   
   This does seem to work from the perspective that if I SSH into the gateway (via eth1) I can access the Internet (e.g. ping google.com) via eth0.
   
   
6. What I still need to figure out is how to make traffic flow from the local network (eth1) to the Internet (eth0) - and only for allowed computers. From what I understand this will be by adding various rules into iptables. I have only used UFW (frontend to iptables) in the past, so iptables rules are a bit daunting for me and I don't know what to do.

Third: The Questions

1. Am I on the right track? For example, is my eth0/eth1 configuration correct, am I right in thinking I need to do some iptables stuff etc.?
   
   
2. What exactly do I need to do to grant specific computers Internet access? Examples would be appreciated for:
   
   
   • a) Grant complete Internet access (web/email/skype/whatever) to 10.77.200.10.
     
   • b) Grant only FTP access to 10.77.200.11.
     
   • c) Grant only access the IP 62.148.188.51 to 10.77.200.12.
   
   
3. I am also wanting to be able to have a few rule sets (sometimes everyone has Internet access, sometimes it's super locked down) that I can quickly switch between (presumably by running scripts to update the rules). Any hints on how to go about this?

For Your Reference: /etc/network/interfaces

Any help would be very much appreciated! Thank you :-)

Normally getting intranet hosts to reach internet is not that difficult.

It only requires (basically) two steps:
masquerading traffic going out to the internet interface:
and enabling forwarding:
That will allow traffic to go through the server from internet to internet (as long as routing is correctly set up in your intranet).

Then comes the mess of filtering. Traffic coming from one network interface and going out of the host will have to traverse the FORWARD chain in the FILTER tables.

For a server that is going to be connected to internet I'd recommend to set a DROP policy for INPUT and FILTER and then start adding rules to allow traffic on those chains.... a very clear example is to allow traffic moving in the loopback interface:

Then start adding whatever rules you need to suit your needs.

I normally set up all this netfilter crap in a single script (starting by setting the policies, flushing all the rules and create everything from scratch) and call it from rc.local so that it's set up when the host boots up... and if I need to add/edit/remove something I edit the script and call it.

Hope that helps.

Hi eantoranz,

Thank you very much for your help.

One of the commands you supplied is giving me an error:

Response:

Any ideas?

You're right. It's FORWARD, not FILTER. FORWARD and INPUT.

INPUT is traversed by packets that are meant for the host. FORWARD is traversed by packets that are received by this host but are meant for another.