LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 12-10-2012, 10:35 PM   #1
tuxmariner
LQ Newbie
 
Registered: Sep 2012
Distribution: Ubuntu
Posts: 6

Rep: Reputation: Disabled
Gateway server - how to configure NICs and iptables to control Internet access


Hi,

I am trying to set up an Internet gateway/router to provide security and control access to the Internet on a medium-sized network. I have read so much about IP masquerading, NATing and adding routes that I'm a little bit confused about exactly what I need to be doing.


First: The Current Setup
  1. There are a number of wireless access points and wired (Ethernet) computers. All in all less than 100 clients. There are also various local devices such as IP cameras, network printers etc.

  2. Everything connects into a large network switch, which itself connects to a Netgear WNDR3700 router.

  3. The Netgear router is connected via Ethernet to a satellite modem.

  4. The Netgear router has been set up with the details provided by the satellite ISP (I have slightly changed these addresses for privacy reasons):
    • IP Address: 216.90.138.122
    • Subnet Mask: 255.255.255.252
    • Gateway IP Address: 216.90.138.121

  5. The Netgear router is set up as a DHCP server.

  6. The whole network is set up with addresses in the range 10.77.0.0 to 10.77.255.255 (subnet mask 255.255.0.0). Some are statically assigned and some are assigned via DHCP.

  7. This setup currently works perfectly.


Second: The Proposed Setup
  1. I want to completely replace the Netgear router with a server that I set up. This is for various reasons including finer-grained control over who can access the Internet (a lot of the clients on the local network are supposed to only have local network access) and also some other limitations of the Netgear router. I also want to provide basic DNS services to serve names of local websites running on another server on the network.

  2. I have set up a computer with two NICs (eth0 and eth1). It is running Ubuntu Server 12.10. I know there are arguments for other distributions for a gateway server and I may try these at a later date. For now, Ubuntu is the distribution I am most familiar with. The NICs are Realtek RTL8169 PCI Gigabit Ethernet Controllers.

  3. I have set up Dnsmasq on the server. This is running successfully now. I have configured it as both a DHCP server and a DNS server. I can get it to hand out IP leases and serve up IPs of local websites. Everything with that is fine.

  4. Interface eth1 connects to the local network. It is configured with the IP address 10.77.100.51.

  5. Interface eth0 connects to the satellite modem (i.e. the Internet). I am guessing that I am supposed to configure this with the same details previously used with the router (as posted above):
    • IP Address: 216.90.138.122
    • Subnet Mask: 255.255.255.252
    • Gateway IP Address: 216.90.138.121

    This does seem to work from the perspective that if I SSH into the gateway (via eth1) I can access the Internet (e.g. ping google.com) via eth0.

  6. What I still need to figure out is how to make traffic flow from the local network (eth1) to the Internet (eth0) - and only for allowed computers. From what I understand this will be by adding various rules into iptables. I have only used UFW (frontend to iptables) in the past, so iptables rules are a bit daunting for me and I don't know what to do.


Third: The Questions
  1. Am I on the right track? For example, is my eth0/eth1 configuration correct, am I right in thinking I need to do some iptables stuff etc.?

  2. What exactly do I need to do to grant specific computers Internet access? Examples would be appreciated for:

    • a) Grant complete Internet access (web/email/skype/whatever) to 10.77.200.10.
    • b) Grant only FTP access to 10.77.200.11.
    • c) Grant only access to the IP 62.148.188.51 to 10.77.200.12.

  3. I am also wanting to be able to have a few rule sets (sometimes everyone has Internet access, sometimes it's super locked down) that I can quickly switch between (presumably by running scripts to update the rules). Any hints on how to go about this?


For Your Reference: /etc/network/interfaces

Code:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# External (Internet) network interface (eth0)
auto eth0
iface eth0 inet static
        address 216.90.138.122
        netmask 255.255.255.252
        gateway 216.90.138.121
        dns-nameservers 8.8.8.8 8.8.4.4

# Local network interface (eth1)
auto eth1
iface eth1 inet static
        address 10.77.100.51
        netmask 255.255.0.0

Any help would be very much appreciated! Thank you :-)
 
Old 12-10-2012, 11:10 PM   #2
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Colombia
Distribution: Kubuntu, Debian, Knoppix
Posts: 1,982
Blog Entries: 1

Rep: Reputation: 83
Normally getting intranet hosts to reach the internet is not that difficult.

It only requires (basically) two steps:
masquerading traffic going out to the internet interface:
Code:
iptables -t nat -A POSTROUTING -o internetinterface -j MASQUERADE
and enabling forwarding:
Code:
sysctl -w net.ipv4.ip_forward=1
That will allow traffic to go through the server from intranet to internet (as long as routing is correctly set up in your intranet).

Then comes the mess of filtering. Traffic coming from one network interface and going out of the host will have to traverse the FORWARD chain in the filter table.

For a server that is going to be connected to internet I'd recommend setting a DROP policy for INPUT and FILTER and then start adding rules to allow traffic on those chains... a very clear example is to allow traffic moving in the loopback interface:

Code:
iptables -P FILTER DROP
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
Then start adding whatever rules you need to suit your needs.

I normally set up all this netfilter crap in a single script (starting by setting the policies, flushing all the rules and create everything from scratch) and call it from rc.local so that it's set up when the host boots up... and if I need to add/edit/remove something I edit the script and call it.

Hope that helps.

Last edited by eantoranz; 12-10-2012 at 11:13 PM. Reason: typo in masquerading rule
 
Old 12-11-2012, 06:45 PM   #3
tuxmariner
LQ Newbie
 
Registered: Sep 2012
Distribution: Ubuntu
Posts: 6

Original Poster
Rep: Reputation: Disabled
Hi eantoranz,

Thank you very much for your help.

One of the commands you supplied is giving me an error:

Code:
iptables --policy FILTER DROP
Response:

Code:
iptables: Bad built-in chain name.
Any ideas?
 
Old 12-11-2012, 06:46 PM   #4
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Colombia
Distribution: Kubuntu, Debian, Knoppix
Posts: 1,982
Blog Entries: 1

Rep: Reputation: 83
You're right. It's FORWARD, not FILTER. FORWARD and INPUT.
 
Old 12-11-2012, 06:48 PM   #5
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Colombia
Distribution: Kubuntu, Debian, Knoppix
Posts: 1,982
Blog Entries: 1

Rep: Reputation: 83
INPUT is traversed by packets that are meant for the host. FORWARD is traversed by packets that are received by this host but are meant for another.
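Putting the pieces from the replies above together, here is an added example of the kind of single script eantoranz describes: set the policies, flush everything, rebuild from scratch, and call it from rc.local. It is not code posted by either participant. It uses the FORWARD chain (as corrected in post #4) for the routed LAN traffic and INPUT only for packets addressed to the gateway itself, and it answers the three cases from the original question (full access for 10.77.200.10, FTP only for 10.77.200.11, a single destination for 10.77.200.12) plus the "open" versus "locked" rule sets asked about in question 3. The interface names eth0/eth1, the 10.77.0.0/16 prefix and the service ports opened on the gateway (SSH, dnsmasq DNS and DHCP) are assumptions taken from the question, not facts the thread confirms.

```shell
#!/bin/sh
# Added example, not from the thread: a from-scratch iptables gateway script.
# Assumptions (taken from the question, not confirmed by the thread):
#   eth0 = satellite modem side, eth1 = LAN side, LAN = 10.77.0.0/16,
#   the gateway runs SSH and dnsmasq (DNS on 53, DHCP on 67) for the LAN.
#
# Apply:    sh gateway-fw.sh locked      or      sh gateway-fw.sh open
# Dry run (prints the rules without touching the kernel):
#   IPT=echo sh -c '. ./gateway-fw.sh && ruleset_locked'

WAN=eth0                        # Internet side
LAN=eth1                        # local network side
LAN_NET=10.77.0.0/16            # 10.77.0.0 / 255.255.0.0
IPT="${IPT:-iptables}"          # IPT=echo prints the rules instead of applying them

# Clients from the original question
FULL_ACCESS=10.77.200.10        # (a) unrestricted Internet access
FTP_ONLY=10.77.200.11           # (b) FTP only
SINGLE_DEST_HOST=10.77.200.12   # (c) may reach one destination only
SINGLE_DEST=62.148.188.51

reset_tables() {
    # Start from scratch each run so the script is idempotent: flush, delete user
    # chains, then set default policies. INPUT (packets for the gateway itself) and
    # FORWARD (packets it routes for LAN hosts) drop unless a rule below accepts.
    "$IPT" -F
    "$IPT" -t nat -F
    "$IPT" -X
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
}

base_rules() {
    # Traffic to the gateway itself: loopback, replies to its own connections, and
    # the services the LAN needs from it (SSH, dnsmasq DNS and DHCP).
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -i "$LAN" -p tcp --dport 22 -j ACCEPT
    "$IPT" -A INPUT -i "$LAN" -p udp --dport 53 -j ACCEPT
    "$IPT" -A INPUT -i "$LAN" -p tcp --dport 53 -j ACCEPT
    "$IPT" -A INPUT -i "$LAN" -p udp --dport 67 -j ACCEPT
    # Return traffic for connections a LAN client was allowed to open.
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Rewrite the source of everything leaving via the modem to the gateway's public address.
    "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE
}

allow_host_full() {   # $1 = LAN address
    "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -s "$1" -j ACCEPT
}

allow_host_ftp() {    # $1 = LAN address; FTP data connections match as RELATED via the ftp helper
    "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -s "$1" -p tcp --dport 21 -j ACCEPT
}

allow_host_dest() {   # $1 = LAN address, $2 = the only destination it may reach
    "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -s "$1" -d "$2" -j ACCEPT
}

ruleset_locked() {    # only the three named clients get out
    reset_tables
    base_rules
    allow_host_full "$FULL_ACCESS"
    allow_host_ftp "$FTP_ONLY"
    allow_host_dest "$SINGLE_DEST_HOST" "$SINGLE_DEST"
}

ruleset_open() {      # everyone on the LAN gets out
    reset_tables
    base_rules
    "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
}

apply_ruleset() {     # $1 = open | locked
    sysctl -w net.ipv4.ip_forward=1
    modprobe nf_conntrack_ftp   # lets FTP data connections be tracked as RELATED
    modprobe nf_nat_ftp         # fixes up FTP control traffic passing through MASQUERADE
    case "$1" in
        open)   ruleset_open ;;
        locked) ruleset_locked ;;
        *)      echo "usage: $0 {open|locked}" >&2; return 1 ;;
    esac
}

# Only apply when run with an argument; sourcing the file just defines the functions.
if [ "$#" -gt 0 ]; then
    apply_ruleset "$1"
fi
```

Switching between rule sets is then `sh gateway-fw.sh open` or `sh gateway-fw.sh locked`; because every run flushes first, no stale rules survive the switch. To keep forwarding enabled across reboots, put `net.ipv4.ip_forward=1` in /etc/sysctl.conf as well as calling the script from rc.local.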
 
Tags
dhcp, dnsmasq, gateway, iptables