LinuxQuestions.org

Thread: iptables, nat, dhcp with adsl modem/router and wireless AP (https://www.linuxquestions.org/questions/linux-wireless-networking-41/iptables-nat-dhcp-with-adsl-modem-router-and-wireless-ap-320705/)

gjhicks 05-06-2005 08:19 AM

iptables, nat, dhcp with adsl modem/router and wireless AP
 
Hi,

I am trying to set up a system that will content filter the internet available to my kids.

But before I can consider the content filtering, I need to get the linux server configuration to work.

My little system "should" look like this:

adsl line --> [modem/router]--> [ethx]--> { server box}--> [ethy]--> [wireless AP] .->.->.-> several wireless connected boxes

The modem/router currently acts as dhcp server but (I guess?) this should be left to the 'server box'?

I know that the 2 NICs in the server box work fine and that they will 'talk' to the modem/router and the wireless access point.

I read several posts (here and elsewhere) about using iptables and nat with dhcp.

But in the above 'chain' each of the modem/router, eth0, eth1 and the wireless AP all have an IP addresses.

Currently the modem/router has an IP of 192.168.0.1 and the wireless AP an IP of 192.168.0.15. The NICs' IPs are (currently) set by the DHCP server in the modem/router.

I couldn't figure out which of the various IP addressed bits should be eth0 and eth1 - which made it pretty hard to get started!

Has anyone had any experience(s) in setting up such a system?

Any suggestions gratefully received.

Regards,

Geoff.

TigerOC 05-06-2005 03:19 PM

Starting at the network level ethx and ethy cannot be on the same subnet i.e. 192.168.0.X and 192.168.0.Y. They must be something like 192.168.0.X and 192.168.1.Y. You will probably have to change either the router address or the wireless router address to get this functional. The ethernet card (eth0) attached to the router must be on the same subnet as the ADSL router and the ethernet card (eth1) going to the wireless router must have the same subnet address range as the wireless router. For a newbie I recommend MonMotha's firewall script as it does nearly everything that you need in terms of security, NAT and forwarding. You will need to install ip-masquerading first in order to share the connection.
As far as content filtering is concerned then DansGuardian is regarded as one of the best around.

angelohl 05-06-2005 04:02 PM

Hicks,
I agree with Tiger. I'll try to add my two cents too as I think you want a more definitive approach when using this group (hey, that's why I signed up), as in, how-to or what do I do. Anyway, to help out (IP forwarding must be enabled in any case for these to work):

plug the adsl line --> modem/router-->
{server box}
connect modem/router to ethx--> (static IP)
connect ethy to wireless AP --> other devices

On the server, for ethy, reserve a static IP and set a range to be handed out by the AP.
On the AP, configure it to hand out the other addresses. The problem with this configuration is that you'll NOT be able to track the individual web traffic from the AP because the server only sees web/IP traffic coming from the AP, not the workstations... You're limited in this area if your family has individual laptops.

A better configuration (assuming they are hard-wired) would be to buy a $20 HUB at CompUSA and configure this way:

plug the adsl line --> modem/router--> AP --> (locked down to MAC address, with reserved IP for server)
{server box}
connect modem/router to ethx--> (static IP)
connect ethy -->
HUB --> other devices

Now, the important stuff, IPTABLES, there's more but not sure how much I can type here:
# INPUT chain rules
## Rules for incoming packets from LAN
## (the 10.1.1.255 broadcast rule below implies a /24 LAN, so the source mask is /24, not /8)
iptables -A INPUT -p ALL -i ethy -s 10.1.1.0/24 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 10.1.1.0 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.1.2 -j ACCEPT
iptables -A INPUT -p ALL -i ethy -d 10.1.1.255 -j ACCEPT

# TCP rules
# which should cover all normal services
## 'okay' is a user-defined chain: create it first (iptables -N okay) or these rules fail to load
iptables -A INPUT -p TCP -i ethx -s 0/0 --destination-port 21 -j okay
iptables -A INPUT -p TCP -i ethx -s 0/0 --destination-port 22 -j okay
iptables -A INPUT -p TCP -i ethx -s 0/0 --destination-port 25 -j okay
iptables -A INPUT -p TCP -i ethx -s 0/0 --destination-port 80 -j okay
iptables -A INPUT -p TCP -i ethx -s 0/0 --destination-port 110 -j okay
iptables -A INPUT -p TCP -i ethx -s 0/0 --destination-port 113 -j okay
... Good luck.

gjhicks 05-06-2005 06:33 PM

Firstly, thanks for your help. I will have a go at your suggestions but they have raised a couple of questions - or rather highlighted more of my lack of knowledge!

In angelohl's post the following comment: "On the server, for ethy, reserve a static IP and set a range to be handed out by the AP. On the AP, configure it to hand out the other addresses."

The AP I have is just an access point, not a router. I had presumed that the server box would be the DHCP server for any clients "downstream" from the AP.

Also, I assumed (perhaps wrongly) that the "web data stream" would be filtered, firewalled, etc in the server box, between ethx and ethy, so that all outbound information would be "corrected".

In the situation I have there are no devices other than wireless, so I am not sure for what the hub would be used.

Lastly, given that the existing modem/router is a DHCP server, bells & whistles device - should I dumb that down so that it is just acting as a modem? If this is the case, does the ethx (inbound NIC) become the gateway, DNS holder, etc?

Sorry for the questions but I promise to try and understand your responses.

Thanks again,

Geoff.

TigerOC 05-07-2005 01:31 AM

Your concept is correct in that the server will provide the firewall, routing and filtering. Most of the modem/routers that come out have quite good firewalls on them and I would recommend their use. The firewall on the server would be a backup.
Looking at the networking it is preferable to use static addressing at the server level as it is much easier to set gateways because this gets quite complicated. I will try to explain. If the ADSL modem router is set with an address of 192.168.0.1 and the eth0 in the server is connected to it and has an address of 192.168.0.2 then the gateway for the server box is 192.168.0.1 i.e. the router address. As I said above, the LAN side of the server must have a different IP address range. Let's say you allocate 192.168.1.1 to eth1 which connects to the wireless AP. The wireless AP should be set to a range above 192.168.1.2 and for all boxes in the LAN the gateway address for the net would be 192.168.1.1 (eth1). It should be possible for you to issue DHCP addresses from the AP but in small networks it is often easier to allocate IP addresses statically. This also means it is easier to identify boxes in log files.
Hope this makes sense to you.

gjhicks 05-08-2005 08:24 PM

Once again thanks for the help, it is much appreciated.

I am pleased to report that I have my little system working - I am writing this on a Win XP PC connected by wireless to the net.

For the sake of any others going down this path, I thought I should document what I did.

Firstly, a trap for young players! An earlier comment on the use of a hub got me thinking about the effect of such. Then I realised what a silly mistake I had made in the original physical setup. The lead between the NIC in the server box and the wireless AP was just a normal lead - of course it has to be a cross-over lead. So, the tip about using a hub was really useful but for another reason!

So, here is the physical set up:

ADSL line connects to:
D-Link DSL-504 ADSL Modem/4 port router

connects to:
D-Link DFE-650TX 10/100 PCMCIA ethernet adapter, as eth1 in:

linux server box IBM 600X laptop, running Feather linux 0.7.4, which is providing NAT and DHCP services to:

Surecom EP428X 10/100 PCMCIA ethernet adapter, as eth0

eth0 is connected by a crossover cable to:
DWL-1000AP wireless access point.

Several PCs are then connected wirelessly to the internet via the AP.


The software setup is as follows:

eth1 is brought up automatically during the boot process, as it is connected to the modem/router, which provides a DHCP service.

ip addresses:
router 192.168.0.1 netmask 255.255.255.0 <-- set earlier via the router's web interface
eth1 192.168.0.2 netmask 255.255.255.0

wireless AP 192.168.1.2 <-- set earlier via the AP's setup software

eth0 is brought up via a call to 'ifconfig'

ifconfig eth0 192.168.1.1 netmask 255.255.255.0

Then set all the iptables stuff for the NAT service

iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT

Turn on routing

echo 1 > /proc/sys/net/ipv4/ip_forward

Setup the DHCP server

Note: need to modify the configuration file "/etc/dhcp3/dhcpd.conf" to reflect your LAN. For example, my dhcpd.conf contains the following:

# clients get addresses .100 to .200 and eth0 (192.168.1.1) as their default gateway
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.200;
    option routers 192.168.1.1;
}

Install the DHCP server

/etc/init.d/dhcp3-server start

Finished!

Try pinging the various bits of the system (eg 192.168.1.1, 192.168.1.2, 192.168.0.1, 192.168.0.2) to make sure all the internals are fine.

Then try pinging google to see if the outside connection is working.


Mine works just fine - now I need to "automate" the process so it just "happens" on each re-boot.

Next task is to figure out how to insert a content filter in the linux server box.

Thanks once again and bye for now!

Geoff.

angelohl 05-09-2005 09:23 AM

Sorry - Mother's Day weekend and went out of town but, hey Geoff, glad to see you're up and running. Tiger was correct with administration being easier by simply specifying IPs in a small LAN but I think it's easier to just DHCP it and never have to worry about it. Also, remember to lock down your AP to the MACs and your switches too. The hub recommendation was simply to save your ports (as the typical AP comes with either 2, 3, or 4 ports (the consumer versions that is)). Oh, and in my diagram, it's easier for tracking purposes if you separate the private IPs with an obvious range so when you're monitoring traffic you won't miss something with the naked eye when scanning logs because the range is too close together (i.e. 192.168.1.x on one NIC and 192.168.2.x on the other, instead of 192.168.x.x and 10.10.x.x - then it's easier to troubleshoot should you need to watch traffic one day for whatever reason). One question I have: let me know how that setup works for you regarding content filtering/monitoring. I have kids too and I restrict net access to certain hours only for their workstations but, since you're trying to monitor a wireless AP, the flaw I saw there is that all the traffic would seem to come from the AP and you wouldn't be able to track username etc. from it - though, I could be wrong... hmm, let me know if you're using the tool Tiger mentioned earlier too.

gjhicks 05-09-2005 06:05 PM

Hello,

Yes, you are right that my home lan is served via the wireless AP and any content filtering on the server would not be able to distinguish between the "downstream" clients.

I will let you know how I get on with the content filtering - I have found a couple of firewall/proxy/filtering specific linux distros. One called 'censornet' the other 'clarkconnect'. Plan to try them out over the next few days (work and family permitting!). An annoying aspect (in light of knoppix, feather, DSL, etc live cds) is that they both want to reformat the hard disk as part of the installation!

It occurs to me that the kid monitoring aspect could be handled by using static IPs downstream and monitoring via 'ethereal' or similar.

Will get back to you,

Bye for now,

Geoff

gjhicks 05-16-2005 06:15 AM

Hi there,

Have managed to get my little home LAN set up with content filtering, using Privoxy.

Although some of the below is already above, I figured I would set it out in one piece:

----------------------------------------------------------------------------------------------------------------------------
ADSL line connects to: D-Link DSL-504 ADSL Modem/4 port router

which connects to: D-Link DFE-650TX 10/100 PCMCIA ethernet adapter, as eth1 to -->

linux server box IBM 600X laptop, running Feather linux 0.7.4, which is providing NAT service to:

Surecom EP428X 10/100 PCMCIA ethernet adapter, as eth0

eth0 is connected by a crossover cable to a DWL-1000AP wireless access point.

Several PCs are then connected wirelessly to the internet via the AP.

---------------------------------------------------------------------------------------------------------------------------
The software setup is as follows:

eth1 is brought up automatically during the boot process, as it is connected to the modem/router, which provides a DHCP service.

ip addresses:
router 192.168.0.1 netmask 255.255.255.0 <-- set earlier via the router's web interface
eth1 192.168.0.2 netmask 255.255.255.0

wireless AP 192.168.1.2 <-- set earlier via the AP's setup software

eth0 is brought up via a call to 'ifconfig'

ifconfig eth0 192.168.1.1 netmask 255.255.255.0

---------------------------------------------------------------------------------------------------------------------
# the below instructions can be put in a script file and made to execute with each boot
#
# clear any existing iptables info
#
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

# set up and activate the NAT service
#
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT

# to stop LAN clients accessing the net other than via Privoxy, 'turn off' port 80 for the internal LAN
#
iptables -I FORWARD -p TCP -i eth0 --dport 80 -j REJECT

# Turn on routing
#
echo 1 > /proc/sys/net/ipv4/ip_forward

# Turn on Privoxy
#
/etc/init.d/privoxy start
#
---------------------------------------------------------------------------------------------------------------------

In order to be able to 'track' access by clients on the lan, I used static IPs for the client lans, with these and their machine names listed in '/etc/hosts'

---------------------------------------------------------------------------------------------------------------------

I found that the default Privoxy is a bit too eager. Also, using Firefox blocks most pop-ups and the router forms a hardware firewall. So, I don't use the 'default.action' action file and turned off most of the filters.

The config file was modified so that the following action/filter would be used:

/etc/privoxy/standard.action
/etc/privoxy/user.action

/etc/privoxy/default.filter


I used the following modified 'user.action' file (further modified here by substituting the coarse words):

#####################################
# user.action file, modified for content filtering
#
#
# URL blocking
#
{+block \
}
.rude*..*
.*rude..*
.bad*..*
.*bad..*
#
# ... and lots more! The pairs block any "domain" (first part of the URL) that either starts or ends with the string.
#
/.*(bad|rude|other|more|etc)
#
# The above set of test strings will match the occurrence of the test strings anywhere else in the URL
# string, after the "domain" name. To match only the string, as either only the start (or end), not
# where it is a sub-string, put a space, before/after/both, in the "edit" dialog available in the web
# configuration. Strangely, the 'space' appears as a '+' when you re-edit the string set, but
# not when it is displayed by the web config page.

# I have also had some success in using a filter to replace a set of 'bad' words in pages that get
# through the above block, which was added to the 'default.filter' file
#

FILTER: rude replace banned words

s/( bad | rude| other|more| etc)/**EXPLETIVE DELETED**/ig

# Again, the placement of spaces can (mostly) avoid acceptable words containing the banned strings
# as sub-strings being replaced.


# lastly a '-block' to allow some good sites that had banned words in their URL or in the pages, this
# will develop into a 'white list' over time.
#
{-block \
}
www.google.com
.dmoz.org
#
-------------------------------------------------------------------------------------------------------------------------


I hope that the above is of some use to others.

Bye for now,

Geoff.
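The rule set Geoff posted leaves the FORWARD chain's default policy at ACCEPT, so the one explicit ACCEPT rule never limits anything, and the port-80 REJECT only forces plain HTTP through Privoxy; HTTPS and every other port still bypass the filter. The script below is an added example, not Geoff's script or anything from the Privoxy or iptables projects. It generates the same NAT setup for the thread's topology with a default-deny FORWARD chain, and offers a second mode in which only DNS is forwarded and everything else has to go through the proxy. It assumes the thread's interface roles (eth1 towards the modem/router, eth0 towards the wireless AP), the 192.168.1.0/24 LAN, and Privoxy on its default port 8118; `valid_cidr` and `gen_rules` are names chosen here.

```shell
#!/bin/sh
# Added example (not the poster's script): generate, check and optionally
# apply a NAT + forwarding rule set for the two-NIC server in this thread.
# Assumptions: eth1 faces the modem/router, eth0 faces the wireless AP,
# the LAN is 192.168.1.0/24 and Privoxy listens on its default port 8118.
# Set DRY_RUN=1 to print the commands instead of running them.

# Return 0 if $1 looks like a.b.c.d/n with sane octets and prefix length.
valid_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; bits=${1#*/}
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print one command per line. Args: WAN iface, LAN iface, LAN CIDR, mode.
# mode=blocklist mirrors the thread: forward everything except TCP/80.
# mode=allowlist forwards only DNS; every other LAN flow must use Privoxy.
gen_rules() {
    wan=$1; lan=$2; net=$3; mode=${4:-blocklist}
    valid_cidr "$net" || return 1
    case $mode in blocklist|allowlist) ;; *) return 1 ;; esac
    cat <<EOF
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $lan -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A INPUT -i $lan -s $net -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $lan -s $net -p tcp --dport 8118 -j ACCEPT
iptables -A INPUT -i $lan -s $net -p icmp -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # DHCP DISCOVER arrives from 0.0.0.0, so the dhcpd rule above deliberately
    # has no -s $net match; the other LAN rules are scoped to the subnet.
    if [ "$mode" = blocklist ]; then
        cat <<EOF
iptables -A FORWARD -i $lan -s $net -o $wan -p tcp --dport 80 -j REJECT
iptables -A FORWARD -i $lan -s $net -o $wan -j ACCEPT
EOF
    else
        cat <<EOF
iptables -A FORWARD -i $lan -s $net -o $wan -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $lan -s $net -o $wan -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -i $lan -s $net -j REJECT
EOF
    fi
    cat <<EOF
iptables -t nat -A POSTROUTING -s $net -o $wan -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# Apply (or, with DRY_RUN set, print) the rules; stop at the first failure.
apply_rules() {
    gen_rules "$@" | while IFS= read -r cmd; do
        if [ -n "${DRY_RUN:-}" ]; then echo "$cmd"; else eval "$cmd" || exit 1; fi
    done
}

# Stand-alone use: sh nat.sh prints the blocklist rule set for the thread's LAN.
if [ "${0##*/}" = nat.sh ]; then
    DRY_RUN=1
    apply_rules eth1 eth0 192.168.1.0/24 blocklist
fi
```

Two things worth checking before using either mode: Privoxy only serves the LAN if its `listen-address` is the eth0 address (192.168.1.1:8118) rather than the default 127.0.0.1, and on an older kernel `-m conntrack --ctstate` can be replaced by the equivalent `-m state --state`. The DHCP rule is the edge case that a subnet-scoped rule silently breaks: a client asking for a lease has no address yet, so it sends from 0.0.0.0 and a `-s 192.168.1.0/24` match never sees it.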

