Ubuntu Linux and firewalling and dual NIC's


Ubuntu Linux and firewalling and dual NIC's

Bret Busby-2
Hello.

I have a firewall/gateway computer, that has two network cards, and we
are soon to change from ADSL to the (Australian) soupy-doupy NBN thing
with supposedly higher data transmission speed capabilities, which
means a new modem/router thing with which to interface, and so, new
settings (or so, I expect), which means, in the context of the status
of the firewall/gateway computer, replacing the operating system and
firewall software.

I have thus far, used Ubuntu Linux only as a workstation operating
system, which does not involve two network interfaces; two NIC's, and
so I need to know whether Ubuntu can be used on the firewall/gateway
computer, running two NIC's on the same computer.

Please advise.

Thank you in anticipation.

--
Bret Busby
Armadale
West Australia

..............

"So once you do know what the question actually is,
 you'll know what the answer means."
- Deep Thought,
 Chapter 28 of Book 1 of
 "The Hitchhiker's Guide to the Galaxy:
 A Trilogy In Four Parts",
 written by Douglas Adams,
 published by Pan Books, 1992

....................................................

--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
Reply | Threaded
Open this post in threaded view
|

RE: Ubuntu Linux and firewalling and dual NIC's

Brandon Tomlinson
Howdy,

It totally can. This will work by just specifying the interface name.

Example: `ufw allow in on eth0 to any port 80 proto tcp` if you wanted to run a web server.

Hope that answers your question.

-Brandon, out!

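The `ufw allow in on ...` rule in the reply above only governs traffic addressed to the gateway itself; on a two-NIC box, forwarding between the interfaces and NAT are configured separately. The script below is an added example, not Brandon's code or anything from ufw's own documentation, showing the three extra pieces a ufw-managed gateway needs. It assumes eth0 is the NIC facing the modem/router, eth1 the LAN NIC, 192.168.1.0/24 the LAN subnet, and ufw 0.34 or later (for the `route` command).

```shell
#!/bin/sh
# Added example (not code from the reply above): what a ufw-managed
# dual-NIC gateway needs in addition to a single 'ufw allow in on ...'
# rule. ufw "allow in" rules only govern traffic addressed to the box
# itself; forwarding between the NICs and NAT are configured separately.
# eth0 (WAN), eth1 (LAN) and 192.168.1.0/24 are assumptions.
set -eu

WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
DRY_RUN=${DRY_RUN:-1}   # 1: print the ufw commands; 0: run them (as root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf 'ufw %s\n' "$*"; else ufw "$@"; fi
}

# 1. NAT: this fragment goes at the TOP of /etc/ufw/before.rules, ahead of
#    its existing '*filter' section (ufw feeds the file to iptables-restore).
ufw_nat_fragment() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
COMMIT
EOF
}

# 2. Forwarding has to be switched on in ufw's own sysctl file,
#    /etc/ufw/sysctl.conf, which uses slashes rather than dots.
ufw_sysctl_line() {
    printf 'net/ipv4/ip_forward=1\n'
}

# 3. The rules. 'allow in' is the INPUT chain; 'route allow' (ufw 0.34 and
#    later) is the FORWARD chain, which a plain 'allow in' never touches.
#    Routed traffic is denied by default and only LAN -> WAN is opened;
#    replies come back through ufw's built-in RELATED,ESTABLISHED rules.
ufw_gateway_rules() {
    run default deny incoming
    run default allow outgoing
    run default deny routed
    run allow in on "$LAN"                           # LAN hosts may reach the gateway
    run route allow in on "$LAN" out on "$WAN"       # LAN -> Internet
    run allow in on "$WAN" to any port 22 proto tcp  # admin SSH from outside (optional)
}

ufw_gateway_rules
```

Put the output of `ufw_nat_fragment` at the top of /etc/ufw/before.rules and the sysctl line in /etc/ufw/sysctl.conf, run the script as root with DRY_RUN=0, then `ufw disable && ufw enable` so before.rules is reloaded; `ufw status verbose` should then show `deny (routed)` plus the route rule. Check the real interface names with `ip link` first: Ubuntu releases since 15.10 name NICs like enp3s0 rather than eth0, and a rule bound to a non-existent interface silently matches nothing.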

Re: Ubuntu Linux and firewalling and dual NIC's

Rashkae-2
In reply to this post by Bret Busby-2
On 17-04-26 05:41 PM, Bret Busby wrote:

> Hello.
>
> I have a firewall/gateway computer, that has two network cards, and we
> are soon to change from ADSL to the (Australian) soupy-doupy NBN thing
> with supposedly higher data transmission speed capabilities, which
> means a new modem/router thing with which to interface, and so, new
> settings (or so, I expect), which means, in the context of the status
> of the firewall/gateway computer, replacing the operating system and
> firewall software.
>
> I have thus far, used Ubuntu Linux only as a workstation operating
> system, which does not involve two network interfaces; two NIC's, and
> so I need to know whether Ubuntu can be used on the firewall/gateway
> computer, running two NIC's on the same computer.
>


Depending on your situation and what you're more comfortable with, you
might want to uninstall the network-manager and resolvconf packages, and
configure the two interfaces with the traditional Debian interfaces file and
iptables scripts.  (This is what I still do in this situation; though
I'm not certain it's still the *best* solution, it is certainly what I'm
more familiar with.)



Re: Ubuntu Linux and firewalling and dual NIC's

Bob
In reply to this post by Bret Busby-2
** Reply to message from Bret Busby <[hidden email]> on Thu, 27 Apr 2017
05:41:19 +0800

> Hello.
>
> I have a firewall/gateway computer, that has two network cards, and we
> are soon to change from ADSL to the (Australian) soupy-doupy NBN thing
> with supposedly higher data transmission speed capabilities, which
> means a new modem/router thing with which to interface, and so, new
> settings (or so, I expect), which means, in the context of the status
> of the firewall/gateway computer, replacing the operating system and
> firewall software.

Depends on your security needs.

I went from ADSL to a cable modem.  Both times the computer had dual NICs and a
firewall.  Doing that is no problem with any OS that I have used.  In this kind
of a setup you need the firewall because there is nothing protecting you.
Later I got a fiber connection.  The company supplying the fiber connection
used a combination modem/router to connect my computers.  In this case I used
the modem/router's firewall, as it is good enough for my needs, and deleted the
firewall from the computer.

So what are your security needs?  In my case I decided the router firewall was
good enough to keep most people out, and there is no TOP-SECRET stuff on my
little network that would attract the really bad guys.


> I have thus far, used Ubuntu Linux only as a workstation operating
> system, which does not involve two network interfaces; two NIC's, and
> so I need to know whether Ubuntu can be used on the firewall/gateway
> computer, running two NIC's on the same computer.
>
> Please advise.
>
> Thank you in anticipation.

--
Robert Blair


A government which robs Peter to pay Paul can always depend on the support of Paul.  -- George Bernard Shaw


Re: Ubuntu Linux and firewalling and dual NIC's

J. L.-2
In reply to this post by Bret Busby-2
Hi!

Of course Ubuntu, just like more or less any other Linux distro, _can_
be used for firewalling, but since you asked for advice I'd
_strongly_ suggest you take a look at one of the following
specialized "distros" (pfSense and OPNsense are based on FreeBSD,
not Linux):

http://www.ipfire.org/
https://www.fli4l.de/
https://www.sophos.com/en-us/lp/utm-upgrades.aspx (formerly known as
Astaro Linux)
https://www.pfsense.org/
https://opnsense.org/

Among some others, Endian, Gibraltar, IPCop and Smoothwall seem not to be
really actively maintained any longer. But that depends on one's point
of view! ;-)

Lots of luck!

On 26.04.2017 23:41, Bret Busby wrote:

> Hello.
>
> I have a firewall/gateway computer, that has two network cards, and we
> are soon to change from ADSL to the (Australian) soupy-doupy NBN thing
> with supposedly higher data transmission speed capabilities, which
> means a new modem/router thing with which to interface, and so, new
> settings (or so, I expect), which means, in the context of the status
> of the firewall/gateway computer, replacing the operating system and
> firewall software.
>
> I have thus far, used Ubuntu Linux only as a workstation operating
> system, which does not involve two network interfaces; two NIC's, and
> so I need to know whether Ubuntu can be used on the firewall/gateway
> computer, running two NIC's on the same computer.
>
> Please advise.
>
> Thank you in anticipation.
>



Re: Ubuntu Linux and firewalling and dual NIC's

Xen
In reply to this post by Rashkae-2
Rashkae wrote on 27-04-2017 0:37:

> On 17-04-26 05:41 PM, Bret Busby wrote:
>> Hello.
>>
>> I have a firewall/gateway computer, that has two network cards, and we
>> are soon to change from ADSL to the (Australian) soupy-doupy NBN thing
>> with supposedly higher data transmission speed capabilities, which
>> means a new modem/router thing with which to interface, and so, new
>> settings (or so, I expect), which means, in the context of the status
>> of the firewall/gateway computer, replacing the operating system and
>> firewall software.
>>
>> I have thus far, used Ubuntu Linux only as a workstation operating
>> system, which does not involve two network interfaces; two NIC's, and
>> so I need to know whether Ubuntu can be used on the firewall/gateway
>> computer, running two NIC's on the same computer.
>>
>
>
> Depending on your situation and what you're more comfortable with, you
> might want to uninstall the network-manager and resolvconf packages, and
> configure the two interfaces with the traditional Debian interfaces file
> and iptables scripts.  (This is what I still do in this situation;
> though I'm not certain it's still the *best* solution, it is certainly
> what I'm more familiar with.)

I just want to add that a basic firewall comprises only these steps:

1. echo "1" > /proc/sys/net/ipv4/ip_forward

to turn basic forwarding on


2. allow forwarding from inside to out:

    iptables -A FORWARD -i internal-nic -o external-nic -j ACCEPT

3. disallow forwarding from outside to in:

    iptables -P FORWARD DROP

4. allow forwarding on selected ports that coincide with port forwards.

5. enable masquerading:

    iptables -t nat -A POSTROUTING -i internal-nic -o external-nic -j MASQ

actually it is -j MASQUERADING, using MASQ for shorthand here...
(doesn't work).

(it is -j MASQUERADE lol).


actually those are not the exact commands.

    iptables -t nat -A POSTROUTING -o external-nic -s <lan subnet> -j MASQUERADE

would ordinarily be the exact command, because you cannot
reference the source interface anymore if routing is already completed;
the MASQUERADE rule only changes the source address of your packets
going out, and adds the connection to a table for referencing later on.

Likewise internal port forwards go like this:


    iptables -t nat -A PREROUTING -i external-nic -d <external IP> -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j DNAT --to-destination <internal IP>

if you do not change the destination port, otherwise you add it with
:port

    iptables -t nat -A PREROUTING -i external-nic -d <external IP> -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j DNAT --to-destination <internal IP>:<destination port>

So the PREROUTING chain obviously does not know yet whether something is
going to be a forwarded packet or a packet destined for the host itself.

Therefore you cannot use -o <destination-nic> in PREROUTING and you
cannot use -i <source-nic> in POSTROUTING.

At this point you have a fully functioning firewall except that your
port forward won't work until you do:

    iptables -t

no actually not a different table.

    # --dport needs -p tcp in front of it, or iptables rejects the rule
    iptables -A FORWARD -i <external-nic> -o <internal-nic> -d <internal IP> -p tcp --dport 22 -j ACCEPT

and you also need

    iptables -A FORWARD -i <external> -o <internal> -m conntrack --ctstate ESTABLISHED -j ACCEPT

but actually you also need "RELATED" but in a real firewall these stages
would get separated.

    iptables -A FORWARD -i <external> -o <internal> -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

this ensures that connections originating from your LAN also get
forwarded.



Therefore:

1. everything going out is allowed
2. nothing going in is allowed unless it is RELATED,ESTABLISHED or
destined for a recognised allowed port.
3. you have not defined any open ports on the host itself at this point,
only port forwards and the like
4. masquerading works to give packets coming from within the address of
your external IP.
5. masquerading is a kind of packet mangling that is not sufficient to
allow access if forwarding is turned off.
6. you need to turn forwarding for these packets on by triggering on
RELATING ... err... RELATED and ESTABLISHED like we have done above.
7. initially you need to activate /proc/sys/net/ipv4/ip_forward

8. these ca. 7 commands including one port forward you would put in e.g.
/etc/rc.local to have them executed at each boot.

9. you won't have any Up... no UPnP port forwarding this way.

10. you can't access your external port forwards yet from the inside,
this way.

Other than that this is a complete solution.

If you open an internal port like port 22 to external traffic instead,
you would get:

    iptables -A INPUT -i <external> -p tcp -m tcp --dport 22 -j ACCEPT
    iptables -P INPUT DROP
    iptables -A INPUT -i <internal> -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    # with a DROP policy the replies to connections the gateway itself
    # opens (apt, DNS, NTP) also have to be let back in:
    iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

or

    iptables -A INPUT -i   ... the same command as above, thus:

    iptables -A INPUT -i <external> -p tcp -m tcp --dport 22 -j ACCEPT

and then:

    iptables -A INPUT -i <external> -j DROP

to drop everything else coming from the outside, but allowing everything
else by:

    iptables -P INPUT ACCEPT

At that point you have firewall rules for:

- INPUT
- FORWARD
- MASQUERADING
- port forwards

but no output yet, which is simply:

    iptables -P OUTPUT ACCEPT

and you're done.

So as said you can't use your own port forwards from the inside now but
everything else is there already.

Your device will now be pummeled by remote break-in attempts.

For this you can install "lippam-shield"... no, "libpam-shield", which
after a tiny bit of configuration will block hosts that do repeated
break-in attempts through e.g. SSH.

Using null-rutes.... routes, so traffic coming from those hosts is
silently dropped without issue.

Otherwise your logs fill up immensely.

Sorry I can't type, that's all ;-).

Regards.
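Putting Xen's steps above together with Rashkae's "interfaces file plus iptables script" approach, as an added example that is not code from either post: one script that emits the whole rule set in iptables-restore syntax, so it is loaded atomically instead of rule by rule from /etc/rc.local, plus the ifupdown stanza that loads it when the WAN interface comes up. It goes a little beyond the post: the INPUT chain accepts RELATED,ESTABLISHED (so the gateway's own apt and DNS replies survive the DROP policy), INVALID packets are dropped, and two hairpin rules cover Xen's point 10 so LAN hosts can use the port forward via the public address. The interface names eth0/eth1, the subnet 192.168.1.0/24, the public address 203.0.113.10 (a documentation range), the forward of port 22 to 192.168.1.20 and the script path /usr/local/sbin/fw.sh are all assumptions.

```shell
#!/bin/sh
# Added example (not from any post in this thread): Xen's rule set as one
# iptables-restore file, loaded atomically, plus the ifupdown stanza that
# Rashkae's "interfaces file + iptables script" approach would use to
# load it. Every name and address below is an assumption; change them.
set -eu

WAN=${WAN:-eth0}                   # NIC facing the NBN modem/router
LAN=${LAN:-eth1}                   # NIC facing the internal network
LAN_NET=${LAN_NET:-192.168.1.0/24} # internal subnet (assumed /24)
LAN_ADDR=${LAN_ADDR:-192.168.1.1}  # gateway's own address on $LAN
WAN_IP=${WAN_IP:-203.0.113.10}     # public address on $WAN (TEST-NET-3)
FWD_PORT=${FWD_PORT:-22}           # external TCP port to forward
FWD_DST=${FWD_DST:-192.168.1.20}   # internal host that receives it

# Whole rule set, nat and filter tables, in iptables-restore syntax.
# Only lines that begin with '#' are comments to iptables-restore.
fw_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# port forward from outside; -o cannot be matched here, routing is not done yet
-A PREROUTING -i $WAN -d $WAN_IP -p tcp --dport $FWD_PORT -m conntrack --ctstate NEW -j DNAT --to-destination $FWD_DST
# hairpin NAT: LAN hosts reach the forward via the public address (point 10)
-A PREROUTING -i $LAN -s $LAN_NET -d $WAN_IP -p tcp --dport $FWD_PORT -j DNAT --to-destination $FWD_DST
-A POSTROUTING -o $LAN -s $LAN_NET -d $FWD_DST -p tcp --dport $FWD_PORT -j MASQUERADE
# masquerade LAN traffic leaving on the WAN; match by source net, not -i
-A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $LAN -j ACCEPT
# uncomment to administer the gateway itself over SSH from the outside
#-A INPUT -i $WAN -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN -o $WAN -j ACCEPT
-A FORWARD -i $WAN -o $LAN -d $FWD_DST -p tcp --dport $FWD_PORT -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN -o $LAN -d $FWD_DST -p tcp --dport $FWD_PORT -j ACCEPT
COMMIT
EOF
}

# /etc/network/interfaces stanza (ifupdown, NetworkManager removed):
# DHCP from the modem/router on the WAN side, static LAN side, and the
# rules re-applied each time the WAN interface comes up.
interfaces_stanza() {
    cat <<EOF
auto $WAN
iface $WAN inet dhcp
    post-up FW_ACTION=apply /usr/local/sbin/fw.sh

auto $LAN
iface $LAN inet static
    address $LAN_ADDR
    netmask 255.255.255.0
EOF
}

case ${FW_ACTION:-print} in
    check) fw_rules | iptables-restore --test ;;   # parse only, nothing committed
    apply) sysctl -w net.ipv4.ip_forward=1 >/dev/null
           fw_rules | iptables-restore ;;          # all-or-nothing load
    *)     fw_rules ;;                              # default: just show the rules
esac
```

Run it with FW_ACTION=check first: iptables-restore parses the file without touching the live rules, so a typo cannot leave the box with half a rule set. Then FW_ACTION=apply as root, and a line `net.ipv4.ip_forward=1` in /etc/sysctl.d/ so forwarding survives reboots (the package iptables-persistent can load a saved copy from /etc/iptables/rules.v4 at boot instead of the post-up hook). This is IPv4 only: ip6tables starts with ACCEPT policies, so if the new NBN modem/router hands the gateway an IPv6 address, give ip6tables the same INPUT and FORWARD policies or the host is reachable unfiltered over v6.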