Using Annvix as a Router

If you have two network adapters, Annvix can serve as a router. Each connection to the router requires either a hub (or switch) connection or a separate network interface. This can be handy if you have two machines and would like the one connected directly to your ISP to be as secure as possible. It is also possible to enable proxy connections without using these steps, and use Squid as a proxy server instead. Squid can also be used in conjunction with this guide to allow filtering and routing at the same time. There are a variety of tools to assist with making a system act as a router, firewall and/or proxy, and most will give you much finer control over traffic than this guide outlines.
Enable IP Forwarding

The default Annvix kernel has all the options you will need enabled, and iptables is installed by default. The ability is there, but the option is disabled by default. The command:

# echo 1 > /proc/sys/net/ipv4/ip_forward

will enable packet forwarding. This should be done with caution, and the paranoid may wish to avoid this step until the last moment.

Setting up the routing tables

iptables is installed by default and its configuration is stored in /etc/sysconfig/iptables by default. It is a good idea to make a backup before making any changes. To see what is currently configured, run either /etc/init.d/iptables status for a verbose list, or iptables -L for a somewhat more succinct display.

After making changes you may find that you've lost all connectivity. This is because the changes are not saved until you issue the command:

# /etc/init.d/iptables save

For testing, you can have the changes automatically revert after a five minute delay with the command:

# (sleep 600;/etc/init.d/iptables restart)&

Another option is to use a script to set up the tables and firewall so that it can easily be run and edited on demand. A sample script may look like this:
#!/bin/sh
echo 0 > /proc/sys/net/ipv4/ip_forward
#Start out with no routing, so nothing is forwarded during the moment when the firewall is empty.
WAN=eth0
LAN=eth1
LAN_IP=10.0.0.1
#With my network devices and internal-facing IP defined, I'm ready to continue
/sbin/iptables -F
#Flush all rules in the filter table
/sbin/iptables -F INPUT
#Flush rules for the INPUT chain
/sbin/iptables -F OUTPUT
#Flush rules for the OUTPUT chain
/sbin/iptables -F FORWARD
#Flush rules for the FORWARD chain
/sbin/iptables -F -t nat
#Flush rules for the nat table
/sbin/iptables -X
#Delete every non-builtin chain
/sbin/iptables -P INPUT DROP
#Default policy for INPUT is to drop packets
/sbin/iptables -P OUTPUT ACCEPT
#Default policy for OUTPUT is to accept packets
/sbin/iptables -P FORWARD ACCEPT
#Default policy for FORWARD is to accept packets
/sbin/iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
#Masquerade packets from inside as they leave on the WAN interface, so replies return to the router
/sbin/iptables -A INPUT -i lo -j ACCEPT
#Accept packets from the loopback interface
/sbin/iptables -A INPUT -i $LAN -d $LAN_IP -j ACCEPT
#Allow packets from inside to reach the router itself
/sbin/iptables -A INPUT -i $LAN -d 255.255.255.255 -j ACCEPT
#Allow broadcast packets from the LAN (DHCP requests, for example)
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#Allow replies to connections the router has already made or accepted
/sbin/iptables -A INPUT -i $LAN -d 0/0 -p tcp --dport 22 -j ACCEPT
#Allowing ssh explicitly from inside. This isn't necessary here (the $LAN_IP rule above already covers it),
#but might be with more complex firewall rules.
/sbin/iptables -A INPUT -i $WAN -d 0/0 -p tcp --dport 22 -j ACCEPT
#Allowing ssh to come in from outside, very optional
echo 1 > /proc/sys/net/ipv4/ip_forward
#Okay, let's start routing again.
This should be commented well enough to make sense to someone who has not used it before, but the simple summary is this: the machine is now acting as a router. Inside machines can talk to the outside, but outside traffic is only allowed in where we decided it made sense.

Enabling Squid as a Transparent Proxy

If you're planning on integrating Squid as a transparent proxy, you should add the line:

/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128

Alternatively, if you want to run a proxy server for someone outside of your internal network, you might add something like this:

/sbin/iptables -A INPUT -i $WAN -d 0/0 -p tcp --dport 3128 -s 111.111.111.111 -j ACCEPT

In this instance you would be accepting TCP packets destined for port 3128 from the IP address 111.111.111.111. More details on configuring Squid itself can be found in the Squid documentation.

Shorewall

Another alternative is to use Shorewall, which uses bash-style configuration files to set up what could be fairly complex rules.
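Once the script and the Squid REDIRECT line have been applied, the thing you most want is a way to confirm that the live rule set still matches the intent described above (INPUT dropping by default, masquerading on the WAN side, stateful replies admitted, and a clear list of anything accepted from outside). The following is an added example written for this page, not code from the Annvix project: it audits an iptables-save style dump with awk and grep. It assumes the interface names and LAN address from the sample script, and it works on a constructed sample dump embedded in the file so it runs offline; on a real router you would pass "$(iptables-save)" (as root) to the same functions. It also checks the transparent-proxy rule, because a PREROUTING REDIRECT written without "-i $LAN" matches port-80 packets arriving on the WAN interface too.

```shell
#!/bin/sh
# Added example, not part of the Annvix page: audit an iptables-save style dump
# against the intent of the router script and the Squid REDIRECT line above.
# It runs offline on a constructed sample; on a real router you would pass
# "$(iptables-save)" (run as root) to the same functions.

WAN=eth0          # interface names and LAN address as in the page's script
LAN=eth1
LAN_IP=10.0.0.1

# Constructed sample of what iptables-save prints after the page's script and
# its transparent-proxy line have been applied (iptables-save normalises
# "-p tcp --dport 22" to "-p tcp -m tcp --dport 22", drops "-d 0/0" and
# writes REDIRECT's option as --to-ports).
PAGE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -d 10.0.0.1/32 -j ACCEPT
-A INPUT -i eth1 -d 255.255.255.255/32 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Two constructed variants: one with the REDIRECT limited to the LAN side,
# one where the INPUT policy was left at ACCEPT.
SCOPED_RULES=$(printf '%s\n' "$PAGE_RULES" | sed "s/^-A PREROUTING -p tcp/-A PREROUTING -i $LAN -p tcp/")
BROKEN_RULES=$(printf '%s\n' "$PAGE_RULES" | sed 's/^:INPUT DROP/:INPUT ACCEPT/')

# policy_of RULES TABLE CHAIN: print the default policy of CHAIN in TABLE.
policy_of() {
    printf '%s\n' "$1" | awk -v t="*$2" -v c=":$3" '
        $1 == t         { in_t = 1; next }
        $1 == "COMMIT"  { in_t = 0 }
        in_t && $1 == c { print $2 }'
}

# rule_count RULES TABLE PATTERN: number of -A lines in TABLE matching the
# extended regex PATTERN (prints 0 instead of failing when nothing matches).
rule_count() {
    printf '%s\n' "$1" | awk -v t="*$2" '
        $1 == t        { in_t = 1; next }
        $1 == "COMMIT" { in_t = 0 }
        in_t && /^-A/  { print }' | grep -Ec -- "$3" || true
}

# audit_router RULES: check the dump against what the router script intends.
# Prints one line per failed check and returns the number of failures.
audit_router() {
    rules=$1; fails=0
    [ "$(policy_of "$rules" filter INPUT)" = DROP ] \
        || { echo "FAIL: INPUT default policy is not DROP"; fails=$((fails + 1)); }
    [ "$(rule_count "$rules" nat "^-A POSTROUTING -o $WAN -j MASQUERADE")" -ge 1 ] \
        || { echo "FAIL: no MASQUERADE for traffic leaving $WAN"; fails=$((fails + 1)); }
    [ "$(rule_count "$rules" filter "^-A INPUT .*--state RELATED,ESTABLISHED -j ACCEPT")" -ge 1 ] \
        || { echo "FAIL: replies to the router's own connections would be dropped"; fails=$((fails + 1)); }
    [ "$(rule_count "$rules" filter "^-A INPUT -i $LAN -d $LAN_IP/32 -j ACCEPT")" -ge 1 ] \
        || { echo "FAIL: LAN hosts cannot reach the router itself"; fails=$((fails + 1)); }
    # The page calls SSH from outside "very optional", so anything accepted
    # on the WAN side is listed for review rather than counted as a failure.
    n=$(rule_count "$rules" filter "^-A INPUT -i $WAN .*-j ACCEPT")
    [ "$n" -eq 0 ] || echo "NOTE: $n INPUT rule(s) accept new connections arriving on $WAN"
    return "$fails"
}

# proxy_redirect_ok RULES: succeed only if the REDIRECT to 3128 exists and is
# limited to packets arriving on $LAN. Without "-i $LAN", port-80 packets
# arriving on $WAN are redirected into Squid as well.
proxy_redirect_ok() {
    [ "$(rule_count "$1" nat "^-A PREROUTING -i $LAN -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128")" -ge 1 ]
}

# Stand-alone run against the constructed sample.
audit_router "$PAGE_RULES" && echo "router rules match the script's intent"
proxy_redirect_ok "$PAGE_RULES" || echo "WARN: REDIRECT to 3128 is not limited to $LAN"
proxy_redirect_ok "$SCOPED_RULES" && echo "scoped variant: REDIRECT limited to $LAN"
```

Run it as a plain shell script; the checks are written against iptables-save output rather than iptables -L so that interface and state matches survive in a form that can be grepped reliably. Pairing it with the five-minute revert trick from the routing-tables section gives a quick loop: apply the script, run the audit, and save only when it reports no failures.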