ubuntu as your gateway
i can't thank linux enough. a year back around this same time i was struggling with what to use as my firewall. i did a lot of experimentation with routers running dd-wrt/openwrt/tomato and actually fried two routers. finally i settled on an $80 refurbished desktop from hp (sff) and converted it into a firewall. so this tutorial is about how to make a firewall while spending as little money as possible. many of us have a spare old machine lying around, and sometimes we basically throw it away because it's too slow to run windows on. my advice: don't throw it away. what i did was take this machine, install a $20 gigabit nic (network interface card) and install ubuntu 14.04 server (i went with the mini iso). i will not cover how to install ubuntu server on a machine as there are plenty of tutorials and you can basically get it running within about 20 mins. there are plenty of tutorials available on firewalls as well. the reason i thought of covering them here is that at one time i was too scared of iptables. but after working with iptables for a year now i can say i am doing ok. this tutorial will get you started with your home firewall.

step 1: get ubuntu 14.04/16.04 installed. you can go with any distro you like; ubuntu is my choice just to make a few things easy.
step 2: when it comes to a firewall, install only the required software. i personally would not like a firewall to have a gui, music player, browser etc. therefore my choice is the ubuntu mini iso. install packages on a need-to-have basis.
step 3: hardware requirements: an additional network interface card. why? one will be our WAN interface and the other will be our LAN interface.
step 4: one important thing to note is that these days isps ship devices that are wifi and modem in one box. i don't like them. basically i prefer to have my own router. so what i do is get into the device and turn its routing functionality off. the device becomes a dumb modem, which is what it's supposed to do anyway.
step 5: so let's take inventory of what we have so far. we have a machine with 2 nics. a router/modem from the isp that we converted into a modem. our own home router that will have the functionality of "just the router".
step 6: so far so good. the next step is to create a file called fwall. on your prompt, elevate your privileges to root. you can do that by typing "su -" and the root password.

mkdir /admin
mkdir /admin/scripts
touch /admin/scripts/fwall
chmod +x /admin/scripts/fwall   # this makes the file executable
next we will write some code. this code will basically ensure that traffic from your LAN interface is sent out the WAN interface of the firewall and vice versa. to download the code below click me and save it as a .sh file. do not forget to make it executable.
#!/bin/bash
# fwall: home gateway firewall with two nics (LAN on $INT, WAN on $EXT)

echo "--> Setup variables and proc"
INT=eth0   # this is your internal (LAN) interface
EXT=eth1   # this is your external (WAN) interface

# read the ip address off each interface. the cut pipeline relies on the
# "inet addr:x.x.x.x" line that the net-tools on ubuntu 14.04/16.04 print
EXTIP=$(ifconfig $EXT | grep -E "inet " | cut -f 2 -d ":" | cut -f 1 -d " ")   # ip address of the WAN interface
INTIP=$(ifconfig $INT | grep -E "inet " | cut -f 2 -d ":" | cut -f 1 -d " ")   # ip address of the LAN interface; make sure this is static

echo 1 > /proc/sys/net/ipv4/ip_forward   # let the kernel route packets between the two nics
IPT=/sbin/iptables
MPROBE=/sbin/modprobe

# LOAD KERNEL MODULES (newer kernels name some of these xt_*; a failed modprobe
# here is harmless because iptables loads the matches and targets it needs on demand)
$MPROBE -v ip_tables
$MPROBE -v ip_conntrack
$MPROBE -v iptable_filter
$MPROBE -v iptable_mangle
$MPROBE -v iptable_nat
$MPROBE -v ipt_LOG
$MPROBE -v ipt_REJECT
$MPROBE -v ipt_limit
$MPROBE -v ipt_state

echo "--> Flush firewall rules"
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F

echo "--> Delete custom chains"
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

echo "--> Firewall default policies"
# anything not explicitly accepted below is dropped; OUTPUT keeps its default ACCEPT
$IPT -P INPUT DROP
$IPT -P FORWARD DROP

echo "--> Setup local interface"
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

##########################################################################################

echo "--> Setup firewall SPI"
# stateful inspection: replies belonging to connections we already know about are let through
$IPT -A INPUT -m state --state established,related -j ACCEPT
$IPT -A FORWARD -m state --state established,related -j ACCEPT
$IPT -A OUTPUT -m state --state established,related -j ACCEPT
$IPT -t nat -A PREROUTING -m state --state established,related -j ACCEPT
$IPT -t nat -A POSTROUTING -m state --state established,related -j ACCEPT
$IPT -t nat -A OUTPUT -m state --state established,related -j ACCEPT

##########################################################################################

echo "--> preventing spoof attacks"
# packets arriving on the WAN side with a private, loopback, link-local, multicast
# or reserved source address cannot be genuine, so drop them
$IPT -A INPUT -s 10.0.0.0/8 -i $EXT -j DROP
$IPT -A INPUT -s 169.254.0.0/16 -i $EXT -j DROP
$IPT -A INPUT -s 172.16.0.0/12 -i $EXT -j DROP    # the rfc 1918 range is a /12 (172.16.0.0 - 172.31.255.255), not a /16
$IPT -A INPUT -s 192.168.0.0/16 -i $EXT -j DROP   # the rfc 1918 range is a /16, not a /24
$IPT -A INPUT -s 127.0.0.0/8 -i $EXT -j DROP
$IPT -A INPUT -s 224.0.0.0/4 -i $EXT -j DROP
$IPT -A INPUT -d 224.0.0.0/4 -i $EXT -j DROP
$IPT -A INPUT -s 240.0.0.0/4 -i $EXT -j DROP      # the reserved (class E) block is 240.0.0.0/4; a /5 would leave 248-255 unfiltered
$IPT -A INPUT -d 240.0.0.0/4 -i $EXT -j DROP
$IPT -A INPUT -s 0.0.0.0/8 -i $EXT -j DROP
$IPT -A INPUT -d 0.0.0.0/8 -i $EXT -j DROP
$IPT -A INPUT -d 239.255.255.0/24 -i $EXT -j DROP
$IPT -A INPUT -d 255.255.255.255 -i $EXT -j DROP

##########################################################################################

echo "--> dropping all INVALID packets"
# packets that connection tracking cannot classify get dropped in every chain
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state INVALID -j DROP
$IPT -A OUTPUT -m state --state INVALID -j DROP

##########################################################################################

echo "--> protecting against SYN FLOOD DOS attacks"
$IPT -N SOD_OFF
$IPT -N SCAN_CHK
# whitelisted source ips skip the scan check; x.x.x.x etc. are placeholders, put your own ips here
for WL in x.x.x.x y.y.y.y z.z.z.z
do
    $IPT -A SCAN_CHK -p tcp -s $WL -j RETURN
done

# ports we deliberately serve on the WAN side are not treated as scans
for PORT_TCP_IN in 22 23
do
    $IPT -A SCAN_CHK -p tcp --dport $PORT_TCP_IN -j RETURN
done

for PORT_UDP_IN in 53 1194
do
    $IPT -A SCAN_CHK -p udp --dport $PORT_UDP_IN -j RETURN
done

# anything else hitting the WAN side is treated as a scan: log it (rate limited),
# remember the source in the "recent" list and, for high ports, hand it to SOD_OFF
$IPT -A SCAN_CHK -m limit --limit 5/minute -m recent --set -j LOG
$IPT -A SCAN_CHK -p tcp -m multiport --dports 1025:65535 -m limit --limit 5/minute -m recent --set -j SOD_OFF
$IPT -A SCAN_CHK -m limit --limit 5/minute -m recent --set -j DROP
$IPT -A SCAN_CHK -j RETURN
$IPT -A INPUT -i $EXT -p tcp -j SCAN_CHK
$IPT -A FORWARD -i $EXT -p tcp -j SCAN_CHK

##########################################################################################

echo "--> enabling adaptive dropping"

#$IPT -N SOD_OFF
#iptables -A SOD_OFF -p tcp -j TARPIT ## use this only if you feel nasty
$IPT -A SOD_OFF -j LOG --log-prefix "SCANNER-"
$IPT -A SOD_OFF -j DROP
# any source that landed in the recent list within the last 300 seconds is dropped outright
$IPT -A INPUT -m recent --rcheck --seconds 300 -j SOD_OFF
$IPT -A FORWARD -m recent --rcheck --seconds 300 -j SOD_OFF

##########################################################################################

echo "--> input to firewall"
# this allows the outside world to connect to your router on the WAN interface (ssh)
$IPT -A INPUT -i $EXT -m tcp -p tcp --dport 22 -j ACCEPT

##########################################################################################

echo "--> internal traffic to firewall"

for TCP_INT_IN in 22
do
    $IPT -t nat -A PREROUTING -i $INT -m tcp -p tcp --dport $TCP_INT_IN -j ACCEPT   # ACCEPT in the nat table only means "no DNAT for this packet"
    $IPT -A INPUT -i $INT -m tcp -p tcp --dport $TCP_INT_IN -j ACCEPT
done

for UDP_INT_IN in 53
do
    # every dns query from the LAN is redirected to the firewall's own LAN address
    $IPT -t nat -A PREROUTING -i $INT -m udp -p udp --dport $UDP_INT_IN -j DNAT --to-dest $INTIP
    $IPT -A INPUT -i $INT -m udp -p udp --dport $UDP_INT_IN -j ACCEPT
done

##########################################################################################

echo "--> through traffic via firewall"
# LAN to WAN: forward the packet, then rewrite its source address to the WAN address (SNAT)
for INT2EXT_TCP in 80 443 22
do
    $IPT -t nat -A PREROUTING -i $INT -m tcp -p tcp --dport $INT2EXT_TCP -j ACCEPT
    $IPT -A FORWARD -i $INT -o $EXT -m tcp -p tcp --dport $INT2EXT_TCP -j ACCEPT
    $IPT -t nat -A POSTROUTING -o $EXT -m tcp -p tcp --dport $INT2EXT_TCP -j SNAT --to-source $EXTIP
done

for INT2EXT_UDP in 53
do
    $IPT -t nat -A PREROUTING -i $INT -m udp -p udp --dport $INT2EXT_UDP -j ACCEPT
    $IPT -A FORWARD -i $INT -o $EXT -m udp -p udp --dport $INT2EXT_UDP -j ACCEPT
    $IPT -t nat -A POSTROUTING -o $EXT -m udp -p udp --dport $INT2EXT_UDP -j SNAT --to-source $EXTIP
done

# catch-all for the remaining tcp and udp traffic from the LAN
$IPT -t nat -A PREROUTING -i $INT -m tcp -p tcp -j ACCEPT
$IPT -A FORWARD -i $INT -o $EXT -m tcp -p tcp -j ACCEPT
$IPT -t nat -A POSTROUTING -o $EXT -m tcp -p tcp -j SNAT --to-source $EXTIP

$IPT -t nat -A PREROUTING -i $INT -m udp -p udp -j ACCEPT
$IPT -A FORWARD -i $INT -o $EXT -m udp -p udp -j ACCEPT
$IPT -t nat -A POSTROUTING -o $EXT -m udp -p udp -j SNAT --to-source $EXTIP
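one thing worth checking before the script goes live is the EXTIP/INTIP lines at the top. the whole SNAT section depends on them, and the ifconfig-and-cut pipeline they use only understands the "inet addr:" layout that the net-tools on 14.04/16.04 print; newer net-tools drop the colon and the pipeline silently returns an empty string. the snippet below is an added example, not code from the post: it runs the post's pipeline and an awk-based replacement (iface_ip) over two constructed ifconfig outputs, and adds a require_ip guard that fails the script instead of writing rules with a blank --to-source. the sample outputs, the 203.0.113.7 address and the function names are all assumptions made for the example.

```sh
#!/bin/sh
# added example, not code from the original post: pull an interface's ipv4
# address out of ifconfig output without depending on the "inet addr:" layout.
# the post's pipeline (cut -f 2 -d ":" | cut -f 1 -d " ") only works with the
# net-tools that ubuntu 14.04/16.04 ship; newer net-tools print
# "inet 203.0.113.7  netmask ..." with no colon, so the pipeline yields an
# empty EXTIP and every SNAT rule built from it fails to load.

# the post's original pipeline, kept here for comparison
post_pipeline() {
    grep -E "inet " | cut -f 2 -d ":" | cut -f 1 -d " "
}

# iface_ip: read ifconfig-style text on stdin and print the first ipv4 address.
# works for both "inet addr:A.B.C.D" (old) and "inet A.B.C.D" (new) layouts.
iface_ip() {
    awk '
        $1 == "inet" {
            ip = $2
            sub(/^addr:/, "", ip)   # strip the old-format "addr:" prefix
            print ip
            exit
        }
    '
}

# require_ip ADDR: print ADDR, or fail loudly when it is empty so the firewall
# script can abort before it writes rules with a blank --to-source
require_ip() {
    if [ -z "$1" ]; then
        echo "could not determine the interface address, aborting" >&2
        return 1
    fi
    printf '%s\n' "$1"
}

# constructed sample outputs (not captured from a real machine); the address is
# taken from the 203.0.113.0/24 documentation range
OLD_FORMAT='eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:203.0.113.7  Bcast:203.0.113.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

NEW_FORMAT='eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 203.0.113.7  netmask 255.255.255.0  broadcast 203.0.113.255
        ether 00:11:22:33:44:55  txqueuelen 1000  (Ethernet)'

echo "old layout, post pipeline: '$(printf '%s\n' "$OLD_FORMAT" | post_pipeline)'"
echo "new layout, post pipeline: '$(printf '%s\n' "$NEW_FORMAT" | post_pipeline)'"
echo "old layout, iface_ip:      '$(printf '%s\n' "$OLD_FORMAT" | iface_ip)'"
echo "new layout, iface_ip:      '$(printf '%s\n' "$NEW_FORMAT" | iface_ip)'"
```

in the fwall script this would become `EXTIP=$(require_ip "$(ifconfig $EXT | iface_ip)") || exit 1`, so a blank address stops the script before any rule is written. on a box with iproute2 the same value can be read with `ip -4 -o addr show dev "$EXT" | awk '{print $4}' | cut -d/ -f1`, which does not change layout between net-tools versions.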
once we are through with our firewall we will have to configure the router to pass the traffic from our LAN to the firewall.
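the "preventing spoof attacks" block is the part of the script where a prefix-length slip goes unnoticed, because iptables happily loads 172.16.0.0/16 even though the rfc 1918 range is a /12, and nothing tells you that 172.20.x.x from the WAN now sails through. the snippet below is an added example, not code from the post: a pure posix sh prefix check (in_cidr) that tells you, offline and without root, which constructed probe addresses a given drop list would catch, comparing a full-size list against one with three easy slips (/16, /24 and /5 where the ranges are really /12, /16 and /4). the function names, both lists and every probe address are assumptions made for the example.

```sh
#!/bin/sh
# added example, not code from the original post: an offline check of which
# source addresses a WAN-side anti-spoof prefix list actually covers. it needs
# neither iptables nor root, so it can run before the fwall script is loaded.
# the prefix arithmetic is plain posix sh; every probe address is constructed.

# ip_to_int: dotted quad -> unsigned 32-bit integer
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP PREFIX/LEN: exit 0 when IP lies inside the prefix, 1 otherwise
in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    len=${2#*/}
    [ "$len" -eq 0 ] && return 0
    # netmask from the prefix length; the final & keeps it to 32 bits
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# matching_prefix IP PREFIX...: print the first prefix that contains IP and
# exit 0; print nothing and exit 1 when none does
matching_prefix() {
    addr=$1
    shift
    for prefix in "$@"; do
        if in_cidr "$addr" "$prefix"; then
            echo "$prefix"
            return 0
        fi
    done
    return 1
}

# the private / loopback / link-local / multicast / reserved prefixes that can
# never be a genuine source on the WAN side, at their full rfc 1918 / iana sizes
FULL_LIST="10.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 224.0.0.0/4 240.0.0.0/4 0.0.0.0/8"

# the same list with three easy prefix-length slips (/16, /24 and /5 where the
# ranges are really /12, /16 and /4), constructed to show what a slip leaves open
NARROW_LIST="10.0.0.0/8 169.254.0.0/16 172.16.0.0/16 192.168.0.0/24 127.0.0.0/8 224.0.0.0/4 240.0.0.0/5 0.0.0.0/8"

# addresses that a correct spoof filter must catch (constructed probes)
BOGON_PROBES="10.1.2.3 172.20.0.1 192.168.5.9 250.1.2.3"

# count_gaps "PREFIX LIST": print how many of the bogon probes the list misses
count_gaps() {
    gaps=0
    for probe in $BOGON_PROBES; do
        matching_prefix "$probe" $1 >/dev/null || gaps=$((gaps + 1))
    done
    echo "$gaps"
}

# report "PREFIX LIST": one line per probe, plus a public address that must pass
report() {
    for probe in $BOGON_PROBES 203.0.113.7; do
        if hit=$(matching_prefix "$probe" $1); then
            echo "  $probe  dropped by $hit"
        else
            echo "  $probe  passes"
        fi
    done
}

echo "full-size prefixes, gaps: $(count_gaps "$FULL_LIST")"
report "$FULL_LIST"
echo "narrowed prefixes, gaps: $(count_gaps "$NARROW_LIST")"
report "$NARROW_LIST"
```

run it once with the exact prefixes from your own fwall script pasted into FULL_LIST: the public probe (203.0.113.7) must always print "passes" and the count for the bogon probes must be 0; any other result means a rule in the spoof block is narrower than the range it is meant to cover.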

concept and design: harshdevX