Building a debian firewall on a CF card
I currently have an OpenBSD firewall running on an ancient 586. I have a mini-itx board, CF/IDE converter and a CF card and have been intending to upgrade.
However - rather than OpenBSD I'm going to try for debian (since I know that much better).
This post will end up being a "how I did it" - but at the minute is just a collection of the notes I'm grabbing for now.
For the initial install - I hung a CD-ROM as the slave IDE unit on the primary IDE channel.
I used the 4.0r3 etch netinst CD downloaded from debian.org.
Install went smoothly once I replaced the CF-IDE converter with a newer one that supported DMA (the newer CF card was DMA compatible) as I simply could not get the installer to disable DMA. However - see [debbug:475223] for information on how you could actually do that.
Disk Mounting
From http://www.debian-administration.org/articles/179 I got a starter fstab and the hint about mtab. Here's the versions I ended up with:
/etc/fstab
proc /proc proc defaults 0 0
/dev/hda1 / ext2 noatime,errors=remount-ro 0 1
tmpfs /etc/network/run tmpfs defaults,noatime 0 0
tmpfs /tmp tmpfs defaults,noatime 0 0
tmpfs /var/lock tmpfs defaults,noatime 0 0
tmpfs /var/log tmpfs defaults,noatime 0 0
tmpfs /var/run tmpfs defaults,noatime 0 0
tmpfs /var/tmp tmpfs defaults,noatime 0 0
Warning: By mounting /var/log on tmpfs, logs will only be available for the current session.
/etc/mtab
rm -f /etc/mtab
ln -s /proc/mounts /etc/mtab
IPv6
I have some issues with things when IPv6 is running. So, to disable IPV6 I added:
blacklist ipv6to /etc/modprobe.d/blacklist.
So - now the server boots, mounts the highly active parts of the system on tmpfs (we don't want to burn out the CF card).
Network
I need both ports to come up - one to the ISP, one internal.
TODO: what is the allow-hotplug bit?
/etc/network/interfaces
The loopback network interface
auto lo eth0 eth1
iface lo inet loopback
The external interface
allow-hotplug eth0
iface eth0 inet static
address 213.187.160.178
netmask 255.255.255.252
gateway 213.187.160.177
The internal interface
iface eth1 inet static
address 192.168.1.2
netmask 255.255.255.0
SSH
Install ssh with aptitude.
I configured up ssh with the following sshd_config file (/etc/ssh):
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
Remember to make sure that you have a working set of .ssh/authorized_keys before changing this from yes to no!
PasswordAuthentication no
X11Forwarding no
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
DNS
Install bind9 with aptitude.
Two new files in /etc/bind:
/etc/bind/home.chrissearle.org
$ORIGIN .
$TTL 3600 ; 1 hour
home.chrissearle.org IN SOA ns.home.chrissearle.org. hostmaster.chrissearle.org. (
2008041201 ; serial
3600 ; refresh 1 hr
1800 ; retry 30 mins
604800 ; expire 1 wk
3600 ; minimum 1 hr
)
NS ns.home.chrissearle.org.
$ORIGIN home.chrissearle.org.
menavaur A 192.168.1.1 ; Old firewall
nornour A 192.168.1.2 ; New firewall
dolphin-tp A 192.168.1.3 ; Astrid mac mini LAN
dolphin A 192.168.1.4 ; Astrid mac mini WLAN
slippen-tp A 192.168.1.5 ; Chris laptop LAN
slippen A 192.168.1.6 ; Chris laptop WLAN
czar A 192.168.1.7 ; Linux file server
goldeneagle A 192.168.1.8 ; Astrid XP
galatea-tp A 192.168.1.9 ; Chris laptop (work) LAN
galatea A 192.168.1.10 ; Chris laptop (work) WLAN
bonnet A 192.168.1.11 ; Chris iMac
shah A 192.168.1.12 ; Unused
islander A 192.168.1.13 ; Unused
serica A 192.168.1.14 ; Unused
klondyke A 192.168.1.15 ; Unused
campernel A 192.168.1.16 ; Unused
bedroom-tp A 192.168.1.30 ; Airport
bedroom A 192.168.1.31 ; Airport
lounge-tp A 192.168.1.32 ; Airport
lounge A 192.168.1.33 ; Airport
store A 192.168.1.34 ; ReadyNAS NV+
wii A 192.168.1.35 ; Wii
dhcp50 A 192.168.1.50 ; DHCP
dhcp51 A 192.168.1.51 ; DHCP
dhcp52 A 192.168.1.52 ; DHCP
dhcp53 A 192.168.1.53 ; DHCP
dhcp54 A 192.168.1.54 ; DHCP
dhcp55 A 192.168.1.55 ; DHCP
dhcp56 A 192.168.1.56 ; DHCP
dhcp57 A 192.168.1.57 ; DHCP
dhcp58 A 192.168.1.58 ; DHCP
dhcp59 A 192.168.1.59 ; DHCP
dhcp60 A 192.168.1.60 ; DHCP
wifi1 A 192.168.1.200 ; Linksys AP
wifi2 A 192.168.1.201 ; Linksys AP
ns CNAME nornour
irc CNAME czar
web CNAME czar
1.168.192.in-addr.arpa
$ORIGIN .
$TTL 3600 ; 1 hour
1.168.192.in--addr.arpa IN SOA ns.home.chrissearle.org. hostmaster.chrissearle.org. (
2008041201 ; serial
3600 ; refresh 1 hr
1800 ; retry 30 mins
604800 ; expire 1 wk
3600 ; minimum 1 hr
)
NS ns.home.chrissearle.org.
$ORIGIN 1.168.192.in--addr.arpa.
1 PTR menavaur.home.chrissearle.org. ; Old firewall
2 PTR nornour.home.chrissearle.org. ; New firewall
3 PTR dolphin-tp.home.chrissearle.org. ; Astrid mac mini LAN
4 PTR dolphin.home.chrissearle.org. ; Astrid mac mini WLAN
5 PTR slippen-tp.home.chrissearle.org. ; Chris laptop LAN
6 PTR slippen.home.chrissearle.org. ; Chris laptop WLAN
7 PTR czar.home.chrissearle.org. ; Linux file server
8 PTR goldeneagle.home.chrissearle.org. ; Astrid XP
9 PTR galatea-tp.home.chrissearle.org. ; Chris laptop (work) LAN
10 PTR galatea.home.chrissearle.org. ; Chris laptop (work) WLAN
11 PTR bonnet.home.chrissearle.org. ; Chris iMac
12 PTR shah.home.chrissearle.org. ; Unused
13 PTR islander.home.chrissearle.org. ; Unused
14 PTR serica.home.chrissearle.org. ; Unused
15 PTR klondyke.home.chrissearle.org. ; Unused
16 PTR campernel.home.chrissearle.org. ; Unused
30 PTR bedroom-tp.home.chrissearle.org. ; Airport
31 PTR bedroom.home.chrissearle.org. ; Airport
32 PTR lounge-tp.home.chrissearle.org. ; Airport
33 PTR lounge.home.chrissearle.org. ; Airport
34 PTR store.home.chrissearle.org. ; ReadyNAS NV+
35 PTR wii.home.chrissearle.org. ; Wii
50 PTR dhcp50.home.chrissearle.org. ; DHCP
51 PTR dhcp51.home.chrissearle.org. ; DHCP
52 PTR dhcp52.home.chrissearle.org. ; DHCP
53 PTR dhcp53.home.chrissearle.org. ; DHCP
54 PTR dhcp54.home.chrissearle.org. ; DHCP
55 PTR dhcp55.home.chrissearle.org. ; DHCP
56 PTR dhcp56.home.chrissearle.org. ; DHCP
57 PTR dhcp57.home.chrissearle.org. ; DHCP
58 PTR dhcp58.home.chrissearle.org. ; DHCP
59 PTR dhcp59.home.chrissearle.org. ; DHCP
60 PTR dhcp60.home.chrissearle.org. ; DHCP
200 PTR wifi1.home.chrissearle.org. ; Linksys AP
201 PTR wifi2.home.chrissearle.org. ; Linksys AP
Then we need to activate these two:
/etc/bind/named.conf.local
zone "home.chrissearle.org" {
type master;
file "/etc/bind/home.chrissearle.org";
};
zone "1.168.192.in-addr.arpa" {
type master;
file "/etc/bind/1.168.192.in-addr.arpa";
};
Restarted bind - now this is authoritative for my local net 192.168.1.x and forwards to the ISP for everything else.
DHCPD
Install dhcpd (virtual package) with aptitude.
Firstly - we want only to serve DHCP internally - that is on interface eth1.
/etc/defaults/dhcp
INTERFACES="eth1"
Now configure it. Most internal machines get a fixed IP via MAC address, but there is also a range of .50 to .60 for visitors.
/etc/dhcpd.conf
group {
option subnet-mask 255.255.255.0;
option routers 192.168.1.2;
option domain-name-servers 192.168.1.2;
option domain-name "home.chrissearle.org";
host menavaur {
hardware ethernet 00:60:08:47:03:69;
fixed-address 192.168.1.1;
}
host dolphin-tp {
hardware ethernet 00:16:CB:94:15:D3;
fixed-address 192.168.1.3;
}
host dolphin {
hardware ethernet 00:16:CB:05:8C:03;
fixed-address 192.168.1.4;
}
host slippen-tp {
hardware ethernet 00:16:CB:C9:2E:A3;
fixed-address 192.168.1.5;
}
host slippen {
hardware ethernet 00:16:CB:B9:F5:B6;
fixed-address 192.168.1.6;
}
host czar {
hardware ethernet 00:0A:5E:1F:3D:6F;
fixed-address 192.168.1.7;
}
host goldeneagle {
hardware ethernet 00:0C:6E:4D:48:DA;
fixed-address 192.168.1.8;
}
host galatea-tp {
hardware ethernet 00:1B:63:A8:06:8B;
fixed-address 192.168.1.9;
}
host galatea {
hardware ethernet 00:1C:B3:C5:21:5B;
fixed-address 192.168.1.10;
}
host bedroom-tp {
hardware ethernet 00:14:51:74:F6:AA;
fixed-address 192.168.1.30;
}
host bedroom {
hardware ethernet 00:14:51:74:F6:AB;
fixed-address 192.168.1.31;
}
host lounge-tp {
hardware ethernet 00:14:51:73:86:96;
fixed-address 192.168.1.32;
}
host lounge {
hardware ethernet 00:14:51:73:86:97;
fixed-address 192.168.1.33;
}
host wii {
hardware ethernet 00:19:1D:FE:A0:56;
fixed-address 192.168.1.35;
}
host wifi1 {
hardware ethernet 00:1A:70:AB:A4:AC;
fixed-address 192.168.1.200;
}
host wifi2 {
hardware ethernet 00:1A:70:AB:A6:91;
fixed-address 192.168.1.201;
}
}
shared-network LOCAL-NET {
option domain-name "home.chrissearle.org ";
option domain-name-servers 192.168.1.2;
subnet 192.168.1.0 netmask 255.255.255.0 {
option routers 192.168.1.2;
range 192.168.1.50 192.168.1.60;
}
}
DenyHosts
Denyhosts will add hosts to /etc/hosts.deny if they try things like brute force attacks on ssh.
Install denyhosts with aptitude.
Configure the /etc/denyhosts.conf file - I simply changed the mail addresses and mail server - everything else was left defaulted.
IPTables
From http://www.debian-administration.org/articles/23 and http://www.debian-administration.org/articles/73 - the following iptables script was generated.
/etc/network/if-ip.d/00-firewall
!/bin/sh
PATH=/usr/sbin:/sbin:/bin:/usr/bin
Set policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
delete all existing rules.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
NAT ssh (2222) and http (80) to an internal machine
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.7:80
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 2222 -j DNAT --to 192.168.1.7:22
Open some ports externally (including the ports for NAT)
iptables -A FORWARD -p tcp -m state --state NEW --dport 22 -i eth0 -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW --dport 80 -i eth0 -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW --dport 2222 -i eth0 -j ACCEPT
Masquerade.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Don't forward from the outside to the inside.
iptables -A FORWARD -i eth0 -o eth0 -j REJECT
Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
