Ubuntu Linux and firewalling and dual NIC's

Xen list at xenhideout.nl
Thu Apr 27 09:49:23 UTC 2017


Rashkae wrote on 27-04-2017 0:37:
> On 17-04-26 05:41 PM, Bret Busby wrote:
>> Hello.
>> 
>> I have a firewall/gateway computer, that has two network cards, and we
>> are soon to change from ADSL to the (Australian) soupy-doupy NBN thing
>> with supposedly higher data transmission speed capabilities, which
>> means a new modem/router thing with which to interface, and so, new
>> settings (or so, I expect), which means, in the context of the status
>> of the firewall/gateway computer, replacing the operating system and
>> firewall software.
>> 
>> I have thus far, used Ubuntu Linux only as a workstation operating
>> system, which does not involve two network interfaces; two NIC's, and
>> so I need to know whether Ubuntu can be used on the firewall/gateway
>> computer, running two NIC's on the same computer.
>> 
> 
> 
> Depending on your situation and what you're more comfortable with, you
> might want to uninstall network manager and resolvconf packages, and
> configure the two interfaces with traditional debian interfaces file
> and iptables scripts.  (this is what I still do in this situation,
> though I'm not certain it's still the *best* solution, it is certainly
> what I'm more familiar with.)

I just want to add that a basic firewall comprises only these steps:

1. echo "1" > /proc/sys/net/ipv4/ip_forward

to turn basic forwarding on


2. allow forwarding from inside to out:

    iptables -A FORWARD -i internal-nic -o external-nic -j ACCEPT

3. disallow forwarding from outside to in:

    iptables -P FORWARD DROP

4. allow forwarding on selected ports that coincide with port forwards.

5. enable masquerading:

    iptables -t nat -A POSTROUTING -i internal-nic -o external-nic -j MASQ

actually it is -j MASQUERADING, using MASQ for shorthand here... 
(doesn't work).

(it is -j MASQUERADE lol).


actually those are not the exact commands.

    iptables -t nat -A POSTROUTING -o external-nic -s <lan subnet> -j MASQUERADE

would ordinarily be the exact command, because you cannot reference the 
source interface anymore once routing is already completed; the 
MASQUERADE rule only changes the source address of your packets going 
out, and adds the connection to a table for referencing later on.

Likewise internal port forwards go like this:


    iptables -t nat -A PREROUTING -i external-nic -d <external IP> -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j DNAT --to-destination <internal IP>

if you do not change the destination port; otherwise you add it with 
:port:

    iptables -t nat -A PREROUTING -i external-nic -d <external IP> -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j DNAT --to-destination <internal IP>:<destination port>

So the PREROUTING chain obviously does not know yet whether something is 
going to be a forwarded packet or a packet destined for the host itself.

Therefore you cannot use -o <destination-nic> in PREROUTING and you 
cannot use -i <source-nic> in POSTROUTING.

At this point you have a fully functioning firewall except that your 
port forward won't work until you do:

    iptables -t

no actually not a different table.

    iptables -A FORWARD -i <external-nic> -o <internal-nic> -p tcp --dport 22 -j ACCEPT

and you also need

    iptables -A FORWARD -i <external> -o <internal> -m conntrack --ctstate ESTABLISHED -j ACCEPT

but actually you also need "RELATED" but in a real firewall these stages 
would get separated.

    iptables -A FORWARD -i <external> -o <internal> -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

this ensures that connections originating from your LAN also get 
forwarded.



Therefore:

1. everything going out is allowed
2. nothing going in is allowed unless it is RELATED,ESTABLISHED or 
destined for a recognised allowed port.
3. you have not defined any open ports on the host itself at this point, 
only port forwards and the like
4. masquerading works to give packets coming from within the address of 
your external IP.
5. masquerading is a kind of packet mangling that is not sufficient to 
allow access if forwarding is turned off.
6. you need to turn forwarding for these packets on by triggering on 
RELATING ... err... RELATED and ESTABLISHED like we have done above.
7. initially you need to activate /proc/sys/net/ipv4/ip_forward

8. these ca. 7 commands including one port forward you would put in e.g. 
/etc/rc.local to have them executed at each boot.

9. you won't have any Up... no UPnP port forwarding this way.

10. you can't access your external port forwards yet from the inside, 
this way.

Other than that this is a complete solution.

If you open an internal port like port 22 to external traffic instead, 
you would get:

    iptables -A INPUT -i <external> -p tcp -m tcp --dport 22 -j ACCEPT
    iptables -P INPUT DROP
    iptables -A INPUT -i <internal> -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT

or

    iptables -A INPUT -i   ... the same command as above, thus:

    iptables -A INPUT -i <external> -p tcp -m tcp --dport 22 -j ACCEPT

and then:

    iptables -A INPUT -i <external> -j DROP

to drop everything else coming from the outside, but allowing everything 
else by:

    iptables -P INPUT ACCEPT

At that point you have firewall rules for:

- INPUT
- FORWARD
- MASQUERADING
- port forwards

but no output yet, which is simply:

    iptables -P OUTPUT ACCEPT

and you're done.

So as said you can't use your own port forwards from the inside now but 
everything else is there already.

Your device will now be pummeled by remote break-in attempts.

For this you can install "lippam-shield"... no, "libpam-shield", which 
after a tiny bit of configuration will block hosts that make repeated 
break-in attempts through e.g. SSH.

Using null-routes, so traffic coming from those hosts is silently 
dropped without issue.

Otherwise your logs fill up immensely.

Sorry I can't type, that's all ;-).

Regards.

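The procedure from the message above, written out as an added example (this is not code from the original post): the same two-NIC NAT gateway rules as one iptables-restore ruleset, which is the form Ubuntu's iptables-persistent package loads from /etc/iptables/rules.v4 at boot, and a cleaner alternative to a list of iptables -A calls in /etc/rc.local. Interface names, the LAN subnet, the external IP (203.0.113.5 is a documentation-range placeholder) and the forwarded host are assumptions passed in as arguments. It also fills in two things the post leaves out or marks as missing: a RELATED,ESTABLISHED rule on INPUT, without which a DROP policy on INPUT cuts the gateway itself off from replies to its own outbound connections, and the hairpin DNAT/MASQUERADE pair that lets LAN hosts reach the port forward via the external address (point 10 above).

```shell
# Added example (not from the original post): the two-NIC NAT gateway rules
# discussed above, emitted as an iptables-restore ruleset. Interface names,
# LAN subnet, external IP and forwarded host are placeholder arguments.
# Nothing is applied unless the output is fed to iptables-restore as root.

# gen_ruleset EXT_IF INT_IF LAN_SUBNET EXT_IP FWD_HOST FWD_PORT
gen_ruleset() {
    ext="$1" int="$2" lan="$3" extip="$4" host="$5" port="$6"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT runs before the routing decision, so only -i (never -o) is usable here.
-A PREROUTING -i $ext -d $extip -p tcp --dport $port -m conntrack --ctstate NEW -j DNAT --to-destination $host:$port
# Hairpin: LAN clients that connect to the external IP get the same DNAT.
-A PREROUTING -i $int -s $lan -d $extip -p tcp --dport $port -j DNAT --to-destination $host:$port
# MASQUERADE runs after routing, so match on -s and -o (never -i).
-A POSTROUTING -s $lan -o $ext -j MASQUERADE
# Hairpin replies must return via the gateway, so rewrite the source as well.
-A POSTROUTING -s $lan -d $host -o $int -p tcp --dport $port -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The gateway itself: loopback, replies to its own outbound connections
# (needed with a DROP policy, or apt/DNS from the box stop working), the LAN.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $int -j ACCEPT
# Forwarding: replies in both directions, LAN out, and the DNATed port in.
# The destination is matched post-DNAT, i.e. the internal host, not $extip.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $int -o $ext -j ACCEPT
-A FORWARD -i $ext -o $int -d $host -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $int -o $int -d $host -p tcp --dport $port -j ACCEPT
COMMIT
EOF
}

# apply_ruleset: enable forwarding and load the rules atomically (root only).
# iptables-restore swaps the whole ruleset in one go, so a script that dies
# halfway cannot leave the box half-open the way a run of iptables -A calls can.
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_ruleset "$@" | iptables-restore
}

# Run directly with six arguments to print the ruleset, e.g.
#   sh nat-gw.sh eth0 eth1 192.168.1.0/24 203.0.113.5 192.168.1.10 22 > /etc/iptables/rules.v4
if [ "$#" -eq 6 ]; then
    gen_ruleset "$@"
fi
```

Check the generated file with `iptables-restore --test < rules.v4` before loading it, and verify afterwards with `iptables -S` and `iptables -t nat -S`. Because DNAT in PREROUTING happens before INPUT is consulted, forwarding port 22 means the gateway's own sshd is reachable only from the LAN in this ruleset; to expose it externally, forward a different port or move the host's sshd.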
More information about the ubuntu-users mailing list