Server Howtos
You could use a prepackaged gateway distro, and it would be quite secure, but you also wouldn't understand much about it, or be able to fiddle with it, or use it for much else. So if you want to find another use for your Etch box, and make the server route as well as serve, then read on.
While best practice has it that we should put servers in a DMZ, and not run them on the firewall, for low-priority applications it is seen as secure enough. Examples of these combined gateway/server appliances are ClarkConnect and Gibraltar. You might not have a spare server farm sitting around or be able to afford the megawatts to keep the whole thing running and cool.
Setting this up is not really for the faint of heart, so having a reason to do it is useful:
It's achievable for intermediate users, but have a large chunk of time free, on top of a couple of days of prior reading about the strengths and weaknesses of your particular modem and telco environment.
Also bear in mind that this process will break net connectivity for a good while, so you have to be prepared. Googling once you start is out, unless you have more than one net connection.
We are going to do this in two stages.
The setup will look like this:
LAN PCs-->Primary switch-->server-->modem-->phoneline
The server's LAN IP will be 192.168.0.1/24, static
The server's WAN IP will be in 192.168.1.0/24, DHCP client
The modem IP will be 192.168.1.254/24, DHCP server
Stage One
Because this process involves a number of data cable and IP address changes, get yourself a laptop and sit down beside the server and modem.
The first thing to do is to put the second NIC into the server. Then without configuring it, see which NIC still works on your LAN. That is your LAN port, label it.
Modem config
Next you need to reconfigure your modem. Bear in mind that these generic instructions apply to a range of cheap dsl modem routers, but may need some tweaking for your particular modem.
Assuming the modem is currently running happily in static LAN + NAT, plug the laptop directly into the modem (on 192.168.0.10)
Browse to 192.168.0.254 (or whatever your modem config address was)
Configuration | Advanced | Misc Configuration | HTTP Server Port | 81
Save settings, restart modem
Browse to 192.168.0.254:81 (new modem config port)
Configuration | LAN | ip address | 192.168.1.254
Configuration | LAN | dhcp server| enabled
Configuration | LAN | dhcp server| DHCP address pool selection |auto
Save settings, restart modem
Unplug the laptop from the modem, and plug it back into the LAN port of the server, via either a crossover cable or a switch (with the laptop still on 192.168.0.10). Then plug the server WAN NIC into the modem.
Server config
On the server, configure the new NIC:
nano /etc/network/interfaces
auto lo
iface lo inet loopback
allow-hotplug eth0
iface eth0 inet static
address 192.168.0.1
netmask 255.255.255.0
network 192.168.0.0
auto eth1
allow-hotplug eth1
iface eth1 inet dhcp
Restart the interfaces you changed, assuming both:
ifdown eth1
ifup eth1
ifdown eth0
ifup eth0
Wait 60 seconds, then:
ifconfig eth1
When the modem has issued, and the server received, an IP address, this will show up in the ifconfig readout as an address in the 192.168.1.0/24 range. If there is no address line, go back a few steps and check everything; otherwise so far so good.
Get a few packages we need (might have some of these already):
aptitude install iptables iproute dnsmasq dhcp3-client
Firewall
Next, while we are still protected by the firewall in the modem, we set up the server's firewall and NAT. We do this with iptables. For now this is a light and quick ruleset; later we will improve it. Paste the following lines into an ssh terminal session as root:
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -F
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F -t nat
/sbin/iptables -X
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -m state --state NEW,INVALID -j DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
/sbin/iptables -A INPUT -p icmp -j DROP
/sbin/iptables -A INPUT -i eth1 -p tcp --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p udp --sport 137 --dport 137 -j DROP
/sbin/iptables -A INPUT -j DROP
To test the NAT, run these checks from a LAN client; if they all succeed, NAT is working:
ping 192.168.0.1
ping 192.168.1.1
ping 192.168.1.254
ping www.google.co.nz
What you have now is a double NAT, double firewall situation, and the LAN will be back on line for now. But don't stop here, because double NAT is not that stable, and if you have ports forwarded from your modem to the old server IP, that will be broken too.
DNS Proxy
The final task of stage one is to set up a caching DNS proxy, to replace the one provided by the modem. Among other things this approach will speed up repetitive DNS lookups for LAN users, and for the server itself.
nano /etc/dnsmasq.conf
interface=eth0
no-dhcp-interface=eth0
nano /etc/resolv.conf
search homeip.net
nameserver 127.0.0.1
nameserver nnn.nn.nnn.n
nameserver nnn.nn.nnn.n
The name servers (nnn.nn.nnn.n) in the last two lines you can fish out of the modem, or look up on your ISP's webpage. The point is to select the correct primary and secondary nameservers (in that order) that are at the other end of your phone line, for the quickest DNS lookups.
Stage Two
In stage 2 we assume stage one is complete, and you at least have the temporary firewall above in place. Stage 2 involves getting rid of the double NAT situation. Exactly how you do this will depend on the DSL encapsulation that your ISP uses, and the features available in your modem. In general ISPs that support PPPoE encapsulation will be the best. However in the UK and NZ it is more common to find PPPoA being used.
The methods you can choose, in order of preference, are:
If you can do 1 or 2, install and configure a PPPoE client (such as pppoe + pppoeconf) and modify ifconfig to use ppp0 instead of eth1. You have it easy.
For the rest, these instructions will cover half bridge and 1:1 NAT. Be warned that some modems' half bridge implementations are rather dodgy, and in fact the whole concept is nothing more than a patch. If you have trouble with it you'll need to resort to another method.
Modem half bridge
The best way to do this is to break the process into 2 halves.
Because windows understands half bridge natively, using a windows box to put the modem into half bridge and confirm its working is the best first step.
So, unplug the modem from the server WAN port, and plug it straight into your laptop. Set your laptop NIC to DHCP, then browse to 192.168.1.254:81
Assuming you already have the modem running ok in dhcp NAT as per the stage one instructions, do the following (again generic commands YMMV):
Configuration | Advanced | Misc Configuration | Half bridge | Enabled
Configuration | WAN | pvc0 submit| encapsulation | pppoa VC-MUX,
Save settings and reboot modem
You may at this point need to manually restart the ppp link on the modem:
Status | ppp | connect | execute
Wait one minute.
Now check your laptop's NIC properties/status, and record the details you see there. Example:
IP: 118.27.21.118
Gateway: 118.27.21.119
Netmask: 255.0.0.0
Lease: 1 minute
If it has an ISP WAN IP then the modem is in half bridge OK.
If not you SHOULD be able to get back into the modem on 192.168.1.254:81. If not, you will need to factory reset the modem and go back as many steps as you need to and start over.
Server config
Now unplug the laptop, return it to a static LAN address and plug it back into the LAN subnet of the server; then plug the server WAN back into the modem.
Ordinarily the etch server would pick up the public IP as did the windows box. You can see if this is so by typing:
ifconfig eth1
Usually the public address is picked up ok, and will be shown on the second line under addr: 118.27.21.118. Next try:
route
If you get output like this, without a pause, you are fine:
Destination     Gateway           Genmask         Flags Metric Ref    Use Iface
localnet        *                 255.255.255.0   U     0      0        0 eth0
118.0.0.0       *                 255.0.0.0       U     0      0        0 eth1
default         ip-118-27-21-119  0.0.0.0         UG    0      0        0 eth1
But if you get a long pause, then the kernel doesn't know where to find the gateway. This is because Linux doesn't understand the shonky half bridge system used by modems, and the solution is a trick known as the `static route hack`. Using the example numbers from above (use yours):
/sbin/route add -host 118.27.21.119 dev eth1
/sbin/route add default gw 118.27.21.119 dev eth1
If both of these commands:
arp
route
respond cheerfully, then you are good to go. This fix will survive both a reboot and a WAN IP change. It's basically just giving ARP a clue about which subnet to start looking in for the gateway, given that the half bridge has issued dodgy information in order to make it work at all.
So now you have the public IP on the server; it is running fully as a gateway, with all ports exposed to the internet. Make sure you have a firewall in place.
1:1 NAT + DMZ
If for whatever reason half bridge didn't work out for you, then you can resort to this method as a backstop. Basically this involves reducing the NAT in the modem to just a 1:1 map between the public WAN IP and one single client IP, which is your server's WAN port, and putting that client in the modem's DMZ. The latter simply turns off the modem's firewall: instead of forwarding individual ports to the server, all ports are forwarded, following the 1:1 NAT map.
Plug your laptop into the modem on the modem's default settings, usually DHCP. Again these instructions will vary somewhat with your particular modem, but the essence of it is common to many products on the market.
a. Firstly with all the messing around above, hard reset the modem
b. Quick start | username and password, PPPoA VCMUX, VPI=0, VCI=100, tick automatically reconnect
c. Configuration | LAN | IP Address | 192.168.1.254
d. Configuration | LAN | dhcp server| disabled
e. Save settings and restart.
f. Reconfigure your laptop NIC to 192.168.1.1 static. Confirm it connects under NAT
g. Browse to 192.168.1.254
h. Configuration | Advanced | Misc Configuration | HTTP Server Port | 81
i. Save settings and restart
j. Browse to 192.168.1.254:81
k. Configuration | Advanced | NAT | mode | NAT (sometimes Static NAT)
l. Configuration | Advanced | NAT | Session name config
m. Enter: name: cow, interface: PPPoPvc0, add, submit
n. Configuration | Advanced | NAT | Session name config | go back to nat config
o. Enter: session: cow , IP= 192.168.1.1, add, submit
p. Configuration | Advanced | Misc config | DMZ | Enabled
q. Configuration | Advanced | Misc config | DMZ host IP | 192.168.1.1
r. Save settings and reboot
Yeah its a mouthful.
Firewall
To get the firewall to survive a reboot you need to put the firewall rules into a startup script. Such a script is included in the Webspaces netmeter package. Save the script as /etc/init.d/firewall
chmod 0700 /etc/init.d/firewall
update-rc.d firewall defaults
If you are using the traffic accounting that comes with that script, then make sure the script's S number in runlevel 2 is higher than MySQL's (so MySQL starts before the firewall tries to use it):
ls -l /etc/rc2.d/
S19mysql -> ../init.d/mysql
S20firewall -> ../init.d/firewall
Also, to be safe, because the firewall won't be running until a little while after the interface is brought up, we should also put a temporary firewall script in /etc/network/if-pre-up.d/firewall-preup which just blocks everything except what is needed to get an IP address from the modem. Or you can just put your firewall script there and be done with it. However most of your startup tasks can't occur so early in the boot process, so that's why I do it in two steps.
Reboot the server and observe to make sure the firewall script runs ok. You can check the firewall rules with:
iptables -L -vxn
Traffic accounting
The essence of traffic accounting is installing firewall rules to match traffic that you want to count, then querying the counters associated with those rules on a regular basis.
To create the two chains, one for user traffic, and one for total traffic:
/sbin/iptables -N Accounting
/sbin/iptables -A Accounting -j DROP
/sbin/iptables -N Accounting2
/sbin/iptables -A Accounting2 -o eth1
/sbin/iptables -A Accounting2 -i eth1
/sbin/iptables -A Accounting2 -o eth0
/sbin/iptables -A Accounting2 -i eth0
/sbin/iptables -I FORWARD 1 -j Accounting
/sbin/iptables -I INPUT 1 -j Accounting2
/sbin/iptables -I OUTPUT 1 -j Accounting2
iptables -I Accounting 1 -s 192.168.0.21 -j RETURN
iptables -I Accounting 1 -d 192.168.0.21 -j RETURN
iptables -I Accounting 1 -s 192.168.0.22 -j RETURN
iptables -I Accounting 1 -d 192.168.0.22 -j RETURN
To read the counters, to zero the counters, and to read and zero the counters:
iptables -L Accounting -vxn
iptables -Z Accounting
iptables -L -Z Accounting -vxn
But you'd make a cron script to unload the counters hourly:
This approach scales until you have so many firewall rules that speed becomes an issue; it has been tested with 20 computers and works fine. With many more you will have to break the rules into sub-chains, like so:
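An hourly unload script for the Accounting chain above, added here as an example (it is not from the original page or the netmeter package); the CSV log path /var/log/accounting.csv and the up/down labelling of rules are my assumptions:

```shell
#!/bin/sh
# Hourly unload of the Accounting chain (added example, not from the page).
# Assumes the Accounting chain and per-host RETURN rules shown above;
# /var/log/accounting.csv is an assumed output path.
# One CSV line per per-host rule: <epoch>,<host>,<direction>,<packets>,<bytes>

# parse_accounting TIMESTAMP: read "iptables -L Accounting -vxn" output on
# stdin. A rule matching a specific source is LAN-to-WAN ("up"); a specific
# destination is WAN-to-LAN ("down"). The final catch-all DROP is skipped.
parse_accounting() {
    awk -v ts="$1" '
        /^Chain / || /^ *pkts/ { next }   # chain header and column titles
        $3 == "RETURN" {
            if ($8 != "0.0.0.0/0")      { host = $8; dir = "up" }
            else if ($9 != "0.0.0.0/0") { host = $9; dir = "down" }
            else next
            printf "%s,%s,%s,%s,%s\n", ts, host, dir, $1, $2
        }'
}

# unload_counters: the real cron job. Listing and zeroing in one iptables
# call means no traffic is lost between the read and the reset (needs root).
unload_counters() {
    /sbin/iptables -L -Z Accounting -vxn \
        | parse_accounting "$(date +%s)" >> /var/log/accounting.csv
}

# Constructed sample of "iptables -L Accounting -vxn" output (counts invented)
# so the parser can be tried without iptables. Rule order reflects the
# "-I Accounting 1" inserts above: the last inserted rule is listed first.
SAMPLE='Chain Accounting (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     120    150000 RETURN     all  --  *      *       0.0.0.0/0            192.168.0.22
      80     12000 RETURN     all  --  *      *       192.168.0.22         0.0.0.0/0
     300    400000 RETURN     all  --  *      *       0.0.0.0/0            192.168.0.21
     150     30000 RETURN     all  --  *      *       192.168.0.21         0.0.0.0/0
       7       560 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# demo_total_bytes HOST: bytes in both directions for HOST, from the sample.
demo_total_bytes() {
    printf '%s\n' "$SAMPLE" | parse_accounting 0 \
        | awk -F, -v h="$1" '$2 == h { s += $5 } END { print s + 0 }'
}
```

Install it as an hourly cron entry calling unload_counters; the CSV can then be loaded into MySQL or summed with awk per host.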
-m iprange --src-range 192.168.0.20-192.168.0.59 -j AccountingA
-m iprange --src-range 192.168.0.60-192.168.0.99 -j AccountingB
You can also match by MAC address, and by partial MAC addresses:
-m mac --mac-source 00:0F:EA:91:04:08
-m mac --mac-source 00:0F:EA:91:04:08 --mac-mask 00:00:00:00:00:0F