  1. #1

    Setting up a dedicated firewall running Debian. (IPtables and QOS help)

    I'm in the process of setting up a firewall running Debian. I was running Astaro, but the last update was giving me problems and I fancied a change.

    So far, I have the following installed/configured:
    Dnsmasq - Internal DHCP and DNS server.
    DansGuardian (with Squid) - currently I only have antivirus scanning on; I plan to set up advert blocking at some point soon.
    NTP
    Snort intrusion detection

    Things I need help on.
    QoS <--- this is a must; I do torrent a lot, and my family use Skype and the Xbox, which both need low latency.
    DHCP reservations, needed for the Xbox. EDIT: figured this out as well.
    Port forwarding from the WAN to the Xbox, needs ports 3074 and 88. EDIT: got that working.
    General IP tables help/pointers.

    This is what I have so far in the way of iptables. I just want to know if there is anything really wrong that I shouldn't be doing in this file.

    eth0 is the internal network
    eth1 is the internet (50 Mb down, 5 Mb up fibre).

    Code:
    #!/bin/sh
    ##eth0 is the internal GREEN card, 192.168.117.1
    ##eth1 is the internet RED card, dynamic address from ISP
    sleep 10 ##script is run at boot; adding a small delay so I can ssh in and edit the file if I mess something up when editing.
    PATH=/usr/sbin:/sbin:/bin:/usr/bin
    # Enable routing.
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
    #
    # delete all existing rules.
    #
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X
    # Always accept loopback traffic
    #iptables -A INPUT -i lo -j ACCEPT
    # (commented out; loopback is currently admitted by the "NEW ! -i eth1" rule below, as lo is not eth1)
    
    # Allow established connections, and those not coming from the outside
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -m state --state NEW ! -i eth1 -j ACCEPT
    iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    # Allow outgoing connections from the LAN side.
    iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
    
    # Masquerade.
    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
    
    
    # enable "transparent mode" for DansGuardian (except for my xbox)
    # (negation goes before the option: "! -s", not "-s !")
    iptables -t nat -A PREROUTING -i eth0 ! -s 192.168.117.184 -p tcp --dport 80 -j REDIRECT --to-port 8080
    #iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
    # redirect NTP requests to this machine.
    iptables -t nat -A PREROUTING -i eth0 -p udp --dport 123 -j DNAT --to-destination 192.168.117.1:123
    # redirect DNS requests to this machine
    iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to-destination 192.168.117.1:53
    
    
    ##xbox port forwarding (each DNAT needs the matching FORWARD accept below)
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 3074 -j DNAT --to 192.168.117.184:3074
    iptables -t nat -A PREROUTING -i eth1 -p udp --dport 3074 -j DNAT --to 192.168.117.184:3074
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 88 -j DNAT --to 192.168.117.184:88
    iptables -t nat -A PREROUTING -i eth1 -p udp --dport 88 -j DNAT --to 192.168.117.184:88
    iptables -A FORWARD -p tcp -i eth1 -d 192.168.117.184 --dport 3074 -j ACCEPT
    iptables -A FORWARD -p udp -i eth1 -d 192.168.117.184 --dport 3074 -j ACCEPT
    iptables -A FORWARD -p tcp -i eth1 -d 192.168.117.184 --dport 88 -j ACCEPT
    iptables -A FORWARD -p udp -i eth1 -d 192.168.117.184 --dport 88 -j ACCEPT
    
    
    ##let internal computers make connections
    #set iptables to allow everything from home pcs
    iptables -A INPUT -i eth0 -p all -s 192.168.117.0/24 -j ACCEPT
    iptables -A INPUT -i eth0 -p all -j DROP
    
    ##SYN flood prevention##
    # (whole block is commented out, and nothing jumps to the syn-flood chain yet)
    # create new chain
    #iptables -N syn-flood
    # limits incoming packets
    #iptables -A syn-flood -m limit --limit 300/second --limit-burst 50 -j RETURN
    # log attacks
    #iptables -A syn-flood -j LOG --log-prefix "SYN flood: "
    # silently drop the rest
    #iptables -A syn-flood -j DROP
    
    # Don't forward from the outside to the inside.
    iptables -A FORWARD -i eth1 -o eth0 -j REJECT
    ##by default drop connections from the WAN interface.
    iptables -A INPUT -i eth1 -j DROP
    Thanks in advance for any help/pointers, Mark
    Last edited by markp1989; 09-13-11 at 07:36 PM.
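    The same two-interface layout as the posted script, rebuilt as an added example that is not part of the thread: default-DROP policies, loopback admitted explicitly, negation written as `! -s`, the SYN-limit chain actually wired into INPUT, and one helper that emits each DNAT together with its FORWARD accept so the two cannot drift apart. It assumes the post's interface names and addresses; the `ipt`, `forward_port`, `firewall_up` and `syn-limit` names are mine, and rules are only applied when the script is run with the argument `apply` (otherwise they are printed for review).

```shell
#!/bin/sh
# Added example, not the thread's script: eth0 = LAN (192.168.117.0/24), eth1 = WAN,
# as in the post. Without "apply" as the first argument the rules are printed, not loaded.
LAN=eth0; WAN=eth1; LAN_NET=192.168.117.0/24
XBOX=192.168.117.184            # console address from the original post
ipt() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi; }

# One helper emits the DNAT and its matching FORWARD accept, so neither is forgotten.
# usage: forward_port <tcp|udp> <port> <lan-host>
forward_port() {
    ipt -t nat -A PREROUTING -i "$WAN" -p "$1" --dport "$2" -j DNAT --to-destination "$3:$2"
    ipt -A FORWARD -i "$WAN" -o "$LAN" -p "$1" -d "$3" --dport "$2" -m conntrack --ctstate NEW -j ACCEPT
}

firewall_up() {
    [ "${DRY_RUN:-1}" = 1 ] || echo 1 > /proc/sys/net/ipv4/ip_forward   # routing on
    ipt -F; ipt -t nat -F; ipt -t mangle -F; ipt -X; ipt -t nat -X; ipt -t mangle -X
    # Deny by default; every ACCEPT below is then an explicit, reviewable exception.
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Rate-limit new TCP connections from the WAN; log at most once a minute when it trips.
    ipt -N syn-limit
    ipt -A syn-limit -m limit --limit 25/second --limit-burst 50 -j RETURN
    ipt -A syn-limit -m limit --limit 1/minute -j LOG --log-prefix "SYN flood: "
    ipt -A syn-limit -j DROP
    ipt -A INPUT -i "$WAN" -p tcp --syn -j syn-limit
    # LAN hosts may reach the router's own services (DNS, DHCP, NTP, proxy); the WAN may not.
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    # Transparent proxy for LAN web traffic, except the console ("! -s", not "-s !").
    ipt -t nat -A PREROUTING -i "$LAN" ! -s "$XBOX" -p tcp --dport 80 -j REDIRECT --to-port 8080
    for p in tcp udp; do forward_port "$p" 3074 "$XBOX"; forward_port "$p" 88 "$XBOX"; done
}

case "${1:-}" in apply) DRY_RUN=0; firewall_up ;; *) firewall_up ;; esac
```

Run it without arguments first and diff the printed rules against what `iptables-save` shows after `apply`; anything reaching a chain's end is dropped by policy rather than by a trailing rule.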

  2. #2
    thideras
    I can't help since I haven't built one from the ground up, but have you checked out pfSense? I'm actually using this over Astaro.

  3. #3

    Thanks for replying to me. I looked at pfSense but I cannot remember why I didn't try it out.

    Right now I have most of the stuff I listed in the OP working; the only thing I haven't bothered with is QoS. I have been torrenting whilst on the Xbox without problems, so I haven't bothered looking into it properly yet.

    I have a spare machine, so I can give pfSense a test; if I like it I can just swap the machines over to limit downtime. Even though an internet connection isn't essential, I still get nagged at if it goes down for 2 minutes.

  4. #4
    grumperfish
    I switched from IPCop to Smoothwall as I liked the QoS functions and add-ons (Guardian is neat), but IPCop had a pretty basic support community and updates lagged to the point where Snort was unusable by the time I switched. I tried pfSense, but I had trouble wrapping my head around BSD. I remember one of the key pro points about pfSense being a total failover feature, but I never got far enough along to try it out.

    Smoothwall will do everything in your requirements, other than probably taking less time to set up.