  1. #1

    Setting up a dedicated firewall running Debian. (IPtables and QOS help)

    I'm in the process of setting up a firewall running Debian. I was running Astaro, but the last update was giving me problems and I fancied a change.

    So far, I have the following installed/configured:
    Dnsmasq - Internal DHCP and DNS server.
    DansGuardian (with Squid) - currently I only have antivirus scanning on; I plan to set up advert blocking at some point soon.
    Snort intrusion detection

    Things I need help on:
    QoS <--- this is a must; I torrent a lot, and my family use Skype and Xbox, which both need low latency.
    DHCP reservations, needed for the Xbox. EDIT: figured this out as well.
    Port forwarding, from the WAN to the Xbox; needs ports 3074 and 88. EDIT: got that working.
    General iptables help/pointers.

    This is what I have so far in the way of iptables. I just want to know if there is anything really wrong that I shouldn't be doing in this file.

    eth0 is the internal network
    eth1 is the internet (50mb down, 5mb up fiber).

    ##eth0 is in internal GREEN card ,
    ##eth1 is the internet RED card , Dynamic address from ISP 
    sleep 10 ##script is run at boot; adding a small delay so I can ssh in and edit the file if I mess something up when editing.
    # Enable routing.
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # delete all existing rules.
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X
    # Always accept loopback traffic
    #iptables -A INPUT -i lo -j ACCEPT
    # Allow established connections, and those not coming from the outside
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -m state --state NEW ! -i eth1 -j ACCEPT
    iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Allow outgoing connections from the LAN side.
    iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
    # Masquerade.
    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
    # enable "transparent mode" for dans guardian (except for my xbox)
    iptables -t nat -A PREROUTING -i eth0 -s ! -p tcp --dport 80 -j REDIRECT --to-port 8080
    #iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
    # redirect NTP requests to this machine.
    iptables -t nat -A PREROUTING -i eth0 -p udp --dport 123 -j DNAT --to-destination
    # redirect DNS requests to this machine
    iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to-destination
    ##xbox port forwarding
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 3074 -j DNAT --to
    iptables -t nat -A PREROUTING -i eth1 -p udp --dport 3074 -j DNAT --to
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 88 -j DNAT --to
    iptables -t nat -A PREROUTING -i eth1 -p udp --dport 88 -j DNAT --to
    iptables -A FORWARD -p tcp -i eth1 -d --dport 3074 -j ACCEPT
    iptables -A FORWARD -p udp -i eth1 -d --dport 3074 -j ACCEPT
    iptables -A FORWARD -p tcp -i eth1 -d --dport 88 -j ACCEPT
    iptables -A FORWARD -p udp -i eth1 -d --dport 88 -j ACCEPT
    ##let internal computers make connections
    #set iptables to allow everything from home pcs
    iptables -A INPUT -i eth0 -p all -s -j ACCEPT
    iptables -A INPUT -i eth0 -p all -j DROP
    ##syn flood prevention##
    # create new chains
    #iptables -N syn-flood
    # limits incoming packets
    #iptables -A syn-flood -m limit --limit 300/second --limit-burst 50 -j RETURN
    # log attacks
    #iptables -A syn-flood -j LOG --log-prefix "SYN flood: "
    # silently drop the rest
    ##iptables -A syn-flood -j DROP
    # Don't forward from the outside to the inside.
    iptables -A FORWARD -i eth1 -o eth0 -j REJECT
    ##by default drop connections from the WAN interface.
    iptables -A INPUT -i eth1 -j DROP
    Thanks in advance for any help/pointers, Mark
    Last edited by markp1989; 09-13-11 at 06:36 PM.
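    A reworked version of the rule set above, added here as an example and not the poster's own script: the same eth0/eth1 layout, DansGuardian on 8080 and Xbox ports 3074/88, but with default-deny policies, the loopback rule active, an anti-spoofing check, and the deprecated "-i !" form replaced. The three addresses are placeholders because the post omits them; the function prints the rules rather than running them so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not the original poster's script. Same layout as the thread:
# eth0 = LAN, eth1 = WAN (dynamic address), DansGuardian on 8080, Xbox on 3074/88.
# The three addresses are placeholders (the post omits them); set them before applying.
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # placeholder: LAN subnet behind eth0
FW_LAN_IP="${FW_LAN_IP:-192.168.1.1}"  # placeholder: this box's eth0 address
XBOX_IP="${XBOX_IP:-192.168.1.50}"     # placeholder: the console's DHCP reservation

# Emits one iptables command per line instead of executing, so the rule set can be
# reviewed first; apply with: firewall_rules | sh -e
firewall_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# Default-deny: if a later rule fails to load, the box is closed rather than open.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing: nothing arriving on the WAN may carry a LAN source address.
iptables -A INPUT -i eth1 -s $LAN_NET -j DROP
iptables -A FORWARD -i eth1 -s $LAN_NET -j DROP
# Firewall's own services, LAN side only (DHCP requests come from 0.0.0.0, so no -s there).
iptables -A INPUT -i eth0 -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i eth0 -s $LAN_NET -p udp -m multiport --dports 53,123 -j ACCEPT
iptables -A INPUT -i eth0 -s $LAN_NET -p tcp -m multiport --dports 22,53,8080 -j ACCEPT
# LAN to Internet, masqueraded behind the dynamic WAN address.
iptables -A FORWARD -i eth0 -o eth1 -s $LAN_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# Transparent HTTP proxy for everything except the console (current "! -s" syntax).
iptables -t nat -A PREROUTING -i eth0 ! -s $XBOX_IP -p tcp --dport 80 -j REDIRECT --to-ports 8080
# Pin LAN DNS and NTP to this host's resolver and clock.
iptables -t nat -A PREROUTING -i eth0 -p udp -m multiport --dports 53,123 -j DNAT --to-destination $FW_LAN_IP
# Xbox Live: DNAT the two ports in, then allow only those new flows through FORWARD.
iptables -t nat -A PREROUTING -i eth1 -p tcp -m multiport --dports 88,3074 -j DNAT --to-destination $XBOX_IP
iptables -t nat -A PREROUTING -i eth1 -p udp -m multiport --dports 88,3074 -j DNAT --to-destination $XBOX_IP
iptables -A FORWARD -i eth1 -o eth0 -d $XBOX_IP -p tcp -m multiport --dports 88,3074 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -d $XBOX_IP -p udp -m multiport --dports 88,3074 -j ACCEPT
# Log (rate-limited) what the default policy is about to drop, for syslog/Snort review.
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP: "
EOF
}

case "${1:-}" in --apply) firewall_rules | sh -e ;; esac
```

Run it with --apply only after reading the printed rules; the sleep-at-boot trick from the post still applies if the box is managed over ssh.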

  2. #2
    thideras
    I can't help since I haven't built one from the ground up, but have you checked out PFSense? I'm actually using this over Astaro.

  3. #3

    Thanks for replying. I looked at pfSense, but I cannot remember why I didn't try it out.

    Right now I have most of the stuff I listed in the OP working; the only thing I haven't bothered with is QoS. I have been torrenting whilst on the Xbox without problems, so I haven't bothered looking into it properly yet.

    I have a spare machine, so I can give pfSense a test; if I like it I can just swap the machines over to limit downtime. Even though an internet connection isn't essential, I still get nagged at if it goes down for 2 minutes.
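    The QoS piece still outstanding in the original post, as an added example rather than anything from the thread: HTB egress shaping on the 5 Mb uplink with three classes, so Xbox Live (ports 3074/88 from the post) and small voice-sized UDP packets are dequeued ahead of torrent bulk. The interface comes from the post; the rates, class ids, mark values and the small-packet heuristic are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread: HTB egress shaping on the 5 Mb uplink so
# Xbox Live (3074/88, from the post) and small voice packets are queued ahead of
# torrent bulk. Rates, class ids and mark values are this example's choices.
WAN_IF="eth1"
UPLINK_KBIT=4600   # just under the real 5 Mb/s, so the queue forms here, not in the modem

# Prints the tc/iptables commands; review, then apply with: qos_rules | sh -e
qos_rules() {
    cat <<EOF
tc qdisc del dev $WAN_IF root 2>/dev/null || true
# HTB root; anything unmarked falls into the bulk class 1:30.
tc qdisc add dev $WAN_IF root handle 1: htb default 30
tc class add dev $WAN_IF parent 1: classid 1:1 htb rate ${UPLINK_KBIT}kbit ceil ${UPLINK_KBIT}kbit
# 1:10 latency-sensitive, 1:20 interactive, 1:30 bulk; each may borrow up to the full link.
tc class add dev $WAN_IF parent 1:1 classid 1:10 htb rate 1500kbit ceil ${UPLINK_KBIT}kbit prio 0
tc class add dev $WAN_IF parent 1:1 classid 1:20 htb rate 1000kbit ceil ${UPLINK_KBIT}kbit prio 1
tc class add dev $WAN_IF parent 1:1 classid 1:30 htb rate 2100kbit ceil ${UPLINK_KBIT}kbit prio 2
# SFQ inside each class so one torrent peer cannot starve the others in its class.
tc qdisc add dev $WAN_IF parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $WAN_IF parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev $WAN_IF parent 1:30 handle 30: sfq perturb 10
# Classify by firewall mark: mark 1 -> 1:10, mark 2 -> 1:20.
tc filter add dev $WAN_IF parent 1: protocol ip prio 1 handle 1 fw flowid 1:10
tc filter add dev $WAN_IF parent 1: protocol ip prio 2 handle 2 fw flowid 1:20
# Marks are set in mangle POSTROUTING, i.e. after routing/NAT chose $WAN_IF as egress.
# MARK is non-terminating, so generic rules go first and the specific ones win.
iptables -t mangle -F POSTROUTING
# Pure TCP ACKs keep downloads flowing while the uplink is saturated.
iptables -t mangle -A POSTROUTING -o $WAN_IF -p tcp -m length --length 0:64 -j MARK --set-mark 2
# Skype uses dynamic ports; small UDP datagrams are the usual approximation for voice
# (uTP torrent packets are mostly larger, but some will slip into this class).
iptables -t mangle -A POSTROUTING -o $WAN_IF -p udp -m length --length 0:256 -j MARK --set-mark 1
# Interactive: ssh and DNS.
iptables -t mangle -A POSTROUTING -o $WAN_IF -p tcp -m multiport --dports 22,53 -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -o $WAN_IF -p udp --dport 53 -j MARK --set-mark 2
# Xbox Live, both protocols, always in the low-latency class.
iptables -t mangle -A POSTROUTING -o $WAN_IF -p tcp -m multiport --dports 88,3074 -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -o $WAN_IF -p udp -m multiport --dports 88,3074 -j MARK --set-mark 1
EOF
}

case "${1:-}" in --apply) qos_rules | sh -e ;; esac
```

Run it after the firewall script, since that script flushes the mangle table; only upload is shaped here because inbound 50 Mb can only be policed, not queued, on this side of the modem.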

  4. #4
    grumperfish
    I switched from IPCop to Smoothwall as I liked the QoS functions and add-ons (Guardian is neat), but IPCop had a pretty basic support community and updates lagged to the point where Snort was unusable by the time I switched. I tried pfSense, but I had trouble wrapping my head around BSD. I remember one of the key pro points about pfSense being a total failover feature, but I never got far enough along to try it out.

    Smoothwall will do everything in your requirements, other than probably taking less time to set up.
