09-13-11, 02:34 PM #1
Setting up a dedicated firewall running Debian. (IPtables and QOS help)
I'm in the process of setting up a firewall running Debian. I was running Astaro, but the last update was giving me problems and I fancied a change.
So far, I have the following installed/configured:
Dnsmasq - Internal DHCP and DNS server.
DansGuardian (with Squid) - currently I only have antivirus scanning on, I plan to set up advert blocking at some point soon.
Snort intrusion detection
Things I need help on.
QOS <---this is a must, I do torrent a lot. My family use Skype and Xbox, which both need low latency.
DHCP Reservations, needed for the Xbox. EDIT: figured out this as well.
Port Forwarding, from the WAN to the Xbox, needs ports 3074 and 88. EDIT: got that working.
General IP tables help/pointers.
This is what I have so far in the way of iptables. I just wanna know if there is anything really wrong that I shouldn't be doing in this file?
eth0 is the internal network
eth1 is the internet (50mb down, 5mb up fiber).
```sh
#!/bin/sh
## eth0 is the internal GREEN card, 192.168.117.1
## eth1 is the internet RED card, dynamic address from ISP

sleep 10
## Script is run at boot; the small delay lets me ssh in and edit the file
## if I mess something up when editing.

PATH=/usr/sbin:/sbin:/bin:/usr/bin

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

#
# Delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
#iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and those not coming from the outside.
# Negation is written "! -i eth1"; the "-i ! eth1" ordering is deprecated.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Enable "transparent mode" for DansGuardian (except for my xbox)
iptables -t nat -A PREROUTING -i eth0 ! -s 192.168.117.184 -p tcp --dport 80 -j REDIRECT --to-port 8080
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

# Redirect NTP requests to this machine.
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 123 -j DNAT --to-destination 192.168.117.1:123

# Redirect DNS requests to this machine
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to-destination 192.168.117.1:53

## xbox port forwarding
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 3074 -j DNAT --to-destination 192.168.117.184:3074
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 3074 -j DNAT --to-destination 192.168.117.184:3074
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 88 -j DNAT --to-destination 192.168.117.184:88
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 88 -j DNAT --to-destination 192.168.117.184:88
iptables -A FORWARD -p tcp -i eth1 -d 192.168.117.184 --dport 3074 -j ACCEPT
iptables -A FORWARD -p udp -i eth1 -d 192.168.117.184 --dport 3074 -j ACCEPT
iptables -A FORWARD -p tcp -i eth1 -d 192.168.117.184 --dport 88 -j ACCEPT
iptables -A FORWARD -p udp -i eth1 -d 192.168.117.184 --dport 88 -j ACCEPT

## Let internal computers make connections
# Set iptables to allow everything from home PCs
iptables -A INPUT -i eth0 -p all -s 192.168.117.0/24 -j ACCEPT
iptables -A INPUT -i eth0 -p all -j DROP

## SYN flood prevention ##
# Create new chains
#iptables -N syn-flood
# Limits incoming packets
#iptables -A syn-flood -m limit --limit 300/second --limit-burst 50 -j RETURN
# Log attacks
#iptables -A syn-flood -j LOG --log-prefix "SYN flood: "
# Silently drop the rest
##iptables -A syn-flood -j DROP

# Don't forward from the outside to the inside.
iptables -A FORWARD -i eth1 -o eth0 -j REJECT

## By default drop connections from the WAN interface.
iptables -A INPUT -i eth1 -j DROP
```
Last edited by markp1989; 09-13-11 at 07:36 PM.
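One check worth running on a script like the one above, as an added example that is not part of the original post: the script flushes rules but never sets a chain policy, so this lint reports whether unmatched INPUT and FORWARD packets end up denied. The function names and verdict strings are hypothetical, `thread_rules` is an excerpt of the posted filter rules with negation in the current `! -i` form, and `hardened_rules` is a constructed variant.

```shell
# Added example, not code from the thread. For INPUT and FORWARD, report
# whether a packet matching no rule is still denied. `iptables -F` leaves
# chain policies alone, so without `-P <chain> DROP` or an unconditional
# final DROP/REJECT, unmatched packets get the built-in ACCEPT policy.
audit_default_deny() {   # stdin: iptables script, stdout: "<CHAIN> <verdict>"
    awk '
    $1 != "iptables" { next }          # skips comments and non-rule lines
    {
        table = "filter"; op = ""; chain = ""; target = ""; conds = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "-t")      table = $(++i)
            else if ($i == "-P") { op = "P"; chain = $(++i); target = $(++i) }
            else if ($i == "-A") { op = "A"; chain = $(++i) }
            else if ($i == "-j") { target = $(++i); break }
            else conds++               # any match option makes the rule conditional
        }
        if (table != "filter") next
        if (op == "P") policy[chain] = target
        if (op == "A") last[chain] = (conds == 0 && target ~ /^(DROP|REJECT)$/) ? "deny" : "other"
    }
    END {
        n = split("INPUT FORWARD", chains, " ")
        for (k = 1; k <= n; k++) {
            c = chains[k]
            if (policy[c] == "DROP")    print c, "policy-drop"
            else if (last[c] == "deny") print c, "final-rule-deny"
            else                        print c, "unmatched-packets-accepted"
        }
    }'
}

thread_rules() {   # filter-table excerpt of the script posted in the thread
    cat <<'EOF'
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth0 -j REJECT
iptables -A INPUT -i eth1 -j DROP
EOF
}

hardened_rules() {   # constructed variant: default-deny policies set first
    printf '%s\n' 'iptables -P INPUT DROP' 'iptables -P FORWARD DROP'
    thread_rules
}

thread_rules   | audit_default_deny
hardened_rules | audit_default_deny
```

The lint looks only at rule structure; it does not evaluate whether the conditional rules happen to cover every interface present on a given machine.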
09-29-11, 09:11 PM #2
I can't help since I haven't built one from the ground up, but have you checked out PFSense? I'm actually using this over Astaro.
09-30-11, 11:56 AM #3
Thanks for replying to me. I looked at PFSense but I cannot remember why I didn't try it out.
Right now I have most stuff I listed in the OP working; the only thing I haven't bothered with is QOS. I have been torrenting whilst on the Xbox without problems, so I haven't bothered looking into it properly yet.
I have a spare machine, so I can give PFSense a test; if I like it I can just swap the machines over to limit downtime. Even though an internet connection isn't an essential, I still get nagged at if it goes down for 2 minutes.
10-03-11, 08:10 PM #4
I switched from ipcop to smoothwall as I liked the QoS functions and add-ons (guardian is neat), but ipcop had a pretty basic support community and updates lagged to the point where snort was unusable by the time I switched. I tried pfsense, but I had trouble wrapping my head around BSD. I remember one of the key pro points about pfsense being a total failover feature, but I never got far enough along to try it out.
Smoothwall will do everything in your requirements, other than probably taking less time to set up.