Overclockers Forums > Software > Internet, Networking, and Security
Internet, Networking, and Security Networking and Viruses/Malware trouble. Get the answers here.
Setting up a dedicated firewall running Debian. (IPtables and QOS help)

Old 09-13-11, 01:34 PM Thread Starter   #1
markp1989



Join Date: Jun 2008
Location: London

 

I'm in the process of setting up a firewall running Debian. I was running Astaro, but the last update was giving me problems and I fancied a change.

So far, I have the following installed/configured:
Dnsmasq - Internal DHCP and DNS server.
Dans Guardian (with Squid) - currently I only have antivirus scanning on, I plan to setup advert blocking at some point soon.
NTP
Snort intrusion detection

Things I need help on:
QoS <--- this is a must. I do torrent a lot, and my family use Skype and the Xbox, which both need low latency.
DHCP reservations, needed for the Xbox. EDIT: figured this out as well.
Port forwarding from the WAN to the Xbox, needs ports 3074 and 88. EDIT: got that working.
General iptables help/pointers.

This is what I have so far in the way of iptables. I just want to know if there is anything really wrong that I shouldn't be doing in this file.

eth0 is the internal network
eth1 is the internet (50mb down, 5mb up fiber).

Code:
#!/bin/sh
##eth0 is in internal GREEN card , 192.168.117.1
##eth1 is the internet RED card , Dynamic address from ISP 
sleep 10 ## script runs at boot; a short delay so I can SSH in and fix the file if an edit breaks something.
PATH=/usr/sbin:/sbin:/bin:/usr/bin
# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# Always accept loopback traffic
#iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and new connections not arriving on the WAN interface
# (the negation belongs in front of the option: "! -i", not "-i !").
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE


# enable "transparent mode" for dans guardian (except for my xbox); negation goes before -s
iptables -t nat -A PREROUTING -i eth0 ! -s 192.168.117.184 -p tcp --dport 80 -j REDIRECT --to-port 8080
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
# redirect NTP requests to this machine.
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 123 -j DNAT --to-destination 192.168.117.1:123
# redirect DNS requests to this machine
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to-destination 192.168.117.1:53


##xbox port forwarding
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 3074 -j DNAT --to 192.168.117.184:3074
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 3074 -j DNAT --to 192.168.117.184:3074
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 88 -j DNAT --to 192.168.117.184:88
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 88 -j DNAT --to 192.168.117.184:88
iptables -A FORWARD -p tcp -i eth1 -d 192.168.117.184 --dport 3074 -j ACCEPT
iptables -A FORWARD -p udp -i eth1 -d 192.168.117.184 --dport 3074 -j ACCEPT
iptables -A FORWARD -p tcp -i eth1 -d 192.168.117.184 --dport 88 -j ACCEPT
iptables -A FORWARD -p udp -i eth1 -d 192.168.117.184 --dport 88 -j ACCEPT


##let internal computers make connections
#set iptables to allow everything from home pcs
iptables -A INPUT -i eth0 -p all -s 192.168.117.0/24 -j ACCEPT
iptables -A INPUT -i eth0 -p all -j DROP

##syn flood prevention## (currently commented out; note that nothing jumps to the chain yet, so uncommenting these lines alone has no effect)
# create new chain
#iptables -N syn-flood
# limit incoming packets
#iptables -A syn-flood -m limit --limit 300/second --limit-burst 50 -j RETURN
# log attacks
#iptables -A syn-flood -j LOG --log-prefix "SYN flood: "
# silently drop the rest
#iptables -A syn-flood -j DROP

# Don't forward from the outside to the inside.
iptables -A FORWARD -i eth1 -o eth0 -j REJECT
##by default drop connections from the WAN interface.
iptables -A INPUT -i eth1 -j DROP

Thanks in advance for any help/pointers, Mark


Last edited by markp1989; 09-13-11 at 06:36 PM.
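As an added example (not the poster's script, and not from any project named in the thread), here is the same policy restated the way a reviewer would want it: explicit deny-by-default policies, a loopback accept, an INVALID-state drop, the DansGuardian exclusion with the current "! -s" form, and the syn-flood chain actually wired into INPUT. The interface names, the 192.168.117.0/24 LAN, the Xbox address and ports and the proxy port 8080 come from the thread; the variable names, the conntrack and multiport matches and the IPT=echo dry-run switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the poster's script: the thread's ruleset restated with
# deny-by-default policies, a loopback accept, an INVALID-state drop and the
# syn-flood chain actually wired into INPUT. Interface names, the LAN subnet,
# the Xbox address/ports and the DansGuardian port come from the thread; the
# variable names and the conntrack/multiport matches are this example's choice.
# IPT defaults to iptables; set IPT=echo to print the rules instead of applying.
IPT=${IPT:-iptables}
LAN=eth0; WAN=eth1; LANNET=192.168.117.0/24; FW=192.168.117.1; XBOX=192.168.117.184

apply_rules() {
    if [ "$IPT" = iptables ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi
    # Empty every table, then deny by default so a forgotten rule fails closed.
    for t in filter nat mangle; do $IPT -t $t -F; $IPT -t $t -X; done
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT

    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Rate-limit new TCP connections from the WAN; log (throttled) and drop the excess.
    $IPT -N syn-flood
    $IPT -A syn-flood -m limit --limit 300/second --limit-burst 50 -j RETURN
    $IPT -A syn-flood -m limit --limit 5/minute -j LOG --log-prefix "SYN flood: "
    $IPT -A syn-flood -j DROP
    $IPT -A INPUT -i $WAN -p tcp --syn -j syn-flood
    # Only LAN hosts reach services on the box (SSH, DNS, NTP, proxy); WAN hits the DROP policy.
    $IPT -A INPUT -i $LAN -s $LANNET -j ACCEPT

    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i $LAN -o $WAN -s $LANNET -j ACCEPT
    # Xbox Live: DNAT the inbound ports and admit only those new flows from the WAN.
    for p in tcp udp; do for port in 3074 88; do
        $IPT -t nat -A PREROUTING -i $WAN -p $p --dport $port -j DNAT --to-destination $XBOX:$port
        $IPT -A FORWARD -i $WAN -o $LAN -p $p -d $XBOX --dport $port -m conntrack --ctstate NEW -j ACCEPT
    done; done
    # Transparent proxy for everyone except the Xbox, using the current "! -s" form.
    $IPT -t nat -A PREROUTING -i $LAN ! -s $XBOX -p tcp --dport 80 -j REDIRECT --to-port 8080
    # Pin LAN DNS and NTP to this box so clients cannot bypass dnsmasq.
    $IPT -t nat -A PREROUTING -i $LAN ! -d $FW -p udp -m multiport --dports 53,123 -j DNAT --to-destination $FW
    $IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE
}

# Run "sh firewall.sh apply" to install the rules; sourcing the file only defines them.
case "${1:-}" in apply) apply_rules ;; esac
```

Running it with IPT=echo first lets you read the exact rule list the script would install before committing it on a box you reach over SSH.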
Old 09-29-11, 08:11 PM   #2
thideras

Join Date: May 2006
Location: South Dakota

 
I can't help since I haven't built one from the ground up, but have you checked out pfSense? I'm actually using this over Astaro.

Old 09-30-11, 10:56 AM Thread Starter   #3
markp1989



Join Date: Jun 2008
Location: London

 
Thanks for replying to me. I looked at pfSense, but I cannot remember why I didn't try it out.

Right now I have most of the stuff I listed in the OP working; the only thing I haven't bothered with is QoS. I have been torrenting whilst on the Xbox without problems, so I haven't bothered looking into it properly yet.

I have a spare machine, so I can give pfSense a test; if I like it I can just swap the machines over to limit downtime. Even though an internet connection isn't essential, I still get nagged at if it goes down for 2 minutes.

Old 10-03-11, 07:10 PM   #4
grumperfish

Join Date: Nov 2005
Location: South Florida

 
I switched from IPCop to Smoothwall as I liked the QoS functions and add-ons (Guardian is neat), but IPCop had a pretty basic support community and updates lagged to the point where Snort was unusable by the time I switched. I tried pfSense, but I had trouble wrapping my head around BSD. I remember one of the key pro points about pfSense being a total failover feature, but I never got far enough along to try it out.

Smoothwall will do everything in your requirements, other than probably taking less time to set up.
