[markp1989]

I'm in the process of setting up a firewall running Debian, i was running Astaro but the last update was giving me problems and I fancied a change

So far, I have the following installed/configured:
Dnsmasq - Internal DHCP and DNS server.
Dans Guardian (with Squid) - currently I only have antivirus scanning on, I plan to setup advert blocking at some point soon.
NTP
Snort intrusion detection

Things I need help on.
QOS <---this is a must, I do torrent a lot. my family use skype and xbox which both need low latency.
DHCP Reservations, needed for the xbox EDIT: figured out this aswell
Port Forwarding, from the WAN to the xbox, needs ports 3074 and 88 EDIT: got that working.
General IP tables help/pointers.

This is what I have so far in the way of IP tables, I just wana know if there is anything really wrong that I shouldn't be doing in this file?

eth0 is the internal network
eth1 is the internet (50mb down, 5mb up fiber).

Code:

#!/bin/sh
##eth0 is in internal GREEN card , 192.168.117.1
##eth1 is the internet RED card , Dynamic address from ISP 
sleep 10 ##script is ran at boot, adding a small delay so I can ssh in and edit the file if i mess something up when editing. 
PATH=/usr/sbin:/sbin:/bin:/usr/bin
# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# Always accept loopback traffic
#iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE


# enable "transparent mode" for dans guardian (except for my xbox)
iptables -t nat -A PREROUTING -i eth0 -s ! 192.168.117.184 -p tcp --dport 80 -j REDIRECT --to-port 8080
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
# redirect NTP requests to this machine.
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 123 -j DNAT --to-destination 192.168.117.1:123
# redirect DNS requests to this machine
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to-destination 192.168.117.1:53


##xbox port forwarding
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 3074 -j DNAT --to 192.168.117.184:3074
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 3074 -j DNAT --to 192.168.117.184:3074
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 88 -j DNAT --to 192.168.117.184:88
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 88 -j DNAT --to 192.168.117.184:88
iptables -A FORWARD -p tcp -i eth1 -d 192.168.117.184 --dport 3074 -j ACCEPT
iptables -A FORWARD -p udp -i eth1 -d 192.168.117.184 --dport 3074 -j ACCEPT
iptables -A FORWARD -p tcp -i eth1 -d 192.168.117.184 --dport 88 -j ACCEPT
iptables -A FORWARD -p udp -i eth1 -d 192.168.117.184 --dport 88 -j ACCEPT


##let internal computers make connections
#set iptables to allow everything from home pcs
iptables -A INPUT -i eth0 -p all -s 192.168.117.0/24 -j ACCEPT
iptables -A INPUT -i eth0 -p all -j DROP

##syn flood provention##
# create new chains
#iptables -N syn-flood
# limits incoming packets
#iptables -A syn-flood -m limit --limit 300/second --limit-burst 50 -j RETURN
# log attacks
#iptables -A syn-flood -j LOG --log-prefix "SYN flood: "
# silently drop the rest
##iptables -A syn-flood -j DROP

# Don't forward from the outside to the inside.
iptables -A FORWARD -i eth1 -o eth0 -j REJECT
##by default drop connections from the WAN interface.
iptables -A INPUT -i eth1 -j DROP

Thanks in advanced for any help/pointers, Mark

[thideras]

I can't help since I haven't built one from the ground up, but have you checked out PFSense? I'm actually using this over Astaro.

[markp1989]

Thanks for replying to me, I looked at PFSense but I cannot remember why I didnt try it out.

right now I have most stuff i listed in the op working, the only think i haven't bothered with is QOS, I have been torrenting whilst on the xbox with out problems so I haven't bothered looking in to it properly yet.

I have a spare machine, so I can give PFSense a test, if i like it i can just swap the machines over to limit down time. even though an internet connection isn't an essential I still get nagged at if it goes down for 2 minutes.

[grumperfish]

I switched from ipcop to smoothwall as I liked the QoS functions and add-ons (guardian is neat), but ipcop had a pretty basic support community and updates lagged to the point where snort was unusable by the time I switched. I tried pfsense, but I had trouble wrapping my head around BSD. I remember one of the key pro points about pfsense being a total failover feature, but I never got far enough along to try it out.

Smoothwall will do everything in your requirements, other than probably taking less time to set up.