23388
Comment: Fill UPnP section
|
23484
Add rsyslogd section stub and reference in Requirements section
|
Deletions are marked like this. | Additions are marked like this. |
Line 35: | Line 35: |
* Carefully controlled log files - [[#rsyslogd|rsyslogd]] | |
Line 613: | Line 614: |
= rsyslogd = rsyslogd... TODO |
I have been working to set up a Soekris net5501 to act as a home router/server. My efforts are documented here to serve as an example for others attempting similar setup scenarios. Note that this guide is only intended to cover post-installation software setup and so should be applicable to nearly any hardware.
Under construction. I hope to get this finished eventually.
If you notice any errors please mail me, leave a ?comment, or fix them.
If you know of a better place in the wiki for this to go, please ?suggest it.
Contents
Requirements
Here is a list of requirements with links to the relevant sections.
- 100% Debian, no external software
- Stock Debian kernel
?dnsmasq server, providing
- DNS, including local DNS
- DHCP server, including static IPs
Support dual-stack network; IPv4 and IPv6 - ?SixXS
Provide local private network bridge - ?Networking
Ethernet ports + private secured wireless (?hostap)
- Provide public network
Unsecured wireless (?hostap)
Simple and robust ?firewall
- Reasonable security for the router
- Port forwarding (single, range, or all)
With ?UPnP support
- Modify TOS packet header bits
?Traffic control to provide a better internet experience for multiple users/connections
- Use TOS packet header bits
Carefully controlled log files - ?rsyslogd
Document Conventions
- eth0 is WAN ethernet port
- aiccu is the interface of the SixXS ipv6 tunnel
- eth1-eth3 are LAN ethernet (private)
wlan0 is private wireless (?hostap)
wlan0_0 is public wireless (?hostap)
- br0 bridges eth1-eth3 and wlan0
- private local ipv4 network: 192.0.2.0/24 (choose your own, probably 192.168.x.0/24)
- private local ipv6 network: 2001:db8::/32 (? from SixXS)
- public local ipv4 network: 192.0.3.0/24 (choose your own, probably 192.168.x+1.0/24)
- public local ipv6 network: 2001:db8::1/32 (? from SixXS)
SixXS
Register with SixXS and request an tunnel and subnet. Choose your tunnel type carefully. I chose the less efficient AYIYA type because it will work behind masquerading.
Use aiccu to bring up the tunnel.
OPTIONAL: To avoid using your SixXS password in plaintext in the aiccu configuration file, add a TIC Password for the tunnel, then use "$HANDLE/$TUNNELID" as your username and the password you chose in the configuration.
aiccu.conf:
username $HANDLE password $PASSWORD protocol tic server tic.sixxs.net ipv6_interface aiccu tunnel_id $TUNNELID automatic true requiretls false
Now you should have an interface named "aiccu" and ipv6 connectivity. Test with:
ping6 -c 2 www.kame.net
Basic Networking
/etc/network/interfaces:
# The loopback network interface auto lo iface lo inet loopback # The primary network interface (WAN) auto eth0 #allow-hotplug eth0 # hotplugging does not seem to work reliably iface eth0 inet dhcp # Network bridge (LAN) auto br0 iface br0 inet static address 192.0.2.1 netmask 255.255.255.0 network 192.0.2.0 broadcast 192.0.2.255 bridge_ports eth1 eth2 eth3 wlan0 iface br0 inet6 static address (from sixxs) netmask 64 # Public wireless network auto wlan0_0 iface wlan0_0 inet static address 192.0.3.1 netmask 255.255.255.0 network 192.0.3.0 broadcast 192.0.3.255 iface wlan0_0 inet6 static address (from sixxs) netmask 64
Set up /etc/hosts to make local DNS work correctly:
Change this line:
127.0.1.1 hostname.example.org hostname
To:
192.168.68.1 hostname.example.org hostname2.example2.org hostname
Test: make sure both hostname -s and hostname -f work correctly now.
dnsmasq
Fill dnsmasq.conf:
interface=br0 dhcp-range=private,192.0.2.51,192.0.2.250,48h interface=wlan0_0 dhcp-range=public,192.0.3.51,192.0.3.250,48h domain-needed bogus-priv # Set the NTP time server address to be the same machine as # is running dnsmasq dhcp-option=42,0.0.0.0 # Send microsoft-specific option to tell windows to release the DHCP lease # when it shuts down. dhcp-option=vendor:MSFT,2,1i # Set the limit on DHCP leases, the default is 150 ## here, raised to the maximum number of hosts on networks dhcp-lease-max=506 # Set the DHCP server to authoritative mode. In this mode it will barge in # and take over the lease for any client which broadcasts on the network, # whether it has a record of the lease or not. This avoids long timeouts # when a machine wakes up on a new network. DO NOT enable this if there's # the slighest chance that you might end up accidentally configuring a DHCP # server for your campus/company accidentally. The ISC server uses # the same option, and this URL provides more information: # http://www.isc.org/index.pl?/sw/dhcp/authoritative.php #dhcp-authoritative
OPTIONAL: For static host configuration, create /etc/dnsmasq.d/static-hosts.conf:
# static DHCP hosts # Optionally, use IPs from 2 to 50 (outside of DHCP range). # example for private network #dhcp-host=xx:xx:xx:xx:xx:xx,192.0.2.10 # example for public network #dhcp-host=xx:xx:xx:xx:xx:xx,192.0.3.16
OPTIONAL: To use custom nameservers, create /etc/alt.dns:
# Google Public DNS nameserver 8.8.8.8 nameserver 8.8.4.4
And uncomment line in /etc/default/dnsmasq:
IGNORE_RESOLVCONF=yes
And add line to /etc/dnsmasq.conf:
resolv-file=/etc/alt.dns
Firewall
Firewall shell scripts are slow (see ?http://www.faqs.org/docs/iptables/saveandrestore.html), and scripts for iptables-restore/ip6tables-restore must be maintained individually. In order to keep performance, use a single script, and gain readability to easy maintenance, I built a script that uses iptables-restore and family.
Create /usr/local/sbin/build-firewall.sh:
#!/bin/sh # What markup will make this line correct? set -e case "$1" in apply) ;; restore) ;; build) ;; save) ;; *) echo "Usage: $0 {apply|build|restore|save}" echo echo "apply: iptables-apply (includes connection check)" echo "build: just write iptables and ip6tables scripts" echo "restore: iptables-restore (apply immediately without check)" echo "save: restore, then save iptables and ip6tables scripts to /etc/network/" exit 1 ;; esac policies() { ipboth RAW :PREROUTING ACCEPT ipboth RAW :OUTPUT ACCEPT ipboth MANGLE :PREROUTING ACCEPT ipboth MANGLE :INPUT ACCEPT ipboth MANGLE :FORWARD ACCEPT ipboth MANGLE :OUTPUT ACCEPT ipboth MANGLE :POSTROUTING ACCEPT ip4 NAT :PREROUTING ACCEPT ip4 NAT :OUTPUT ACCEPT ip4 NAT :POSTROUTING ACCEPT ipboth FILTER :INPUT DROP ipboth FILTER :FORWARD DROP ipboth FILTER :OUTPUT DROP } rules() { # Use no "double quotes" in rules! # DNAT # modify DNAT ip4 NAT :DNAT_MOD - ip4 NAT -A PREROUTING -j DNAT_MOD # do not change destination IP/port for these packets ip4 NAT -A DNAT_MOD -i eth0 -p icmp -j RETURN ip4 NAT :DNAT_SKIP - ip4 NAT -A DNAT_MOD -i eth0 -g DNAT_SKIP # manual port forwarding ip4 NAT :MANUAL_DNAT - ip4 NAT -A DNAT_MOD -i eth0 -j MANUAL_DNAT ## example: to specific host (modify static-hosts.conf if necessary) #ip4 NAT -A MANUAL_DNAT -p tcp -m tcp --dport 33333 -j DNAT --to-destination 192.0.2.10 ## example: to specific host and different destination port (modify static-hosts.conf if necessary) #ip4 NAT -A MANUAL_DNAT -p tcp -m tcp --dport 81 -j DNAT --to-destination 192.0.3.11:80 ## example: to different destination port on router #ip4 NAT -A MANUAL_DNAT -p tcp -m tcp --dport 81 -j DNAT --to-destination :80 # upnp ip4 NAT :DNAT_UPNP - ip4 NAT -A DNAT_MOD -i eth0 -j DNAT_UPNP ## example, from linux-igd upnpd ##ip4 NAT -A DNAT_UPNP -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.96:80 # forward all remaining ports ip4 NAT :DNAT_ALLPORTS - ip4 NAT -A DNAT_MOD -i eth0 -j DNAT_ALLPORTS #ip4 NAT -A DNAT_ALLPORTS -j DNAT --to-destination 192.0.2.10 # END DNAT # masquerading ip4 NAT -A POSTROUTING -s 192.0.2.0/24 ! -d 192.0.2.0/24 -o eth0 -j MASQUERADE ip4 NAT -A POSTROUTING -s 192.0.3.0/24 ! -d 192.0.3.0/24 -o eth0 -j MASQUERADE # IPv6 ip4 FILTER -A INPUT -p ipv6 -j ACCEPT ip4 FILTER -A FORWARD -p ipv6 -j ACCEPT ip4 FILTER -A OUTPUT -p ipv6 -j ACCEPT # loopback ipboth FILTER -A INPUT -i lo -j ACCEPT ipboth FILTER -A OUTPUT -o lo -j ACCEPT # BLOCKING # drop RH0 ip6tables -A INPUT -m rt --rt-type 0 -j DROP ip6tables -A FORWARD -m rt --rt-type 0 -j DROP ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP # host block ipboth FILTER :HOST_BLOCK - ipboth FILTER -A INPUT -j HOST_BLOCK ipboth FILTER -A FORWARD -j HOST_BLOCK ipboth FILTER -A OUTPUT -j HOST_BLOCK ## examples # ipboth FILTER -A HOST_BLOCK --source 75.0.1.25 -j HOST_BLOCK_EXEC # ipboth FILTER -A HOST_BLOCK --destination 75.0.1.25 -j HOST_BLOCK_EXEC ipboth FILTER :HOST_BLOCK_EXEC - ipboth FILTER -A HOST_BLOCK_EXEC -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix Blocked-host_ --log-level notice ipboth FILTER -A HOST_BLOCK_EXEC -j DROP # invalid ipboth FILTER :VALIDITY_CHECK - ipboth FILTER :INVALID - ipboth FILTER -A INPUT -j VALIDITY_CHECK ipboth FILTER -A FORWARD -j VALIDITY_CHECK ipboth FILTER -A VALIDITY_CHECK -m state --state INVALID -j INVALID ipboth FILTER -A INVALID -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix Invalid-packet_ --log-level info ipboth FILTER -A INVALID -j DROP ## more validity checks here, like previous line # fragmented ipboth FILTER :FRAGMENT_CHECK - ipboth FILTER -A INPUT -j FRAGMENT_CHECK ipboth FILTER -A FORWARD -j FRAGMENT_CHECK ipboth FILTER :FRAGMENTED - ip4 FILTER -A FRAGMENT_CHECK -f -j FRAGMENTED ip6 FILTER -A FRAGMENT_CHECK -m frag --fragmore -m length --length 0:1279 -j FRAGMENTED ipboth FILTER -A FRAGMENTED -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix Fragmented-packet_ --log-level info ipboth FILTER -A FRAGMENTED -j DROP # END BLOCKING # local dhcp ipboth FILTER -A INPUT -p udp -i br0 --sport 67:68 --dport 67:68 -j ACCEPT ipboth FILTER -A INPUT -p udp -i wlan0_0 --sport 67:68 --dport 67:68 -j ACCEPT # out ipboth FILTER -A OUTPUT -p udp -o br0 --sport 67:68 --dport 67:68 -j ACCEPT ipboth FILTER -A OUTPUT -p udp -o wlan0_0 --sport 67:68 --dport 67:68 -j ACCEPT # spoofed ipboth FILTER :SPOOFED - ip4 FILTER -A INPUT -j SPOOFED # TODO: add ip6 here ip4 FILTER -A FORWARD -j SPOOFED # TODO: add ip6 here ipboth FILTER -A SPOOFED -i eth0 -j RETURN ip6 FILTER -A SPOOFED -i aiccu -j RETURN ip4 FILTER -A SPOOFED -i br0 -s 192.0.2.0/24 -j RETURN #ip6 FILTER -A SPOOFED -i br0 -s :: -j RETURN # TODO: fix with correct ipv6 addresses ip4 FILTER -A SPOOFED -i wlan0_0 -s 192.0.3.0/24 -j RETURN #ip6 FILTER -A SPOOFED -i wlan0_0 -s :: -j RETURN # TODO: fix with correct ipv6 addresses ipboth FILTER -A SPOOFED -m limit --limit 6/min -j LOG --log-prefix Spoofed-packet_ --log-level notice ip4 FILTER -A SPOOFED -j REJECT --reject-with icmp-net-unreachable ip6 FILTER -A SPOOFED -j REJECT --reject-with icmp6-adm-prohibited # ICMP ip4 FILTER -A OUTPUT -p icmp -j ACCEPT ip6 FILTER -A OUTPUT -p ipv6-icmp -j ACCEPT ipboth FILTER :ICMP - ip4 FILTER -A INPUT -p icmp -j ICMP ip6 FILTER -A INPUT -p ipv6-icmp -j ICMP ip4 FILTER -A FORWARD -p icmp -j ICMP ip6 FILTER -A FORWARD -p ipv6-icmp -j ICMP ipboth FILTER -A ICMP -m limit --limit 20/sec --limit-burst 100 -j ACCEPT ip4 FILTER -A ICMP -p icmp -m icmp --icmp-type echo-request -j DROP ip6 FILTER -A ICMP -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j DROP ipboth FILTER -A ICMP -m limit --limit 20/sec -j ACCEPT ipboth FILTER -A ICMP -j DROP # established connections ipboth FILTER -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT ipboth FILTER -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT ipboth FILTER -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # SPECIFIC SERVICES # ssh ip4 NAT -A DNAT_SKIP -p tcp --dport ssh -j RETURN ipboth FILTER -A INPUT -p tcp --dport ssh -j ACCEPT ipboth FILTER -A OUTPUT -p tcp --dport ssh -j ACCEPT # upstream dhcp ip4 NAT -A DNAT_SKIP -p tcp --dport 67:68 -j RETURN ipboth FILTER -A INPUT -p udp -i eth0 --sport 67:68 --dport 67:68 -j ACCEPT ipboth FILTER -A OUTPUT -p udp -o eth0 --sport 67:68 --dport 67:68 -j ACCEPT # ddns ipboth FILTER -A OUTPUT -p tcp -o eth0 --dport 5000 -j ACCEPT #*check*# port 5000? ipboth FILTER -A OUTPUT -p tcp -o aiccu --dport 5000 -j ACCEPT #*check*# port 5000? # SixXS ip4 NAT -A DNAT_SKIP -p tcp --dport 3874 -j RETURN ip4 NAT -A DNAT_SKIP -p udp -m multiport --dport 3740,5072 -j RETURN ip4 FILTER -A OUTPUT -p tcp -o eth0 --dport 3874 -j ACCEPT ip4 FILTER -A OUTPUT -p udp -o eth0 -m multiport --dport 3740,5072 -j ACCEPT # dns ip4 NAT -A DNAT_SKIP -p tcp -m multiport --dport domain,mdns -j RETURN ip4 NAT -A DNAT_SKIP -p udp -m multiport --dport domain,mdns -j RETURN ipboth FILTER -A INPUT -p tcp -i br0 -m multiport --dport domain,mdns -j ACCEPT ipboth FILTER -A INPUT -p udp -i br0 -m multiport --dport domain,mdns -j ACCEPT ipboth FILTER -A INPUT -p tcp -i wlan0_0 -m multiport --dport domain,mdns -j ACCEPT ipboth FILTER -A INPUT -p udp -i wlan0_0 -m multiport --dport domain,mdns -j ACCEPT ipboth FILTER -A OUTPUT -p udp -o br0 --dport mdns -j ACCEPT ipboth FILTER -A OUTPUT -p udp -o wlan0_0 --dport mdns -j ACCEPT ipboth FILTER -A OUTPUT -p tcp -o eth0 --dport domain -j ACCEPT ipboth FILTER -A OUTPUT -p udp -o eth0 --dport domain -j ACCEPT ip6 FILTER -A OUTPUT -p tcp -o aiccu --dport domain -j ACCEPT ip6 FILTER -A OUTPUT -p udp -o aiccu --dport domain -j ACCEPT # ntp ip4 NAT -A DNAT_SKIP -p udp --dport ntp -j RETURN ipboth FILTER -A INPUT -p udp --dport ntp -j ACCEPT ipboth FILTER -A OUTPUT -p udp --sport ntp -j ACCEPT # www/https ip4 NAT -A DNAT_SKIP -p tcp --dport www -j RETURN ipboth FILTER -A INPUT -p tcp --dport www -j ACCEPT ipboth FILTER -A OUTPUT -p tcp -o eth0 -m multiport --dports www,https -j ACCEPT ip6 FILTER -A OUTPUT -p tcp -o aiccu -m multiport --dports www,https -j ACCEPT # upnp ip4 NAT -A DNAT_SKIP -p tcp -m multiport --dports 5000,49152 -j RETURN ip4 NAT -A DNAT_SKIP -p udp --dport 1900 -j RETURN ip4 FILTER :UPNP_FORWARD - ip4 FILTER -A INPUT -i br0 -p udp -m multiport --ports 1900 -j ACCEPT ip4 FILTER -A INPUT -i br0 -p tcp -m multiport --ports 2869,5000,49152 -j ACCEPT ip4 FILTER -A INPUT -i br0 -p igmp -j ACCEPT ip4 FILTER -A OUTPUT -o br0 -p udp -m multiport --ports 1900 -j ACCEPT ip4 FILTER -A OUTPUT -o br0 -p tcp -m multiport --ports 2869,5000,49152 -j ACCEPT ip4 FILTER -A OUTPUT -o br0 -p igmp -j ACCEPT ip4 FILTER -A FORWARD -i eth0 -o br0 -j UPNP_FORWARD ## example, from linux-igd upnpd ##ip4 FILTER -A UPNP_FORWARD -d 192.0.2.10/24 -p tcp -m tcp --dport 80 -j ACCEPT # END SPECIFIC SERVICES # from private ipboth FILTER :FROM_PRIVATE - ipboth FILTER -A FORWARD -i br0 -j FROM_PRIVATE ipboth FILTER -A FROM_PRIVATE -o br0 -j ACCEPT ipboth FILTER -A FROM_PRIVATE -o eth0 -j ACCEPT ipboth FILTER -A FROM_PRIVATE -o aiccu -j ACCEPT ipboth FILTER -A FROM_PRIVATE -o wlan0_0 -m limit --limit 3/min -j LOG --log-prefix Rejected-private-to-public_ --log-level info ip4 FILTER -A FROM_PRIVATE -o wlan0_0 -j REJECT --reject-with icmp-net-prohibited ip6 FILTER -A FROM_PRIVATE -o wlan0_0 -j REJECT --reject-with icmp6-adm-prohibited # from public ipboth FILTER :FROM_PUBLIC - ipboth FILTER -A FORWARD -i wlan0_0 -j FROM_PUBLIC ipboth FILTER -A FROM_PUBLIC -o eth0 -j ACCEPT ipboth FILTER -A FROM_PUBLIC -o aiccu -j ACCEPT ipboth FILTER -A FROM_PUBLIC -o br0 -m limit --limit 3/min -j LOG --log-prefix Rejected-public-to-private_ --log-level info ip4 FILTER -A FROM_PUBLIC -o br0 -j REJECT --reject-with icmp-net-prohibited ip6 FILTER -A FROM_PUBLIC -o br0 -j REJECT --reject-with icmp6-adm-prohibited ipboth FILTER -A FROM_PUBLIC -o wlan0_0 -m limit --limit 3/min -j LOG --log-prefix Rejected-public-to-public_ --log-level info ip4 FILTER -A FROM_PUBLIC -o wlan0_0 -j REJECT --reject-with icmp-host-prohibited ip6 FILTER -A FROM_PUBLIC -o wlan0_0 -j REJECT --reject-with icmp6-adm-prohibited # DROP/REJECT # unmatched packets ip4 FILTER -A INPUT -m limit --limit 20/min -j LOG --log-prefix Unmatched-INPUT_ --log-level debug ip6 FILTER -A INPUT -m limit --limit 20/min -j LOG --log-prefix Unmatched-v6-INPUT_ --log-level debug ip4 FILTER -A FORWARD -m limit --limit 20/min -j LOG --log-prefix Unmatched-FORWARD_ --log-level debug ip6 FILTER -A FORWARD -m limit --limit 20/min -j LOG --log-prefix Unmatched-v6-FORWARD_ --log-level debug ip4 FILTER -A OUTPUT -j LOG --log-prefix Unmatched-OUTPUT_ --log-level debug ip6 FILTER -A OUTPUT -j LOG --log-prefix Unmatched-v6-OUTPUT_ --log-level debug # end DROP/REJECT # TOS ipboth MANGLE :TOS_CHAIN - ipboth MANGLE -A PREROUTING -j TOS_CHAIN # Correcting TOS for incorrectly marked packets ipboth MANGLE :FIX_TOS - ipboth MANGLE -A TOS_CHAIN -m tos ! --tos Normal-Service -j FIX_TOS # Large packets with Minimize-Delay TOS ipboth MANGLE -A FIX_TOS -m tos ! --tos Minimize-Delay -j RETURN ipboth MANGLE -A FIX_TOS -p tcp -m length --length 0:512 -j RETURN ipboth MANGLE -A FIX_TOS -p udp -m length --length 0:1024 -j RETURN ipboth MANGLE -A FIX_TOS -j TOS --set-tos Maximize-Throughput # Add TOS for unmarked packets ipboth MANGLE :ADD_TOS - ipboth MANGLE -A TOS_CHAIN -m tos --tos Normal-Service -j ADD_TOS # TCP control packets (from www.docum.org / Stef Coene) ipboth MANGLE :ACK_TOS - ipboth MANGLE -A ADD_TOS -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -j ACK_TOS ipboth MANGLE -A ACK_TOS -m length --length 0:256 -j TOS --set-tos Minimize-Delay ipboth MANGLE -A ACK_TOS -m length --length 256: -j TOS --set-tos Maximize-Throughput ipboth MANGLE -A ADD_TOS -p tcp --tcp-flags SYN,RST,ACK ACK -j RETURN # Specify general TOS settings here for protocol/port ipboth MANGLE -A ADD_TOS -p icmp -j TOS --set-tos Minimize-Delay ipboth MANGLE -A ADD_TOS -p tcp -m multiport --ports smtp -j TOS --set-tos Minimize-Cost #ipboth MANGLE -A ADD_TOS -p tcp -m multiport --ports 000 -j TOS --set-tos Maximize-Reliability ipboth MANGLE -A ADD_TOS -p tcp -m multiport --ports www,https -j TOS --set-tos Maximize-Throughput ipboth MANGLE -A ADD_TOS -p tcp -m multiport --ports domain,mdns,auth,5154,3389,5900 -j TOS --set-tos Minimize-Delay #ipboth MANGLE -A ADD_TOS -p udp -m multiport --ports 000 -j TOS --set-tos Minimize-Cost #ipboth MANGLE -A ADD_TOS -p udp -m multiport --ports 000 -j TOS --set-tos Maximize-Reliability #ipboth MANGLE -A ADD_TOS -p udp -m multiport --ports 000 -j TOS --set-tos Maximize-Throughput ipboth MANGLE -A ADD_TOS -p udp -m multiport --ports domain,67:68,ntp,5154,5060:5064,iax,1720,1731 -j TOS --set-tos Minimize-Delay # END TOS # SHAPING # add shaping assist fwmarks ipboth MANGLE :MARKING_IN - ipboth MANGLE -A PREROUTING -j MARKING_IN ipboth MANGLE -A MARKING_IN -i eth0 -j RETURN ipboth MANGLE -A MARKING_IN -i aiccu -j RETURN ipboth MANGLE -A MARKING_IN -i br0 -j MARK --set-mark 0x2/0xf ipboth MANGLE -A MARKING_IN -i br0 -j RETURN ipboth MANGLE -A MARKING_IN -i wlan0_0 -j MARK --set-mark 0x3/0xf ip4 MANGLE -A OUTPUT -j MARK --set-mark 0x4/0xf #*check* breaks radvd on ipv6 side # END SHAPING # TCPMSS clamp ipboth MANGLE -A POSTROUTING -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu ipboth MANGLE -A POSTROUTING -o aiccu -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu } # build IPTABLES=$( mktemp /tmp/iptables.XXX ) IP6TABLES=$( mktemp /tmp/ip6tables.XXX ) RAW_IP4=$( mktemp ) MANGLE_IP4=$( mktemp ) NAT_IP4=$( mktemp ) FILTER_IP4=$( mktemp ) RAW_IP6=$( mktemp ) MANGLE_IP6=$( mktemp ) FILTER_IP6=$( mktemp ) ip4() { TABLE=$( eval "echo \$${1}_IP4" ) shift 1 echo $* >> $TABLE } ip6() { TABLE=$( eval "echo \$${1}_IP6" ) shift 1 echo $* >> $TABLE } ipboth() { ip4 $@ ip6 $@ } ipboth RAW "*raw" ipboth MANGLE "*mangle" ip4 NAT "*nat" ipboth FILTER "*filter" policies rules for TABLE in RAW_IP4 MANGLE_IP4 NAT_IP4 FILTER_IP4 RAW_IP6 MANGLE_IP6 FILTER_IP6 ; do eval "echo COMMIT >> \$${TABLE}" done echo "# iptables firewall for owenhs" >> $IPTABLES echo "# ip6tables firewall for owenhs" >> $IP6TABLES cat $RAW_IP4 $MANGLE_IP4 $NAT_IP4 $FILTER_IP4 >> $IPTABLES cat $RAW_IP6 $MANGLE_IP6 $FILTER_IP6 >> $IP6TABLES rm -f $RAW_IP4 $MANGLE_IP4 $NAT_IP4 $FILTER_IP4 $RAW_IP6 $MANGLE_IP6 $FILTER_IP6 case "$1" in apply) iptables-apply -t 30 $IPTABLES ip6tables-apply -t 30 $IP6TABLES echo "iptables and ip6tables applied successfully" rm -f $IPTABLES $IP6TABLES ;; restore) iptables-restore $IPTABLES ip6tables-restore $IP6TABLES echo "iptables and ip6tables restored successfully" rm -f $IPTABLES $IP6TABLES ;; build) echo "new: $IPTABLES" echo "new: $IP6TABLES" ;; save) iptables-restore $IPTABLES ip6tables-restore $IP6TABLES mv /etc/network/iptables /tmp/iptables.bak0 mv /etc/network/ip6tables /tmp/ip6tables.bak0 mv $IPTABLES /etc/network/iptables mv $IP6TABLES /etc/network/ip6tables mv /tmp/iptables.bak0 $IPTABLES mv /tmp/ip6tables.bak0 $IP6TABLES echo "old: $IPTABLES" echo "old: $IP6TABLES" ;; esac
UPnP
Note that UPnP has some flaws. Use it only if you understand and accept them. If you choose not to use UPnP, you should remove the applicable parts of the firewall script.
/etc/default/linux-igd:
EXTIFACE=eth0 INTIFACE=br0 ALLOW_MULTICAST=yes
/etc/upnpd.conf:
iptables_location = "/sbin/iptables" debug_mode = 3 create_forward_rules = yes forward_rules_append = no forward_chain_name = UPNP_FORWARD prerouting_chain_name = DNAT_UPNP duration = 86400 # One day from time of addition description_document_name = gatedesc.xml xml_document_path = /etc/linuxigd listenport = 49152 paranoid = 1
hostap
hostapd.conf... TODO
Traffic Control
script... TODO
rsyslogd
rsyslogd... TODO
Contact/Comments
Feedback is appreciated.
You can contact me at greenfreedom10@gmail.com.
I'd suggest recording the installation parts in the InstallingDebianOn namespace -- PaulWise 2010-02-21 01:01:02
Thanks Paul, but I do not plan to include any hardware-specific installation information. I added a note above. -- ?green 2010-02-21 03:08:07
Contributing to InstallingDebianOn would still be appreciated, as would the hardware info that the InstallingDebianOn templates suggest to add -- PaulWise 2010-02-21 12:37:45