
Thursday, June 20, 2013

How to : Configure a simple Debian gateway

More and more people want to use a dedicated Debian machine as the gateway for a LAN. Compared with a dedicated hardware firewall this has several benefits, chiefly that every rule lives in a plain text file you can read, version and audit, and the box is patched with the same tools as the rest of your servers.

Overview
In this tutorial we create one file (the NAT/firewall script) and edit four existing files (the network, DNS, APT and startup configuration) to set up and test our Debian gateway.
1. Configure IP address information
2. Configure dns address
3. Modify Source list
4. Install Basic Packages
5. Create a file; NAT and basic firewall with iptables
6. Make the created file executable.
7. Modify startup file.
8. Reboot server or Run created file.


Steps
1. Configure IP address information : vim.tiny /etc/network/interfaces
2. Configure dns address : vim.tiny /etc/resolv.conf
3. Modify Source list : vim /etc/apt/sources.list
4. Install Basic Packages : apt-get update, then apt-get install
5. Create a file; NAT and basic firewall with iptables : vim /usr/bin/nat_firewall.sh
6. Make the created file executable : using chmod
7. Modify startup file : vim /etc/rc.local
8. Reboot server



Step : 1
Configure IP address information (the WAN address, netmask and gateway shown below are only an example; use the static values your ISP assigned to you) :

root@server# vim.tiny /etc/network/interfaces
    # The loopback network interface
        auto lo
        iface lo inet loopback

        # The primary network interface  (WAN interface)
        auto eth0
        iface eth0 inet static
           address 117.25.153.77
           netmask 255.255.255.224
           gateway 117.25.153.65

        # The secondary network interface (LAN interface)
        auto eth1
        iface eth1 inet static
           address 192.168.100.1
           netmask 255.255.255.0
          
    SAVE + EXIT

root@server# /etc/init.d/networking restart

Step : 2
Configure dns address :

root@server#  vim.tiny /etc/resolv.conf
    nameserver 4.2.2.1
    nameserver 4.2.2.2

Step : 3
Modify Source list :

root@server#  vim /etc/apt/sources.list
        deb http://ftp.us.debian.org/debian/ squeeze main
        deb http://security.debian.org/ squeeze/updates main
        deb http://ftp.us.debian.org/debian/ squeeze-updates main
       
    SAVE + Exit
   

Step : 4
Install Basic Packages (build-essential is only needed if you intend to compile software on the gateway itself; a gateway should carry as little as possible, so leave it out otherwise) :

root@server# apt-get update
root@server# apt-get -q -y install build-essential rcconf vim-nox iftop

Step : 5
Create a file; NAT and basic firewall with iptables :

root@server# vim /usr/bin/nat_firewall.sh

        ##########################
                #!/bin/bash

                echo -e "\n>>> LOADING NAT FIREWALL ...\n"

                echo -e ">>> RESETING IMPORTANT PARAMETERS ...\n"

                #Reduce DoS'ing ability by reducing timeouts ...

                echo 1 > /proc/sys/net/ipv4/ip_forward
                echo 1 > /proc/sys/net/ipv4/tcp_syncookies
                echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
                echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
                echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
                echo 1 > /proc/sys/net/ipv4/conf/lo/rp_filter
                echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
                echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
                echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
                echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
                echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
                echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
                echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
                echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
                echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
                echo 0 > /proc/sys/net/ipv4/tcp_sack
                echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog

                echo -e ">>> RESETING FIREALL ...\n"
               
                iptables -F INPUT
                iptables -F OUTPUT
                iptables -F FORWARD
                iptables -F -t mangle
                iptables -F -t nat
                iptables -F
                iptables -X
                iptables -Z
                iptables -t nat -F
                iptables -t nat -X
                iptables -t nat -Z
                iptables --table nat -F
                iptables --delete-chain
                iptables --table nat --delete-chain
                iptables -t mangle --delete-chain

                echo -e ">>> LOADING MODULES ...\n"

                WAN="eth0"
                LAN="eth1"

                IPT="/sbin/iptables"
                LAN_IP="192.168.100.0/24" # IP addresses on the LAN side
                WAN_IP="
117.25.153.77"    # IP from ISP Connected to Internet

                echo -e ">>> SETING POLIECY ...\n"

                $IPT -F INPUT
                $IPT -P INPUT ACCEPT
                $IPT -F OUTPUT
                $IPT -P OUTPUT ACCEPT
                $IPT -F FORWARD
                $IPT -P FORWARD ACCEPT

                echo -e ">>> SETING CUSTOM RULES ...\n"

                $IPT -A INPUT -i lo -j ACCEPT
                $IPT -A INPUT -i $LAN -j ACCEPT
                $IPT -A INPUT -i $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT


                # SNAT/NAT
                $IPT -t nat -A POSTROUTING -s $LAN_IP -d 0/0 -j SNAT --to-source $WAN_IP

                # TPROXY (Uncomment 'remove hash #' this line after you configure squid proxy)
               #$IPT -t nat -A PREROUTING -p tcp -s $LAN_IP --dport 80 -j REDIRECT --to-port 8080

                #
                echo -e ">>> FIRWALL LOADED [DONE] \n"
                ##########################
               
                Save & Exit




Step : 6
Make the created file executable : using chmod

root@server# chmod 755 /usr/bin/nat_firewall.sh
root@server# /usr/bin/nat_firewall.sh   # run it once now, as root, to load the rules without rebooting

Step : 7
Modify startup file : vim /etc/rc.local

root@server# vim /etc/rc.local
    /usr/bin/nat_firewall.sh   # add this line above the final "exit 0"; /etc/rc.local itself must be executable for it to run at boot
   
Step : 8
Reboot server

root@server# reboot