
Thread: Linux as a router isn't really that much of an idea in our case

  1. #1

    Linux as a router isn't really that much of an idea in our case

    We try to use Linux as a router in our home (bf&I and before x-mas a little one). We have our phones, tablets, one desktop and some smart home appliances, and we also would like to have a separate WLAN intended for occasional friends and guests.
    We figured out we would like to use Linux on our router, but it appears it doesn't work as we would like. We do get full control over the system, but we are unsure what traffic we would like to keep inside and what to route out. ICMP, for example, and also UDP with the exception of DNS queries. (Windows would be much better since its implementation of internet sharing doesn't require the user to make those decisions.) There is also no way to verify the security of our system. For example, iptables is supposed to have text-to-rules interpreters, but I have not yet found a way to test given rules in any way. I'm thinking of something like unit testing in software engineering.
    Our Linux box, as it appears, will be much too insecure for us to use, and security is the main reason we opted for this rather than a standard domestic wifi/lan box.
    The output of our current configuration is listed below. It is the output of iptables-save. Also, don't worry about the obviously missing wifi interfaces for now. They are in the mail:

    Code:
    # Generated by iptables-save v1.6.0 on Tue Oct 24 23:40:04 2017
    *security
    :INPUT ACCEPT [10380635:5321211941]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [10345804:4108452830]
    COMMIT
    # Completed on Tue Oct 24 23:40:04 2017
    # Generated by iptables-save v1.6.0 on Tue Oct 24 23:40:04 2017
    *raw
    :PREROUTING ACCEPT [10387433:5321462253]
    :OUTPUT ACCEPT [10345804:4108452830]
    COMMIT
    # Completed on Tue Oct 24 23:40:04 2017
    # Generated by iptables-save v1.6.0 on Tue Oct 24 23:40:04 2017
    *mangle
    :PREROUTING ACCEPT [10387433:5321462253]
    :INPUT ACCEPT [10387433:5321462253]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [10345804:4108452830]
    :POSTROUTING ACCEPT [10345804:4108452830]
    COMMIT
    # Completed on Tue Oct 24 23:40:04 2017
    # Generated by iptables-save v1.6.0 on Tue Oct 24 23:40:04 2017
    *nat
    :PREROUTING ACCEPT [6902:256552]
    :INPUT ACCEPT [104:6240]
    :OUTPUT ACCEPT [507836:30475116]
    :POSTROUTING ACCEPT [507685:30461100]
    -A POSTROUTING -o enp1s0 -j MASQUERADE
    COMMIT
    # Completed on Tue Oct 24 23:40:04 2017
    # Generated by iptables-save v1.6.0 on Tue Oct 24 23:40:04 2017
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [10345805:4108453014]
    :Badflags - [0:0]
    :Firewall - [0:0]
    :Rejectwall - [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j Badflags
    -A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j Badflags
    -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j Badflags
    -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j Badflags
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j Badflags
    -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j Badflags
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j Badflags
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j Badflags
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j Badflags
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j Badflags
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j Badflags
    -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
    -A INPUT -p icmp -j Firewall
    -A INPUT -i enp1s0 -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p udp -m udp --sport 137 --dport 137 -j DROP
    -A INPUT -j Rejectwall
    -A FORWARD -i enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i enp1s0 -m state --state INVALID,NEW -j DROP
    -A FORWARD -i enp2s0 -o enp1s0 -j ACCEPT
    -A FORWARD -i enp3s0 -o enp1s0 -j ACCEPT
    -A FORWARD -i enp4s0 -o enp1s0 -j ACCEPT
    -A Badflags -j LOG --log-prefix " Badflags "
    -A Badflags -j DROP
    -A Firewall -j LOG --log-prefix " Firewall "
    -A Firewall -j DROP
    -A Rejectwall -j LOG --log-prefix " Rejectwall "
    -A Rejectwall -j REJECT --reject-with icmp-port-unreachable
    COMMIT
    # Completed on Tue Oct 24 23:40:04 2017
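
    The "unit test for iptables rules" the post asks for can be approximated offline. What follows is an added example, not code from the thread or from the iptables project: it parses the text iptables-save emits and evaluates synthetic packets against the chains, so a rule change can be checked before it is loaded. It simulates only the matches that occur in the dump above (-i/-o/-p, --dport/--sport, --state, --icmp-type, --tcp-flags), treats "-m limit" as always matching, and does not model conntrack, so whether a packet counts as NEW or ESTABLISHED is an input you supply. The packet field names (in_if, out_if, proto, dport, sport, state, flags, icmp_type) and the trimmed RULESET excerpt are the example's own.

```python
"""Offline check of an iptables-save ruleset, in the spirit of a unit test (added example).
Only the matches in the post #1 dump are simulated; "-m limit" is treated as always
matching and LOG is non-terminating, as in iptables.
"""
import shlex

# Constructed excerpt of the filter table from post #1 (some INPUT rules omitted).
RULESET = """
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:Badflags - [0:0]
:Firewall - [0:0]
:Rejectwall - [0:0]
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j Badflags
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j Badflags
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -p icmp -j Firewall
-A INPUT -i enp1s0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j Rejectwall
-A FORWARD -i enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp1s0 -m state --state INVALID,NEW -j DROP
-A FORWARD -i enp2s0 -o enp1s0 -j ACCEPT
-A Badflags -j LOG --log-prefix " Badflags "
-A Badflags -j DROP
-A Firewall -j LOG --log-prefix " Firewall "
-A Firewall -j DROP
-A Rejectwall -j LOG --log-prefix " Rejectwall "
-A Rejectwall -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

# iptables option -> packet field name used by this simulator
OPT_NAMES = {"-i": "in_if", "-o": "out_if", "-p": "proto",
             "--dport": "dport", "--sport": "sport", "--icmp-type": "icmp_type"}

def parse_ruleset(text):
    """Return ({chain: [(target, opts), ...]}, {chain: policy}); user chains get policy None."""
    chains, policies = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            chains[name], policies[name] = [], (None if policy == "-" else policy)
        elif line.startswith("-A "):
            toks = iter(shlex.split(line)[1:])          # shlex keeps the quoted log prefix together
            chain, target, opts = next(toks), "", {}
            for tok in toks:
                if tok in ("-m", "--log-prefix", "--reject-with", "--limit"):
                    next(toks)                          # module name or value, not needed for matching
                elif tok == "-j":
                    target = next(toks)
                elif tok in ("-i", "-o", "-p"):
                    opts[OPT_NAMES[tok]] = next(toks)
                elif tok in ("--dport", "--sport", "--icmp-type"):
                    opts[OPT_NAMES[tok]] = int(next(toks))
                elif tok == "--state":
                    opts["state"] = set(next(toks).split(","))
                elif tok == "--tcp-flags":              # "mask comp": of the flags in mask, exactly comp are set
                    mask, comp = next(toks), next(toks)
                    opts["tcp_flags"] = (set(mask.split(",")), set() if comp == "NONE" else set(comp.split(",")))
                else:
                    raise ValueError(f"unsupported option {tok!r} in: {line}")
            chains[chain].append((target, opts))
    return chains, policies

def rule_matches(opts, pkt):
    """True when every match option of a rule holds for the packet dict."""
    for key, want in opts.items():
        if key == "state":
            if pkt.get("state") not in want:
                return False
        elif key == "tcp_flags":
            mask, comp = want
            if pkt.get("proto") != "tcp" or (pkt.get("flags", set()) & mask) != comp:
                return False
        elif pkt.get(key) != want:
            return False
    return True

def walk(chains, policies, chain, pkt, log):
    """Verdict of `chain` for `pkt`; None when a user chain falls through (implicit RETURN)."""
    for target, opts in chains[chain]:
        if not rule_matches(opts, pkt):
            continue
        if target == "LOG":
            log.append(chain)                           # non-terminating: note it and keep going
        elif target in ("ACCEPT", "DROP", "REJECT", "RETURN"):
            return None if target == "RETURN" else target
        elif (sub := walk(chains, policies, target, pkt, log)) is not None:
            return sub                                  # a user chain decided the packet's fate
    return policies[chain]                              # fell off the end: chain policy (None for user chains)

def verdict(text, chain, **pkt):
    """(verdict, [chains that logged the packet]), e.g. ('DROP', ['Badflags'])."""
    chains, policies = parse_ruleset(text)
    log = []
    return walk(chains, policies, chain, pkt, log), log
```

    Two calls illustrate the kind of question this answers: `verdict(RULESET, "FORWARD", in_if="enp2s0", out_if="enp3s0", proto="tcp", dport=445, state="NEW", flags={"SYN"})` returns `("DROP", [])`, because no FORWARD rule covers traffic between two LAN interfaces and the chain policy is DROP (which is what you want for the guest WLAN), while `verdict(RULESET, "INPUT", in_if="enp1s0", proto="tcp", dport=80, state="NEW", flags=set())` returns `("DROP", ["Badflags"])`, showing that a packet with no TCP flags set is caught and logged by the Badflags chain before the Rejectwall rule is reached. A simulator like this catches ordering mistakes; it does not replace loading the file with `iptables-restore --test` for a syntax check, nor probing the live box from the outside.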

  2. #2

    Re: Linux as a router isn't really that much of an idea in our case

    If you are really wanting to implement your own router, particularly using
    a distribution that is not focused on being a router, you should probably
    be a network guru. Linux can do anything, and many distributions focus on
    being a router entirely and therefore abstract some of those decisions
    away for you. openSUSE's goal is not to do that, though, so it may not be
    the best distro for the job, even though I think it is the best distro in
    general and for many specific purposes.

    Look at things like Vyatta or pfSense for router-focused distros. I've
    seen the latter set up by friends as an OpenVPN server while also being a
    router.

    For more:
    https://en.wikipedia.org/wiki/List_o..._distributions

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.

  3. #3

    Re: Linux as a router isn't really that much of an idea in our case

    I would recommend using a distribution like openWRT for a router. It's
    an alternative firmware that runs on a lot of routers (as well as x86
    PCs) and is purpose-built for doing what you're looking for.

    I use it on a Netgear router myself (as well as in a virtual machine for
    a software router for a virtual lab environment). Easy to set up and
    easy to use.

    Jim

    --
    Jim Henderson
    openSUSE Forums Administrator
    Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

  4. #4

    Re: Linux as a router isn't really that much of an idea in our case

    I appreciate your suggestions. However, we chose not to use an embedded Linux since we need our box to do more than simply function as a router. ab over there mentioned VPN, which actually is very high on our list of things to do. We will also use it as a file server/cloud, and we already purchased a 2-terabyte 2.5-inch HDD for that purpose. Linux also has far more software available than, say, BSD, and openSUSE has YaST, which is great.

  5. #5

    Re: Linux as a router isn't really that much of an idea in our case

    Setting up openSUSE as a filtering router is much easier than many other distros, but requires some basic networking knowledge, maybe even some intermediate knowledge.

    Unlike other distros, openSUSE has an iptables graphical tool called susefirewall, you can find its configuration tool in YaST > Firewall.

    The community documentation is at the following; see if the YaST tool makes sense to you.
    Post any questions you may have afterwards.

    https://doc.opensuse.org/documentati....firewall.html

    Although not commonly used, those with experience using other iptables management tools in other distros might find those same tools in our repositories.

    There are a variety of tools which are commonly used to test rules, including the applications that use specific protocols. Admins commonly use the telnet client to do simple probing (never use the telnet server today). Depending on how you best learn these kinds of things, there are many sources today... I and others have sometimes described procedures in detail in these forums, and I imagine that there are likely YouTube videos and blogs.

    So, don't be discouraged about what to do, it's part of the process to learn how to learn.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  6. #6

    Re: Linux as a router isn't really that much of an idea in our case

    Quote Originally Posted by tsu2
    Setting up openSUSE as a filtering router is much easier than many other distros, but requires some basic networking knowledge, maybe even some intermediate knowledge.

    Unlike other distros, openSUSE has an iptables graphical tool called susefirewall; you can find its configuration tool in YaST > Firewall.

    The community documentation is at the following; see if the YaST tool makes sense to you. Post any questions you may have afterwards. https://doc.opensuse.org/documentati....firewall.html

    Although not commonly used, those with experience using other iptables management tools in other distros might find those same tools in our repositories.

    There are a variety of tools which are commonly used to test rules, including the applications that use specific protocols. Admins commonly use the telnet client to do simple probing (never use the telnet server today). Depending on how you best learn these kinds of things, there are many sources today... I and others have sometimes described procedures in detail in these forums, and I imagine that there are likely YouTube videos and blogs.

    So, don't be discouraged about what to do; it's part of the process to learn how to learn.

    TSU
    THANK YOU! This is what I have been looking for: a more in-depth guide to iptables and firewalling, rather than tutorials and relatively simple questions and answers you can find on Stack Exchange. If anyone has more of this sort in store, then please tell me about it. Frankly, we have negative experiences with GUI tools for iptables. UFW has been especially problematic in other distributions. That's why I still prefer to write my own rules by hand. I'll have to take a closer look at susefirewall, though. Telnet for this purpose is new to me. Until now I've been using nmap to find open ports, and in the case of the rules I posted earlier, to verify that they actually detect and log port scans properly. Still, I'm learning these things very much as I go, and that makes me a little uncertain from time to time.

  7. #7

    Re: Linux as a router isn't really that much of an idea in our case

    On 10/25/2017 04:06 AM, SuseGirl93 wrote:
    >
    > susefirewall, though. Telnet for this purpose is new to me. Until now


    telnet is a crappy program for port detection; it's easy because it is
    what people on inferior OSes may have learned, as it is the only "tool"
    they have, but on Linux you have netcat, nmap, hping, and others. Ignore
    telnet unless you are stuck without any real tools.

    > I've been using nmap to find open ports, and in the case of the rules I
    > posted earlier, verify that they actually detect and log port scans
    > properly. Still, I'm learning these things very much as I go and that
    > makes me a little uncertain from time to time.


    Yast is great, but if it does not do what you would like I have some
    articles here that I have found to be useful for changing over to a custom
    firewall solution:

    https://www.novell.com/coolsolutions/feature/18139.html
    https://www.novell.com/coolsolutions/feature/19967.html

    If you do not learn a bit from David there, as you have from tsu2 earlier,
    then you're good enough already. I learned a lot when I first read these
    articles a decade ago and recommend them to everybody.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.

  8. #8

    Re: Linux as a router isn't really that much of an idea in our case

    telnet is not a port detection tool, it's a port <probing> tool.
    Detection only is testing whether the port is open or not, probing is so much more which detection may or may not return. I consider detection more a synonym of scanning, not probing.

    Diff telnet vs nmap...

    You test only a single port
    It's simple and doesn't require setting up. You simply specify the port number in the command when you don't want to test the default telnet port.
    You return information immediately that tells you
    Whether the port is blocked
    Whether the port is open but unresponsive
    If a service is available on the open port, the banner (text response)

    So, telnet is something that takes a second to run and returns info on all the possible states and, if a service is running, perhaps information about that service application (eg mail server banner).

    For all that,
    It's a primary tool in my toolbox.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  9. #9

    Re: Linux as a router isn't really that much of an idea in our case

    On 10/25/2017 08:56 AM, tsu2 wrote:
    >
    > telnet is not a port detection tool, it's a port <probing> tool.
    > Detection only is testing whether the port is open or not, probing is so
    > much more which detection may or may not return. I consider detection
    > more a synonym of scanning, not probing.
    >
    > Diff telnet vs nmap...
    >
    > You test only a single port


    Code:
    netcat -zv google.com 443
    nmap -p 443 google.com

    > It's simple and doesn't require setting up. You simply specify the port
    > number in the command when you don't want to test the default telnet
    > port.


    Yes, see the nmap and netcat examples above; super-simple. ;-)

    > You return information immediately that tells you
    > Whether the port is blocked
    > Whether the port is open but unresponsive
    > If a service is available on the open port, the banner (text
    > response)


    Yes, all of that and more.

    > So, telnet is something that takes a second to run and returns info on
    > all the possible possible state and if a service is running, perhaps
    > information about that service application (eg mail server banner).


    I guess I disagree on this point. The Linux version of telnet may show
    you some useful information when you connect (like that you have
    connected), and that is a nice improvement over the Windows version which
    just sits and flashes a cursor at you, since that is a lot like what
    happens when the connection has not yet been accepted or rejected. All
    one really needs is to know that the TCP three-way handshake succeeded,
    and that is what netcat and nmap (and others) test.

    netcat and nmap will also let you do UDP stuff, which telnet cannot.

    They also let you do a lot more, such as set up a listener (firewall
    testing is really useful with this feature) on an arbitrary port. netcat
    is also binary-safe, where telnet will mess up any non-ascii data going
    through it.

    While I like my tools more than yours, and you the opposite, at the end of
    the day one reason we like Linux is because we have many tools, as part of
    the distro, all ready for simple installation via 'zypper' and managed via
    packages. Hooray for things in common!

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.
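
    To make the netcat/nmap one-liners and the three outcomes listed in post #8 concrete, here is an added example that is not code from either poster: a small Python probe that does exactly what the two commands above do, complete the TCP three-way handshake, and then classifies the result as "open" (handshake completed, plus whatever banner the service volunteered), "closed" (the host answered with a reset, i.e. connection refused) or "filtered" (nothing came back before the timeout, which is what a DROP rule on your own router looks like from outside). So that it runs offline, it starts a throwaway listener on 127.0.0.1 that sends a constructed banner; the banner text and the helper names are the example's own.

```python
"""Minimal TCP port probe in the spirit of `nc -zv host port` / `nmap -p port host` (added example)."""
import socket
import threading

def probe(host, port, timeout=2.0, banner_wait=0.5):
    """Return (state, banner). state is 'open', 'closed' or 'filtered'; banner is bytes."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))              # the three-way handshake: all that nc -z / nmap -p need
        except ConnectionRefusedError:
            return "closed", b""                 # RST came back: host reachable, nothing listening
        except OSError:
            return "filtered", b""               # timeout or unreachable: no SYN/ACK and no RST (DROP looks like this)
        s.settimeout(banner_wait)
        try:
            banner = s.recv(256)                 # banner grab: what telnet would show you interactively
        except OSError:
            banner = b""                         # open but silent, e.g. a service that waits for the client
        return "open", banner.strip()

def start_banner_server(banner=b"220 demo.example SMTP ready\r\n"):
    """Constructed stand-in for a real service: accept one connection, send a banner, close."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))                   # port 0: let the kernel pick a free one
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def free_port():
    """A loopback port with nothing listening on it: bind, read the number, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    port = start_banner_server()
    print(port, probe("127.0.0.1", port))        # ('open', b'220 demo.example SMTP ready')
    print(probe("127.0.0.1", free_port()))       # ('closed', b'')
```

    Pointed at your own router from the WAN side, "filtered" on a port you meant to DROP and "closed" on one you meant to REJECT is the confirmation that the INPUT rules behave as written; an unexpected "open" with a banner tells you which service is exposed. Like netcat and nmap, and unlike telnet, the probe reads raw bytes, so a binary banner is reported as-is.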

  10. #10

    Re: Linux as a router isn't really that much of an idea in our case

    Not a bad approach, but something to consider is that the more a system is
    "soup to nuts" everything from a services standpoint, the more probable
    it is that you'll run into a conflict or something down the road that
    potentially takes multiple services out.

    OpenWRT does include the ability to set it up as a VPN server, and with a
    router that has a USB port, you can serve files using NFS or SAMBA.

    What I've done in my home network is put OpenWRT on a router, and used
    port forwarding to connect various services to single-purpose virtual
    machines (and/or Docker containers, depending on the service). That way
    if (for example) my OpenVPN AS configuration flips out, it doesn't take
    down my personal web sites (which actually sit behind a secure IAM system
    my employer makes - so each web service has its own Docker container).

    While I could put openVPN on my router, I chose not to, since the OpenVPN
    AS appliance is easy to set up (and the eval with 2 connections is
    sufficient for my needs).

    Service isolation has significant benefits - and virtualization and/or
    containers make managing the different services pretty easy while
    providing that isolation without needing a ton of bare metal to host
    those services.

    Just some things to think about.

    --
    Jim Henderson
    openSUSE Forums Administrator
    Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C
