Linux as a router isn't really that much of an idea in our case

We try to use Linux as a router in our home (bf&I and before x-mas a little one). We have our phones, tablets, one desktop and some smart home appliances, and we also would like to have a separate WLAN intended for occasional friends and guests.
We figured out we would like to use Linux on our router but it appears it doesn’t work as we would like. We do get full control over the system, but we are unsure what traffic we would like to keep inside and what to route out. ICMP, for example, and also UDP with the exception of DNS queries. (Windows would be much better since its implementation of internet sharing doesn’t require the user to make those decisions). There is also no way to verify the security of our system. For example, iptables is supposed to have text-to-rules interpreters, but I have not yet found a way to test given rules in any way. I’m thinking of something like unit testing in software engineering.
Our Linux box, as it appears, will be much too insecure for us to use and security is the main reason we opted for this rather than a standard domestic wifi/lan box.
The output of our current configuration is listed below. It is the output of iptables-save. Also don’t worry about the obviously missing wifi interfaces for now. They are in the mail:

# Generated by iptables-save v1.6.0 on Tue Oct 24 23:40:04 2017
*security
:INPUT ACCEPT [10380635:5321211941]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10345804:4108452830]
COMMIT
# Completed on Tue Oct 24 23:40:04 2017
# Generated by iptables-save v1.6.0 on Tue Oct 24 23:40:04 2017
*raw
:PREROUTING ACCEPT [10387433:5321462253]
:OUTPUT ACCEPT [10345804:4108452830]
COMMIT
# Completed on Tue Oct 24 23:40:04 2017
# Generated by iptables-save v1.6.0 on Tue Oct 24 23:40:04 2017
*mangle
:PREROUTING ACCEPT [10387433:5321462253]
:INPUT ACCEPT [10387433:5321462253]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10345804:4108452830]
:POSTROUTING ACCEPT [10345804:4108452830]
COMMIT
# Completed on Tue Oct 24 23:40:04 2017
# Generated by iptables-save v1.6.0 on Tue Oct 24 23:40:04 2017
*nat
:PREROUTING ACCEPT [6902:256552]
:INPUT ACCEPT [104:6240]
:OUTPUT ACCEPT [507836:30475116]
:POSTROUTING ACCEPT [507685:30461100]
-A POSTROUTING -o enp1s0 -j MASQUERADE
COMMIT
# Completed on Tue Oct 24 23:40:04 2017
# Generated by iptables-save v1.6.0 on Tue Oct 24 23:40:04 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [10345805:4108453014]
:Badflags - [0:0]
:Firewall - [0:0]
:Rejectwall - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j Badflags
-A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j Badflags
-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j Badflags
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j Badflags
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j Badflags
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j Badflags
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j Badflags
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j Badflags
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j Badflags
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j Badflags
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j Badflags
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -p icmp -j Firewall
-A INPUT -i enp1s0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --sport 137 --dport 137 -j DROP
-A INPUT -j Rejectwall
-A FORWARD -i enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp1s0 -m state --state INVALID,NEW -j DROP
-A FORWARD -i enp2s0 -o enp1s0 -j ACCEPT
-A FORWARD -i enp3s0 -o enp1s0 -j ACCEPT
-A FORWARD -i enp4s0 -o enp1s0 -j ACCEPT
-A Badflags -j LOG --log-prefix " Badflags "
-A Badflags -j DROP
-A Firewall -j LOG --log-prefix " Firewall "
-A Firewall -j DROP
-A Rejectwall -j LOG --log-prefix " Rejectwall "
-A Rejectwall -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Tue Oct 24 23:40:04 2017
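
The original post asks for something like unit testing of iptables rules. As an added example (not from this thread, and not a feature of iptables itself), here is a small Python model that parses a constructed excerpt of the INPUT chain above and walks it the way the kernel does, so the expected verdict for a given packet can be asserted before the rules go live. It only models the `-i`/`-o`, `-p`, `--sport`/`--dport`, `--state` and `--tcp-flags` matches; `-m limit` rate limiting and the counters are ignored, and a packet is just a dict of header fields.

```python
import shlex
# Constructed excerpt of the INPUT chain posted above; the rule text itself is copied verbatim.
RULES = """
:INPUT DROP [0:0]
:Badflags - [0:0]
:Rejectwall - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j Badflags
-A INPUT -i enp1s0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --sport 137 --dport 137 -j DROP
-A INPUT -j Rejectwall
-A Badflags -j LOG --log-prefix " Badflags "
-A Badflags -j DROP
-A Rejectwall -j REJECT --reject-with icmp-port-unreachable
"""
SKIP = ("-m", "--limit", "--log-prefix", "--reject-with")   # options that never change the verdict here
flagset = lambda s: set() if s == "NONE" else set(s.split(","))
def load(text):                                       # -> ({chain: policy}, {chain: [rule dict]})
    policy, chains = {}, {}
    for tok in (shlex.split(l, comments=True) for l in text.splitlines()):
        if tok and tok[0][0] == ":":                  # chain header; policy '-' marks a user chain
            policy[tok[0][1:]], chains[tok[0][1:]] = tok[1], []
        elif tok and tok[0] == "-A":                  # ["-A", chain, option, value, ...]
            rule, i = {}, 2
            while i < len(tok):
                n = 3 if tok[i] == "--tcp-flags" else 2   # --tcp-flags takes a mask and a comparison
                if tok[i] not in SKIP:
                    rule[tok[i].lstrip("-")] = tuple(map(flagset, tok[i + 1:i + n])) if n == 3 else tok[i + 1]
                i += n
            chains[tok[1]].append(rule)
    return policy, chains

def matches(rule, pkt):                               # pkt: dict of header fields (i, p, dport, flags, ...)
    return all(
        (pkt.get("flags", set()) & want[0]) == want[1] if key == "tcp-flags"   # (flags & mask) == comp
        else pkt.get("state") in want.split(",") if key == "state"
        else str(pkt.get(key)) == want
        for key, want in rule.items() if key != "j")

def verdict(chain, pkt, policy, chains):              # walk a chain: first terminating target decides
    if chain not in chains:                           # builtin target: decide, or fall through (LOG)
        return chain if chain in ("ACCEPT", "DROP", "REJECT") else None
    for rule in filter(lambda r: matches(r, pkt), chains[chain]):
        v = verdict(rule["j"], pkt, policy, chains)   # the target may itself be a user chain
        if v:
            return v
    return None if policy[chain] == "-" else policy[chain]

def check(pkt):                                       # verdict of the posted INPUT chain for one packet
    return verdict("INPUT", pkt, *load(RULES))
```

Each assertion on `check(...)` then documents what the ruleset is meant to do, for example that a SYN+FIN probe to port 22 hits Badflags before the SSH accept rule ever sees it.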

If you are really wanting to implement your own router, particularly using
a distribution that is not focused on being a router, you should probably
be a network guru. Linux can do anything, and many distributions focus on
being a router entirely and therefore abstract some of those decisions
away for you. openSUSE’s goal is not to do that, though, so it may not be
the best distro for the job, even though I think it is the best distro in
general and for many specific purposes.

Look at things like Vyatta or pfSense for router-focused distros. I’ve
seen the latter set up by friends as an OpenVPN server while also being a
router.

For more:
https://en.wikipedia.org/wiki/List_of_router_and_firewall_distributions


Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.

I would recommend using a distribution like openWRT for a router. It’s
an alternative firmware that runs on a lot of routers (as well as x86
PCs) and is purpose-built for doing what you’re looking for.

I use it on a Netgear router myself (as well as in a virtual machine for
a software router for a virtual lab environment). Easy to set up and
easy to use.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

I appreciate your suggestions. However, we chose not to use an embedded Linux since we need our box to do more than simply function as a router. ab over there mentioned VPN, which actually is very high on our list of things to do. We will also use it as a file server/cloud, and we already purchased a 2-terabyte 2.5-inch HDD for that purpose. Linux also has far more software available than say BSD and openSUSE has Yast, which is great.

Setting up openSUSE as a filtering router is much easier than many other distros, but requires some basic networking knowledge, maybe even some intermediate knowledge.

Unlike other distros, openSUSE has an iptables graphical tool called susefirewall, you can find its configuration tool in YaST > Firewall.

The community documentation is at the following, and see if the YaST tool makes sense to you.
Post any questions you may have afterwards.

https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.security.firewall.html

Although not commonly used, those with experience using other iptables management tools in other distros might find those same tools in our repositories.

There are a variety of tools which are commonly used to test rules, including the applications that use specific protocols. Admins commonly use the telnet client to do simple probing (never use the telnet server today). Depending on how you best learn these kinds of things, there are many sources today… I and others have sometimes described procedures in detail in these forums, I imagine that there are likely YouTube videos and there are likely blogs.

So, don’t be discouraged about what to do, it’s part of the process to learn how to learn.

TSU

THANK YOU! This is what I have been looking for. A more in-depth guide to iptables and firewalling, rather than tutorials and relatively simple questions and answers you can find on Stack Exchange. If anyone has more of this sort in store, then please tell me about it. Frankly, we have negative experiences with GUI tools for iptables. UFW has been especially problematic in other distributions. That’s why I still prefer to write my own rules by hand. I’ll have to take a closer look at susefirewall, though. Telnet for this purpose is new to me. Until now I’ve been using nmap to find open ports, and in the case of the rules I posted earlier, verify that they actually detect and log port scans properly. Still, I’m learning these things very much as I go and that makes me a little uncertain from time to time.

On 10/25/2017 04:06 AM, SuseGirl93 wrote:
>
> susefirewall, though. Telnet for this purpose is new to me. Until now

telnet is a crappy program for port detection; it’s easy because it is
what people on inferior OS’s may have learned as it is the only “tool”
they have, but on Linux you have netcat, nmap, hping, and others. Ignore
telnet unless you are stuck without any real tools.

> I’ve been using nmap to find open ports, and in the case of the rules I
> posted earlier, verify that they actually detect and log port scans
> properly. Still, I’m learning these things very much as I go and that
> makes me a little uncertain from time to time.

Yast is great, but if it does not do what you would like I have some
articles here that I have found to be useful for changing over to a custom
firewall solution:

https://www.novell.com/coolsolutions/feature/18139.html
https://www.novell.com/coolsolutions/feature/19967.html

If you do not learn a bit from David there, as you have from tsu2 earlier,
then you’re good enough already. I learned a lot when I first read these
articles a decade ago and recommend them to everybody.


Good luck.


telnet is not a port detection tool, it’s a port <probing> tool.
Detection only is testing whether the port is open or not, probing is so much more which detection may or may not return. I consider detection more a synonym of scanning, not probing.

Diff telnet vs nmap…

You test only a single port
It’s simple and doesn’t require setting up. You simply specify the port number in the command when you don’t want to test the default telnet port.
You return information immediately that tells you
Whether the port is blocked
Whether the port is open but unresponsive
If a service is available on the open port, the banner (text response)

So, telnet is something that takes a second to run and returns info on all the possible states and, if a service is running, perhaps information about that service application (e.g. mail server banner).

For all that,
It’s a primary tool in my toolbox.

TSU

On 10/25/2017 08:56 AM, tsu2 wrote:
>
> telnet is not a port detection tool, it’s a port <probing> tool.
> Detection only is testing whether the port is open or not, probing is so
> much more which detection may or may not return. I consider detection
> more a synonym of scanning, not probing.
>
> Diff telnet vs nmap…
>
> You test only a single port


netcat -zv google.com 443
nmap -p 443 google.com

> It’s simple and doesn’t require setting up. You simply specify the port
> number in the command when you don’t want to test the default telnet
> port.

Yes, see the nmap and netcat examples above; super-simple. :wink:

> You return information immediately that tells you
> Whether the port is blocked
> Whether the port is open but unresponsive
> If a service is available on the open port, the banner (text
> response)

Yes, all of that and more.

> So, telnet is something that takes a second to run and returns info on
> all the possible possible state and if a service is running, perhaps
> information about that service application (eg mail server banner).

I guess I disagree on this point. The Linux version of telnet may show
you some useful information when you connect (like that you have
connected), and that is a nice improvement over the Windows version which
just sits and flashes a cursor at you, since that is a lot like what
happens when the connection has not yet been accepted or rejected. All
one really needs is to know that the TCP three-way handshake succeeded,
and that is what netcat and nmap (and others) test.

netcat and nmap will also let you do UDP stuff, which telnet cannot.

They also let you do a lot more, such as set up a listener (firewall
testing is really useful with this feature) on an arbitrary port. netcat
is also binary-safe, where telnet will mess up any non-ASCII data going
through it.

While I like my tools more than yours, and you the opposite, at the end of
the day one reason we like Linux is because we have many tools, as part of
the distro, all ready for simple installation via ‘zypper’ and managed via
packages. Hooray for things in common!


Good luck.


Not a bad approach, but something to consider is that the more a system is
“soup to nuts” everything from a services standpoint, the more probable
it is that you’ll run into a conflict or something down the road that
potentially takes multiple services out.

OpenWRT does include the ability to set it up as a VPN server, and with a
router that has a USB port, you can serve files using NFS or SAMBA.

What I’ve done in my home network is put OpenWRT on a router, and used
port forwarding to connect various services to single-purpose virtual
machines (and/or Docker containers, depending on the service). That way
if (for example) my OpenVPN AS configuration flips out, it doesn’t take
down my personal web sites (which actually sit behind a secure IAM system
my employer makes - so each web service has its own Docker container).

While I could put openVPN on my router, I chose not to, since the OpenVPN
AS appliance is easy to set up (and the eval with 2 connections is
sufficient for my needs).

Service isolation has significant benefits - and virtualization and/or
containers make managing the different services pretty easy while
providing that isolation without needing a ton of bare metal to host
those services.

Just some things to think about.


Jim Henderson
openSUSE Forums Administrator

For inspecting traffic, try “ss”; you can also use “iftop”. “iptraf” is also a great utility if you’re a bit less comfortable with networking.

If you have a gui, you can use “etherape” to watch your network, it’s fascinating, although not as useful.