Simulating a Home Network Router By iptables

By Majid Varzideh

With the basics of iptables configuration out of the way, let's tackle a more practical example. For a typical firewall, there is very little traffic destined to or from the firewall itself; in general, the only traffic that fits this profile is administrative sessions used to configure the firewall. The vast majority of a firewall's traffic passes through the firewall and is therefore checked against the FORWARD chain. The following rules configure the Linux firewall with the same access controls as a typical home network router, such as a Linksys or Netgear router or firewall. This example assumes that 192.168.1.0/24 is the internal network on interface eth0 and that eth1 is the external interface:
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -p tcp -s 192.168.1.0/24 -i eth0 --dport 80 -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
The INPUT chain allows port 80 to go to the firewall itself from the internal network. Many home routers have a Web interface for configuring them, and while your configuration may not need this port open to the firewall, it is included here to help emphasize how the different chains are used. It is important to specify the input interface (using -i) so that the source IP cannot be spoofed by an external attacker. In this way, you ensure that even if a packet was generated with the proper source IP, if it came in on the outside interface (eth1) it would not match the rule and would thus not be permitted.

The FORWARD rule allows any outbound traffic from the internal network to the external network. This configuration is simple to implement; however, the 192.168.1.0 IP range is a private IP range and is not routable on the Internet. Thus, this range wouldn't allow traffic from the internal network to the Internet quite yet. To make this Linux firewall a useful replacement for a home network router, you need to enable NAT (which will be described later), which allows all of the systems on your internal network to appear as a single IP address when communicating on the Internet.
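To see how these chains actually evaluate traffic, here is an added Python simulator of the ruleset above (written for this post, not taken from the book); it applies iptables first-match semantics with each chain's policy as the fallback and runs constructed sample packets through it, including the spoofed-source case described above.

```python
"""Constructed simulator of the home-router ruleset above (not real iptables)."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass
class Packet:
    in_iface: str                  # interface the packet arrived on
    src: str                       # source IP address
    proto: str = "tcp"
    dport: Optional[int] = None
    out_iface: Optional[str] = None  # only meaningful for FORWARD
    state: str = "NEW"             # conntrack state: NEW/ESTABLISHED/RELATED


@dataclass
class Rule:
    """One iptables rule; a None field means 'not specified' and matches anything."""
    target: str
    src_net: Optional[str] = None
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[FrozenSet[str]] = None

    def matches(self, p: Packet) -> bool:
        return all([
            self.src_net is None or ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net),
            self.in_iface is None or p.in_iface == self.in_iface,
            self.out_iface is None or p.out_iface == self.out_iface,
            self.proto is None or p.proto == self.proto,
            self.dport is None or p.dport == self.dport,
            self.states is None or p.state in self.states,
        ])


# Default policies (iptables -P) and the appended rules (iptables -A), in order.
POLICY = {"INPUT": "DROP", "OUTPUT": "ACCEPT", "FORWARD": "DROP"}
CHAINS = {
    "INPUT": [Rule("ACCEPT", src_net="192.168.1.0/24", in_iface="eth0", proto="tcp", dport=80)],
    "FORWARD": [Rule("ACCEPT", src_net="192.168.1.0/24", in_iface="eth0", out_iface="eth1"),
                Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"}))],
    "OUTPUT": [],
}


def verdict(chain: str, p: Packet) -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in CHAINS[chain]:
        if rule.matches(p):
            return rule.target
    return POLICY[chain]
```

Note that the INPUT chain has no ESTABLISHED,RELATED rule, so replies to connections the firewall itself opens (OUTPUT is ACCEPT) fall through to the INPUT DROP policy; the simulator reproduces that gap as well.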

Source: Open Source Security Tools, Syngress
