Ubuntu firewall / router / nat

Setting up Ubuntu as a Firewall / Router / Nat

As described in the overview I executed this task in three steps. This document describes the first step in which both interfaces were configured and a firewall rule was put in place.

eth0: Set as a static address (192.168.1.16) and connected to a Linksys router. That router was set to forward ssh requests to this address.
eth1: Set as a static address (192.168.2.1) and connected to a laptop for testing. This port would fulfill DHCP requests.

Note: When I first brought up the box I configured sshd to require a ssh key on the box. I think this is very good security. Some brief instructions are here.

Install dhcp server

If the package "dhcp3-server" is not installed do that at this time either through the graphical package manager or with the command:
sudo apt-get install dhcp3-server

Enable packet forwarding for IPV4

Edit the file /etc/sysctl.conf
Uncomment the line (or add if not present):

net.ipv4.ip_forward=1

Set Interface Addresses

I wanted eth0 to have an address of 192.168.1.16 and eth1 to have an address of 192.168.2.1
I had a Linksys router with address 192.168.1.1 connected to my cable modem. Interface eth0 would connect to this router.
I would connect a test laptop to eth1 and verify that it received an address and could connect to the Internet. This would be on the "2" network (192.168.2.x).
The Ubuntu box would use the Linksys router as a gateway.

In the first test you can skip the iptables line and just boot and run "ifconfig" to verify that each interface has the desired address.

Edit file /etc/network/interfaces and set the contents like so:

auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
        address 192.168.1.16
        netmask 255.255.255.0
        network 192.168.1.0
        up route add default gw 192.168.1.1 eth0
        pre-up iptables-restore < /etc/iptables.rules
auto eth1
iface eth1 inet static
        address 192.168.2.1
        netmask 255.255.255.0
        network 192.168.2.0

Configure dhcp Server

Edit the file /etc/default/dhcp3-server and enter the line:

INTERFACES="eth1"

This should be the only line in the file unless you have more than two network interfaces and need a dhcp server on another one.

Set DHCP Configuration

Edit the file /etc/dhcp3/dhcpd.conf and set your configuration.
Set the domain name as you want it to appear for the network. I have the lease time set to 1 hour (3600 seconds). The default is 600.
The file has quite a few default entries. The name server is set to be the address of the Linksys router. My uncommented entries at this step are:

ddns-update-style none;
option domain-name "mydomain.com";
option domain-name-servers 192.168.1.1;
default-lease-time 3600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.2.255;
option routers 192.168.2.1;
subnet 192.168.2.0 netmask 255.255.255.0 {
range 192.168.2.100 192.168.2.150;
}
log-facility local7;

Set Up Firewall

The firewall rules will vary depending on your needs. Create some text containing the initial iptables setting such as "iptable-rules-thisbox" and load iptables with the command:

sudo sh iptables-rules-thisbox

This simply executes the rules as root. Then test the rules until they meet your needs and you are satisfied with them. Now save the rules like so:

iptables-save > /etc/iptables.rules

The rules I am using are listed below. Some of the addresses have "x" in the dotted notation. Those are addresses that are allowed to ssh into my box. The "x" characters represent digits in addresses meaningful to my requirements. You will need to tailor the firewall to your specific needs.

EXT_IF=eth0             # Define your external interface here
INT_IF=eth1             # Define your internal interface here
INT_NET='192.168.2.0/24'    # Define your internal network address here
IPTABLES="/sbin/iptables"

# Set up some default policies at this point to avoid any potential race
# condition between flushing the rules and setting up temporary blocks.
#
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP

# Flush and delete existing chains
#
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
$IPTABLES -Z

# Temporary blocks while the chains are being set up
#
$IPTABLES -A INPUT -i ! lo -j DROP
$IPTABLES -A OUTPUT -o ! lo -j DROP
$IPTABLES -A FORWARD -j DROP

# Unblock loopback traffic right away.
#
$IPTABLES -A INPUT -i lo -j ACCEPT     # Internal, no restrictions

# Log error, then drop
$IPTABLES -N ERRORDROP
$IPTABLES -A ERRORDROP -j LOG --log-level alert --log-prefix "netfilter:ERROR:generic: "
$IPTABLES -A ERRORDROP -j DROP

# Log, then drop
$IPTABLES -N LOGDROP
$IPTABLES -A LOGDROP -j LOG --log-prefix "netfilter:badpac: "
$IPTABLES -A LOGDROP -j DROP

# NoLog drop
$IPTABLES -N NOLOGDROP
$IPTABLES -A NOLOGDROP -j DROP

#SSH trusted host log connection...
$IPTABLES -N ssh-trusted-syn-log
$IPTABLES -A ssh-trusted-syn-log -p tcp --tcp-flags SYN SYN -j LOG --log-prefix "netfilter:SSH_TRUSTED: "
$IPTABLES -A ssh-trusted-syn-log -j ACCEPT

$IPTABLES -N ssh-in
$IPTABLES -A ssh-in -p tcp --tcp-flags SYN SYN -s 32.x.x.x/24 -j ssh-trusted-syn-log #Acme Outbound address
$IPTABLES -A ssh-in -p tcp --tcp-flags SYN SYN -s 24.x.x.x/32 -j ssh-trusted-syn-log #fred's box
$IPTABLES -A ssh-in -p tcp --tcp-flags SYN SYN -s 208.x.x.x/32 -j ssh-trusted-syn-log #joe's box
$IPTABLES -A ssh-in -p tcp --tcp-flags SYN SYN -s 75.x.x.x/32 -j ssh-trusted-syn-log #bob's box
$IPTABLES -A ssh-in -p tcp --tcp-flags SYN SYN -s 192.168.1.0/24  -j ssh-trusted-syn-log #TEMPORARY HACK while this box sits behind linksys
$IPTABLES -A ssh-in -j LOG --log-prefix "netfilter:SSH_ILLEGAL: "
$IPTABLES -A ssh-in -j DROP

#$IPTABLES -i eth0 -t nat -A PREROUTING  -p tcp --dport ssh -j DNAT --to-destination 192.168.1.16  #all ssh is DNAT'd to p6;

# External-Input chain
$IPTABLES -N ext-in
$IPTABLES -A ext-in -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow established and related connections/traffic
$IPTABLES -A ext-in -p tcp --dport ssh -j ssh-in #all "new" ssh external connections
$IPTABLES -A ext-in -p udp --dport 6798 -j ACCEPT # FWTOOL upd port
$IPTABLES -A ext-in -j LOGDROP

# Input chain
$IPTABLES -A INPUT -i $INT_IF -j ACCEPT     # Internal, no restrictions
$IPTABLES -A INPUT -j ext-in     # External interface(s)
$IPTABLES -A INPUT -j ERRORDROP             # Shouldn't be here

# Output chain # The following takes care of an info leak problem if you configure any NAT port forwarding rules in the future.
$IPTABLES -A OUTPUT -o $EXT_IF -m state -p icmp --state INVALID -j DROP

# Forward chain
$IPTABLES -A FORWARD -i $INT_IF -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#anything beyond here is NOT established, and is coming from an external interface
$IPTABLES -A FORWARD -p tcp --dport ssh -j ssh-in #all "new" ssh external connections
#FORWARD TABLE HAS A POLICY OF DROP, so if we didn't pick it up above, it's gone
#the question is HOW did it get here,
$IPTABLES -A FORWARD -j LOG --log-prefix "netfilter:ERROR:FORWARD: "
$IPTABLES -A FORWARD -j DROP

# NAT handling
$IPTABLES -t nat -A POSTROUTING -s $INT_NET -o $EXT_IF -j MASQUERADE

#open things up now that all is setup
$IPTABLES -D INPUT 1
$IPTABLES -D OUTPUT 1
$IPTABLES -D FORWARD 1