still a work in progress - dna. Be a few days before I get it all up

! Introduction

The OpenWRT Linux distribution used on the Linksys WRT54G(s) has a basic firewall as part of the distribution. This firewall is configured for typical home AP use. The firewall uses iptables to load rules into the netfilter part of the Linux kernel. As a firewall this is pretty neat: there is no running process, you can verify it is configured how you want, and you can log what is going on.

This Wiki page gives a brief introduction to netfilter and iptables and details what a MW Node firewall should do. Examples are then given for six different configurations.
These examples should be usable with only minor changes (such as the interface names in your particular router). A future evolution will reduce these configurations to a single script with a small number of input parameters (probably through environment variables).

!! Netfilter? what's that?

Well, there is a lot of stuff written about netfilter. Probably the best place to start is the (http://www.netfilter.org/documentation/index.html#documentation-faq netfilter FAQ page). In a nutshell there is a packet switch/filter built into the Linux kernel. As packets are received they pass through netfilter and may be acted upon at various points.

++++
                             / \                              / \
 -> NIC - PREROUTING - routing ---- FORWARD ---------- POSTROUTING - NIC ->
                             \ /   |                          \ /   |
                                   |                                |
                                 INPUT --- applications --- OUTPUT
++++

There are two tables of interest: the filter table, where the INPUT, OUTPUT and FORWARD chains are defined, and the nat table, where the PREROUTING and POSTROUTING chains live. The routing decision determines the path a packet takes through netfilter. If IP forwarding is "on" then packets that are not addressed to the router itself are passed through to the FORWARD chain. Note that only packets for networks this router is configured for are passed through here.

Well, if you want to get technical this is what it really looks like: (/files/Misc/Minitar/PacketFlow.png netfilter diagram)

At each of the chains in the path, rules can be defined that tell netfilter what to do with packets that match a rule. This could be as simple as ACCEPTing the packet, or it could send the packet to a different chain for further processing.

!! iptables

iptables is the tool used to manipulate the filtering rules. It is very flexible and has lots of options; check the man page for details. In our firewall scripts we use iptables to clear the netfilter tables and create the rules we want to apply.
We use the following tables/chains:

* filter / INPUT for packets inbound to our router
* filter / OUTPUT for packets outbound from our router
* filter / FORWARD for packets we are forwarding from one segment to another
* nat / PREROUTING for DNAT for port forwarding into our private segment
* nat / POSTROUTING for SNAT from our private segment to the public segment

! The S45firewall script

The default firewall script ( /etc/init.d/S45firewall ) serves as the base for developing variations for the other router configurations described below. There are a couple of bad configuration examples in it and it is a little more verbose than it needs to be ( for such a simple use ) but nevertheless it is a good starting point. This script is used when the WAN port is connected to the Internet ( the unsecure side ) and allows the following:

* ssh connection from WAN
* Port forwarding (bad example: conflicts with ssh from WAN)
* forwarding to a DMZ machine (again a bad example)
* INPUT rules to allow access to the router from the LAN and allow ICMP/GRE packets
* OUTPUT rules to allow anything out from the router
* FORWARD rules to allow LAN to LAN and LAN to WAN
* FORWARD rules to support the specified port forwarding and DMZ configuration
* PREROUTING rules for port forwarding and DMZ DNAT address conversion
* POSTROUTING rules for LAN to WAN SNAT (well, MASQ actually) address conversion

annotated S45firewall script

++++
#!/bin/sh
. /etc/functions.sh

WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)

> clear the iptables and create a new "user" chain for each table/chain combination

## CLEAR TABLES
for T in filter nat mangle; do
    iptables -t $T -F
    iptables -t $T -X
done

iptables -N input_rule
iptables -N output_rule
iptables -N forwarding_rule
iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule

> Optional things are added to the "user" chains

## Allow SSH from WAN
# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
# iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT

> This example conflicts with the above one. The rule entered first will take precedence

## Port forwarding
# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j DNAT --to 192.168.1.2
# iptables -A forwarding_rule -i $WAN -p tcp --dport 22 -d 192.168.1.2 -j ACCEPT

> This example sends all incoming ports to the 192.168.1.2 machine; it is not a true DMZ,
> which should be on a separate network segment

## DMZ (should be placed after port forwarding / accept rules)
# iptables -t nat -A prerouting_rule -i $WAN -j DNAT --to 192.168.1.2
# iptables -A forwarding_rule -i $WAN -d 192.168.1.2 -j ACCEPT

> The default tables/chains have the general policy set along with actions to deal with junk

## INPUT
## (connections with the router as destination)

# base case
iptables -P INPUT DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --syn --tcp-option \! 2 -j DROP

> we allow packets from the private segment, and ICMP (ping) and GRE (router chatter) from anywhere

# allow
iptables -A INPUT -i \! $WAN -j ACCEPT   # allow from lan/wifi interfaces
iptables -A INPUT -p icmp -j ACCEPT      # allow ICMP
iptables -A INPUT -p gre -j ACCEPT       # allow GRE

> The input_rule chain has one target (above) to allow ssh from the WAN interface

#
# insert accept rule or to jump to new accept-check table here
#
iptables -A INPUT -j input_rule

# reject (what to do with anything not allowed earlier)
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

## OUTPUT
## (connections with the router as source)

# base case
iptables -P OUTPUT DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# allow
iptables -A OUTPUT -j ACCEPT   # allow everything out

> everything after the above line is unreachable in this chain

#
# insert accept rule or to jump to new accept-check table here
#
iptables -A OUTPUT -j output_rule

# reject (what to do with anything not allowed earlier)
iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable

## FORWARDING
## (connections routed through the router)

# base case
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# allow
iptables -A FORWARD -i br0 -o br0 -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT

> The forwarding_rule chain is where all the exciting things are happening

#
# insert accept rule or to jump to new accept-check table here
#
iptables -A FORWARD -j forwarding_rule

# reject (what to do with anything not allowed earlier)
# uses the default -P DROP

> In this case postrouting SNAT is performed using the MASQ target, which
> makes all packets from the private segment look like they come from the router

## MASQ
iptables -t nat -A PREROUTING -j prerouting_rule
iptables -t nat -A POSTROUTING -j postrouting_rule
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
++++

! What should the firewall do?

The firewall has to do a couple of things to be useful in a MW node:

* Allow unrestricted access from your private segment into the MW segment.
* NAT the addresses from your private segment to an address in your node segment.
* Allow you to access your private segment from the MW network (only you, or your machines).
* Allow administrative access (ssh) to the router from both the private and public segments.

In addition you may want to allow some services to be accessible:

* DNS lookup
* ssh to a server on the Internet
* POP3 email from an email server
* SMTP to an email server
* HTTP to selected web sites
* forward ports from the MW segment to a machine in either the private or DMZ segment

Note: By exposing these services, clients connected to your Node will be "tunneling" through your private network to reach the Internet via your broadband connection. You may want to think about what you expose if you have a capped connection.

! Example router port configurations and firewall scripts

!! OpenWRT default configuration and firewall

This configuration is useful for setting up a private wireless network but should not be used as part of a MW Node. Any machine connected to the LAN ports would be bridged with the Node and exposed to hacking.

++++
 Public WAN                 WRT PORT             Private LAN
                            +-------+
 ---------------------------|  WAN  |
                            +-------+
                    +-----  +-------+
                    |       | WLAN  |----------< Antenna (radio used as AP)
                    |       +-------+
                    |       +-------+
  ports bridged     |       | LAN 1 |----------
  together          |       +-------+
                    |       +-------+
                    |       | LAN 2 |----------
                    |       +-------+
                    |       +-------+
                    |       | LAN 3 |----------
                    |       +-------+
                    |       +-------+
                    |       | LAN 4 |----------
                    +-----  +-------+
++++

!!! Port configuration

No changes required.

!!! Firewall configuration

Use the S45firewall script as is, out of the box.

!! Private WAN interface, public LAN interface

This is the simplest useful node configuration.
It does not require any changes to the OpenWRT port assignment. In this configuration there is a single WAN port and a bridged LAN ( bridge the remaining 4 switch ports and the wireless port ).

++++
 Private LAN                WRT PORT             Public LAN ( i.e. Melbourne wireless space )
                            +-------+
 ---------------------------|  WAN  |
                            +-------+
                    +-----  +-------+
                    |       | WLAN  |----------< Antenna (radio used as Node AP)
                    |       +-------+
                    |       +-------+
  ports bridged     |       | LAN 1 |---------- to link radio
  together          |       +-------+
                    |       +-------+
                    |       | LAN 2 |---------- to node server
                    |       +-------+
                    |       +-------+
                    |       | LAN 3 |---------- Switch port 3
                    |       +-------+
                    |       +-------+
                    |       | LAN 4 |---------- Switch port 4
                    +-----  +-------+
++++

In this configuration the router is using the WAN port to give you a connection from your private LAN space into the MW node. The firewall needs to be set up differently to the case where the LAN is the private side and the WAN is the public (Internet) side.

!!! Port configuration

No changes in NVRAM required.

!!! Firewall configuration

!! Individual ports

Another common use of the WRT is as a dedicated router. This is the case, for example, at NodeGHO, where there are three APs each serving a different address range and the WRT is used to route traffic between them.

++++
                            WRT PORT             Public LAN ( i.e. Melbourne wireless space )
                            +-------+
                            |  WAN  |----------
                            +-------+
                            +-------+
                            | WLAN  |----------< Antenna (radio used as Node AP)
                            +-------+
                            +-------+
                            | LAN 1 |---------- to AP Northern
                            +-------+
                            +-------+
                            | LAN 2 |---------- to AP Southern
                            +-------+
                            +-------+
                            | LAN 3 |---------- to AP Mobile
                            +-------+
                            +-------+
                            | LAN 4 |----------
                            +-------+
++++

In this case, because each of the connected APs serves a different address range, the LAN ports are not in bridge mode. Each port consumes one address from the AP's range. NodeGHO does not have a private segment ( I don't think ) so there is no need for any firewall between the various segments; traffic will be routed from segment to segment as required.
If one of the unused ports were connected to a private segment then the firewall configuration would be similar to the above case, with the exception of the br0 interface.

!!! Port configuration

!!! Firewall configuration

!! Node AP on WAN port

This is a simplification of the individual port configuration and is the configuration used in the MWRP examples. The AP is connected to the router through the WAN port to avoid conflicts caused by the boot default addresses of both devices being the same.

++++
                            WRT PORT             Public LAN ( i.e. Melbourne wireless space )
                            +-------+
                            |  WAN  |---------- to AP radio
                            +-------+
                    +-----  +-------+
                    |       | WLAN  |----------< Antenna (radio used as link)
                    |       +-------+
                    |       +-------+
  ports bridged     |       | LAN 1 |---------- to link radio
  together          |       +-------+
                    |       +-------+
                    |       | LAN 2 |---------- to node server
                    |       +-------+
                    |       +-------+
                    |       | LAN 3 |---------- Switch port 3
                    |       +-------+
                    |       +-------+
                    |       | LAN 4 |---------- Switch port 4
                    +-----  +-------+
++++

!!! Port configuration

!!! Firewall configuration

!! DMZ segment

If you want to provide services to the network but don't want to have them exposed in the node itself or forward ports into your private space, then you may want to configure a DMZ segment. Again use one port to connect the node to your private space and create two bridges of the remaining ports: the external Node ports and the DMZ ports. In this way you can expose only those ports on the DMZ server machines you want to, and you can avoid having to spend too much effort hardening the machines.

++++
 Private LAN                WRT PORT             Public LAN ( i.e. Melbourne wireless space )
                            +-------+
 ---------------------------|  WAN  |
                            +-------+
                    +-----  +-------+
                    |       | WLAN  |----------< Antenna (radio used as Link / AP)
  br0               |       +-------+
  ports bridged     |       +-------+
  together          |       | LAN 1 |---------- to link or AP radio
                    +-----  +-------+
                    +-----  +-------+
  br1               |       | LAN 2 |---------- to node server
  DMZ LAN           |       +-------+
                    |       +-------+
                    |       | LAN 3 |---------- Switch port 3
                    |       +-------+
                    |       +-------+
                    |       | LAN 4 |---------- Switch port 4
                    +-----  +-------+
++++

!!! Port configuration

!!! Firewall configuration

!! The ultimate cheap bastard

This is my favorite configuration. It is the one to use if you are too cheap to buy more than one router/AP and you want to do everything. This is really getting your money's worth from the router. Use the WAN port to make your broadband connection, use the wired LAN ports internally within your house, and use the radio as your MW Node AP. If you have wireless devices you can configure the firewall to allow them to work from "outside". Feeling cheaper still, try to convince the next Node to connect to you using WDS and you have a built-in link as well.

++++
 Public Internet            WRT PORT             Public LAN ( i.e. Melbourne wireless space )
                            +-------+
 ---------------------------|  WAN  |
                            +-------+
                            +-------+
                            | WLAN  |----------< Antenna (radio used as Node AP)
                            +-------+
                    +-----  +-------+
                    |       | LAN 1 |----------
  ports bridged     |       +-------+
  together          |       +-------+
                    |       | LAN 2 |----------
  Private LAN       |       +-------+
                    |       +-------+
                    |       | LAN 3 |----------
                    |       +-------+
                    |       +-------+
                    |       | LAN 4 |----------
                    +-----  +-------+
++++

Here you have two firewall configurations collapsed into one box: the Internet to LAN and the MW segment to LAN. Also, because the two firewalls are collapsed onto the one box, there is the MW segment to Internet configuration as well.

!!! Port configuration

!!! Firewall configuration
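As an added example (not the wiki's S45firewall and not the author's pending script for this section), here is a three-segment rule set for this layout that implements the requirements listed under "What should the firewall do?": the private LAN gets out to both the Internet and the MW segment, only your own MW-side machines get into the private LAN, ssh to the router works from both sides, and the MW segment reaches the Internet only for a chosen list of services; with the Internet rules removed it is also the shape of the "Private WAN interface, public LAN interface" script. The interface names (vlan1, br0, eth1), the address ranges and the service list are assumptions, as is the radio having been taken out of the LAN bridge; rules are printed for review unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not the wiki's S45firewall. Interface names, ranges and the
# service list are assumptions; on OpenWRT the names can come from nvram.
WAN=vlan1                 # broadband connection (Internet)
LAN=br0                   # private wired LAN bridge (radio removed from it)
MW=eth1                   # radio, used as the MW Node AP
LAN_NET=192.168.1.0/24    # private LAN address range (constructed)
ADMIN=10.10.10.0/24       # your own machines on the MW side (constructed)
MW_TCP_OUT="22 25 80 110" # ssh, SMTP, HTTP, POP3 allowed from MW to Internet

# Print the rule unless APPLY=1, so the rule set can be reviewed first.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

firewall_rules() {
    for T in filter nat; do ipt -t $T -F; ipt -t $T -X; done
    ## INPUT: traffic to the router itself
    ipt -P INPUT DROP
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A INPUT -i $LAN -j ACCEPT                       # private side: everything
    ipt -A INPUT -i $MW -p tcp --dport 22 -j ACCEPT      # admin ssh from MW segment
    ipt -A INPUT -p icmp -j ACCEPT
    ipt -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    ipt -A INPUT -j REJECT --reject-with icmp-port-unreachable

    ## OUTPUT: the router itself may talk to anyone
    ipt -P OUTPUT ACCEPT

    ## FORWARD: traffic between the three segments
    ipt -P FORWARD DROP
    ipt -A FORWARD -m state --state INVALID -j DROP
    ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    ipt -A FORWARD -i $LAN -o $WAN -j ACCEPT             # private -> Internet
    ipt -A FORWARD -i $LAN -o $MW -j ACCEPT              # private -> MW node
    ipt -A FORWARD -i $MW -s $ADMIN -o $LAN -j ACCEPT    # only your MW hosts -> private
    for p in $MW_TCP_OUT; do                             # MW -> Internet, chosen services
        ipt -A FORWARD -i $MW -o $WAN -p tcp --dport $p -j ACCEPT
    done
    ipt -A FORWARD -i $MW -o $WAN -p udp --dport 53 -j ACCEPT   # DNS lookups

    ## nat: the private LAN is masqueraded on both public sides
    ipt -t nat -A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
    ipt -t nat -A POSTROUTING -s $LAN_NET -o $MW -j MASQUERADE
}

firewall_rules
```

Run it once without APPLY to read the generated rules, then with APPLY=1 on the router to load them.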