TOOLS, TINKERINGS & CODE
So, you’ve got an existing (somewhat complex) network, with a dsl/router
(or other such device) and the tought of reconfiguring all the router’s
routes and/or all the machines in your network and installing a
proxy/nat/firewall to control the access to the internet.
Enter option 2, a bridge.
Ok, I’ve only done this the once, and I’ve done it with debian, so that’s
what I’m going to show you… In fact, I’m going to show you step by step
how I did it.
Things you need:
Things you don’t need:
Ok lets get started
Step 1 -=- Install Debian
Doesn’t realy matter how you partition it, just make sure you have enough room for a squid cache.
You don’t need to select any Tasks on the “Task Selection Screen”.
Step 2 -=- Install all the required bits
Ok, once you’ve got debian installed we’ll start apt-getting
[root@localhost root]# apt-get install kernel-2.6.8 kernel-source-2.6.8 iptables bridge-tools
You don’t have to use kernel 2.6.8, it’s just the one I used
We’ll get to installing squid now
[root@localhost root]# apt-get install squid
Step 3 -=- Install the optional bits
Unless you intend to use vi to do all your editing, you should install
your prefered editor now… I prefer mcedit
[root@localhost root]# apt-get install mc
Step 4 -=- Reboot into our new kernel
[root@localhost root]# reboot
Step 5 -=- Lets get started with the configuration
Create a file, something like br.sh and start editing it
#!/bin/shBRCTL="/usr/sbin/brctl"IPTABLES="/sbin/iptables"IFCONFIG="/sbin/ifconfig"ROUTE="/sbin/route"SED="/bin/sed"IF1="eth0"IF2="eth1"BRIDGE="br0"BRIDGEIP="192.168.0.253/24"GATEWAY="192.168.0.1"LAN=$BRIDGEIP# We need to split the /* off the IP address so we can use it our own way# % is used cos some sh's don't like /'soIFS="${IFS}"IFS='%'set - `echo ${BRIDGEIP} | ${SED} -e 's@/@%@g' -e 's@^%@/@'`IFS="${oIFS}"IP=${1}# Make sure there's no bridge running - if there is, we'll assume we're# working on our firewall scriptsecho "Checking for bridge"CHECK=`ifconfig ${BRIDGE} | grep ${IP}`if ! [ -z "$CHECK" ]; then# Yeh ok, there's a bridge, lets be paranoid and start from scratch# It's not the most efficient way (as it takes quite a bit of time# to re-start the bridge) but it's the safestecho "Bridge Detected - Cleaning slate"# Drop the route$ROUTE del default gw $GATEWAY# Flush the tables$IPTABLES -t nat -F$IPTABLES -F#Shut down the interfaaces$IFCONFIG $BRIDGE down$IFCONFIG $IF1 down$IFCONFIG $IF2 down# Make like the military and destroy the bridge$BRCTL delif $BRIDGE $IF1$BRCTL delif $BRIDGE $IF2$BRCTL delbr $BRIDGEfi# Dunno if we actualy use this, but damn sure it's better in then outecho "1" > /proc/sys/net/ipv4/ip_forward# Ok, lets get to building a bridge$BRCTL addbr $BRIDGE# We probably don't need stp, if you have more then one bridge# I suggest you invest time into thinking about stp$BRCTL stp $BRIDGE off# Add some interfaces to our bridge$BRCTL addif $BRIDGE $IF1$BRCTL addif $BRIDGE $IF2# Now that we're over that, we'll bring up the interfaces$IFCONFIG $IF1 up$IFCONFIG $IF2 up$IFCONFIG $BRIDGE $BRIDGEIP up# Add a route$ROUTE add default gw $GATEWAY# Save some typingINPUT="${IPTABLES} -A INPUT"# Now, we havn't put all this effort in to be insecure, so we'll drop all incomming# packets by default$IPTABLES -P INPUT DROP# We better let established and related packets in, or we might not do much talking$INPUT -d ${IP}/32 -m state --state ESTABLISHED,RELATED -j ACCEPT# SSH is handy for remote administration, for the love of god either use a sshkey or# a realy good password (both preferably)$INPUT -p TCP -d ${IP}/32 --destination-port 22 -j ACCEPT# Ok, I'm to lazy to look up ICMP codes, so we'll just let all ICMP in$INPUT -p ICMP -d ${IP}/32 -j ACCEPT# Explicitly allow traffic into squid - without this the traffic wanders off into# the other side of the bridge$INPUT -i $BRIDGE -p TCP -d ${IP}/32 -s $LAN --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT# Save on typingFORWARD="${IPTABLES} -A FORWARD"# Now, we havn't put all this effort in to be insecure, so we'll drop all forwarded# packets by default$IPTABLES -P FORWARD DROP# We better let established and related packets through, or we might not do much talking$FORWARD -d $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT# Ok, I'm to lazy to look up ICMP codes, so we'll just let all ICMP through$FORWARD -p ICMP -s $LAN -j ACCEPT# Permit ssh traffic$FORWARD -p TCP -s $LAN --destination-port 22 -j ACCEPT# Permit DNS traffic - you and I might be fine with IP addresses but normal# people prefer the friendly name$FORWARD -p UDP -s $LAN --destination-port 53 -j ACCEPT# Let SMTP, POP3, and IMAP in for all our mail tasks$FORWARD -p TCP -s $LAN --destination-port 25 -j ACCEPT$FORWARD -p TCP -s $LAN --destination-port 110 -j ACCEPT$FORWARD -p TCP -s $LAN --destination-port 143 -j ACCEPT# Let ftp through, you might want to remove it$FORWARD -p TCP -s $LAN --destination-port 21 -j ACCEPT# Let https through, we can't do much to transparently proxy this$FORWARD -p TCP -s $LAN --destination-port 443 -j ACCEPT# Set up the transparent proxy$IPTABLES -t nat -A PREROUTING -i $BRIDGE -p tcp --dport 80 -j REDIRECT --to-port 3128# Add your own rules below here$IPTABLES -I FORWARD -p TCP -d 192.168.0.2 --destination-port 5190 -j ACCEPTOk, now we save that file somewhere convenient (I like to make a scripts dir in / and put my scripts in there) and then
[root@localhost root]# chmod +x br.sh
Step 6 -=- Configure your squid
Ok, now that’s beyond the scope of this document, but basicly you just need to let your network out.
Step 7 -=- Make it happen on boot
We cheat here… there’s so much we should do with this script, but as this is pretty much a dedicated system you can cheat.
[root@localhost root]# ln -s /scripts/br.sh /etc/rc2.d/S99br.sh
After another reboot we should be running our firewall bridge.
Note: you might want to remove all the interface info for the eth’s you used from /etc/network/interfaces otherwise you will probably run into issue.