Jump to content



Photo

Linux gateway/router issues, please help!

linux debian gateway router

  • Please log in to reply
58 replies to this topic

#31 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 90
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 06 January 2013 - 16:34

"though would have been prepared to do this myself"

Just so you know - updating those would not be free ;) Cisco is not cheap!! You can pick up older hardware from 3rd party for not all that much. But the images they have installed is where lots of cost comes from.

Now (cough, cough) you might have alternate sources for your images?? Now some people might be ok with (cough, cough) sharing images if they know its only going to go on VM for learning.. Putting on actual hardware is a different matter, and brings into question other concerns of trust and where that hardware might end up in the end, etc.

As to securing your network - any of the distros out there will be good. Keep in mind you made no mention of an application firewall or reverse proxy. If you looking to secure web/ftp applications a normal firewall does not promise any extra security for flaws/exploits into those applications.

Your firewall to will allow you to secure it from who you don't want to access it - but if you open that up to the public net, then the security of the application comes down to that application. Not the firewall that just provided access - if that is your concern then you need to look for a reverse proxy, etc. that can filter for application exploits and block them, etc.

edit: that is info about the feature set, not the actual feature set image. Again (cough, cough) actual purchase of the feature set is NOT CHEAP!!


#32 OP Captain_Rainbowbeard

Captain_Rainbowbeard

    Neowinian

  • Joined: 05-January 13
  • Location: London, UK
  • OS: Debian, Windows 7 & Server 2008 R2
  • Phone: Galaxy S3 I9300-GT

Posted 06 January 2013 - 16:48

"though would have been prepared to do this myself"

Just so you know - updating those would not be free ;) Cisco is not cheap!! You can pick up older hardware from 3rd party for not all that much. But the images they have installed is where lots of cost comes from.

Now (cough, cough) you might have alternate sources for your images?? Now some people might be ok with (cough, cough) sharing images if they know its only going to go on VM for learning.. Putting on actual hardware is a different matter, and brings into question other concerns of trust and where that hardware might end up in the end, etc.


Of course, I wouldn't even dream of promoting the unauthorized use and sharing of proprietary images for illegitimate purposes, even if the hardware were only to be used for study purposes and will not be sold or passed on to anyone else after use. I fully understand and adhere to strict proprietary software licences, after all, all of my software is entirely legit and paid for... :rolleyes: (or open source in accordance the GNU General Public License Agreement)

As to securing your network - any of the distros out there will be good. Keep in mind you made no mention of an application firewall or reverse proxy. If you looking to secure web/ftp applications a normal firewall does not promise any extra security for flaws/exploits into those applications.

Your firewall to will allow you to secure it from who you don't want to access it - but if you open that up to the public net, then the security of the application comes down to that application. Not the firewall that just provided access - if that is your concern then you need to look for a reverse proxy, etc. that can filter for application exploits and block them, etc.


Could you recommend a 'free' solution of this manner for Server 2008 R2?

edit: that is info about the feature set, not the actual feature set image. Again (cough, cough) actual purchase of the feature set is NOT CHEAP!!


My mistake, this was a link someone else sent me...

#33 n_K

n_K

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 19-March 06
  • Location: here.
  • OS: FreeDOS
  • Phone: Nokia 3315

Posted 06 January 2013 - 20:32

If you want you could do what I did, keep the NAT setup on debian and get SNORT/Suricata and put that on it and run it in IPS which will protect your servers and clients :)

#34 OP Captain_Rainbowbeard

Captain_Rainbowbeard

    Neowinian

  • Joined: 05-January 13
  • Location: London, UK
  • OS: Debian, Windows 7 & Server 2008 R2
  • Phone: Galaxy S3 I9300-GT

Posted 06 January 2013 - 20:42

If you want you could do what I did, keep the NAT setup on debian and get SNORT/Suricata and put that on it and run it in IPS which will protect your servers and clients :)


Nice idea though sadly this still leaves me with the issue of my improperly configured NAT not allowing me access the FTP server from outside of my .1 network and vice/versa :/ and thus back to the beginning of my problem...

#35 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 90
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 07 January 2013 - 12:56

Or you could just run pfsense and install the snort package.

Who do you want to be able to access your ftp server?? People on the .0 or people on the internet? Cuz people on the internet is not going to happen unless you have control or access to the nat router between the .0 and the internet to create the forward to your .0 address.

#36 OP Captain_Rainbowbeard

Captain_Rainbowbeard

    Neowinian

  • Joined: 05-January 13
  • Location: London, UK
  • OS: Debian, Windows 7 & Server 2008 R2
  • Phone: Galaxy S3 I9300-GT

Posted 07 January 2013 - 14:00

Or you could just run pfsense and install the snort package.

Who do you want to be able to access your ftp server?? People on the .0 or people on the internet? Cuz people on the internet is not going to happen unless you have control or access to the nat router between the .0 and the internet to create the forward to your .0 address.


People on the internet mostly, though accessing the the router that connects to the internet is no problem, the first thing I did when I moved in was demanded the admin password to the router configuration setup from the landlord so am able to forward ports no problem :laugh: Was able to access my web server via the internet before I introduced my Debian nat gateway to the scenario...

#37 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 25
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 07 January 2013 - 14:39

many routers do not like a double nat scenerio. esp soho routers. You would have to forward the port to your debian from your router then forward the port from your debian to your computer.

#38 OP Captain_Rainbowbeard

Captain_Rainbowbeard

    Neowinian

  • Joined: 05-January 13
  • Location: London, UK
  • OS: Debian, Windows 7 & Server 2008 R2
  • Phone: Galaxy S3 I9300-GT

Posted 07 January 2013 - 15:09

many routers do not like a double nat scenerio. esp soho routers. You would have to forward the port to your debian from your router then forward the port from your debian to your computer.


Makes sense, though was having trouble forwarding ports using IPtables due to unfamiliarity with the correct syntax, found a great deal of guides on the web though none of them really explained in detail exactly how to correctly construct the syntax of the tables and as such any attempt I made to do so broke the nat routing on the Debian box. I am beginning to sway towards the idea of installing pfsense and setting this up as this would allow me to configure the route properly and as such I would be able to see what correct IPtables and configurations should look like for my purposes.

#39 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 90
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 07 January 2013 - 16:26

"I would be able to see what correct IPtables and configurations should look like for my purposes."

Not if you go with pfsense it wouldn't it would allow you to see the correct PF syntax - since pfsense runs on freebsd, and freebsd uses PF not iptables.

You could go with a router/firewall disto that uses iptables though if that is your ultimate goal. I do believe ipcop using iptables since it is linux based. If you goal is to be able to use a simple gui to admin iptables, and then look at the underlying actual iptables rules then something other than pfsense should be your choice.

If your goal is to have a very stable, secure and very well supported and developed distro to use as your gateway/firewall then I would highly suggest pfsense.

As sc302 stated if you have access to the .0 nat router to the internet - then yeah you just need to create the forward to whatever your router .0 wan interface is. Good idea to set this as static outside the .0 routers dhcp servers scope, or setup dhcp reservation in that router for your routers wan interface mac so it always has the same IP if your going to do this.

My question is what if some user on the .0 wants to forward ports to their IP - do they also have access? Only 1 person would be able to forward port 21.

Also keep in mind with ftp, and double nat you can run into some issues. Are you going to be doing active or passive connections? Now many soho and router distros do have ftp helpers to work through the data port to be open and changing the IP to the public one that the ftp server might send, etc. But with a double nat you can have problems, etc. You can make it work if you have access to both routers, but its more complicated to be sure.

As with anything its a good idea to fully understand the protocol in question to get it to work through a firewall - here is a great reference for ftp active vs passive, etc.

http://slacksite.com/other/ftp.html

#40 n_K

n_K

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 19-March 06
  • Location: here.
  • OS: FreeDOS
  • Phone: Nokia 3315

Posted 07 January 2013 - 16:31

When I was doing the iptables for my two snort IPS systems, I searched and searched the net and found virtually nothing, some examples that didn't really work, had to spend ages looking at how iptables worked and eventually (after many attempts) got my own syntax and rules to work fine.

#41 OP Captain_Rainbowbeard

Captain_Rainbowbeard

    Neowinian

  • Joined: 05-January 13
  • Location: London, UK
  • OS: Debian, Windows 7 & Server 2008 R2
  • Phone: Galaxy S3 I9300-GT

Posted 18 January 2013 - 16:17

Not if you go with pfsense it wouldn't it would allow you to see the correct PF syntax - since pfsense runs on freebsd, and freebsd uses PF not iptables. You could go with a router/firewall disto that uses iptables though if that is your ultimate goal.


Once again my mistake, at this point I am not too concerned about getting to grips with IPtables specifically, just making a working configuration is my current goal...

My question is what if some user on the .0 wants to forward ports to their IP - do they also have access? Only 1 person would be able to forward port 21.


Fortunately no one else in the building has any requirement, desire or technical know-how to forward ports so access to port forwarding configuration is entirely in my hands and the entire port range is available for my use. :D

Also keep in mind with ftp, and double nat you can run into some issues. Are you going to be doing active or passive connections? Now many soho and router distros do have ftp helpers to work through the data port to be open and changing the IP to the public one that the ftp server might send, etc. But with a double nat you can have problems, etc. You can make it work if you have access to both routers, but its more complicated to be sure. As with anything its a good idea to fully understand the protocol in question to get it to work through a firewall.


Thanks for the link, I will look into it later today before I set up my pfsense, you are correct that I should understand what I am going to do before I set it up, with regards to potential issues with double NAT with FTP I am quite happy to explore my options and do a little experimentation...

#42 OP Captain_Rainbowbeard

Captain_Rainbowbeard

    Neowinian

  • Joined: 05-January 13
  • Location: London, UK
  • OS: Debian, Windows 7 & Server 2008 R2
  • Phone: Galaxy S3 I9300-GT

Posted 02 February 2013 - 14:27

Ok, so I have installed pfSense as my router/firewall OS and am rather happy with this, the web based configuration is wonderful and very feature rich and now, happily, NAT is working correctly and proving a smooth connection with no issues. It's certainly more than I could have hoped for and any previous reluctance I had regarding using this has now evaporated though, sorry to say, I do still require some further advice...

I am having some issues with port forwarding, to be quite honest I am unsure of how to make double port forwarding work correctly, I have been testing this with my soulseek client as it allows for the option of testing if your port forwarding configuration is working correctly and am repeatedly being told that the port is closed. here are some details that may help:

ADSL router IP is still 192.168.0.1
WAN interface on pfSense box is 192.168.0.20 (provided by DHCP on .0 subnet, statically assigned)
LAN interface on pfSense box is 192.168.1.1 (providing DHCP to .1 subnet)
Soulseek client is running on .1 subnet on workstation 192.168.1.100
Soulseek port 40069

Could anyone please advise on how to correctly set a firewall rule on my pfSense to forward this port correctly? I have already opened port 40069 on the ADSL router to 192.168.0.20, it is from here on I am having issues.

Thanks again all :)

#43 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 90
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 03 February 2013 - 14:04

What to you mean opened it? You need to forward it as well, if your going to run in a double nat setup. It going to be easier to just put the ip address of pfsense wan into DMZ, or exposed HOST of your adsl router - now ALL unsolicited traffic will be sent to pfsense wan IP.

But if not that port tcp from what quick google says for soulseeker needs to be forwarded to the pfsense wan IP on that port. Double check your settings, did the IP of pfsense wan change? Post up your settings and we can take a look.

Do you have anyway to put that adsl router into bridge mode so that pfsense gets public IP!

Then just forward whatever ports you want to whatever IPs behind pfsense you want to see the traffic.

So I would for a test, sniff on your pfsense wan interface - do you test, do you see the packets?? If not then pfsense is never seeing anything to be able to forward. If you see the traffic then you have something wrong in pfsense forwards. Under diag menu the packet capture item.

#44 OP Captain_Rainbowbeard

Captain_Rainbowbeard

    Neowinian

  • Joined: 05-January 13
  • Location: London, UK
  • OS: Debian, Windows 7 & Server 2008 R2
  • Phone: Galaxy S3 I9300-GT

Posted 03 February 2013 - 14:42

Thanks again for the response.

What to you mean opened it? You need to forward it as well


My apologies, yes, port is forwarded...

For the record I have now managed to successfully forward this port via the double NAT setup, it appears that I was missing quite a crucial stage in forwarding the port I required on my pfSense via a NAT forwarding rule as apposed to just a firewall rule, upon creation of the NAT rule a firewall rule was automatically created to accommodate and now the port forwarding is working as needed.

This is beginning to make much more sense to me now. :D

It going to be easier to just put the ip address of pfsense wan into DMZ, or exposed HOST of your adsl router - now ALL unsolicited traffic will be sent to pfsense wan IP.


Hmm, please elaborate further, is this not a little bit of a security flaw?

Do you have anyway to put that adsl router into bridge mode so that pfsense gets public IP!


Sorry, no, my ADSL router is installed with default firmware from Virgin and has limited control over the routers capabilities.

So I would for a test, sniff on your pfsense wan interface - do you test, do you see the packets??



Upon sniffing on the WAN interface I appear to have captured an awful lot of packets from a variety of different global IPs to a widely varying range of ports! Is this ok?


Anyways, now that I have the port forwarding issue resolved I have one more question:

I have an SMB server running on the .1 subnet and would like to allow other machines on the .0 subnet to be able to access and use these resources, is there any special way to allow this level of communication across different subnets? A friend of mine told me that by default SMB is distributed across the broadcast address, is this correct? If so is it just a matter of creating an appropriate NAT/firewall rule or is there some particular method to allow hosts outside of .1 to 'see' hosts within it?

#45 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 90
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 03 February 2013 - 15:20

Why do you have boxes on the 0 network? Are these wireless clients to your isp router?

Are boxes on the 0 network to be considered hostile? Why do you want to run boxes behind pfsense and then have your own boxes on its wan side?

No smb does not go over broadcast, but broadcast can be used as a way to resolve a netbios name box with a smb share.. You could allow SMB or CIFS or whatever other file sharing you want to allow be it ftp, webdav, scp, sftp, AFP, etc.

But if these wireless boxes are under your control and you want them to be able to broadast for names and access your other boxes on the .1 network.. I would change out your setup.

Before we talk about that - its a Firewall yes there will be lots of noise/traffic on the WAN side.. And if you have clients on wireless clients on the 0 network you would be seeing that traffic as well.

Forwarding all ports, ie dmz, exposed host on your isp router to your pfsense would just mean pfsense would working as designed and seeing all the internet noise and then firewalling it, etc.

But I would prob suggest you change your config a bit and remove clients off the 0 and everything should be on the .1 behind pfsense.

So I would turn off wireless on your isp router, then get a wireless router and put it behind your pfsense as AP.. Then since you can not put your isp gateway into bridge mode. Set pfsense wan as dmz or exposed host on it - nothing would need to be on the 0 network now other than pfsense.

All your wireless and wired boxes behind pfsense would have access to file shares, could broadcast for names, etc. Now you wouldn't have to worry about doing forwards on 2 devices, isp router and pfsense when you want to allow unsolicited traffic inbound to one of your boxes behind pfsense. And the double nat can almost become mute - until you run into something that doesn't like double nats - ftp can be a bit of a pain as one example.