Configure an old PC, hard-disk free,

as a safe Internet Gateway


Don't throw that old PC away just yet: it still has some life in it. No matter how slow your old PC is, it can always be used as a router, and your old router as a switch. All you need is two NIC cards for it. Originally I did this on a Pentium 3 with 256 MB of memory and a 10 GB HD. I had that setup for around 6 months before the hard disk finally died. So I looked around for a solution that is hard-disk free and more secure... you can't install a rootkit on a read-only medium!! (A running system can still be tampered with in memory, but nothing an attacker plants survives a reboot.)

Iptables is a very flexible tool for configuring a Linux box as a free Linux firewall and Linux router to share an internet connection. So these notes are about configuring a Linux box as a secure and safe internet gateway using iptables.

I'm always comfortable with Fedora Core, so I used a Fedora-based distro named NST - Network Security Toolkit. That is a Linux live CD (based on Fedora Core 5) mainly devoted to network security, which means it has all the necessary software gear to analyze and study the network.

Features:

Use the NST live CD to boot up a safe and unwritable Linux system, and load the whole gateway setup (20 KB) from a read-only floppy. The gateway is completely closed to prevent attacks: only two Master PCs in the dirty network can administer it, by ssh or https. The safe local network has a DHCP server to allow "dynamic" network connections.


USAGE

Download the latest NST CD ISO image (can be downloaded here ) and burn it.

Put it into the old PC and adjust the boot options to boot from CD.

Select the default boot option of the NST boot menu.

During the bootup, choose the new administrator password.

On another linux box prepare a clean floppy:

>fdformat /dev/fd0H1440

>mkfs.ext2 /dev/fd0

>mount -t ext2 /dev/fd0 /mnt/floppy

Download all the files from gateway.tar

Copy it to /mnt/floppy and untar it there with:

> cd /mnt/floppy && tar xvf gateway.tar

Adjust the files and scripts as suggested in the section below, and at the end start your gateway:

>/mnt/floppy/startgw.sh
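Before running startgw.sh it is worth checking that the floppy really contains what the scripts expect. The pre-flight check below is an added example, not part of gateway.tar or of NST; it assumes the file names that startgw.sh looks for under /mnt/floppy (ifcfg_eth0, ifcfg_eth1, dhcpd.conf, setup_dns.sh, router.sh, startgw.sh) and that unfilled placeholders look like "<number...>" as in the listings in the HOWTO section.

```shell
#!/bin/sh
# Added example (not part of gateway.tar): pre-flight check of the gateway
# floppy. Usage:  sh check_floppy.sh /mnt/floppy
# Assumptions: the file names below are the ones startgw.sh copies or runs,
# and placeholders still to be filled in start with "<number".

GW_CONFIGS="ifcfg_eth0 ifcfg_eth1 dhcpd.conf"
GW_SCRIPTS="setup_dns.sh router.sh startgw.sh"

# check_gateway_floppy DIR
# Prints one line per problem and returns the number of problems (0 = ready).
check_gateway_floppy() {
  dir="$1"
  problems=0

  # Every config and script must be present and must not carry a placeholder.
  for f in $GW_CONFIGS $GW_SCRIPTS; do
    if [ ! -f "$dir/$f" ]; then
      echo "MISSING  $f"
      problems=$((problems + 1))
      continue
    fi
    if grep -q '<number' "$dir/$f"; then
      echo "PLACEHOLDER left in $f:"
      grep -n '<number' "$dir/$f" | sed 's/^/    /'
      problems=$((problems + 1))
    fi
  done

  # startgw.sh runs the scripts directly, so they need the executable bit.
  for s in $GW_SCRIPTS; do
    [ -f "$dir/$s" ] || continue
    if [ ! -x "$dir/$s" ]; then
      echo "NOT EXECUTABLE  $s (chmod +x needed)"
      problems=$((problems + 1))
    fi
  done

  # MASTER1/MASTER2 are used as -s/-d arguments of the ssh rules in router.sh,
  # so each must be a single IPv4 address.
  if [ -f "$dir/router.sh" ]; then
    for m in MASTER1 MASTER2; do
      v=$(sed -n "s/^$m=\(.*\)$/\1/p" "$dir/router.sh" | head -n 1)
      case "$v" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*) ;;
        *) echo "BAD $m in router.sh: '$v' is not an IPv4 address"
           problems=$((problems + 1)) ;;
      esac
    done
  fi

  return "$problems"
}

if [ "$#" -gt 0 ]; then
  if check_gateway_floppy "$1"; then
    echo "floppy looks ready: run $1/startgw.sh"
  else
    echo "fix the problems above before running startgw.sh"
  fi
fi
```

The exit status is the number of problems found, so the check can also be chained in front of the start command: "sh check_floppy.sh /mnt/floppy && /mnt/floppy/startgw.sh".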

ENJOY !!!



HOWTO

Set up the necessary files and scripts


Note: you can download all the following files and scripts here (gateway.tar ).

I have the "dirty" Internet network connection on eth0, with a fixed IP, and the "clean" internal network on eth1. The ifcfg-eth0 file, configured to set the network information statically, is as follows:

DEVICE=eth0
BOOTPROTO=none
IPADDR=<number>
NETMASK=255.255.255.0
NETWORK=<number.0>
BROADCAST=<number.255>
GATEWAY=<number>
ONBOOT=yes

but if your "dirty" Internet connection is based on DHCP, the same file looks like this:

DEVICE=eth0
BOOTPROTO=dhcp

The file for the "clean" internal network, ifcfg-eth1, is:

DEVICE=eth1
BOOTPROTO=none
IPADDR=192.168.0.1
NETMASK=255.255.255.0
NETWORK=192.168.0.0
BROADCAST=192.168.0.255
ONBOOT=yes

To setup the DNS I've prepared a small script named setup_dns.sh :


#!/bin/bash
#
# Adds DNS Servers
echo ""
echo ""
echo "Re_Write /etc/resolv.conf to setup mynetwork.org DNS servers "
echo ""
echo "#setup_dns.sh script!!" > /etc/resolv.conf
echo "search mynetwork.org" >> /etc/resolv.conf
echo "nameserver <numberDNS1>" >> /etc/resolv.conf
echo "nameserver <numberDNS2>" >> /etc/resolv.conf
#

The dhcpd.conf file has been configured to serve the clean network and hand out IPs to the PCs that connect via DHCP:

ddns-update-style interim;
ignore client-updates;

subnet 192.168.0.0 netmask 255.255.255.0 {

# --- default gateway
        option routers                  192.168.0.1;
        option subnet-mask              255.255.255.0;

        option nis-domain               "mynetwork.org";
        option domain-name              "mynetwork.org";
#       option domain-name-servers      192.168.1.1;
        option domain-name-servers      <numberDNS1>, <numberDNS2>;

        option time-offset              -18000; # Eastern Standard Time
#       option ntp-servers              192.168.1.1;
#       option netbios-name-servers     192.168.1.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
#       option netbios-node-type 2;

        range dynamic-bootp 192.168.0.128 192.168.0.254;
        default-lease-time 21600;
        max-lease-time 43200;
}

The router setup (iptables, NAT, IP forwarding) is based on the script named router.sh :

#!/bin/bash
#
# MASTER PCs IP to manage the gateway (ssh _or_ https)
#
MASTER1=<numberIpMaster1>
MASTER2=<numberIpMaster2>
#
#
# cleanInterface (eth1)
#    Network Interface used to connect the NST system to your LAN.
#
# dirtyInterface (eth0)
#    Network Interface used to connect the NST system to the Internet.
#
# cleanNetwork (192.168.0.0/24)
#    The clean network (your internal LAN).
#
# portForwards (optional ARRAY)
#    Allows one to specify where to forward connection attempts from the
#    Internet to the internal LAN. This optional feature permits one to
#    make specific services within the LAN available through the Internet.

# Adjust the following for your configuration

cleanInterface="eth1";
dirtyInterface="eth0";
cleanNetwork="192.168.0.0/24";

portForwards=(
# Redirect Internet connections to 22222 to ssh service on this NST probe
# 22222 127.0.0.1 22
# Redirect Internet connections to 8080 to http server
# running on 192.168.0.10 in the LAN
# 8080 192.168.0.10 80
)

#
# What follows should not require any adjustments
#

add_port_forwards() {
  local pfsize="${#portForwards[@]}";
  local n="$((pfsize / 3))";
 
  # Verify table has 3 entries for each row
  if (( pfsize != (n * 3) )); then
    cat <<EOF
***Error*** There should be 3 fields for each port forward table entry.
However, there were ${pfsize} total fields found. Your port forwarding
table is being ignored.

EOF
    return 1;
  fi
 
  # Install port forwards
  for ((i=0; i < n; i++)); do
    local dport="${portForwards[i*3]}";
    local cip="${portForwards[i*3+1]}";
    local cport="${portForwards[i*3+2]}";

    echo "Forwarding connections to port \"${dport}\" to \"${cip}:${cport}\"";
    $iptables -t nat -I PREROUTING -i ${dirtyInterface} -p tcp --dport ${dport} -j DNAT --to-destination ${cip}:${cport}
    # DNAT in PREROUTING has already rewritten the destination, so FORWARD
    # sees the LAN host's port (cport), not the public port (dport).
    $iptables -A FORWARD -i ${dirtyInterface} -p tcp -s 0/0 -d ${cip}/32 --destination-port ${cport} --syn -j ACCEPT
  done
}

# set a few variables
echo ""
echo "setting global variables"
echo ""
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
iptables="/sbin/iptables"
 
# adjust /proc
echo "applying general security settings to /proc filesystem"
echo ""
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi
 
#echo "  applying port forwarding rules"
echo ""
echo "flush any existing chains and set default policies"
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT
 
# setup nat
echo "applying nat rules"
echo ""
$iptables -F FORWARD
$iptables -F -t nat
$iptables -P FORWARD DROP
$iptables -A FORWARD -i ${cleanInterface} -j ACCEPT
$iptables -A INPUT -i ${cleanInterface} -j ACCEPT
$iptables -A OUTPUT -o ${cleanInterface} -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t nat -A POSTROUTING -s ${cleanNetwork} -o ${dirtyInterface} -j MASQUERADE
 
# allow all packets on the loopback interface
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
 
# allow established and related packets back in
$iptables -A INPUT -i ${dirtyInterface} -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# blocking reserved private networks incoming from the internet
echo "applying incoming internet blocking of reserved private networks"
echo ""
$iptables -I INPUT -i ${dirtyInterface} -s 10.0.0.0/8 -j DROP
$iptables -I INPUT -i ${dirtyInterface} -s 172.16.0.0/12 -j DROP
$iptables -I INPUT -i ${dirtyInterface} -s 192.168.0.0/16 -j DROP
$iptables -I INPUT -i ${dirtyInterface} -s 127.0.0.0/8 -j DROP
$iptables -I FORWARD -i ${dirtyInterface} -s 10.0.0.0/8 -j DROP
$iptables -I FORWARD -i ${dirtyInterface} -s 172.16.0.0/12 -j DROP
$iptables -I FORWARD -i ${dirtyInterface} -s 192.168.0.0/16 -j DROP
$iptables -I FORWARD -i ${dirtyInterface} -s 127.0.0.0/8 -j DROP
 
# icmp
echo "applying icmp rules"
echo ""
$iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
$iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p icmp --icmp-type echo-request -i ${dirtyInterface} -j DROP
 
# apply icmp type match blocking
echo "applying icmp type match blocking"
echo ""
$iptables -I INPUT -p icmp --icmp-type redirect -j DROP
$iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
$iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-reply -j DROP
 
# custom port forwarding rules
echo "applying port forwarding rules"
echo ""
add_port_forwards;

#accept https access from the MASTER PCs only (only the two Masters may
#administer the gateway by ssh or https, see Features)
echo "applying https MASTERs accept rules"
echo ""
$iptables -A INPUT -i ${dirtyInterface} -p TCP --dport 443 -s $MASTER1 -j ACCEPT
$iptables -A OUTPUT -o ${dirtyInterface} -p TCP --sport 443 -d $MASTER1 -j ACCEPT
$iptables -A INPUT -i ${dirtyInterface} -p TCP --dport 443 -s $MASTER2 -j ACCEPT
$iptables -A OUTPUT -o ${dirtyInterface} -p TCP --sport 443 -d $MASTER2 -j ACCEPT
#accept ssh from MASTER PCs
echo "applying ssh MASTERs accesses rules"
echo ""
$iptables -A INPUT -i ${dirtyInterface} -p TCP --dport 22  -s $MASTER1 -j ACCEPT
$iptables -A OUTPUT -o ${dirtyInterface} -p TCP --sport 22  -d $MASTER1 -j ACCEPT
$iptables -A INPUT -i ${dirtyInterface} -p TCP --dport 22  -s $MASTER2 -j ACCEPT
$iptables -A OUTPUT -o ${dirtyInterface} -p TCP --sport 22  -d $MASTER2 -j ACCEPT

 
# drop all other packets
echo "applying default drop policies"
echo ""
$iptables -A INPUT -i ${dirtyInterface} -p tcp --dport 0:65535 -j DROP
$iptables -A INPUT -i ${dirtyInterface} -p udp --dport 0:65535 -j DROP
echo "### quicktables is loaded ###"
echo ""
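Once router.sh has run, the loaded ruleset can be dumped with iptables-save and checked against the design these notes describe: DROP policies on INPUT and FORWARD, a single MASQUERADE for the clean network, anti-spoofing DROPs for the private ranges arriving on the dirty interface, and the management ports (22 and 443) accepted only from single /32 hosts. The audit script below is an added example, not part of router.sh or of NST; the rules file embedded in it is written by hand in iptables-save syntax (with the documentation addresses 198.51.100.7 and 198.51.100.8 standing in for the MASTER PCs), not captured from a real gateway.

```shell
#!/bin/sh
# Added example (not part of router.sh or NST): audit an iptables-save dump
# against the gateway design. Usage on the gateway:
#   iptables-save > /tmp/rules.txt && sh audit_gw.sh /tmp/rules.txt

DIRTY_IF="eth0"             # same values as in router.sh
CLEAN_NET="192.168.0.0/24"

# write_sample_rules FILE: constructed iptables-save output (hand-written, not
# captured) of what router.sh is expected to load; the MASTER addresses are
# placeholders from the documentation range.
write_sample_rules() {
  cat > "$1" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.0/8 -i eth0 -j DROP
-A INPUT -s 192.168.0.0/16 -i eth0 -j DROP
-A INPUT -s 172.16.0.0/12 -i eth0 -j DROP
-A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 198.51.100.7/32 -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 198.51.100.8/32 -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 198.51.100.7/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 198.51.100.8/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 127.0.0.0/8 -i eth0 -j DROP
-A FORWARD -s 192.168.0.0/16 -i eth0 -j DROP
-A FORWARD -s 172.16.0.0/12 -i eth0 -j DROP
-A FORWARD -s 10.0.0.0/8 -i eth0 -j DROP
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# audit_gateway_rules FILE: prints one line per violated invariant and
# returns the number of violations (0 means the ruleset matches the design).
audit_gateway_rules() {
  rules="$1"
  fails=0

  # 1. Filter policies: whatever is not explicitly allowed must be dropped.
  for chain in INPUT FORWARD; do
    if ! grep -q -- "^:$chain DROP" "$rules"; then
      echo "FAIL policy: chain $chain is not DROP"
      fails=$((fails + 1))
    fi
  done

  # 2. NAT: exactly one MASQUERADE for the clean network leaving the dirty side.
  n=$(grep -c -- "^-A POSTROUTING -s $CLEAN_NET -o $DIRTY_IF -j MASQUERADE" "$rules" || true)
  if [ "$n" -ne 1 ]; then
    echo "FAIL nat: expected 1 MASQUERADE for $CLEAN_NET on $DIRTY_IF, found $n"
    fails=$((fails + 1))
  fi

  # 3. Anti-spoofing: private/loopback sources from the dirty interface are
  #    dropped for the gateway itself (INPUT) and for the LAN (FORWARD).
  for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
    for chain in INPUT FORWARD; do
      if ! grep -q -- "^-A $chain -s $net -i $DIRTY_IF -j DROP" "$rules"; then
        echo "FAIL antispoof: no DROP of $net on $chain from $DIRTY_IF"
        fails=$((fails + 1))
      fi
    done
  done

  # 4. Management: every ACCEPT of tcp/22 or tcp/443 from the dirty interface
  #    must name a single source host (-s a.b.c.d/32), i.e. a MASTER PC.
  for port in 22 443; do
    bad=$(grep -- "^-A INPUT " "$rules" | grep -- " -i $DIRTY_IF " \
          | grep -- " --dport $port " | grep -- " -j ACCEPT" \
          | grep -vc -- " -s [0-9.]*/32 " || true)
    if [ "$bad" -ne 0 ]; then
      echo "FAIL admin: $bad ACCEPT rule(s) for tcp/$port on $DIRTY_IF without a /32 source"
      fails=$((fails + 1))
    fi
  done

  return "$fails"
}

if [ "$#" -gt 0 ]; then
  audit_gateway_rules "$1" && echo "ruleset matches the gateway design"
fi
```

Because the checks match the canonical iptables-save form (source before interface, state names in the order the kernel module prints them), the file must come from iptables-save rather than from the rules as typed in router.sh.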

Lastly, for a fast start I've written a script that makes the gateway startup simple: startgw.sh


#!/bin/bash
#
# Adjust the following for your configuration

echo ""
echo ""
echo "setting global variables"
echo ""
cp="/bin/cp"
#
# Config the NIC cards eth0 eth1
echo "Setup eth0 and eth1; and restart the network"
echo ""
if [ -e /mnt/floppy/ifcfg_eth0 ]; then $cp /mnt/floppy/ifcfg_eth0 /etc/sysconfig/network-scripts/ifcfg-eth0 ; fi
if [ -e /mnt/floppy/ifcfg_eth1 ]; then $cp /mnt/floppy/ifcfg_eth1 /etc/sysconfig/network-scripts/ifcfg-eth1 ; fi
/etc/init.d/network restart
#
# Config the dhcp server
echo "Config the dhcpd server and start it"
echo ""
if [ -e /mnt/floppy/dhcpd.conf ]; then $cp /mnt/floppy/dhcpd.conf /etc/dhcpd.conf ; fi
/etc/init.d/dhcpd start

# adjust /etc/resolv.conf
echo "Setup DNS servers: it means: re_write /etc/resolv.conf"
echo ""
if [ -e /mnt/floppy/setup_dns.sh ]; then /mnt/floppy/setup_dns.sh ; fi
#
#
# apply the router rules
echo "Setup the router _and_ firewall rules"
echo ""
if [ -e /mnt/floppy/router.sh ]; then /mnt/floppy/router.sh ; fi