Once in a while our home server dies, gets reinstalled because someone opened up the webserver so anyone could execute arbitrary code, or is simply replaced because it is time for new hardware; today it was the latter.
Oracle’s current specs:
- AMD Athlon(tm) Dual Core Processor 4450e
- 768MB of DDR2-RAM
- 100Gb of filesystem
- 1.5Tb in RAID-5
- 2 network interfaces: 1 Gigabit, 1 100Mbit
- some fancy mainboard with surroundsound output and VGA/DVI
So, what does she do, you ask? Oracle is our everything. She is called Oracle because she sees and knows everything that happens inside our network and can foresee which packets will reach our system. She is the gateway to the Matrix.
She runs a bunch of stuff making our daily life a lot easier. Her most important task is to protect the Matrix from the outside world whilst connecting us with it, firewalling, routing traffic, NAT’ing, all done with Firehol.
Firehol is by far the easiest iptables front-end I have ever come across, and although it looks primitive at first sight it is incredibly powerful once you get the hang of it.
Today some basic stuff: how to firewall your connections and NAT traffic so the clients behind the gateway can connect to the internet:
```
sudo apt-get install firehol ulogd
sudo sed -i s/NO/YES/g /etc/default/firehol
```
Time to edit /etc/firehol/firehol.conf with your favorite editor (do this as sudo’er or root):
```
version 5
FIREHOL_LOG_MODE="ULOG"

# internal interface, accept all connections from the matrix to the gateway, trusted network
interface eth0 matrix
    client all accept
    server all accept

# the internet, do some protective stuff and accept only http and ssh connections
interface eth2 ziggo
    protection strong
    client all accept
    server ssh accept
    server http accept

# campusnet, home of the evil nerds, allow all connections to campusnet
# but prevent campusnet from being able to connect to us
interface tap0 utwente
    protection strong
    client all accept
    server all reject

# route traffic originating from within the matrix to the outside world
router matrix2ziggo inface "eth0" outface "eth2"
    client all accept
    route all accept
    masquerade

# route traffic originating from within the matrix to campusnet
router matrix2utwente inface "eth0" outface "tap0"
    client all accept
    route all accept
    masquerade
```
That’s all I need to tell Firehol for it to protect our interfaces and NAT traffic to the outside world and to campusnet; it really doesn’t get much simpler.
A few things:
- tap0 is an openVPN interface which connects the matrix to campusnet
- ziggo is the name of our ISP
- the names assigned to the interfaces (such as matrix or matrix2ziggo) are completely arbitrary
- we install and use ulogd so that firehol will log to /var/log/ulog/syslogemu.log instead of /var/log/syslog
- all traffic for campusnet will now be routed over tap0/openvpn if the tunnel is up
That’s about everything you need to set up a small gateway. The openVPN part is not necessary at all, obviously, but I thought someone might find it useful…
Ohw, wait, one last thing:
```
sudo invoke-rc.d firehol start
```
Let’s not forget to start the firewall now, shall we?
Update:
A problem came to my attention today, namely the get-iana.sh script which rebuilds the RESERVED_IPS file found in /etc/firehol.
This script is called get-iana in Ubuntu/Debian and can be found in /sbin. Unfortunately, that script does not work any more since the format of the output file from IANA has changed. Although this has been fixed in Firehol’s CVS, the script contained in the Ubuntu/Debian packages is still faulty.
To fix it edit the file /sbin/get-iana and replace the content with the content from this page.
Save the file, run sudo /sbin/get-iana, let it finish, and when it asks whether to save the result to RESERVED_IPS answer yes; then restart the firewall with sudo invoke-rc.d firehol restart.
To automate this whole thing I created the following files:
/etc/firehol/get-iana-answerfile with content yes
/etc/cron.monthly/firehol with content:
```
#!/bin/sh
/sbin/get-iana < /etc/firehol/get-iana-answerfile
/usr/sbin/invoke-rc.d firehol restart
```
What this does is run a cron job every month that saves any changes IANA made to the RESERVED_IPS file and restarts the firewall.
As written, the firewall is restarted every time, whether or not anything changed, which might not be optimal, but since it’s only once a month…
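If the unconditional restart bothers you, here is an added example (not from the original post) of a replacement for /etc/cron.monthly/firehol that checksums RESERVED_IPS before and after running get-iana and only restarts FireHOL when the file actually changed. The paths are the ones from the post; the commands are overridable environment variables so the logic can be exercised with stand-in commands.

```shell
#!/bin/sh
# Monthly RESERVED_IPS refresh that restarts FireHOL only when the file
# actually changed. Added example for this post, not the original cron job.
# Paths default to the ones from the post; all are overridable so the
# logic can be exercised offline with stand-in commands.

RESERVED_IPS="${RESERVED_IPS:-/etc/firehol/RESERVED_IPS}"
ANSWERFILE="${ANSWERFILE:-/etc/firehol/get-iana-answerfile}"
GET_IANA="${GET_IANA:-/sbin/get-iana}"
RESTART_CMD="${RESTART_CMD:-/usr/sbin/invoke-rc.d firehol restart}"

# Checksum of a file (cksum is POSIX and enough for change detection),
# or "missing" if the file does not exist yet.
file_digest() {
    if [ -f "$1" ]; then
        cksum < "$1" | cut -d' ' -f1,2
    else
        echo missing
    fi
}

# Feed the answer file to get-iana, then restart FireHOL only if
# RESERVED_IPS differs afterwards.
# Returns 0 when restarted, 1 when unchanged, 2 when get-iana failed
# (in which case the running firewall is left alone).
refresh_reserved_ips() {
    before=$(file_digest "$RESERVED_IPS")
    if ! "$GET_IANA" < "$ANSWERFILE" >/dev/null 2>&1; then
        echo "get-iana failed; keeping current RESERVED_IPS and firewall" >&2
        return 2
    fi
    after=$(file_digest "$RESERVED_IPS")
    if [ "$before" = "$after" ]; then
        echo "RESERVED_IPS unchanged; not restarting firehol"
        return 1
    fi
    echo "RESERVED_IPS changed; restarting firehol"
    $RESTART_CMD
}

# Do the work only when installed and run as /etc/cron.monthly/firehol;
# when sourced or run under another name, just define the functions.
case "${0##*/}" in
    firehol) refresh_reserved_ips ;;
esac
```

A failed get-iana run (for example when IANA changes the format again) now leaves both RESERVED_IPS and the running firewall untouched instead of restarting on a possibly empty file.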