CentOS as DSL-Router/Firewall HowTo

Here is a quick'n'dirty and maybe incomplete guide on how to turn a CentOS PC into an internet router. I mainly focused on the network/firewall setup.

/etc/sysconfig/networking/devices/ifcfg-providername:
[geshi lang=bash]
# no ipv6 at the moment
IPV6INIT=no
# yes, activate it during system boot
ONBOOT=yes
# should users be able to start/stop connection? see /usr/sbin/adsl-setup
USERCTL=no
# we have our own caching nameserver in our intranet
# which connects directly to dns root servers
PEERDNS=no
TYPE=xDSL
DEVICE=ppp0
BOOTPROTO=dialup
PIDFILE=/var/run/pppoe-adsl.pid
# if set to "MASQUERADE", /usr/sbin/adsl-connect starts /etc/ppp/firewall-masq,
# which does some essential things for NAT
FIREWALL=MASQUERADE
PING=.
PPPOE_TIMEOUT=80
LCP_FAILURE=3
LCP_INTERVAL=20
CLAMPMSS=1412
# 6 seconds is the default, see /usr/sbin/adsl-start
CONNECT_POLL=6
# after this timeout, adsl-start exits
CONNECT_TIMEOUT=60
PERSIST=yes
SYNCHRONOUS=no
# change standard route
DEFROUTE=yes
# your DSL username here. See also /etc/ppp/pap-secrets and /etc/ppp/chap-secrets
USER=loginname
ETH=eth1
PROVIDER=providername
# no dial on demand, it's a persistent connection; monitoring is done in adsl-start/adsl-connect
DEMAND=no
# normally not used, when DEMAND=no, just to be sure
IDLETIMEOUT=100000
[/geshi]

Copy /etc/sysconfig/networking/devices/ifcfg-providername to /etc/sysconfig/network-scripts/ifcfg-providername. These files are essentially the same.

Edit /etc/ppp/pap-secrets and /etc/ppp/chap-secrets:

"loginname"     "providername"  "passwort"

Firewall Setup:

Create the file /etc/ppp/ip-up.local with the following content:

[geshi lang=bash]
#!/bin/bash
# pppd runs /etc/ppp/ip-up (and through it ip-up.local) once the link is up and
# exports IFNAME (the ppp interface) and IPLOCAL (our public address) into the
# environment; both are used below.

DEV_LAN=eth0
IP_LAN=10.70.1.254
ANY=0.0.0.0/0
NET_LAN=10.70.1.0/24
IPT=/sbin/iptables

# Disable IP forwarding in the kernel for now; it is switched back on at the
# end of the script, once all rules are in place
echo 0 > /proc/sys/net/ipv4/ip_forward

# Delete all old rules, then set the default policies
$IPT -F
$IPT -X
$IPT -F -t filter
$IPT -F -t nat
$IPT -F -t mangle
$IPT -t filter -X
$IPT -t nat -X
$IPT -t mangle -X

# In the NAT table (-t nat), append (-A) a rule after routing (POSTROUTING)
# that masquerades all packets leaving through the internet device (-o)
$IPT -t nat -A POSTROUTING -o $IFNAME -j MASQUERADE

# no services on the firewall itself listen on the internet IP, so accept everything
$IPT -P INPUT ACCEPT
# only forwarding is configured explicitly
$IPT -P FORWARD DROP

# block private and loopback source addresses on the external interface
$IPT -t nat -A PREROUTING -i $IFNAME -s 192.168.0.0/16 -j DROP
$IPT -t nat -A PREROUTING -i $IFNAME -s 10.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -i $IFNAME -s 172.16.0.0/12 -j DROP
$IPT -t nat -A PREROUTING -i $IFNAME -s 127.0.0.0/8 -j DROP

# port forwarding for SSH (port 2222) and SMTP (port 2525) to the LAN server
$IPT -t nat -A PREROUTING -p tcp -i $IFNAME -d $IPLOCAL --dport 2222 -j DNAT --to-destination 10.70.1.1:22
$IPT -t nat -A PREROUTING -p tcp -i $IFNAME -d $IPLOCAL --dport 2525 -j DNAT --to-destination 10.70.1.1:25
$IPT -A FORWARD -p tcp -i $IFNAME -d 10.70.1.1 --dport 22 -j ACCEPT
$IPT -A FORWARD -p tcp -i $IFNAME -d 10.70.1.1 --dport 25 -j ACCEPT

# block SMB/NetBIOS in both directions (--sport/--dport require an explicit -p)
for proto in tcp udp; do
    $IPT -A FORWARD -p $proto --sport 135:139 -j REJECT
    $IPT -A FORWARD -p $proto --sport 445 -j REJECT
    $IPT -A FORWARD -p $proto --dport 135:139 -j REJECT
    $IPT -A FORWARD -p $proto --dport 445 -j REJECT
done

# ICMP: ping replies and the important error messages
$IPT -A FORWARD -p icmp --icmp-type 0 -j ACCEPT
$IPT -A FORWARD -p icmp --icmp-type 3 -j ACCEPT
$IPT -A FORWARD -p icmp --icmp-type 5 -j ACCEPT
$IPT -A FORWARD -p icmp --icmp-type 11 -j ACCEPT

# accept everything from the LAN, otherwise only already established connections
$IPT -A FORWARD -i $DEV_LAN -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $IFNAME -m state --state NEW,INVALID -j REJECT

# logging (rate limited)
$IPT -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG

# allow forwarding for OpenVPN
$IPT -A FORWARD -i tun+ -j ACCEPT

sleep 2

# re-enable forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

# push the new address to the dynamic DNS service
/usr/sbin/ddclient -syslog

# restart NTP on every new connection
# (NTP does not cope with changing interfaces,
# see http://hints.georglutz.de/wiki/NTP)
/etc/init.d/ntpd restart
[/geshi]
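Once the script has run, it is worth checking the live ruleset against what it is supposed to establish rather than trusting that every command succeeded. The audit script below is an added example, not part of the original HowTo: it reads iptables-save output and prints one line per missing property (default-deny FORWARD policy, masquerading on the DSL link, the private-source drops, and a FORWARD ACCEPT for every DNAT target). The ruleset embedded in it is a constructed sample, not a capture from a real router; the interface name ppp0, the public address 203.0.113.5 and the two deliberate gaps in the sample are assumptions made for the demonstration. On the router itself you would pipe the real `iptables-save` output into `audit_rules` instead.

```shell
#!/bin/sh
# Added audit script (not from the original HowTo): checks a saved ruleset for
# the properties ip-up.local is meant to establish. Reads iptables-save output
# on stdin; on the router: iptables-save | audit_rules

WAN=ppp0      # external interface, as in ifcfg-providername (assumed)

# Constructed sample in iptables-save's field order (not captured from a real
# system). Two deliberate gaps: no drop for 172.16.0.0/12, and the SMTP port
# forward has no FORWARD rule, so the audit has something to report.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s 192.168.0.0/16 -i ppp0 -j DROP
-A PREROUTING -s 10.0.0.0/8 -i ppp0 -j DROP
-A PREROUTING -s 127.0.0.0/8 -i ppp0 -j DROP
-A PREROUTING -d 203.0.113.5/32 -i ppp0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 10.70.1.1:22
-A PREROUTING -d 203.0.113.5/32 -i ppp0 -p tcp -m tcp --dport 2525 -j DNAT --to-destination 10.70.1.1:25
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -d 10.70.1.1/32 -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp0 -m state --state INVALID,NEW -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Escape dots so an address or network can be used inside an ERE.
re_escape() { printf '%s' "$1" | sed 's/[.]/\\./g'; }

# Read an iptables-save dump on stdin, print one FAIL line per missing
# property and return the number of failures (0 = ruleset looks sane).
audit_rules() {
    rules=$(cat)
    fails=0
    has() { printf '%s\n' "$rules" | grep -qE -e "$1"; }

    # 1. Forwarding must be default-deny.
    has '^:FORWARD DROP' \
        || { echo "FAIL: FORWARD policy is not DROP"; fails=$((fails+1)); }

    # 2. Traffic leaving through the DSL link must be masqueraded.
    has "^-A POSTROUTING -o $WAN -j MASQUERADE\$" \
        || { echo "FAIL: no MASQUERADE on $WAN"; fails=$((fails+1)); }

    # 3. Private and loopback sources must be dropped on the external interface.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        has "^-A PREROUTING -s $(re_escape "$net") -i $WAN -j DROP\$" \
            || { echo "FAIL: $net not dropped on $WAN"; fails=$((fails+1)); }
    done

    # 4. Every DNAT target needs a matching FORWARD ACCEPT; DNAT only rewrites
    #    the destination, the packet still has to pass the DROP-policy FORWARD chain.
    targets=$(printf '%s\n' "$rules" \
        | sed -n 's/.*-j DNAT --to-destination \([0-9.]*\):\([0-9]*\).*/\1 \2/p')
    while read -r host port; do
        [ -n "$host" ] || continue
        has "^-A FORWARD -d $(re_escape "$host")(/32)? .*--dport $port -j ACCEPT\$" \
            || { echo "FAIL: DNAT to $host:$port has no FORWARD ACCEPT"; fails=$((fails+1)); }
    done <<EOF
$targets
EOF

    return "$fails"
}

# Stand-alone run against the constructed sample.
if printf '%s\n' "$SAMPLE_RULES" | audit_rules; then
    echo "ruleset ok"
else
    echo "failures: $?"
fi
```

The patterns rely on the field order iptables-save uses when it prints a rule (`-s`/`-d` before `-i`, matches before `-j`), so feed it saved output rather than the commands from the script. The DNAT check is the one most often forgotten: a port forward that is missing its FORWARD ACCEPT does not produce an error anywhere, the redirected packet is simply discarded by the DROP policy.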

dyndns.org:

Install the current ddclient for RHEL from DAG (http://dag.wieers.com/packages/ddclient/).

Deactivate the daemon with ntsysv; we start it manually at the end of the firewall script instead.

Change the settings in /etc/ddclient/ddclient.conf for your dynamic DNS service. Minimal configuration for dyndns.org:

daemon=0
protocol=dyndns2
use=if, if=ppp0
server=members.dyndns.org
login=your-login
password=test
your-dynamic-host.dyndns.org

To complete the installation:

  • deactivate SSH on the external interface / bind it only to the local address (sshd option ListenAddress)
  • deactivate sendmail at least on the external interface, or deactivate it altogether
  • configure NTP. Accurate timestamps are essential for log analysis.