NAT'ing firewall - Adding advanced features
From ArchWiki
Introduction
This document is an extension to the NAT'ing firewall - Share your broadband connection wiki. It will explain how to add extra functionality to your firewall/gateway. Needless to say, I'm assuming you have a fully functional simple firewall (as described in the aforementioned document) already.
HTTP proxy - Squid
We're going to run Squid as a transparent web proxy server. No need to configure any browsers on the LAN: they'll use it automagically. A lightweight alternative is Polipo, a simple caching proxy.
Installation
pacman -S squid
Configuration
nano /etc/squid/squid.conf
Add these lines to the config file:
http_port 10.0.0.1:3128 # change it to the IP of eth0
icp_port 0 # disables ICP queries to neighbor caches, unless you have other Squids, I guess.
acl ALbox_network src 10.0.0.1/28 # <-- change CIDR appropriately
acl all src 0.0.0.0/0.0.0.0
http_access allow ALbox_network
http_access deny all
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
maximum_object_size 50000 KB # max size of cachable objects
minimum_object_size 0 KB
cache_mem 7867 KB # read docs for more info
cache_dir aufs /var/cache/squid 300 16 256 # assign disk space for Squid's cache, see docs
visible_hostname proxy.foo.bar # hostname that will be shown in status/error messages
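The two http_access lines above are what keep the transparent proxy from being an open proxy: Squid walks them top to bottom and the first acl that matches the client decides. The script below is an added example (not part of this wiki page or of Squid) that replays that first-match evaluation for a given client address against the acl lines from the config above, using only POSIX sh and awk. The config text is embedded as a constructed string; the in_cidr helper only understands prefix-length notation, so the 0.0.0.0/0.0.0.0 mask form Squid accepts is normalised to /0 first.

```shell
#!/bin/sh
# Added example: simulate Squid's first-match http_access evaluation.
# Not code from the ArchWiki page or from Squid; the config text is a
# constructed copy of the acl/http_access lines shown above.

# ip_to_int 10.0.0.5 -> 167772165 (dotted quad to 32-bit integer)
ip_to_int() {
    echo "$1" | awk -F. '{ printf "%.0f\n", ($1 * 16777216) + ($2 * 65536) + ($3 * 256) + $4 }'
}

# in_cidr IP CIDR -> exit 0 when IP lies inside CIDR (e.g. 10.0.0.1/28).
# The host bits of the given address are masked away, exactly as Squid does,
# so 10.0.0.1/28 covers 10.0.0.0 .. 10.0.0.15.
in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    size=$(awk -v b="$bits" 'BEGIN { printf "%.0f\n", 2 ^ (32 - b) }')
    base=$(awk -v n="$net" -v s="$size" 'BEGIN { printf "%.0f\n", int(n / s) * s }')
    awk -v i="$ip" -v b="$base" -v s="$size" 'BEGIN { exit !(i >= b && i < b + s) }'
}

# Constructed copy of the relevant squid.conf lines (see the block above).
SQUID_CONF='acl ALbox_network src 10.0.0.1/28
acl all src 0.0.0.0/0.0.0.0
http_access allow ALbox_network
http_access deny all'

# acl_cidr NAME -> the CIDR bound to "acl NAME src ..." (all-zero dotted mask -> /0)
acl_cidr() {
    printf '%s\n' "$SQUID_CONF" \
        | awk -v n="$1" '$1 == "acl" && $2 == n && $3 == "src" { print $4; exit }' \
        | sed 's#/0\.0\.0\.0$#/0#'
}

# squid_decision CLIENT_IP -> prints allow or deny.
# Walks the http_access lines in file order; the first acl that matches
# the client wins, which is why "deny all" must come last.
squid_decision() {
    client=$1
    for rule in $(printf '%s\n' "$SQUID_CONF" | awk '$1 == "http_access" { print $2 ":" $3 }'); do
        verdict=${rule%%:*}
        aclname=${rule#*:}
        if in_cidr "$client" "$(acl_cidr "$aclname")"; then
            echo "$verdict"
            return 0
        fi
    done
    echo deny   # Squid's implicit default when no line matches
}

# Usage: try a LAN host inside the /28, one just outside it, and a foreign address.
for c in 10.0.0.5 10.0.0.20 192.168.1.7; do
    echo "$c -> $(squid_decision "$c")"
done
```

Running it shows that 10.0.0.5 is allowed while 10.0.0.20 and 192.168.1.7 hit "deny all", because 10.0.0.1/28 only spans 10.0.0.0 through 10.0.0.15; if your LAN is larger than that, widen the CIDR rather than the order of the rules.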
Transparency
Using Shorewall with Squid, transparency happens by redirecting all www requests eth0 picks up to Squid. Edit /etc/shorewall/rules and add:
REDIRECT loc 3128 tcp www # redirect to Squid on port 3128
ACCEPT $FW net tcp www # allow Squid to fetch the www content
Run
/etc/rc.d/shorewall restart
/etc/rc.d/squid start
et voila: a transparent proxy!
Ad blocking - adzapper
Adzapper is a plugin for Squid. It catches ads of all sorts (even Flash animations) and replaces them with an image of your choice, so the layout of the page isn't altered too much.
Installation
pacman -S adzapper
Configuration
echo "redirect_program /usr/bin/adzapper.wrapper" >> /etc/squid/squid.conf
For squid 2.6.STABLE13-1, use these lines instead:
echo "url_rewrite_program /usr/bin/adzapper.wrapper" >> /etc/squid/squid.conf
echo "url_rewrite_children 10" >> /etc/squid/squid.conf
That's it! If you want, you can configure adzapper to your liking. The configuration out of the box works wonderfully well though.
nano /etc/adzapper/adzapper.conf
Content filtering - DansGuardian
Now that everyone on the LAN can access the web, it's time to filter it! >-) Here's a rudimentary guide to DansGuardian, a very powerful content filtering tool. I was going to use DansGuardian to filter ads, but it seems there is no site with a freely downloadable ad host list.
Some blacklists with a category for ads:
Shalla's Blacklists Free of charge for personal and partly for commercial usage. Commercial usage requires signing a usage contract.
URLBlacklist You can download it once for free to try the service.
Installation
pacman -S dansguardian
Configuration
nano /etc/dansguardian/dansguardian.conf
filterip = 10.0.0.1 # eth0 IP
filterport = 8080
proxyip = 10.0.0.1 # eth0 IP
proxyport = 3128
reverseaddresslookups = on # "... unless you have a local caching DNS, leave it off ..." <- we do!! :)
usernameidmethodproxyauth = off #
usernameidmethodntlm = off # it's going to be a transparent proxy: auth wouldn't make much sense
usernameidmethodident = off #
daemonuser = 'proxy' # same uid Squid uses
daemongroup = 'proxy' # same gid Squid uses
Now we have to make use of DansGuardian: instead of letting Squid catch the HTTP requests, we'll direct them to DansGuardian first. DG will in turn forward the allowed requests to Squid.
nano /etc/shorewall/rules
REDIRECT loc 8080 tcp www # 8080 (DG port) used to be 3128 (Squid port)
Testing
/etc/rc.d/shorewall restart
/etc/rc.d/dansguardian start
elinks www.badboys.com
You should see an "Access denied" page generated by DansGuardian. If not, you'll be exposed to gay porn, which is why I suggest you use elinks. ;) The badboys.com domain is listed in /etc/dansguardian/bannedsitelist .
Setup filters
Check out the files in /etc/dansguardian/ : they're all used for filtering. Edit /etc/dansguardian/dansguardianf1.conf , it's the config for group "1". This is the default group all users belong to. If you want, you can make several groups with different sets of rules. I'm not going to do it, but if you do, be sure to add your steps to this Wiki. The dansguardianf1.conf file contains all the different rules DG can use to censor the WWW traffic. If you don't comment out a line, be sure to check the filename the line describes: it contains the actual rules.
nano /etc/dansguardian/dansguardianf1.conf
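To see how a list file such as bannedsitelist actually decides a request, here is an added example (not from this wiki page or from DansGuardian) that applies the same rule DansGuardian uses for site lists: an entry matches the domain itself and every subdomain of it, comments and blank lines are ignored, and lines starting with a dot (such as .Include directives) are directives rather than domains. The list is a constructed sample embedded in the script, not a copy of the real file; the badboys.com entry is the one the page's test above relies on.

```shell
#!/bin/sh
# Added example: domain matching as done for DansGuardian site lists.
# Not code from the ArchWiki page or from DansGuardian. The list below is
# a constructed sample; the real file is /etc/dansguardian/bannedsitelist.
BANNED_SITES='# constructed sample list, not the shipped one
badboys.com
ads.example.net   # trailing comments are allowed
.Include</etc/dansguardian/lists/extra>

   spaced.example.org'

# is_banned_site HOST -> exit 0 when HOST or one of its parent domains is listed.
# "www.badboys.com" matches the entry "badboys.com"; "notbadboys.com" does not,
# because the match requires a dot boundary in front of the entry.
is_banned_site() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '%s\n' "$BANNED_SITES" | awk -v h="$host" '
        /^[ \t]*#/ { next }          # comment line
        /^[ \t]*$/ { next }          # blank line
        /^\./      { next }          # .Include and other dot-directives
        {
            sub(/[ \t]*#.*$/, "")    # strip trailing comment, fields are recomputed
            d = tolower($1)
            if (h == d || substr(h, length(h) - length(d)) == "." d) { found = 1; exit }
        }
        END { exit !found }'
}

# filter_verdict HOST -> what a client would see for that host through DG
filter_verdict() {
    if is_banned_site "$1"; then echo "Access denied ($1 is on bannedsitelist)"; else echo "passed on to Squid"; fi
}

# Usage: check a few hosts the way the elinks test above does.
for h in www.badboys.com notbadboys.com archlinux.org tracker.ads.example.net; do
    echo "$h -> $(filter_verdict "$h")"
done
```

The suffix test with the leading dot is the detail worth noticing: without it, any host name that merely ends in a listed string would be blocked, which is how naive filters both over-block and get bypassed by lookalike names.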
Add Anti-virus layer to Squid
Adding Anti-virus capabilities to Squid is done using the HAVP program to interface it with ClamAV.
Installing dependencies
Follow this link to install ClamAV on your system.
Once ClamAV is installed, install HAVP from AUR. Details on installing an AUR package can be found here, and the HAVP package can be found here.
Configuration
Once HAVP is installed, create a dedicated user and group for the HAVP instance:
adduser havp
Change the owner of the antivirus logs and temporary file-testing directories to havp :
chown -R havp:havp /var/run/havp
chown -R havp:havp /var/log/havp
Add the mandatory locking option (needed by HAVP) to your filesystem. In /etc/fstab, change:
[...] / ext3 defaults 1 1
to :
[...] / ext3 defaults,mand 1 1
Then reload your filesystem :
mount -o remount /
Add this info in your /etc/squid/squid.conf :
cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange default
cache_peer_access 127.0.0.1 allow all
Make sure your port in your /etc/havp/havp.config matches the cache_peer port in /etc/squid/squid.conf.
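The two things that silently break this setup are the port mismatch just mentioned and a root filesystem that was remounted without the mand option. The following pre-flight script is an added example (not from this wiki page or from HAVP): it extracts the parent port from the cache_peer line of squid.conf, the PORT line from havp.config and the mount options of a given mount point from /proc/mounts, and reports both problems. The file contents are passed in as arguments, so the embedded strings below are constructed samples; on the real box you would call it with "$(cat /etc/squid/squid.conf)" "$(cat /etc/havp/havp.config)" "$(cat /proc/mounts)". That havp.config uses a "PORT <n>" line is an assumption about the HAVP config format.

```shell
#!/bin/sh
# Added example: HAVP/Squid pre-flight checks. Not code from the ArchWiki page
# or from HAVP. All three inputs are passed as text so the script runs offline
# on the constructed samples below and on the real files on a live box.

# squid_peer_port CONF -> port of the first "cache_peer <host> parent <port> ..." line
squid_peer_port() {
    printf '%s\n' "$1" | awk '$1 == "cache_peer" && $3 == "parent" { print $4; exit }'
}

# havp_port CONF -> value of the PORT line (assumed havp.config key)
havp_port() {
    printf '%s\n' "$1" | awk '$1 == "PORT" { print $2; exit }'
}

# ports_match SQUID_CONF HAVP_CONF -> exit 0 when Squid's parent port is HAVP's listen port
ports_match() {
    p=$(squid_peer_port "$1")
    [ -n "$p" ] && [ "$p" = "$(havp_port "$2")" ]
}

# has_mand MOUNTS MOUNTPOINT -> exit 0 when MOUNTPOINT is mounted with "mand"
# (MOUNTS is the text of /proc/mounts: device mountpoint fstype options ...)
has_mand() {
    printf '%s\n' "$1" | awk -v m="$2" '
        $2 == m { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "mand") f = 1 }
        END { exit !f }'
}

# havp_preflight SQUID_CONF HAVP_CONF MOUNTS -> exit 0 only when both checks pass
havp_preflight() {
    rc=0
    if ! ports_match "$1" "$2"; then
        echo "port mismatch: squid cache_peer -> '$(squid_peer_port "$1")', havp PORT -> '$(havp_port "$2")'"
        rc=1
    fi
    if ! has_mand "$3" /; then
        echo "/ is not mounted with 'mand'; HAVP's mandatory locking will fail (remount after editing fstab)"
        rc=1
    fi
    return $rc
}

# Constructed samples standing in for the real files.
SQUID_CONF='cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange default
cache_peer_access 127.0.0.1 allow all'
HAVP_CONFIG='BIND_ADDRESS 127.0.0.1
PORT 8080'
HAVP_CONFIG_BAD='BIND_ADDRESS 127.0.0.1
PORT 8081'
PROC_MOUNTS='/dev/sda1 / ext3 rw,mand,data=ordered 0 0
/dev/sda2 /home ext3 rw,data=ordered 0 0'

# Usage: the good pair passes silently, the bad one explains what is wrong.
havp_preflight "$SQUID_CONF" "$HAVP_CONFIG" "$PROC_MOUNTS" && echo "good config: ok"
havp_preflight "$SQUID_CONF" "$HAVP_CONFIG_BAD" "$PROC_MOUNTS" || echo "bad config: rejected"
```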
Testing
Reload your squid and start HAVP :
/etc/rc.d/squid restart
/etc/rc.d/havp start
Don't forget to add HAVP to your rc.conf if you want it to launch on boot:
DAEMONS=([...] squid havp [...])
You can try the antivirus capabilities with a test virus (not a real virus) available here.
Traffic shaping - Shorewall
Shorewall can shape traffic! This is very useful, especially when you're not the only one on the LAN. Don't you just hate it when your ping soars just because some n00b forgot to disable or limit the upload of their P2P program? The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. And then there's everything in between. ;)
Installation
If you already installed Shorewall, there's nothing to be done for now. If not, scroll up and do it!
Configuration
Read Shorewall's Traffic Shaping/Control guide. It's very good and it saves me a lot of typing. :P
Here's my config as an example:
- /etc/shorewall/tcdevices : here's where you define the interface you want to have shaped and its rates. I've got an ADSL connection with a 4MBit down/256KBit up profile.
ppp0 4mbit 256kbit
- /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You'll assign each one to a type of traffic to shape.
# interactive traffic (ssh)
ppp0 1 full full 0
# online gaming
ppp0 2 full/2 full 5
# http
ppp0 3 full/4 full 10
# rest
ppp0 4 full/6 full 15 default
- /etc/shorewall/tcrules : this file contains the types of traffic and the class each belongs to.
1 0.0.0.0/0 0.0.0.0/0 tcp ssh
2 0.0.0.0/0 0.0.0.0/0 udp 27000:28000
3 0.0.0.0/0 0.0.0.0/0 tcp http
3 0.0.0.0/0 0.0.0.0/0 tcp https
4 0.0.0.0/0 0.0.0.0/0 all
I've split my traffic into 4 groups:
- interactive traffic or ssh: although it takes up almost no bandwidth, it's very annoying if it lags due to leechers on the LAN. This gets the highest priority.
- online gaming: needless to say you can't play when your ping sucks. ;)
- webtraffic: can be a bit slower
- everything else: every sort of download, they're the cause of the lag anyway.
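The RATE column is a guarantee, not a share: under HTB a class is only promised its rate when the rates of all classes on the device fit inside the device's OUT-BANDWIDTH, and anything above that is borrowed by priority. The script below is an added example (not from this wiki page or from Shorewall) that resolves the full and full/N shorthand against the tcdevices line, sums the guarantees per device and flags when they exceed the uplink. Run over the tcclasses lines above with a 256kbit uplink it computes 256 + 128 + 64 + 42 = 490 kbit, so in that config the priorities, not the guaranteed rates, are what actually order the traffic; a second, constructed class set whose guarantees sum to exactly 256 kbit is included for contrast. Units follow tc (kbit = 1000 bit/s, mbit = 1000 kbit), which is an assumption about how the values are interpreted.

```shell
#!/bin/sh
# Added example: check Shorewall tcclasses guarantees against the device rate.
# Not code from the ArchWiki page or from Shorewall. Inputs are passed as text,
# so the constructed samples below can be swapped for "$(cat /etc/shorewall/tcclasses)".

# to_kbit 4mbit -> 4000 ; to_kbit 256kbit -> 256 (assumed tc units: mbit = 1000 kbit)
to_kbit() {
    case $1 in
        *mbit) echo $(( ${1%mbit} * 1000 )) ;;
        *kbit) echo "${1%kbit}" ;;
        *)     echo "unknown unit in '$1'" >&2; return 1 ;;
    esac
}

# device_out_kbit DEVICES_TEXT DEV -> OUT-BANDWIDTH of DEV in kbit (field 3 of tcdevices)
device_out_kbit() {
    to_kbit "$(printf '%s\n' "$1" | awk -v d="$2" '$1 == d { print $3; exit }')"
}

# class_rate FULL_KBIT SPEC -> guaranteed kbit for a RATE spec: full, full/N or an explicit value
class_rate() {
    full=$1
    case $2 in
        full)   echo "$full" ;;
        full/*) n=${2#full/}; echo $(( full / n )) ;;   # integer division, rounds down
        *)      to_kbit "$2" ;;
    esac
}

# sum_of_rates DEV FULL_KBIT CLASSES_TEXT -> sum of the RATE column over DEV's classes
sum_of_rates() {
    total=0
    for spec in $(printf '%s\n' "$3" | awk -v d="$1" '$1 == d { print $3 }'); do
        total=$(( total + $(class_rate "$2" "$spec") ))
    done
    echo "$total"
}

# oversubscribed DEV DEVICES_TEXT CLASSES_TEXT -> exit 0 when guarantees exceed the uplink
oversubscribed() {
    full=$(device_out_kbit "$2" "$1")
    [ "$(sum_of_rates "$1" "$full" "$3")" -gt "$full" ]
}

# Constructed copies of the tcdevices/tcclasses lines above, plus a fitting alternative.
TCDEVICES='ppp0 4mbit 256kbit'
TCCLASSES='# interactive traffic (ssh)
ppp0 1 full full 0
# online gaming
ppp0 2 full/2 full 5
# http
ppp0 3 full/4 full 10
# rest
ppp0 4 full/6 full 15 default'
TCCLASSES_FITTING='ppp0 1 full/2 full 0
ppp0 2 full/4 full 5
ppp0 3 full/8 full 10
ppp0 4 full/8 full 15 default'

# Usage: report both class sets against the 256kbit uplink.
for set in "$TCCLASSES" "$TCCLASSES_FITTING"; do
    up=$(device_out_kbit "$TCDEVICES" ppp0)
    echo "guarantees sum to $(sum_of_rates ppp0 "$up" "$set") kbit of $up kbit uplink"
    oversubscribed ppp0 "$TCDEVICES" "$set" && echo "  -> oversubscribed: rates cannot all be honoured at once"
done
```

Keeping the summed rates at or below the uplink while leaving the ceil at full gives each class its floor under load and still lets it take the whole link when nobody else is sending.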
Time server - OpenNTPd
The following text is a shameless copy/paste of Network Time Protocol. I've edited a bit to get it up to date.
OpenNTPD is a FREE, easy to use implementation of the Network Time Protocol. It provides the ability to sync the local clock to remote NTP servers and can act as NTP server itself, redistributing the local clock.
OpenNTPD is primarily developed by Henning Brauer as part of the OpenBSD Project.
OpenNTPD is a brand new implementation of the ntp protocol. It is much easier to configure and use than ntpd.
Installation
pacman -S openntpd
Configuration
Once installed, the /etc/ntpd.conf file must be edited. This is much easier than with ntpd.
The default configuration is actually usable if all you want is to sync the local computer.
# $OpenBSD: ntpd.conf,v 1.7 2004/07/20 17:38:35 henning Exp $
# sample ntpd configuration file, see ntpd.conf(5)

# Addresses to listen on (ntpd does not listen by default)
#listen on *
#listen on 127.0.0.1
#listen on ::1

# sync to a single server
#server ntp.example.org

# use a random selection of 8 public stratum 2 servers
# see http://twiki.ntp.org/bin/view/Servers/NTPPoolServers
servers pool.ntp.org
To sync to a particular server, uncomment and edit the "server" directive.
server ntp.example.org
The "servers" directive works the same as the "server" directive; however, if the DNS name resolves to multiple IP addresses, ALL of them will be synced to. The default, "pool.ntp.org", is working and should be acceptable in most cases.
Any number of "server" or "servers" directives may be used.
If you want the computer you run OpenNTPD on to also be a time server, simply uncomment and edit the "listen" directive:
listen on 10.0.0.1 # change to eth0 IP
If you want to see the status of your syncing, look at /var/log/daemon.log
You also need to open up the firewall to allow traffic from the LAN to the NTPd and from the internet back into the firewall. I wasn't aware of the latter: without it your NTPd will act very unpredictably. Sometimes a client on the LAN will get an NTP response from the router, but mostly ntpdate will give an error like
no server suitable for synchronization found
nano /etc/shorewall/rules
NTP/ACCEPT loc $FW
NTP/ACCEPT $FW net
/etc/rc.d/shorewall restart
Control those logs - logrotate
The firewall will probably be installed, configured and put somewhere out of sight. So it should pretty much be an "install and forget" appliance. You'll need to configure logrotate to make sure the box isn't brought down by a lack of diskspace because of too many logfiles.
Logrotate is installed by default, so you won't have to pacman it.
Configuration
nano /etc/logrotate.conf
I'm keeping 1 month (4 weeks) of backlogs and I'm compressing them to save diskspace. Here's a good guide from the Gentoo Wiki on logrotate.
Finishing touches
Basically the same stuff as in the simple guide:
Edit DAEMONS list
Update your DAEMONS list to make sure every service you've installed is started at boot time:
- squid : if you're running a caching web proxy
- dansguardian : if you're going to filter webcontent (add squid too)
- openntpd : if you're running an NTP client / server
This will result in the following line:
DAEMONS=(... squid dansguardian openntpd)
"Lock" config files
Update the NoUpgrade list in /etc/pacman.conf with the config files we just edited:
# Squid
NoUpgrade = etc/squid/squid.conf
# AdZapper
NoUpgrade = etc/adzapper/adzapper.conf
# DansGuardian
# add every DG config file you've edited to the list below
NoUpgrade = etc/dansguardian/dansguardian.conf
# Traffic shaping
NoUpgrade = etc/shorewall/tcclasses etc/shorewall/tcdevices etc/shorewall/tcrules
# OpenNTPd
NoUpgrade = etc/ntpd.conf
Final clean up
Review the list of packages without dependencies and decide which ones can be removed.
pacman -Qe