NAT'ing firewall - Adding advanced features

From ArchWiki


Introduction

This document is an extension to the NAT'ing firewall - Share your broadband connection wiki page. It explains how to add extra functionality to your firewall/gateway. Needless to say, I'm assuming you already have a fully functional simple firewall (as described in the aforementioned page).

HTTP proxy - Squid

We're going to run Squid as a transparent web proxy server. No need to configure any browsers on the LAN: they'll use it automagically. A lightweight alternative is Polipo, a simple caching proxy.

Installation

pacman -S squid

Configuration

nano /etc/squid/squid.conf

Add these lines to the config file:

http_port 10.0.0.1:3128 # change it to the IP of eth0
icp_port 0 # disables ICP queries to neighbor caches, unless you have other Squids, I guess.

acl ALbox_network src 10.0.0.1/28 # <-- change CIDR appropriately
acl all src 0.0.0.0/0.0.0.0

http_access allow ALbox_network
http_access deny all

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on 
httpd_accel_uses_host_header on

maximum_object_size 50000 KB # max size of cacheable objects
minimum_object_size 0 KB

cache_mem 7867 KB # read docs for more info
cache_dir aufs /var/cache/squid 300 16 256 # assign disk space for Squid's cache, see docs

visible_hostname proxy.foo.bar # hostname that will be shown in status/error messages
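The proxy only listens on the LAN address, and the two http_access lines are all that stand between it and being an open proxy for the whole internet, so it pays to check how Squid will evaluate them before you expose the box. The script below is an added example, not part of this page or of Squid: it re-implements Squid's first-match evaluation for plain src ACLs only (no negation, no other ACL types) against a constructed squid.conf fragment with the ACLs from above, so you can see that a LAN client is allowed, a host just outside the /28 is denied, and why the trailing "deny all" must stay last (when no rule matches, Squid applies the opposite of the last rule). The file path and client IPs are assumptions for the demo; it needs only POSIX sh and awk.

```shell
#!/bin/sh
# Constructed squid.conf fragment with the ACLs from this section
# (hypothetical temp file; adjust the CIDR to your own LAN before reuse).
SQUID_CONF="$(mktemp)"
cat > "$SQUID_CONF" <<'EOF'
http_port 10.0.0.1:3128
acl ALbox_network src 10.0.0.1/28   # <-- the LAN
acl all src 0.0.0.0/0.0.0.0
http_access allow ALbox_network
http_access deny all
EOF

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask from either a prefix length ("28") or a dotted quad ("0.0.0.0").
cidr_mask() {
    case $1 in
        *.*) ip_to_int "$1" ;;
        *)   echo $(( (4294967295 << (32 - $1)) & 4294967295 )) ;;
    esac
}

# Does client $1 fall inside network spec $2 (addr, addr/len or addr/mask)?
in_net() {
    case $2 in
        */*) net=${2%/*}; mask=$(cidr_mask "${2#*/}") ;;
        *)   net=$2;      mask=$(cidr_mask 32) ;;
    esac
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Every network listed on "acl NAME src ..." lines, trailing comments stripped.
acl_nets() {   # $1 = config, $2 = acl name
    awk -v n="$2" '{ sub(/#.*/, "") } $1 == "acl" && $2 == n && $3 == "src" {
        for (i = 4; i <= NF; i++) print $i }' "$1"
}

acl_matches() {   # $1 = config, $2 = acl name, $3 = client ip
    for n in $(acl_nets "$1" "$2"); do
        in_net "$3" "$n" && return 0
    done
    return 1
}

# Walk the http_access lines in order: the first matching rule decides.
# When nothing matches, Squid applies the opposite of the LAST rule, which is
# why "http_access deny all" has to stay at the bottom.
squid_decision() {   # $1 = config, $2 = client ip -> prints allow or deny
    last=
    while read -r action name; do
        [ -n "$action" ] || continue
        last=$action
        if acl_matches "$1" "$name" "$2"; then
            echo "$action"; return 0
        fi
    done <<EOF
$(awk '{ sub(/#.*/, "") } $1 == "http_access" { print $2, $3 }' "$1")
EOF
    case $last in allow) echo deny ;; *) echo allow ;; esac
}

for ip in 10.0.0.5 10.0.0.20 192.168.1.7; do
    echo "$ip -> $(squid_decision "$SQUID_CONF" "$ip")"
done
```

Point the functions at the real /etc/squid/squid.conf to check your own ACL; note that 10.0.0.1/28 is the same network as 10.0.0.0/28, so hosts from .16 upwards are outside it.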

Transparency

With Shorewall, transparency is achieved by redirecting every www request that eth0 picks up to Squid. Edit /etc/shorewall/rules and add

REDIRECT	loc	3128	tcp	www # redirect to Squid on port 3128
ACCEPT		$FW	net	tcp	www # allow Squid to fetch the www content

Run

/etc/rc.d/shorewall restart
/etc/rc.d/squid start

et voila: a transparent proxy!

Ad blocking - adzapper

Adzapper is a plugin for Squid. It catches ads of all sorts (even Flash animations) and replaces them with an image of your choice, so the layout of the page isn't altered too much.

Installation

pacman -S adzapper

Configuration

Squid releases before 2.6:

echo "redirect_program /usr/bin/adzapper.wrapper" >> /etc/squid/squid.conf

squid 2.6.STABLE13-1:

echo "url_rewrite_program /usr/bin/adzapper.wrapper" >> /etc/squid/squid.conf
echo "url_rewrite_children 10" >> /etc/squid/squid.conf


That's it! If you want, you can configure adzapper to your liking. The configuration out of the box works wonderfully well though.

nano /etc/adzapper/adzapper.conf

Content filtering - DansGuardian

Now that everyone on the LAN can access the web, it's time to filter it! >-) Here's a rudimentary guide to DansGuardian, a very powerful content filtering tool. I was going to use DansGuardian to filter ads, but it seems there is no site with a freely downloadable ad host list.

Some blacklists with a category for ads:

  • Shalla's Blacklists : free of charge for personal and partly for commercial usage. Commercial usage requires signing a usage contract.
  • URLBlacklist : you can download it once for free to try the service.

Installation

pacman -S dansguardian

Configuration

nano /etc/dansguardian/dansguardian.conf

Set the following options:

filterip = 10.0.0.1 # eth0 IP
filterport = 8080
proxyip = 10.0.0.1 # eth0 IP
proxyport = 3128
reverseaddresslookups = on # "... unless you have a local caching DNS, leave it off ..." <- we do!! :)
usernameidmethodproxyauth = off # it's going to be a transparent proxy: auth wouldn't make much sense
usernameidmethodntlm = off
usernameidmethodident = off
daemonuser = 'proxy' # same uid Squid uses
daemongroup = 'proxy' # same gid Squid uses

Now we have to make use of DansGuardian: instead of letting Squid catch the HTTP requests, we'll direct them to DansGuardian first. DG will in turn forward the allowed requests to Squid.

nano /etc/shorewall/rules

REDIRECT	loc	8080	tcp	www	# 8080 (DG port) used to be 3128 (Squid port)

Testing

/etc/rc.d/shorewall restart
/etc/rc.d/dansguardian start
elinks www.badboys.com

You should see an "Access denied" page generated by DansGuardian. If not, you'll be exposed to gay porn, which is why I suggest you use elinks. ;) The badboys.com domain is listed in /etc/dansguardian/bannedsitelist .
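Here is a quicker way to see what the bannedsitelist will block than pointing a browser at it. This is an added example, not part of this page or of DansGuardian: it models only DG's domain matching for that one list (a listed domain bans itself and every subdomain, case-insensitively, on a label boundary) over a constructed list; exception lists, URL lists and phrase filtering are not modelled, and apart from badboys.com the domain names are made up.

```shell
#!/bin/sh
# Constructed bannedsitelist in DansGuardian's format: one domain per line,
# '#' starts a comment, blank lines are ignored. Made-up entries, except
# badboys.com which the test above uses.
BANNED="$(mktemp)"
cat > "$BANNED" <<'EOF'
# constructed sample list, not the file DansGuardian ships
badboys.com
Example.ORG          # a listed domain covers all of its subdomains

ads.example.net
EOF

# Hostname part of a URL: strip the scheme, then anything from the first
# "/", ":" or "?" onwards (path, port, query).
url_host() {
    printf '%s' "$1" | sed 's#^[A-Za-z][A-Za-z0-9+.-]*://##; s#[/:?].*$##'
}

# Is hostname $1 banned by list $2?  True when the host IS a listed domain or
# is a subdomain of one.  Case-insensitive, and only on a label boundary, so
# "notbadboys.com" and "badboys.com.example.net" stay allowed.
site_banned() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    for entry in $(sed 's/#.*//; /^[[:space:]]*$/d' "$2" | tr 'A-Z' 'a-z'); do
        case $host in
            "$entry" | *".$entry") return 0 ;;
        esac
    done
    return 1
}

# Wrapper for whole URLs, which is what DansGuardian actually sees.
url_banned() {   # $1 = url, $2 = list
    site_banned "$(url_host "$1")" "$2"
}

for url in http://www.badboys.com/ http://notbadboys.com/ http://ads.example.net/banner.gif; do
    if url_banned "$url" "$BANNED"; then
        echo "$url -> Access denied"
    else
        echo "$url -> allowed"
    fi
done
```

Point site_banned at /etc/dansguardian/bannedsitelist to check a hostname against the list you actually run; the label-boundary check is what keeps a lookalike domain from riding on, or escaping, a listed one.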

Setup filters

Check out the files in /etc/dansguardian/ : they're all used for filtering. Edit /etc/dansguardian/dansguardianf1.conf , the config for group "1", which is the default group all users belong to. If you want, you can make several groups with different sets of rules. I'm not going to do that, but if you do, be sure to add your steps to this wiki. The dansguardianf1.conf file lists all the different rules DG can use to censor the WWW traffic. For every line you leave uncommented, check the file it names: that file contains the actual rules.

nano /etc/dansguardian/dansguardianf1.conf

Add Anti-virus layer to Squid

Anti-virus scanning is added to Squid with the HAVP program, which interfaces Squid with ClamAV.

Installing dependencies

Install ClamAV on your system first (see the ClamAV article).

Once ClamAV is installed, install HAVP from the AUR (see the Arch User Repository article if you haven't built an AUR package before).

Configuration

Once HAVP is installed, create a dedicated user (and group) for the HAVP instance:

adduser havp

Change the owner of HAVP's log directory and its temporary scanning directory to havp :

chown -R havp:havp /var/run/havp
chown -R havp:havp /var/log/havp

HAVP needs mandatory file locking on the filesystem that holds its temporary files. In your /etc/fstab, change:

[...] / ext3 defaults 1 1

to :

[...] / ext3 defaults,mand 1 1

Then remount the filesystem so the option takes effect:

mount -o remount /


Add these lines to your /etc/squid/squid.conf :

cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange default
cache_peer_access 127.0.0.1 allow all

Make sure the port in /etc/havp/havp.config matches the cache_peer port in /etc/squid/squid.conf.

Testing

Restart Squid and start HAVP:

/etc/rc.d/squid restart
/etc/rc.d/havp start

Don't forget to add HAVP to the DAEMONS array in your rc.conf if you want it to launch on boot:

DAEMONS=([...] squid havp [...])

You can try the antivirus capabilities with a test virus (a harmless file that scanners recognise as a virus, not a real one).

Traffic shaping - Shorewall

Shorewall can shape traffic! This is very useful, especially when you're not the only one on the LAN. Don't you just hate it when your ping soars just because some n00b forgot to disable or limit the upload of their P2P program? The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. And then there's everything in between. ;)

Installation

If you already installed Shorewall, there's nothing to be done for now. If not, scroll up and do it!

Configuration

Read Shorewall's Traffic Shaping/Control guide. It's very good and it saves me a lot of typing. :P

Here's my config as an example:

  • /etc/shorewall/tcdevices : here's where you define the interface you want to have shaped and its rates. I've got an ADSL connection with a 4MBit down/256KBit up profile.

ppp0        4mbit        256kbit

  • /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You'll assign each one to a type of traffic to shape.

# interactive traffic (ssh)
ppp0            1       full    full    0
# online gaming
ppp0            2       full/2  full    5
# http
ppp0            3       full/4  full    10
# rest
ppp0            4       full/6  full    15              default

  • /etc/shorewall/tcrules : this file maps each type of traffic to the class it belongs to.

1       0.0.0.0/0       0.0.0.0/0       tcp     ssh
2       0.0.0.0/0       0.0.0.0/0       udp     27000:28000
3       0.0.0.0/0       0.0.0.0/0       tcp     http
3       0.0.0.0/0       0.0.0.0/0       tcp     https
4       0.0.0.0/0       0.0.0.0/0       all

I've split my traffic into 4 groups:

  1. interactive traffic, i.e. ssh: although it takes up almost no bandwidth, it's very annoying when it lags because of leechers on the LAN. This gets the highest priority.
  2. online gaming: needless to say you can't play when your ping sucks. ;)
  3. web traffic: can be a bit slower.
  4. everything else: every sort of download; they're the cause of the lag anyway.
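In an HTB class the RATE column is the bandwidth the class is guaranteed and CEIL is what it may borrow up to, so guarantees that add up to more than the uplink can carry cannot all be honoured at once; it's worth totting them up before copying a layout. The script below is an added example, not part of this page or of Shorewall: it resolves the "full" and "full/N" shorthands in tcclasses against the OUT-BANDWIDTH column of tcdevices, sums the guaranteed rates per interface and reports whether they fit. Run on the four classes above it shows the sum exceeding the 256 kbit uplink, so scale the RATE column to your own line if you reuse them. Unit conversion follows tc's conventions (mbit = 1000 kbit, kbps = kilobytes per second); the files are temporary constructed copies.

```shell
#!/bin/sh
# Constructed copies of the tcdevices and tcclasses lines from this section
# (hypothetical temp files; point the functions at /etc/shorewall/* on the box).
TCDEVICES="$(mktemp)"; TCCLASSES="$(mktemp)"
cat > "$TCDEVICES" <<'EOF'
#INTERFACE   IN-BANDWIDTH   OUT-BANDWIDTH
ppp0        4mbit        256kbit
EOF
cat > "$TCCLASSES" <<'EOF'
#INTERFACE   MARK   RATE     CEIL   PRIORITY   OPTIONS
# interactive traffic (ssh)
ppp0            1       full    full    0
# online gaming
ppp0            2       full/2  full    5
# http
ppp0            3       full/4  full    10
# rest
ppp0            4       full/6  full    15              default
EOF

# Convert a tc-style bandwidth spec to whole kbit
# (tc: mbit = 1000 kbit; kbps = kilobytes per second = 8 kbit).
to_kbit() {
    num=$(printf '%s' "$1" | sed 's/[^0-9].*$//')
    unit=$(printf '%s' "$1" | sed 's/^[0-9]*//')
    case $unit in
        kbit) echo "$num" ;;
        mbit) echo $(( num * 1000 )) ;;
        kbps) echo $(( num * 8 )) ;;
        mbps) echo $(( num * 8000 )) ;;
        *)    echo "unknown bandwidth unit in '$1'" >&2; return 1 ;;
    esac
}

# OUT-BANDWIDTH (third column of tcdevices) of an interface, in kbit.
out_bandwidth() {   # $1 = tcdevices, $2 = interface
    to_kbit "$(awk -v i="$2" '{ sub(/#.*/, "") } $1 == i { print $3 }' "$1")"
}

# Resolve "full", "full/N" or an absolute spec against OUT-BANDWIDTH (kbit).
class_rate() {   # $1 = spec, $2 = out-bandwidth in kbit
    case $1 in
        full)   echo "$2" ;;
        full/*) echo $(( $2 / ${1#full/} )) ;;
        *)      to_kbit "$1" ;;
    esac
}

# Sum the guaranteed RATE (third column of tcclasses) over an interface's classes.
sum_class_rates() {   # $1 = tcclasses, $2 = interface, $3 = out-bandwidth kbit
    total=0
    for spec in $(awk -v i="$2" '{ sub(/#.*/, "") } $1 == i { print $3 }' "$1"); do
        total=$(( total + $(class_rate "$spec" "$3") ))
    done
    echo "$total"
}

# Report the totals; returns 1 when the guarantees exceed what the link carries.
check_shaping() {   # $1 = tcdevices, $2 = tcclasses, $3 = interface
    out=$(out_bandwidth "$1" "$3")
    total=$(sum_class_rates "$2" "$3" "$out")
    echo "$3: OUT-BANDWIDTH ${out} kbit, guaranteed RATE total ${total} kbit"
    [ "$total" -le "$out" ]
}

check_shaping "$TCDEVICES" "$TCCLASSES" ppp0 \
    || echo "classes oversubscribe ppp0: scale the RATE column down"
```

Only the RATE column is summed; CEIL may legitimately be "full" for every class, since it is a borrowing limit rather than a guarantee.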

Time server - OpenNTPd

The following text is a shameless copy/paste of the Network Time Protocol article. I've edited it a bit to bring it up to date.

OpenNTPD is a FREE, easy to use implementation of the Network Time Protocol. It can sync the local clock to remote NTP servers and can act as an NTP server itself, redistributing the local clock.

OpenNTPD is primarily developed by Henning Brauer as part of the OpenBSD Project.

OpenNTPD is a brand new implementation of the ntp protocol. It is much easier to configure and use than ntpd.

Installation

pacman -S openntpd

Configuration

Once installed, the /etc/ntpd.conf file must be edited. This is much easier than with ntpd.

The default configuration is actually usable if all you want is to sync the local computer.

# $OpenBSD: ntpd.conf,v 1.7 2004/07/20 17:38:35 henning Exp $
# sample ntpd configuration file, see ntpd.conf(5)
# Addresses to listen on (ntpd does not listen by default)
#listen on *
#listen on 127.0.0.1
#listen on ::1
# sync to a single server
#server ntp.example.org
# use a random selection of 8 public stratum 2 servers
# see http://twiki.ntp.org/bin/view/Servers/NTPPoolServers
servers pool.ntp.org

To sync to a particular server, uncomment and edit the "server" directive.

server ntp.example.org

The "servers" directive works the same as the "server" directive, except that if the DNS name resolves to multiple IP addresses, ALL of them will be synced to. The default, "pool.ntp.org", works and should be acceptable in most cases.

Any number of "server" or "servers" directives may be used.

If you want the computer you run OpenNTPD on to also be a time server, simply uncomment and edit the "listen" directive:

listen on 10.0.0.1 # change to eth0 IP

If you want to see the status of your syncing, look at /var/log/daemon.log

You also need to open up the firewall to allow traffic from the LAN to the NTPd and from the internet back into the firewall. I wasn't aware of the latter: without it your NTPd will act very unpredictably. Sometimes a client on the LAN will get an NTP response from the router, but mostly ntpdate will give an error like

no server suitable for synchronization found

Add the two rules and restart Shorewall:

nano /etc/shorewall/rules
NTP/ACCEPT       loc       $FW
NTP/ACCEPT       $FW       net

/etc/rc.d/shorewall restart

Control those logs - logrotate

The firewall will probably be installed, configured and put somewhere out of sight, so it should pretty much be an "install and forget" appliance. You'll need to configure logrotate to make sure the box isn't brought down by a lack of disk space because of too many log files.

Logrotate is installed by default, so you won't have to pacman it.

Configuration

nano /etc/logrotate.conf

I'm keeping 1 month (4 weeks) of old logs and compressing them to save disk space. The Gentoo Wiki has a good article on logrotate.

Finishing touches

Basically the same stuff as in the simple guide:

Edit DAEMONS list

Update your DAEMONS list to make sure every service you've installed is started at boot time:

  • squid : if you're running a caching web proxy
  • dansguardian : if you're going to filter webcontent (add squid too)
  • openntpd : if you're running an NTP client / server

This will result in the following line:

DAEMONS=(... squid dansguardian openntpd)

"Lock" config files

Update the NoUpgrade list in /etc/pacman.conf with the config files we just edited:

# Squid
NoUpgrade  = etc/squid/squid.conf
# AdZapper
NoUpgrade  = etc/adzapper/adzapper.conf
# DansGuardian # add every DG config file you've edited to the list below
NoUpgrade  = etc/dansguardian/dansguardian.conf
# Traffic shaping
NoUpgrade  = etc/shorewall/tcclasses etc/shorewall/tcdevices etc/shorewall/tcrules
# OpenNTPd
NoUpgrade  = etc/ntpd.conf

Final clean up

Review the list of packages you installed explicitly (rather than as dependencies) and decide which ones can be removed.

pacman -Qe