SheevaPlug:Ubuntu Router/Firewall @Apr 3, 2010 7:26:45 PM

The SheevaPlug Development Kit, as sold to me by NewIT in the UK (http://www.newit.co.uk/shop/products.php?cat=5) came with Ubuntu 9.04 on an 8GB SDHC card. Here I describe what I did to make the SheevaPlug into a router/firewall.

First of all you will have noted that the SheevaPlug is a little limited in Ethernet ports to be a router, being that it only has one. So I popped into the local Apple Store to buy a USB Ethernet adapter (http://store.apple.com/uk/product/MB442Z/A) which, at under £20, isn't bad value - especially as it works out-of-the-box with the SheevaPlug.

You could wait until the GuruPlug Server Plus is available with two Gigabit ethernet ports, but for me the 100Mbps USB Ethernet adapter will do fine for my ADSL broadband.

I think I should explain that my ADSL router (a nice Cisco 837, see configure:Cisco837) is only bridging the IP network onto its Ethernet ports. It isn't doing any NAT or other nastiness to my IPv4 connection, but it is also terminating an IPv6 tunnel into Sixxs (https://www.sixxs.net/main/).

The very first thing I need to do is make the SheevaPlug more secure. Initially there is only a root user with a very publicly known password, and the root user can connect using ssh. If we connect the SheevaPlug to the Internet in this state it is very likely to be pwned!

To make the SheevaPlug more secure: change the root user's password and disable ssh access for the root user:

# passwd
# nano /etc/ssh/sshd_config
# service ssh restart

(on Ubuntu the OpenSSH service is called ssh, not sshd)


Make sure /etc/ssh/sshd_config includes the following line. In the default SheevaPlug install, line 26 reads PermitRootLogin yes, which we must change:

PermitRootLogin no

Then make a new user that you will use to log in (I'll use myuser as an example), add them to the sudo group, and make sure the sudo group has sudo permissions:

# adduser myuser
# adduser myuser sudo
# visudo


The last line of /etc/sudoers must be uncommented and look something like this:

%sudo ALL=(ALL) ALL

perhaps with the "NOPASSWD" option, but personally I have left that off.
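As an added example (not from the original page), the following POSIX shell script checks the two hardening steps above the way sshd and sudo actually read their files: sshd uses the first occurrence of a directive, so a "PermitRootLogin no" appended below the stock "yes" on line 26 changes nothing. The sshd_config and sudoers files it inspects are constructed stand-ins written to a temporary directory; the same functions can be pointed at the real /etc/ssh/sshd_config and /etc/sudoers.

```sh
#!/bin/sh
# Added example, not from the original page: audit the sshd and sudoers
# hardening steps. sshd matches keywords case-insensitively and uses the
# FIRST occurrence of a directive; later duplicates are ignored.

# Print the effective PermitRootLogin for the sshd_config given as $1.
# $2 is the value assumed when the directive is absent: OpenSSH before 7.0
# (as on Ubuntu 9.04) defaulted to "yes", 7.0 and later to "prohibit-password".
effective_permit_root_login() {
    _val=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    printf '%s\n' "${_val:-$2}"
}

# Succeed only if the sudoers file $1 has an active (uncommented) %sudo rule.
sudo_group_rule_active() {
    grep -Eq '^[[:space:]]*%sudo[[:space:]]+ALL=' "$1"
}

# Report on one sshd_config ($1) and one sudoers file ($2).
audit() {
    printf 'PermitRootLogin (effective): %s\n' "$(effective_permit_root_login "$1" yes)"
    if sudo_group_rule_active "$2"; then
        echo 'sudoers: %sudo rule active'
    else
        echo 'sudoers: %sudo rule missing or commented out'
    fi
}

# Constructed sample files (stand-ins for /etc/ssh/sshd_config and /etc/sudoers).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
# The common mistake: stock "yes" left in place and a "no" appended at the end.
printf '%s\n' 'Port 22' 'PermitRootLogin yes' 'PasswordAuthentication yes' \
    'permitrootlogin no' > "$demo_dir/sshd_config.bad"
# The edit the page asks for: the original line changed (or commented) and "no" set.
printf '%s\n' 'Port 22' '#PermitRootLogin yes' 'PermitRootLogin no' > "$demo_dir/sshd_config.good"
printf '%s\n' 'root ALL=(ALL) ALL' '# %sudo ALL=(ALL) ALL' > "$demo_dir/sudoers.bad"
printf '%s\n' 'root ALL=(ALL) ALL' '%sudo ALL=(ALL) ALL' > "$demo_dir/sudoers.good"

audit "$demo_dir/sshd_config.bad" "$demo_dir/sudoers.bad"    # still "yes", rule commented out
audit "$demo_dir/sshd_config.good" "$demo_dir/sudoers.good"  # "no", rule active
```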

From this point on I'll assume you've logged on as the user you've just created.

So, on with making the SheevaPlug into a router/firewall. I need to set up the IP addresses on the SheevaPlug.

My ISP allocates me an IPv4 /29 subnet (8 IP addresses, including the unusable network and broadcast addresses and the address that the router gets) so I have 5 usable IPv4 addresses in my WAN side network. I need to allocate one of those IPv4 addresses to the SheevaPlug. The SheevaPlug will then NAT into my home LAN to one IPv4 /24 subnet (more subnets will come later when I get a VLAN capable switch).

I also have an IPv6 /48 subnet routed from Sixxs and I want the SheevaPlug to route a /64 subnet into my home LAN.

eth1 is the USB Ethernet adapter that I'm using for my WAN, so this is what I add to /etc/network/interfaces on the SheevaPlug:

auto eth1
iface eth1 inet static
name External Ethernet interface
address 82.xxx.yyy.28
netmask 255.255.255.248
network 82.xxx.yyy.24
broadcast 82.xxx.yyy.31
gateway 82.xxx.yyy.30
iface eth1 inet6 static
address 2a01:mmmm:nnnn:1::28/64
netmask 64


eth0 is the built-in Ethernet port on the SheevaPlug that I am using for my LAN, so this is what I add to /etc/network/interfaces:

auto eth0
iface eth0 inet static
name Internal Ethernet interface
address 10.xxx.yyy.20
netmask 255.255.255.0
network 10.xxx.yyy.0
broadcast 10.xxx.yyy.255
# no gateway on the LAN side: the default route already goes out via eth1,
# and a second "gateway" line would fail with "File exists" when eth0 comes up
# gateway 10.xxx.yyy.1
iface eth0 inet6 static
address 2a01:mmmm:nnnn:64::20/64
netmask 64


After restarting networking and connecting the Ethernet adapters, I can ping and ping6 hosts on both networks:

sudo service networking restart

All contents copyright mdsh.com (C) 2011-2023.