SheevaPlug:Ubuntu Router/Firewall @Apr 4, 2010 9:59:52 AM

The SheevaPlug Development Kit, as sold to me by NewIT in the UK ( http://www.newit.co.uk/shop/products.php?cat=5 ) came with Ubuntu 9.04 on an 8GB SDHC card. Here I describe what I did to make the SheevaPlug into a router/firewall.

First of all, you will have noted that the SheevaPlug is a little short of Ethernet ports for a router, since it only has one. So I popped into the local Apple Store to buy a USB Ethernet adapter ( http://store.apple.com/uk/product/MB442Z/A ) which, at under £20, isn't bad value - especially as it works out-of-the-box with the SheevaPlug.

You could wait until the GuruPlug Server Plus is available with two Gigabit ethernet ports, but for me the 100Mbps USB Ethernet adapter will do fine for my ADSL broadband.

I think I should explain that my ADSL router, a nice Cisco 837 (see the Cisco837 page), is only bridging the IP network onto its Ethernet ports. It isn't doing any NAT or other nastiness to my IPv4 connection, but it is also terminating an IPv6 tunnel into Sixxs ( https://www.sixxs.net/main/ ).

The very first thing I need to do is make the SheevaPlug more secure.


Initially there is only a root user with a very publicly known password, and the root user can connect using ssh. If we connect the SheevaPlug to the Internet in this state it will get pwned!

To make the SheevaPlug more secure: change the root users password and disable ssh access for the root user:

# passwd
# nano /etc/ssh/sshd_config
# service ssh restart


Make sure /etc/ssh/sshd_config includes the following line. In the default SheevaPlug install, line 26 has PermitRootLogin yes, which we must change!

PermitRootLogin no

Then make a new user that you will use to log in (I'll use myuser as an example), add them to the sudo group, and make sure the sudo group has sudo permissions:

# adduser myuser
# adduser myuser sudo
# visudo


The last line of /etc/sudoers must be uncommented and look something like this:

%sudo ALL=(ALL) ALL
perhaps with the "NOPASSWD" option, but personally I have left that off.

From this point on I'll assume you've logged on as the user you've just created.

So, on with making the SheevaPlug into a router/firewall.

Set up the IP addresses on the SheevaPlug


My ISP allocates me an IPv4 /29 subnet (8 IP addresses, including the unusable network and broadcast addresses and the address that the router gets) so I have 5 usable IPv4 addresses in my WAN side network. I need to allocate one of those IPv4 addresses to the SheevaPlug. The SheevaPlug will then NAT into my home LAN to one IPv4 /24 subnet (more subnets will come later when I get a VLAN capable switch).

I also have an IPv6 /48 subnet routed from Sixxs and I want the SheevaPlug to route a /64 subnet into my home LAN.

eth1 is the USB Ethernet adapter that I'm using for my WAN, so this is what I add to /etc/network/interfaces on the SheevaPlug:

auto eth1
iface eth1 inet static
name External Ethernet interface
address 82.xxx.yyy.28
netmask 255.255.255.248
network 82.xxx.yyy.24
broadcast 82.xxx.yyy.31
gateway 82.xxx.yyy.30
iface eth1 inet6 static
address 2a01:mmmm:nnnn:1::28/64
netmask 64


eth0 is the built-in Ethernet port on the SheevaPlug, which I am using for my LAN, so this is what I add to /etc/network/interfaces:

auto eth0
iface eth0 inet static
name Internal Ethernet interface
address 10.xxx.yyy.20
netmask 255.255.255.0
network 10.xxx.yyy.0
broadcast 10.xxx.yyy.255
gateway 10.xxx.yyy.1
iface eth0 inet6 static
address 2a01:mmmm:nnnn:64::20/64
netmask 64


and if I restart the networking and connect the Ethernet adapters I can ping and ping6 hosts on both networks:

sudo service networking restart

You may need to kill the DHCP client daemon, since it doesn't seem to go away when you convert an interface from 'dhcp' to 'static'.

Make the SheevaPlug route IPv4 and IPv6


Now that we have a server connected to the Internet WAN and home LAN we need to convert it into a router. We also need to create a firewall script that will protect the LAN hosts from being attacked over IPv4 and IPv6, while allowing them NAT IPv4 access and direct IPv6 to the Internet.

To make a Linux Kernel route IPv4 you run this as root:

/sbin/sysctl -w net.ipv4.ip_forward="1"

To make a Linux kernel route IPv6 you run this as root:

/sbin/sysctl -w net.ipv6.conf.all.forwarding="1"

So, what I do is write two scripts, one for IPv4 and one for IPv6. In those scripts I include all the sysctl calls I want, to enable routing and tweak the IP security settings, and all the iptables calls that make up my kick-ass firewall. This tutorial is not going to describe how to create a firewall - there are plenty of other web sites doing that. But once you have your firewall honed to perfection you will want to apply it to your SheevaPlug router.

Because this is just my home network I only want to apply the firewall when the Internet-facing WAN Ethernet port is up. The easiest way to achieve that is to run the scripts I just described in the 'pre-up' phase of enabling eth1 (the USB Ethernet adapter). Like this:

auto eth1
iface eth1 inet static
pre-up /usr/local/firewall/IPv4
pre-up /usr/local/firewall/IPv6
name External Ethernet interface
address 82.xxx.yyy.28
...


Now if we bounce eth1 it will get reconfigured with routing enabled and all the firewall rules applied:

$ sudo ifdown eth1 && sudo ifup eth1
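Added example (not the author's script, whose contents the page leaves to the reader): a minimal /usr/local/firewall/IPv4 in the layout described above, with the sysctl and iptables calls in one script, using the placeholder values eth1 = WAN, eth0 = LAN and 10.0.0.0/24 = LAN subnet in place of the page's addresses. It assumes ifupdown exports PHASE=pre-up when it runs the script; run by hand with "preview" it prints the rules instead of applying them.

```sh
#!/bin/sh
# /usr/local/firewall/IPv4: sysctl hardening plus iptables rules in one script,
# in the layout the page describes. Added example, not the author's script.
# Assumed placeholder values: eth1 = WAN, eth0 = LAN, 10.0.0.0/24 = LAN subnet.
WAN=eth1
LAN=eth0
LAN_NET=10.0.0.0/24
# With DRY_RUN set, print each command instead of running it, so the rule set
# can be reviewed without root or an iptables binary.
run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}
harden_sysctl() {
    run sysctl -w net.ipv4.ip_forward=1                 # the page's routing switch
    run sysctl -w net.ipv4.conf.all.rp_filter=1         # drop packets whose source is not routable back the same way
    run sysctl -w net.ipv4.conf.all.accept_redirects=0  # ignore ICMP redirects from either side
    run sysctl -w net.ipv4.conf.all.send_redirects=0
    run sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
}
ipv4_rules() {
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP      # default deny towards the router itself
    run iptables -P FORWARD DROP    # and for traffic through it
    run iptables -P OUTPUT ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets arriving on the WAN with a LAN source address are spoofed.
    run iptables -A INPUT -i "$WAN" -s "$LAN_NET" -j DROP
    run iptables -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP
    # ssh to the router only from the LAN side.
    run iptables -A INPUT -i "$LAN" -p tcp --dport 22 -j ACCEPT
    # LAN hosts open connections outwards; only their replies come back in.
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Hide the LAN behind the SheevaPlug's WAN address.
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}
apply_firewall() {
    harden_sysctl
    ipv4_rules
}
# ifupdown exports PHASE=pre-up when it runs this from /etc/network/interfaces
# (assumed here); "./IPv4 preview" prints the rules instead of applying them.
case "${1:-$PHASE}" in
    preview) DRY_RUN=1; apply_firewall ;;
    apply|pre-up) apply_firewall ;;
esac
```

The IPv6 script follows the same layout with ip6tables, without the MASQUERADE rule and with ICMPv6 accepted, since neighbour discovery depends on it.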


Other services that make a home router useful


DHCP

DNS

RADVD



All contents copyright mdsh.com (C) 2011-2023.