iptable-rules and DNS-setup

General support questions
Elmi
Posts: 12
Joined: 2014/01/19 17:16:30

iptable-rules and DNS-setup

Post by Elmi » 2014/04/16 13:03:37

Hi,

I plan to set up a small box as a firewall. Since this project is still in the planning phase and I don't have the hardware yet, I can't just do some experiments - and therefore have to ask some stupid questions to find out if and how the things I want to do are possible:

Assume this box has an eth0 which is connected to the outer world and an eth1 which is connected to my inner network, which has to be secured:

1. What should an iptables rule look like that blocks all incoming connections on eth0?

2. What should an iptables rule look like that allows a connection on eth1 to the outer world on some specific ports only (e.g. port 22, 80, 443), as long as no blocked IP is accessed?

3. What should an iptables rule look like that blocks an IP or an IP range for all accesses?

4. What should a local DNS server configuration look like that is available for all connections on eth1 and itself accesses another (outer) DNS to resolve the request?

5. What should an iptables rule look like that blocks all DNS requests on eth1 that are for another DNS than the one running locally?

Any help is appreciated :-)
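An added example (not posted in the thread) showing iptables rules for questions 1, 2, 3 and 5 on the eth0/eth1 layout described above; the blocked ranges, the allowed port list and the dry-run default are assumptions, and the forwarding resolver of question 4 is only pointed to in a comment:

```shell
#!/bin/sh
# Added example, not from the thread. eth0 = outside, eth1 = inside.
# Blocked ranges below are constructed documentation addresses; replace them.
WAN=eth0
LAN=eth1
BLOCKED="203.0.113.0/24 198.51.100.7"
ALLOWED_TCP="22 80 443"
# Dry run by default: prints the rules. Run with IPT=iptables (as root) to apply.
IPT="${IPT:-echo iptables}"

emit_rules() {
    # Default deny for traffic to and through the box, then allow explicitly.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F; $IPT -t nat -F
    $IPT -A INPUT -i lo -j ACCEPT
    # Q3: blocked addresses/ranges first, so they win over every later ACCEPT.
    for net in $BLOCKED; do
        $IPT -A INPUT -s "$net" -j DROP
        $IPT -A FORWARD -i "$LAN" -d "$net" -j DROP
    done
    # Replies to connections the box itself or the LAN started.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Q1: no new inbound connections on eth0 (the DROP policy already does
    # this; the explicit rule logs attempts so they can be reviewed).
    $IPT -A INPUT -i "$WAN" -m state --state NEW -j LOG --log-prefix "WAN-NEW: "
    $IPT -A INPUT -i "$WAN" -m state --state NEW -j DROP
    # Q5: LAN DNS queries may only reach the resolver on this box; queries
    # for any other server are not forwarded out.
    $IPT -A INPUT -i "$LAN" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$LAN" -p tcp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -p udp --dport 53 -j DROP
    $IPT -A FORWARD -i "$LAN" -p tcp --dport 53 -j DROP
    # Q2: LAN -> outside only on the listed TCP ports (blocked IPs already dropped).
    for port in $ALLOWED_TCP; do
        $IPT -A FORWARD -i "$LAN" -o "$WAN" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Hide LAN addresses behind the eth0 address; also needs
    # net.ipv4.ip_forward=1 in /etc/sysctl.conf.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    # Q4 is a separate service, e.g. dnsmasq with "interface=eth1" and
    # "server=<upstream DNS IP>" in /etc/dnsmasq.conf (assumed setup).
}

emit_rules
```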

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: iptable-rules and DNS-setup

Post by gerald_clark » 2014/04/16 13:07:17

Just buy a router.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptable-rules and DNS-setup

Post by TrevorH » 2014/04/16 13:14:28

For about US$100 you can buy a 3 port gigabit "Ubiquiti Edgerouter Lite" firewall that's specifically designed to be a firewall/router. It uses far less power than a full blown PC and is hardened and designed to be a firewall.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Elmi
Posts: 12
Joined: 2014/01/19 17:16:30

Re: iptable-rules and DNS-setup

Post by Elmi » 2014/04/16 13:16:55

OK, the hardware is not a problem; there are small boxes with embedded AMD CPUs available that consume less than 20 W. Nevertheless I do NOT want to have something pre-manufactured, since one can't trust all these closed devices. So...how can this be done using a plain Linux system?

Greg_E
Posts: 143
Joined: 2014/04/04 18:53:45

Re: iptable-rules and DNS-setup

Post by Greg_E » 2014/04/16 15:52:02

Not to add fuel to the fire, but there are several small routers that run open source firmware, and I think that Ubiquiti router mentioned above is one of them.

http://en.wikipedia.org/wiki/DD-WRT

Elmi
Posts: 12
Joined: 2014/01/19 17:16:30

Re: iptable-rules and DNS-setup

Post by Elmi » 2014/04/16 16:24:30

OK, to come back to my original question: I DEFINITELY do not want to use anything other than CentOS on a special low-power box. So...anybody able to help with my question?

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: iptable-rules and DNS-setup

Post by gerald_clark » 2014/04/16 16:27:18

You want simple answers to complex questions.
Making a secure edge router will require years of experience with Linux security.
You should get a dedicated router distribution, or buy a dedicated router.

Elmi
Posts: 12
Joined: 2014/01/19 17:16:30

Re: iptable-rules and DNS-setup

Post by Elmi » 2014/04/17 05:03:25

gerald_clark wrote: You should get a dedicated router distribution, or buy a dedicated router.

So in this case...any distribution you can recommend that is a full open source project with no custom/commercial/closed source extensions?

vonskippy
Posts: 839
Joined: 2006/12/30 03:00:04
Location: Western Slope Colorado

Re: iptable-rules and DNS-setup

Post by vonskippy » 2014/04/17 05:14:41

PFSense, IPCOP are two of many.

Just to recap, there is NO WAY you can harden a full blown distro (like CentOS or any other Linux/BSD OS) like a specially made (by experts) hardened, stripped-down-to-the-bare-essentials, tested, tested-again, tested-by-their-user-base firewall appliance. To try is just plain stupid. Security is not a few IPTABLE rules and a minimal distro install; it goes far far far far beyond simple configuration hacks.
For the 2.5^15th time :: Better Details = Better Answers
