Ubuntu Servers :: Setting Up Gateway / Router And Firewall
Jul 20, 2011
So what I want to do is setup a gateway(or router, idk what Ubuntu refers to it as.). So my set up would be Modem>Server>Switch>Router. I know that I need to set up it up as a DHCP server as well. I would also like to setup it up as a firewall too. I already have two Gbit cards that are already configured. So how do I do this? I already tried one tutorial, but it was old and was for Debian. I also installed ebox, but I couldnt figure that out either.
I want to do is setup a gateway(or router, idk what Ubuntu refers to it as.). So my set up would be Modem>Server>Switch>Router. I know that I need to set up it up as a DHCP server as well. I would also like to setup it up as a firewall too. I already have two Gbit cards that are already configured. So how do I do this? I already tried one tutorial, but it was old and was for Debian. I also installed ebox, but I couldnt figure that out either.
story is my brother is a dindows lover (gamer) and hes been gettin attacked by virus's,etc cause he runs his Vista setup with no firewall or antivirus
He says the firewall,etc slows down the PC too much for gaming He doesnt want to use Linux as his games wont play on Linux as on dindows
He wants to know if you can install a Linux firewall/gateway or whatever into his Linksys WRT54GC router and thus protect his PC without using a firewall or av in it.
EDIT: precisely; he has a Linksys wireless-G connected to a always-on Verizon Westel 6100G modem so its a wired connection, not wireless
post the "perfect" tutorial for setting up a router and firewall for Ubuntu 10.10 Server 64-bit? I'm kind of a n00b when it comes to Linux, so I get really confused with some things, I have seen things on the ubuntu wiki about this... but it really confuses me =
I'm trying to setup my ubuntu sys as a router and firewall... Internet -> Ubuntu (Router) -> Switch (no DHCP on it) -> Computers I've already setup bind and dhcp3 and got those working perfectly... I've also setup Squid3 and Dansguardian for content filtering (blocking ads and such) and got them working too... I want to set it all up to be transparent, and allow the system itself to function as a powerful firewall router, giving absolutely NO issues to client computers connected, and no speed reduction at all.... I want to setup the firewall to allow all outgoing connections, but block everything incoming (stealth the network)... Forcing all http/s traffic to pass through dansguardian, then to squid...
But am very confused on how to pull this off... The system is running Ubuntu 10.10 Server 64-bit, with 4 GB of RAM, 320 GB SSD, and two 1Gb NIC cards... Sorry if I'm not very clear, I do speak english perfectly, but just kinda new to the "Linux world", I was using SONICWALL but that's getting a little too costly to my network and wanna do a free alternative... Something completely CUSTOM, not using some network security distro.
could set up a firewall on my linux machine? I have is to connect my router wired to the linux machine and then from the linux machine to my main computer, and obviously routing the internet connection through the linux box as a firewall. I use a Netgear DG834G router
I have linux server setup on a network with 2 interfaces. One (eth0) is connected to the regular network and the other (eth1) has a DHCP server and transparent web cache listening on it. The machines connected on the eth1 side are on a different subnet and the linux server is there gateway. Untrusted machines are introduced to this network to keep them isolated.
This isolation works well, too well. There are a small set of resources on the regular network I would like to make available to machines on untrustworthy network. I think I need to use iptables but alas I've had no luck in piecing together the command I need (in one case looking myself out and having to physically reset the machine).
The dhcp doesnt work unless i put a switch or router between the ubuntu gateway and the connecting computer.
setup
Code:
Code:
Code:
Code:
Im on ubuntu 10.04. is this normal? or should i be able to connect without having a router or switch between the ubuntu server and the internal network....
I am having a little trouble setting up a NAT firewall using iptables. I have 1 PC dedicated to being the firewall running Ubuntu 10.04 LTS. There are 2 NICs in this PC. One NIC is connected to the modem & the other is hooked into my router, sharing the connection through to the other PC on my LAN. Thing is that I am having troubles setting this up using iptables. I have it sharing the connection, but can't seem to make it forward 2 ports through to my webserver on the LAN. I am also wanting to setup init.d to control iptables. I have been trying to google this, but haven't found anything useful to get this accomplished. I put the following into rc.local to make the forwarding work:
/sbin/iptables -F /sbin/iptables -N block /sbin/iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -A block -m state --state NEW -i ! eth0 -j ACCEPT /sbin/iptables -A block -j LOG /sbin/iptables -A block -j DROP /sbin/iptables -A INPUT -j block /sbin/iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE
Our firewall (debian) currently has 4 public ip addresses (eth0 1.2.3.4, eth0:0 1.2.3.5, eth0:1 1.2.3.8, eth0:2 1.2.3.9) and 3 internal subnets (eth1 10.1.x.x, eth1:0 10.2.x.x, eth2 10.7.x.x). We are experiencing the following two problems which I believe have the same root cause. 1) The firewall cannot access beyond the isp gateway (1.2.3.1). 2) From externally, we can ping eth0 with no trouble, however, pinging the eth0:0, eth0:1 and eth0:2 interfaces have results similar to the following:
Code: PING 1.2.3.8 (1.2.3.8) 56(84) bytes of data. 64 bytes from 1.2.3.8: icmp_seq=2 ttl=57 time=59.0 ms 64 bytes from 1.2.3.8: icmp_seq=2 ttl=57 time=63.0 ms (DUP!) 64 bytes from 1.2.3.8: icmp_seq=13 ttl=57 time=59.3 ms 64 bytes from 1.2.3.8: icmp_seq=13 ttl=57 time=63.0 ms (DUP!) 64 bytes from 1.2.3.8: icmp_seq=24 ttl=57 time=62.0 ms 64 bytes from 1.2.3.8: icmp_seq=24 ttl=57 time=65.6 ms (DUP!)
I get the feeling that I'm missing something obvious, especially since all traffic on the internal subnets can access externally as normal.
I got 2 servers, each on different locations (server 1 and server 2). I want all traffic on server1 included web browsing, applications etc., be always going through server2, like a gateway. I want the traffic to be encrypted (maybe use VPN?) So if I browse, or any logs pick up ip adresses from applications used by server1, I want it to display the IP address from server2 (Might be the wrong way to say it).
I always wants server2 to act as an firewall and logserver that logs all the traffic. I was thinking about using Snort for IPS/IDS solutions and OpenVPN for the traffic, but what can I use as a firewall? Most firewalls I find on google has its own OS/Distribution. Maybe Squid for logs? But squid does not support much protocols. Distribution on both servers are updated Debian/Ubuntu based.
I want to set up a Linux box as a wireless router to replace our existing Netgear WNR1000 router, as I believe the Netgear does not support the coming IPv6 protocol. Unfortunately, it is not flashable with OpenWRT or DD-WRT presently.
As we have Comcast, our cable modem acts as a dumb modem according to the customer support guy I talked to, and our router is the one that asks for the IP address from DHCP. Thus, when Comcast switches over to IPv6, I don't believe my existing router would work, correct?
My idea is to take a Linux box and put two NICs and a wireless adapter in it, using IPCop or Smoothwall to set up a router. I could then enable IPv6 support for when we have IPv6 with Comcast. Is that possible? Would there be a way to get BIND to hand out private IP addresses in the same subnet on the both the LAN NIC and the wireless card?
I live on a property with 3 other units and we all share a cable connection. There's a modem connected to a wireless router (I'll call it the "main" router), which until recently I connected to with an 80' or so long ethernet cable because I don't get a good signal, and all I've got is a desktop anyway. When plugged directly into the main router, I can get very fast download speeds - the fastest I've seen over bittorrent, for example, is about 2.2 Mb/s, and it's over 1 Mb/s most of the time for popular torrents or sites with good bandwidth. A friend with a laptop is staying with me for a month, so I wanted to set up a wireless router in my home, and my desktop needed to be moved to a location where running a wire is kind of awkward, so I planned on using the wireless too.
I don't have a spare proper router with an uplink port laying around, but I did have a spare DSL modem/wireless router combo (which I'll call the "secondary" router) that I used to use at a former residence, and I thought I'd try to use it here. I plugged it into my computer, configured its security settings how I wanted (64-bit WEP) and looked through for settings that seemed like they might pertain to using it in this capacity. I didn't really find any except for something that seemed to turn off its DHCP, which I did. Then I unplugged my computer and plugged in the ethernet cable that runs to the main router (which is a normal ethernet cable, not crossover). I found that this setup does "just work" for the most part - our computers see the signal and can log in and access the internet through the main router's cable connection. However:
1. I can't figure out how to access the secondary router's settings once it's been plugged into the main one, even if I unplug it from the main one. What happens is that as soon as I connect the two routers together, it's almost like the secondary ceases to exist independently until it's settings are purged via the reset button. I plug it's IP address into a browser like usual, and nothing happens (it's an Actiontec whose stock one is 192.168.0.1 and the main router is a Netgear with an IP of 192.168.1.1).
I can log into the main one like normal through a wireless connection to the secondary, though. If I look at "attached devices" in the main router's config, it lists all the client computers in the network, but there's no IP that could be for the router (I'm sure of this). Each computer connected through my secondary router gets assigned its own IP like normal, and port forwarding works without a hitch. Again, this persists until the secondary is reset - after the two routers are connected but until the secondary is reset, there doesn't to be a way into the secondary's config. The security settings are acting as they should, though (ie, you need the secondary's WEP key to log on).
2. Internet download speeds when connected to the secondary over wireless are extremely slow compared to what the connection is capable of (can't seem to top 90 Kb/s) but for some reason the max attainable internet upload speed seems to be about the same as normal (around 200 Kb/s). This is puzzling to me. Back when I was using the secondary router for it's intended purpose as a DSL gateway under XP, I downloaded at around 300 Kb/s all the time with it using the same wireless card I am now, so I know the hardware I have is capable of it. Now both of our wireless cards are getting the same mediocre speeds (seemingly bottlenecked at around 90 Kb/s), even with a full signal (ie, the computer right next to the router).
If we connect to the secondary router with a cable rather than wireless, there's no problem and downloads are really fast (note again though that the max upload speed doesn't seem affected whether wired or wireless, as determined by running internet speed tests in both configurations). Ping times over wireless are also extremely high - ie, 800ms+ even when pinging the main router at 192.168.1.1.
It almost seems like there's something inferior or bottlenecked about the wireless signal the secondary router puts out, but I don't know what that could be or how to change it. (I also don't really understand anything about the setup I created here though, other than that I plugged it in and crossed my fingers and it works for basic, non-bandwidth-intense tasks). basically I'm curious whether there's a way to have normal access to the secondary router's settings in this setup, and whether there's a way to make the bandwidth over wireless less mediocre.
a wireless router (box) is went stuck, I found that when it is stuck it uses strange IP local address remote address 10.112.112.112, today is also went stuck but this time the gateway was 10.112.112.112. I had to switch off, switch on teh router to function properly. I am using DSL connection normally the gateway is likie that 78.8.... and my IP (dynamic) like 78.8.240..... Is there any default meaning of 10.112.112.112 in teh net connections?
I have been searching google for a while now and have not found exactly what I am looking for. I would like to use my fresh install of ubuntu server 11.04 as my router/gateway for my home. I am not an expert at linux by any means but I can usually figure stuff out. I believe I need iptables, bind, and a few others probally. It eventually will also be a samba server but I have done a little with samba before. I do have 2 network cards, my router at the moment is starting to die and would love to have a more powerful router. I would also like to figure out how to do port forwarding in the router, as well as be able to see the load on the network cards. Maybe there is a program to show usage by user? As well as be able to do packet pritorization.
I've set up a Lan-to-Lan (routed) OpenVPN tunnel. For redundancy I want to set up a second VPN tunnel on a fallback gateway/firewall on the client side. Currently, both sides (server/client) know how to route packets across each others physical LAN. So no NAT is used. When the primary gateway (fw1) is connected to the VPN server all traffic runs via the fw1 tunnel. Than when the secondary gateway (fw2) connects to the VPN server and fw1 is still connected all traffic for fw1 will be delivered to fw2 and effectively destroying traffic intended for fw1. This is of course no problem if I first shutdown (fence) fw1, than set up fw2 to use the gateway IP address from fw1 and set up the VPN tunnel to the VPN server. Effectively replacing fw1 with fw2 on the client side. However, I can't seem to find a decent howto.
I am also exploring the possibility to let both tunnels active and let OpenVPN (or another tool) decide how to route packets back and forth the different LANs. A virtual IP between two gateway's both running a VPN or something similar. This would be the preferred method of course. However, I don't know how to tackle this one but I'm pretty sure there are people out there who are happy to share their 2 cents.
I have 17 system (sys1,sys2,sys3.....sys17) in my office, and i am willing to setup a dedicated system to act as a firewall for that i have selected sys1 with two NIC(eth0 for local network and eth1 for internet) and i have configured to access internet in my office for that i have opened a wellknown port 80.but my clients are not accessing the internet..
and please check my sample IP configuration !!!
interface : eth1 (ISP IP)just for example IP :192.168.0.2 gateway:192.168.0.1 dns:202.56.230.5 dns:202.56.230.6
Interface : eth0 (my local lan )
192.168.1.1 255.255.255.0
IP address of xp clients ranges form 192.168.1.2 to 192.168.1.16 with default 255.255.255.0
my question is that which gateway address and dns i have to give to my clients for accessing internet ?...
I'm running Ubuntu 10.04 and my setup is as follows:
As you can see, I am directly connected to router 192.168.25.1, and so my ip address is 192.168.25.101. I want my ip address to be 192.168.13.101, and make router 192.168.13.1 my gateway router. Is this possible under the current physical layout (I do not want to have to connect directly into 192.168.13.1, but keep my computer where it is at)?
When I run tracepath, it shows 192.168.13.1 is one hop away.
What I've tried:
The problem is under this manual setup, I cannot ping 192.168.13.1 and running command netstat -rn returns the following:
Does anyone have experience with the D-LINK DIR-655 gateway OR router OR wireless access point? On the surface, I like this box, but it is giving me grief. First, it wants me to use a win-dose CD configurator application. I use the embedded web page configurator. Next, there are several configuration wizards at the embedded web page. After trying the wizards, I went to the manual screens to tinker to get something working.
So what is going on? When a LAN client connects, I want DHCP to present at least two "nameserver" values ... which then make their way into /etc/resolv.conf The DIR-655 plays some nameserver games like caching and blacklisting and other things. However, I get some ad-vert page from "dnssearch" or "yahoo" or similar when names don't resolve. I really don't want this behavior. Network-manager does not report the connection down, however streaming anything stops or "reconnects", browsing times out, LAN side traffic seems to stop as well.
I recently upgraded an Ubuntu 8.04 server to 10.04 server. My previous configuration had two network interfaces both routed to the same LAN with the same gateway. This functioned for me so as to support different services on each interface, such as http and smb on one, torrents on another. This routed fine in 8.04 (routing table below). Once I upgraded to 10.04, any packets that traveled beyond the LAN did not return. I checked and there is no local firewall running. Thinking that this was strange I set up a virtual machine and tested it in a different environment at work (and also with a virtual firewall configuration) with the same results.
I also tested several other current operating systems, including Debian 5.04 and Open Solaris 9, all of which routed two interfaces with the same gateway fine. I rolled back from 10.04 to 9.10 and the problem persists, so the change exits also between 8.04 and 9.10. at least identify what is unique to Unbuntu 9.10 and above that is preventing having two interfaces with the same gateway, something that other operating systems do not seem to have trouble with?
I have a fedora 14 box which has a static IP and I can not contact the internet or even my gateway router.I know it has to do with my kernal IP routing table but I can not find the command to do what I need...Here is my kernal IP routing table
Presently this client access the net through following setup ADSL modem -> hub -> all computers
Now they want to do some kind of bandwidth control, content filtering. So I tried setting up squid with dansguardian. This is what I did ADSL -> linux server -> all computers.
The linux server has two NIC cards. One to the ADSL router and another to the local hub. This is how my squid.conf file looks like
Have set the gateway server as 121.x.x.1. Which is the gateway server of the ISP. Now I can ping the local network, but cant ping the gateway or any other website. Also I am unable to access the router administration page.
I'm thinking of setting up my own sms gateway using my own linux server and regular old nokia phone, along the lines of what is described here [URL]
I was wondering if anyone out there has been down this road before, and in particular knows about approximately how many messages could be sent/received per minute? In the application I have in mind (an instantaneous online survey from an audience of hundreds) I would need to be receiving hundreds of sms texts in around a minute. I was wondering if that was pushing it in terms of the capabilities of an old phone.
I have seen tutorials on setting up a secured firewall/router/gateway using ubuntu server as the platform. However, I am wondering if anyone has had experience with using an aircard (wireless broadband card via usb) to set up a router.
Which card do you recommend? Any precautions? Any specific code already written to automatically recognize mobile broadband cards and restart the connection if it goes stale?
In an effort to learn more about firewalls and iptables I have left behind gui set-up tools and have setup a firewall using iptables that logs to its own file. The firewall is as follows:
Code: *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] :TCP - [0:0]
2. PC with wired Internet connection + WIFI adapter OS: Windows XP Connection name and parameters same as above except ip: 192.168.1.40
I can see trial is getting connected with excellent strength. When i try to run an Internet on Ubuntu it is not working. Firewall is not active and Router is enabled.
