Secure and Manage Voyage Linux
Last week we installed Voyage Linux on a Compact Flash card. Today we'll learn basic package management, set up networking, and build a basic firewall that allows remote SSH administration.
Wired Ethernet interfaces are easy. Just configure them in the usual way, in /etc/network/interfaces. You should do this while your Compact Flash card is still mounted on your Linux PC.
Voyage Linux helpfully includes a set of sample configurations. Suppose you're building an Internet gateway for a small network. You'll have a WAN interface and a LAN interface. Your LAN interface must have a static address, and your WAN address depends on what type of Internet account you have. So let's say your WAN interface is eth0, and the LAN interface is eth1:
#this is required. always include this
auto lo
iface lo inet loopback

#WAN is DHCP
auto eth0
iface eth0 inet dhcp

#WAN is static (addresses come from your ISP)
auto eth0
iface eth0 inet static
    address 22.214.171.124
    gateway 126.96.36.199
    netmask 255.255.255.0

#LAN must be static. You assign an address
auto eth1
iface eth1 inet static
    address 192.168.1.50
    network 192.168.1.0
    netmask 255.255.255.0
    broadcast 192.168.1.255
Delete whichever WAN configuration you're not going to use, and you might want to label the physical ports and cables so you always know which one is which.
Now you can install your Compact Flash card on your routerboard, power it up, plug in your LAN port and open an SSH session. The default login is "root" and the default password is "voyage", which you obviously must change right away:
$ ssh email@example.com
# remountrw
# passwd root
# remountro
Voyage is based on Debian Etch, and it uses familiar old apt-get for package management and dependency-resolving. Voyage's filesystem is mounted read-only by default, so you have to change to read/write, make your changes, then change it back to read-only. Installing or removing packages is done with these commands:
# remountrw
# apt-get install [package name]
# apt-get remove [package name]
# remountro
When you're removing a package, adding the --purge option also gets rid of configuration files. Always return the filesystem to read-only to prevent accidental mistakes, and to extend the life of your Compact Flash card.
Just like on Debian, run apt-get update && apt-get upgrade periodically to keep your system up-to-date. And run apt-get clean regularly to remove downloaded packages, to save space.
Now you'll want a nice iptables firewall, both for protection and for sharing an Internet connection. Voyage comes with a script for generating a simple NAT iptables firewall, /usr/local/sbin/nat.sh. It's no good if you're running any public services, but it's fine for protecting a private network with no public services. To use it, either create a startup link and run it at boot, or run it from your /etc/network/interfaces, like this:
#WAN address
auto eth0
iface eth0 inet static
    address 188.8.131.52
    gateway 184.108.40.206
    netmask 255.255.255.0
    up nat.sh eth0 eth1 "192.168.1.0/24"
The syntax is nat.sh [nat device] [output device] [network address].
If you're running any services, or just want more control, you'll need to write your own iptables script. This example does not open any ports for public services, but it allows SSH sessions from inside the LAN to the firewall box, sets up NAT and IP masquerading, turns on IP forwarding, blocks incoming requests for initiating connections, allows your LAN hosts to initiate outgoing connections for Web surfing, email, and so forth, and permits important ICMP messages. Some admins think that blocking all ICMP messages is good security, but actually it's a bad networking practice. You need at least the ones specified in the script for networking to work correctly.
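A script matching that description, as an added example and not the article's own script. It keeps the $ipt and $WAN_IFACE names used in the SSH rules in this article; LAN_IFACE, LAN_NET, fw_rules, the "apply" argument and the choice of ICMP types are assumptions.

```shell
#!/bin/sh
# Added example: NAT gateway firewall with LAN-only SSH (not the article's script).
# Assumed names: LAN_IFACE, LAN_NET, fw_rules, and the "apply" argument.
# Dry run: set ipt="echo iptables" to print the rules instead of applying them.
ipt="${ipt:-/sbin/iptables}"
WAN_IFACE="${WAN_IFACE:-eth0}"
LAN_IFACE="${LAN_IFACE:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

fw_rules() {
    # Start clean, then drop anything not explicitly allowed.
    $ipt -F
    $ipt -t nat -F
    $ipt -X
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT

    # Loopback, and replies to connections already in the state table.
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # SSH to the firewall itself, from the LAN side only.
    $ipt -A INPUT -p tcp -i "$LAN_IFACE" -s "$LAN_NET" --dport 22 \
        -m state --state NEW -j ACCEPT

    # LAN hosts may open outbound connections; nothing new comes in from the WAN.
    $ipt -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" -s "$LAN_NET" \
        -m state --state NEW -j ACCEPT
    $ipt -t nat -A POSTROUTING -o "$WAN_IFACE" -s "$LAN_NET" -j MASQUERADE

    # ICMP needed for error reporting, path MTU discovery and ping (assumed set).
    for t in echo-request echo-reply destination-unreachable \
             time-exceeded parameter-problem; do
        $ipt -A INPUT -p icmp --icmp-type "$t" -j ACCEPT
    done
}

# Apply only when asked, so the file can be sourced or dry-run safely.
if [ "${1:-}" = "apply" ]; then
    fw_rules
    echo 1 > /proc/sys/net/ipv4/ip_forward   # enable routing once rules are loaded
fi
```

IP forwarding is switched on only after the rules are loaded, so the box never routes packets with an empty FORWARD chain.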
Run this script the same way as nat.sh: store it in /usr/local/sbin/, and bring it up or down with the WAN interface. Remember to make it executable, owned only by root, and non-writable for extra insurance. After you have written it, of course:
SSH Through the Firewall
Suppose you want to enable remote administration so you can log in from home, or other remote locations. SSH is the tool for the job, and there are a couple of ways you can get through your firewall. The simplest method is to write an iptables rule that allows remote SSH connections. You'll log into the firewall, and from there open a second SSH session to whatever internal host you want to get to.
You should create an unprivileged user on your Voyage router for this; never ever accept root logins over untrusted networks. Then add an iptables rule like this:
$ipt -A INPUT -p tcp -i $WAN_IFACE --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
Be sure to configure your SSH access controls in /etc/ssh/sshd_config (see Resources). You can use iptables to be even more restrictive by specifying a source IP address:
$ipt -A INPUT -p tcp -i $WAN_IFACE -s 220.127.116.11 --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
There are many ways to set up SSH for easy, secure remote logins. A nice option is to disable password logins entirely, and authenticate via encryption keys only. (See Resources to learn more.)
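One way to confirm that an sshd_config really refuses root and password logins, as an added example that is not from the original article. The function names and the sample file are constructed for illustration; the check relies on sshd using the first value it reads for a keyword and treating keywords case-insensitively.

```shell
#!/bin/sh
# Added example: audit sshd_config for the two settings the article calls for.
# sshd keeps the first value it reads for a keyword, so a later "no" does not
# override an earlier "yes". Only the global section (before any Match) is read.
sshd_value() {   # usage: sshd_value KEYWORD < config
    awk -v key="$1" '
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    '
}

sshd_check() {   # usage: sshd_check FILE; prints findings, returns 1 if any
    rc=0
    for want in "PermitRootLogin no" "PasswordAuthentication no"; do
        key=${want% *}
        val=${want#* }
        got=$(sshd_value "$key" < "$1")
        if [ "$got" != "$val" ]; then
            echo "$key is '${got:-unset}', expected '$val'"
            rc=1
        fi
    done
    return $rc
}

sample_config() {   # constructed sample, not taken from a real host
    cat <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication no
permitrootlogin no
EOF
}

# Check a real file when one is named on the command line.
if [ -n "${1:-}" ]; then
    sshd_check "$1"
fi
```

On the constructed sample both checks fail: the first PermitRootLogin line wins, and the commented-out PasswordAuthentication line counts as unset.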
Never ever perform any kind of sensitive logins from public computers, or untrusted PCs of any kind. The most secure protocols on Earth cannot foil keystroke loggers.