In the first two parts of this series we took a tour of the Soekris 4521 single-board computer and installed the Pyramid Linux operating system. Now it’s time to build a good stout iptables firewall.
Just Say No To Lard
When you’re used to hacking on old PCs it’s easy to fall into bad habits, like stuffing all manner of services on border routers and turning them into “Internet gateway/LAN servers” because you have the capacity, and you don’t want to clutter up the place with big old PCs dedicated to specialized jobs. But this isn’t really the best way to design your network. Putting a router and a firewall on a single device makes sense for us ordinary mortals with simple routing needs and not-too-complex firewalling schemes. Put the intrusion-detection/proxies/Web/mail/FTP/file/etc. servers somewhere else.
You might add name services to a firewall/router for smaller LANs. Pyramid handles both DHCP and DNS with dnsmasq. It makes a great wireless access point, though some security-conscious admins would prefer that be a separate box as well. However you elect to put it all together, parts 3 and 4 of this series will show you how to do all of these things.
Pyramid Linux has practically zero documentation. There are no man or info pages, no user forums or mail lists, and Metrix.net offers only a rudimentary Wiki. Be sure to check out the Wiki first because it has useful installation and FAQ sections. You can get command options with the --help flag, like dnsmasq --help. And, a lot of the old Pebble Linux documentation is still valid.
Pyramid Linux on a Soekris board has three points of entry: the serial console, SSH over Ethernet, and the SSL-protected Web interface. You don’t really need the serial console after Pyramid is installed.
The Web GUI is pretty Spartan. It lets you configure the DHCP server, configure network interfaces, do some port forwarding and collect wireless statistics. But you can’t create or delete users, bring interfaces up and down, set routes, write iptables rules, view logfiles – you get the idea. In fact if you disable your wireless interface in the Web GUI it will disappear from the page completely – you’ll have to edit /etc/network/interfaces to bring it back. (eth0 and eth1 can be disabled without vanishing.) So you’re going to need those command-line skills.
Pyramid mounts the root filesystem read-only. This is good for a couple of reasons: it extends the life of your compact flash card, and it might prevent a blunder or two. So what to do when you need to edit some files? No problem. Pyramid comes with two scripts for re-mounting the filesystem as read-write or read-only: /sbin/rw and /sbin/ro. Run /sbin/rw when you need to make some edits, then run /sbin/ro when you’re finished.
Building a good Internet-connection sharing firewall is most network admins’ #1 job. Pyramid comes with an iptables script that opens Port 22 to the world, plus a lot of things I just plain don’t understand. I’m not saying it’s a bad way; I just have a certain way of writing iptables scripts that I know works and is battle-tested, and that’s what I stick with. If you want to try my way of setting up iptables, hike on over to my series on Practically Networked and read Building Network Appliances With Linux, Part 5: Internet-connection Sharing Firewall and Building Network Appliances With Linux, Part 6: Running Servers. You might also check out Part 4 for some tips on locking down Pyramid – it’s all just plain old Debian, so the same sensible rules like disabling root logins for SSH and turning off useless services apply.
Host and Domain Name
Change these to your own on the System Services tab. You should leave “Set clock using NTP” enabled, and then edit /etc/ntp.conf. Delete the default entries and replace them with this:
server pool.ntp.org
server pool.ntp.org
server pool.ntp.org
Or if you have a local time server, use that.
You can configure a simple DHCP server in the Web GUI. It won’t let you do anything but set up a range of dynamically-assigned IPs, like Figure 1.
As you can see, the default lease time is 2 hours, which is pretty short. You can’t assign hostnames, servers, or static IPs. There’s a gotcha here you need to watch out for – you probably don’t want to DHCP-serve the world, so make sure that your DHCP server is enabled only on eth0, the default LAN interface.
If you want DHCP to supply static IPs you’ll need to configure /etc/dnsmasq.conf. First make sure it accepts requests only from the LAN:
You can match up IPs to MAC addresses or hostnames. This example assigns the IP, hostname, and lease time to the MAC address:
If you want it to be a permanent assignment, make the lease time infinite. You can assign other options as well, such as NTP servers. This example makes Pyramid the local time server:
The number 42 means time server. You’ll find all these number codes in RFC 2132. You can dish out mailservers, as this example for alrac.net shows:
localmx
mx-target=server15.alrac.net
mx-host=alrac.net,server15.alrac.net,10
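The dnsmasq settings walked through above (LAN-only DHCP, static leases, option 42, the local MX records) are easy to get subtly wrong, and the one that matters most for security is the interface restriction: without an interface= line dnsmasq answers DHCP on every interface, including the WAN side. The following checker is an added example, not part of the article or of Pyramid; it embeds a constructed dnsmasq.conf fragment in the form the text describes (the LAN addresses are the article's, the MAC, the 192.168.1.1 NTP address and the LAN interface list are assumptions) and flags the gotchas the text warns about.

```python
import ipaddress
import re

# Constructed sample config in the shape the article describes. The 192.168.1.x
# addresses follow the article's /etc/hosts; the MAC and the NTP address
# 192.168.1.1 (assumed to be Pyramid's own LAN address) are made up.
SAMPLE_CONF = """\
# serve DHCP and DNS only on the LAN interface
interface=eth0
dhcp-range=192.168.1.100,192.168.1.150,2h
dhcp-host=00:11:22:33:44:55,workstation1,192.168.1.100,infinite
dhcp-option=42,192.168.1.1
localmx
mx-target=server15.alrac.net
mx-host=alrac.net,server15.alrac.net,10
"""


def parse_conf(text):
    """Return (key, value) pairs; bare options such as 'localmx' get value None."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, sep, value = line.partition("=")
        entries.append((key.strip(), value.strip() if sep else None))
    return entries


def audit(text, lan_ifaces=("eth0",)):
    """Flag DHCP that is not pinned to a LAN interface and bad option-42 values."""
    entries = parse_conf(text)
    findings = []
    bound = [v for k, v in entries if k == "interface"]
    serves_dhcp = any(k in ("dhcp-range", "dhcp-host") for k, _ in entries)
    if serves_dhcp and not bound:
        findings.append("DHCP enabled but no interface= line: "
                        "dnsmasq will answer on every interface")
    for iface in bound:
        if iface not in lan_ifaces:
            findings.append(f"DHCP/DNS bound to non-LAN interface {iface}")
    for key, value in entries:
        # option 42 (RFC 2132) is a list of NTP server addresses, not hostnames
        if key == "dhcp-option" and value and value.startswith("42,"):
            for addr in value[3:].split(","):
                try:
                    ipaddress.ip_address(addr)
                except ValueError:
                    findings.append(f"dhcp-option 42 (NTP) has a non-IP value: {addr}")
    return findings
```

Run audit() over the real /etc/dnsmasq.conf after editing it; an empty list means the DHCP server is pinned to the LAN interface and the NTP option will parse.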
Dnsmasq acts as both a caching nameserver and as a local DNS server. To easily set up local DNS, first create a master /etc/hosts file on Pyramid:
127.0.0.1 localhost pyramid
192.168.1.25 server15
192.168.1.100 workstation1
192.168.1.101 workstation2
192.168.1.102 workstation3
192.168.1.103 workstation4
Then make sure your upstream DNS servers are configured in /etc/resolv.conf:
nameserver 188.8.131.52
nameserver 184.108.40.206
And that’s all there is to it; dnsmasq takes care of the rest.
You now have a good stout iptables NAT firewall with name services. Next week in Part 4 we’ll make a wireless access point.