Trying to set up a network server

porchrat

Honorary Master
Joined
Sep 11, 2008
Messages
34,277
OK so I've got this old machine lying around being useless. I want to make it useful again. So I have decided to turn it into a sort of network server.

Basically the current network setup is this: all the machines connect to this one wifi router, which then connects to the ADSL router. I want to set this machine up between those 2 to act as a firewall.

Naturally I want to use Linux or some close cousin thereof to do this job (I ain't paying for no server!). To give an idea of my level of Linux experience: normally I use Ubuntu and have done exclusively for the better half of a decade. I did briefly dabble with Gentoo out of necessity (one of the older machines was running it) but for the most part Ubuntu is the limit of my Linux experience.

I have tried looking this sort of thing up on the Almighty Google but I really don't know what I'm looking for if I'm entirely honest with myself.

So my request is this: What distro and apps would be best to use for something like this?
 

HavocXphere

Honorary Master
Joined
Oct 19, 2007
Messages
33,155
For a firewall you'd look at IPCop or Smoothwall if I'm not mistaken.

Libs is the resident expert on this stuff.
 

bin3

Senior Member
Joined
Jun 22, 2005
Messages
976
For a firewall I would probably recommend that you add another network card or 2 to your old machine.

Connect the one network to your router (RED zone)
Connect the other network to your LAN (GREEN zone)

Then get something like Smoothwall / IPCop or similar: plug it in and pray ...

Kidding: most of these will pretty much install and configure themselves -- it makes it a bit easier to have a specific red and green NIC, though it's not strictly necessary.
 

porchrat

Honorary Master
Joined
Sep 11, 2008
Messages
34,277
This old machine already had a network module on the motherboard and another card. However I think the reason that network card was added was because the module on the motherboard is fscked.

I say "think" because I have inherited this machine from someone else and he can't remember what works and what doesn't. It is also running Gentoo and the drives are so filled with garbage that it runs like molasses on horse tranquilisers.
 

AstroTurf

Lucky Shot
Joined
May 13, 2010
Messages
30,534
Use smoothwall or ipcop if all you want it for is a proxy/firewall between yourself and the net

Use Ubuntu server if you want a fileserver/printserver/proxy etc.
 

porchrat

Honorary Master
Joined
Sep 11, 2008
Messages
34,277
Do you guys think that maybe I'm overreacting here? Are the 2 routers between me and the Interwebz enough protection? I mean sure they don't inspect everything going out, but they default deny everything coming in unless I set up a DMZ. Couple that with the fact that the machines with important stuff on them run Linux and carry default deny policies for all incoming traffic...

I just don't know, connecting anything to the Interwebz makes me nervous...
 

porchrat

Honorary Master
Joined
Sep 11, 2008
Messages
34,277
I've had a look at ipcop. Didn't know about smoothwall so I will give that a look too.

I'm still considering just formatting this machine and installing ubuntu server to run it as a backup storage machine.

I would like Libs to comment too. He does do this sort of stuff for a living :p
 

HazMan

Well-Known Member
Joined
Feb 17, 2009
Messages
208
Have you considered Untangle? I use it in a couple of locations and the free (Lite) version works very well.
 

porchrat

Honorary Master
Joined
Sep 11, 2008
Messages
34,277
Whether it is light or not is really neither here nor there. This machine has 2GB of RAM and an ancient Athlon. It isn't exactly going to save power.

That is mostly why I'm against running this thing as a server 24/7. It is going to chew a fair amount of power. I'm thinking now on second thought of running it as a backup server and just leaving my routers as firewalls.
 

Alton Turner Blackwood

Honorary Master
Joined
Apr 30, 2010
Messages
27,483
Whether it is light or not is really neither here nor there. This machine has 2GB of RAM and an ancient Athlon. It isn't exactly going to save power.

That is mostly why I'm against running this thing as a server 24/7. It is going to chew a fair amount of power. I'm thinking now on second thought of running it as a backup server and just leaving my routers as firewalls.
^This

I think you're being a little too paranoid
 

porchrat

Honorary Master
Joined
Sep 11, 2008
Messages
34,277
^This

I think you're being a little too paranoid
I know from experience that I am exceptionally paranoid when it comes to this sort of thing. Luckily I have the presence of mind to realise that I am paranoid about this particular subject and I don't trust my judgment. As I know I am possibly being irrational here installing a 3rd firewall I thought it best to seek the advice and opinions of the fine folks here at MyBB.

At least here I know I'm going to get rational experienced IT folks giving me their advice.
 

HavocXphere

Honorary Master
Joined
Oct 19, 2007
Messages
33,155
^This

I think you're being a little too paranoid
Dunno. I already had one box infected remotely because I was relying on the router's NAT...which naturally doesn't work if one is temporarily using a ppp connection.
 

MyWorld

Executive Member
Joined
Mar 24, 2004
Messages
5,001
Dunno. I already had one box infected remotely because I was relying on the router's NAT...which naturally doesn't work if one is temporarily using a ppp connection.

Could you supply us with the details please? I'm kinda interested in this sort of thing.

How did they gain access? Was your router set to drop outside connections? Anything that can make for some good reading.
:D
 

HavocXphere

Honorary Master
Joined
Oct 19, 2007
Messages
33,155
Could you supply us with the details please? I'm kinda interested in this sort of thing.

How did they gain access? Was your router set to drop outside connections? Anything that can make for some good reading.
:D
It was mostly a case of carelessness tbh.

Router on standard NAT setup. Laptop connected to it. No AV on laptop. XP SP3. Used for NS downloads. I wanted to download something with jdownloader over cybersmart cap so dialed a Windows ppp connection... which bypasses the NAT on the router. And forgot that I had disabled the Comodo FW on the laptop a few days beforehand (can't remember the reason). That went well for a while and one day the box had this super sketchy feel to it... where you can just feel *something* is wrong. Installed AV and removed some worm (sorry, can't remember the name). Thought about it for a while and concluded that I hadn't introduced the worm to the PC, so it must've come from outside.

I've been watching this since then... if you set it up just like I did but leave the FW on you can see incoming connection attempts on the ppp dial-up on ports 135, 139 and 445 (all related to Win shares I think). Since then I've been blocking all activity on those ports that isn't from the LAN addr range. Someone or something out there is scanning IPs for these vulnerabilities... any given ppp connection is likely to get scanned at least once a day.

was your router set to drop outside connections,
It was, but as soon as you dial a pppoe connection from a PC this gets bypassed. Stupid but that is the way it is.
 

koffiejunkie

Executive Member
Joined
Aug 23, 2004
Messages
9,588
Your ADSL router probably has a firewall going already. I haven't seen one made in the last 5 years that doesn't. Maybe check on that first before planning your next step.

I give my old computers to poor schools - just saying.
 

porchrat

Honorary Master
Joined
Sep 11, 2008
Messages
34,277
Your ADSL router probably has a firewall going already. I haven't seen one made in the last 5 years that doesn't. Maybe check on that first before planning your next step.

I give my old computers to poor schools - just saying.
I normally give my old computers to old schools too. One school in particular actually. That is what I did with the last 2.

I need a backup machine regardless of what I do here. The only reason I've been considering turning this thing into a firewall machine instead (and then either buying drives and putting them in external cases or buying a new machine for backups) is because I'm paranoid about people on the Interwebz hackz0ring me. :p

The idea was after some consideration that if I didn't need the firewall machine in between that I would just turn it into a backup machine and I wouldn't need to invest in more drives or another box which I don't really have the cash for at the moment.

Yes, my ADSL router also has a firewall. The only time I ever screw with the firewall is when I need to let someone remote into a particular machine, but that is a rare occurrence, and I never just turn the firewall off; I always use DMZ.
 

MyWorld

Executive Member
Joined
Mar 24, 2004
Messages
5,001
Why not then just install a personal firewall on all your machines?

There are some GUI tools out there for Linux personal firewalls as well. Personally I would not bother with firewalls on my desktop Linux machines (4 of them); my usernames and passwords are strong. They have to hack my router firewall, then get my username somehow, and then try and get to the password.

Tonight I switch off the machine and router and all their efforts are for naught since I'll have a new IP on next restart. Never in a million years will they be able to hack someone this way, unless they are very, very, very lucky.

Where this becomes a problem is when you are connected 24/7 on static IP or like in HavocXphere's case where your machine has no firewall and a known vulnerability.
 

koffiejunkie

Executive Member
Joined
Aug 23, 2004
Messages
9,588
I need a backup machine regardless of what I do here. The only reason I've been considering turning this thing into a firewall machine instead (and then either buying drives and putting them in external cases or buying a new machine for backups) is because I'm paranoid about people on the Interwebz hackz0ring me. :p

I feel you're on the wrong track - or I'm making too many assumptions. :eek: If your ADSL router already blocks inbound connections, adding a second firewall won't add much value. Your biggest concern should not be incoming connections. Blocking incoming connections doesn't bring you anything if the machine behind the firewall doesn't listen on any ports anyway.

Your biggest concern should be outbound connections made by your desktop. In other words, those nasty frames in compromised websites, clicking links in e-mails you shouldn't entirely trust. If you want to solve this with a firewall, you have to use a default deny policy for outbound traffic on your firewall, and open ports to specific destination IPs. Trying to correlate outgoing connections when all you have to work on is the destination IP (remember, on the firewall you don't see the domain name) is prone to error and not a tenable solution.

Far better is using a personal firewall on your desktop that will pop up whenever something tries to connect outbound, so you can decide whether it's what you want or not, and set up policies as you go. It's a bit of work in the beginning, but after a while it doesn't bother you except when something unexpected happens, and that's exactly what you want. I use Little Snitch on the Mac for this. Once you have a good set of policies, you can then translate that to a policy on your ADSL router's firewall (I assume you can block outbound connections?).

The one problem with iptables is that it's not DNS aware at runtime; in other words, you can't block a DNS name and expect that iptables will block the corresponding IP. In the case of a dedicated firewall, iptables only sees an IP address. And even if you're running iptables on your desktop, it still doesn't work.

Here's an example. Let's say you want to block outgoing connections to googleads.g.doubleclick.net (which mybb uses). Let's see what's in DNS:

Code:
# dig googleads.g.doubleclick.net

; <<>> DiG 9.7.3 <<>> googleads.g.doubleclick.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52619
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;googleads.g.doubleclick.net.   IN      A

;; ANSWER SECTION:
googleads.g.doubleclick.net. 33512 IN   CNAME   pagead.l.doubleclick.net.
pagead.l.doubleclick.net. 210   IN      A       74.125.230.153
pagead.l.doubleclick.net. 210   IN      A       74.125.230.154

So we know that googleads.g.doubleclick.net will resolve to 74.125.230.153 and 74.125.230.154. Let's say we block that:

Code:
# iptables -A OUTPUT -d googleads.g.doubleclick.net -j REJECT

Now what does iptables do? It does a DNS lookup, gets the resulting IP address(es), and blocks those:

Code:
# iptables -L OUTPUT -n --line-num 
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    REJECT     all  --  0.0.0.0/0            74.125.230.154      reject-with icmp-port-unreachable 
2    REJECT     all  --  0.0.0.0/0            74.125.230.153      reject-with icmp-port-unreachable

Now it rejects any connections destined to those two IPs, but what if they change? Or what if doubleclick adds a 3rd server to the mix? Your iptables rule won't know that.

There's a further pitfall to this approach. You might want to block access to one domain that is hosted on the same IP address as another domain you don't want to block. iptables is not the tool for that.

There are some GUI tools out there for Linux personal firewalls as well.

Could you recommend a few? Any ones that aren't simply a front-end for iptables?
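The two pitfalls described in the post above, modelled in a small script. This is an added illustration, not code from the thread, and it never calls iptables: it only reproduces what `iptables -A OUTPUT -d <hostname> -j REJECT` stores, namely one rule per address the name resolved to at insert time. The first DNS snapshot is the dig answer quoted in the post; the second snapshot (a third address appearing after the 210 s TTL expired) and the `other.example` name sharing one of those addresses are constructed for the example.

```python
"""Model of how iptables expands `-d <hostname>` into per-address rules.

Added illustration; not from the forum post and does not touch iptables.
Snapshot 1 is the dig output quoted in the post. Snapshot 2 and the name
other.example are constructed to show (a) a stale rule set after DNS
changes and (b) collateral blocking of an unrelated domain on a shared IP.
"""
from __future__ import annotations

import re
from typing import Dict, List, Tuple

# Answer section as quoted in the post: owner, TTL, class, type, rdata.
ANSWER_AT_INSERT_TIME = """\
googleads.g.doubleclick.net. 33512 IN   CNAME   pagead.l.doubleclick.net.
pagead.l.doubleclick.net. 210   IN      A       74.125.230.153
pagead.l.doubleclick.net. 210   IN      A       74.125.230.154
"""

# Constructed: later the name has a third address, and another hostname
# (reserved .example TLD) happens to live on one of the original addresses.
ANSWER_LATER = """\
googleads.g.doubleclick.net. 33512 IN   CNAME   pagead.l.doubleclick.net.
pagead.l.doubleclick.net. 210   IN      A       74.125.230.153
pagead.l.doubleclick.net. 210   IN      A       74.125.230.154
pagead.l.doubleclick.net. 210   IN      A       74.125.230.155
other.example.            300   IN      A       74.125.230.153
"""

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(CNAME|A)\s+(\S+)\s*$")


def parse_answer_section(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse dig-style A/CNAME lines into {owner: [(type, rdata), ...]}."""
    records: Dict[str, List[Tuple[str, str]]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue  # blank lines and dig comments
        m = RR_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised record line: {line!r}")
        owner, _ttl, rtype, rdata = m.groups()
        records.setdefault(owner.rstrip("."), []).append((rtype, rdata.rstrip(".")))
    return records


def resolve(name: str, records: Dict[str, List[Tuple[str, str]]], max_hops: int = 8) -> List[str]:
    """Follow the CNAME chain to the A records, as the resolver does at insert time."""
    name = name.rstrip(".")
    for _ in range(max_hops):
        rrs = records.get(name, [])
        cnames = [rdata for rtype, rdata in rrs if rtype == "CNAME"]
        if cnames:
            name = cnames[0]
            continue
        return sorted(rdata for rtype, rdata in rrs if rtype == "A")
    raise ValueError("CNAME chain too long")


def expand_host_rule(hostname: str, records: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """What iptables keeps: one rule per address; the hostname itself is forgotten."""
    return [f"-A OUTPUT -d {ip} -j REJECT" for ip in resolve(hostname, records)]


def is_rejected(ip: str, rules: List[str]) -> bool:
    """Does the frozen rule set match this destination address?"""
    return any(rule.split()[3] == ip for rule in rules)


def uncovered_addresses(hostname: str, rules: List[str], current: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Addresses the name resolves to now that the frozen rules do not reject."""
    return [ip for ip in resolve(hostname, current) if not is_rejected(ip, rules)]


if __name__ == "__main__":
    rules = expand_host_rule("googleads.g.doubleclick.net", parse_answer_section(ANSWER_AT_INSERT_TIME))
    print("\n".join(rules))
    later = parse_answer_section(ANSWER_LATER)
    print("reachable but not blocked:", uncovered_addresses("googleads.g.doubleclick.net", rules, later))
    print("other.example blocked too:", [ip for ip in resolve("other.example", later) if is_rejected(ip, rules)])
```

Running it shows the rule set frozen to 74.125.230.153 and 74.125.230.154, the later third address passing straight through, and the unrelated `other.example` being rejected because it shares an address. The fix the post points to is the same: decide on outbound policy where the name is still visible (the desktop), not at a firewall that only ever sees addresses.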
 