Tutorial: Router Configuration
So far we have only used Guarddog to protect a single workstation (i.e. the computer Guarddog is running on), but as many people know a computer running Linux can also act as a fantastic router for connecting multiple networks. In this tutorial we will go through how Guarddog can be used on a gateway machine to protect a LAN from the internet.
Important
Guarddog only supports router configurations on machines running Linux kernel series 2.4 or later with iptables.
The diagram also shows the zones that we will set up in Guarddog.
There seems to be a bit of confusion surrounding the function of a firewall
versus the task of packet routing. Firewalls act as network traffic
filters, filtering and blocking unwanted and dangerous
network traffic. They are security devices. Features such as routing and
IP masquerade are not primarily security features. They are advanced networking
features.
Guarddog is a firewall and is not used for configuring networking
features such as IP masquerade and routing. These networking features must
be configured using a different program.
Note
This misconception arose because in the past on Linux, before kernel series 2.4, the networking sub-system was such that it wasn't possible to separate advanced routing functionality from normal firewall functionality. This led to firewall programs that also included direct support for advanced routing features such as IP masquerade and port forwarding.
Tip
Guidedog is a user friendly utility for configuring advanced networking features and is designed to work along side Guarddog.
Before we continue, you should go and configure the routing setup for your machine
and confirm that it is routing/masquerading network traffic as expected.
To make the task of debugging your gateway configuration easier, you can
disable Guarddog by checking the Disable firewall
checkbox on the Advanced tab and then applying the
changes. This will allow you to test your routing setup separately without
Guarddog blocking any test traffic.
Warning
I strongly recommend that you do not test your network setup while connected to a hostile network like the Internet. Attach a machine to the network card that you plan to connect to the internet and give it an IP address so that it can act as a pretend Internet.
If you configured and tested your routing and network settings with
Guarddog disabled, enable firewalling in Guarddog again and apply.
If all is going well then you will find that your LAN is once
again totally cut off from the internet. Guarddog has a fail-safe, "what is
not explicitly permitted, is denied" design. What this means in this
situation is that since Guarddog hasn't been told to allow traffic from your
LAN out to the internet, or vice versa, it will assume that the traffic should
be blocked. This is intended to make it easy to get a secure configuration
(even if it is too secure) and difficult to have an insecure configuration.
The way we specify to Guarddog that computers on the LAN are allowed to access computers on the Internet is by using zones. We simply create a zone to hold the addresses of all of the computers on our LAN and then specify that this zone is connected to the Internet, and probably to the Local zone also, and then go to the Protocols tab and tick on whatever protocols should be allowed between the LAN and the Internet.
Go to the Zone tab and create a new zone and call
it "LAN". In the Zone Addresses list enter the IP
addresses of the computers on your LAN.
The address list understands several notations for addresses and can also
accept whole network blocks. If you are running an IP masqueraded network
using the 192.168.1.0/255.255.255.0 private address space, you can enter
the whole block into a single address line using 192.168.1.0/255.255.255.0
format or the shorter 192.168.1.0/24 format.
Next, go to the Connection list and tick Internet and Local to specify that your LAN zone should be connected to the Internet and Local zones.
Now, go to the Protocol tab and make sure that Protocols Served from Zone: is set to Internet. In the list of protocols below you should see a column of check boxes for the Local zone and another column for the LAN zone. Just like when we were turning on protocols for the local zone in the first tutorial, we can do the same for the LAN zone. Tick the list of protocols that machines in the LAN zone should be able to use with the Internet.
When you are ready, apply the changes and see if your machines on your LAN can access the internet. That's all there is to it.
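To make the zone model concrete, here is a small Python model of the policy described in this tutorial. It is an added example and not Guarddog's own code: it does not generate iptables rules, it only reproduces the decision logic (zones hold addresses, zones must be connected, and a protocol must be ticked for the client zone under the zone that serves it, otherwise the traffic is denied). The address notations it parses are the ones listed above; the sample IP addresses, protocol names and the order in which overlapping zones are checked are assumptions made for the illustration.

```python
"""Added example (not Guarddog's own code): a model of the zone-based,
default-deny policy described in the router tutorial.  Sample addresses and
protocol names are constructed for illustration."""
import ipaddress


def parse_address(text):
    """Parse the notations the Zone Addresses list accepts: a single host
    ("192.168.1.7"), network/netmask ("192.168.1.0/255.255.255.0") or
    network/prefix ("192.168.1.0/24").  A bare host becomes a /32 network."""
    return ipaddress.ip_network(text.strip(), strict=False)


class ZoneFirewall:
    """Zones hold addresses; the Internet zone is the catch-all for any
    address not listed in another zone.  Traffic is accepted only when the
    two zones are connected AND the protocol is ticked for the client zone
    under the serving zone; anything else is denied (the fail-safe default)."""

    def __init__(self):
        self.zones = {}           # zone name -> list of ip_network objects
        self.connections = set()  # frozenset({zone_a, zone_b}) that are connected
        self.allowed = set()      # (served_from_zone, client_zone, protocol)

    def add_zone(self, name, addresses):
        # Assumption of this model: zones are checked in the order they were
        # added, so list the gateway's own addresses before a LAN block that
        # contains them.
        self.zones[name] = [parse_address(a) for a in addresses]

    def connect(self, zone_a, zone_b):
        self.connections.add(frozenset((zone_a, zone_b)))

    def allow(self, served_from, client_zone, protocol):
        """Equivalent of 'Protocols Served from Zone: served_from' and ticking
        protocol in the client_zone column."""
        self.allowed.add((served_from, client_zone, protocol))

    def zone_of(self, ip):
        addr = ipaddress.ip_address(ip)
        for name, networks in self.zones.items():
            if any(addr in net for net in networks):
                return name
        return "Internet"

    def decide(self, src_ip, dst_ip, protocol):
        """Return (verdict, reason) for a client at src_ip using protocol
        against a server at dst_ip.  Direction matters: LAN -> Internet HTTP
        being allowed says nothing about Internet -> LAN HTTP."""
        client, server = self.zone_of(src_ip), self.zone_of(dst_ip)
        if frozenset((client, server)) not in self.connections:
            return ("DENY", f"zones {client} and {server} are not connected")
        if (server, client, protocol) not in self.allowed:
            return ("DENY", f"{protocol} from {client} is not ticked under {server}")
        return ("ACCEPT", f"{protocol} {client} -> {server}")


def tutorial_gateway():
    """Build the configuration the tutorial walks through."""
    fw = ZoneFirewall()
    # Local zone: the gateway's own interfaces (constructed addresses).
    fw.add_zone("Local", ["192.168.1.1", "203.0.113.10"])
    # LAN zone entered as one whole block, using the netmask notation.
    fw.add_zone("LAN", ["192.168.1.0/255.255.255.0"])
    # Connection list for LAN: tick Internet and Local.
    fw.connect("LAN", "Internet")
    fw.connect("LAN", "Local")
    # Protocol tab: served from Internet, tick HTTP and DNS for LAN.
    fw.allow("Internet", "LAN", "HTTP")
    fw.allow("Internet", "LAN", "DNS")
    return fw


if __name__ == "__main__":
    fw = tutorial_gateway()
    for pkt in [("192.168.1.20", "198.51.100.7", "HTTP"),   # LAN browsing the web
                ("192.168.1.20", "198.51.100.7", "SSH"),    # protocol not ticked
                ("198.51.100.7", "192.168.1.20", "HTTP"),   # inbound, wrong direction
                ("192.168.1.20", "192.168.1.1", "SSH")]:    # LAN -> gateway, not ticked
        print(pkt, fw.decide(*pkt))
```

Running the block prints one verdict per sample packet: only the LAN-to-Internet HTTP request is accepted, while the untickedanbsp protocol, the inbound request from the Internet and the LAN-to-gateway SSH attempt are all denied with a reason. Building a ZoneFirewall with a LAN zone but no connections denies everything, which is the "totally cut off" state described above.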