Tutorial: Router Configuration
So far we have only used Guarddog to protect a single workstation (i.e. the computer Guarddog is running on), but as many people know a computer running Linux can also act as a fantastic router for connecting multiple networks. In this tutorial we will go through how Guarddog can be used on a gateway machine to protect a LAN from the internet.
Guarddog only supports router configurations on machines running Linux kernel series 2.4 or later with iptables.
The diagram above shows the network configuration of a typical LAN connected to the Internet via a Linux-based system acting as a router. The LAN that we wish to protect is on the left side of the diagram. The internet is shown on the right side. All communication between the LAN and the internet passes through the gateway machine, which is marked by the dog. Guarddog runs on the gateway machine. The most important aspect of this setup from a security point of view is that all of the network traffic between the LAN and the internet passes through one machine: the gateway. This provides us with an obvious "choke point" on which we can place the firewall to filter the network traffic.
The diagram also shows the zones that we will setup in Guarddog.
There seems to be a bit of confusion surrounding the function of a firewall versus the task of packet routing. Firewalls act as network traffic filters, filtering and blocking unwanted and dangerous network traffic. They are security devices. Features such as routing and IP masquerade are not primarily security features; they are advanced networking features.
This misconception arose because in the past on Linux, before kernel series 2.4, the networking sub-system was such that it wasn't possible to separate advanced routing functionality from normal firewall functionality. This led to firewall programs that also included direct support for advanced routing features such as IP masquerade and port forwarding.
Guarddog is a firewall and is not used for configuring networking features such as IP masquerade and routing. These networking features must be configured using a different program.
Guidedog is a user-friendly utility for configuring advanced networking features and is designed to work alongside Guarddog.
Before we continue, you should go and configure the routing setup for your machine and confirm that it is routing/masquerading network traffic as expected. To make the task of debugging your gateway configuration easier, you can disable Guarddog by checking the Disable firewall checkbox on the Advanced tab and then applying the changes. This will allow you to test your routing setup separately without Guarddog blocking any test traffic.
I strongly recommend that you do not test your network setup while connected to a hostile network like the Internet. Attach a machine to the network card that you plan to connect to the internet and give it an IP address so that it can act as a pretend Internet.
If you configured and tested your routing and network settings with Guarddog disabled, enable firewalling in Guarddog again and apply. If all is going well then you will find that your LAN is once again totally cut off from the internet. Guarddog has a fail-safe, "what is not explicitly permitted, is denied" design. What this means in this situation is that since Guarddog hasn't been told to allow traffic from your LAN out to the internet, or vice versa, it will assume that the traffic should be blocked. This is intended to make it easy to get a secure configuration (even if it is too secure) and difficult to have an insecure configuration.
The way we specify to Guarddog that computers on the LAN are allowed to access computers on the Internet is by using zones. We simply create a zone to hold the addresses of all of the computers on our LAN, specify that this zone is connected to the Internet (and probably to the Local zone also), and then go to the Protocols tab and tick whichever protocols should be allowed between the LAN and the Internet.
Go to the Zone tab and create a new zone and call it "LAN". In the Zone Addresses list enter the IP addresses of the computers on your LAN. The address list understands several notations for addresses and can also accept whole network blocks. If you are running an IP masqueraded network using the 192.168.1.0/255.255.255.0 private address space, you can enter the whole block into a single address line using 192.168.1.0/255.255.255.0 format or the shorter 192.168.1.0/24 format.
Next, go to the Connection list and tick Internet and Local to specify that your LAN zone should be connected to the Internet and Local zones.
Now, go to the Protocol tab and make sure that Protocols Served from Zone: is set to Internet. In the list of protocols below you should see a column of check boxes for the Local zone and another column for the LAN zone. Just like when we were turning on protocols for the local zone in the first tutorial, we can do the same for the LAN zone. Tick the list of protocols that machines in the LAN zone should be able to use with the Internet.
When you are ready, apply the changes and see if your machines on your LAN can access the internet. That's all there is to it.
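To make the default-deny zone model concrete, here is an added toy model of the LAN/Internet/Local setup described above. It is example code written for this tutorial, not Guarddog's own implementation: the class, its method names, the gateway address and the rendering of permitted traffic as iptables FORWARD rules are all assumptions, and it accepts both address notations the Zone Addresses list understands.

```python
import ipaddress

def parse_address(text):
    # Accepts single hosts, 192.168.1.0/255.255.255.0 and 192.168.1.0/24 alike
    return ipaddress.ip_network(text, strict=False)

ANY = ipaddress.ip_network("0.0.0.0/0")  # Internet zone: everything not listed in another zone

class ZoneFirewall:
    """Toy model of Guarddog's zone/protocol matrix (assumed structure, not Guarddog's code)."""
    def __init__(self, gateway_ip):
        # Local is the gateway itself; the address is a constructed sample value
        self.zones = {"Internet": [ANY], "Local": [parse_address(gateway_ip)]}
        self.links = set()     # frozenset({a, b}): ticked in a zone's Connection list
        self.allowed = set()   # (served_from, client, tcp_port): ticked on the Protocol tab

    def add_zone(self, name, addresses):
        self.zones[name] = [parse_address(a) for a in addresses]

    def connect(self, a, b):
        self.links.add(frozenset((a, b)))

    def allow(self, served_from, client, port):
        self.allowed.add((served_from, client, port))

    def zone_of(self, ip):
        addr = ipaddress.ip_address(ip)
        for name, nets in self.zones.items():
            if name != "Internet" and any(addr in n for n in nets):
                return name
        return "Internet"  # anything not explicitly listed is treated as Internet

    def permitted(self, src_ip, dst_ip, port):
        # Default deny: the zones must be connected AND the protocol ticked in that direction
        client, server = self.zone_of(src_ip), self.zone_of(dst_ip)
        return (frozenset((client, server)) in self.links
                and (server, client, port) in self.allowed)

    def forward_rules(self):
        # Illustrative iptables FORWARD rules for traffic crossing the gateway (not Guarddog's output)
        rules = ["iptables -P FORWARD DROP",
                 "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"]
        for server, client, port in sorted(self.allowed):
            if "Local" in (server, client) or frozenset((server, client)) not in self.links:
                continue  # gateway-local traffic is INPUT/OUTPUT; unconnected zones stay denied
            for src in self.zones[client]:
                for dst in self.zones[server]:
                    rules.append(f"iptables -A FORWARD -s {src} -d {dst} -p tcp --dport {port} "
                                 "-m state --state NEW -j ACCEPT")
        return rules
```

Ticking HTTP and HTTPS for the LAN zone with Protocols Served from Zone set to Internet lets LAN hosts reach web servers, while the reverse direction and any unticked port remain denied.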