Monday, January 21, 2008

Conquering the Network

Yesterday, I pulled off the most significant accomplishment of this month (year): I got my network working correctly. Previously, my wireless network consisted of the modem connected through a LAN port on my router, which essentially caused the router to behave like a hub:
                        _______
              ____      |       |
  Internet   |    |=====|LAN    |   (((|)))
  ===========|____|     |       |      |
             Modem      |_______|------|
                          Router
This worked for internet access, but not for the more advanced features of networking. For example, port forwarding is not possible, nor is firewalling. The reason is that the modem is essentially doing all of the networking. If we have the router do its job as well, there will be a problem called "double NATting", which essentially screws up the internet. Now, for about a month, I was attempting to correct this, but for some reason it didn't work. My ISP uses PPPoE to provide internet, and as much as I tried, I could not find out how to get the router to connect to the ISP. Then I ran into this guide (from my router manufacturer, duh). Of course, this isn't the first time I tried following it, but it is the first time I followed it entirely and successfully. It turns out that getting your router to connect to your ISP correctly is an elaborate ritual of making sure things turn on and off at the right times. I'll show you what I mean.

Now, most importantly, you have to get the modem into bridge mode. This is easy in the original network because typing the address of the gateway takes me to the modem; I go to the PPPoE page and select bridge mode. One thing that I forgot to do was to hard reset the router (to factory defaults). I thought it was just a hard reset, but I needed to get back to factory defaults. That was important. Next, my router had an extra field that wasn't addressed in the guide, called "MAC address". This was a fairly ambiguous field: does it mean the MAC address of the router? It should already know that. Is it the MAC address of the modem? It doesn't work when I do that. Well, when I reset it to factory defaults, the question was answered: it was the MAC address of the router. After all that is set up, the dance of toggling the modem and router on and off begins. First you unplug the router, then turn off the modem, then turn ON the modem, then repower the router. Once I did that intricate dance, the router would connect via PPPoE. Once I got that done, here's what my network looks like:

                        _______
              ____      |       |
  Internet   |    |=====|WAN    |   (((|)))
  ===========|____|     |       |      |
             Modem      |_______|------|
                          Router

Now that the modem is connected to the WAN port, the way it SHOULD be, I can take advantage of all of the services the router provides, such as firewalling and port forwarding. However, I still have to use the router to do that stuff, and after my past with it, I want to mess with the router as little as possible. It turns out that with one service on the router, I can take care of both of those.

Most routers have an option called the Demilitarized Zone (DMZ). This is where the router sends all of the packets that don't get through the firewall. Usually there is nothing in there, so those packets get dropped. Now, in my network, I'm the only one who takes advantage of all of those services; the other family members, not so much. So I figured that, in order not to have to deal with the firewall, I would move to a place unprotected by it, i.e. the DMZ.

Now, going to the DMZ without any protection is .... well, kinda stupid, because you're leaving the haven of the router firewall for the malicious world of the unadulterated internet. So, you need your own protection. Luckily, most Linux distributions ship with a VERY good firewall called iptables. Since we're in kinda paranoid mode, we want to set iptables to drop by default. You do this by typing:
sudo iptables -P INPUT DROP
Next, we don't want to be TOTALLY isolated. If a session has already been established, we want to let it through. You do this with:
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Now I've simulated the firewall. If I want to forward ports, I put individual rules in. For example, to let ssh in, you put:
sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT
This lets the ssh port right through. Instead of ssh, you can also put the port number; it'll still work. The Ubuntu wiki has a more thorough discussion of iptables.

One last thing. These rules will disappear when you restart. The wiki article has more details on how to make the rules permanent, but here's my favorite way. Put these lines in your /etc/network/interfaces:
pre-up iptables-restore < /etc/iptables.rules
post-down iptables-save > /etc/iptables.rules
This makes sure that ALL of your changes are saved. Since I plan to change iptables a lot, this is how I like it.
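The ruleset the post builds up one command at a time, written out as the /etc/iptables.rules file that iptables-restore loads. This is an added example, not the author's configuration: loading the file in one shot means the ESTABLISHED,RELATED rule goes live together with the DROP policy, so you don't cut off the ssh session you are typing from by setting the policy first. The port list, the loopback rule and the INVALID rule are my additions.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the
# /etc/iptables.rules file the post loads with iptables-restore, so the
# whole policy (including the ESTABLISHED,RELATED rule) goes live in one
# atomic step instead of setting "-P INPUT DROP" first on a running box.
# The port list, the loopback rule and the INVALID rule are my additions.

# build_rules PORT... : print an iptables-save style filter ruleset.
build_rules() {
    printf '%s\n' '*filter'
    # Default policies for a DMZ host: drop unsolicited inbound traffic,
    # forward nothing (this box is not a router), allow all outbound.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback must stay open or local services talking to 127.0.0.1 break.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host started come back in (the post's rule).
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Packets that belong to no known connection are dropped explicitly.
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    # One ACCEPT per service deliberately exposed, e.g. 22 for ssh.
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# count_exposed FILE : how many TCP ports a saved ruleset opens; a quick
# sanity check before loading a file you edited by hand.
count_exposed() {
    grep -c -- '--dport' "$1"
}

# Usage (as root): write the file, then load it atomically.
#   build_rules 22 > /etc/iptables.rules
#   iptables-restore < /etc/iptables.rules
```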

3 comments:

Vicken said...

Very cool... maybe you can put hardware models so this page will show up under searches. The diagrams appear a little off from the blogger page formatting, I suspect.

Larry said...

You said you had no DMZ!

Software-based firewall implementations can never match up to hardware-based firewalls, though. I wouldn't recommend having DMZ enabled.

Regardless, it's good that you have it properly configured now.