Setup guide

ManualsBrandsD-Link ManualsComputer equipmentDWL-500 - 11Mb Wireless LAN PCI Network Card

211

212

213

214

215

216

217

218

219

220

Address

All connections form the private addresses are masqueraded, and appear as coming from one

external address - that of the router.

This can be done by enabling the masquerading action for source NAT rules.

• Enforce the Internet Usage Policy from the Customer's Network

Connections from the customer's network should be monitored.

This can be done by putting rules in the forward chain, or/and by masquerading (source NAT)

only those connections, that are allowed.

Filtering has some impact on the router's performance. To minimize it, the filtering rules that match

packets for established connections should be placed on top of the chain. These are TCP packets

with options non-syn-only.

Examples of setting up firewalls are discussed below.

Example of Firewall Filters

Assume we want to create a firewall that:

• protects the Wandy router from unauthorized access from anywhere. Only access from the

'trusted' network 10.5.8.0/24 is allowed

• protects the customer's hosts within the network 192.168.0.0/24 from unauthorized access

from anywhere

• gives access from the Internet to the http and smtp services on 192.168.0.17

• allows only ICMP ping from all customer's hosts and forces use of the proxy server on

192.168.0.17

The basic network setup is illustraded in the following diagram:

The IP addresses and routes of the Wandy router are as follows:

[admin@Wandy] > ip address print

Flags: X - disabled, I - invalid, D - dynamic

# ADDRESS NETWORK BROADCAST INTERFACE

0 10.0.0.217/24 10.0.0.0 10.0.0.255 Public

1 192.168.0.254/24 192.168.0.0 192.168.0.255 Local

[admin@Wandy] > ip route print

Flags: X - disabled, I - invalid, D - dynamic, J - rejected,

C - connect, S - static, R - rip, O - ospf, B - bgp

# DST-ADDRESS G GATEWAY DISTANCE INTERFACE

0 S 0.0.0.0/0 r 10.0.0.254 1 Public

1 DC 192.168.0.0/24 r 0.0.0.0 0 Local

2 DC 10.0.0.0/24 r 0.0.0.0 0 Public

[admin@Wandy] >

To protect the router from unauthorized access, we should filter out all packets with the destination

addresses of the router, and accept only those which are allowed. Since all packets with destination

to the router's address are processed against the input chain, we can add the following rules to it:

[admin@Wandy] > ip firewall rule input

[admin@Wandy] ip firewall rule input> add protocol=tcp tcp-options=non-syn-only \

\... connection-state=established comment="Allow established TCP connections"

[admin@Wandy] ip firewall rule input> add protocol=udp comment="Allow UDP

connections"

[admin@Wandy] ip firewall rule input> add protocol=icmp comment="Allow ICMP

messages"

[admin@Wandy] ip firewall rule input> add src-addr=10.5.8.0/24 \

\... comment="Allow access from 'trusted' network 10.5.8.0/24"

[admin@Wandy] ip firewall rule input> add action=reject log=yes \

\... comment="Reject and log everything else"

[admin@Wandy] ip firewall rule input> print

Flags: X - disabled, I - invalid, D - dynamic