Tutorial: Router Configuration

So far we have only used Guarddog to protect a single workstation (i.e. the one Guarddog is running on), but as many people know a Linux box can also act as a fantastic router for connecting multiple networks. In this tutorial we will go through how Guarddog can be used on a machine acting as a gateway to protect a LAN placed behind the gateway from the internet.

Important

Guarddog only supports router configurations on machines running Linux kernel series 2.4 with iptables.

Anatomy of a typical LAN connected to the Internet

A typical router configuration with Guarddog running on the router system.

The diagram above shows the network configuration of a typical LAN connected to the Internet via a Linux based system acting as a router. On the left side of the diagram is our LAN that we wish to protect. The Internet is shown on the right hand side. All communication between the LAN and Internet passes through the gateway machine which is marked with the dog. Guarddog runs on the gateway machine. The most important aspect of this setup from a security point of view is that all of the traffic between the LAN and the Internet passes through one machine: the gateway. This provides us with an obvious "choke point" that we can use to place the firewall to filter the traffic.

The diagram also shows the zones that we will implement in Guarddog.

"Repeat after me: Guarddog is a firewall"

There seems to be a bit of confusion surrounding the function of a firewall versus the task of packet routing. Firewalls act as network traffic filters, filtering and blocking unwanted and dangerous network traffic. They are security devices. Features such as routing and IP masquerade are not primarily security features; they are networking features.

Note

This misconception arose because in the past (before Linux kernel series 2.4) the Linux networking system made it impossible to separate advanced routing functionality from normal firewall functionality. This led to firewall programs that also included direct support for advanced routing features such as IP masquerade, port forwarding, etc.

Guarddog is a firewall and cannot be used for configuring networking features such as IP masquerade and routing. These networking features must be configured outside of Guarddog.

Tip

Guidedog is a user-friendly utility for configuring advanced networking features and is designed to work alongside Guarddog.

Configure Routing and Network Settings

Before we continue you should go configure the routing setup for your machine and confirm that it is routing/masquerading network traffic as expected. To make the task of debugging your gateway configuration easier, you can disable Guarddog by checking the Disable firewall checkbox on the Advanced tab and then applying the changes. This will allow you to test your routing setup separately without Guarddog blocking any test traffic.

Warning

I strongly recommend that you do not debug your network setup while connected to a hostile network like the Internet. Instead, attach a test machine to the network card that you plan to connect to the Internet and give it an IP address, so that it can act as a pretend Internet.

Teaching Guarddog to Allow Traffic to/from your LAN

If you configured and tested your routing and network settings with Guarddog disabled, enable Guarddog again and apply the changes. If all is going well, you should find that your LAN is once again totally cut off from the Internet. Guarddog has a fail-safe, "what is not explicitly permitted is denied" design. In this situation that means that, since Guarddog hasn't been told to allow traffic from your LAN out to the Internet, or vice versa, it assumes that the traffic should be blocked. This is intended to make it easy to get a secure configuration (even if it is too secure) and difficult to end up with an insecure one.

We tell Guarddog that computers on your LAN are allowed to access computers on the Internet by using zones. We simply create a zone to hold the addresses of all of the computers on our LAN, specify that this zone is connected to the Internet zone (and probably the Local zone), and then go to the Protocols tab and tick which protocols should be allowed between the LAN and the Internet.

Step by Step

Go over to the Zone tab, create a new zone and call it LAN. In the Zone Addresses list, enter the IP addresses of the computers on your LAN. The address list understands several notations for addresses and can also accept whole network blocks. If you are running an IP masqueraded network using the 192.168.1.0/255.255.255.0 private address space, you can enter the block on a single address line in 192.168.1.0/255.255.255.0 format or the shorter 192.168.1.0/24 format.

Go to the Connection list and tick Internet and Local to specify that your LAN zone should be connected to the Internet and Local zones.

Now, go to the Protocol tab and make sure that Protocols Served from Zone: is set to Internet. In the list of protocols below you should see a column of checkboxes for the Local zone and another column for the LAN zone. Just as we turned on protocols for the Local zone in the first tutorial, we can do the same for the LAN zone. Tick the protocols in the list that machines in the LAN zone should be able to use with the Internet.

When you're ready, apply the changes and see if your LAN can access the internet. That's all there is to it.
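To make the zone logic concrete, here is an added model (not Guarddog's own code) of the default-deny decision the steps above configure: a LAN zone given in the long netmask notation, the Connection list ticks, and a set of protocols served from Internet to LAN. The gateway addresses 192.168.1.1 and 203.0.113.5 and the ticked protocols are assumptions chosen for illustration.

```python
import ipaddress

# Constructed zone layout following the tutorial. Gateway addresses are
# made up; 192.168.1.0/255.255.255.0 is the LAN block from the tutorial,
# written in the long netmask form it mentions.
ZONES = {
    "Local": [ipaddress.ip_network("192.168.1.1/32"),
              ipaddress.ip_network("203.0.113.5/32")],
    "LAN": [ipaddress.ip_network("192.168.1.0/255.255.255.0")],
}

# Zone pairs ticked in the Connection list.
CONNECTED = {
    frozenset({"LAN", "Internet"}),
    frozenset({"LAN", "Local"}),
    frozenset({"Local", "Internet"}),
}

# Protocols ticked on the Protocol tab, keyed by (serving zone, client zone).
# Only "served from Internet to LAN" has boxes ticked here (assumed choices);
# LAN is connected to Local but nothing is served from Local, so that stays denied.
SERVED = {
    ("Internet", "LAN"): {("tcp", 80), ("tcp", 443), ("udp", 53)},
}


def zone_of(addr: str) -> str:
    """Map an address to a zone; anything not listed falls into Internet."""
    ip = ipaddress.ip_address(addr)
    # Check Local first: the gateway's own LAN-side address also lies
    # inside the LAN block, and the more specific zone must win.
    for name in ("Local", "LAN"):
        if any(ip in net for net in ZONES[name]):
            return name
    return "Internet"


def is_permitted(src: str, dst: str, proto: str, dport: int) -> bool:
    """Default-deny check: the zones must be connected AND the protocol
    must be ticked as served by the destination zone to the client zone."""
    client, server = zone_of(src), zone_of(dst)
    if frozenset({client, server}) not in CONNECTED:
        return False
    return (proto, dport) in SERVED.get((server, client), set())
```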
