Tag Archives: router

Presenting – The PiWall.

Having a dreaded man-cold, not really being able to be awake more than a few hours before everything started to hurt last week, I decided to start with an old project.

I grabbed one of my old Raspberry Pi Model B’s, glued a USB Ethernet adapter to it, attached an old Wifi USB dongle, and started having fun.


Now, this is related to the loss of the NSLU2, and also some new ideas with a “PiES” concept (I’ll get into more detail later on about that).

The main functions to be targeted with this little bundle of fun will be the following:

* Firewall with the standard NATting, DHCP / DNS features
* Bridged LAN interfaces (Ethernet and WLAN (with hostapd))
* IPSEC enabled (becoming a cheap extender of the Mesh IPSEC network)
* SQUID-proxy (since the throughput needs all the help it can get)

Sadly, I started compiling the latest Squid, and of course it broke within a function – I’ll drill down to a less new version, but I refuse to run the old and dirty one in the repos for Raspbian (yes, it runs Raspbian, that’s been put on a diet).

It’s not built to perform fast – or even that well. It’s purpose-built to be CHEAP. However, with all the add-ons it will of course become somewhat less cheap if I am to create more of these small bundles of joy.

But, imagine getting your hands on a Raspberry Pi 2 Model B as well.. Aaaaw.. More fun stuff!

Either way – I’ll get this concept working first in full, and extend the functionality.
Might have to move on to the “C&C” for the PiES soon though, so I can control my Pi-army in a nice way :).

More to come!

“default” iptables-setup.

This is always something in progress – but, more or less this is (was) a basic fw-setup:

#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
#
# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
# and some good stuff to have enabled..
# (sysctl -w applies the value right away; put the same key=value lines in
#  /etc/sysctl.conf if they should survive a reboot)
#no spoofing
sysctl -w net.ipv4.conf.default.rp_filter=1
sysctl -w net.ipv4.conf.all.rp_filter=1
#no broadcasts
#sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
#more..
sysctl -w net.ipv4.conf.all.secure_redirects=1
#sysctl -w net.ipv4.conf.all.send_redirects=1

# source routing lets the sender choose the path through the box; a firewall
# should not honour that, so this is 0 (off), not 1
sysctl -w net.ipv4.conf.all.accept_source_route=0
#sysctl -w net.ipv6.conf.all.accept_source_route=0

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

#yes, you should have fail2ban ;)
#/etc/init.d/fail2ban restart

#fix tap0 forwarding etc.
#clarify - eth1 internet
#clarify - eth0 lan

# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -m state --state NEW ! -i eth1 -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -m state --state NEW -i eth1 -j REJECT

# Replies to connections the LAN opened may come back in from the outside.
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Don't forward from the outside to the inside (eth1 -> eth0); everything
# not matched above is rejected.
iptables -A FORWARD -i eth1 -o eth0 -j REJECT

# portforwarding-rules
# (a DNAT alone is still caught by the REJECT above, so each forward also
#  needs a matching FORWARD ACCEPT inserted before that rule)

#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport [port] -j DNAT --to [ip:port]
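The port-forwarding template at the end of the script only covers the DNAT half; on this ruleset the translated packet still hits the FORWARD chain, where new eth1-to-eth0 traffic is rejected. The following is an added example (not the post's own script) that builds the complete rule pair and validates the port and address arguments before printing anything, so a typo cannot end up as a rule that exposes the wrong host. It assumes the same interface roles as the script above (eth1 = internet, eth0 = LAN) and prints the commands instead of running them, so they can be reviewed and then piped into sh.

```shell
#!/bin/sh
# Added example, not part of the original post: generate the two iptables rules a
# TCP port-forward needs on this firewall (DNAT in PREROUTING plus an explicit
# FORWARD ACCEPT placed ahead of the outside->inside REJECT), after validating input.
# Interface roles are an assumption taken from the script above.
WAN_IF=eth1
LAN_IF=eth0

# Return 0 if $1 is an integer in 1..65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    oldifs=$IFS
    IFS=.
    set -- $1            # split on "." into the function's positional parameters
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the rules forwarding WAN port $1 to LAN host $2 on port $3.
# Nothing is executed here; review the output, then pipe it into sh to apply.
port_forward_rules() {
    wan_port=$1
    lan_ip=$2
    lan_port=$3
    is_port "$wan_port" || { echo "bad WAN port: $wan_port" >&2; return 1; }
    is_ipv4 "$lan_ip"   || { echo "bad LAN address: $lan_ip" >&2; return 1; }
    is_port "$lan_port" || { echo "bad LAN port: $lan_port" >&2; return 1; }
    # 1. rewrite the destination of new connections arriving on the WAN port
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$WAN_IF" "$wan_port" "$lan_ip" "$lan_port"
    # 2. the script rejects new WAN->LAN forwards, so the rewritten flow needs its own
    #    accept; -I puts it in front of that REJECT, and the match is kept as narrow as
    #    possible (protocol, destination host and port) rather than a blanket accept
    printf 'iptables -I FORWARD -i %s -o %s -p tcp -d %s --dport %s -m state --state NEW -j ACCEPT\n' \
        "$WAN_IF" "$LAN_IF" "$lan_ip" "$lan_port"
}

# Demonstration on constructed values: forward WAN port 8080 to 192.168.0.10:80.
port_forward_rules 8080 192.168.0.10 80
```

Keeping the FORWARD match tied to the destination host and port means the forward opens exactly one service, not the whole LAN host, and rejecting malformed arguments up front avoids iptables silently accepting something like an empty port that turns into a much broader match.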

kernel: Neighbour table overflow

This issue is caused by having too many ARP entries (e.g. on a router).
If you for instance have BitTorrent traffic generating all those ARP lookups, you’ll end up with a lot of
entries in your logs. It is also a performance issue later on, since you’ll have problems flushing entries
and creating new connections to IPs that are not already in the ARP table.

Example log:

kernel: Neighbour table overflow.
kernel: printk: 100 messages suppressed.
kernel: Neighbour table overflow.
kernel: printk: 151 messages suppressed.
kernel: Neighbour table overflow.

To the solution:

Start by running arp -anv a couple of times, or check your concurrent connections by some other means.

Next up (example):

echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo 3072 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3

By default you will have (a guess) a value of 128 in gc_thresh1, twice that for gc_thresh2 (256) and twice that again for gc_thresh3 (512).

Set your limits with how many concurrent connections your hardware and software can handle.

Now, if you’re running something like Zeroshell, add the echo lines to your startup scripts.
Otherwise, I’d recommend adding this as an if-up.d script or its relevant counterpart.
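To turn the procedure above (count the neighbour entries, compare with the gc_thresh limits, raise them) into something repeatable, here is an added example that is not part of the original post. It counts resolved entries in ip neigh output, classifies how close the table is to gc_thresh2 (where the kernel starts garbage-collecting aggressively) and gc_thresh3 (the hard limit behind the "Neighbour table overflow" message), and derives a larger set of limits from an expected host count using the same 1 : 1.5 : 2 ratio as the post's 2048/3072/4096 values. The neighbour listing is a constructed sample so the script runs without root or a real network; the live_report function is what you would call on the router itself.

```shell
#!/bin/sh
# Added example, not from the original post: neighbour-table pressure check and
# threshold recommendation for the "Neighbour table overflow" case.

# Constructed sample of `ip -4 neigh show` output (not captured from a real box).
SAMPLE_NEIGH='192.168.1.10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.11 dev eth0 lladdr 00:11:22:33:44:56 STALE
192.168.1.12 dev eth0  FAILED
10.0.0.5 dev eth1 lladdr 00:aa:bb:cc:dd:ee DELAY
10.0.0.6 dev eth1 lladdr 00:aa:bb:cc:dd:ef REACHABLE'

# Count entries (read from stdin) that hold a resolved link-layer address.
# FAILED entries carry no lladdr and are not counted.
count_neighbours() {
    awk '/ lladdr / { n++ } END { print n + 0 }'
}

# Classify table pressure against the soft (gc_thresh2) and hard (gc_thresh3) limits:
# at or above gc_thresh3 new entries fail and the kernel logs the overflow message.
neigh_pressure() {
    count=$1
    thresh2=$2
    thresh3=$3
    if [ "$count" -ge "$thresh3" ]; then
        echo critical
    elif [ "$count" -ge "$thresh2" ]; then
        echo warn
    else
        echo ok
    fi
}

# Derive "gc_thresh1 gc_thresh2 gc_thresh3" for an expected number of directly reachable
# hosts: gc_thresh1 is rounded up to a power of two starting from 128 (the typical default
# the post cites), then the post's ratio gives thresh2 = 1.5 x thresh1 and thresh3 = 2 x thresh1.
recommend_thresholds() {
    hosts=$1
    t1=128
    while [ "$t1" -lt "$hosts" ]; do
        t1=$(( t1 * 2 ))
    done
    echo "$t1 $(( t1 * 3 / 2 )) $(( t1 * 2 ))"
}

# Print the recommended values as sysctl.conf lines; persisting them this way beats
# echoing into /proc by hand, which is lost at the next reboot.
sysctl_lines() {
    set -- $(recommend_thresholds "$1")
    printf 'net.ipv4.neigh.default.gc_thresh1 = %s\n' "$1"
    printf 'net.ipv4.neigh.default.gc_thresh2 = %s\n' "$2"
    printf 'net.ipv4.neigh.default.gc_thresh3 = %s\n' "$3"
}

# On a real router: read the live table and the current limits from /proc and report.
live_report() {
    n=$(ip -4 neigh show | count_neighbours)
    t2=$(cat /proc/sys/net/ipv4/neigh/default/gc_thresh2)
    t3=$(cat /proc/sys/net/ipv4/neigh/default/gc_thresh3)
    echo "resolved neighbours: $n (gc_thresh2=$t2 gc_thresh3=$t3) -> $(neigh_pressure "$n" "$t2" "$t3")"
}

# Demonstration on the constructed sample against the post's example limits.
n=$(printf '%s\n' "$SAMPLE_NEIGH" | count_neighbours)
echo "resolved neighbours in sample: $n -> $(neigh_pressure "$n" 3072 4096)"
# Limits for a segment expected to hold around 1500 hosts.
sysctl_lines 1500
```

Run live_report from cron or an if-up.d hook and log its one line; a steady climb toward "warn" is the early signal, well before the kernel starts suppressing overflow messages, and the recommended limits can then be sized from the real host count instead of guessed.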