Virtual Server Slackware network clients not going through firewall
by dalacor from LinuxQuestions.org on (#5T48Q)
For years I have used Slackware and E2guardian to manage Internet filtering.
The procedure I have been using to date is to build a physical box with one network card. Install Slackware and E2guardian for Internet filtering.
In IPtables I had this set for transparent Internet filtering using E2guardian:
Code:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443

I determined (years ago) that I needed to set the Slackware box as the gateway for all computers/printers on the network for the following two reasons.
When connecting to the network via VPN, you could not connect to the servers/printers on the internal network unless the computers on the network used the IP address of the Slackware box as the gateway. The DNS address could be the Windows DNS server IP address, but the gateway had to be the Slackware box for the VPN to work.
Second, the access denied page for HTTPS traffic only showed the correct page for some reason when the gateway was the Slackware box.
Because the Internet router was set to block all incoming connections - only forwarding the VPN connection - I was not too worried about the network being hacked as all the incoming ports were closed. However, for some years I have been wanting to use IPtables to whitelist ports that are actually being used and block all other outgoing ports. The idea being to prevent someone from, say, connecting to a website using SFTP and copying all the files across, to use a simple example. In short, the idea is to whitelist only legitimate outgoing traffic as cyber security is a huge problem nowadays.
In addition, I want to virtualise Slackware as there is simply no need to have a physical computer running effectively 3 programs and that's it.
I have set up Slackware as a VM in Hyper-V. No issues with installing, updating etc.
I have created a basic IPtables ruleset on the Slackware box. Initially only setting this:
Code:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

So that I could see that the firewall was actually working, then adding extra rules. I have no problems setting up the firewall to allow DNS, ICMP etc. queries from the Slackware box to the outside world. I can even allow or block my computer to ping or connect to the Slackware box via SSH. So the firewall works effectively on the actual Slackware box, controlling what traffic comes into and out of that box.
Where I am completely stuck is that if I set up my laptop to use the Slackware box as the gateway, but use the Internet router as the DNS server, my laptop continues to connect to the Internet, ping websites and my email still connects using IMAP ports etc., regardless of what settings I have in IPtables, even if I just drop everything and allow nothing.
For the moment on this test setup, I have not set up E2guardian or the VPN as I just want to get the basics set up before complicating it with other services not relevant to iptables.
It is obvious to me that the Internet filtering program E2guardian itself handled forwarding of Internet traffic - once port 80 and port 443 were redirected to E2guardian ports. The VPN also obviously handled forwarding of traffic, presumably with the push route command to forward the traffic.
I had always thought that using the Slackware box as the gateway meant that all the traffic was going through the box and by default the IPtables firewall, which up till now has been defaulted to allow. But apparently not.
I have done some researching, but every example I have come across talks about IP forwarding and two network cards. The new setup will be a virtual machine and if possible I would like to not have two network cards, as I am not sure that I see any benefit as the Internet router drops all external traffic anyway. In addition, I am not sure how easy it would be to set up a virtual Slackware to use two physical network cards anyway, so I would need a really clear benefit to two network cards. The only purpose is to whitelist outgoing ports that are actually used to connect to the outside world. Internal traffic such as DHCP etc. obviously does not need to go through the firewall.
My first priority however is to actually get the network clients to use the Slackware firewall. Can anyone advise how to achieve this, as I don't know why the network computers are not going through the gateway (Slackware box) in the first place? Thank you.