A Linksys WRT54G provides a cheap and easy Linux platform in a small physical package. I use the DD-WRT firmware available from www.dd-wrt.com.

Dynamic Network Address Translation maps several internal addresses to a single external address. All connections appear to come from that address. It is desirable sometimes to have static NAT where several external addresses that are forwarded to internal hosts.

For example:

195.167.182.123 -> 10.0.0.1
195.167.182.124 -> 10.0.0.2
195.167.182.125 -> 10.0.0.x

It may be useful to have a “catch all” address that other addresses can be translated to, this is shown in the last line of the example above.

Firstly add the external aliases to the external interface of the WRT54G, which is vlan1.

ifconfig vlan1:1 195.167.182.124 netmask 255.255.255.248 broadcast 195.167.182.127
ifconfig vlan1:2 195.167.182.125 netmask 255.255.255.248 broadcast 195.167.182.127

The catch all address is already specified as the routers external address.

The following IPTables commands will add NAT for these addresses, and ensure all other traffic is translated to the main address.

# Default accept all.
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT

# Clear all chains.
cat /proc/net/ip_tables_names | while read table; do
iptables -t $table -L -n | while read c chain rest; do
if test “X$c” = “XChain” ; then
iptables -t $table -F $chain
fi
done
iptables -t $table -X
done

# Reset counters.
iptables -Z

# Allow new connections, to and from the router.
iptables -A INPUT -i lo -m state –state NEW -j ACCEPT
iptables -A OUTPUT -o lo -m state –state NEW -j ACCEPT
# Allow established and related connections.
iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT

# Nat mapping for 195.167.182.123 -> 10.0.0.1
iptables -t nat -I PREROUTING -i vlan1 -d 195.167.182.123 -j DNAT –to-destination 10.0.0.1
iptables -t nat -I POSTROUTING -o vlan1 -s 10.0.0.1 -j SNAT –to-source 195.167.182.123

# Nat mapping for 195.167.182.124 -> 10.0.0.2
iptables -t nat -I PREROUTING -i vlan1 -d 195.167.182.1241 -j DNAT –to-destination 10.0.0.2
iptables -t nat -I POSTROUTING -o vlan1 -s 10.0.0.2 -j SNAT –to-source 195.167.182.124

# NAT all other connections.
iptables -t nat -A POSTROUTING -o vlan1 -s 10.0.0.0/24 -j MASQUERADE

# Fix mss.
iptables -t mangle -A POSTROUTING -p tcp –tcp-flags SYN,RST SYN -m tcpmss –mss 1421:65535 -j TCPMSS –clamp-ms

IPTables is very efficient with a small to medium number of rules, once the number of rules increases, packet latency can increase across the firewall interfaces, as every new connection has to be checked against every rule.

Using custom chains within IPTables, can improve the efficiency and overall throughput of the firewall.

A good firewall design is important! Using the principle of Block All, Allow Some

As well as the standard INPUT, FORWARD and OUTPUT chains in IPTables it is very useful to add your own. Custom chains also allow selective tracking and logging of traffic flows.

For example:
# Make a new chain called “dropandlog”
iptables -N dropandlog

# Configure the chain.

# Limit how many log entries to make, and log.
iptables -A dropandlog -m limit –limit 15/minute -j LOG –log-prefix Firewall:

# Drop the packets passed to this chain.
iptables -A dropandlog -j DROP

Now any rules which have a jump (-j) target of dropandlog will pass the matched traffic to the chain.

For example:

iptables -A INPUT -p tcp –dport 22 -j dropandlog

This rule sends any packets on the default ssh port, coming in on the input chain to the chain dropandlog. They will be shown in the logfile with the prefix “Firewall:”.

Using separate chains cuts down the amount of rules traffic has to pass through and so improves firewall efficiency.

For example the following script:

iptables -A INPUT -p tcp ! –syn -m state –state NEW -j drop

iptables -A INPUT -p tcp –tcp-flags ALL FIN,URG,PSH -j drop
iptables -A INPUT -p tcp –tcp-flags ALL ALL -j drop
iptables -A INPUT -p tcp –tcp-flags ALL NONE -j drop
iptables -A INPUT -p tcp –tcp-flags SYN,RST SYN,RST -j drop
iptables -A INPUT -p tcp –tcp-flags SYN,FIN SYN,FIN -j drop

These rules only match TCP traffic. However all UDP and ICMP traffic will also be forced to go through each rule, slowing them down. It is much more efficient therefore to refactor this to use protocol specific chains.

#New chain tcpfilter.
iptables -N tcpfilter

# Rules for chain tcpfilter.
iptables -A tcpfilter -p tcp ! –syn -m state –state NEW -j drop
iptables -A tcpfilter -p tcp –tcp-flags ALL FIN,URG,PSH -j drop
iptables -A tcpfilter -p tcp –tcp-flags ALL ALL -j drop
iptables -A tcpfilter -p tcp –tcp-flags ALL NONE -j drop
iptables -A tcpfilter -p tcp –tcp-flags SYN,RST SYN,RST -j drop
iptables -A tcpfilter -p tcp –tcp-flags SYN,FIN SYN,FIN -j drop

# Redirect all tcp traffic to tcpfilter
iptables -A INPUT -p tcp -j tcpfilter

This type of chain can be replicated for each protocol, or for different traffic Each traffic type can then make its way through the firewall, in the most efficient way possible.

I’m currently using the DD-WRT firmware on this platform, however these instructions should work for other firmware which contains IPTables as well.

Instructions for upgrading your router to DD-WRT can be found at James Stephens Blog or on the DD-WRT wiki under Installation.

A lot of the rules are generic and with a little tweaking can be applied to other platforms.

It is important to note that unlike a standard Linux router, with interfaces labelled as eth0, eth1 etc, the WRT54G has a single switch split into Virtual LANS.

• vlan1 is the WAN interface.
• vlan0 is the LAN interface(s).
• eth1 is the Wireless interface.
• br0 is a bridge comprising of eth1 and vlan0

Any external address applied to the router through the web-interface is applied to vlan1, the internal address is applied to br0, and is therefore available to all internal clients.

Before designing IPTables rules it is useful to examine the diagrams here, and understand where traffic flows in relation to the interfaces above.

Traffic heading in or out of the router, for example to it’s external address or internal address will hit the input and output chains.

Traffic which is destined for other hosts, such as those defined by the static NAT rules explained here, will pass through the forward chain of the router.

I’ve covered using custom chains to achieve greater efficiency and carry out multiple tasks previously.

Firstly on the router we need to clear the chains that are set-up by the web interface. James Stephens provides a good way to do this in his example scripts which are on his site at http://www.sns.ias.edu/~jns.

# Set default policies to ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT

# Flush all tables and chains.
cat /proc/net/ip_tables_names | while read table; do
iptables -t $table -L -n | while read c chain rest; do
if test “X$c” = “XChain” ; then
iptables -t $table -F $chain
fi
done
iptables -t $table -X
done

# Zero counters.
iptables -Z

This allows us to start with a fresh IPTables set-up, allowing the script to be run at any time, not just on start up.

Now add these rules:

# Allow all loopback traffic
iptables -A INPUT -i lo -m state –state NEW -j ACCEPT
iptables -A OUTPUT -o lo -m state –state NEW -j ACCEPT

# Allow all ESTABLISHED and RELATED traffic
iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT

# Allow all LAN traffic to router
iptables -A INPUT -i br0 -s $LANIP -m state –state NEW -j ACCEPT

# Allow all traffic from router to ANY
iptables -A OUTPUT -m state –state NEW -j ACCEPT

# Allow all traffic from LAN to ANY
iptables -A FORWARD -s $LANIP -m state –state NEW -j ACCEPT

This allows connections that are already in progress when the script is run, as well as accepting new connections. We also allow traffic from the LAN interface to reach the router and allow the router to talk to other systems.

Finally we need to enable IP Forwarding to allow routing to continue, and tighten out default policies.

# Tighten Default policies.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP

# enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

This gives a blank slate to build on. I recommend adding some of the general security IPTables rules I’ve posted here, or looking at my example scripts.

Does exactly what it says on the Tin - Prevents Traceroute by incrementing the TTL of each default traceroute packet that comes through the specified interface.

/usr/local/sbin/iptables -t mangle -A PREROUTING -p TCP –dport 33434:33542 -j \
TTL –ttl-inc 1

It’s not foolproof by far!