Background:
One night last week I sat down to tune up the native firewall running on my copy of Windows 7. I quickly became frustrated with how long it was taking to point-and-click my way through the process of pruning back permissions. Between the annoyance of finding entries that various installers had entered without my permission and seeing that almost every rule had triplicates to cover each profile (Private, Public, and Domain), I decided that there had to be a better way.
As much as I would love to cut the Microsoft cord and live in a pure open-source world, some of my frequently used applications don’t come in a Linux flavor (iTunes, Guitar Pro, Visio, etc.). Occasionally, I also like to take my laptop to local LAN parties and get my Unreal Tournament and StarCraft II on. Because of this, I am reliant on a non-virtualized Windows operating system. After some thought and research, I decided to create a virtual machine to act as a gateway/firewall for my host OS.
Preparation:
- I first started by downloading and installing an updated version of Oracle’s VirtualBox virtualization environment.
- I also grabbed the 64-bit version of the Ubuntu Server 11.04 ISO. Debian or Fedora would have easily taken care of the job as well.
Install the VM:
- Create a new VM.

- I have 16GB of RAM in my laptop, so I had no problem dishing out 512MB to the VM, but if you need to be more frugal with your memory, you’ll probably be fine with 128MB.
- I allocated 4GB to the dynamically-expanding virtual hard drive, but again, you could probably go as low as 2GB without problems.
- Remove the floppy device and disable the audio.
- Set up the network adapters as listed below.


- Point the CD device at the Ubuntu Server ISO.
- Start the VM.
- Select “Install Ubuntu Server”.
- When Ubuntu asks which network interface to use as the primary, select “eth0”. That will be the Bridged Adapter.

- Pick a hostname.
- I chose to format the disk using the quick “Guided - Use Entire Disk” method for simplicity’s sake, but you can partition it up however you want.
- When it comes time to set a username and password, note that if you configure the firewall the way I did, there will be no access to the VM’s operating system except through the VirtualBox window. Because of this, I wouldn’t bother making an uber-secure 16-character password for this.
- Disable automatic updates (the VM will not have the ability to connect to the internet).
- Don’t select any packages.
- Wait for the install to complete.
- Answer ‘yes’ to the GRUB question.
- Reboot the VM. Optionally you can shut down instead, remove the CD device, and start back up.
Configure the VM:
- Log in to the VM.
- Edit the network interfaces configuration file to include the following:
sudo vim /etc/network/interfaces
auto lo
iface lo inet loopback
# eth0 is the Bridged Adapter; it takes its address from the DHCP server on your real network
auto eth0
iface eth0 inet dhcp
# eth1 is the Host-Only Adapter; this static address is the gateway your Windows host will point at
auto eth1
iface eth1 inet static
address 192.168.56.1
netmask 255.255.255.0
network 192.168.56.0
- Create the iptables firewall setup script. Note that all scripts in the ‘if-up.d’ directory are run automatically whenever a network interface comes up. To allow incoming connections to reach your Windows OS, add space-separated port numbers to the FORWARDED_TCP_PORTS or FORWARDED_UDP_PORTS arrays.
For example, allowing a web server: “FORWARDED_TCP_PORTS=( 80 443 )”
sudo vim /etc/network/if-up.d/iptables
#!/bin/bash
# Runs every time an interface comes up (it lives in /etc/network/if-up.d) and
# rebuilds the whole ruleset from scratch, so running it repeatedly is safe.
IPTABLES=/sbin/iptables
IF_PUBLIC=eth0            # Bridged Adapter: faces the real network
IF_PRIVATE=eth1           # Host-Only Adapter: faces the Windows host
HOST=192.168.56.2         # the Windows host's address on the host-only network
FORWARDED_TCP_PORTS=()    # e.g. ( 80 443 ) to expose a web server running on the host
FORWARDED_UDP_PORTS=()
echo -n "Flushing existing iptables rules... "
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
# Default to DROP in every chain: the VM itself neither accepts nor initiates
# connections, and only traffic explicitly matched below is forwarded.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
echo "DONE"
echo -n "Setting up ingress rules... "
# No inbound traffic allowed
echo "DONE"
echo -n "Setting up egress rules... "
# No outbound traffic allowed
echo "DONE"
echo -n "Setting up the NAT... "
# Drop untracked/malformed packets, let replies to existing connections through,
# forward anything the host originates, and hide the host behind the VM's public address.
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $IF_PRIVATE -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s $HOST -o $IF_PUBLIC -j MASQUERADE
echo "DONE"
echo -n "Setting up forwarded ports... "
# Each published port needs both a FORWARD accept and a PREROUTING DNAT to the host.
for PORT in "${FORWARDED_TCP_PORTS[@]}"; do
  $IPTABLES -A FORWARD -p tcp --dport $PORT -i $IF_PUBLIC -j ACCEPT
  $IPTABLES -t nat -A PREROUTING -p tcp --dport $PORT -i $IF_PUBLIC -j DNAT --to $HOST:$PORT
done
for PORT in "${FORWARDED_UDP_PORTS[@]}"; do
  $IPTABLES -A FORWARD -p udp --dport $PORT -i $IF_PUBLIC -j ACCEPT
  $IPTABLES -t nat -A PREROUTING -p udp --dport $PORT -i $IF_PUBLIC -j DNAT --to $HOST:$PORT
done
echo "DONE"
- Add execution permissions to the script.
sudo chmod +x /etc/network/if-up.d/iptables
- Configure the kernel to allow IP forwarding by uncommenting the line “net.ipv4.ip_forward=1” in the sysctl configuration file.
sudo vim /etc/sysctl.conf
- Shut down the VM and optionally take a snapshot.
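One check worth running once the script has fired, as an added example that is not part of the original post: feed the output of iptables-save (a standard command on the VM) to a small audit that confirms the default-DROP policies, that only the Windows host is masqueraded, and that every DNATed port is both on your approved list and paired with its FORWARD ACCEPT rule. The SAMPLE_DUMP and the audit_ruleset function are constructed for this example.

```python
import re
HOST, IF_PUBLIC, IF_PRIVATE = "192.168.56.2", "eth0", "eth1"   # the values used in the post's script
# Constructed sample of `iptables-save` output after the script runs with FORWARDED_TCP_PORTS=( 80 ).
SAMPLE_DUMP = """\
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.56.2:80
-A POSTROUTING -s 192.168.56.2/32 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""
def audit_ruleset(dump, allowed_tcp=(), allowed_udp=()):   # returns a list of findings; [] is good
    findings, policies, dnat, fwd, masq, table = [], {}, set(), set(), [], None
    for line in map(str.strip, dump.splitlines()):
        if line.startswith("*"):                          # table header, e.g. *nat
            table = line[1:]
        elif line.startswith(":"):                        # chain policy, e.g. :INPUT DROP [0:0]
            policies[(table, line.split()[0][1:])] = line.split()[1]
        elif table == "nat" and "-j DNAT" in line:
            m = re.search(r"-p (tcp|udp) .*--dport (\d+) -j DNAT --to-destination (\S+)", line)
            if m and m.group(3).startswith(HOST + ":"):
                dnat.add((m.group(1), int(m.group(2))))
            else:
                findings.append("DNAT to an unexpected destination: " + line)
        elif table == "nat" and "-j MASQUERADE" in line:
            m = re.search(r"-s (\S+) -o (\S+) -j MASQUERADE", line)
            masq.append((m.group(1), m.group(2)) if m else ("any", "any"))
        elif table == "filter" and line.startswith("-A FORWARD") and "-j ACCEPT" in line:
            m = re.search(rf"-i {IF_PUBLIC} -p (tcp|udp) .*--dport (\d+) -j ACCEPT", line)
            if m:
                fwd.add((m.group(1), int(m.group(2))))
            elif f"-i {IF_PRIVATE}" not in line and "state" not in line:
                findings.append("unexpected FORWARD ACCEPT: " + line)
    for chain in ("INPUT", "OUTPUT", "FORWARD"):           # the VM itself must stay unreachable
        if policies.get(("filter", chain)) != "DROP":
            findings.append(f"filter {chain} policy is not DROP")
    if masq != [(HOST + "/32", IF_PUBLIC)]:               # only the Windows host may be NATed out
        findings.append(f"MASQUERADE is not limited to {HOST} via {IF_PUBLIC}")
    allowed = {("tcp", p) for p in allowed_tcp} | {("udp", p) for p in allowed_udp}
    for label, bad in (("is exposed but not on the allowed list", dnat - allowed),
                       ("is DNATed but has no FORWARD ACCEPT rule", dnat - fwd)):
        findings += [f"{proto}/{port} {label}" for proto, port in sorted(bad)]
    return findings
```

On the VM, pass the real iptables-save output instead of SAMPLE_DUMP; any finding means the loaded rules differ from what the script was meant to produce and is worth chasing before trusting the gateway.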
Configure VirtualBox Networking:
- In the main VirtualBox application, open the network preferences (found in the File -> Preferences window, under the Network section).
- Select the Host-Only Adapter and click the edit button on the right-hand side of the pane (looks like a screwdriver).
- Verify the IPv4 address is 192.168.56.1.
- On the DHCP Server tab, uncheck the “Enable Server” option.

Configure the Windows Host Networking:
- Open the Windows network adapters control window. It is labeled differently and found in different places depending on your version of Windows.
- Right-click on your Wireless LAN and/or Wired LAN adapter and click properties.
- Uncheck or remove everything except what is shown in the image below.

- Select the IPv4 protocol and click the Properties button. Fill out the values to match the image below.

- Click “OK” twice to return back to the list of network adapters. Right-click on the “VirtualBox Host-Only” adapter and click properties.
- Uncheck or remove everything except what is shown in the image below.

- Select the IPv4 protocol and click the Properties button. Fill out the values to match the image below. I have my own DNS server as the preferred server and the OpenDNS servers as two alternate servers (more than two DNS servers can be specified by using the “Advanced…” button).

- Optionally, you could disable your native Windows firewall entirely unless you want to maintain application-level firewall rules.
- Press “OK” and you’re done.
Done!
With any luck, you should be able to start up your Firewall VM, minimize it, and go about your business on the interwebs.