Break the bridge and set up the split internal network
First we need to set up your router's physical networks. For this part of the HOWTO, I'll be using configuration options that make sense on a WRT54GL with the default Kamikaze configuration. If you run a different router or you've tweaked your network configuration heavily, you're on your own with this section, but my Shorewall configuration should still work for you if you change the appropriate interface lines.
*Split wired and wireless networks onto separate interfaces
Edit the /etc/config/network file. Remove the entire section labeled "#### LAN configuration". If you do not have this section, find the "config interface lan" line and remove this entire section. In its place add two new sections:
    #### Wired LAN configuration
    config interface wired
        option ifname   "eth0.0"
        option proto    "static"
        option ipaddr   192.168.1.1
        option netmask  255.255.255.0
        option gateway  192.168.1.254
        option dns      192.168.1.254

    #### Wireless LAN configuration
    config interface wireless
        option ifname   "wl0"
        option proto    "static"
        option ipaddr   192.168.2.1
        option netmask  255.255.255.0
        option gateway  192.168.2.254
        option dns      192.168.2.254
Replace the IP addresses and netmasks of the interfaces as you see fit. Be sure the gateway and DNS server settings match the chosen IP's.
DNSmasq supports the use of /etc/ethers to define static mappings:
    # Main server
    00:01:23:45:67:89 192.168.1.42
Be sure to define these static mappings outside the DHCP ranges. As long as they fall within the subnet defined by the IP and netmask on an interface, DNSmasq will still put the clients in the correct subnet with the accompanying gateways and such.
Note that if you have any subnets living behind any machines on these networks (VPN server, for example) that you want to route back and forth to your main network, you should set that up here with a "config route" stanza. For example:
    config route vpn
        option interface wired
        option target    192.168.10.0
        option netmask   255.255.255.0
        option gateway   192.168.1.42
Of course, 192.168.1.42 is still responsible for handling the actual routing to the 192.168.10.0/24 subnet, but this will allow OpenWRT to route packets destined to that subnet to the appropriate gateway. Don't worry if you want to add some firewalling to this; Shorewall will give us that power later.
To serve DHCP information on both interfaces, you'll need to edit your /etc/config/dhcp file. Remove the "config dhcp" section with "option interface br0" and replace it with:
    config dhcp
        option interface wired
        option start     150
        # limit is the pool size: 50 addresses, .150 through .199
        option limit     50
        option leasetime 12h

    config dhcp
        option interface wireless
        option start     150
        option limit     50
        option leasetime 12h
This will serve IP's between 192.168.1.150 and 192.168.1.199 on the wired interface and between 192.168.2.150 and 192.168.2.199 on the wireless. Again, change the "start" and "limit" values to suit your environment.
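To check that the static mappings in /etc/ethers (above) land inside an interface's subnet but outside that interface's DHCP pool, here is a small Python script I've added for this HOWTO; it is not part of OpenWrt or dnsmasq. It carries constructed copies of the /etc/config/network and /etc/config/dhcp sections from this section (with limit 50, i.e. the .150-.199 pool described above) plus a constructed /etc/ethers holding the "Main server" entry and one deliberately bad entry, and it assumes OpenWrt's pool arithmetic: "start" is an offset from the network address and "limit" is the number of addresses in the pool.

```python
"""Validate /etc/ethers static mappings against the OpenWrt DHCP pools.

Added example for this HOWTO, not OpenWrt or dnsmasq code. Pool arithmetic
follows OpenWrt's dnsmasq init (assumption): 'start' is an offset from the
network address and 'limit' is the number of addresses in the pool.
"""
import ipaddress
import shlex

# Constructed copies of the /etc/config/network and /etc/config/dhcp sections
# added in this HOWTO (only the options the check needs are kept).
NETWORK_CONF = """\
config interface wired
    option ifname  "eth0.0"
    option ipaddr  192.168.1.1
    option netmask 255.255.255.0

config interface wireless
    option ifname  "wl0"
    option ipaddr  192.168.2.1
    option netmask 255.255.255.0
"""

DHCP_CONF = """\
config dhcp
    option interface wired
    option start 150
    option limit 50

config dhcp
    option interface wireless
    option start 150
    option limit 50
"""

# Constructed /etc/ethers: the HOWTO's "Main server" plus one deliberately
# bad entry that sits inside the wireless pool.
ETHERS = """\
# Main server
00:01:23:45:67:89 192.168.1.42
00:01:23:45:67:8a 192.168.2.160
"""


def parse_uci(text):
    """Minimal UCI parser: list of (section type, section name, {option: value})."""
    sections = []
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)   # handles quotes and '#' comments
        if not words:
            continue
        if words[0] == "config":
            sections.append((words[1], words[2] if len(words) > 2 else None, {}))
        elif words[0] == "option" and sections:
            sections[-1][2][words[1]] = words[2]
    return sections


def dhcp_pools(network_text, dhcp_text):
    """Map interface name -> (subnet, first pool address, last pool address)."""
    nets = {}
    for typ, name, opts in parse_uci(network_text):
        if typ == "interface" and "ipaddr" in opts:
            nets[name] = ipaddress.ip_network(opts["ipaddr"] + "/" + opts["netmask"], strict=False)
    pools = {}
    for typ, _, opts in parse_uci(dhcp_text):
        if typ == "dhcp" and opts.get("interface") in nets:
            net = nets[opts["interface"]]
            first = net.network_address + int(opts.get("start", 100))
            pools[opts["interface"]] = (net, first, first + int(opts.get("limit", 150)) - 1)
    return pools


def parse_ethers(text):
    """Return [(mac, ip)] from /etc/ethers, ignoring comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) == 2:
            pairs.append((fields[0], ipaddress.ip_address(fields[1])))
    return pairs


def check_static_mappings(pools, ethers):
    """One (mac, ip, verdict) per mapping: 'ok', 'in pool' or 'no subnet'."""
    results = []
    for mac, ip in ethers:
        verdict = "no subnet"
        for net, first, last in pools.values():
            if ip in net:
                verdict = "in pool" if first <= ip <= last else "ok"
                break
        results.append((mac, str(ip), verdict))
    return results


if __name__ == "__main__":
    pools = dhcp_pools(NETWORK_CONF, DHCP_CONF)
    for iface, (net, first, last) in pools.items():
        print(f"{iface}: {net}, pool {first} - {last}")
    for mac, ip, verdict in check_static_mappings(pools, parse_ethers(ETHERS)):
        print(f"{mac} {ip}: {verdict}")
```

To run it against a real router, read your own three files into the three strings. An "in pool" verdict means dnsmasq could hand the same address to a dynamic client; "no subnet" means the static address is not on any interface you configured and the client will end up with no usable gateway.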
There's just one more quick change. In the /etc/config/wireless file, change "option network br0" to "option network wireless", so that the radio is attached to the "wireless" interface section we defined in /etc/config/network. All your other options will be unchanged from your existing configuration.
Install and configure Shorewall for firewalling
Now we'll use Shorewall to set up and configure a powerful iptables-based firewall. I'll mostly concentrate on configuring Shorewall to use the various network interfaces in the router. The documentation at Shorewall's site will help you set up specific rules to customize this installation, although I will provide some examples.
*Install Shorewall and iptables
If you're using a custom-built image, be sure to include Shorewall along with all the iptables-mod packages (found in the Base System configuration). If you're using a stock image, you'll need to install an array of packages:
    ipkg install shorewall iptables iptables-mod-extra iptables-mod-iprange iptables-mod-ipset iptables-mod-nat iptables-mod-ulog iptables-utils
*Set up zones
Now we want to set up Shorewall to use our newly configured interfaces. What happens next may seem a bit counter-intuitive, but I'll explain after everything is set up. For now, remove all uncommented lines in /etc/shorewall/interfaces and replace them with:
    #ZONE   INTERFACE   BROADCAST   OPTIONS
    wan     eth0.1      detect      routeback,norfc1918,dhcp,routefilter,nosmurfs,logmartians
    loc     eth0.0      detect      routeback,dhcp,tcpflags,routefilter,nosmurfs,logmartians
    loc     wl0         detect      routeback,dhcp,tcpflags,routefilter,nosmurfs,logmartians
Now likewise purge all uncommented lines from /etc/shorewall/hosts and replace them with:
    #ZONE   HOST(S)                 OPTIONS
    eth     eth0.0:192.168.1.0/24
    wifi    wl0:192.168.2.0/24
If you changed the network settings up above, be sure to incorporate those changes here. If you have any other subnets lurking on this network (again, a VPN server is the most obvious example), you need to tell Shorewall about them by creating additional zones. For example:
Note that Shorewall only allows zone names to be five characters long.
Now purge all uncommented lines from /etc/shorewall/zones and replace them with:
    #ZONE       TYPE        OPTIONS
    fw          firewall
    wan         ipv4
    loc         ipv4
    eth:loc     ipv4
    wifi:loc    ipv4
The notation 'eth:loc' declares 'eth' as a sub-zone of 'loc': traffic in the 'eth' zone also belongs to the 'loc' zone.
Again, if an additional subnet exists (like our 'vpn' subnet above), add a line for it as well:
Now we've created Shorewall 'zones' representing traffic coming from each of our interfaces (and possibly from a VPN or other internal subnet as well). We initially set all traffic on both the eth0.0 (wired) and wl0 (wireless) interfaces to be in the 'loc' zone, then we further placed all wired traffic in the 'eth' zone, all wireless traffic in the 'wifi' zone, and all traffic from the VPN on the wired interface in a special 'vpn' zone. This will allow us to set up rules that govern all or any combination of these different kinds of traffic.
*Set up the firewall
Now we need to set up Shorewall to control our iptables firewalling. First we want to set up some general policies. Remove all lines between the header and the "#LAST LINE -- DO NOT REMOVE" line in /etc/shorewall/policy and replace them with:
    #SOURCE   DEST    POLICY   LOG LEVEL
    loc       wan     ACCEPT
    loc       $FW     ACCEPT
    $FW       loc     ACCEPT
    wan       all     DROP     info
    #THIS LINE MUST BE LAST
    all       all     REJECT   info
This tells Shorewall to let internal systems reach the router and the internet freely, but to drop and log every packet that arrives from the outside.
Clearly these policies are a bit over-reaching -- we do want the outside world to be able to initiate some connections, for example, and we don't want to log every ping attempt that hits our router -- so we'll add some more specific policies. Once again, purge everything between the header and the "#LAST LINE -- DO NOT REMOVE" in /etc/shorewall/rules and insert:
    #ACTION      SOURCE   DEST   PROTO   DEST PORT(S)   SOURCE PORT(S)   ORIGINAL DEST   RATE LIMIT
    # Allow local clients to use the firewall's DNS and allow the firewall to use external DNS
    DNS/ACCEPT   loc      $FW
    DNS/ACCEPT   $FW      wan
    # Allow local clients to use the firewall's SSH without restrictions
    SSH/ACCEPT   loc      $FW
    # Allow the firewall to ping the WAN
    ACCEPT       $FW      wan    icmp    8
    # Silently drop WAN pings (to clean up the logs)
    DROP         wan      $FW    icmp    8
    # Allow WAN clients to use the firewall's SSH with limiters
    ACCEPT       wan      $FW    tcp     22             -                -               4/min:8
Parts of the first few entries are not strictly necessary, but we include them so that a policy change later doesn't lock us out of the router. The last line provides some rudimentary anti-cracking protection -- it allows only four new connection attempts per minute on the SSH port (22) from WAN clients, with at most eight in a burst (the limit is shared by all WAN sources, not applied per client). This slows brute-force cracking attempts down to the point where they'll never practically succeed, without noticeably affecting legitimate users.
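To see exactly what "4/min:8" does, here is a small simulation I've added (not code from this HOWTO, Shorewall or iptables) of the token bucket that the iptables limit match implements behind that rate spec: the bucket holds at most "burst" tokens, every packet that matches spends one, and tokens come back at "rate". The arrival timeline is constructed: a dozen inbound SSH attempts in just over two seconds, then one every ten seconds for two minutes, then a single attempt at five minutes.

```python
"""Simulate the iptables 'limit' match behind a Shorewall rate spec like 4/min:8.

Added example for this HOWTO, not Shorewall or iptables code. The match is a
token bucket: it starts with 'burst' tokens, each matched packet spends one,
and tokens refill at 'rate'. Exact fractions keep the simulation deterministic.
"""
from fractions import Fraction


def parse_rate_limit(spec):
    """'4/min:8' -> (tokens per second as a Fraction, burst size)."""
    rate, _, burst = spec.partition(":")
    count, unit = rate.split("/")
    seconds = {"sec": 1, "min": 60, "hour": 3600, "day": 86400}[unit]
    return Fraction(int(count), seconds), int(burst) if burst else 5  # iptables default burst


class TokenBucket:
    """Token-bucket limiter with the semantics of 'iptables -m limit'."""

    def __init__(self, spec):
        self.rate, self.burst = parse_rate_limit(spec)
        self.tokens = Fraction(self.burst)   # bucket starts full
        self.last = Fraction(0)

    def allow(self, now):
        """True if a packet arriving at time 'now' (seconds) matches the rule."""
        self.tokens = min(Fraction(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def simulate(spec, arrivals):
    """Run the limiter over a sorted list of arrival times; returns [(time, matched)]."""
    bucket = TokenBucket(spec)
    return [(t, bucket.allow(t)) for t in arrivals]


# Constructed timeline of inbound SSH connection attempts (seconds): twelve in
# the first 2.2 s, then one every 10 s for two minutes, then one at 5 minutes.
ATTEMPTS = ([Fraction(i, 5) for i in range(12)]
            + [Fraction(10 * i) for i in range(1, 13)]
            + [Fraction(300)])


def summarize(spec, arrivals):
    """Count matched/unmatched attempts overall and in each of the first two minutes."""
    results = simulate(spec, arrivals)
    matched = [t for t, ok in results if ok]
    return {
        "accepted": len(matched),
        "dropped": len(results) - len(matched),
        "first_minute": sum(1 for t in matched if t < 60),
        "second_minute": sum(1 for t in matched if 60 <= t < 120),
    }


if __name__ == "__main__":
    for t, ok in simulate("4/min:8", ATTEMPTS):
        print(f"t={float(t):6.1f}s  {'ACCEPT' if ok else 'no match -> wan policy (DROP, logged)'}")
    print(summarize("4/min:8", ATTEMPTS))
```

The first eight attempts of the burst get through and the next four don't; once the bucket is drained, the second minute lets exactly four attempts in, which is the configured rate. Everything the rule doesn't match falls through to the "wan all DROP info" policy, so those attempts are what you'll see in the log.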
Certainly this isn't all Shorewall can do. A few other possible rules to provide more functionality:
Route VPN traffic (TCP port 1194) to the VPN server (192.168.1.42)
    # Allow WAN clients to use OpenVPN on port 1194
    DNAT   wan   loc:192.168.1.42   tcp   1194
Route bittorrent traffic on particular ports to a specified host (192.168.1.42)
    # Route bittorrent on 6881-6899 to 192.168.1.42
    DNAT   wan   loc:192.168.1.42   tcp   6881:6899
Route SSH traffic on a nonstandard external port (2201) to a specified host (192.168.1.42)
    # Allow WAN clients to use internal server's SSH with limiters
    DNAT   wan   loc:192.168.1.42:22   tcp   2201   -   -   4/min:8
Note that, because we split the wired and wireless networks into separate interfaces, we can define rules that apply to only one or the other. For example, the above SSH rule could be rewritten as
    # Allow WAN clients to use internal server's SSH with limiters
    DNAT   wan   eth:192.168.1.42:22   tcp   2201   -   -   4/min:8
We could also force all wireless clients to pass HTTP requests through a transparent proxy:
    # Force wireless HTTP traffic through a transparent proxy
    REDIRECT   wifi   3128   tcp   www
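If you want to check which of these zones a given interface/address pair falls into before writing a rule against it, here is a Python script I've added (not from this HOWTO or from Shorewall) that parses the interfaces, hosts and zones files from the previous section (embedded as sample text) and applies the nesting described there: a host matched by a hosts entry is in that zone and, through 'eth:loc' and 'wifi:loc', also in 'loc'; anything else on eth0.0 or wl0 is in 'loc' only. Shorewall compiles these files into iptables chains itself; this script only mirrors the membership logic, and its in_zone() helper is my own name, not a Shorewall command.

```python
"""Work out which Shorewall zones a packet belongs to from the interfaces,
hosts and zones files, so you can tell which rules can match it.

Added example for this HOWTO, not Shorewall code. Membership rule mirrored
here: a hosts-file entry is more specific than the interface's own zone, and
'child:parent' in the zones file puts the child's traffic in the parent too.
"""
import ipaddress

# Constructed copies of the three files set up in the "Set up zones" section.
INTERFACES = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
wan     eth0.1      detect      routeback,norfc1918,dhcp,routefilter,nosmurfs,logmartians
loc     eth0.0      detect      routeback,dhcp,tcpflags,routefilter,nosmurfs,logmartians
loc     wl0         detect      routeback,dhcp,tcpflags,routefilter,nosmurfs,logmartians
"""

HOSTS = """\
#ZONE   HOST(S)                 OPTIONS
eth     eth0.0:192.168.1.0/24
wifi    wl0:192.168.2.0/24
"""

ZONES = """\
#ZONE       TYPE        OPTIONS
fw          firewall
wan         ipv4
loc         ipv4
eth:loc     ipv4
wifi:loc    ipv4
"""


def columns(text):
    """Yield the whitespace-separated columns of each non-comment, non-blank line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split()
        if line:
            yield line


def parse_zones(text):
    """Return {zone: [parent zones]} from 'child:parent1,parent2  type' lines."""
    parents = {}
    for cols in columns(text):
        zone, _, plist = cols[0].partition(":")
        parents[zone] = plist.split(",") if plist else []
    return parents


def parse_interfaces(text):
    """Return {interface: zone}; a '-' zone means the interface has none of its own."""
    return {cols[1]: cols[0] for cols in columns(text) if cols[0] != "-"}


def parse_hosts(text):
    """Return [(zone, interface, network)] from 'zone  iface:network' lines."""
    entries = []
    for cols in columns(text):
        iface, _, net = cols[1].partition(":")
        entries.append((cols[0], iface, ipaddress.ip_network(net)))
    return entries


def zones_of(ifname, ip, interfaces, hosts, parents):
    """Zones a packet seen on (ifname, ip) belongs to, most specific first."""
    addr = ipaddress.ip_address(ip)
    zone = None
    for hzone, hiface, hnet in hosts:           # hosts-file entries win over
        if hiface == ifname and addr in hnet:    # the interface's own zone
            zone = hzone
            break
    if zone is None:
        zone = interfaces.get(ifname)
    if zone is None:
        return []
    result, todo = [], [zone]
    while todo:                                  # walk up the nesting chain
        z = todo.pop(0)
        if z not in result:
            result.append(z)
            todo.extend(parents.get(z, []))
    return result


def in_zone(rule_zone, ifname, ip, interfaces, hosts, parents):
    """True if a rule naming 'rule_zone' in SOURCE or DEST can apply to this address."""
    return rule_zone in zones_of(ifname, ip, interfaces, hosts, parents)


CONF = (parse_interfaces(INTERFACES), parse_hosts(HOSTS), parse_zones(ZONES))

if __name__ == "__main__":
    for iface, ip in [("eth0.0", "192.168.1.42"), ("wl0", "192.168.2.20"),
                      ("eth0.0", "10.9.9.9"), ("eth0.1", "203.0.113.7")]:
        print(iface, ip, "->", zones_of(iface, ip, *CONF))
    # DEST 'eth:192.168.1.42:22' reaches the wired server, not a wireless host:
    print(in_zone("eth", "eth0.0", "192.168.1.42", *CONF), in_zone("eth", "wl0", "192.168.2.20", *CONF))
    # SOURCE 'wifi' in the REDIRECT rule catches wireless clients only:
    print(in_zone("wifi", "wl0", "192.168.2.20", *CONF), in_zone("wifi", "eth0.0", "192.168.1.42", *CONF))
```

Note the third case: an address on eth0.0 that is outside 192.168.1.0/24 (a routed VPN subnet, say) is in 'loc' but not in 'eth', which is why a subnet like that needs its own hosts entry and zone before you can write rules for it.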
Shorewall is an extremely powerful firewall system. There's plenty of great documentation at the Shorewall site if you need more help.
*Other configuration bits
First we need to set up IP Masquerading. This is what you expect a hardware firewall/router to do -- take packets from the internal network and route them to the external network with masqueraded IP's so that external systems can make sense of them. To do this, again clear everything between the header and the "#LAST LINE" of /etc/shorewall/masq and add:
    #INTERFACE   SOURCE   ADDRESS
    # The first column is the outgoing (WAN) interface, the second is the
    # internal interface or subnet whose packets get masqueraded.
    eth0.1       eth0.0
    eth0.1       wl0
We also need to set the routestopped parameters. The /etc/shorewall/routestopped file tells Shorewall what to do if it is stopped, either because loading fails or because it is stopped from the command line. We want to be sure that local packets can still move about, so we'll purge everything between the header and the "#LAST LINE" and add:
    #INTERFACE   HOST(S)   OPTIONS
    eth0.0       -         routeback
    wl0          -         routeback
The default install of Shorewall in OpenWRT is disabled so it doesn't break your router. Edit /etc/shorewall/shorewall.conf and make sure it contains the following lines:
The first you will have to change; it should be the first non-comment line in the file. The second should already be set, but check it to make sure; if it is not set, nothing we did above will work.
*Test and start Shorewall
Now that all our settings are in place, it's time to test and start Shorewall. Run a quick
to make sure that all the pieces fit together. If there are any errors, disable Shorewall using the /etc/shorewall/shorewall.conf setting and find some help. If there are not, however, go ahead and
After what may take up to a few minutes of compiling, Shorewall will take over firewalling on your router.
(Last edited by existentialhero on 16 Sep 2007, 09:12)