New IT forum
Author Topic: GuruPlug as a Router and Shorewall Firewall  (Read 12251 times)


GuruPlug as a Router and Shorewall Firewall
« on: 14 October 2010, 03:55:50 pm »


Before I start, sorry for my English. I try my best :)

I just wanted to tell you about my experiences and problems with installing my GuruPlug server as a router and using the firewall 'shorewall' from the Debian repository.

This guide will be very rudimentary. It would be good if you already have some knowledge of shorewall for better understanding.

First of all you need to clean up the stuff which the GuruPlug is shipped with:

/etc/rc.local  --> comment call of out
apt-get remove --purge ifplugd # remove ifplugd
blacklist some modules (ipv6, libertas, bluetooth) you probably won't need: in /etc/modprobe.d/blacklist add: ipv6, libertas_sdio, btmrvl_sdio, bluetooth

Now that the GuruPlug is clean, the next step: configuring the network interfaces.

Let's configure the wireless device uap0:

Code:
uaputl sys_cfg_ssid "XXXX" # WLAN name
uaputl sys_cfg_protocol 32 # mode WPA2
uaputl sys_cfg_wpa_passphrase "XXXX" # WLAN password
uaputl sys_cfg_cipher 8 8 # set the cipher
uaputl sys_cfg_channel 0 1 # automatic channel
uaputl bss_start
/etc/init.d/udhcpd start # start DHCP server

Afterwards I inserted the original code to set the LEDs:
Code:
# Set leds
echo 1 > `eval ls /sys/class/leds/*plug*\:green\:health/brightness`
echo 1 > `eval ls /sys/class/leds/*plug*\:green\:wmode/brightness`

I had some problems with apt-get: some folders were deleted after reboot (because it is a tmpfs), so I had to create them automatically on restart in /etc/rc.local:
Code:
mkdir -p /var/cache/apt/archives/partial
touch /var/cache/apt/archives/lock

Code:
# udhcpd configuration (the DHCP server started above)
start # start of ip lease range
end # end of ip lease range
interface wireless-guru # you have to put here the bridge interface we create later in this post
opt      lease  86400
opt     router
opt     subnet
opt     dns
opt     domain     network.lan # DNS Domain (you can configure it via bind9 /etc/bind/named.conf.local more later)
max_leases     101
lease_file     /var/lib/udhcpd.leases
auto_time       5

In my case the scenario is the following:
  • eth1 is my external interface, connected to a cable modem; it gets its IP via DHCP from the ISP (Kabel Deutschland)
  • eth0 internal interface, wired
  • uap0 internal interface, wireless
  • wireless-guru bridged interface (eth0 and uap0) ip: subnet mask:

My /etc/network/interfaces looks like this:
Code:
auto lo
iface lo inet loopback

auto uap0
iface uap0 inet static

auto eth0
iface eth0 inet static

auto wireless-guru
iface wireless-guru inet static
bridge_stp off
bridge_ports eth0 uap0

auto eth1
iface eth1 inet dhcp

In order to use this setup you have to install the package bridge-utils: apt-get install bridge-utils

Now we have a working network. eth0 and uap0 are now in the same network using the bridge wireless-guru. A DHCP server is listening to give the clients an IP.

Before you go on installing shorewall and securing your GuruPlug server, please make sure your network is working properly (e.g. ping etc.).

The next step is installing a DNS server, which forwards the DNS requests to the nameserver of the ISP:
Code:
apt-get remove --purge dnsmasq # onboard DNS server from guruplug
Code:
apt-get install bind9
For me that was enough because the bind server reads the nameserver IPs of my ISP from /etc/resolv.conf and forwards the requests.

Now to the security issues:

Code:
apt-get install shorewall
cd /etc/shorewall # go to the shorewall configuration directory

You have to set some options to make routing work:
edit file: shorewall.conf, set IP_FORWARDING=On
echo 1 > /proc/sys/net/ipv4/ip_forward # enable IP forwarding on the system

1. create zones
edit file: zones
Code:
net     ipv4                   # internet
loc     ipv4                            # local
fw      firewall                        # firewall

2. create interfaces
edit file: interfaces
Code:
loc     wireless-guru routeback
net     eth1    detect  dhcp    # detect = broadcast address
The option dhcp means that the external interface gets its IP via DHCP.
The option routeback is VERY important; if you forget to put it here, the hosts in your private LAN won't communicate with each other because the FW will block it.

3. create policies
edit file: policy
Code:
fw      all     ACCEPT
loc     all     ACCEPT
net     all     DROP    info
all     all     REJECT  info

The option info means that all blocked traffic will be logged to /var/log/messages (very useful for debugging).
All traffic will be blocked apart from source loc or fw to every destination (all), or what is explicitly specified in the rules; see the next step.

4. create rules
edit file: rules
Code:
COMMENT 123 = NTP, 25 = SMTP, XXXX = SSH, 80 = HTTP, 21 = FTP
ACCEPT  all     all     udp     123     123
ACCEPT  all     all     tcp     80
ACCEPT  all     all     tcp     21
ACCEPT  all     all     tcp     XXXX
ACCEPT  all     all     tcp     25

This file tells the firewall which ports should be reachable.

5. Interfaces which should be reachable when shorewall is stopped
edit file: routestopped
Code:
wireless-guru # name of the bridge

6. Masquerading
edit file: masq
Code:
eth1    wireless-guru # external interface to internal interface
Entries on this page set up network address translation for traffic routed between some network and a particular interface.
This is the main file to make your GuruPlug a router ;)

After these configurations your firewall should be working. You can test it with shorewall check and afterwards start it with shorewall start.
If you make changes, use shorewall restart to apply them.

Now try from a client in the LAN whether DNS is working, via Windows:
Code:

Nicht autorisierende Antwort:

If your output is similar to mine, DNS is working.

Next step, try tracert: tracert .. It should trace the hops to the destination URL.

On the GuruPlug I have the following working outputs:

Code:
[email protected]:/etc/shorewall# ifconfig
eth0      Link encap:Ethernet  HWaddr f0:ad:4e:ff:15:79
          RX packets:2148330 errors:0 dropped:0 overruns:0 frame:0
          TX packets:625304 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2755343591 (2.5 GiB)  TX bytes:424094313 (404.4 MiB)

eth1      Link encap:Ethernet  HWaddr f0:ad:4e:ff:15:7a
          inet addr:  Bcast:  Mask:
          RX packets:218652 errors:0 dropped:6 overruns:0 frame:0
          TX packets:142504 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:76464404 (72.9 MiB)  TX bytes:142865610 (136.2 MiB)

lo        Link encap:Local Loopback
          inet addr:  Mask:
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:582 errors:0 dropped:0 overruns:0 frame:0
          TX packets:582 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:49067 (47.9 KiB)  TX bytes:49067 (47.9 KiB)

uap0      Link encap:Ethernet  HWaddr 00:24:23:24:85:a9
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:268284 errors:0 dropped:0 overruns:0 frame:0
          TX packets:299699 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:38126330 (36.3 MiB)  TX bytes:117547359 (112.1 MiB)

wireless-guru Link encap:Ethernet  HWaddr 00:24:23:24:85:a9
          inet addr:  Bcast:  Mask:
          RX packets:2151892 errors:0 dropped:0 overruns:0 frame:0
          TX packets:655469 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2716657446 (2.5 GiB)  TX bytes:503221944 (479.9 MiB)

Please make sure that your ISP gives you an MTU of 1500 or routing won't work. I got stuck for many hours till I figured out that my ISP gave me an MTU of 576 and routing failed. Now I have to set the MTU manually in /etc/rc.local on every reboot:
Code:
ifconfig eth1 mtu 1500
Code:
[email protected]:/etc/shorewall# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                *                               U     0      0        0 wireless-guru
                *                               U     0      0        0 eth1
default         95-91-55-254-dy                 UG    0      0        0 eth1
default                                         UG    0      0        0 wireless-guru

That's all to make the GuruPlug into a Linux router with a firewall ;)
« Last Edit: 18 October 2010, 09:35:50 am by j1m »
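As an added example (not from the post or from Shorewall itself): a small Python model of the evaluation order that the post's policy and rules files produce. Rules are checked first and the first match wins; if none matches, the first policy line matching the zone pair decides. In this model it shows, for instance, that "ACCEPT all all tcp 80" lets HTTP in from net to fw as well as to loc, while the NTP rule only matches when the source port is also 123.

```python
# Copied from the post's policy and rules files (the SSH line with the
# XXXX placeholder port is left out); the evaluator below is an added model.
POLICY = """
fw      all     ACCEPT
loc     all     ACCEPT
net     all     DROP    info
all     all     REJECT  info
"""

RULES = """
COMMENT 123 = NTP, 25 = SMTP, 80 = HTTP, 21 = FTP
ACCEPT  all     all     udp     123     123
ACCEPT  all     all     tcp     80
ACCEPT  all     all     tcp     21
ACCEPT  all     all     tcp     25
"""

def parse(text, ncols):
    """Split a Shorewall table into rows, padding missing columns with None."""
    rows = []
    for line in text.strip().splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith("COMMENT"):
            cols = line.split()
            rows.append(cols + [None] * (ncols - len(cols)))
    return rows

def zone_match(pattern, zone):
    return pattern == "all" or pattern == zone

def evaluate(src, dst, proto, dport, sport=None):
    """Return (action, logged) for a new connection from zone src to zone dst.
    Rules are checked first and the first match wins; otherwise the first
    matching policy line for the zone pair decides (Shorewall's order)."""
    for action, s, d, p, dp, sp in parse(RULES, 6):
        if (zone_match(s, src) and zone_match(d, dst) and p == proto
                and (dp is None or dp == str(dport))
                and (sp is None or sp == str(sport))):
            return action, False
    for s, d, action, log in parse(POLICY, 4):
        if zone_match(s, src) and zone_match(d, dst):
            return action, log == "info"
    return "REJECT", False  # not reached: the last policy line is a catch-all

if __name__ == "__main__":
    # LAN out, HTTP in to the firewall, HTTPS in, NTP with a non-123 source port
    for probe in [("loc", "net", "tcp", 443), ("net", "fw", "tcp", 80),
                  ("net", "fw", "tcp", 443), ("net", "loc", "udp", 123, 4000)]:
        print(probe, "->", evaluate(*probe))
```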


Re: GuruPlug as a Router and Shorewall Firewall
« Reply #1 on: 31 May 2012, 08:27:47 pm »

Impressive work! Thanks for sharing it.


Re: GuruPlug as a Router and Shorewall Firewall
« Reply #2 on: 01 June 2012, 07:20:45 am »

I use guruplugs as routers between segments of my domestic network. I have a triangle of guruplugs in case one of the gplugs fails - as one did earlier this week, though it was a software glitch rather than hardware. I didn't notice the failure for a day! I use quagga as routing software, though I only use RIP for dynamic routing. Other routing protocols are available except for Cisco's proprietary eigrp.

The above security notes are helpful - my external security is handled by the DSL router through a DMZ LAN segment. The extra firewalling notes should help improve my security though I suspect there will have to be a lot of rules implemented!

The gplug routers are also used as internal DHCP and DNS servers in failover and master/slave configurations respectively.
Tony Pemberton