Wandboard

The idea is to use a Wandboard as a router between my internet provider and my internal networks.

I will be using a Wandboard Dual, which has the following key features:
  • Architecture: ARMv7l Cortex-A9
  • Processor: Freescale i.MX6 Dual
  • RAM: 1024 MB
  • SD: 2 * Micro SD (one for Os and one for user data)
  • USB: 1
  • Ethernet: Gigabit
  • Wireless: B/G/N, Bluetooth
The first thing to decide is which Linux distribution to use. Since I'm planning to use this as a router, it is very important that the distribution keeps getting updates for many years, so using a precompiled binary release of, for instance, Ubuntu doesn't sound like a good idea.

In this guide we will be using archlinux|ARM.

Installation

The installation of the basic system is quite easy, and the steps can be found on the Wandboard homepage.
Since we want to keep the whole system updated all the time, I have decided to use the mainline kernel instead of the Wandboard (3.0.35) kernel.

[robert@alarm ~]$ uname -a
Linux alarm 3.13.6-3-ARCH #1 SMP PREEMPT Sun Mar 23 16:20:05 MDT 2014 armv7l GNU/Linux

User management

The first thing we need to do after the installation is to add a user:
[root@alarm ~]# useradd -m -s /bin/bash robert
[root@alarm ~]# passwd robert

IP configuration

eth0 (onboard Ethernet) will be connected to the internet and eth1 (USB dongle: USB31000S) will be connected to the local LAN:

[root@alarm robert]# cat /etc/netctl/eth0
Description='Public interface'
Interface=eth0
Connection=ethernet
IP=dhcp
ExecUpPost='/usr/bin/ntpd -gq || true'

[root@alarm robert]# cat /etc/netctl/eth1
Description='Private interface'
Interface=eth1
Connection=ethernet
IP='static'
Address=('10.0.0.1/24')
[root@alarm robert]# netctl enable eth0
[root@alarm robert]# netctl enable eth1


DNS and DHCP

The internal network will use the 10.0.0.x net. To make it simpler to reach the different hosts on the network, dnsmasq is also configured as a DNS server, so the names debian and laptop can be used instead of IP addresses.
[root@alarm robert]# pacman -S dnsmasq

[root@alarm robert]# cat /etc/dnsmasq.conf
# Serve the private LAN only; never listen on the public interface
interface=eth1
# Pool for dynamic clients with 24 hour leases (10.0.0.255 is the broadcast address, so the pool ends at .254)
dhcp-range=10.0.0.2,10.0.0.254,255.255.255.0,24h
# Fixed addresses and names for known machines, keyed by MAC address
dhcp-host=00:11:22:33:44:55,debian,10.0.0.2,infinite
dhcp-host=01:11:22:33:44:55,laptop,10.0.0.3,infinite
[root@alarm robert]# systemctl enable dnsmasq
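A dhcp-range whose end address is the subnet broadcast address, or a dhcp-host entry that lies outside the subnet, is the kind of slip dnsmasq will not warn about loudly. The script below is an added example (not from the original page, not part of dnsmasq) that checks a dnsmasq.conf for exactly those two problems; it uses only POSIX sh and awk so it can run on the router itself. The sample configuration and its MAC addresses are constructed for the demonstration and deliberately contain both mistakes.

```shell
#!/bin/sh
# Added example: offline sanity checks for dnsmasq dhcp-range/dhcp-host lines.
# Not part of dnsmasq or of the original page.

# Constructed sample in the same layout as the router's dnsmasq.conf:
# the range ends on the broadcast address and the printer is in another subnet.
SAMPLE_CONF='interface=eth1
dhcp-range=10.0.0.2,10.0.0.255,255.255.255.0,24h
dhcp-host=00:11:22:33:44:55,debian,10.0.0.2,infinite
dhcp-host=01:11:22:33:44:55,laptop,10.0.0.3,infinite
dhcp-host=02:11:22:33:44:55,printer,10.0.1.7,infinite'

# Print one line per problem; print nothing when the configuration is clean.
# $1 is the configuration text (for a real file: "$(cat /etc/dnsmasq.conf)").
dhcp_config_problems() {
    printf '%s\n' "$1" | awk -F'[=,]' '
        # dotted-quad to a number; "o" is a local scratch array
        function ip2n(ip,  o) { split(ip, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        $1 == "dhcp-range" {
            lo = ip2n($2); hi = ip2n($3); mask = ip2n($4)
            size  = 4294967296 - mask        # addresses in the subnet (contiguous mask assumed)
            net   = lo - (lo % size)         # network address
            bcast = net + size - 1           # broadcast address
            if (lo == net)   print "dhcp-range starts on the network address " $2
            if (hi == bcast) print "dhcp-range ends on the broadcast address " $3
            have_range = 1
        }
        $1 == "dhcp-host" {
            if (!have_range) { print "dhcp-host before any dhcp-range: " $0; next }
            a = ip2n($4)
            if (a < net || a > bcast) print "dhcp-host " $3 " (" $4 ") is outside the subnet"
        }'
}

# Run stand-alone: report on the constructed sample.
dhcp_config_problems "$SAMPLE_CONF"
```

To check the live file, run `dhcp_config_problems "$(cat /etc/dnsmasq.conf)"`; an empty result means both checks passed. The subnet arithmetic assumes a contiguous netmask, which is what a dhcp-range carries in practice.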

Firewall

The firewall rules below are based on the Arch wiki's Simple stateful firewall. It is a basic firewall that only allows incoming connections to an SSH server; since I will be using the computer as a router, I also allow DHCP and DNS traffic on the local network.


[root@alarm ~]# cat /etc/iptables/iptables.rules
# Generated by iptables-save v1.4.21 on Sat Apr  5 02:57:03 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [96:11950]
:IN_SSH - [0:0]
:TCP - [0:0]
:UDP - [0:0]
:fw-interfaces - [0:0]
:fw-open - [0:0]
# DNS and DHCP for dnsmasq, accepted from the LAN side (eth1) only
-A INPUT -i eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Rate-limited ping; echo requests over the limit are dropped
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 30/min --limit-burst 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
# New SSH connections go through the brute-force throttle before anything else
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j IN_SSH
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
# Everything not accepted above is rejected; a rule placed after these three could never match
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j fw-interfaces
-A FORWARD -j fw-open
-A FORWARD -j REJECT --reject-with icmp-host-unreachable
# Drop a source that already made 3 new SSH connections within 10 s, or 4 within 30 min
-A IN_SSH -m recent --rcheck --seconds 10 --hitcount 3 --rttl --name sshbf --mask 255.255.255.255 --rsource -j DROP
-A IN_SSH -m recent --rcheck --seconds 1800 --hitcount 4 --rttl --name sshbf --mask 255.255.255.255 --rsource -j DROP
-A IN_SSH -m recent --set --name sshbf --mask 255.255.255.255 --rsource -j ACCEPT
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
# Only the LAN side (eth1) may originate forwarded traffic towards the internet
-A fw-interfaces -i eth1 -j ACCEPT
COMMIT
# Completed on Sat Apr  5 02:57:03 2014
# Generated by iptables-save v1.4.21 on Sat Apr  5 02:57:03 2014
*nat
:PREROUTING ACCEPT [60:15588]
:INPUT ACCEPT [5:596]
:OUTPUT ACCEPT [13:1098]
:POSTROUTING ACCEPT [14:1138]
# Hide the private LAN behind the public address on eth0
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Apr  5 02:57:03 2014

[root@alarm robert]# systemctl enable iptables
[root@alarm robert]# echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/90-firewall.conf
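Rules appended by hand to an iptables-save dump are easy to get wrong in two ways that iptables-restore accepts silently: a rule that sits after the chain's catch-all REJECT or DROP never matches, and a rule can end up listed twice. The script below is an added example (not from the original page, not a tool the Arch wiki provides) that lints a dump for both. It is POSIX sh plus awk so it runs on the router. The embedded ruleset is a constructed, cut-down sample that contains both mistakes; a catch-all is taken to be an `-A CHAIN -j TARGET` line with no match between the chain name and the target.

```shell
#!/bin/sh
# Added example: lint an iptables-save dump for unreachable and duplicate rules.
# Not part of iptables or of the original page.

# Constructed sample: the catch-all REJECT precedes the ping and SSH rules,
# and the SSH rule appears twice.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:IN_SSH - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j IN_SSH
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j IN_SSH
COMMIT'

# Print every rule that follows a catch-all terminating rule in its own chain.
# $1 is the dump text (for the live system: "$(iptables-save)").
unreachable_rules() {
    printf '%s\n' "$1" | awk '
        /^\*/ { split("", dead); next }     # new table: forget per-chain state
        $1 == "-A" {
            chain = $2
            if (chain in dead) { print; next }
            # "-A CHAIN -j TARGET" with no match expression matches every packet
            if ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT" || $4 == "ACCEPT"))
                dead[chain] = 1
        }'
}

# Print each rule line the second time it occurs within a table.
duplicate_rules() {
    printf '%s\n' "$1" | awk '
        /^\*/ { split("", seen); next }
        $1 == "-A" { if (++seen[$0] == 2) print }'
}

# Count lines of output without the leading blanks some wc builds emit.
count_lines() { awk 'END { print NR }'; }

# Run stand-alone: report on the constructed sample.
echo "unreachable rules:"; unreachable_rules "$SAMPLE_RULES"
echo "duplicate rules:";   duplicate_rules "$SAMPLE_RULES"
```

Against the live firewall, run `r=$(iptables-save); unreachable_rules "$r"; duplicate_rules "$r"`; both functions print nothing when the ruleset is clean. The catch-all detection is deliberately narrow (a bare jump with no match), so a rule such as `-A INPUT -p tcp -j REJECT` is not treated as terminating the whole chain, only the bare `-A INPUT -j REJECT` is.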
