[CS-FSLUG] Christiansource Digest, Vol 124, Issue 1

Tim Young Tim.Young at LightSys.org
Fri Oct 17 15:52:50 CDT 2014


If you want all your field-based internet devices to connect through 
your VPN, then you do not need a firewall.  If you want your 
home-based Internet devices to go through it, then you will end up 
setting it up as a firewall.

If you just want "ease of setup and configuring a VPN" you should 
probably go with a firewall distro instead of using Mint.  It can 
make the task take just a few hours (or minutes, if you know what 
you are doing).  If you need to build everything in Mint, it will 
probably take a bit longer.  But, if you are trying to set up the VPN 
on a Mint computer that you already have, then using Mint is the 
obvious way to go.

If all you are doing is giving yourself a VPN endpoint for all your 
field-based Internet devices, then all you really need to set up on 
Mint is a VPN (OpenVPN, probably), possibly some port-forwarding in 
your "Internet modem" to get the VPN to be accessible from outside 
your home, and Dynamic DNS.  You can skip all the firewall and 
routing stuff.  The Dynamic DNS may be handled by your modem, or it 
may need to be done on Mint (using ddclient or something like that).

There is a good chance that you do have a firewall, but do not know 
it.  :)  Most Internet modems have something like that built into 
them.  If you do not have a firewall, I would recommend getting one.  
The "shellshock" vulnerability that came out recently was a 
Linux/Unix-specific vulnerability.  A firewall is a wise move for any 
platform.

     - Tim Young

On 10/17/2014 3:39 PM, davidm at hisfeet.net wrote:
> Thanks Tim, I've never bothered with a firewall since I started 
> using Linux. So far as I know I've never had an intrusion. I don't 
> really know if I need a firewall, or a VPN. Maybe all I need is a 
> proxy. But I need to have it set up so it includes my whole LAN.  
> I'll study the link you sent, and see where that gets me.
>
>
>
> On 2014-10-16 12:00, christiansource-request at ofb.biz wrote:
>> Send Christiansource mailing list submissions to
>>     christiansource at ofb.biz
>>
>> To subscribe or unsubscribe via the World Wide Web, visit
>>     http://ofb.biz/mailman/listinfo/christiansource_ofb.biz
>> or, via email, send a message with subject or body 'help' to
>>     christiansource-request at ofb.biz
>>
>> You can reach the person managing the list at
>>     christiansource-owner at ofb.biz
>>
>> When replying, please edit your Subject line so it is more specific
>> than "Re: Contents of Christiansource digest..."
>>
>> Today's Topics:
>>
>>    1. Trying to set up my desktop to serve as a sort of "gateway"
>>       (davidm at hisfeet.net)
>>    2. Re: Trying to set up my desktop to serve as a sort of
>>       "gateway" (Tim Young)
>>
>> From: davidm at hisfeet.net
>> To: christiansource at ofb.biz
>> Date: Wed, 15 Oct 2014 19:01:55 -0400
>> Subject: [CS-FSLUG] Trying to set up my desktop to serve as a sort of
>>     "gateway"
>>
>> Well, really a gateway to the gateway. I want to connect to a VPN, or at
>> least to a private proxy, for use in Mexico, but I want each and all of
>> our Internet devices to be connected through it.
>>
>> I have read that it is possible to set up a Linux box to interpose itself
>> between the Internet and everything on the LAN, and still allow the
>> devices on the LAN to communicate with the WAN. I think the article I was
>> reading was for a firewall, which would be OK, but my purpose is for a
>> VPN.
>>
>> I have installed an extra communication card with an Ethernet connector,
>> and the computer does recognize that it is there, and identifies it
>> properly, but I haven't the faintest idea how to adjust the machine to my
>> purposes, or what information to look for in that regard.
>>
>> I've just spent several hours looking for an answer, but don't seem to be
>> getting anywhere. I'll be using Mint 11 I think.
>>
>>
>>  Hi,
>>  Is your Mint "firewall" something you will be using for more than
>> just the gateway and VPN endpoint? If you are only using it for a
>> firewall/gateway, I would recommend using pfSense or a different
>> firewall distro. It will make the task of building a firewall a lot
>> simpler.
>>
>>  I do not know Mint well, so there may be some easier way to do it
>> through a GUI or something. But here are the pieces you need.
>>
>>  I will call the Linux computer a "firewall" as that is what it will
>> be serving as.
>>
>>  KERNEL
>>  You need to tell the Linux kernel on your firewall that it is to
>> allow packets to forward (route) through it. We do that by changing
>> the value in the kernel: /proc/sys/net/ipv4/ip_forward
>>  The way to do this is through "sysctl", which seems to be in
>> /etc/sysctl.conf (or a file in /etc/sysctl.d) that says:
>>  net.ipv4.ip_forward=1
>>
>>  IP ADDRESSING
>>  Then, you need to have two different IP addresses and IP address
>> pools, one on each network interface.
>>  Typically, people use 192.168.1.1 or 192.168.0.1 for their IP
>> addresses. Because you are wanting to do a VPN, you should NOT use
>> either of these. VPNs are a little tricky, and it usually helps to
>> have a different IP address pool than the one you are accessing from.
>> So it is usually good to pick a slightly more obscure number.
>>
>>  So, for kicks, let's add 20 to the default number, and we will use
>> these on the "inside" network card and outside network card.
>>  192.168.20.1
>>  192.168.21.1
>>
>>  FIREWALL RULE (MASQUERADING)
>>  Then, you need to set up MASQUERADING on the external network card.
>> This is done through an iptables rule. If you are using something like
>> firewallbuilder or some other firewalling thing, it may do it for you.
>> But it boils down to a basic line that says something like:
>>  iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>
>>  DONE:
>>  That is the main bit of info. It looks like a possible Mint FAQ could
>> be here:
>>  http://thesystemmaster.com/unix/gateway_mint.php [2]
>>
>>  Setting up a VPN may be a little bit harder. I would probably use
>> OpenVPN if you can.
>>
>>  - Tim Young
>
>> Links:
>> ------
>> [1] http://cs.uninetsolutions.com
>> [2] http://thesystemmaster.com/unix/gateway_mint.php
>>
>> ______________________________________________
>> ChristianSource FSLUG mailing list
>> Christiansource at ofb.biz
>> http://ofb.biz/mailman/listinfo/christiansource_ofb.biz
>
> _______________________________________________
> ChristianSource FSLUG mailing list
> Christiansource at ofb.biz
> http://cs.uninetsolutions.com
>

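The three steps in Tim's quoted recipe (ip_forward, a distinct inside address pool, MASQUERADE on the outside card) and the VPN-endpoint pieces from his later reply (OpenVPN reachable through a port-forward on the modem, field devices coming in over the tunnel) put together as one script. This is an added example, not code from the list post or from any project named in it. Everything concrete in it is an assumption: eth0 as the outside card and eth1 as the inside card, 192.168.20.0/24 as the LAN (Tim's "add 20" suggestion), 10.8.0.0/24 as the OpenVPN tunnel pool on tun0, OpenVPN on its default port UDP 1194, and the helper names ip4_to_int, net_overlap and gateway_rules. One thing the bare MASQUERADE line does not do on its own is restrict what gets forwarded: with the kernel's default FORWARD policy of ACCEPT, anything the box can route will be routed, so the script starts the FORWARD chain from DROP and allows only the flows the thread actually wants. It also checks Tim's point about address pools by refusing a VPN pool that overlaps the LAN.

```shell
#!/bin/sh
# Added example (not from the list post): two-NIC Linux box as a NAT
# gateway plus OpenVPN endpoint. Hypothetical assumptions: eth0 = outside,
# eth1 = inside, 192.168.20.0/24 = LAN, 10.8.0.0/24 = OpenVPN pool on tun0,
# OpenVPN on UDP 1194. Set IPT=echo SYSCTL=echo to print rules instead of
# applying them (assumed variable names, not iptables features).
IPT=${IPT:-iptables}
SYSCTL=${SYSCTL:-sysctl}

# a.b.c.d -> 32-bit integer, so two subnets can be compared arithmetically
ip4_to_int() {
    _oldifs=$IFS; IFS=.
    set -- $1
    IFS=$_oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# net_overlap A/p B/q : exit 0 if the two CIDR blocks share any address.
# They overlap exactly when they agree on the bits of the shorter prefix.
net_overlap() {
    _n1=$(ip4_to_int "${1%/*}"); _p1=${1#*/}
    _n2=$(ip4_to_int "${2%/*}"); _p2=${2#*/}
    _p=$_p1; [ "$_p2" -lt "$_p" ] && _p=$_p2
    _mask=$(( (0xffffffff << (32 - _p)) & 0xffffffff ))
    [ $(( _n1 & _mask )) -eq $(( _n2 & _mask )) ]
}

# gateway_rules WAN_IF LAN_IF LAN_NET VPN_NET [VPN_PORT]
gateway_rules() {
    _wan=$1; _lan=$2; _lan_net=$3; _vpn_net=$4; _port=${5:-1194}

    # Tim's point about pools: the tunnel pool must not collide with the
    # LAN, otherwise return traffic has two equally good routes.
    if net_overlap "$_lan_net" "$_vpn_net"; then
        echo "refusing: VPN pool $_vpn_net overlaps LAN $_lan_net" >&2
        return 1
    fi

    # KERNEL: allow routing between interfaces (put the same line in
    # /etc/sysctl.d/ so it survives a reboot).
    $SYSCTL -w net.ipv4.ip_forward=1

    # FORWARD: MASQUERADE alone forwards anything the kernel will route,
    # so default-deny and allow only the three flows the thread wants.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$_lan" -o "$_wan" -s "$_lan_net" -j ACCEPT  # LAN -> Internet
    $IPT -A FORWARD -i tun0 -o "$_wan" -s "$_vpn_net" -j ACCEPT     # field devices -> Internet
    $IPT -A FORWARD -i tun0 -o "$_lan" -s "$_vpn_net" -j ACCEPT     # field devices -> LAN

    # INPUT from the outside card: only the OpenVPN port and replies to the
    # box's own connections (the modem must port-forward the same UDP port).
    # INPUT on loopback and the inside card is left at the default policy.
    $IPT -A INPUT -i "$_wan" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$_wan" -p udp --dport "$_port" -j ACCEPT
    $IPT -A INPUT -i "$_wan" -j DROP

    # MASQUERADING on the outside card, scoped to the two private pools
    $IPT -t nat -A POSTROUTING -s "$_lan_net" -o "$_wan" -j MASQUERADE
    $IPT -t nat -A POSTROUTING -s "$_vpn_net" -o "$_wan" -j MASQUERADE
}

# ./gateway.sh --dry-run  prints the rules instead of applying them
if [ "${1:-}" = "--dry-run" ]; then
    IPT=echo SYSCTL=echo
    gateway_rules eth0 eth1 192.168.20.0/24 10.8.0.0/24
fi
```

Run it once with --dry-run and read the rules before running it as root; the rules are not persistent, so on a Mint box they belong in an iptables-restore file or whatever the distro's firewall front end saves. The address-pool check is the part worth keeping even if the rest is replaced by a firewall distro: a tunnel pool that overlaps the home LAN is the usual reason a freshly built OpenVPN "connects but nothing works".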