Build your own Advanced Open Source Linux Router Firewall

From Fyzix

Purpose

My co-worker didn't trust his existing router firewall. Why should you?

Additionally, he wanted to monitor hardware on his internal network. For example, this device can help verify a Synology NAS has benign behavior (or not).

To that end I built this project code named Cervin, which is the French/Swiss name for Matterhorn.

Hardware

Prices as of 2016-03-11

Hardware total cost before S/H: $307.24

Operating System

Used Rufus to write the ISO image to bootable USB media.

Features

  • IPTables rule set with anti-port scan, trip port, restrict, and watch features.
    • The restrict feature lets you block hosts on the internal network from reaching the internet.
    • The watch feature lets you monitor untrusted hardware on your internal network to see its behavior. The logged traffic can then be analyzed in the ELK Stack.
  • DNS Server for name resolution & local DNS cache (i.e. faster resolution for commonly accessed sites)
  • DHCP Server for dynamic IP address leasing
  • QoS traffic shaping
  • OpenVPN in bridged mode
  • IDS using Suricata, Barnyard2, and Snorby
  • ELK Stack for log analytics
  • Automated updates
  • Menu to edit configuration
  • Support for VLAN tagging for use with CenturyLink FTTH (VLAN 201)
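As an added example (not the Cervin project's own firewall script), the following sketches how the restrict, watch, trip-port and anti-port-scan features above map onto IPTables rules. It assumes a constructed layout: LAN bridge br0, WAN eth0, and the kernel log (carrying the CERVIN_ prefixes) forwarded to the ELK Stack; it prints the rules by default and only applies them when run as root with IPT=iptables.

```shell
#!/bin/sh
# Added example for the restrict / watch / trip-port / anti-port-scan features.
# Not the Cervin project's own firewall script. Assumptions (constructed):
# LAN bridge br0, WAN eth0, rsyslog shipping the kernel log to ELK.
LAN_IF=${LAN_IF:-br0}
WAN_IF=${WAN_IF:-eth0}
BAN_SECONDS=${BAN_SECONDS:-3600}
# Dry run by default: print the rules. Run with IPT=iptables (as root) to apply.
IPT=${IPT:-echo iptables}

# restrict: the host may still talk to the LAN and the router, but every
# attempt to reach the internet through the router is logged and rejected.
restrict_host() {
  $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$1" \
    -j LOG --log-prefix "CERVIN_RESTRICT: " --log-level 4
  $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$1" \
    -j REJECT --reject-with icmp-admin-prohibited
}

# watch: traffic from an untrusted device (e.g. a NAS) still passes, but each
# new connection it opens is logged so its behaviour can be reviewed in ELK.
watch_host() {
  $IPT -A FORWARD -i "$LAN_IF" -s "$1" -m conntrack --ctstate NEW \
    -j LOG --log-prefix "CERVIN_WATCH: " --log-level 6
}

# anti-port-scan: any source recorded in the TRIP list is dropped on the WAN
# side for BAN_SECONDS. Must precede the ACCEPT rules for WAN-facing services.
ban_tripped() {
  $IPT -A INPUT -i "$WAN_IF" -m recent --name TRIP --rcheck \
    --seconds "$BAN_SECONDS" -j DROP
}

# trip port: a TCP port no legitimate service uses; touching it records the
# source in the TRIP list (so ban_tripped drops it) and drops the packet.
trip_port() {
  $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$1" -m recent --name TRIP --set \
    -j LOG --log-prefix "CERVIN_TRIP: " --log-level 4
  $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$1" -j DROP
}

# Usage with constructed addresses: ban tripped scanners, set trip port 1337,
# restrict one host and watch the NAS.
ban_tripped
trip_port 1337
restrict_host 192.168.1.50
watch_host 192.168.1.20
```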

TODO

  • Better support for IPv6
  • Parameterize the configuration so that a change made in the Menu propagates through all configurations (e.g. changing an IP address once updates the interfaces file, firewall script, and Unbound DNS configuration).
  • The ELK Stack was disabled when the IDS was enabled. Both are resource intensive (the ELK Stack more so), so it makes sense to have the router ship its logs with Filebeat to a remote ELK instance with more horsepower. I have not yet built or documented this configuration.

Build

Reference Documentation

Notes

Once built, the default fan configuration for this device is rather noisy. To fix this, enter the BIOS (DEL key at boot) -> PC Health Status -> Smart FAN Configurations -> CPUFAN Smart Mode Enable -> ESC and Save & Exit Setup.