
Smoothwall Express 3.0 on Nokia IP330



#1 Swimmer


Posted 21 November 2007 - 09:43 PM

Smoothwall Express 3.0 on a Nokia IP330


Introduction:
With the latest release from the Smoothwall Open Source Project, the need for an updated version of this guide was apparent.  This project has gone from a complete DIY to a very robust solution for a SOHO or small business.  Add in the flexibility of the hardware that is being used, the Nokia IP330 series, and the end result can be one of true pleasure.

Disclaimer: testmy.net and its mods are not responsible for any damage to hardware, software, systems, or bodily harm if you decide to attempt this.  I strongly recommend that you attempt this only if you are confident in your computer skills and have some time to troubleshoot.

Background:  What is the Nokia IP330?
The Nokia IP330 was originally released in 1998-1999 and was about $5,000 US.  Since then, hardware and software for hardware firewalls and Intrusion Detection Systems (IDS) have improved greatly.  As companies grow, their equipment is replaced, and you can normally get this off-lease or refurbished equipment on sites such as eBay for fairly cheap.  I was able to get my hardware for $63.00 shipped.  This included an AMD K6-2 400 MHz CPU, 256 MB of SDRAM, and a 2 GB hard drive.  What this piece of hardware is, basically, is a computer packed into a 1U rack mount case.

The hardware is the foundation on which the software will run.  As of right now I know of a few different configurations of this hardware.  I was one of the fortunate ones who got a 400 MHz processor.  Most of them that I see now are 266 MHz.  The other thing that is important is the amount of RAM.  The hardware supports up to 512 MB of RAM.  From what I can tell it takes just standard PC100/133 SDRAM.  As far as the hard drive goes, I am pretty sure you can use whatever size you need up to about 20 GB.  The smaller the hard drive, the more often you are going to need to clear out the logs so that you don't run out of space.  From past experience I have not been able to get anything bigger than 20 GB to be recognized by the BIOS.  20 GB is more than enough room as long as the snort logs are managed.

Now that you know a little bit about the hardware, the other major component that you are going to use is Smoothwall.  Smoothwall is an open source program that was started in 2000.  Since then it has grown into one of the most used open source firewalls on the planet.  It is recognized for its easy install and easy use/setup.  These are all key things for people who are just starting out in the world of firewalls.  As you advance in your knowledge you can download plug-ins that are developed to give you more control of your hardware and firewall.  We will be using the most recent stable version of Smoothwall Express, which is version 3.0.

What you are going to need:

- Nokia IP330
- Screwdriver (note: you could need a Torx screwdriver)
- Donor computer (a computer to install the software)
- About 1-3 hours, depending on how fast you are
- Smoothwall 3.0 burned on a CD
- Null modem serial cable (HIGHLY RECOMMENDED)


Let's get started:

First things first, YOU WILL VOID ANY TYPE OF WARRANTY ON THE HARDWARE IF YOU OPEN THE CASE.  This should not be that big of a deal because the IP330 is a piece of End of Life/End of Sale equipment.  With that being said, let's go.  (If you are able to boot your device and get the MAC addresses from the Network Interface Cards, that is awesome.  However, if you are not, don't worry; I will address this later.)

1) Remove power cord from unit and open the case.


2) Remove the hard drive from the case itself.  There are 4 - 6 screws that are located below the hard drive on the underside of the case.  The power cable can be a bit difficult to remove but it does come out!  Also remove the IDE connection from the hard drive.

3) This is the part for the donor computer.  What you are going to do is install the hard drive on its OWN channel.  That means that one cable will run to just the hard drive pulled from the IP330 and the other will run to the CD-ROM drive.  Smoothwall 3.0 is really picky about having the hard drive and CD-ROM drive on their own channels, or at least it was for the IP330 hardware.

4) Insert the CD into the CD-ROM drive.

5) Boot the computer.  You might need to change the boot order so that the CD-ROM boots.  You should see a Smoothwall install screen where you need to press Enter.  This will begin the installation process.

6) Follow the install process.  You can probe for network adapters and just use whatever it comes up with.  Select GREEN/RED for the type of network you want to set up.  This is NOT the default configuration!!  Make sure you select GREEN/RED and not GREEN/RED (ISDN or MODEM).

7) Now that the install is complete, restart the donor computer.  You should be greeted by the Smoothwall boot screen.  Allow the box to boot.  You should then see the login prompt.

8) Log in as root and use the password that you set during the install.

9) Now you should be logged in and have a command line type of interface.  Type vi /var/smoothwall/ethernet/settings .  This will bring up the config for the Ethernet settings for the new box. 

10) At the top of the screen you should see CONFIG_TYPE=
a) 1 for RED/DSL
b) 2 for RED/GREEN
c) 3 for RED/GREEN/ORANGE
We are going to select 3 for that type.  So the line should look like CONFIG_TYPE=3

[Image: weird camera angle, the case is not bent]


11) Next it is time to see all of the driver types.  You should see GREEN_DRIVER, RED_DRIVER, ORANGE_DRIVER.  You are going to set all of those values to eepro100 .

12) Once you set that all up it is time to configure the zones.  GREEN = internal (trusted), ORANGE = DMZ, RED = WAN.  Green is going to be DHCP controlled along with RED, since you are going to be getting an IP from a modem of some sort.
Here is how my box is currently configured:

mobilewall (root) ~ $ more /var/smoothwall/ethernet/settings
CONFIG_TYPE=3
GREEN_DEV=eth0
ORANGE_DEV=eth1
PURPLE_DEV=
RED_DEV=eth2
ORANGE_DRIVER=eepro100
ORANGE_DRIVER_OPTIONS=
ORANGE_DISPLAYDRIVER=eepro100
GREEN_DRIVER=eepro100
GREEN_DRIVER_OPTIONS=
GREEN_DISPLAYDRIVER=eepro100
RED_DRIVER=eepro100
RED_DRIVER_OPTIONS=
RED_DISPLAYDRIVER=eepro100
GREEN_ADDRESS=10.0.0.1
GREEN_NETMASK=255.255.255.0
GREEN_NETADDRESS=10.0.0.0
GREEN_BROADCAST=10.0.0.255
ORANGE_ADDRESS=10.10.0.1
ORANGE_NETMASK=255.255.255.0
ORANGE_NETADDRESS=10.10.0.0
ORANGE_BROADCAST=10.10.0.255
RED_DHCP_HOSTNAME=mobilewall
RED_ADDRESS=0.0.0.0
RED_NETMASK=0.0.0.0
RED_TYPE=DHCP
RED_NETADDRESS=0.0.0.0
RED_BROADCAST=255.255.255.255


13) Also make sure that you set GREEN_DEV=eth0 , ORANGE_DEV=eth1 , RED_DEV=eth2 . 

14) When all of these changes are completed press Esc, then Shift+; , then type wq! . ( Note: it has to be wq! and not WQ! )
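
A way to check the saved file before going on (an added example, not part of the original guide or of Smoothwall): it sources the settings file the same way rc.network does and verifies the values this guide calls for, plus that each static zone's network and broadcast addresses follow from its address and netmask. The function names are made up for this example.

```sh
#!/bin/sh
# Added example, not part of the original guide.
# Usage: sh check_settings.sh /var/smoothwall/ethernet/settings

# Dotted-quad IPv4 -> integer (runs in a subshell so IFS does not leak).
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# check_settings FILE: print one line per problem; exit status = problem count.
# FILE is sourced exactly as rc.network sources it, so give a path with a "/".
check_settings() (
    . "$1" || exit 99
    problems=0
    fail() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

    [ "$CONFIG_TYPE" = 3 ] || fail "CONFIG_TYPE='$CONFIG_TYPE' (guide uses 3)"
    for zone in GREEN ORANGE RED; do
        eval "dev=\$${zone}_DEV drv=\$${zone}_DRIVER"
        [ -n "$dev" ] || fail "${zone}_DEV is empty"
        [ "$drv" = eepro100 ] || fail "${zone}_DRIVER='$drv' (guide uses eepro100)"
    done
    if [ "$GREEN_DEV" = "$ORANGE_DEV" ] || [ "$GREEN_DEV" = "$RED_DEV" ] ||
       [ "$ORANGE_DEV" = "$RED_DEV" ]; then
        fail "two zones are mapped to the same ethN device"
    fi

    # Static zones: NETADDRESS and BROADCAST must follow from ADDRESS/NETMASK.
    for zone in GREEN ORANGE; do
        eval "a=\$${zone}_ADDRESS m=\$${zone}_NETMASK"
        eval "n=\$${zone}_NETADDRESS b=\$${zone}_BROADCAST"
        if [ -z "$a" ] || [ -z "$m" ] || [ -z "$n" ] || [ -z "$b" ]; then
            fail "$zone has an empty address field"; continue
        fi
        ai=$(ip2int "$a"); mi=$(ip2int "$m")
        net=$(( ai & mi )); bcast=$(( net | (mi ^ 4294967295) ))
        [ "$net" -eq "$(ip2int "$n")" ] || fail "${zone}_NETADDRESS is wrong"
        [ "$bcast" -eq "$(ip2int "$b")" ] || fail "${zone}_BROADCAST is wrong"
    done
    exit "$problems"
)

if [ $# -gt 0 ]; then check_settings "$1"; fi
```

RED is left out of the address check because it is DHCP controlled in this setup.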

15) Next it is time to set the MAC addresses for the interfaces.  Type vi /etc/rc.d/rc.network .  This should bring up another text screen.  What you are looking for is a for loop statement.  At the end there is the word done.  Then type the following, each on a separate line.  This step must be done; otherwise, when the device boots you will lease an IP address on the Green network but will not be able to pull up the web-based GUI.
ifconfig eth0 hw ether 00:a0:8e:e:50:78
ifconfig eth1 hw ether 00:a0:8e:e:50:7c
ifconfig eth2 hw ether 00:a0:8e:e:50:80

#!/bin/sh
. /var/smoothwall/ethernet/settings

echo "Setting up ISDN"
. /etc/rc.d/rc.isdn
echo "Setting up ADSL"
. /etc/rc.d/rc.adsl

/sbin/modprobe ppp_synctty
/sbin/modprobe ppp_async

echo "Setting up loopback"
ifconfig lo localhost up

echo "Loading QOS modules"
/sbin/modprobe sch_sfq
/sbin/modprobe sch_htb

echo "Loading SPI modules"
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_nat
/sbin/modprobe iptable_mangle
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_REDIRECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_ACCOUNT
/sbin/modprobe ipt_CLASSIFY
/sbin/modprobe ipt_TOS
/sbin/modprobe ipt_state
/sbin/modprobe ipt_multiport
/sbin/modprobe ipt_connmark
/sbin/modprobe ipt_ipp2p
/sbin/modprobe ipt_dscp
/sbin/modprobe xt_mark
/sbin/modprobe xt_tcpudp
/sbin/modprobe xt_length
/sbin/modprobe xt_MARK
/sbin/modprobe xt_CONNMARK

echo "Loading MASQ helper modules"
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_mms
/sbin/modprobe ip_nat_mms
/sbin/modprobe ip_conntrack_pptp
/sbin/modprobe ip_nat_pptp

# Remove possible leftover files
rm -f /var/smoothwall/red/*

for NIC in 0 1 2 3; do
        ETHX="eth${NIC}"
        if [ "$GREEN_DEV" = "$ETHX" ]; then
                if [ "$GREEN_DRIVER" != "" ]; then
                        /sbin/modprobe $GREEN_DRIVER $GREEN_DRIVER_OPTIONS
                fi
        fi
        if [ "$ORANGE_DEV" = "$ETHX" ]; then
                if [ "$ORANGE_DRIVER" != "" ]; then
                        /sbin/modprobe $ORANGE_DRIVER $ORANGE_DRIVER_OPTIONS
                fi
        fi
        if [ "$RED_DEV" = "$ETHX" ]; then
                if [ "$RED_DRIVER" != "" ]; then
                        /sbin/modprobe $RED_DRIVER $RED_DRIVER_OPTIONS
                fi
        fi
done
ifconfig eth0 hw ether 00:a0:8e:e:78:50
ifconfig eth1 hw ether 00:a0:8e:e:78:80
ifconfig eth2 hw ether 00:a0:8e:e:78:7c


# Forwarding.  This is set here to shutup warnings from ipchains.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/tcp_ecn

echo "Bringing network up"
. /etc/rc.d/rc.netaddress.up

. /var/smoothwall/ppp/settings
if [ "$AUTOCONNECT" = "on" ]; then
        echo "Bringing up modem/ISDN link"
        /usr/bin/smoothcom updown UP
fi


These are MAC addresses pulled from an IP330 that was still running the original software.  These are also what my hardware is running for MAC addresses.  If you are going to run more than one on a network, you are going to need to make up unique ones for each NIC.  If you have issues connecting to your ISP after setting these MACs, try changing them, as these are just generic Intel MAC addresses.
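
A check for the override lines from step 15 (an added example, not from the original post or from Smoothwall): it lists each ifconfig ... hw ether line in rc.network and flags malformed, multicast and duplicated addresses, which matters once you start making up MACs for a second box. The function name is made up here, and it assumes a one-digit octet such as e means 0e.

```sh
#!/bin/sh
# Added example, not part of the original guide.
# Usage: sh check_macs.sh /etc/rc.d/rc.network

# check_mac_overrides FILE
#   Prints "ethN normalized-mac" for every "ifconfig ethN hw ether MAC" line
#   and a PROBLEM line for each defect. Exit status = number of problems.
check_mac_overrides() {
    awk '
    $1 == "ifconfig" && $3 == "hw" && $4 == "ether" {
        n = split(tolower($5), oct, ":")
        bad = (n != 6); mac = ""
        for (i = 1; i <= n; i++) {
            if (oct[i] !~ /^[0-9a-f][0-9a-f]?$/) bad = 1
            # Assumption: a one-digit octet such as "e" means "0e".
            if (length(oct[i]) == 1) oct[i] = "0" oct[i]
            mac = mac (i > 1 ? ":" : "") oct[i]
        }
        if (bad) { print "PROBLEM: " $2 " malformed MAC " $5; p++; next }
        # Low bit of the first octet set = multicast, never valid for a NIC.
        if (index("13579bdf", substr(oct[1], 2, 1))) {
            print "PROBLEM: " $2 " has a multicast MAC " mac; p++
        }
        if (mac in seen) {
            print "PROBLEM: " $2 " duplicates " seen[mac] " (" mac ")"; p++
        }
        seen[mac] = $2
        print $2, mac
    }
    END { exit p + 0 }' "$1"
}

if [ $# -gt 0 ]; then check_mac_overrides "$1"; fi
```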

16) Next will be the configuration for the output via the console.  This is very very very important with 3.0!!!  If you decide NOT to do this then when the host is updated you will hose your IP 330.  So I highly recommend doing this.  You will be adding this line:  1:2345:respawn:/sbin/agetty -h ttyS0 9600 vt100
mobilewall (root) ~ $  more /etc/inittab
id:3:initdefault:

l0:0:wait:/etc/rc.d/rc.halt halt
l6:6:wait:/etc/rc.d/rc.halt reboot

si::sysinit:/etc/rc.d/rc.sysinit

# Trap CTRL-ALT-DELETE
ca::ctrlaltdel:/sbin/shutdown -h now

# Run gettys in standard runlevels
1:2345:respawn:/sbin/agetty -h ttyS0 9600 vt100
2:2345:respawn:/sbin/agetty 38400 tty2
3:2345:respawn:/sbin/agetty 38400 tty3
4:2345:respawn:/sbin/agetty 38400 tty4
5:2345:respawn:/sbin/agetty 38400 tty5
6:2345:respawn:/sbin/agetty 38400 tty6



18) Again, when all of these changes are completed press Esc, then Shift+; , then type wq! . ( Note: it has to be wq! and not WQ! )  What you just did is allow the output to go to the serial port.

19) Now type vi /etc/lilo.conf
Lower the boot timeout value to boot the device faster (I would recommend this).

Sample Config:

mobilewall (root) ~ $ more /etc/lilo.conf
boot=/dev/harddisk
map=/boot/map
install=/boot/boot-bmp.b
prompt
timeout=10
lba32
default=SmoothWall
read-only
root=/dev/harddisk4
bitmap=/boot/image.bmp
bmp-colors=13,,12;14,,12
bmp-table=100p,348p,1,3,
bmp-timer=74,29,;,,
append="ramdisk_size=8192 no-scroll panic=30"
image=/boot/vmlinuz-2.6.16.53
        initrd=/boot/initrd-2.6.16.53.gz
        label=SmoothWall



20) Again, when all of these changes are completed press Esc, then Shift+; , then type wq! . ( Note: it has to be wq! and not WQ! )  What you just did is allow the boot prompt to go to the serial port.

21) Type lilo , press Enter, then type shutdown -h now .  At this point the computer should shut down.  Remove the hard drive and reinstall it into the IP330 case.

22) Connect an Ethernet cord to the GREEN NIC and an Ethernet cord from the modem to the RED NIC.

23) You should be able to go to http://GREEN_ADDRESS:81 and see the Web based GUI.  Click on the maintenance tab. 

24) If you configured the optional Serial console then keep reading.  On the maintenance tab apply the first fix.  Reboot and connect the null modem cable to the IP330's console port.

25) You will notice that the fix has made it so that you cannot get to the web-based GUI, but any computer on the Green interface will get an IP address.  Repeat step #15, adding the MAC address, and then reboot the IP330 once again.  This should restore access to the GUI and network access in general.

26) That should be it.  If you have problems you can see what is going on by plugging a null modem serial cable into the console port on the Nokia and into a serial port on any computer.  Then configure HyperTerminal and you should be able to see what is going on.


Conclusion:

What you have just done is take an old piece of hardware and make it useful again!  Not only that, but it looks cool, is functional, and provides additional security to your network.  As always, if you have questions feel free to post in the HELP Hardware/Networking section of the Forum.



