RFC: Ubuntu Gateway
john.r.moser at gmail.com
Thu Feb 19 22:09:48 UTC 2009
I pondered this ages ago and I'll ponder it again: Network gateway.
Everyone's probably familiar with those little Linksys routers (or the
Belkin or D-Link ones, or whatever) that you put between you and the
evil Internet thing. Small, useless, but give you NAT to protect
yourself at least. I've always had the belief that I could do better
myself-- I'm not the only one, either, considering the prevalence of
things like OpenWRT for Linksys WRT-54G.
Let's for the moment assume you have a multi-NIC (both wired and
wireless) Ubuntu box instead, and consider what we can do with it.
Note that this also applies to small embedded systems like the
WRT-54G, if they have more hard disk space/memory; that sort of
hardware could be packed into the same form factor, at higher premium
of course (roughly $100 more).
First off, let's outline a few things we know are explicitly possible.
- Switch (bridging NICs)
- Wireless Access Point (hostap)
- Proxy server
- Transparent proxy server - Firewall can force routed packets on
port 80 to local ports, and Squid can pick them up and forward them to
any specific proxy server address
- Any host of server software
- Network security software (snort etc)
Of these, we know we definitely want to run as a Router, with
switching function, NAT, and DHCP. We'd also want wireless access
point, with WPA and all.
Users would definitely want a firewall. A default full stateful
firewall would be useful (iptables -A FORWARD -m state --state
ESTABLISHED,RELATED -j ACCEPT ; iptables -A FORWARD ! -i eth0 -m state
--state NEW -j ACCEPT), as well as stateful on input (replace FORWARD
with INPUT). More flexible controls -- port forwarding, UPnP, a DMZ,
blocking specific outgoing port ranges -- would help power users.
A caching transparent proxy server option would personally interest
me. This would be Squid with transparent HTTP proxy, and a proxy
setup that intercepts port 80 FORWARD requests and redirects them to
localhost (iptables -t nat -A PREROUTING ! -i eth0 ! -d 192.168.1.0/24
-p tcp --dport 80 -j REDIRECT --to-ports 3128). Squid could handle a
cache several gigabytes wide for the network.
Another interesting thought about transparent proxy servers is you can
give the user the option to add DansGuardian or any generic parent
proxy (i.e. Websense) as a mandatory parent, meaning Squid has to
traverse a content filter. In primary schools, this would satisfy
regional regulations about properly controlling students' access to
questionable materials: The school supplies the service (Websense),
and the students duck around the proxy configuration in IE (registry
hack or Portable Firefox); the outgoing HTTP connection gets forced to
proxy anyway, unless it's on a weird port (unlikely). I used to play
with this stuff when I was 16, because I'd broken through the high
school's proxy server and a week later was showing the teachers how
this worked and also explaining some other stuff out there that let me
counter this sort of attack (yeah I know, I did this all the time,
they always let me get away with breaking their security systems over
The last thing is, of course, apt-cacher, and configuring Apt (by
automatic scanning of the local network, or adding mDNS, of course) to
These sorts of things seem interesting to me. It would be rather
unlikely that an end user would manually set up a 6 NIC + wifi desktop
machine, designate eth0 as the WAN port, plug in their cable/dsl
modem, and install "Ubuntu Network Gateway Edition" or whatnot;
however it's also exceedingly unlikely an end user would download
Ubuntu Netbook Edition for their laptop. What is likely is that, as
with the Netbook version, hardware vendors would ship a mid-end $200
gateway with an advanced "Transparent Internet Accelerator" (caching
proxy server) and "Transparent Parental Controls" using a 16GB SSD (SD
card is like $25), 2 gigs of RAM ($20), and the typical i686-based
hardware that i.e. a WRT-54G ships with ($60), totaling what, $105 at
a glance, bulk manufacture orders being much less?
Does anyone else want to join in on this thought experiment and
consider what the administrative console would look like; what the end
user would want; how to market it to manufacturers; how manufacturers
would market it to end-users; etc?
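The gateway ruleset sketched in the post (stateful FORWARD and INPUT, NAT, the transparent redirect of port 80 to Squid, and the port forwarding mentioned for power users), as an added example that is not part of the original post or of any Ubuntu package: a POSIX shell function that emits a complete iptables-restore file instead of issuing rules one at a time, so the whole policy can be reviewed and applied atomically. The interface names (eth0 as WAN, br0 as the bridged LAN), the 192.168.1.0/24 subnet, Squid on port 3128 and the forwarded host in the usage line are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not code from the original post. Emits an iptables-restore
# ruleset for an Ubuntu NAT gateway: stateful INPUT/FORWARD, MASQUERADE on the
# WAN side, transparent redirect of LAN port-80 traffic to a local Squid, and
# optional port forwards. All names below (eth0, br0, 192.168.1.0/24, port
# 3128, the forwarded host) are assumptions used for illustration.

# gen_gateway_rules WAN LAN LAN_NET SQUID_PORT [PROTO:WANPORT:LANIP:LANPORT ...]
# Prints the ruleset on stdout; apply it atomically with iptables-restore.
gen_gateway_rules() {
    wan=$1; lan=$2; lan_net=$3; squid=$4
    shift 4
    fwd_nat=''; fwd_filter=''
    # Each extra argument is one port forward, e.g. tcp:2222:192.168.1.10:22.
    # A forward needs a DNAT rule and an explicit FORWARD accept, because the
    # FORWARD policy below drops NEW connections arriving on the WAN.
    for spec in "$@"; do
        proto=${spec%%:*}; rest=${spec#*:}
        wport=${rest%%:*};  rest=${rest#*:}
        lanip=${rest%%:*};  lanport=${rest#*:}
        fwd_nat="$fwd_nat-A PREROUTING -i $wan -p $proto --dport $wport -j DNAT --to-destination $lanip:$lanport
"
        fwd_filter="$fwd_filter-A FORWARD -i $wan -o $lan -d $lanip -p $proto --dport $lanport -m conntrack --ctstate NEW -j ACCEPT
"
    done
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and connection tracking first; INVALID packets are dropped outright.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Services the gateway itself offers, and only to the LAN: DHCP, DNS, SSH,
# Squid, ping. Opening the Squid port towards the WAN would make it an open proxy.
-A INPUT -i $lan -p udp --dport 67 -j ACCEPT
-A INPUT -i $lan -p udp --dport 53 -j ACCEPT
-A INPUT -i $lan -p tcp --dport 53 -j ACCEPT
-A INPUT -i $lan -p tcp --dport 22 -j ACCEPT
-A INPUT -i $lan -p tcp --dport $squid -j ACCEPT
-A INPUT -i $lan -p icmp --icmp-type echo-request -j ACCEPT
# Forwarding: replies both ways, NEW connections only from the LAN outwards.
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -m conntrack --ctstate NEW -j ACCEPT
EOF
    printf '%s' "$fwd_filter"
    cat <<EOF
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Transparent proxy: LAN clients' port 80 connections bound for the Internet
# go to Squid; connections to LAN addresses (the gateway included) do not.
-A PREROUTING -i $lan ! -d $lan_net -p tcp --dport 80 -j REDIRECT --to-ports $squid
EOF
    printf '%s' "$fwd_nat"
    cat <<EOF
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# Stand-alone use: ./gateway-rules.sh eth0 br0 192.168.1.0/24 3128 | iptables-restore
if [ "$#" -ge 4 ]; then
    gen_gateway_rules "$@"
fi
```

Apply with `sysctl -w net.ipv4.ip_forward=1` first, then `gen_gateway_rules eth0 br0 192.168.1.0/24 3128 | iptables-restore`; Squid needs `http_port 3128 intercept` (Squid 3.1 and later; 2.x and 3.0 spelled it `transparent`). Three points differ from the inline rules in the post on purpose: NEW connections are matched positively on the LAN interface rather than with `! -i eth0`, so a NIC plugged in later is not trusted by accident; the INPUT chain lists the services the gateway offers instead of accepting all NEW traffic from the LAN, which is what "replace FORWARD with INPUT" would do; and the Squid port is reachable from the LAN only. The redirect covers port 80 alone, so HTTPS on 443 and anything on other ports pass through NAT uninspected, which is the gap any content-filtering setup built on this has to accept or handle elsewhere.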
More information about the Ubuntu-devel-discuss