Installing a Linux Firewall/Router
This is a description of my experience configuring a spare computer to serve as a Linux firewall/router. I had to look in a number of places to find the information I needed, but I've tried to list everything I did so that anyone can duplicate my efforts by reading only this. The equipment I used for this project consisted of the following:
- Workstation running Mandrake Linux 8.2 with one NIC
- Firewall (Pentium 200)
- 2 NICs
- 1 patch cable
- 1 crossover cable
The patch cable runs from my cable modem to the first NIC on the firewall. The crossover cable then runs from the second NIC in the firewall to my workstation.
My workstation was already using the Road Runner connection and was assigned a dynamic IP address with dhcpcd. I shut down networking with this command: "/etc/init.d/networking stop". I then unplugged the power from the cable modem for 30 seconds or more. While the modem was unplugged, I ran the Ethernet cable from the modem to the first NIC (eth0) in the firewall. I then ran the crossover cable from the second NIC (eth1) in the firewall to my workstation. I plugged in the cable modem and booted into the Linux install on the firewall.
I installed RedHat 7.3 using the "Custom" install. The install described here only takes around 300mb, but you'll need extra room for logs, installing updates, etc. I created two partitions, a 650mb root partition and a 128mb swap partition. During the install I set eth0 to use dhcp and enabled it at boot. I also set eth1 to use dhcp, since I did not yet know the information to plug in for it, but I did not set it to be enabled at boot. After the install was complete, I went back and configured eth1 correctly.
In the package selection part, I deselected everything except the Networking, firewall/router, and the Emacs options (I refuse to live without Emacs). I used the "select individual packages" option to deselect things like "Finger, Finger Server, Telnet, Telnet Server", etc. that I didn't want on a firewall.
After the install was complete, I rebooted into Linux. If everything goes smoothly, the computer should have gotten an IP from Road Runner and the firewall should now be connected to the Internet. You can try pinging a server like yahoo.com to see if it worked. You can also use the "ifconfig" command to check the eth0 interface and see if it was assigned an IP address.
I only wanted to allow access to ssh from my local network so I went ahead and set a default deny in my /etc/hosts.deny file. To do that add a line like this:
I then edited my /etc/hosts.allow file to allow ssh connections from my local network. I added this line:
sshd : 192.168.0.0/255.255.255.0 : ALLOW
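To see how the two files interact (hosts.allow is consulted first, then hosts.deny, and a client matching neither is let in), here is a small model of the TCP wrappers decision, added as an illustration; it is not code from the original page and not the libwrap implementation. It handles the subset of the syntax used above (ALL, a single address, the net/mask form, and the optional trailing ALLOW/DENY keyword). The hosts.allow line is the one from the page; the hosts.deny line "ALL : ALL" is my assumption of what the default-deny entry looks like, and the client addresses are constructed.

```python
"""Model of TCP wrappers (hosts.allow / hosts.deny) access decisions.
Added illustration, not the page's or libwrap's own code; supports only
ALL, a single IP, the net/mask form and a trailing ALLOW/DENY option."""
import ipaddress


def _client_matches(pattern, client_ip):
    """Match one client pattern against a dotted IPv4/IPv6 address."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    ip = ipaddress.ip_address(client_ip)
    if "/" in pattern:
        # net/mask form, e.g. 192.168.0.0/255.255.255.0 (dotted masks are accepted)
        net, mask = pattern.split("/", 1)
        return ip in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return ip == ipaddress.ip_address(pattern)


def _daemon_matches(pattern, daemon):
    pattern = pattern.strip()
    return pattern == "ALL" or pattern == daemon


def parse_rules(text):
    """Parse 'daemons : clients [: option]' lines; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = fields[0].split()
        clients = fields[1].split()
        option = fields[2].upper() if len(fields) > 2 else None
        rules.append((daemons, clients, option))
    return rules


def _first_match(rules, daemon, client_ip):
    for daemons, clients, option in rules:
        if any(_daemon_matches(d, daemon) for d in daemons) and \
           any(_client_matches(c, client_ip) for c in clients):
            return True, option
    return False, None


def access_allowed(daemon, client_ip, hosts_allow, hosts_deny):
    """hosts.allow is checked first, then hosts.deny; no match at all
    means access is granted. An explicit ALLOW/DENY keyword on the
    matching line overrides the file it appears in."""
    matched, option = _first_match(parse_rules(hosts_allow), daemon, client_ip)
    if matched:
        return option != "DENY"
    matched, option = _first_match(parse_rules(hosts_deny), daemon, client_ip)
    if matched:
        return option == "ALLOW"
    return True


# Line from the page's hosts.allow.
HOSTS_ALLOW = "sshd : 192.168.0.0/255.255.255.0 : ALLOW\n"
# Assumed default-deny entry for hosts.deny (the page does not show its line).
HOSTS_DENY = "ALL : ALL\n"

if __name__ == "__main__":
    # Constructed client addresses: the workstation and an outside host.
    print(access_allowed("sshd", "192.168.0.2", HOSTS_ALLOW, HOSTS_DENY))   # True
    print(access_allowed("sshd", "203.0.113.5", HOSTS_ALLOW, HOSTS_DENY))   # False
    # Without a default deny, an unlisted service/client pair is let in.
    print(access_allowed("in.telnetd", "203.0.113.5", HOSTS_ALLOW, ""))     # True
```

The last call is the reason for the default-deny line: with only hosts.allow populated, any wrapped service the allow file does not mention is reachable from anywhere.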
I then updated my system using RedHat's up2date service.
RedHat uses ipchains as the default firewall tool, but I prefer iptables. I ran the "setup" command as root and used the "System services" tool to disable ipchains and enable iptables. I also took this opportunity to disable any other services I didn't want running. I rebooted at this point to enable the kernel updates and the other changes I had made.
I then used the Linux IP Masquerade How-To to create a set of firewall rules to enable NAT and allow my workstation to use the firewall to connect to the Internet. To keep things simple, I trimmed their rules down to the following script:
#!/bin/sh
IPTABLES=/sbin/iptables

# Enable forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
# The following three lines are not necessary for NAT, but provide some security
# by blocking any connections from being initiated from outside the network.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# "-i ! eth0" matches anything not arriving on the external NIC (lo and eth1);
# newer iptables releases spell this "! -i eth0".
$IPTABLES -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
$IPTABLES -A INPUT -j DROP

$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT

$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
# Only replies to connections the LAN opened may come back in from eth0.
$IPTABLES -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -o eth0 -j ACCEPT
# Anything else is logged and then falls through to the DROP policy.
$IPTABLES -A FORWARD -j LOG
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE
I named this file "rc.firewall-2.4", made it executable (chmod 700 rc.firewall-2.4), and placed it in the /etc/rc.d directory. I then added the following line to the end of the /etc/rc.d/rc.local file:
That will enable the firewall rules when the system boots up. I ran the firewall script manually so that NAT would be enabled without having to reboot.
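To check what the rule set actually does to a given packet, here is a small first-match model of its INPUT and FORWARD chains, added as an illustration; it is not code from the original page and not netfilter itself. The chains are transcribed from the rc.firewall-2.4 script above; the interface names follow the page, and the sample packets are constructed.

```python
"""First-match model of the page's INPUT and FORWARD chains.
Added illustration (not the page's code, not netfilter): each rule
matches on -i, -i !, -o and conntrack state; LOG is non-terminating."""
from dataclasses import dataclass
from typing import Optional, Set

WAN = "eth0"   # NIC cabled to the modem, as on the page
LAN = "eth1"   # NIC cabled to the workstation, as on the page


@dataclass
class Packet:
    in_if: str             # interface the packet arrived on
    out_if: Optional[str]  # interface it would leave on (FORWARD only)
    state: str             # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass
class Rule:
    target: str                       # ACCEPT, DROP or LOG
    in_if: Optional[str] = None       # -i <iface>
    not_in_if: Optional[str] = None   # -i ! <iface>
    out_if: Optional[str] = None      # -o <iface>
    states: Optional[Set[str]] = None # -m state --state ...

    def matches(self, p: Packet) -> bool:
        if self.in_if is not None and p.in_if != self.in_if:
            return False
        if self.not_in_if is not None and p.in_if == self.not_in_if:
            return False
        if self.out_if is not None and p.out_if != self.out_if:
            return False
        if self.states is not None and p.state not in self.states:
            return False
        return True


# Chains transcribed from the rc.firewall-2.4 script.
INPUT_POLICY = "ACCEPT"
INPUT = [
    Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
    Rule("ACCEPT", not_in_if=WAN, states={"NEW"}),
    Rule("DROP"),
]
FORWARD_POLICY = "DROP"
FORWARD = [
    Rule("ACCEPT", in_if=WAN, out_if=LAN, states={"ESTABLISHED", "RELATED"}),
    Rule("ACCEPT", in_if=LAN, out_if=WAN),
    Rule("LOG"),
]


def verdict(chain, policy, p):
    """Walk the chain; the first matching terminating target decides.
    Returns (target, logged). LOG only records a hit and continues."""
    logged = False
    for rule in chain:
        if rule.matches(p):
            if rule.target == "LOG":
                logged = True
                continue
            return rule.target, logged
    return policy, logged


def input_verdict(p):
    return verdict(INPUT, INPUT_POLICY, p)[0]


def forward_verdict(p):
    return verdict(FORWARD, FORWARD_POLICY, p)


if __name__ == "__main__":
    # Constructed sample packets.
    print(input_verdict(Packet(WAN, None, "NEW")))       # DROP: unsolicited, from the Internet
    print(input_verdict(Packet(LAN, None, "NEW")))       # ACCEPT: e.g. ssh from the workstation
    print(forward_verdict(Packet(LAN, WAN, "NEW")))      # ('ACCEPT', False): LAN going out
    print(forward_verdict(Packet(WAN, LAN, "NEW")))      # ('DROP', True): logged, then policy
```

Note that the INPUT chain's DROP rule, not the ACCEPT policy, is what decides an unsolicited packet from eth0; if the three rules were left out, the policy would let it straight through to whatever is listening on the firewall.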
Now it was time to go back and configure the eth1 interface. I edited /etc/sysconfig/network-scripts/ifcfg-eth1 to contain these three lines:
DEVICE=eth1
IPADDR=192.168.0.1
ONBOOT=yes
I restarted the networking services by running "/etc/init.d/network restart".
I used linuxconf to configure my client. Under Networking -> Host name and IP network devices, I configured "Adapter 1", eth0, to use manual configuration. I gave it an IP address of 192.168.0.2 and a Netmask of 255.255.255.0. I left the other options alone. Then under Networking -> Routing and gateways, I clicked the "set" button and set the gateway as 192.168.0.1. I left the "enable routing" option un-checked. On the firewall, DHCP set the DNS server information for me, but since I entered the IP manually on the client I needed to set the DNS server information myself. I just copied the information in the /etc/resolv.conf file on the firewall to the /etc/resolv.conf file on the client. It should look something like this:
nameserver x.x.x.x
search domain.com
I then restarted the networking services on the client by running "/etc/init.d/network restart" and that was it.
Resources
- Home Network Mini How-To
- NAT How-To
- Linux IP Masquerade How-To