Web Tool Bag  
Installing a Linux Firewall/Router

This is a description of my experience configuring a spare computer to serve as a Linux firewall/router. I had to look in a number of places to find the information I needed, but I've tried to list everything I did so that anyone can duplicate my efforts by reading only this. The equipment I used for this project consisted of the following:
  • Workstation running Mandrake Linux 8.2 with one NIC
  • Firewall (Pentium 200)
  • 2 NICs
  • 1 patch cable
  • 1 crossover cable
The patch cable runs from my cable modem to the first NIC on the firewall. The crossover cable then runs from the second NIC in the firewall to my workstation. 
 

My workstation was already using the Road Runner connection and was assigned a dynamic IP address with dhcpcd. I shut down networking with this command: "/etc/init.d/networking stop". I then unplugged the power from the cable modem for 30 seconds or more. While the modem was unplugged, I ran the Ethernet cable from the modem to the first NIC (eth0) in the firewall. I then ran the crossover cable from the second NIC (eth1) in the firewall to my workstation. I plugged in the cable modem and booted into the Linux install on the firewall.

Firewall Installation

I installed RedHat 7.3 using the "Custom" install. The install described here only takes around 300 MB, but you'll need extra room for logs, installing updates, etc. I created two partitions: a 650 MB root partition and a 128 MB swap partition. During the install I set eth0 to use DHCP and enabled it at boot. I also set eth1 to use DHCP, since I did not yet know the information to plug in for it, but I did not set it to be enabled at boot. After the install was complete, I went back and configured eth1 correctly.

In the package selection part, I deselected everything except the Networking, firewall/router, and Emacs options (I refuse to live without Emacs). I used the "select individual packages" option to deselect things like "Finger, Finger Server, Telnet, Telnet Server", etc. that I didn't want on a firewall.

Firewall Configuration

After the install was complete, I rebooted into Linux. If everything goes smoothly, the computer should have gotten an IP from Road Runner and the firewall should now be connected to the Internet. You can try pinging a server like yahoo.com to see if it worked. You can also use the "ifconfig" command to check the eth0 interface and see if it was assigned an IP address.

I only wanted to allow access to ssh from my local network, so I went ahead and set a default deny in my /etc/hosts.deny file. To do that, add a line like this:

ALL:ALL

I then edited my /etc/hosts.allow file to allow ssh connections from my local network. I added this line:

sshd : 192.168.0.0/255.255.255.0 : ALLOW

hosts.allow is consulted before hosts.deny and the first matching line wins, so the sshd entry takes effect even though hosts.deny denies everything. Keep in mind that these two files only govern services that pass through TCP wrappers (started from tcpd or linked against libwrap, as RedHat's sshd is); any other daemon listening on the box is unaffected by them, which is why the packet-filter rules further down still matter.
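To see exactly which connections those two lines let through, here is an added example (not part of the article) that models the libwrap decision in POSIX shell: hosts.allow is checked first and its first matching line grants access, then hosts.deny is checked and its first matching line denies, and anything unmatched is allowed. The sample hosts.allow and hosts.deny are constructed in a temporary directory and reproduce the article's configuration; the daemon name in.telnetd and the outside address 203.0.113.5 are assumptions chosen for the probes.

```shell
#!/bin/sh
# tcpwrap-check.sh: simulate the libwrap (hosts.allow / hosts.deny) decision
# for one daemon and one client address.  Added example, not code from the
# article; a model of the access-control logic, not libwrap itself.
# Handled: ALL, daemon names, comma-separated lists, n.n.n.n/m.m.m.m,
# n.n.n.n/bits, dotted prefixes such as "192.168.0." and the ALLOW/DENY
# option field.  Hostnames, EXCEPT and spawn/twist options are not modelled.

ip2int() {
    # Dotted quad -> integer, e.g. 192.168.0.1 -> 3232235521
    echo "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

bits2mask() {
    # Prefix length -> integer netmask, e.g. 24 -> 4294967040 (0xffffff00)
    if [ "$1" -eq 0 ]; then echo 0
    else echo $(( (0xffffffff << (32 - $1)) & 0xffffffff )); fi
}

client_matches() {
    # $1 = client pattern from the file, $2 = connecting address
    pat=$1; ip=$2
    case $pat in
        ALL) return 0 ;;
        */*)
            net=${pat%/*}; m=${pat#*/}
            case $m in
                *.*) mask=$(ip2int "$m") ;;     # n.n.n.n/m.m.m.m (classic form)
                *)   mask=$(bits2mask "$m") ;;  # n.n.n.n/bits (newer form)
            esac
            [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ] ;;
        *.) case $ip in "$pat"*) return 0 ;; *) return 1 ;; esac ;;  # dotted prefix
        *)  [ "$pat" = "$ip" ] ;;
    esac
}

daemon_matches() { [ "$1" = ALL ] || [ "$1" = "$2" ]; }

list_matches() {
    # $1 = comma/space separated list, $2 = value, $3 = per-item matcher
    for item in $(echo "$1" | tr ',' ' '); do
        "$3" "$item" "$2" && return 0
    done
    return 1
}

first_match() {
    # Print the option field (or MATCH) of the first line in file $1 whose
    # daemon list matches $2 and client list matches $3; return 1 if none.
    [ -f "$1" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        daemons=$(echo "$line" | cut -s -d: -f1 | tr -d ' \t')
        clients=$(echo "$line" | cut -s -d: -f2 | tr -d ' \t')
        option=$(echo "$line" | cut -s -d: -f3 | tr -d ' \t')
        [ -z "$daemons" ] && continue
        if list_matches "$daemons" "$2" daemon_matches &&
           list_matches "$clients" "$3" client_matches; then
            echo "${option:-MATCH}"
            return 0
        fi
    done < "$1"
    return 1
}

wrap_decision() {
    # $1 = daemon, $2 = client IP, $3 = hosts.allow path, $4 = hosts.deny path.
    # libwrap order: a hosts.allow match grants (unless its option is DENY),
    # otherwise a hosts.deny match denies (unless its option is ALLOW),
    # otherwise access is granted.
    if opt=$(first_match "$3" "$1" "$2"); then
        [ "$opt" = DENY ] && echo deny || echo allow
    elif opt=$(first_match "$4" "$1" "$2"); then
        [ "$opt" = ALLOW ] && echo allow || echo deny
    else
        echo allow
    fi
}

# Constructed sample files reproducing the article's configuration.
demo_dir=$(mktemp -d)
cat > "$demo_dir/hosts.allow" <<'EOF'
sshd : 192.168.0.0/255.255.255.0 : ALLOW
EOF
cat > "$demo_dir/hosts.deny" <<'EOF'
ALL:ALL
EOF

# Probes: the article's workstation, an outside host, and another wrapped
# daemon from the LAN (in.telnetd and 203.0.113.5 are assumed values).
for probe in "sshd 192.168.0.2" "sshd 203.0.113.5" "in.telnetd 192.168.0.2"; do
    set -- $probe
    echo "$1 from $2: $(wrap_decision "$1" "$2" "$demo_dir/hosts.allow" "$demo_dir/hosts.deny")"
done
```

Running it shows sshd from 192.168.0.2 allowed, the same daemon from outside the LAN denied, and any other wrapped daemon denied even from the LAN, because only sshd appears in hosts.allow. The model says nothing about daemons that bypass libwrap altogether; for those, only the packet filter applies.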

I then updated my system using RedHat's up2date service.

RedHat uses ipchains as the default firewall tool, but I prefer iptables. I ran the "setup" command as root and used the "System services" tool to disable ipchains and enable iptables. I also took this opportunity to disable any other services I didn't want running. I rebooted at this point to enable the kernel updates and the other changes I had made.

I then used the Linux IP Masquerade How-To to create a set of firewall rules to enable NAT and allow my workstation to use the firewall to connect to the Internet. To keep things simple, I trimmed their rules down to the following script:

#!/bin/sh
IPTABLES=/sbin/iptables

# Enable forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
# The following three lines are not necessary for NAT, but provide some security
# by blocking any connections from being initiated from outside the network.
# ("-i ! eth0" is the negation syntax of the iptables shipped with RedHat 7.3;
# later releases write it as "! -i eth0".)
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
$IPTABLES -A INPUT -j DROP

$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT

$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
# Replies to connections started from the LAN may come back in;
# anything from the LAN may go out.
$IPTABLES -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -o eth0 -j ACCEPT
# Everything else is logged and then falls through to the DROP policy.
$IPTABLES -A FORWARD -j LOG

$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE

I named this file "rc.firewall-2.4", made it executable (chmod 700 rc.firewall-2.4), and placed it in the /etc/rc.d directory. I then added the following line to the end of the /etc/rc.d/rc.local file:

/etc/rc.d/rc.firewall-2.4

That will enable the firewall rules when the system boots up. I ran the firewall script manually so that NAT would be enabled without having to reboot.
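As an added example (not the article's rc.firewall-2.4), the script below generates the equivalent two-NIC NAT ruleset in current iptables syntax with the hardening steps a reviewer would ask for: DROP policies set before the flush, an explicit loopback rule, INVALID-state drops, rate-limited logging and a source check on forwarded LAN traffic. The interface names eth0/eth1, the LAN range 192.168.0.0/24 and the /sbin/iptables path are assumptions taken from the article's setup; run it without arguments to print the commands for review, and with apply as root to load them.

```shell
#!/bin/sh
# nat-firewall.sh: generate, and optionally apply, a two-NIC NAT ruleset in
# the spirit of the article's rc.firewall-2.4.  Added example, not the
# article's script.  Interface names, the LAN range and the iptables path are
# assumptions set below; override them in the environment.
# Usage:  sh nat-firewall.sh          # print the commands for review
#         sh nat-firewall.sh apply    # execute them (root, iptables present)

WAN=${WAN:-eth0}                   # assumption: NIC facing the cable modem
LAN=${LAN:-eth1}                   # assumption: NIC facing the workstation
LAN_NET=${LAN_NET:-192.168.0.0/24} # assumption: addresses used on the LAN
IPT=${IPT:-/sbin/iptables}

build_ruleset() {
    # One command per line.  Differences from the article's script:
    #  - policies are set to DROP before the flush, so a half-loaded ruleset
    #    never leaves INPUT wide open (the article relies on a trailing -j DROP
    #    rule behind an ACCEPT policy);
    #  - loopback is allowed explicitly (needed once the INPUT policy is DROP);
    #  - INVALID conntrack states are dropped, logging is rate-limited, and
    #    forwarding only accepts LAN-sourced packets arriving on the LAN side;
    #  - negation is written "! -i $WAN"; the "-i ! eth0" form the article
    #    uses is the pre-1.4 syntax and is deprecated in later releases.
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.$WAN.rp_filter=1
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -F INPUT
$IPT -F FORWARD
$IPT -F OUTPUT
$IPT -t nat -F
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT ! -i $WAN -m conntrack --ctstate NEW -j ACCEPT
$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-input-drop: "
$IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
$IPT -A FORWARD -i $WAN -o $LAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
$IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-forward-drop: "
$IPT -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
EOF
}

count_rules() {
    # Number of iptables invocations in the generated set (for review).
    build_ruleset | grep -c "^$IPT "
}

apply_ruleset() {
    # Execute the generated commands, stopping at the first failure.
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
    build_ruleset | sh -e
}

case ${1:-print} in
    apply) apply_ruleset ;;
    *)     build_ruleset ;;
esac
```

If this replaces rc.firewall-2.4 in rc.local, review the printed output first, since a typo in an interface name silently changes which side of the box is trusted. On RedHat 7.3's 2.4 kernel and iptables 1.2, substitute -m state --state for -m conntrack --ctstate and use the -i ! eth0 negation form, exactly as the article's script does.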

Now it was time to go back and configure the eth1 interface. I edited /etc/sysconfig/network-scripts/ifcfg-eth1 to contain these three lines:

DEVICE=eth1
IPADDR=192.168.0.1
ONBOOT=yes

No NETMASK is given, so RedHat's ifup script derives a class-based mask from the address (255.255.255.0 for 192.168.0.1); adding NETMASK=255.255.255.0 as a fourth line makes the intended /24 explicit and matches the 192.168.0.0/255.255.255.0 range used in hosts.allow.

I restarted the networking services by running "/etc/init.d/network restart".

Client Configuration

I used linuxconf to configure my client. Under Networking -> Host name and IP network devices, I configured "Adapter 1", eth0, to use manual configuration. I gave it an IP address of 192.168.0.2 and a Netmask of 255.255.255.0. I left the other options alone. Then under Networking -> Routing and gateways, I clicked the "set" button and set the gateway as 192.168.0.1. I left the "enable routing" option un-checked. On the firewall, DHCP set the DNS server information for me, but since I entered the IP manually on the client I needed to set the DNS server information myself. I just copied the information in the /etc/resolv.conf file on the firewall to the /etc/resolv.conf file on the client. It should look something like this:

nameserver x.x.x.x
search domain.com

I then restarted the networking services on the client by running "/etc/init.d/network restart" and that was it.

Resources

Home Network Mini How-To
NAT How-To
Linux IP Masquerade How-To

Posted by admin on September 22 2007 21:47:24
Copyright © 2024 - www.webtoolbag.com