Installing a Simple Linux Firewall/Router

This is a description of my experience configuring a spare computer to serve as a Linux firewall/router.
I had to look in a number of places to find the information I needed, but I have tried to list everything
I did so that anyone can duplicate my efforts by reading only this.
The equipment I used for this project consisted of the following:
  • Workstation running Mandrake Linux 8.2 with one NIC
  • Firewall (Pentium 200)
  • 2 NICs
  • 1 patch cable
  • 1 crossover cable
The patch cable runs from my cable modem to the first NIC on the firewall.
The crossover cable then runs from the second NIC in the firewall to my workstation.

My workstation was already using the Road Runner connection and was assigned a dynamic IP address with dhcpcd.
I shut down networking with this command: "/etc/init.d/networking stop". I then unplugged the power from
the cable modem for 30 seconds or more. While the modem was unplugged, I ran the Ethernet cable from the
modem to the first NIC (eth0) in the firewall. I then ran the crossover cable from the second NIC (eth1) in the firewall to my workstation. I plugged in the cable modem
and booted into the Linux install on the firewall.

Firewall Installation

I installed RedHat 7.3 using the "Custom" install. The install described here
only takes around 300mb, but you'll need extra room for logs, installing updates, etc. I created two partitions: a 650mb root partition and a 128mb swap partition.
During the install I set eth0 to use dhcp and enabled it at boot. I also set eth1 to use dhcp, since I did not yet know the information to plug in for it, but
I did not set it to be enabled at boot. After the install was complete, I went back and configured eth1 correctly.

In the package selection part, I deselected
everything except the Networking, firewall/router, and Emacs options (I refuse to live without Emacs). I used the "select individual packages" option to deselect things
like "Finger, Finger Server, Telnet, Telnet Server", etc. that I didn't want on a firewall.

Firewall Configuration

After the install was complete,
I rebooted into Linux. If everything goes smoothly, the computer should have gotten an IP from Road Runner and the firewall should now be connected to the Internet. You can try pinging a server like yahoo.com to see if it worked. You can also use the "ifconfig" command to check the eth0 interface and see if it was assigned an IP address.

I only wanted to allow access to ssh from my local network so I went ahead and set a default deny in my /etc/hosts.deny file. To do that add a line like this:
ALL:ALL

I then edited my /etc/hosts.allow file to allow ssh connections from my local network. I added this line:

sshd : 192.168.0.0/255.255.255.0 : ALLOW
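
The following is an added example, not part of the original article: a small model of the decision TCP wrappers make for the two entries above (hosts.allow is consulted first, then hosts.deny, first match wins, and a client matching neither is allowed, which is why the ALL:ALL default deny matters). The in-memory copies of the two files are constructed here, and only the "daemon : address/netmask" and "ALL" patterns are handled; hostnames, wildcards and options are not.

```shell
#!/bin/sh
# Added example (not from the article): a simplified model of the access
# decision that TCP wrappers (tcpd / libwrap) make for the two entries
#   /etc/hosts.deny  : ALL:ALL
#   /etc/hosts.allow : sshd : 192.168.0.0/255.255.255.0 : ALLOW
# Only "daemon : address/netmask" and "ALL" patterns are handled.

# Constructed in-memory copies of the two files from the article.
HOSTS_ALLOW="sshd : 192.168.0.0/255.255.255.0 : ALLOW"
HOSTS_DENY="ALL:ALL"

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_subnet CLIENT NET MASK -> exit 0 when CLIENT lies inside NET/MASK
in_subnet() {
    c=$(ip_to_int "$1"); n=$(ip_to_int "$2"); m=$(ip_to_int "$3")
    [ $(( c & m )) -eq $(( n & m )) ]
}

# match_entry ENTRY DAEMON CLIENT -> exit 0 if the entry covers this request
match_entry() {
    daemon=$2; client=$3
    entry=$(printf '%s' "$1" | tr -d ' ')   # e.g. "sshd:192.168.0.0/255.255.255.0:ALLOW"
    e_daemon=${entry%%:*}
    rest=${entry#*:}
    e_client=${rest%%:*}
    [ "$e_daemon" = ALL ] || [ "$e_daemon" = "$daemon" ] || return 1
    [ "$e_client" = ALL ] && return 0
    case $e_client in
        */*) in_subnet "$client" "${e_client%/*}" "${e_client#*/}" ;;
        *)   [ "$e_client" = "$client" ] ;;
    esac
}

# wrapper_decision DAEMON CLIENT -> prints "allow" or "deny"
wrapper_decision() {
    if match_entry "$HOSTS_ALLOW" "$1" "$2"; then echo allow; return 0; fi
    if match_entry "$HOSTS_DENY"  "$1" "$2"; then echo deny;  return 0; fi
    echo allow   # no entry matched: wrappers allow by default
}

# Usage: wrapper_decision sshd 192.168.0.2    (allow: hosts.allow matches)
#        wrapper_decision sshd 203.0.113.9    (deny: only ALL:ALL matches)
```

The last line of wrapper_decision is the point of the exercise: without the ALL:ALL entry in hosts.deny, a daemon that is not named in hosts.allow would still accept connections from anywhere.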

I then updated my system using RedHat's up2date service.

RedHat uses ipchains as the default firewall tool, but I prefer iptables. I ran the "setup" command as root and used the "System services" tool to disable ipchains and enable iptables. I also took this opportunity to disable any other services I didn't want running.
I rebooted at this point to enable the kernel updates and the other changes I had made.

I then used the Linux IP Masquerade How-To to create a set of firewall rules to enable NAT and allow my workstation to use the firewall to connect to the Internet. To keep things simple, I trimmed their rules down to the following script:

#!/bin/sh
IPTABLES=/sbin/iptables

#Enable forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
#The following three lines are not necessary for NAT, but provide some security
#by blocking any connections from being initiated from outside the network.
#("-i ! eth0" is the iptables syntax of that era; releases from 1.4.3 on spell it "! -i eth0".)
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
$IPTABLES -A INPUT -j DROP

$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT

#Default deny on forwarding; only the rules below let traffic through.
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
$IPTABLES -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -o eth0 -j ACCEPT
$IPTABLES -A FORWARD -j LOG
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE

I named this file "rc.firewall-2.4", made it executable (chmod 700 rc.firewall-2.4), and placed it in the /etc/rc.d directory. I then added the following line to the end of the /etc/rc.d/rc.local file:

/etc/rc.d/rc.firewall-2.4

That will enable the firewall rules when the system boots up. I ran the firewall script manually so that NAT would be enabled without having to reboot.
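
As an added example (not the article's rc.firewall-2.4), here is the same NAT and forwarding policy written in current iptables syntax ("! -i eth0" instead of the pre-1.4 "-i ! eth0"), emitted through one run() hook so the whole rule set can be printed and checked by an unprivileged user before it is applied, plus an audit function that fails if the FORWARD policy is not DROP or if any INPUT rule would accept new connections from the WAN side. It assumes eth0 faces the cable modem and eth1 the LAN, as in the article, and rate-limits the LOG rule, which the article's version does not.

```shell
#!/bin/sh
# Added example (not the article's script): the article's NAT/forwarding
# policy in current iptables syntax, with a dry-run mode and a rule audit.
# Assumptions: eth0 is the WAN (cable modem) side, eth1 the LAN side.

WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
IPT=${IPT:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}      # 1 = print the commands, 0 = execute them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# apply_rules: emit (or execute) the rule set. Order matters: policies and
# flushes first, then the state rules, then the catch-all DROP.
apply_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run "$IPT" -P INPUT ACCEPT
    run "$IPT" -F INPUT
    # Accept replies to our own connections and anything not arriving on the WAN side.
    run "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A INPUT -m state --state NEW ! -i "$WAN" -j ACCEPT
    run "$IPT" -A INPUT -j DROP
    run "$IPT" -P OUTPUT ACCEPT
    run "$IPT" -F OUTPUT
    run "$IPT" -P FORWARD DROP
    run "$IPT" -F FORWARD
    run "$IPT" -t nat -F
    # LAN may open connections outward; WAN may only send replies back in.
    run "$IPT" -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    run "$IPT" -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD-DROP: "
    run "$IPT" -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# audit_rules RULES: given the printed rule set, fail unless
#   (a) the FORWARD chain's default policy is DROP, and
#   (b) no INPUT rule accepts NEW connections that may arrive on the WAN side.
audit_rules() {
    rules=$1
    if ! printf '%s\n' "$rules" | grep -q -- "-P FORWARD DROP"; then
        echo "audit: FORWARD policy is not DROP" >&2
        return 1
    fi
    if printf '%s\n' "$rules" | grep -- "-A INPUT " | grep -- "--state NEW" \
            | grep -v -- "! -i $WAN" | grep -q -- "-j ACCEPT"; then
        echo "audit: an INPUT rule accepts NEW connections from $WAN" >&2
        return 1
    fi
    return 0
}

# When saved as fw-nat.sh and run directly, print the rule set and audit it;
# with DRY_RUN=0 it applies the rules instead.
case $0 in
    *fw-nat.sh)
        if [ "$DRY_RUN" = 1 ]; then
            rules=$(apply_rules)
            printf '%s\n' "$rules"
            audit_rules "$rules"
        else
            apply_rules
        fi ;;
esac
```

Running it as `sh fw-nat.sh` prints the commands and runs the audit; `DRY_RUN=0 sh fw-nat.sh` as root applies them. The audit is deliberately narrow (two invariants matched on the printed text), but it catches the two edits most likely to silently open the box: loosening the FORWARD policy and dropping the interface restriction on the INPUT NEW rule.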

Now it was time to go back and configure the eth1 interface. I edited /etc/sysconfig/network-scripts/ifcfg-eth1 to contain these three lines:

DEVICE=eth1
IPADDR=192.168.0.1
ONBOOT=yes

I restarted the networking services by running "/etc/init.d/network restart".

Client Configuration

I used linuxconf to configure my client. Under Networking -> Host name and IP network devices, I configured "Adapter 1", eth0, to use manual configuration. I gave it an IP address of 192.168.0.2 and a Netmask of 255.255.255.0. I left the other options alone. Then under Networking -> Routing and gateways, I clicked the "set" button and set the gateway as 192.168.0.1. I left the "enable routing" option unchecked. On the firewall, DHCP set the DNS server information for me, but since I entered the IP manually on the client I needed to set the DNS server information myself. I just copied the contents of the /etc/resolv.conf file on the firewall to the /etc/resolv.conf file on the client. It should look something like this:

nameserver x.x.x.x
search domain.com

I then restarted the networking services on the client by running "/etc/init.d/network restart" and that was it.

Thanks to broadband, we can now truly enjoy a dedicated server. This of course means easier uploading of any web design. Not compromising on website design is something we have been looking for, for years. This has also made online advertising fairly simple, which has eventually contributed to online marketing as well.


Posted by admin on January 22 2007 22:59:55

Copyright © 2017 - www.webtoolbag.com