Linux as a Router and Firewall

Step by Step Procedure

Step 1. Add two LAN cards to the Linux box. You need two NICs: one for the private network and one for the public IP address.

Step 2. Check that the network cards were detected and their drivers loaded. The command “dmesg” shows whether they were recognized during boot.

Sample output:
# dmesg | grep eth

e100: eth0: e100_probe: addr 0xfa061000, irq 177, MAC addr 00:10:DC:5E:A8:BF
e100: eth1: e100_probe: addr 0xfa060000, irq 185, MAC addr 00:10:DC:5E:A8:C0
e100: eth0: e100_watchdog: link up, 100Mbps, half-duplex
e100: eth1: e100_watchdog: link up, 100Mbps, full-duplex

Step 3. Configure eth0 for Internet with a Public IP address

For RPM-based distros, the menu-based tool “setup” makes configuration tasks such as networking easier.
Sample Output 1: (RPM-based like RHEL, CentOS)

# cat /etc/sysconfig/network-scripts/ifcfg-eth0
# Intel Corporation 82557/8/9/0/1 Ethernet Pro 100
DEVICE=eth0
BOOTPROTO=none
HWADDR=00:10:dc:5e:a8:bx
ONBOOT=yes
DHCP_HOSTNAME=freelinuxtutorials
IPADDR=116.x.x.x
NETMASK=255.255.255.240
GATEWAY=116.x.x.x
TYPE=Ethernet

Sample Output 2: (Debian-based)
# cat /etc/network/interfaces
auto eth0
iface eth0 inet static
address 116.x.x.x
netmask 255.255.255.240
mtu 1500
gateway 116.x.x.x

Step 4. Configure eth1 for the LAN with a private IP (internal private network)

A general ifcfg template first. The values in it (192.168.1.1/16) are placeholders; the rest of this page uses 192.168.17.1/24. Note that there is no GATEWAY= line on the LAN side: the router's only default route is through eth0.

# cat ifcfg-eth1

BOOTPROTO=none
PEERDNS=yes
HWADDR=00:50:8B:CF:9C:05    # Optional
TYPE=Ethernet
IPV6INIT=no
DEVICE=eth1
NETMASK=255.255.0.0        # Specify based on your requirement
BROADCAST=""               # Left empty, the network scripts compute it
IPADDR=192.168.1.1        # Gateway of the LAN
NETWORK=192.168.0.0        # Optional
USERCTL=no
ONBOOT=yes
Sample Output 1: (RPM-based like RHEL,CentOS)

# cat /etc/sysconfig/network-scripts/ifcfg-eth1

DEVICE=eth1
BOOTPROTO=none
HWADDR=00:10:dc:5e:a8:cx
ONBOOT=yes
DHCP_HOSTNAME=freelinuxtutorials
TYPE=Ethernet
IPADDR=192.168.17.1
NETMASK=255.255.255.0

Sample Output 2: (Debian-based)
# cat /etc/network/interfaces
auto eth1
iface eth1 inet static
address 192.168.17.1
netmask 255.255.255.0
mtu 1500
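
The ifcfg files above carry optional NETWORK= and BROADCAST= fields, and the Debian file needs a netmask that matches the ISP's gateway. The following is an added example (not part of the original tutorial) that derives those values from an IPADDR/NETMASK pair in plain POSIX sh and checks that a GATEWAY is actually on-link; the 203.0.113.0/28 addresses are constructed documentation addresses standing in for the ISP block, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: work out the NETWORK,
# BROADCAST and CIDR prefix that belong with an IPADDR/NETMASK pair, and
# check that a GATEWAY really lies inside that subnet. Pure POSIX sh
# arithmetic, no ipcalc needed. Sample addresses below are constructed.

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip INTEGER -> A.B.C.D
int_to_ip() {
    printf '%d.%d.%d.%d\n' \
        $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
        $(( ($1 >> 8) & 255 ))  $(( $1 & 255 ))
}

# valid_ip A.B.C.D -> exit 0 if it is four decimal octets in 0..255
valid_ip() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# valid_mask A.B.C.D -> exit 0 if the mask is a contiguous run of 1 bits
valid_mask() {
    valid_ip "$1" || return 1
    m=$(ip_to_int "$1")
    inv=$(( ~m & 4294967295 ))          # the host bits
    [ $(( (inv + 1) & inv )) -eq 0 ]   # host bits must look like 2^n - 1
}

# mask_to_prefix A.B.C.D -> prefix length, e.g. 255.255.255.240 -> 28
mask_to_prefix() {
    m=$(ip_to_int "$1"); n=0
    while [ "$m" -ne 0 ]; do
        n=$(( n + (m & 1) )); m=$(( m >> 1 ))
    done
    echo "$n"
}

# network_addr IP MASK / broadcast_addr IP MASK -> dotted quad
network_addr()   { int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") )); }
broadcast_addr() { int_to_ip $(( $(ip_to_int "$1") | (~$(ip_to_int "$2") & 4294967295) )); }

# same_subnet IP GATEWAY MASK -> exit 0 if both share the network part
same_subnet() {
    [ "$(network_addr "$1" "$3")" = "$(network_addr "$2" "$3")" ]
}

# usable_host IP MASK -> exit 0 unless IP is the network or broadcast address
usable_host() {
    [ "$1" != "$(network_addr "$1" "$2")" ] && [ "$1" != "$(broadcast_addr "$1" "$2")" ]
}

# ifcfg_extra IPADDR NETMASK -> the optional NETWORK=/BROADCAST= lines plus PREFIX=
ifcfg_extra() {
    valid_mask "$2" || { echo "bad netmask: $2" >&2; return 1; }
    valid_ip "$1"   || { echo "bad address: $1" >&2; return 1; }
    usable_host "$1" "$2" || { echo "$1 is the network or broadcast address" >&2; return 1; }
    printf 'NETWORK=%s\nBROADCAST=%s\nPREFIX=%s\n' \
        "$(network_addr "$1" "$2")" "$(broadcast_addr "$1" "$2")" "$(mask_to_prefix "$2")"
}

# check_wan IPADDR NETMASK GATEWAY -> complain if the gateway is not on-link
check_wan() {
    same_subnet "$1" "$3" "$2" || {
        echo "gateway $3 is not in $(network_addr "$1" "$2")/$(mask_to_prefix "$2")" >&2
        return 1
    }
    echo "ok: $1/$(mask_to_prefix "$2") via $3"
}

# Constructed sample values for the two interfaces of this tutorial
ifcfg_extra 192.168.17.1 255.255.255.0                 # LAN side (eth1)
check_wan 203.0.113.34 255.255.255.240 203.0.113.33    # WAN side (eth0), /28 from the ISP
```

The contiguity check in valid_mask catches a typo such as 255.255.0.255, which the network scripts would accept silently and which then yields routes that match nothing you expect; check_wan catches the other common mistake on a /28 ISP block, a gateway copied from the wrong subnet.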

Step 5. Host configuration (optional)
# cat /etc/hosts
127.0.0.1       freelinuxtutorials localhost.localdomain   localhost

Step 6. Global network configuration (the default gateway may be set here with a GATEWAY= line instead of in ifcfg-eth0; a router has only one default route, through eth0)
# cat /etc/sysconfig/network

NETWORKING=yes
HOSTNAME=freelinuxtutorials

Step 7. DNS Configuration
# cat /etc/resolv.conf

nameserver 203.x.x.x      # ISP Primary DNS Server
nameserver 203.x.x.x      # ISP Secondary DNS Server

Step 8. NAT configuration with iptables
First flush the existing rules in all three tables (note that -F removes rules but leaves the chain policies as they are):

iptables -F
iptables -t nat -F
iptables -t mangle -F
Then delete any user-defined chains:

iptables -X
iptables -t nat -X
iptables -t mangle -X
# Set up IP forwarding and masquerading. MASQUERADE rewrites the source address of packets leaving eth0
# to whatever address eth0 currently has, which is what you want when the public IP is dynamic.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -j ACCEPT
Be aware that this minimal setup relies on the default FORWARD policy of ACCEPT for the return traffic, so it also forwards anything that arrives on eth0 towards the LAN. The script at the end of this page sets FORWARD to DROP and accepts only traffic from eth1 plus ESTABLISHED,RELATED replies.
# Enable packet forwarding in the kernel; to keep it across reboots put net.ipv4.ip_forward = 1 in /etc/sysctl.conf

echo 1 > /proc/sys/net/ipv4/ip_forward
# Save and apply the rules (RPM-based distros; the saved rules go to /etc/sysconfig/iptables)

service iptables save
service iptables restart
# Check that the iptables service is set to start at boot (enable it with "chkconfig iptables on" if it is not)

chkconfig --list iptables
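
Adding rules one at a time, as Step 8 does, leaves a window in which the policy and the rules are inconsistent, and nothing checks that the set you saved is the set you meant. The following is an added example, not the tutorial's own commands, that expresses the same NAT setup as an iptables-restore ruleset so the whole policy is committed atomically. It keeps the page's eth0/eth1 and 192.168.17.0/24, but tightens two things: FORWARD defaults to DROP with only LAN-to-Internet and established return traffic allowed, and forwarded packets must carry a LAN source address. ADMIN_NET, the persistence path /etc/sysconfig/iptables and the function names are assumptions of mine.

```shell
#!/bin/sh
# Added example, not the tutorial's own script: the Step 8 NAT setup written
# as an iptables-restore ruleset. iptables-restore loads everything in one
# atomic commit, so there is never a moment with policy DROP and no ACCEPT
# rules. Interface names and prefixes are assumptions; override them in the
# environment. Run without arguments to print the ruleset, with "apply" to
# load it (needs root).
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.17.0/24}
ADMIN_NET=${ADMIN_NET:-192.168.17.0/24}   # where SSH to the router itself is allowed from (assumed)

# gen_ruleset -> the ruleset text on stdout (iptables-save format)
gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# MASQUERADE follows the current address of $WAN_IF; use SNAT --to-source for a static IP
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $LAN_IF -s $ADMIN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -j ACCEPT
COMMIT
EOF
}

# chain_policy TABLE CHAIN -> the policy the ruleset declares for that chain
chain_policy() {
    gen_ruleset | awk -v t="*$1" -v c=":$2" \
        '$1 == t { in_t = 1; next } /^\*/ { in_t = 0 } in_t && $1 == c { print $2; exit }'
}

# ruleset_has "RULE LINE" -> exit 0 if exactly that line is present
ruleset_has() {
    gen_ruleset | grep -q -x -F -- "$1"
}

# commits -> number of COMMIT lines; iptables-restore needs one per table
commits() {
    gen_ruleset | grep -c -x COMMIT
}

# apply_ruleset: parse-check first, enable forwarding, load atomically, persist
apply_ruleset() {
    gen_ruleset | iptables-restore --test || { echo "ruleset does not parse" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null      # also put it in /etc/sysctl.conf
    gen_ruleset | iptables-restore
    # Assumed persistence path for RPM-based distros (what "service iptables save"
    # writes); Debian's iptables-persistent reads /etc/iptables/rules.v4 instead.
    gen_ruleset > /etc/sysconfig/iptables
}

if [ "${1:-}" = apply ]; then apply_ruleset; else gen_ruleset; fi
```

The source match on the FORWARD rule is the cheap anti-spoofing check: a host on eth1 that sends packets with a foreign source address is not forwarded and, since the MASQUERADE rule also matches on -s, never NATed either. The INVALID drop discards packets that conntrack cannot associate with any flow, which is what stray or crafted segments look like at the router.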

Step 9. Testing
From a client system, ping the LAN side of the router: ping 192.168.17.1
Then check that traffic is forwarded and NATed to the Internet: ping www.yahoo.com

Configure the PCs on the network
PC clients should use the private IP of the Linux machine (192.168.17.1) as their default gateway.
– DNS can be set to the ISP servers, or to an internal DNS server with your own zones; the internal server is recommended, especially when you have Active Directory on the network.

——————————————————————————————————————————————-

This is my sample NAT/firewall script. It differs from Step 8 in that it sets default DROP policies on INPUT and FORWARD and then opens only what is needed, uses SNAT to a fixed public address instead of MASQUERADE, and rate-limits and filters ICMP. It sets INPUT to DROP before the loopback and ESTABLISHED rules are added, so an SSH session through eth0 may stall for a moment while it runs; run it from the console the first time.

#!/bin/sh
#
# NAT/firewall script for the two-NIC router: eth0 = public side, eth1 = LAN
#

# set a few variables
echo ""
echo "    setting global variables"
echo ""
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
iptables="/sbin/iptables"
PUBLIC_IP="116.x.x.x"    # public IP used for SNAT (one of the addresses given by your ISP)

# adjust my /proc
echo "    applying general security settings to /proc filesystem"
echo ""
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi

# load the FTP connection-tracking helpers; the module names changed from
# ip_conntrack_ftp/ip_nat_ftp (2.4 and early 2.6 kernels) to
# nf_conntrack_ftp/nf_nat_ftp, so try both and ignore the ones that are absent.
# On kernels 4.7 and later the helper is no longer attached automatically and
# a CT --helper ftp rule in the raw table is needed in addition.
for m in nf_conntrack_ftp nf_nat_ftp ip_conntrack_ftp ip_nat_ftp; do
    modprobe $m 2>/dev/null
done

# flush any existing chains and set default policies
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT

# setup nat
echo "    applying nat rules"
echo ""
$iptables -F FORWARD
$iptables -F -t nat
$iptables -P FORWARD DROP
$iptables -A FORWARD -i eth1 -j ACCEPT
$iptables -A INPUT -i eth1 -j ACCEPT
$iptables -A OUTPUT -o eth1 -j ACCEPT
# -m state is the older spelling of -m conntrack --ctstate; both still work
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# SNAT to the fixed public address (MASQUERADE would do if eth0 were dynamic)
$iptables -t nat -A POSTROUTING -s 192.168.17.0/24 -o eth0 -j SNAT --to-source $PUBLIC_IP

# allow all packets on the loopback interface
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT

# allow established and related packets back in
$iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# icmp
echo "    applying icmp rules"
echo ""
$iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
$iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# answer pings from the Internet, but at most one per second (default burst 5)
$iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i eth0 -j ACCEPT

# apply icmp type match blocking (-I inserts these ahead of the rules above)
echo "    applying icmp type match blocking"
echo ""
$iptables -I INPUT -p icmp --icmp-type redirect -j DROP
$iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
$iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-reply -j DROP

# open ports to the firewall
echo "    applying the open port(s) to the firewall rules"
echo ""
# SSH is reachable from every interface, eth0 included; add "-i eth1" or
# "-s <admin network>" if it should not be exposed to the Internet
$iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#$iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
# open and forward ports to the internal machine(s)
#echo "    applying port forwarding rules"
#echo ""
#$iptables -A FORWARD -i eth0 -p tcp --dport 80 -j ACCEPT
#$iptables -t nat -A PREROUTING -i eth0 -p tcp -d $PUBLIC_IP --dport 80 -j DNAT --to-destination 192.168.17.200:80

# logging
#echo "    applying logging rules"
#echo ""
#$iptables -A INPUT -i eth0 -p tcp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "tcp connection: "
#$iptables -A INPUT -i eth0 -p udp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "udp connection: "

# drop all other packets (the INPUT policy is already DROP; these rules make it explicit and give counters)
echo "    applying default drop policies"
echo ""
$iptables -A INPUT -i eth0 -p tcp --dport 0:65535 -j DROP
$iptables -A INPUT -i eth0 -p udp --dport 0:65535 -j DROP

echo "### dar firewall is loaded ###"
echo ""

—————————————————————————————————————————

About the author: tux