Linux as a Router and Firewall

Step by Step Procedure

Step 1. Add two network cards to the Linux box. You need two NICs: one facing your private network and one carrying the public IP address.

Step 2. Check that your network cards are properly detected and installed. You can use the command "dmesg" to verify that they were recognized during the boot-up process.

Sample output:
# dmesg | grep eth

e100: eth0: e100_probe: addr 0xfa061000, irq 177, MAC addr 00:10:DC:5E:A8:BF
e100: eth1: e100_probe: addr 0xfa060000, irq 185, MAC addr 00:10:DC:5E:A8:C0
e100: eth0: e100_watchdog: link up, 100Mbps, half-duplex
e100: eth1: e100_watchdog: link up, 100Mbps, full-duplex

Step 3. Configure eth0 for Internet with a Public IP address

For RPM-based distributions, the menu-based tool "setup" can be used for basic configuration tasks such as networking.
Sample Output 1: (RPM-based like RHEL, CentOS)

# cat /etc/sysconfig/network-scripts/ifcfg-eth0
# Intel Corporation 82557/8/9/0/1 Ethernet Pro 100

Sample Output 2: (Debian-based)
# cat /etc/network/interfaces
auto eth0
iface eth0 inet static
address 116.x.x.x
mtu 1500
gateway 116.x.x.x

Step 4. Configure eth1 for the LAN with a private IP address (internal private network)
# cat ifcfg-eth1

HWADDR=00:50:8B:CF:9C:05    # Optional; the MAC address of eth1
NETMASK=        # Specify based on the size of your LAN
IPADDR=        # Private address of the router; LAN hosts use it as their default gateway
NETWORK=        # Optional

Sample Output 1: (RPM-based like RHEL,CentOS)

# cat /etc/sysconfig/network-scripts/ifcfg-eth1


Sample Output 2: (Debian-based)
# cat /etc/network/interfaces
auto eth1
iface eth1 inet static
mtu 1500

Step 5. Host configuration (optional)
# cat /etc/hosts
freelinuxtutorials localhost.localdomain localhost

Step 6. Gateway configuration (the GATEWAY entry can be left out when the gateway is already set in ifcfg-eth0)
# cat /etc/sysconfig/network


Step 7. DNS Configuration
# cat /etc/resolv.conf

nameserver 203.x.x.x      # ISP Primary DNS Server
nameserver 203.x.x.x      # ISP Secondary DNS Server

Step 8. NAT configuration with iptables
First flush the existing firewall rules in every table:

iptables -F
iptables -t nat -F
iptables -t mangle -F

Then delete any user-defined chains:

iptables -X
iptables -t nat -X
iptables -t mangle -X

# Set up IP forwarding and masquerading
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -j ACCEPT

These two commands only add rules; the FORWARD chain keeps its default policy (ACCEPT on a fresh system), which is what lets the replies from the Internet reach the LAN hosts. If you later set that policy to DROP, you also need a FORWARD rule accepting ESTABLISHED,RELATED traffic, as in the sample script at the end of this page.

# Enable packet forwarding in the kernel (to make it survive a reboot, add net.ipv4.ip_forward = 1 to /etc/sysctl.conf)
echo 1 > /proc/sys/net/ipv4/ip_forward

# Apply the configuration
service iptables save
service iptables restart

# Check that iptables is set to start during boot-up
chkconfig --list iptables

Step 9. Testing
From a client system, ping the private address of the Linux router (the gateway of the LAN), then ping a host on the Internet to confirm that NAT is working.

Configure the PCs on the network
Client PCs should use the private IP of the Linux machine as their default gateway.
– DNS can be set to the ISP's servers, or, preferably, to an internal DNS server with your own zones; the latter is recommended especially when you have Active Directory on your network.


This is my sample NAT/firewall script:

#!/bin/sh
# set a few variables
echo ""
echo "    setting global variables"
echo ""
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
iptables=/sbin/iptables
# private LAN network in CIDR form (the -s match in the SNAT rule needs it); the script refuses to run without it
LAN_NET="${LAN_NET:?set LAN_NET to the private LAN network in CIDR form}"
# public IP on eth0, i.e. the 116.x.x.x address from Step 3 (could be one of the addresses given by your ISP)
PUBLIC_IP="${PUBLIC_IP:?set PUBLIC_IP to the public address on eth0}"

# adjust my /proc
echo "    applying general security settings to /proc filesystem"
echo ""
# SYN cookies against SYN floods, reverse-path filtering against spoofed source addresses, and forwarding on
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi

# load the FTP connection-tracking and NAT helpers so active FTP works through the NAT
# (current kernels name them nf_conntrack_ftp/nf_nat_ftp, older ones ip_conntrack_ftp/ip_nat_ftp)
modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp 2>/dev/null
modprobe nf_nat_ftp 2>/dev/null || modprobe ip_nat_ftp 2>/dev/null

# flush any existing chains and set default policies
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT

# setup nat
echo "    applying nat rules"
echo ""
$iptables -F FORWARD
$iptables -F -t nat
$iptables -P FORWARD DROP
# everything arriving from the LAN may be forwarded and may talk to the firewall itself
$iptables -A FORWARD -i eth1 -j ACCEPT
$iptables -A INPUT -i eth1 -j ACCEPT
$iptables -A OUTPUT -o eth1 -j ACCEPT
# replies to forwarded connections are admitted by connection tracking
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# source-NAT LAN traffic leaving on the public interface to the public IP
$iptables -t nat -A POSTROUTING -s $LAN_NET -o eth0 -j SNAT --to-source $PUBLIC_IP

# allow all packets on the loopback interface
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT

# allow established and related packets back in
$iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# icmp
echo "    applying icmp rules"
echo ""
$iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
$iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# answer pings from the Internet, but at most one per second
$iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i eth0 -j ACCEPT

# apply icmp type match blocking (inserted at the top of INPUT so these match before anything else)
echo "    applying icmp type match blocking"
echo ""
$iptables -I INPUT -p icmp --icmp-type redirect -j DROP
$iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
$iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-reply -j DROP

# open ports to the firewall
echo "    applying the open port(s) to the firewall rules"
echo ""
$iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#$iptables -A INPUT -p tcp --dport 3128 -j ACCEPT

# open and forward ports to the internal machine(s)
#echo "    applying port forwarding rules"
#echo ""
#$iptables -A FORWARD -i eth0 -p tcp --dport 80 -j ACCEPT
# (put the internal web server's address after --to-destination)
#$iptables -t nat -A PREROUTING -i eth0 -p tcp -d $PUBLIC_IP --dport 80 -j DNAT --to-destination

# logging
#echo "    applying logging rules"
#echo ""
#$iptables -A INPUT -i eth0 -p tcp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "tcp connection: "
#$iptables -A INPUT -i eth0 -p udp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "udp connection: "

# drop all other packets (explicit, even though the INPUT policy is already DROP)
echo "    applying default drop policies"
echo ""
$iptables -A INPUT -i eth0 -p tcp --dport 0:65535 -j DROP
$iptables -A INPUT -i eth0 -p udp --dport 0:65535 -j DROP

echo "### dar firewall is loaded ###"
echo ""
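To check that the ruleset a box actually ends up with behaves as a NAT router with a closed forwarding path, here is an added audit script; it is not part of the original tutorial or of the sample script above. It reads the output of iptables-save, which is the normalized form iptables writes no matter which script loaded the rules, and flags the gaps a reviewer would look for in both Step 8 and the sample script: no masquerading or SNAT on the public side, a FORWARD policy of ACCEPT, no ESTABLISHED,RELATED rule to admit replies once that policy is DROP, and a LAN accept rule that is not bound to the public interface. The interface names eth0/eth1 are taken from the tutorial; the two dumps embedded in the script are constructed for illustration.

```shell
#!/bin/sh
# Audit an iptables-save dump for the NAT-router pattern used in this tutorial.
# Added example, not from the original page. Interface names follow the
# tutorial (eth0 public, eth1 private); both dumps below are constructed.

WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"

# has_rule DUMP REGEX: true if any line of DUMP matches REGEX (extended syntax)
has_rule() {
    printf '%s\n' "$1" | grep -Eq -e "$2"
}

# check_ruleset DUMP: print one finding per line; return 0 only when there are none
check_ruleset() {
    dump="$1"
    rc=0
    # LAN traffic leaving the public interface must be source-NATed
    if ! has_rule "$dump" "^-A POSTROUTING .*-o $WAN .*-j (MASQUERADE|SNAT)"; then
        echo "MISSING: nat POSTROUTING MASQUERADE/SNAT for traffic leaving $WAN"
        rc=1
    fi
    # a FORWARD policy of ACCEPT routes anything between any two interfaces
    if has_rule "$dump" "^:FORWARD ACCEPT"; then
        echo "WEAK: FORWARD policy is ACCEPT; set it to DROP and allow $LAN->$WAN explicitly"
        rc=1
    fi
    # with a DROP policy, replies need an explicit conntrack rule (-m state or -m conntrack)
    if ! has_rule "$dump" "^-A FORWARD .*(--state|--ctstate) (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT"; then
        echo "MISSING: FORWARD accept for ESTABLISHED,RELATED; with a DROP policy, replies to LAN hosts are lost"
        rc=1
    fi
    # the LAN accept rule should name the outgoing interface too
    if has_rule "$dump" "^-A FORWARD -i $LAN -j ACCEPT"; then
        echo "WEAK: 'FORWARD -i $LAN -j ACCEPT' has no -o $WAN; use -i $LAN -o $WAN"
        rc=1
    fi
    return "$rc"
}

# Ruleset Step 8 produces on a box whose filter chains still default to ACCEPT (constructed)
STEP8_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -j ACCEPT
COMMIT'

# The same router with a closed forwarding path (constructed)
HARDENED_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT'

# "--live" audits the running router (needs root); no argument runs the two samples
case "${1:-}" in
    --live) check_ruleset "$(iptables-save)" && echo "ruleset OK" ;;
    *) echo "== Step 8 ruleset"; check_ruleset "$STEP8_DUMP" || true
       echo "== hardened ruleset"; check_ruleset "$HARDENED_DUMP" && echo "no findings" ;;
esac
```

Run it without arguments to see the three findings for the Step 8 ruleset and none for the hardened one; on the router itself, `sh audit.sh --live` as root checks the live rules. Set WAN and LAN in the environment if your interfaces are not eth0 and eth1.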

