Connecting a Small LAN to the Internet with a Linux Firewall
Introduction
An older computer - perhaps left over as the result of upgrades - makes an ideal small router/firewall to connect a small office/home office network to the Internet via an ISDN, ADSL or even cable modem connection. Connecting a single Windows computer to a broadband connection is pretty much a no-brainer. However, life gets a little more complex when you have multiple machines. Fortunately, an old computer can be pressed into service as a firewall machine.
The firewall machine will have to have two network interfaces. The first of these - which in this example will be eth0 - is the Ethernet card which connects to the home/office LAN. The other could be any of several interfaces, such as a PPP modem interface (generally, this would appear as ppp0), a USB ADSL modem interface (which would also be ppp0), or another Ethernet card (eth1) which connects to an ADSL or cable modem, or perhaps a router.
Principles
The problem: The upstream ISP (Telstra, Optus, whoever) allocates a single IP address for your broadband connection. However, you want to connect two or more computers. And you want to secure those computers against port scans and more dangerous exploits. Both problems are solved by using a computer as a firewall, connecting your private network to the Internet.
If you haven't got enough IP addresses to go around, then the Internet standards, known as RFCs, recommend (in RFC 1918) that you use a network address chosen from one of three possible address ranges:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
These addresses are fine for machines on a private network - an intranet - but cannot be used on the public Internet. Therefore, the firewall or router that connects the private network to the Internet must perform Network Address Translation. This process examines outgoing IP datagrams, and replaces the source IP address and port number from the originating machine with the IP address of the firewall's external interface. When replies come back to the firewall's external interface, it looks up the destination port number in an automatically-maintained table to find the corresponding internal host's IP address and destination port, and substitutes them for its own before forwarding the packet.
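To make the table lookup described above concrete, here is an added example, not from the original article, that models the masquerading table in POSIX shell: nat_out rewrites an outgoing datagram's source address and port to the firewall's external address and a table-assigned port, and nat_in only rewrites an incoming datagram back to the LAN host when it matches an existing entry, so an unsolicited packet to the external interface (a port scan, for instance) finds no mapping and is dropped. The external address 203.0.113.10, the port range starting at 61000 and the traffic are all constructed for the demonstration; a real kernel also tracks the protocol and ages entries out, which this model omits.

```sh
#!/bin/sh
# Toy model of a masquerading (NAT) table.  Each entry is one line:
#   "<ext_port> <int_ip> <int_port> <dst_ip> <dst_port>"
NAT_TABLE=""
NEXT_EXT_PORT=61000            # first port the firewall hands out (constructed)
EXT_IP="203.0.113.10"          # constructed address of the external interface

# Print the table entry whose external port is $1, or nothing.
nat_lookup() {
    printf '%s' "$NAT_TABLE" | awk -v p="$1" '$1 == p { print; exit }'
}

# Outgoing datagram from the LAN: src_ip src_port dst_ip dst_port.
# Reuses an existing mapping for the same 4-tuple, otherwise adds one.
# Sets RESULT to the rewritten "src_ip src_port dst_ip dst_port".
nat_out() {
    src_ip=$1 src_port=$2 dst_ip=$3 dst_port=$4
    ext_port=$(printf '%s' "$NAT_TABLE" | awk -v a="$src_ip" -v b="$src_port" \
        -v c="$dst_ip" -v d="$dst_port" \
        '$2 == a && $3 == b && $4 == c && $5 == d { print $1; exit }')
    if [ -z "$ext_port" ]; then
        ext_port=$NEXT_EXT_PORT
        NEXT_EXT_PORT=$((NEXT_EXT_PORT + 1))
        NAT_TABLE="${NAT_TABLE}${ext_port} ${src_ip} ${src_port} ${dst_ip} ${dst_port}
"
    fi
    RESULT="$EXT_IP $ext_port $dst_ip $dst_port"
}

# Incoming datagram to the external interface: rem_ip rem_port ext_port.
# Only a reply from the host/port recorded for that external port is
# rewritten back to the LAN host; anything else is dropped.
nat_in() {
    rem_ip=$1 rem_port=$2 ext_port=$3
    entry=$(nat_lookup "$ext_port")
    set -- $entry            # $1 ext_port, $2 int_ip, $3 int_port, $4 dst_ip, $5 dst_port
    if [ $# -eq 5 ] && [ "$4" = "$rem_ip" ] && [ "$5" = "$rem_port" ]; then
        RESULT="$rem_ip $rem_port $2 $3"
    else
        RESULT="DROP"
    fi
}

# Demonstration with constructed traffic: a LAN host fetches a web page,
# the reply comes back, then a stranger probes the same external port.
nat_out 192.168.0.1 40000 198.51.100.7 80;  echo "out:  $RESULT"
nat_in  198.51.100.7 80 61000;              echo "in:   $RESULT"
nat_in  198.51.100.99 12345 61000;          echo "scan: $RESULT"
```

Because nat_out and nat_in update and read a shell variable, call them directly rather than inside a $(...) substitution, which would run them in a subshell and lose the table update.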
This process is supported on a variety of operating systems and dedicated routers. In the Linux world, it is known as masquerading, and it is supported in various ways by different versions of the Linux kernel. If your Linux distribution is based on the 2.2 series of kernels, it will support the ipchains command. If your Linux distribution is based on the 2.4 series of kernels, it will support iptables, and possibly ipchains as well, although as iptables has matured, some vendors are removing support for ipchains (for example, Red Hat 7.3 supports both, but Red Hat 8.0 supports only iptables).
Both ipchains and iptables can be used to do a lot more packet filtering, logging and accounting, but those features are not necessary for a simple firewall sitting between the Internet and a small LAN of Windows client computers.
Here is a set of step-by-step instructions for setting up a small firewall, based on Red Hat 7.3 or Red Hat 8.0. All commands should be executed while logged in as the root user. In the examples that follow, I assume that eth0 is the internal interface and eth1 connects to the Internet. You can substitute ppp0 for eth1 if appropriate for your system. Make sure that you substitute the correct interface names for your external and internal interfaces - if the external is eth0 and the internal is eth1, you'll need to reverse them in the steps that follow. This is the most common reason why people follow these instructions and wind up with a non-working setup.
Step 1. Install Linux and Harden the System
Install Linux in the normal way, but make sure that you do not install unnecessary network services such as the Apache web server, the Samba file/print server, and so on. If you do install them, you will have to disable them or, if you intend to use them, you will have to secure them so that they cannot be exploited by an attacker. With a firewall, the less software installed, and the simpler the setup, the better.
Give the eth0 (internal) interface an IP address from one of the ranges above - I'd suggest 192.168.0.254. Configuration of the external interface depends upon what it is - you might have to set it to use a DHCP-allocated address, if the ISP allocates IP addresses dynamically, or an address like 10.0.0.254 to talk to an Alcatel Speedtouch Pro ADSL modem (which defaults to 10.0.0.138).
You probably don't even want to install the X Window System and its desktop environments like KDE and GNOME. After all, an old machine won't have the memory to spare, anyway.
After installation you should use the ps or top commands to review what is running on the system. You especially do not want to see the following processes running: portmap, snmpd, snmptrapd, rpc.anything, sendmail, nfsd, lockd, smbd, nmbd, lpd, named, dhcpd - in fact, the system should be very minimal. Use the following command to disable unwanted services:
chkconfig --del servicename
where servicename is one of: dhcpd, lpd, named, netfs, nfs, nfslock, portmap (this one is especially important), sendmail, smb, snmpd, snmptrapd, as required.
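The review of running processes above is easy to script, so here is an added example (not from the original article) in POSIX shell: unwanted_running reads process names on standard input, as printed by ps -eo comm= on the firewall, and reports any of the daemons listed in the text (any rpc.* daemon counts too); disable_commands prints, rather than runs, a chkconfig --del line for each of the service names the text gives, guarded by chkconfig --list so that services that are not installed are skipped. The ps listing at the bottom is constructed for the demonstration; the ps -eo comm= invocation is an assumption about the procps version on the box.

```sh
#!/bin/sh
# Process names the text says should not be running on the firewall.
UNWANTED_PROCS="portmap snmpd snmptrapd sendmail nfsd lockd smbd nmbd lpd named dhcpd"
# chkconfig service names from the text that start those daemons.
UNWANTED_SERVICES="dhcpd lpd named netfs nfs nfslock portmap sendmail smb snmpd snmptrapd"

# Read process names (one per line) on stdin; print each unwanted one once.
# Usage on the firewall: ps -eo comm= | unwanted_running
unwanted_running() {
    sort -u | while read -r name; do
        [ -n "$name" ] || continue
        case " $UNWANTED_PROCS " in
            *" $name "*) echo "$name" ;;
            *) case "$name" in rpc.*) echo "$name" ;; esac ;;
        esac
    done
}

# Number of unwanted processes found on stdin; 0 means the box looks minimal.
count_unwanted() {
    unwanted_running | wc -l | tr -d ' '
}

# Print the chkconfig commands that remove each unwanted service from the
# runlevels, skipping services chkconfig does not know about.  Review the
# output, then pipe it to sh to apply it.
disable_commands() {
    for svc in $UNWANTED_SERVICES; do
        echo "chkconfig --list $svc >/dev/null 2>&1 && chkconfig --del $svc"
    done
}

# Demonstration with a constructed ps listing (not real output).
SAMPLE_PS="init
syslogd
sshd
portmap
rpc.statd
smbd
httpd"
echo "unwanted processes in sample:"
printf '%s\n' "$SAMPLE_PS" | unwanted_running
echo "commands to disable the services named in the text:"
disable_commands
```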
Make sure that both the normal user and root account passwords are strong: no dictionary words, and nothing that would be easy to guess, like your car registration, partner's maiden name, etc.
Step 2. Setting Up Masquerading
Exactly how this is done depends upon whether you choose to use ipchains or iptables.
Using ipchains
It's as simple as three lines, that's all. You can give these commands (as root, obviously) to get things started or to test your setup:
ipchains -P forward DENY
ipchains -A forward -i eth1 -j MASQ
echo 1 > /proc/sys/net/ipv4/ip_forward
These three commands will set up masquerading. However, getting it set up so it's automatically restored is a little trickier, and will involve editing several files.
2.1.1 - Create a /etc/sysconfig/ipchains file
Using your favourite editor, create a file called /etc/sysconfig/ipchains and add the following lines:
:input ACCEPT
:forward DENY
:output ACCEPT
-A forward -i eth1 -j MASQ
2.1.2 - Enable the ipchains startup script
Give the command
chkconfig --level 2345 ipchains on
This sets up the ipchains script so that when the system starts up and enters any of runlevels 2, 3, 4 or 5, it will run the script /etc/rc.d/init.d/ipchains, which in turn reads the configuration file we created in the previous step and sets up the ipchains rules.
Using iptables
If your machine is based on a 2.4 kernel, iptables is a better alternative, as it is more sophisticated and capable. With iptables, the procedure is similar, but the files and command syntax are slightly different. Once again, the goal is to get the machine to boot and set things up automagically.
2.2.1 - Create a /etc/sysconfig/iptables file
The quickest and easiest way to do this is to type the following commands:
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
iptables -P INPUT DROP
service iptables save
The first four commands enter the masquerading firewall rules, while the last one saves those rules to the configuration file. Note that newer iptables releases expect the negation in the third command to be written before the option, as ! -i eth1, and warn that the -i ! eth1 form shown above is deprecated; both mean "any interface other than eth1".
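Since the most common failure with this setup is swapping the two interface names, here is an added example, not from the original article, that generates the Step 2 iptables rules in POSIX shell from named parameters after checking them. check_ifaces refuses an empty, duplicated or oddly spelled interface name before anything is interpolated into a command; masq_rules prints the commands (the modern ! -i spelling of the negation is assumed, which needs iptables 1.4.3 or later); apply_rules pipes them to sh and saves them with service iptables save as in the text. The example goes beyond the article's four rules in one respect: it also locks the FORWARD chain down to LAN-originated connections and their replies, the iptables counterpart of the -P forward DENY line in the ipchains section, which the iptables section leaves at its ACCEPT default.

```sh
#!/bin/sh
# Validate the interface names: both given, different, and containing only
# the characters an interface name can have (they are interpolated into
# commands that will be fed to sh).  Prints a reason and returns 1 on failure.
check_ifaces() {
    ext=$1 int=$2
    if [ -z "$ext" ] || [ -z "$int" ]; then
        echo "usage: check_ifaces EXTERNAL INTERNAL" >&2; return 1
    fi
    if [ "$ext" = "$int" ]; then
        echo "external and internal interface must differ (got $ext for both)" >&2; return 1
    fi
    for i in "$ext" "$int"; do
        case "$i" in
            *[!A-Za-z0-9_.:-]*) echo "bad interface name: $i" >&2; return 1 ;;
        esac
    done
    return 0
}

# True if $1 is a configured interface on this machine (assumes ifconfig, or a
# kernel with sysfs; 2.4-era boxes only have the former).
iface_exists() {
    ifconfig "$1" >/dev/null 2>&1 || [ -e "/sys/class/net/$1" ]
}

# Print the ruleset for external interface $1 and internal interface $2.
# Rules 1-4 are the article's; the FORWARD rules are the addition.
masq_rules() {
    ext=$1 int=$2
    cat <<EOF
iptables -t nat -A POSTROUTING -o $ext -j MASQUERADE
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i $ext -j ACCEPT
iptables -P INPUT DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $int -o $ext -m state --state NEW -j ACCEPT
iptables -P FORWARD DROP
EOF
}

# Check, load and save: apply_rules eth1 eth0   (or ppp0 eth0)
apply_rules() {
    check_ifaces "$1" "$2" || return 1
    for i in "$1" "$2"; do
        iface_exists "$i" || { echo "no such interface: $i" >&2; return 1; }
    done
    masq_rules "$1" "$2" | sh && service iptables save
}

# Dry run: show what would be loaded for the article's interface assignment.
check_ifaces eth1 eth0 && masq_rules eth1 eth0
```

Run masq_rules alone first and read the output; apply_rules is the only function that changes anything on the machine, and it does so only after both checks pass.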
2.2.2 - Enable the iptables startup script
Give the command
chkconfig --level 2345 iptables on
As with the ipchains example above, this will run the iptables script on startup, and apply the rules in the file created in the previous step.
Step 3. Configure the machine to perform routing
Again, use your favourite editor to edit the file /etc/sysctl.conf. Find the line
net.ipv4.ip_forward=0
and change the 0 to a 1, then save the file.
Step 4. The final test
Reboot the machine (yes, I know you don't have to do this, but we're testing that the machine will restart correctly after a power failure).
Configuring Computers on your LAN
The computers on your LAN should be given addresses from the same network as the internal interface (eth0) of the firewall. In this example, the firewall eth0 interface is on 192.168.0.254, so I would allocate workstation addresses as 192.168.0.1, 192.168.0.2, and so on. The machines should be configured to use the firewall IP address as their default route, and whatever DNS servers the ISP provides.
You now have a basic - but secure - firewall to connect a small LAN to the Internet. From this point, it is possible to add more functions and features, such as configuring a transparent proxy web server to speed web page loading or control access, or to provide more complex rules to allow some degree of inbound access.
If you are using iptables, the Webmin browser-based administration tool (http://www.webmin.com) provides a rather nice firewall configuration module.
Further Reading
The Linux IP-Masquerade HOWTO:
http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/index.html
Tech Terms
RFC - The standards that govern the Internet and TCP/IP protocols are called RFCs (Requests for Comments). You can look them up at http://www.rfc-editor.org
root - The name of the Administrator account on Linux and UNIX systems.
IP Address - For the TCP/IP protocol, the address of an interface between a computer and a network. Analogous to a telephone number.
Port - Yet another number used by the TCP and UDP protocols that identifies the application (either client or server) using a connection on a particular interface or IP address. Analogous to an extension number.
Page last updated: 07/Feb/2005
Copyright © 1987-2010 Les Bell and Associates Pty Ltd. All rights reserved.
webmaster@lesbell.com.au