Building an Internet Firewall/Gateway
By
Gary Hoggard
25th April, 2004.
Overview
This document shows how to build a machine which will act as a firewall between your
private home network and an internet connection. The machine can also be used
as a print server and file server for the home network.
The author expects that the reader has some knowledge of Unix or Linux, especially
at the shell (command) level.
There are many good tutorials available on the internet (a Google search
for "linux tutorial" will reveal several).
The firewall (shown below) will be an interface between your private home LAN
(local area network) and the public Internet.
It is assumed that your home LAN is in a "star" configuration, that is, you use a
multi-port ethernet switch connecting your PCs together.
These ethernet switches can be obtained from most computer resellers for about AUD$40.
It is also assumed that you will be connecting to the Internet via some broadband link
(such as ADSL or cable).
Be sure that your ISP (internet service provider) installs an ADSL modem or cable modem
with an ethernet port.
Some cable modems are installed via USB (universal serial bus).
These cable modems also have an ethernet port, but it would be better to get your ISP
to configure the ethernet at installation time rather than having to change it.
I have built a few of these firewalls for friends and family here in Australia.
The technology is, however, generic and should work anywhere that the assumptions (above)
are met.
I have successfully configured this for OptusNet (cable), Telstra Bigpond (cable),
and several ISPs who subcontract Telstra's ADSL network.
Now for the legal stuff... I wrote this for my own use.
If you use this, it's at your own risk and I don't guarantee or imply that any of it works.
Hardware Requirements
The best thing about this design is that any old second-hand PC can be used.
There are a few things, however, that are assumed:
- Minimum is any Pentium with at least 32MB of memory.
- Install 2 ethernet ports.
I have found that buying a second-hand PC with an on-board LAN port and
then installing a LAN card for the second port works well.
If you use a PCI LAN card, it should be automatically detected by Linux.
- Keyboard and monitor are only required for installation.
- CDROM is needed for installation but can be useful later.
- A hard disk drive of at least 2GB, although 6GB (or larger) is preferred.
If you have less than 6GB, you'll need to be familiar with the Linux installation
process so you can cut the space required.
If you have more space (or, even better, a second drive) then you can set
this up as a file share on your LAN.
- A parallel port is needed if a shared printer is required.
Installing Linux
As there are many books, documents and web sites on how to install and configure Linux,
I will not be describing it in much detail here.
As RedHat Linux is one of the most common varieties, I have shown below the answers
to the install questions for RedHat Linux version 9.
These steps can be applied (without too much modification) to any version
from RedHat Linux 7.3 onwards (including Fedora Core).
You will also find the information can readily be applied to other
distributions of Linux.
RedHat Linux 9 Installation
- Boot the install CD (CD #1) and keep clicking on "Next" until the "Installation Type"
window is showing. Select "Server" and click "Next".
- If you're not sure how to partition the disk manually (or you don't care),
select "Automatically partition" and pick the defaults until you get
to "Network Configuration".
- Set "eth1" to use DHCP (this should be the default).
This interface will connect to your ADSL or cable modem.
- Set "eth0" to not use DHCP (click the "Edit" button).
This interface will connect to your home LAN switch.
Use the following settings for "eth0":
- IP Address = 192.168.100.1
- Netmask = 255.255.255.0
- Hostname = gateway.my.home
- Gateway = 192.168.100.1
- Primary DNS = 127.0.0.1
- On the "Firewall Configuration" window, select "No firewall"
(we will configure this manually later).
- For "Additional Language Support", you may leave this as "English (USA)"
as it only affects the loaded codeset.
If you prefer, you may select whatever language(s) you wish.
- Select your timezone and set a reasonable "root" password.
- On "Package group Selection", select "Everything" (scroll to the bottom to see this).
If you have less than 6GB of disk, you will have to select your own
packages to make it fit.
The list below should help:
- Network Servers
- DNS Name Server
- Tick "Select Individual Packages" and pick the following from "Flat View":
- dhcp
- binutils(optional)
- lynx(optional, will require perl-CGI)
- macutils(optional)
- pdksh(optional)
- vnc(optional)
- vnc-server(optional)
- X-Window System (optional)
- Text-based Internet (optional)
- Mail Server (optional)
- FTP Server (optional)
- System Tools (optional)
- Load CDs #2 and #3 when prompted.
- When the "Boot Diskette Creation" window is displayed, select
"No, I don't want to create a boot diskette" and click "Next".
- On "Graphical Interface (X) Configuration", select
"Skip X configuration" and click "Next".
- On the next screen, click "Exit" and remove the last CD
when the door automatically opens (during the reboot process).
Configuring Subsystems
This section describes how to set up various services and subsystems
on your gateway server. Although the commands shown below will work,
the services are configured in a very basic way. It is advisable
to read the online manual pages for a better understanding of them.
Log in to your gateway server as root and run the commands below.
- Add your users who will need to administer the server:
adduser -c "Full Name" loginname
passwd loginname
- Copy some useful shell-scripts into /usr/local/bin:
firewall
... this one is very important!
myip
pscan
- Configure subsystems:
- Enable telnet & FTP:
chkconfig telnet on
chkconfig vsftpd on
service vsftpd start
- Allow MS-Windows® file sharing with Samba.
Edit /etc/samba/smb.conf and add:
[public]
comment = Public shared disk
path = /var/ftp/pub
browseable = yes
read only = no
public = yes
guest ok = yes
guest only = yes
guest account = nobody
Then run:
chmod 777 /var/ftp/pub
chkconfig smb on
service smb start
- DNS: (lots more to go here!)
/etc/named.conf
my.home zone file
reverse lookup zone file
chkconfig named on
service named start
- If you are using Telstra's Big Pond, then you will need Big Pond Advanced
(bpalogin). BPALogin (for Linux) is the Telstra Cable Modem
connect program for RedHat Linux 8/9.
Information about bpalogin can be found at
http://bpalogin.sourceforge.net/index.php?page=tutorial.
Run the following command to install it (you can get
the software from the link in the command).
rpm -Uvh bpalogin-2.0.2-1.i386.rpm
After installing run the following commands to configure and then start the service:
/usr/share/bpalogin/bpalogin.conf.sh
service bpalogin start
- Configure dhcpd. Dynamic host configuration protocol (DHCP)
is the communication protocol which most PCs use to automatically obtain
an IP address on a network. If you want your server to also be a
DHCP server, then download
the example /etc/dhcpd.conf file and
then run the commands:
chkconfig dhcpd on
service dhcpd start
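The "firewall" script referred to above is not reproduced on this page. The script below is an added example, not the author's script, showing the kind of iptables rule set a two-interface gateway of this design needs: default-deny for traffic to and through the box, anti-spoofing on the modem side, the services from this section (telnet, FTP, DNS, DHCP, Samba, and ssh if you use it) reachable from the home LAN only, and NAT (masquerading) for the LAN hosts. It assumes iptables is installed, eth0 faces the LAN (192.168.100.0/24), eth1 faces the modem, and it is run as root; none of the interface or port choices beyond those stated in the document are taken from the page.

```shell
#!/bin/sh
# Added example iptables firewall/NAT script for the gateway built in this
# document. Not the author's "firewall" script. Assumptions (not from the page):
# iptables is installed, eth0 = home LAN, eth1 = modem side, run as root.
# "show" prints the commands instead of running them; "apply" installs the rules.

LAN_IF=eth0
WAN_IF=eth1
LAN_NET=192.168.100.0/24
DRY_RUN=${DRY_RUN:-0}

# Run one iptables command, or just print it when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Turn on IP forwarding between the two interfaces (required for NAT to work).
enable_forwarding() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

firewall_rules() {
    # Start from a clean slate; default-deny for traffic to and through the gateway.
    ipt -F
    ipt -t nat -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback, and replies belonging to connections already opened from inside.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: packets arriving on the modem side must not claim a LAN address.
    ipt -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    ipt -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP

    # Services the gateway offers to the home LAN only (never on the modem side):
    # ftp (21), ssh (22), telnet (23), DNS (53), Samba (137-139, 445), DHCP (67).
    for port in 21 22 23 53 139 445; do
        ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$port" -j ACCEPT
    done
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p udp --dport 137:138 -j ACCEPT
    # DHCP discover packets come from 0.0.0.0, so no source-address match here.
    ipt -A INPUT -i "$LAN_IF" -p udp --sport 68 --dport 67 -j ACCEPT

    # Anything else that reaches the gateway from the Internet is logged
    # (rate limited so the log cannot be flooded) and then dropped by policy.
    ipt -A INPUT -i "$WAN_IF" -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "

    # LAN hosts may go out; hide them behind the gateway's (DHCP-assigned) public address.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

case "${1:-}" in
    apply) enable_forwarding; firewall_rules ;;
    show)  DRY_RUN=1; enable_forwarding; firewall_rules ;;
    *)     echo "usage: $0 apply|show" ;;
esac
```

Run "sh firewall show" first to review the commands it would issue, then "sh firewall apply" as root. MASQUERADE rather than SNAT is used because the modem-side address is obtained by DHCP and can change; the rate-limited LOG rule gives you a record in /var/log/messages of what the Internet side is probing without letting that record fill the disk.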
Configuring Your PC for the Home LAN
If you have configured your server to be a DHCP server, then your PC's network
configuration should be set for "Automatic". If you wish to manually configure
your PC's network interface, then you will need the following information:
IP address = 192.168.100.x where 'x' is a unique number from 2 to 254
Netmask = 255.255.255.0
Gateway = 192.168.100.1
Primary DNS = 192.168.100.1
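The example /etc/dhcpd.conf linked from the dhcpd step is not included on this page. The fragment below is an added example (not the author's file) of the server-side counterpart of the settings just listed: it hands out the gateway and DNS addresses from this document to PCs set to "Automatic". It assumes the ISC dhcpd shipped with RedHat 9; the lease pool 192.168.100.100 to 192.168.100.200 and the lease times are choices made here, not values from the page.

```conf
# Added example /etc/dhcpd.conf for the home LAN in this document.
# Not the author's file. Assumes ISC dhcpd 3.x (as shipped with RedHat 9);
# the address pool and lease times below are chosen here, not from the page.
ddns-update-style none;
authoritative;

subnet 192.168.100.0 netmask 255.255.255.0 {
    # Addresses handed out automatically; leaves 2-99 free for PCs
    # configured manually as described above.
    range 192.168.100.100 192.168.100.200;
    option routers 192.168.100.1;
    option domain-name-servers 192.168.100.1;
    option domain-name "my.home";
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.100.255;
    default-lease-time 86400;
    max-lease-time 172800;
}
```

On RedHat the init script reads /etc/sysconfig/dhcpd; putting DHCPDARGS=eth0 there keeps dhcpd listening on the LAN interface only, so the server never answers DHCP requests arriving from the modem side.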
----=== end of document ===----