This paper includes my notes on setting up my Linux box as a firewall and on providing IP forwarding with masquerading for a private network. All I know I learned from the excellent articles in the next section.
In order to get the kernel talking to the Ethernet card that PacBell delivered, I added the following to /etc/conf.modules:

alias eth1 tulip
I had to obtain and install the latest version of DHCP (1.0.2) to handle both Ethernet cards.
I reconfigured the kernel, which should be 2.2.X, as follows:
CONFIG_IP_FIREWALL=y
CONFIG_IP_ALWAYS_DEFRAG=y
CONFIG_IP_TRANSPARENT_PROXY=y
CONFIG_IP_MASQUERADE=y
CONFIG_IP_MASQUERADE_ICMP=y
CONFIG_IP_NOSR=y
Note that I didn't turn on CONFIG_EXPERIMENTAL, as the HOWTOs suggest, and it worked just the same.
See Section 3 of RFC 1918 for the IP addresses you should use on your private network. You can also simply use the network that I've used in the initialization file below [192.168.69.0].
ipchains is used for packet filtering and replaces ipfwadm in newer kernels. It currently handles masquerading, but the masquerading commands are expected to be pulled out into their own command in the future.
I've put these commands after my first Ethernet commands in /etc/init.d/network.local and symlinked it from /etc/rcS.d/S40network.local so they get run at boot time.
Notes:

Packets matched by the logging rule (-l) at the end of the script are reported in /var/log/syslog. You'll want to keep an eye on this to see which ports you may wish to open, or to watch losers get snuffed by your firewall.
#! /bin/sh
#
# Local network configuration.
#
IP=209.233.16.176

# Configure first Ethernet card connected to Internet as default gateway.
ifconfig eth0 $IP > /dev/null 2>&1
route add default gw 209.233.16.254

# Set up IP forwarding.
ipchains -F forward
ipchains -P forward DENY
echo "1" > /proc/sys/net/ipv4/ip_forward

# Configure second Ethernet on private network. Forward and masquerade
# packets going to Internet.
ifconfig eth1 192.168.69.1 > /dev/null 2>&1
ipchains -A forward -j MASQ -s 192.168.69.0/24 -d 0.0.0.0/0

# Firewalling.
ipchains -F input
ipchains -P input REJECT

# ICMP and local packets cool.
ipchains -A input -p icmp -j ACCEPT
ipchains -A input -i lo -j ACCEPT

# As are local networks.
ipchains -A input -i ppp0 -j ACCEPT
ipchains -A input -i eth1 -j ACCEPT

# Open various ports: the local web server, then replies from remote
# web servers (source port www/https) to unprivileged local ports.
ipchains -A input -p tcp -d $IP www -j ACCEPT
ipchains -A input -p udp -d $IP www -j ACCEPT
ipchains -A input -p tcp -s 0.0.0.0/0 www -d $IP 1024: -j ACCEPT
ipchains -A input -p tcp -s 0.0.0.0/0 https -d $IP 1024: -j ACCEPT

# RealAudio input stream (see RealNetworks RealSystem Firewall Support).
ipchains -A input -p udp -s 0.0.0.0/0 1024: -d $IP 6970:7170 -j ACCEPT

# Log anything that fell through (no -j target: the packet is logged and
# then hits the REJECT policy).
ipchains -A input -d $IP -l
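The logging rule at the end of the script writes one syslog line per packet that fell through, and the note above leaves the reader to judge from those lines which ports to open. Counting hits per destination port makes that judgement quicker. The following is an added example, not code from the original page or its author; it assumes the "Packet log:" line format that the 2.2 kernel emits for ipchains -l, works on constructed sample lines rather than a real capture, and the function names summarize_log, top_hit and distinct_hits are my own:

```shell
#!/bin/sh
# Added example (not from the original page): summarise ipchains "-l" log
# lines from /var/log/syslog by chain, target, protocol and destination
# port, so you can see which ports are being hit and what the REJECT
# policy is catching.  Assumes the kernel 2.2 "Packet log:" format, e.g.
#   Packet log: input REJECT eth0 PROTO=6 10.1.2.3:1025 209.233.16.176:23 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#12)

# Constructed sample log (not a real capture), modelled on that format.
# The last line is an unrelated syslog entry that must be ignored.
SAMPLE_LOG='Jan  1 00:00:01 fw kernel: Packet log: input REJECT eth0 PROTO=6 10.1.2.3:1025 209.233.16.176:23 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#12)
Jan  1 00:00:02 fw kernel: Packet log: input REJECT eth0 PROTO=6 10.1.2.3:1026 209.233.16.176:23 L=60 S=0x00 I=2 F=0x4000 T=64 SYN (#12)
Jan  1 00:00:03 fw kernel: Packet log: input REJECT eth0 PROTO=17 10.9.9.9:1234 209.233.16.176:53 L=60 S=0x00 I=3 F=0x0000 T=64 (#12)
Jan  1 00:00:04 fw kernel: Packet log: input REJECT eth0 PROTO=6 10.4.4.4:40000 209.233.16.176:22 L=60 S=0x00 I=4 F=0x4000 T=64 SYN (#12)
Jan  1 00:00:05 fw kernel: Packet log: input REJECT eth0 PROTO=6 10.1.2.3:1027 209.233.16.176:23 L=60 S=0x00 I=5 F=0x4000 T=64 SYN (#12)
Jan  1 00:00:06 fw sshd[123]: Accepted publickey for bill from 192.168.69.2'

# summarize_log: read syslog lines on stdin and print one line per
# "chain target proto dport" combination, prefixed by its count, most
# frequent first.  Lines that are not ipchains packet logs are skipped.
summarize_log() {
    awk '
        /Packet log:/ {
            # Locate the "log:" token; the tokens after it are
            # chain target iface PROTO=n src:sport dst:dport ...
            # (for ICMP the two port positions carry type and code).
            for (i = 1; i <= NF; i++) if ($i == "log:") break
            chain = $(i + 1); target = $(i + 2)
            proto = substr($(i + 4), 7)          # strip "PROTO="
            if (proto == "6") proto = "tcp"
            else if (proto == "17") proto = "udp"
            else if (proto == "1") proto = "icmp"
            n = split($(i + 6), part, ":")       # dst:dport -> dport
            count[chain " " target " " proto " " part[n]]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# top_hit: the busiest "count chain target proto dport" line in SAMPLE_LOG.
top_hit() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_log | head -n 1
}

# distinct_hits: number of distinct chain/target/proto/port combinations seen.
distinct_hits() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_log | wc -l | tr -d ' '
}

# On a live box: summarize_log < /var/log/syslog
printf '%s\n' "$SAMPLE_LOG" | summarize_log
```

A high count against a port you intend to serve means its ACCEPT rule is missing or sits after the logging rule; counts against ports you do not serve are the losers the note mentions and need no action. One thing the summary will not show is that the two return-traffic rules in the script match on the remote source port alone, so any TCP packet sent from port 80 or 443 to a local port above 1023 is accepted; ipchains' ! -y match (TCP packets other than a bare SYN) restricts such rules to replies to connections this box opened itself.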
Copyright © 1999, 2001 Bill Wohler. Last modified: 2001.