|Homemade Firewall with Linux|
Why, oh why ...You go to your local pop 'n mom computer-shop and for less than 200 bucks you get yourself a nice little Linksys (or D-Link, 3COM, etc.) box, that functions as a switch, router, dhcp-server, firewall, web-server ... you name it. So why would you want to make one yourself. Well, if the endproduct is all that matters, probably better spend those 200 bucks, because those boxes are pretty good. On the other hand, if you are in for some fun and you want to learn a lot about networking, tcp/ip, inet deamons and filtering, better read on.
The real issue :-) was, that I had such a nice little box (10 x 15 x 25 cm) with in it a single-board high-speed 486, 64 Mb RAM, a passive backplane for 3 other boards and just enough space for a 3.5 inch harddrive. And that all in an industrial enclosure. Well, that asks for a project ...
So, I wanted to build my own "Linksys" box. Purpose was to connect the 5-7 computers in my home (WinXX, Linux, Next, etc.) to a LAN and then to link them all to my ISP's cable modem for Internet access. I do figure, that this is today nothing special.
The reason for writing this story, is not that there are no good HOWTOs. But while building this system, I discovered some things found in none of those docs. And this story is not generic, but is therefore very specific, given that your ingredients are similar to mine.
The stuffOK, time to get to the facts. As a cookbook would do, we start with the ingredients. Not so much to have you rushing to the shop for buying the missing parts, but more to let you figure out up front if your situation is similar or not.
All in all, pretty basic, nothing fancy. The Linux kernel version is rather important, because for the last three Linux kernel versions (2.0, 2.2 and 2.4) each time the packet filtering, required a substancial rewrite. Version 2.2, goes hand in hand with the IPCHAINS software for firewall filtering. So, be careful, because the next Redhat version (7.1 ?) will probably be based on the new kernel.
Dual networkIn my case this was finally the hardest part. And it looked so simple. What I wanted was one of my 3C509's talking to the LAN through a BNC interface and the other connected to the cable-modem through an RJ45 interface. I knew about the 3C509CFG.EXE program (DOS only) to disable the PNP functionality and to set the parameters. And I had wrestled before with the 3c509.o loadable kernel modules before. This would be easy ... at least I thought.
To keep this document from becoming a 500 page novel, I will tell you only the end of the story, which is what I did, why that works and in many cases why other solutions will not work. Let's go:
So far so good. By reading the previous paragraphs, you have saved yourself at least 12 hours strugling. At least that's what I really hope, but I know that YMMV, because no situation is the same. In which case this recipe is helas not applicable to your case.
As you probably have discovered by now, my LAN will be a traditional BNC coax type. And I decided to use fixed IP addresses in the 192.168.0.XXX range. For the cable-modem, I use an RJ45 cross-over cable to the modem and my ISP gives me a dynamic address, but with a very long-term DHCP lease.
Installing RedhatWhy redhat ... don't know. At least no real preference from my side and I will be the last to start a holy war on that topic. But of course, this story is bound to the RedHat distribution and more specific to the installation procedure of version 7.0. I'm not going to explain here how to install Linux. Read at other places about boot-floppies, partitioning and such. Keep it simple, I would say.
When asked for the type of installation, choose "Custom". And when lateron asked for the packages, de-select all options. So, no printing, no networked workstation, no X-Windows, no compilers, etc. This box is becoming a firewall and we want to keep it as (c)lean as possible. The good news is also that you will only install 200 Mb, so it will not take too long.
When all is done, you choose your passwords, you set the time and let the system reboot. Which should go fine.
Redhat comes with a whole buch of admin tools, but we are going to ignore those. For more generic situations they are fine, but here we want more control and we want to know exactly what we are doing.
So, first install (rpm -i) a few more packages:
Next edit or create the following configuration files.
At this moment you are far enough to reboot the box, see if all starts (keep your fingers crossed) and check out if the network is functioning. As promised before, it is here that it becomes important that eth0 is the one to your cable modem and not the other way round. When you would use eth0 for your home-LAN, the DHCP connection to your ISP, starts as the second connection, which in my case resulted in a 2-3 min wait before it managed to connect. That is not normal and has probably to do with the old 3C509s. I first solved it by not starting eth0 through the ifcfg-eth0 file (ONBOOT="no" does the trick) and then in rc.local I would start eth0 with an "ifup eth0" command. That's rather dirty! So, I later reconfigured the two NIC boards and swapped eth0 and eth1.
Back to the main story. You should be able to ping to your PC, ping from the PC to 192.168.0.1 and your DHCP to your ISP should allow you to ping from your firewall to for example www.yahoo.com or such. Check your configuration with the command "ifconfig".
Firewall configurationFirst read the IP-Masquerade-HOWTO. [... to be done ...]
Wrapping upHope this was helpful. It isn't as difficult as it looks to be before you start. If you have the old parts lying around, it's an easy way to save yourself a few hundred bucks. And you can make it exactly as you like it.
If this page has been helpful, let me know, I can cope with some compliments ;-).