Homemade Firewall with Linux


Why, oh why ...

You go to your local mom 'n pop computer shop and for less than 200 bucks you get yourself a nice little Linksys (or D-Link, 3COM, etc.) box that functions as a switch, router, DHCP server, firewall, web server ... you name it. So why would you want to make one yourself? Well, if the end product is all that matters, you had probably better spend those 200 bucks, because those boxes are pretty good. On the other hand, if you are in for some fun and you want to learn a lot about networking, TCP/IP, inet daemons and filtering, read on.

The real issue :-) was that I had such a nice little box (10 x 15 x 25 cm) with inside it a single-board high-speed 486, 64 MB RAM, a passive backplane for 3 other boards and just enough space for a 3.5 inch hard drive. And all that in an industrial enclosure. Well, that asks for a project ...

So, I wanted to build my own "Linksys" box. The purpose was to connect the 5-7 computers in my home (WinXX, Linux, NeXT, etc.) to a LAN and then to link them all to my ISP's cable modem for Internet access. I realise that nowadays this is nothing special.

The reason for writing this story is not that there are no good HOWTOs. But while building this system, I discovered some things found in none of those docs. So this story is not generic but very specific, and it applies to you only if your ingredients are similar to mine.

The stuff

OK, time to get to the facts. As a cookbook would, we start with the ingredients. Not so much to have you rushing to the shop to buy the missing parts, but more to let you figure out up front whether your situation is similar or not.

  • A CPU board with an Intel 486, 133 MHz and 64 MB RAM. For this application, you can easily do with less.
  • Two 3COM 3C509B Ethernet NICs. I had the type with AUI, BNC and RJ45 connectors.
  • A 500 MB drive. I had bigger ones in the drawer, but this one made the least noise.
  • Redhat 7.0 (Guinness), which is based on the Linux 2.2.16 kernel.
  • Temporarily you need a CD-ROM drive and, if your CD doesn't boot, also a floppy drive.

All in all, pretty basic, nothing fancy. The Linux kernel version is rather important, because for each of the last three Linux kernel versions (2.0, 2.2 and 2.4) the packet filtering required a substantial rewrite. Version 2.2 goes hand in hand with the IPCHAINS software for firewall filtering. So be careful, because the next Redhat version (7.1 ?) will probably be based on the new kernel.

Dual network

In my case this was in the end the hardest part. And it looked so simple. What I wanted was one of my 3C509s talking to the LAN through a BNC interface and the other connected to the cable modem through an RJ45 interface. I knew about the 3C509CFG.EXE program (DOS only) to disable the PNP functionality and to set the parameters. And I had wrestled with the 3c509.o loadable kernel module before. This would be easy ... at least I thought so.

To keep this document from becoming a 500 page novel, I will tell you only the end of the story, which is what I did, why that works and in many cases why other solutions will not work. Let's go:

  • With these two boards in one Linux box, the one with the lowest MAC address will become eth0 and the other eth1. This is written in none of the HOWTOs and it took me a full weekend to learn it the hard way. The IRQs, the I/O addresses, the slots they are in: that is all irrelevant, it is the MAC that matters.
  • As we will see later, the board that connects to the cable modem must become interface eth0 (not eth1). So at this point you must determine which board has the lowest MAC address and configure that one for your cable modem connection. In my case that was "IRQ=10, IO=0x300, TP=RJ45".
  • Using the 3C509CFG.EXE program, I configured the other board, which would become eth1, as "IRQ=11, IO=0x310, TP=BNC". You must check that those IRQs and I/O addresses are free in your PC, and you could gamble on AUTO TP detection, but I prefer to fix this kind of thing. And of course, you must disable Plug 'n Pray.
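A small check for the ordering rule above, added here and not part of the original page: it reads ifconfig output of the 2.2-era format (the "HWaddr" column) and reports which interface got the lowest MAC, so you can match that MAC against what 3C509CFG.EXE shows for each board and confirm the cable-modem board really became eth0. The sample output is constructed.

```sh
#!/bin/sh
# Added example (not from the original page). Prints the interface whose
# MAC address is the lowest in ifconfig output read from stdin; on a 2.2
# kernel with two 3c509 boards that is the one the driver names eth0.
lowest_mac_if() {
    awk '/HWaddr/ {
             mac = toupper($5)
             if (low == "" || mac < low) { low = mac; name = $1 }
         }
         END { if (name != "") print name }'
}

# Returns 0 when eth0 holds the lowest MAC (what the 3c509 driver does),
# 1 when it does not, which means the boards are wired the wrong way round.
check_eth0_order() {
    if [ "$(lowest_mac_if)" = eth0 ]; then
        echo "ok: eth0 has the lowest MAC, it is the cable-modem board"
    else
        echo "warning: the other board has the lowest MAC, swap the NIC configs"
        return 1
    fi
}

# Constructed sample ifconfig output (MAC and IP addresses are made up).
sample='eth0      Link encap:Ethernet  HWaddr 00:50:04:0A:0B:0C
eth1      Link encap:Ethernet  HWaddr 00:50:04:1A:2B:3C
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
lo        Link encap:Local Loopback'

printf '%s\n' "$sample" | check_eth0_order
```

On the real box, run `ifconfig -a | sh thisscript.sh` style: pipe `ifconfig -a` into `check_eth0_order` instead of the sample.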

So far so good. By reading the previous paragraphs, you have saved yourself at least 12 hours of struggling. At least that's what I really hope, but I know that YMMV, because no two situations are the same. In that case this recipe is alas not applicable to your case.

As you probably have discovered by now, my LAN will be a traditional BNC coax type. And I decided to use fixed IP addresses in the 192.168.0.XXX range. For the cable modem, I use an RJ45 cross-over cable to the modem and my ISP gives me a dynamic address, but with a very long-term DHCP lease.

Installing Redhat

Why Redhat ... don't know. At least no real preference from my side and I will be the last to start a holy war on that topic. But of course, this story is bound to the RedHat distribution and more specifically to the installation procedure of version 7.0. I'm not going to explain here how to install Linux. Read elsewhere about boot floppies, partitioning and such. Keep it simple, I would say.

When asked for the type of installation, choose "Custom". And when later on asked for the packages, de-select all options. So, no printing, no networked workstation, no X-Windows, no compilers, etc. This box is becoming a firewall and we want to keep it as (c)lean as possible. The good news is also that you will only install 200 MB, so it will not take too long.

When all is done, you choose your passwords, you set the time and let the system reboot. Which should go fine.

Network configuration

Redhat comes with a whole bunch of admin tools, but we are going to ignore those. For more generic situations they are fine, but here we want more control and we want to know exactly what we are doing.

So, first install (rpm -i) a few more packages:

  • xinetd-2.1.8.9pre9-6
  • tcp_wrappers-7.6-15
  • dhcp-2.0-12 (dhcpcd should already be installed)
  • ipchains-1.3.9-17
  • iputils-20000418-6
  • telnet-0.17-7
  • telnet-server-0.17-7
  • wu-ftpd-2.6.1-6

When installing xinetd, it will complain about a dependency on Python. But that is only needed for converting old config files. So with "rpm --nodeps -i" you have to force it to install.

Next edit or create the following configuration files.

  • /etc/sysconfig/network - do mind the forward parameter
    NETWORKING=yes
    HOSTNAME="mybox"
    GATEWAY=""
    GATEWAYDEV=""
    FORWARD_IPV4="yes"
    
  • /etc/sysconfig/network-scripts/ifcfg-eth0 - a new file to start eth0, which connects to the cable modem:
    DEVICE="eth0"
    ONBOOT="yes"
    BOOTPROTO="dhcp"
    IPADDR=""
    NETMASK=""
    
  • /etc/sysconfig/network-scripts/ifcfg-eth1 - a new file to start eth1, which connects to the LAN:
    DEVICE="eth1"
    ONBOOT="yes"
    BOOTPROTO="none"
    IPADDR="192.168.0.1"
    NETMASK="255.255.255.0"
    
  • /etc/modules.conf - this one was tricky, because the 3C509 driver doesn't allow you to specify the I/O address and, as said before, the lowest MAC always becomes eth0. There are probably more ways to do this (like "options 3c509 irq=10,11"), but this one worked for me:
    alias eth0 3c509
    options eth0 -o 3c509 irq=10
    alias eth1 3c509
    options eth1 -o 3c509 irq=11
    alias parport_lowlevel parport_pc
    
  • /etc/hosts - and add some nodes to your hosts file, at least the firewall itself:
    127.0.0.1 localhost.localdomain localhost
    192.168.0.1 mybox.mylan mybox
    192.168.0.69 mypc.mylan mypc
    

At this moment you are far enough to reboot the box, see if everything starts (keep your fingers crossed) and check whether the network is functioning. As promised before, it is here that it becomes important that eth0 is the one to your cable modem and not the other way round. If you use eth0 for your home LAN, the DHCP connection to your ISP starts as the second connection, which in my case resulted in a 2-3 min wait before it managed to connect. That is not normal and probably has to do with the old 3C509s. I first solved it by not starting eth0 through the ifcfg-eth0 file (ONBOOT="no" does the trick) and then starting eth0 from rc.local with an "ifup eth0" command. That's rather dirty! So, I later reconfigured the two NIC boards and swapped eth0 and eth1.

Back to the main story. You should be able to ping your PC, ping 192.168.0.1 from the PC, and your DHCP lease from your ISP should allow you to ping from your firewall to, for example, www.yahoo.com or such. Check your configuration with the command "ifconfig".

Firewall configuration

First read the IP-Masquerade-HOWTO. [... to be done ...]
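The rule set itself is still to be written above; as an added example that is not the author's own configuration, here is an ipchains 1.3.x script for exactly this layout: eth0 to the cable modem (DHCP from the ISP), eth1 to the LAN on 192.168.0.0/24, kernel 2.2 with FORWARD_IPV4 enabled. The interface names and LAN range are taken from the configuration files above; the IPCHAINS variable is my addition so the rules can be previewed with "preview" before being applied with "apply".

```sh
#!/bin/sh
# Added example (not from the original page): ipchains rules for a 2.2
# kernel box with eth0 to the cable modem and eth1 to the 192.168.0.0/24 LAN.
# Run as "sh firewall.sh preview" to see the commands, "sh firewall.sh apply"
# to load them. IPCHAINS=echo turns every rule into a printed line.
IPCHAINS=${IPCHAINS:-/sbin/ipchains}
EXT_IF=eth0            # cable modem side
INT_IF=eth1            # LAN side
LAN=192.168.0.0/24

apply_rules() {
    # Start clean; nothing comes in or is forwarded unless a rule says so.
    $IPCHAINS -F
    $IPCHAINS -P input DENY
    $IPCHAINS -P forward DENY
    $IPCHAINS -P output ACCEPT

    # Loopback and the LAN side are trusted (telnet/ftp servers are LAN only).
    $IPCHAINS -A input -i lo -j ACCEPT
    $IPCHAINS -A input -i $INT_IF -s $LAN -j ACCEPT

    # Anti-spoofing: private or loopback source addresses never arrive
    # legitimately from the modem; drop and log them (-l).
    for net in $LAN 10.0.0.0/8 172.16.0.0/12 127.0.0.0/8; do
        $IPCHAINS -A input -i $EXT_IF -s $net -j DENY -l
    done

    # The DHCP lease from the ISP comes in on the cable side (udp 67 -> 68).
    $IPCHAINS -A input -i $EXT_IF -p udp -s 0/0 67 -d 0/0 68 -j ACCEPT

    # Replies to connections the LAN opened. ipchains is stateless, so the
    # best we can do is accept TCP without SYN, DNS answers and ICMP;
    # new connections from the Internet (SYN) still hit the DENY policy.
    $IPCHAINS -A input -i $EXT_IF -p tcp ! -y -j ACCEPT
    $IPCHAINS -A input -i $EXT_IF -p udp -s 0/0 53 -j ACCEPT
    $IPCHAINS -A input -i $EXT_IF -p icmp -j ACCEPT

    # Masquerade LAN traffic leaving through the cable side; nothing else
    # is forwarded. De-masqueraded replies do not pass the forward chain.
    $IPCHAINS -A forward -i $EXT_IF -s $LAN -j MASQ
}

case "${1:-}" in
    apply)   apply_rules ;;
    preview) IPCHAINS=echo; apply_rules ;;
    *)       echo "usage: $0 apply|preview" >&2 ;;
esac
```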

Wrapping up

Hope this was helpful. It isn't as difficult as it looks before you start. If you have the old parts lying around, it's an easy way to save yourself a few hundred bucks. And you can make it exactly as you like it.

If this page has been helpful, let me know, I can cope with some compliments ;-).




  Willem van Schaik, Calgary, June 2002     http://www.schaik.com/wwwillem.html