This article describes how to set up a gateway/firewall system using Linux Mint 8. Prerequisites include two network interfaces, one on the local LAN and the other connected to the internet. The diagram below indicates the configuration I will be using, which is typical for this type of network. Modify your IP addressing and interface names accordingly..
The Gateway box running Linux Mint has two network interfaces:
- eth0 has a Class-C IP of 192.168.0.1 and faces inward to the Local Area Network (LAN),
- eth1 has a Class-A IP of 10.0.0.5 and faces outwards to an ADSL router.
All systems on the LAN use the same Class-C IP Address range (192.168.0.x) and each looks to the eth0 network interface on the Gateway for their Default Gateway and DNS (192.168.0.1).
Part 1a - Configuring the network interfaces
With your head full of numbers it is easy to forget which interface is which. Running the ifconfig command indicates the MAC Address (or hardware address) of each interface, seen with the abbreviation HWaddr. This is a hexadecimal number which is (mostly) hard-coded into the network interface chip. Make a note of the interface name, MAC Address and IP Address as you will be referring to them a lot..
eth0 00:02:a5:1a:27:9b 192.168.0.1 (inward-facing)
eth1 00:20:18:a2:09:86 10.0.0.5 (outward-facing)
Although Mint offers a fine Graphical User Interface, on a server I consider such things at best surplus to requirements and at worst a potential drain on system resources, particularly on slower machines. I prefer to configure my systems through the powerful Unix command interface, remotely via an SSH connection. See SSH on Linux Mint for installing OpenSSH.
To modify the networking configuration, invoke your favourite text editor..
sudo vi /etc/network/interfaces
Configure both network interfaces with their respective settings. Leave the loopback configuration at the top of the file as it is..
#Loopback network interface
auto lo
iface lo inet loopback
Note there is no gateway setting for eth0 as 192.168.0.1 is by definition the gateway for all other systems on the network (i.e. you are building the gateway)..
#Primary network interface
auto eth0
iface eth0 inet static
address 192.168.0.1
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
Note that eth1 has its gateway setting as the IP Address of the inward-facing network interface on the ADSL router (the outward interface being the telephone line)..
#Secondary network interface
auto eth1
iface eth1 inet static
address 10.0.0.5
netmask 255.0.0.0
network 10.0.0.0
# broadcast must match the /8 netmask above (10.0.0.255 would only be correct for a /24)
broadcast 10.255.255.255
gateway 10.0.0.1
Save and exit from the editor (note that on Debian and other Linux systems, sometimes the first interface is referred to as eth0 and the second interface as eth0:0).
Finally restart the network system (no reboot necessary) to register the new settings..
sudo /etc/init.d/networking restart
Do not set either interface to obtain an IP Address from a DHCP Server. Servers should always have static IPs and not be reliant on another system for their network settings.
Continue to the next stage only when you can ping other systems on both sides of the server (including the web)..if not, check all settings and cables.
# ping 10.0.0.123
PING 10.0.0.123 (10.0.0.123) 56(84) bytes of data.
64 bytes from 10.0.0.123: icmp_seq=1 ttl=128 time=1.75 ms
64 bytes from 10.0.0.123: icmp_seq=2 ttl=128 time=0.959 ms
# ping 192.168.0.66
PING 192.168.0.66 (192.168.0.66) 56(84) bytes of data.
64 bytes from 192.168.0.66: icmp_seq=1 ttl=128 time=0.552 ms
64 bytes from 192.168.0.66: icmp_seq=2 ttl=128 time=0.481 ms
Part 1b - Other network settings
There are another couple of important settings. To modify the machine's hostname, invoke your editor-of-choice (as root, since the file lives in /etc)..
sudo vi /etc/hostname
After that, point the gateway box to the nearest DNS Server - usually the internal IP Address of the ADSL router. Also specify the name of the local domain..
sudo vi /etc/resolv.conf
domain dungeon.net
search dungeon.net
nameserver 10.0.0.1
Part 2 - Install DNS
In its spanky new role as the LAN's default gateway, the box will also need to run a DNS service in its own right, to help speed up the resolution of host names to IP Addresses. Installing the DNS Service is a piece of piss..
sudo apt-get install bind9
..even my mother could do that.
Part 3 - Install IP Masquerading
From help.ubuntu.com..
The purpose of IP Masquerading is to allow machines with private, non-routable IP addresses on your network to access the Internet through the machine doing the masquerading. Traffic from your private network destined for the Internet must be manipulated for replies to be routable back to the machine that made the request. To do this, the kernel must modify the source IP address of each packet so that replies will be routed back to it, rather than to the private IP address that made the request, which is impossible over the Internet. Linux uses Connection Tracking (conntrack) to keep track of which connections belong to which machines and reroute each return packet accordingly. Traffic leaving your private network is thus "masqueraded" as having originated from your Ubuntu gateway machine. This process is referred to in Microsoft documentation as Internet Connection Sharing.
IP masquerading is closely tied with firewalling and from this point on, much experimentation with different settings needs to occur in order to tailor a gateway/firewall system which suits individual needs. To get started, grab ipmasq.txt which contains some rudimentary rulesets.
Modify the file's EXTIF= and INTIF= entries to reflect the names of the interfaces on your gateway.
Copy and paste the code into a script in your text editor..
sudo vi /bin/ipmasq.sh
..and after saving, make the script executable..
sudo chmod 755 /bin/ipmasq.sh
Run the script as root and note any output. It should work as-is..
sudo /bin/ipmasq.sh
Then test the internet connection from another workstation on the LAN..
To make the script run at boot time on the gateway, copy it to the init.d directory..
sudo cp /bin/ipmasq.sh /etc/init.d/ipmasq.sh
..and make a symlink to rc2.d using the following name..
sudo ln -s /etc/init.d/ipmasq.sh /etc/rc2.d/S95masquradescript
Reboot the gateway and test the internet connection again.
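For readers who want to see what a script of the ipmasq.txt kind does before running it, here is an added example in the same shape (it is not that file and not part of this article). It uses the interface names and LAN range from the diagram above; the ipmasq_rules function only prints the iptables commands so they can be reviewed, and "apply" as the first argument runs them. Defaults are deny-by-default for INPUT and FORWARD, with only LAN-originated traffic and its replies forwarded, before MASQUERADE rewrites the source address on the outward interface.

```shell
#!/bin/sh
# Added example of a minimal masquerading ruleset; assumptions: the interface
# names and LAN range follow the article's diagram, and iptables' state match
# (conntrack) is available, as it was on Mint 8.
EXTIF="eth1"            # outward-facing, towards the ADSL router
INTIF="eth0"            # inward-facing, the LAN
LANNET="192.168.0.0/24" # the LAN's private, non-routable range

# Print the rules instead of applying them, so they can be reviewed first.
ipmasq_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $INTIF -s $LANNET -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -s $LANNET -j ACCEPT
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXTIF -s $LANNET -j MASQUERADE
EOF
}

# Apply the ruleset (needs root): sudo sh /bin/ipmasq.sh apply
if [ "${1:-}" = "apply" ]; then
    ipmasq_rules | sh -e
fi
```

Note that the FORWARD policy is DROP, so anything arriving on eth1 that is not a reply to a LAN connection is discarded rather than forwarded inward.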
Further Resources
What happens next depends on the nature of the firewall and what rulesets are required. As usual, the ether abounds with helpful resources..
http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/
http://ubuntuforums.org/showthread.php?t=119787
https://help.ubuntu.com/9.04/serverguide/C/firewall.html
- A.