How to setup Linux as a Router / Firewall

Thanks http://www.akadia.com/services/linux_tips.html

One of the great features of Linux is how easily it can be installed and configured as an IP router and firewall. You can masquerade the internal LAN, the so-called trusted network, which normally uses addresses from a private, non-routable range (e.g. 192.168.x.x). Two steps are needed for this configuration; in the following example the trusted (masqueraded) network is 192.168.138.0/24. The steps are:

  • Install two network cards in the PC and assign an IP address to each of them.

  • Configure the IP masquerading software on this Linux machine.

Install two network cards in the PC and assign an IP address to each of them

Install the network cards and assign an IP address to each of them using the following scripts in /etc/sysconfig/network-scripts on RedHat Linux. In this example eth0 faces the trusted LAN (192.168.138.0/24) and eth1 faces the outside (192.168.126.0/24).

Script: ifcfg-eth0 (first LAN card, trusted side)

DEVICE=eth0
IPADDR=192.168.138.200
NETMASK=255.255.255.0
NETWORK=192.168.138.0
BROADCAST=192.168.138.255
ONBOOT=yes
BOOTPROTO=none
USERCTL=yes
GATEWAY=192.168.126.200

Script: ifcfg-eth1 (second LAN card, external side)

DEVICE=eth1
IPADDR=192.168.126.200
NETMASK=255.255.255.0
NETWORK=192.168.126.0
BROADCAST=192.168.126.255
ONBOOT=yes
BOOTPROTO=none
USERCTL=yes
GATEWAY=192.168.138.200

Two settings in these files need attention before the box goes into service. GATEWAY is the default route of the whole host, so it must name the upstream router on the external side (a 192.168.126.x address that is not one of this machine's own) and it belongs in only one of the two files; as written above, each file points at the machine's other interface, which is not a usable default route. USERCTL=yes lets unprivileged local users bring the interface up or down; on a router/firewall set USERCTL=no on both cards.

After you have rebooted the machine (or restarted networking with /etc/rc.d/init.d/network restart), check that both LAN devices are configured correctly with the command ifconfig:

eth0 Link encap:Ethernet HWaddr 00:01:02:0F:1A:85
inet addr:192.168.138.200 Bcast:192.168.138.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:146003 errors:0 dropped:0 overruns:1 frame:0
TX packets:100427 errors:0 dropped:0 overruns:0 carrier:0
collisions:500 txqueuelen:100
Interrupt:10 Base address:0x6e00

eth1 Link encap:Ethernet HWaddr 00:01:02:0F:1B:3C
inet addr:192.168.126.200 Bcast:192.168.126.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:13249 errors:0 dropped:0 overruns:0 frame:0
TX packets:14200 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
Interrupt:15 Base address:0x6d00
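The two ifcfg files are easy to get subtly wrong, and a mistake there undermines the firewall before a single rule is loaded. The following checker is an added example and not part of the original page: it parses RedHat-style ifcfg files, recomputes NETWORK and BROADCAST from IPADDR and NETMASK, flags a GATEWAY that is off the interface's own subnet or is one of the host's own addresses, flags USERCTL=yes, and warns when more than one file sets a default gateway. The fixture functions reproduce the page's two files verbatim and a corrected pair; the upstream router address 192.168.126.1 in the corrected pair is an assumption.

```sh
#!/bin/sh
# ifcfg-lint: sanity checks for RedHat-style ifcfg-* files on a two-NIC
# router. Added example, not part of the original page. It reads the
# KEY=VALUE files, recomputes NETWORK/BROADCAST from IPADDR and NETMASK,
# and flags a GATEWAY that cannot work or a USERCTL that weakens a firewall.
# Usage: sh ifcfg-lint.sh /etc/sysconfig/network-scripts/ifcfg-eth*

# Dotted quad -> integer.
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Value of KEY in an ifcfg file (empty if unset).
cfg() { sed -n "s/^$2=//p" "$1" | head -n 1; }

# Print one finding per line for the given ifcfg files of one host.
lint_ifcfg() {
    own=""; gws=0
    for f in "$@"; do own="$own $(cfg "$f" IPADDR)"; done
    for f in "$@"; do
        dev=$(cfg "$f" DEVICE)
        ip=$(ip2int "$(cfg "$f" IPADDR)")
        mask=$(ip2int "$(cfg "$f" NETMASK)")
        net=$(cfg "$f" NETWORK); bc=$(cfg "$f" BROADCAST); gw=$(cfg "$f" GATEWAY)
        [ -n "$net" ] && [ "$(ip2int "$net")" -ne $(( ip & mask )) ] &&
            echo "$dev: NETWORK $net does not match IPADDR/NETMASK"
        [ -n "$bc" ] && [ "$(ip2int "$bc")" -ne $(( (ip & mask) | (mask ^ 4294967295) )) ] &&
            echo "$dev: BROADCAST $bc does not match IPADDR/NETMASK"
        if [ -n "$gw" ]; then
            gws=$(( gws + 1 ))
            [ $(( $(ip2int "$gw") & mask )) -ne $(( ip & mask )) ] &&
                echo "$dev: GATEWAY $gw is not on this interface's subnet"
            case " $own " in *" $gw "*)
                echo "$dev: GATEWAY $gw is one of this host's own addresses" ;;
            esac
        fi
        [ "$(cfg "$f" USERCTL)" = yes ] &&
            echo "$dev: USERCTL=yes lets unprivileged users take a firewall interface down"
    done
    [ "$gws" -gt 1 ] && echo "more than one file sets GATEWAY; a host has only one default route"
    return 0
}

# The page's two files, reproduced verbatim (constructed test fixture).
write_page_configs() {
    printf '%s\n' DEVICE=eth0 IPADDR=192.168.138.200 NETMASK=255.255.255.0 \
        NETWORK=192.168.138.0 BROADCAST=192.168.138.255 ONBOOT=yes \
        BOOTPROTO=none USERCTL=yes GATEWAY=192.168.126.200 > "$1/ifcfg-eth0"
    printf '%s\n' DEVICE=eth1 IPADDR=192.168.126.200 NETMASK=255.255.255.0 \
        NETWORK=192.168.126.0 BROADCAST=192.168.126.255 ONBOOT=yes \
        BOOTPROTO=none USERCTL=yes GATEWAY=192.168.138.200 > "$1/ifcfg-eth1"
}

# Corrected pair: no GATEWAY on the LAN side, USERCTL=no, and the default
# route via an assumed upstream router 192.168.126.1 on the external side.
write_fixed_configs() {
    printf '%s\n' DEVICE=eth0 IPADDR=192.168.138.200 NETMASK=255.255.255.0 \
        NETWORK=192.168.138.0 BROADCAST=192.168.138.255 ONBOOT=yes \
        BOOTPROTO=none USERCTL=no > "$1/ifcfg-eth0"
    printf '%s\n' DEVICE=eth1 IPADDR=192.168.126.200 NETMASK=255.255.255.0 \
        NETWORK=192.168.126.0 BROADCAST=192.168.126.255 ONBOOT=yes \
        BOOTPROTO=none USERCTL=no GATEWAY=192.168.126.1 > "$1/ifcfg-eth1"
}

if [ $# -gt 0 ]; then lint_ifcfg "$@"; fi
```

Run against the page's two files the checker reports seven findings (the GATEWAY value in each file is both off-subnet and one of the host's own addresses, USERCTL=yes on both cards, and two default gateways); against the corrected pair it reports none.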

Configure the IP masquerading software on this Linux machine

Install the script rc.firewall in /etc/rc.d/init.d, make it executable (chmod 755), then create a symbolic link to it in /etc/rc.d/rc3.d so that it runs at boot:

lrwxrwxrwx 1 root root S91firewall -> ../init.d/rc.firewall

#!/bin/sh
#
# rc.firewall
#
# Enable IP Masquerade (NAT = Network Address Translation,
# SUA = Single User Access) on this host

# Needed to initially load modules

/sbin/depmod -a

# Supports the proper masquerading of FTP file
# transfers using the PORT method

/sbin/modprobe ip_masq_ftp

# CRITICAL: Enable IP forwarding since it is disabled
# by default. RedHat users: you may instead change the option
# in /etc/sysconfig/network from
#
# FORWARD_IPV4=false to FORWARD_IPV4=true
#

echo "1" > /proc/sys/net/ipv4/ip_forward

# MASQ timeouts
#
#   2 hrs timeout for TCP session timeouts
#  10 sec timeout for traffic after the TCP/IP "FIN"
#         packet is received.
# 160 sec timeout for UDP traffic (Important for
#         MASQ'ed ICQ users)

/sbin/ipchains -F
/sbin/ipchains -M -S 7200 10 160

# Enable simple IP forwarding and Masquerading
#
# NOTE: The following is an example for an internal
# LAN address in the 192.168.138.x network with a
# 255.255.255.0 or a "24" bit subnet mask.
#
# Please change this network number and subnet mask
# to match your internal LAN setup

/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 192.168.138.0/24 -j MASQ

# Now show current settings

NAT=`cat /proc/sys/net/ipv4/ip_forward`
if [ "$NAT" = "1" ]
then
    echo "IP Masquerading is ON"
else
    echo "IP Masquerading is OFF"
fi

/sbin/ipchains -L
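The script above does the minimum: it turns on forwarding and masquerades everything with a 192.168.138.0/24 source, whichever interface it arrived on and whichever it leaves by. The following hardened rc.firewall is an added example (not the page's or akadia's script) for the same ipchains/kernel 2.2 setup, assuming eth0 is the trusted LAN and eth1 the external side as configured above: it binds the MASQ rule to the outgoing external interface, drops packets arriving on eth1 that claim a LAN or loopback source (and packets on eth0 that claim a non-LAN source), refuses new TCP connections to the router from outside with the ipchains -y (SYN) match, and enables the kernel's reverse-path filter. A show mode prints the commands instead of running them so the rule set can be reviewed before it is loaded.

```sh
#!/bin/sh
# rc.firewall, hardened variant (added example; not the page's script).
# Assumptions: eth0 is the trusted LAN (192.168.138.0/24, as on the page),
# eth1 is the external side; kernel 2.2 with ipchains.
#   sh rc.firewall start   apply the rules (as root)
#   sh rc.firewall show    print the commands instead of running them

LAN_IF=eth0
LAN_NET=192.168.138.0/24
EXT_IF=eth1
IPCHAINS=/sbin/ipchains
MODE=apply

# In "show" mode print each command; otherwise execute it.
run() {
    if [ "$MODE" = show ]; then echo "$*"; else "$@"; fi
}

# Write a /proc/sys/net/ipv4 knob (or print the equivalent command).
ipv4_knob() {
    if [ "$MODE" = show ]; then
        echo "echo $2 > /proc/sys/net/ipv4/$1"
    else
        echo "$2" > "/proc/sys/net/ipv4/$1"
    fi
}

firewall_start() {
    run /sbin/depmod -a
    run /sbin/modprobe ip_masq_ftp          # active-mode FTP through MASQ

    ipv4_knob ip_forward 1                  # router: forward between NICs
    ipv4_knob conf/all/rp_filter 1          # kernel-side reverse-path check

    run $IPCHAINS -F
    run $IPCHAINS -M -S 7200 10 160         # TCP / FIN-wait / UDP timeouts

    # Default deny for everything we would forward; LAN hosts only get out
    # through the explicit MASQ rule below.
    run $IPCHAINS -P forward DENY

    # Anti-spoofing. A packet arriving on the external interface must not
    # claim a LAN or loopback source, and a packet arriving on the LAN
    # interface must carry a LAN source. Forwarded packets traverse the
    # input chain first, so this protects the LAN as well as the router.
    run $IPCHAINS -A input -i $EXT_IF -s $LAN_NET -j DENY -l
    run $IPCHAINS -A input -i $EXT_IF -s 127.0.0.0/8 -j DENY -l
    run $IPCHAINS -A input -i $LAN_IF -s ! $LAN_NET -j DENY -l

    # Refuse new TCP connections (SYN) from outside, to the router and to
    # anything behind it; replies to connections opened from inside still
    # get in. -l logs the attempt.
    run $IPCHAINS -A input -i $EXT_IF -p tcp -y -j DENY -l

    # Masquerade LAN sources only when the packet leaves via eth1. In the
    # forward chain -i is the *outgoing* interface, so traffic that would
    # go back out on eth0 is never rewritten.
    run $IPCHAINS -A forward -i $EXT_IF -s $LAN_NET -j MASQ
}

case "${1:-}" in
    start) firewall_start ;;
    show)  MODE=show; firewall_start ;;
esac
```

sh rc.firewall show prints the commands in order; sh rc.firewall start applies them as root. ipchains is long gone from current kernels: with iptables the equivalent masquerade rule is iptables -t nat -A POSTROUTING -o eth1 -s 192.168.138.0/24 -j MASQUERADE together with sysctl -w net.ipv4.ip_forward=1, and the anti-spoofing rules move to the FORWARD and INPUT chains of the filter table.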