HomeNetworking

Build It Yourself: A Linux Network Appliance, Part 5

Carla Schroder
By Carla Schroder

In our previous installments we did a lot of important preliminary configuration, and we hardened our firewall box. Now we’ll take a quick tour of Webmin, and set up an iptables Internet-connection sharing firewall. Don’t connect your firewall box to the Internet just yet, as there are some important steps to take first.

Cruising Webmin
Webmin is an excellent, flexible graphical configuration interface for Linux. You can find modules to configure and manage virtually every Linux service. Unlike a lot of graphical configurators, Webmin reads the source configuration files directly, so you can switch back and forth between using Webmin and editing the files yourself without making a mess.

A word of caution: Just having a good graphical interface does not instantly make you a system administrator. You need the same knowledge whether you use Webmin or you edit text configuration files directly. Take some time to look around Webmin and see what you can do with it. You can’t accidentally hurt anything, because you always have to a click a button to activate any changes.

Sharing an Internet Connection
We’re going to use two scripts for our iptables firewall; one to turn it on, and one to turn it off. Plus we’re going to enter some important kernel parameters in /etc/sysctl.conf. Make it look just like this, with no other entries: 

# /etc/sysctl.conf – Configuration file for setting system variables # See sysctl.conf (5) for information.


net.ipv4.ip_forward = 1

net.ipv4.icmp_echo_ignore_broadcasts = 1

net.ipv4.tcp_syncookies = 1

net.ipv4.conf.all.rp_filter = 1

net.ipv4.conf.all.send_redirects = 0

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.all.accept_source_route = 0






Build a Linux Appliance


  • Part 1: Introduction and Hardware Requirements
  • Part 2: Install and Configure Linux
  • Part 3: The Firewall
  • Part 4: Locking Down the Firewall Box
  • Part 5: Internet Connection Sharing Firewall
  • Part 6: The Firewall

    • The first line, net.ipv4.ip_forward = 1 is what turns on Internet connection sharing. The remaining items are security features.

    I call the firewall script firewall_nat; you may name it whatever you want. (Access the firewall nat script here.)

    Copy this just as it’s shown, with these exceptions:


    • Use your own network interface names
    • Use your own IP addresses
    • On the “Enable IP masquerading” line, you have two choices. If you have a static WAN IP, use the SNAT line, substituting your own IP. If you are on DHCP, use the MASQUERADE line

    Make this script executable, and read/write for root only:

    # chmod 0700 firewall_nat
    # chown root:root firewall_nat

    This is the “shutoff” script, which I call ipt_flush. Give it the same ownership and permissions as firewall_nat: (Access the ipt_flush script here.)

    Place firewall_nat in /etc/init.d, and ipt_flush in /usr/local/bin. As root, test both of them:

    # /etc/init.d/firewall_nat
    The firewall has now started up and is faithfully protecting your system
    # ipt_flush
    The firewall is now being shut down. All policies are set to ACCEPT, all rules and chains are deleted, all counters are set to zero


    Well OK then. They work!

    Testing the Firewall
    Fire up the firewall and run this command to verify that your iptables rulesets are active: 

    # iptables -L
    
Chain INPUT (policy DROP)target   prot opt source        destination
    
ACCEPT   all — anywhere       anywhere
    
ACCEPT   tcp — localnet/24     anywhere      tcp dpt:ssh state NEW
    
ACCEPT   tcp — localnet/24     anywhere      tcp dpt:10000 state NEW
    
ACCEPT   all — anywhere       anywhere      state RELATED,ESTABLISHED
    
ACCEPT   icmp — anywhere       anywhere      icmp echo-request
    
ACCEPT   icmp — anywhere       anywhere      icmp time-exceeded
    
ACCEPT   icmp — anywhere       anywhere      icmp destination-unreachable
    
DROP    tcp — anywhere       anywhere      tcp flags:SYN,RST,ACK/SYN
    

    Chain FORWARD (policy DROP)target   prot opt source        destination
    
ACCEPT   all — anywhere       anywhere      state RELATED,ESTABLISHED
    
ACCEPT   all — anywhere       anywhere      state NEW,RELATED,ESTABLISHED
    

    Chain OUTPUT (policy ACCEPT)target   prot opt source        destination

    Connect your WAN interface to the big scary Internet, and disconnect the firewall box from the LAN. Ping Google and other sites you can reasonably expect will always work. When your ping tests succeed, boot up one of your LAN clients with a live Linux on CD-ROM, connect it to your switch/hub, and do a bit of Web-surfing to verify that everything works. This is the safest way to test LAN connectivity, since a CD-ROM cannot be compromised.

    The last step is to configure the firewall to start at boot. Do this in Webmin, using System -> Bootup and Shutdown.

    You now have a nice sturdy Internet-connection sharing iptables firewall. Next week we’ll learn how to configure it for public services like a Web or mail server, and how to prevent bad packets from escaping your network.

    Resources


    Adapted from PracticallyNetworked.com, part of the EarthWeb.com Network.





    Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today!

    The first line, net.ipv4.ip_forward = 1 is what turns on Internet connection sharing. The remaining items are security features.

    I call the firewall script firewall_nat; you may name it whatever you want. (Access the firewall nat script here.)

    Copy this just as it’s shown, with these exceptions:


    • Use your own network interface names
    • Use your own IP addresses
    • On the “Enable IP masquerading” line, you have two choices. If you have a static WAN IP, use the SNAT line, substituting your own IP. If you are on DHCP, use the MASQUERADE line

    Make this script executable, and read/write for root only:

    # chmod 0700 firewall_nat
    # chown root:root firewall_nat

    This is the “shutoff” script, which I call ipt_flush. Give it the same ownership and permissions as firewall_nat: (Access the ipt_flush script here.)

    Place firewall_nat in /etc/init.d, and ipt_flush in /usr/local/bin. As root, test both of them:

    # /etc/init.d/firewall_nat
    The firewall has now started up and is faithfully protecting your system
    # ipt_flush
    The firewall is now being shut down. All policies are set to ACCEPT, all rules and chains are deleted, all counters are set to zero


    Well OK then. They work!

    Testing the Firewall
    Fire up the firewall and run this command to verify that your iptables rulesets are active: 

    # iptables -L
    
Chain INPUT (policy DROP)target   prot opt source        destination
    
ACCEPT   all — anywhere       anywhere
    
ACCEPT   tcp — localnet/24     anywhere      tcp dpt:ssh state NEW
    
ACCEPT   tcp — localnet/24     anywhere      tcp dpt:10000 state NEW
    
ACCEPT   all — anywhere       anywhere      state RELATED,ESTABLISHED
    
ACCEPT   icmp — anywhere       anywhere      icmp echo-request
    
ACCEPT   icmp — anywhere       anywhere      icmp time-exceeded
    
ACCEPT   icmp — anywhere       anywhere      icmp destination-unreachable
    
DROP    tcp — anywhere       anywhere      tcp flags:SYN,RST,ACK/SYN
    

    Chain FORWARD (policy DROP)target   prot opt source        destination
    
ACCEPT   all — anywhere       anywhere      state RELATED,ESTABLISHED
    
ACCEPT   all — anywhere       anywhere      state NEW,RELATED,ESTABLISHED
    

    Chain OUTPUT (policy ACCEPT)target   prot opt source        destination

    Connect your WAN interface to the big scary Internet, and disconnect the firewall box from the LAN. Ping Google and other sites you can reasonably expect will always work. When your ping tests succeed, boot up one of your LAN clients with a live Linux on CD-ROM, connect it to your switch/hub, and do a bit of Web-surfing to verify that everything works. This is the safest way to test LAN connectivity, since a CD-ROM cannot be compromised.

    The last step is to configure the firewall to start at boot. Do this in Webmin, using System -> Bootup and Shutdown.

    You now have a nice sturdy Internet-connection sharing iptables firewall. Next week we’ll learn how to configure it for public services like a Web or mail server, and how to prevent bad packets from escaping your network.

    Resources


    Adapted from PracticallyNetworked.com, part of the EarthWeb.com Network.





    Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today!

    Carla Schroder
    Carla Schroder
    Previous article
    VoIPowering Your Office with Asterisk: SOHO VoIP
    Next article
    Filemaker 8.5 Puts the Web in Your Database

    Related Articles

    Must Read

    Get the Free Newsletter!

    Subscribe to Daily Tech Insider for top news, trends, and analysis.

    Small Business Computing addresses the technology needs of small businesses, which are defined as businesses with fewer than 500 employees and/or less than $7 million in annual sales. To address the needs of these small businesses, Small Business Computing offers detailed coverage of cost-effective technology solutions, including lists of top vendors, product comparisons, and how-to guides that offer specific tools to help solve issues.

    Advertisers

    Advertise with TechnologyAdvice on Small Business Computing and our other IT-focused platforms.

    Advertise with Us

    Menu

    Our Brands

    Property of TechnologyAdvice.
    © 2024 TechnologyAdvice. All Rights Reserved

    Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.