Part I of this article here 

This is the last part of my article on how to make a Linux router/firewall. It focuses on software installation and configuration, as well as possible ways to expand this appliance, such as turning it into a file server, email server, spam filter, AV filter, wireless access point, etc.

This box is going to be Ubuntu powered – although you can install any distro you'd like – and I recommend using Dapper Drake, 6.06, because of LTS (long term support): it will be supported for 5 years. Go ahead and download the Ubuntu ISO of your choice here. Burn the ISO and install the Ubuntu Server edition (I'm not going to go into details of installing the OS, there are plenty of guides out there). We are going to be using Webmin, the Shorewall firewall and the DHCP daemon.

After you've installed the OS, give root a password:

  • sudo passwd root

Type a password twice (don't forget it, and make it complex). Then use su to become root:

  • su

Type the password to get in as root.

Now, configure the NIC cards. Identify (via trial and error) which one is your eth0 and which is your eth1. You want the gigabit one to be on your LAN side. It is also time to decide what your internal subnet is going to be; I'm going to use 192.168.1.x. So, type

  • nano -w /etc/network/interfaces

Delete everything in this file and start from scratch. This assumes your eth0 card is your WAN (the one connected to your DSL or cable modem) and your IP is dynamic, and your eth1 card is your LAN card with the subnet 192.168.1.x.

auto lo
iface lo inet loopback

# WAN: the address comes from the ISP by DHCP, which also supplies the default gateway
auto eth0
iface eth0 inet dhcp

# LAN: this box is the router, so it gets the fixed .1 address and no gateway line
# (a gateway entry pointing at the interface's own address would be wrong)
auto eth1
iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255

If you have a static IP, change eth0 to inet static and insert the correct values under it, following the same syntax as eth1 (address, netmask, network, broadcast, plus a gateway line pointing at your ISP's router).
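As an added check (this script is not from the original article), here is a small lint for an /etc/network/interfaces file in the layout above. It flags an unknown inet method (only loopback, static, dhcp and manual are valid), an iface whose name has no matching auto line (a typo such as eht1), and a static interface whose gateway is its own address; the sample file it runs on is constructed for the demo.

```shell
#!/bin/sh
# broken_sample prints a constructed interfaces file carrying the typos
# that are easy to make here (lookback, dynamic, eht1, self-gateway).
broken_sample() {
    cat <<'EOF'
auto lo
iface lo inet lookback

auto eth0
iface eth0 inet dynamic

auto eth1
iface eht1 inet static
address 192.168.1.1
netmask 255.255.255.0
gateway 192.168.1.1
EOF
}

# lint_interfaces FILE: prints one line per problem and returns the number
# of problems as its exit status, so 0 means the file looks sane.
lint_interfaces() {
    awk '
    $1 == "auto"  { for (i = 2; i <= NF; i++) auto[$i] = 1 }
    $1 == "iface" {
        cur = $2; ifaces[cur] = 1
        if ($4 != "loopback" && $4 != "static" && $4 != "dhcp" && $4 != "manual") {
            print "iface " cur ": unknown method \"" $4 "\""; bad++
        }
    }
    $1 == "address" && cur != "" { addr[cur] = $2 }
    $1 == "gateway" && cur != "" { gw[cur] = $2 }
    END {
        for (i in ifaces) {
            if (!(i in auto)) { print "iface " i ": no matching auto line"; bad++ }
            if ((i in gw) && gw[i] == addr[i]) {
                print "iface " i ": gateway equals the interface address"; bad++
            }
        }
        exit bad
    }' "$1"
}

# Demo run against the constructed sample (four problems expected).
tmp=$(mktemp)
broken_sample > "$tmp"
lint_interfaces "$tmp" || echo "found $? problem(s)"
rm -f "$tmp"
```

Run it against the real file with `lint_interfaces /etc/network/interfaces` before restarting networking.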

To save the file in nano (the text editor), press Ctrl-O, then Ctrl-X to exit nano.

Restart your networking interfaces with the following command:

  • /etc/init.d/networking restart

The next step is to edit the sources file, enabling the additional online sources and commenting out the CD-ROM ones:

  • nano -w /etc/apt/sources.list

If every step was followed, this box should be able to reach the internet; verify this by running update and upgrade:

  • apt-get update
  • apt-get upgrade

DO NOT CONTINUE UNLESS YOU CAN SURF THE NET.

Now, install an SSH server so we can connect to this box via SSH (using PuTTY under Windows, download here):

  • apt-get install ssh openssh-server

Now, from another computer, start PuTTY, type 192.168.1.1 into the Host Name box and hit connect. The warning is PuTTY asking you to accept the box's SSH host key the first time; accept it and log in (as root) when prompted. If this is successful, shut down the computer using the following command:

  • shutdown -h now

The next step is to make sure that the computer can run headless, so turn it on, get into the BIOS and disable all error reporting on startup. This is because the router/firewall is not going to have a keyboard, mouse or monitor hooked up to it (there is no need for that). Now shut down again, disconnect everything but power and ethernet, wait for about 5 minutes and get into it via PuTTY.

Once you're in again, we need to configure hosts (using our trusty text editor, nano):

  • nano -w /etc/hosts

Erase everything and type (or copy/paste) the following. Modify as necessary:

127.0.0.1        localhost.localdomain      localhost
192.168.1.1     server1.example.com      server1

Save and exit nano (Ctrl-O and Ctrl-X).

Install additional packages (dhcp3-server provides the DHCP daemon that Webmin's DHCP Server module manages later on):

  • apt-get install libmd5-perl libnet-ssleay-perl libauthen-pam-perl libio-pty-perl shorewall dnsmasq dhcp3-server openssl

Download Webmin (check for the latest version; the latest one as of writing this article is 1.330):

  • wget http://surfnet.dl.sourceforge.net/sourceforge/webadmin/webmin_1.330_all.deb

Install Webmin (the file name must match the version you downloaded):

  • dpkg -i webmin_1.330_all.deb

Configure Shorewall. I recommend you read Shorewall's documentation, here or here. We are going to use basic rules, so make sure you have a good understanding of the firewall before deployment. Start from the two-interfaces sample configuration:

  • cp /usr/share/doc/shorewall/examples/two-interfaces/* /etc/shorewall/
  • cd /etc/shorewall
  • gunzip interfaces.gz masq.gz rules.gz

Edit Shorewall's main config file and change "IP_FORWARDING=Keep" to "IP_FORWARDING=On" (without quotes), so the box actually forwards packets between the two interfaces:

  • nano -w /etc/shorewall/shorewall.conf

Save and exit nano (Ctrl-O and Ctrl-X).

Edit the Shorewall policy file so it contains the following:

  • nano -w /etc/shorewall/policy

##################################################
#SOURCE     DEST        POLICY      LOG LEVEL   LIMIT:BURST
loc         net         ACCEPT
loc         $FW         ACCEPT
loc         all         REJECT      info
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.
$FW         net         ACCEPT
$FW         loc         ACCEPT
$FW         all         REJECT      info
#
# Policies for traffic originating from the Internet zone (net)
#
net         $FW         DROP        info
net         loc         DROP        info
net         all         DROP        info
# THE FOLLOWING POLICY MUST BE LAST
all         all         REJECT      info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Start the Shorewall firewall. Note that on Ubuntu the packaged init script refuses to start Shorewall until you set startup=1 in /etc/default/shorewall, so edit that file first:

  • /etc/init.d/shorewall start

Get into Webmin using another computer and a browser (https://192.168.1.1:10000, and ignore the self-signed certificate warning). The username is root, and the password is whatever you set the root password to. Webmin is very useful for configuring pretty much every aspect of this machine, so play around with it.

Now, inside Webmin, go to Servers, then DHCP Server, and Edit Config File. Copy and paste the following.

# dhcpd 3 refuses to start unless the DDNS update style is set; "none"
# disables dynamic DNS updates, which is all a home router needs
ddns-update-style none;

# Local Network
subnet 192.168.1.0 netmask 255.255.255.0 {
  option netbios-name-servers 192.168.1.1;
  option domain-name-servers 192.168.1.1;
  option domain-name "your.domain.here";
  option broadcast-address 192.168.1.255;
  option routers 192.168.1.1;
  range 192.168.1.100 192.168.1.130;
}

# Only used if you turn on dynamic DNS updates for this zone; harmless otherwise
zone ABC. {
  primary 192.168.1.1;
}

# A fixed lease for one machine: the MAC address below is a placeholder, put the
# real one in; the address must be outside the dynamic range and must not be the
# router's own 192.168.1.1 (192.168.1.50 is just an example value)
host clem {
  hardware ethernet 00:00:00:00:00:00;
  fixed-address 192.168.1.50;
}

Then save the config file and hit the Start Server button. You now have a fully functional router with a built-in DHCP server, and another computer on the subnet should be able to reach the internet through it. Restart the firewall a couple of times and get a feel for using PuTTY. Also, try adding a firewall rule that will allow you to connect to it from the outside.
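One way to do that last exercise without leaving SSH open to the whole internet, as an added example rather than the article's own configuration: an entry for /etc/shorewall/rules in the column layout of the two-interfaces sample (Shorewall 3.x) that admits SSH to the firewall only from one outside network and throttles new connections. 203.0.113.0/24 is a placeholder; put your own trusted address range there.

```conf
#ACTION   SOURCE               DEST   PROTO  DEST   SOURCE  ORIGINAL  RATE
#                                            PORT   PORT    DEST      LIMIT
# Allow SSH to the firewall itself, but only from one trusted outside
# network (placeholder range, replace with yours) and at most 3 new
# connections per minute with a burst of 5, which blunts password guessing.
ACCEPT    net:203.0.113.0/24   $FW    tcp    22     -       -         3/min:5
# Everything else from the net zone still falls through to the
# "net $FW DROP info" policy above, so other attempts are dropped and logged.
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

Apply it with /etc/init.d/shorewall restart and confirm from the LAN that you are still able to log in before testing from outside.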

Bonus (if you are on a dynamic IP)

Configure the No-IP client.

Go to no-ip.org and open a free account with them. Add a new dynamic host. Once that is done, you'll have an address (which is easier to remember than an IP) such as myrouter.redirectme.net. If (and when) your IP changes, the No-IP client will handle it.


  • apt-get install no-ip
  • no-ip -C

Enter your credentials (the ones you created in the last step) and you're done.

Now, thanks to Webmin magic, set up a Samba server for file sharing (you might want to get a big hard drive; go wild and make it RAID). Install and configure a proxy server to limit internet access. Explore and configure. Test.

Credits and where I got most of my info:

Howtoforge.com

Ubuntu.com