How to Build an Enterprise-Class Router/Firewall for under $200 (part II)
Mar 22nd, 2007 | 2 Comments

Part I of this article here 

This is the last part of my article on how to build a Linux router/firewall. It covers software installation and configuration, and then some ways to expand the appliance, such as turning it into a file server, email server, spam filter, AV filter, wireless access point, etc.

This box is going to be Ubuntu powered, although you can install any distro you like. I recommend Dapper Drake (6.06) because it is an LTS (long term support) release: the server edition is supported for five years. Go ahead and download the Ubuntu ISO of your choice here, burn it and install Ubuntu Server edition (I'm not going to go into details of installing the OS; there are plenty of guides out there). We are going to be using Webmin, the Shorewall firewall and the ISC DHCP daemon.

After you've installed the OS, give root a password. (Ubuntu ships with the root account locked and expects you to use sudo; the rest of this guide works as root because that is what the Webmin and PuTTY logins below use. If you would rather keep root locked, sudo -i gives you the same root shell without setting a password.)

  • sudo passwd root

Type the password twice (don't forget it now, and make it complex; it will also be your Webmin password). Then use su to become root.

  • su

Type the password to get in as root.

Now, configure the NICs. Work out which one is eth0 and which is eth1 (dmesg | grep eth shows which driver claimed each name, which tells the gigabit card apart from the other one; otherwise plug a cable into one port at a time and go by trial and error). You want the gigabit one on your LAN side. It is also time to decide what your internal subnet is going to be; I'm going to use 192.168.1.x. So, type

  • nano -w /etc/network/interfaces

Delete everything in this file and start from scratch. This assumes your eth0 card is your WAN (the one connected to your DSL or cable modem) with a dynamic address from the ISP, and your eth1 card is your LAN card on 192.168.1.x. Note that eth1 gets no gateway line: this box is itself the LAN's gateway, and its own default route comes from the DHCP lease on eth0.

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255

If you have a static IP, change the eth0 stanza to inet static and fill in the address, netmask and gateway your ISP gave you, following the same syntax as eth1. With no DHCP on the WAN side nothing fills in /etc/resolv.conf for you, so add your ISP's nameservers there by hand.

To save the file in nano (the text editor), Ctrl-O and then Ctrl-X to exit nano.

Restart your networking interfaces with the following command:

  • /etc/init.d/networking restart

Next step is to edit the sources file, by enabling the additional online ones and commenting out the cd-rom sources.

  • nano -w /etc/apt/sources.list

If every step is followed, you should be able to surf the net on this box, and we can verify this by running update and upgrade

  • apt-get update
  • apt-get upgrade

DO NOT CONTINUE UNLESS YOU CAN SURF THE NET.

Now, install an SSH server so we can connect to this box via SSH (using PuTTY under Windows, download here)

  • apt-get install ssh openssh-server

Now from another computer, start PuTTY, type 192.168.1.1 into the Host Name box and hit Open. PuTTY will warn that it has never seen this host key before; that is expected on the first connection (if you want to be sure you are talking to your own box and not something in between, compare the fingerprint it shows with the output of ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub on the console). Accept it and log in as root when prompted. If this is successful, shut the computer down with the following command

  • shutdown -h now

Next step is to make sure the computer can run headless, since the router/firewall is not going to have a keyboard, mouse or monitor hooked up to it (there is no need for that). Turn it on, get into the BIOS and set it not to halt on errors at startup (the "Halt On" option on many boards); otherwise a missing keyboard stops the boot. Now shut down again, disconnect everything but power and Ethernet, power it up, wait about five minutes and get into it via PuTTY.

Once you're in again, we need to configure hosts (using our trusty text editor Nano)

  • nano -w /etc/hosts

Erase everything and type (or copy/paste) the following, modifying as necessary:

127.0.0.1        localhost.localdomain      localhost
192.168.1.1     server1.example.com      server1

Save and exit nano (ctrl O and ctrl X)

Install the additional packages. dnsmasq is the DNS forwarder your LAN clients will point at (it only forwards; it must not be given a dhcp-range in /etc/dnsmasq.conf, or two servers will answer lease requests). The DHCP server that Webmin's DHCP module manages is ISC dhcpd, which on Dapper is the dhcp3-server package, so it goes on the same line.

  • apt-get install libmd5-perl libnet-ssleay-perl libauthen-pam-perl libio-pty-perl shorewall dnsmasq dhcp3-server openssl

dhcp3-server will complain that it has no configuration yet; that is fine, Webmin writes it later. Do set INTERFACES="eth1" in /etc/default/dhcp3-server now, so dhcpd only ever answers on the LAN card and never hands leases out of the WAN port.

Download Webmin (check for the latest version; the latest one as of writing of this article is 1.330)

  • wget http://surfnet.dl.sourceforge.net/sourceforge/webadmin/webmin_1.330_all.deb

Install Webmin (the filename must match the version you just downloaded)

  • dpkg -i webmin_1.330_all.deb

Configure Shorewall. I recommend you read up on Shorewall's documentation, here or here. We are going to use basic rules, so make sure you have a good understanding of the firewall before deployment. Start from the two-interface sample that ships with the package; it assumes eth0 is the net (WAN) zone and eth1 is the loc (LAN) zone, which matches the interfaces file above (if you assigned the cards the other way round, fix /etc/shorewall/interfaces after copying).

  • cp /usr/share/doc/shorewall/examples/two-interfaces/* /etc/shorewall/
  • cd /etc/shorewall
  • gunzip interfaces.gz masq.gz rules.gz

Edit Shorewall's main config file and change "IP_FORWARDING=Keep" to "IP_FORWARDING=On" (without quotes), so the kernel routes between the two cards.

  • nano -w /etc/shorewall/shorewall.conf

Save and exit nano (ctrl O and ctrl X). Also set startup=1 in /etc/default/shorewall: the Ubuntu package ships with it at 0 and the init script refuses to start the firewall until you change it.

Edit the Shorewall policy file so it contains the following. The $FW to net policy is ACCEPT here (the Shorewall sample ships it as REJECT) so the box itself can reach the Internet for apt-get and the No-IP client; everything from net is dropped and logged, so nothing on the router, Webmin and SSH included, is reachable from the outside.

  • nano -w /etc/shorewall/policy

##################################################
#SOURCE     DEST        POLICY      LOG LEVEL   LIMIT:BURST
#
# Policies for traffic originating from the local network (loc)
#
loc         net         ACCEPT
loc         $FW         ACCEPT
loc         all         REJECT      info
#
# Policies for traffic originating from the firewall ($FW)
#
$FW         net         ACCEPT
$FW         loc         ACCEPT
$FW         all         REJECT      info
#
# Policies for traffic originating from the Internet zone (net)
#
net         $FW         DROP        info
net         loc         DROP        info
net         all         DROP        info
# THE FOLLOWING POLICY MUST BE LAST
all         all         REJECT      info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Run shorewall check first (it compiles the configuration without loading it and reports any syntax error), then start the firewall

  • /etc/init.d/shorewall start
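
Every later change to the firewall goes through the policy file, and the mistakes people make there are always the same ones. The script below is an added example written for this page under Python 3; it is not a Shorewall tool and not the article author's code, and it can run on any workstation over a copy of the file (the default path is an assumption). It parses the policy table and flags an ACCEPT whose source is the net zone, a DROP or REJECT from net with no log level, and a file that does not end in the all/all catch-all. The SAMPLE_POLICY and WEAKENED_POLICY strings are constructed inline from the policy above; the weakened one shows what the tempting "just open SSH" edit looks like.

```python
"""Audit a Shorewall policy file for the two-interface router above.

Added example: not part of the original article and not a Shorewall
tool. It parses the policy table (SOURCE DEST POLICY [LOG LEVEL]
[LIMIT:BURST]) and flags what most often goes wrong when the file is
edited by hand: an ACCEPT whose source is the Internet zone, a DROP or
REJECT from that zone with no log level, and a final line that is not
the catch-all `all all REJECT` (or DROP). Shorewall applies the first
matching policy for a zone pair, so anything after the catch-all is
unreachable and anything missing before it falls through to it.
"""
import sys
from typing import List, NamedTuple


class Policy(NamedTuple):
    source: str
    dest: str
    action: str
    log_level: str
    lineno: int


VALID_ACTIONS = {"ACCEPT", "DROP", "REJECT", "CONTINUE", "QUEUE", "NONE"}


def parse_policy(text: str) -> List[Policy]:
    """Turn the text of /etc/shorewall/policy into Policy rows."""
    rows = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and the header
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3:
            raise ValueError(f"line {lineno}: need SOURCE DEST POLICY, got {raw!r}")
        action = cols[2].upper()
        if action not in VALID_ACTIONS:
            raise ValueError(f"line {lineno}: unknown policy {cols[2]!r}")
        log_level = cols[3] if len(cols) > 3 and cols[3] != "-" else ""
        rows.append(Policy(cols[0], cols[1], action, log_level, lineno))
    return rows


def audit_policy(text: str, untrusted: str = "net") -> List[str]:
    """Return a list of findings; an empty list means the policy looks sane."""
    rows = parse_policy(text)
    if not rows:
        return ["policy file is empty"]
    findings = []
    for r in rows:
        if r.source == untrusted and r.action == "ACCEPT":
            findings.append(
                f"line {r.lineno}: {r.source} -> {r.dest} ACCEPT opens the box to "
                f"the Internet; put a specific ACCEPT in /etc/shorewall/rules instead")
        elif r.source == untrusted and not r.log_level:
            findings.append(
                f"line {r.lineno}: {r.source} -> {r.dest} {r.action} without a log "
                f"level; you will never see what is knocking")
    last = rows[-1]
    if not (last.source == "all" and last.dest == "all"
            and last.action in ("DROP", "REJECT")):
        findings.append(
            f"line {last.lineno}: last policy must be 'all all REJECT' (or DROP), "
            f"found '{last.source} {last.dest} {last.action}'")
    return findings


# Constructed samples: the article's policy, and the same file after someone
# "opens SSH" the wrong way by flipping the net -> $FW policy to ACCEPT.
SAMPLE_POLICY = """\
#SOURCE  DEST  POLICY  LOG LEVEL
loc      net   ACCEPT
loc      $FW   ACCEPT
loc      all   REJECT  info
$FW      net   ACCEPT
$FW      loc   ACCEPT
$FW      all   REJECT  info
net      $FW   DROP    info
net      loc   DROP    info
net      all   DROP    info
all      all   REJECT  info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
"""
WEAKENED_POLICY = SAMPLE_POLICY.replace("net      $FW   DROP    info",
                                        "net      $FW   ACCEPT")

if __name__ == "__main__":
    # Path is an assumption; pass the file you want checked as argv[1].
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/shorewall/policy"
    with open(path) as fh:
        problems = audit_policy(fh.read())
    for p in problems:
        print(p)
    sys.exit(1 if problems else 0)
```

Run it as python3 audit_policy.py /etc/shorewall/policy (the exit status is non-zero when anything is flagged), or import it and call audit_policy() on the text. The right way to expose one service from the outside is a single entry in /etc/shorewall/rules, which this check deliberately does not complain about.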

Get into Webmin from another computer on the LAN: browse to https://192.168.1.1:10000 (Webmin's default port) and accept the self-signed certificate warning. The username is root and the password is whatever you set the root password to. Webmin is very useful for configuring pretty much every aspect of this machine, so play around with it. With the policy above, port 10000 is only reachable from the LAN side; leave it that way.

Now, inside Webmin, go to Servers, then DHCP Server, then Edit Config File, and replace the contents with the following.

# Required by dhcpd 3.x; without it the daemon refuses to start
ddns-update-style none;

# Local Network
subnet 192.168.1.0 netmask 255.255.255.0 {
option netbios-name-servers 192.168.1.1;
option domain-name-servers 192.168.1.1;
option domain-name "your.domain.here";
option broadcast-address 192.168.1.255;
option routers 192.168.1.1;
range 192.168.1.100 192.168.1.130;
}

# Optional: a reservation for one machine. dhcpd matches a host entry
# on the client's MAC address (replace the placeholder with the real
# one), and the fixed address must be inside the subnet but outside the
# dynamic range, and never the router's own 192.168.1.1.
host clem {
hardware ethernet 00:11:22:33:44:55;
fixed-address 192.168.1.10;
}

Then save the config file and hit the Start Server button. You now have a fully functional router with a built-in DHCP server: another computer on the subnet should pick up an address from the 100-130 range and reach the Internet. Restart the firewall a couple of times and get a feel for working over PuTTY. If you want to reach the box from the outside, do not change the net to $FW policy to ACCEPT; add one line to /etc/shorewall/rules such as ACCEPT net $FW tcp 22 and restart Shorewall, and if you expose SSH this way set PermitRootLogin no in /etc/ssh/sshd_config and log in as an ordinary user who can sudo.
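
dhcpd parses the block above for syntax but does not check that it makes sense: it will happily hand a client the router's own address, or put a reservation in the middle of the dynamic pool. The following is an added example written for this page under Python 3, not part of the article and not an ISC dhcpd tool; it can run on any workstation over a copy of the config (the default path is an assumption). It extracts the subnet, routers, range and host reservations from the text and reports the inconsistencies a practitioner would want caught before Start Server. ARTICLE_CONF and FIXED_CONF are constructed inline: the first carries a reservation of 192.168.1.1, the router's own address, which is exactly the kind of slip that is easy to paste in, and the MAC address in the second is a placeholder.

```python
"""Sanity-check a dhcpd.conf subnet block before handing it to Webmin.

Added example: not part of the original article and not an ISC dhcpd
tool. It pulls `subnet ... netmask ...`, `option routers`, `range` and
every `host { fixed-address }` out of the text and checks that the
router sits in the subnet, the pool sits in the subnet, the router is
not inside the pool, and each fixed address is in the subnet, outside
the pool, and not the router's own address. Handing a client the
router's address produces a duplicate IP on the LAN and takes the
default gateway down for everyone.
"""
import ipaddress
import re
from typing import Dict, List

_SUBNET = re.compile(r"\bsubnet\s+([\d.]+)\s+netmask\s+([\d.]+)\s*\{")
_ROUTERS = re.compile(r"\boption\s+routers\s+([\d.]+)\s*;")
_RANGE = re.compile(r"\brange\s+([\d.]+)\s+([\d.]+)\s*;")
_HOST = re.compile(r"\bhost\s+(\S+)\s*\{([^}]*)\}")
_FIXED = re.compile(r"\bfixed-address\s+([\d.]+)\s*;")


def parse_dhcpd(text: str) -> Dict[str, object]:
    """Extract the pieces the audit needs from dhcpd.conf text.

    strict=True makes ip_network reject a subnet line whose address has
    host bits set (e.g. 'subnet 192.168.1.5 netmask 255.255.255.0').
    """
    m = _SUBNET.search(text)
    if m is None:
        raise ValueError("no 'subnet ... netmask ...' declaration found")
    net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=True)
    routers = _ROUTERS.search(text)
    pool = _RANGE.search(text)
    if routers is None or pool is None:
        raise ValueError("subnet block needs both 'option routers' and 'range'")
    hosts: Dict[str, ipaddress.IPv4Address] = {}
    for name, body in _HOST.findall(text):
        fixed = _FIXED.search(body)
        if fixed:
            hosts[name] = ipaddress.ip_address(fixed.group(1))
    return {
        "subnet": net,
        "router": ipaddress.ip_address(routers.group(1)),
        "pool": (ipaddress.ip_address(pool.group(1)),
                 ipaddress.ip_address(pool.group(2))),
        "hosts": hosts,
    }


def audit_dhcpd(text: str) -> List[str]:
    """Return findings; an empty list means the block is consistent."""
    cfg = parse_dhcpd(text)
    net, router, hosts = cfg["subnet"], cfg["router"], cfg["hosts"]
    lo, hi = cfg["pool"]
    findings = []
    if router not in net:
        findings.append(f"router {router} is not inside {net}")
    if lo > hi:
        findings.append(f"range {lo} {hi} is reversed")
    elif lo not in net or hi not in net:
        findings.append(f"range {lo} {hi} is not inside {net}")
    if lo <= router <= hi:
        findings.append(f"router {router} lies inside the dynamic pool {lo} {hi}")
    for name, addr in hosts.items():
        if addr == router:
            findings.append(f"host {name}: fixed-address {addr} is the router's own address")
        elif addr not in net:
            findings.append(f"host {name}: fixed-address {addr} is outside {net}")
        elif lo <= addr <= hi:
            findings.append(f"host {name}: fixed-address {addr} collides with the dynamic pool")
    return findings


# Constructed samples: a block with the reservation pointing at the router
# itself, and the corrected block. The MAC address is a placeholder.
ARTICLE_CONF = """\
subnet 192.168.1.0 netmask 255.255.255.0 {
  option domain-name-servers 192.168.1.1;
  option routers 192.168.1.1;
  range 192.168.1.100 192.168.1.130;
}
host clem {
  fixed-address 192.168.1.1;
}
"""
FIXED_CONF = """\
ddns-update-style none;
subnet 192.168.1.0 netmask 255.255.255.0 {
  option domain-name-servers 192.168.1.1;
  option routers 192.168.1.1;
  range 192.168.1.100 192.168.1.130;
}
host clem {
  hardware ethernet 00:11:22:33:44:55;
  fixed-address 192.168.1.10;
}
"""

if __name__ == "__main__":
    import sys
    # Path is an assumption (dhcp3-server's location on Dapper); pass argv[1].
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/dhcp3/dhcpd.conf"
    with open(path) as fh:
        problems = audit_dhcpd(fh.read())
    print("\n".join(problems) if problems else "ok")
    sys.exit(1 if problems else 0)
```

The check only covers a single subnet declaration, which is all this router has; a multi-subnet dhcpd.conf would need the block-level parsing extended.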

Bonus  (If you are on a dynamic IP)

Configure the NO-IP Client.

Go to no-ip.org and open a free account with them. Add a new dynamic host. Once that is done, you'll have an address (which is easier to remember than an IP) such as myrouter.redirectme.net. If (and when) your IP changes, the No-IP client will handle it; it runs on the router itself, so it sees the WAN address directly.

  • apt-get install no-ip
  • no-ip -C

Enter your credentials (the ones you created in the previous step) and you're done.

Now, thanks to Webmin magic, you can set up a Samba server for file sharing (you might want to get a big hard drive; go wild and make it RAID), or install and configure a proxy server to limit Internet access. Explore and configure. Test.

Credits and where I got most of my info:

Howtoforge.com

Ubuntu.com

This entry was written by J2 and posted on March 22, 2007 at 5:09 pm and filed under PC.
  • 2 Comments

    1. ipcopuser
      Posted March 23, 2007 at 6:42 am | Permalink

      Or just use ipcop which is also free, but is made for this sort of thing

    2. Thorin
      Posted March 29, 2007 at 8:54 am | Permalink

      I hope nano has spellcheck.

      I went with m0n0wall instead.


  • Copyright © 2010 JJMelo.com | Powered by WordPress | Theme by JJMelo based on Sandbox