# Want to setup a router/firewall box

## sud0x

Hey guys,

I'm about to move into an apartment with a few of my college buddies, and we all have at least one computer. Since I have a pretty decent extra computer (2 GHz AMD system), I decided it would be a lot more fun and educational for me to use it as our router and firewall for the cable Internet that we'll all need to share. I have read and searched a lot in the forums for the answer, but I'm still overwhelmed with all the information that is on hand. Here is what I thought would be a good setup:

The AMD box will have Gentoo on it and will have 2 NIC cards: one for the incoming broadband, and the other NIC will be connected to a network hub/switch. Then our computers will hook up to the hub/switch (8 port or something) from there.

Does this sound good so far? I also want to be able to have IP addresses for each machine on the internal network, preferably ones I can assign myself inside the AMD box. My goal is for my friends' Windows boxes to be able to plug in and get net access with minimal configuration.

I've heard shorewall is a good firewall app to use, so I guess I can go with that. But what I'm basically posting about is this...

1. Am I in the right direction as in terms of how I want things physically setup?

2. What do I need to read to be able to do this router configuration?

Has anyone done this before and is it a common setup?

----------

## franoculator

You've got the right idea!!!

Install iptables and build it into the kernel.  Here is my router script:

```
#!/bin/sh

### IPTABLES NAT SCRIPT ###
# Modify, steal, plunder, pillage.
# What the hell do I care?
# OSS makes it better...

# Binary path
IPTABLES=/sbin/iptables

# Specify interface roles
EXTIF="eth1"        # cable modem side
INTIF="eth0"        # switch / LAN side
echo "***   External Interface:  $EXTIF"
echo "***   Internal Interface:  $INTIF"

# Detect external IP address from old-style ifconfig output
# ("inet addr:1.2.3.4  Bcast:...").  Match 'inet addr' so the inet6 line is skipped.
EXTIP=$(/sbin/ifconfig $EXTIF | grep 'inet addr' | cut -d : -f 2 | cut -d ' ' -f 1)
if [ -z "$EXTIP" ]; then
    echo "***   Could not determine the external IP address on $EXTIF" >&2
    exit 1
fi
echo "***   External IP Address: $EXTIP"

# Insert kernel modules (prints nothing if connection tracking is built into the kernel)
modprobe ipt_state 2>/dev/null

# Allow forwarding between the two interfaces
echo "***   Enabling Forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward

# Flush everything and set the defaults.  FORWARD defaults to DROP so that the
# "only existing and related ones IN" rule below is actually enforced; with a
# default of ACCEPT every unmatched packet arriving on $EXTIF would be forwarded
# into the LAN.  INPUT stays ACCEPT here, which means every daemon listening on
# the router itself is reachable from $EXTIF: run only what you need on this box.
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -F PREROUTING
$IPTABLES -t nat -F POSTROUTING
$IPTABLES -t nat -F OUTPUT

echo "***   FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

echo "***   Enabling NAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

# Open specified ports here...
echo "***   Forwarding Port 22 (ssh) traffic to morpheus"
# DNAT rewrites the destination in PREROUTING; the rewritten packet then travels
# through FORWARD (not INPUT), so the forwarded connection needs its own FORWARD
# rule now that FORWARD defaults to DROP.
$IPTABLES -t nat -A PREROUTING -p tcp -d $EXTIP --dport 22 -j DNAT --to-destination 192.168.1.2:22
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp -d 192.168.1.2 --dport 22 -j ACCEPT

# Log whatever is left before the DROP policy discards it
$IPTABLES -A FORWARD -j LOG --log-prefix "FWD-DROP: "
```

That takes care of the NAT, and gives you an example of port forwarding.  Just install a dhcpd, and you should be good to go!
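
The script above prints "only existing and related ones IN", but the echo is not the ruleset: what the kernel enforces depends on the chain policies and on whether each DNAT target has a matching FORWARD rule. The following is an added example, not part of franoculator's script, that audits an `iptables-save` dump for exactly those points. The two dumps inside it are constructed by hand to look like `iptables-save` output; `203.0.113.5` is an assumed external address, and `eth1`, `eth0` and `192.168.1.2` (morpheus) are the names used in the script.

```shell
#!/bin/sh
# Added example: audit a saved ruleset (iptables-save format) against the claim
# "all OUT, only established/related plus explicit port forwards IN".
# Sample rulesets below are constructed; 203.0.113.5 is an assumed external IP.

# chain_policy <table> <chain> < iptables-save output  -> prints ACCEPT/DROP/...
chain_policy() {
    awk -v t="*$1" -v c=":$2" '/^\*/ { cur = $1 } cur == t && $1 == c { print $2; exit }'
}

# audit_ruleset <file> <external-interface>; returns 0 when the ruleset is tight.
audit_ruleset() {
    f=$1; ext=$2; rc=0
    fwd=$(chain_policy filter FORWARD < "$f")
    inp=$(chain_policy filter INPUT < "$f")
    if [ "$fwd" != "DROP" ]; then
        echo "FAIL: FORWARD policy is '$fwd': unmatched packets from $ext are forwarded into the LAN"
        rc=1
    fi
    if [ "$inp" != "DROP" ]; then
        echo "WARN: INPUT policy is '$inp': every daemon on the router is reachable from $ext"
    fi
    if ! grep -q -- "-A POSTROUTING -o $ext -j MASQUERADE" "$f"; then
        echo "FAIL: no MASQUERADE on $ext: LAN hosts cannot reach the Internet"
        rc=1
    fi
    # Each DNAT target needs a FORWARD rule admitting the new connection; otherwise
    # the port forward only "works" because FORWARD defaults to ACCEPT.
    for dst in $(sed -n 's/.*-j DNAT --to-destination \([0-9.]*\):\([0-9]*\).*/\1:\2/p' "$f"); do
        ip=${dst%%:*}; port=${dst##*:}
        if ! grep -q -- "-A FORWARD .*-d $ip.* --dport $port -j ACCEPT" "$f"; then
            echo "FAIL: DNAT to $dst has no FORWARD ACCEPT rule"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a ruleset with the policies left at ACCEPT.
LOOSE=$(mktemp)
cat > "$LOOSE" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 203.0.113.5/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.2:22
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -j LOG
COMMIT
EOF

# Constructed sample: the same setup with DROP defaults and an explicit rule for the forward.
TIGHT=$(mktemp)
cat > "$TIGHT" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 203.0.113.5/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.2:22
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -d 192.168.1.2/32 -i eth1 -o eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF

echo "== ruleset with ACCEPT defaults =="
audit_ruleset "$LOOSE" eth1 || echo "-> not safe to put on a cable modem as is"
echo "== tightened ruleset =="
audit_ruleset "$TIGHT" eth1 && echo "-> OK"
```

To check the live box rather than the samples, dump the running rules with `iptables-save > /tmp/rules` and call `audit_ruleset /tmp/rules eth1`. The WARN for INPUT is deliberate: an INPUT policy of ACCEPT is not wrong for a box that runs nothing but sshd on the LAN side, but it is the first thing to revisit once the router also becomes a web or mail server, as later posts in this thread suggest.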

----------

## franoculator

I should also mention that you can run this on a less powerful machine than you are thinking about.  My router is a dual-proc SPARC 100 MHz box with 128 megs of RAM.   Getting Gentoo on that puppy was rough, but it works great now.

----------

## zeek

 *sud0x wrote:*   

> I've heard shorewall is a good firewall app to use so I guess I can go with that.

 

All Linux firewalling is done by iptables; shorewall is one of many frontend configs to iptables and a good choice.

The commands that shorewall gives to iptables are a lot smarter than a home-brewed iptables bash script.  It is also more complete and handles things like port 113 (AUTH) properly.

Your plan sounds solid, have fun making it work!

----------

## sud0x

So does anyone know what I should read to learn how to assign IP addresses to all the CPUs plugged into the 8 port switch? I want to have the 8 port switch plugged into another NIC card on my server computer. But how do you get the server to recognize that there is something plugged into the switch?

What should I read first? The firewall stuff could come later. But I want to be able to setup this network soon. Thanks.

----------

## kpack

Look at dnsmasq for serving up ip addresses and providing local DNS and DNS caching:

http://thekelleys.org.uk/dnsmasq/doc.html
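
What the original poster asked for (addresses handed out by the router, some of them fixed, Windows boxes plugging in with no configuration) is a small dnsmasq configuration. The script below is an added example, not from the thread or from the dnsmasq documentation: it writes such a config and then checks that dnsmasq is bound to the LAN interface only, so the cable side never sees a DNS or DHCP server. It assumes `eth0` is the LAN, `eth1` the cable modem, `192.168.1.0/24` the LAN with the router at `192.168.1.1`, and `00:11:22:33:44:55` is a made-up MAC address for morpheus.

```shell
#!/bin/sh
# Added example: generate a LAN-only dnsmasq.conf and verify it.
# Assumed interfaces and addresses; the MAC address for morpheus is constructed.
INTIF=${INTIF:-eth0}
EXTIF=${EXTIF:-eth1}

# write_dnsmasq_conf <path>
write_dnsmasq_conf() {
    cat > "$1" <<EOF
# Listen on the LAN interface only; never answer DNS or DHCP from the cable side.
interface=$INTIF
except-interface=$EXTIF
bind-interfaces
# Do not forward plain hostnames or private reverse lookups to the ISP's resolvers.
domain-needed
bogus-priv
# Dynamic pool for the Windows boxes: plug in, get a lease, done.
dhcp-range=192.168.1.100,192.168.1.200,12h
# Fixed addresses chosen on the router, keyed on MAC (constructed MAC for morpheus).
dhcp-host=00:11:22:33:44:55,morpheus,192.168.1.2
# Clients use the router as both gateway and DNS server.
dhcp-option=option:router,192.168.1.1
dhcp-option=option:dns-server,192.168.1.1
# LAN hosts resolve each other by name; answers are cached for the whole LAN.
domain=lan
expand-hosts
cache-size=1000
EOF
}

# check_dnsmasq_conf <path>; returns 0 only if the config stays off the external interface.
check_dnsmasq_conf() {
    grep -qx 'bind-interfaces' "$1" || { echo "missing bind-interfaces: dnsmasq would bind the wildcard address"; return 1; }
    grep -qx "interface=$INTIF" "$1" || { echo "not bound to $INTIF"; return 1; }
    grep -qx "interface=$EXTIF" "$1" && { echo "explicitly listening on $EXTIF"; return 1; }
    return 0
}

OUT=${1:-$(mktemp)}
write_dnsmasq_conf "$OUT"
if check_dnsmasq_conf "$OUT"; then
    echo "wrote $OUT (LAN-only); review it, then install it as /etc/dnsmasq.conf"
fi
```

With that in place the DHCP reservation for morpheus also pins the address that franoculator's port-forward rule sends SSH to, so the forward does not break when the machine is rebooted and would otherwise draw a different lease.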

----------

## Deebster

Can you scrape up an old machine between you?  A two gig machine is ridiculous overkill for a router!  I'm sure you can make far better use of it than that.

If not, I've got an old machine of perfect router spec - want to swap?  :Wink: 

----------

## Griz

I'm looking at doing something similar but would like to know if the firewall box can also be used as a file/print/web server for the internal network and web server to the internet?

----------

## u2mike

Why not, I have mine setup as a webserver, email server, print server, firewall, spam filter and virus scan for email, as well as a router.

----------

## equilibrium

I have a Celeron 466 set up as a firewall/router with Squid proxy etc. using a custom iptables script, with sshd running for LAN connections only. A 2 GHz would be a bit overkill, but I guess you could always run it as a server etc.  :Very Happy: 

I have a little how-to on my site but haven't got round to posting my iptables script yet:

http://eq.equk.co.uk/page.php?page=firewall

I've not put up the squid / snort etc. how-to yet either  :Sad: 

my firewall spec:

CPU: Intel(R) Celeron (Mendocino) 466 MHz

RAM: 128 MB PC-133

GPU: GeForce4 MX 440-SE

MOBO: Intel Corp. 440BX

HDD: Seagate 10 GB

LAN: 2x SiS900 10/100

----------

## lagrima

For the most basic of basics, this tutorial helped me a lot: not too complicated syntax from the author of the document, and easy to follow.  I got this from a fellow Gentooer in one of the posts in here too.

http://gentoo-wiki.com/HOWTO_setup_a_home-server

enjoy, hope that helps

----------

## wolfgangVH

 *lagrima wrote:*   

> For the most basic of basics, this tutorial helped me a lot: not too complicated syntax from the author of the document, and easy to follow.  I got this from a fellow Gentooer in one of the posts in here too.
> 
> http://gentoo-wiki.com/HOWTO_setup_a_home-server
> 
> enjoy, hope that helps

 

I couldn't get squid to work from that.  I don't really understand why I need it anyway, maybe you could explain real quick.  :Wink: 

If there's a good reason, I will post my config, or start another thread.  I don't understand why just the plain firewall is not enough though.

I did however get the firewall working with shorewall.  I've got internet on my other pcs now, cool!

----------

## davidblewett

Squid is great to reduce the amount of traffic with the Internet. What I do is run sshd on the router, as well as courier-mta and squid. I then log in via public-key authentication to sshd, then forward the IMAP, SMTP and HTTP local ports to the router's internal network IP.  I don't have the other servers listen on the Internet IP. This allows me to read and send mail, as well as surf the web, all through a secure SSH session.  My download speed at the local machine is limited by my cable ISP's upload limit, so that's not the greatest, but it is a good way to get around any proxy/content filtering/port blocking going on where I am connecting from.
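
The setup described above has two halves: the client side builds `-L` forwards to the router's LAN address over one SSH session, and the router side keeps IMAP, SMTP and Squid bound to that LAN address so sshd is the only service reachable from the Internet. The script below is an added example, not davidblewett's own setup, showing both halves: it assembles the forward options from `localport:remoteport` pairs and checks a `netstat -tln` listing for anything bound to the wildcard address or to the external IP. `router.example.net`, `192.168.1.1`, `203.0.113.5` and the netstat listing are all assumed or constructed.

```shell
#!/bin/sh
# Added example: SSH port forwards to internal-only services on the router, plus
# a check for services exposed on the Internet side.  Names below are assumed.
ROUTER_EXT=${ROUTER_EXT:-router.example.net}   # public name of the router (assumed)
ROUTER_INT=${ROUTER_INT:-192.168.1.1}           # router's LAN address (assumed)
EXTIP=${EXTIP:-203.0.113.5}                     # router's external address (assumed)

# forward_args lport:rport ...  ->  "-L lport:$ROUTER_INT:rport" for each pair.
# The client talks to localhost:lport; sshd on the router connects onward to the
# LAN address, so the services never need to listen on the Internet side.
forward_args() {
    for pair in "$@"; do
        lport=${pair%%:*}
        rport=${pair##*:}
        printf '%s %s:%s:%s ' -L "$lport" "$ROUTER_INT" "$rport"
    done
}

# exposed_listeners <external-ip> < "netstat -tln" output
# Prints each TCP listener bound to the wildcard address (0.0.0.0 or ::) or to the
# external IP: the services reachable from the cable side without the tunnel.
exposed_listeners() {
    awk -v ext="$1" '
        $1 ~ /^tcp/ {
            split($4, a, ":")    # "0.0.0.0:22" -> a[1]="0.0.0.0";  ":::25" -> a[1]=""
            addr = a[1]
            if (addr == "0.0.0.0" || addr == "" || addr == ext) print $4
        }'
}

# Constructed listing: only sshd should be exposed; everything else sits on the LAN address.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:143         0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:25          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:3128        0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN'

case "${1:-}" in
    connect)
        # -N: no remote shell, only the forwards; -i: the key the router's sshd accepts.
        # Afterwards point the mail client at localhost:1143/1025 and the browser at localhost:3128.
        # $(forward_args ...) is deliberately unquoted so each option becomes its own argument.
        exec ssh -N -i "$HOME/.ssh/id_rsa" $(forward_args 1143:143 1025:25 3128:3128) "$ROUTER_EXT"
        ;;
    *)
        echo "ssh options that 'connect' would use:"
        echo "  $(forward_args 1143:143 1025:25 3128:3128)"
        echo "listeners reachable on $EXTIP in the sample netstat output:"
        printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners "$EXTIP"
        ;;
esac
```

Run it with no argument to see the forwards and the exposure check against the constructed listing, or with `connect` to open the tunnel. On the router, `netstat -tln | sh thisscript.sh` is not needed; pipe the real listing into `exposed_listeners` instead. Since the session is authenticated with a key, the matching hardening on the router is `PasswordAuthentication no` in `sshd_config`, so the one exposed port cannot be brute-forced from the cable side.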

----------

