How to build a basic Linux Firewall
Disclaimer: This article is for entertainment purposes only. Castellan takes no responsibility for any damages resulting from your use of any information in this article. YOU assume all risk if you build a Linux firewall and ANY damages result from your actually using this information.

A checklist for quickly building a Linux Firewall, using a major linux distribution downloaded from the internet.

Cost = hardware + $50 software + 4 CDs + a few hours of time (your first time, anyway). Additional firewalls are very easy to manage this way, with hardware as the only extra cost. In my case, I had 8 points of entry in my network (1 internet, 7 vendor / other), so I run 8 firewalls using this method. It is easy, reliable, and cheap.

Audience: Windows Admins who want a cheap firewall for their network and have little or no Linux experience, BUT are familiar with concepts like hard drive partitions, command lines, basic networking, and basic firewall concepts. This scales very easily to many firewalls, which is great in large environments.

Version: Oct 8 2004 ; created & edited with Mozilla 1.6
Author: Chris
  • Recommended Hardware: Pentium III 450MHz or greater; 256MB RAM; 10GB+ IDE HD; 2 or more NICs - a P4 box will run at less than 10% CPU and around 80% memory while servicing 5000 simultaneous states (equal to a LARGE corp surfing the web).
  • Checklist - write down the following information before you proceed:
    • Network card type & MAC address for each network card
    • Expected IP(s) on each interface - my interfaces have multiple IP addresses for the internet, so write down each one, along with subnet mask and default gateway
    • A label for each interface - examples include INTERNAL, EXTERNAL, and DMZ
  • download and install Fedora (Core 2 as of this writing)
    • download all 4 CDs from any mirror & burn them
    • disable the Redhat firewall during the install
    • make sure to plug in & configure EVERY interface that will use DHCP - this makes sure the DHCP client package gets installed
    • install ALL the text-mode internet tools and ALL of the development packages; skip X Windows and all the X Windows apps
    • here is a page with some relevant screen shots from an actual install
  • purchase ($50) Firewall Builder for Windows, then download & install on your workstation
  • download Putty and FileZilla (to communicate with the Linux Firewalls); install both on the workstation with Firewall Builder (I put it on a terminal server myself)
  • set up Putty to connect to your server using a protocol called SSH (just like telnet, only encrypted)
  • set up a FileZilla connection to your firewall
  • edit some Redhat Config Files
    • all editing is done using nano as the editor, logged in as root through the Putty SSH client - Redhat Linux is mainly a command-prompt driven environment, so just pretend you are at a DOS prompt with different DOS commands. Try out the Linux Command Directory to see a list of Linux commands & what they do; also try the killer Linux Command Reference, which is specifically for beginners
    • /etc/sysctl.conf handles our IP forwarding setup, so change the ip_forward value to 1
      [root@wall etc]# nano -w /etc/sysctl.conf
      net.ipv4.ip_forward = 1
    • /etc/rc.d/rc.local is the file that loads local scripts, so add a command to start the firewall in here - the line with the # in front is a comment, telling me what the following command will do for me
      [root@wall etc]# nano -w /etc/rc.d/rc.local
      #firewall setup
      /etc/wall.fw
    • change the default system runlevel to 3 - that way, if you did end up installing X Windows, you won't be running it by default (taking up valuable RAM in the process). Once you open the inittab file, locate the default runlevel line and modify it to look like the line below.
      [root@wall sysconfig]# nano -w /etc/inittab
      id:3:initdefault:
  • Copy the 3 firewall scripts over to your firewall using FileZilla, then make the scripts executable.
    chmod 0755 /etc/iptstat.sh
    {do the above for the other 2 scripts}
  • install a couple of programs onto the firewall
    • copy over the Fedora Core 2 RPM packages to the firewall using Filezilla
    • install all of the rpms on the firewall using the rpm command, like this (linuxconf is the one that requires a slightly different command)
      [root@wall chris]# rpm -ivh iptstate-1.3-0.1.fc2.dag.i386.rpm
      [root@wall root]# rpm -ivh --nodeps linuxconf-1.33r4-1.i386.rpm
  • using linuxconf (installed in the last step), set up any additional IP addresses you need on the external interface - most business customers have a 5-IP block from their DSL provider - in Linux, these end up being eth1:0, eth1:1, etc.... not just eth0 and eth1
    [root@wall etc]# linuxconf
  • reboot the firewall to apply everything we just did, using the shutdown command
    [root@wall chris]# shutdown -r now
  • set up your firewall configuration file using Firewall Builder - this is its own page, and you should really read the FWBuilder DOCS and howtos for detailed information on using Firewall Builder to make a firewall script. You can have multiple DMZs, multiple interfaces, multiple IP addresses, and more, all set up using a Checkpoint-1 type of interface.
  • to use the FWBuilder program to push policy to your remote firewalls, you need to do 2 things:
    • each firewall should allow SSH from the IP address of your firewall administration computer (the one with fwbuilder on it)
    • you need to tell FWBuilder where 2 key Putty files reside on your PC - go to the Edit | Preferences menu
  • take one last look at ALL of your config files that you have modified, make sure you haven't done anything stupid
  • reboot the firewall & start surfing
  • add a DNS entry for your firewall to your DNS server - in my case, my Windows 2003 DNS server primary AD zone is where I put an entry
  • here are some commands to look up and try on the firewall via putty. 3 of them are the scripts that we copied over earlier, and one of them is a program we installed from our RPM packages. The iptables commands are examples of command switches you can use with IPTables for showing what is going on with the firewall.
    • fwlogwatcher - monitor firewall logs in real time
    • iptstate - monitor the state table in real time, top-style, with sorting
    • iptstate.sh - show current filter & QOS stats
    • iptstate_nat.pl - show current filter NAT table
    • iptreset.sh - reset the firewall to an accept-all policy - useful when walking a non-techie through remote firewall troubleshooting - it kills NAT, but since your external (internet) interfaces are online, you can easily SSH to the firewall, or use FileZilla to copy over a new script & execute the script
    • iptables -L -n -v - show details about the packet filter tables
    • iptables -t nat -L -n -v - show details about nat tables
    • iptables -t mangle -L -n -v - show details about mangle tables
    • /etc/rc.d/init.d/network restart - restart the network interfaces on the firewall
  • you can scan your firewall (from the outside) to make sure that the config looks correct, using any of several websites, like Sygate and UnixCircle. If you are not a firewall guru, you should scan every firewall you install. This way, you can know that only allowed ports are accessible from the internet.
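The "take one last look at ALL of your config files" step above is easy to automate. The script below is an added example (not one of the three scripts the checklist copies over): it checks the sysctl, rc.local and inittab edits and the chmod step, using the file paths shown in the checklist; the file names under /etc are the page's, and any extra scripts you add are assumptions you should adjust.

```shell
#!/bin/sh
# Pre-reboot sanity check for the checklist above (added example, not one of the
# page's three scripts). Each check takes the file to inspect as an argument so
# it can be run against copies; run_checks points them at the live paths.

# sysctl.conf must carry an uncommented "net.ipv4.ip_forward = 1" line.
check_ip_forward() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# rc.local must start the firewall script on a line that is not a comment.
check_rc_local() {
    grep -Eq '^[[:space:]]*/etc/wall\.fw([[:space:]]|$)' "$1"
}

# inittab must default to runlevel 3 (no X started at boot).
check_runlevel() {
    grep -Eq '^id:3:initdefault:' "$1"
}

# Every script named on the command line must exist and be executable (chmod 0755).
check_scripts() {
    for f in "$@"; do
        [ -x "$f" ] || return 1
    done
    return 0
}

# Report one PASS/FAIL line per item and return 1 if anything failed.
run_checks() {
    rc=0
    report() { if "$@"; then echo "PASS $1"; else echo "FAIL $1"; rc=1; fi; }
    report check_ip_forward /etc/sysctl.conf
    report check_rc_local /etc/rc.d/rc.local
    report check_runlevel /etc/inittab
    # Script names follow the checklist; /etc/ is the directory its chmod example uses.
    report check_scripts /etc/wall.fw /etc/iptstat.sh /etc/iptstate_nat.pl /etc/iptreset.sh
    return $rc
}

# Only touch the live system when explicitly asked: RUN_LIVE_CHECKS=1 sh precheck.sh
if [ "${RUN_LIVE_CHECKS:-0}" = 1 ]; then
    run_checks
    exit $?
fi
```

Run it over Putty right before the reboot step; a FAIL on ip_forward or rc.local is exactly the kind of mistake that leaves the box booting with no firewall loaded.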
For more comprehensive coverage of IP Tables and using the linux command line, check out the following sites. I recommend making a local copy of these sites, so you can reference them while you are NOT online (example: you messed up your firewall).

For more help, try using the Fedora IRC and email lists. These 2 sources of user help are your best way to get help on any Linux topic.

Intro to IPTables
Cutter - a utility (you have to compile it, which is an easy task BUT requires a bit of knowledge) to drop any connection on the firewall
IPtables Homepage - the home for netfilter and IPTables, which is the combo that does all the packet stuff on Linux
Linux RUTE - this is considered the standard "beginners" guide to learning Linux. It assumes you know the basics of computers, of course.
IPTables Firewall Links - Linux Gurus have setup a nice page linking you to a zillion linux firewall documents.
Linux Firewalls, 2nd Ed - ISBN: 0735710996 - a great book on Linux firewalls - drop by Amazon or Bookpool and buy this one, on your company's dime, of course.

Design and Contents Copyright © 2016 Castellan, Inc. All rights reserved.