How to Build a Basic Linux Firewall
Disclaimer: This article is for entertainment purposes only. Castellan takes no responsibility for any damages resulting from your using any information in this article. YOU assume all risk if you make a Linux firewall & ANY damages result from your actually using this information.
A checklist for quickly building a Linux firewall, using a major Linux distribution downloaded from the internet. Cost = hardware + $50 software + 4 CDs + a few hours of time (your first time, anyway). Additional firewalls are very easy to manage this way, with only the hardware as extra cost. In my case, I had 8 points of entry in my network (1 internet, 7 vendor / other), so I run 8 firewalls using this method. It is easy, reliable, and cheap.

Audience: Windows admins who want a cheap firewall for their network and have little or no Linux experience, BUT are familiar with concepts like hard drive partitions, command lines, basic networking, and basic firewall concepts. This scales very easily to many firewalls, which is great in large environments.

Version: Oct 8 2004; created & edited with Mozilla 1.6
Author: Chris
- Recommended hardware: Pentium3-450MHz or greater; 256MB RAM; 10GB+ IDE HD; 2 or more NICs. A P4 box will run at less than 10% CPU, and around 80% memory, while servicing 5000 simultaneous states (equal to a LARGE corp surfing the web).
- Checklist - write down the following information before you proceed:
  - network card type & MAC address for each network card
  - expected IP(s) on each interface - my interfaces have multiple IP addresses for the internet, so write down each one, along with subnet mask and default gateway
  - label each interface - examples include INTERNAL, EXTERNAL, and DMZ
- download and install Fedora (Core 2 as of this writing)
  - download all 4 CDs from any mirror & burn them
  - disable the Redhat firewall during the install
  - make sure to plug in & configure EVERY interface that will be DHCP - this makes sure the dhcp client package gets installed
  - install ALL the text internet tools, and ALL of the development stuff; ignore X-Windows and all the X-Windows apps
  - here is a page with some relevant screen shots from an actual install
- purchase ($50) Firewall Builder for Windows, then download & install it on your workstation
- download Putty and FileZilla (to communicate with the Linux firewalls); install both on the workstation with Firewall Builder (I put it on a terminal server myself)
  - set up Putty to connect to your server using a protocol called SSH (just like telnet, only encrypted)
  - set up a FileZilla connection to your firewall
- edit some Redhat config files
  - all editing is done using nano as the editor, logged in as root, using the Putty SSH client. Redhat Linux is mainly a command-prompt driven environment, so just pretend you are at a DOS prompt with different DOS commands. Try out the Linux Command Directory to see a list of Linux commands & what they do; also try the killer Linux Command Reference, which is specifically for beginners.
  - /etc/sysctl.conf handles our IP forwarding setup, so change that value to a 1:
    [root@wall etc]# nano -w /etc/sysctl.conf
    net.ipv4.ip_forward = 1
  - /etc/rc.d/rc.local is the file that loads local scripts, so add a command to start the firewall in here - the line with the # in front is a comment, telling me what the following command will do for me:
    [root@wall etc]# nano -w /etc/rc.d/rc.local
    #firewall setup
    /etc/wall.fw
  - change the default system runlevel to 3 - that way, if you did end up installing X-Windows, you won't be running it by default (taking up valuable RAM in the process). Once you open the inittab file, locate the default runlevel line and modify it to look like below:
    [root@wall sysconfig]# nano -w /etc/inittab
    id:3:initdefault:
- copy the 3 firewall scripts over to your firewall using FileZilla, then make the scripts executable:
    chmod 0755 /etc/iptstat.sh
    {do the above for the other 2 scripts}
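The three config-file edits and the chmod step above can also be scripted and checked rather than done by hand in nano, which matters once you are running eight of these boxes. The script below is an added example, not part of the original checklist or any of the author's scripts; it assumes the same file locations the checklist uses (/etc/sysctl.conf, /etc/rc.d/rc.local, /etc/inittab, and the three scripts in /etc under the names listed later in the article) and only touches the real files when run as root with the argument apply, so you can try each function on a copy first.

```shell
#!/bin/sh
# Added example (not from the original article): apply the Fedora Core 2
# config-file changes from the checklist non-interactively and verify them.
# Every function takes the file path as an argument, so it can be exercised
# on a scratch copy before being pointed at the real /etc files as root.

# Enable IPv4 forwarding in a sysctl.conf-style file: rewrite an existing
# net.ipv4.ip_forward line, or append one if the key is absent.
set_ip_forward() {
    f="$1"
    if grep -q '^net\.ipv4\.ip_forward' "$f"; then
        sed 's/^net\.ipv4\.ip_forward[[:space:]]*=.*/net.ipv4.ip_forward = 1/' "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    else
        printf 'net.ipv4.ip_forward = 1\n' >> "$f"
    fi
}

# Report the configured value (1 = forwarding on); prints nothing if unset.
get_ip_forward() {
    grep '^net\.ipv4\.ip_forward' "$1" | sed 's/.*=[[:space:]]*//' | tail -n 1
}

# Add the firewall start-up command to an rc.local-style file exactly once
# (re-running must not add a second copy). Script path defaults to /etc/wall.fw,
# the name used in the checklist.
add_firewall_to_rc_local() {
    f="$1"; script="${2:-/etc/wall.fw}"
    if ! grep -qxF "$script" "$f"; then
        printf '#firewall setup\n%s\n' "$script" >> "$f"
    fi
}

# Set the default runlevel in an inittab-style file (id:N:initdefault:).
set_default_runlevel() {
    f="$1"; level="$2"
    sed "s/^id:[0-9]:initdefault:/id:${level}:initdefault:/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Read the default runlevel back out of an inittab-style file.
get_default_runlevel() {
    sed -n 's/^id:\([0-9]\):initdefault:.*/\1/p' "$1"
}

# chmod 0755 each copied script; report any that FileZilla did not deliver.
make_executable() {
    rc=0
    for s in "$@"; do
        if [ -f "$s" ]; then chmod 0755 "$s"; else echo "missing: $s" >&2; rc=1; fi
    done
    return $rc
}

# Only modify the live system when explicitly asked: ./setup.sh apply (as root).
# Script names/locations below are assumed from the article (iptstate.sh,
# iptstate_nat.pl, iptreset.sh in /etc).
if [ "${1:-}" = "apply" ]; then
    set_ip_forward /etc/sysctl.conf
    add_firewall_to_rc_local /etc/rc.d/rc.local /etc/wall.fw
    set_default_runlevel /etc/inittab 3
    make_executable /etc/iptstate.sh /etc/iptstate_nat.pl /etc/iptreset.sh
    echo "ip_forward=$(get_ip_forward /etc/sysctl.conf) runlevel=$(get_default_runlevel /etc/inittab)"
fi
```

The point of the getters is the "take one last look" step later in the checklist: after a reboot you can confirm ip_forward is 1 and the runlevel is 3 from the files themselves, rather than trusting that the nano session saved what you think it did.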
- install a couple of programs onto the firewall
  - copy over the Fedora Core 2 RPM packages to the firewall using FileZilla
  - install all of the RPMs on the firewall using the rpm command, like this (linuxconf is the one that requires a slightly different command):
    [root@wall chris]# rpm -ivh iptstate-1.3-0.1.fc2.dag.i386.rpm
    [root@wall root]# rpm -ivh --nodeps linuxconf-1.33r4-1.i386.rpm
  - using linuxconf (installed in the last step), set up any additional IP addresses you need on the external interface - most business customers have a 5-IP block from their DSL provider; in Linux, these end up being eth1:0, eth1:1, etc., not just eth0 and eth1
    [root@wall etc]# linuxconf
- reboot the firewall to apply all of this stuff we just did, using the shutdown command:
    [root@wall chris]# shutdown -r now
- set up your firewall configuration file using Firewall Builder - this is its own page, and you should really read the FWBuilder docs and howtos for detailed information on using Firewall Builder to make a firewall script. You can have multiple DMZs, multiple interfaces, multiple IP addresses, and more, all set up using a Checkpoint-1 type of interface.
- to use the FWBuilder program to push policy to your remote firewalls, you need to do 2 things:
  - each firewall should allow SSH from the IP address of your firewall administration computer (the one with FWBuilder on it)
  - you need to tell FWBuilder where the 2 key Putty files reside on your PC - go to the Edit | Preferences menu
- take one last look at ALL of the config files that you have modified, and make sure you haven't done anything stupid
- reboot the firewall & start surfing
- add a DNS entry for your firewall to your DNS server - in my case, my Windows 2003 DNS server primary AD zone is where I put an entry
- here are some commands to look up and try on the firewall via Putty. 3 of them are the scripts that we copied over earlier, and one of them is a program we installed from our RPM packages. The iptables commands are examples of command switches you can use with iptables to show what is going on with the firewall.
  - fwlogwatcher - used to monitor firewall logs in real time
  - iptstate - monitor connection-tracking states in real time, top-style, with sorting
  - iptstate.sh - show current filter & QoS stats
  - iptstate_nat.pl - show the current NAT table
  - iptreset.sh - reset the firewall to an accept-all policy - useful when walking a non-techie through remote firewall troubleshooting. It kills NAT, but since your external (internet) interfaces are still online, you can easily SSH to the firewall, or use FileZilla to copy over a new script & execute it
  - iptables -L -n -v - show details about the packet filter tables
  - iptables -t nat -L -n -v - show details about the NAT tables
  - iptables -t mangle -L -n -v - show details about the mangle tables
  - /etc/rc.d/init.d/network restart - restart the network interfaces on the firewall
- you can scan your firewall (from the outside) to make sure that the config looks correct, using any of several websites, like Sygate and UnixCircle. If you are not a firewall guru, you should scan every firewall you install. This way, you can know that only the allowed ports are accessible from the internet.
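The iptables -L -n -v listing from the command list above can be turned into the same kind of check as the external scan, done from the inside: parse the INPUT chain, list which destination ports a given interface ACCEPTs, and flag anything that is not on the list of ports you meant to open. This is an added example, not from the original article or from Firewall Builder. The listing it parses is a constructed sample standing in for real output (column order as iptables -L INPUT -n -v prints it), using RFC 5737 documentation addresses, with one rule (tcp/3389 on the external interface) planted as the unintended opening the check should catch.

```shell
#!/bin/sh
# Added example (not from the original article): audit the INPUT chain from
# 'iptables -L INPUT -n -v' output and compare the ports a given interface
# accepts against the ports you intended to open.
# Column layout assumed (as iptables -L -n -v prints it):
#   pkts bytes target prot opt in out source destination [match options...]

# Constructed sample listing standing in for real output on a two-NIC box
# (eth0 internal, eth1 external). Addresses are from documentation ranges.
SAMPLE_INPUT='Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3420  205K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  118  7080 ACCEPT     tcp  --  eth0   *       10.0.0.50            0.0.0.0/0            tcp dpt:22
  902   54K ACCEPT     tcp  --  eth1   *       0.0.0.0/0            203.0.113.10         tcp dpt:80
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            203.0.113.10         tcp dpt:443
    4   240 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            203.0.113.10         tcp dpt:3389
   55  3300 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    9   540 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4'

# Print "proto/port" for every ACCEPT rule on interface $1 that carries a
# destination-port match (dpt:N). Reads the listing on stdin. Rules without a
# port match (loopback, RELATED,ESTABLISHED) are not port openings and are skipped.
accepted_ports_on_iface() {
    awk -v iface="$1" '
        $3 == "ACCEPT" && $6 == iface {
            for (i = 10; i <= NF; i++)
                if ($i ~ /^dpt:/) print $4 "/" substr($i, 5)
        }'
}

# Print every accepted proto/port on interface $1 that is NOT in the allow list
# given as the remaining arguments (e.g. tcp/80 tcp/443). Reads the listing on stdin.
unexpected_ports() {
    iface="$1"; shift
    allowed=" $* "
    accepted_ports_on_iface "$iface" | while IFS= read -r p; do
        case "$allowed" in
            *" $p "*) ;;          # intended opening
            *) echo "$p" ;;       # accepted but not on the allow list
        esac
    done
}

# Live usage as root on the firewall:
#   iptables -L INPUT -n -v | unexpected_ports eth1 tcp/80 tcp/443
# Here the constructed sample is used instead so the script runs anywhere;
# it reports tcp/3389, the planted rule.
printf '%s\n' "$SAMPLE_INPUT" | unexpected_ports eth1 tcp/80 tcp/443
```

An empty result from unexpected_ports on the external interface is the condition the external scan is meant to confirm; the difference is that this check also shows rules with zero packet counts, which a scan from outside only finds if it happens to probe that port.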
For more comprehensive coverage of iptables and using the Linux command line, check out the following sites. I recommend making a local copy of these sites, so you can reference them while you are NOT online (example: you messed up your firewall). For more help, try using the Fedora IRC channel and email lists. These 2 sources of user help are your best way to get help on any Linux topic.

- Intro to IPTables
- Cutter - a utility (you have to compile it, which is an easy task BUT requires a bit of knowledge) to drop any connection on the firewall
- IPtables Homepage - the home for netfilter and iptables, which is the combo that does all the packet stuff on Linux
- Linux RUTE - this is considered the standard "beginners" guide to learning Linux. It assumes you know the basics of computers, of course.
- IPTables Firewall Links - Linux gurus have set up a nice page linking you to a zillion Linux firewall documents.
- Linux Firewalls, 2nd Ed - ISBN: 0735710996 - a great book on Linux firewalls - drop by Amazon or Bookpool and buy this one, on your company's dime, of course.