Author: Aditya Nag
I used Red Hat Linux 9 as the distribution for this exercise, but the instructions should work equally well for most Red Hat-derived distros, and, with little or no modification, for other distros as well.
Before you start, make sure you know the following things about your network setup:
1. Your ISP-assigned static IP address, if you have one.
2. The IP addresses of the DNS servers of your ISP.
Install the hardware and operating system
To run a gateway you need two Ethernet cards in the gateway server. One should be connected to your outgoing Internet connection, while the other is plugged into your local network. The hardware requirements are minimal: a Celeron processor with 128MB of RAM and an 8GB hard drive will suffice in a pinch, though of course anything newer is better.
Install your distro of choice on the server, and make sure you install all the server components, including the Domain Name Server (DNS), Dynamic Host Configuration Protocol (DHCP), and iptables packages. You can install more packages, depending on what you want to do with your computer.
Once the operating system is installed, make sure your Internet connection is working by setting it up according to your ISP's instructions. I will assume that you have the Internet connection up and running on eth0 (the first network card), and you can browse the Internet from the server.
Make sure that you have set up the IP address for the network card connected to your internal network by issuing the following command as root:
ifconfig eth1 10.10.0.1 netmask 255.255.0.0
Setting up DHCP
Next we need to configure DHCP, a service that assigns IP addresses to hosts based on a set of rules. DHCP simplifies network administration tremendously, since you do not have to go to every client and enter the network settings individually.
Log in as root, and edit the file /etc/dhcpd.conf to include the following:
subnet 10.10.0.0 netmask 255.255.255.0 {
    # --- default gateway
    option routers 10.10.0.1;
    option subnet-mask 255.255.255.0;
    option broadcast-address 10.10.0.255;
    option domain-name-servers 10.10.0.1;
    range 10.10.0.2 10.10.0.254;
    default-lease-time 21600;
    max-lease-time 43200;
}
Now start the DHCP server on the network card connected to the internal network by issuing the command:
/usr/sbin/dhcpd eth1
To make sure DHCP starts up every time, add the line above to the end of /etc/rc.d/rc.local.
You can test that DHCP is working by plugging a client into the network and setting it to obtain an IP address automatically. If it gets an IP address in the range 10.10.0.2 to 10.10.0.254, as specified by the range directive, then it's working correctly.
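The DHCP settings above only do what you expect if the numbers agree with each other and with the eth1 configuration from the previous section. The following POSIX sh script is an added example, not part of the original article: it checks that the router, the lease range and the interface address all lie inside the declared subnet, that the range does not contain the gateway's own address, and that the netmask given to ifconfig matches the one in dhcpd.conf. The function names are the example's own; the addresses are the ones used in this article.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check the values that
# go into /etc/dhcpd.conf before starting dhcpd. Pure POSIX sh + awk, no
# network access needed. The addresses are the article's sample network.

# ip_to_int A.B.C.D -> the address as a single integer (10.10.0.1 -> 168427521)
ip_to_int() {
    echo "$1" | awk -F. '{ printf "%d\n", ($1*16777216)+($2*65536)+($3*256)+$4 }'
}

# same_subnet ADDR NETWORK NETMASK -> exit 0 if ADDR lies inside NETWORK/NETMASK.
# POSIX awk has no bitwise AND, so each octet is masked arithmetically:
# for a contiguous mask octet m, (a & m) == a - a % (256 - m).
same_subnet() {
    awk -v a="$1" -v n="$2" -v m="$3" 'BEGIN {
        split(a, A, "."); split(n, N, "."); split(m, M, ".")
        for (i = 1; i <= 4; i++) {
            blk = 256 - M[i]                 # size of the host part in this octet
            if (A[i] - A[i] % blk != N[i]) exit 1
        }
        exit 0
    }'
}

# check_dhcp_config NETWORK NETMASK ROUTER RANGE_LO RANGE_HI IF_ADDR IF_MASK
# Prints one line per inconsistency and returns the number found
# (0 means the dhcpd.conf values and the interface configuration agree).
check_dhcp_config() {
    net=$1; mask=$2; router=$3; lo=$4; hi=$5; ifaddr=$6; ifmask=$7
    problems=0
    for host in "$router" "$lo" "$hi" "$ifaddr"; do
        if ! same_subnet "$host" "$net" "$mask"; then
            echo "$host is outside $net/$mask"
            problems=$((problems + 1))
        fi
    done
    if [ "$(ip_to_int "$lo")" -gt "$(ip_to_int "$hi")" ]; then
        echo "range start $lo is above range end $hi"
        problems=$((problems + 1))
    fi
    r=$(ip_to_int "$router")
    if [ "$r" -ge "$(ip_to_int "$lo")" ] && [ "$r" -le "$(ip_to_int "$hi")" ]; then
        echo "router $router lies inside the lease range and could be handed to a client"
        problems=$((problems + 1))
    fi
    if [ "$ifmask" != "$mask" ]; then
        echo "interface netmask $ifmask differs from the subnet netmask $mask in dhcpd.conf"
        problems=$((problems + 1))
    fi
    return $problems
}

# Demonstration on the article's own values: dhcpd.conf declares 10.10.0.0/255.255.255.0,
# while eth1 was configured with netmask 255.255.0.0.
if check_dhcp_config 10.10.0.0 255.255.255.0 10.10.0.1 10.10.0.2 10.10.0.254 10.10.0.1 255.255.0.0; then
    echo "dhcpd.conf values and eth1 configuration are consistent"
else
    echo "review dhcpd.conf and the eth1 netmask before starting dhcpd"
fi
```

Run on the article's own values, the script reports that the eth1 netmask (255.255.0.0) and the dhcpd.conf netmask (255.255.255.0) differ. dhcpd still starts, because 10.10.0.1 falls inside 10.10.0.0/24, but the gateway and its clients should agree on the mask, so pick one and use it in both places.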
Setting up DNS
Next we’ll set up DNS, which is responsible for translating numeric IP addresses like 64.233.161.99 to more readable names like www.google.com. Setting up a DNS server is generally considered a complex task, and rightly so, but for our purposes, all you have to do is add a few lines to the /etc/named.conf file.
In your named.conf file, inside the section that begins with options {, insert:
forward first;
forwarders { <Insert IP address of ISP's DNS server>; };
My ISP's DNS server is 202.78.167.25, so my configuration looks like this:
forward first;
forwarders { 202.78.167.25; };
Start the DNS server by issuing the command service named start. To make sure it starts at every boot, type the following command:
chkconfig --level 345 named on
Iptables Setup
Iptables is the last package you need to set up. Iptables is the packet filter for Linux. It acts as a firewall, protecting your system from the rest of the network. Iptables is a very complex tool, but in this simple setup we will concentrate on getting it to work as a network gateway. All clients on the network should transparently be able to reach the Internet, and all Internet programs, such as instant messengers, FTP clients, and IRC programs, should work without any further configuration.
The first step is to enable IP forwarding. To do this, add the following line to the file /etc/sysctl.conf:
net.ipv4.ip_forward = 1
This ensures IP forwarding is enabled every time you reboot the machine. To enable it without rebooting, type the following command:
echo 1 > /proc/sys/net/ipv4/ip_forward
Next, enable Source Network Address Translation (SNAT) so that your client machines can use the Internet transparently. Source NAT is specified using -j SNAT, and the --to-source option specifies the address that outgoing packets are rewritten to:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.2.3.4
where 1.2.3.4 is the static IP address your ISP assigned you. If you don't have a static IP address, you can use the following command instead:
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
You can change eth0 to ppp0 if you are using DSL (or ppp1, ppp2, etc., depending on which PPP interface carries your connection).
To get at least a minimum of security, add the following lines. They drop any packet arriving on the Internet-facing interface that would open a new connection, or that the connection tracker marks as invalid; as above, substitute ppp0, ippp0 or whatever interface carries your Internet link for eth0:
iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
Finally, issue the following command so that everything is saved:
iptables-save > /etc/sysconfig/iptables
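Because the rules above are typed one at a time and then frozen with iptables-save, it is easy to end up with a ruleset that nobody has read as a whole. The script below is an added example, not code from the original article: it prints the gateway ruleset as a list of iptables commands so you can review it (or diff it against your saved rules) before piping it to a root shell. The interface names and the 1.2.3.4 address are the article's sample values; the function names and the "strict" mode, a stateful default-deny variant that only lets the LAN open connections outward, are this example's own additions.

```shell
#!/bin/sh
# Added example, not from the original article: generate the gateway ruleset
# as plain iptables commands for review before applying them as root.
# Interface names and 1.2.3.4 are the article's sample values; the "strict"
# mode is this example's own addition.

# gateway_rules WAN_IF LAN_IF [STATIC_IP|-] [minimal|strict]
# Prints one command per line. With a static IP it uses SNAT as the article
# does; with "-" it falls back to MASQUERADE for dynamically assigned addresses.
gateway_rules() {
    wan=$1; lan=$2; ip=${3:--}; mode=${4:-minimal}

    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "iptables -F"
    echo "iptables -t nat -F"

    if [ "$ip" = "-" ]; then
        echo "iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE"
    else
        echo "iptables -t nat -A POSTROUTING -o $wan -j SNAT --to-source $ip"
    fi

    if [ "$mode" = "strict" ]; then
        # Default-deny: nothing reaches the gateway or crosses it unless a rule allows it.
        echo "iptables -P INPUT DROP"
        echo "iptables -P FORWARD DROP"
        echo "iptables -A INPUT -i lo -j ACCEPT"
        # DHCP and DNS requests from the internal network must reach the gateway itself.
        echo "iptables -A INPUT -i $lan -j ACCEPT"
        echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
        # Clients may open connections outward; only replies come back in.
        echo "iptables -A FORWARD -i $lan -o $wan -j ACCEPT"
        echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    else
        # The article's minimal rules: refuse new and invalid packets from the WAN side,
        # but leave the default policies at ACCEPT.
        echo "iptables -A INPUT -i $wan -m state --state NEW,INVALID -j DROP"
        echo "iptables -A FORWARD -i $wan -m state --state NEW,INVALID -j DROP"
    fi
}

# count_rules WAN_IF LAN_IF [STATIC_IP|-] [minimal|strict] -> number of iptables commands
count_rules() { gateway_rules "$@" | grep -c '^iptables'; }

# Review first, then apply as root and persist (all of this is typed on the gateway):
#   gateway_rules eth0 eth1 1.2.3.4 strict
#   gateway_rules eth0 eth1 1.2.3.4 strict | sh && iptables-save > /etc/sysconfig/iptables
gateway_rules eth0 eth1 - strict
```

The minimal mode reproduces the article's rules exactly; the strict mode is what you would move to once the gateway works, since a default policy of DROP means a forgotten rule fails closed instead of open. Apply the strict ruleset from the console rather than over the network, because the flush and policy change happen before the ESTABLISHED,RELATED rule is added.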
Once the server is fully configured, all you need to do is set up each client to use DHCP to get its address from the network.
Now that you've successfully set up a gateway machine, I should tell you that there are many drawbacks to this kind of setup. The firewall is only dropping new and invalid packets from the outside, and while this does provide some security, a dedicated cracker could get in. Also, it gives you little control over individual programs you might want to block. The advantage, however, is that it's a snap to set up.
I suggest you visit the Netfilter documentation page for links to many good tutorials on the subject of security and iptables, including one very comprehensive yet easy to understand tutorial.
Aditya Nag is a law student at the National Law University, Jodhpur, India, and has been a Linux user since 1997.