First you need the network tools: the programs used to configure Linux network devices, for example to assign addresses to interfaces and to set up routes. Most modern Linux distributions ship the network tools, so if you installed from a distribution and left them out, this is the time to install them. The sources/packages can be found on any popular Linux distribution or at ftp://ftp.inka.de. Be sure to pick up the latest version that most closely matches your kernel.
Second, we need the ipfwadm command. The latest version can be obtained from ftp://ftp.xos.nl. Again, a number of versions are available; pick the latest one that most closely matches your kernel.
As of kernel 2.1.102 the IP firewalling code has been replaced and ipfwadm no longer works. On those kernels you need "ipchains", available from http://www.adelaide.net.au/~rustcorp/ipfwchains/ipfwchains.html, and use it instead of ipfwadm. ipchains has its own rule syntax (the forward chain and the MASQ target take the place of ipfwadm's -F and -a m), so the ipfwadm rules below have to be translated accordingly.
Then you have to recompile your kernel and make sure the following options are set:
# Loadable module support
#
CONFIG_MODULES=y
# General setup
#
CONFIG_NET=y
# Networking options
#
CONFIG_IP_MASQUERADE=y
CONFIG_IP_ALIAS=y
CONFIG_FIREWALL=y
CONFIG_FILTER=y
CONFIG_INET=y
In most cases the server's second task is routing packets between your network and the Internet, so you usually already have an IP address for this machine from when you hooked it up to the Internet. By convention a router takes the first host address of its subnet, for example 10.88.88.1 (last 8 bits: 00000001). Even if your network interface (eth0) already has an address that does not end in .1, you can add an alias address for the router role with the following commands:
/sbin/ifconfig eth0:0 192.168.0.1
/sbin/ifconfig eth0:0 netmask 255.255.255.0
/sbin/ifconfig eth0:0 broadcast 192.168.0.255
/sbin/route add -host 192.168.0.1 eth0:0
The first command sets the alias address itself; the next two set its netmask and broadcast address, and the last adds the host route for the device eth0:0. More information on this subject can be found in the IP-Alias mini-HOWTO.
Now we have to enable IP forwarding. There are two possibilities: enable it when the server boots, or enable it only when the feature is actually wanted. I advise the second, which means writing a script that starts the router.
If you prefer to enable it at boot, the file to edit depends on your distribution. On RedHat the network configuration is in /etc/sysconfig/network; edit it with your editor and make sure it contains the entry FORWARD_IPV4=true.
Put the following in your router-script
value=1
message="Enabling IPv4 packet forwarding."
# Only write to /proc when forwarding is not already on.
if [ "$value" != "$(cat /proc/sys/net/ipv4/ip_forward)" ]; then
    echo "$message"
    echo "$value" > /proc/sys/net/ipv4/ip_forward
fi
This script checks whether IPv4 packet forwarding is already enabled and, if not, enables it. It has to run as root, since /proc/sys/net/ipv4/ip_forward is only writable by root.
In most cases you won't allow everybody in your company to surf the Internet. Some departments have no business on the Internet and must be rejected when they try to reach it. This is quite simple to achieve. You have to set up a masquerading host so that your computers can reach the Internet through a single IP address, because in most cases you will only have one IP address (we are talking about small companies). While setting up the masquerading host you can allow everybody on your network, or only some computers.
First set the default forwarding policy to deny and flush the existing forwarding, input and output rules. Put the following lines in your router script:
/sbin/ipfwadm -F -p deny
/sbin/ipfwadm -F -f
/sbin/ipfwadm -I -f
/sbin/ipfwadm -O -f
In my example I want to allow the hosts 192.168.0.10 and 192.168.0.30 on the Internet, so we put the following lines in the script file:
/sbin/ipfwadm -F -a m -S 192.168.0.10/32 -D 0.0.0.0/0
/sbin/ipfwadm -F -a m -S 192.168.0.30/32 -D 0.0.0.0/0
From now on these hosts can reach the Internet as if they were the router: their packets leave with the router's IP address. It is also possible to masquerade an entire network; the following command:
/sbin/ipfwadm -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0
allows all computers on the 192.168.0.0 network to connect through the router and surf the Internet. Note that -f only removes the rules from a list; the default policy of the input and output lists stays at whatever it was (accept by default) unless you change it with -p, and the deny policy on the forwarding list protects the hosts behind the router, not the router itself.
Of course this is not much security for the router itself. I would suggest you also restrict the router's own services with TCP wrappers by editing /etc/hosts.deny and /etc/hosts.allow in the following way:
/etc/hosts.allow
ALL: LOCAL, 192.168.0.
/etc/hosts.deny
ALL: ALL
In this way nobody is allowed to access the router's wrapped services unless they come from the 192.168.0 network or are LOCAL. The trailing dot in 192.168.0. matters: a client pattern that ends in a dot is an address prefix, while one without it is an exact host match and would match nobody on the LAN. LOCAL means that the name of the PC contains no dot; for example, if the host nessie (10.88.88.10) is listed in /etc/hosts it is treated as local. Keep in mind that hosts.allow and hosts.deny only control services started through tcpd or linked with libwrap; they do not restrict forwarded traffic, which is governed by the ipfwadm rules above.
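To see how the two files are evaluated, here is an added example (not from the HOWTO) in POSIX shell that re-implements the client-matching rules of hosts_access(5): the allow file is consulted first, then the deny file, and a client that matches neither is allowed. It handles the pattern forms the manual describes (ALL, LOCAL, a leading-dot host-name suffix, a trailing-dot address prefix, and an exact host name or address) rather than only the two entries above; EXCEPT clauses and per-daemon fields are not modelled, only the "ALL:" entries used on this page. The client names and addresses in the usage are constructed for the demonstration.

```shell
# Match one hosts_access(5) client pattern against a client's host name and address.
# Pattern forms: ALL; LOCAL (a name without a dot); .suffix (matched on the name);
# prefix. (matched on the address); anything else is an exact name or address match.
wrap_match() {
  pat=$1; name=$2; addr=$3
  case "$pat" in
    ALL)   return 0 ;;
    LOCAL) case "$name" in *.*) return 1 ;; *) return 0 ;; esac ;;
    .*)    case "$name" in *"$pat") return 0 ;; esac; return 1 ;;
    *.)    case "$addr" in "$pat"*) return 0 ;; esac; return 1 ;;
    *)     [ "$pat" = "$name" ] || [ "$pat" = "$addr" ] ;;
  esac
}

# Match a comma/space separated client list such as "LOCAL, 192.168.0.".
wrap_list_match() {
  list=$1; name=$2; addr=$3
  for tok in $(printf '%s' "$list" | tr ',' ' '); do
    wrap_match "$tok" "$name" "$addr" && return 0
  done
  return 1
}

# Decision for the "ALL:" entry of each file: a match in hosts.allow wins,
# then a match in hosts.deny denies, and a client matching neither is allowed.
wrap_allowed() {
  allow=$1; deny=$2; name=$3; addr=$4
  if wrap_list_match "$allow" "$name" "$addr"; then return 0; fi
  if wrap_list_match "$deny" "$name" "$addr"; then return 1; fi
  return 0
}

# One line per client, handy for auditing a pair of lists before deploying them.
wrap_report() {
  if wrap_allowed "$1" "$2" "$3" "$4"; then
    echo "$3 ($4): allowed"
  else
    echo "$3 ($4): denied"
  fi
}

# Usage with the entries from this page (client names/addresses are constructed):
#   wrap_report "LOCAL, 192.168.0." "ALL" nessie 10.88.88.10
#   wrap_report "LOCAL, 192.168.0." "ALL" pc10.example.com 192.168.0.10
#   wrap_report "LOCAL, 192.168.0" "ALL" pc10.example.com 192.168.0.10   # no trailing dot
```

The last usage line shows why the trailing dot is not cosmetic: "192.168.0" without it is an exact match, so the only thing left to match the LAN client is hosts.deny's ALL, and the client is denied.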
More information about securing your systems with ipfwadm can be found in the Firewall-HOWTO.
Some protocols have to be enabled separately for masquerading, because they carry addresses inside the protocol or open extra connections that the plain masquerading code cannot follow. When you put the following lines in your router script, your router will be able to masquerade these protocols:
/sbin/depmod -a
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio
/sbin/modprobe ip_masq_irc
/sbin/modprobe ip_masq_cuseeme
/sbin/modprobe ip_masq_vdolive
/sbin/modprobe ip_masq_quake
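The pieces above assembled into one router script, as an added example that is not part of the original HOWTO. It keeps the page's ipfwadm commands and module list, but adds what you want before running such a script as root: every host or network is validated before it reaches ipfwadm, the full rule list can be printed for review with --dry-run before anything is applied, and the forwarding flag is only written when it is actually off. The ALLOWED_HOSTS list, the --apply/--dry-run switches and the IP_FORWARD variable (which lets the forwarding check be exercised against a test file instead of /proc) are assumptions of this example.

```shell
#!/bin/sh
# router.sh: enable forwarding, install ipfwadm masquerading rules, load helpers.
# "sh router.sh --dry-run" prints the commands; "sh router.sh --apply" runs them (as root).
# The host list, module list and the two switches are assumptions of this example.

ALLOWED_HOSTS=${ALLOWED_HOSTS:-"192.168.0.10/32 192.168.0.30/32"}   # or 192.168.0.0/24
MASQ_MODULES="ip_masq_ftp ip_masq_raudio ip_masq_irc ip_masq_cuseeme ip_masq_vdolive ip_masq_quake"
IP_FORWARD=${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}
DRY_RUN=${DRY_RUN:-1}

# Print a command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Accept only a.b.c.d/n with octets 0-255 and a prefix length 0-32, so a typo in
# the host list cannot turn into a wider masquerading rule than intended.
valid_cidr() {
  addr=${1%/*}; plen=${1#*/}
  [ "$addr" != "$1" ] || return 1                  # the /prefix is mandatory
  case "$plen" in ''|*[!0-9]*) return 1 ;; esac
  [ "$plen" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# Turn forwarding on only if it is off; returns 1 when nothing had to change.
enable_forwarding() {
  [ "$(cat "$IP_FORWARD" 2>/dev/null)" != 1 ] || return 1
  echo "Enabling IPv4 packet forwarding."
  if [ "$DRY_RUN" = 1 ]; then
    echo "echo 1 > $IP_FORWARD"
  else
    echo 1 > "$IP_FORWARD"
  fi
}

# The ipfwadm rule that lets one host or network out through the masquerading router.
masq_rule() {
  valid_cidr "$1" || { echo "rejected host/network: $1" >&2; return 1; }
  echo "/sbin/ipfwadm -F -a m -S $1 -D 0.0.0.0/0"
}

# The complete rule set in the order it must be applied: deny by default, flush
# the three lists, then one masquerading rule per allowed host or network.
build_rules() {
  echo "/sbin/ipfwadm -F -p deny"
  echo "/sbin/ipfwadm -F -f"
  echo "/sbin/ipfwadm -I -f"
  echo "/sbin/ipfwadm -O -f"
  for h in $ALLOWED_HOSTS; do
    masq_rule "$h" || return 1
  done
}

main() {
  enable_forwarding || echo "IPv4 packet forwarding already enabled."
  rules=$(build_rules) || { echo "aborting: no rules applied" >&2; return 1; }
  echo "$rules" | while read -r line; do run $line; done
  run /sbin/depmod -a
  for m in $MASQ_MODULES; do run /sbin/modprobe "$m"; done
}

case "${1:-}" in
  --apply)   DRY_RUN=0; main ;;
  --dry-run) DRY_RUN=1; main ;;
esac
```

Because build_rules aborts before anything is executed when one entry is malformed, a bad host list leaves the previous rules in place rather than a half-applied set with a flushed forwarding list.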
More information about Masquerading hosts can be found in the IP-Masquerade mini-HOWTO. More information about firewalls can be found in the Firewall-HOWTO.