- 03-24-2004 #1
Firewall Router Answers
This post is intended to help some of the people on the Chat forums.
To use Linux as a router you need two NICs. We will call them ethX and ethN, where X is external and N is internal - yours will be called eth0 and eth1. If you have a PPP connection like ADSL just ignore the bits about ethX.
ethN should be physically cabled into the LAN and have a sensible IP address - off a non-routable range such as 192.168.10.1 (255.255.255.0). Cable this up and set all other PCs on the LAN to have similar IPs (192.168.10.2) and the same subnet. Make sure you can ping some of the other computers and they can ping you.
Now ethX is more complicated. Unplug ethN and plug in ethX - this should be cabled into some internet connectivity device, a cable modem or ADSL modem. Unless you have purchased a static IP from your ISP set this device to obtain all its information (IP address etc.) from DHCP.
Activate the NIC and check that you can surf the net. Try pinging www.google.com.
(If you use a PPP connection then check you can dial out and surf the web.)
At this point we know that both our NICs are fully functional and the two halves of the router work, i.e. we can connect to the PCs on the LAN - and we can talk to the internet. Now to connect these things together.
Now we are going to use Firestarter instead of the standard iptables - as it's pretty much the same thing and Firestarter has a pretty GUI.
Download and install Firestarter - http://firestarter.sourceforge.net/
Now you need to disable iptables - in Fedora I select System Settings \ Server Settings \ Services from the main menu. Then remove the tick next to iptables and click Save - now it won't run on boot. And with iptables selected click Stop - to terminate the daemon.
Your distro may have other methods of starting and stopping daemons.
Run firestarter - from command line or from the GUI.
If the wizard hasn't launched then start it.
Follow the wizard through and finish.
1. Click Forward.
2. Choose ethX or ppp0, click Forward.
3. Enable NAT - choose ethN - auto detect settings, click Forward.
4. The rest of the defaults should be fine.
The firewall should now work (click Start).
Using your favourite text editor check that the file /etc/sysctl.conf contains the line
net.ipv4.ip_forward=1 and that it is not commented out. This will activate IP routing - allows data to be sent across your NICs. Most distros seem to have this on by default but just in case....
Now using the service manager (or however you like) set the firestarter daemon to start on boot (Tick it & Save).
And you're done.
Now on each of your other clients set the default gateway address = IP address of ethN, e.g. 192.168.10.1, and set the DNS server addresses = the ones from your ISP.
Or set DNS server address = ethN and install BIND on your system. The default BIND configuration will work out of the box and provides a caching-only nameserver setup.
If you have any questions please post them here. But can you make sure that you have tried to isolate the problem and post details of your problem-solving quest.
Good luck
Kris
No trees were harmed during the creation of this message. It's made from a blend of elephant tusk and dolphin meat.
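For readers who want to see what the Firestarter wizard is doing under the hood, here is the same two-NIC NAT setup written as plain iptables rules. This is an added example, not part of the original post or of Firestarter itself; it assumes eth0 is ethX (the internet side, or ppp0 for ADSL), eth1 is ethN, and the LAN is 192.168.10.0/24, all overridable from the environment.

```shell
#!/bin/sh
# Added example (not from the thread): hand-written equivalent of the rule set
# Firestarter's wizard builds for "two NICs, NAT on ethX". Assumed interface
# names and LAN range below; override them via the environment.
WAN=${WAN:-eth0}                 # ethX in the post (use ppp0 for a dial-up/ADSL link)
LAN=${LAN:-eth1}                 # ethN in the post, cabled into the LAN switch
LAN_NET=${LAN_NET:-192.168.10.0/24}

# Print the rules instead of applying them, so they can be reviewed first.
# Policy: drop everything arriving on ethX that is not a reply to our own
# traffic, accept the LAN, and masquerade LAN traffic out through ethX.
router_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN -s $LAN_NET -j ACCEPT
iptables -A INPUT -i $WAN -p udp --sport 67 --dport 68 -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
EOF
}
# The udp 67->68 rule keeps the DHCP lease on ethX renewable under a DROP policy.

# The post says to check /etc/sysctl.conf for an uncommented ip_forward=1 line;
# this does that check (returns 0 if routing will be enabled at boot).
ip_forward_configured() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' \
        "${1:-/etc/sysctl.conf}"
}

# Turn routing on immediately and load the rules (needs root).
apply_router_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    router_rules | sh -e
}

if [ "${1:-}" = "apply" ]; then
    apply_router_rules
fi
```

Run the script with no argument to review the rules, and with `apply` as root to load them; `iptables -L -v -n` afterwards shows the counters moving as LAN clients go through the box.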
- 03-24-2004 #2
Hey kpzani ... did anyone ever tell you you should write tuts? This is the easiest tut that I have ever read. Thanks for putting it up for all of us.

And I should have the net up in a day or 2..... depending on how long I sleep! (48 hours eyes open... lol what you can do when you have a real chair)
And thanks again for the other thing.
~Mike ~~~ Forum Rules
Testing? What's that? If it compiles, it is good, if it boots up, it is perfect. ~ Linus Torvalds
http://loft306.org
- 03-24-2004 #3
IT trainer
Among other things I'm an IT trainer, so I have some experience of writing help files and manuals.
<JACK type="all trades">kpzani</JACK>
- 03-25-2004 #4
Re: IT trainer
That last part resembles me too!
<JACK type="all trades">kpzani</JACK>
- 03-26-2004 #5
Ok I got me a LAN and a WAN and almost everything pings everything... one Linux box doesn't ping the Win box.... but I'll get that.... and I can't ping the WAN from the LAN yet (except the box that is the router of course). My only Q is what machine does BIND get installed on... is it the router or the clients?..... I'm thinking the router... but I'll wait for the answer. Thanks
- 03-26-2004 #6
Depends. I run my BIND on my firewall/router/webserver/DHCP server.
---[ MS09-99896 - Vulnerability in All MS Windows OS ; Using Windows Could Allow Remote Code Execution. ]---
Hardware: Asus P4P800, 1GB, P4-3Ghz, Asus V9950, Maxtor ATA HDs, 3Com GBit lan, Audigy ZS Plat.
- 03-26-2004 #7
Ok I got BIND on the router box but I'm at a loss on how to config the named.conf... do I just uncomment the first couple of lines it says to uncomment..... and change nothing... or do I have to put the IP of the internal NIC somewhere?
Still looking for a readme.....
Code:
options {
    directory "/var/bind";
    // uncomment the following lines to turn on DNS forwarding,
    // and change the forwarding ip address(es) :
    //forward first;
    //forwarders {
    //    123.123.123.123;
    //    123.123.123.123;
    //};
    listen-on-v6 { none; };
    listen-on { 127.0.0.1; };
    // to allow only specific hosts to use the DNS server:
    //allow-query {
    //    127.0.0.1;
    //};
    // if you have problems and are behind a firewall:
    //query-source address * port 53;
    pid-file "/var/run/named/named.pid";
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "localhost" IN {
    type master;
    file "pri/localhost.zone";
    allow-update { none; };
    notify no;
};
zone "127.in-addr.arpa" IN {
    type master;
    file "pri/127.zone";
    allow-update { none; };
    notify no;
};
Is the area in red the area that I uncomment and put the LAN NIC's IP address? Or do I have to change the listen-on? ...... I'm just lost!
- 03-26-2004 #8
Answers
Your BIND config should look something like this:
Code:
// generated by named-bootconf.pl
options {
    directory "/var/named";
};
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.local";
    allow-update { none; };
};
include "/etc/rndc.key";
So along with this you will need a valid key file in /etc/rndc.key - DUNNO WHAT THIS DOES
named.custom =
Code:
zone "." { type hint; file "named.ca"; };
options { directory "/var/named/"; };
/var/named/named.ca contains a list of all the root servers. You can change this if you like to point to root.hints or whatever it is called in your distro.
/var/named/named.local
Code:
$TTL 86400
@       IN  SOA localhost. root.localhost. (
            1997022700 ; Serial
            28800      ; Refresh
            14400      ; Retry
            3600000    ; Expire
            86400 )    ; Minimum
        IN  NS  localhost.
1       IN  PTR localhost.
/var/named/localhost.zone
Code:
$TTL 86400
$ORIGIN localhost.
@       1D  IN  SOA @ root (
            42   ; serial (d. adams)
            3H   ; refresh
            15M  ; retry
            1W   ; expiry
            1D ) ; minimum
        1D  IN  NS  @
        1D  IN  A   127.0.0.1
If you need help with specific parts of this then post back. For what you're doing you don't need to understand it, so don't worry about it.
- 03-26-2004 #9
Just to note:
Only in Red Hat/Fedora do you need to disable the iptables service.
This service sets some iptables rules (or so I believe) in order to act as a firewall.
If you run another distro, you only need to disable any other firewall service that you are already running.
Hope this helps.
Nice how-to otherwise Mr Zani.
"One World, One Web, One Program." -- Advertisement for Internet Explorer.
"Ein Volk, Ein Reich, Ein Fuehrer." -- Adolf Hitler.
- 03-27-2004 #10
Ok I got BIND configured on my Gentoo box. I added this section into the named.conf:
Code:
zone "taz" { type master; file "/etc/bind/taz.fwd"; };
named.conf
Code:
options {
    directory "/var/bind";
    // uncomment the following lines to turn on DNS forwarding,
    // and change the forwarding ip address(es) :
    //forward first;
    //forwarders {
    //    192.168.10.1;
    //    123.123.123.123;
    //};
    listen-on-v6 { none; };
    //listen-on { 127.0.0.1; };   ##<--And I commented this out and the server worked
    // to allow only specific hosts to use the DNS server:
    //allow-query {
    //    127.0.0.1;
    //};
    // if you have problems and are behind a firewall:
    query-source address * port 53;
    pid-file "/var/run/named/named.pid";
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "localhost" IN {
    type master;
    file "pri/localhost.zone";
    allow-update { none; };
    notify no;
};
zone "127.in-addr.arpa" IN {
    type master;
    file "pri/127.zone";
    allow-update { none; };
    notify no;
};
zone "taz" { type master; file "/etc/bind/taz.fwd"; };
and created this file /etc/bind/taz.fwd and placed this in it. It is my zone file:
taz.fwd
Code:
$ttl 38400
taz.        IN  SOA ns.taz. karrot-x.karrot-x.net. (
                2003120301
                10800
                3600
                604800
                38400 )
taz.        IN  NS  ns.taz.
ns.taz.     IN  A   192.168.10.1
taz.        IN  A   10.10.10.42
ping.taz.   IN  A   10.10.10.42
pong.taz.   IN  A   10.10.10.41
www.taz.    IN  A   192.168.10.1
ftp.taz.    IN  A   192.168.10.1
taz being the name of my box/domain, and we have a fully functional BIND DNS server.
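One thing worth noting about the config in #10, and about the caching-only setup kpzani describes in #8: commenting out listen-on makes named listen on every interface, including ethX, and with no allow-query or allow-recursion it will answer and recurse for anyone who can reach it. The options block below is an added example (not from either post) that opens the resolver to the LAN only; it assumes the 192.168.10.0/24 LAN and the ethN address 192.168.10.1 from the how-to, and the forwarder address is a placeholder.

```conf
options {
    directory "/var/bind";
    // Listen where the LAN clients can reach the resolver, but not on the
    // internet-facing NIC (192.168.10.1 is ethN's address in the how-to).
    listen-on { 127.0.0.1; 192.168.10.1; };
    listen-on-v6 { none; };
    // Only the router itself and the LAN may query or use recursion; anything
    // arriving on ethX is refused, so the box is not an open recursive resolver.
    allow-query     { 127.0.0.1; 192.168.10.0/24; };
    allow-recursion { 127.0.0.1; 192.168.10.0/24; };
    // Optional: hand queries to the ISP's resolver instead of walking the roots.
    // 192.0.2.53 is a placeholder; put your ISP's resolver address here.
    //forward first;
    //forwarders { 192.0.2.53; };
    pid-file "/var/run/named/named.pid";
};
```

After editing, `named-checkconf /etc/bind/named.conf` validates the syntax, and from a LAN client `dig @192.168.10.1 www.taz` should answer while the same query against the ethX address should be refused.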