
EPIA CL Linux Firewall/Router Project
By Mini-ITX.com - Posted on October 13, 2003

Introduction

The EPIA CL has 2 Network Interfaces on board, making it ideal for use as a basic Two-Interface Firewall, in combination with an ADSL or Cable Modem. The idea is that all internet traffic is piped through one NIC and into the EPIA CL, and allowed through the other NIC onto the local network only if the firewall allows it. We'll also be allocating IP addresses with a DHCP server, sharing our internet connection with other machines and running a local DNS server to resolve domain names. The OS chosen will of course be Linux - all of these features are available out of the box. We chose Shorewall to configure the firewall built into the Linux kernel.

This guide will also apply to any EPIA with an additional NIC on a PCI card. The advantage of using the EPIA CL is the PCI slot is kept free, and a smaller enclosure can be chosen - our fanless EPIA CL 6000 fits into a wee Cubid 3688 case and runs in near silence.

Contents

  1. Install Linux
  2. Configure and test modem
  3. Installing Shorewall
  4. Configure DHCP
  5. Configure DNS
  6. Lose the GUI to save memory
  7. Some Linux Tips

Installing Linux

We chose Redhat 9 as our Linux distribution, but this guide should work with other distributions. We installed from CD, choosing a "Custom" install - we made sure we installed a web browser and at least the following servers: BIND, DHCP, DNS, and SSH. We tried to keep GUI-based tools to a minimum, though we will change the run level of our system to remove the GUI (and save memory) as a last step in our project.

The Two-Interface Firewall

The Redhat 9 installer recognises both the network interfaces of the EPIA CL as devices - these are named eth0 and eth1. We'll be connecting the internal network to eth0, and attaching an ADSL modem to eth1:

[Image: Two Interface Firewall Topology]

This is a basic Two-Interface Firewall configuration.

Assign IP addresses to eth0 (fixed) and eth1 (by DHCP)

The Redhat installer allows you to assign an IP address to each network interface, or have it assigned automatically from a DHCP server. Our ADSL modem (a D-Link DSL-300G+) has a built-in DHCP server which will assign an IP address for eth1 - so we chose "assign by DHCP" for eth1. We assigned 192.168.1.1 as the fixed IP address of eth0, with a subnet mask of 255.255.255.0 - do not enter a gateway address.

Configuring and testing the Modem

[Image: EPIA CL]

The DSL-300G+ is an inexpensive "always on" ADSL modem with an Ethernet port but no firewall features - ideal for our purposes. If we had cable, we would have used a similar cable modem. We connected the modem and EPIA CL together at eth1 (see above picture). We connected to the modem by web browser using its preset IP (http://192.168.0.1 for ours) and entered the username and password for our ISP. In the UK, we have PPPoA encapsulation and CHAP authentication. Then we connected up to our ADSL socket and reset the modem. A flickering ADSL LED showed we had connected to our ISP.

The rest of the install was conducted in glorious text mode. We only had Windows PCs on our network, so we downloaded PuTTY (a secure shell client) and connected to the EPIA CL using the IP we assigned to eth0. We logged in using the username and password we chose in the install process, and then switched to root using the su - command.

This is the output of the route command after we connected to our ISP (where 12.34.56.78 is the IP address assigned to us by our ISP):

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
12.34.56.0      *               255.255.255.0   U     0      0        0 eth1
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         12.34.56.67     0.0.0.0         UG    0      0        0 eth

We checked that the DHCP server in our ADSL modem had handed us our ISP's DNS server by typing cat /etc/resolv.conf:

; generated by /sbin/dhclient-script
nameserver 56.78.90.12

...where 56.78.90.12 is the IP address of our ISP's primary DNS server.

Installing Shorewall

We chose Shorewall, a high-level tool for configuring the Linux 2.4/2.5 firewall subsystem included in the standard Linux kernel.

In text mode, we changed to an appropriate directory (e.g. cd /root) and downloaded Shorewall with the command:

wget http://url/of/file/shorewall-version.tgz

...where the actual URL is of the most recent shorewall tarball (tgz).

Once downloaded, we unpacked the tarball (tar zxvf shorewall-1.4.6c.tgz), changed into the new directory (cd shorewall-1.4.6c), and installed Shorewall by typing ./install.sh

More installation instructions at shorewall.net

Configuring Shorewall

Once installed, Shorewall needs to be configured. This involves adding a few lines to configuration files located in /etc/shorewall. These are the lines we changed (using vi):

Additions to /etc/shorewall/interfaces:

####################################
#ZONE INTERFACE BROADCAST OPTIONS

net eth1 detect dhcp,routefilter,blacklist
loc eth0 detect routestopped

We commented out dmz in /etc/shorewall/zones:

###################################
#ZONE DISPLAY COMMENTS
net   Net     Internet
loc   Local   Local networks
#dmz  DMZ     Demilitarized zone

Additions to /etc/shorewall/policy:

###################################
#SOURCE DEST POLICY LOG LIMIT:BURST
#                   LEVEL
loc     net  ACCEPT
loc     fw   ACCEPT
fw      loc  ACCEPT
fw      net  ACCEPT
net     all  DROP   info
#
# THE FOLLOWING POLICY MUST BE LAST
#
all     all  REJECT info
#LAST LINE -- DO NOT REMOVE

Additions to /etc/shorewall/masq:

####################
#INTERFACE SUBNET ADDRESS
eth1       eth0

These are the most basic options. Shorewall is capable of much more, but that is beyond the scope of this project. We checked our changes using shorewall check. Shorewall won't start until we remove the startup_disabled file - rm /etc/shorewall/startup_disabled - then we can type shorewall start.
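To see what those four files add up to before typing shorewall start, here is an added example (not from the Mini-ITX.com guide or from Shorewall itself) that re-implements Shorewall's first-match policy lookup over the policy table above and prints the resulting zone-to-zone matrix:

```python
# Added example (not from the guide or Shorewall): first-match policy lookup
# over the /etc/shorewall/policy table from the guide, embedded below.
POLICY = """\
#SOURCE DEST POLICY LOG LIMIT:BURST
loc     net  ACCEPT
loc     fw   ACCEPT
fw      loc  ACCEPT
fw      net  ACCEPT
net     all  DROP   info
all     all  REJECT info
"""

def parse_policy(text):
    """Return [(source, dest, policy, loglevel)] in file order, comments dropped."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        src, dst, pol = fields[:3]
        level = fields[3] if len(fields) > 3 else None
        rows.append((src, dst, pol.upper(), level))
    return rows

def lookup(rows, src, dst):
    """First matching row wins, as in Shorewall; 'all' matches any zone."""
    for s, d, pol, level in rows:
        if s in (src, "all") and d in (dst, "all"):
            return pol, level
    return None, None   # no row covers this pair; the all/all catch-all prevents this

def catch_all_is_last(rows):
    """The guide's 'MUST BE LAST' rule: the final row must be 'all all REJECT'."""
    src, dst, pol, _ = rows[-1]
    return (src, dst, pol) == ("all", "all", "REJECT")

def policy_matrix(rows, zones=("net", "loc", "fw")):
    """Effective policy for every ordered pair of distinct zones."""
    return {(a, b): lookup(rows, a, b)[0]
            for a in zones for b in zones if a != b}

if __name__ == "__main__":
    rows = parse_policy(POLICY)
    for (a, b), pol in sorted(policy_matrix(rows).items()):
        print("%-3s -> %-3s : %s" % (a, b, pol))
    print("catch-all REJECT is last:", catch_all_is_last(rows))
```

The matrix makes the important property visible: every pair originating in net is dropped, while loc and fw may reach anything.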

Testing Shorewall

Our firewall won't hand out IP addresses or resolve host names yet, but we can still test from another machine that it is routing traffic. We gave a local machine a fixed IP address (e.g. 192.168.1.50), with a gateway of 192.168.1.1 (our EPIA CL), and used our ISP's name servers as its DNS servers.

Configuring DHCP

We're going to use our EPIA CL to hand out IP addresses using the built-in DHCP server. We edited our /etc/dhcpd.conf file to look like this:

ddns-update-style ad-hoc;
allow bootp;
allow booting;
# options handed to every client on the local network
option time-servers 192.168.1.1;
option domain-name-servers 192.168.1.1;
option domain-name "ourdomain.com";
# broadcast address of the 192.168.1.0/24 subnet
option broadcast-address 192.168.1.255;
option subnet-mask 255.255.255.0;
option routers 192.168.1.1;
subnet 192.168.1.0 netmask 255.255.255.0 {
       # dynamic pool handed out to clients
       range 192.168.1.100 192.168.1.120;
}

This configuration allocates IP addresses in the range 192.168.1.100 to 120. The command service dhcpd start starts the server. We tested this on a Windows box using ipconfig /renew - this should pick up a new IP from the DHCP server (make sure the box is set to obtain an IP address automatically). We chose the domain "ourdomain.com" to describe our internal network - but you can put anything you like here. If you own a domain, you could map machines on your network to subnets of this.

Allocating a fixed IP by DHCP

To allocate a fixed IP by DHCP (e.g. a games machine that requires ports forwarded to it consistently) we could have used something like this in place of the last 3 lines (where 00:B1:E0:B1:9B:90 is the MAC address of our games machine, determined by ipconfig /all on a Windows box):

subnet 192.168.1.0 netmask 255.255.255.0 {
       # dynamic pool now starts at .102 so the fixed address below is never leased to another client
       range 192.168.1.102 192.168.1.120;
       #allocate a fixed IP by DHCP
       host epia800.ourdomain.com {
          hardware ethernet 00:B1:E0:B1:9B:90;
          fixed-address 192.168.1.100;
       }
}
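Two things are easy to get wrong when hand-editing this file: a fixed-address that still falls inside the dynamic range, and a broadcast-address that is not the subnet's. The following is an added example (not part of the Mini-ITX.com guide) that parses just the subset of dhcpd.conf syntax used above and flags both mistakes; sample_conf builds a constructed configuration in the guide's layout.

```python
# Added example (not from the Mini-ITX.com guide): check a dhcpd.conf of the
# shape used above before 'service dhcpd start'. Only the subset of syntax the
# guide uses is parsed: global options, one subnet with a range, host blocks.
import ipaddress
import re

def sample_conf(range_lo="192.168.1.102", bcast="192.168.1.255"):
    """Constructed sample in the guide's layout; the two parameters vary."""
    return """
option broadcast-address %s;
option subnet-mask 255.255.255.0;
option routers 192.168.1.1;
subnet 192.168.1.0 netmask 255.255.255.0 {
       range %s 192.168.1.120;
       host epia800.ourdomain.com {
          hardware ethernet 00:B1:E0:B1:9B:90;
          fixed-address 192.168.1.100;
       }
}
""" % (bcast, range_lo)

def parse_dhcpd(text):
    """Return (options, subnet, ranges, fixed_hosts) for the subset above."""
    text = re.sub(r"#.*", "", text)                       # strip comments
    opts = dict(re.findall(r"option\s+(\S+)\s+([^;]+);", text))
    net, mask = re.search(r"subnet\s+(\S+)\s+netmask\s+(\S+)", text).groups()
    subnet = ipaddress.ip_network("%s/%s" % (net, mask), strict=False)
    ranges = [(ipaddress.ip_address(a), ipaddress.ip_address(b))
              for a, b in re.findall(r"range\s+(\S+)\s+(\S+)\s*;", text)]
    hosts = {h: ipaddress.ip_address(ip) for h, ip in re.findall(
        r"host\s+(\S+)\s*\{[^}]*?fixed-address\s+(\S+)\s*;", text)}
    return opts, subnet, ranges, hosts

def check_dhcpd(text):
    """Return problem descriptions; an empty list means the file looks sane."""
    opts, subnet, ranges, hosts = parse_dhcpd(text)
    problems = []
    bcast = opts.get("broadcast-address")
    if bcast and ipaddress.ip_address(bcast) != subnet.broadcast_address:
        problems.append("broadcast-address %s should be %s"
                        % (bcast, subnet.broadcast_address))
    for name, ip in hosts.items():
        for lo, hi in ranges:
            if lo <= ip <= hi:   # dhcpd could lease this address to another client
                problems.append("%s fixed-address %s lies inside range %s-%s"
                                % (name, ip, lo, hi))
    return problems
```

Running check_dhcpd(sample_conf(range_lo="192.168.1.100")) reports the overlap the guide avoids by starting the range at .102; the default sample passes clean.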

Configuring DNS Server

We created a zone file (we named ours "ourdomain.com.hosts") to describe our internal network (called ourdomain.com in this example). We then made a pointer to it in the file /etc/named.conf:

zone "ourdomain.com" {
      type master;
      file "/var/named/ourdomain.com.hosts";
};


This is the contents of our /var/named/ourdomain.com.hosts:

$ttl 38400
ourdomain.com. IN SOA firewall.ourdomain.com. firewall.ourdomain.com. (
      1031361928 ; se = serial number
      10800      ; ref = refresh
      3600       ; ret = update retry
      604800     ; ex = expiry
      38400      ; min = minimum
      )
ourdomain.com. IN NS firewall.ourdomain.com.
epia800.ourdomain.com. IN A 192.168.1.100
firewall.ourdomain.com. IN A 192.168.1.1

Don't forget the "." after each name. The last two lines in our zone file define the host name to IP address translation for our local machines.
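Why the dot matters: BIND appends the zone origin to any name that does not end in ".", so "firewall.ourdomain.com" silently becomes firewall.ourdomain.com.ourdomain.com. The following is an added example (not from the Mini-ITX.com guide or from BIND) that applies that rule to each record of a constructed zone file in the guide's layout (multi-line SOA left out) so the mistake shows up before service named start:

```python
# Added example (not from the Mini-ITX.com guide or from BIND): apply BIND's
# origin rule to each record of a small zone file so a missing trailing dot
# shows up before 'service named start'.
ORIGIN = "ourdomain.com."

# Constructed zone text in the guide's layout (the multi-line SOA is left out);
# the last record deliberately lacks its trailing dot.
ZONE_BAD = """\
$ttl 38400
ourdomain.com. IN NS firewall.ourdomain.com.
epia800.ourdomain.com. IN A 192.168.1.100
firewall.ourdomain.com IN A 192.168.1.1
"""
ZONE_OK = ZONE_BAD.replace("firewall.ourdomain.com IN", "firewall.ourdomain.com. IN")

def fqdn(name, origin=ORIGIN):
    """'@' means the origin; a name without a final '.' gets the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else "%s.%s" % (name, origin)

def parse_records(text, origin=ORIGIN):
    """Return (owner, type, rdata) for one-line records with an explicit class."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()        # drop comments
        if not line or line.startswith("$"):        # skip $TTL and friends
            continue
        owner, _cls, rtype, rdata = line.split(None, 3)
        if rtype in ("NS", "CNAME", "PTR"):         # rdata is a name: same rule
            rdata = fqdn(rdata, origin)
        records.append((fqdn(owner, origin), rtype, rdata))
    return records

def lint_zone(text, origin=ORIGIN):
    """Flag doubled-origin owners and NS targets that have no A record here."""
    recs = parse_records(text, origin)
    a_names = {owner for owner, rtype, _ in recs if rtype == "A"}
    problems = []
    for owner, rtype, rdata in recs:
        if owner.count(origin) > 1:   # e.g. firewall.ourdomain.com.ourdomain.com.
            problems.append("%s: missing trailing dot?" % owner)
        if rtype == "NS" and rdata not in a_names:
            problems.append("NS %s has no A record in this zone" % rdata)
    return problems
```

lint_zone(ZONE_BAD) reports both consequences of the missing dot (the doubled name and the name server that no longer has an address), while lint_zone(ZONE_OK) returns an empty list.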

The firewall itself still uses the ISP's DNS (from /etc/resolv.conf) to resolve host names, so we added some entries to /etc/hosts to make things easier - for instance, so we can ping local machines by name from the firewall:

127.0.0.1 localhost.localdomain localhost
127.0.0.1 firewall.ourdomain.com firewall
192.168.1.100 epia800 epia800.ourdomain.com
192.168.1.1 firewall firewall.ourdomain.com

We started the DNS server with service named start. With our name server in place we should be able to connect any machine to the network, have the firewall allocate an IP address, and start surfing.

Lose the GUI

Once we are satisfied everything is working, it's time to lose the GUI and save some memory. Our machine will be running 24/7, and we can start the GUI again at any point when we need it (startx or init 5). We changed to run level 3 (by typing init 3) and made sure the important services - named, dhcpd, shorewall, ssh - were set to start at boot (using the setup tool). Finally we changed the default run level from 5 to 3 by changing the appropriate line in /etc/inittab:

id:3:initdefault:

Our memory usage with a GUI was 190MB (as reported by top -d 3; press q when you are done to get your prompt back).

After restarting (shutdown -r now) this was reduced to just 50MB - and this wasn't even a particularly optimised system.

Some Linux Tips

If something isn't working, type tail -f /var/log/messages to view error messages in real time, then connect to the machine on another session, run the offending command again and monitor the output.

Most of these configurations can be performed through a web interface from another machine using webmin...
