EPIA CL Linux Firewall/Router Project
By Mini-ITX.com - Posted on October 13, 2003
Introduction
The EPIA CL has 2 Network Interfaces on board, making it ideal for use as a basic Two-Interface Firewall, in combination with an ADSL or Cable Modem. The idea is that all internet traffic is piped through one NIC and into the EPIA CL, and allowed through the other NIC onto the local network only if the firewall allows it. We'll also be allocating IP addresses with a DHCP server, sharing our internet connection with other machines and running a local DNS server to resolve domain names. The OS chosen will of course be Linux - all of these features are available out of the box. We chose Shorewall to configure the firewall built into the Linux kernel.

This guide will also apply to any EPIA with an additional NIC on a PCI card. The advantage of using the EPIA CL is that the PCI slot is kept free, and a smaller enclosure can be chosen - our fanless EPIA CL 6000 fits into a wee Cubid 3688 case and runs in near silence.
Contents
- Install Linux
- Configure and test modem
- Installing Shorewall
- Configure DHCP
- Configure DNS
- Lose the GUI to save memory
- Some Linux Tips
Installing Linux
We chose Redhat 9 as our Linux distribution, but this guide should work with other distributions. We installed from CD, choosing a "Custom" install - we made sure we installed a web browser and at least the following servers: BIND, DHCP, DNS, and SSH. We tried to keep GUI-based tools to a minimum, though we will change the run level of our system to remove the GUI (and save memory) as a last step in our project.
The Two-Interface Firewall
The Redhat 9 installer recognises both the network interfaces of the EPIA CL as devices - these are named eth0 and eth1. We'll be connecting the internal network to eth0, and attaching an ADSL modem to eth1. This is a basic Two-Interface Firewall configuration.
Assign IP addresses to eth0 (fixed) and eth1 (by DHCP)
The Redhat installer allows you to assign an IP address to each network interface, or have it assigned automatically from a DHCP server. Our ADSL modem (a D-Link DSL-300G+) has a built-in DHCP server which will assign an IP address for eth1 - so we chose "assign by DHCP" for eth1. We assigned 192.168.1.1 as the fixed IP address of eth0, with a subnet mask of 255.255.255.0 - do not enter a gateway address.
Configuring and testing the Modem
The DSL-300G+ is an inexpensive "always on" ADSL modem with an ethernet port but no firewall features - ideal for our purposes. If we had cable, we would have used a similar cable modem. We connected the modem and EPIA CL together at eth1 (see above picture).

We connected to the modem by web browser using its preset IP (http://192.168.0.1 for ours) and entered the username and password for our ISP. In the UK, we have PPPoA encapsulation and CHAP authentication. Then we connected up to our ADSL socket and reset the modem. A flickering ADSL LED showed we had connected to our ISP.
The rest of the install was conducted in glorious text mode. We only had Windows PCs on our network, so we downloaded PuTTY (a secure shell client) and connected to the EPIA CL using the IP we assigned to eth0. We logged in using the username and password we chose in the install process, and then switched to root using the su - command.
These are the results of route after we connected to our ISP (where 12.34.56.78 is the IP address assigned to us by our ISP):

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
12.34.56.0      *               255.255.255.0   U     0      0        0 eth1
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         12.34.56.67     0.0.0.0         UG    0      0        0 eth
We checked that the DHCP server in our ADSL modem had allocated the DNS of our ISP by typing cat /etc/resolv.conf:

; generated by /sbin/dhclient-script
nameserver 56.78.90.12

...where 56.78.90.12 is the IP address of our ISP's primary DNS server.
Installing Shorewall
We chose Shorewall, a high-level tool for configuring the Linux 2.4/2.5 firewall subsystem included in the standard Linux kernel.

In text mode, we changed to an appropriate directory (e.g. cd /root) and downloaded Shorewall with the command:

wget http://url/of/file/shorewall-version.tgz

...where the actual URL is that of the most recent shorewall tarball (tgz). Once downloaded, we unpacked the tarball (tar zxvf shorewall-1.4.6c.tgz), changed to the shorewall directory (cd shorewall-1.4.6c), and installed shorewall by typing ./install.sh

More installation instructions are at shorewall.net.
Configuring Shorewall
Once installed, Shorewall needs to be configured. This involves adding a few lines to configuration files located in /etc/shorewall. These are the lines we changed (using vi):

Additions to /etc/shorewall/interfaces:

#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth1        detect      dhcp,routefilter,blacklist
loc     eth0        detect      routestopped

We commented out dmz in /etc/shorewall/zones:

#ZONE   DISPLAY     COMMENTS
net     Net         Internet
loc     Local       Local networks
#dmz    DMZ         Demilitarized zone

Additions to /etc/shorewall/policy:

#SOURCE DEST    POLICY  LOG LEVEL   LIMIT:BURST
loc     net     ACCEPT
loc     fw      ACCEPT
fw      loc     ACCEPT
fw      net     ACCEPT
net     all     DROP    info
#
# THE FOLLOWING POLICY MUST BE LAST
#
all     all     REJECT  info
#LAST LINE -- DO NOT REMOVE

Additions to /etc/shorewall/masq:

#INTERFACE  SUBNET  ADDRESS
eth1        eth0
These are the most basic options. Shorewall is capable of much more, but that is beyond the scope of this project. We checked our changes using shorewall check. Shorewall won't start until we remove the startup_disabled file - rm /etc/shorewall/startup_disabled - then we can type shorewall start.
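The policy file above is evaluated top to bottom, first match wins, so the order of the lines decides what each zone pair gets. The following evaluator is an added example (not code from the article or from Shorewall) that parses the page's policy lines, looks up the policy for a zone pair, and reports lines that an earlier, broader line has made unreachable:

```python
# Added example (not code from the original article): a first-match evaluator
# for the /etc/shorewall/policy file above. Shorewall applies the FIRST line
# whose SOURCE and DEST match (with "all" matching any zone), so the order of
# the lines decides what happens to each zone pair.

POLICY_FILE = """\
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
loc     fw      ACCEPT
fw      loc     ACCEPT
fw      net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
#LAST LINE -- DO NOT REMOVE
"""

def parse_policy(text):
    """Return (source, dest, policy, loglevel) tuples in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        src, dst, policy = fields[:3]
        loglevel = fields[3] if len(fields) > 3 else None
        rules.append((src, dst, policy, loglevel))
    return rules

def lookup_policy(rules, src_zone, dst_zone):
    """Policy and log level for one zone pair, or None if nothing matches."""
    for src, dst, policy, loglevel in rules:
        if src in (src_zone, "all") and dst in (dst_zone, "all"):
            return policy, loglevel
    return None

def shadowed_rules(rules):
    """Indices of lines that can never match because an earlier line is broader."""
    shadowed = []
    for i, (src, dst, _, _) in enumerate(rules):
        for earlier_src, earlier_dst, _, _ in rules[:i]:
            if earlier_src in (src, "all") and earlier_dst in (dst, "all"):
                shadowed.append(i)
                break
    return shadowed

if __name__ == "__main__":
    rules = parse_policy(POLICY_FILE)
    print(lookup_policy(rules, "net", "loc"), shadowed_rules(rules))
```

With the page's file, unsolicited traffic from net to loc or to the firewall itself is dropped and logged at info, while anything the file does not name explicitly (for example loc to loc) falls through to the catch-all REJECT; moving the catch-all up shadows every line after it.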
Testing Shorewall
Our firewall won't dish out IP addresses or resolve host names yet, but we can still test from another machine that it is routing traffic. We assigned an IP address to a local machine (e.g. 192.168.1.50), with a gateway of 192.168.1.1 (our EPIA CL) and used our ISP's name servers as the defaults.
Configuring DHCP
We're going to use our EPIA CL to dish out IP addresses using the built in DHCP server. We edited our /etc/dhcpd.conf file to look like this:

ddns-update-style ad-hoc;
allow bootp;
allow booting;
option time-servers 192.168.1.1;
option domain-name-servers 192.168.1.1;
option domain-name "ourdomain.com";
option broadcast-address 192.168.1.255;   # the broadcast address of 192.168.1.0/24, not the router's own address
option subnet-mask 255.255.255.0;
option routers 192.168.1.1;
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.120;
}
This configuration allocates IP addresses in the range 192.168.1.100 to 192.168.1.120. The command service dhcpd start starts the server. We tested this on a Windows box using ipconfig /renew - this should pick up a new IP from the DHCP server (make sure the box is set to obtain an IP address automatically). We chose the domain "ourdomain.com" to describe our internal network - but you can put anything you like here. If you own a domain, you could map machines on your network to subnets of this.
Allocating a fixed IP by DHCP
To allocate a fixed IP by DHCP (e.g. a games machine that requires ports forwarded to it consistently) we could have used something like this in place of the last 3 lines (where 00:B1:E0:B1:9B:90 is the MAC address of our games machine, determined by ipconfig /all on a Windows box):

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.102 192.168.1.120;
    # allocate a fixed IP by DHCP
    host epia800.ourdomain.com {
        hardware ethernet 00:B1:E0:B1:9B:90;
        fixed-address 192.168.1.100;
    }
}
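Note that the dynamic range above now starts at .102 so that the reserved .100 can never also be handed out as a lease. The checker below is an added example (not code from the article or from the ISC DHCP server) that reads a dhcpd.conf fragment of the shape shown in this section and flags exactly those mistakes: a fixed-address inside a dynamic range, a range or reservation outside the subnet, a malformed MAC, and a broadcast-address that is not the subnet's broadcast. The DHCPD_CONF string is a constructed copy of the fixed-IP configuration:

```python
import ipaddress
import re

# Added example (not code from the original article): a sanity checker for
# dhcpd.conf fragments like the ones above. DHCPD_CONF is a constructed copy
# of the page's fixed-IP configuration; the parsing is regex based and only
# handles the single-subnet layout used on this page.

DHCPD_CONF = """\
ddns-update-style ad-hoc;
option broadcast-address 192.168.1.255;
option subnet-mask 255.255.255.0;
option routers 192.168.1.1;
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.102 192.168.1.120;
    host epia800.ourdomain.com {
        hardware ethernet 00:B1:E0:B1:9B:90;
        fixed-address 192.168.1.100;
    }
}
"""

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
HOST_RE = re.compile(r"host\s+(\S+)\s*\{[^}]*?hardware ethernet\s+(\S+);"
                     r"[^}]*?fixed-address\s+(\S+);")

def check_dhcpd_conf(text):
    """Return a list of problem descriptions; an empty list means clean."""
    problems = []
    m = re.search(r"subnet\s+(\S+)\s+netmask\s+(\S+)", text)
    net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
    ranges = []
    for lo, hi in re.findall(r"\brange\s+(\S+)\s+(\S+);", text):
        lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if lo not in net or hi not in net or lo > hi:
            problems.append(f"range {lo}-{hi} is not inside {net}")
        ranges.append((lo, hi))
    for name, mac, addr in HOST_RE.findall(text):
        ip = ipaddress.ip_address(addr)
        if not MAC_RE.match(mac):
            problems.append(f"host {name}: malformed MAC {mac}")
        if ip not in net:
            problems.append(f"host {name}: {ip} is outside {net}")
        elif any(lo <= ip <= hi for lo, hi in ranges):
            problems.append(f"host {name}: {ip} collides with a dynamic range")
    b = re.search(r"broadcast-address\s+(\S+);", text)
    if b and ipaddress.ip_address(b.group(1)) != net.broadcast_address:
        problems.append(f"broadcast-address should be {net.broadcast_address}")
    return problems
```

Running it on the sample returns no problems; widening the range back to .100 while keeping the .100 reservation, or pointing broadcast-address at the router's own address, makes it report both.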
Configuring DNS Server
We created a zone file (we named ours "ourdomain.com.hosts") to describe our internal network (called ourdomain.com in this example). We then made a pointer to it in the file /etc/named.conf:

zone "ourdomain.com" {
    type master;
    file "/var/named/ourdomain.com.hosts";
};
This is the contents of our /var/named/ourdomain.com.hosts:

$ttl 38400
ourdomain.com.            IN SOA  firewall.ourdomain.com. firewall.ourdomain.com. (
                          1031361928 ; se = serial number
                          10800      ; ref = refresh
                          3600       ; ret = update retry
                          604800     ; ex = expiry
                          38400      ; min = minimum
                          )
ourdomain.com.            IN NS   firewall.ourdomain.com.
epia800.ourdomain.com.    IN A    192.168.1.100
firewall.ourdomain.com.   IN A    192.168.1.1
Don't forget the "." after each name. The last two lines in our zone file define the host name to IP address translation for our local machines.
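The reason the trailing "." matters is that BIND treats any name without one as relative to the zone origin, so a line written as "epia800.ourdomain.com IN A ..." silently defines epia800.ourdomain.com.ourdomain.com instead. The parser below is an added example (not code from the article or from BIND) that applies that rule to the zone file above and reports owner names showing the doubled-origin symptom; it assumes the page's layout ($ttl, a parenthesised SOA, then one-line IN records):

```python
import re

# Added example (not code from the original article): a minimal zone-file
# parser that applies BIND's origin rule to owner names, so a record whose
# name lacks the trailing dot shows up under the doubled origin. Assumes the
# page's layout: $ttl, a parenthesised SOA, then one-line "name IN TYPE rdata".

ZONE_ORIGIN = "ourdomain.com."

ZONE_FILE = """\
$ttl 38400
ourdomain.com. IN SOA firewall.ourdomain.com. firewall.ourdomain.com.
(
    1031361928 ; se = serial number
    10800 ; ref = refresh
    3600 ; ret = update retry
    604800 ; ex = expiry
    38400 ; min = minimum
)
ourdomain.com. IN NS firewall.ourdomain.com.
epia800.ourdomain.com. IN A 192.168.1.100
firewall.ourdomain.com. IN A 192.168.1.1
"""

def qualify(name, origin):
    """BIND's rule: a name without a trailing dot is relative to the origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return {(owner, type): rdata} with every owner name fully qualified."""
    # Strip ';' comments per line, then collapse the "( ... )" SOA group.
    flat = "\n".join(ln.split(";", 1)[0] for ln in text.splitlines())
    flat = re.sub(r"\([^)]*\)", " ", flat)
    records = {}
    for line in flat.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("$"):
            continue
        owner, rtype, rdata = fields[0], fields[2], fields[3:]
        if rtype in ("SOA", "NS", "CNAME"):     # rdata names are relative too
            rdata = [qualify(f, origin) for f in rdata]
        records[(qualify(owner, origin), rtype)] = " ".join(rdata)
    return records

def doubled_origin(records, origin):
    """Owner names ending in the origin twice: the classic missing-dot symptom."""
    o = origin.rstrip(".")
    return sorted(owner for owner, _ in records if owner.endswith(f".{o}.{o}."))
```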
Our firewall uses the ISP's DNS to resolve host names, so we added some entries in /etc/hosts to make things easier (so we'll be able to ping local machines by name from the firewall, for instance):

127.0.0.1       localhost.localdomain localhost
127.0.0.1       firewall.ourdomain.com firewall
192.168.1.100   epia800 epia800.ourdomain.com
192.168.1.1     firewall firewall.ourdomain.com
We started the DNS server with service named start.

With our name server in place we should be able to connect any machine to the network, have the firewall allocate an IP address, and start surfing.
Lose the GUI
Once we are satisfied everything is working, it's time to lose the GUI and save some memory. Our machine will be running 24/7, and we can start the GUI again at any point when we need it (startx or init 5). We changed to run level 3 (by typing init 3) and made sure the important services - named, dhcpd, shorewall, ssh - were set to start at boot (setup). Finally we changed the default run level from 5 to 3 by changing the appropriate line in /etc/inittab:

id:3:initdefault:

Our memory usage with a GUI was 190MB (top -d 3, then when you are done, q to give you your prompt back). After restarting (shutdown -r now) this was reduced to just 50MB - and this wasn't even a particularly optimised system.
Some Linux Tips
If something isn't working, type tail -f /var/log/messages to view error messages in real time, then connect to the machine on another session, run the offending command again and monitor the output.
Most of these configurations can be performed through a web
interface from another machine using webmin...