
setting up a Linux firewall (was Re: Tonight's O'Fallon meeting)

On Thu, Mar 07, 2002 at 08:07:23AM -0600, Steve wrote:
> Having only played with the workstation setup this would be new to me,
> but probably something I need to figure out anyway. Some boxes would
> be set up with a static connection to the outside world but most would
> be on a LAN DHCP server. I would also need a DMZ and IP filtering.

Actually, this couldn't be easier...

Just configure each of the interfaces as you normally would if that
were the only interface on the system either during the install, with
netcfg, or by editing /etc/sysconfig/network-scripts/ifcfg-* directly.
Since this system will be the gateway/router, you'll need to set the
addresses of the interfaces statically.

Once you've done that, grab

    http://www.silug.org/pub/steve/genfw/genfw-1.22.tar.gz

or whatever is the latest in that directory, untar it, cd into the
directory it creates, and run "make install".  (When I get time, I'll
build an rpm to make it even simpler.)

I should note that I am assuming you'll be running Red Hat 7.x.
Anything else will require anything from installing by hand to major
hacking.  Fixing that is on my todo list, but it isn't very high up at
the moment, so don't hold your breath.  :-)

Now you just need to build /etc/sysconfig/rules.  "man genfw" for more
information about that.  It's pretty simple.  For example, if you had
eth0 configured on your internal network, and eth1 connected to your
outside internet connection, you'd just need to have something like
this:

    int eth0 trusted nat
    out eth1

At this point, you should make sure the Red Hat installer's firewall
setup won't conflict with your new setup.  Just "rmmod ipchains" and
"chkconfig --level 2345 ipchains off" to be sure.  You should probably
also "chkconfig --level 2345 iptables off", just to be safe.

Once you've done that, run "service firewall start".  Then edit
/etc/sysctl.conf and change this line:

    net.ipv4.ip_forward = 0

to

    net.ipv4.ip_forward = 1

and run "sysctl -p" to turn on IP forwarding.

That's all there is to it.  At this point everything should just work,
and it should also work properly when the system is rebooted.

Steve
-- 
steve@silug.org           | Southern Illinois Linux Users Group
(618)398-7360             | See web site for meeting details.
Steven Pritchard          | http://www.silug.org/
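The steps in the message above, scripted as an added example (not from the original post or from genfw itself): the sysctl edit is made idempotent (it handles a line that is set to 0, commented out, or missing), the effective value is read back so the change can be checked before and after "sysctl -p", and the rules file is written from the interface names. File paths and interface names are parameters; the Red Hat 7.x layout and the genfw rules syntax are taken from the post.

```shell
#!/bin/sh
# Added example: applies the post's sysctl change idempotently, checks it,
# and writes the two-line genfw rules file. Paths are parameters so the
# file-editing parts can be exercised on a scratch copy without root.

# Set net.ipv4.ip_forward = 1 in the given sysctl.conf, whether the line is
# currently 0, commented out, or absent. Edits via a temp file (no sed -i).
enable_ip_forward() {
    conf="$1"
    key='^[[:space:]]*#*[[:space:]]*net\.ipv4\.ip_forward'
    if grep -q "$key" "$conf"; then
        sed "s/$key.*/net.ipv4.ip_forward = 1/" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        echo 'net.ipv4.ip_forward = 1' >> "$conf"
    fi
}

# Print the value a sysctl.conf-style file would apply for ip_forward
# (last uncommented setting wins, as sysctl -p applies lines in order);
# prints 0 when the key is not set.
forwarding_value() {
    val=$(sed -n 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    echo "${val:-0}"
}

# Write the genfw rules file from the post: $2 is the trusted internal
# interface (NATed), $3 the outside interface.
write_rules() {
    printf 'int %s trusted nat\nout %s\n' "$2" "$3" > "$1"
}

# The remaining host-level steps from the post (Red Hat 7.x, needs root).
# Not called here; run it by hand on the gateway.
apply_on_host() {
    rmmod ipchains 2>/dev/null
    chkconfig --level 2345 ipchains off
    chkconfig --level 2345 iptables off
    service firewall start
    enable_ip_forward /etc/sysctl.conf
    sysctl -p
    # Confirm the running kernel actually took the setting.
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] \
        || echo "ip_forward is still off" >&2
}
```

Run apply_on_host only after /etc/sysconfig/rules exists, since "service firewall start" depends on it.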
