Installing and configuring Linux Firewall and Masquerading
for home, office and pleasure
I decided to put a firewall in front of my home computers. I want to use
only one IP address from my Internet Provider, and yet make sure
that my kids can browse the net while I work. It works great for me.
I give here a detailed sermon on how I compiled the kernel, how I installed
everything, etc. It is not intended as a blueprint to follow, but rather as
an example. You will still have to read the other material which I reference in the
pages below. When you save the files, drop the ".txt"
extension from their names.
- mysetup -- this file contains
the log of my installation, configuration, and testing. It is long, but
I hope that when you read it, it will "take the fear" out of doing this, since
it is not that difficult, it only takes some time. And if you fail, you
will learn from it {:-)} and the next time it will be easier. My advice is:
use some PC which you do not care about if you lose all of the data on it.
- config -- this is the file
needed to configure your kernel before compilation. Read about it in
mysetup, but in short,
you copy it to /usr/src/linux-2.4/.config and run
make oldconfig (or make menuconfig, if you want to adjust anything)
before attempting to make/compile the kernel.
- flushfw -- this is a script
to stop the running netfilter. It flushes all chains, restores the kernel
flags, and removes the iptables modules. Use it before you run the
startfw script. Put it in
/usr/sbin/flushfw since iptables-jkl expects it
there. You need to make it executable by root, so change its permissions
to 700 and ownership to root.
- startfw -- this is the script
which starts netfilter. It loads the necessary modules into the kernel and
then adds the rules to the chains, so the machine runs as a firewall and
masquerading host. There are a lot of comments in the script, so read them.
You need to save it as /usr/sbin/startfw since this is where
the boot-up script iptables-jkl expects it. Change its
permissions to 700 and ownership to root.
- iptables-jkl -- this is
the script which starts netfilter automatically at boot-up. You need to
save it as /etc/rc.d/init.d/iptables-jkl and change its permissions
to 700 so that only root can run it.
- iplisting -- this script
lists the iptables rules and chains currently loaded in the kernel.
Put it, as root, in /usr/sbin/iplisting and change its permissions
to 700.
- stoplan -- this script
cuts a computer on the local LAN off from the Internet.
I do it to my kids when they have had too much. Use it as:
stoplan 5
to stop the computer which has the LAN address 192.168.0.5. Put it in
/usr/sbin/stoplan or anywhere else in the PATH.
I am also using crontab to control the hours when they can
access the Internet. My crontab is like:
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.11668 installed on Sun Dec 2 10:28:46 2001)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
45 18 * * * /usr/sbin/restartlan 4
47 18 * * * /usr/sbin/restartlan 6
15 20 * * * /usr/sbin/stoplan 4
16 20 * * * /usr/sbin/stoplan 6
50 15 * * * /usr/sbin/restartlan 3
10 17 * * * /usr/sbin/stoplan 3
25 20 * * * /usr/sbin/restartlan 3
10 21 * * * /usr/sbin/stoplan 3
The fields are minute, hour, day of month, month and day of week, so with
this table the computers 192.168.0.4 and 192.168.0.6 are let on the net at
18:45 and 18:47 and cut off at 20:15 and 20:16 every day, while
192.168.0.3 gets two slots, 15:50 to 17:10 and 20:25 to 21:10.
- restartlan -- this script
resumes the Internet connection for a computer disconnected with
stoplan (see above). Use it as:
restartlan 5
to resume the connection for the computer which has the LAN address 192.168.0.5
and was stopped with stoplan 5 before. Put it in
/usr/sbin/restartlan or anywhere else in the PATH.
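Since this page describes startfw and flushfw but does not reproduce them, here is an added example of what such a pair looks like for a masquerading gateway. It is written for this page and is not the author's startfw/flushfw. Everything interface-specific is an assumption: the Internet side is eth0, the LAN side is eth1 with 192.168.0.0/24, and the iptables, modprobe and ip_forward paths are taken from environment variables so the logic can be dry-run by a normal user with stub commands instead of the real ones.

```sh
#!/bin/sh
# Added example of a startfw/flushfw pair for a masquerading gateway.
# Not the author's scripts. Assumptions (not from the page): the Internet
# side is eth0, the LAN side is eth1 with 192.168.0.0/24; the tool paths can
# be overridden through the environment so the logic can be dry-run as a
# normal user with stub commands.
IPTABLES=${IPTABLES:-/sbin/iptables}
MODPROBE=${MODPROBE:-/sbin/modprobe}
IP_FORWARD_FILE=${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}
EXT_IF=${EXT_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}

# Modules a 2.4 kernel needs for stateful filtering, NAT and active FTP
# through the masquerade; newer kernels autoload them and modprobe just
# reports them as already present.
MODULES="ip_tables ip_conntrack iptable_filter iptable_nat ipt_MASQUERADE ip_conntrack_ftp ip_nat_ftp"

# flushfw: take the firewall down. Forwarding is switched off FIRST, so no
# LAN packet is routed out unmasqueraded while the chains are empty, and the
# FORWARD policy is left at DROP for the same reason. INPUT/OUTPUT go back
# to ACCEPT, i.e. the gateway itself is unprotected until startfw runs.
flushfw() {
  echo 0 > "$IP_FORWARD_FILE"
  for table in filter nat; do
    $IPTABLES -t "$table" -F
    $IPTABLES -t "$table" -X
  done
  $IPTABLES -P INPUT ACCEPT
  $IPTABLES -P FORWARD DROP
  $IPTABLES -P OUTPUT ACCEPT
}

# startfw: load the modules, start from a clean slate, then add the rules.
startfw() {
  for m in $MODULES; do $MODPROBE "$m" 2>/dev/null || :; done
  flushfw
  # Default deny for traffic to the gateway and through it.
  $IPTABLES -P INPUT DROP
  $IPTABLES -P FORWARD DROP
  $IPTABLES -P OUTPUT ACCEPT
  # Loopback, replies to the gateway's own connections, and the LAN side.
  $IPTABLES -A INPUT -i lo -j ACCEPT
  $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
  # Anti-spoofing: a LAN source address can never legitimately arrive on
  # the Internet interface.
  $IPTABLES -A INPUT -i "$EXT_IF" -s "$LAN_NET" -j DROP
  $IPTABLES -A FORWARD -i "$EXT_IF" -s "$LAN_NET" -j DROP
  # LAN -> Internet is allowed; Internet -> LAN only as a reply.
  $IPTABLES -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT
  $IPTABLES -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Masquerade: rewrite LAN sources to the single provider-assigned address.
  $IPTABLES -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
  # Only now let the kernel route between the two interfaces.
  echo 1 > "$IP_FORWARD_FILE"
}

case "$1" in
  start) startfw ;;
  stop)  flushfw ;;
esac
```

Run it as "start" from the boot-up script and as "stop" before re-running it. The ordering matters more than the individual rules: forwarding is disabled before the chains are flushed and enabled only after the MASQUERADE rule is in place, so there is never a window in which LAN packets leave with private source addresses. The -m state match is the 2.4-era syntax; on current iptables -m conntrack --ctstate does the same job.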
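The stoplan/restartlan pair above is small enough to show in full, so here is an added example of both in one script. It is not the author's stoplan or restartlan; it assumes, as the page does, a 192.168.0.x LAN, and further assumes that the block goes into the FORWARD chain of the filter table and that the iptables path is overridable so the logic can be exercised with a stub. Two things a quick script tends to get wrong are handled: the host number is validated, so a stray argument can never turn into a rule for the wrong address, and stoplan clears any old copy of its rule first, so running it twice never leaves a second DROP rule behind that restartlan would then fail to remove.

```sh
#!/bin/sh
# stoplan / restartlan in one script: block or unblock one LAN host's
# access through the gateway. Added example, not the author's scripts.
# Assumptions (not from the page): LAN prefix 192.168.0, the rule lives in
# the FORWARD chain of the filter table, IPTABLES is overridable for testing.
IPTABLES=${IPTABLES:-/sbin/iptables}
LAN_PREFIX=${LAN_PREFIX:-192.168.0}

# Turn a host number (1-254) into its LAN address; anything else is
# rejected so a typo never produces a rule for the wrong address
# (0 and 255 are the network and broadcast addresses).
host_ip() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 254 ] || return 1
  printf '%s.%s\n' "$LAN_PREFIX" "$1"
}

# Remove every copy of the block rule for the address in $1. Deleting in a
# loop makes restartlan safe to run twice and keeps stoplan from stacking
# duplicate DROP rules.
drop_rule_clear() {
  while $IPTABLES -D FORWARD -s "$1" -j DROP 2>/dev/null; do :; done
}

stoplan() {
  ip=$(host_ip "$1") || { echo "usage: stoplan N   (N = 1..254)" >&2; return 2; }
  drop_rule_clear "$ip"
  # Insert at position 1 so the block wins over the ACCEPT rules that
  # startfw appended, including the ESTABLISHED,RELATED one, so sessions
  # that are already open stop as well.
  $IPTABLES -I FORWARD 1 -s "$ip" -j DROP
}

restartlan() {
  ip=$(host_ip "$1") || { echo "usage: restartlan N   (N = 1..254)" >&2; return 2; }
  drop_rule_clear "$ip"
}

# Behave as stoplan or restartlan depending on the name we were invoked by,
# so one file can be installed as /usr/sbin/stoplan with a symlink
# /usr/sbin/restartlan pointing at it.
case "$(basename "$0")" in
  stoplan)    stoplan "$1" ;;
  restartlan) restartlan "$1" ;;
esac
```

Check the result with the iplisting script: after "stoplan 5" the first FORWARD rule is the DROP for 192.168.0.5, and after "restartlan 5" it is gone. The connection-tracking entries survive the block, which is why a host's downloads simply resume when restartlan runs.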
Please help me fix the bugs and problems which you see with these files,
so they are useful. Just send me e-mail at jkl@ccl.net
Thanks
Jan Labanowski, jkl@ccl.net