CCL Home Page
Up Directory CCL home_lan

Installing and configuring Linux Firewall and Masquerading

for home, office and pleasure

by Jan K. Labanowski, jkl@ccl.net


Location: http://www.ccl.net/cca/software/UNIX/netfilter/home_lan

I decided to put a firewall in front of my home computers. I want to use only one IP address from my Internet Provider, and yet make sure that my kids can browse the net when I work. It works great for me. I give here a detailed surmon on how I compiled the kernel, how I installed everything, etc. It is not intended as a bluprint to follow, but rather as an example. You will still have to read other stuff which I reference in the pages below. When you save files, rename them by skipping ".txt" extension.
  • mysetup -- this file contains the log of my installation, configuration, and testing. It is long, but I hope that when you read it, it will "take fear" from doing this, since it is not that difficult, it only takes some time. And if you fail, you will learn from it {:-)} and the next time it will be easier. My advice is: use some PC which you do not care if you loose all of your data on it.


  • config -- this is a file needed to configure your kernel before compilation. Read about it in mysetup, but in short, you copy it to /usr/src/linux-2.4/.config and start from make oldmenu before attempting to make/compile kernel.


  • flushfw -- this is script to stop the running netfilter. It flushes all chaines, restores kernel flags, and removes the iptables modules. Use before you run the starrfw script. Put it /usr/sbin/flushfw since the iptables-jkl expects it there. You need to make it executable by root so change its permissions to 700.

  • startfw -- this is a script which start netfilter. It loads the necessary modules into kernel and then adds up the rules to chains, so the machine runs as a firewall and masquerading host. There is a lot of comments in the script, so read them. You need to save it as /usr/sbin/startfw since this is where the boot-up script iptables-jkl thinks it is. Change its permissions to 700 and ownership to root.


  • iptables-jkl -- this is a script which starts netfilter automatically at boot up. You need to save it as /etc/rc.d/init.d/iptables-jkl and change its permissions to 700 so root can run it.


  • iplisting -- this script lists the iptables and chains currently running in the kernel. Put it as root to /usr/sbin/iplisting and change its permissions to 700.


  • stoplan -- this script cuts the computer on local LAN from accessing the Internet. I do it to my kids when they had too much. Use it as:
    stoplan 5
    to stop a computer which has a LAN address 192.168.0.5. Put it in the /usr/sbin/stoplan or wherever in the path. I am also using crontab to controll the hours when they can access the Internet. My crontab is like:
    # DO NOT EDIT THIS FILE - edit the master and reinstall.
    # (/tmp/crontab.11668 installed on Sun Dec  2 10:28:46 2001)
    # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
    45 18 * * * /usr/sbin/restartlan 4
    47 18 * * * /usr/sbin/restartlan 6
    15 20 * * * /usr/sbin/stoplan 4
    16 20 * * * /usr/sbin/stoplan 6
    50 15 * * * /usr/sbin/restartlan 3
    10 17 * * * /usr/sbin/stoplan 3
    25 20 * * * /usr/sbin/restartlan 3
    10 21 * * * /usr/sbin/stoplan 3
    


  • restartlan -- this script resumes Internet connection for the computer disconnected with stoplan. Look above. Use it as:
    restartlan 5
    to resume connection for the computer which has a LAN address 192.168.0.5 and was stoped with stoplan 5 before. Put it in the /usr/sbin/restartlan or wherever in the PATH.

Please help me fix the bugs and problmes which you see with these files, so they are useful. Just send me e-mail to jkl@ccl.net

Thanks
Jan Labanowski, jkl@ccl.net
Modified: Fri Dec 14 20:17:10 2001 GMT
Page accessed 829 times since Thu Apr 11 22:19:26 2002 GMT