How to Build a RedHat Firewall/Gateway Server

Background

There are many solutions on the market for sharing a single ISP network connection. The following details how to set up an (old) PC to act as your firewall/gateway machine using Linux packaged by Redhat (version 7.3). In addition to providing firewall/gateway services, the server will also provide:

  • Disk/File sharing among the computers behind the firewall using Samba. This lets your networked Windows machines browse the Network Neighborhood and see the firewall's drive(s) as network drive(s).
  • An apache web server - using the file sharing capability, users will be able to edit the web pages locally.
  • A DNS cache-only server
  • A time server - using NTP, the server will be kept on time and users behind the firewall can get their time from it. Microsoft users might wish to use the Dimension 4 freeware: http://www.thinkman.com/dimension4
  • Email server - Once you purchase your own domain, you'll be able to send and receive email.

Savvy readers will note that these instructions, although they have a Redhat slant, are usable on any packaged version of Linux.

How to Use These Instructions

We purposely listed everything on one monster web page so you can print it out and write notes while you do your install and configuration.

Additionally, if you have more than one machine, view this web page on another machine and log in to the firewall/gateway machine from it. You'll then be able to cut and paste from the web page to the firewall/gateway machine.

Satisfied Users

"Works like a charm...the only time my Linux gateway (Dell Latitude notebook) died was when someone vacuuming the corner of my loft unplugged the power adapter. I don't touch my Linux Gateway for months at a time ... it's much more like an appliance in terms of maintenance than another crash-oriented PC."

G Ching, Board Member, Magnolia Road Internet Cooperative

User Requirements

These instructions assume that the gentle reader has some background with either configuring Linux machines or a System Administration bent. Or perhaps just bent!

Hardware Requirements

Linux is extremely efficient. Very little hardware is required to drive the firewall/gateway. The following are the minimum requirements:

  • Pentium II @ 233MHz - although a slower processor will probably be fine.
  • 2G drive - a smaller drive may be used but using a 2G drive provides some extra headroom for web pages and disk-to-disk backups.
  • 64MB of memory - ideally, the more memory the better.
  • Slots for two NICs - wired and/or wireless, it makes no difference:
    • Tower installs - two free PCI slots
    • Laptop installs - two free PCMCIA slots
  • Video card

Additionally, you'll need ethernet cables and NICs. We assume you know what to buy based on whether the install is a laptop or tower install.

Some folks have set up laptops as their firewall/gateway machines. This is a superior solution since the machine has a built-in UPS (its battery) and it's compact.

Installation Prerequisites

The following are installation prerequisites:

  • Install both NICs.
  • In the BIOS, set the time and date.
  • External IP information - from your ISP, you'll need to know whether your external IP will be served via DHCP or is a static IP. If it's a static IP, you'll need the following information:
    • The static IP
    • The IP of the gateway
    • The IPs of the DNS servers - ideally more than two.
    If you use DHCP with PPP, you'll need to ensure that the firewall script is called after you set up your ISP connection.
  • Internal IP information - you should use a non-routable (private) IP address range for your internal network. Examples are 10.0.0.0 through 10.255.255.255, 172.16.0.0 through 172.31.255.255 or 192.168.0.0 through 192.168.255.255. This document uses 10.0.1.x:
    • Internal NIC: 10.0.1.1
    • Netmask: 255.255.255.0
    • Network: 10.0.1.0
    • Broadcast: 10.0.1.255

Installing Linux

The following steps follow the Redhat Installer:

  1. Boot the Linux installer and navigate through the menus until you're asked for the Installation Type.
  2. Installation Type
    • Select Custom
  3. Disk Partitioning Setup
    • Select Have the installer automatically partition for you
  4. Automatic Partitioning
    • Select Remove all partitions on this system
    • Select Review (allows you to see and change the automatic partitioning results)
    • Select Yes to any warnings.
    • When presented the list of partitions for review, delete the /boot partition.
  5. Disk Setup
    • Select Next after making any customizations or accept the setup as-is.
  6. Boot Loader Configuration
    • Select Use GRUB as the boot loader
    • Install Boot Loader record on ... Master Boot Record (MBR)
  7. Boot Loader Password Configuration
    • Select Next unless you wish to enter a password for GRUB first.
  8. Network Configuration
    • Tower installations - select any card to be the internal network.
    • Laptop installations - in my experience, the bottom PCMCIA is eth0 and the top PCMCIA is eth1
    • For the internal NIC:
      • Do not select Configure using DHCP
      • Select Activate on boot
      • Enter IP Address: 10.0.1.1
      • Enter Netmask: 255.255.255.0
      • Enter Network: 10.0.1.0
      • Enter Broadcast: 10.0.1.255
    • For the host information - only valid when your ISP has assigned you a static IP.
      • Enter Hostname: mymachine.mydomain
      • Enter Gateway: ISP assigned gateway IP value
      • Enter Primary DNS: 10.0.1.1
    • For the external NIC:
      • Enter the IP information provided to you by your ISP.
  9. Firewall Configuration
    • Select No firewall since we'll be configuring our own.
  10. Additional Language Support - select any additional languages you may require. For most US installations, no more are required.
  11. Time Zone Selection
    • Select Location tab
      • Select Your geographic area
      • Do not select System clock uses UTC
    • Select UTC Offset tab
      • Select UTC timezone
      • Select Use Daylight Saving Time (US only) - if you're in the US. :)
  12. Account Configuration - create at least one user account and set root's password.
  13. Authentication Configuration
    • Select Enable MD5 passwords
    • Select Enable shadow passwords
  14. Package Group Selection - to save space, we don't install X
    • If you have a laptop, do not select Laptop Support
    • Select Network Support
    • Select Windows File Server
    • Select Anonymous FTP Server
    • Select Web Server - if you plan on having your own web server.
    • Select Router/Firewall
    • Select DNS Name Server
    • Select Network Managed Workstation
    • Optional - Select Emacs
    • Select Utilities
    • Select Select individual packages
  15. Individual Package Selection
    • Select System Environment -> Daemons
      • Select ntp
      • Unselect squid
    • Accept any package dependencies
  16. Assuming all is well, the installer will now install the packages.
  17. Boot Disk Creation - either create one now or after installing the latest patches to your machine.
  18. Done!

Configuration
  • Download and Unpack the Configuration Files

    1. Download the configuration files to /usr/tmp:

      firewall-gw.tar.gz [670K]

    2. Verify the contents of the tar file:

      # md5sum firewall-gw.tar.gz
      7ab4cf948bb12cfe4b189b238e492678 firewall-gw.tar.gz

    3. Unpack the tar file for subsequent use below:

      cd /usr/tmp

      # Unpack the tar file and create the
      # blueoakdb subdirectory
      tar -xvzf firewall-gw.tar.gz

  • Enabling Restricted Daemons

    su -
    cd /etc/xinetd.d

    edit telnet and wu-ftp

    • Change the disable line to

      disable = no

    • Add

      only_from = 10.0.1.0

    • Delete

      nice = 10

    # Restart the daemons
    /etc/init.d/xinetd reload

  • Shutting Down Unnecessary Daemons - As a matter of course, I shut down the following daemons:

    su -
    chkconfig --levels 2345 netfs       off
    chkconfig --levels 2345 ipchains    off
    # Replace 'iptables' with the 'firewall' script
    chkconfig --levels 2345 iptables    off
    chkconfig --levels 2345 portmap     off
    chkconfig --levels 2345 autofs      off
    chkconfig --levels 2345 nfslock     off
    chkconfig --levels 2345 isdn        off
    chkconfig --levels 2345 ip6tables   off
    chkconfig --levels 2345 apmd        off

  • Setting date/time

    su -
    date

    # If the date/time is not correct, set it
    hwclock --set --date='Thu Oct 3 2:44:34 PM MDT 2002'

    # Sync the system's date with the hardware clock
    hwclock --hctosys

  • Setting up the Time Daemon - NTP

    su -
    cd /etc

    # Unpack the NTP tar ball
    tar -xvf /usr/tmp/blueoakdb/ntp.tar

    # Ensure that the daemon starts at bootup
    chkconfig ntpd on

    # Start the daemon
    /etc/init.d/ntpd start

    # Wait for a few minutes and see if your
    # machine synchronizes
    ntptrace
    localhost.localdomain: stratum 2, ...
    time-B.timefreq.bldrdoc.gov: stratum 1, ...

  • Firewall

    1. Tailoring the Script

      /usr/tmp/blueoakdb/firewall

      The firewall script will need to be tailored to your environment. Specifically, the IP addresses of your internal and external NICs need to be configured. If there are any additional requirements in your environment such as port forwarding or exceptions (pinholes) to blocked ports, these can also be done at this time (or later).

      Edit the firewall script changing the following sections based on your needs:

      1. Mandatory - external and internal IP configuration - see the following two sections:

        # Local Area Network configuration.

        # Internet Configuration.

      2. Optional - pinholes - see the following section:

        # Excpetions to the 'block port' list below

      3. Optional - modify list of blocked ports - see the following section:

        # Block ports

      4. Optional - port forwarding - see the following section:

        # Port forwarding
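
      As an added example (not the firewall script shipped in the tar file), the following minimal iptables script shows the four sections described above in working form. It assumes eth0 is the internal NIC on 10.0.1.0/24 and eth1 is the external NIC; the pinhole (port 22) and port-forward (external 8080 to a LAN host 10.0.1.20:80) values are made-up samples. Set IPT=echo to preview the rules it would load without touching the kernel.

```sh
#!/bin/sh
# chkconfig: 2345 08 92
# description: Minimal iptables firewall/gateway (added example, assumed values)
# Local Area Network configuration.
LAN_IF=eth0
LAN_NET=10.0.1.0/24
# Internet Configuration.
EXT_IF=eth1
# Exceptions to the 'block port' list below: TCP ports the Internet may reach
# on this machine (22 = ssh, see the PermitRootLogin note). Sample value.
PINHOLES="22"
# Block ports: anything not explicitly allowed is dropped by the DROP policies.
# Port forwarding, as "ext_port:lan_host:lan_port" (made-up sample).
FORWARDS="8080:10.0.1.20:80"
# Set IPT=echo to preview the rules without loading them into the kernel.
IPT=${IPT:-iptables}

build_rules() {
    # Start clean, then default-deny; later rules open only what is needed.
    $IPT -F; $IPT -t nat -F; $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback and the LAN side may talk to the gateway itself.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    # Replies to connections opened from the inside or by the gateway.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Pinholes: new inbound TCP connections from the Internet, listed ports only.
    for p in $PINHOLES; do
        $IPT -A INPUT -i "$EXT_IF" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    # LAN -> Internet is allowed and masqueraded behind the external address.
    $IPT -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
    # Port forwarding: DNAT on the external NIC plus a matching FORWARD allow.
    for f in $FORWARDS; do
        ext=${f%%:*}; rest=${f#*:}; host=${rest%%:*}; port=${rest#*:}
        $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$ext" -j DNAT --to-destination "$host:$port"
        $IPT -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -p tcp -d "$host" --dport "$port" -m state --state NEW -j ACCEPT
    done
}

case "${1:-}" in
    start) echo 1 > /proc/sys/net/ipv4/ip_forward; build_rules ;;
    stop)  $IPT -F; $IPT -t nat -F; $IPT -P INPUT ACCEPT; $IPT -P FORWARD ACCEPT ;;
    *)     echo "Usage: $0 {start|stop}" ;;
esac
```

      The chkconfig header comment is what lets "chkconfig --add firewall" register the script as described in the installation step.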

    2. ssh consideration

      If you plan on leaving port 22 open, you might want to ensure that root cannot login via ssh:

      su -
      cd /etc/ssh

      edit sshd_config

      PermitRootLogin no
      # Restart the daemon
      /etc/init.d/sshd restart

    3. Installing the Script

      su -
      cd /etc/init.d
      cp /usr/tmp/blueoakdb/firewall .

      # Add the daemon to be started at bootup
      chkconfig --add firewall

      # Ensure that it starts on bootup
      chkconfig firewall on

      # Start the daemon
      /etc/init.d/firewall

  • File Sharing - Samba

    Samba will be used to network share (windows parlance) two directories:

    • www - the location of your web pages.

    • backup - a scratch area where files may be saved and/or shared by all the LAN users.

    1. Tailoring the Configuration File

      /usr/tmp/blueoakdb/smb.conf

      Typically, only two parameters need to be changed to reflect your local LAN:

      1. Set server string to a descriptive name for your firewall machine. This value is displayed on your Windows machines when they browse the Network Neighborhood and view the results as Details.

      2. Set workgroup to your windows workgroup setting. I leave mine as WORKGROUP.

    2. Installing the Configuration File

      su -
      cd /etc/samba
      cp /usr/tmp/blueoakdb/smb.conf .

      # Create the backup directory
      mkdir /home/backup
      chown nobody.nobody /home/backup

      # Ensure that it starts up on bootup
      chkconfig smb on

      # Start the daemon
      /etc/init.d/smb start

  • Web Server

    su -

    # Create web page home directory - maps to
    # smb.conf file
    mkdir /home/httpd

    # Seed the directory with the default apache
    # pages
    cp -rad /var/www/html /home/httpd

    # Set the ownership to apache
    chown -R apache.apache /home/httpd

    # Copy the correct config file:
    #
    # Hint: Redhat 7.x and below uses Apache 1.x
    #       Redhat 9.x and above uses Apache 2.x

    #
    # Apache 1.x:
    cp /usr/tmp/blueoakdb/httpd1.x.conf /etc/httpd/conf/httpd.conf
    # Apache 2.x:
    cp /usr/tmp/blueoakdb/httpd2.x.conf /etc/httpd/conf/httpd.conf

    # Ensure that it starts up on bootup
    chkconfig httpd on

    # Start the daemon
    /etc/init.d/httpd start

  • DNS cache-only Server

    1. Tailoring the Configuration File

      /usr/tmp/blueoakdb/named.conf

      • Replace xx.xx.xx.xx and yy.yy.yy.yy with the DNS values supplied by your ISP. Add as many DNS values as you would like following the syntax in the file.

    2. Installing the Configuration File

      su -

      cp /usr/tmp/blueoakdb/named.conf /etc

      # Ensure that it starts up on bootup
      chkconfig named on

      # Start the daemon
      /etc/init.d/named start

      # Ensure that the following line is in
      # /etc/resolv.conf:
      #
      #    nameserver 10.0.1.1
      #

  • Setting up sendmail

    • To minimize spam, see www.ordb.org

    • Ensure that /etc/mail/access is configured correctly (RELAY your domain) and that make is run to recreate the DBM files.

    • In the /etc/sendmail.cf file, you may have to change the entire string $w.Foo.COM to your domain name (e.g. mydomain.com)

  • Qpopper

    Qpopper is used to pop mail from the server to your local machine(s). Use http://www.rpmfind.net/linux/RPM/ to retrieve the latest version of qpopper and also download dracd. For convenience, the latest versions, as of this writing, of both RPMs are supplied in the tar file:

    dracd-1.10-5.i386.rpm
    qpopper-4.0.1-1.i386.rpm

    Ensure that openssl and glibc are installed and if they're not, download and install them:

    rpm -q openssl glibc

    • Installation and Configuration

      We'll assume that the latest versions of the RPMs are in /usr/tmp/blueoakdb:

      su -
      # Install dracd
      rpm -Uvh /usr/tmp/blueoakdb/dracd*rpm

      # Install qpopper - it will fail on two
      # dependencies:
      #
      # * libcrypto.so
      # * libssl.so
      #
      rpm -Uvh /usr/tmp/blueoakdb/qpopper*rpm

      # Force the install
      rpm -Uvh --nodeps /usr/tmp/blueoakdb/qpopper*rpm

      # Symlink the failed dependencies - note that
      # we're linking to .so.2 but this could
      # have been .3, .4, etc. Find the latest library
      # on your machine.
      cd /lib
      ln -s libssl.so.2 libssl.so.0
      ln -s libcrypto.so.2 libcrypto.so.0

      cd /etc/xinetd.d
      Edit pop3 and add the following lines:

      port = 110
      only_from = 10.0.1.0
      log_on_failure += USERID
      log_on_failure += ATTEMPT
      log_on_failure += RECORD

      # Switch on supporting daemons
      chkconfig portmap on
      chkconfig dracd on

      # Set access permission on portmap
      Edit /etc/hosts.allow and add the following line:
      portmap: localhost
      Edit /etc/hosts.deny and add the following line:
      portmap: ALL

      # Start the daemons
      /etc/init.d/portmap start
      /etc/init.d/dracd start

      # Kick xinetd to reload pop changes
      /etc/init.d/xinetd reload

After Installing and Configuring

The firewall machine requires periodic maintenance. As it is, Linux itself doesn't require daily or weekly reboots. Let it run. We've had busy server machines run for months on end without reboots.

You do need to ensure that critical updates are applied. Below are the minimal steps you'll need in order to maintain your machine.

  1. Create a free Redhat account for software update notifications.
  2. Upload your firewall's configuration to the new account:

    su -
    rhn_register --nox

  3. Configure up2date to not skip kernel packages:

    su -
    up2date --configure

    Clear out the setting for pkgSkipList

  4. First time installations should check for any updated packages:

    su -
    up2date --nox -u

Comments

Please email us your comments.

USA, © 2003 - 2005 Blueoak Database Engineering, LLC. All Rights Reserved. 
Canada, © 2003 - 2005 Blueoak Database Engineering, Inc. All Rights Reserved.