Grabber Softwares : Enhance Your Computing

Linux As Your Internet Gateway

Installing a secure gateway for your network to access the Internet

Apart from all the conventional tasks of delivering mail, hosting Web pages, and serving as a file and print server for your LAN, Linux makes an ideal gateway for connecting your network to the Internet.

If you have a single dial-up connection that you wish to share between several users, you can set up a single Linux server to perform IP Masquerading. IP Masquerading fools a remote host on the Internet (say a Web server your client machines are trying to connect to) into believing it is talking to only a single machine, the publicly accessible server that has a direct link to the Internet.

The concept is simple. All clients on the internal LAN, which have no direct link to the Internet, are configured to use the Linux server as their gateway. In Win 95 this is as simple as going into the network properties of the network adapter, and entering the IP address of the gateway machine. If your server is additionally configured for DHCP, then the gateway address is automatically updated.

When a client makes a request to a host which is not on the local network, the gateway, based on a strict set of rules, passes it on to the outside, in this case, the Internet. As each TCP/IP packet arrives from the client, the server replaces the client's IP address with its own external (Internet) address, and replaces the source port number with a random unused value. The packet is then passed on to the remote host, which replies based on the changed IP address and port number. Reply packets arriving back at the gateway are matched by that port number, rewritten with the client's IP address, and forwarded to the client.

To the clients, this process is completely transparent, and makes it appear as if they are directly connected to the Internet.

Your kernel needs to be configured to support IP masquerading, IP forwarding and Network Firewalls. Red Hat Linux uses a modular kernel which allows you to enable these features without having to recompile. Support for IP masquerading and firewalling is already built into the default kernel.

To enable IP forwarding, you will have to edit the file /etc/sysconfig/network.

Change the line that says:

FORWARD_IPV4=no

to (quite obviously):

FORWARD_IPV4=yes

You can also enable this using the network configuration tool. (Try netcfg & in X)

Certain programs, such as CuSeeME, the Quake clients and some others, require special modules to be loaded at boot time to work correctly. You can edit the file /etc/rc.d/rc.fw to add support for any specific software you need. The pcqupdt script by default installs support for various packages, such as RealAudio and IRC.

To add additional support as modules become available, copy the module into the /lib/modules/2.0.3X/ipv4/ directory, and add the line

/sbin/modprobe modulename.o

to the /etc/rc.d/rc.fw file.

Allowing your internal network to access the Internet also sets up a security hole. To ensure that remote machines cannot gain access to your network via the gateway, you need to set up a firewall. The pcqupdt script automatically installs a basic firewall using the ipfwadm package.

The script is run at boot time from the rc.fw file to set up a default set of rules for both incoming and outgoing packets.

We start by flushing all existing forwarding rules (-F):

/sbin/ipfwadm -F -f

Then we set up a default policy of deny:

/sbin/ipfwadm -F -p deny

The last line requires a bit more explanation.

/sbin/ipfwadm -F -a accept -m -S 192.168.1.0/24 -D 0.0.0.0/0

This appends (-a) a forwarding rule (-F) with the policy accept for the source network (-S) 192.168.1.0 to the destination (-D) 0.0.0.0 (any address). The -m parameter turns on masquerading, so that all matching packets appear to originate from the gateway. The number after the slash (X in the table below), in this case 24, is the length of the netmask, determined by the network class.

Netmask            X    Class
255.0.0.0          8    Class A
255.255.0.0        16   Class B
255.255.255.0      24   Class C
255.255.255.255    32   Point-to-Point

If you wish to allow only a certain machine (in this case 192.168.1.123) access to the Internet, you could instead add the rule:

/sbin/ipfwadm -F -a m -S 192.168.1.123/32 -D 0.0.0.0/0
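As an added example (not code from the original article), the following POSIX shell script derives the /X value from any contiguous dotted-quad netmask, which generalises the netmask table above beyond the three classes, and assembles the three rc.fw rules for a given LAN. The helper names mask_to_prefix and masq_rules are hypothetical; the script only prints the rules, it does not run ipfwadm.

```shell
#!/bin/sh
# Added example: turn a dotted netmask into the /X prefix length that the
# ipfwadm rules expect, then emit the rc.fw rule set for one LAN.
# Helper names are hypothetical and not part of ipfwadm or the article.

# Count the set bits of a contiguous netmask, e.g. 255.255.255.0 -> 24.
# Returns non-zero (and prints nothing) for a non-contiguous mask such as
# 255.0.255.0, since ipfwadm cannot express such a mask as /X.
mask_to_prefix() {
    prefix=0 seen_zero=0
    oldifs=$IFS; IFS=.
    set -- $1              # split the dotted quad into four octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            255) [ "$seen_zero" -eq 0 ] || return 1; prefix=$((prefix + 8)) ;;
            0)   seen_zero=1 ;;
            254|252|248|240|224|192|128)
                # only one partial octet is allowed, and none after a zero
                [ "$seen_zero" -eq 0 ] || return 1
                bits=$octet
                while [ "$bits" -ne 0 ]; do
                    prefix=$((prefix + (bits & 1)))
                    bits=$((bits >> 1))
                done
                seen_zero=1 ;;
            *)   return 1 ;;
        esac
    done
    echo "$prefix"
}

# Emit the rc.fw rules for one LAN (network address plus dotted netmask), in
# the same order the article uses: flush, default deny, masqueraded accept.
masq_rules() {
    lan=$1 mask=$2
    prefix=$(mask_to_prefix "$mask") || { echo "bad netmask: $mask" >&2; return 1; }
    printf '%s\n' \
        "/sbin/ipfwadm -F -f" \
        "/sbin/ipfwadm -F -p deny" \
        "/sbin/ipfwadm -F -a accept -m -S $lan/$prefix -D 0.0.0.0/0"
}

# Constructed sample input: the article's Class C LAN.
masq_rules 192.168.1.0 255.255.255.0
```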

You can set up further rules to block access to certain sites, log traffic, and so on. The following rule rejects traffic attempting to go to the site 207.9.12.47 and, with -o, logs the matching packets to the kernel log:

ipfwadm -I -a reject -S 192.168.1.0/24 -D 207.9.12.47/32 -o

Different levels of security are implemented by firewalls and proxies. A well configured firewall is secure enough for most common environments where traffic control is the main concern.