Lesson 12
Router/Gateway with Redhat 9.0
by Art Ross
art.ross@toast.net
Introduction:
This mini HOWTO presents the methods I used to set up a Linux box as a
router between a private home network (192.168.1.0/255.255.255.0) and an
ISP that assigns a dynamic IP address at the time a dialup connection is
established. My home network contains client machines
running several varieties of Windows and Linux. I've tried to
provide explanations for the setup of all my client machines.
I'm assuming
- a ppp0 interface has been created for a Linux-compatible 56K modem
and successfully configured for a connection to your ISP. At some
point in this setup, the type of connection you have, static or dynamic,
will require slightly different steps. These differences can be
found in scripts obtained through links in the IP Masquerading HOWTO.
- an eth0 interface has been configured for the 192.168.1.0/24 network.
- at this point, if you execute the 'route' command you'll observe a
routing table showing the ppp0, eth0 and lo interfaces
established. There will be nothing referring to a gateway.
Reference the Hardware HOWTO
to address general hardware compatibility issues.
If you're struggling with your modem, some handy references are
Next Steps:
A ppp0 and eth0 interface have been configured. We will now
build our router/gateway from this point.
- Let's set up the gateway. Go to Main Menu --> System
Settings --> Network. Highlight the ppp0 interface line in the
bottom of the window that opens. Click on the 'Deactivate' button
at the top.
- While the ppp0 interface is highlighted, click on the 'Edit' button
at the top of the window. Another window will open pertaining to
the ppp0 interface definition.
- At the top of this new window are several tabs. Click on
the 'Advanced' tab. This is where it happens. Notice a
line near the top that says something like "Make this
connection the default gateway". All you need to do is check
the box to the immediate left of this line.
- Click OK at the bottom of the window. This will return you
to the window having the ppp0 line highlighted. Click the
'Activate' button. Once the interface is activated, click 'File'
at the top of this window and select 'Save'. Then select 'File'
again and this time select 'Quit'.
- Now, as the superuser, execute the 'route -n' command from a shell
prompt. See the default gateway for the ppp0 interface? It
should be the last line of the routing table: destination 0.0.0.0
(shown as 'default' when you run plain 'route'), flags UG, interface ppp0.
If that line is missing, nothing from the private network will ever leave
the box, so don't go on until it appears.
Now we need to turn to a new level of configuration. Let's begin
by adding the line FORWARD_IPV4=yes to the /etc/sysconfig/network file and
making the following change to the /etc/sysctl.conf file: change the line
"net.ipv4.ip_forward = 0" to "net.ipv4.ip_forward = 1". To apply the
sysctl change without a reboot run 'sysctl -p'; afterwards
'cat /proc/sys/net/ipv4/ip_forward' should print 1. Without forwarding
enabled the kernel will never pass packets between eth0 and ppp0,
whatever the firewall rules say. Our next
steps will require us to acquire a couple of files. They can be
found by referring to the IP-Masquerading-HOWTO.
In chapter 3 section 4 there is a link to the files we need.
It's the firewall examples
directory. I've included it in this document to expedite
finding it. There are three files we'll need for the 2.4.x kernel
included in Redhat 9.0. They are firewall-2.4, rc.firewall-2.4 and
rc.firewall-2.4-stronger. By following the excellent
instructions of section 3.4.1 and those contained in the files, you'll be
able to set up your Redhat 9.0 firewall. The first approach uses
rc.firewall-2.4 coupled with firewall-2.4. This is a great way to
learn the process and identify any problems your system might have
before tackling the more robust firewall supported by
rc.firewall-2.4-stronger. The second method uses the
rc.firewall-2.4-stronger file, some modifications to the
/etc/ppp/ip-up file and the creation of a /etc/ppp/ip-up.local file.
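As an added example (not part of this lesson or of the IP Masquerading HOWTO), here is the forwarding step above as a small shell script: it sets net.ipv4.ip_forward in a sysctl.conf-style file without duplicating the key if the line is already there, and it checks the kernel's live value from /proc. The file and /proc paths are parameters so the functions can be tried against scratch copies before touching /etc; the default paths are the Red Hat 9 ones.

```shell
#!/bin/sh
# Added example: enable IPv4 forwarding persistently and verify it.
# Not from the lesson. Paths default to the Red Hat 9 locations but
# are parameters so the functions can be exercised on scratch copies.

# Set (or append) KEY = VALUE in a sysctl.conf-style file, idempotently:
# an existing "KEY = anything" line is rewritten in place, otherwise a
# new line is appended.
# usage: set_sysctl_conf FILE KEY VALUE
set_sysctl_conf() {
    file=$1; key=$2; value=$3
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$file" 2>/dev/null; then
        sed -i "s|^[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Return 0 if FILE sets KEY to exactly VALUE, 1 otherwise.
# usage: sysctl_conf_has FILE KEY VALUE
sysctl_conf_has() {
    grep -q "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*$" "$1"
}

# Report whether the running kernel forwards right now.
# Returns 0 when forwarding is on, 1 when off, 2 if the /proc file
# cannot be read (e.g. not running on Linux, or not root).
forwarding_enabled() {
    procfile=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$procfile" ] || return 2
    [ "$(cat "$procfile")" = 1 ]
}

# On a live Red Hat 9 box, as root:
#   set_sysctl_conf /etc/sysctl.conf net.ipv4.ip_forward 1
#   sysctl -p                         # reload /etc/sysctl.conf
#   forwarding_enabled && echo "forwarding is on"
```

The rewrite-in-place branch matters because /etc/sysctl.conf on Red Hat 9 already carries "net.ipv4.ip_forward = 0"; blindly appending a second line would leave two conflicting entries, and which one wins depends on order.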
Simple firewall, but not really secure
Let me provide some more detail to assist the reader with the two
processes. Let's start with the simple firewall, which has some
vulnerabilities. The first file you'll need is my version of the
rc.firewall-2.4 ruleset for the 2.4.x kernels; it must be saved as /etc/rc.d/rc.firewall-2.4. Make this
file executable by typing 'chmod 700 /etc/rc.d/rc.firewall-2.4'.
Now that the firewall ruleset is ready, you need to let it run after
every reboot. You could either do this by running it by hand
every time (such a pain) or add it to the boot scripts. I'm
covering the two methods below.
There are two ways to automatically load things in Redhat: 1)
/etc/rc.d/rc.local or 2) an init script in /etc/rc.d/init.d. The
first method is the easiest. All you have to do is add these lines:
echo "Loading the rc.firewall ruleset.."
/etc/rc.d/rc.firewall-2.4
to the end of the /etc/rc.d/rc.local file and that's it (as described
earlier in the HOWTO).
The problem with this approach is that the firewall isn't executed
until the last stages of booting, after the interfaces are already up.
The preferred approach is to
have the firewall loaded just after the networking subsystem is loaded.
To do this, copy the firewall-2.4 file
into the /etc/rc.d/init.d directory and make it executable with the command:
chmod 755 /etc/rc.d/init.d/firewall-2.4
With this script in place, run the command:
chkconfig --level=345 firewall-2.4 on
This command makes the firewall-2.4 script get executed for runlevels 3,
4, and 5 at boot time. chkconfig takes the start and stop priorities from
the '# chkconfig:' comment header in the script, so keep that header intact
when you copy the file.
Keep in mind this process is very complex and could be confusing at
times. That's why I've provided the three script files to help the
novice. To activate these changes, restart the network script
using the command '/etc/rc.d/init.d/network restart' and start the new
init script with '/etc/rc.d/init.d/firewall-2.4 start'. Confirm the rules
actually loaded with 'iptables -L -n' and 'iptables -t nat -L -n'; an
empty FORWARD chain or an empty POSTROUTING chain means the script did
not run.
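To make the "simple firewall" concrete, here is an added example of a minimal masquerading ruleset written in the style of the HOWTO's rc.firewall scripts (an IPTABLES variable, EXTIF/INTIF/INTNET settings) for exactly this lesson's topology: ppp0 outside, eth0 inside, 192.168.1.0/24. It is my own example, not the HOWTO's rc.firewall-2.4 file and not the author's version of it. Running it with 'start' loads the rules; running it with 'dry-run' (or setting IPTABLES=echo) prints the iptables commands instead of executing them, which is a convenient way to review a ruleset before loading it on the router.

```shell
#!/bin/sh
# Added example: a minimal masquerading ruleset for the lesson's topology
# (ppp0 external, eth0 internal, 192.168.1.0/24). Not the HOWTO's file.
# Set IPTABLES=echo (or pass 'dry-run') to print the commands instead of
# running them.

IPTABLES=${IPTABLES:-/sbin/iptables}
EXTIF=${EXTIF:-ppp0}
INTIF=${INTIF:-eth0}
INTNET=${INTNET:-192.168.1.0/24}

load_ruleset() {
    # Start from a clean slate in the filter and nat tables.
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -F INPUT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F OUTPUT
    $IPTABLES -P FORWARD DROP          # default-deny for routed traffic
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F

    # Packets arriving from the ISP side with a private source address are
    # spoofed or leaked; drop them before they reach the router or the LAN.
    $IPTABLES -A INPUT   -i $EXTIF -s $INTNET -j DROP
    $IPTABLES -A FORWARD -i $EXTIF -s $INTNET -j DROP

    # LAN -> Internet: forward anything that really comes from the LAN.
    $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTNET -j ACCEPT
    # Internet -> LAN: only replies to connections the LAN started.
    $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Log what is about to hit the DROP policy, so surprises are visible.
    $IPTABLES -A FORWARD -j LOG --log-prefix "FORWARD-DROP: "

    # MASQUERADE rather than SNAT: the ppp0 address changes on every dial-up,
    # and MASQUERADE picks up the interface's current address automatically.
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $INTNET -j MASQUERADE
}

# Count the rules the ruleset appends to a chain (used for dry-run review).
# usage: count_rules_for CHAIN
count_rules_for() {
    (IPTABLES=echo; load_ruleset) | grep -c -- "-A $1 "
}

case "${1:-}" in
    start)   load_ruleset ;;
    dry-run) (IPTABLES=echo; load_ruleset) ;;
esac
```

Note what this example does not do, which is the same gap the lesson's heading warns about: the INPUT chain is left at ACCEPT, so any service listening on the router itself is reachable from the ISP side. That is the kind of exposure rc.firewall-2.4-stronger closes, and it is why the simple ruleset is only a stepping stone.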
More secure firewall approach
In this approach the simple firewall must be eliminated. This is
accomplished by deleting the /etc/rc.d/rc.firewall-2.4 and
/etc/rc.d/init.d/firewall-2.4 scripts from your system; run
'chkconfig --del firewall-2.4' first so no stale rc.d links are left
pointing at the removed init script. Why would
we want to take this type of action? Well, the simple firewall
approach doesn't become active immediately after the ppp0 interface is
activated. This leaves your system vulnerable to an intrusion for
a brief period. In an extremely hostile environment this cannot be
permitted. This is why one needs to incorporate a stronger
firewall using rc.firewall-2.4-stronger. Let's get started.
First, make sure the FORWARD_IPV4=yes line added earlier exists in the
/etc/sysconfig/network file. Second, you'll need to download the
rc.firewall-2.4-stronger script from the firewall example
directory or use my example rc.firewall-2.4-stronger.
I saved the file as /etc/rc.d/rc.firewall. I'd like to
identify the changes I made to the rc.firewall-2.4-stronger script to
assist you in formulating your own. The changes I made are:
- IPTABLES=/sbin/iptables was uncommented
- IPTABLES=/usr/local/sbin/iptables was commented out
- EXTIF="ppp0" for my external interface
- INTIF="eth0" for my internal interface
- INTIP="192.168.1.2/24" for my internal interface IP address.
The network line appears just above this line. You may have
to change both of these lines for your internal network and interface
IP. One caveat: a /24 mask on INTIP makes any rule written against it
match the whole 192.168.1.0/24 network, not just the router's own
address, so if a rule is meant to apply only to the router's internal
address give INTIP a /32 mask. My internal network doesn't use DHCP. If yours does, then
you'll have to review the appropriate changes to meet these different
requirements.
- Since my external interface has a dynamic IP assigned through
ppp0, some additional changes are necessary. I basically
followed the instructions in the rc.firewall-2.4-stronger script file.
For your reference, I've included the approach I used. If
you aren't already aware, the /etc/ppp/ip-up script is always run when a
PPP connection comes up. Because of this, we can make the ruleset
go and get the new PPP IP address and update the strong firewall
ruleset. If the /etc/ppp/ip-up file already exists, you should
edit it and add a line containing "/etc/rc.d/rc.firewall" near the end
of the file. When I examined my /etc/ppp/ip-up
script file, there was a recommendation not to modify this file.
Instead, the instructions directed me to put the
/etc/rc.d/rc.firewall line in a /etc/ppp/ip-up.local
script file that is called by the /etc/ppp/ip-up script.
I've included links to my files as examples for the reader.
One last item to complete this procedure: the
/etc/ppp/ip-up.local file needs to be made executable. I
accomplished this with the command 'chmod
755 /etc/ppp/ip-up.local'.
- To activate these changes, restart the network with the command
/etc/rc.d/init.d/network restart. The next time ppp0 comes up,
'iptables -L -n' should show the stronger ruleset, and
/var/log/messages should show the ip-up run.
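The hook described above, as an added example (my own, not the author's ip-up.local or the HOWTO's script): an /etc/ppp/ip-up.local that only reacts when the link coming up is the external interface, and the address-discovery step that a dynamic-IP ruleset performs, pulling the current ppp0 address out of ifconfig output. pppd runs /etc/ppp/ip-up with the arguments interface, tty, speed, local IP, remote IP and ipparam, and Red Hat's ip-up passes the same arguments on to ip-up.local; everything else here (the EXTIF and FIREWALL settings, the function names) is this example's own.

```shell
#!/bin/sh
# Added example: an /etc/ppp/ip-up.local hook plus the address-discovery
# step a dynamic-IP ruleset needs. Not the lesson's own files.
# pppd calls ip-up as:  ip-up IFACE TTY SPEED LOCAL-IP REMOTE-IP IPPARAM
# and Red Hat's ip-up hands the same arguments to /etc/ppp/ip-up.local.

EXTIF=${EXTIF:-ppp0}
FIREWALL=${FIREWALL:-/etc/rc.d/rc.firewall}   # where the lesson saved the stronger ruleset

# Pull the IPv4 address out of 2.4-era `ifconfig IFACE` output (the
# "inet addr:" format). Reads stdin so a saved capture can be fed in;
# on the router you would run:  ifconfig "$EXTIF" | extip_from_ifconfig
extip_from_ifconfig() {
    sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p' | head -n 1
}

# Decide whether a PPP link coming up should trigger a firewall reload.
# usage: on_ppp_up IFACE TTY SPEED LOCALIP REMOTEIP [IPPARAM]
# Returns 0 and prints the script to run when IFACE is the external
# interface; returns 1 (and does nothing) for any other PPP link, so a
# second modem or a VPN ppp1 does not keep reloading the ruleset.
on_ppp_up() {
    iface=$1; localip=$4
    [ "$iface" = "$EXTIF" ] || return 1
    logger -t ip-up.local "$iface up with $localip, reloading $FIREWALL" 2>/dev/null || true
    printf '%s\n' "$FIREWALL"
}

# When installed as /etc/ppp/ip-up.local (chmod 755), act on the
# arguments pppd passes. With no arguments (sourcing it, or running it
# by hand for a look) it does nothing.
if [ $# -ge 5 ]; then
    cmd=$(on_ppp_up "$@") && exec "$cmd"
fi
```

Two practical notes. pppd runs ip-up with a minimal environment, so everything the hook touches (the firewall script, and the iptables and ifconfig binaries inside it) should be referenced by absolute path. And because the hook is the only thing standing between the link coming up and the rules being in place, test it by hand once with the five arguments pppd would pass, rather than finding out on the first real dial-up that a typo left the ruleset unloaded.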
There we have a working firewall that starts as soon as the ppp0
interface is assigned an IP. How about that?