11.3. Configuring a Linux Gateway

One popular use for Linux is as a gateway between networks. The software associated with the gateway is fairly simple. In fact, it can be loaded from permanent media, such as a CD. That technique prevents crackers from breaking into the gateway and thus breaking the security barrier, or firewall, commonly configured between networks. Configuring a Linux gateway normally requires three basic administrative steps:

The only thing you absolutely need to do is configure IP forwarding. It is disabled by default. For this annoyance, I assume you're configuring a computer with two network cards, each connected to a different network. There are many excellent firewall configuration tools, but this annoyance shows you how to configure the system by hand. If you use the tools, you'll overwrite the configuration files that you may create as you work through this annoyance.

11.3.1. IP Forwarding

Linux normally disables IP forwarding between network cards, and it is disabled in the default configurations of our preferred distributions. The way you activate IP forwarding depends on whether you've configured an IPv4 or IPv6 network. Here, I assume that your system supports the /proc filesystem with kernel settings, along with the sysctl program to access kernel switches. Your system meets these requirements if you have a /proc directory and an /etc/sysctl.conf file. If there are problems, you'll want to make sure the appropriate settings are active in your kernel. Specifically, you should see the following settings in the active config-* file in the /boot directory:

    CONFIG_PROC_FS=y
    CONFIG_SYSCTL=y

If these settings don't reflect what you need, you can't just edit this configuration file. In that case, you'll need to recompile the kernel, as described in the "Recompiling the Kernel" annoyance in Chapter 7.

11.3.1.1. Forwarding on an IPv4 network

To activate forwarding on an IPv4 network, you'll need to toggle the ip_forward setting in the appropriate kernel configuration directory. The simplest way to do so is with the following command:

    echo "1" > /proc/sys/net/ipv4/ip_forward

To make sure forwarding is turned on the next time you boot your computer, open /etc/sysctl.conf and add the following directive:

    net.ipv4.ip_forward = 1

11.3.1.2. Forwarding on an IPv6 network

To activate forwarding on an IPv6 network, you'll need to toggle the forwarding setting in the appropriate kernel configuration directory. The simplest way to do so is with the following command:

    echo "1" > /proc/sys/net/ipv6/conf/all/forwarding

To make sure forwarding is turned on the next time you boot your computer, open /etc/sysctl.conf and add the following directive:

    net.ipv6.conf.all.forwarding = 1

This assumes you've installed all other components required to configure an IPv6 network. For more information, see the related HOWTO written by Peter Bieringer at http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/.

11.3.2. IP Masquerading

When you have one IP address on the Internet for your network, you need a way to share it with all the computers on your network. The standard way is IP masquerading. Once configured, your gateway substitutes the IP address of the network interface card it uses to reach the Internet for the address of any computer on your network that requests data from the Internet. Naturally, IP masquerading assumes you've activated IP forwarding, as I described in the previous section.

The current standard for configuring IP address translation on a gateway is iptables, the same command used to erect firewalls. Here you use it to alter network packets with Network Address Translation, specifically with the iptables -t nat command. As an example, if your Internet connection uses a device named wlan0 and your LAN uses IP addresses on the 10.11.12.0/16 private network, the command you need is:

    iptables -t nat -A POSTROUTING -s 10.11.12.0/16 -o wlan0 -j MASQUERADE

As described earlier, this command uses Network Address Translation. It appends (-A) the rule to the end of the POSTROUTING chain of the nat table, so it modifies packets as they leave the gateway. It specifies (-s) the source IP addresses to be those from your LAN (10.11.12.0/16), and it points to wlan0 as the output interface (-o). For every packet that matches these criteria, the computer on your LAN that sent it appears on the external network (MASQUERADE) with the IP address assigned to wlan0.

To save this command, you'll need to run iptables-save and send the result to a file with a command such as:

    iptables-save >> firewall

You could save the iptables commands to the standard configuration file for the distribution, but that would risk conflicts with settings written by tools such as Red Hat's Firewall Configuration tool. If you want to make these commands part of your firewall, you'll have to modify those files manually.

11.3.3. Firewalls

Detailed instructions on creating a firewall are beyond the scope of this book. However, the gateway between networks is the best place to create a firewall, so I'll mention some of the considerations for doing so.

Both Red Hat/Fedora and SUSE Linux have their own firewall configuration tools. These tools are excellent and can be used to create a fairly simple firewall. You can build upon the firewall created by these tools as needed. You can start the standard Red Hat/Fedora Firewall Configuration tool with the system-config-securitylevel command. Results are saved to /etc/sysconfig/iptables. You can open the SUSE firewall tool in YaST. Results are saved to /etc/sysconfig/SUSEfirewall2.

There is no standard firewall tool available for Debian. However, there are a substantial number of available options, including several excellent GUI tools. In addition, a number of third-party firewall generators are available online. As is standard with open source software, neither I nor O'Reilly endorses any of these systems (or anything else in the book). For more information, see the related annoyance "My Firewall Blocks My Internet Access," in Chapter 8.
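The IP forwarding and IP masquerading steps from the sections above, collected into a script; this is an added example, not code from the book. File paths are parameters, so the sysctl.conf persistence, the kernel-switch check and the saved-rule check can be tried against scratch files before touching a live gateway, and only gateway_apply (a hypothetical name) runs the real commands as root. One caveat the book's 10.11.12.0/16 example hides: iptables stores the masked network, so iptables-save writes that match as 10.11.0.0/16, which is the form the check below looks for.

```shell
#!/bin/sh
# Added example (not from the book). Paths are parameters so that everything
# except gateway_apply can be exercised unprivileged against scratch files.

# set_sysctl_line FILE KEY VALUE: make FILE contain exactly one "KEY = VALUE",
# replacing an existing (possibly commented-out) line for KEY instead of
# appending a duplicate that would silently fight with it at boot.
set_sysctl_line() {
    file=$1 key=$2 value=$3
    esc=$(printf '%s' "$key" | sed 's/[.]/\\./g')      # dots are regex metachars
    [ -f "$file" ] || : > "$file"
    if grep -Eq "^[#[:space:]]*${esc}[[:space:]]*=" "$file"; then
        sed -E "s|^[#[:space:]]*${esc}[[:space:]]*=.*|${key} = ${value}|" "$file" \
            > "$file.tmp" && mv "$file.tmp" "$file"    # portable: no GNU sed -i
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# forwarding_enabled PROCFILE: true when the kernel switch (e.g.
# /proc/sys/net/ipv4/ip_forward) currently reads 1
forwarding_enabled() { [ "$(cat "$1" 2>/dev/null)" = 1 ]; }

# network_of CIDR: 10.11.12.0/16 -> 10.11.0.0/16. iptables masks the address
# it is given, so this aligned form is what iptables-save actually writes out.
network_of() {
    ip=${1%/*} bits=${1#*/}
    a=${ip%%.*}; r=${ip#*.}; b=${r%%.*}; r=${r#*.}; c=${r%%.*}; d=${r#*.}
    n=$(( (a << 24) | (b << 16) | (c << 8) | d ))
    if [ "$bits" -eq 0 ]; then mask=0; else mask=$(( (4294967295 << (32 - bits)) & 4294967295 )); fi
    n=$(( n & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (n >> 24) & 255 )) $(( (n >> 16) & 255 )) $(( (n >> 8) & 255 )) $(( n & 255 )) "$bits"
}

# masquerade_saved RULESFILE LAN IFACE: confirm the rule survived iptables-save
masquerade_saved() {
    grep -Fq -e "-A POSTROUTING -s $(network_of "$2") -o $3 -j MASQUERADE" "$1"
}

# gateway_apply LAN IFACE: the live steps from this section (root only).
# iptables -C tests for the rule first so re-running does not stack duplicates.
gateway_apply() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    set_sysctl_line /etc/sysctl.conf net.ipv4.ip_forward 1
    iptables -t nat -C POSTROUTING -s "$1" -o "$2" -j MASQUERADE 2>/dev/null ||
        iptables -t nat -A POSTROUTING -s "$1" -o "$2" -j MASQUERADE
}

# Constructed iptables-save output, as "iptables-save >> firewall" would leave it
SAMPLE_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.11.0.0/16 -o wlan0 -j MASQUERADE
COMMIT'
```

Run gateway_apply 10.11.12.0/16 wlan0 from a root shell that has sourced the script; the other functions never need root.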