Linux Internet Sharing and Firewall How-To

This How-to covers the setup and configuration of a Linux 'server' that provides internet sharing and a stealth firewall to one or more other computers, regardless of their OS, using a 2.2.x kernel with the IP masquerading (ipmasq) modules. The masquerading and firewall tools used here (ipchains, PMFirewall) belong to the 2.2 kernel series; 2.4 and later kernels replaced ipchains with netfilter/iptables, so the ideas carry over but the commands do not. My personal preference for setting up the firewall requires downloading a program called 'PMFirewall', which is available for free on the web; everyone I know who has tried it agrees that it is the best firewall for Linux (far easier, faster, and probably better than one we could write ourselves). I will also assume that you have a computer set up with Linux that has a working internet connection. I will use a DHCP cable modem as the example, but most DSL and dial-up connections should work fine as long as you substitute the right device (modem/NIC) and protocol (PPP, PPPoE, etc.). Proprietary cable modems that don't work with this exact setup can usually be configured with the information in the Linuxdoc Cable-Modem HOWTO. So let's get on with the fun!

***********Configuring the Linux (Server) Computer***********
Ok, first step: start your internet connection and browse around a couple of sites. If you can't do this, fix the internet connection before going on.....this won't work if your internet doesn't! Next, turn off your computer and install a network card for your own private LAN. Before you buy one, check the hardware compatibility list, and better yet a newsgroup for your particular distro, so you can install a NIC that won't be a pain to get working (I prefer ne2k-pci's myself). Once the NIC (network card) is installed, restart the computer. Log in as 'root' and open a console box. Let's see if the card was autoconfigured: type 'ifconfig' and press enter. If you're using a modem for the internet, the LAN NIC will be labeled 'eth0'; if you are using a NIC for the internet, the LAN NIC should be labeled 'eth1'. If the proper 'eth' showed up, it should be set up right; if it did not show up, you will need to use the proper program to load the module (driver) for the card. These programs vary from distro to distro; a couple are 'linuxconf', 'modconf', or simply "insmod <your module>". To have the driver load at every boot, also add it to your distro's module list (for example /etc/modules on Debian-based systems such as Corel, or an 'alias eth1 ne2k-pci' line in /etc/conf.modules on Red Hat). Run 'ifconfig' again to see if the NIC has been set up. If you're still having problems, a newsgroup for your distro will probably be helpful in getting the NIC to work.
Now it is time to enter your LAN's IP address. In Corel, you should be able to do this in 'ControlCenter/Network/TCP/IP' by selecting your LAN NIC. In Red Hat and Mandrake, you should be able to do this from 'linuxconf' under your NIC's adapter setup. There are several different private address ranges you can use; what I am using for this How-To is just a commonly used example.
ip address 192.168.0.1
netmask 255.255.255.0
network 192.168.0.0 (if the tool asks for it)
broadcast 192.168.0.255 (if the tool asks for it)
gateway: leave this blank on the LAN card. The server's default route is its internet connection, and 192.168.0.0 is the network address of the LAN, not a usable gateway; entering it here will break your routing.
This setup uses static IPs on your private LAN, which is easier to set up and maintain on a small LAN. Restart your computer (or just the network service) to apply the IP configuration to the card. Once again, open a console box and enter 'ifconfig'. Pick your LAN NIC from the list and check that the IP configuration is correct, then run 'route -n' and confirm that the default route still points at your internet interface, not at the LAN card.
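The network and broadcast values above are derived from the address and netmask, which is why 192.168.0.0 can never be a gateway: it is the network address itself. As an added example (not part of the original How-To), here is a small POSIX sh script that computes both from any address/mask pair and prints the ifconfig line that brings the LAN card up. The interface name eth1 and the 192.168.0.1/255.255.255.0 values are assumptions taken from the How-To's example; substitute your own.

```shell
#!/bin/sh
# Added example, not from the How-To: compute network/broadcast for a LAN
# interface and emit the ifconfig command that brings it up.
# Assumed names: eth1 = LAN NIC, 192.168.0.1 / 255.255.255.0 as in the How-To.

ip2int() {   # dotted quad -> 32-bit integer
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

int2ip() {   # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# net_calc IP MASK -> "NETWORK BROADCAST"
net_calc() {
    ip=$(ip2int "$1"); mask=$(ip2int "$2")
    net=$(( ip & mask ))                       # host bits cleared
    bcast=$(( net | (4294967295 - mask) ))     # host bits set
    echo "$(int2ip "$net") $(int2ip "$bcast")"
}

# lan_up_cmd IFACE IP MASK -> the ifconfig line for the LAN side.
# No gateway is set here on purpose: the server's default route must stay on
# the internet-side interface, and the network address is not a gateway.
lan_up_cmd() {
    set -- "$1" "$2" "$3" $(net_calc "$2" "$3")
    echo "ifconfig $1 $2 netmask $3 broadcast $5 up"
}

# Usage: sh lan-up.sh eth1 192.168.0.1 255.255.255.0
[ $# -lt 3 ] || {
    lan_up_cmd "$1" "$2" "$3"
    echo "# run the line above as root, then verify with: ifconfig $1; route -n"
}
```

The script only prints the command; run it as root yourself once you have checked the values. The check on 'route -n' afterwards is the one that catches the gateway mistake: the line with destination 0.0.0.0 must list your internet interface, never the LAN card.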

************Setting up Windows Client Computers***********
Now it is time to configure the other computers on your LAN for internet sharing. You will need to install a NIC in each client computer to connect it to your 'server'. On Linux clients, set up the NIC in the same application you just used to configure the LAN NIC on the server. On Windows computers, open the 'Control Panel' and then the 'Network' applet. Under the box titled 'Primary Network logon', select 'Client for Microsoft Networks'. If 'Client' is not available, you can add it by clicking the 'Add' button, double-clicking 'Client', choosing 'Microsoft' on the left and 'Client for Microsoft Networks' on the right side of the page. Click the 'OK' button and you should now be able to select it as an option.
Next, select 'TCP/IP' for your NIC from the list of installed network components and choose 'Properties'.

Under the 'IP Address' tab, select 'Specify an IP Address' and enter:
IP Address 192.168.0.2 (add one for each additional computer: 192.168.0.3, 192.168.0.4, ...; never reuse 192.168.0.1, which is the server)
Subnet Mask 255.255.255.0
Under the 'WINS Configuration' tab, select 'disable WINS Resolution'
Under the 'Gateway' tab, enter the IP address of your server (192.168.0.1) and click the 'Add' button.
Under the 'DNS Configuration' tab, select 'Enable DNS' and enter:
Host: the share name of your computer ("client" for example)
Domain: leave this one blank
DNS Server Search Order: add the ip addresses of your ISP's DNS servers.
Under the 'Bindings' tab, checkmark 'Client for Microsoft Networks'.
Under the 'Advanced' and 'NetBIOS' tabs, leave the defaults; they should be fine. Now click the 'OK' button and select the 'Identification' tab. On this page enter a name for your computer (use the same name you just used on the DNS Configuration page) and a workgroup name (like HOME or NETWORK or anything else you can think of). Now click the 'OK' button at the bottom of the screen. Windows may prompt you for the Windows CD and will definitely ask you to restart your computer; do it now!
After your computer has restarted, right-click the 'Internet Explorer' icon and choose 'Properties'. In the properties box, click the 'Connections' tab, pick 'Never dial a connection', then click the 'LAN settings' button. No proxy is needed, because the Linux box masquerades your traffic rather than proxying it, so the simplest choice is to leave every box in this dialog unchecked; if you leave 'Automatically detect settings' on, Windows will search for a proxy before the first page loads, which is why the first page can take a minute or two. Click 'OK' on all the pages to save the configuration. Your Windows box is now set to share the internet through the Linux server, and you should be able to ping each computer from the other (for example 'ping 192.168.0.1' from the client and 'ping 192.168.0.2' from the server). If the ping fails, fix that before going on; nothing else will work without it. So let's finish the setup on the Linux box and get both of them on the internet.

***********Installing IPMASQ**********
Now that you have both an internet connection and your LAN-side NIC working, we're down to the easy part! Open a 'find files' application and search for '*ipmasq*' under '/'. If you have it installed, skip to the next step; otherwise install the package from your Linux CD or your distro's update site. Next, open a console box, maximize the window, and enter 'modconf'. Select the option for 'network cards and protocols', and then select 'ipv4'. You should now see roughly six modules whose names begin with 'ip_masq_' (the masquerading helpers for protocols such as FTP and IRC that carry addresses inside the data stream; I always install all of them...it is easier than needing one of them later and not having it available). Install them one at a time. The modules by themselves do not route anything: masquerading also needs IP forwarding switched on (/proc/sys/net/ipv4/ip_forward set to 1) and an ipchains rule that masquerades traffic from the LAN; on Debian-based systems the 'ipmasq' package installs a boot script that does both, and PMFirewall (below) does the same. Once you have installed all of the modules, restart your computer, and if you start in 'expert mode', or the equivalent boot mode for your distro, watch for the modules to load. If there have been any problems loading modules, you should be able to find them after logging in by opening a console box and entering 'dmesg'.

You should now be able to get both computers on the internet, so start 'Internet Explorer' on the Windows computer (I mean 'client' computer....oops) and see if it is working. If you left 'Automatically detect settings' on, the first page could take a minute or two while Windows looks for a proxy. If it is working, congratulations on configuring your first router....feels good, doesn't it??? If it is not working, go back and check everything that has been set up, because something has not been configured properly. The usual culprits are IP forwarding being off on the server, a missing masquerading rule, or a wrong gateway or DNS entry on the client.

*************Firewall************
The final, and easiest, part of this install is to download PMFirewall from http://www.pointman.org/PMFirewall/ and then run the 'install.sh' script from the download. Remember that the "outerif" (external interface) is eth0 for a NIC or ppp0 for a dial-up modem, and the LAN ("inner") interface is the other card (eth1 with a NIC, eth0 with a modem).

*I have been informed that there are some additional steps for getting PMFirewall configured correctly for a dial-up connection. If you are using dial-up, you will need to use the "Note" posted below to use PMFirewall (Thanks Don!).*

The rest of the setup questions are extremely easy to answer, and after the install has completed, I would suggest restarting your computer. You should see PMFirewall load during boot. PMFirewall is a script that loads ipchains rules, not a kernel module, so it will not appear in 'lsmod'; to check it, open a console box and run 'ipchains -L -n', where you should see a default policy of DENY on the input chain and a MASQ rule on the forward chain ('lsmod' is still useful to confirm that the ip_masq_* helper modules are loaded). If the rules are there, congratulations again: you should have a secure, completely functional firewall running now. To confirm that it is really "stealth", have someone port-scan your external address from outside; the ports should show up as filtered (no answer), not as closed.

Have fun, and I hope this has helped you!
Until next time,

~Guitarlynn



*************NOTES FOR PPP (DIAL-UP) USERS********************

On review of this How-To by my good friend Donald Spoon, he has contributed some additional steps to configure your system for PMFirewall to work correctly with the Dial-On-Demand option. This is based on Corel Linux 1.0-1.2 (Debian), so you may have to do a little homework to accomplish the same thing in a different distro.
Thank-you Donald and Ernie DeVries for the excellent help on this setup!!!
~Guitarlynn.

Here are the steps: (All files from Debian "stable" or "potato") NOTE: Actual file numbers may have changed since the date of this writing. If the number is higher, then it is "safe".

1 Using Corel Update (or "apt-get"), upgrade to ppp 2.3.11-1.4, pppconfig 2.0.5, and ADD libpam-pwdb 0.72-7 (latter MOST important!!!- see CAUTION & NOTE below!!) This took about an hour on my 28K connection. During the process glibc 2.1 + a bunch of other packages were installed to meet dependencies. I have NOT seen any adverse effects here to date.

CAUTION CLOS 1.0 and 1.1 ONLY: If you don't get & install libpam-pwdb, you will have one heck of a time getting back into KDE after you reboot!!
It CAN be done. Text console logins work OK, but the KDM login WILL NOT WORK without this package. I would make sure this package is installed before ANY reboot. It winds up in /lib/security as the "pam_pwdb.so" file. If that is there, then you have it installed OK.

NOTE: CLOS 1.2 ONLY: I have one report that installing libpam-pwdb on CLOS 1.2 really wrecked the system. Corel has changed the way it does authentication in CLOS 1.2 so this may NOT be necessary. I would suggest NOT installing this package on CLOS 1.2 systems and see what happens.

2. After all is done, run the new pppconfig & fill in the blanks. It even autodetects your modem now... really neat! Select "advanced options" to get to the "demand" option menu. Leave the provider ID as "provider". You might want to enter some value in the "idle" option. I use 500, but you can use lower if you want.

3.a CLOS 1.0 ONLY: Disable local "defaultroute" in /etc/init.d/network by commenting it out. This is the same as the local "gateway".

3.b CLOS 1.1 & 1.2 ONLY: Disable the local "gateway" or "defaultroute" by removing any numbers in the "Control Center"-"Network"-"TCP/IP"-"IP Address"-"Default Gateway" menu box, then click "apply".

4. Change /etc/ppp/no_ppp_on_boot to /etc/ppp/ppp_on_boot with the following command:
"mv /etc/ppp/no_ppp_on_boot /etc/ppp/ppp_on_boot".

NOTE: In the most recent version of PPP from Debian "stable" this file can be made executable. I suggest you do this, and the instructions are contained in the file. Just open it with a text editor and follow the directions. You will have to remove two # marks on the first line.

5. Check /etc/resolv.conf. PPPCONFIG should have changed this already. I added a "domain" line that pppconfig didn't add. Here is my /etc/resolv.conf file as an example:

domain [HOSTNAME].[ISP DOMAIN].com
nameserver [DNS SERVER #1 IP#]
nameserver [DNS SERVER #2 IP#]

6. Reboot the computer, check if "/usr/sbin/pppd call provider" is a running process, and you should be able to kick off the modem by doing a ping, traceroute, or clicking on Netscape.

7. The setup for using PMFirewall with a dial-up modem needs some expansion. The problem is that NEITHER the "ppp0" external interface nor the "defaultroute" exist until the ppp link is established, and therefore PMFirewall cannot be started before the link comes up. If you do, you will get a bunch of error messages. Fortunately, this can be "fixed" with a small script in /etc/ppp/ip-up.d/ that starts (or restarts) PMFirewall. All of the script files in /etc/ppp/ip-up.d/ are run AFTER the PPP link is established, and this is THE perfect place to start it. Here is my script file that I used:

#!/bin/sh
# /etc/ppp/ip-up.d/pmfirewall: run by pppd once ppp0 and the default route
# exist, so PMFirewall can now see the external interface.
/usr/local/pmfirewall/pmfirewall restart

Just make sure it is executable with a "chmod 755 pmfirewall" command after you save it as /etc/ppp/ip-up.d/pmfirewall.
Now go back up to the paragraph the reference to this note was in and finish installing and configuring PMFirewall!
**********************END OF NOTE******************************
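The three pieces above (the ipmasq modules section, the PMFirewall install, and the ip-up.d restart in the note) all come down to a short list of ipchains commands on a 2.2 kernel: turn on forwarding, deny by default, let replies back in, and masquerade the LAN. As an added example (not code from the How-To, from PMFirewall, or from Donald's note), here is a minimal masquerading "stealth" firewall in POSIX sh that prints those commands so you can read them, and applies them only when asked. The interface names eth0/eth1, the 192.168.0.0/24 LAN and the PPP_IFACE variable that pppd exports to ip-up scripts are assumptions; the DNS and DHCP reply rules assume your resolver and cable provider use the standard ports.

```shell
#!/bin/sh
# Added example (not from the How-To or from PMFirewall): a minimal ipchains
# masquerading firewall for a 2.2-series kernel.
# Assumed names: eth0 = internet side, eth1 = LAN side, LAN = 192.168.0.0/24.
# fw_rules prints the commands; fw_apply runs them. Nothing touches the
# kernel unless you call fw_apply (or run the file with "apply").

fw_rules() {
    ext_if=$1      # internet-side interface (eth0 for a NIC, ppp0 for dial-up)
    lan_if=$2      # private LAN interface
    lan_net=$3     # private LAN in CIDR form, e.g. 192.168.0.0/24

    cat <<EOF
# turn on routing between the two interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
# start from empty chains, default-deny on input and forward (DENY drops
# silently, which is what "stealth" means: no RST or ICMP goes back)
ipchains -F
ipchains -P input DENY
ipchains -P forward DENY
ipchains -P output ACCEPT
# loopback and the private LAN may talk to the server itself
ipchains -A input -i lo -j ACCEPT
ipchains -A input -i $lan_if -s $lan_net -j ACCEPT
# anti-spoofing: private LAN addresses must never arrive from the internet
ipchains -A input -i $ext_if -s $lan_net -j DENY -l
# replies to connections we opened: TCP packets that are not a bare SYN,
# DNS answers to unprivileged ports, DHCP from the cable provider, and ICMP
ipchains -A input -i $ext_if -p tcp ! -y -j ACCEPT
ipchains -A input -i $ext_if -p udp -s 0/0 53 -d 0/0 1024:65535 -j ACCEPT
ipchains -A input -i $ext_if -p udp -s 0/0 67 -d 0/0 68 -j ACCEPT
ipchains -A input -i $ext_if -p icmp -j ACCEPT
# everything else arriving from the internet is dropped and logged
ipchains -A input -i $ext_if -j DENY -l
# masquerade LAN traffic leaving on the internet side (under ipchains, -i in
# the forward chain names the outgoing interface)
ipchains -A forward -i $ext_if -s $lan_net -j MASQ
EOF
}

# Run the generated commands (must be root on a 2.2 kernel with ipchains).
fw_apply() {
    fw_rules "$@" | sh
}

# From /etc/ppp/ip-up.d/ pppd exports PPP_IFACE (ppp0, ...), and the rules
# must be loaded then because ppp0 does not exist before the link is up.
# Manual use:  sh masq-fw.sh show eth0 eth1 192.168.0.0/24
#              sh masq-fw.sh apply eth0 eth1 192.168.0.0/24
case "${1-}" in
    show)  shift; fw_rules "${1:-${PPP_IFACE:-eth0}}" "${2:-eth1}" "${3:-192.168.0.0/24}" ;;
    apply) shift; fw_apply "${1:-${PPP_IFACE:-eth0}}" "${2:-eth1}" "${3:-192.168.0.0/24}" ;;
esac
```

Because ipchains is stateless, "replies" are recognised by TCP flags and port numbers rather than by tracked connections, which is why the UDP rules are kept as narrow as possible; tighten the DNS rule to your ISP's resolver addresses if you know them. Run 'show' first and read the output, then 'apply', then 'ipchains -L -n' to confirm what the kernel actually loaded.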

| copyright 2000 | Contact Guitarlynn |