How to configure a simple gateway with Linux Debian
When a company has a broadband Internet connection and wants to share it between its different offices, it is often assumed that a dedicated firewall appliance has to be bought, which is a mistake. This article shows that, with minimal investment and using Debian Linux, we can offer our network better services than we would get by purchasing a firewall appliance.
Such hardware can be too expensive for many companies in Guatemala. By contrast, a dedicated machine running Debian Linux and acting as the gateway for the LAN offers many benefits compared with a firewall appliance: to begin with, it is much more flexible, and it lets us offer many extra services to our network.
To run a gateway you need a Debian machine with two network cards, with the external card able to route correctly to the ISP. (See article)
In this case the network interface eth0 will serve the internal network directly. This card will have a class C IP address such as 192.168.1.1, which will be used as the default gateway for the machines on our LAN. That leaves eth1 as the machine's external interface.
For this machine to act as a gateway, routing packets from our LAN to the outside world and back, the IP forwarding bit must be enabled, together with the rules it needs to route and filter those packets. This is done with iptables.
Basically we need three sets of rules:
- Refuse incoming connections on eth1 (the external network interface)
- Allow outgoing packets from our LAN via eth0
- Allow the replies to established connections back in
To this end we create the following script:
File: 00-firewall

#!/bin/sh
# Published under the GPL by www.guatewireless.org
PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# Erase all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept traffic from loopback.
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and new ones that do not come from outside.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Refuse everything else arriving on the external interface. Without this
# rule the INPUT chain falls through to the default policy (ACCEPT), so new
# connections from the Internet to the gateway itself would still get in.
iptables -A INPUT -i eth1 -j DROP

# Allow outbound connections from inside the LAN.
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# Masquerade (NAT) everything leaving through the external interface.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Do not forward new connections from outside to inside.
iptables -A FORWARD -i eth1 -o eth0 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
This script must run when the system boots, as soon as the network interfaces are brought up. To do that, save it in the directory /etc/network/if-up.d/: every executable file in that directory is run whenever an interface is brought up.
Because the files in that directory run in alphabetical order, the script is named 00-firewall so that it runs before anything else. Note that it runs once for every interface that comes up; since it starts by flushing all rules, running it repeatedly is harmless.
This gives us a basic gateway. Any machine within the LAN should now be able to reach the Internet, while the gateway itself remains secure.
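To check the claim that the gateway stays secure, here is an added example written for this page (it is not part of the original article, nor the script author's code): a small Python model of the INPUT and FORWARD chains the script builds, evaluated against a few constructed packets. It shows that the three ACCEPT rules alone, combined with the kernel's default chain policy of ACCEPT, still admit new connections arriving on eth1, and that an explicit drop for eth1 input plus a REJECT for eth1-to-eth0 forwarding (both assumptions made here, matching the intent of the rule list above) close that gap. The model ignores NAT and conntrack internals; interface names follow the article.

```python
# Added example (not from the original article): a tiny model of the INPUT and
# FORWARD chains built by the 00-firewall script, used to check which verdict
# each kind of packet receives. Interface names follow the article; the
# "closed" variant's extra rules are assumptions made here.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Packet:
    in_iface: str                      # interface the packet arrived on
    out_iface: Optional[str] = None    # None: delivered locally (INPUT chain)
    state: str = "NEW"                 # conntrack view: NEW, ESTABLISHED, RELATED


@dataclass
class Rule:
    target: str                        # ACCEPT, DROP or REJECT
    in_iface: Optional[str] = None     # -i <iface>
    in_negate: bool = False            # ! -i <iface>
    out_iface: Optional[str] = None    # -o <iface>
    states: Optional[Set[str]] = None  # -m state --state ...

    def matches(self, p: Packet) -> bool:
        if self.in_iface is not None:
            same = p.in_iface == self.in_iface
            if same == self.in_negate:     # "-i X" needs same, "! -i X" needs different
                return False
        if self.out_iface is not None and p.out_iface != self.out_iface:
            return False
        if self.states is not None and p.state not in self.states:
            return False
        return True


@dataclass
class Chain:
    policy: str = "ACCEPT"             # the script never changes the default policy
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, p: Packet) -> str:
        for r in self.rules:           # first matching rule wins, as in netfilter
            if r.matches(p):
                return r.target
        return self.policy


REPLIES = {"ESTABLISHED", "RELATED"}


def accept_only_chains() -> Tuple[Chain, Chain]:
    """The ACCEPT rules of the script, relying on the default policy for the rest."""
    inp = Chain(rules=[
        Rule("ACCEPT", in_iface="lo"),
        Rule("ACCEPT", states=REPLIES),
        Rule("ACCEPT", in_iface="eth1", in_negate=True, states={"NEW"}),
    ])
    fwd = Chain(rules=[
        Rule("ACCEPT", in_iface="eth1", out_iface="eth0", states=REPLIES),
        Rule("ACCEPT", in_iface="eth0", out_iface="eth1"),
    ])
    return inp, fwd


def closed_chains() -> Tuple[Chain, Chain]:
    """Same rules plus an explicit DROP for unsolicited eth1 input and a REJECT
    for new eth1 -> eth0 forwarding (assumed additions, not the script's text)."""
    inp, fwd = accept_only_chains()
    inp.rules.append(Rule("DROP", in_iface="eth1"))
    fwd.rules.append(Rule("REJECT", in_iface="eth1", out_iface="eth0"))
    return inp, fwd


# Constructed scenarios: (name, chain, packet)
SCENARIOS = [
    ("lan host -> gateway (new)",      "INPUT",   Packet("eth0")),
    ("internet -> gateway (new)",      "INPUT",   Packet("eth1")),
    ("reply to gateway's own request", "INPUT",   Packet("eth1", state="ESTABLISHED")),
    ("lan -> internet (new)",          "FORWARD", Packet("eth0", "eth1")),
    ("internet reply -> lan",          "FORWARD", Packet("eth1", "eth0", "ESTABLISHED")),
    ("internet -> lan host (new)",     "FORWARD", Packet("eth1", "eth0")),
]


def audit(chains: Tuple[Chain, Chain]) -> Dict[str, str]:
    """Run every scenario through the right chain and collect the verdicts."""
    inp, fwd = chains
    table = {"INPUT": inp, "FORWARD": fwd}
    return {name: table[chain].verdict(pkt) for name, chain, pkt in SCENARIOS}


if __name__ == "__main__":
    for label, chains in (("accept rules only", accept_only_chains()),
                          ("with explicit drop/reject", closed_chains())):
        print(f"--- {label} ---")
        for name, verdict in audit(chains).items():
            print(f"{name:34s} {verdict}")
```

Running it prints one verdict table per variant. The line to look at is "internet -> gateway (new)": with the ACCEPT rules alone it ends in ACCEPT, because nothing in the chain ever says no and the policy decides; only the explicit DROP turns it into a refusal, which is what the first bullet in the rule list asks for.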
Now we can think about adding extra services for our LAN, from the gateway of course. There are a couple of interesting things that can be added to make life easier; for example, instead of assigning a fixed IP address to every computer in the LAN, we can assign them dynamically with DHCP.
Likewise, we can install a local name server that resolves the names of our machines on the internal network.
An excellent package for this is dnsmasq. It can be installed with apt-get and is configured through a single file, /etc/dnsmasq.conf.
Once this package is running, the client machines can find any host on the network that is listed in the server's /etc/hosts file. With this we can give aliases to the machines on the network, and they will be resolved easily.
For example, to install a proxy server on the gateway we can create a name for it:
File: /etc/hosts

#
127.0.0.1       localhost
#
# Local machines.
#
192.168.1.1     gateway proxy gateway.guatewireless.net proxy.guatewireless.net

This gives the new name proxy to the machine formerly known as prince, I mean gateway.
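Since the article only names the configuration file, here is an added example of /etc/dnsmasq.conf for the gateway described above, covering both the DHCP paragraph and the local name server. It is not from the original article; the address range, lease time and the use of guatewireless.net as the local domain are assumptions chosen for illustration.

```conf
# Added example of /etc/dnsmasq.conf for this gateway (not from the article).
# Range, lease time and domain are assumptions chosen for illustration.

# Serve DNS and DHCP only on the LAN side, never on the external card.
interface=eth0
bind-interfaces

# Names from /etc/hosts get the local domain appended, and queries for that
# domain are answered locally instead of being sent to the ISP resolvers.
domain=guatewireless.net
expand-hosts
local=/guatewireless.net/

# Hand out addresses to LAN clients (range and lease time are assumed).
dhcp-range=192.168.1.50,192.168.1.150,12h

# Tell clients to use this machine as default gateway and DNS server.
dhcp-option=option:router,192.168.1.1
dhcp-option=option:dns-server,192.168.1.1
```

With expand-hosts and domain set, the short names in /etc/hosts (gateway, proxy) also answer as gateway.guatewireless.net and proxy.guatewireless.net, so the fully qualified aliases in the hosts file above become optional. Binding only to eth0 keeps the resolver and DHCP server from answering on the Internet-facing interface, which is the same principle the firewall script applies to eth1.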
".. That's all folks ..."
4 comments to "How to configure a simple gateway with Linux Debian"
on 07 Aug 2008 at 10:53 am # Ever
Hello.
I want to thank you for your article and bother you with a question regarding this paragraph in your article "How to configure a simple gateway with Linux Debian":
"Now any machine within the LAN must be able to access the Internet, while the gateway remains secure."
Internet access works, but I missed or did not understand the part about how to restrict access to pages, sites or domains, such as the ones that hit me hardest: rapidshare, youtube, etc.
greetings from Mexicali
fher98 replied on August 7th, 2008:
@Ever: The article does not talk about how to restrict websites, but for that purpose you can use any web content filter. I can recommend DansGuardian.
on 07 Aug 2008 at 11:06 am # Ever
Thank you for this article,
but I still have a doubt about how to block pages for users, for example rapidshare, youtube, porn, etc.
greetings from Mexicali
on 17 Oct 2008 at 11:09 am # Mey
The gateway performs NAT between the computers on the LAN and your ISP's router. To control browsing, you first need to set up a proxy (Squid could run on the same Debian gateway) and then some filtering software (such as DansGuardian).
Greetings.