If you are setting up a home network, you probably want a perimeter-facing computer connected to your DSL/cable modem, with all of your other computers behind that firewall box to keep them safe. This tutorial shows how to use a single external connection on the gateway computer (filtered by the iptables firewall) and a second internal connection on the same box, so that you can connect the computers inside your home or office to it and hand them IP addresses automatically when you plug them in (using a DHCP server). Iptables can get very complicated; here we configure only a basic firewall, and you can add more security later without breaking things. There are many ways to do this in Linux; this one is hopefully simple enough to teach the basics. I did this on a CentOS 6 box, though it would work on Debian variants with only slight modifications. During this tutorial I’m logged in as root, which you should generally NOT do, but it makes the tutorial simpler; if you prefer to do it more securely, add “sudo” before each command and it will work the same.
The computers on the inside of your office will also be able to talk to each other, so you can hook up printers, computers and share network connections through the switch as well. You can also set up things on your Gateway server box later like a network backup drive for all your computers using Samba relatively simply. There’s a lot of expandability in this setup, but we’ll keep it simple for now.
The central piece of the gateway server is iptables, the default firewall that ships with CentOS. We will tell it to forward traffic arriving on the internal eth1 interface out to the Internet and to masquerade it behind the external address. That means adding the iptables rules, saving them and restarting iptables (Step 9); Steps 1 to 8 first set up the two interfaces and the DHCP server.
Step 1. Add 2 Network cards to the Linux box
Step 2. Verify that both network cards were detected and which name each one got (for example with ifconfig -a or ip link)
Step 3. Configure eth0 for the Internet side (external network, the address facing your modem/ISP)
# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
HWADDR=00:0c:29:d2:c2:75
# 192.168.1.10 is only an example: use the address your modem/ISP assigns to this side
IPADDR=192.168.1.10
BROADCAST=192.168.1.255
NETMASK=255.255.255.0
NETWORK=192.168.1.0
GATEWAY=192.168.1.1
DNS1=8.8.8.8
DNS2=8.8.4.4
ONBOOT=yes
TYPE=Ethernet
USERCTL=no
IPV6INIT=no
PEERDNS=yes
Step 4. Configure eth1 for LAN with a Private IP (Internal private network)
# vi /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
BOOTPROTO=static
HWADDR=00:0c:29:d2:c2:7f
IPADDR=192.168.10.1
BROADCAST=192.168.10.255
NETMASK=255.255.255.0
NETWORK=192.168.10.0
# no GATEWAY line here: eth0's own address is not a valid next hop, and the
# default route is set once, on the Internet side, in /etc/sysconfig/network (Step 6)
ONBOOT=yes
TYPE=Ethernet
USERCTL=no
IPV6INIT=no
PEERDNS=yes
If you get an error bringing up interface eth1, NetworkManager is probably managing the interfaces; stop it and use the classic network service instead:
# service NetworkManager stop
# chkconfig NetworkManager off
# service network start
# chkconfig network on
Step 5. Host Configuration (Optional)
# vi /etc/hosts
127.0.0.1 nat localhost.localdomain localhost
Step 6. Gateway Configuration
# vi /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=nat
GATEWAY=192.168.1.1   # Internet gateway, i.e. the modem/router provided by the ISP
Step 7. DNS Configuration
# vi /etc/resolv.conf
nameserver 8.8.8.8   # primary resolver (Google public DNS; substitute your ISP's resolver if you prefer)
nameserver 8.8.4.4   # secondary resolver
Step 8. Configure the DHCP server to hand out IPs to the computers on the inside of the LAN
We do that by installing the DHCP server like this:
# yum install dhcp
Then describe the internal subnet. The pool below hands out 192.168.10.10 to 192.168.10.20 and tells clients to use the gateway's eth1 address as their router and the same resolvers the gateway uses:
# vi /etc/dhcp/dhcpd.conf
option domain-name "vjetnamnet.com";
option domain-name-servers 8.8.8.8, 8.8.4.4;
default-lease-time 600;
max-lease-time 7200;
ddns-update-style none;
authoritative;
subnet 192.168.10.0 netmask 255.255.255.0 {
  range dynamic-bootp 192.168.10.10 192.168.10.20;
  option broadcast-address 192.168.10.255;
  option routers 192.168.10.1;
}
Make dhcpd listen on the LAN interface only, so it never answers DHCP requests arriving from the ISP side: set DHCPDARGS=eth1 in /etc/sysconfig/dhcpd. Then start it and enable it at boot with service dhcpd start and chkconfig dhcpd on.
Step 9. NAT configuration with iptables
First of all you have to flush and delete the existing firewall rules. Note that this also removes the default rules CentOS 6 ships with and leaves the chain policies at ACCEPT, so until you add rules of your own, nothing is filtered. Flush the rules by typing in a terminal:
# iptables -F
# iptables -t nat -F
# iptables -t mangle -F
Now delete any user-defined chains:
# iptables -X
# iptables -t nat -X
# iptables -t mangle -X
Set up IP forwarding and masquerading. The first rule rewrites the source address of everything leaving eth0 to eth0's own address; the second allows packets arriving on eth1 to be forwarded (replies coming back in on eth0 are forwarded only because the FORWARD chain's policy is still ACCEPT):
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# iptables -A FORWARD -i eth1 -j ACCEPT
Enable packet forwarding in the kernel:
# echo 1 > /proc/sys/net/ipv4/ip_forward
and edit /etc/sysctl.conf to make the change permanent across reboots (CentOS 6 ships this line set to 0; change it rather than adding a second copy, and load it with sysctl -p):
# vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
Apply the configuration. The save step writes the live rules to /etc/sysconfig/iptables, which is what gets loaded at boot:
# service iptables save
# service iptables restart
Check that iptables is set to start during boot (if it is off, enable it with chkconfig iptables on):
# chkconfig --list iptables
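The Step 9 rules give you NAT but not much of a firewall: after the flush, the INPUT and FORWARD chains keep their default ACCEPT policy, so every service on the gateway (sshd, dhcpd) is reachable from the modem side, and the return path for LAN traffic works only because FORWARD accepts everything. As an added example that is not from the original tutorial, the script below generates a stateful, default-deny ruleset for the same layout in iptables-save format (the format service iptables save writes to /etc/sysconfig/iptables) and applies it only when explicitly told to. The interface names eth0/eth1 and the 192.168.10.0/24 LAN come from the tutorial; the script name gateway-fw.sh and the choice to expose only SSH, DHCP and ping, and only to the LAN, are my assumptions.

```shell
#!/bin/sh
# gateway-fw.sh: added example, not part of the original tutorial.
# Generates a stateful iptables ruleset for a two-NIC NAT gateway.
# Assumed layout (override via environment): WAN=eth0, LAN=eth1,
# LAN_NET=192.168.10.0/24, matching the tutorial's addressing.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.10.0/24}

# gen_rules prints the ruleset in iptables-save format, the same format
# "service iptables save" writes to /etc/sysconfig/iptables on CentOS 6.
# Lines starting with '#' are ignored by iptables-restore.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Hide the LAN behind the WAN address (the tutorial's MASQUERADE rule)
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
*filter
# Default-deny on INPUT and FORWARD; the tutorial leaves both at ACCEPT
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Anti-spoofing: our private LAN range must never arrive on the WAN side
-A INPUT -i $WAN -s $LAN_NET -j DROP
-A FORWARD -i $WAN -s $LAN_NET -j DROP
# Loopback and replies to connections the gateway itself opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# Services the gateway offers, reachable from the LAN only: DHCP, SSH, ping
-A INPUT -i $LAN -p udp --dport 67 -j ACCEPT
-A INPUT -i $LAN -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN -p icmp --icmp-type echo-request -j ACCEPT
# LAN -> WAN plus the replies; nothing new from the WAN inward
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# rule_count: number of -A rule lines in the generated text (sanity check
# before applying; a typo in the heredoc shows up here as a wrong count).
rule_count() {
    gen_rules | grep -c '^-A'
}

# Apply only when asked explicitly and running as root:
#   sh gateway-fw.sh           -> print the ruleset for review
#   sh gateway-fw.sh apply     -> load it atomically, then enable forwarding
# Persist afterwards with "service iptables save".
if [ "$1" = "apply" ]; then
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply requires root" >&2
        exit 1
    fi
    gen_rules | iptables-restore || exit 1
    sysctl -w net.ipv4.ip_forward=1
else
    gen_rules
fi
```

Review the output with sh gateway-fw.sh before applying it. Because INPUT defaults to DROP and SSH is only accepted from eth1, run the apply step from the console or from a LAN client, never over an SSH session that comes in on the WAN side, or you will lock yourself out. iptables-restore loads the whole table set atomically, so there is no window where the old rules are gone and the new ones are not yet in place, unlike the flush-then-add sequence in Step 9.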
Step 10. Testing
From a client system, ping the gateway's LAN address:
# ping 192.168.10.1
Then check that the client reaches the Internet through the gateway (this also confirms that name resolution works):
# ping google.com
Configuring PCs on the network (Clients)
Clients that use DHCP get everything they need from the dhcpd configuration in Step 8. Any PC on the private office network that is configured by hand should set its “gateway” to the LAN address of the Linux gateway computer (192.168.10.1).
Its DNS should be set to the same resolvers the gateway uses (8.8.8.8 and 8.8.4.4 in this tutorial, or your ISP's servers).