The purpose of this section is to introduce you the concept of internet firewalls and the concept of sharing your internet connection with other computers on your home or office network. Please note that the rules discussed here are for kernel 2.0.x , standard on RedHat 5.x and older distros. If you would like to use kernel 2.2 there is a new firewall tool called ipchains and a link to a sample script below in the section on Kernel 2.2.
A firewall is basically a computer that acts as a guardian for your computer network. In the simplest form it consists of a computer with two network interfaces, one interface is considered part of your internal or trusted network, while the other interface is the one that is reachable from an outside source in our case the internet. The first goal of a firewall is to set up rules for the external interface that block unwanted traffic or service requests from being passed through to your internal network. The second goal is to allow your internal network to make requests from external networks. Usually these requests consist of http requests, ftp requests, and pop requests which are used to get mail from an external server.
Rules are defined in scripts that are called upon startup or in our case when you make a ppp connection to the internet through a dialup account. In general you might have a script called firewall.rules in which commands are found that establish what types of requests can be made from both your internal and external network. With the current shipping distributions of linux such as RedHat, the linux kernel can take these commands and translate them into what is defined as a firewall. This process is done through the use of the ipfwadm command. The syntax is as follows:
ipfwadm -switch -options
The switch is used to define whether the rule is for inputs, outputs, or forwarding. Following this logic a command of ipfwadm -I -options defines input rules, ipfwadm -O -options defines output rules, ipfwadm -F -options defines forwarding rules. As a general rule you might have these three commands first in your ppprules script:
ipfwadm -I -p deny
ipfwadm -O -p deny
ipfwadm -F -p deny
The -p options says here is the default policy for this firewall, in this case you are denying any packets from passing into or out of your network, you are also not forwarding any packets from your internal network to the outside. You can then enter the rest of your commands which define just exactly what is allowed to pass into and out of your network. Since seeing what an actual firewall script looks like is very helpful below you will find a link to an actual firewall script. The script here is available by courtesy of Paul G. Sery author of the Linux Network Toolkit. his script is derived from a paper written by John Vos and Willy Konijinenberg of X/OS Experts in Open Systems BV, that can be found at www.xos.nl . This script demonstrates how to build a relatively secure firewall for you home or small office. If you read the man page for ipfwadm (type man ipfwadm) you will see that these scripts abide by the rules for ipfwadm. I am not and do not claim to be an expert on this topic. For this page's intended audience simply running these "canned" scripts will serve you well. Once you become familiar with linux you can then build your own script if you feel it necessary. If you are considering using a firewall to protect potentially sensitive information then i suggest you either become and expert on the topic through experimentation or hire a professional to help you. Note you need to make this script executable upon download, so type chmod +x firewall.rules to make it so. If you just want root to be able to do this type chmod u+x firewall.rules. Shift click to download.
Sharing your internet connection with the rest of your network
The other goal of this page is to tell you how to share you single dialup connection with the rest of your network. This is referred to as IP MASQUERADING or NETWORK ADDRESS TRANSLATION N.A.T. for short. This can also be accomplished with the ipfwadm command. First you must tell your internal network card to forward packets that do not belong on your network. This is done by checking the Network Packet Forwarding box in RedHat's Network Configurator. Note that this can also be done manually by editing the /etc/sysconfig/network file and setting FORWARD_IPV4=yes. You will need to reboot for the forwarding to take effect. Now your computer we'll say 192.168.1.1 is the GATEWAY to the internet for all of your other machines. On your other machines' TCP/IP setting you should point to 192.168.1.1 as the gateway to the internet. After doing this establishing an ip address that will be shared with the rest of your network is as simple as entering the following commands:
ipfwadm -F -p deny
ipfwadm -F -a m -S your network number -D 0.0.0.0/0
Say your connected internal network number is 192.168.1.0 that address would be substituted above. As root at a terminal type ipfwadm -F -p deny , then ipfwadm -F -a m -S 192.168.1.0 -D 0.0.0.0/0 . At your other computers you should now be able to browse the internet. If you want this to put these rules into a script called ipmasq I have made a script below that does not make a firewall but enables Ip masquerading. Note that although it is good practice to use a firewall it is not absolutely necessary hence this script.
Kernel 2.2 and simple ip masquerading
With the advent of the kernel 2.2 series the ipfwadm tool is no longer used and has been replaced by the ipchains tool. Basically the commands are incompatible with each other and you must not use ipfwadm rules with ipchains. Below please find a few simple lines that will let you use your kernel 2.2 system act as a gateway for all of your computers on your network. I suggest you put these commands in a script in your /root directory called whatever you want and make it executable. So after making a script called ipmasq or whatever type chmod +x ipmasq after saving it. Below are the rules based on a Class A network like 10.0.0.0 .
ipchains -P forward DENY
ipchains -A forward -s 10.0.0.0/255.0.0.0 -j MASQ
While this gives you a masquerading it is not a true firewall,
for that download the script found here
. It is a full firewall courtesy of the folks at nerdherd.net. Make sure
and chmod +x it before you try and use it. Also I created a script
to "flush" the rules when your internet connection goes down, you do not
necessarily need it , but it can be found here.
Having your firewall and ip masquerading script launch automatically upon dialup
The way this is accomplished is by putting a command that executes your script in the /etc/ppp/ip.up.local script. You will note that you should create a /etc/ppp/ip.up.local script as per the instructions in the ip.up script. In this script put the command exec /firewall.rules or whatever your script is called before the exit. I have also just stuck my command in the actual ip.up script with no ill effects but that is not the "correct" way of doing things. Note that if your script is in /root put exec /root/firewall.rules. Now when you click activate ppp0 in RedHat's Network Configuration program this script will be executed upon a dialup connection and allow for a firewall to start that allows for ip masquerading. Remember that you can also initiate a dialup connection by typing ifup ppp0 at the command line which also launches the script.