Linux Firewalling - **UPDATED** - DNS issues?

Jun 8, 2000
94
0
0
Hi All!

I'm a gamer (EE, RtCW) that lives within the confines of a surfing and emailing wife who uses the same machine. Obviously, when I make a move to tweak a machine, I need to be certain that I don't screw up and get the lovely wife mad because of a day's downtime. It is under this backdrop that I undertake my most significant change in system specs *ever*....

A friend of mine just handed me an old Dell PowerEdge 1300 with dual PIII500s and three 9gb SCSI drives. I'm going to turn it into a RtCW, Roger Wilco and Web server, sharing a single cable modem connection to the internet with my (and my wife's) single machine. However, I heard my beloved Zone Alarm firewalling will not work properly on a network, and I refuse to spend money. ;-) So, I am left with installing Redhat on my old T-bird 700 and put it out in front of my gaming machine and new server as a firewall and gateway server.

FWIW, I have nearly zero experience with Linux, but am a handy programmer. :)

So, my Redhat version is 5.2, using the 2.0.26 kernel. I understand that I should upgrade to the 2.2 kernel and use IPCHAINS to masquerade my networked machines. My question is, what methodology would you suggest that I use to install the firewall with the least amount of down time. This is the course that I anticipate taking:
(1) Configure the firewall with two Ethernet Pro 100 NICs, but leave the system off the network during initial installation. AT&T provides connectivity to a NIC based on its MAC address. When I call AT&T to connect to my firewall, I want to be damned sure it will work and is ready to go. So, for the initial install, my gaming rig will remain on the network and "active".
(2) Upgrade to the 2.2.19 kernel. With the gaming rig online, I should have little trouble pulling down files, burning them to CD, and installing them to the firewall.
(3) Configure the IPCHAINS script.
(4) Wire it up and call AT&T.

I don't want to use the NIC card that AT&T currently provides service to, as it is a 3Com card that I've read experiences crappazola performance in Linux. I suppose I could *test* connectivity with the 3Com card, before calling to switch over, but what the heck - AT&T reps need to earn their pay somehow. ;-)

Does this plan of action make sense? Are there any pitfalls I should be aware of?

Is there a place that will throw me a welcome to Linux party?

-DSP
 

Buddha Bart

Diamond Member
Oct 11, 1999
3,064
0
0
So there's 3 PC's involved here?

1.) Dell PowerEdge
2.) Athlon 700
3.) Unspecified but keeps-the-woman-happy desktop

right?

My first instinct would be, just run linux on the PowerEdge, and have that share the connection to the cable modem. If your games can't serve from linux (or you don't feel like learning how to set it up) you can always just use windows ICS to maintain the connection.

Why not set up the athlon as a desktop system for the lady? That way you can mutz with yours all you like.

Or you could always buy one of those cable/dsl routers

bart
 

thornc

Golden Member
Nov 29, 2000
1,011
0
0
SmoothWall should solve your problems!!

Just download the 20MB iso install read the INSTALL documentation and FAQ and that should be enough!
After you liked it so much, just get a normal machine to learn linux!!!

 
Jun 8, 2000
94
0
0
Ah, bart - yes. There are three PC's, but alas only one workstation with a 4-port KVM. I could easily set up a 2nd workstation with the old t-bird, but it wouldn't fit in aesthetically with the rest of the house. (i.e., I'm allowed to put a PC where no one can see it).

The third, undefined machine is described in "my rigs".

Not surprisingly, my first inclination was to put Linux on the Poweredge and allow it to serve as firewall/web server/RtCW/Roger Wilco host, etc. I understand that the risk of a security breach increases significantly with each application that runs on a firewall, however. Thus, I am in my current frame of mind: Dedicate the unused t-bird to firewalling and run the PowerEdge as a client underneath it serving all those "fun" apps on Win2K Server.

Thorn, I spotted those cookie-cutter firewall distributions, and even investigated the ol' floppy-running-Linux firewall system (called a micro-distribution). If I used one of those, though, I wouldn't get the experience of building my own - wouldn't really be able to call it "my firewall" - and probably suffer performance issues in the sack because of the implied decrease in my manhood. ;-)

-DSP
 

manly

Lifer
Jan 25, 2000
13,589
4,239
136
The version of Red Hat that you have is too ancient. Here's an analogy of what you're trying to do. You're trying to take the original Win95 retail and upgrade it manually to Win98SE. While it's theoretically possible with Linux (and not possible with Winblows), it ain't gonna happen.

So the best thing you can do is get an up-to-date version of Linux. Red Hat starting with version 7.1 or later has built-in firewalling scripts.

Honestly, I would recommend SuSE but you refuse to spend a dime. :p You can install SuSE for free over FTP though, but you can't download ISOs. SuSE has been shipping highly-functional, well-supported firewall scripts for ages now. You simply configure settings in a text file and start the firewall and it installs the proper ipchains (or iptables) rules. In general, I feel this convenience is indicative of SuSE as a whole. They build tools to make it easier to administrate the system.

Even a micro-distribution firewall as suggested will work fine. I just realized you're dedicating an Athlon 700 just for packet filtering and NAT, which is overkill. But that's the luxury some of us have these days with cheap CPU cycles.

You have all the tools and interest to pull this off. But honestly, besides the education factor, instead of having a dedicated machine just for packet filtering, I'd get a cheap SOHO broadband router. They're about $40 these days, give or take. You gain a lot in simplicity (hardware routers are plug & play); although with Linux, you can customize more advanced rules if necessary.

Finally, if you're gonna go through with this, study up!
 

EmperorRob

Senior member
Mar 12, 2001
968
0
0
I'll second what BingBong said.

On top of that you'll have to learn Linux, there is NO way around that.

Also get ready for headaches. B/c games + firewall = work. You're going to have to make sure that you redirect all traffic properly to your game server and not block the ports it uses to communicate. So buddy, you just put about 3 jobs into 1. :D

My advice to you goes like this:
1. Learn a little linux and IPTABLES
2. Play with your firewall once you have it working
3. Find out what ports your game server needs to have open

Step one will take you the longest.
 

Iron Woode

Elite Member
Super Moderator
Oct 10, 1999
31,398
12,872
136
A newer kernel would be better, but if you insist on using RH 5.2 then I suggest installing PMfirewall.

I have tried this combo on an old p166 and it worked great. It does the routing as well as firewalling.

give it a try.
 
Jun 8, 2000
94
0
0
Hey guys!

Thanks for all your support and advice. I see that most of you believe I'm setting myself up for failure by trying to pull this off by starting with the 2.0 kernel. Hmmm.... You may be quite correct! ;) Last night, *before* I read the forums here, I went ahead and installed Red Hat 5.2.

I then successfully compiled the 2.2.19 kernel, complete with the necessary modules Red Hat documents in their "upgrading yet Red Hat 5.2 to the 2.2 kernel" How-To. I compiled the kernel with all the configurations recommended in Mark Grennan's Firewall How-to (http://www.tldp.org/HOWTO/Firewall-HOWTO.html). I also typed up a quick IPCHAINS firewall per his document, enabled IP forwarding, and started pinging my neighbors. :) Success, right?

Here's the thing stabbing at my neck: From the firewall box, I can ping an internal machine and an external IP address. From the internal machines, I can ping the firewall and the external NIC, but I can not ping an external address - I figure this is a problem with my firewall script. EXCEPT: When I try to browse the internet from the firewall box, Netscape hangs up and the processor comes under heavy load. Do I have one problem or two?

I suppose I couldn't hope to "get it right the first time." I also suppose that this issue description might be far too vague to get any assistance. ;) I wonder, though - have I done something overly stupid that is obvious from what I've been able to describe?

Finally, I also have RH 7.0 laying around the house. I certainly could install that to begin with and move forward from there. I chose the 2.2 kernel, though, because some gaming friends had told me that the 2.4 kernel hadn't yet had some "game-friendly" modules ported to it.

Thanks for all your help! hehe - I must say, I had a hell of a good time last night futzin' around with this thing. :)

-DSP
 

Barnaby W. Füi

Elite Member
Aug 14, 2001
12,343
0
0


<< Hey guys!

Thanks for all your support and advice. I see that most of you believe I'm setting myself up for failure by trying to pull this off by starting with the 2.0 kernel. Hmmm.... You may be quite correct! ;) Last night, *before* I read the forums here, I went ahead and installed Red Hat 5.2.

I then successfully compiled the 2.2.19 kernel, complete with the necessary modules Red Hat documents in their "upgrading yet Red Hat 5.2 to the 2.2 kernel" How-To. I compiled the kernel with all the configurations recommended in Mark Grennan's Firewall How-to (http://www.tldp.org/HOWTO/Firewall-HOWTO.html). I also typed up a quick IPCHAINS firewall per his document, enabled IP forwarding, and started pinging my neighbors. :) Success, right?

Here's the thing stabbing at my neck: From the firewall box, I can ping an internal machine and an external IP address. From the internal machines, I can ping the firewall and the external NIC, but I can not ping an external address - I figure this is a problem with my firewall script. EXCEPT: When I try to browse the internet from the firewall box, Netscape hangs up and the processor comes under heavy load. Do I have one problem or two?

I suppose I couldn't hope to "get it right the first time." I also suppose that this issue description might be far too vague to get any assistance. ;) I wonder, though - have I done something overly stupid that is obvious from what I've been able to describe?

Finally, I also have RH 7.0 laying around the house. I certainly could install that to begin with and move forward from there. I chose the 2.2 kernel, though, because some gaming friends had told me that the 2.4 kernel hadn't yet had some "game-friendly" modules ported to it.

Thanks for all your help! hehe - I must say, I had a hell of a good time last night futzin' around with this thing. :)

-DSP
>>


make sure you have the gateways set up right for them. The firewall's external NIC's gateway should be the one from your ISP, the firewall's internal NIC should have no gateway, and the internal machine should have the firewall's internal NIC as its gateway.

and FWIW, my router/firewall runs 2.4/iptables and my g/f plays diablo II all day long with no problems, and i didnt have to do anything special to make it work. :D
 

mcveigh

Diamond Member
Dec 20, 2000
6,457
6
81
dude you got the cable modem, download a new distro, they have modern tools to make this all easier, besides a multitude of updates!
 

EmperorRob

Senior member
Mar 12, 2001
968
0
0
Firewall Machine
EXTERNAL_IP = <from ISP>
INTERNAL_IP = <your choice, 192.x.x.x>
GATEWAY = <from ISP>
NAMESERVERS = <from ISP>

Internal Machines
IP address = <your choice 192.x.x.x>
Gateway = INTERNAL_IP (this is from your Firewall Machine)
Nameservers = NAMESERVERS (also from your Firewall Machine)


You will have to manually set the nameservers on your internal machines. That is most likely the reason you can't ping external sites. If you can't ping external sites by their IP then you don't have the gateway on your internal machine set correctly.
 

Buddha Bart

Diamond Member
Oct 11, 1999
3,064
0
0
I understand that the risk of a security breach increases significantly with each application that runs on a firewall, however

It increases with each application, but it doesnt matter if its run on the firewall machine, or on a machine behind it. Basically, open ports are open ports.
The TCP/IP (and inherently firewalling) system is in the kernel, so before anything on the local system gets traffic, it goes through the firewalling rules. Just like before anything on a remote system. (say you're running apache, if you firewall connections from port 80, and then start trying to load your IP in a browser, apache will never even see the request).

As for your journey into linux, 2 words of advice
1.) Pick an easier distro, it'll save you a lot of headaches. You can get 'hard core' (which after 3 years of slackware i've determined is a euphemism for "stupid") later. Redhat has a huge userbase, good documentation, a heavily used package system, and just generally more likely that "somebody else already ran into this and sorted it out for you" factor.
2.) Learn the 'netstat' command and its meanings. Since you're gonna jump right into connection sharing, serving stuff, and writing your own firewall it's really important you check to see what ports are accepting connections, and that you want those ports accepting connections.

bart
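Bart's netstat advice, turned into a check: given the output of "netstat -an", which listening sockets are bound to an address the cable side could reach (anything that is not loopback and not the LAN-side NIC)? This is an added example, not code posted in the thread. The sample netstat output embedded below is constructed, and the LAN prefix 192.168.1. is an assumption.

```shell
#!/bin/sh
# exposed_listeners: which listening sockets could the outside world reach?
# Added example, not from the thread. Reads "netstat -an" output on stdin.
# Usage on the firewall:  netstat -an | exposed_listeners 192.168.1.
# The argument is the LAN prefix (assumed 192.168.1. here); sockets bound only
# to a LAN address or to loopback are not reachable from the cable side.
exposed_listeners() {
    awk -v lan="$1" '
        # TCP listeners carry a State column; a UDP socket with no peer is a listener.
        ($1 ~ /^tcp/ && $NF == "LISTEN") || ($1 ~ /^udp/ && $5 == "0.0.0.0:*") {
            split($4, a, ":")
            addr = a[1]
            if (addr == "127.0.0.1") next                  # loopback only
            if (lan != "" && index(addr, lan) == 1) next   # bound to the LAN NIC only
            print $1, $4                                   # 0.0.0.0 or the external address
        }'
}

# Constructed sample of "netstat -an" from a firewall box (not real output).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:22          192.168.1.2:1043        ESTABLISHED
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*
udp        0      0 192.168.1.1:67          0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*'

# sample_exposed: the check run over the constructed sample. On it, the web,
# portmapper and DNS sockets bound to 0.0.0.0 show up; sendmail on 127.0.0.1
# and dhcpd on the LAN address do not.
sample_exposed() {
    printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners 192.168.1.
}
```

Every line it prints is either a service you mean to offer from the firewall itself or something your input chain had better be blocking; compare the list against "ipchains -L input -n" and bind or shut down whatever is neither (the portmapper on 111 in the sample is the usual surprise).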
 

Barnaby W. Füi

Elite Member
Aug 14, 2001
12,343
0
0


<< You can get 'hard core' (which after 3 years of slackware i've determined is a euphemism for "stupid") later. >>


maybe if you're just *using* it, there's no sense in getting "hardcore", but if you're intent on learning, it's a must. i love learning stuff and plan on (hopefully) going into a career in this field, so i can never learn enough :p
 

Tanner

Diamond Member
Dec 15, 2001
7,391
0
0
<----- downloaded Freesco Floppy Router and made his life about 100x easier!
BingBongWongFooey <----- is "hardcore"
Buddha Bart <----- is "hardcore" too

end result for me, didn't learn nuthin' 'bout no Linux, but got a GREAT CHEAP firewall really quickly!

However, this gets me NO closer to my ultimate goal of building my own CLUSTER!!! :D man, I should really do that sometime ;) hmmm, maybe over this summer....
 

thornc

Golden Member
Nov 29, 2000
1,011
0
0


<< Thorn, I spotted those cookie-cutter firewall distributions, and even investigated the ol' floppy-running-Linux firewall system (called a micro-distribution). If I used one of those, though, I wouldn't get the experience of building my own - wouldn't really be able to call it "my firewall" - and probably suffer performance issues in the sack because of the implied decrease in my manhood. ;-) >>



ok, then you should do what everyone else says, get started learning basic linux stuff first, then learn about the kernel, then learn
tcp/ip, after that iptables. That should be enough!

Of course you could use my suggestion and set up an already-made firewall and learn from that; you could perhaps also use
the Mandrake Firewall distro, or some of those tiny mini.fit.in.a.disk distros...

Or better yet, make your own linux distro with LFS and you can say that everything is yours!!!
 
Jun 8, 2000
94
0
0
D'oh!!

I received signals last night that I'd best be watching "Dharma and Greg" on the couch with the wife instead of spending another night downstairs having fun with my new project. I did not get to apply any advice given yesterday, however I'm willing to bet that my connectivity problems are related to the gateway tip from Bong and Rob. I left the external gateway blank, figuring somehow that my ISP would provide it via DHCP. Hey, don't laugh - I'm a networking newbie. :)

It is my intention to become "hardcore" into Linux. We're converting our systems from VAX VMS to Sun Solaris at work, so I have no choice. This firewalling project is my own personal "training project," in many ways. FWIW, I'm comfortable with the command line - just damned clueless with the network stuff. I will make it a point to research netstat and the ins and outs of port logging today.

Thanks *SO MUCH* for your help! :)

-DSP
 
Jun 8, 2000
94
0
0
Hey! I've surfed here from one of my internal machines! SUCCESS!!! :)

Well, almost - I still can't surf the internet from the firewall machine.

And, I have to use the DNS server installed on my Win2K machine to surf anything.

I'm getting DNS errors surfing on the firewall machine, even though it appears that my ISP is assigning a DNS server name. I'm *almost* there!! Any advice on how to resolve this current issue?

Thanks!

-DSP
 

Buddha Bart

Diamond Member
Oct 11, 1999
3,064
0
0
take a peek in /etc/resolv.conf

if its got nothing, or you don't like what its got, just put it in yourself

<config file>
nameserver ip.add.of.server1
nameserver ip.add.of.server2
</configfile>

(without my little <configfile> tags, i'm just trying to show its a 2 line txt file)

bart
 

EmperorRob

Senior member
Mar 12, 2001
968
0
0
You're running Red Hat, right? If so these commands are very helpful. You'll have to type the absolute path, however:

/etc/init.d/network stop
/etc/init.d/network start
/etc/init.d/network restart
(stops and then starts again)

By default when you start your network services, linux should put your DNS server names and IPs into the /etc/resolv.conf file. From there however you will have to copy that information onto all your internal machines since they can't directly query your ISP.

You should also be very careful in your firewall rules that you don't block incoming DNS or HTTP traffic on your INPUT or FORWARD tables. I believe DNS is port 42 and HTTP is 53.
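An ipchains rule set for the two-NIC, 2.2-kernel box the thread is about, covering the masquerading the original poster set out to do, the port redirection to the game server EmperorRob warned about earlier, and the DNS and HTTP traffic discussed just above. This is an added example, not a script posted by anyone in the thread; the rules use the standard IANA assignments, UDP/TCP 53 for DNS and TCP 80 for HTTP. It masquerades the LAN, lets replies back in past a deny-by-default input chain, and forwards the web and game ports to the server behind the firewall with ipmasqadm portfw, the port-forwarding tool of the 2.2 masquerading code. Interface names, the 192.168.1.0/24 range, the server address and the game port are assumptions to adjust; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# ipchains firewall + masquerading for a two-NIC box on a 2.2 kernel.
# Added example, not a script posted in the thread. Interface names, the LAN
# range, the server address and the game port are assumptions; adjust them.
#   sh fw.sh apply              apply the rules (as root)
#   DRY_RUN=1 sh fw.sh apply    only print what would be run

EXT_IF=${EXT_IF:-eth0}              # NIC on the cable modem
INT_IF=${INT_IF:-eth1}              # NIC on the LAN
LAN=${LAN:-192.168.1.0/24}          # private range behind the firewall (assumed)
GAME_SRV=${GAME_SRV:-192.168.1.2}   # the PowerEdge, behind the firewall (assumed)
GAME_PORT=${GAME_PORT:-27960}       # RtCW listen port (assumed; check the server's own config)
WEB_PORT=80                         # standard HTTP port; DNS answers come from port 53 below

# run CMD...: execute, or just print under DRY_RUN.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# set_proc FILE VALUE: set a /proc/sys knob (the 2.2 way, no sysctl needed).
set_proc() {
    if [ -n "${DRY_RUN:-}" ]; then echo "echo $2 > $1"; else echo "$2" > "$1"; fi
}

# ext_ip: the address DHCP gave the external NIC (old ifconfig output format).
ext_ip() {
    if [ -n "${DRY_RUN:-}" ]; then echo EXT_IP; return 0; fi
    ifconfig "$EXT_IF" | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p'
}

fw_apply() {
    ext=$(ext_ip)
    [ -n "$ext" ] || { echo "no address on $EXT_IF; bring it up first" >&2; return 1; }

    # Forwarding on, reverse-path filter on (cheap anti-spoofing), and
    # reassemble fragments before the masquerading code looks at them.
    set_proc /proc/sys/net/ipv4/ip_forward 1
    set_proc /proc/sys/net/ipv4/conf/all/rp_filter 1
    set_proc /proc/sys/net/ipv4/ip_always_defrag 1

    # Clean slate, deny by default for anything entering or crossing the box.
    run ipchains -F
    run ipchains -X
    run ipchains -P input DENY
    run ipchains -P forward DENY
    run ipchains -P output ACCEPT

    # Loopback and the LAN side are trusted.
    run ipchains -A input -i lo -j ACCEPT
    run ipchains -A input -i "$INT_IF" -s "$LAN" -j ACCEPT

    # Packets from the cable side claiming a LAN or loopback source are spoofed: log and drop.
    run ipchains -A input -i "$EXT_IF" -s "$LAN" -l -j DENY
    run ipchains -A input -i "$EXT_IF" -s 127.0.0.0/8 -l -j DENY

    # ipchains has no connection tracking, so replies are recognised by shape:
    # TCP without SYN (connections we opened), UDP from port 53 (DNS answers),
    # ICMP (ping replies, unreachables, path-MTU), and the ISP's DHCP answers.
    run ipchains -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p udp -s 0/0 53 -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p icmp -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p udp -s 0/0 67 -d 0/0 68 -j ACCEPT

    # Services deliberately exposed: new HTTP connections and the game port,
    # both addressed to our external IP and handed to the PowerEdge below.
    run ipchains -A input -i "$EXT_IF" -p tcp -d "$ext" $WEB_PORT -y -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p udp -d "$ext" $GAME_PORT -j ACCEPT

    # Anything else arriving on the cable side is logged as it is dropped.
    run ipchains -A input -i "$EXT_IF" -l -j DENY

    # Masquerade LAN traffic leaving on the external NIC (on the forward chain,
    # -i names the interface the packet goes OUT on), and let the forwarded
    # service traffic reach the server.
    run ipchains -A forward -i "$EXT_IF" -s "$LAN" -j MASQ
    run ipchains -A forward -i "$INT_IF" -d "$GAME_SRV" -j ACCEPT

    # Port-forward the exposed services to the PowerEdge (ipmasqadm, the 2.2 masq tools).
    run ipmasqadm portfw -f
    run ipmasqadm portfw -a -P tcp -L "$ext" $WEB_PORT -R "$GAME_SRV" $WEB_PORT
    run ipmasqadm portfw -a -P udp -L "$ext" $GAME_PORT -R "$GAME_SRV" $GAME_PORT
}

if [ "${1:-}" = "apply" ]; then
    fw_apply
fi
```

Because ipchains is stateless, the "! -y" rule admits any non-SYN TCP segment from outside; that is as good as a 2.2 kernel gets, and it is one reason the 2.4/iptables setups mentioned in this thread are easier to get right, since connection tracking replaces these by-shape rules. Watch the kernel log after applying: a DENY with -l on every packet a LAN client cannot get through is the quickest way to find a missing reply rule.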
 

mcveigh

Diamond Member
Dec 20, 2000
6,457
6
81
I can't remember how it's supposed to read, but you are using the firewall to NAT the other boxes, right?

there is a line in your dhcpd config file that tells what dns servers to give the client machines. set that up right and all should be good
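The addressing rules Barnaby and Rob spelled out (external NIC takes the ISP's gateway, internal NIC has none, clients use the firewall's internal address as gateway), Bart's and Rob's /etc/resolv.conf notes, and mcveigh's dhcpd line, written out as the Red Hat config files they correspond to: /etc/sysconfig/network, the ifcfg-* files under /etc/sysconfig/network-scripts, and /etc/dhcpd.conf. This is an added example, not something posted in the thread; the 192.168.1.x addresses, the hostname and the lease range are assumptions. The dhcpd function copies whatever nameservers the DHCP client left in the firewall's /etc/resolv.conf, so LAN clients get the ISP's resolvers from the lease instead of by hand.

```shell
#!/bin/sh
# Red Hat network configuration for the two-NIC firewall plus a dhcpd.conf for
# the LAN clients. Added example, not from the thread. The 192.168.1.x
# addresses, the hostname and the lease range are assumptions.
#   sh netconf.sh write          write the files under / (as root)
#   write_netconfig /tmp/x       write them under a scratch directory to inspect first

EXT_IF=${EXT_IF:-eth0}       # cable side: the ISP's DHCP lease supplies address, gateway, nameservers
INT_IF=${INT_IF:-eth1}       # LAN side: static, and deliberately WITHOUT a gateway
INT_IP=192.168.1.1
LAN_NET=192.168.1.0
LAN_MASK=255.255.255.0
LAN_BCAST=192.168.1.255
LEASE_FROM=192.168.1.100     # assumed address pool for the LAN clients
LEASE_TO=192.168.1.150

# write_netconfig ROOT: the firewall's own interface configuration.
write_netconfig() {
    root=${1:-/}
    mkdir -p "$root/etc/sysconfig/network-scripts"
    # No GATEWAY line anywhere: the only default route is the one the lease on $EXT_IF provides.
    cat > "$root/etc/sysconfig/network" <<EOF
NETWORKING=yes
HOSTNAME=firewall
FORWARD_IPV4=yes
EOF
    cat > "$root/etc/sysconfig/network-scripts/ifcfg-$EXT_IF" <<EOF
DEVICE=$EXT_IF
BOOTPROTO=dhcp
ONBOOT=yes
EOF
    cat > "$root/etc/sysconfig/network-scripts/ifcfg-$INT_IF" <<EOF
DEVICE=$INT_IF
BOOTPROTO=static
IPADDR=$INT_IP
NETMASK=$LAN_MASK
NETWORK=$LAN_NET
BROADCAST=$LAN_BCAST
ONBOOT=yes
EOF
}

# isp_nameservers ROOT: the resolver addresses the DHCP client wrote into
# /etc/resolv.conf on the firewall, comma-separated the way dhcpd wants them.
isp_nameservers() {
    awk '$1 == "nameserver" { s = s (s ? ", " : "") $2 } END { print s }' \
        "${1:-/}/etc/resolv.conf" 2>/dev/null
}

# write_dhcpd ROOT: hand LAN clients an address, the firewall's LAN address as
# their gateway and the ISP's resolvers, so nothing is typed into each client.
write_dhcpd() {
    root=${1:-/}
    ns=$(isp_nameservers "$root")
    if [ -z "$ns" ]; then
        echo "no nameservers in $root/etc/resolv.conf; bring up $EXT_IF first" >&2
        return 1
    fi
    cat > "$root/etc/dhcpd.conf" <<EOF
# generated; start dhcpd on $INT_IF only, never on the cable side
subnet $LAN_NET netmask $LAN_MASK {
    range $LEASE_FROM $LEASE_TO;
    option routers $INT_IP;
    option domain-name-servers $ns;
    option broadcast-address $LAN_BCAST;
    default-lease-time 86400;
    max-lease-time 172800;
}
EOF
}

if [ "${1:-}" = "write" ]; then
    write_netconfig / && write_dhcpd /
fi
```

Point write_netconfig at a scratch directory first and read what it produced; on the firewall run it against /, then "/etc/rc.d/init.d/network restart", and only once /etc/resolv.conf has been filled in by the lease run write_dhcpd (it refuses to write a dhcpd.conf with no nameservers, which would reproduce exactly the "can ping by IP, DNS errors on everything else" symptom from earlier in the thread).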