Network configuration.

Work in progress.
Time to configure the server to become a router.
Type this command at the prompt.

sudo aptitude install bind9 dhcp3-server perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl libmd5-perl

Enter the password for the user you created.
This installs everything that is needed for NAT routing. Now we need to install Webmin.
First add Webmin to your sources.list by typing this line:

sudo nano /etc/apt/sources.list

Then at the bottom of the file add these lines.

deb http://download.webmin.com/download/repository sarge contrib
deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib


Download the key by typing this.

sudo su
cd /root
wget http://www.webmin.com/jcameron-key.asc

apt-key add jcameron-key.asc

You will now be able to install it with these commands:

sudo apt-get update
sudo apt-get install webmin

All dependencies should be resolved automatically.

Configuring the network cards

To find out what network cards you have in your system, run the command:

ifconfig -a

You might see quite a few interfaces here depending on your system; the only ones you need to worry about are the Ethernet interfaces (the ones called something like ethXX). They will usually be labelled eth0 and eth1 but might be any numbers, so from now on I will refer to them as eth_BAD and eth_SAFE. eth_BAD is the internet-facing adapter, eth_SAFE is the local network adapter. It is a good idea to write down which one is which because you will be referring to them often.
For me it's like this.
  • eth0 = eth_BAD = Internet.
  • eth1 = eth_SAFE = My safe LAN.
We will set up routing first using the very powerful and flexible Linux firewall, iptables.

It is important to note that if you make a mistake here you could completely disable all networking, which would cut off your access to the internet and also stop you from accessing webmin to fix the problem. If you run into difficulties, there are some commands at the end of this guide which you can use to fix the problem.

Ok, now we need to enable packet forwarding, otherwise NAT will not work. You can do this by editing the following file:

sudo cp /etc/sysctl.conf /etc/sysctl.conf.bak && sudo nano /etc/sysctl.conf

Hit ctrl+w to search, type net.ipv4.ip_forward and press enter. Make sure the line reads net.ipv4.ip_forward=1 and is uncommented. It should now look like this:

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

Press ctrl+o to save and ctrl+x to exit. Now reboot to turn on packet forwarding.
At this stage, your new server/gateway should be getting its internet access through eth_BAD. If your internet doesn't work through eth_BAD, go make it work, then come back when you have.

You can now access Webmin from a client PC by going to the IP of your eth_BAD, for example https://192.168.0.100:10000. Note the https at the beginning and the port 10000 at the end. If you are using Firefox you will need to add a security exception. This isn't insecure in itself; the warning appears because Webmin uses a self-signed certificate that your browser cannot verify. Once you have logged in you should see a splash screen like this:


We now need to set a static IP address for our local network on eth_SAFE. On the left menu click "Networking" then "Network Configuration".

Go to "Network Interfaces".

I will use 192.168.0.1/24 for the purposes of this guide. This is the standard IP range to use for local home networks. Go to the "Interfaces Activated at Boot Time" tab and, if eth_SAFE is already listed, click it to configure it. If it isn't there (it probably isn't) then click "Add a new interface". Enter the following details:

"Name" - eth1
"IP Address" - Make sure the "Static" radio button is checked, and enter 192.168.0.1 into the text box.
"Netmask" - Should be 255.255.255.0
"Broadcast" - 192.168.0.255
"Activate at boot?" - Set to yes

Then click "Create". Check the radio button next to the new interface you created and click "Apply" to activate those settings. Great! The two network interfaces are now totally configured.


Setting up the local network

Giving eth_SAFE a static IP address is only part of what we need to do to set up a local network on that interface. We also need to provide a caching DNS server and a DHCP server to tell clients the necessary information about the local network and how to resolve domain names.

Configuring DHCP

We will set up DHCP first. Go to the "Servers" tab on the left in Webmin, and click "DHCP Server". In the subnets section at the top, click "Add a new subnet". Enter details as follows:

"Subnet description" - A name for your subnet; I used "Local network on eth1"
"Network address" - 192.168.0.1
"Netmask" - 255.255.255.0
"Address ranges" - this can be anything you like; 192.168.0.100 - 192.168.0.200 should cover it.

Leave all the other options alone and click "Create". A new icon called 192.168.0.0 should now have appeared. Click this icon; you will be returned to a screen similar to the one you just left, except it has some new buttons at the bottom. Click the one that says "Edit Client Options".

"Subnet mask" - 255.255.255.0
"Default routers" - 192.168.0.1
"Broadcast address" - 192.168.0.255
"DNS servers" - 192.168.0.1

Click "Save" and then "Save" again. One last thing to do on this page - scroll down and click "Edit Network Interface". Select eth_SAFE from the list and click "Save".

The DHCP server is now set up. Click the "Start Server" button at the bottom of the page; the server should start with no errors. If it gives errors, you've done something wrong.
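As an added check (example script, not part of the guide or of Webmin), the following POSIX shell validates the subnet values entered above before the server is started, rejecting a "Network address" with host bits set, a range that falls outside the subnet, or a router address inside the dynamic range, and then prints the ISC dhcpd subnet declaration those Webmin form fields correspond to. The addresses are the ones used in this guide.

```shell
#!/bin/sh
# Added example (not from the guide or Webmin): sanity-check the DHCP
# subnet values before clicking "Start Server", then print the ISC dhcpd
# subnet declaration those Webmin form fields correspond to.
# Dotted quad -> 32-bit integer, using only POSIX sh arithmetic.
ip2int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}
# check_subnet NETWORK NETMASK RANGE_START RANGE_END ROUTER
# Prints "ok" and returns 0, or prints the problem and returns 1.
check_subnet() {
  net=$(ip2int "$1"); mask=$(ip2int "$2")
  lo=$(ip2int "$3"); hi=$(ip2int "$4"); gw=$(ip2int "$5")
  # dhcpd wants the network address itself (192.168.0.0), not a host in it.
  if [ $(( $net & $mask )) -ne "$net" ]; then
    echo "bad network address: use $(int2ip $(( $net & $mask )))"; return 1
  fi
  # Both ends of the dynamic range must lie inside the subnet, in order.
  if [ $(( $lo & $mask )) -ne "$net" ] || [ $(( $hi & $mask )) -ne "$net" ] ||
     [ "$lo" -gt "$hi" ]; then
    echo "range not inside subnet"; return 1
  fi
  # The router's static address must not be handed out to clients.
  if [ "$gw" -ge "$lo" ] && [ "$gw" -le "$hi" ]; then
    echo "router address lies inside the dynamic range"; return 1
  fi
  echo ok
}
# dhcpd_fragment NETWORK NETMASK RANGE_START RANGE_END ROUTER BROADCAST
dhcpd_fragment() {
  cat <<EOF
subnet $1 netmask $2 {
  range $3 $4;
  option routers $5;
  option subnet-mask $2;
  option broadcast-address $6;
  option domain-name-servers $5;
}
EOF
}
# Values from the guide: 192.168.0.0/24, pool .100-.200, router and DNS .1
check_subnet 192.168.0.0 255.255.255.0 192.168.0.100 192.168.0.200 192.168.0.1 &&
  dhcpd_fragment 192.168.0.0 255.255.255.0 192.168.0.100 192.168.0.200 192.168.0.1 192.168.0.255
```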

Ok, all done! On to...

Configuring the DNS server

The DNS server works out of the box; it doesn't actually NEED any additional configuration.


Configuring the firewall (or "Why I stopped worrying and learned to love IPtables")


Setting up ip masquerading (routing)

Now we get to the "fun" part where we dive into iptables. From now on you can completely screw up your networking if you aren't careful, so make sure you know how to recover if it all goes horribly wrong.

On the left hand side, click "Linux Firewall". Check the radio button for "Do network address translation on external interface" and select eth_BAD as the interface to do it on. Check the box "Enable firewall at boot time" and click "Setup Firewall". Click "Apply Configuration".

SCREENSHOT: Setting up the firewall

Setting up the firewall

At this point your server is configured as a working router/dns/dhcp server. It should work ok in this setup for everything you need it to do but it isn't properly secured. We need to define some rules that say who can make connections to our pc. We don't want just anybody from the big bad internet tapping into our home file shares for example. We do this by using iptables filtering.

The Linux firewall works with three IP tables: MANGLE, PREROUTING and FILTER. The actual firewalling bit is done with FILTER, so at the top of the "Linux Firewall" section of Webmin, change the IPtable drop-down box from "Network address translation (nat)" to the "Packet Filtering (filter)" IPtable.

SCREENSHOT: IPtables FILTER table

There are three "chains" listed here. Each chain defines what to do with a packet depending on where it is going. The three chains here are INPUT, FORWARD and OUTPUT. For each chain you can add rules that tell the firewall what to do for packets that meet certain defined criteria.

To add a rule, just click the "Add Rule" button and fill in the packet criteria and action to take as necessary.

Here is the bare minimum of rules that you NEED for your network to function properly:

Incoming packets (INPUT) - Only applies to packets addressed to this host

  • Accept if protocol is ICMP (note: this allows your server to respond to pings. It isn't strictly necessary, but it doesn't really pose a security risk and makes network troubleshooting a LOT easier. If you're extremely paranoid, feel free not to bother with this option.)
  • Accept if protocol is TCP and destination port is 22
  • Accept if protocol is TCP and destination port is 80
  • Accept if protocol is TCP and destination port is 10000 (note: this is a bad idea, since it opens Webmin to the menacing internet, but I'll keep this rule in order to continue configuring the router over eth_BAD.)
  • Accept if input interface is lo
  • Accept if input interface is eth1
  • Accept if input interface is eth1 and state of connection is ESTABLISHED,RELATED

Forwarded packets (FORWARD) - Only applies to packets passed through this host

  • Accept if input interface is eth_SAFE and output interface is eth_BAD
  • Accept if input interface is eth_BAD and output interface is eth_SAFE and state of connection is ESTABLISHED,RELATED

You will probably want to blacklist all INPUT and FORWARD packets by default, then enable only the ones you need. Change the default action on both INPUT and FORWARD to "Drop".


The above rules implement a very simple firewall that allows absolutely nothing in from the outside world unless it is part of an established connection. It also assumes the internal network is completely trusted and allows unfettered access to the server and outside world from the internal network. This is the default setting for pretty much every NAT device ever.
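The same rule set written as a plain iptables script, as an added example that is not from the guide or from Webmin: it assumes eth0 is eth_BAD and eth1 is eth_SAFE, only prints the commands unless run with --apply so they can be reviewed first, and matches ESTABLISHED,RELATED on eth_BAD rather than eth1 (a deliberate deviation from the list above) so that replies to the server's own outgoing connections, such as apt and DNS lookups, are let back in under a default DROP policy.

```shell
#!/bin/sh
# Added example (not from the guide or Webmin): the INPUT/FORWARD/NAT
# rules described above as iptables commands. Interface names are assumed:
# eth0 = eth_BAD (internet), eth1 = eth_SAFE (trusted LAN).
BAD="${BAD:-eth0}"
SAFE="${SAFE:-eth1}"

# gen_rules BAD_IF SAFE_IF : print one iptables invocation per line.
gen_rules() {
  bad="$1"; safe="$2"
  # Start from empty chains so re-running the script is idempotent.
  echo "iptables -F INPUT"
  echo "iptables -F FORWARD"
  echo "iptables -t nat -F POSTROUTING"
  # Default deny for traffic to this host and traffic routed through it.
  echo "iptables -P INPUT DROP"
  echo "iptables -P FORWARD DROP"
  # INPUT: what the host itself accepts.
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -p icmp -j ACCEPT"
  echo "iptables -A INPUT -i $safe -j ACCEPT"
  # Replies to connections this host opened arrive on the external side,
  # so the ESTABLISHED,RELATED match is placed on $bad (not on $safe).
  echo "iptables -A INPUT -i $bad -m state --state ESTABLISHED,RELATED -j ACCEPT"
  # Ports the guide opens on every interface; 10000 is Webmin, which the
  # guide itself flags as unwise to expose on eth_BAD.
  for port in 22 80 10000; do
    echo "iptables -A INPUT -p tcp --dport $port -j ACCEPT"
  done
  # FORWARD: LAN out to the internet, and only replies back in.
  echo "iptables -A FORWARD -i $safe -o $bad -j ACCEPT"
  echo "iptables -A FORWARD -i $bad -o $safe -m state --state ESTABLISHED,RELATED -j ACCEPT"
  # NAT: masquerade everything leaving on the external interface.
  echo "iptables -t nat -A POSTROUTING -o $bad -j MASQUERADE"
}

# Number of TCP ports accepted without an interface restriction,
# i.e. reachable from eth_BAD; useful to review before applying.
count_exposed_ports() {
  gen_rules "$1" "$2" | grep -c -- '-p tcp --dport'
}

if [ "$1" = "--apply" ]; then
  gen_rules "$BAD" "$SAFE" | sh -e     # needs root
else
  gen_rules "$BAD" "$SAFE"             # dry run: show what would be applied
fi
```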

At this point you are effectively finished. You can simply leave your server as a simple router with no other rules. It is very secure and will work fine for most purposes.