Configuring Network Interface Cards on Debian
You have installed Debian Linux on your firewall box, so you're ready to configure your network interface cards.
In Debian, you'll edit /etc/network/interfaces and /etc/iftab. /etc/iftab is part of the ifrename package.
First, configure the LAN NIC with a static IP address appropriate for your private addressing scheme. Don't use DHCP to assign the LAN address. Configure the WAN interface with the account information given to you by your ISP. These examples show you how to set a static local IP address and a dynamic external address.
Do not connect the WAN interface yet.
In this example, eth0 is the LAN interface, and eth1 is the WAN interface:
##/etc/network/interfaces # The loopback network interface auto lo iface lo inet loopback #lan interface auto eth0 iface eth0 inet static address 192.168.1.26 netmask 255.255.255.0 network 192.168.1.0 broadcast 192.168.1.255 #wan interface auto eth1 iface eth1 inet dhcp
If your WAN address is a static public routable IP address, configure the WAN interface using the information supplied by your ISP. This should include your ISP's gateway address, and your static IP address and netmask, like this:
auto eth1 iface eth1 inet static address 184.108.40.206 netmask 255.255.255.0 gateway 220.127.116.11
Then, add your ISP's DNS servers to /etc/resolv.conf (don't do this for a DHCP WAN address):
##/etc/resolv.conf nameserver 18.104.22.168 nameserver 22.214.171.124
There is one more step just for Debian: nail down the interface names with ifrename. First, find the MAC addresses of your interfaces with ifconfig -a:
$ ifconfig -a eth0 Link encap:Ethernet HWaddr 00:0B:6A:EF:7E:8D [...]
The MAC address is the HWaddr. Enter your two MAC addresses and interface names in /etc/iftab:
##/etc/iftab eth0 mac 11:22:33:44:55:66 eth1 mac aa:bb:cc:dd:ee:ff
If /etc/iftab does not exist, you must create it.
The LAN address of your firewall is the gateway address you'll be setting on all of your LAN PCs, so don't complicate your life by using a dynamically assigned address.
Using ifrename is the easiest way to make sure your network cards keep the correct configurations on Debian systems. Usually, interfaces will come up in the same order, and the kernel will assign them the same names, but sometimes this can change (e.g., after a kernel upgrade or adding another network card). Your nice Linux firewall won't work with the network interfaces mixed up, so it is best to nail them down. An additional bonus is you can easily name your interfaces anything you want with ifrename. You might give them descriptive names like "lan" and "wan," instead of eth0 and eth1.
Routers typically run headless, without a keyboard or monitor. If your Ethernetworking gets all goofed up, and you cannot log in to your router, the serial console will save the day.
Start the NIC when ifup -a is run, typically in boot scripts. Interfaces are brought up in the order they are listed. You may bring interfaces up and down manually with ifup and ifdown, like ifdown eth0 and ifup eth0.
Name of the interface.
The name of the address family; inet = IPv4. Other choices are ipx and inet6.
The name of the method used to configure the interface, either static or dhcp. Other choices are manual, bootp, ppp, and wvdial. manual lets you pass in configurations using scripts, or with the up and down commands. bootp receives configurations from a remote boot server, and ppp and wvdial are for modems.
In this tutorial:
- Building a Linux Firewall
- Iptables and NAT, SNAT, and DNAT
- Assembling a Linux Firewall Box
- Configuring Network Interface Cards on Debian
- Configuring Network Interface Cards on Fedora
- Identifying Which NIC Is Which
- Building an Internet-Connection Sharing Firewall on a Dynamic WAN IP Address
- Building an Internet-Connection Sharing Firewall on a Static WAN IP Address
- Displaying the Status of Your Firewall
- Turning an iptables Firewall Off
- Starting iptables at Boot, and Manually Bringing Your Firewall Up and Down
- Testing Your Firewall
- Configuring the Firewall for Remote SSH Administration
- Allowing Remote SSH Through a NAT Firewall
- Multiple SSH Host Keys Past NAT
- Running Public Services on Private IP Addresses
- Setting Up a Single-Host Firewall
- Setting Up a Server Firewall
- Configuring iptables Logging
- Writing Egress Rules