Configuring Network Interface Cards on Fedora
You have installed Fedora Linux on your firewall box, and now you're ready to give your network interface cards their final, working configurations.
Fedora gives each network interface a separate configuration file. You'll be editing /etc/ sysconfig/network-scripts/ifcfg-eth0 and /etc/sysconfig/network-scripts/ifcfg-eth1.
First, configure the LAN interface with a static IP address appropriate for your private addressing scheme. Don't use DHCP to assign the LAN address.
Configure the WAN interface with the account information given to you by your ISP. These examples show how to set a static local IP address and a dynamic external IP address.
Do not connect the WAN interface yet.
In this example, eth0 is the LAN interface and eth1 is the WAN interface:
##/etc/sysconfig/network-scripts/ifcfg-eth0 #use your own MAC address and LAN addresses DEVICE=eth0 HWADDR=11:22:33:44:55:66 BOOTPROTO=none ONBOOT=yes NETMASK=255.255.255.0 IPADDR=192.168.1.23 NETWORK=192.168.1.0 USERCTL=no ##/etc/sysconfig/network-scripts/ifcfg-eth1 #use your real MAC address DEVICE=eth1 HWADDR=AA:BB:CC:DD:EE:FF BOOTPROTO=dhcp USERCTL=no
How do you get the MAC addresses and interface names? Run ifconfig -a:
$ ifconfig -a eth0 Link encap:Ethernet HWaddr 00:0B:6A:EF:7E:8D [...]
And that's all you need to do, because you'll get all your WAN configurations from your ISP's DHCP server.
If your WAN address is a static IP address, configure the WAN NIC the same way as the LAN address using the information supplied by your ISP. This should include your ISP's gateway address, and your static IP address and netmask. Then, add your ISP's DNS servers to /etc/resolv.conf:
##/etc/resolv.conf nameserver 126.96.36.199 nameserver 188.8.131.52
Restart networking or reboot, and you're ready for the next steps.
The LAN IP address of your firewall is the gateway address you'll be setting on all of your LAN PCs, so don't complicate your life by using a dynamically assigned address.
Routers typically run headless, without a keyboard or monitor. If your Ethernetworking gets all goofed up, the serial console will save the day.
Every Linux distribution comes with a number of graphical network configuration tools. Feel free to use these, though it's always good to understand the underlying text configuration files and scripts.
When you have two NICs on a Linux box, they are usually brought up in the same order on boot, and given the same names (e.g., eth0, eth1, etc.). But sometimes, the order is reversed, which will render your nice firewall box useless, so binding the device names to their MAC addresses ensures that the configurations always stay put. That's what the DEVICE directive is for.
You can even give your interfaces names of your own choosing, like "lan" and "wan." You may also rename the configuration file to help you remember, like /etc/sysconfig/ network-scripts/ifcfg-lan. You must use "ifcfg" in the filename, or it won't work.
This is what the configuration options mean:
Name of the physical device.
The real MAC address of the NIC. Don't confuse this with MACADDR, because MACADDR assigns a new MAC address, overriding the existing one. Why would you want to change a MAC address? There aren't many legitimate reasons, though it is a good reminder to see how easy it is to spoof a MAC address, and why you should not rely on MAC addresses as secure identifiers.
Boot protocol, which is none, dhcp, or bootp.
Bring the NIC up at boot, yes or no.
Address mask for your network. Unfortunately, CIDR addressing is not yet supported.
The IP address that you choose for the NIC.
Allow unprivileged users to control the NIC, yes or no.
Broadcast addresses are automatically calculated with ifcalc, so it's not necessary to specify them.
In this tutorial:
- Building a Linux Firewall
- Iptables and NAT, SNAT, and DNAT
- Assembling a Linux Firewall Box
- Configuring Network Interface Cards on Debian
- Configuring Network Interface Cards on Fedora
- Identifying Which NIC Is Which
- Building an Internet-Connection Sharing Firewall on a Dynamic WAN IP Address
- Building an Internet-Connection Sharing Firewall on a Static WAN IP Address
- Displaying the Status of Your Firewall
- Turning an iptables Firewall Off
- Starting iptables at Boot, and Manually Bringing Your Firewall Up and Down
- Testing Your Firewall
- Configuring the Firewall for Remote SSH Administration
- Allowing Remote SSH Through a NAT Firewall
- Multiple SSH Host Keys Past NAT
- Running Public Services on Private IP Addresses
- Setting Up a Single-Host Firewall
- Setting Up a Server Firewall
- Configuring iptables Logging
- Writing Egress Rules