Assembling a Linux Firewall Box
You want to build your own Internet firewall box for your cable or DSL Internet line, on ordinary x86 hardware, using your favorite Linux distribution. You want Internet connection sharing and a firewall, and you need to know what hardware components to use. You already have installation disks, or some other method of installing the operating system.
The Linux distribution you want to use determines your hardware requirements. Some distributions require more horsepower than others, so don't assume you can use some feeble old antique PC without checking. This tutorial's Introduction lists a number of specialized firewall distributions.
You'll need these items to build and set up your firewall box:
- A PC with at least two Ethernet interfaces
- A second PC and a crossover cable for testing
You'll connect only the LAN interface until your firewall has been installed and configured.
Go ahead and install your chosen Linux distribution, then follow this tutorial to configure your network interfaces and firewall.
Install net-tools and Nmap because you will use them a lot in this tutorial. They should also be installed on a second PC for testing. Debian users will also need to install the ifrename package.
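Before going further, it helps to confirm the box meets the requirements listed above: at least two wired NICs, only the LAN side cabled, and the tools installed. The following pre-flight script is an added example, not part of the original tutorial; it assumes a Linux box with sysfs and takes the sysfs net directory as a parameter so it can also run against a constructed tree.

```shell
#!/bin/sh
# Pre-flight check for a two-NIC firewall box (added example, not the tutorial's own code).
# Assumes Linux with sysfs; the sysfs net directory is a parameter (default /sys/class/net).

# Count wired Ethernet interfaces: type 1 is ARPHRD_ETHER; skip loopback and
# wireless NICs (which have a "wireless" subdirectory).
count_wired_ifaces() {
    sysnet=${1:-/sys/class/net}
    n=0
    for dev in "$sysnet"/*; do
        [ -e "$dev" ] || continue
        case ${dev##*/} in lo) continue ;; esac
        [ -d "$dev/wireless" ] && continue
        [ "$(cat "$dev/type" 2>/dev/null)" = "1" ] || continue
        n=$((n + 1))
    done
    echo "$n"
}

# List wired interfaces with a cable plugged in (carrier = 1). While setting up,
# only the LAN interface should be cabled, so expect exactly one name here.
linked_ifaces() {
    sysnet=${1:-/sys/class/net}
    for dev in "$sysnet"/*; do
        [ "$(cat "$dev/type" 2>/dev/null)" = "1" ] || continue
        [ "$(cat "$dev/carrier" 2>/dev/null)" = "1" ] && echo "${dev##*/}"
    done
    return 0
}

# Print each named command that is not on PATH (ifconfig comes from net-tools).
missing_tools() {
    for t in "$@"; do command -v "$t" >/dev/null 2>&1 || echo "$t"; done
}

# Constructed sysfs tree for a dry run: lo, two wired NICs, one wireless; only eth0 linked.
make_fake_sysnet() {
    root=$(mktemp -d)
    for i in lo eth0 eth1 wlan0; do mkdir -p "$root/$i"; done
    echo 772 > "$root/lo/type"
    for i in eth0 eth1 wlan0; do echo 1 > "$root/$i/type"; echo 0 > "$root/$i/carrier"; done
    echo 1 > "$root/eth0/carrier"
    mkdir "$root/wlan0/wireless"
    echo "$root"
}

if [ "${1:-}" = "--check" ]; then
    echo "wired NICs: $(count_wired_ifaces) (need at least 2)"
    echo "cabled: $(linked_ifaces | tr '\n' ' ')"
    echo "missing tools: $(missing_tools ifconfig nmap | tr '\n' ' ')"
fi
```

Run it with `--check` on the real box; on Debian add `ifrename` to the tool list as the text notes.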
Repurposing old PCs saves money and keeps them out of landfills. They can be customized any way you like. They also make dandy test-and-practice boxes. The drawbacks are size, noise, power consumption, and the fact that they may not be reliable, just from being old.
Cabling
Youngsters may not remember the olden days before auto-detecting MDI/MDI-X (medium-dependent interface/crossover) ports on Ethernet switches, and even on some network interface cards, though NICs with this feature are rare. Back in the bad old days, network admins had to deal with two types of Ethernet cabling: straight cables and crossover cables. Straight cables connected PCs to hubs and switches, and crossover cables were for PC-to-PC and hub-to-hub or switch-to-switch connections. In these modern times, we still need crossover cables for PC-to-PC connections (with rare exceptions), but most hubs and switches can use either one.
Network interfaces
Ordinary Fast Ethernet interfaces are easiest, both PCI and onboard. You may use ISA NICs, if that's all you have. But that puts a greater load on the CPU, and the ISA bus is very slow, around 8 Mb per second. This is still faster than the typical cable or DSL Internet line, so use it as your WAN interface. (Yes, you can find 100BaseTX ISA network cards, which is silly, because they'll still be limited by the ISA bus speed.)
Don't use wireless interfaces unless you are a wireless guru. Wireless interfaces need special handling, so I recommend sticking with plain old wired Ethernet until you have your firewall running satisfactorily.