CentOS 5 - Home Gateway Firewall With DHCP Server For Connection Sharing

Submitted by unclecameron on Mon, 2008-01-21 17:23. :: CentOS


Version 1.0
Author: Cameron Camp <howto [at] logicalwebhost [dot] com>
Last edited: Jan. 16th, 2008

If you're setting up a home network, you probably want a perimeter-facing computer connected to your DSL/cable modem, with all of your other computers behind that firewall box to keep them safe. This tutorial shows you how to use a single external connection on the gateway computer (protected by the iptables firewall) and a second, internal connection on the same box, so you can connect the computers inside your home or office to it and have them receive IP addresses automatically when you plug them in (using a DHCP server). iptables can be very complicated; we will only configure a basic firewall, and you can add more security later without breaking things. In Linux there are many ways to do this; this one is hopefully simple enough to teach you the basics. I did this on a CentOS 5 box, though it would work on Debian variants with only slight modifications. During this tutorial I'm logged in as root, which you should generally NOT do, but it keeps the tutorial simpler; if you prefer to do it more securely, add "sudo" before each command and it will work.

[Figure: gateway_diagram2]

The computers on the inside of your office will also be able to talk to each other, so you can hook up printers and computers and share network connections through the switch as well. You can also later set up things on your gateway server box, such as a network backup drive for all your computers using Samba, relatively simply. There's a lot of expandability in this setup, but we'll keep it simple for now.

The first thing to do on your gateway server is to configure and enable iptables, the default firewall that comes with CentOS. We add a NAT rule that masquerades traffic leaving the external interface eth0, so that outbound traffic from the internal computers on eth1 reaches the internet with the gateway's address. You have to add the iptables entry, save it and restart iptables:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
service iptables save
service iptables restart

Now we have to tell the kernel to start allowing forwarding so the rule will work:

echo 1 > /proc/sys/net/ipv4/ip_forward

This will only work until you reboot, so let's make it permanent: using your editor of choice, add the following line to /etc/sysconfig/network:

FORWARD_IPV4=YES
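The comments at the end of this page report that FORWARD_IPV4=YES in /etc/sysconfig/network did not survive a network restart for them and that /etc/sysctl.conf was the reliable place. The following shell snippet is an added example, not part of the tutorial, that sets net.ipv4.ip_forward = 1 in a sysctl.conf-style file, rewriting an existing line rather than appending a duplicate, and then applies and verifies the live kernel setting. The function names are mine, and the file path is passed in so it can be tried on a copy first.

```shell
#!/bin/sh
# Make IPv4 forwarding persistent the sysctl.conf way (added example, not from the tutorial).
# The file to edit is an argument so the functions can be exercised on a scratch copy.

set_ip_forward() {
    # set_ip_forward FILE VALUE -> ensure FILE contains exactly one "net.ipv4.ip_forward = VALUE"
    conf=$1; val=$2
    if grep -q '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$conf"; then
        # rewrite the existing line in place (via a temp file, so it also works without GNU sed -i)
        sed "s/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=.*/net.ipv4.ip_forward = $val/" "$conf" \
            > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf 'net.ipv4.ip_forward = %s\n' "$val" >> "$conf"
    fi
}

configured_ip_forward() {
    # configured_ip_forward FILE -> print the value FILE configures (last occurrence wins, as with sysctl -p)
    sed -n 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

apply_ip_forward() {
    # Apply the setting to the running kernel and verify it took; needs root on a real system.
    if command -v sysctl >/dev/null 2>&1; then
        sysctl -w net.ipv4.ip_forward=1 >/dev/null
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]
}

# usage on the gateway (as root):
#   set_ip_forward /etc/sysctl.conf 1 && apply_ip_forward && echo "forwarding on and persistent"
```

After a `service network restart` or a reboot, `cat /proc/sys/net/ipv4/ip_forward` should still print 1; if it prints 0, forwarding was only set in the running kernel and the masquerade rule above silently stops passing traffic.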

Now we have to set up a DHCP server to hand out IP addresses to the computers on the inside of the LAN. We do that by installing the DHCP server like this:

yum install dhcp

By default, a sample DHCP configuration file is installed; we'll edit it and then copy it over the real one:

cd /usr/share/doc/dhcp-whateverversionyouhave/
vi dhcpd.conf.sample

You can cut and paste the one I'm using, or just edit yours to suit your needs. A word of caution: your network might be different from mine. This file will give your internal computers a range of IP addresses from 192.168.0.128 to 192.168.0.254 with a subnet mask of 255.255.255.0; change it to suit your needs. If you use your own values here, you'll also have to make the static IP on eth1 (set later) match them.

ddns-update-style none;   # keep it simple for now
ignore client-updates;    # here too
# The interface to listen on is not set in this file: put DHCPDARGS=eth1 in /etc/sysconfig/dhcpd
subnet 192.168.0.0 netmask 255.255.255.0 {
# --- default gateway
       option routers                  192.168.0.1;   # gateway on your eth1 internal interface
       option subnet-mask              255.255.255.0; # subnet mask
       option domain-name              "example.com"; # domain name given to clients
       option domain-name-servers      209.242.10.10; # the IP of your ISP's nameserver you're using
       option time-offset              -18000;        # Eastern Standard Time - set to what you have
       range 192.168.0.128 192.168.0.254;             # the range of IPs your clients will get
       default-lease-time 21600;                      # how long clients keep the same IP (seconds)
       max-lease-time 43200;
       # we want the nameserver to appear at a fixed address
       host ns {
               next-server ns1.ispserver.net;         # change to your ISP's nameserver
               hardware ethernet 00:09:5B:8E:05:67;   # hardware MAC
               fixed-address 209.242.10.10;           # your ISP's nameserver IP
       }
}

Now back up your current DHCP config file and copy the one you just edited over it:

mv /etc/dhcpd.conf /etc/dhcpd.conf.old
cp dhcpd.conf.sample /etc/dhcpd.conf

Now we check the configuration for errors (if there are any, you'll find them listed in /var/log/messages) and restart the DHCP server so the changes take effect:

service dhcpd configtest
service dhcpd restart

Now we have to configure the eth1 (internal) interface to match what we just did in the DHCP server, so edit the file /etc/sysconfig/network-scripts/ifcfg-eth1 so that it looks something like this:

DEVICE=eth1
BOOTPROTO=static
ONBOOT=yes
IPADDR=192.168.0.1
NETMASK=255.255.255.0
GATEWAY=10.1.10.43

You'll have to edit at least the GATEWAY IP; that's just the IP of my eth0 interface, so change it to whatever your eth0 IP is, which you can find out by running:

ifconfig

It should print a line like "eth0 inet addr:10.1.10.43"; that address is the one you want.
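The DHCP configuration above and the ifcfg-eth1 file here have to agree: the `option routers` address must be eth1's IPADDR, the netmasks must match, and the lease range must lie inside the subnet without covering the gateway itself. The following shell script is an added example (not from the tutorial) that cross-checks the two files before you restart dhcpd. It assumes the single-subnet layout used here (one `subnet ... {` block, one `option routers` line, one `range` line); the function names are mine, and `write_samples` writes constructed copies of this tutorial's two files so the check can be tried without touching /etc.

```shell
#!/bin/sh
# Cross-check dhcpd.conf against ifcfg-eth1 (added example, not from the tutorial).
# Assumes one "subnet ... netmask ... {" block, one "option routers" and one "range" line.

ip_to_int() {
    # dotted quad -> 32-bit integer, so addresses can be masked and compared
    echo "$1" | awk -F. '{ printf "%.0f\n", ($1 * 16777216) + ($2 * 65536) + ($3 * 256) + $4 }'
}

in_subnet() {
    # in_subnet ADDR NETWORK NETMASK -> exit 0 when ADDR lies inside NETWORK/NETMASK
    _a=$(ip_to_int "$1"); _n=$(ip_to_int "$2"); _m=$(ip_to_int "$3")
    [ $(( _a & _m )) -eq $(( _n & _m )) ]
}

check_dhcp_vs_iface() {
    # check_dhcp_vs_iface DHCPD_CONF IFCFG -> exit 0 when the files agree; otherwise print each
    # mismatch and exit 1
    conf=$1; ifcfg=$2; errors=0
    subnet=$(awk '/^[ \t]*subnet[ \t]/ { print $2 }' "$conf")
    mask=$(awk '/^[ \t]*subnet[ \t]/ { print $4 }' "$conf")
    routers=$(awk '/option[ \t]+routers[ \t]/ { gsub(";", "", $3); print $3 }' "$conf")
    range_lo=$(awk '/^[ \t]*range[ \t]/ { v = $2; if (v == "dynamic-bootp") v = $3; print v }' "$conf")
    range_hi=$(awk '/^[ \t]*range[ \t]/ { v = $3; if ($2 == "dynamic-bootp") v = $4; gsub(";", "", v); print v }' "$conf")
    ipaddr=$(sed -n 's/^IPADDR=//p' "$ifcfg")
    ifmask=$(sed -n 's/^NETMASK=//p' "$ifcfg")

    [ "$routers" = "$ipaddr" ] || { echo "option routers ($routers) differs from IPADDR ($ipaddr)"; errors=$((errors + 1)); }
    [ "$mask" = "$ifmask" ] || { echo "subnet netmask ($mask) differs from NETMASK ($ifmask)"; errors=$((errors + 1)); }
    in_subnet "$ipaddr" "$subnet" "$mask" || { echo "IPADDR $ipaddr is outside $subnet/$mask"; errors=$((errors + 1)); }
    in_subnet "$range_lo" "$subnet" "$mask" && in_subnet "$range_hi" "$subnet" "$mask" \
        || { echo "range $range_lo-$range_hi is outside $subnet/$mask"; errors=$((errors + 1)); }
    # the gateway's own address must never be handed out as a lease
    _r=$(ip_to_int "$routers"); _lo=$(ip_to_int "$range_lo"); _hi=$(ip_to_int "$range_hi")
    if [ "$_r" -ge "$_lo" ] && [ "$_r" -le "$_hi" ]; then
        echo "option routers $routers lies inside the lease range $range_lo-$range_hi"; errors=$((errors + 1))
    fi
    [ "$errors" -eq 0 ]
}

write_samples() {
    # write_samples DIR -> constructed copies of this tutorial's dhcpd.conf and ifcfg-eth1 for a dry run
    cat > "$1/dhcpd.conf" <<'EOF'
ddns-update-style none;
ignore client-updates;
subnet 192.168.0.0 netmask 255.255.255.0 {
       option routers                  192.168.0.1;
       option subnet-mask              255.255.255.0;
       option domain-name-servers      209.242.10.10;
       range 192.168.0.128 192.168.0.254;
       default-lease-time 21600;
       max-lease-time 43200;
}
EOF
    cat > "$1/ifcfg-eth1" <<'EOF'
DEVICE=eth1
BOOTPROTO=static
ONBOOT=yes
IPADDR=192.168.0.1
NETMASK=255.255.255.0
EOF
}

# usage on the gateway:
#   check_dhcp_vs_iface /etc/dhcpd.conf /etc/sysconfig/network-scripts/ifcfg-eth1 && service dhcpd configtest
if [ $# -eq 2 ]; then
    check_dhcp_vs_iface "$1" "$2" && echo "$1 and $2 agree"
fi
```

Running it with the two real paths before `service dhcpd restart` catches the common mistake of changing the range or router address in one file and not the other, which otherwise shows up only as clients that get a lease but cannot reach the gateway.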

Next you have to tell your gateway to listen for the telltale DHCP requests coming across the inside network. When a client computer goes looking for a DHCP address, it sends a broadcast to the address 255.255.255.255 for anyone who'll listen, so you add a host route for that address on eth1:

route add -host 255.255.255.255 dev eth1

Now we test the setup. Go to one of the client computers and hook it up to the switch your gateway is connected to (in my case a cheap home Netgear $30 8-port switch, model FS608); it should obtain an IP from your new DHCP server, and you should be able to browse the internet.

You should also set up your firewall to block more than we've done in this tutorial to keep your internal computers safe, which you can do with the configuration tool started by running:

setup

and telling the firewall what to block. A rule of thumb is to block everything and then only allow what you need, but you can read about that elsewhere in daunting depth if you choose.
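The "block everything, then allow what you need" rule of thumb, written out for the gateway described in this tutorial, looks like the ruleset below. It is an added example, not from the tutorial or the `setup` tool: a shell function that prints an iptables-save style ruleset (the format of /etc/sysconfig/iptables) with DROP policies on INPUT and FORWARD, the MASQUERADE rule from above restricted to the LAN network, and only DHCP, SSH and ping accepted from the internal side. The interface and network names are arguments; the `-m state` match is assumed to be available, as it was on CentOS 5 kernels. The two helper functions inspect an existing ruleset so the same checks can be run against `iptables-save` output.

```shell
#!/bin/sh
# Default-deny gateway ruleset in iptables-save format (added example, not from the tutorial).
# Assumptions: WAN interface, LAN interface and LAN network are passed in; the "state" match
# is available. Review the output before loading it.

gateway_ruleset() {
    # gateway_ruleset WAN_IF LAN_IF LAN_NET -> print a ruleset for iptables-restore
    wan=$1; lan=$2; net=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# only masquerade traffic that really comes from the LAN network
-A POSTROUTING -s $net -o $wan -j MASQUERADE
COMMIT
*filter
# default deny for packets addressed to the gateway and packets passing through it
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# services the LAN may reach on the gateway itself: DHCP, SSH and ping
-A INPUT -i $lan -p udp --dport 67 -j ACCEPT
-A INPUT -i $lan -p tcp --dport 22 -j ACCEPT
-A INPUT -i $lan -p icmp --icmp-type echo-request -j ACCEPT
# a packet arriving from the WAN side with a LAN source address is spoofed: drop it early
-A FORWARD -i $wan -s $net -j DROP
# forwarding: replies to existing sessions, and new sessions from LAN addresses out to the WAN
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $net -j ACCEPT
COMMIT
EOF
}

forward_policy() {
    # forward_policy < RULESET -> print the FORWARD chain policy (DROP or ACCEPT) found in the input
    sed -n 's/^:FORWARD \([A-Z]*\) .*/\1/p'
}

masquerade_rules() {
    # masquerade_rules < RULESET -> number of MASQUERADE rules in the input
    grep -c -- '-j MASQUERADE'
}

# usage on the gateway (as root), after reading the output once:
#   gateway_ruleset eth0 eth1 192.168.0.0/24 > /etc/sysconfig/iptables
#   service iptables restart
#   iptables-save | forward_policy      # should print DROP
```

Because INPUT drops by default, anything else you later run on the gateway (Samba for the backup drive mentioned above, for instance) needs its own `-i eth1` ACCEPT line; that is the intended effect of the rule of thumb, since nothing reachable from eth0 is opened by accident.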


Submitted by silvertip257 (not registered) on Fri, 2009-08-21 02:47.

This tutorial needs some corrections to properly work.
My hope is that people read this comment so a few things can be corrected.

`echo 1 > /proc/sys/net/ipv4/ip_forward` won't cut it.  Once you do something like `service network restart`, the 1 in ip_forward will be a 0 again -- that is a major problem with this tutorial.

Edit sysctl.conf with `vi /etc/sysctl.conf` and change the 0 in this line to a 1:  net.ipv4.ip_forward = 0 ... from there restart networking to route traffic properly.

Unlike this article, I have two NICs - eth0 and eth1. I also added a few FORWARD rules to specify the source/destination subnets to allow and drop the rest (shown below).

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -d 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -s ! 10.0.0.0/24 -j DROP

If you're using RedHat/CentOS - any RHEL-based distro that retains the RH-Firewall-1-INPUT custom chain, you'll need to add those rules in the custom chain instead of using the boiler-plate commands I gave above. I just modified `vi /etc/sysconfig/iptables` to configure it.  Once your rules are applied either via commands or manually editing the file, save them and restart iptables.

Submitted by woo (not registered) on Mon, 2011-09-19 15:36.
This kind of half-baked article makes me sick; a firewall setup is by far nothing to be taken lightly. I advise all hobbyists to look at some dedicated distro for a firewall/dhcp/gateway solution such as pfsense, m0n0wall, etc. These run on ALIX mini-boards, and can cover even small-business needs (not to speak about power consumption!).
Submitted by Jez (not registered) on Tue, 2010-12-14 13:38.

Can I ask what IP addresses you're using, i.e. are they the IP addresses of your ISP?

Also, do I definitely need the MAC addresses of my ISP for the DHCP config?

If so how would I be able to get these so I can put them in?

Sorry just a little confused here, looks good though, will be getting a new computer and want to use a light server for my gateway and then using another as a website development test bed.

I am fairly good with networking things though, always aiming to improve my ability within network management; should be a lot of fun setting this up.

Submitted by Anonymous (not registered) on Thu, 2009-08-20 11:13.

Is there any chance of giving IP addresses on the diagram as an example of what's going on?

For example: eth0 IP, eth1 IP, cable modem settings, DNS settings etc.

How about some info on how YOUR network IS set, so that changes and settings can actually be cross-referenced to suit, rather than simply stating, quote: "your network might be different than mine".

Is YOUR eth0 card set to 192.168.0.1 or 184.64.87.112????
If YOUR eth0 card is 192.168.0.1 and mine is 192.168.1.10 then I can simply change the setting at the appropriate places to suit.

 

Submitted by Rich (not registered) on Tue, 2009-03-10 22:28.

Hi,

 Thanks for this great tutorial, however I think there is a slight adjustment needed.

You need to add the route which the DHCP server should listen out on before you start it, otherwise you get a fail.

Please feel free to correct me if I'm wrong.

Rich

Submitted by NicolBolas (not registered) on Sat, 2009-05-23 14:04.

Hi !

I had no need for the route add -host command; dhcp worked out of the box.

About the ip_forward being permanent, it seems more reliable to edit /etc/sysctl.conf, as the /etc/sysconfig/network didn't work for me.

At last, maybe a DNS cache would be a good thing to add to this tutorial. With DNS filtering being deployed by a growing number of ISPs, being able to aggregate answers from public DNS may be better than relying solely on your ISP's DNS to handle every request. It's also way faster on high latency connections.

Submitted by Chaos Inc. (not registered) on Sun, 2009-06-14 15:37.

Now this is awesome! Easy to follow through! I am planning on building a CentOS server for a specialized WAP based portal. Will try to post the results asap.

Cheers

Submitted by troi (not registered) on Thu, 2010-10-28 07:47.

Hi,

I tried your setup, but instead of a modem connection to my eth0, I used a load balancer router.

I have 2 internet connections and they go to a load balancer; the gateway IP becomes 192.168.0.1 and I set my eth0 and eth1 to the following IPs:

eth0 - 192.168.0.255 , eth1 - 192.168.2.1

eth1 goes to our main switch.

set sysctl.conf - net.ipv4.ip_forward = 1

dhcpd.conf to the following 

-----------------------

ddns-update-style interim;
ignore client-updates;
DHCPARGS=eth1;
subnet 192.168.2.0 netmask 255.255.255.0 {

# --- default gateway
        option routers                  192.168.0.1;
        option subnet-mask              255.255.255.0;

        option nis-domain               "static.pldt.net";
        option domain-name              "static.pldt.net";
        option domain-name-servers      58.69.254.3, 58.69.254.8;

        option time-offset              -18000; # Eastern Standard Time
#       option ntp-servers              192.168.1.1;
#       option netbios-name-servers     192.168.1.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
#       option netbios-node-type 2;

        range dynamic-bootp 192.168.2.100 192.168.2.254;
        default-lease-time 21600;
        max-lease-time 43200;

        # we want the nameserver to appear at a fixed address
        host ns {
                next-server static.pldt.net;
                hardware ethernet 1C:BD:B9:80:07:6E;
                fixed-address 58.69.254.8, 58.69.254.3;
        }
}

--------------

eth0 and eth1 are all static IP.

is it possible to route internet connection this way?

my server is getting internet access but routing at eth1 is not.

Any help will be greatly appreciated.

Thanks