Set Up Ubuntu-Server 6.10 As A Firewall/Gateway For Your Small Business Environment 

Includes: Shorewall, NAT, Caching NameServer, DHCP Server, VPN Server, Webmin, Munin, Apache (SSL enabled), Squirrelmail, Postfix setup with virtual domains, courier imap imaps pop3 pop3s, sasl authentication for road warriors, MailScanner as a wrapper for SpamAssassin, Razor, ClamAV, etc. Samba installed, not configured.

Needs very little maintenance and is extendable beyond your wildest imagination. All depending on the hardware used, of course.

This is a COPY&PASTE howto. For background information, use the net; I did. Contributions and suggestions are always welcome! I know this can be done better, so feel free.

If anyone of you can find the time to add a good install and config for snort AND snortsam, including a comprehensive control panel, I would be very grateful.

Scope: creating a firewall/(mail) gateway for a small network (say 10 to 15 users or so) on a PIII 450MHz with 512 MB RAM, two identical network interface cards and a broadband connection, fully featured, for a business environment. Better hardware specs (notably the amount of RAM) will improve the performance of your server significantly. The specs mentioned are a bare minimum for not so demanding customers, just to indicate that if you really want, it can be done indeed (you will need to do some tweaking afterwards though).

Expected audience: (beginning) sysop.

This tuto leads towards a solid 'ready to go' system. The fun part, I think (tweaking and tuning etc.), starts when you are done. You may wish to inspect your logs to find clues as to where the tuning should start. Munin might tell you a lot as well.

Have Fun!

First, do a clean install using Ubuntu-Server 6.10. During installation, proper settings for eth0 will be detected automatically. If this fails, change your network cables and try again. There is a very small chance that your ISP does not run a DHCP server (never seen that happen), or it just might be down (seen that quite a few times; they may also screw up their DNS every now and then), in which case you are on your own; best to wait till they are done fixing it.

So we start out with a DHCP assigned address for eth0. This is just an easy way to figure out which NIC is actually eth0. If you already know which is which, you had better start out with a static address for eth0. If your ISP isn't crappy, you have the proper settings for it.

Now proceed and accept all defaults (but you may want to do your own partitioning). At the end of the process you will be asked if you want to install extra packages. Select "LAMP" and finish.

Now login as the new user you just created and do:

sudo passwd

Enter your password again, then enter the new password for user "root" and confirm. That drops the nasty sudo experience (a bit strange on a server, isn't it?). Now log out and log in again as root with the new root password.


apt-get install vim

Using vim (or your favorite editor), edit /etc/apt/sources.list. Comment out the cd repository. Next add "universe" (without the quotes) to all lines that aren't commented out. Save the file.

Now do:

apt-get update
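The sources.list edit above is easy to get subtly wrong by hand (a cdrom line left active makes apt-get update stall on the missing disc; a line without "universe" means later installs fail to find packages). The following is an added example, not part of the original howto: a POSIX shell script that applies the same two edits to a given file and checks the result. The function names and the sample sources.list contents are constructed for illustration; the only assumption about the real file is the standard "deb <uri> <suite> <components...>" line format.

```sh
#!/bin/sh
# Added example (not from the original howto): apply the two sources.list
# edits described in the text, then verify them, before running apt-get update.
# The file path is a parameter, so the script can be tried on a copy first.

# Comment out any cdrom repository line and append "universe" to every
# active deb/deb-src line that does not already list that component.
enable_universe() {
    file="$1"
    tmp="$file.tmp.$$"
    awk '
        # cd repository: disable it, the disc will not stay in the drive
        /^deb cdrom:/ { print "# " $0; next }
        # active package lines: components start at field 4
        /^deb(-src)? / {
            has = 0
            for (i = 4; i <= NF; i++) if ($i == "universe") has = 1
            if (!has) $0 = $0 " universe"
            print; next
        }
        # comments and blank lines pass through untouched
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Return 0 when every active deb/deb-src line carries "universe" as a
# whole word, 1 when at least one active line still lacks it.
check_universe() {
    ! grep -E '^deb(-src)? ' "$1" | grep -v -w universe | grep -q .
}

# Typical use on the real file (run as root, after backing it up):
#   cp /etc/apt/sources.list /root/sources.list.orig
#   enable_universe /etc/apt/sources.list
#   check_universe /etc/apt/sources.list && apt-get update
```

The check is deliberately separate from the edit so it can also be run on a file that was edited by hand, which is how the howto expects you to do it.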

apt-get install openssh-server

Edit /etc/network/interfaces and add the following at the bottom:

auto eth1
iface eth1 inet static

Note that the rest of this tuto assumes that you actually make the settings for eth1 as shown.

My full /etc/network/interfaces looks like this:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet static

As you can see my eth0 gets its settings using DHCP.

Save the file. Next do:

/etc/init.d/networking restart
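The two-line eth1 stanza above is only the skeleton; the static settings still have to be filled in, and if they are missing the restart brings eth1 up without a usable address, which on a gateway cuts off the whole LAN side. As an added example that is not part of the original howto, here is a POSIX shell check to run before the restart. The function names, the sample file and the 192.168.1.1/24 addressing are all assumptions made for illustration; the howto itself does not specify the LAN addressing.

```sh
#!/bin/sh
# Added example (not from the original howto): verify that a static stanza in
# an /etc/network/interfaces file declares address and netmask before running
# "/etc/init.d/networking restart". All names and addresses are assumed.

# Print "<keyword> <value>" for each option line in the stanza of interface $2
# in file $1, i.e. the lines after "iface $2 inet ..." up to the next
# auto/iface/mapping/allow-* keyword.
iface_stanza() {
    awk -v want="$2" '
        /^[ \t]*(auto|iface|mapping|allow-)/ { in_stanza = 0 }
        $1 == "iface" && $2 == want        { in_stanza = 1; next }
        in_stanza && NF > 0                 { print $1, $2 }
    ' "$1"
}

# Return 0 when the stanza for interface $2 in file $1 carries both an
# address and a netmask line, 1 otherwise (including a missing stanza).
static_iface_complete() {
    stanza=$(iface_stanza "$1" "$2")
    echo "$stanza" | grep -q '^address ' && echo "$stanza" | grep -q '^netmask '
}

# Write an interfaces file like the howto's, with an assumed LAN address for
# eth1, to path $1. This is a constructed sample, not a copy of a real system.
write_sample_interfaces() {
    cat > "$1" <<'EOF'
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface (ISP side, DHCP as in the howto)
auto eth0
iface eth0 inet dhcp
# The LAN side of the gateway (assumed addressing)
auto eth1
iface eth1 inet static
    address 192.168.1.1
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
EOF
}

# Typical use on the real file before restarting networking:
#   static_iface_complete /etc/network/interfaces eth1 || echo "eth1 stanza incomplete"
```

No gateway line is given for eth1 on purpose: the default route belongs to eth0, the ISP side, and a second gateway on the LAN interface is a common cause of a box that can talk to the LAN but not to the internet.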

You can do the rest of this tuto from your workstation, either Linux or the other one (must have PuTTY), so you can actually copy and paste. Just log in as root and get on with it.

Make sure that the network settings of your workstation match the settings of your server's eth1.

If you are confused here, first configure and start your DHCP server as shown in this article (page 9), and let your workstation detect the proper settings automatically.

From: Chris Angelico at: 2011-02-25 05:28:11

You suggest in this howto that users 'sudo passwd' and then log in as root. There's an easier way, in the versions of Ubuntu that I've used: just use 'sudo -i'. It'll create an "initial login" system, which will give you bash and everything you need. Less fiddling, more safety.

From: at: 2007-01-30 17:28:02

Before this command can be done, you need to install mysql-server

apt-get install mysql-server-5.0

Now do:

mysqladmin -u root password yourrootsqlpassword ##USE A REAL PASSWORD HERE!

After this is done, then you can run the next command


From: at: 2007-04-20 18:26:55

If the steps are followed and you install LAMP, it includes the installation of mysql.

From: at: 2007-04-20 18:34:47

This really doesn't have to happen. Later on in this guide we compile dcc:

cd /root

gunzip dcc.tar.Z

tar -xvf dcc.tar

cd dcc-1.3.45     ##or whatever version is current.

make install

Simply add --bindir=/usr/bin to the ./configure line; it should look like this:

./configure --bindir=/usr/bin

and everything should be fine.

From: at: 2007-06-08 08:38:09

Sorry, I was not understandable and chose the wrong place to comment.

A. When I wrote /etc/shorewall/rules exactly  as written here (Page 10, up to words:

To complete this step, do:

/etc/init.d/shorewall restart)

- I couldn't establish a connection to my VPN server.

I had to add new zone "vpn" in such a way: in /etc/shorewall/interfaces before the last line:

vpn ppp0


/etc/shorewall/zones before the last line:

vpn ipv4


/etc/shorewall/policy before the last line:

##### for VPN

vpn loc ACCEPT


loc vpn ACCEPT


and modify in /etc/shorewall/rules the line:

DNAT net loc: tcp 1723

to the line:

DNAT net $FW: tcp 1723

After all that the connection to the VPN server started properly.

B. When I wrote in /etc/shorewall/rules, before the other rules:

LOG:warning:L2    net     loc:    47

I found nothing in kern.log.

So I wonder, is protocol 47 necessary here in /etc/shorewall/rules?

I hope, my comments help you to improve your brilliant HowTo