"the site for those who crave disappointment"

Sponsored Links

Build a Firewall with Linux

27th Oct 2005, 21:23:22

By James Stocks

I was using a Cisco 827 to separate my network from the internet, but being just a router, it didn't offer firewalling capabilities. My main objectives were to have a flexible and secure firewall that cost nothing.

This guide, like the rest of my site, is really just my own installation notes that I've made public just incase they will help someone else. I am a Mac OS X user most of the time and far from a Linux guru! There are probably much better guides that you could follow.

You will need...

The estimated cost of this project is £0

Download and Install

Get the Network Install ISO. Burn it to a CD with disk utility and boot your PC with it.

When you get the boot screen, just hit enter.

Initial Boot Screen

The Debian installer is not pretty, but it's easy to use and it works. Select the language and keyboard settings that you want:

Language Selection

Choose a hostname for your firewall, use lower case.

Hostname Selection

If you don't have a domain, just use 'local'.

Choose a Domain Name

Erase the whole disk. This will delete all your data, but that's probably what you want in this situation.

Partition the Disk

Put all the files in one partition.

Partition the Disk

Choosing finish applies the changes.

Partition the Disk

Last chance, choose yes to continue.

Partition the Disk

There is a bit of a wait while the base system is installed. On my Athlon, this took just the right amount of time to make some coffee.

Install the Base System

The installer asks if you want to use GRUB to boot Debian, say yes.

Install GRUB

Take the CD out and press enter to reboot.

Reboot to Finish Installing

If all goes well, you'll see the welcome screen.

Installation Continues

Asks if your clock is set to GMT. It probably isn't.

Is your Clock GMT?

Choose your timezone.

What is your Time Zone?

Choose a nice long, strong root password, enter it again when asked to confirm.

Root Password

Enter your full name.

Full Name

Pick a username. Pick a non dictionary hard to guess word (choose a better one than stocksy).


Pick a nice strong password that's hard to guess or brute force but easy remember. Confirm it when asked.

You're asked if you have another CD. I didn't so I said no.

Add another Debian CD

It asks if you want to add more sources to APT. You do, so say 'Yes'.

APT Sources

Choose http, because it is easy.

HTTP is the easiest usually

Choose your country, or one near you.

Country Selection

Choose the mirror you want to use. is usually a good choice. Do not be put off by the ftp part, it will actually use http.

Mirror Selection

If you have a proxy, this is where to specify it. If you need to authenticate to it, do it like this http://user:pass@hostname:port


If it pleases you, add more sources. I didn't want to, so I chose no.

Add APT Sources

Security updates. You want those.

Security Updates

Don't select any extra packages, we just want the base system. You can very easily add extra packages afterwards as you need them.

Package Selection

APT downloads and installs all the necessary packages for you. On my connection, this took about 3 minutes, but your experience may differ!

APT in action

I didn't care, so I just chose the default.

Wordlist what?

You will want to disable SSH1 as the installer suggests, so say yes.

SSH Protocol 2

Say yes you want to use SUID.


I wanted to be able to SSH to my firewall since it has no screen or keyboard, so I said yes.


The MTA is in charge of email for your system. You might want to be able to use logwatch or snort to email you reports, so it's worth setting up. Say that you don't want a split config.

Configure Exim

I already have a mail server, so I chose to use a smarthost (a smarthost is a mail server that sends mail on your behalf). If you don't have a mail server, or dont want email, just choose 'local delivery only'. (You'll miss out the next few steps.)

Configure Exim

Choose a hostname that you want your mail to come from. It doesn't really matter what you choose.

Configure Exim

Use, since you proably don't want your firewall to receive email from other hosts.

Configure Exim

Accept the default for mail destinations - you don't want to receive email.

Configure Exim

You don't want to relay mail for anyone else

Configure Exim

Finally, enter the IP or hostname of your smarthost

Configure Exim

Accept the default.

Configure Exim

Hooray, Debian is installed! When you press enter, you'll be asked to log in without any of that rebooting nonsense.




Behold the exciting login screen. Log in as root (just this once!). When you enter a password it does not echo (show up on the screen).

Welcome to Debian

I prefer to use vi when I edit text. If you're used to pico, just use nano which works the same. Be sure to invoke it as nano -w to stop it from inserting extra line breaks. The version of vi on your new Debian system is a bit different to the vim on OS X, so lets install vim. Type:

apt-get install vim

Answer 'y' when asked if you want to continue.

You just used APT to install vim. APT is the tool that is used to manage (de)installation of software packages on the system and also for upgrading to new releases of Debian.

Update the list of packages that are available for installation:

apt-get update

Update all of the currently installed packages to the newest stable version:

apt-get upgrade

Install a new package:

apt-get install [package]

Remove an installed package:

apt-get remove [package]

/etc/apt/sources.list controls what packages are available and from where. By default it downloads 'stable' packages, but I prefer to have it retrieve a specific distribution so that I can control when to upgrade when a new release comes out. The actual packages downloaded are the same, this is just a 'housekeeping' thing I guess. I do this by replacing every occurence of stable with sarge in /etc/apt/sources.list. In vi, I do this by typing:

:% s/stable/sarge/g

Also, remove any lines starting deb cdrom. Remember to do an apt-get update afterwards.

This is my sources.list:

deb stable main non-free
deb-src stable main non-free
deb stable/updates main non-free

So we don't need to log in as root, let's install sudo. You guessed it,

apt-get install sudo

Now, type visudo - this is a binary especially for editing sudoers. Add yourusername ALL=(ALL) ALL to the file so that it's like this:

# /etc/sudoers
# This file MUST be edited with the 'visudo' command as root.
# See the man page for details on how to write a sudoers file.

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL) ALL
yourusername ALL=(ALL) ALL

Log out and log back in again as your normal user. You can now use sudo to do stuff as root and sudo -s to get a prompt as root.

You need a root prompt now, so type

sudo -s

Shorewall is a great front end for iptables, the Linux Kernel's firewall.

apt-get install shorewall

Also, you'll need the sample configuration files for shorewall.

tar zxf two-interfaces.tgz
mv two-interfaces/* /etc/shorewall
chown -R root:root /etc/shorewall

Next, you need to think about how you are going to set up your IP addresses. I decided to do it like this:

Example network

My external IP address, is statically assigned by my ISP. My Cisco 827 does one-to-one nat from this address to on e0. It uses this config. Note that is a private (RFC1918) IP range. My internal network is The firewall is connected to the local network through eth1 and to the 827 by eth0.

By default, eth1 is disabled and eth0 is assigned an address by DHCP. This may or may not be what you want. In my setup, the internet side,, is static, so I want to fix it. You may wish to leave it as DHCP. The address on eth1 must always be statically assigned. All this is done by editing /etc/network/interfaces

# The loopback network interface
auto lo
iface lo inet loopback

# The external network interface
auto eth0
iface eth0 inet static

# If your external IP is assigned by DHCP use this instead:
# auto eth0
# iface eth0 inet dhcp

# The internal network interface
auto eth1
iface eth1 inet static

Also, /etc/resolv.conf needs changing to list your or your ISP's DNS server (or both).

search local

Now, type

sudo /etc/init.d/networking restart

this applies the configuration to the interfaces. Check it with sudo ifconfig

Let's configure the firewall itself. Essentially, just follow this guide. The only thing not covered here is that if your external IP address is RFC1918 private like mine, you need to do this:

sudo -s
cd /etc/shorewall
cp /usr/share/shorewall/rfc1918 .

Edit /etc/shorewall/rfc1918 and add a line near the bottom like:         RETURN

Once you've worked through the guide, type shorewall start to start the firewall. The firewall will spew messages all over the console whenever it blocks a packet. This can be useful for a start, but annoying after a while. To get rid of them, stop shorewall with shorewall clear . Now edit /etc/init.d/klogd and find the line KLOGD="". Change it to KLOGD="-c 5". Now, restart klogd with /etc/init.d/klogd restart and restart shorewall with shorewall restart.

By default, shorewall does not start on boot. You probably want it to. Edit /etc/default/shorewall and change startup=0 to startup=1.

If you set the firewall to net policy to REJECT in /etc/shorewall/policy, you'll want to allow the firewall to access stuff by inserting some lines into /etc/shorewall/rules

AllowPing fw loc
AllowPing fw net

#Telnet to 827
AllowTelnet fw net:

#Allow FTP to Internet
AllowFTP fw net

# Allow HTTP to Internet
AllowWeb fw net

# Allow DNS
AllowDNS fw loc

# Allows NTP
ACCEPT fw net udp 123

Don't forget to shorewall restart to apply the changes.

Let's tackle DHCP next.

apt-get install dhcp

The dhcp daemon's config is stored in /etc/dhcpd.conf.

#Set your domain name and the address of your (or your ISP's) DNS server
option domain-name "local";
option domain-name-servers;

#You need a subnet declaration for the internal interface
subnet netmask
option subnet-mask;
option broadcast-address;
option routers;
default-lease-time 600;
max-lease-time 7200;

#Specific hosts can be given reservations like this:
host iMac
hardware ethernet 00:03:93:a2:2b:5e;

You must tell dhcpd to listen only on eth1 or it won't work. Edit /etc/default/dhcp, changing INTERFACES="" to INTERFACES="eth1".

Restart dhcpd with /etc/init.d/dhcp restart.

Have fun with your firewall. If you have problems, tail -f /var/log/syslog is your friend!

New Comments

Some Rights Reserved