Setting up Ubuntu as a
Firewall / Router / Nat
The following instructions describe how to make an Ubuntu Linux box act
much like a common firewall/router/NAT box. The advantage of running
Linux from disk, instead of the Linux that is often baked into a
consumer router's firmware, is that you can tailor the code to do
precisely what you want. This was done with Ubuntu 9.04 (current in
September 2009).
In my case I wanted to be able to ssh to a Linux system running in my
house but did not like seeing the hundreds of daily attacks trying to
break into my system. I thought that by not acknowledging that there
was an ssh listener I would cut down on these attacks. My firewall only
allows specific addresses into the box.
Note: In addition to only allowing ssh connections from selected
addresses, I require that an ssh key be present on the box. This means
that even if you could guess a login and password you would still need
that ssh key to get on the box. And yes, for additional security I could
change the ssh port or use "port knocking".
Hardware needed: A very small computer with two network interfaces. I
used a very inexpensive system with about 3/4 gig of memory and a 40
gig disk. The motherboard had an on-board network so I added an
inexpensive network interface as eth1.
There are three parts to this process (described on three pages):
- Step one: Testing - set up a static eth0, DHCP on eth1
- Step two: Testing - replace your hardware router
- Step three: Add DNS
In step one I had a Linksys firewall/router in place. The router was
set to 192.168.1.1 and was connected to my cable modem. I configured
eth0 as a static address and set eth1 as a DHCP server. I could connect
one device to eth1 and test that it was given a dynamic address.
In step two I removed the Linksys firewall/router and substituted the
Ubuntu box. To do this I had to change eth0 from a static address to
DHCP so that it would request an address from my cable modem. I could
then connect eth1 to a switch and provide addresses for my home network.
What this still lacked was the Ubuntu box acting as a name server. All
connected devices configured for DHCP were fine. However, a device that
had a static IP would not know what to use as a name server.
Step three was setting the Ubuntu box to act as a name server.
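As an added example (not part of the original post or of the work described in it), the script below prints the sysctl and iptables commands for the layout described above: eth0 toward the cable modem, eth1 toward the home switch, NAT between them, a default-deny INPUT policy so an unsolicited probe gets no answer, and ssh accepted from the outside only from selected addresses. The interface names, the 192.168.1.0/24 LAN and the allowed-address list are assumptions; the script only prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example: generate firewall/NAT rules for a two-interface Ubuntu box.
WAN=eth0                 # faces the cable modem (DHCP client in step two)
LAN=eth1                 # faces the home switch (DHCP server for the LAN)
LAN_NET=192.168.1.0/24   # assumed home-network subnet
# Assumed list of remote addresses permitted to open ssh to the box.
SSH_ALLOWED="203.0.113.10 198.51.100.0/24"

gen_fw_rules() {
  # Forwarding between the two interfaces is off by default on Ubuntu.
  echo "sysctl -w net.ipv4.ip_forward=1"
  # Start from empty tables; default-deny for traffic to and through the box.
  echo "iptables -F; iptables -t nat -F"
  echo "iptables -P INPUT DROP"
  echo "iptables -P FORWARD DROP"
  echo "iptables -P OUTPUT ACCEPT"
  # Loopback and replies to connections the box opened are always allowed.
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # LAN hosts may talk to the box itself (DHCP now, DNS after step three).
  echo "iptables -A INPUT -i $LAN -s $LAN_NET -j ACCEPT"
  # ssh from the WAN side only from the selected addresses; every other
  # source hits the DROP policy, so no listener is acknowledged.
  for src in $SSH_ALLOWED; do
    echo "iptables -A INPUT -i $WAN -p tcp --dport 22 -s $src -m conntrack --ctstate NEW -j ACCEPT"
  done
  # NAT: LAN -> WAN is allowed and masqueraded behind the cable-modem address;
  # WAN -> LAN only for traffic belonging to a connection the LAN started.
  echo "iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT"
  echo "iptables -A FORWARD -i $WAN -o $LAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE"
}

# Number of ssh allow rules emitted; lets the policy be checked without root.
count_ssh_allow() { gen_fw_rules | grep -c -- '--dport 22'; }

gen_fw_rules
```

Pipe the output into `sh` as root once it matches the interfaces on your box; the DROP policies take effect immediately, so do this from the console or from one of the allowed addresses.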
Disclaimer: I documented this and did some of the work (mostly moving
cables and rebooting boxes when necessary). James Washer was working
remotely and did 98% of the hard technical work. (OK, maybe 99%.)