Setting up Ubuntu as a Firewall / Router / Nat

The following instructions describe how to make a Ubuntu Linux box act much like a common firewall/router/NAT box. The advantage of the Linux OS on disk instead of what is often Linux in firmware is that you can tailor the code to do precisely what you want. This was done with Ubuntu 9.04 (current in September 2009).

In my case I wanted to be able to ssh to a Linux system running in my house but did not like seeing the hundreds of daily attacks trying to break into my system. I thought that by not acknowledging that there was an ssh listener I would cut down on these attacks. My firewall only allows specific addresses into the box.

Note: In addition to only allowing an ssh from selected addresses I require that an ssh key be present on the box. This means that even if you could guess a login and password you would need that ssh key to get on the box.  And yes, for additional security I could change the ssh port or use "port knocking".

Hardware needed: A very small computer with two network interfaces. I used a very inexpensive system with about 3/4 gig of memory and a 40 gig disk. The motherboard had an on-board network so I added an inexpensive network interface as eth1.

There are three parts to this process (described on three pages):
  1. Step one: Testing - set up a static eth0, dhcp on eth1
  2. Step two: Testing - replace your hardware router
  3. Step three: Add DNS

In step one I had a Linksys firewall/router in place. The router was set to and was connected to my cable modem. I configured eth0 as a static address and set eth1 as a DHCP server. I could connect one device to eth1 and test that it was given a dynamic address.

In step two I removed the Linksys firewall/router and substituted the Ubuntu box. To do this I had to change eth0 from a static address to DHCP so that it would request an address from my cable modem. I could then connect eth1 to a switch and provide addresses for my home network.

What this still lacked was the Ubuntu box acting as a name server. All connected devices configured for DHCP were fine. However a device that had a static IP would not know what to use as a name server.

Step three was setting the Ubuntu box to act as a name server.

Disclaimer: I documented this and did some of the work (mostly moving cables and rebooting boxes when necessary. James Washer was working remotely and did 98% of the hard technical work.  (OK, maybe 99%).