Monday, April 04, 2005

Making your own Firewall / Router / Fileserver / Print Server

As I have just done the above numerous times for myself and my brother, I thought that a little writeup might help. This is not designed to be complete or simple, but is for someone with a basic grasp of Linux and/or an advanced grasp of PC's in general.

I assume several things. You have a local Windows network. You have ADSL and an ADSL router that is connected to this local network. You know the basics of TCP/IP and are comfortable with command-line interfaces. You have a spare machine that has nothing of any value on it (e.g. Windows, documents etc.) that can safely be wiped and made to become a firewall/router/server. You have a spare parallel port laser printer (e.g. an HP Laserjet) that you want shared over the network. You know how to use Google and look things up for yourself if this article doesn't cover your problem.

First, get a computer and network it. I happen to have a source for old Pentium machines (233's) but for my brother's project, I gave him an old P400 with 64Mb RAM, two PCI network cards and an 80Gb hard drive - smaller hard drives are fine, down to about 4Gb, and may actually be more compatible with a machine with an old BIOS. 2Gb is an absolute minimum but it's then a struggle to keep up to date with such little free space.

[Author's Note: Yes, I'm being lazy and installing EVERYTHING from Slackware, I know perfectly well that you can do this from a single floppy but that's not the point. See Freesco if you want to be an expert and do it properly... I ran a Freesco install for about 4 years, making it do all of the above.]

The PC could really have done with a bit more RAM but it runs fine with just that much. Plug it into your network. At first, you can just add it onto an existing network by plugging into the hub/switch, to make installation easier. Later, we'll turn it into a router that can be put between your broadband connection and your computers to keep them much safer than they would normally be.

Next, blank the hard drive completely (or just be aware that you will be wiping everything on it, even Windows or whatever else is on there) and download Slackware. You can use any recent version but for me the version was 10.1. Download the first two ISO disk images and burn them to CD. CD Burner XP Pro is good for putting them onto CD if you don't have Nero or anything else to use, is free and runs fine under Windows 98 despite the name.

Next, boot the machine intended to be a firewall, file server etc. from the first CD. Follow the instructions until you get to the login prompt. Login as root and you'll be left hanging on a command line. Type cfdisk and delete any partitions on your hard drive (THIS WILL DELETE ALL YOUR DATA ON THAT HARD DRIVE, OBVIOUSLY). Then install one large partition over the whole disk and make it bootable. Exit out of cfdisk and reboot.

Boot back off of the CD again and login, then type setup. Go through the setup process (selecting a keyboard layout etc.), select the partition you just made to install into, don't set swap space, use the default kernel and make sure you install all packages, full install.

After a few hours, you should be done and rebooting without the CD in will take you straight into Slackware Linux. You would have been asked to set a root password. It's a bloody good idea and you'll need it to log in to this computer from then on. Now we have to set up your network card in order to connect to the internet and the rest of the network.

Login as root and type dmesg | more and scroll through, looking for anything that indicates that Slackware has found a network card. If it is a PCI or even an onboard card, it should find it without any assistance. Non-PNP ISA cards need a bit of a nudge beyond the scope of this article (Google isapnp).

If your network cards were successfully detected, type pico /etc/rc.d/rc.inet1.conf. This will allow you to set IPs, the network mask and (if need be) a gateway address (e.g. of an ADSL router or any other device that all Internet-bound traffic should be directed through). You should set one card to an internal network address (e.g. 192.168.0.1 or 10.0.0.1) and the other card to an address which will be "external" (or enable DHCP for that card).

[For an example, my ADSL router gives out addresses in the 10.0.2.x / 255.255.255.0 range, which my server picks up as its "external" address. The local network uses 10.0.1.x / 255.255.255.0, which the server has an address set for on its other card.]

Hit Ctrl-X when you're done.

After a reboot, both cards should now appear in the output of ifconfig as eth0 and eth1 (lo is a loopback interface that's always there, network or not).

Test your connection by pinging a website: ping www.example.com. This should come back with replies. Hit Ctrl-C to stop the pinging.

If you have two cards and the ping doesn't work, make sure you try this with a cable in both cards... sometimes the cards are chosen in a different order to what you might expect. Also, try pinging the address of other machines on the network, your ADSL router etc.

If you have a successful website ping, it means that the Slackware machine is now able to connect to the internet. Now we can download a little program that will help us later on. Personally, I like Projectfiles.com's firewall... a simple script that enables all sorts of things without the complications of a GUI.

Type lynx http://projectfiles.com/firewall/. (Lynx is a text-based web browser that is simple enough to download files should you need them). Select the link for the latest stable release and hit d for download. Let it download it and then save it. It should have saved it in the home directory for root. Exit out of Lynx.

Copy it to /etc/rc.d (cp rc.firewall /etc/rc.d/)
Edit it to suit your network (pico /etc/rc.d/rc.firewall) using the output from ifconfig to remember which card (eth0 or eth1) has which IP address etc. There is a line in the file that tells you below which point you should not make any changes.

Make sure that you add the local network interface (e.g. eth0) to the list of internal interfaces. Any other network cards are considered external, i.e. anything that comes through them is NOT trusted, as if it were a direct connection to the Internet.

Press Ctrl-X when you are done.

Now, to turn the firewall on, you type chmod +x /etc/rc.d/rc.firewall and it will run at the next reboot. To turn it off, do the same with a -x instead and reboot. If you have done it correctly, you should get no errors and still be able to access the internet with ping etc.

While we're here, we need to turn a few other things on and off:

chmod +x /etc/rc.d/rc.dnsmasq
chmod +x /etc/rc.d/rc.samba
chmod +x /etc/rc.d/rc.cups

For these to work, however, they need some configuring. If in doubt, google for the name of the program or config file (e.g. dnsmasq.conf) and read their documentation.

DNSMasq
=======

This program forwards DNS lookup requests (i.e. resolving www.example.com to an address the computer can use) to an upstream DNS server. This is usually the same machine as your gateway if you have an ADSL connection (i.e. the IP address of your ADSL router) or it can be your ISP's DNS address (they will have these written down somewhere on their website but you may need to login to their website first... usually they can be found inside their instructions for connecting other types of computer to the internet, e.g. Mac, Linux, Playstation, XBox etc.)

Mostly, it needs no configuration at all but any can be done using pico /etc/dnsmasq.conf. It will get the IP of the upstream DNS server from /etc/resolv.conf which you can edit using pico too.

If this works properly, you should be able to set the other computers in your network to use your server's LOCAL IP address as a gateway and DNS server. E.g.

Internet (some address which your ISP has given you)
|
|
ADSL Router (10.0.2.1 / 255.255.255.0 and providing DHCP in that range)
|
|
10.0.2.100 / 255.255.255.0 on eth0
Server
10.0.1.1 / 255.255.255.0 on eth1
|
|
Windows machines
10.0.1.x / 255.255.255.0 using 10.0.1.1 as their gateway and DNS.

With this setup, the Windows machines should be able to connect to the internet as if the server wasn't even there. A quick trip to GRC to run their ShieldsUp! test should show all ports as Stealth, though.

That's routing, firewall and DNS-forwarding configured already!
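As an added illustration of what the routing and firewall part is doing underneath (this is not the Projectfiles.com script and not from the original post), here is a minimal rc.firewall-style iptables script for the two-card layout in the diagram above: the internal card is trusted, anything arriving on the external card is dropped unless it is a reply to a connection we opened, and the local network is masqueraded behind the server's external address. The interface names (eth1 internal, eth0 towards the ADSL router) and the 10.0.1.0/24 range are assumptions taken from the diagram.

```shell
#!/bin/sh
# Minimal two-card firewall/NAT script in the style of an rc.firewall.
# Added example: it is NOT the Projectfiles.com script the post uses.
# Assumptions: the LAN card, the card facing the ADSL router and the
# LAN range (10.0.1.0/24 from the diagram) are passed in as arguments.
# Set IPT=echo to print the rules instead of loading them.
IPT="${IPT:-iptables}"

build_firewall() {
    int_if="$1"; ext_if="$2"; lan_net="$3"

    # Clean slate, then default to DROP for anything inbound or forwarded.
    $IPT -F; $IPT -t nat -F; $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback and the internal card are trusted; nothing else is.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$int_if" -s "$lan_net" -j ACCEPT

    # A LAN source address arriving on the external card is spoofed.
    $IPT -A INPUT -i "$ext_if" -s "$lan_net" -j DROP
    $IPT -A FORWARD -i "$ext_if" -s "$lan_net" -j DROP

    # From outside, accept only replies to connections we opened.
    $IPT -A INPUT -i "$ext_if" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Route LAN -> Internet, and only the replies back in.
    $IPT -A FORWARD -i "$int_if" -o "$ext_if" -s "$lan_net" -j ACCEPT
    $IPT -A FORWARD -i "$ext_if" -o "$int_if" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Hide the LAN behind the server's external address.
    $IPT -t nat -A POSTROUTING -o "$ext_if" -s "$lan_net" -j MASQUERADE

    # Let the kernel pass packets between the two cards (only when really loading rules).
    [ "$IPT" = iptables ] && echo 1 > /proc/sys/net/ipv4/ip_forward
    return 0
}

# eth1 is the LAN card and eth0 faces the ADSL router, as in the diagram above.
case "${1:-}" in
    start) build_firewall eth1 eth0 10.0.1.0/24 ;;
    stop)  $IPT -F; $IPT -t nat -F; $IPT -P INPUT ACCEPT; $IPT -P FORWARD ACCEPT ;;
    *)     echo "usage: $0 start|stop" ;;
esac
```

Run it as root with the start argument; running it with IPT=echo first lets you read the rules it would load before touching a live box.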

Samba
=====

Samba is the piece of software that will allow you to produce network shares, which in Windows will appear as shares under Network Neighbourhood. pico /etc/samba/smb.conf to set it up. Generally, you should set the workgroup to the same for all computers on your local network, which you can do for your other computers using the settings inside Windows Control Panel. I use something like HOME or OFFICE for this so, for example, all the machines in the office have a workgroup of OFFICE. Also, for simple purposes, security = share (no per-user logins; anyone on the trusted local network gets guest access) is fine.

You should also set a name for the server, which can be anything you like but which is probably better off as "server" or something simple. With just a name and workgroup configured, saving the file and rebooting (all this rebooting is *completely* unnecessary under Linux but it's quicker to type... :-)) the machine should appear under Network Neighbourhood of any Windows machine on the local network with the same workgroup.

If not, check whether you can ping the server from one of the Windows machines (type ping followed by the internal IP address in a command prompt) and also try disabling the firewall on the server (chmod -x /etc/rc.d/rc.firewall). If disabling the firewall works, check your firewall config... all machines on the local network should be able to have unrestricted access to the server if they are on a card which is listed in rc.firewall as being an internal interface.

Also, check any Windows firewall software you might have. Zonealarm, for instance, will sometimes throw a wobbler when it sees file-sharing protocol traffic from the server and this may make it block the server... in this case sometimes the internet will work for five minutes or so and then stop. Add the server IP address as a "Trusted" IP address in Zonealarm on the client machines to fix this.

Now the hard part: read through the shares part at the bottom of the /etc/samba/smb.conf file and comment out any you aren't going to explicitly use (except for the printers one, leave that one there) and then make your own, following their example. If you want to create a basic, empty share using the hard drive space that you have left over on the server, that you can store stuff on from your Windows machines, it's best to do this:

Type mkdir /mnt/share. This makes a directory for us to use.
Type chown nobody:nogroup /mnt/share. This hands the directory to the unprivileged "nobody" user that Samba maps guest connections to.
Type chmod a+rwx /mnt/share. This lets everyone read from, write to and enter that directory (a directory needs the x bit before anyone can get into it).

Add the following share to smb.conf:-

[storage]
browseable = yes
comment = General storage
guest ok = yes
path = /mnt/share
read only = no

The share should now show up and be writable (i.e. you can save files to it) from the Windows machines.

If you install more hard drives into this machine, you can incorporate them into this share by putting a line for them into your /etc/fstab and making the directory inside /mnt/share.

An example fstab might be:

#
# /etc/fstab
#
#

/dev/hda1 / ext2 defaults 1 1
/dev/hdb1 /mnt/share/another ext2 defaults 0 0

To prepare this second hard drive and show it under the existing share, you can use:

mkdir /mnt/share/another (this creates the directory that it will "live" under).
Edit the /etc/fstab file as above
cfdisk /dev/hdb and delete any partitions on this new hard drive. THIS WILL LOSE YOU ANY DATA OBVIOUSLY. Type carefully. (Note that by using /dev/hdb, we are modifying the SECOND hard drive that the computer sees.)

Create one large Linux partition on it, which should show as hdb1, and put a filesystem on it with mke2fs /dev/hdb1 before it can be mounted.

Similarly for hdc, hdd etc. as you add extra hard drives.

Printing
========

First pico /etc/rc.d/rc.modules and uncomment anything under the Parallel port sections (remove the # character from the beginning of the lines). When you reboot, typing lsmod should show up some stuff to do with "parport".

Then, use lynx to go to http://localhost:631 and in there you will find an interface that will let you add most laser printers. Any printers added should print a test page and should then appear under Network Neighbourhood as a shared printer.

If you have a non-laser printer or a strange standard one (e.g. Samsung), you can try with CUPS using Linux Printing.org's CUPS tutorial or use APSFilter:

/usr/lib/apsfilter/SETUP

(remember to cd back to the home directory when you are done).

APSFilter is more complicated and quite tricky to piece together.
