Building a Server from Scratch, Part 2: Firewalls, Port Forwarding, NAT, DHCP & TFTP

Welcome back! For all intents and purposes, we are going to pamper the expensive machine that we built last month. This time, we will look at firewalling, ADSL Router port forwarding, DHCP and TFTP.

Firewalls

Let me break the bad news: There’s no firewall software for Linux.

Surprised? Did I just say that all the people who run Linux servers, including the guys at GNU, have no firewall? Of course not. Well, technically, yes, they have no firewall software, but they have a firewall.

Let me explain. All network traffic in a Linux box is intercepted by the kernel. No direct access is allowed. So, inside the kernel itself, an entire firewall is implemented. We know of this firewall as iptables. The route command that we executed last month was a part of it.

This iptables cannot be called a firewall—it’s just a set of rules according to which network traffic is handled. The route command that we executed last month added a single default route that all network traffic directed towards the Internet, should take. Rules like this can be used to block viral traffic, or better still, accumulate the viral data in a file for inspection later (that is very complicated, though).

There are several different software available that act as GUIs for iptables, like XFWall. You can use these tools to control your network traffic. XFWall is a very good piece of software, but not entirely documented. Another such software is Firewall Builder, which is also very good (some say the best). However, let’s not forget that firewall configuration is unique for every network.

There is another simple, but expensive solution. It constitutes buying an ADSL router (modem), which has in-built firewalling capabilities. My aim was to make the server simple to maintain, and that involves not writing long scripts. If you have a Type-1 ADSL modem (1 port each for power, a phone-line and the network, respectively), then a separate router would be required anyway, because you require port forwarding, which is not present in Type 1 routers. If you go for this, I’d suggest one from Linksys (Cisco)—they’re quite easily available.

Network Address Translation

NAT, or Network Address Translation, is a protocol used to forward IP packets from one interface to another. This is a bit different from bridging. Anyway, NAT is essential if we want to browse the Internet from a client. To enable it, execute the following:

# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

In fact, it’s better you add these lines to the end of your /etc/rc.local file to set up NAT every time your server boots.

Note: If the system cannot find the iptables command, add an /sbin/ before it. If that too doesn’t work, you need to go for an apt-get install.

Port forwarding

This is another feature about which I cannot help you much. Port forwarding configuration is different for every modem. Anyway, the instructions here are a bit more general.

Only the ADSL modem can be seen by people on the Internet, not your server. Because of this, all traffic stops at your modem. Port forwarding is enabled to forward all data packets from the modem to the respective port on your computer. If an HTTP request is sent to port 80 of the modem, the request is forwarded to port 80 on your server, on which (hopefully) your HTTP server is running.
You can avoid port forwarding altogether if you do not have an always-on connection. I recommend you go for it, but you don’t have to. Make a call to your Internet service provider requesting your modem to be switched back to bridged mode. Use the static IP address you obtained from your ISP here. Now execute pppoeconf from your server. Configure the connection. When you are done, run pon dsl-provider to bring up the Internet connection. That’s it!

DHCP, PXE, DNS and TFTP

Now we begin with the juicy part: setting up the server. Before you start, make sure a client is connected to your server. For simplicity, go for a Linux client.

Issue this command: sudo apt-get install dnsmasq. This will install an all-in-one DNS, DHCP and TFTP server on your computer.
Before we start with DHCP, we need to configure the DNS forwarder. The configuration for DNSMASQ is stored in the /etc/dnsmasq.conf file. We need to edit it. But first, execute these commands:

# mkdir /etc/dnsmasq
# mv /etc/resolv.conf /etc/dnsmasq/resolv.upstream
# echo “nameserver 127.0.0.1” > /etc/resolv.conf

This moves the previous /etc/resolv.conf file to /etc/resolv.upstream and creates a new resolv.conf that references the locally running DNSMASQ. Right now, Internet browsing should not be working.

Open the /etc/dnsmasq.conf file for editing in a text editor and set the following parameters (uncomment them if necessary):

  1. First of all, set it to listen on ‘loopback’ and ‘eth1’. Do this by setting two interface lines:
    except-interface eth0
    except-interface ppp0
  2. Set DNSMASQ to reference /etc/resolv.upstreamto get the list of upstream name servers:
    resolv-file=/etc/dnsmasq/resolv.upstream
  3. Increase the cache size to 1024:
    cache-size=1024
  4. Set the domain name to anything you like:
    domain=anything-you-like.local
  5. Now the main part: enable DHCP and set the lease time to ‘infinite’:
    dhcp-range=192.168.1.10,192.168.1.254,255.255.255.0,infinite
  6. Set up a Microsoft Windows hack to release DHCP leases on shutdown:
    dhcp-option=vendor:MSFT,2,1i
  7. Set up the PXE server:
    dhcp-boot=pxelinux.0
    enable-tftp
    tftp-root=/tftpboot
  8. Set some miscellaneous options:
    dhcp-leasefile=/etc/dnsmasq/dnsmasq.leases
    dhcp-script=/bin/echo
    log-queries
    log-dhcp
  9. Disable authoritative DHCP: Comment the line, that is put a # sign at the beginning of the line that says “dhcp-authoritative”.

Right now, the configuration is a bit broken. Create the directories /tftpboot and /tftpboot/pxelinux.cfg.

Download the latest syslinux tar.bz2 file. Don’t worry, ‘Testing’ releases aren’t that broken. Extract it and copy the files core/pxelinux.0 and com32/menu/menu.c32 to /tftpboot.

As an exercise, we are going to download SystemRescueCD and set it up to boot over the network. Download the latest ISO, mount it and copy files rescuecd, initram.igz, sysrcd.dat, and sysrcd.md5 to /tftpboot/sysrcd/.

Copy the following lines to the /tftpboot/pxelinux.cfg/default file:

default menu.c32
prompt 0
menu title PXE Boot Menu

label sysrcd
menu label Boot SystemRescueCD
kernel sysrcd/rescuecd
append initrd=sysrcd/initram.igz setkmap=us vga=791 boottftp=tftp://192.168.1.1/sysrcd/sysrcd.dat

Disable PEERDNS if you are using PPPOECONF by commenting the “usepeerdns” line in the /etc/ppp/peers/dsl-provider file.

Now restart the dnsmasq server:

# /etc/init.d/dnsmasq restart

That should do it. Any machine that accesses PXE when booting will boot into the PXE Bootloader installed on your server. Find out from the motherboard manual of your client how to boot from the network. When you do so, you will be presented with a menu with a single entry.

Press Enter now. The kernels, rootfs and the datfile will be downloaded through TFTP and the kernel will be executed. Thus SysRCD will boot up on the client. It will get all its network configuration from DNSMASQ (DHCP).

What next?

Try browsing the Internet from your newly PXE-booted PC. If all goes well, you should be able to.

Tips: You don’t need to shut down or restart your server at all from now on. Keep it as it is, and try setting a Guinness Book World Record. On a more serious note, all maintenance, installations and removals will be performed dynamically.

Coming up next, we’ll set up two Web server instances on the same server: one to serve your Intranet and one to serve the public through the Internet. Till then, see you!

All published articles are released under Creative Commons Attribution-NonCommercial 3.0 Unported License, unless otherwise noted.
Open Source For You is powered by WordPress, which gladly sits on top of a CentOS-based LEMP stack.

Creative Commons License.