LinuxQuestions.org
Old 07-20-2005, 05:39 AM   #1
Centinul
Member
 
Registered: Jun 2005
Distribution: Gentoo
Posts: 552

Rep: Reputation: 30
Question Network / Firewall Setup


I have a couple of questions pertaining to Network and Firewall setup.

I'm going to be building a firewall soon and I would like to know how to configure the PCs behind the firewall so they can have internet access (like what IPs to give them, etc.). I'm pretty new to the whole networking idea (especially with Linux). There is one catch, though: when I return to school in the fall, they only assign 2 IP addresses and I have three computers (firewall, laptop and desktop). How do I get around this? I don't have a router to put behind the firewall, only a hub. Essentially I want to set my network up like the following (sorry about the diagram, but spacing doesn't work):


Firewall ----> Hub -----> Desktop, Laptop


Like I mentioned above, I don't know how to configure the PCs to get access through the firewall, especially since I'm limited with IP addresses. I've heard people mention a "gateway" but I wouldn't know how to set one up. I've also heard of having a firewall / router so I could get more IPs, but I don't know how to set that up either. Thanks for the help!


Last edited by Centinul; 07-20-2005 at 05:41 AM.
 
Old 07-20-2005, 07:56 AM   #2
oneandoneis2
Senior Member
 
Registered: Nov 2003
Location: London, England
Distribution: Ubuntu
Posts: 1,460

Rep: Reputation: 48
You use IP masquerading to have multiple machines using a single IP address - Linux does it very well. My entire home Network (up to four PCs) all access the net thru a single router with just one WAN-side IP.

Depending on what you want to do with your firewall, a simple one is to use iptables to block ALL incoming traffic other than replies to your outgoing requests - this'll make it impossible for anybody to get access to your machine while still allowing you to chat & browse the web unrestricted.
 
Old 07-20-2005, 08:07 AM   #3
Centinul
Member
 
Registered: Jun 2005
Distribution: Gentoo
Posts: 552

Original Poster
Rep: Reputation: 30
I'm still very new with IPTables. I'm trying to learn that also so I can set up the firewall.

So do I have to set up a gateway on the firewall box so the PCs can get access to the internet?


Essentially, how do the PCs know what to go through to access the internet?

Thanks!

Last edited by Centinul; 07-20-2005 at 08:16 AM.
 
Old 07-20-2005, 08:24 AM   #4
oneandoneis2
Senior Member
 
Registered: Nov 2003
Location: London, England
Distribution: Ubuntu
Posts: 1,460

Rep: Reputation: 48
That would probably be the easiest way to connect more PCs than you have IP numbers, yes.

I don't have my current firewall config available, but a simple & effective ruleset is something like:

Code:
#Set the default policy to "Drop everything"
iptables -P FORWARD DROP
iptables -P INPUT   DROP
iptables -P OUTPUT  DROP

#Allow traffic out & allow replies back in:
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Allow your computer to talk to itself:
iptables -A OUTPUT -j ACCEPT -o lo
iptables -A INPUT -j ACCEPT -i lo
You can improve it further to allow only specific traffic out, such as only allowing outbound requests to port 80 so only web traffic is allowed, but this is a good place to begin. . .
 
Old 07-20-2005, 08:36 AM   #5
Centinul
Member
 
Registered: Jun 2005
Distribution: Gentoo
Posts: 552

Original Poster
Rep: Reputation: 30
Thanks for the sample config. I will save that so I can use it when I start building my firewall.
 
Old 07-20-2005, 10:04 AM   #6
fr_laz
Member
 
Registered: Jan 2005
Location: Cork Ireland
Distribution: Debian
Posts: 384

Rep: Reputation: 32
Hi,

For the PCs to access the internet, you have to configure their:
1/ IP address, say 192.168.0.1, 192.168.0.2...
2/ Netmask, say 255.255.255.0 (every PC/router/firewall on the same network MUST have the same netmask, it's used to know what part of the IP address is used to address the subnet and what part is used to identify each host)
3/ Gateway, the IP address of the network adapter of the firewall that is on the same subnet as the PCs (so NOT the IP given by your provider).
4/ DNS, the IP addresses of nameservers provided to you by your provider (unless you have your own DNS server)

You can easily configure all this by right-clicking on your network adapter icon and selecting options, or configuration (just don't remember at the moment) under Windows... Under Linux, that will depend on your distro, but this is usually well documented on the internet.


That was for the PCs. I'll add 2 things to what oneandoneis2 proposed for the firewall config:
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 ! -d 192.168.0.0/24 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

The first line will configure masquerading, which enables NAT (network address translation) in iptables: every packet coming from your LAN and going to the internet will use your public IP address.

The second line enables packet forwarding from one interface to another: if the /proc/sys/net/ipv4/ip_forward file contains 0, then packets cannot be transferred from one network adapter to another.

Good luck...
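
Added example (not part of either poster's reply): the fragments from posts #4 and #6 combined into one gateway ruleset. With `iptables -P FORWARD DROP` from post #4 in place, the MASQUERADE rule alone passes no LAN traffic, so this sketch adds two FORWARD rules; it uses `-m conntrack --ctstate`, the current form of the thread's `-m state --state` match. The interface names eth0 (WAN) and eth1 (LAN) and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example: gateway ruleset combining the thread's two fragments.
# Assumptions (not from the thread): eth0 = WAN, eth1 = LAN, and a DRY_RUN
# switch that prints the commands instead of executing them (the default).
DRY_RUN="${DRY_RUN:-1}"

# Execute a command (needs root), or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# gateway_rules WAN_IF LAN_IF LAN_NET
gateway_rules() {
    wan="$1"; lan="$2"; net="$3"

    # Default-deny on all three chains, as in post #4.
    run iptables -P INPUT DROP
    run iptables -P OUTPUT DROP
    run iptables -P FORWARD DROP

    # The firewall's own traffic: loopback, outbound, and replies.
    run iptables -A INPUT  -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT
    run iptables -A OUTPUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
    run iptables -A INPUT  -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # Forwarded traffic: LAN hosts may open connections towards the WAN;
    # only replies to those connections are let back in.
    run iptables -A FORWARD -i "$lan" -o "$wan" -s "$net" \
        -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -i "$wan" -o "$lan" -d "$net" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # Masquerade LAN traffic leaving on the WAN interface (post #6).
    run iptables -t nat -A POSTROUTING -s "$net" -o "$wan" -j MASQUERADE

    # Enable routing between interfaces (post #6).
    run sysctl -w net.ipv4.ip_forward=1
}

gateway_rules eth0 eth1 192.168.0.0/24
```

Run as-is to review the generated commands; set `DRY_RUN=0` and run as root on the firewall box to apply them.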
 
Old 07-20-2005, 10:08 AM   #7
Centinul
Member
 
Registered: Jun 2005
Distribution: Gentoo
Posts: 552

Original Poster
Rep: Reputation: 30
fr_laz thanks! You cleared that right up.

Now I just need to figure out how to use IPTables and set up a gateway.
 
  


All times are GMT -5.