Configuring Linux Router/Firewall


These instructions assume a Linux computer with an Ethernet card, and an ADSL-modem. The Linux computer routes and does NAT for the other computers on the LAN, so they can reach the internet (via the ADSL modem). The following instructions show you how to enable incoming connections on a certain port and forward them to the appropriate computer.

1. Login to your Linux computer as root.

2. If you are in a GUI environment, open a terminal/console window.

3. Enter an iptables command which should look something like this:

iptables --protocol tcp -t nat -A PREROUTING -i ppp0 --dport 10200 -j DNAT --to-destination 192.168.42.11:10200

You will have to replace some of the text in the above example with the correct information:

  • 10200 is the port number of the program you are trying to use (for example, Haxial NetFone). Note that the port number appears twice: the first is the port number the public sees, the second is the internal/LAN port number. For simplicity, I suggest you keep both of them the same.

  • 192.168.42.11 is the LAN address of the computer which is running the program you are trying to use (for example, Haxial NetFone).

  • ppp0 is the networking device of the ADSL modem.

4. Now people on the internet can connect to you by using your public/internet IP address with the port number you configured (10200 in the above example).

5. You can repeat these steps to enable incoming connections for more programs or computers.


Restarting The Computer

IMPORTANT NOTE: The iptables rules are not added permanently; they are lost after restarting the computer. So you would normally add the iptables command(s) to a runlevel script or similar. How this is done depends on which Linux distribution you use, so you should consult the documentation that came with your distribution. However, for many Linux distributions, the following instructions or something similar should work:

1. Locate the runlevel scripts. They are probably in /etc/init.d/, which holds the actual scripts. The rcX.d/ directories (where X is the runlevel) contain only links to the files in /etc/init.d/: every rcX.d/ holds the scripts (or rather the links to them) which should be run on a runlevel change TO that runlevel.

2. Change to the runlevel scripts directory using the "cd" command:

cd /etc/init.d

3. You can create the new iptables script by copying one of the existing scripts and modifying it. Copy one of the scripts to a new name:

cp sendmail iptables

4. Edit the new iptables file using "vi": remove all lines concerning sendmail (the previous use of the script) and add the iptables command as described above.

vi iptables

5. Create a link in the appropriate runlevel directory to the iptables script file. "S" means that "start" will be passed as the argument to the script, and 99 only determines the ordering.

ln -s /etc/init.d/iptables /etc/init.d/rc3.d/S99iptables


Finding Your Public Internet Address

You cannot tell someone on the internet to connect to you using an address that begins with 192.168.x.x or 10.x.x.x because this is the private LAN address of your computer. You need to tell them your public/real IP address instead, which can be obtained as follows.

1. Enter this command into a terminal/console:

ifconfig -a

2. All of your interfaces are displayed. Look for the one that is your modem (cable, ADSL, or whatever your connection to the internet is). For example, it might look like this:

ppp0      Link encap:Point-to-Point Protocol 
          inet addr:123.456.74.99  P-t-P:217.5.98.39  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:1275 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1190 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0

3. The address shown after "inet addr:" (123.456.74.99 in this example) is your internet address.


Very Strict Firewalls

If you have your Linux firewall configured so that the default policy for the FORWARD chain is DROP (i.e. deny), then it is necessary to add a rule like this:

iptables -A FORWARD -i ppp0 -p TCP --dport 10200 -j ACCEPT

This is in addition to the DNAT rule mentioned above. Otherwise the packets arriving from outside, even though DNAT has already rewritten their destination to the LAN computer, will simply be discarded by the FORWARD chain.
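The steps above (the DNAT rule, the runlevel script, and the extra FORWARD rule for strict firewalls) combined into one start/stop script, as an added example that is not part of the original page. The interface, LAN address and port are assumptions taken from the examples above and can be overridden through the environment; the FORWARD rule additionally restricts the destination to the LAN host, which is tighter than the rule shown above.

```shell
#!/bin/sh
# Added example, not from the original page: an init.d-style script that adds the
# DNAT rule and the matching FORWARD rule on "start" and removes both on "stop".
WAN_IF="${WAN_IF:-ppp0}"                 # network device of the ADSL modem (assumed)
LAN_HOST="${LAN_HOST:-192.168.42.11}"    # LAN computer running the program (assumed)
PORT="${PORT:-10200}"                    # public port == internal port, as suggested
IPTABLES="${IPTABLES:-iptables}"         # set to "echo" for a dry run
# Rule arguments for a given action (-A adds, -D deletes). Keeping them in one
# place guarantees that "stop" removes exactly what "start" added.
dnat_rule() {
  printf '%s\n' "-t nat $1 PREROUTING -i $WAN_IF -p tcp --dport $PORT -j DNAT --to-destination $LAN_HOST:$PORT"
}
# The FORWARD rule also matches the destination, so it only admits the traffic
# that the DNAT rule has already redirected to the LAN host.
forward_rule() {
  printf '%s\n' "$1 FORWARD -i $WAN_IF -p tcp -d $LAN_HOST --dport $PORT -j ACCEPT"
}
# A port must be a plain integer in 1..65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}
# The target must be a dotted-quad IPv4 address in a private (RFC 1918) range,
# i.e. an address like the 192.168.x.x / 10.x.x.x LAN addresses mentioned above.
private_ipv4() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  [ "$1" -eq 10 ] && return 0
  [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
  [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
  return 1
}
# Validate the settings, then add (-A) or delete (-D) both rules.
apply() {
  valid_port "$PORT" || { echo "invalid port: $PORT" >&2; return 1; }
  private_ipv4 "$LAN_HOST" || { echo "not a private LAN address: $LAN_HOST" >&2; return 1; }
  $IPTABLES $(dnat_rule "$1") && $IPTABLES $(forward_rule "$1")
}
case "${1:-}" in
  start) apply -A ;;
  stop)  apply -D ;;
  '')    ;;   # no argument: only define the functions (e.g. when sourced)
  *)     echo "usage: $0 {start|stop}" >&2; exit 1 ;;
esac
```

Copy it to /etc/init.d/iptables in place of the edited sendmail copy and link it from the runlevel directory exactly as in step 5 above.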

