Linux is built on networking. It's at the core of the operating system, not a bolted-on extension. This means that if you want to build an internet appliance, Linux is the obvious choice.
The most popular internet appliance is a router and most homes have one these days, translating your DSL or cable internet connection into Ethernet or wireless to be used by your computer. If you have more than one computer, such a device is even more important because it enables them to use the internet at the same time without getting their packets in a twist.
If you do have a number of computers, it's possible you have at least one that's neglected and gathering dust in a cupboard somewhere because it's no longer considered powerful enough for current needs. You've probably thought about putting it on eBay, but a combination of apathy and the rapidly diminishing value of older hardware means you never got round to it.
Well, you can give this box a new lease of life as an internet gateway. You may be asking why you would want to do this instead of using a pre-packaged modem/router.
One reason is that you can have far more control over exactly what goes on in the box, what functions it has and who can do what. Another reason for doing it is because it's a fun way of learning about such things, rather than just leaving it all to a magic black (or, more likely, white or silver) box.
There are two ways of approaching this task; the first is to use a distro specifically designed for the job, already set up with the packages you need. The other is to build it entirely yourself, using a minimal Linux installation and adding the software you need to do what you want.
This month, we'll look at the first path, but we'll cover the full DIY approach in the next issue.
Pick a distro
There are quite a few distros intended for use on firewall appliances, and some of them are based on FreeBSD rather than Linux. The distros can be divided into two groups, those that provide a dedicated firewall/router and those that comprise a more complete internet gateway, including things like print, mail, file and even web servers.
For this tutorial, we are concentrating on a pure gateway, a more flexible and powerful alternative to an off-the-shelf modem/router and one that enables the other services to be run more securely behind the firewall.
The distro that we've picked for this example is IPCop. We are using the stable 1.4.21 release, although the more adventurous might consider the 1.9 version.
You will also need a computer, obviously. Just about anything modern enough to be powered by electricity should be acceptable. An i586 or later box can handle the internet requirements of a medium-sized network.
There's no desktop with IPCop – after installation, everything is done remotely via a web browser, so memory requirements on the hardware are minimal. You will need a keyboard and monitor for installation, but these can be removed once the system has rebooted.
The computer will need at least two network interfaces: Ethernet for the local network and whatever your internet connection needs. This could be a PCI DSL modem card, another Ethernet card to connect to a standard cable or DSL modem or even just a USB port if you have no wired connection and are using a 3G dongle.
If you want to set up a demilitarised zone (DMZ) you'll need another Ethernet card, and you'll need a wireless card if you want this box to also act as a Wi-Fi access point. An Ethernet switch or hub plugged into the green Ethernet port will enable multiple computers to be connected to the network.
Installation
Boot from the IPCop CD to get into the text-based installer. If you have only used the graphical installers of the likes of OpenSUSE, Mandriva and Ubuntu, this may come as a bit of a shock – use the cursor keys to move around, the Space bar to select options and Enter to proceed.
Heed the warning early on: this installer will wipe your hard drive. You can't dual boot your router with Windows – this is a one-shot machine.
The lack of partitioning or package choices means there's very little for you to do prior to installation. Select Skip at the restore screen. The next step is to pick the Ethernet interface to use for the green network; the other interface(s) will be set up later.
Letting the installer probe for a suitable interface is generally best, although there are manual configuration options should your network adaptor need special module options passed to it. Because the router will also act as a DHCP server for your network, it must have its address assigned statically. If in doubt what to put here, 192.168.1.1 is a good choice.
You are now given the web address for configuration, so make a note of this. The network configuration type is one of the most important choices during installation; the historical default is to use Ethernet for green and a modem for the red network. If your modem connects via Ethernet, change this to GREEN + RED.
Choose the option that includes ORANGE or BLUE if you also want a DMZ or wireless sector in your network – you can change this later if you would rather keep it simple and just set up the red and green networks to start with.
You then need to tell IPCop what to use for the extra interfaces in the Drivers And Card Assignments section.
The DNS and Gateway section can be left blank if your modem gets this information from your ISP with DHCP, but the DHCP configuration section relates to the addresses that IPCop gives out over the green and blue networks. You specify a range of addresses from which IPCop can choose, but leave some for any computer that may use static addressing.
I generally start the DHCP range at 100 (192.168.1.100 if you used 192.168.1.1 for IPCop itself) and use lower addresses for any static allocations, for no other reason than it makes it immediately obvious whether an address has been given by DHCP.
You must also enable the DHCP server here. The primary DNS server can be left at the address of the IPCop computer, which means IPCop will act as a DNS cache, speeding up lookups when the same domain is referenced by more than one computer – how many computers on your network don't look up www.google.com or www.linuxformat.com?
Finally, you need to set passwords for three users: root, which you won't normally use unless you want to log in directly on the router; admin, the user of the web interface, which is where you will normally do your configuration; and backup, a separate account for backups. Give each a different, strong password. Now you can remove the installation CD and reboot.
The computer will reboot to an unhelpful-looking login prompt, but you won't be using this. Open a browser on another computer on the green network and go to https://192.168.1.1:445, replacing the IP address with whatever you set in the installation.
If the computer you're connecting from had its network started after rebooting the router, you can use the hostname set in the installation instead; the default is ipcop (https://ipcop:445). Your browser will probably complain about an untrusted certificate when connecting, which you can tell it to accept.
This is because IPCop is using a certificate it generated for itself during installation, so your browser has no way to check its trustworthiness. Since you've just installed it on your own network, you know you can trust it. The one caveat is that if the same warning reappears later, when you haven't reinstalled or regenerated the certificate, don't just click through again: check what is answering on that address first.
Remember the admin user's password you set up during installation? IPCop enables you to view the home page without it, but selecting anything pops up a password requester.
The first link you should select is System > Updates, since the home page will have told you there are updates available. Press the Download button; it doesn't appear to do much, but after a moment the description of the update should appear in the section below. Press Apply Now to install it.
If you see an error that this is not an authorised update, your hardware clock is probably way out. This isn't uncommon on hardware that has not been used for years or had a BIOS reset.
Go to Services > Time server and set the time manually. Then tick the box to use a network time server and press Save. You have to set the time manually first because NTP will not change the time if the jump is too great.
The web interface is where you do everything from now on. If you want, you can now power down the router, disconnect the keyboard and monitor and tuck it away somewhere out of sight and sound before switching back on (but make sure it has enough air to cool itself).
Your new router should now be providing DHCP and DNS services to your local network and giving access to the internet, so it's time to start exploring the options.
Your first stop should be System > Backup, where you can create a DAT file containing all your settings, enabling you to roll back if your changes don't work out as intended. Do this before you start experimenting. You can even use the Export button to transfer this to a USB stick for safe keeping.
Explore the features
IPCop provides a number of services that are not enabled by default but are worth investigating and turning on.
These can be found in the Services menu and include a web proxy, to reduce traffic and response times for commonly used pages, a time server, a dynamic DNS feature to update your IP address on services like www.dyndns.org, intrusion detection with Snort and traffic shaping. The last is useful when several machines share limited bandwidth: you don't want someone's BitTorrent download of the latest Ubuntu ISO image to slow down your browsing of the Fedora forums.
By setting various port ranges to High for email ports such as 25, 110 and 143, Medium for web ports 80 and 443, and Low for FTP (21) and BitTorrent (6881–6999) you can stop file downloads from slowing down browsing by too much while making sure that email always gets through.
We said that you can add a network post-installation, so how do you do this when there doesn't appear to be an option in the web interface? The answer is that this has to be done on the command line, either directly on your IPCop box (assuming it still has a keyboard and monitor) or via an SSH connection from the green network. For the latter, you need to enable SSH access from the System menu, then connect to it with: ssh -p 222 root@ipcop
Then run setup to get a curses GUI similar to the installer from where you can change choices made at that time. Go into Networking > Change Network Type and pick GREEN + ORANGE + RED to add a DMZ, or add a BLUE for a wireless sector. Either way, you must have a suitable network card already installed in the computer.
Go to Drivers And Card Assignments to pick the card for the new network, then use Address Settings to pick an address for the new network's interface. This must be on a different subnet, so if you used 192.168.1.1 for green, use 192.168.2.1 for orange.
Once you have done this, turn SSH access off again: an extra root login on the router that you aren't using is an unnecessary risk.
Setting up the DMZ
Now that you have a DMZ, you can begin setting it up. There is no DHCP server on the orange network, so any computer you add here should have a static address, which is a good thing if you're providing access from outside because you need to forward traffic to a specific address.
To set up access to a web server with the address of 192.168.2.2, the first step is to set up port forwarding, just as you would on a standard modem/router, except here we are forwarding to the server on the DMZ.
Go to the Firewall > Port Forwarding page. The Source IP Or Network box is normally left blank, to enable access from all external addresses, but you can restrict access to a specific address or range if you wanted your server to only be accessible from one location (although a VPN may be a more suitable approach in this situation).
Set the source and destination ports to 80 (HTTP) and the Destination IP to 192.168.2.2, press Add to see the rule appear in the list below. Now hit Reset and repeat the process for port 443 (HTTPS).
Now you have a web server that is accessible from the internet and from your LAN (the green network), but it cannot access your green network. This means that if the server, or perhaps some PHP code it is running, is exploited, it can only harm itself (and anything else you have put in the DMZ), not the rest of your computers.
There may be times when your web server needs to communicate with a machine on the green network, for example sending a backup of its MySQL tables.
IPCop has a feature called a DMZ pinhole that provides restricted access from one computer in the orange network to one port on one computer in the green network. This is set up in Firewall > DMZ Pinholes, but use this option only when you have to, because every pinhole is a path from your least trusted network into your most trusted one and partially compromises the security provided by the DMZ. Keep each one as narrow as the feature allows: one source host, one destination host, one port.
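Most of the mistakes in a setup like this are made on paper before anything is typed into setup or the web interface: an orange subnet that overlaps green, a DHCP pool that swallows the router's own address or a static host, a port forward aimed at a machine on green instead of the DMZ, a pinhole that is wider than one host and one port. The following is an added example, not code from the article or from IPCop, that checks a planned addressing scheme against the rules stated above for DHCP ranges, the green/orange split, port forwarding and pinholes. The plan dictionary, its field names and the two sample plans are constructed for illustration and are not an IPCop file format.

```python
"""Sanity-check a planned IPCop-style network layout before configuring it.

Added example; not part of the original article and not IPCop's own code.
The plan layout below is this example's own assumption, not an IPCop format.
"""
from ipaddress import ip_address, ip_interface

# Constructed plan mirroring the article: 192.168.1.1 for green with DHCP
# from .100 upwards, 192.168.2.1 for orange, a web server at 192.168.2.2.
PLAN_OK = {
    "interfaces": {"green": "192.168.1.1/24", "orange": "192.168.2.1/24"},
    "dhcp": {"zone": "green", "start": "192.168.1.100", "end": "192.168.1.199"},
    "static_hosts": {"printer": "192.168.1.10", "webserver": "192.168.2.2"},
    "port_forwards": [
        {"proto": "tcp", "port": 80, "dest": "192.168.2.2"},
        {"proto": "tcp", "port": 443, "dest": "192.168.2.2"},
    ],
    "pinholes": [{"src": "192.168.2.2", "dst": "192.168.1.10", "port": 3306}],
}

# Constructed plan with the classic mistakes: orange overlaps green, the DHCP
# pool covers the router and a static host, a forward lands on green, and a
# pinhole source is not in the DMZ at all.
PLAN_BAD = {
    "interfaces": {"green": "192.168.1.1/24", "orange": "192.168.1.129/25"},
    "dhcp": {"zone": "green", "start": "192.168.1.1", "end": "192.168.1.254"},
    "static_hosts": {"printer": "192.168.1.10", "webserver": "192.168.2.2"},
    "port_forwards": [{"proto": "tcp", "port": 80, "dest": "192.168.1.10"}],
    "pinholes": [{"src": "192.168.2.2", "dst": "192.168.1.10", "port": 3306}],
}


def zone_of(addr, nets):
    """Name of the first zone whose subnet contains addr, or 'no zone'."""
    for name, net in nets.items():
        if addr in net:
            return name
    return "no zone"


def check_plan(plan):
    """Return a list of human-readable problems; an empty list means the plan is sane."""
    problems = []
    ifaces = {name: ip_interface(cidr) for name, cidr in plan["interfaces"].items()}
    nets = {name: iface.network for name, iface in ifaces.items()}

    # 1. Each zone needs its own subnet; IPCop routes between them, so they must not overlap.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")

    # 2. The DHCP pool must sit inside its zone and leave out the router and static hosts.
    dhcp = plan["dhcp"]
    zone = dhcp["zone"]
    start, end = ip_address(dhcp["start"]), ip_address(dhcp["end"])
    if zone not in nets:
        problems.append(f"dhcp zone {zone} has no interface")
    else:
        if start not in nets[zone] or end not in nets[zone]:
            problems.append(f"dhcp range {start}-{end} not inside {zone} {nets[zone]}")
        if start > end:
            problems.append("dhcp range start is after end")
        router = ifaces[zone].ip
        if start <= router <= end:
            problems.append(f"dhcp range contains router address {router}")
        for host, addr in plan["static_hosts"].items():
            if start <= ip_address(addr) <= end:
                problems.append(f"static host {host} {addr} inside dhcp range")

    # 3. Anything the internet is forwarded to belongs in the DMZ, not on the trusted LAN.
    for fw in plan["port_forwards"]:
        dest = ip_address(fw["dest"])
        landing = zone_of(dest, nets)
        if landing != "orange":
            problems.append(f"forward {fw['proto']}/{fw['port']} to {dest} lands in {landing}, not the DMZ")

    # 4. A pinhole is one orange host reaching one port on one green host, nothing wider.
    for ph in plan["pinholes"]:
        src, dst = ip_address(ph["src"]), ip_address(ph["dst"])
        if zone_of(src, nets) != "orange":
            problems.append(f"pinhole source {src} is not in orange")
        if zone_of(dst, nets) != "green":
            problems.append(f"pinhole destination {dst} is not in green")
        if not 1 <= int(ph["port"]) <= 65535:
            problems.append(f"pinhole port {ph['port']} out of range")
    return problems


if __name__ == "__main__":
    for label, plan in (("good plan", PLAN_OK), ("bad plan", PLAN_BAD)):
        found = check_plan(plan)
        print(f"{label}: {'ok' if not found else ''}")
        for p in found:
            print("  -", p)
```

Run it against your own addresses before you sit down at the console; the checks are only the ones the article spells out, so a clean result means the plan is consistent, not that the firewall policy itself is right.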
There is lots more you can do with IPCop, but we've given you enough to get started. Browse around the web interface and read the associated documents on the IPCop website for more information.
First published in Linux Format Issue 139