Using Fedora as firewall.

Eric Diamond eric at
Sat Apr 17 17:18:27 UTC 2004


FC1 works great as a firewall. I run several for myself and my
customers. But, there's a bit more that needs to be done besides
configuring two network interfaces.

But first, the problems you've described so far, as they will get in the
way of a proper config.

Saturday, April 17, 2004 3:56 AM David Pettersson posted:

> Now I have two networking cards, one built into the 
> motherboard (eth0) and one in a PCI slot (eth1). When I tried 
> to do the same to give my WinXP box access to the internet I 
> couldn't get it right. When I connect to internet using eth0 
> everything is fine. When I start eth1 to the WinXP box it 
> works, but then I have no contact with the internet thru 
> eth0. To get contact with the internet again I have to stop 
> eth1 and restart eth0. Does anyone have a clue?

This sounds like you specified a default gateway on the eth1 interface.
Since it is a gateway, it shouldn't have one. The default gateway
setting is used to create default routes when the interface is brought
up. If you configure a gateway address on a gateway interface then
packets passed to it destined for other networks will not be routed
through it but rather passed on to its gateway. 

If that gateway exists, then things may still work, but it would be a
case of the network being able to route around a misconfiguration and
your actual traffic path would be drastically different than what you

If that gateway doesn't exist then all traffic goes into the bit bucket.
Even worse, if the gateway is defined as itself then you might even
create a routing loop.

> The internet company used DNS to assign network addresses and 
                            DHCP - Dynamic Host Configuration Protocol

DNS - Domain Name System (Service) - I've seen it written as both, and
both names work. DNS resolves names to addresses. DHCP configures
network interfaces (and other things).

> eth0 Link encap:Ethernet HWaddr 00:0E:A6:38:BC:53
>      inet addr: Bcast: 
>      Metric:1
>      RX packets:3820 errors:0 dropped:0 overruns:0 frame:0
>      TX packets:6080 errors:0 dropped:0 overruns:0 carrier:0
>      collisions:0 txqueuelen:1000
>      RX bytes:1871476 (1.7 Mb) TX bytes:840285 (820.5Kb)
>      Interrupt:10 Base address:0x7800
> eth1 Link encap:Ethernet HWaddr 00:30:4F:1E:0B:2A
>      inet addr: Bcast: Mask:
>      RX packets:10 errors:0 dropped:0 overruns:0 frame:0
>      TX packets:248 errors:0 dropped:0 overruns:0 carrier:0
>      collisions:0 txqueuelen:1000
>      RX bytes:759 (759.0 b) TX bytes:30639 (29.9 Kb)
>      Interrupt:11 Base address:0x1000

This much looks good. Just edit the eth1 config and make sure there's no
default gateway defined.

In order for the kernel to route traffic between the interfaces, you
must turn on packet forwarding. Edit /etc/sysctl.conf and set the

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

The first enables forwarding on all interfaces. The second enables
source route verification. This makes it harder for someone to get past
your firewall using address spoofing.

You then need to set up iptables for stateful filtering and
masquerading. That's a whole other dissertation, but one I've covered in
the past. Complete with sample script. Check in the archives from late
February or early March.

For now I've got to go. The wife and kids are waiting for me. I'm
holding the family up, again... ;)


Eric Diamond
eDiamond Networking & Security
eric at
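As an added example (not part of the original message, and not the archived script Eric refers to): a POSIX shell script that checks for the two problems discussed above, a GATEWAY= line in the inside interface's ifcfg file and the resulting second default route, and prints a starting ruleset for the stateful filtering and masquerading step. The interface roles (eth0 outside, eth1 inside), the 192.168.1.0/24 LAN and the sample `route -n` table are constructed assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the two-NIC
# Fedora gateway discussed above, plus a generator for the stateful
# filtering + masquerading rules the post defers to the list archives.
# Interface names, the LAN subnet and all sample output are assumptions.

# The reported symptom: a GATEWAY= line in ifcfg-eth1 (the inside NIC).
# Reads ifcfg text on stdin; returns 0 if an uncommented GATEWAY= line exists.
ifcfg_has_gateway() {
    grep -Eq '^[[:space:]]*GATEWAY='
}

# Count default routes in "route -n" or "ip route" output read from stdin.
# A correctly configured gateway box has exactly one, out the external NIC.
count_default_routes() {
    awk '$1 == "default" || ($1 == "0.0.0.0" && $3 == "0.0.0.0") { n++ }
         END { print n + 0 }'
}

# Constructed "route -n" output showing the misconfiguration: the DHCP
# default via eth0 plus a second default created by GATEWAY= on eth1.
SAMPLE_ROUTE_BAD='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth1
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0'

# Read-only look at the two sysctls the post sets; prints their live values
# (if readable) so this can run unprivileged on any Linux host.
show_forwarding_sysctls() {
    for f in ip_forward conf/default/rp_filter; do
        [ -r "/proc/sys/net/ipv4/$f" ] &&
            printf '%s = %s\n' "$f" "$(cat "/proc/sys/net/ipv4/$f")"
    done
    return 0
}

# Emit an iptables ruleset: default-deny INPUT/FORWARD, stateful return
# traffic only from the outside, LAN -> WAN allowed, MASQUERADE on the WAN
# side, and a drop for outside packets claiming a LAN source (belt and
# braces next to rp_filter). Prints commands instead of running them so
# the set can be reviewed first.
gen_firewall_rules() {
    wan=$1 lan=$2 lan_net=$3
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $lan -s $lan_net -j ACCEPT
iptables -A FORWARD -i $wan -s $lan_net -j DROP
iptables -A FORWARD -i $lan -o $wan -s $lan_net -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
EOF
}

# Usage when run directly:  sh gateway-check.sh demo
if [ "${1:-}" = demo ]; then
    printf 'default routes in sample table: %s\n' \
        "$(printf '%s\n' "$SAMPLE_ROUTE_BAD" | count_default_routes)"
    show_forwarding_sysctls
    gen_firewall_rules eth0 eth1 192.168.1.0/24
fi
```

On a real box, feed `route -n` (or `ip route`) straight into `count_default_routes` and the contents of `/etc/sysconfig/network-scripts/ifcfg-eth1` into `ifcfg_has_gateway`; anything other than one default route and no GATEWAY= on the inside NIC is the condition the post describes.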

More information about the fedora-list mailing list