Linux Gateway Notes

This gateway connects to the private trusted network via one ethernet interface and to the Internet via a separate ethernet interface.  The firewall allows restricted services to the Internet by TCP port, such as smtp, http, etc.  The server freely provides a wide spectrum of services to the private network, such as DNS, DHCP/DDNS, email SMTP and POP/IMAP, NIS/NFS, private web pages as well as public web access.  There are some links below to example config files.  Some examples are not available for security reasons; other examples have been sanitized.  These notes are for overall configuration with selected hints.  Please see the web pages and man pages for more complete documentation.
  1. ifconfig - network configuration
  2. named - Domain Name System (DNS)
  3. dhcpd - Dynamic Host Configuration Protocol update, private Dynamic DNS
  4. noip - Internet domain name, public Dynamic DNS
  5. iptables - NAT firewall
  6. email - postfix SMTP, POP, IMAP
  7. NIS - Network Information Service
  8. httpd - Apache Virtual Hosts
  9. SSL - Secure Sockets Layer
  10. ntpd - Network Time Protocol
  11. tripwire
files to modify/configure (ifup requires a fix):

1. ifconfig - network configuration

gateway/router server configuration

LAN_IF=eth0     # private-side trusted local network
INET_IF=eth1    # wild-side untrusted internet



Assign Private Network Addresses to the Internal LAN
ifconfig eth0 broadcast netmask

K > System > Network Configuration > Devices > eth0 > Edit > Ethernet Device > Protocols > TCP/IP > Edit
    Manual IP Address Settings
        Subnet Mask:
        Default Gateway Address:

edit /sbin/ifup # edit so that DHCPDARGS is appended each time so that the -R option is not lost

client configuration


edit /sbin/ifup # edit so that DHCPDARGS is appended each time so that the -D option is not lost

2. named - Domain Name System (DNS)


service named start
chkconfig named on

domain yourdomain
search yourdomain

dig -x
dig host.domain
tail -f /var/log/messages
echo "known secret text message" | mmencode
dnssec-keygen -a hmac-md5 -b 512 -n HOST rndckey
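As an added example (not from the original notes), this script builds the rndc/TSIG key stanza that named.conf and rndc.conf share, drawing the secret from random bytes rather than from a known text message piped through mmencode; the key name rndckey and the hmac-md5 algorithm are the notes' own, the output path is an assumption.

```shell
#!/bin/sh
# Added example (not from the original notes): generate the shared secret
# for the "rndckey" key from random bytes instead of a known text message,
# and write the key stanza that named.conf and rndc.conf both include.
KEYNAME=rndckey
ALGO=hmac-md5        # what the notes use; current BIND prefers hmac-sha256

# 64 random bytes = 512 bits (matching -b 512 above), base64 on one line
gen_secret() {
    dd if=/dev/urandom bs=64 count=1 2>/dev/null | base64 | tr -d '\n'
}

# Print the key stanza: key_stanza NAME ALGORITHM SECRET
key_stanza() {
    printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' "$1" "$2" "$3"
}

# Write the stanza to a file only its owner can read (path is the caller's)
write_key() {
    umask 077
    key_stanza "$KEYNAME" "$ALGO" "$(gen_secret)" > "$1"
}

# Usage; /etc/rndc.key is an assumed location:
#   write_key /etc/rndc.key
```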

3. dhcpd - Dynamic Host Configuration Protocol update, private Dynamic DNS (update dhcpd to a version with DDNS support; the RH7.2 dhcpd does not have DDNS)

route add -host dev eth0 # add this to your dhcpd init script

subnet netmask {
        option subnet-mask;
        option broadcast-address;
        option routers;
        option domain-name-servers;
        option domain-name "yourdomain";
}

# Command line options here

> /var/state/dhcp/dhcpd.leases
chkconfig dhcpd on
service dhcpd start
tail /var/log/messages

dhcpd -d -f eth0

4. noip - Internet Domain Name - public Dynamic DNS - recommended; free if you use their top-level domains, $24.95 for the No-IP+ service to be DNS for your own domain.

chkconfig noip on
service noip start

For your own domain name, register with one of the domain name registry services, then edit your DNS entry there to point at the No-IP+ DNS servers; see the documentation on the No-IP+ service for details.

5. iptables - NAT firewall

Kernel configuration:
make xconfig
Networking Options
y    Network packet filtering (replaces ipchains)
    IP: Netfilter Configuration
    m    IP tables support
    m    * - compile modules for Netfilter options except ipchains and ipfwadm

Mourani, Securing and Optimizing Linux,

There's also Oskar Andreassen's tutorial on iptables, which unfortunately is incomplete.
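An added example, not from the original notes, of the NAT firewall script this section and the firewall note in the email section describe for the two-interface layout of section 1: default-deny input, stateful forwarding from the LAN, MASQUERADE on the Internet side, and the restricted TCP services let in by multiport. The private range 192.168.1.0/24 and the service list 25,80 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): a minimal stateful NAT
# firewall for the two-interface gateway in section 1. The private
# range and the allowed service list are assumptions; edit them.
LAN_IF=eth0                # private-side trusted local network
INET_IF=eth1               # wild-side untrusted internet
LAN_NET=192.168.1.0/24     # constructed private range, use yours
INET_TCP_OK="25,80"        # smtp,http reachable from the Internet

# With DRY_RUN=1 the rules are printed instead of applied, so the
# rule set can be reviewed on a host without root or iptables.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

fw_rules() {
    ipt -F
    ipt -t nat -F
    # default deny inbound and forwarded traffic; the gateway may talk out
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # loopback and the trusted LAN reach every service on the gateway
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    # replies to connections the gateway itself started
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Internet-side packets claiming a private source address are spoofed
    ipt -A INPUT -i "$INET_IF" -s "$LAN_NET" -j DROP
    # restricted services offered to the Internet, selected by TCP port
    ipt -A INPUT -i "$INET_IF" -p tcp -m multiport --dports "$INET_TCP_OK" \
        -m state --state NEW -j ACCEPT
    # forward LAN -> Internet, and only the replies back in
    ipt -A FORWARD -i "$LAN_IF" -o "$INET_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$INET_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # NAT: rewrite LAN source addresses to the Internet interface address
    ipt -t nat -A POSTROUTING -o "$INET_IF" -s "$LAN_NET" -j MASQUERADE
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# "review" prints the rule set; "apply" installs it (run as root)
case "${1:-}" in
    review) DRY_RUN=1; fw_rules ;;
    apply)  fw_rules ;;
esac
```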

6. email - postfix smtp, imap/pop

postfix - email SMTP

chkconfig sendmail on
service sendmail start

POP/IMAP - email access

edit /etc/rc.d/init.d/firewall # allow specific TCP port services via multiport
chkconfig ipop2 on
chkconfig ipop3 on
chkconfig imap on

7. NIS - Network Information Service

/etc/sysconfig/network # make sure to set the correct nisdomain name on all clients!


cd /var/yp
edit securenets # add your private net
edit Makefile
chkconfig ypserv on
service ypserv start


edit /etc/yp.conf # substitute your settings for HOSTNAME or NISDOMAIN
On server:
ypserver HOSTNAME
On clients:
domain NISDOMAIN broadcast
chkconfig ypbind on
service ypbind start

8. httpd - Apache VirtualHost

/etc/httpd/conf/httpd.conf # private network has a separate VirtualHost
<VirtualHost *>
    DocumentRoot "/var/www/public/html"
    ScriptAlias /cgi-bin/ "/var/www/public/cgi-bin/"
    ErrorLog logs/public-error_log
    CustomLog logs/public-access_log combined
    <Directory "/var/www/public/html">
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    <IfModule mod_userdir.c>
        UserDir public_html
    </IfModule>
</VirtualHost>

Make sure to define something similar for <VirtualHost _default_:443> if you permit TCP port https through the firewall.

chkconfig httpd on
service httpd restart

webbot - web walker that can be used to check (local-only) links, HTML, map out a web site.
linklint - fast html link checker, works for remote links.
    linklint -help_all
    linklint -doc linkdoc -host host.domain /@ -http # replace host.domain with site to test
    linklint -doc linkdoc @@linkdoc/remote.txt
    more linkdoc/urllog.txt # test results for remote links

9. SSL - Secure Sockets Layer

cd /etc/httpd/conf
rm ssl.key/server.key
rm ssl.crt/server.crt
/usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key
chmod go-rwx /etc/httpd/conf/ssl.key/server.key
make testcert
service httpd restart
[https shows the Self-Signed Certificate, but IMAP still seems to be picking up a default certificate]

10. ntpd - Network Time Protocol

edit /etc/ntpd.conf # recommend adding 3 stratum-2 servers
chkconfig ntpd on
service ntpd start

11. tripwire
man tripwire
man twfiles

NoBell Home - gjm - last update 4/13/2002