Any info on a firewall setup like this?


Fryguy8
04-27-2004, 10:47 PM
Well, I'm getting sick of dealing with the NAT firewall on my D-Link hardware router, so I'm going to convert to a Linux PC firewall tomorrow. However, I'm on somewhat of a budget and can't afford much downtime.

My current setup is internet -> router -> 3 computers (1 server box, my computer, parents computer).

One thing I want to verify before I start: can I use my router as a switch if I simply don't use the WAN port? This will disable all of the NAT features of the router, and it'll simply act like a switch, right?


The plan (if the above is true) is to get 2 NICs for the server box and make the server box (which does SSH, SMTP, HTTP, and IMAP) do routing/firewalling as well (1 NIC in from the cable modem, 1 NIC out to the switch, which will go to the other 2 computers). I guess another option would be 2 NICs out, 1 to each other computer, since I don't have a large network, but I'd like to save the $10 if possible.

So I'm looking for all information possible to aid me with the above setup. Anybody who's done similar setups, I'd appreciate links to kernel configs (I'm sure some kernel networking stuff has to be changed/added), getting 2 eth interfaces up (especially if they are both the same card, which they probably will be), as well as baseline iptables rules, and anything else I need to know about the general infrastructure.

Also, what would be the best/cheapest way to add wifi access to a setup like this?

Also, what type of processing power is necessary to be a firewall box?

GaryJones32
04-28-2004, 04:09 AM
Hi -- the firewall box does not have to be a speed demon.
That old box in the closet Aunt Jenny gave you will do fine.
Requirements are a little stiffer to also run a proxy or other services,
but you've got what you need going already,
so your server will work great.
No need for anything special to use two NICs;
one kernel module will do both if they are the same, I think.
Trouble is getting the NIC and the cable modem to get along.
http://tldp.org/docs.html
has some info about some ISPs -- seems they are all different, and different even for certain locations.
You will probably have to have the server be a DHCP client to the ISP,
so that takes running the client software.
I don't know for sure, but I imagine the D-Link can be a switch.
Then for the firewall you just use iptables.
Lots of people on the net will give you a working ruleset to use.
Also, using iptables you turn on NAT and IP forwarding.
Here are some simple rulesets -- I am assuming the second card, eth1, is connected to the cable modem and the other one, eth0, stays the network card (these just go in init.d with a link in your bootup runlevel).
For the firewall:

#!/bin/bash
# Change the path after the = to wherever iptables lives on your system
IPTABLES='/usr/sbin/iptables'
# Flush the existing rules in the INPUT chain
$IPTABLES -F INPUT
# This allows all data that has been sent out by the computer running the firewall
# to come back (for all of ICMP/TCP/UDP).
# For example, if a ping request is made it will allow the reply back
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth1 -p icmp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth1 -p tcp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth1 -p udp
# Allow traffic from ethernet adapter eth0 (the LAN side) to pass through
$IPTABLES -A INPUT -i eth0 -j ACCEPT
# Screw everything else, i.e. anything not arriving on the loopback interface
# (the "!" goes before the option; the older "-i ! lo" spelling is deprecated)
$IPTABLES -A INPUT ! -i lo -j DROP


For masquerading:

#!/bin/bash
IPTABLES='/usr/sbin/iptables'

# flush any old rules
$IPTABLES -F -t nat

# turn on NAT (IP masquerading for outgoing packets)
$IPTABLES -A POSTROUTING -t nat -o eth1 -j MASQUERADE


# enable IP forwarding (of incoming packets)
echo 1 > /proc/sys/net/ipv4/ip_forward
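One caveat for the setup Fryguy8 describes: the firewall script above accepts only ESTABLISHED traffic on eth1, so new connections from the internet to the server's own SSH, SMTP, HTTP and IMAP ports would be dropped. As an added example (not code from either poster), here is one combined ruleset for the two-NIC gateway that uses default-deny INPUT and FORWARD policies, opens those four services explicitly, and masquerades the LAN; the interface names, the 192.168.1.0/24 range and the port list are assumptions, and the script prints the commands unless it is run with the argument "apply".

```shell
#!/bin/bash
# Added example: two-NIC Linux NAT gateway that also hosts public services.
# Assumptions (adjust to your box): eth1 faces the cable modem, eth0 faces the
# old router used as a switch, LAN uses a constructed 192.168.1.0/24 range.
WAN=${WAN:-eth1}
LAN=${LAN:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
PUBLIC_TCP_PORTS=${PUBLIC_TCP_PORTS:-"22 25 80 143"}   # ssh smtp http imap
IPTABLES=${IPTABLES:-/usr/sbin/iptables}

# Print every command the firewall needs, one per line. Printing instead of
# executing lets the ruleset be reviewed before it touches a live box.
rules() {
    local p
    echo "$IPTABLES -F"
    echo "$IPTABLES -t nat -F"
    # Default deny for anything reaching the box or being routed through it;
    # the box's own outbound traffic is allowed.
    echo "$IPTABLES -P INPUT DROP"
    echo "$IPTABLES -P FORWARD DROP"
    echo "$IPTABLES -P OUTPUT ACCEPT"
    echo "$IPTABLES -A INPUT -i lo -j ACCEPT"
    # Replies to our own connections, plus RELATED traffic such as ICMP errors
    echo "$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Trust the LAN side only for packets that carry a LAN source address
    echo "$IPTABLES -A INPUT -i $LAN -s $LAN_NET -j ACCEPT"
    # Services the server offers to the internet: open each port explicitly
    for p in $PUBLIC_TCP_PORTS; do
        echo "$IPTABLES -A INPUT -i $WAN -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo "$IPTABLES -A INPUT -i $WAN -p icmp --icmp-type echo-request -j ACCEPT"
    # Routing: LAN hosts may start connections outward; only replies come back
    echo "$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPTABLES -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT"
    # NAT for the LAN behind the single public address on $WAN
    echo "$IPTABLES -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE"
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

# How many generated lines match a pattern (handy for checking the ruleset)
count_rules() { rules | grep -c -- "$1"; }

# Only apply when explicitly asked, so a review run never changes the kernel
if [ "${1:-}" = "apply" ]; then
    rules | sh -e
else
    rules
fi
```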