Configure a Debian Firewall Gateway

October 5, 2015


I am presenting to you, the Cybrary members, a Firewall/gateway configuration that’s used here in my home/HQ for Twisted Security.

It is recommended that you learn basic Linux command-line operations and know how to use the tools provided here to scan and monitor your firewall.


1. Install the Latest Debian Distro
a. Absolute minimal install
b. No web, FTP, mail or any other service not needed to run the gateway
c. Give the internal (LAN) interface, eth1 in the steps below, a static address ending in .10 of the internal network range


2. We'll Need Vim
a. Using Apt: apt-get install vim -y


3. A System Config to Forward IPv4
a. Using vim: vi /etc/sysctl.conf
b. Uncomment (or add) the line net.ipv4.ip_forward=1
c. Escape, :wq
d. Run sysctl -p to apply it now; otherwise it takes effect on the next reboot


4. Network Interfaces
a. The interface eth0 is set to DHCP to get its IP address from the modem
b. The interface eth1 is set to static, with the .10 address chosen in step 1, followed by its address and netmask lines
c. Using Vim: vi /etc/network/interfaces. eth0 is the external WAN interface and eth1 the internal LAN interface; both adapters should be of the gigabit variety

# External Network Adapter (eth0)
allow-hotplug eth0
iface eth0 inet dhcp

# The internal LAN Adapter (eth1)
# 1000 (Gigabit)
allow-hotplug eth1
iface eth1 inet static


5. Set Up the DHCP/DNS Server
a. A /24 (254 usable addresses) is plenty for the two dozen machines here; change the mask only if more are needed
b. Using Apt: apt-get install dnsmasq
c. In /etc: vi /etc/dnsmasq.conf
d. At the top: interface=eth1, so dnsmasq serves the LAN side only. Add bind-interfaces beneath it so the socket is not bound on the WAN address, and a dhcp-range= line for the LAN; without dhcp-range, dnsmasq only answers DNS and hands out no leases
e. Escape, :wq, then service dnsmasq restart
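Step 5 as written only points dnsmasq at eth1. On its own that neither starts a DHCP server nor keeps the DNS socket off the WAN address. The following is an added example, not from the original post: a small POSIX sh checker that flags a dnsmasq.conf missing the settings a gateway needs, run against a constructed minimal config (the one step 5 produces) and a constructed corrected one. The LAN interface (eth1), LAN range (192.168.1.0/24) and gateway address (192.168.1.10) are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example (not part of the original post): lint /etc/dnsmasq.conf for the
# settings a LAN gateway needs, then show a minimal config next to a corrected one.
# Assumptions: LAN interface eth1, LAN 192.168.1.0/24, gateway at 192.168.1.10.

# check_dnsmasq_conf FILE
# Prints one line per missing setting and returns the number of problems (0 = ok).
check_dnsmasq_conf() {
    conf="$1"
    problems=0
    # Drop comments and blank lines so a commented-out "#dhcp-range=" does not count.
    active=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf")
    has() { printf '%s\n' "$active" | grep -q "$1"; }

    if ! has '^interface='; then
        echo "missing interface=: dnsmasq answers on every interface, including the WAN"
        problems=$((problems + 1))
    fi
    if ! has '^bind-interfaces$'; then
        echo "missing bind-interfaces: dnsmasq still binds the wildcard address and only discards WAN queries after receiving them"
        problems=$((problems + 1))
    fi
    if ! has '^dhcp-range='; then
        echo "missing dhcp-range=: no DHCP server runs, LAN clients get no lease"
        problems=$((problems + 1))
    fi
    if ! has '^domain-needed$'; then
        echo "missing domain-needed: bare hostnames get forwarded to the upstream resolver"
        problems=$((problems + 1))
    fi
    if ! has '^bogus-priv$'; then
        echo "missing bogus-priv: reverse lookups for private (RFC 1918) addresses leak upstream"
        problems=$((problems + 1))
    fi
    return "$problems"
}

work=$(mktemp -d)

# Constructed sample 1: what step 5 above produces (interface=eth1 and nothing else).
cat > "$work/minimal.conf" <<'EOF'
interface=eth1
EOF

# Constructed sample 2: the corrected gateway configuration.
cat > "$work/gateway.conf" <<'EOF'
# Serve DNS and DHCP on the LAN interface only, and bind only there.
interface=eth1
bind-interfaces
# Never forward bare hostnames or private-range reverse lookups to the ISP.
domain-needed
bogus-priv
# Hand out 192.168.1.50-192.168.1.150 with 12-hour leases; the gateway keeps .10.
dhcp-range=192.168.1.50,192.168.1.150,12h
# Tell clients that this box is both their router and their DNS server.
dhcp-option=option:router,192.168.1.10
dhcp-option=option:dns-server,192.168.1.10
EOF

for f in minimal gateway; do
    echo "== $f.conf"
    if check_dnsmasq_conf "$work/$f.conf"; then
        echo "ok"
    fi
done
rm -rf "$work"
```

Run it on the gateway with `check_dnsmasq_conf /etc/dnsmasq.conf` after editing; `dnsmasq --test` then confirms the syntax before restarting the service.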


6. IP Tables
a. iptables is the standard means of securing a Linux server, and it is what makes this box a firewall rather than a plain router
b. The script below sets a default-drop policy, accepts new connections to the gateway only from the loopback and LAN interfaces, lets the LAN out through NAT, and refuses anything the outside tries to push inward. The negated interface match on the INPUT chain must name the WAN interface (eth0); negating eth1 instead would accept new connections from the Internet

#!/bin/sh
# firewall
# eth0 is the external WAN interface, eth1 the internal LAN interface.
# Delete all existing rules.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# Default policies: drop whatever is not explicitly allowed below.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Always accept loopback traffic.
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections, and new ones that do not arrive from the outside (eth0).
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
# Allow replies to LAN-initiated connections back in.
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# Masquerade.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Don't forward from the outside to the inside.
iptables -A FORWARD -i eth0 -o eth1 -j REJECT
# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
c. Save it as /etc/init.d/firewall and make it executable: chmod a+x /etc/init.d/firewall. A file in /etc/init.d does not run at boot by itself: either register it with update-rc.d firewall defaults (give it an LSB header block so it is ordered correctly), or place the same script in /etc/network/if-pre-up.d/ so it runs before the interfaces come up
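As an added example (not the script above, and not code from Twisted Security), here is the same policy written as an iptables-restore ruleset. Loading rules this way is atomic, so there is no window between the flush and the rules being in place, a parse check refuses a broken file before anything is touched, and the same file is what the iptables-persistent package loads from /etc/iptables/rules.v4 at boot. It uses the conntrack match, the current form of `-m state`. The interface names (eth0 WAN, eth1 LAN) and the use of iptables-persistent are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the gateway policy as an
# iptables-restore ruleset with a default-drop policy on INPUT and FORWARD.
# Assumptions: WAN interface eth0, LAN interface eth1, Debian with the
# iptables-persistent package so /etc/iptables/rules.v4 is loaded at boot.

# gen_rules [WAN] [LAN]: print the complete ruleset (filter + nat) to stdout.
gen_rules() {
    wan="${1:-eth0}"
    lan="${2:-eth1}"
    cat <<EOF
# Generated gateway ruleset: WAN=$wan LAN=$lan
*filter
# Default-drop: anything not matched below is dropped, not silently accepted.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is always fine.
-A INPUT -i lo -j ACCEPT
# Replies to connections this box opened.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New connections are accepted only when they do NOT arrive on the WAN side.
# (Negating the LAN interface instead would open the box to the Internet.)
-A INPUT -m conntrack --ctstate NEW ! -i $wan -j ACCEPT
# Drop packets conntrack cannot classify instead of guessing about them.
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# LAN -> WAN: allow. WAN -> LAN: only replies to LAN-initiated connections.
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Anything else the WAN tries to push inward gets an explicit reject.
-A FORWARD -i $wan -o $lan -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Hide the LAN behind the WAN address (a DHCP address, so MASQUERADE, not SNAT).
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# apply_rules [WAN] [LAN]: parse-check, load atomically, persist, enable forwarding.
# Run as root on the gateway only; a malformed file is rejected before any flush.
apply_rules() {
    tmp=$(mktemp)
    gen_rules "$1" "$2" > "$tmp"
    if ! iptables-restore --test < "$tmp"; then
        echo "ruleset failed to parse, nothing applied" >&2
        rm -f "$tmp"
        return 1
    fi
    iptables-restore < "$tmp"
    mkdir -p /etc/iptables
    mv "$tmp" /etc/iptables/rules.v4
    sysctl -w net.ipv4.ip_forward=1
}

# rules_have PATTERN [WAN] [LAN]: true if the generated ruleset has a matching line.
rules_have() {
    gen_rules "$2" "$3" | grep -q -- "$1"
}

# Stand-alone: print the ruleset for review (apply_rules is for the gateway itself).
gen_rules eth0 eth1
```

Review the printed ruleset, then run `apply_rules` as root on the gateway; `iptables -S` afterwards should show `-P INPUT DROP` and `-P FORWARD DROP` as the first two lines of the filter table.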


7. Restart the Server


8. Once Restarted, Install Security Software
a. Using Apt: apt-get install clamav rkhunter chkrootkit fail2ban
b. Run freshclam once so ClamAV has current signatures before the first scan. fail2ban's Debian default only watches sshd, which is enough for a gateway that runs nothing else


9. FastNetMon Anti-DDoS Analyzer
a. FastNetMon watches per-host traffic rates and, when a host crosses the flood threshold, can blackhole (null-route) its address or run an action script, so a DoS or DDoS against one machine does not saturate the link for everyone
b. Gain root access: su (or a user with sudo/admin rights)
c. Get the software wget   /src/
d. perl
e. Let it install
f. Type /opt/fastnetmon/fastnetmon --daemonize


10. Run a Full ClamAV Scan
a. Type cd / as root
b. Type clamscan -r --exclude-dir='^/(proc|sys|dev|run)' / so the scan skips the pseudo-filesystems, which hold no files on disk and can stall a recursive scan


11. Reboot all systems within the network (or renew their DHCP leases) so they pick up a new IP address and the DNS settings from the firewall.

It is my hope that this, in itself, will help others in locking down their internal networks, or even the office network given the correct configuration. Truth be told, my security layers are much deeper than this, but most are configured closely to this configuration, with different IP schemes, and my network is hidden quite securely behind four firewalls with a honeypot (monitored by my company) in my DMZ, drawing would-be attackers away from my primary network.


Scott Cilley
Twisted Security
