Linux as a router and firewall

March 9, 2023

Lang: cs en de es

If you have more than one internet device you need a router. At the same time, you need to protect the devices on your network from the dangerous Internet and sometimes even from your own devices. For all this you need a router with a firewall. And this is exactly one of the tasks that the Linux operating system is suited for. When you use the multifunctional Linux, you also get additional functionalities that you can use. And other benefits of a standardized Linux solution that you will appreciate in the long run. Find out what specific benefits Linux has on a router and how to secure such a solution in this article.

What is a router?

A router is a network device that is used to connect different networks and route data packets between them. A router typically operates at the network layer of the OSI model and allows data to be transferred between different networks with different protocols. A router can be used in different types of networks, including LANs (local area networks), WANs (wide area networks), MANs (metropolitan area networks), or the Internet. A router can also be used to distribute an Internet connection to multiple computers on a home or office network. In addition to routing data, a router can provide other features such as a firewall to provide network security, NAT to allow multiple devices on a private network to share a single public IP address, and DHCP to automatically configure the network and assign IP addresses to devices on the network.

What is NAT?

NAT (Network Address Translation) is a technology in computer networks that allows you to change the IP addresses and ports of packets transmitted between networks. NAT is most commonly used to connect private networks to a public network, such as the Internet. This allows multiple devices on a private network to use a single public IP address because public IPv6 addresses are scarce. Sometimes users also consider this to increase network security, but a firewall is used to provide secure separation. NAT can also be used to filter network access and hide internal IP addresses from the outside world.

What is a firewall?

A firewall (Czech for "firewall") is a security system, A firewall is a security system used to protect a computer network or individual computers from unauthorized access, attacks, and malware from the Internet or other networks. A firewall operates based on certain rules and filters that determine which network services are allowed or denied and which types of network can access specific resources. A firewall can be implemented in software or hardware form. (A firewall on your computer is considered software. Hardware is a specialized device that has unspecified software inside, and you place this box at the edge of your network) A firewall can be located at various points on the network, such as on a router, server or end stations. The main purpose of a firewall is to increase the security and protection of your computer network and minimize the risk of attacks from the network.

Why not use commercially available routers?

  • Little features.
  • Despite almost always running Linux inside, its advanced and varied features are not available.
  • Each device has different features.
  • Each device has a different administration interface. So you have to relearn it every time.
  • Often lacks ssh access

Linux

The role of router, NAT, firewall, and other activities are well taken care of by Linux. With Linux, you get a versatile and powerful foundation.

Why Linux?

Why have Linux on your router? Why have linux as a firewall?

  • Flexibility: Linux distributions offer many features and tools that allow you to configure your router to meet specific user needs. This allows you to build and configure the system to be fully tailored to your needs.
  • Security: Linux is known for its security. With a Unix-like architecture, open source code, mass usage and testing, more security is ensured.
  • Performance: Linux is low on performance due to this and can run on older devices not with new hardware to ensure operation on busy connections.
  • Stability: Linux is known for its stability and reliability, which means a firewall built on this operating system will have a much lower chance of crashes and outages.
  • Cost: Linux is free, and many Linux distributions for routers are also free. So you don't have to deal with constant payments and license management.
  • Support: Linux has a huge community of users and developers, which means users can easily find help from volunteers or professionals. There are many discussion forums and documentation that is comprehensive and of high quality, making it easy to configure the router.
  • Standard: Linux is a universal multi-platform standardized solution. You can therefore run it on a variety of devices from different manufacturers and different processors.
  • Multifunctional: You can also run other services such as VPN, web server, network printer, network storage on a Linux device.
  • Updates: since Linux is one of the most used operating system, updates are released for it regularly to ensure security first and foremost, as well as new features.
With a Linux router in combination with a firewall, you can divide your company network into individual parts and thus, in combination with a firewall, protect your network infrastructure much better.

How to get a router with Linux?

You have several options to get a router with Linux:

  • Manufacturer supports Linux. For example, the Turris router comes with Linux as standard.
  • Running computer - You can install Linux or a Linux distribution preloaded for router functionality on a regular computer with multiple network cards.
  • Hardware developed as a Linux-enabled router. There are various boards with x86 or SOC ARM CPUs such as Banana PI R1, which is ideal for use as a router. Already encapsulated devices designed for use as a router are also sold.
  • Buy a regular router that you verify ahead of time that you can load OpenWRT

What are the Linux distributions for router/firewall?

There are many Linux distributions that are optimized for use as a firewall. Some are BSD-based instead of Linux-based For example, these distributions are:

  • pfSense: is based on FreeBSD. A commercial project, the company supplies its own routers with this system.
  • OPNsense: is based on FreeBSD.
  • IPFire: a Linux distribution that provides a wide range of firewall and networking features.
  • IP cop - no longer in development
  • ClearOS: a Linux distribution designed for use as a firewall, router, and gateway. It also provides other features such as file sharing, email servers, and user management.
  • RaspAP: an application that can be installed on Debian base systems.
These distributions are designed to make it as easy as possible to install, configure and manage the device that will serve as your router and firewall. They not only address network security, but offer a wide range of other features.

Video

Video Linux as a router and firewall and how to secure it:

How is and would be addressed in a Linux firewall?

When talking about the Linux firewall, it's good to know what it's built on. Since it has continuously changed, we'll take it with history.

ipfwadm

Between 1995 and 1999, in kernel version 1.2.1 - 2.2.0, the firewall was addressed by a technology called ipfwadm It was a stateless filter, it was IPv4 only. It did not address NAT - that had to be dealt with on the side. Each packet was treated separately. The firewall had to be set to either open to everyone or no one, which is less secure.

ipchains

Between 1999 and 2001, kernel versions 2.2.0 - 2.4.0 used ipchains. To this day, you can find tutorials on this technology on the internet. It had IPv6 support., multiple protocols Still a stateless filter and thus the same drawbacks.

iptables

Since 2001, the iptables/netfilter technology has been in the kernel version 2.4.0. For now, it is still possible to switch to it Full stateful firewall. It can also work statelessly Universal netfilter (hooks), conntrack and NAT + iptables implementing generic rule tables. This makes it possible to set up and use a full stateful filter. (can also do stateless).

nftables

Since January 2014, nftables is available in the kernel since version 3.13. It does not replace netfilter, only iptables.

As of 2022, nftables is commonly available in server Linux distributions. For example, Debian 10 Buster has it set as default.

Firewall Extensions

Iptables and nftables is a firewall management tool for the Linux operating system. Using iptables or nftables, the user can set rules for accepting, blocking, and forwarding network traffic based on various criteria, such as source and destination address, port, protocol, and more. Iptables/nftables is integrated directly into the Linux kernel, allowing for efficient and powerful network protection.

However, you don't need to delve deep into the technology of iptables and nftable respectively. There are firewall management tools that offer a simple user interface for configuring the firewall.

Simplified firewall configuration tools that offer a simple user interface and easy rule management are:

  • Shorewall is a superset that is included by default in the Mageia distribution
  • UncomplicatedFirewall (UFW) is found, for example, by default in the Ubuntu distribution and its clones
  • Firewalld allows you to manage your firewall using a simple command-line or graphical interface, and also allows you to dynamically control access to services using so-called zones. Firewalld is the default firewall solution for Linux distributions that use the systemd system daemon. Examples of these distributions include RHEL/CentOS 7 and later, Fedora 18 and later, and OpenSUSE 15.0

Add-ons

Because Linux is an open solution, add-ons have always been created that use features directly in the Linux kernel or you can program your own. But this already applies to specific requirements such as a data center, advanced monitoring of what's happening on the network or providing internet connectivity.

Linux Deployment

Deploying Linux is easy, you can use a regular computer, a decommissioned router or try out a Linux router on a virtual machine(VPS). If you need advice on implementing Linux as a router and firewall feel free to contact me, I provide IT development and Linux services.

Articles on a similar topic

GitLab CI/CD: test automation and application deployment
Migrating VPS from VMware to Proxmox
VMware licensing change
Running Microsoft SQL Server on Linux
Backup: the Proxmox Backup Server
How to upload a docker image to the Docker Registry
Linux: logical volume management
Linux Software RAID
Running a web application behind a proxy
Mailbox migration
Docker multistage build
Backing up your data by turning on your computer
Podman
Importing Windows into Proxmox virtualization
Docker and PHP mail
Proxmox virtualization
Docker and Cron
Lenovo ThinkPad X1 Carbon: LTE modem EM7544 commissioning
Yocto Project: Build custom operating system for embedded devices
Preparing a Linux server to run a web application in Python
How to address poor file share performance in Docker
How to get started using Docker correctly
Installing Linux on a dedicated HPE ProLiant DL320e server
How to stress test a web application
Why use the JFS filesystem
How to boot from a 4TB drive with GTP using UEFI
Btrfs file system
Raspberry PI
WINE - running Windous programs under Linux
GNU/Linux operating system

Newsletter

If you are interested in receiving occasional news by email.
You can register by filling in your email news subscription.


+