JimsDojo

MiniITX Gentoo Linux Firewall and Gateway

I have been running a dedicated Linux gateway for as long as I have had broadband and this report outlines what I did in my latest gateway (the 4th I have made). This document is also a generic description of Linux gateway software, and hopefully it will help spread the word about some of the great Linux software that is out there which justifies using a PC gateway instead of a dedicated hardware router. I tend to use this price comparison site to find Linux-compatible hardware.

Hardware

In building this latest gateway there were a few things in the back of my mind. I wanted something powerful enough to run basic reporting processes, caching systems, SSH, downloading systems and anything else I might think of in the future. I did not want anything that consumed too much power, or I would pay more for power than the machine itself since it will be on 24/7. The machine needs to recover from power failures, and I want to keep noise to a minimum as it will be situated in my front room by the cable modem. I do not want to replace the machine for a long time, so it needs to be resilient and have as few moving parts as possible. I want to use a 1U case if possible so I can put it in my server cabinet and not take up too much space. Somehow I managed to accomplish all of these requirements with my box.

I bought a 1U dual-motherboard MiniITX case (Travla C147) which is pretty good. The PSUs that came with it had become disconnected, so I had to open the whole thing up and reconnect them to get the machine to boot the first time, but other than that I had no major problems. The PSUs had extremely noisy fans, so as a stopgap solution (until I switch those fans for something else) I use an external PSU (just a standard ATX PSU with the cables routed in through the back of the machine). This makes the machine just over 2U high, but the machine is quite shallow, so the PSU sits neatly in the background behind the case on the shelf in the cabinet and is nice and silent.

The motherboard is a fanless 800MHz MiniITX board. I got an IDE-Compact Flash adaptor, a 1GB compact flash card and a 512 MB stick of RAM as well. This enabled a completely silent machine with no moving parts. If you have never turned on a machine with no moving parts, I assure you it is very odd, as you are normally used to hearing the fans rev up. Since 1GB is not enough space to compile Gentoo, I put a 300GB hard drive in there as well. The 800MHz processor is fast enough for all but one thing that I have tried to run on the machine, which I will cover in more detail in the software section of this document below. There is no CD drive in the machine, but I used one for the install and then removed it after installation was complete. The compact flash is rather slow compared to a hard drive and only gets about 5MB/sec with buffered disk reads, even after hdparm optimisations have been performed, but I do not require fast disk speed on this machine, just decent memory speed (for caching) and reliable, standardised hardware.

Installing Gentoo was easy enough and no special steps were required to get the IDE-Compact Flash adaptor working. The partition scheme was fairly complex though and here is the output of "df -h" to show you how I got the disk space required for the install:

Filesystem            Size  Used Avail Use% Mounted on
/dev/hda2             944M  871M   74M  93% /
/dev/hdc1             5.8G  691M  5.1G  12% /var/log
/dev/hdc3             3.9G  509M  3.4G  13% /usr/portage
/dev/hdc5             2.9G   69M  2.8G   3% /home
/dev/hdc6             2.0G   81M  1.9G   5% /tmp
/dev/hdc7              49G   14G   36G  27% /cache
/dev/hdc8             216G   99G  118G  46% /data

The primary requirement in partitioning was that the machine would still boot if the hard drive failed. I had to make some symlinks from /var/portage and /var/tmp away from the compact flash (/dev/hda2) to keep space available for using portage. /dev/hda1 is /boot in case you were wondering.

Software

Now for the fun stuff, installing all the software required to show off a Linux gateway instead of some crappy hardware router. Obviously iptables is required for the firewall and IP masquerading, but I won't go into detail here as that is covered in much more detail and with much more accuracy elsewhere.

The only software that I tried to run which failed due to the low CPU power was ZoneMinder, the Linux motion-detection camera management software which I use to monitor my home when I am away on holiday. This software runs on my (more powerful) file server instead.

Caching Software

The main bonus of a PC instead of a hardware router is the level of caching that can be performed due to disk space and RAM. I installed a transparent Squid proxy to make HTTP faster for the users of my network. I basically followed the document at The LDP for this. I then installed NNTPCache, which allows caching of NNTP data, and therefore I can run a daemon to request NNTP data, removing the wait for me when I download new newsgroup listings each day. The software is not perfect and sends mails back when it fails, so I put nntpcache.org and nntpcache.com in my /etc/hosts pointing at 127.0.0.1 to stop this. NNTPCache requires careful configuration too (RTFM). I use port forwarding in iptables to force all NNTP requests to be routed through NNTPCache.
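The redirect rules described above, as an added shell example that is not part of the original report or of the Squid/NNTPCache projects. The interface name eth1, the LAN range 192.168.1.0/24, Squid on port 3128 and NNTPCache on port 8119 are assumptions (the report gives none of them). The rules are printed rather than executed so they can be reviewed before being piped into sh as root. Two details a practitioner will want: the rules sit in PREROUTING, which only sees packets arriving from the LAN, so the caches' own outbound fetches (which leave via OUTPUT) are never redirected back into them; and destinations inside the LAN are exempted first, otherwise the cache would answer on behalf of any internal web or news server.

```shell
#!/bin/sh
# Added example (not from the original report): emit the iptables NAT rules
# that transparently push LAN web and news traffic into the local caches.
# Assumed names: eth1 = LAN interface, 192.168.1.0/24 = LAN, squid on 3128,
# nntpcache on 8119. Output is printed, not applied.

# Print the redirect rules for (lan_if, lan_net, squid_port, nntp_port).
transparent_cache_rules() {
    lan_if=$1; lan_net=$2; squid_port=$3; nntp_port=$4
    # Traffic to hosts on the LAN itself (e.g. the gateway's own Apache) must
    # not be redirected, or the cache would answer for internal servers.
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -j RETURN\n' "$lan_if" "$lan_net"
    # HTTP from the LAN goes to Squid's transparent port. PREROUTING only
    # matches packets arriving on an interface, so Squid's own upstream
    # fetches (which traverse OUTPUT) cannot loop back into Squid.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-port %s\n' "$lan_if" "$squid_port"
    # NNTP from the LAN goes to NNTPCache for the same reason.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 119 -j REDIRECT --to-port %s\n' "$lan_if" "$nntp_port"
}

# /etc/hosts lines that sinkhole the names NNTPCache mails reports to.
sinkhole_hosts_lines() {
    for h in "$@"; do printf '127.0.0.1 %s\n' "$h"; done
}

# Return 0 only if every name given is already mapped to 127.0.0.1 in the
# hosts file $1 (dots in the name are escaped so "." is not a wildcard).
check_sinkholed() {
    hosts_file=$1; shift
    for h in "$@"; do
        pat=$(printf '%s' "$h" | sed 's/\./\\./g')
        grep -Eq "^[[:space:]]*127\.0\.0\.1[[:space:]]+(.*[[:space:]])?$pat([[:space:]]|$)" "$hosts_file" || return 1
    done
    return 0
}

# Run directly with "show" to review the rules before applying them:
#   sh cache-redirect.sh show | sh      (as root, once reviewed)
if [ "${1:-}" = "show" ]; then
    transparent_cache_rules eth1 192.168.1.0/24 3128 8119
    check_sinkholed /etc/hosts nntpcache.org nntpcache.com \
        || echo "# /etc/hosts does not yet sinkhole nntpcache.org/.com" >&2
fi
```

The RETURN rule must stay first; iptables evaluates the NAT chain top down and the first terminating target wins, so appending the exemption after the REDIRECT rules would make it dead code.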

Security

Obviously only installing things that are required is a must. I use the hardened Gentoo kernel for extra security and only run software facing internally (so no open ports to the outside world except for SSH, and that is restricted to not allow any remote root logins, just regular users who can then use sudo). I should really get around to running more things in a chroot jail as well, just in case. I keep careful time on the server so logs are accurate and use ntpdate to set the clock to atomic time once per day (I recommend pool.ntp.org for a great free time server, though I use the time server from my ISP).
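Two checks for the policy described above, as an added shell example that is not part of the original report or of the OpenSSH project. The WAN interface name eth0 and the config path /etc/ssh/sshd_config are assumptions. The first function reproduces a detail that is easy to get wrong when auditing sshd_config: sshd honours the first occurrence of a keyword, not the last, and anything below a Match line applies only to the matching sessions, so a "PermitRootLogin no" pasted at the bottom of a file that already says "yes" higher up does nothing. The second prints the INPUT rules that leave SSH as the only externally reachable port.

```shell
#!/bin/sh
# Added example (not from the original report): verify that sshd_config
# really disallows remote root logins, and print the WAN-side INPUT rules.
# Assumed names: eth0 = WAN interface, /etc/ssh/sshd_config = config path.

# Print the effective value of keyword $2 in sshd_config $1.
# Mirrors sshd's parsing: first occurrence wins, keywords are
# case-insensitive, "key = value" is accepted, and the global section ends
# at the first Match line. Prints nothing if the keyword is absent.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*(#|$)/ { next }                 # comments, blank lines
        /^[[:space:]]*[Mm][Aa][Tt][Cc][Hh][[:space:]]/ { exit }   # end of global section
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            sub(/[[:space:]]*=[[:space:]]*/, " ", line)
            split(line, f, /[[:space:]]+/)
            if (tolower(f[1]) == key) { print f[2]; exit }
        }' "$1"
}

# Return 0 only if PermitRootLogin is explicitly "no" in file $1.
# An absent keyword falls back to the sshd default (which has never been
# "no"), and "prohibit-password"/"without-password" still admit root with a
# key, so neither counts as disabled under the report's policy.
root_login_disabled() {
    v=$(sshd_effective "$1" PermitRootLogin | tr '[:upper:]' '[:lower:]')
    [ "$v" = "no" ]
}

# Print INPUT rules for the WAN interface $1: replies to our own traffic,
# then SSH on port ${2:-22}, then drop. Internal-only services (Squid,
# NNTPCache, Apache, snmpd) are thereby unreachable from outside.
wan_input_rules() {
    wan_if=$1; ssh_port=${2:-22}
    printf 'iptables -A INPUT -i %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$wan_if"
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$wan_if" "$ssh_port"
    printf 'iptables -A INPUT -i %s -j DROP\n' "$wan_if"
}

# Run directly with "audit [sshd_config]" to check the live config and
# print the rules for review.
if [ "${1:-}" = "audit" ]; then
    cfg=${2:-/etc/ssh/sshd_config}
    if root_login_disabled "$cfg"; then
        echo "$cfg: PermitRootLogin is no"
    else
        echo "WARNING: $cfg does not disable root logins" >&2
    fi
    wan_input_rules eth0
fi
```

The DROP rule is appended last so it acts as the default for the WAN interface; with a LAN-facing interface the same script should not be applied, since the caches and reporting services are meant to answer there.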

Reporting

I run a few reporting programs. Cacti allows reporting via SNMP across my whole network and gives me some pretty diagrams showing bandwidth usage, processes, etc. I use (and love) awstats in static mode from cron to parse the logs for this website. I also use sarg for Squid cache reporting, but I do not like it much and intend to replace it at some point. All of these reports are read through Apache, which runs on the firewall but is locked down and limited to the internal network only, and is password protected on top of that.

Other Software

I sometimes use my own script, newsbinripper, to download vast amounts of Usenet overnight and store it on the spare hard drive, but now that I have 10MB/sec broadband I have reduced need for this ability, as I can get most things when I want them instead of having to wait.

Conclusion

In closing, I am quite satisfied with my machine. If I was doing it all over again, I would have got a 2GB compact flash instead of 1GB, and would have investigated silent 1U PSUs for the case. The rest of the system is really good and does everything I want it to. I have not yet tried to implement traffic shaping, but now that I have Vonage I might do so at some point in the future. I might opt for a USB NIC so that I can have a locked-down second internal network which I can put wireless on, as I do not want to run wireless plugged directly in to my main network for security reasons.
