===========================================
Installation of IPTables-firewall on Debian
===========================================

:author: Dave Kuhlman
:address: dkuhlman@rexx.com
          http://www.rexx.com/~dkuhlman
:revision: 1.0a
:date: Feb. 10, 2004
:copyright: Copyright (c) 2004 Dave Kuhlman.  This documentation
    is covered by The MIT License:
    http://www.opensource.org/licenses/mit-license.
:abstract: This document provides instructions on how to install
    Arno's IPtables-firewall on a Debian GNU/Linux system.

.. sectnum::
    :depth: 4

.. contents::
    :depth: 4


Introduction
============

Arno's IPtables-firewall script provides an easy to install and
effective way to protect a Linux machine connected to the Internet.
It also supports NAT (network address translation) and IP
Masquerading, so that you can connect machines on your sub-net to the
Internet through a single connection.

I use support for PPPoE from RoaringPenguin.  If you use something
else, then you will need to modify the start-up/boot script.  See the
note below.

You can learn more about IPtables-firewall at:
http://rocky.molphys.leidenuniv.nl/.


How to Do It
============

1. Download and unpack IPTables-firewall.

2. Copy the configuration file to someplace in your ``/etc/``
   directory.  Note that if you place it somewhere *other* than in
   ``/etc/`` itself, you will need to modify the line in
   ``rc.iptables`` that refers to it.

3. Edit the configuration file at ``/etc/iptables-firewall.conf``.
   There are comments in that file to guide you in making the needed
   changes.  You can find additional help at
   http://rocky.molphys.leidenuniv.nl/.  Click on "IPtables-firewall"
   and then "Help/Installation".

4. Copy ``rc.iptables`` to directory ``/etc/init.d/``.

5. Put the following script in file ``/etc/init.d/inetconnection``.
   Note that since I use RoaringPenguin support for PPPoE, I've also
   included the lines containing ``adsl-start`` and ``adsl-stop``.
   If you use other support for PPPoE or connect in a different way,
   you will want to modify these lines::

      #! /bin/sh
      #
      # File to start an internet connection, a firewall (using
      # Arno's IPtables-firewall), and a router.
      #
      PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
      NAME=inetconnection
      DESC="internet connection"
      # Must match where you put the configuration file in step 2
      # (and the path that rc.iptables reads it from).
      CONFIG=/etc/iptables-firewall.conf

      set -e

      # Check for the config file first.  Exiting 0 keeps the boot
      # from failing, but the machine then comes up with NO
      # firewall, so say so on stderr rather than staying silent.
      if [ ! -r "$CONFIG" ]; then
          echo "$NAME: $CONFIG not found; firewall NOT started" >&2
          exit 0
      fi

      case "$1" in
        start)
          echo -n "Starting $DESC: "
          # Load the firewall rules before bringing the link up, so
          # the interface is never exposed without filtering.
          /etc/init.d/rc.iptables start > /dev/null 2>&1
          adsl-start > /dev/null 2>&1
          echo "$NAME."
          ;;
        stop)
          echo -n "Stopping $DESC: "
          # Take the link down before removing the rules.
          adsl-stop > /dev/null 2>&1
          /etc/init.d/rc.iptables stop > /dev/null 2>&1
          echo "$NAME."
          ;;
        restart|force-reload)
          #
          # If the "reload" option is implemented, move the "force-reload"
          # option to the "reload" entry above.  If not, "force-reload" is
          # just the same as "restart".
          #
          echo -n "Restarting $DESC: "
          adsl-stop > /dev/null 2>&1
          /etc/init.d/rc.iptables restart > /dev/null 2>&1
          adsl-start > /dev/null 2>&1
          echo "$NAME."
          ;;
        *)
          N=/etc/init.d/$NAME
          # echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2
          echo "Usage: $N {start|stop|restart|force-reload}" >&2
          exit 1
          ;;
      esac

      exit 0

6. Start (or stop or restart) your firewall -- Executing the following
   (as root) from the command line should now start, stop, and restart
   your firewall::

      $ /etc/init.d/inetconnection start
      $ /etc/init.d/inetconnection stop
      $ /etc/init.d/inetconnection restart

7. Automatic start-up -- Configure your system so that the firewall
   automatically starts when you boot your machine.  To do so, create
   symbolic links in each of ``rc0.d`` ... ``rc6.d`` to the script
   ``/etc/init.d/inetconnection``.  You can use the script
   ``update-rc.d``, which is delivered with your Debian system, to do
   this.  For more information about these links and how they are used
   during the boot process, see section `2.4 The Debian boot process`_
   of the `Debian Reference Chapter 2 - Debian fundamentals`_.

.. _`2.4 The Debian boot process`: http://www.pdxlinux.org/doc/Debian/reference/ch-system.en.html#s-boot

.. _`Debian Reference Chapter 2 - Debian fundamentals`: http://www.pdxlinux.org/doc/Debian/reference/ch-system.en.html


See Also
========

`IPtables-firewall`_: At Arno's Projects.

.. _`IPtables-firewall`: http://rocky.molphys.leidenuniv.nl/

`PPPoE - Roaring Penguin`_: rp-pppoe from Roaring Penguin

.. _`PPPoE - Roaring Penguin`: http://roaringpenguin.com/products/rp-pppoe/index.php
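The run-level links that step 7 leaves to ``update-rc.d`` are easy to get wrong, and a missing start link means the machine boots with no firewall and no error message.  The following shell script is an added example, not part of the original document or of Arno's IPtables-firewall: it creates the seven links the way ``update-rc.d inetconnection defaults`` would (sequence number 20, start links in run-levels 2-5, kill links in 0, 1 and 6) and then audits them.  The ``ROOT`` prefix argument and the function names are this example's own, so it can be exercised on a staged directory tree rather than the live ``/etc``.

```shell
#!/bin/sh
# Added example, not part of the original document: wire the
# inetconnection script into the SysV run-levels (what
# "update-rc.d inetconnection defaults" does) and verify the result.
# ROOT is a prefix so the functions can be run against a staged tree
# instead of the live /etc; NAME and SEQ default to the document's
# script name and update-rc.d's default sequence number, 20.

# Link name that "update-rc.d NAME defaults" creates in rc<level>.d:
# K (kill) links for run-levels 0, 1 and 6, S (start) links for 2-5.
rc_link_name() {
    lvl=$1 svc=$2 sq=$3
    case "$lvl" in
        0|1|6) printf 'K%s%s' "$sq" "$svc" ;;
        *)     printf 'S%s%s' "$sq" "$svc" ;;
    esac
}

# Create the seven symlinks, mirroring "update-rc.d NAME defaults".
install_rc_links() {
    root=${1:-} name=${2:-inetconnection} seq=${3:-20}
    for level in 0 1 2 3 4 5 6; do
        dir="$root/etc/rc$level.d"
        mkdir -p "$dir"
        ln -sf "../init.d/$name" "$dir/$(rc_link_name "$level" "$name" "$seq")"
    done
}

# Return 0 if the init script is executable and every run-level has a
# link of the expected type pointing at it, 1 otherwise.  A missing S
# link means the machine boots with no firewall; a missing K link
# means the firewall is not torn down cleanly at shutdown.
check_rc_links() {
    root=${1:-} name=${2:-inetconnection} seq=${3:-20}
    status=0
    script="$root/etc/init.d/$name"
    if [ ! -x "$script" ]; then
        echo "missing or non-executable: $script" >&2
        status=1
    fi
    for level in 0 1 2 3 4 5 6; do
        link="$root/etc/rc$level.d/$(rc_link_name "$level" "$name" "$seq")"
        if [ ! -L "$link" ]; then
            echo "missing: $link" >&2
            status=1
        elif [ "$(readlink "$link")" != "../init.d/$name" ]; then
            echo "wrong target: $link -> $(readlink "$link")" >&2
            status=1
        fi
    done
    return $status
}
```

On a real system, ``check_rc_links`` with no arguments audits ``/etc`` directly (it only reads links, so root is not needed); a non-zero exit and a line on stderr name the missing or mis-targeted link.  ``install_rc_links`` is shown so the expected layout is explicit, but on a live Debian box prefer the distribution's own ``update-rc.d inetconnection defaults``.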