Gentoo Wiki





This HOWTO intends to describe how to configure a clean Gentoo box as a home gateway & firewall. While a few additional features are described, this is not intended to be an in-depth explanation of Internet security.

The Gentoo Install

Firstly, follow the Gentoo Handbook installation instructions.


Disable X, as it shouldn't be needed on a firewall; it is a security hazard.

File: /etc/make.conf
  USE="-kde -gnome -X"

In the kernel configuration, the following networking and netfilter options can be left disabled:

# Networking options
# CONFIG_IP_PNP is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
# CONFIG_ARPD is not set
# CONFIG_INET_ECN is not set

#   IP: Netfilter Configuration
# CONFIG_IP_NF_AMANDA is not set
# CONFIG_IP_NF_TFTP is not set
# CONFIG_IP_NF_QUEUE is not set

Please use this only as a guideline. It fits my configuration perfectly; but if you know what you're doing, remove or add features as you desire.

For more information, read Kernel.


Another requirement is that your gentoo server has proper access to both your local intranet and the Internet. As this is basically covered within the gentoo-installation (eg ), I will not write too much about it.

Network Scenario

The scenario which is to be configured in this HOWTO looks like this:

 __________       _____________      ______________      __________
|          |     |             |    |              |    |          |
| internet |=====| cable modem |===(R) gentoo box (G)===| intranet |
|__________|     |_____________|    |______________|    |__________|

Interface R (red): eth0
Interface G (green): eth1

The server gets its IP ( on the external network interface eth0 via DHCP from the cable modem. The other interface, eth1, has a static IP ( and is linked to your intranet. To achieve this, edit /etc/conf.d/net with your favourite editor and change it to this:

File: /etc/conf.d/net
 config_eth1=" netmask"

Please comment out any other lines (by putting a # at the start of each line). Then add the network devices to the startup sequence:

cd /etc/init.d
ln -sf net.eth0 net.eth1
rc-update add net.eth0 default
rc-update add net.eth1 default
# activate dhcpcd now
dhcpcd eth0

If everything worked out, you should now see something like this when calling ifconfig:

nexus linux # ifconfig
 eth0      Link encap:Ethernet  HWaddr 00:C5:2C:D5:F5:48
           inet addr:  Bcast:  Mask:
           RX packets:2628042 errors:0 dropped:0 overruns:0 frame:0
           TX packets:1014124 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:100
           RX bytes:510846263 (487.1 Mb)  TX bytes:510083552 (486.4 Mb)
           Interrupt:11 Base address:0x6c00
 eth1      Link encap:Ethernet  HWaddr 00:F0:7C:D3:B7:98
           inet addr:  Bcast:  Mask:
           RX packets:853111 errors:0 dropped:0 overruns:0 frame:0
           TX packets:748590 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:100
           RX bytes:500603484 (477.4 Mb)  TX bytes:231023059 (220.3 Mb)
           Interrupt:10 Base address:0x8800
 lo        Link encap:Local Loopback
           inet addr:  Mask:
           UP LOOPBACK RUNNING  MTU:16436  Metric:1
           RX packets:549 errors:0 dropped:0 overruns:0 frame:0
           TX packets:549 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:43074 (42.0 Kb)  TX bytes:43074 (42.0 Kb)

Congratulations! Now that we are sure the basic network is functioning, let's get down to business. First of all:


OK, this is now very important: if your server is up 24/7 as intended, there will be lots of intrusion attempts. In times of W32.Blaster-like worms and trojans, I really don't need to explain why a firewall is useful. Only a basic firewall will be set up here; please feel encouraged to modify the iptables rules as desired to best fit your needs. Masquerading simply means allowing computers of your intranet to connect to others on the Internet (more or less directly). This is not needed for just browsing the web, as we previously configured squid to do so, but many applications (like FTP clients, instant messengers, email clients or file-sharing tools) need a direct connection. Just to refresh your memory, this is the network scenario we are talking about:

 __________       _____________      ______________      __________
|          |     |             |    |              |    |          |
| internet |=====| cable modem |===(R) gentoo box (G)===| intranet |
|__________|     |_____________|    |______________|    |__________|

Interface R (red): eth0
Interface G (green): eth1

At the moment, everyone within your intranet (192.168.0.*) can easily browse the Internet. But the web is more than just WWW. So if, let's say, (I'll call him foo) wants to establish an FTP connection to, this won't work because

What is IP Masquerading?

IP Masquerading is a form of network address translation that many routers already support. The idea behind this implementation is that people running Linux can install the IP masquerading features being developed for Linux and get the features of the high priced routers and NAT boxes without paying the high prices.

IP masquerading lets you use a single Internet-connected computer running Linux with a real IP address as a gateway for non-connected machines with "fake" IP addresses. The Linux box with a real address handles mapping packets from your intranet out to the Internet, and when responses come back, it maps them back to your intranet.

Add the following rules (this is just masquerading): (part of this I took from thanks very much to John Tapsell, Thomas Spellman and Matthias Grimm for letting me 8))

# iptables -F; iptables -t nat -F; iptables -t mangle -F
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
# iptables -A INPUT -p icmp -j ACCEPT
# iptables -P INPUT DROP
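The rules above gathered into a script, as an added example that is not code from the original page: the interfaces become variables, a dry-run mode prints each iptables call instead of executing it, and, going beyond the page's rule set, a FORWARD policy is added so the box only relays connections that the intranet opened. The interface names follow the red/green scenario above; the helper name run and the apply/dry-run verbs are assumptions of this example. It uses the extrapositioned spelling ! -i eth0, which current iptables accepts in place of the page's -i ! eth0.

```shell
#!/bin/sh
# Added example (not from the original page): the masquerading rules above
# as a script. Interface names follow the page's red/green scenario; the
# helper names and the apply/dry-run verbs are assumptions of this example.
set -eu

WAN=${WAN:-eth0}        # red interface, cable modem side
LAN=${LAN:-eth1}        # green interface, intranet side
IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-0}   # DRY_RUN=1: print each iptables call instead of running it

# run: execute one iptables invocation, or print it in dry-run mode
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# apply_rules: flush everything, then load the masquerade and INPUT rules
# from the page plus a FORWARD policy that goes beyond them
apply_rules() {
    run -F
    run -t nat -F
    run -t mangle -F

    # NAT: rewrite the source of everything leaving through the WAN side
    run -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    # INPUT: replies to our own traffic, new connections from anywhere but
    # the WAN side, and ICMP are accepted; the policy drops the rest
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -m state --state NEW ! -i "$WAN" -j ACCEPT
    run -A INPUT -p icmp -j ACCEPT
    run -P INPUT DROP

    # FORWARD (not in the page's rules): the intranet may open connections
    # towards the Internet, the Internet may only answer existing ones
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -i "$LAN" -o "$WAN" -m state --state NEW -j ACCEPT
    run -P FORWARD DROP
}

# enable_forwarding: the same kernel switch the page flips with echo
enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Run with "apply" (as root) or "dry-run"; with no verb only the functions
# are defined, so the file can be sourced.
case "${1:-}" in
    apply)   enable_forwarding; apply_rules ;;
    dry-run) DRY_RUN=1; enable_forwarding; apply_rules ;;
    *)       ;;
esac
```

Run sh fw.sh dry-run first to read the eleven commands it would issue, then sh fw.sh apply as root; the flush at the start means re-running it is safe. Once you are happy with the result, /etc/init.d/iptables save (described in the next section) persists the loaded rules.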

Running Your Firewall/Masquerade Rules "The Gentoo Way"

As of iptables-1.2.9 (the one I have used here), the iptables ebuild installs some nice initscripts for starting the firewall during the boot sequence, in the same way as other daemons like dhcpd, ftpd and apache.

The configuration file for this initscript is /etc/conf.d/iptables. Here is what the config should look like.

File: /etc/conf.d/iptables
# /etc/conf.d/iptables

# Location in which iptables initscript will save set rules on
# service shutdown

# Options to pass to iptables-save and iptables-restore

# Save state on stopping iptables

# Change to "yes" to enable forwarding support in the kernel.  Please
# note that this will override any setting placed in /etc/sysctl.conf.

You should change the ENABLE_FORWARDING_IPv4 variable to "yes". This will perform the echo 1 > /proc/sys/net/ipv4/ip_forward for you. The IPTABLES_SAVE variable is where the daemon expects to find the firewall rules to activate when it starts up.

To save your configuration:

# /etc/init.d/iptables save

Then start it up:

# /etc/init.d/iptables start

Use this command to add iptables to your boot sequence:

# rc-update add iptables default

Now everything should be working and set up to start automatically on boot, too.

You can find more documentation at the following places: HOWTO Iptables for newbies

Recommended Packages

If you run your Gentoo box without a screen and keyboard attached, I strongly recommend installing OpenSSH; that way you can access your router while it's running in your closet.


See OpenSSH. Note: the default SSH config is OK to start with. Start it and load it automatically at boot with:

  1. /etc/init.d/sshd start
  2. rc-update add sshd default


Now comes something as comfortable as having your own domain: DHCP. You may ask, what is it good for if I have a DHCP server running just to tell my 2-3 computers their IP addresses? Well, if you sometimes change your infrastructure, i.e. a few friends come around with their notebooks or of course case-modded big machines to play some relaxing 1st-person shoot-em-ups for hours, it's much more comfortable to have their IP addresses, network ranges, gateways and DNS resolvers assigned automatically. And well, configuration is really quite easy!

You have to choose between ISC DHCPd and dnsmasq. The dnsmasq package is an alternative to using the more common dhcpd daemon. It does everything dhcpd can, with the added coolness factor of being a local DNS server! Now you can avoid that premature aging and hair loss that comes with BIND if you would like a small DNS server for your LAN.


# emerge net-misc/dhcp

These are the only settings needed in /etc/dhcp/dhcpd.conf (copy the sample file first):

File: /etc/dhcp/dhcpd.conf
default-lease-time 3600;
max-lease-time 7200;
log-facility local7;
ddns-update-style ad-hoc;

subnet netmask {

        option subnet-mask;
        option netbios-name-servers;
        option broadcast-address;
        option routers;
        option domain-name-servers;

        host VeroMars {
                hardware ethernet 00:50:8D:6C:AA:BB;
        }
}

The section beginning with host VeroMars just makes sure that the machine with the MAC address 00:50:8D:6C:AA:BB always gets the same IP address. Be sure that this specially assigned IP is not in the range of the dynamically assigned IP addresses (else, I have been told, hell breaks loose!).

Before we start the dhcp daemon, we need to change the interface on which dhcp will listen for dhcp requests. Open /etc/conf.d/dhcp and change IFACE="eth0" to IFACE="eth1". Save and quit your favourite editor.

OK, now we just have to start the DHCP daemon, and then change all your client PCs' settings to retrieve IP addresses and nameservers via DHCP (so that the DHCP server makes some sense).

# rc-update add dhcp default
# /etc/init.d/dhcp start


One small caveat here - the machine that you install dnsmasq on should have a fully functional /etc/resolv.conf file containing valid "upstream" DNS servers.

To install dnsmasq, simply emerge the package:

emerge dnsmasq

dnsmasq has a wealth of options, but we'll just concentrate on duplicating the functionality of dhcpd and setting up a small DNS server. Open the /etc/dnsmasq.conf file in your chosen text editor, and look for this section:

File: /etc/dnsmasq.conf
# Uncomment this to enable the integrated DHCP server, you need
# to supply the range of addresses available for lease and optionally
# a lease time. If you have more than one network, you will need to
# repeat this for each network on which you want to supply DHCP
# service.

Note that I have uncommented the line beginning dhcp-range=... This is the line that does the dynamic IP magic and is much simpler than dhcpd! Just change the range of IP addresses to suit your purposes.

We also want to be able to serve up specific IP addresses to certain machines, depending on their MAC addresses. Scroll down to find this block:

# Always allocate the host with ethernet address 11:22:33:44:55:66
# The IP address

Once again, I've uncommented the line beginning dhcp-host=... You can repeat this line as many times as you want, with the appropriate MAC/IP address combination.

You may want to set the interface that dnsmasq will listen on, especially if you have direct access to the WAN subnet. Here I set it to only serve clients on the subnet connected to eth1.

# If you want dnsmasq to listen for requests only on specified interfaces
# (and the loopback) give the name of the interface (eg eth0) here.
# Repeat the line for more than one interface.
interface=eth1

Optional packages

You don't need these packages to reproduce a simple router, but they add features or enhance the security of your network and/or the router. Remember that every extra service creates potential leaks. Only typical router services are described in depth. Others (like Apache2) are mentioned and linked to the correct wiki page where you can continue.


Squid is an advanced proxy: it enables you to restrict and filter web pages, and it also caches them.

Squid is easily configured; don't be scared by the 110 kB squid.conf-sample, most of it is very easily understood comments. Here is what I had to change from squid.conf.sample (my whole config is here; try grep -e "^[^#]" /etc/squid/squid.conf to see only your changes from the default values):

icp_port 0
cache_mem 20 MB

cache_dir ufs /usr/tmp/squid 256 16 256
# change this path to somewhere you have enough diskspace

acl all src
acl manager proto cache_object
acl allowed_hosts src

#http_access allow purge localhost
#http_access deny purge

#http_access deny !Safe_ports
#http_access deny CONNECT !SSL_ports

acl our_networks src
http_access allow our_networks

icp_access allow allowed_hosts
icp_access deny all

miss_access allow allowed_hosts
miss_access deny all

To use squid as a transparent proxy, also add the following:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

With this squid.conf, your proxy can only be accessed from your intranet with a storage of 256 MB for its temporary files.

Then we have to let Squid create its directories, add it to startup and run it.

# squid -z
# rc-update add squid default
# /etc/init.d/squid start

That's it. The last step which is to be done to allow your clients to browse the web is to set their browsers to use the proxy.

Apache 2

See Apache2


See ProFTPd

Configuring dynamic dns

As not everyone is gifted with an excellent memory for numbers, as it doesn't make any sense to remember dynamic IP addresses or tell them to every friend of yours, and first of all since it's easy to configure and free, go to and register a dynamic domain name.

You'll now want to set up ddclient to update your dynamic domain name.

Note: If you are using an ADSL modem with pppd, you should move /etc/ddclient/sample-etc_ppp_ip-up.local to /etc/ppp/ip-up.local. This way, pppd will launch ddclient (with the options given in /etc/ddclient/ddclient.conf) at each (re)connection.

And if you use nsswitch.ldap like me be sure to have this line

protocols: files ldap


Since it's easier to remember names than numbers, a lot of people set up an internal DNS server. That way they can create aliases for their intranet.


First off, BIND is a high-tech DNS server. It's not easy to configure and will probably create a few headaches. Start by emerging bind.

emerge bind bind-tools

Bind-tools is a package which gives you dig, nslookup and host. Let's edit the main configuration file of bind, found at /etc/bind/named.conf.

File: /etc/bind/named.conf
options {
        directory "/var/bind";

        listen-on-v6 { none; };
        listen-on {
        };
        allow-query {
        };
        forwarders {
        };
        pid-file "/var/run/named/";
};

zone "." IN {
        type hint;
        file "";
};

zone "localhost" IN {
        type master;
        file "pri/";
        allow-update { none; };
        notify no;
};

zone "" IN {
        type master;
        file "pri/";
        allow-update { none; };
        notify no;
};

zone "mars.lan" IN {
        type master;
        file "pri/";
        allow-update { none; };
        notify no;
};

zone "" IN {
        type master;
        file "pri/";
        allow-update { none; };
        notify no;
};

This configuration file needs a little explanation. listen-on and allow-query define on which IP address BIND listens and from which IP addresses it accepts DNS queries. forwarders defines where DNS requests are sent when BIND doesn't have an answer; change them to your ISP's DNS servers. The ones in the example are from Telenet (Belgium). The zone statement 'mars.lan' defines a zone 'mars.lan'. The configuration file for that zone is found in /var/bind/pri/ The reverse DNS zone file is called It's placed in /var/bind/pri as well.

File: /var/bind/pri/
$TTL 86400
@               IN SOA  boxname.mars.lan.       dnsadmin.mars.lan. (   ; the contact mailbox is written with a dot, not @
                2005101003      ;serial
                10800           ;refresh
                7200            ;retry
                36000000        ;expire
                86400)          ;default minimum ttl
                IN NS   boxname.mars.lan.

smoothwall      IN A  
anlaug          IN A  
printserver     IN A  
3com4300        IN A  
h4x0r           IN A  

areabitchslap   IN A  

ntp             IN CNAME        anlaug
proxy           IN CNAME        anlaug
sw              IN CNAME        smoothwall
it              IN CNAME        anlaug
ps              IN CNAME        printserver
3com            IN CNAME        3com4300
switch          IN CNAME        3com4300

abs             IN CNAME        areabitchslap
www             IN CNAME        areabitchslap

A bit of explanation: this config file says that smoothwall.mars.lan is equal to 192.168.0.10, while sw.mars.lan is an alias for the same IP address.

File: /var/bind/pri/
$TTL 86400
@               IN SOA  boxname.mars.lan.       dnsadmin.mars.lan. (   ; same SOA as the forward zone
                2005101003      ;serial
                10800           ;refresh
                7200            ;retry
                36000000        ;expire
                86400)          ;default minimum ttl
                IN NS   boxname.mars.lan.

10              IN PTR  smoothwall.mars.lan.
11              IN PTR  anlaug.mars.lan.
30              IN PTR  3com4300.mars.lan.
20              IN PTR  printserver.mars.lan.
50              IN PTR  h4x0r.mars.lan.
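The forward and reverse zones have to agree with each other, and nothing in BIND checks that for you. As an added example, not code from the page, the script below lists every A record of a forward zone and every PTR record of its /24 reverse zone and reports the names that appear on only one side. The two sample zone files are constructed to resemble the mars.lan files above (h4x0r is deliberately left without a PTR and 3com4300 without an A record); the function names, the 192.168.0 prefix and the addresses are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original page): cross-check the A records of a
# forward zone against the PTR records of its reverse zone. The sample zone
# files are constructed to resemble the mars.lan files above; hosts,
# addresses and function names are assumptions of this example.

# forward_hosts ZONEFILE: print "name address" for every A record
forward_hosts() {
    awk '$2 == "IN" && $3 == "A" { print $1, $4 }' "$1"
}

# reverse_hosts ZONEFILE PREFIX ORIGIN: print "name address" for every PTR
# record of a /24 zone, rebuilding the address from PREFIX and the last octet
# and stripping ".ORIGIN." from the target so names match the forward zone
reverse_hosts() {
    awk -v p="$2" -v o="$3" '
        $2 == "IN" && $3 == "PTR" {
            name = $4
            sub("\\." o "\\.$", "", name)
            print name, p "." $1
        }' "$1"
}

# check_zones FWD REV PREFIX ORIGIN: list mismatches in both directions;
# true only when every A record has its PTR and every PTR has its A record
check_zones() {
    f=$(mktemp); r=$(mktemp)
    forward_hosts "$1" | sort > "$f"
    reverse_hosts "$2" "$3" "$4" | sort > "$r"
    missing_ptr=$(comm -23 "$f" "$r")   # only in the forward zone
    missing_a=$(comm -13 "$f" "$r")     # only in the reverse zone
    rm -f "$f" "$r"
    if [ -n "$missing_ptr" ]; then
        echo "A records without PTR:"; echo "$missing_ptr"
    fi
    if [ -n "$missing_a" ]; then
        echo "PTR records without A:"; echo "$missing_a"
    fi
    if [ -z "$missing_ptr" ] && [ -z "$missing_a" ]; then return 0; else return 1; fi
}

# write_sample_forward FILE / write_sample_reverse FILE: constructed zones;
# h4x0r has no PTR and 3com4300 has no A record, so the check must fail
write_sample_forward() {
    cat > "$1" <<'EOF'
$TTL 86400
@               IN SOA  boxname.mars.lan. dnsadmin.mars.lan. (
                2005101003 10800 7200 36000000 86400 )
                IN NS   boxname.mars.lan.
boxname         IN A    192.168.0.1
smoothwall      IN A    192.168.0.10
anlaug          IN A    192.168.0.11
printserver     IN A    192.168.0.20
h4x0r           IN A    192.168.0.50
sw              IN CNAME smoothwall
EOF
}

write_sample_reverse() {
    cat > "$1" <<'EOF'
$TTL 86400
@               IN SOA  boxname.mars.lan. dnsadmin.mars.lan. (
                2005101003 10800 7200 36000000 86400 )
                IN NS   boxname.mars.lan.
1               IN PTR  boxname.mars.lan.
10              IN PTR  smoothwall.mars.lan.
11              IN PTR  anlaug.mars.lan.
20              IN PTR  printserver.mars.lan.
30              IN PTR  3com4300.mars.lan.
EOF
}

# With two zone files as arguments check those; otherwise run on the samples
if [ $# -eq 2 ]; then
    check_zones "$1" "$2" "${PREFIX:-192.168.0}" "${ORIGIN:-mars.lan}"
else
    fwd=$(mktemp); rev=$(mktemp)
    write_sample_forward "$fwd"; write_sample_reverse "$rev"
    check_zones "$fwd" "$rev" 192.168.0 mars.lan || echo "zones disagree"
    rm -f "$fwd" "$rev"
fi
```

CNAME records are ignored on purpose, since only A records get a PTR. For your own files run sh check_zones.sh /var/bind/pri/FORWARD /var/bind/pri/REVERSE with PREFIX and ORIGIN set to your network and zone name; a clean run exits 0, so the same command fits into the daily cron jobs described further down.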

Adjust the files to suit your needs and save them. Now we're going to add BIND to the default system start and launch it for the first time.

# rc-update add named default
# /etc/init.d/named start


Static /etc/hosts File

If the machine running dnsmasq has a nice, full /etc/hosts file, other machines on your LAN will be able to look up each other without maintaining their own hosts file - a nice centralization.

Here's my own hosts file on my dnsmasq box:

File: /etc/hosts
localhost
tux.homenetwork tux
idontcare.homenetwork idontcare
goblin.homenetwork goblin
gateway.homenetwork gateway
ultra.homenetwork ultra
sparc20.homenetwork sparc20

Now I can be logged into tux, and ping ultra and dnsmasq will dig out the right IP address!

Dynamic via the -l Option

Since you have dnsmasq working as a DHCP server, why not use the hostnames your clients pass as part of their DHCP requests?

1. Alter /etc/dnsmasq.conf to ensure that we know where the leases file will be

File: /etc/dnsmasq.conf
# The DHCP server needs somewhere on disk to keep its lease database.
# This defaults to a sane location, but if you want to change it, use
# the line below.

2. Alter /etc/conf.d/dnsmasq

File: /etc/conf.d/dnsmasq
DNSMASQ_OPTS="-l /var/lib/misc/dnsmasq.leases"

The '-l' option tells dnsmasq to look to the leases file for hostnames. So now you don't have to worry about maintaining a static hosts file.

Starting dnsmasq

Finally, you can start dnsmasq and add it to your boot sequence with:

# /etc/init.d/dnsmasq start
# rc-update add dnsmasq default

Core Software

Depending on how you install Gentoo you may have some outdated packages after the install. Before you proceed, you should do emerge sync and emerge -NuavD world to make sure your system is up to date.

Software Manifest


So we don't re-emerge software and to make sure everything is updated: emerge -uav rcs snort aide rrdtool ntop iptables logsentry ntp openssh squid.


sSMTP must be compiled with the mailwrapper USE flag for some things to work. To do that, type echo "mail-mta/ssmtp mailwrapper" >> /etc/portage/package.use before emerging.

  1. cd /etc/ssmtp
  2. mkdir RCS
  3. ci -l ssmtp.conf
  4. $EDITOR ssmtp.conf
  5. update /etc/ssmtp/revaliases
  6. update /etc/passwd
  7. Send a test mail: echo "Is this working?"

Change root's name from 'root' to whatever you like. This will then go into the From field and look better in your e-mails.

File: /etc/passwd
  root:x:0:0:Benjamin Sisko:/root:/bin/bash

To configure sSMTP you can use the ssmtp-config command. Run it and answer the questions posed.

or update 'mailhub', 'hostname' and 'rewriteDomain' in

File: /etc/ssmtp/ssmtp.conf
    # /etc/ssmtp.conf -- a config file for sSMTP sendmail.
    # The person who gets all mail for userids < 10
    # The place where the mail goes. The actual machine name is required
    # no MX records are consulted. Commonly mailhosts are named
    # The example will fit if you are in and you mailhub is so named.
    # Where will the mail seem to come from?
    # The full hostname
    # Set this to never rewrite the "From:" line (unless not given) and to
    # use that address in the "from line" of the envelope.

If 'rewriteDomain=bar.baz' is uncommented, ssmtp always rewrites the 'From' envelope and the 'From:' line so that the domain name is set to bar.baz.

File: /etc/ssmtp/revaliases
    # sSMTP aliases
    # Format: local_account:outgoing_address:mailhub
    # Example: root:your_login@your.domain:mailhub.your.domain:[port]
    # where [port] is an optional port number that defaults to 25.

If the option 'FromLineOverride' is set to YES, ssmtp uses the same 'From' in the mail envelope as you have written into the 'From:' line of your mail.

In case you send mail through another server than the one providing your e-mail address, it is not likely that your mails come through unless the envelope from presents you as a valid user at the server. That is, you need the From: and From_ lines to differ. (For example, if the cygwin user cygwinuser wishes to send a mail with the From: line reading a.user@some.domain through the mail server, he probably needs the envelope from to be user@bar.baz.) You can do this by editing the revaliases file.


  1. cd /etc/cron.hourly
  2. mkdir RCS
  3. ci -l
    • Give an explanation: logsentry hourly run, cron job.
  4. $EDITOR
    • remove the '#' from the line

Please note that this is for vixie-cron.


  1. cd /etc/aide/
  2. mkdir RCS
  3. ci -l aide.conf
  4. $EDITOR aide.conf
  5. /usr/bin/aide -i
    • This takes about 10 minutes.
  6. mv aide.db
  7. /usr/bin/aide -C
  8. cd /etc/cron.daily
  9. mkdir RCS
  10. $EDITOR aide.cron

File: /etc/aide/aide.conf
# AIDE 0.10
# Base configuration taken from the Gentoo security handbook.

# $Id: aide.conf,v 1.3 2005/09/02 04:40:17 root Exp root $

#p:     permissions
#i:     inode
#n:     number of links
#u:     user
#g:     group
#s:     size
#b:     block count
#m:     mtime
#a:     atime
#c:     ctime
#S:     check for growing size
#md5:   md5 checksum
#sha1:  sha1 checksum
#rmd160:     rmd160 checksum
#tiger:     tiger checksum
#R:     p+i+n+u+g+s+m+c+md5
#L:     p+i+n+u+g
#E:     Empty group
#>:     Growing logfile p+u+g+i+n+S
#The following are available if you have mhash support enabled.
#haval:         haval checksum
#gost:          gost checksum
#crc32:         crc32 checksum

# define the Top directory.
@@ifndef TOPDIR
@@define TOPDIR /
@@endif

# define where aide specific stuff is stored.
@@ifndef AIDEDIR
@@define AIDEDIR /etc/aide
@@endif

# Not used here.
@@ifhost smbserv
@@define smbactive
@@endif

# The location of the database to be read.

# The location of the database to be written.

# Don't know what the verbosity level means.

# Where to send the output.

# warn about dead symlinks.

# Rule definition

# Do include everything.

@@{TOPDIR} Norm
# Don't barf about the new db file. Perhaps this should be removed
#  once the system is stable?
# directories not to include.
# This one might be interesting once we have a stable box.
# the rrd db is continuously being updated.

# I'm not sure if this is a good idea but I get lots of errors in that dir.

# NTP writes to this.

# I don't know what this does, since we are starting at / this should be included.
=@@{TOPDIR}home Norm

File: /etc/cron.daily/aide.cron
#!/bin/sh
# $Id:$
# script concept from /etc/logcheck/
# Shouldn't need to touch these...
DATE=$(date +%m/%d/%y:%H.%M)

# Set the flag variables
# (defaults assumed here: override them in the environment if your mailer
# or admin address differs)
MAIL=${MAIL:-mail}
SYSADMIN=${SYSADMIN:-root}
HOSTNAME=${HOSTNAME:-$(hostname)}

szOutPut=$(/usr/bin/aide --update)

# here must be some grep stuff to identify the state of security.
echo "$szOutPut" | $MAIL -s "$HOSTNAME $DATE file system check" "$SYSADMIN"

# remove the new db if it is identical except for the date generated.
If your aide.conf is syntactically incorrect, aide will segfault. So use RCS to keep tabs on the changes.


  1. cd /etc/conf.d
  2. mkdir RCS
  3. ci -l -m "Configuration file for ntop." ntop
  4. $EDITOR /etc/conf.d/ntop
    • add: NTOP_OPTS="--http-server 3000 --https-server 0 --interface eth0,eth1"
  5. /usr/bin/ntop --http-server 3000 --https-server 0 --interface eth0,eth1
    • both NICs have to be configured for ntop to run.
  6. Enter password: Please enter the password for the admin user:
  7. /etc/init.d/ntop start
  8. rc-update add ntop default




Extras for LAN with Many Gentoo Boxes

Local RSYNC Mirror

If you have a few gentoo boxes in your LAN, you can be a good netizen and set up a local RSYNC mirror. This means that only one box needs to go out to one of the main RSYNC mirrors, and the rest can use this local mirror. The syncing for the internal clients will then happen at LAN speeds!

Check out: HOWTO Local Rsync Mirror.

Share /usr/portage with NFS

When security is not a big issue in your LAN, you should share your /usr/portage directory via NFS. That way you only need to emerge --sync on 1 box and share the portage tree with all your machines. Distfiles are also only downloaded once (since /usr/portage/distfiles is shared, too).

See Shared Portage via NFS

DistCC compile farm

With many computers on the LAN doing nothing most of the time, why not set up a distcc compile farm and set portage to use all the computers in its compiles?

See The official gentoo distcc guide

Last modified: Mon, 22 Sep 2008 03:21:00 +0000 Hits: 5,330