Building a Windows firewall/gateway
How to create a dual-homed router/firewall using Windows 2000.
In a previous How To we looked at how you set up Linux as a basic gateway with some simple firewall rules. In this article, we'll describe how you achieve something similar using Windows 2000.
The first requirement is for a PC with a pair of Ethernet cards for which Windows 2000 drivers are available. One of our "staple" lab machines is a Pentium-III with 512MB RAM, a 20GB hard disk and two network adaptors one NetGear, one SMC (the adaptors don't have to be identical). Next, you need a copy of Windows 2000 Server; we used the standard release, which has everything you need.
When installing Windows, there are two things to remember. First is to ensure that the Routing and Remote Access feature is chosen, should you decide to do a custom install instead of going with the defaults. Second, ensure that instead of allowing the network adaptors to obtain their addresses automatically, allocate their addresses by hand either in the installation process or after installation, via the Network and Dial-up Connections control panel. Here's how to do it.
Let's assume we want to run our Windows PC as the gateway between two networks 192.168.1.x and 192.168.2.x. The 192.168.1.x network has a connection to the Internet via a DSL router, whose address is 192.168.1.1. The 192.168.2.x network will route through the 192.168.1.x network to get to the Internet.
On our test machine, the SMC NIC is the 192.168.1.x world, so we'll tell it the following:
The NetGear NIC drives the 192.168.2.x world, and we tell it:
All the machines in the 192.168.2.x world should be told that their default gateway is 192.168.2.220 this way, they'll send anything destined for somewhere outside the subnet to our new router.
Routing and remote access
Once the addresses are set up correctly, we tell the machine to become a router. In the Start menu, select Programs->Administrative Tools->Routing and Remote Access. The RRAS window opens, and it should notice that there's just one server, flagged as "local". Setting up routing is dead easy, as there's a handy wizard that does everything for us, so right-click on the server icon and select "Configure and Enable Routing and Remote Access".
The first question asks us what type of device we're setting up. We're going for the last option but one, "Network router". Hit Next, and it'll tell us that the only protocol it knows about is TCP/IP; we could add others, but we only care about TCP/IP, so we can safely hit Next. Now we're asked whether we want to use dial-on-demand networking (i.e. modem or ISDN) to connect to remote networks; as we're building an Ethernet router, we leave the default "No" selected, and hit Next. On the final screen, hit "Finish" and the job's done it fires up the routing service and we're ready to go.
The WAN router
Actually, we're not quite ready to go, as there's one more thing we need to do namely tell the existing WAN router that the 192.168.2.x network exists, as it doesn't know already. Although routers use information protocols such as RIP and OSPF to exchange this kind of information automatically, you generally find that these features aren't turned on with most devices, so the simplest way to go is to add an entry to the Static Routes screen on your router. Give it an entry for network 192.168.2.0, netmask 255.255.255.0, gateway 192.168.1.220, and now you really are ready to go.
You can test the router by running up a client on the 192.168.2.x network and attempting to ping something in the 192.168.1.x network. If you get a response, everything's OK; if you don't, you probably typed an address in wrongly somewhere in the setup process, so go back to the Network and Dial-up Connections control panel and double-check everything.
Like Linux, Windows includes some basic packet filtering that you can use as a basic firewall function. You enable filtering by double-clicking on an interface in the RRAS configuration screen and clicking the "Input Filters" button. As we did with our Linux machine, you can now define permissions based on IP address and port number. So if we wanted to allow "ping" traffic, we'd define a rule as follows:
An "allow HTTP" rule would be:
Note that it's normal to select the "Drop all packets except those that meet the criteria below" button a "deny by default" policy. This means that anything we don't specifically define will be dropped by the router.
As with the Linux installation we looked before, packet filtering gives only the most rudimentary firewalling capabilities. But it's a start, and if you need to go further, that's what third-party firewall software is for.