/[gentoo]/xml/htdocs/doc/en/home-router-howto.xml

Revision 1.1
Thu Jul 22 05:53:40 2004 UTC (10 years, 3 months ago) by vapier
Branch: MAIN
File MIME type: application/xml
initial draft

<?xml version='1.0' encoding='UTF-8'?>
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/qmail-howto.xml,v 1.26 2004/06/25 22:28:55 vapier Exp $ -->
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">

<guide link="/doc/en/home-router-howto.xml">

<title>Home Router Guide</title>

<author title="Author">
<mail link="vapier@gentoo.org">Mike Frysinger</mail>
</author>

<abstract>
This document details how to turn an old Gentoo machine into a router
for connecting your home network to the internet.
</abstract>

<version>1.1</version>
<date>July 21, 2004</date>

<chapter>
<title>Introduction</title>
<section>
<body>

<p>
Building your own router out of old spare parts has many advantages
over buying a pre-made, canned router from, say, Linksys. The biggest one by
far is control over the connection. The other advantages are left up to
your imagination; just about anything can be done in this scenario,
it's just a matter of needing it.
</p>

<p>
This guide will show you how to set up Network Address Translation (NAT)
on the router (kernel and iptables), add and configure common services
(DNS via dnsmasq, dhcp via dhcpcd, ADSL via rp-pppoe), and conclude
with more elaborate and fun things that can be done (mail caching, port
forwarding, traffic shaping, http/ftp hosting).
</p>

<p>
Before getting started, there are a few basic requirements you must meet.
First, you'll need a computer that has at least 2 Network Interface
Cards (NICs) in it. Next, you'll need the configuration settings for
your internet connection (which may include things like
IP/DNS/gateway/username/password). Finally, you'll need a bit of spare
time and some Gentoo loving.
</p>

<p>
The conventions used in this guide are:
</p>
<ul>
<li>eth0 - NIC connected to the Local Area Network (LAN)</li>
<li>eth1 - NIC connected to the Wide Area Network (WAN)</li>
<li>LAN utilizes the private 192.168.0.xxx network</li>
<li>router is hardcoded to the standard 192.168.0.1 IP</li>
</ul>

<impo>
As a security precaution, I would highly suggest you shut down any
unneeded services on the router until we have a chance to get the
firewall up and rolling. To view the currently running services, just
run <c>rc-status</c>.
</impo>

</body>
</section>
</chapter>

<chapter>
<title>Kernel setup (know thyself first)</title>
<section>
<body>

<p>
Your kernel needs to have the drivers running for both your NICs. To
see if your cards are already set up, just run <c>ifconfig</c>. Your
output may differ slightly from the following; that's fine. What
matters is that the interfaces show up at all.
</p>
<pre caption="Checking NICs">
# <i>ifconfig -a</i>
eth0      Link encap:Ethernet  HWaddr 00:60:F5:07:07:B8
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:11 Base address:0x9800

eth1      Link encap:Ethernet  HWaddr 00:60:F5:07:07:B9
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:10 Base address:0x9400
</pre>
<p>
If you do not see your two cards showing up and you're not sure what
kind of cards you have, try running <c>lspci</c>. You can get that from
<c>emerge sys-apps/pciutils</c>. Look for "Ethernet controller" in the
output. Once you have this information, go into your kernel and add
support for the correct drivers.
</p>

<p>
The next thing you'll need is support for iptables and NAT (and packet
shaping if you want). The following list is split up into required
(*), suggested (x), and shaper (s) features. It does not matter whether
you build the features into the kernel or as modules, so long as the
correct module(s) are loaded when the feature is needed (module loading
is left to the reader as a fun exercise, however).
</p>
<pre caption="Network Options">
<i>Networking options ---&gt;</i>
<i>  [*] TCP/IP networking</i>
<i>  [*] IP: advanced router</i>
<i>  [*] Network packet filtering (replaces ipchains)</i>

<i>  IP: Netfilter Configuration ---&gt;</i>
<i>    [*] Connection tracking (required for masq/NAT)</i>
<i>    [x] FTP protocol support</i>
<i>    [x] IRC protocol support</i>
<i>    [*] IP tables support (required for filtering/masq/NAT)</i>
<i>    [*] IP range match support</i>
<i>    [x] MAC address match support</i>
<i>    [*] Multiple port match support</i>
<i>    [*] Packet filtering</i>
<i>    [*] REJECT target support</i>
<i>    [x] REDIRECT target support</i>
<i>    [*] Full NAT</i>
<i>    [*] MASQUERADE target support</i>
<i>    [s] Packet mangling</i>
<i>    [s] MARK target support</i>
<i>    [x] LOG target support</i>

<i>  QoS and/or fair queueing ---&gt;</i>
<i>    [s] QoS and/or fair queueing</i>
<i>    [s] HTB packet scheduler</i>
<i>    [s] Ingress Qdisc</i>
</pre>
<note>
Some things may be slightly different in a 2.4 vs 2.6 kernel, but you
should be able to figure it out :). 2.2 + ipchains is not covered here.
</note>

</body>
</section>
</chapter>

<chapter>
<title>Hug the WAN (a.k.a. The Internet)</title>

<section>
<title>Intro</title>
<body>
<p>
There are many ways to connect to the internet, so I'll just cover the
ones I'm familiar with. That leaves us with ADSL (PPPoE) and cable
modems (static/dynamic). If there are other methods out there, feel
free to write up a little blurb and e-mail me. Feel free to skip any of
the following sections in this chapter that don't apply to you. This
chapter is just about getting the router connected to the internet via
eth1.
</p>
</body>
</section>

<section>
<title>ADSL and PPPoE</title>
<body>

<p>
All the fancy PPPoE software has been bundled up into one nice little
package nowadays called <uri link="http://www.roaringpenguin.com/">Roaring Penguin</uri>.
Simply <c>emerge rp-pppoe</c> and you'll be on your way. Remember how
I said you'll need username/password information? Well, I wasn't lying,
so I hope you have it now! Load up <path>/etc/ppp/pppoe.conf</path> in
your favorite editor and set it up.
</p>

<pre caption="Setting up eth1">
<comment>(Replace 'vla9h924' with your username and 'password' with your password)</comment>

# <i>nano /etc/ppp/pppoe.conf</i>
<comment># Ethernet card connected to ADSL modem
ETH=eth1
# ADSL user name.
USER=vla9h924</comment>
# <i>nano /etc/ppp/pap-secrets</i>
<comment># client server secret
"vla9h924" * "password"</comment>
# <i>nano /etc/conf.d/net</i>
<comment>Add an entry for ifconfig_eth1 and set it to adsl:
ifconfig_eth1=( "adsl" )</comment>
# <i>ln -s net.eth0 /etc/init.d/net.eth1</i>
# <i>rc-update add net.eth1 default</i>
# <i>/etc/init.d/net.eth1 start</i>
</pre>

<p>
You should be all set to go now.
</p>

</body>
</section>

<section>
<title>Cable and/or dynamic/static IP</title>
<body>

<p>
If you have a static IP then you will need a few more details than if
you have a dynamic IP. For static users, you will need your IP,
gateway, and DNS servers.
</p>

<pre caption="Setting up eth1">
<comment>Dynamic IP Users:</comment>
# <i>emerge dhcpcd</i>
# <i>nano /etc/conf.d/net</i>
<comment>You'll need an entry like so:
ifconfig_eth1=( "dhcp" )</comment>

<comment>Static IP Users:</comment>
# <i>nano /etc/conf.d/net</i>
<comment>You'll need entries like so:
ifconfig_eth1=( "66.92.78.102 broadcast 66.92.78.255 netmask 255.255.255.0" )
routes_eth1=( "default gw 66.92.78.1" )</comment>
# <i>nano /etc/resolv.conf</i>
<comment>Add one line per DNS server:
nameserver 123.123.123.123</comment>

<comment>Dynamic and Static Setup:</comment>
# <i>ln -s net.eth0 /etc/init.d/net.eth1</i>
# <i>rc-update add net.eth1 default</i>
# <i>/etc/init.d/net.eth1 start</i>
</pre>

<p>
You should be all set to go now.
</p>

</body>
</section>
</chapter>

<chapter>
<title>Hug the LAN (bring along some friends)</title>
<section>
<body>

<p>
This step is a breeze compared to the previous one.
</p>

<pre caption="Setting up eth0">
# <i>nano /etc/conf.d/net</i>
<comment>Add a line like the following:
ifconfig_eth0=( "192.168.0.1 broadcast 192.168.0.255 netmask 255.255.255.0" )</comment>
# <i>rc-update add net.eth0 default</i>
# <i>/etc/init.d/net.eth0 start</i>
</pre>

</body>
</section>
</chapter>

<chapter>
<title>LAN Services (because we're nice people)</title>

<section>
<title>DHCP Server</title>
<body>
<p>
I bet it'd be nice if everyone else in your house could just plug
their computers into the network and things would just work. No need to
remember mind-numbing details or make them stare at confusing
configuration screens! Life would be grand, eh? Introducing the Dynamic
Host Configuration Protocol (DHCP) and why you should care.
</p>

<pre caption="Setting up dhcpd">
# <i>emerge dhcp</i>
# <i>nano /etc/dhcp/dhcpd.conf</i>
<comment>Here is a sample configuration file:
authoritative;
subnet 192.168.0.0 netmask 255.255.255.0 {
	range 192.168.0.100 192.168.0.250;
	default-lease-time 259200;
	max-lease-time 518400;
	option subnet-mask 255.255.255.0;
	option broadcast-address 192.168.0.255;
	option routers 192.168.0.1;
	option domain-name-servers 192.168.0.1;
}
</comment>
# <i>nano /etc/conf.d/dhcp</i>
<comment>Set IFACE="eth0"</comment>
# <i>rc-update add dhcp default</i>
# <i>/etc/init.d/dhcp start</i>
</pre>

<p>
Now your little router is a bona-fide DHCP server! Plug in those
computers and watch them work! With Windows systems you should go into
the TCP/IP Properties and select the 'Obtain an IP address
automatically' and 'Obtain DNS server address automatically' options.
Sometimes the changes aren't instantaneous, so you may have to open a
command prompt and run <c>ipconfig /release</c> and <c>ipconfig
/renew</c>. But enough about Windows, let's get back to our favorite
penguin.
</p>
</body>
</section>

<section>
<title>DNS Server</title>
<body>

<p>
You may have noticed in the previous section that we told the DHCP
clients we have a DNS server at 192.168.0.1. You may also remember that
192.168.0.1 is our little router that we're making. I don't remember
setting up a DNS server ... so let's do so now!
</p>

<pre caption="Setting up dnsmasq">
# <i>emerge dnsmasq</i>
# <i>nano /etc/conf.d/dnsmasq</i>
<comment>Add "-i eth0" to DNSMASQ_OPTS so dnsmasq only listens on the LAN interface</comment>
# <i>rc-update add dnsmasq default</i>
# <i>/etc/init.d/dnsmasq start</i>
</pre>

<p>
Well, that was quick, but what did we do? The great thing is, we didn't
have to do very much! You're welcome to choose other DNS servers if
you're more comfortable with them, but the reason dnsmasq is great is
that it was designed to do exactly what we want it for. It's a
little DNS caching/forwarding server for local networks. We're not
looking to provide our own full DNS server here, just offer simple DNS
services to everyone else on our LAN.
</p>

</body>
</section>

<section>
<title>NAT</title>
<body>

<p>
At this point, people on your network can talk to each other and they
can look up hostnames via DNS, but they still can't actually connect to
the internet. While you may think that's great (more bandwidth for
you!), I bet they're not too happy just yet.
</p>

<pre caption="Setting up iptables">
<comment>First we flush our current rules</comment>
# <i>iptables -F</i>
# <i>iptables -t nat -F</i>

<comment>Then we lock our services so they only work from the LAN</comment>
# <i>iptables -I INPUT 1 -i eth0 -j ACCEPT</i>
# <i>iptables -I INPUT 1 -i lo -j ACCEPT</i>
# <i>iptables -A INPUT -p UDP --dport bootps -i ! eth0 -j REJECT</i>
# <i>iptables -A INPUT -p UDP --dport domain -i ! eth0 -j REJECT</i>

<comment>Drop TCP / UDP packets to privileged ports</comment>
# <i>iptables -A INPUT -p TCP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP</i>
# <i>iptables -A INPUT -p UDP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP</i>

<comment>Finally we add the rules for NAT (the first rule stops LAN-to-LAN traffic from being routed through the router)</comment>
# <i>iptables -I FORWARD -i eth0 -d 192.168.0.0/255.255.0.0 -j DROP</i>
# <i>iptables -A FORWARD -s 192.168.0.0/255.255.0.0 -j ACCEPT</i>
# <i>iptables -A FORWARD -d 192.168.0.0/255.255.0.0 -j ACCEPT</i>
# <i>iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE</i>
<comment>Tell the kernel that IP forwarding is OK, and turn on reverse-path filtering on every interface</comment>
# <i>echo 1 > /proc/sys/net/ipv4/ip_forward</i>
# <i>for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done</i>

<comment>This is so when we boot we don't have to run the rules by hand</comment>
# <i>/etc/init.d/iptables save</i>
# <i>rc-update add iptables default</i>
</pre>
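<p>
To see how the rules above actually combine, here is an added Python model (not part of this guide) that walks the INPUT and FORWARD chains with iptables' first-match semantics and the default ACCEPT policy the guide leaves in place. It assumes the first FORWARD rule reads "-i eth0 -d 192.168.0.0/255.255.0.0 -j DROP" (LAN-to-LAN traffic is not routed), and all packets are constructed samples.
</p>

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/16")   # 192.168.0.0/255.255.0.0 in the guide

def rule(target, in_if=None, not_in_if=None, proto=None, dports=None, src_lan=None, dst_lan=None):
    # One iptables rule reduced to the match fields this guide uses.
    return dict(target=target, in_if=in_if, not_in_if=not_in_if, proto=proto,
                dports=dports, src_lan=src_lan, dst_lan=dst_lan)

def matches(r, pkt):
    if r["in_if"] and pkt["in_if"] != r["in_if"]:
        return False
    if r["not_in_if"] and pkt["in_if"] == r["not_in_if"]:          # "-i ! eth0"
        return False
    if r["proto"] and pkt["proto"] != r["proto"]:
        return False
    if r["dports"] and not r["dports"][0] <= pkt["dport"] <= r["dports"][1]:
        return False
    for key in ("src", "dst"):                                       # -s / -d 192.168.0.0/16
        want = r[key + "_lan"]
        if want is not None and (ipaddress.ip_address(pkt[key]) in LAN) != want:
            return False
    return True

def verdict(chain, pkt, policy="ACCEPT"):
    # First matching rule wins; the chain policy applies when nothing matches.
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return policy

# INPUT as it ends up after the guide's commands: each "-I INPUT 1" lands at
# the top (lo was inserted last, so it is first); the "-A" rules follow in order.
INPUT = [
    rule("ACCEPT", in_if="lo"),
    rule("ACCEPT", in_if="eth0"),
    rule("REJECT", proto="udp", dports=(67, 67), not_in_if="eth0"),   # bootps
    rule("REJECT", proto="udp", dports=(53, 53), not_in_if="eth0"),   # domain
    rule("DROP", proto="tcp", dports=(0, 1023), not_in_if="eth0"),
    rule("DROP", proto="udp", dports=(0, 1023), not_in_if="eth0"),
]
FORWARD = [
    rule("DROP", in_if="eth0", dst_lan=True),   # LAN-to-LAN traffic is not routed
    rule("ACCEPT", src_lan=True),               # LAN hosts heading out
    rule("ACCEPT", dst_lan=True),               # replies coming back in after de-NAT
]

def pkt(in_if, proto, dport, src, dst):
    # Constructed sample packet carrying only the fields the rules look at.
    return dict(in_if=in_if, proto=proto, dport=dport, src=src, dst=dst)
```

A WAN packet to an unprivileged port (for example tcp/8080 arriving on eth1) matches no INPUT rule and falls through to the chain's ACCEPT policy, which is exactly why the introduction tells you to keep unneeded services on the router switched off.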

<p>
Once you've typed out all of that, the rest of your network should now
be able to use the internet as if they were directly connected
themselves.
</p>

<p>
Believe it or not, you're done :). The only thing left involves adding
extra services to make your life (or the lives of your users) easier.
</p>

</body>
</section>

</chapter>

</guide>
