Revision 1.19
Fri Aug 13 15:14:03 2004 UTC by vapier
Branch: MAIN
Changes since 1.18: +2 -1 lines
File MIME type: application/xml
add missing dns style line for dhcp ... thanks to Jonas Wagner

<?xml version='1.0' encoding='UTF-8'?>
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/home-router-howto.xml,v 1.18 2004/08/12 23:16:19 vapier Exp $ -->
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">

<guide link="/doc/en/home-router-howto.xml">

<title>Home Router Guide</title>

<author title="Author">
<mail link="vapier@gentoo.org">Mike Frysinger</mail>
</author>

<abstract>
This document details how to turn an old Gentoo machine into a router
for connecting your home network to the internet.
</abstract>

<version>1.1</version>
<date>July 21, 2004</date>

<chapter>
<title>Introduction</title>
<section>
<body>

<p>
Building your own router out of old spare parts has many advantages
over buying a pre-made router from a vendor such as Linksys. The biggest
one by far is control over the connection. The other advantages are left
up to your imagination; just about anything can be done in this scenario,
it is just a matter of needing it.
</p>

<p>
This guide will show you how to set up Network Address Translation (NAT)
on the router (kernel and iptables), add and configure common services
(Domain Name System (DNS) via dnsmasq, DHCP via dhcpcd, ADSL via
rp-pppoe), and conclude with more elaborate and fun things that can be
done (port forwarding, traffic shaping, proxies/caching, etc.).
</p>

<p>
Before getting started, there are a few basic requirements you must meet.
First, you'll need a computer that has at least 2 Network Interface
Cards (NICs) in it. Next, you'll need the configuration settings for
your internet connection (these may include things like
IP/DNS/Gateway/username/password). Finally, you'll need a bit of spare
time and some Gentoo loving.
</p>

<p>
The conventions used in this guide are:
</p>
<ul>
<li>eth0 - NIC connected to the Local Area Network (LAN)</li>
<li>eth1 - NIC connected to the Wide Area Network (WAN)</li>
<li>LAN utilizes the private 192.168.0.xxx network</li>
<li>router is hardcoded to the standard 192.168.0.1 IP</li>
<li>router is running Linux 2.4 or 2.6; you're on your own with 2.0/2.2</li>
</ul>

<impo>
As a security precaution, I would highly suggest you shut down any
unneeded services on the router until we have a chance to get the
firewall up and rolling. To view the currently running services, just
run <c>rc-status</c>.
</impo>

</body>
</section>
</chapter>
72    
<chapter>
<title>Kernel setup (know thyself first)</title>
<section>
<body>

<p>
Your kernel needs to have the drivers running for both your NICs. To
see if your cards are already set up, just run <c>ifconfig</c>. Your
output may differ slightly from the following; that's fine. What
matters is that the interface shows up at all.
</p>
<pre caption="Checking NICs">
# <i>ifconfig -a</i>
eth0      Link encap:Ethernet  HWaddr 00:60:F5:07:07:B8
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:11 Base address:0x9800

eth1      Link encap:Ethernet  HWaddr 00:60:F5:07:07:B9
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:10 Base address:0x9400
</pre>
<p>
If you do not see your two cards showing up and you're not sure what
kind of cards you have, try running <c>lspci</c>. You can get that from
<c>emerge pciutils</c>. Look for "Ethernet controller" in the output.
Once you have this information, go into your kernel and add support for
the correct drivers.
</p>

<p>
The next thing you'll need is support for iptables and NAT (and packet
shaping if you want). The following list is split up into required
(*), suggested (x), and shaper (s) features. It does not matter whether
you build the features into the kernel or as modules, as long as the
correct module(s) are loaded when the feature is needed (module loading
is left to the reader as a fun exercise, however).
</p>
<pre caption="Network Options">
<i>Networking options ---&gt;</i>
<i>  [*] TCP/IP networking</i>
<i>  [*] IP: advanced router</i>
<i>  [*] Network packet filtering (replaces ipchains)</i>

<i>  IP: Netfilter Configuration ---&gt;</i>
<i>    [*] Connection tracking (required for masq/NAT)</i>
<i>    [x] FTP protocol support</i>
<i>    [x] IRC protocol support</i>
<i>    [*] IP tables support (required for filtering/masq/NAT)</i>
<i>    [*] IP range match support</i>
<i>    [x] MAC address match support</i>
<i>    [*] Multiple port match support</i>
<i>    [*] Packet filtering</i>
<i>    [*] REJECT target support</i>
<i>    [x] REDIRECT target support</i>
<i>    [*] Full NAT</i>
<i>    [*] MASQUERADE target support</i>
<i>    [s] Packet mangling</i>
<i>    [s] MARK target support</i>
<i>    [x] LOG target support</i>

<i>  QoS and/or fair queueing ---&gt;</i>
<i>    [s] QoS and/or fair queueing</i>
<i>    [s] HTB packet scheduler</i>
<i>    [s] Ingress Qdisc</i>
</pre>
<note>
Some things may be slightly different in a 2.4 vs 2.6 kernel, but you
should be able to figure it out :).
</note>

</body>
</section>
</chapter>
154    
<chapter>
<title>Hug the WAN (a.k.a. The Internet)</title>

<section>
<title>Intro</title>
<body>
<p>
There are many ways to connect to the internet, so I'll just cover the
ones I'm familiar with. That leaves us with ADSL (PPPoE) and cable
modems (static/dynamic). If there are other methods out there, feel
free to write up a little blurb and e-mail me. Feel free to skip any of
the following sections in this chapter that don't apply to you. This
chapter is just about getting the router connected to the internet via
eth1.
</p>
</body>
</section>

<section>
<title>ADSL and PPPoE</title>
<body>

<p>
All the fancy PPPoE software has been bundled up into one nice little
package nowadays called <uri link="http://www.roaringpenguin.com/">Roaring Penguin</uri>.
Simply <c>emerge rp-pppoe</c> and you'll be on your way. Remember how
I said you'll need username/password information? Well, I wasn't lying,
so I hope you have it now! Load up <path>/etc/ppp/pppoe.conf</path> in
your favorite editor and set it up.
</p>

<note>
In order for the following net.eth1 settings to work, you must have
baselayout-1.10.1 or later installed on your system.
</note>

<pre caption="Setting up eth1">
<comment>(Replace 'vla9h924' with your username and 'password' with your password)</comment>

# <i>nano /etc/ppp/pppoe.conf</i>
<comment># Ethernet card connected to ADSL modem
ETH=eth1
# ADSL user name.
USER=vla9h924</comment>
# <i>nano /etc/ppp/pap-secrets</i>
<comment># client server secret
"vla9h924" * "password"</comment>
# <i>nano /etc/conf.d/net</i>
<comment>Add an entry for ifconfig_eth1 and set it to adsl:
ifconfig_eth1=( "adsl" )</comment>
# <i>ln -s net.eth0 /etc/init.d/net.eth1</i>
# <i>rc-update add net.eth1 default</i>
# <i>/etc/init.d/net.eth1 start</i>
</pre>

<warn>
When the DSL interface comes up, it will create ppp0. Although your NIC
is called eth1, the IP is actually bound to ppp0. From now on, when you
see examples that utilize 'eth1', substitute with 'ppp0'.
</warn>

</body>
</section>

<section>
<title>Cable and/or dynamic/static IP</title>
<body>

<p>
If you have a static IP then you will need a few more details than if
you have a dynamic IP. For static users, you will need your IP,
gateway, and DNS servers.
</p>

<pre caption="Setting up eth1">
<comment>Dynamic IP Users:</comment>
# <i>emerge dhcpcd</i>
# <i>nano /etc/conf.d/net</i>
<comment>You'll need an entry like so:
ifconfig_eth1=( "dhcp" )</comment>

<comment>Static IP Users:</comment>
# <i>nano /etc/conf.d/net</i>
<comment>You'll need entries like so:
ifconfig_eth1=( "66.92.78.102 broadcast 66.92.78.255 netmask 255.255.255.0" )
routes_eth1=( "default gw 66.92.78.1" )</comment>
# <i>nano /etc/resolv.conf</i>
<comment>Add one line per DNS server:
nameserver 123.123.123.123</comment>

<comment>Dynamic and Static Setup:</comment>
# <i>ln -s net.eth0 /etc/init.d/net.eth1</i>
# <i>rc-update add net.eth1 default</i>
# <i>/etc/init.d/net.eth1 start</i>
</pre>

<p>
You should be all set to go now.
</p>

</body>
</section>
</chapter>
258    
<chapter>
<title>Hug the LAN (bring along some friends)</title>
<section>
<body>

<p>
This step is a breeze compared to the previous one.
</p>

<pre caption="Setting up eth0">
# <i>nano /etc/conf.d/net</i>
<comment>Add a line like the following:
ifconfig_eth0=( "192.168.0.1 broadcast 192.168.0.255 netmask 255.255.255.0" )</comment>
# <i>rc-update add net.eth0 default</i>
# <i>/etc/init.d/net.eth0 start</i>
</pre>

</body>
</section>
</chapter>
279    
<chapter>
<title>LAN Services (because we're nice people)</title>

<section>
<title>DHCP Server</title>
<body>
<p>
I bet it'd be nice if everyone else in your house could just plug
their computers into the network and things would just work. No need to
remember mind-numbing details or make them stare at confusing
configuration screens! Life would be grand, eh? Introducing the Dynamic
Host Configuration Protocol (DHCP) and why you should care.
</p>

<p>
DHCP is exactly what its name implies. It's a protocol that allows you
to dynamically configure other hosts automatically. You run a DHCP
server on the router (dhcpd), give it all the information about your
network (valid IPs, DNS servers, gateways, etc.), and then when the
other hosts start up, they run a DHCP client to automatically configure
themselves. No fuss, no muss! For more information about DHCP, you can
always visit <uri link="http://en.wikipedia.org/wiki/DHCP">Wikipedia</uri>.
</p>

<pre caption="Setting up dhcpd">
# <i>emerge dhcp</i>
# <i>nano /etc/dhcp/dhcpd.conf</i>
<comment>Here is a sample configuration file:
authoritative;
ddns-update-style ad-hoc;
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.100 192.168.0.250;
  default-lease-time 259200;
  max-lease-time 518400;
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.0.255;
  option routers 192.168.0.1;
  option domain-name-servers 192.168.0.1;
}
</comment>
# <i>nano /etc/conf.d/dhcp</i>
<comment>Set IFACE="eth0"</comment>
# <i>rc-update add dhcp default</i>
# <i>/etc/init.d/dhcp start</i>
</pre>

<p>
Now your little router is a bona-fide DHCP server! Plug in those
computers and watch them work! With Windows systems you should go into
the TCP/IP Properties and select the 'Obtain an IP address
automatically' and 'Obtain DNS server address automatically' options.
Sometimes the changes aren't instantaneous, so you may have to open a
command prompt and run <c>ipconfig /release</c> and <c>ipconfig
/renew</c>. But enough about Windows, let's get back to our favorite
penguin.
</p>
</body>
</section>

<section>
<title>DNS Server</title>
<body>
<p>
When people want to visit a place on the internet, they remember names,
not a string of useless numbers. After all, what's easier to remember,
ebay.com or 66.135.192.87? This is where the DNS steps in. DNS servers
run all over the internet, and whenever someone wants to visit 'ebay.com',
these servers turn 'ebay.com' (what we understand) into '66.135.192.87'
(what our computers understand). For more information about DNS, you can
always visit <uri link="http://en.wikipedia.org/wiki/DNS">Wikipedia</uri>.
</p>

<p>
You may have noticed in the previous section that we told the DHCP
clients we have a DNS server at 192.168.0.1. You may also remember that
192.168.0.1 is our little router that we're making. I don't remember
setting up a DNS server ... so let's do so now!
</p>

<pre caption="Setting up dnsmasq">
# <i>emerge dnsmasq</i>
# <i>nano /etc/conf.d/dnsmasq</i>
<comment>Add "-i eth0" to DNSMASQ_OPTS</comment>
# <i>rc-update add dnsmasq default</i>
# <i>/etc/init.d/dnsmasq start</i>
</pre>

<p>
Well, that was quick, but what did we do? The great thing is, we didn't
have to do very much! You're welcome to choose other DNS servers if
you're more comfortable with them, but the reason dnsmasq is great is
because it was designed to do exactly what we want and nothing more.
It's a little DNS caching/forwarding server for local networks. We're
not looking to provide DNS for our own domain here, just offer simple DNS
services to everyone else on our LAN.
</p>

</body>
</section>
379    
<section>
<title>NAT (a.k.a. IP-masquerading)</title>
<body>

<p>
At this point, people on your network can talk to each other and they
can look up hostnames via DNS, but they still can't actually connect to
the internet. While you may think that's great (more bandwidth for
you!), I bet they're not too happy just yet.
</p>

<p>
This is where NAT steps in. NAT is a way of connecting multiple computers
in a private LAN to the internet when you only have a smaller number of
IP addresses available to you. Typically you were given one IP by your ISP,
but you want to let your whole house connect to the internet. NAT is the
magic that makes this possible. For more information about NAT, you can
always visit <uri link="http://en.wikipedia.org/wiki/NAT">Wikipedia</uri>.
</p>

<note>
Before we get started, make sure you have iptables on your system. Although
it is automatically installed on most systems, you may not have it. If you
don't, just run <c>emerge iptables</c>.
</note>

<pre caption="Setting up iptables">
<comment>First we flush our current rules</comment>
# <i>iptables -F</i>
# <i>iptables -t nat -F</i>

<comment>Then we lock our services so they only work from the LAN</comment>
# <i>iptables -I INPUT 1 -i eth0 -j ACCEPT</i>
# <i>iptables -I INPUT 1 -i lo -j ACCEPT</i>
# <i>iptables -A INPUT -p UDP --dport bootps -i ! eth0 -j REJECT</i>
# <i>iptables -A INPUT -p UDP --dport domain -i ! eth0 -j REJECT</i>

<comment>Drop TCP / UDP packets to privileged ports</comment>
# <i>iptables -A INPUT -p TCP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP</i>
# <i>iptables -A INPUT -p UDP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP</i>

<comment>Finally we add the rules for NAT</comment>
# <i>iptables -I FORWARD -i eth0 -d 192.168.0.0/255.255.0.0 -j DROP</i>
# <i>iptables -A FORWARD -i eth0 -s 192.168.0.0/255.255.0.0 -j ACCEPT</i>
# <i>iptables -A FORWARD -i eth1 -d 192.168.0.0/255.255.0.0 -j ACCEPT</i>
# <i>iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE</i>
<comment>Tell the kernel that ip forwarding is OK</comment>
# <i>echo 1 > /proc/sys/net/ipv4/ip_forward</i>
# <i>for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done</i>

<comment>This is so when we boot we don't have to run the rules by hand</comment>
# <i>/etc/init.d/iptables save</i>
# <i>rc-update add iptables default</i>
# <i>nano /etc/sysctl.conf</i>
<comment>Add/Uncomment the following lines:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1</comment>
</pre>

<p>
Once you've typed out all of that, the rest of your network should now
be able to use the internet as if they were directly connected
themselves.
</p>
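<p>
As an added example (not part of the guide, and not how iptables itself is implemented),
the following Python script models the INPUT rules above with the same first-match
semantics the kernel applies: rules are tried top to bottom, the first match decides,
and if nothing matches the chain's policy applies (ACCEPT unless you change it, which
the guide does not). It parses the guide's own commands, so <c>-I INPUT 1</c> lands at
the top and <c>-A</c> appends, and it takes the <c>-i ! eth0</c> tests literally, which
is why a packet arriving on ppp0 is treated the same as one arriving on eth1. The
service-name table and the sample packets are constructed for the example.
</p>

```python
"""Model the guide's INPUT chain with iptables first-match semantics (added example)."""
import shlex

# Constructed subset of /etc/services covering the names the guide uses.
SERVICES = {"bootps": 67, "domain": 53, "smtp": 25}

# The INPUT rules exactly as typed in the "Setting up iptables" block above
# (flush, FORWARD and nat lines are left out: they do not touch INPUT).
GUIDE_INPUT_RULES = [
    "iptables -I INPUT 1 -i eth0 -j ACCEPT",
    "iptables -I INPUT 1 -i lo -j ACCEPT",
    "iptables -A INPUT -p UDP --dport bootps -i ! eth0 -j REJECT",
    "iptables -A INPUT -p UDP --dport domain -i ! eth0 -j REJECT",
    "iptables -A INPUT -p TCP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP",
    "iptables -A INPUT -p UDP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP",
]


def port_range(spec):
    """'domain' -> (53, 53); '0:1023' -> (0, 1023)."""
    lo, sep, hi = spec.partition(":")
    lo = SERVICES[lo] if lo in SERVICES else int(lo)
    return lo, (int(hi) if sep else lo)


def parse_rule(cmd):
    """Parse one iptables command into (chain, 1-based insert position or None, match dict)."""
    argv = shlex.split(cmd)
    rule = {"proto": None, "iface": None, "negated": False, "dport": None, "target": None}
    chain, insert_at, i = None, None, 1  # argv[0] is 'iptables'
    while len(argv) > i:
        opt = argv[i]
        if opt == "-A":
            chain, i = argv[i + 1], i + 2
        elif opt == "-I":  # '-I CHAIN [pos]': with no position iptables inserts at 1
            chain = argv[i + 1]
            if len(argv) > i + 2 and argv[i + 2].isdigit():
                insert_at, i = int(argv[i + 2]), i + 3
            else:
                insert_at, i = 1, i + 2
        elif opt == "-p":
            rule["proto"], i = argv[i + 1].lower(), i + 2
        elif opt == "-i" and argv[i + 1] == "!":
            rule["negated"], rule["iface"], i = True, argv[i + 2], i + 3
        elif opt == "-i":
            rule["iface"], i = argv[i + 1], i + 2
        elif opt == "--dport":
            rule["dport"], i = port_range(argv[i + 1]), i + 2
        elif opt == "-d":
            i += 2  # the guide only uses '-d 0/0', which matches every address
        elif opt == "-j":
            rule["target"], i = argv[i + 1], i + 2
        else:
            raise ValueError("option not modelled here: " + opt)
    return chain, insert_at, rule


def build_chain(commands):
    """Apply -A (append) and -I (insert) in order, exactly as iptables would."""
    chain = []
    for cmd in commands:
        name, insert_at, rule = parse_rule(cmd)
        if name != "INPUT":
            continue
        if insert_at is None:
            chain.append(rule)
        else:
            chain.insert(insert_at - 1, rule)
    return chain


def matches(rule, iface, proto, dport):
    if rule["iface"] is not None:
        on_iface = iface == rule["iface"]
        if on_iface == rule["negated"]:  # '-i eth0' needs True, '-i ! eth0' needs False
            return False
    if rule["proto"] is not None and rule["proto"] != proto:
        return False
    if rule["dport"] is not None and dport not in range(rule["dport"][0], rule["dport"][1] + 1):
        return False
    return True


def verdict(chain, iface, proto, dport, policy="ACCEPT"):
    """First matching rule wins; with no match the chain policy decides."""
    for rule in chain:
        if matches(rule, iface, proto, dport):
            return rule["target"]
    return policy


INPUT_CHAIN = build_chain(GUIDE_INPUT_RULES)

if __name__ == "__main__":
    # Constructed sample packets: (incoming interface, protocol, destination port)
    for pkt in [("eth0", "tcp", 22), ("eth1", "udp", 53), ("eth1", "tcp", 22),
                ("ppp0", "tcp", 25), ("eth1", "tcp", 8080)]:
        print(pkt, "->", verdict(INPUT_CHAIN, *pkt))
```

<p>
Run it and look at the last packet: TCP from the WAN to port 8080 is accepted, because
the DROP rules only cover ports 0:1023 and the policy is ACCEPT. Any service you later
bind on the router to a port above 1023 is therefore reachable from the internet unless
you add a rule for it (the <c>policy</c> argument of <c>verdict</c> lets you see what a
DROP policy would change). Feeding the chain the extra <c>-I INPUT</c> rule from the
Mail Server section further down shows the other thing worth knowing: with no position
given, <c>-I</c> puts the rule at the top, ahead of the DROP rules, so its REJECT wins.
</p>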
444    
</body>
</section>
</chapter>
448    
<chapter>
<title>Fun Things (for a rainy day)</title>

<section>
<title>Intro</title>
<body>
<p>
Believe it or not, you're done :). From here on out, I'll cover a bunch
of common topics that may interest you. Everything in this chapter is
completely optional.
</p>
</body>
</section>

<section>
<title>Port Forwarding</title>
<body>
<p>
Sometimes you would like to be able to host services on a computer behind
the router, or just to make your life easier when connecting remotely.
Perhaps you want to run an FTP, HTTP, SSH, or VNC server on one or more
machines behind your router and be able to connect to them all. The only
caveat is that you can only have one service/machine combo per port.
For example, there is no practical way to set up three FTP servers behind
your router and then try to connect to them all through port 21; only one
can be on port 21 while the others would have to be on, say, port 123 and
port 567.
</p>

<p>
All the port forwarding rules are of the form <c>iptables -t nat -A PREROUTING
[-p protocol] --dport [external port on router] -i eth1 -j DNAT --to [ip/port
to forward to]</c>. iptables does not accept hostnames when port forwarding.
If you are forwarding an external port to the same port on the internal machine,
you can omit the destination port. See the iptables(8) man page for more information.
</p>

<pre caption="Port forwarding examples">
<comment>Forward port 2 to ssh on an internal host</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 2 -i eth1 -j DNAT --to 192.168.0.2:22</i>

<comment>FTP forwarding to an internal host</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 21 -i eth1 -j DNAT --to 192.168.0.56</i>

<comment>HTTP forwarding to an internal host</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 -j DNAT --to 192.168.0.56</i>

<comment>VNC forwarding for internal hosts</comment>
# <i>iptables -t nat -I PREROUTING -p tcp --dport 5900 -i eth1 -j DNAT --to 192.168.0.2</i>
# <i>iptables -t nat -I PREROUTING -p tcp --dport 5901 -i eth1 -j DNAT --to 192.168.0.3:5900</i>
<comment>If you want to VNC in to 192.168.0.3, then just add ':1' to the router's hostname</comment>

<comment>Bittorrent forwarding</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 6881:6889 -i eth1 -j DNAT --to 192.168.0.2</i>

<comment>Game Cube Warp Pipe support</comment>
# <i>iptables -t nat -A PREROUTING -p udp --dport 4000 -i eth1 -j DNAT --to 192.168.0.56</i>

<comment>Playstation2 Online support</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 10070:10080 -i eth1 -j DNAT --to 192.168.0.11</i>
# <i>iptables -t nat -A PREROUTING -p udp --dport 10070:10080 -i eth1 -j DNAT --to 192.168.0.11</i>
</pre>

<note>
If you have other common / cool examples, please <uri link="mailto:vapier@gentoo.org">e-mail me</uri>.
</note>
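<p>
The "one service/machine combo per port" rule above is easy to break once the list of
forwards grows, so here is a small checker, added as an example and not part of the
guide: it reads DNAT rules in the form used above, compares the external port ranges
per protocol, and reports every overlapping pair. The rule list is the guide's own plus
one constructed rule at the end that forwards TCP port 21 to a second host, which is
exactly the situation the text says cannot work.
</p>

```python
"""Find external-port collisions among port-forwarding (DNAT) rules (added example)."""
import re

# The guide's forwarding rules, plus one constructed rule at the end that
# sends external port 21 to a second FTP host and therefore collides.
FORWARDS = [
    "iptables -t nat -A PREROUTING -p tcp --dport 2 -i eth1 -j DNAT --to 192.168.0.2:22",
    "iptables -t nat -A PREROUTING -p tcp --dport 21 -i eth1 -j DNAT --to 192.168.0.56",
    "iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 -j DNAT --to 192.168.0.56",
    "iptables -t nat -I PREROUTING -p tcp --dport 5900 -i eth1 -j DNAT --to 192.168.0.2",
    "iptables -t nat -I PREROUTING -p tcp --dport 5901 -i eth1 -j DNAT --to 192.168.0.3:5900",
    "iptables -t nat -A PREROUTING -p tcp --dport 6881:6889 -i eth1 -j DNAT --to 192.168.0.2",
    "iptables -t nat -A PREROUTING -p udp --dport 4000 -i eth1 -j DNAT --to 192.168.0.56",
    "iptables -t nat -A PREROUTING -p tcp --dport 10070:10080 -i eth1 -j DNAT --to 192.168.0.11",
    "iptables -t nat -A PREROUTING -p udp --dport 10070:10080 -i eth1 -j DNAT --to 192.168.0.11",
    # constructed: a second FTP box on the same external port as 192.168.0.56
    "iptables -t nat -A PREROUTING -p tcp --dport 21 -i eth1 -j DNAT --to 192.168.0.57",
]

RULE_RE = re.compile(r"-p (?P<proto>\w+) --dport (?P<ports>[\d:]+) .*--to (?P<dest>\S+)")


def parse_forward(cmd):
    """Extract protocol, external port range and internal host/port from one rule."""
    m = RULE_RE.search(cmd)
    if m is None:
        raise ValueError("not a DNAT port-forward rule: " + cmd)
    lo, sep, hi = m.group("ports").partition(":")
    host, has_port, port = m.group("dest").partition(":")
    return {
        "proto": m.group("proto").lower(),
        "lo": int(lo),
        "hi": int(hi) if sep else int(lo),
        "host": host,
        # no ':port' in --to means the packet keeps its original destination port
        "port": int(port) if has_port else None,
    }


def find_collisions(commands):
    """Return (proto, first port, last port, host A, host B) for every overlapping pair."""
    rules = [parse_forward(c) for c in commands]
    hits = []
    for a_idx, a in enumerate(rules):
        for b in rules[a_idx + 1:]:
            if a["proto"] != b["proto"]:
                continue
            if a["hi"] >= b["lo"] and b["hi"] >= a["lo"]:  # the two ranges overlap
                hits.append((a["proto"], max(a["lo"], b["lo"]), min(a["hi"], b["hi"]),
                             a["host"], b["host"]))
    return hits


if __name__ == "__main__":
    for hit in find_collisions(FORWARDS):
        print("collision: %s/%d-%d forwarded to both %s and %s" % hit)
```

<p>
With the constructed rule removed the checker returns nothing, since the guide's own
set is consistent. The parser also records when <c>--to</c> carries no port, meaning
the packet keeps the port it arrived on; that is why the ssh example above maps
external port 2 to 192.168.0.2:22 explicitly.
</p>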
</body>
</section>

<section>
<title>Identd (for IRC)</title>
<body>
<p>
Internet Relay Chat utilizes the ident service pretty heavily. Now that
the IRC clients are behind the router, we need a way to host ident for
both the router and the clients. One such server, written for exactly
this purpose, is <c>midentd</c>.
</p>

<pre caption="Setting up ident">
# <i>emerge midentd</i>
# <i>rc-update add midentd default</i>
# <i>/etc/init.d/midentd start</i>
</pre>

<p>
There are a few other ident servers in portage. Depending on your needs,
I would recommend checking out <c>oidentd</c> and <c>fakeidentd</c>.
</p>
</body>
</section>
540    
<!--
<section>
<title>Traffic Shaping</title>
<body>
<p>
This is an attempt to simplify and Gentooify the <uri link="http://www.tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/">ADSL Bandwidth Management HOWTO</uri>
found over at the TLDP. Feel free to refer to the original document
for more details.
</p>

<p>
Here we will be setting up what some people refer to as a "Packet Shaper",
<uri link="http://en.wikipedia.org/wiki/Traffic_shaping">"Traffic Shaping"</uri>,
or <uri link="http://en.wikipedia.org/wiki/QoS">"Quality of Service"</uri>.
Simply put, we want to set up rules on our router that will slow down
certain activities (like sending large e-mails or downloading from P2P
networks) while keeping other activities (like browsing the web or playing
online video games) reasonably fast. A 30 second difference in a video
game is a lot worse than a 30 second difference in downloading large
files :).
</p>

<p>
The first thing is to make sure your kernel has all the features added to
it. See the chapter on <uri link="#doc_chap2">Kernel setup</uri> for more
information. Next, you will need to <c>emerge iptables iputils</c> so that
you will have access to the <c>iptables</c>, <c>ip</c>, and <c>tc</c>
commands.
</p>

<p>
Before we jump into the commands, let's cover a little of the theory. The
way this whole system works is to classify common network streams and then
to prioritize them. You use iptables to classify network streams, iputils
to define the different priority levels, and the kernel to adjust speeds.
Just remember that although you can control outbound traffic pretty tightly
(from the LAN to the WAN), your ability to control inbound traffic (from
the WAN to the LAN) is somewhat limited. Keep in mind that the following
examples are to get your feet wet; if you want more then I'd suggest
reading up on the subject. In this example, we will be using the
<uri link="http://luxik.cdi.cz/~devik/qos/htb/">Hierarchical Token Buckets (HTB)</uri>
packet scheduling algorithm. Still with me? Great, let's start shaping :).
</p>

<pre caption="Setup">
DEV=eth1 <comment>NIC connected to WAN</comment>
RATE_OUT=100 <comment>Available outbound bandwidth (in kilobits [kb])</comment>
RATE_IN=1400 <comment>Available inbound bandwidth (in kb)</comment>

<comment>Here we initialize the priority system. The 45 is used to set the default classification level.</comment>
ip link set dev ${DEV} qlen 30
tc qdisc add dev ${DEV} root handle 1: htb default 45
tc class add dev ${DEV} parent 1: classid 1:1 htb rate ${RATE_OUT}kbit
</pre>

<p>
Here we initialized the system which will be used to prioritize all of
our network traffic. We created our queue, told it to use the HTB
algorithm, and set the default classification level to '45'. The
default is completely arbitrary, as are the levels we choose from
here on out. The only thing that matters is how the levels compare
relatively; a level '10' packet will be given preference over a
level '45' packet. Let's move on to declaring different levels.
</p>

<pre caption="Declaring levels">
tc class add dev $DEV parent 1:1 classid 1:10 htb rate $rkbit ceil $tkbit prio $p
tc qdisc add dev $DEV parent 1:10 handle 10: sfq
</pre>
</body>
</section>
-->
613    
<section>
<title>Time Server</title>
<body>
<p>
Keeping your system time correct is essential in maintaining a healthy
system. One of the most common ways of accomplishing this is with
the Network Time Protocol (NTP) and the ntp package (which provides
implementations for both server and client).
</p>

<p>
Many people run ntp clients on their computers. Obviously, the more
clients in the world, the larger the load the ntp servers need to
shoulder. In environments like home networks though, we can help
keep the load down on public servers while still providing the proper
time to all our computers. As an added bonus, our private updates
will be a lot faster for the clients too! All we have to do is run
an ntp server on our router that synchronizes itself with the public
internet servers while providing the time to the rest of the computers
in the network. To get started, simply <c>emerge ntp</c> on the
router.
</p>

<pre caption="Setting up the NTP server">
# <i>nano /etc/conf.d/ntp-client</i>
<comment>Customize if you wish but the defaults should be fine</comment>
# <i>rc-update add ntp-client default</i>

# <i>nano /etc/ntp.conf</i>
<comment>Add the following lines:
restrict default ignore
restrict 192.168.0.0 mask 255.255.255.0 notrust nomodify notrap
These will allow only ntp clients with an IP address in the 192.168.0.xxx range to use your ntp server</comment>
# <i>nano /etc/conf.d/ntpd</i>
<comment>Customize if you wish but the defaults should be fine</comment>
# <i>rc-update add ntpd default</i>

# <i>/etc/init.d/ntp-client start</i>
# <i>/etc/init.d/ntpd start</i>
</pre>

<p>
Now, on your clients, have them <c>emerge ntp</c> also. However,
we will just run the ntp client there, so the setup is a lot simpler.
</p>

<pre caption="Setting up an NTP client">
# <i>nano /etc/conf.d/ntp-client</i>
<comment>Change the 'pool.ntp.org' server in the NTPCLIENT_OPTS variable to '192.168.0.1'</comment>
# <i>rc-update add ntp-client default</i>
# <i>/etc/init.d/ntp-client start</i>
</pre>
</body>
</section>
668    
<section>
<title>Mail Server</title>
<body>
<p>
Sometimes it's nice to run your own Simple Mail Transfer Protocol (SMTP)
server on the router. You may have your own reason for wanting to do so,
but I run it so that the users see mail as being sent instantly and the
work of retrying/routing is left up to the mail server. Some ISPs also
don't allow for mail relaying for accounts that aren't part of their
network (like Verizon). Also, you can easily throttle the delivery of
mail so that large attachments won't seriously lag your connection for
half an hour.
</p>

<pre caption="Setting up SMTP">
# <i>emerge qmail</i>
<comment>make sure the output of `hostname` is correct</comment>
# <i>ebuild /var/db/pkg/*-*/qmail-1.03-r*/*.ebuild config</i>
# <i>iptables -I INPUT -p tcp --dport smtp -i ! eth0 -j REJECT</i>
# <i>ln -s /var/qmail/supervise/qmail-send /service/qmail-send</i>
# <i>ln -s /var/qmail/supervise/qmail-smtpd /service/qmail-smtpd</i>
<!--
# <i>cd /etc/tcprules.d</i>
# <i>nano tcp.qmail-smtp</i>
-->
# <i>cd /etc</i>
# <i>nano tcp.smtp</i>
<comment>Add an entry like so to the allow section:
192.168.0.:allow,RELAYCLIENT=""</comment>
<!--
# <i>tcprules tcp.qmail-qmtp.cdb rules.tmp &lt; tcp.qmail-smtp</i>
-->
# <i>tcprules tcp.smtp.cdb rules.tmp &lt; tcp.smtp</i>
# <i>rc-update add svscan default</i>
# <i>/etc/init.d/svscan start</i>
</pre>

<p>
I'm a huge fan of qmail, but you're free to use a different MTA :).
When you set up e-mail on the hosts in your network, tell them that
their SMTP server is 192.168.0.1 and everything should be peachy.
You might want to visit the <uri link="http://qmail.org/">qmail
homepage</uri> for more documentation.
</p>
</body>
</section>
715    
<!--
<section>
<title>E-mail Virus Scanning</title>
<body>
<p>
If you'd like to provide e-mail virus scanning for your users, but
don't want to have to install a virus scanner on every single machine,
then <c>pop3vscan</c> may just be the thing for you; a transparent
Post Office Protocol (POP) scanner.
</p>

<pre caption="Setting up pop3vscan">
TODO
</pre>

</body>
</section>
-->

</chapter>

<chapter>
<title>Final Notes</title>
<section>
<body>
<p>
I have no final notes other than if you experience any troubles with the guide,
please contact <mail link="vapier@gentoo.org">me</mail> or file a bug with
<uri link="http://bugs.gentoo.org/">Gentoo's Bugtracking Website</uri>. If
you have some interesting bits you think would enhance this guide, by all means
send them my way for inclusion.
</p>
</body>
</section>
</chapter>
</guide>
