/[gentoo]/xml/htdocs/doc/en/home-router-howto.xml
Gentoo

Contents of /xml/htdocs/doc/en/home-router-howto.xml

Revision 1.2
Thu Jul 22 14:32:26 2004 UTC (10 years, 7 months ago) by vapier
Branch: MAIN
Changes since 1.1: +38 -4 lines
File MIME type: application/xml
explain a few more terms

<?xml version='1.0' encoding='UTF-8'?>
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/home-router-howto.xml,v 1.1 2004/07/22 05:53:40 vapier Exp $ -->
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">

<guide link="/doc/en/home-router-howto.xml">

<title>Home Router Guide</title>

<author title="Author">
<mail link="vapier@gentoo.org">Mike Frysinger</mail>
</author>

<abstract>
This document details how to turn an old Gentoo machine into a router
for connecting your home network to the internet.
</abstract>

<version>1.1</version>
<date>July 21, 2004</date>

<chapter>
<title>Introduction</title>
<section>
<body>

<p>
Building your own router out of old spare parts has many advantages
over buying a pre-made canned router from, say, Linksys. The biggest one by
far is control over the connection. The other advantages are left up to
your imagination; just about anything can be done in this scenario,
it's just a matter of needing it.
</p>

<p>
This guide will show you how to set up Network Address Translation (NAT)
on the router (kernel and iptables), add and configure common services
(Domain Name System (DNS) via dnsmasq, DHCP via dhcpcd, ADSL via
rp-pppoe), and conclude with more elaborate and fun things that can be
done (port forwarding, traffic shaping, http/ftp hosting, caching, etc...).
</p>

<p>
Before getting started, there are a few basic requirements you must meet.
First, you'll need a computer that has at least 2 Network Interface
Cards (NICs) in it. Next, you'll need the configuration settings for
your internet connection (these may include things like
IP/DNS/Gateway/username/password). Finally, you'll need a bit of spare
time and some Gentoo loving.
</p>

<p>
The conventions used in this guide are:
</p>
<ul>
<li>eth0 - NIC connected to the Local Area Network (LAN)</li>
<li>eth1 - NIC connected to the Wide Area Network (WAN)</li>
<li>LAN utilizes the private 192.168.0.xxx network</li>
<li>router is hardcoded to the standard 192.168.0.1 IP</li>
</ul>

<impo>
Due to security precautions, I would highly suggest you shut down any
unneeded services on the router until we have a chance to get the
firewall up and rolling. To view the currently running services, just
run <c>rc-status</c>.
</impo>

</body>
</section>
</chapter>

<chapter>
<title>Kernel setup (know thyself first)</title>
<section>
<body>

<p>
Your kernel needs to have the drivers running for both your NICs. To
see if your cards are already set up, just run <c>ifconfig</c>. Your
output may differ slightly from the following; that's fine. What
matters is that the interface shows up at all.
</p>
<pre caption="Checking NICs">
# <i>ifconfig -a</i>
eth0      Link encap:Ethernet  HWaddr 00:60:F5:07:07:B8
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:11 Base address:0x9800

eth1      Link encap:Ethernet  HWaddr 00:60:F5:07:07:B9
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:10 Base address:0x9400
</pre>
<p>
If you do not see your two cards showing up and you're not sure what
kind of cards you have, try running <c>lspci</c>. You can get that from
<c>emerge sys-apps/pciutils</c>. Look for "Ethernet controller" in the
output. Once you have this information, go into your kernel and add
support for the correct drivers.
</p>

<p>
The next thing you'll need is support for iptables and NAT (and packet
shaping if you want). The following list is split up into required
(*), suggested (x), and shaper (s) features. It does not matter whether
you build the features into the kernel or as modules, so long as when
a feature is needed the correct module(s) are loaded (module loading
is left to the reader as a fun exercise, however).
</p>
<pre caption="Network Options">
<i>Networking options ---&gt;</i>
<i>  [*] TCP/IP networking</i>
<i>  [*] IP: advanced router</i>
<i>  [*] Network packet filtering (replaces ipchains)</i>

<i>  IP: Netfilter Configuration ---&gt;</i>
<i>    [*] Connection tracking (required for masq/NAT)</i>
<i>    [x] FTP protocol support</i>
<i>    [x] IRC protocol support</i>
<i>    [*] IP tables support (required for filtering/masq/NAT)</i>
<i>    [*] IP range match support</i>
<i>    [x] MAC address match support</i>
<i>    [*] Multiple port match support</i>
<i>    [*] Packet filtering</i>
<i>    [*] REJECT target support</i>
<i>    [x] REDIRECT target support</i>
<i>    [*] Full NAT</i>
<i>    [*] MASQUERADE target support</i>
<i>    [s] Packet mangling</i>
<i>    [s] MARK target support</i>
<i>    [x] LOG target support</i>

<i>  QoS and/or fair queueing ---&gt;</i>
<i>    [s] QoS and/or fair queueing</i>
<i>    [s] HTB packet scheduler</i>
<i>    [s] Ingress Qdisc</i>
</pre>
<note>
Some things may be slightly different in a 2.4 vs 2.6 kernel, but you
should be able to figure it out :). 2.2 + ipchains is not covered here.
</note>

</body>
</section>
</chapter>

<chapter>
<title>Hug the WAN (a.k.a. The Internet)</title>

<section>
<title>Intro</title>
<body>
<p>
There are many ways to connect to the internet, so I'll just cover the
ones I'm familiar with. That leaves us with ADSL (PPPoE) and cable
modems (static/dynamic). If there are other methods out there, feel
free to write up a little blurb and e-mail me. Feel free to skip any of
the following sections in this chapter that don't apply to you. This
chapter is just about getting the router connected to the internet via
eth1.
</p>
</body>
</section>

<section>
<title>ADSL and PPPoE</title>
<body>

<p>
All the fancy PPPoE software has been bundled up into one nice little
package nowadays called <uri link="http://www.roaringpenguin.com/">Roaring Penguin</uri>.
Simply <c>emerge rp-pppoe</c> and you'll be on your way. Remember how
I said you'd need username/password information? Well, I wasn't lying,
so I hope you have it now! Load up <path>/etc/ppp/pppoe.conf</path> in
your favorite editor and set it up.
</p>

<pre caption="Setting up eth1">
<comment>(Replace 'vla9h924' with your username and 'password' with your password)</comment>

# <i>nano /etc/ppp/pppoe.conf</i>
<comment># Ethernet card connected to ADSL modem
ETH=eth1
# ADSL user name.
USER=vla9h924</comment>
# <i>nano /etc/ppp/pap-secrets</i>
<comment># client server secret
"vla9h924" * "password"</comment>
# <i>nano /etc/conf.d/net</i>
<comment>Add an entry for ifconfig_eth1 and set it to adsl:
ifconfig_eth1=( "adsl" )</comment>
# <i>ln -s net.eth0 /etc/init.d/net.eth1</i>
# <i>rc-update add net.eth1 default</i>
# <i>/etc/init.d/net.eth1 start</i>
</pre>

<p>
You should be all set to go now.
</p>

</body>
</section>

<section>
<title>Cable and/or dynamic/static IP</title>
<body>

<p>
If you have a static IP then you will need a few more details than if
you have a dynamic IP. For static users, you will need your IP,
gateway, and DNS servers.
</p>

<pre caption="Setting up eth1">
<comment>Dynamic IP Users:</comment>
# <i>emerge dhcpcd</i>
# <i>nano /etc/conf.d/net</i>
<comment>You'll need an entry like so:
ifconfig_eth1=( "dhcp" )</comment>

<comment>Static IP Users:</comment>
# <i>nano /etc/conf.d/net</i>
<comment>You'll need entries like so:
ifconfig_eth1=( "66.92.78.102 broadcast 66.92.78.255 netmask 255.255.255.0" )
routes_eth1=( "default gw 66.92.78.1" )</comment>
# <i>nano /etc/resolv.conf</i>
<comment>Add one line per DNS server:
nameserver 123.123.123.123</comment>

<comment>Dynamic and Static Setup:</comment>
# <i>ln -s net.eth0 /etc/init.d/net.eth1</i>
# <i>rc-update add net.eth1 default</i>
# <i>/etc/init.d/net.eth1 start</i>
</pre>

<p>
You should be all set to go now.
</p>

</body>
</section>
</chapter>

<chapter>
<title>Hug the LAN (bring along some friends)</title>
<section>
<body>

<p>
This step is a breeze compared to the previous one.
</p>

<pre caption="Setting up eth0">
# <i>nano /etc/conf.d/net</i>
<comment>Add a line like the following:
ifconfig_eth0=( "192.168.0.1 broadcast 192.168.0.255 netmask 255.255.255.0" )</comment>
# <i>rc-update add net.eth0 default</i>
# <i>/etc/init.d/net.eth0 start</i>
</pre>

</body>
</section>
</chapter>

<chapter>
<title>LAN Services (because we're nice people)</title>

<section>
<title>DHCP Server</title>
<body>
<p>
I bet it'd be nice if everyone else in your house could just plug
their computers into the network and things would just work. No need to
remember mind-numbing details or make them stare at confusing
configuration screens! Life would be grand, eh? Introducing the Dynamic
Host Configuration Protocol (DHCP) and why you should care.
</p>

<p>
DHCP is exactly what its name implies. It's a protocol that allows you
to dynamically configure other hosts automatically. You run a DHCP
server on the router (dhcpd), give it all the information about your
network (valid IPs, DNS servers, gateways, etc...), and then when the
other hosts start up, they run a DHCP client to automatically configure
themselves. No fuss, no muss! For even more information, you can
always visit <uri link="http://en.wikipedia.org/wiki/DHCP">Wikipedia</uri>.
</p>

<pre caption="Setting up dhcpd">
# <i>emerge dhcp</i>
# <i>nano /etc/dhcp/dhcpd.conf</i>
<comment>Here is a sample configuration file:
authoritative;
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.100 192.168.0.250;
    default-lease-time 259200;
    max-lease-time 518400;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.0.255;
    option routers 192.168.0.1;
    option domain-name-servers 192.168.0.1;
}
</comment>
# <i>nano /etc/conf.d/dhcp</i>
<comment>Set IFACE="eth0"</comment>
# <i>rc-update add dhcp default</i>
# <i>/etc/init.d/dhcp start</i>
</pre>

<p>
Now your little router is a bona-fide DHCP server! Plug in those
computers and watch them work! With Windows systems you should go into
the TCP/IP Properties and select the 'Obtain an IP address
automatically' and 'Obtain DNS server address automatically' options.
Sometimes the changes aren't instantaneous, so you may have to open a
command prompt and run <c>ipconfig /release</c> and
<c>ipconfig /renew</c>. But enough about Windows, let's get back to our
favorite penguin.
</p>
</body>
</section>

<section>
<title>DNS Server</title>
<body>
<p>
When people want to visit a place on the internet, they remember names,
not a string of useless numbers. After all, what's easier to remember,
ebay.com or 66.135.192.87? This is where DNS steps in. DNS servers
run all over the internet, and whenever someone wants to visit 'ebay.com',
these servers turn 'ebay.com' (what we understand) into '66.135.192.87'
(what our computers understand). For even more information, you can
always visit <uri link="http://en.wikipedia.org/wiki/DNS">Wikipedia</uri>.
</p>

<p>
You may have noticed in the previous section that we told the DHCP
clients we have a DNS server at 192.168.0.1. You may also remember that
192.168.0.1 is our little router that we're making. I don't remember
setting up a DNS server ... so let's do so now!
</p>

<pre caption="Setting up dnsmasq">
# <i>emerge dnsmasq</i>
# <i>nano /etc/conf.d/dnsmasq</i>
<comment>Add "-I eth1" to DNSMASQ_OPTS (capital I, i.e. --except-interface:
dnsmasq must not answer queries arriving on the WAN side; a lowercase -i
would make it listen there instead)</comment>
# <i>rc-update add dnsmasq default</i>
# <i>/etc/init.d/dnsmasq start</i>
</pre>

<p>
Well that was quick, but what did we do? The great thing is, we didn't
have to do very much! You're welcome to choose other DNS servers if
you're more comfortable with them, but the reason dnsmasq is great is
because it was designed to do exactly what we want it for. It's a
little DNS caching/forwarding server for local networks. We're not
looking to provide our own DNS server here, just offer simple DNS
services to everyone else on our LAN.
</p>

</body>
</section>

<section>
<title>NAT</title>
<body>

<p>
At this point, people on your network can talk to each other and they
can look up hostnames via DNS, but they still can't actually connect to
the internet. While you may think that's great (more bandwidth for
you!), I bet they're not too happy just yet.
</p>

<p>
This is where NAT steps in. NAT is a way of connecting multiple computers
in a private LAN to the internet when you only have a smaller number of
IP addresses available to you. Typically you were given 1 IP by your ISP,
but you want to let your whole house connect to the internet. NAT is the
magic that makes this possible. For even more information, you can
always visit <uri link="http://en.wikipedia.org/wiki/NAT">Wikipedia</uri>.
</p>

<note>
Before we get started, make sure you have iptables on your system. Although
it is automatically installed on most systems, you may not have it. If you
don't, just run <c>emerge iptables</c>.
</note>

<pre caption="Setting up iptables">
<comment>First we flush our current rules</comment>
# <i>iptables -F</i>
# <i>iptables -t nat -F</i>

<comment>Then we lock our services so they only work from the LAN
(port 53 is named "domain" in /etc/services, so that is the name iptables accepts)</comment>
# <i>iptables -I INPUT 1 -i eth0 -j ACCEPT</i>
# <i>iptables -I INPUT 1 -i lo -j ACCEPT</i>
# <i>iptables -A INPUT -p UDP --dport bootps ! -i eth0 -j REJECT</i>
# <i>iptables -A INPUT -p UDP --dport domain ! -i eth0 -j REJECT</i>

<comment>Drop TCP / UDP packets to privileged ports</comment>
# <i>iptables -A INPUT -p TCP ! -i eth0 -d 0/0 --dport 0:1023 -j DROP</i>
# <i>iptables -A INPUT -p UDP ! -i eth0 -d 0/0 --dport 0:1023 -j DROP</i>

<comment>Finally we add the rules for NAT. The first rule stops traffic from the LAN
that is addressed to another private 192.168.x.x address from being routed out
to the WAN (-i takes an interface name, never an address)</comment>
# <i>iptables -I FORWARD -i eth0 -d 192.168.0.0/255.255.0.0 -j DROP</i>
# <i>iptables -A FORWARD -s 192.168.0.0/255.255.0.0 -j ACCEPT</i>
# <i>iptables -A FORWARD -d 192.168.0.0/255.255.0.0 -j ACCEPT</i>
# <i>iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE</i>
<comment>Tell the kernel that ip forwarding is OK</comment>
# <i>echo 1 > /proc/sys/net/ipv4/ip_forward</i>
# <i>for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done</i>

<comment>This is so when we boot we don't have to run the rules by hand</comment>
# <i>/etc/init.d/iptables save</i>
# <i>rc-update add iptables default</i>
</pre>

<p>
Once you've typed out all of that, the rest of your network should now
be able to use the internet as if they were directly connected
themselves.
</p>
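<p>
The rules above, collected into a small POSIX sh script as an added example
(not part of this guide): the interfaces become variables, nothing is applied
unless IPTABLES=iptables is set, and audit_rules checks an iptables -S listing
for the properties the rules are meant to give you (DHCP and DNS refused off the
LAN, privileged ports dropped, masquerading on the WAN side, no LAN-to-LAN
bounce). The function names, variables and the sample listing are my own, and
the sample is constructed rather than captured from a real router.
</p>

```shell
#!/bin/sh
# Added example (not part of the Gentoo guide): the guide's rules with the
# interfaces as variables, plus an audit of an `iptables -S` listing.
# Default is a dry run that only prints commands; set IPTABLES=iptables to apply.
LAN=${LAN:-eth0}
WAN=${WAN:-eth1}
LANNET=${LANNET:-192.168.0.0/255.255.0.0}

build_rules() {
    ipt=${IPTABLES:-echo}
    $ipt -F
    $ipt -t nat -F
    # Router services answer on the LAN side and on loopback only
    $ipt -I INPUT 1 -i "$LAN" -j ACCEPT
    $ipt -I INPUT 1 -i lo -j ACCEPT
    $ipt -A INPUT -p udp --dport bootps ! -i "$LAN" -j REJECT
    $ipt -A INPUT -p udp --dport domain ! -i "$LAN" -j REJECT
    # Nothing arriving off the LAN reaches privileged ports on the router itself
    $ipt -A INPUT -p tcp ! -i "$LAN" --dport 0:1023 -j DROP
    $ipt -A INPUT -p udp ! -i "$LAN" --dport 0:1023 -j DROP
    # Forward LAN traffic out and replies back in; never bounce LAN-to-LAN via the WAN
    $ipt -I FORWARD -i "$LAN" -d "$LANNET" -j DROP
    $ipt -A FORWARD -s "$LANNET" -j ACCEPT
    $ipt -A FORWARD -d "$LANNET" -j ACCEPT
    $ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Reads `iptables -S; iptables -t nat -S` output on stdin, prints each property
# the guide wants that is missing, and returns how many are missing (0 = good).
audit_rules() {
    listing=$(cat)
    missing=0
    want() {  # $1 = description, $2 = extended regex the listing must match
        printf '%s\n' "$listing" | grep -Eq -- "$2" ||
            { echo "MISSING: $1"; missing=$((missing + 1)); }
    }
    want "masquerade out of $WAN" "^-A POSTROUTING -o $WAN -j MASQUERADE"
    want "DHCP refused off-LAN" "^-A INPUT ! -i $LAN -p udp .*--dport 67 -j REJECT"
    want "DNS refused off-LAN" "^-A INPUT ! -i $LAN -p udp .*--dport 53 -j REJECT"
    want "privileged TCP dropped off-LAN" "^-A INPUT ! -i $LAN -p tcp .*--dport 0:1023 -j DROP"
    want "privileged UDP dropped off-LAN" "^-A INPUT ! -i $LAN -p udp .*--dport 0:1023 -j DROP"
    want "no LAN-to-LAN bounce" "^-A FORWARD -d 192\.168\.0\.0/(16|255\.255\.0\.0) -i $LAN -j DROP"
    return "$missing"
}

# Constructed sample (not captured from a real router) of what `iptables -S`
# prints after the rules above, so the script runs stand-alone.
SAMPLE_GOOD='-A INPUT ! -i eth0 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
-A INPUT ! -i eth0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT ! -i eth0 -p tcp -m tcp --dport 0:1023 -j DROP
-A INPUT ! -i eth0 -p udp -m udp --dport 0:1023 -j DROP
-A FORWARD -d 192.168.0.0/16 -i eth0 -j DROP
-A POSTROUTING -o eth1 -j MASQUERADE'
# Same router with the two LAN-only REJECT rules forgotten: the audit flags both.
SAMPLE_BAD=$(printf '%s\n' "$SAMPLE_GOOD" | grep -v REJECT)
```

To audit a live box, source the script and run <c>{ iptables -S; iptables -t nat -S; } | audit_rules</c>. Note also that <c>echo 1 &gt; /proc/sys/net/ipv4/ip_forward</c> is lost on reboot, so put <c>net.ipv4.ip_forward = 1</c> in <path>/etc/sysctl.conf</path> as well.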

<p>
Believe it or not, you're done :). The only thing left involves adding
extra services to make your life (or the lives of your users) easier.
</p>

</body>
</section>

</chapter>

</guide>
