/[gentoo]/xml/htdocs/doc/en/home-router-howto.xml
Gentoo

Contents of /xml/htdocs/doc/en/home-router-howto.xml

Parent Directory Parent Directory | Revision Log Revision Log


Revision 1.35 - (hide annotations) (download) (as text)
Sat Nov 5 02:45:18 2005 UTC (9 years ago) by vapier
Branch: MAIN
Changes since 1.34: +16 -7 lines
File MIME type: application/xml
add info for kernel features that adsl/pppoe require as noted by Jonathan Schmieg

1 vapier 1.1 <?xml version='1.0' encoding='UTF-8'?>
2 vapier 1.35 <!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/home-router-howto.xml,v 1.34 2005/10/11 01:02:53 vapier Exp $ -->
3 vapier 1.1 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
4    
5     <guide link="/doc/en/home-router-howto.xml">
6    
7     <title>Home Router Guide</title>
8    
9     <author title="Author">
10     <mail link="vapier@gentoo.org">Mike Frysinger</mail>
11     </author>
12    
13     <abstract>
14     This document details how to turn an old Gentoo machine into a router
15     for connecting your home network to the internet.
16     </abstract>
17    
18 vapier 1.35 <version>1.22</version>
19     <date>2005-11-04</date>
20 vapier 1.1
21     <chapter>
22     <title>Introduction</title>
23     <section>
24     <body>
25    
26     <p>
27 neysx 1.23 Building your own router out of old spare parts has many advantages over buying
28     a pre-made canned router by say Linksys. The biggest one by far is control
29     over the connection. The other advantages are left up to your imagination;
30     just about anything can be done in this scenario, it's just a matter of needing
31     it.
32 vapier 1.1 </p>
33    
34     <p>
35 neysx 1.23 This guide will show you how to setup Network Address Translation (NAT) on the
36     router (kernel and iptables), add and configure common services (Domain Name
37     System (DNS) via dnsmasq, dhcp via dhcpcd, ADSL via rp-pppoe), and conclude
38     with more elaborate and fun things that can be done (port forwarding, traffic
39     shaping, proxies/caching, etc...).
40 vapier 1.1 </p>
41    
42     <p>
43 neysx 1.23 Before getting started, there's a few basic requirements you must meet. First,
44     you'll need a computer that has at least 2 Network Interface Cards (NICs) in
45     it. Next, you'll need the configuration settings for your internet connection
46     (may include things like IP/DNS/Gateway/username/password). Finally, you'll
47     need a bit of spare time and some Gentoo loving.
48 vapier 1.1 </p>
49    
50     <p>
51     The conventions used in this guide are:
52     </p>
53 neysx 1.23
54 vapier 1.1 <ul>
55     <li>eth0 - NIC connected to the Local Area Network (LAN)</li>
56     <li>eth1 - NIC connected to the Wide Area Network (WAN)</li>
57     <li>LAN utilizes the private 192.168.0.xxx network</li>
58     <li>router is hardcoded to the standard 192.168.0.1 IP</li>
59 vapier 1.3 <li>router is running Linux 2.4 or 2.6; you're on your own with 2.0/2.2</li>
60 vapier 1.1 </ul>
61    
62     <impo>
63 neysx 1.23 Due to security precautions, I would highly suggest you shut down any unneeded
64     services on the router until we have a chance to get the firewall up and
65     rolling. To view the currently running services, just run <c>rc-status</c>.
66 vapier 1.1 </impo>
67    
68     </body>
69     </section>
70     </chapter>
71    
72     <chapter>
73     <title>Kernel setup (know thyself first)</title>
74     <section>
75     <body>
76    
77     <p>
78 neysx 1.23 Your kernel needs to have the drivers running for both your NICs. To see if
79     your cards are already setup, just run <c>ifconfig</c>. Your output may differ
80     slightly from the following, that's fine. What matters is that the interface
81     shows up at all.
82 vapier 1.1 </p>
83 neysx 1.23
84 vapier 1.1 <pre caption="Checking NICs">
85     # <i>ifconfig -a</i>
86     eth0 Link encap:Ethernet HWaddr 00:60:F5:07:07:B8
87     BROADCAST MULTICAST MTU:1500 Metric:1
88     RX packets:0 errors:0 dropped:0 overruns:0 frame:0
89     TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
90     collisions:0 txqueuelen:1000
91     RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
92     Interrupt:11 Base address:0x9800
93    
94     eth1 Link encap:Ethernet HWaddr 00:60:F5:07:07:B9
95     BROADCAST MULTICAST MTU:1500 Metric:1
96     RX packets:0 errors:0 dropped:0 overruns:0 frame:0
97     TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
98     collisions:0 txqueuelen:1000
99     RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
100     Interrupt:10 Base address:0x9400
101     </pre>
102 neysx 1.23
103 vapier 1.1 <p>
104 neysx 1.23 If you do not see your two cards showing up and you're not sure what kind of
105     cards you have, try running <c>lspci</c>. You can get that from <c>emerge
106     pciutils</c>. Look for "Ethernet controller" in the output. Once you have
107     this information, go into your kernel and add support for the correct drivers.
108 vapier 1.1 </p>
109    
110     <p>
111 neysx 1.23 The next thing you'll need is support for iptables and NAT (and packet shaping
112 vapier 1.35 if you want). The following list is split up into always required (*),
113     required only for adsl via PPPoE (a), suggested for everyone (x), and only
114     for shaper (s) features. It does not matter whether you build the features
115     into the kernel or as a module so long as when the feature is needed, the
116     correct module(s) are loaded (module loading is left to the reader as a fun
117 neysx 1.23 exercise however).
118 vapier 1.1 </p>
119 neysx 1.23
120 vapier 1.1 <pre caption="Network Options">
121 neysx 1.23 Networking options ---&gt;
122     [*] TCP/IP networking
123     [*] IP: advanced router
124     [*] Network packet filtering (replaces ipchains)
125 vapier 1.20 <comment>If you use 2.4.x, you have to enable the following for DHCP:</comment>
126 neysx 1.23 [*] Socket Filtering
127 vapier 1.1
128 neysx 1.23 IP: Netfilter Configuration ---&gt;
129     [*] Connection tracking (required for masq/NAT)
130     [x] FTP protocol support
131     [x] IRC protocol support
132     [*] IP tables support (required for filtering/masq/NAT)
133     [*] IP range match support
134     [x] MAC address match support
135     [*] Multiple port match support
136     [*] Packet filtering
137     [*] REJECT target support
138     [x] REDIRECT target support
139     [*] Full NAT
140     [*] MASQUERADE target support
141     [s] Packet mangling
142     [s] MARK target support
143     [x] LOG target support
144    
145     QoS and/or fair queueing ---&gt;
146     [s] QoS and/or fair queueing
147     [s] HTB packet scheduler
148     [s] Ingress Qdisc
149 vapier 1.35
150     [a] PPP (point-to-point protocol) support
151     [a] PPP filtering
152     [a] PPP support for async serial ports
153     [a] PPP support for sync tty ports
154     [a] PPP Deflate compression
155     [a] PPP BSD-Compress compression
156     [a] PPP over Ethernet
157 vapier 1.1 </pre>
158 neysx 1.23
159 vapier 1.1 <note>
160 neysx 1.23 Somethings may be slightly different in a 2.4 vs 2.6 kernel, but you should be
161     able to figure it out :).
162 vapier 1.1 </note>
163    
164     </body>
165     </section>
166     </chapter>
167    
168     <chapter>
169     <title>Hug the WAN (a.k.a. The Internet)</title>
170    
171     <section>
172     <title>Intro</title>
173     <body>
174 neysx 1.23
175 vapier 1.1 <p>
176 neysx 1.23 There are many ways to connect to the internet so I'll just cover the ones I'm
177     familiar with. That leaves us with ADSL (PPPoE) and cable modems
178     (static/dynamic). If there are other methods out there, feel free to write up
179     a little blurb and e-mail me. Feel free to skip any of the following sections
180     in this chapter that don't apply to you. This chapter is just about getting
181     the router connected to the internet via eth1.
182 vapier 1.1 </p>
183 neysx 1.23
184 vapier 1.1 </body>
185     </section>
186     <section>
187     <title>ADSL and PPPoE</title>
188     <body>
189    
190     <p>
191 neysx 1.23 All the fancy PPPoE software has been bundled up into one little nice package
192     nowadays called <uri link="http://www.roaringpenguin.com/">Roaring
193     Penguin</uri>. Simply <c>emerge rp-pppoe</c> and you'll be on your way.
194     Remember how I said you'll need username/password information? Well I wasn't
195     lying so I hope you have it now! Load up <path>/etc/ppp/pppoe.conf</path> in
196 vapier 1.1 your favorite editor and set it up.
197     </p>
198    
199 vapier 1.8 <note>
200     In order for the following net.eth1 settings to work, you must have
201     baselayout-1.10.1 or later installed on your system.
202     </note>
203    
204 vapier 1.1 <pre caption="Setting up eth1">
205     <comment>(Replace 'vla9h924' with your username and 'password' with your password)</comment>
206    
207     # <i>nano /etc/ppp/pppoe.conf</i>
208 neysx 1.23 <comment># Ethernet card connected to ADSL modem</comment>
209 vapier 1.1 ETH=eth1
210 neysx 1.23 <comment># ADSL user name.</comment>
211     USER=vla9h924
212 vapier 1.1 # <i>nano /etc/ppp/pap-secrets</i>
213 neysx 1.23 <comment># client server secret</comment>
214     "vla9h924" * "password"
215 vapier 1.1 # <i>nano /etc/conf.d/net</i>
216 vapier 1.25 <comment>Add an entry for config_eth1 and set it to adsl:</comment>
217     config_eth1=( "adsl" )
218 vapier 1.30 # <i>ln -s net.lo /etc/init.d/net.eth1</i>
219 vapier 1.1 # <i>rc-update add net.eth1 default</i>
220     # <i>/etc/init.d/net.eth1 start</i>
221     </pre>
222    
223 vapier 1.3 <warn>
224     When the DSL interface comes up, it will create ppp0. Although your NIC
225     is called eth1, the IP is actually bound to ppp0. From now on, when you
226     see examples that utilize 'eth1', substitute with 'ppp0'.
227     </warn>
228 vapier 1.1
229     </body>
230     </section>
231    
232     <section>
233     <title>Cable and/or dynamic/static IP</title>
234     <body>
235    
236     <p>
237 vapier 1.4 If you have a static IP then you will need a few more details than if
238 vapier 1.1 you have a dynamic IP. For static users, you will need your IP,
239     gateway, and DNS servers.
240     </p>
241    
242     <pre caption="Setting up eth1">
243     <comment>Dynamic IP Users:</comment>
244     # <i>emerge dhcpcd</i>
245     # <i>nano /etc/conf.d/net</i>
246 neysx 1.23 <comment>You'll need an entry like so:</comment>
247 vapier 1.25 config_eth1=( "dhcp" )
248 vapier 1.1
249     <comment>Static IP Users:</comment>
250     # <i>nano /etc/conf.d/net</i>
251 neysx 1.23 <comment>You'll need entries like so:</comment>
252 vapier 1.1 ifconfig_eth1=( "66.92.78.102 broadcast 66.92.78.255 netmask 255.255.255.0" )
253 neysx 1.23 routes_eth1=( "default gw 66.92.78.1" )
254 vapier 1.1 # <i>nano /etc/resolv.conf</i>
255 neysx 1.23 <comment>Add one line per DNS server:</comment>
256     nameserver 123.123.123.123
257 vapier 1.1
258     <comment>Dynamic and Static Setup:</comment>
259 vapier 1.30 # <i>ln -s net.lo /etc/init.d/net.eth1</i>
260 vapier 1.1 # <i>rc-update add net.eth1 default</i>
261     # <i>/etc/init.d/net.eth1 start</i>
262     </pre>
263    
264     <p>
265     You should be all set to go now.
266     </p>
267    
268     </body>
269     </section>
270     </chapter>
271    
272     <chapter>
273     <title>Hug the LAN (bring along some friends)</title>
274     <section>
275     <body>
276    
277     <p>
278     This step is a breeze compared to the previous one.
279     </p>
280    
281     <pre caption="Setting up eth0">
282     # <i>nano /etc/conf.d/net</i>
283 neysx 1.23 <comment>Add a line like the following:</comment>
284     ifconfig_eth0=( "192.168.0.1 broadcast 192.168.0.255 netmask 255.255.255.0" )
285 vapier 1.1 # <i>rc-update add net.eth0 default</i>
286     # <i>/etc/init.d/net.eth0 start</i>
287     </pre>
288    
289     </body>
290     </section>
291     </chapter>
292    
293     <chapter>
294     <title>LAN Services (because we're nice people)</title>
295    
296     <section>
297     <title>DHCP Server</title>
298     <body>
299 neysx 1.23
300 vapier 1.1 <p>
301 neysx 1.23 I bet it'd be nice if everyone else in your house could just plug their
302     computers into the network and things would just work. No need to remember
303     mind-numbing details or make them stare at confusing configuration screens!
304     Life would be grand eh? Introducing the Dynamic Host Configuration Protocol
305     (DHCP) and why you should care.
306 vapier 1.1 </p>
307    
308 vapier 1.2 <p>
309     DHCP is exactly what its name implies. It's a protocol that allows you
310 neysx 1.23 to dynamically configure other hosts automatically. You run a DHCP server on
311 vapier 1.33 the router, give it all the information about your network (valid IPs,
312 neysx 1.23 DNS servers, gateways, etc...), and then when the other hosts start up, they
313     run a DHCP client to automatically configure themselves. No fuss, no muss!
314     For more information about DHCP, you can always visit <uri
315     link="http://en.wikipedia.org/wiki/DHCP">Wikipedia</uri>.
316 vapier 1.2 </p>
317    
318 vapier 1.33 <p>
319     We'll use a package called dnsmasq which provides both DHCP and DNS services.
320     For now lets just focus on the DHCP aspect. Note that if you want to run a
321     different DHCP server, you can find another example in the Fun Things chapter.
322     Also, if you wish to tinker with the DHCP server settings, just read the
323     comments in <path>/etc/dnsmasq.conf</path>. All the defaults should work fine
324     though.
325     </p>
326    
327     <pre caption="Setting up a DHCP server">
328     # <i>emerge dnsmasq</i>
329     # <i>nano /etc/dnsmasq.conf</i>
330     <comment>You should need to just add this one line:</comment>
331     dhcp-range=192.168.0.100,192.168.0.250,72h
332    
333     # <i>nano /etc/conf.d/dnsmasq</i>
334     <comment>Add "-i eth0" to DNSMASQ_OPTS</comment>
335     # <i>rc-update add dnsmasq default</i>
336     # <i>/etc/init.d/dnsmasq start</i>
337 vapier 1.1 </pre>
338    
339     <p>
340 neysx 1.23 Now your little router is a bona-fide DHCP server! Plugin those computers and
341     watch them work! With Windows systems you should go into the TCP/IP Properties
342     and select the 'Obtain an IP address automatically' and 'Obtain DNS server
343     address automatically' options. Sometimes the changes aren't instantaneous, so
344 vapier 1.31 you may have to open a command prompt and run <c>ipconfig /release</c> and
345 neysx 1.23 <c>ipconfig /renew</c>. But enough about Windows, let's get back to our
346     favorite penguin.
347 vapier 1.1 </p>
348 neysx 1.23
349 vapier 1.1 </body>
350     </section>
351    
352     <section>
353     <title>DNS Server</title>
354     <body>
355 neysx 1.23
356 vapier 1.2 <p>
357 neysx 1.23 When people want to visit a place on the internet, they remember names, not a
358 vapier 1.33 string of funky numbers. After all, what's easier to remember, ebay.com or
359 neysx 1.23 66.135.192.87? This is where the DNS steps in. DNS servers run all over the
360     internet, and whenever someone wants to visit 'ebay.com', these servers turn
361     'ebay.com' (what we understand) into '66.135.192.87' (what our computers
362     understand). For more information about DNS, you can always visit <uri
363     link="http://en.wikipedia.org/wiki/DNS">Wikipedia</uri>.
364 vapier 1.2 </p>
365 vapier 1.1
366     <p>
367 vapier 1.33 Since we're using dnsmasq for our DHCP server, and it includes a DNS server,
368     you've got nothing left to do here! Your little router is already providing
369     DNS to its DHCP clients. Bet you wish everything was this easy ;).
370 vapier 1.1 </p>
371    
372     <p>
373 vapier 1.33 You're welcome to choose other DNS servers if you're more comfortable with
374     them, but the reason dnsmasq is great is because it was designed to do exactly
375     what we want and nothing more. It's a little DNS caching/forwarding server for
376     local networks. We're not looking to provide DNS for our own domain here, just
377     offer simple DNS services to everyone else on our LAN.
378 vapier 1.1 </p>
379    
380     </body>
381     </section>
382    
383     <section>
384 vapier 1.4 <title>NAT (a.k.a. IP-masquerading)</title>
385 vapier 1.1 <body>
386    
387     <p>
388 neysx 1.23 At this point, people on your network can talk to each other and they can look
389     up hostnames via DNS, but they still can't actually connect to the internet.
390     While you may think that's great (more bandwidth for you!), I bet they're not
391     too happy just yet.
392 vapier 1.1 </p>
393    
394 vapier 1.2 <p>
395 vapier 1.33 This is where Network Address Translation (NAT) steps in. NAT is a way of
396     connecting multiple computers in a private LAN to the internet when you have a
397     smaller number of public IP addresses available to you. Typically you are given
398     1 IP by your ISP, but you want to let your whole house connect to the internet.
399     NAT is the magic that makes this possible. For more information about NAT, you
400     can always visit <uri link="http://en.wikipedia.org/wiki/NAT">Wikipedia</uri>.
401 vapier 1.2 </p>
402    
403     <note>
404 neysx 1.23 Before we get started, make sure you have iptables on your system. Although it
405     is automatically installed on most systems, you may not have it. If you don't,
406     just run <c>emerge iptables</c>.
407 vapier 1.2 </note>
408    
409 vapier 1.1 <pre caption="Setting up iptables">
410     <comment>First we flush our current rules</comment>
411     # <i>iptables -F</i>
412     # <i>iptables -t nat -F</i>
413    
414 vapier 1.33 <comment>Setup default policies to handle unmatched traffic</comment>
415 vapier 1.32 # <i>iptables -P INPUT ACCEPT</i>
416     # <i>iptables -P OUTPUT ACCEPT</i>
417     # <i>iptables -P FORWARD DROP</i>
418    
419 vapier 1.30 <comment>Copy and paste these examples ...</comment>
420     # <i>export LAN=eth0</i>
421     # <i>export WAN=eth1</i>
422    
423 vapier 1.1 <comment>Then we lock our services so they only work from the LAN</comment>
424 vapier 1.30 # <i>iptables -I INPUT 1 -i ${LAN} -j ACCEPT</i>
425 vapier 1.1 # <i>iptables -I INPUT 1 -i lo -j ACCEPT</i>
426 vapier 1.30 # <i>iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT</i>
427     # <i>iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT</i>
428 vapier 1.1
429 vapier 1.21 <comment>(Optional) Allow access to our ssh server from the WAN</comment>
430 vapier 1.30 # <i>iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT</i>
431 vapier 1.21
432 vapier 1.1 <comment>Drop TCP / UDP packets to privileged ports</comment>
433 vapier 1.30 # <i>iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP</i>
434     # <i>iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP</i>
435 vapier 1.1
436     <comment>Finally we add the rules for NAT</comment>
437 vapier 1.30 # <i>iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP</i>
438     # <i>iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT</i>
439     # <i>iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT</i>
440     # <i>iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE</i>
441 vapier 1.1 <comment>Tell the kernel that ip forwarding is OK</comment>
442     # <i>echo 1 > /proc/sys/net/ipv4/ip_forward</i>
443     # <i>for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done</i>
444    
445     <comment>This is so when we boot we don't have to run the rules by hand</comment>
446     # <i>/etc/init.d/iptables save</i>
447     # <i>rc-update add iptables default</i>
448 vapier 1.14 # <i>nano /etc/sysctl.conf</i>
449     <comment>Add/Uncomment the following lines:
450     net.ipv4.ip_forward = 1
451     net.ipv4.conf.default.rp_filter = 1</comment>
452 vapier 1.1 </pre>
453    
454     <p>
455 neysx 1.23 Once you've typed out all of that, the rest of your network should now be able
456     to use the internet as if they were directly connected themselves.
457 vapier 1.1 </p>
458    
459 vapier 1.3 </body>
460     </section>
461     </chapter>
462    
463     <chapter>
464     <title>Fun Things (for a rainy day)</title>
465    
466     <section>
467     <title>Intro</title>
468     <body>
469 neysx 1.23
470 vapier 1.1 <p>
471 neysx 1.23 Believe it or not, you're done :). From here on out, I'll cover a bunch of
472     common topics that may interest you. Everything in this chapter is completely
473     optional.
474 vapier 1.1 </p>
475 neysx 1.23
476 vapier 1.3 </body>
477     </section>
478 vapier 1.1
479 vapier 1.3 <section>
480     <title>Port Forwarding</title>
481     <body>
482 neysx 1.23
483 vapier 1.3 <p>
484 neysx 1.23 Sometimes you would like to be able to host services on a computer behind the
485     router, or just to make your life easier when connecting remotely. Perhaps you
486     want to run a FTP, HTTP, SSH, or VNC server on one or more machines behind your
487     router and be able to connect to them all. The only caveat is that you can
488     only have one service/machine combo per port. For example, there is no
489     practical way to setup three FTP servers behind your router and then try to
490     connect to them all through port 21; only one can be on port 21 while the
491     others would have to be on say port 123 and port 567.
492 vapier 1.3 </p>
493    
494     <p>
495 neysx 1.23 All the port forwarding rules are of the form <c>iptables -t nat -A PREROUTING
496 vapier 1.30 [-p protocol] --dport [external port on router] -i ${WAN} -j DNAT --to [ip/port
497 vapier 1.33 to forward to]</c>. Unfortunately, iptables does not accept hostnames when port
498     forwarding. If you are forwarding an external port to the same port on the
499     internal machine, you can omit the destination port. See the iptables(8) man
500     page for more information.
501 vapier 1.3 </p>
502    
503 swift 1.28 <pre caption="Running the iptables commands">
504 vapier 1.30 <comment>Copy and paste these examples ...</comment>
505     # <i>export LAN=eth0</i>
506     # <i>export WAN=eth1</i>
507    
508 vapier 1.3 <comment>Forward port 2 to ssh on an internal host</comment>
509 vapier 1.30 # <i>iptables -t nat -A PREROUTING -p tcp --dport 2 -i ${WAN} -j DNAT --to 192.168.0.2:22</i>
510 vapier 1.3
511     <comment>FTP forwarding to an internal host</comment>
512 vapier 1.30 # <i>iptables -t nat -A PREROUTING -p tcp --dport 21 -i ${WAN} -j DNAT --to 192.168.0.56</i>
513 vapier 1.3
514     <comment>HTTP forwarding to an internal host</comment>
515 vapier 1.30 # <i>iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to 192.168.0.56</i>
516 vapier 1.3
517     <comment>VNC forwarding for internal hosts</comment>
518 vapier 1.30 # <i>iptables -t nat -I PREROUTING -p tcp --dport 5900 -i ${WAN} -j DNAT --to 192.168.0.2</i>
519     # <i>iptables -t nat -I PREROUTING -p tcp --dport 5901 -i ${WAN} -j DNAT --to 192.168.0.3:5900</i>
520 vapier 1.3 <comment>If you want to VNC in to 192.168.0.3, then just add ':1' to the router's hostname</comment>
521    
522     <comment>Bittorrent forwarding</comment>
523 vapier 1.30 # <i>iptables -t nat -A PREROUTING -p tcp --dport 6881:6889 -i ${WAN} -j DNAT --to 192.168.0.2</i>
524 vapier 1.15
525 vapier 1.33 <comment>eDonkey/eMule forwarding</comment>
526     # <i>iptables -t nat -A PREROUTING -p tcp --dport 4662 -i ${WAN} -j DNAT --to 192.168.0.55</i>
527    
528 vapier 1.15 <comment>Game Cube Warp Pipe support</comment>
529 vapier 1.30 # <i>iptables -t nat -A PREROUTING -p udp --dport 4000 -i ${WAN} -j DNAT --to 192.168.0.56</i>
530 vapier 1.15
531 vapier 1.33 <comment>Playstation 2 Online support</comment>
532 vapier 1.30 # <i>iptables -t nat -A PREROUTING -p tcp --dport 10070:10080 -i ${WAN} -j DNAT --to 192.168.0.11</i>
533     # <i>iptables -t nat -A PREROUTING -p udp --dport 10070:10080 -i ${WAN} -j DNAT --to 192.168.0.11</i>
534 vapier 1.34
535     <comment>Xbox Live</comment>
536     # <i>iptables -t nat -A PREROUTING -p tcp --dport 3074 -i ${WAN} -j DNAT --to 192.168.0.69</i>
537     # <i>iptables -t nat -A PREROUTING -p udp --dport 3074 -i ${WAN} -j DNAT --to 192.168.0.69</i>
538     # <i>iptables -t nat -A PREROUTING -p udp --dport 88 -i ${WAN} -j DNAT --to 192.168.0.69</i>
539 vapier 1.3 </pre>
540    
541     <note>
542 neysx 1.23 If you have other common / cool examples, please <uri
543     link="mailto:vapier@gentoo.org">e-mail me</uri>.
544 vapier 1.3 </note>
545 neysx 1.23
546 vapier 1.3 </body>
547     </section>
548    
549     <section>
550     <title>Identd (for IRC)</title>
551     <body>
552 neysx 1.23
553 vapier 1.3 <p>
554 neysx 1.23 Internet Relay Chat utilizes the ident service pretty heavily. Now that the
555     IRC clients are behind the router, we need a way to host ident for both the
556     router and the clients. One such server has been created called
557     <c>midentd</c>.
558 vapier 1.3 </p>
559    
560     <pre caption="Setting up ident">
561     # <i>emerge midentd</i>
562     # <i>rc-update add midentd default</i>
563     # <i>/etc/init.d/midentd start</i>
564     </pre>
565    
566     <p>
567 neysx 1.23 There are a few other ident servers in portage. Depending on your needs, I
568     would recommend checking out <c>oidentd</c> and <c>fakeidentd</c>.
569 vapier 1.3 </p>
570 neysx 1.23
571 vapier 1.3 </body>
572     </section>
573    
574 vapier 1.5 <!--
575     <section>
576     <title>Traffic Shaping</title>
577     <body>
578     <p>
579     This is an attempt to simply and Gentooify the <uri link="http://www.tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/">ADSL Bandwidth Management HOWTO</uri>
580     found over at the TLDP. Feel free to refer to the original document
581     for more details.
582     </p>
583    
584     <p>
585     Here we will be setting up what some people refer to as a "Packet Shaper",
586     <uri link="http://en.wikipedia.org/wiki/Traffic_shaping">"Traffic Shaping"</uri>,
587     or <uri link="http://en.wikipedia.org/wiki/QoS">"Quality of Service"</uri>.
588     Simply put, we want to setup rules on our router that will slow down
589     certain activities (like sending large e-mails or downloading from P2P
590     networks) while keeping other activities (like browsing the web or playing
591     online video games) reasonably fast. A 30 second difference in a video
592     game is a lot worse than a 30 second difference in downloading large
593     files :).
594     </p>
595    
596     <p>
597     The first thing is to make sure your kernel has all the features added to
598     it. See the chapter on <uri link="#doc_chap2">Kernel setup</uri> for more
599     information. Next, you will need to <c>emerge iptables iputils</c> so that
600     you will have access to the <c>iptables</c>, <c>ip</c>, and <c>tc</c>
601     commands.
602     </p>
603    
604     <p>
605     Before we jump into the commands, let's cover a little of the theory. The
606     way this whole system works is to classify common network streams and then
607     to prioritize them. You use iptables to classify network streams, iputils
608     to define the different priority levels, and the kernel to adjust speeds.
609     Just remember that although you can control outbound traffic pretty tightly
610     (from the LAN to the WAN), your ability to control inbound traffic (from
611     the WAN to the LAN) is somewhat limited. Just remember that the following
612     examples are to get your feet wet; if you want more then I'd suggest
613     reading up on the subject. In this example, we will be using the
614     <uri link="http://luxik.cdi.cz/~devik/qos/htb/">Hierarchical Token Buckets (HTB)</uri>
615     packet scheduling algorithm. Still with me? Great, let's start shaping :).
616     </p>
617    
618     <pre caption="Setup">
619     DEV=eth1 <comment>NIC connected to WAN</comment>
620     RATE_OUT=100 <comment>Available outbound bandwidth (in kilobits [kb])</comment>
621     RATE_IN=1400 <comment>Available inbound bandwidth (in kb)</comment>
622    
623     <comment>Here we initialize the priority system. The 45 is used to set the default classification level.</comment>
624     ip link set dev ${DEV} qlen 30
625     tc qdisc add dev ${DEV} root handle 1: htb default 45
626     tc class add dev ${DEV} parent 1: classid 1:1 htb rate ${RATE_OUT}kbit
627     </pre>
628    
629     <p>
630     Here we initialized the system which will be used to prioritize all of
631     our network traffic. We created our queue, told it to use the HTB
632     algorithm, and set the default classification level to '45'. The
633     default is completely arbitrary, as are the levels we choose from
634     here on out. The only thing that matters is how the levels compare
635     relatively; a level '10' packet will be given preference over a
636     level '45' packet. Let's move on to declaring different levels.
637     </p>
638    
639     <pre caption="Declaring levels">
640     tc class add dev $DEV parent 1:1 classid 1:10 htb rate $rkbit ceil $tkbit prio $p
641     tc qdisc add dev $DEV parent 1:10 handle 10: sfq
642     </pre>
643     </body>
644     </section>
645     -->
646    
647 vapier 1.3 <section>
648 vapier 1.9 <title>Time Server</title>
649     <body>
650 neysx 1.23
651 vapier 1.9 <p>
652 vapier 1.24 Keeping your system time correct is essential in maintaining a healthy system.
653 neysx 1.23 One of the most common ways of accomplishing this is with the Network Time
654     Protocol (NTP) and the ntp package (which provides implementations for both
655     server and client).
656 vapier 1.9 </p>
657    
658     <p>
659 neysx 1.23 Many people run ntp clients on their computers. Obviously, the more clients in
660     the world, the larger the load the ntp servers need to shoulder. In
661     environments like home networks though, we can help keep the load down on
662     public servers while still providing the proper time to all our computers. As
663     an added bonus, our private updates will be a lot faster for the clients too!
664     All we have to do is run a ntp server on our router that synchronizes itself
665     with the public internet servers while providing the time to the rest of the
666     computers in the network. To get started, simply <c>emerge ntp</c> on the
667 vapier 1.9 router.
668     </p>
669    
670     <pre caption="Setting up the NTP server">
671     # <i>nano /etc/conf.d/ntp-client</i>
672     <comment>Customize if you wish but the defaults should be fine</comment>
673     # <i>rc-update add ntp-client default</i>
674    
675     # <i>nano /etc/ntp.conf</i>
676 neysx 1.23 <comment>Add the follwing lines:</comment>
677 vapier 1.9 restrict default ignore
678     restrict 192.168.0.0 mask 255.255.255.0 notrust nomodify notrap
679 neysx 1.23 <comment>These will allow only ntp clients with an IP
680     address in the 192.168.0.xxx range to use your ntp server</comment>
681 vapier 1.9 # <i>nano /etc/conf.d/ntpd</i>
682     <comment>Customize if you wish but the defaults should be fine</comment>
683 vapier 1.17 # <i>rc-update add ntpd default</i>
684 vapier 1.9
685     # <i>/etc/init.d/ntp-client start</i>
686     # <i>/etc/init.d/ntpd start</i>
687     </pre>
688    
689 vapier 1.22 <note>
690 neysx 1.23 You should make sure that you allow inbound and outbound communication on the
691     ntp port (123/udp) when setting up the server. The client just needs outbound
692     access on port 123 over udp.
693 vapier 1.22 </note>
694    
695 vapier 1.9 <p>
696 neysx 1.23 Now, on your clients, have them <c>emerge ntp</c> also. However, we will just
697     run the ntp client so setup is a lot simpler.
698 vapier 1.9 </p>
699    
700     <pre caption="Setting up a NTP client">
701     # <i>nano /etc/conf.d/ntp-client</i>
702     <comment>Change the 'pool.ntp.org' server in the NTPCLIENT_OPTS variable to '192.168.0.1'</comment>
703     # <i>rc-update add ntp-client default</i>
704     # <i>/etc/init.d/ntp-client start</i>
705     </pre>
706 neysx 1.23
707 vapier 1.9 </body>
708     </section>
709    
710     <section>
711 vapier 1.29 <title>Rsync Server</title>
712     <body>
713    
714     <p>
715     For those who run multiple Gentoo boxes on the same lan, you often want to
716     keep from having every machine running <c>emerge sync</c> with remote
717     servers. By setting up a local rsync, you save on both your bandwidth and
718     the Gentoo rsync servers' bandwidth. It's pretty simple to do.
719     </p>
720     <note>
721     For a much more in-depth rsync guide, please see the official <uri
722     link="/doc/en/rsync.xml#doc_chap4">rsync guide</uri>
723     </note>
724    
725     <p>
726     Since every Gentoo machine requires rsync, theres no need to emerge it. Edit
727     the default <path>/etc/rsyncd.conf</path> config file, uncomment the
728     <c>[gentoo-portage]</c> section, and make sure you add an <c>address</c>
729     option. All the other defaults should be fine.
730     </p>
731    
732     <pre caption="Rsync server config">
733     pid file = /var/run/rsyncd.pid
734     use chroot = yes
735     read only = yes
736     address = 192.168.0.1
737    
738     [gentoo-portage]
739     path = /mnt/space/portage
740     comment = Gentoo Linux Portage tree
741     exclude = /distfiles /packages
742     </pre>
743    
744     <p>
745     Then you need to start the service (again, the defaults are OK).
746     </p>
747    
748     <pre caption="Starting the rsync server">
749     # <i>/etc/init.d/rsyncd start</i>
750     # <i>rc-update add rsyncd default</i>
751     </pre>
752    
753     <p>
754     Only thing left is to set tell your clients to sync against the router.
755     </p>
756    
757     <pre caption="Client SYNC settings in make.conf">
758     SYNC="rsync://192.168.0.1/gentoo-portage"
759     </pre>
760    
761     </body>
762     </section>
763    
764     <section>
765 vapier 1.3 <title>Mail Server</title>
766     <body>
767 neysx 1.23
768 vapier 1.3 <p>
769 neysx 1.23 Sometimes it's nice to run your own Simple Mail Transfer Protocol (SMTP) server
770     on the router. You may have your own reason for wanting to do so, but I run it
771     so that the users see mail as being sent instantly and the work of
772     retrying/routing is left up to the mail server. Some ISPs also don't allow for
773     mail relaying for accounts that aren't part of their network (like Verizon).
774     Also, you can easily throttle the delivery of mail so that large attachments
775     won't seriously lag your connection for half an hour.
776 vapier 1.4 </p>
777    
778     <pre caption="Setting up SMTP">
779     # <i>emerge qmail</i>
780     <comment>make sure the output of `hostname` is correct</comment>
781     # <i>ebuild /var/db/pkg/*-*/qmail-1.03-r*/*.ebuild config</i>
782 vapier 1.30 # <i>iptables -I INPUT -p tcp --dport smtp -i ! ${LAN} -j REJECT</i>
783 vapier 1.4 # <i>ln -s /var/qmail/supervise/qmail-send /service/qmail-send</i>
784 vapier 1.10 # <i>ln -s /var/qmail/supervise/qmail-smtpd /service/qmail-smtpd</i>
785 vapier 1.13 <!--
786 vapier 1.4 # <i>cd /etc/tcprules.d</i>
787     # <i>nano tcp.qmail-smtp</i>
788 vapier 1.13 -->
789     # <i>cd /etc</i>
790     # <i>nano tcp.smtp</i>
791 neysx 1.23 <comment>Add an entry like so to the allow section:</comment>
792     192.168.0.:allow,RELAYCLIENT=""
793 vapier 1.13 <!--
794 vapier 1.4 # <i>tcprules tcp.qmail-qmtp.cdb rules.tmp &lt; tcp.qmail-smtp</i>
795 vapier 1.13 -->
796     # <i>tcprules tcp.smtp.cdb rules.tmp &lt; tcp.smtp</i>
797 vapier 1.4 # <i>rc-update add svscan default</i>
798     # <i>/etc/init.d/svscan start</i>
799     </pre>
800    
801     <p>
802 neysx 1.23 I'm a huge fan of qmail, but you're free to use a different mta :). When you
803     setup e-mail on the hosts in your network, tell them that their SMTP server is
804     192.168.0.1 and everything should be peachy. You might want to visit the <uri
805     link="http://qmail.org/">qmail homepage</uri> for more documentation.
806 vapier 1.3 </p>
807 neysx 1.23
808 vapier 1.3 </body>
809     </section>
810    
811 vapier 1.4 <!--
812 vapier 1.3 <section>
813 vapier 1.4 <title>E-mail Virus Scanning</title>
814 vapier 1.3 <body>
815     <p>
816 vapier 1.4 If you'd like to provide e-mail virus scanning for your users, but
817     don't want to have to install a virus scanner on every single machine,
818     then <c>pop3vscan</c> may just be the thing for you; a transparent
819     Post Office Protocol (POP) scanner.
820 vapier 1.3 </p>
821 vapier 1.4
822     <pre caption="Setting up pop3vscan">
823     TODO
824     </pre>
825    
826 vapier 1.3 </body>
827     </section>
828 vapier 1.4 -->
829 vapier 1.3
830 vapier 1.33 <section>
831     <title>Full DHCP Server</title>
832     <body>
833    
834     <p>
835     Earlier we used dnsmasq to provide DHCP service to all our clients. For most
836     people with a simple small LAN, this is perfect. But you may need something
837     with more features. Thus we turn to a full-featured DHCP server as provided
838     by the <uri link="http://www.isc.org/products/DHCP">ISC</uri> folks.
839     </p>
840    
841     <pre caption="Setting up dhcpd">
842     # <i>emerge dhcp</i>
843     # <i>nano /etc/dhcp/dhcpd.conf</i>
844     <comment>(Here is a sample configuration file:)</comment>
845     authoritative;
846     ddns-update-style interim;
847     subnet 192.168.0.0 netmask 255.255.255.0 {
848     range 192.168.0.100 192.168.0.250;
849     default-lease-time 259200;
850     max-lease-time 518400;
851     option subnet-mask 255.255.255.0;
852     option broadcast-address 192.168.0.255;
853     option routers 192.168.0.1;
854     option domain-name-servers 192.168.0.1;
855     }
856     # <i>nano /etc/conf.d/dhcp</i>
857     <comment>(Set IFACE="eth0")</comment>
858     # <i>rc-update add dhcp default</i>
859     # <i>/etc/init.d/dhcp start</i>
860     </pre>
861    
862     <p>
863     This is the minimal setup required to replace the dnsmasq DHCP functionality
864     that we used earlier. Speaking of which, you did remember to disable the DHCP
865     features in dnsmasq didn't you? If not, you should do so now (just comment
866     out the <c>dhcp-range</c> setting in <path>/etc/dnsmasq.conf</path> and restart
867     the service).
868     </p>
869    
870     </body>
871     </section>
872    
873 vapier 1.4 </chapter>
874    
875     <chapter>
876 vapier 1.30 <title>Troubleshooting</title>
877 vapier 1.27
878     <section>
879     <title>Useful Tools</title>
880     <body>
881    
882     <p>
883     If you're having trouble getting your computers to communicate, you may way to
884     try out the following tools (they can all be found in the <c>net-analyzer</c>
885     portage category):
886     </p>
887    
888     <table>
889     <tr>
890     <th>Utility</th>
891     <th>Description</th>
892     </tr>
893     <tr>
894     <ti>ethereal</ti>
895     <ti>GUI tool to view all raw network data according to filters</ti>
896     </tr>
897     <tr>
898     <ti>tcpdump</ti>
899     <ti>Console tool to dump all raw network data according to filters</ti>
900     </tr>
901     <tr>
902     <ti>iptraf</ti>
903     <ti>ncurses based IP LAN monitor</ti>
904     </tr>
905     <tr>
906     <ti>ettercap</ti>
907     <ti>ncurses based network monitor/control</ti>
908     </tr>
909     </table>
910    
911     </body>
912     </section>
913    
914     <section>
915 vapier 1.31 <title>DHCP Fails To Start</title>
916     <body>
917    
918     <p>
919     When starting the dhcp init.d script for the first time, it may fail to load
920     but neglect to give you any useful info.
921     </p>
922    
923     <pre caption="DHCP Failing Example">
924     # <i>/etc/init.d/dhcp start</i>
925     * Setting ownership on dhcp.leases ... [ ok ]
926     * Starting dhcpd ... [ !! ]
927     </pre>
928    
929     <p>
930     The trick is to know where dhcpd is sending its output. Simply browse to
931     /var/log and read the log files. Since the exact log file depends on the
932     package you are using as a syslog, try running <c>grep -Rl dhcpd /var/log</c>
933     to narrow down the possibilities. Chances are you made a typo in your config
934     file. You could also try running <c>dhcpd -d -f</c> (short for debug /
935     foreground) and debug the error based upon the output.
936     </p>
937    
938     </body>
939     </section>
940    
941     <section>
942 vapier 1.27 <title>Incorrect MTU Value</title>
943     <body>
944    
945     <p>
946     If you experience odd errors (such as not being some webpages while others
947     load fine), you may be having Path MTU Discovery trouble. The quick way to
948     test is to run this iptables command:
949     </p>
950    
951     <pre caption="Circumvent MTU issues">
952     # <i>iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu</i>
953     </pre>
954    
955     <p>
956     This will affect all new connections, so just refresh the website you're
957     having problems with in order to test. In case it helps, the standard MTU
958     value for 100mbit ethernet connections is <c>1500</c> while for PPPoE
959     connections it is <c>1492</c>. For more info, you should read Chapter 15
960     of the <uri link="http://lartc.org/howto/">Linux Advanced Routing &amp;
961     Traffic Control HOWTO</uri>.
962     </p>
963    
964     </body>
965     </section>
966    
967     </chapter>
968    
969     <chapter>
970 vapier 1.4 <title>Final Notes</title>
971 vapier 1.3 <section>
972     <body>
973 neysx 1.23
974 vapier 1.3 <p>
975 neysx 1.23 I have no final notes other than if you experience any troubles with the guide,
976     please contact <mail link="vapier@gentoo.org">me</mail> or file a bug with <uri
977     link="http://bugs.gentoo.org/">Gentoo's Bugtracking Website</uri>. If you have
978     some interesting bits you think would enhance this guide, by all means send it
979     my way for inclusion.
980 vapier 1.3 </p>
981 neysx 1.23
982 vapier 1.1 </body>
983     </section>
984     </chapter>
985     </guide>

  ViewVC Help
Powered by ViewVC 1.1.20