Contents of /xml/htdocs/doc/en/home-router-howto.xml (Gentoo CVS, gentoo/xml/htdocs/doc/en)

Revision 1.53, Sat Oct 21 21:04:48 2006 UTC, by vapier
Branch: MAIN
Changes since 1.52: +4 -4 lines
File MIME type: application/xml
Commit message: s/ethereal/wireshark/ as reported by Philip Stone

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/home-router-howto.xml,v 1.52 2006/09/16 05:29:33 vapier Exp $ -->

<guide link="/doc/en/home-router-howto.xml" lang="en">
<title>Home Router Guide</title>

<author title="Author">
<mail link="vapier@gentoo.org">Mike Frysinger</mail>
</author>

<abstract>
This document details how to turn an old Gentoo machine into a router
for connecting your home network to the internet.
</abstract>

<!-- The content of this document is released into the public domain -->
<license/>

<version>1.32</version>
<date>2006-10-21</date>

<chapter>
<title>Introduction</title>
<section>
<body>

<p>
Building your own router out of old spare parts has many advantages over buying
a pre-made canned router from, say, Linksys. The biggest one by far is control
over the connection. The other advantages are left up to your imagination;
just about anything can be done in this scenario, it's just a matter of needing
it.
</p>

<p>
This guide will show you how to set up Network Address Translation (NAT) on the
router (kernel and iptables), add and configure common services (Domain Name
System (DNS) and DHCP via dnsmasq, ADSL via rp-pppoe), and conclude with more
elaborate and fun things that can be done (port forwarding, traffic shaping,
proxies/caching, etc...).
</p>

<p>
Before getting started, there are a few basic requirements you must meet. First,
you'll need a computer that has at least 2 Network Interface Cards (NICs) in
it. Next, you'll need the configuration settings for your internet connection
(may include things like IP/DNS/Gateway/username/password). Finally, you'll
need a bit of spare time and some Gentoo loving.
</p>

<p>
The conventions used in this guide are:
</p>

<ul>
<li>eth0 - NIC connected to the Local Area Network (LAN)</li>
<li>eth1 - NIC connected to the Wide Area Network (WAN)</li>
<li>LAN utilizes the private 192.168.0.xxx network</li>
<li>router is hardcoded to the standard 192.168.0.1 IP</li>
<li>router is running Linux 2.4 or 2.6; you're on your own with 2.0/2.2</li>
</ul>

<impo>
As a security precaution, shut down any unneeded services on the router until
the firewall is up and rolling: until then, every listening service is reachable
from the WAN side. To view the currently running services, just run
<c>rc-status</c>.
</impo>

</body>
</section>
</chapter>

<chapter>
<title>Kernel setup (know thyself first)</title>
<section>
<body>

<p>
Your kernel needs to have the drivers loaded for both your NICs. To see if
your cards are already set up, just run <c>ifconfig -a</c>. Your output may
differ slightly from the following, that's fine. What matters is that both
interfaces show up at all.
</p>

<pre caption="Checking NICs">
# <i>ifconfig -a</i>
eth0      Link encap:Ethernet  HWaddr 00:60:F5:07:07:B8
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:11 Base address:0x9800

eth1      Link encap:Ethernet  HWaddr 00:60:F5:07:07:B9
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:10 Base address:0x9400
</pre>

<p>
If you do not see your two cards showing up and you're not sure what kind of
cards you have, try running <c>lspci | grep Ethernet</c>. You can get that
from <c>emerge pciutils</c>. Once you have this information, go into your
kernel and add support for the correct drivers.
</p>

<p>
The next thing you'll need is support for iptables and NAT (and packet shaping
if you want). The following list is split up into always required (*),
required only for ADSL via PPPoE (a), suggested for everyone (x), and only
for shaper (s) features. It does not matter whether you build the features
into the kernel or as modules, so long as the correct module(s) are loaded
whenever the feature is needed (module loading is left to the reader as a fun
exercise however).
</p>

<pre caption="Network Options">
Networking options ---&gt;
  [*] TCP/IP networking
  [*] IP: advanced router
  [*] Network packet filtering (replaces ipchains)
<comment>If you use 2.4.x, you have to enable the following for DHCP:</comment>
  [*] Socket Filtering

  IP: Netfilter Configuration ---&gt;
    [*] Connection tracking (required for masq/NAT)
    [x] FTP protocol support
    [x] IRC protocol support
    [*] IP tables support (required for filtering/masq/NAT)
    [*] IP range match support
    [x] MAC address match support
    [*] Multiple port match support
    [*] Packet filtering
    [*] REJECT target support
    [x] REDIRECT target support
    [*] Full NAT
    [*] MASQUERADE target support
    [s] Packet mangling
    [s] MARK target support
    [x] LOG target support

  QoS and/or fair queueing ---&gt;
    [s] QoS and/or fair queueing
    [s] HTB packet scheduler
    [s] Ingress Qdisc

[a] PPP (point-to-point protocol) support
  [a] PPP filtering
  [a] PPP support for async serial ports
  [a] PPP support for sync tty ports
  [a] PPP Deflate compression
  [a] PPP BSD-Compress compression
  [a] PPP over Ethernet
</pre>

<note>
Some things may be slightly different in a 2.4 vs 2.6 kernel, but you should be
able to figure it out :). Even among 2.6 kernels, these options have a
tendency to move around. Good luck!
</note>
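<p>
To check a kernel tree against the always-required (*) options above without
clicking through menuconfig, here is a small shell script added to this page as
an illustration; it is not part of the guide or of the kernel's own tooling.
The CONFIG_ symbol names it looks for are an assumption about how the menu
entries above map onto symbols in the 2.6 kernels of the time, and the sample
.config it checks is constructed for the example.
</p>

```sh
#!/bin/sh
# Added example, not part of the Gentoo guide: check a kernel .config for
# the netfilter/NAT options the guide marks as always required (*).
# Assumption: the CONFIG_ symbol names below are the ones used by the 2.6
# kernels current when the guide was written; they move between kernel
# versions (ip_conntrack later became nf_conntrack, for instance), so edit
# REQUIRED_SYMBOLS to match the tree you are building.

REQUIRED_SYMBOLS='CONFIG_NETFILTER
CONFIG_IP_ADVANCED_ROUTER
CONFIG_IP_NF_CONNTRACK
CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_FILTER
CONFIG_IP_NF_TARGET_REJECT
CONFIG_IP_NF_NAT
CONFIG_IP_NF_TARGET_MASQUERADE'

# check_kernel_config: read a .config on stdin, print every required symbol
# that is neither =y nor =m, and succeed only when nothing is missing.
check_kernel_config() {
    cfg=$(cat)
    missing=0
    for sym in $REQUIRED_SYMBOLS; do
        if printf '%s\n' "$cfg" | grep -q "^$sym=[ym]\$"; then
            continue
        fi
        printf '%s\n' "$sym"
        missing=1
    done
    return $missing
}

# Constructed sample: NAT present, but conntrack and MASQUERADE left out
sample_config() {
    printf '%s\n' \
        'CONFIG_NETFILTER=y' \
        'CONFIG_IP_ADVANCED_ROUTER=y' \
        '# CONFIG_IP_NF_CONNTRACK is not set' \
        'CONFIG_IP_NF_IPTABLES=m' \
        'CONFIG_IP_NF_FILTER=m' \
        'CONFIG_IP_NF_TARGET_REJECT=m' \
        'CONFIG_IP_NF_NAT=m' \
        '# CONFIG_IP_NF_TARGET_MASQUERADE is not set'
}

# Against a real tree:  cat /usr/src/linux/.config | check_kernel_config
# (or zcat /proc/config.gz | check_kernel_config if the kernel exports it)
if sample_config | check_kernel_config; then
    echo 'kernel config OK'
else
    echo 'missing options listed above'
fi
```

<p>
The check accepts <c>=m</c> as well as <c>=y</c>, matching the guide's remark
that modules are fine as long as they get loaded; a symbol that is commented
out as "is not set" counts as missing.
</p>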

</body>
</section>
</chapter>

<chapter>
<title>Hug the WAN (a.k.a. The Internet)</title>

<section>
<title>Intro</title>
<body>

<p>
There are many ways to connect to the internet so I'll just cover the ones I'm
familiar with. That leaves us with ADSL (PPPoE) and cable modems
(static/dynamic). If there are other methods out there, feel free to write up
a little blurb and e-mail me. Feel free to skip any of the following sections
in this chapter that don't apply to you. This chapter is just about getting
the router connected to the internet via eth1.
</p>

</body>
</section>
<section>
<title>ADSL and PPPoE</title>
<body>

<p>
All the fancy PPPoE software has been bundled up into one nice little package
nowadays called <uri link="http://www.roaringpenguin.com/">Roaring
Penguin</uri>. Simply <c>emerge rp-pppoe</c> and you'll be on your way.
Remember how I said you'll need username/password information? Well I wasn't
lying so I hope you have it now! Load up <path>/etc/ppp/pppoe.conf</path> in
your favorite editor and set it up.
</p>

<note>
In order for the following net settings to work, you must have
baselayout-1.11.14 or later installed on your system.
</note>

<pre caption="Setting up eth1">
<comment>(Replace 'vla9h924' with your username and 'password' with your password)</comment>

# <i>nano /etc/ppp/pap-secrets</i>
<comment># client        server  secret</comment>
"vla9h924"      *       "password"
<comment>(This file holds your ISP password in the clear, so keep it readable by root only)</comment>
# <i>nano /etc/conf.d/net</i>
<comment>Tell baselayout to use adsl for your eth1:</comment>
config_eth1=( "adsl" )
user_eth1=( "vla9h924" )
# <i>ln -s net.lo /etc/init.d/net.eth1</i>
# <i>rc-update add net.eth1 default</i>
# <i>/etc/init.d/net.eth1 start</i>
</pre>

<warn>
When the DSL interface comes up, it will create ppp0. Although your NIC is
called eth1, the IP is actually bound to ppp0. From now on, when you see
examples that utilize 'eth1', substitute 'ppp0'.
</warn>

</body>
</section>

<section>
<title>Cable and/or dynamic/static IP</title>
<body>

<p>
If you have a static IP then you will need a few more details than if
you have a dynamic IP. For static users, you will need your IP,
gateway, and DNS servers.
</p>

<pre caption="Setting up eth1">
<comment>Dynamic IP Users:</comment>
# <i>emerge dhcpcd</i>
# <i>nano /etc/conf.d/net</i>
<comment>You'll need an entry like so:</comment>
config_eth1=( "dhcp" )

<comment>Static IP Users:</comment>
# <i>nano /etc/conf.d/net</i>
<comment>You'll need entries like so:</comment>
config_eth1=( "66.92.78.102 broadcast 66.92.78.255 netmask 255.255.255.0" )
routes_eth1=( "default gw 66.92.78.1" )
# <i>nano /etc/resolv.conf</i>
<comment>Add one line per DNS server:</comment>
nameserver 123.123.123.123

<comment>Dynamic and Static Setup:</comment>
# <i>ln -s net.lo /etc/init.d/net.eth1</i>
# <i>rc-update add net.eth1 default</i>
# <i>/etc/init.d/net.eth1 start</i>
</pre>

<p>
You should be all set to go now.
</p>

</body>
</section>
</chapter>

<chapter>
<title>Hug the LAN (bring along some friends)</title>
<section>
<body>

<p>
This step is a breeze compared to the previous one.
</p>

<pre caption="Setting up eth0">
# <i>nano /etc/conf.d/net</i>
<comment>Add a line like the following:</comment>
config_eth0=( "192.168.0.1 broadcast 192.168.0.255 netmask 255.255.255.0" )
# <i>rc-update add net.eth0 default</i>
# <i>/etc/init.d/net.eth0 start</i>
</pre>

</body>
</section>
</chapter>

<chapter>
<title>LAN Services (because we're nice people)</title>

<section>
<title>DHCP Server</title>
<body>

<p>
I bet it'd be nice if everyone else in your house could just plug their
computers into the network and things would just work. No need to remember
mind-numbing details or make them stare at confusing configuration screens!
Life would be grand eh? Introducing the Dynamic Host Configuration Protocol
(DHCP) and why you should care.
</p>

<p>
DHCP is exactly what its name implies. It's a protocol that allows you
to dynamically configure other hosts automatically. You run a DHCP server on
the router, give it all the information about your network (valid IPs,
DNS servers, gateways, etc...), and then when the other hosts start up, they
run a DHCP client to automatically configure themselves. No fuss, no muss!
For more information about DHCP, you can always visit <uri
link="http://en.wikipedia.org/wiki/DHCP">Wikipedia</uri>.
</p>

<p>
We'll use a package called dnsmasq which provides both DHCP and DNS services.
For now let's just focus on the DHCP aspect. Note that if you want to run a
different DHCP server, you can find another example in the Fun Things chapter.
Also, if you wish to tinker with the DHCP server settings, just read the
comments in <path>/etc/dnsmasq.conf</path>. All the defaults should work fine
though.
</p>

<pre caption="Setting up a DHCP server">
# <i>emerge dnsmasq</i>
# <i>nano /etc/dnsmasq.conf</i>
<comment>Add this line to enable dhcp:</comment>
dhcp-range=192.168.0.100,192.168.0.250,72h
<comment>Restrict dnsmasq to just the LAN interface. With interface= alone dnsmasq
still binds every address and merely discards requests from other interfaces;
bind-interfaces makes it listen on eth0 only, so nothing is answered on the WAN
even before the firewall is up.</comment>
interface=eth0
bind-interfaces

# <i>rc-update add dnsmasq default</i>
# <i>/etc/init.d/dnsmasq start</i>
</pre>

<p>
Now your little router is a bona-fide DHCP server! Plug in those computers and
watch them work! With Windows systems you should go into the TCP/IP Properties
and select the 'Obtain an IP address automatically' and 'Obtain DNS server
address automatically' options. Sometimes the changes aren't instantaneous, so
you may have to open a command prompt and run <c>ipconfig /release</c> and
<c>ipconfig /renew</c>. But enough about Windows, let's get back to our
favorite penguin.
</p>

</body>
</section>

<section>
<title>DNS Server</title>
<body>

<p>
When people want to visit a place on the internet, they remember names, not a
string of funky numbers. After all, what's easier to remember, ebay.com or
66.135.192.87? This is where the DNS steps in. DNS servers run all over the
internet, and whenever someone wants to visit 'ebay.com', these servers turn
'ebay.com' (what we understand) into '66.135.192.87' (what our computers
understand). For more information about DNS, you can always visit <uri
link="http://en.wikipedia.org/wiki/DNS">Wikipedia</uri>.
</p>

<p>
Since we're using dnsmasq for our DHCP server, and it includes a DNS server,
you've got nothing left to do here! Your little router is already providing
DNS to its DHCP clients. Bet you wish everything was this easy ;).
</p>

<p>
You're welcome to choose other DNS servers if you're more comfortable with
them, but the reason dnsmasq is great is because it was designed to do exactly
what we want and nothing more. It's a little DNS caching/forwarding server for
local networks. We're not looking to provide DNS for our own domain here, just
offer simple DNS services to everyone else on our LAN.
</p>

</body>
</section>

<section>
<title>NAT (a.k.a. IP-masquerading)</title>
<body>

<p>
At this point, people on your network can talk to each other and they can look
up hostnames via DNS, but they still can't actually connect to the internet.
While you may think that's great (more bandwidth for you!), I bet they're not
too happy just yet.
</p>

<p>
This is where Network Address Translation (NAT) steps in. NAT is a way of
connecting multiple computers in a private LAN to the internet when you have a
smaller number of public IP addresses available to you. Typically you are given
1 IP by your ISP, but you want to let your whole house connect to the internet.
NAT is the magic that makes this possible. For more information about NAT, you
can always visit <uri link="http://en.wikipedia.org/wiki/NAT">Wikipedia</uri>.
</p>

<note>
Before we get started, make sure you have iptables on your system. Although it
is automatically installed on most systems, you may not have it. If you don't,
just run <c>emerge iptables</c>.
</note>

<pre caption="Setting up iptables">
<comment>First we flush our current rules</comment>
# <i>iptables -F</i>
# <i>iptables -t nat -F</i>

<comment>Setup default policies to handle unmatched traffic</comment>
# <i>iptables -P INPUT ACCEPT</i>
# <i>iptables -P OUTPUT ACCEPT</i>
# <i>iptables -P FORWARD DROP</i>

<comment>Copy and paste these examples ...</comment>
# <i>export LAN=eth0</i>
# <i>export WAN=eth1</i>

<comment>Then we lock our services so they only work from the LAN
(write the negation as '! -i'; the older '-i !' spelling is deprecated in newer iptables releases)</comment>
# <i>iptables -I INPUT 1 -i ${LAN} -j ACCEPT</i>
# <i>iptables -I INPUT 1 -i lo -j ACCEPT</i>
# <i>iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT</i>
# <i>iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT</i>

<comment>(Optional) Allow access to our ssh server from the WAN; if you do, use key authentication</comment>
# <i>iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT</i>

<comment>Drop TCP / UDP packets to privileged ports</comment>
# <i>iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP</i>
# <i>iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP</i>

<comment>Finally we add the rules for NAT</comment>
# <i>iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP</i>
# <i>iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT</i>
# <i>iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT</i>
# <i>iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE</i>
<comment>Tell the kernel that ip forwarding is OK</comment>
# <i>echo 1 > /proc/sys/net/ipv4/ip_forward</i>
# <i>for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done</i>

<comment>This is so when we boot we don't have to run the rules by hand</comment>
# <i>/etc/init.d/iptables save</i>
# <i>rc-update add iptables default</i>
# <i>nano /etc/sysctl.conf</i>
<comment>Add/Uncomment the following lines ('default' only covers interfaces created
later, so set 'all' too to match the loop above):</comment>
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1

<comment>If you have a dynamic internet address you probably want to enable this:</comment>
net.ipv4.ip_dynaddr = 1
</pre>

<p>
Once you've typed out all of that, the rest of your network should now be able
to use the internet as if they were directly connected themselves.
</p>

<p>
A word on what these rules do and do not protect. The INPUT chain only drops
WAN traffic to the privileged ports (0-1023), so any service listening on a
higher port on the router itself is still reachable from the internet, and the
FORWARD chain accepts anything arriving on the WAN that is addressed to
192.168.0.0/16 without looking at connection state. That is good enough for a
NAT box whose only public address is the WAN one, but if you want a default-deny
router, set the INPUT policy to DROP, accept only <c>-m state --state
ESTABLISHED,RELATED</c> traffic from the WAN plus the services you choose, and
do the same in FORWARD (port forwards then need their own FORWARD ACCEPT rule).
</p>

<p>
The ip_dynaddr option is useful for dial on demand systems or when your ISP
gives out dynamic addresses. This works around the problem where a connection
is attempted before the internet interface is fully set up. Really this just
provides for a smoother network experience for users behind your router.
</p>
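<p>
The guide's rules are deliberately minimal. As an added illustration that is
not code from the guide, the following shell script prints the same NAT setup
as a default-deny, stateful ruleset in the iptables-restore format that
<c>/etc/init.d/iptables save</c> writes: the INPUT and FORWARD policies are
DROP, only established or related traffic comes back in from the WAN, and ssh
from the WAN is opt-in and rate limited. The interface names, the
192.168.0.0/24 LAN and the rate limits are assumptions made for the example.
</p>

```sh
#!/bin/sh
# Added example, not part of the Gentoo guide: a default-deny, stateful
# version of the guide's ruleset, printed in iptables-restore(8) format
# (the same format /etc/init.d/iptables save writes). Assumptions: a 2.6
# kernel with connection tracking and the state and limit matches built in
# or loaded, and the guide's LAN of 192.168.0.0/24. Nothing touches the
# running firewall until apply_firewall is called as root.

LAN_NET=192.168.0.0/24

# gen_firewall LAN_IF WAN_IF [ssh]
#   Print the ruleset; pass "ssh" as the third argument to admit ssh from
#   the WAN. Returns 1 if an interface name is missing.
gen_firewall() {
    lan=$1
    wan=$2
    if [ -z "$lan" ] || [ -z "$wan" ]; then
        return 1
    fi
    # filter table: nothing enters from the WAN unless it belongs to a
    # connection the router or the LAN opened, or is explicitly allowed.
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        "-A INPUT -i $lan -j ACCEPT" \
        "-A INPUT -i $wan -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "-A INPUT -i $wan -p icmp --icmp-type echo-request -m limit --limit 4/second -j ACCEPT"
    if [ "$3" = ssh ]; then
        # still reachable from the internet: pair this with key-only auth
        printf '%s\n' \
            "-A INPUT -i $wan -p tcp --dport 22 -m state --state NEW -m limit --limit 6/minute -j ACCEPT"
    fi
    # LAN hosts may open anything outbound; the WAN only gets replies back.
    # DNAT port forwards need an extra FORWARD accept for their NEW packets.
    printf '%s\n' \
        "-A FORWARD -i $lan -o $wan -s $LAN_NET -j ACCEPT" \
        "-A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        'COMMIT' \
        '*nat' \
        ':PREROUTING ACCEPT [0:0]' \
        ':POSTROUTING ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        "-A POSTROUTING -o $wan -s $LAN_NET -j MASQUERADE" \
        'COMMIT'
}

# apply_firewall LAN_IF WAN_IF [ssh]
#   Load the ruleset atomically and turn on forwarding (root only).
apply_firewall() {
    gen_firewall "$@" | iptables-restore
    sysctl -w net.ipv4.ip_forward=1
    sysctl -w net.ipv4.conf.all.rp_filter=1
}

# Review first:   gen_firewall eth0 eth1 ssh
# Then apply:     apply_firewall eth0 eth1 ssh   (use ppp0 as WAN for PPPoE)
```

<p>
Because the whole table is loaded in one <c>iptables-restore</c> call, there
is no window during which the old rules are flushed and the new ones only half
installed, which is the weakness of typing the commands one by one.
</p>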

</body>
</section>
</chapter>

<chapter>
<title>Fun Things (for a rainy day)</title>

<section>
<title>Intro</title>
<body>

<p>
Believe it or not, you're done :). From here on out, I'll cover a bunch of
common topics that may interest you. Everything in this chapter is completely
optional.
</p>

</body>
</section>

<section>
<title>Port Forwarding</title>
<body>

<p>
Sometimes you would like to be able to host services on a computer behind the
router, or just to make your life easier when connecting remotely. Perhaps you
want to run an FTP, HTTP, SSH, or VNC server on one or more machines behind your
router and be able to connect to them all. The only caveat is that you can
only have one service/machine combo per external port. For example, there is no
practical way to set up three FTP servers behind your router and then try to
connect to them all through port 21; only one can be on port 21 while the
others would have to be on, say, port 123 and port 567.
</p>

<p>
All the port forwarding rules are of the form <c>iptables -t nat -A PREROUTING
[-p protocol] --dport [external port on router] -i ${WAN} -j DNAT --to [ip/port
to forward to]</c>. Unfortunately, the DNAT target does not accept hostnames,
so you have to give the internal machine's IP address. If you are forwarding an
external port to the same port on the internal machine, you can omit the
destination port. Every forward also relies on the FORWARD chain letting the
translated packets through; the <c>-i ${WAN} -d 192.168.0.0/255.255.0.0 -j
ACCEPT</c> rule from the NAT chapter already does that. See the iptables(8) man
page for more information.
</p>

<pre caption="Running the iptables commands">
<comment>Copy and paste these examples ...</comment>
# <i>export LAN=eth0</i>
# <i>export WAN=eth1</i>

<comment>Forward port 2 to ssh on an internal host</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 2 -i ${WAN} -j DNAT --to 192.168.0.2:22</i>

<comment>FTP forwarding to an internal host (FTP's separate data connections need the
FTP conntrack/NAT helper from the kernel chapter to be loaded)</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 21 -i ${WAN} -j DNAT --to 192.168.0.56</i>

<comment>HTTP forwarding to an internal host</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to 192.168.0.56</i>

<comment>VNC forwarding for internal hosts</comment>
# <i>iptables -t nat -I PREROUTING -p tcp --dport 5900 -i ${WAN} -j DNAT --to 192.168.0.2</i>
# <i>iptables -t nat -I PREROUTING -p tcp --dport 5901 -i ${WAN} -j DNAT --to 192.168.0.3:5900</i>
<comment>If you want to VNC in to 192.168.0.3, then just add ':1' to the router's hostname</comment>

<comment>Bittorrent forwarding</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 6881:6889 -i ${WAN} -j DNAT --to 192.168.0.2</i>

<comment>eDonkey/eMule forwarding</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 4662 -i ${WAN} -j DNAT --to 192.168.0.55</i>

<comment>Game Cube Warp Pipe support</comment>
# <i>iptables -t nat -A PREROUTING -p udp --dport 4000 -i ${WAN} -j DNAT --to 192.168.0.56</i>

<comment>Playstation 2 Online support</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 10070:10080 -i ${WAN} -j DNAT --to 192.168.0.11</i>
# <i>iptables -t nat -A PREROUTING -p udp --dport 10070:10080 -i ${WAN} -j DNAT --to 192.168.0.11</i>

<comment>Xbox Live</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 3074 -i ${WAN} -j DNAT --to 192.168.0.69</i>
# <i>iptables -t nat -A PREROUTING -p udp --dport 3074 -i ${WAN} -j DNAT --to 192.168.0.69</i>
# <i>iptables -t nat -A PREROUTING -p udp --dport 88 -i ${WAN} -j DNAT --to 192.168.0.69</i>
</pre>

<note>
If you have other common / cool examples, please <mail
link="vapier@gentoo.org">e-mail me</mail>.
</note>
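<p>
As an added example that is not part of the guide, the following shell script
turns a small table of forwards into commands like the ones above, but
validates each entry first (a dotted-quad address, a sane port or port range,
tcp or udp) and emits next to every DNAT rule the FORWARD accept that a
default-deny FORWARD chain would need. The table contents, interface names and
addresses are made up for the example.
</p>

```sh
#!/bin/sh
# Added example, not part of the Gentoo guide: build port forwards from a
# small table and validate every entry before it gets near iptables. The
# DNAT target wants a literal IPv4 address, so hostnames are rejected here
# with a clear failure instead of an iptables error halfway through a script.
# Each forward is printed together with its FORWARD accept, so the forwards
# keep working once FORWARD is default-deny and stateful. Assumptions: the
# interfaces, hosts and ports in the table are invented for the example;
# nothing runs iptables unless you pipe the output into sh as root.

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$saved_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_port SPEC: a single port 1-65535 or a range LOW:HIGH
is_port() {
    case $1 in
        ''|*[!0-9:]*|:*|*:|*:*:*) return 1 ;;
    esac
    low=${1%%:*}
    high=${1##*:}
    [ "$low" -ge 1 ] || return 1
    [ "$high" -le 65535 ] || return 1
    [ "$low" -le "$high" ]
}

# pf_rule WAN_IF LAN_IF PROTO EXT_PORT DEST[:PORT]
#   Print the two iptables commands for one forward; fail on bad input.
pf_rule() {
    wan=$1 lan=$2 proto=$3 ext=$4 dest=$5
    case $proto in
        tcp|udp) ;;
        *) return 1 ;;
    esac
    is_port "$ext" || return 1
    ip=${dest%%:*}
    is_ipv4 "$ip" || return 1
    if [ "$ip" = "$dest" ]; then
        # no port given: keep the external port, as the guide's examples do
        to=$ip
        fwd_port=$ext
    else
        port=${dest#*:}
        is_port "$port" || return 1
        to="$ip:$port"
        fwd_port=$port
    fi
    printf '%s\n' \
        "iptables -t nat -A PREROUTING -i $wan -p $proto --dport $ext -j DNAT --to-destination $to" \
        "iptables -A FORWARD -i $wan -o $lan -p $proto -d $ip --dport $fwd_port -m state --state NEW -j ACCEPT"
}

# Constructed sample table, one "proto ext_port dest[:port]" per line
forward_table() {
    printf '%s\n' \
        'tcp 2 192.168.0.2:22' \
        'tcp 80 192.168.0.56' \
        'tcp 6881:6889 192.168.0.2' \
        'udp 4000 192.168.0.56'
}

# gen_forwards WAN_IF LAN_IF: read the table on stdin, print the commands,
# report rejected entries as comments and fail if there were any.
gen_forwards() {
    status=0
    while read -r proto ext dest; do
        if ! pf_rule "$1" "$2" "$proto" "$ext" "$dest"; then
            printf '# rejected: %s %s %s\n' "$proto" "$ext" "$dest"
            status=1
        fi
    done
    return $status
}

# Review:  forward_table | gen_forwards eth1 eth0
# Apply:   forward_table | gen_forwards eth1 eth0 | sh     (as root)
```

<p>
Validating before generating matters because a bad entry in the middle of a
hand-typed batch leaves the NAT table half populated; here a rejected line is
reported and the script's exit status tells you not to apply the output.
</p>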
554 neysx 1.23
555 vapier 1.3 </body>
556     </section>
557    
558     <section>
559     <title>Identd (for IRC)</title>
560     <body>
561 neysx 1.23
562 vapier 1.3 <p>
563 neysx 1.23 Internet Relay Chat utilizes the ident service pretty heavily. Now that the
564     IRC clients are behind the router, we need a way to host ident for both the
565     router and the clients. One such server has been created called
566     <c>midentd</c>.
567 vapier 1.3 </p>
568    
569     <pre caption="Setting up ident">
570     # <i>emerge midentd</i>
571     # <i>rc-update add midentd default</i>
572     # <i>/etc/init.d/midentd start</i>
573     </pre>
574    
575     <p>
576 neysx 1.23 There are a few other ident servers in portage. Depending on your needs, I
577     would recommend checking out <c>oidentd</c> and <c>fakeidentd</c>.
578 vapier 1.3 </p>
579 neysx 1.23
580 vapier 1.3 </body>
581     </section>
582    
583 vapier 1.5 <!--
584     <section>
585     <title>Traffic Shaping</title>
586     <body>
587     <p>
588     This is an attempt to simply and Gentooify the <uri link="http://www.tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/">ADSL Bandwidth Management HOWTO</uri>
589     found over at the TLDP. Feel free to refer to the original document
590     for more details.
591     </p>
592    
593     <p>
594     Here we will be setting up what some people refer to as a "Packet Shaper",
595     <uri link="http://en.wikipedia.org/wiki/Traffic_shaping">"Traffic Shaping"</uri>,
596     or <uri link="http://en.wikipedia.org/wiki/QoS">"Quality of Service"</uri>.
597     Simply put, we want to setup rules on our router that will slow down
598     certain activities (like sending large e-mails or downloading from P2P
599     networks) while keeping other activities (like browsing the web or playing
600     online video games) reasonably fast. A 30 second difference in a video
601     game is a lot worse than a 30 second difference in downloading large
602     files :).
603     </p>
604    
605     <p>
606     The first thing is to make sure your kernel has all the features added to
607     it. See the chapter on <uri link="#doc_chap2">Kernel setup</uri> for more
608     information. Next, you will need to <c>emerge iptables iputils</c> so that
609     you will have access to the <c>iptables</c>, <c>ip</c>, and <c>tc</c>
610     commands.
611     </p>
612    
613     <p>
614     Before we jump into the commands, let's cover a little of the theory. The
615     way this whole system works is to classify common network streams and then
616     to prioritize them. You use iptables to classify network streams, iputils
617     to define the different priority levels, and the kernel to adjust speeds.
618     Just remember that although you can control outbound traffic pretty tightly
619     (from the LAN to the WAN), your ability to control inbound traffic (from
620     the WAN to the LAN) is somewhat limited. Just remember that the following
621     examples are to get your feet wet; if you want more then I'd suggest
622     reading up on the subject. In this example, we will be using the
623     <uri link="http://luxik.cdi.cz/~devik/qos/htb/">Hierarchical Token Buckets (HTB)</uri>
624     packet scheduling algorithm. Still with me? Great, let's start shaping :).
625     </p>
626    
627     <pre caption="Setup">
628     DEV=eth1 <comment>NIC connected to WAN</comment>
629     RATE_OUT=100 <comment>Available outbound bandwidth (in kilobits [kb])</comment>
630     RATE_IN=1400 <comment>Available inbound bandwidth (in kb)</comment>
631    
632     <comment>Here we initialize the priority system. The 45 is used to set the default classification level.</comment>
633     ip link set dev ${DEV} qlen 30
634     tc qdisc add dev ${DEV} root handle 1: htb default 45
635     tc class add dev ${DEV} parent 1: classid 1:1 htb rate ${RATE_OUT}kbit
636     </pre>
637    
638     <p>
639     Here we initialized the system which will be used to prioritize all of
640     our network traffic. We created our queue, told it to use the HTB
641     algorithm, and set the default classification level to '45'. The
642     default is completely arbitrary, as are the levels we choose from
643     here on out. The only thing that matters is how the levels compare
644     relatively; a level '10' packet will be given preference over a
645     level '45' packet. Let's move on to declaring different levels.
646     </p>
647    
648     <pre caption="Declaring levels">
649     tc class add dev $DEV parent 1:1 classid 1:10 htb rate $rkbit ceil $tkbit prio $p
650     tc qdisc add dev $DEV parent 1:10 handle 10: sfq
651     </pre>
652     </body>
653     </section>
654     -->
655    
656 vapier 1.3 <section>
657 vapier 1.9 <title>Time Server</title>
658     <body>
659 neysx 1.23
660 vapier 1.9 <p>
661 vapier 1.24 Keeping your system time correct is essential in maintaining a healthy system.
662 neysx 1.23 One of the most common ways of accomplishing this is with the Network Time
663     Protocol (NTP) and the ntp package (which provides implementations for both
664     server and client).
665 vapier 1.9 </p>
666    
667     <p>
668 neysx 1.23 Many people run ntp clients on their computers. Obviously, the more clients in
669     the world, the larger the load the ntp servers need to shoulder. In
670     environments like home networks though, we can help keep the load down on
671     public servers while still providing the proper time to all our computers. As
672     an added bonus, our private updates will be a lot faster for the clients too!
673     All we have to do is run a ntp server on our router that synchronizes itself
674     with the public internet servers while providing the time to the rest of the
675     computers in the network. To get started, simply <c>emerge ntp</c> on the
676 vapier 1.9 router.
677     </p>
678    
679     <pre caption="Setting up the NTP server">
680     # <i>nano /etc/conf.d/ntp-client</i>
681     <comment>Customize if you wish but the defaults should be fine</comment>
682     # <i>rc-update add ntp-client default</i>
683    
684     # <i>nano /etc/ntp.conf</i>
685 neysx 1.23 <comment>Add the follwing lines:</comment>
686 vapier 1.9 restrict default ignore
687     restrict 192.168.0.0 mask 255.255.255.0 notrust nomodify notrap
688 neysx 1.23 <comment>These will allow only ntp clients with an IP
689     address in the 192.168.0.xxx range to use your ntp server</comment>
690 vapier 1.9 # <i>nano /etc/conf.d/ntpd</i>
691     <comment>Customize if you wish but the defaults should be fine</comment>
692 vapier 1.17 # <i>rc-update add ntpd default</i>
693 vapier 1.9
694     # <i>/etc/init.d/ntp-client start</i>
695     # <i>/etc/init.d/ntpd start</i>
696     </pre>
697    
<note>
When setting up the firewall on the router, open the ntp port (123/udp) for
inbound traffic on the LAN interface only, and allow the router's own outbound
queries (and their replies) to its upstream servers on the WAN side. There is
no reason to accept inbound 123/udp from the internet. The clients just need
outbound access on port 123 over udp.
</note>

<p>
Now, on your clients, <c>emerge ntp</c> as well. However, we will only run the
ntp client on them, so the setup is a lot simpler.
</p>

<pre caption="Setting up a NTP client">
# <i>nano /etc/conf.d/ntp-client</i>
<comment>Change the 'pool.ntp.org' server in the NTPCLIENT_OPTS variable to '192.168.0.1'</comment>
# <i>rc-update add ntp-client default</i>
# <i>/etc/init.d/ntp-client start</i>
</pre>
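
<p>
The restrict lines are easy to get subtly wrong, so here is an added check
(example code written for this guide, not part of the ntp package or of the
original guide) that parses the server and restrict lines of an ntp.conf and
flags the two mistakes described above: a <c>restrict default ignore</c> that
leaves the upstream servers without a restrict line of their own, and
<c>notrust</c> on a LAN entry. The two configurations embedded in it are
constructed samples, and the checker only understands the plain
<c>restrict address [mask netmask] flags</c> form; the <c>-4</c>/<c>-6</c> and
<c>source</c> variants are ignored.
</p>

```python
"""Audit the restrict lines of an ntp.conf.

Added example for the home router guide; not part of ntp. It understands
"server/peer/pool <host>" and "restrict <address> [mask <netmask>] <flags>";
the -4/-6 and "source" forms of restrict are not handled.
"""
import sys

# Constructed sample: the restrict lines this section originally suggested.
WEAK_CONF = """\
server pool.ntp.org
restrict default ignore
restrict 192.168.0.0 mask 255.255.255.0 notrust nomodify notrap
"""

# Constructed sample: the corrected lines.
FIXED_CONF = """\
server pool.ntp.org
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap nopeer
"""


def parse_ntp_conf(text):
    """Return (servers, restricts); restricts is a list of (target, mask, flags)."""
    servers, restricts = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] in ("server", "peer", "pool") and len(words) > 1:
            servers.append(words[1])
        elif words[0] == "restrict" and len(words) > 1:
            target, rest, mask = words[1], words[2:], None
            if len(rest) >= 2 and rest[0] == "mask":
                mask, rest = rest[1], rest[2:]
            restricts.append((target, mask, frozenset(rest)))
    return servers, restricts


def audit_restricts(text):
    """Return a list of findings; an empty list means the checks pass."""
    servers, restricts = parse_ntp_conf(text)
    findings = []
    defaults = [r for r in restricts if r[0] == "default"]
    if not defaults:
        findings.append("no 'restrict default' line: any host may query, modify and peer")
    else:
        flags = defaults[-1][2]                  # ntpd keeps the last default entry
        if "ignore" in flags:
            # 'ignore' drops every packet from unlisted hosts, including the
            # replies to our own queries, so each upstream server needs a line.
            covered = {r[0] for r in restricts}
            missing = [s for s in servers if s not in covered]
            if missing:
                findings.append("'restrict default ignore' without a restrict line for: "
                                + ", ".join(missing))
        else:
            for want in ("nomodify", "noquery", "nopeer"):
                if want not in flags:
                    findings.append("'restrict default' lacks " + want)
    for target, mask, flags in restricts:
        if target != "default" and "notrust" in flags:
            findings.append("'notrust' on " + target
                            + " requires authenticated packets (ntp 4.2 and later); "
                            "unauthenticated LAN clients will be refused")
    return findings


if __name__ == "__main__":
    # Usage: python audit_ntp.py [/etc/ntp.conf]; without a path the weak sample is checked.
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONF
    problems = audit_restricts(conf)
    for p in problems:
        print("WARNING: " + p)
    print("restrict lines look fine" if not problems else str(len(problems)) + " problem(s) found")
```

<p>
Run it against the router's own file with <c>python audit_ntp.py
/etc/ntp.conf</c> (the script name is an assumption). After fixing the file,
<c>ntpq -p</c> on the router should show an upstream server with an asterisk in
front of it within a few minutes, which is the real proof that the restrict
lines let the replies through.
</p>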

</body>
</section>

719     <section>
720 vapier 1.29 <title>Rsync Server</title>
721     <body>
722    
723     <p>
724     For those who run multiple Gentoo boxes on the same lan, you often want to
725     keep from having every machine running <c>emerge sync</c> with remote
726     servers. By setting up a local rsync, you save on both your bandwidth and
727     the Gentoo rsync servers' bandwidth. It's pretty simple to do.
728     </p>

<note>
For a much more in-depth rsync guide, please see the official <uri
link="/doc/en/rsync.xml#local">rsync guide</uri>.
</note>

<p>
Since every Gentoo machine requires rsync, there's no need to emerge it. Edit
the default <path>/etc/rsyncd.conf</path> config file, uncomment the
<c>[gentoo-portage]</c> section, and make sure you add an <c>address</c>
option set to the router's LAN address: that binds the daemon to the LAN side
only, so the portage tree is never served to the internet. If you want a second
line of defence, rsyncd.conf also accepts a <c>hosts allow</c> option that you
can restrict to the 192.168.0.0/24 network. All the other defaults should be
fine.
</p>

<pre caption="Rsync server config">
pid file = /var/run/rsyncd.pid
use chroot = yes
read only = yes
address = 192.168.0.1

[gentoo-portage]
path = /mnt/space/portage
comment = Gentoo Linux Portage tree
exclude = /distfiles /packages
</pre>

<p>
Then you need to start the service (again, the defaults are OK).
</p>

<pre caption="Starting the rsync server">
# <i>/etc/init.d/rsyncd start</i>
# <i>rc-update add rsyncd default</i>
</pre>

<p>
The only thing left is to tell your clients to sync against the router.
</p>

<pre caption="Client SYNC settings in make.conf">
SYNC="rsync://192.168.0.1/gentoo-portage"
</pre>

</body>
</section>

<section>
<title>Mail Server</title>
<body>

<p>
Sometimes it's nice to run your own Simple Mail Transfer Protocol (SMTP) server
on the router. You may have your own reasons for wanting to do so, but I run it
so that users see mail as being sent instantly while the work of retrying and
routing is left to the mail server. Some ISPs (Verizon, for example) also don't
allow mail relaying for accounts that aren't part of their network. You can
also easily throttle the delivery of mail so that large attachments won't
seriously lag your connection for half an hour.
</p>

<pre caption="Setting up SMTP">
# <i>emerge qmail</i>
<comment>make sure the output of `hostname` is correct</comment>
# <i>ebuild /var/db/pkg/*-*/qmail-1.03-r*/*.ebuild config</i>
<comment>Keep port 25 closed to everything but the LAN; newer iptables releases
write the negation as "! -i ${LAN}" instead of "-i ! ${LAN}"</comment>
# <i>iptables -I INPUT -p tcp --dport smtp -i ! ${LAN} -j REJECT</i>
# <i>ln -s /var/qmail/supervise/qmail-send /service/qmail-send</i>
# <i>ln -s /var/qmail/supervise/qmail-smtpd /service/qmail-smtpd</i>
# <i>cd /etc</i>
# <i>nano tcp.smtp</i>
<comment>Add an entry like so to the allow section. Only addresses matching
this prefix get RELAYCLIENT, so only LAN hosts may relay mail through the
router; never put RELAYCLIENT on a catch-all ":allow" rule or on any rule that
matches the internet, or you have an open relay.</comment>
192.168.0.:allow,RELAYCLIENT=""
<comment>tcpserver reads the compiled .cdb file, so rebuild it every time you
edit tcp.smtp</comment>
# <i>tcprules tcp.smtp.cdb rules.tmp &lt; tcp.smtp</i>
# <i>rc-update add svscan default</i>
# <i>/etc/init.d/svscan start</i>
</pre>

<p>
I'm a huge fan of qmail, but you're free to use a different MTA :). When you
set up e-mail on the hosts in your network, tell them that their SMTP server is
192.168.0.1 and everything should be peachy. You might want to visit the <uri
link="http://qmail.org/">qmail homepage</uri> for more documentation.
</p>
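
<p>
Whether a host may relay is decided entirely by which tcp.smtp rule tcpserver
picks for its address, so it is worth seeing the lookup order in action. The
following is an added example written for this guide (it is not part of
ucspi-tcp, qmail or the original guide) that models the address-based part of
that lookup: the exact IP first, then shorter and shorter prefixes ending in a
dot, then the empty default key. The sample rules file is constructed; the
<c>TCPREMOTEINFO@</c> and <c>=hostname</c> forms tcpserver also consults are
left out, and rule values must not contain commas.
</p>

```python
"""Simulate which tcp.smtp rule tcpserver applies to a connecting address.

Added example for the home router guide; not part of ucspi-tcp or qmail.
Only the address forms of the lookup are modelled (exact IP, dotted prefixes,
empty default key); the TCPREMOTEINFO@ and =hostname forms are left out.
"""

# Constructed sample tcp.smtp: LAN hosts may relay, one LAN host is refused,
# everybody else may connect (to deliver mail to local users) but not relay.
TCP_SMTP = """\
# hosts on the LAN may use the router as a relay
192.168.0.:allow,RELAYCLIENT=""
# a host we never want to talk to (constructed example)
192.168.0.66:deny
# default: accept the connection but do not hand out RELAYCLIENT
:allow
"""


def parse_tcprules(text):
    """Return {key: (action, env)} from the text format that tcprules compiles."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(":")
        fields = rest.split(",")
        action, env = fields[0], {}
        for item in fields[1:]:
            name, _, value = item.partition("=")
            env[name] = value.strip('"')
        rules[key] = (action, env)
    return rules


def lookup_candidates(ip):
    """Keys tcpserver tries for an address, most specific first."""
    labels = ip.split(".")
    cands = [ip]
    for n in range(len(labels) - 1, 0, -1):
        cands.append(".".join(labels[:n]) + ".")
    cands.append("")                           # the default rule (':allow' or ':deny')
    return cands


def decide(rules, ip):
    """Return (action, env) of the first matching key."""
    for key in lookup_candidates(ip):
        if key in rules:
            return rules[key]
    # Assumption: with no matching rule and no default rule the connection is
    # allowed without RELAYCLIENT; always write an explicit default rule.
    return ("allow", {})


def may_relay(rules, ip):
    """True when the address is let in and RELAYCLIENT is set for it."""
    action, env = decide(rules, ip)
    return action == "allow" and "RELAYCLIENT" in env


if __name__ == "__main__":
    rules = parse_tcprules(TCP_SMTP)
    for ip in ("192.168.0.5", "192.168.0.66", "192.168.1.5", "10.1.2.3"):
        print(ip, decide(rules, ip), "relay" if may_relay(rules, ip) else "no relay")
```

<p>
The prefix matching is also the trap: a rule keyed <c>192.168.</c> instead of
<c>192.168.0.</c> would hand RELAYCLIENT to every 192.168.x.y address, which
is harmless only as long as nothing but your own LAN can reach port 25, so keep
the iptables rule above in place as well.
</p>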

</body>
</section>

<!--
<section>
<title>E-mail Virus Scanning</title>
<body>
<p>
If you'd like to provide e-mail virus scanning for your users, but
don't want to have to install a virus scanner on every single machine,
then <c>pop3vscan</c> may just be the thing for you; a transparent
Post Office Protocol (POP) scanner.
</p>

<pre caption="Setting up pop3vscan">
TODO
</pre>

</body>
</section>
-->

<section>
<title>Full DHCP Server</title>
<body>

<p>
Earlier we used dnsmasq to provide DHCP service to all our clients. For most
people with a simple small LAN, this is perfect. But you may need something
with more features. Thus we turn to a full-featured DHCP server as provided
by the <uri link="http://www.isc.org/products/DHCP">ISC</uri> folks.
</p>

<pre caption="Setting up dhcpd">
# <i>emerge dhcp</i>
# <i>nano /etc/dhcp/dhcpd.conf</i>
<comment>(Here is a sample configuration file:)</comment>
authoritative;
ddns-update-style interim;
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.100 192.168.0.250;
    default-lease-time 259200;
    max-lease-time 518400;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.0.255;
    option routers 192.168.0.1;
    option domain-name-servers 192.168.0.1;
}
# <i>nano /etc/conf.d/dhcpd</i>
<comment>(Set IFACE="eth0", the LAN interface, so that dhcpd only listens there
and never answers requests arriving on the WAN side)</comment>
# <i>rc-update add dhcpd default</i>
# <i>/etc/init.d/dhcpd start</i>
</pre>

<p>
This is the minimal setup required to replace the dnsmasq DHCP functionality
that we used earlier. Speaking of which, you did remember to disable the DHCP
features in dnsmasq, didn't you? If not, do so now (just comment out the
<c>dhcp-range</c> setting in <path>/etc/dnsmasq.conf</path> and restart the
service). Two DHCP servers on the same LAN know nothing about each other's
leases, and clients simply take whichever offer arrives first.
</p>

</body>
</section>

<section>
<title>Connect Another LAN (or two or three or ...)</title>
<body>

<p>
Sometimes you need to connect the router to another LAN. Maybe you want to
hook up a group of friends temporarily, or you're a neat freak and want to
section off different groups of computers, or you're just really, really
bored. Whatever the reason, extending the router to other LAN networks should
be pretty straightforward. In the following examples, I will assume that this
new network is connected via a third ethernet card, namely <c>eth2</c>.
</p>

<p>
First you need to configure the interface. Just take the instructions in the
<uri link="#doc_chap4_pre1">4.1 code listing</uri> and replace <c>eth0</c>
with <c>eth2</c> and <c>192.168.0</c> with <c>192.168.1</c>.
</p>

<p>
Then you need to tweak dnsmasq to service the new interface. Just edit the
<path>/etc/conf.d/dnsmasq</path> file again and append <c>-i eth2</c> to
DNSMASQ_OPTS; using -i multiple times is OK. Then edit
<path>/etc/dnsmasq.conf</path> and add another line like the dhcp-range line
in the <uri link="#doc_chap5_pre1">5.1 code listing</uri>, replacing
<c>192.168.0</c> with <c>192.168.1</c>. Having multiple dhcp-range lines is
OK too.
</p>

<p>
Finally, see the rules in the <uri link="#doc_chap5_pre2">5.2 code
listing</uri> and duplicate the rules that have <c>-i ${LAN}</c> in them. You
may want to create another variable, say <c>LAN2</c>, to make things easier.
Bear in mind that once both interfaces are accepted in the FORWARD chain, the
two LANs can route to each other through the router. If the point of the
second LAN is to section off a group of machines, add FORWARD rules that drop
traffic between <c>eth0</c> and <c>eth2</c> ahead of the accept rules.
</p>
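
<p>
Duplicating the rules by hand is tedious and it is easy to forget the return
direction, so here is an added helper written for this guide (it is not the
guide's own 5.2 listing, which is not reproduced here, nor part of any
project). It copies every line that mentions <c>${LAN}</c> with <c>${LAN2}</c>
substituted, including the <c>-o ${LAN}</c> rules that let replies back in, and
optionally puts the two drop rules that keep the LANs apart in front of the
first FORWARD rule. The rule lines it starts from are a constructed sample in
the style of the guide; only the pattern matters, not the exact rules of your
own script.
</p>

```python
"""Extend a firewall script for a second LAN interface.

Added example for the home router guide; not the guide's own rule listing.
Every line mentioning ${LAN} is duplicated with ${LAN2}, and, if isolate is
set, two DROP rules are placed before the first FORWARD rule so the LANs
cannot reach each other through the router.
"""
import re

# Constructed sample in the style of the guide's rule listing.
FIREWALL_RULES = """\
iptables -A INPUT -i ${LAN} -j ACCEPT
iptables -A INPUT -i ${WAN} -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ${LAN} -j ACCEPT
iptables -A FORWARD -i ${WAN} -o ${LAN} -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
"""


def isolation_rules(lan, lan2):
    """FORWARD rules that keep the two LANs apart; they must precede any ACCEPT."""
    return [
        "iptables -A FORWARD -i ${%s} -o ${%s} -j DROP" % (lan, lan2),
        "iptables -A FORWARD -i ${%s} -o ${%s} -j DROP" % (lan2, lan),
    ]


def extend_rules(rules_text, lan="LAN", lan2="LAN2", isolate=True):
    """Return the rule lines for both LANs as a list of shell commands."""
    pattern = re.compile(r"\$\{" + re.escape(lan) + r"\}")
    out = []
    need_isolation = isolate
    for line in rules_text.splitlines():
        # the drop rules go in front of the first FORWARD rule, whatever it is
        if need_isolation and " FORWARD " in line:
            out.extend(isolation_rules(lan, lan2))
            need_isolation = False
        out.append(line)
        if pattern.search(line):
            out.append(pattern.sub("${" + lan2 + "}", line))
    if need_isolation:                         # script had no FORWARD rules at all
        out.extend(isolation_rules(lan, lan2))
    return out


if __name__ == "__main__":
    # Prints a script fragment; the interface names are the guide's assumptions.
    print('LAN="eth0"\nLAN2="eth2"')
    print("\n".join(extend_rules(FIREWALL_RULES)))
```

<p>
Feed it your own script instead of the sample, read the output before running
it, and keep the variable names consistent with the ones the rest of your
firewall script uses. Pass <c>isolate=False</c> if the second LAN is meant to
be a plain extension of the first.
</p>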

</body>
</section>

</chapter>

<chapter>
<title>Troubleshooting</title>

<section>
<title>Useful Tools</title>
<body>

<p>
If you're having trouble getting your computers to communicate, you may want to
try out the following tools (they can all be found in the <c>net-analyzer</c>
portage category):
</p>

<table>
<tr>
  <th>Utility</th>
  <th>Description</th>
</tr>
<tr>
  <ti>wireshark</ti>
  <ti>GUI tool to capture and decode raw network traffic according to filters</ti>
</tr>
<tr>
  <ti>tcpdump</ti>
  <ti>Console tool to dump raw network traffic according to filters</ti>
</tr>
<tr>
  <ti>iptraf</ti>
  <ti>ncurses based IP LAN monitor</ti>
</tr>
<tr>
  <ti>ettercap</ti>
  <ti>ncurses based sniffer and man-in-the-middle tool; it can rewrite and
  redirect traffic on the LAN, so only run it on networks you are responsible
  for</ti>
</tr>
</table>

</body>
</section>

<section>
<title>DHCP Fails To Start</title>
<body>

<p>
When starting the dhcpd init.d script for the first time, it may fail to start
but neglect to give you any useful info.
</p>

<pre caption="DHCP Failing Example">
# <i>/etc/init.d/dhcpd start</i>
 * Setting ownership on dhcp.leases ...                          [ ok ]
 * Starting dhcpd ...                                            [ !! ]
</pre>

<p>
The trick is to know where dhcpd is sending its output. Simply browse to
<path>/var/log</path> and read the log files. Since the exact log file depends
on the package you are using as a syslog, try running <c>grep -Rl dhcpd
/var/log</c> to narrow down the possibilities. Chances are you made a typo in
your config file; <c>dhcpd -t</c> checks the syntax of the config file without
starting the server and reports the line it choked on. You could also try
running <c>dhcpd -d -f</c> (short for debug / foreground) and debug the error
based upon the output.
</p>

</body>
</section>

<section>
<title>Incorrect MTU Value</title>
<body>

<p>
If you experience odd errors (such as not being able to access some webpages
while others load fine), you may be having Path MTU Discovery trouble. The
quick way to test is to run this iptables command:
</p>

<pre caption="Circumvent MTU issues">
# <i>iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu</i>
</pre>

<p>
This rewrites the MSS option in every forwarded TCP SYN so that segments fit
the MTU of the route the packet takes (the path MTU minus the 40 bytes of IP
and TCP headers). It only affects new connections, so just refresh the website
you're having problems with in order to test. In case it helps, the standard
MTU for ethernet is <c>1500</c>, while PPPoE connections use <c>1492</c>
because the PPPoE and PPP headers take 8 bytes of every frame. For more info,
you should read Chapter 15 of the <uri link="http://lartc.org/howto/">Linux
Advanced Routing &amp; Traffic Control HOWTO</uri>.
</p>

</body>
</section>

<section>
<title>Unable to connect two machines directly</title>
<body>

<p>
If (for whatever reason) you want to connect two machines directly together
without a hub or switch, a regular ethernet cable will likely not work unless
you have an Auto MDI/MDI-X (also known as "autosensing") capable network
adapter. You will need a different cable called a crossover cable. This <uri
link="http://en.wikipedia.org/wiki/Ethernet_crossover_cable">Wikipedia</uri>
page explains the low level details.
</p>

</body>
</section>

</chapter>

<chapter>
<title>Final Notes</title>
<section>
<body>

<p>
I have no final notes other than if you experience any troubles with the guide,
please contact <mail link="vapier@gentoo.org">me</mail> or file a bug with <uri
link="http://bugs.gentoo.org/">Gentoo's Bugtracking Website</uri>. If you have
some interesting bits you think would enhance this guide, by all means send
them my way for inclusion.
</p>

</body>
</section>
</chapter>
</guide>
