Gentoo CVS: /xml/htdocs/doc/en/home-router-howto.xml

Revision 1.56, Wed Mar 7 21:30:18 2007 UTC, by nightmorph
Branch: MAIN
Changes since 1.55: +7 -7 lines
File MIME type: application/xml
Commit message: qmail --> netqmail migration, bug 165874
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/home-router-howto.xml,v 1.55 2007/01/28 22:36:37 vapier Exp $ -->

<guide link="/doc/en/home-router-howto.xml" lang="en">
<title>Home Router Guide</title>

<author title="Author">
<mail link="vapier@gentoo.org">Mike Frysinger</mail>
</author>

<abstract>
This document details how to turn an old Gentoo machine into a router
for connecting your home network to the internet.
</abstract>

<!-- The content of this document is released into the public domain -->
<license/>

<version>1.35</version>
<date>2007-03-07</date>

<chapter>
<title>Introduction</title>
<section>
<body>

<p>
Building your own router out of old spare parts has many advantages over buying
a pre-made canned router from, say, Linksys. The biggest one by far is control
over the connection. The other advantages are left up to your imagination;
just about anything can be done in this scenario, it's just a matter of needing
it.
</p>

<p>
This guide will show you how to set up Network Address Translation (NAT) on the
router (kernel and iptables), add and configure common services (Domain Name
System (DNS) via dnsmasq, DHCP via dhcpcd, ADSL via rp-pppoe), and conclude
with more elaborate and fun things that can be done (port forwarding, traffic
shaping, proxies/caching, etc.).
</p>

<p>
Before getting started, there are a few basic requirements you must meet. First,
you'll need a computer that has at least 2 Network Interface Cards (NICs) in
it. Next, you'll need the configuration settings for your internet connection
(this may include things like IP/DNS/Gateway/username/password). Finally, you'll
need a bit of spare time and some Gentoo loving.
</p>

<p>
The conventions used in this guide are:
</p>

<ul>
<li>eth0 - NIC connected to the Local Area Network (LAN)</li>
<li>eth1 - NIC connected to the Wide Area Network (WAN)</li>
<li>LAN utilizes the private 192.168.0.xxx network</li>
<li>router is hardcoded to the standard 192.168.0.1 IP</li>
<li>router is running Linux 2.4 or 2.6; you're on your own with 2.0/2.2</li>
</ul>

<impo>
As a security precaution, I would highly suggest you shut down any unneeded
services on the router until we have a chance to get the firewall up and
rolling. To view the currently running services, just run <c>rc-status</c>.
</impo>

</body>
</section>
</chapter>

<chapter>
<title>Kernel setup (know thyself first)</title>
<section>
<body>

<p>
Your kernel needs to have the drivers running for both your NICs. To see if
your cards are already set up, just run <c>ifconfig</c>. Your output may differ
slightly from the following; that's fine. What matters is that the interface
shows up at all.
</p>

<pre caption="Checking NICs">
# <i>ifconfig -a</i>
eth0      Link encap:Ethernet  HWaddr 00:60:F5:07:07:B8
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:11 Base address:0x9800

eth1      Link encap:Ethernet  HWaddr 00:60:F5:07:07:B9
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:10 Base address:0x9400
</pre>

<p>
If you do not see your two cards showing up and you're not sure what kind of
cards you have, try running <c>lspci | grep Ethernet</c>. You can get that
from <c>emerge pciutils</c>. Once you have this information, go into your
kernel and add support for the correct drivers.
</p>

<p>
The next thing you'll need is support for iptables and NAT (and packet shaping
if you want). The following list is split up into always required (*),
required only for ADSL via PPPoE (a), suggested for everyone (x), and only
for shaper (s) features. It does not matter whether you build the features
into the kernel or as modules, so long as the correct module(s) are loaded
when the feature is needed (module loading is left to the reader as a fun
exercise however).
</p>

<pre caption="Network Options">
Networking options ---&gt;
  [*] TCP/IP networking
  [*]   IP: advanced router
  [*] Network packet filtering (replaces ipchains)
<comment>If you use 2.4.x, you have to enable the following for DHCP:</comment>
  [*] Socket Filtering

  IP: Netfilter Configuration ---&gt;
    [*] Connection tracking (required for masq/NAT)
    [x]   FTP protocol support
    [x]   IRC protocol support
    [*] IP tables support (required for filtering/masq/NAT)
    [*]   IP range match support
    [x]   MAC address match support
    [*]   Multiple port match support
    [*]   Packet filtering
    [*]     REJECT target support
    [x]   REDIRECT target support
    [*]   Full NAT
    [*]     MASQUERADE target support
    [s]   Packet mangling
    [s]     MARK target support
    [x]   LOG target support

  QoS and/or fair queueing ---&gt;
    [s] QoS and/or fair queueing
    [s]   HTB packet scheduler
    [s]   Ingress Qdisc

  [a] PPP (point-to-point protocol) support
  [a]   PPP filtering
  [a]   PPP support for async serial ports
  [a]   PPP support for sync tty ports
  [a]   PPP Deflate compression
  [a]   PPP BSD-Compress compression
  [a]   PPP over Ethernet
</pre>

<note>
Some things may be slightly different in a 2.4 vs 2.6 kernel, but you should be
able to figure it out :). Even among 2.6 kernels, these options have a
tendency to move around. Good luck!
</note>
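<p>
Since the option list above moves around between kernel versions, it helps to
verify the built kernel rather than the menu. The script below is an added
example and is not part of this guide: it reads a kernel <path>.config</path>
(or the output of <c>zcat /proc/config.gz</c>) and reports which of the
always-required (*) features are neither built in nor modules. The
<c>CONFIG_</c> symbol names are assumed 2.6-era names, with the older spelling
accepted where it differs; the sample config it checks is constructed for the
demonstration and deliberately lacks NAT.
</p>

```shell
#!/bin/sh
# Added example, not part of the Gentoo guide: check a kernel .config for the
# features the guide marks as always required (*). Symbol names are assumed
# 2.6-era names; where 2.4/early 2.6 used a different one, both are listed
# separated by '|' and either satisfies the check.
REQUIRED_OPTIONS="CONFIG_INET CONFIG_IP_ADVANCED_ROUTER CONFIG_NETFILTER
CONFIG_NF_CONNTRACK|CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_FILTER CONFIG_IP_NF_TARGET_REJECT CONFIG_NF_NAT|CONFIG_IP_NF_NAT
CONFIG_IP_NF_TARGET_MASQUERADE"

# config_has FILE 'SYM|SYM...': true if any listed symbol is =y or =m.
config_has() {
    file="$1"
    for sym in $(printf '%s\n' "$2" | tr '|' ' '); do
        if grep -q "^${sym}=[ym]$" "$file"; then return 0; fi
    done
    return 1
}

# check_kernel_config FILE: print each missing feature ("missing: SYM"),
# return the number of missing features (0 means the kernel is ready).
check_kernel_config() {
    file="$1"
    missing=0
    for alts in $REQUIRED_OPTIONS; do
        if ! config_has "$file" "$alts"; then
            echo "missing: $alts"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# make_sample_config FILE: write a constructed .config (not from any real
# kernel) that has filtering but is missing the two NAT options.
make_sample_config() {
    printf '%s\n' 'CONFIG_INET=y' 'CONFIG_IP_ADVANCED_ROUTER=y' \
        'CONFIG_NETFILTER=y' 'CONFIG_NF_CONNTRACK=m' 'CONFIG_IP_NF_IPTABLES=m' \
        'CONFIG_IP_NF_FILTER=m' 'CONFIG_IP_NF_TARGET_REJECT=m' \
        '# CONFIG_NF_NAT is not set' \
        '# CONFIG_IP_NF_TARGET_MASQUERADE is not set' > "$1"
}

# Demonstration on the constructed config. On the router itself you would run
# check_kernel_config /usr/src/linux/.config (or zcat /proc/config.gz into a
# temporary file first, if CONFIG_IKCONFIG_PROC is enabled).
sample="${TMPDIR:-/tmp}/router-config.$$"
make_sample_config "$sample"
check_kernel_config "$sample" || echo "$? option(s) missing; enable them under Networking options"
rm -f "$sample"
```

<p>
The exit status doubles as the count of missing features, so the function can
gate a build script as well as be read by eye.
</p>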

</body>
</section>
</chapter>

<chapter>
<title>Hug the WAN (a.k.a. The Internet)</title>

<section>
<title>Intro</title>
<body>

<p>
There are many ways to connect to the internet, so I'll just cover the ones I'm
familiar with. That leaves us with ADSL (PPPoE) and cable modems
(static/dynamic). If there are other methods out there, feel free to write up
a little blurb and e-mail me. Feel free to skip any of the following sections
in this chapter that don't apply to you. This chapter is just about getting
the router connected to the internet via eth1.
</p>

</body>
</section>
<section>
<title>ADSL and PPPoE</title>
<body>

<p>
All the fancy PPPoE software has been bundled up into one nice little package
nowadays called <uri link="http://www.roaringpenguin.com/">Roaring
Penguin</uri>. Simply <c>emerge rp-pppoe</c> and you'll be on your way.
Remember how I said you'll need username/password information? Well, I wasn't
lying, so I hope you have it now! Load up <path>/etc/ppp/pppoe.conf</path> in
your favorite editor and set it up.
</p>

<note>
In order for the following net settings to work, you must have
baselayout-1.11.14 or later installed on your system.
</note>

<pre caption="Setting up eth1">
<comment>(Replace 'vla9h924' with your username and 'password' with your password)</comment>

# <i>nano /etc/ppp/pap-secrets</i>
<comment># client server secret</comment>
"vla9h924" * "password"
# <i>nano /etc/conf.d/net</i>
<comment>Tell baselayout to use adsl for your eth1:</comment>
config_eth1=( "adsl" )
user_eth1=( "vla9h924" )
# <i>ln -s net.lo /etc/init.d/net.eth1</i>
# <i>rc-update add net.eth1 default</i>
# <i>/etc/init.d/net.eth1 start</i>
</pre>

<warn>
When the DSL interface comes up, it will create ppp0. Although your NIC is
called eth1, the IP is actually bound to ppp0. From now on, when you see
examples that utilize 'eth1', substitute 'ppp0'.
</warn>

</body>
</section>

<section>
<title>Cable and/or dynamic/static IP</title>
<body>

<p>
If you have a static IP then you will need a few more details than if
you have a dynamic IP. For static users, you will need your IP,
gateway, and DNS servers.
</p>

<pre caption="Setting up eth1">
<comment>Dynamic IP Users:</comment>
# <i>emerge dhcpcd</i>
# <i>nano /etc/conf.d/net</i>
<comment>You'll need an entry like so:</comment>
config_eth1=( "dhcp" )

<comment>Static IP Users:</comment>
# <i>nano /etc/conf.d/net</i>
<comment>You'll need entries like so:</comment>
config_eth1=( "66.92.78.102 broadcast 66.92.78.255 netmask 255.255.255.0" )
routes_eth1=( "default gw 66.92.78.1" )
# <i>nano /etc/resolv.conf</i>
<comment>Add one line per DNS server:</comment>
nameserver 123.123.123.123

<comment>Dynamic and Static Setup:</comment>
# <i>ln -s net.lo /etc/init.d/net.eth1</i>
# <i>rc-update add net.eth1 default</i>
# <i>/etc/init.d/net.eth1 start</i>
</pre>

<p>
You should be all set to go now.
</p>

</body>
</section>
</chapter>

<chapter>
<title>Hug the LAN (bring along some friends)</title>
<section>
<body>

<p>
This step is a breeze compared to the previous one.
</p>

<pre caption="Setting up eth0">
# <i>nano /etc/conf.d/net</i>
<comment>Add a line like the following:</comment>
config_eth0=( "192.168.0.1 broadcast 192.168.0.255 netmask 255.255.255.0" )
# <i>rc-update add net.eth0 default</i>
# <i>/etc/init.d/net.eth0 start</i>
</pre>

</body>
</section>
</chapter>

<chapter>
<title>LAN Services (because we're nice people)</title>

<section>
<title>DHCP Server</title>
<body>

<p>
I bet it'd be nice if everyone else in your house could just plug their
computers into the network and things would just work. No need to remember
mind-numbing details or make them stare at confusing configuration screens!
Life would be grand, eh? Introducing the Dynamic Host Configuration Protocol
(DHCP) and why you should care.
</p>

<p>
DHCP is exactly what its name implies. It's a protocol that allows you
to dynamically configure other hosts automatically. You run a DHCP server on
the router, give it all the information about your network (valid IPs,
DNS servers, gateways, etc.), and then when the other hosts start up, they
run a DHCP client to automatically configure themselves. No fuss, no muss!
For more information about DHCP, you can always visit <uri
link="http://en.wikipedia.org/wiki/DHCP">Wikipedia</uri>.
</p>

<p>
We'll use a package called dnsmasq which provides both DHCP and DNS services.
For now let's just focus on the DHCP aspect. Note that if you want to run a
different DHCP server, you can find another example in the Fun Things chapter.
Also, if you wish to tinker with the DHCP server settings, just read the
comments in <path>/etc/dnsmasq.conf</path>. All the defaults should work fine
though.
</p>

<pre caption="Setting up a DHCP server">
# <i>emerge dnsmasq</i>
# <i>nano /etc/dnsmasq.conf</i>
<comment>Add this line to enable dhcp:</comment>
dhcp-range=192.168.0.100,192.168.0.250,72h
<comment>Restrict dnsmasq to just the LAN interface</comment>
interface=eth0

# <i>rc-update add dnsmasq default</i>
# <i>/etc/init.d/dnsmasq start</i>
</pre>

<p>
Now your little router is a bona-fide DHCP server! Plug in those computers and
watch them work! With Windows systems you should go into the TCP/IP Properties
and select the 'Obtain an IP address automatically' and 'Obtain DNS server
address automatically' options. Sometimes the changes aren't instantaneous, so
you may have to open a command prompt and run <c>ipconfig /release</c> and
<c>ipconfig /renew</c>. But enough about Windows, let's get back to our
favorite penguin.
</p>

</body>
</section>

<section>
<title>DNS Server</title>
<body>

<p>
When people want to visit a place on the internet, they remember names, not a
string of funky numbers. After all, what's easier to remember, ebay.com or
66.135.192.87? This is where DNS steps in. DNS servers run all over the
internet, and whenever someone wants to visit 'ebay.com', these servers turn
'ebay.com' (what we understand) into '66.135.192.87' (what our computers
understand). For more information about DNS, you can always visit <uri
link="http://en.wikipedia.org/wiki/DNS">Wikipedia</uri>.
</p>

<p>
Since we're using dnsmasq for our DHCP server, and it includes a DNS server,
you've got nothing left to do here! Your little router is already providing
DNS to its DHCP clients. Bet you wish everything was this easy ;).
</p>

<p>
You're welcome to choose other DNS servers if you're more comfortable with
them, but the reason dnsmasq is great is because it was designed to do exactly
what we want and nothing more. It's a little DNS caching/forwarding server for
local networks. We're not looking to provide DNS for our own domain here, just
offer simple DNS services to everyone else on our LAN.
</p>

</body>
</section>

<section>
<title>NAT (a.k.a. IP-masquerading)</title>
<body>

<p>
At this point, people on your network can talk to each other and they can look
up hostnames via DNS, but they still can't actually connect to the internet.
While you may think that's great (more bandwidth for you!), I bet they're not
too happy just yet.
</p>

<p>
This is where Network Address Translation (NAT) steps in. NAT is a way of
connecting multiple computers in a private LAN to the internet when you have a
smaller number of public IP addresses available to you. Typically you are given
one IP by your ISP, but you want to let your whole house connect to the internet.
NAT is the magic that makes this possible. For more information about NAT, you
can always visit <uri link="http://en.wikipedia.org/wiki/NAT">Wikipedia</uri>.
</p>

<note>
Before we get started, make sure you have iptables on your system. Although it
is automatically installed on most systems, you may not have it. If you don't,
just run <c>emerge iptables</c>.
</note>

<pre caption="Setting up iptables">
<comment>First we flush our current rules</comment>
# <i>iptables -F</i>
# <i>iptables -t nat -F</i>

<comment>Setup default policies to handle unmatched traffic</comment>
# <i>iptables -P INPUT ACCEPT</i>
# <i>iptables -P OUTPUT ACCEPT</i>
# <i>iptables -P FORWARD DROP</i>

<comment>Copy and paste these examples ...</comment>
# <i>export LAN=eth0</i>
# <i>export WAN=eth1</i>

<comment>Then we lock our services so they only work from the LAN
(the negation is written before the option, '! -i'; old iptables releases also accepted '-i !')</comment>
# <i>iptables -I INPUT 1 -i ${LAN} -j ACCEPT</i>
# <i>iptables -I INPUT 1 -i lo -j ACCEPT</i>
# <i>iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT</i>
# <i>iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT</i>

<comment>(Optional) Allow access to our ssh server from the WAN</comment>
# <i>iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT</i>

<comment>Drop TCP / UDP packets to privileged ports</comment>
# <i>iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP</i>
# <i>iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP</i>

<comment>Finally we add the rules for NAT</comment>
# <i>iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP</i>
# <i>iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT</i>
# <i>iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT</i>
# <i>iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE</i>
<comment>Tell the kernel that ip forwarding is OK</comment>
# <i>echo 1 > /proc/sys/net/ipv4/ip_forward</i>
# <i>for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done</i>

<comment>This is so when we boot we don't have to run the rules by hand</comment>
# <i>/etc/init.d/iptables save</i>
# <i>rc-update add iptables default</i>
# <i>nano /etc/sysctl.conf</i>
<comment>Add/Uncomment the following lines:</comment>
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1

<comment>If you have a dynamic internet address you probably want to enable this:</comment>
net.ipv4.ip_dynaddr = 1
</pre>

<p>
Once you've typed out all of that, the rest of your network should now be able
to use the internet as if they were directly connected themselves.
</p>

<p>
The ip_dynaddr option is useful for dial-on-demand systems or when your ISP
gives out dynamic addresses. This works around the problem where a connection
is attempted before the internet interface is fully set up. Really this just
provides for a smoother network experience for users behind your router.
</p>
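<p>
The rules above leave INPUT at ACCEPT and rely on per-port DROPs, so any
service the router listens on above port 1023 stays reachable from the WAN,
and the FORWARD chain accepts everything arriving on the WAN for 192.168/16
without asking whether a LAN host started the conversation. The script below
is an added example and not part of this guide: it generates a complete
iptables-restore file from the guide's conventions (eth0 = LAN, eth1 = WAN,
192.168.0.0/24) with INPUT defaulting to DROP, WAN-to-LAN forwarding limited
to connections tracked as ESTABLISHED/RELATED or DNAT'ed by a port forward,
and an anti-spoof drop for LAN addresses arriving on the WAN. The
<c>-m conntrack --ctstate</c> match and the <c>! -i</c> negation are the
modern spellings; interface names and network are parameters, not
assumptions about your box.
</p>

```shell
#!/bin/sh
# Added example, not part of the Gentoo guide: emit an iptables-restore ruleset
# for the router. Usage: gen_ruleset LAN WAN LANNET ALLOW_WAN_SSH(yes|no)
gen_ruleset() {
    lan="$1"; wan="$2"; lannet="$3"; wan_ssh="$4"
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Services on the router (dnsmasq, ntpd, sshd) answer only on lo and the LAN.
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -i $lan -s $lannet -j ACCEPT"
    # Anti-spoofing: LAN addresses never legitimately arrive on the WAN side.
    echo "-A INPUT -i $wan -s $lannet -j DROP"
    echo "-A FORWARD -i $wan -s $lannet -j DROP"
    # Replies to connections the router itself opened.
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Optional: administrative ssh from the WAN (the guide's optional rule).
    if [ "$wan_ssh" = yes ]; then
        echo "-A INPUT -i $wan -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    fi
    # As in the guide: do not route LAN hosts to other private 192.168/16 space.
    echo "-A FORWARD -i $lan -d 192.168.0.0/16 -j DROP"
    # LAN hosts may open anything towards the WAN.
    echo "-A FORWARD -i $lan -o $wan -s $lannet -j ACCEPT"
    # WAN to LAN only for replies, or for connections a port forward DNAT'ed.
    echo "-A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A FORWARD -i $wan -o $lan -m conntrack --ctstate DNAT -j ACCEPT"
    echo 'COMMIT'
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Masquerade only traffic that really comes from the LAN network.
    echo "-A POSTROUTING -o $wan -s $lannet -j MASQUERADE"
    echo 'COMMIT'
}

# gen_sysctl DYNADDR(yes|no): the /etc/sysctl.conf lines the guide adds, with
# rp_filter set for all interfaces as well as the default.
gen_sysctl() {
    echo 'net.ipv4.ip_forward = 1'
    echo 'net.ipv4.conf.default.rp_filter = 1'
    echo 'net.ipv4.conf.all.rp_filter = 1'
    if [ "$1" = yes ]; then echo 'net.ipv4.ip_dynaddr = 1'; fi
}

# Demonstration: print the ruleset for the guide's conventions, no WAN ssh.
gen_ruleset eth0 eth1 192.168.0.0/24 no
```

<p>
On the router you would feed the output to <c>iptables-restore</c> (newer
versions accept <c>--test</c> to parse without applying) and then run
<c>/etc/init.d/iptables save</c> exactly as the guide does, so the ruleset
survives a reboot. Because INPUT defaults to DROP, any service you later add
on the router needs its own accept rule for the interface it should serve.
</p>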

</body>
</section>
</chapter>

<chapter>
<title>Fun Things (for a rainy day)</title>

<section>
<title>Intro</title>
<body>

<p>
Believe it or not, you're done :). From here on out, I'll cover a bunch of
common topics that may interest you. Everything in this chapter is completely
optional.
</p>

</body>
</section>

<section>
<title>Port Forwarding</title>
<body>

<p>
Sometimes you would like to be able to host services on a computer behind the
router, or just to make your life easier when connecting remotely. Perhaps you
want to run an FTP, HTTP, SSH, or VNC server on one or more machines behind your
router and be able to connect to them all. The only caveat is that you can
only have one service/machine combo per port. For example, there is no
practical way to set up three FTP servers behind your router and then try to
connect to them all through port 21; only one can be on port 21 while the
others would have to be on, say, port 123 and port 567.
</p>

<p>
All the port forwarding rules are of the form <c>iptables -t nat -A PREROUTING
[-p protocol] --dport [external port on router] -i ${WAN} -j DNAT --to [ip/port
to forward to]</c>. Unfortunately, iptables does not accept hostnames when port
forwarding. If you are forwarding an external port to the same port on the
internal machine, you can omit the destination port. See the iptables(8) man
page for more information.
</p>

<pre caption="Running the iptables commands">
<comment>Copy and paste these examples ...</comment>
# <i>export LAN=eth0</i>
# <i>export WAN=eth1</i>

<comment>Forward port 2 to ssh on an internal host</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 2 -i ${WAN} -j DNAT --to 192.168.0.2:22</i>

<comment>FTP forwarding to an internal host</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 21 -i ${WAN} -j DNAT --to 192.168.0.56</i>

<comment>HTTP forwarding to an internal host</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to 192.168.0.56</i>

<comment>VNC forwarding for internal hosts</comment>
# <i>iptables -t nat -I PREROUTING -p tcp --dport 5900 -i ${WAN} -j DNAT --to 192.168.0.2</i>
# <i>iptables -t nat -I PREROUTING -p tcp --dport 5901 -i ${WAN} -j DNAT --to 192.168.0.3:5900</i>
<comment>If you want to VNC in to 192.168.0.3, then just add ':1' to the router's hostname</comment>

<comment>SAMBA forwarding to an internal host (excess ports to cover Windows)</comment>
# <i>iptables -t nat -I PREROUTING -p tcp --dport 135 -i ${WAN} -j DNAT --to 192.168.0.2</i>
# <i>iptables -t nat -I PREROUTING -p tcp --dport 139 -i ${WAN} -j DNAT --to 192.168.0.2</i>
# <i>iptables -t nat -I PREROUTING -p tcp --dport 445 -i ${WAN} -j DNAT --to 192.168.0.2</i>
# <i>iptables -t nat -I PREROUTING -p udp --dport 137:138 -i ${WAN} -j DNAT --to 192.168.0.2</i>
# <i>iptables -t nat -I PREROUTING -p udp --dport 445 -i ${WAN} -j DNAT --to 192.168.0.2</i>

<comment>Bittorrent forwarding</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 6881:6889 -i ${WAN} -j DNAT --to 192.168.0.2</i>

<comment>eDonkey/eMule forwarding</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 4662 -i ${WAN} -j DNAT --to 192.168.0.55</i>

<comment>Game Cube Warp Pipe support</comment>
# <i>iptables -t nat -A PREROUTING -p udp --dport 4000 -i ${WAN} -j DNAT --to 192.168.0.56</i>

<comment>Playstation 2 Online support</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 10070:10080 -i ${WAN} -j DNAT --to 192.168.0.11</i>
# <i>iptables -t nat -A PREROUTING -p udp --dport 10070:10080 -i ${WAN} -j DNAT --to 192.168.0.11</i>

<comment>Xbox Live</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 3074 -i ${WAN} -j DNAT --to 192.168.0.69</i>
# <i>iptables -t nat -A PREROUTING -p udp --dport 3074 -i ${WAN} -j DNAT --to 192.168.0.69</i>
# <i>iptables -t nat -A PREROUTING -p udp --dport 88 -i ${WAN} -j DNAT --to 192.168.0.69</i>
</pre>

<note>
If you have other common / cool examples, please <mail
link="vapier@gentoo.org">e-mail me</mail>.
</note>
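<p>
Typing the rules one by one makes the two caveats above easy to violate: the
same external port mapped to two hosts (only the first rule wins, silently)
and a hostname where iptables wants an address. The script below is an added
example and not part of this guide: it keeps the forwards in one small table,
refuses the table if a proto/port pair repeats or a target is not numeric,
and only then prints the PREROUTING rules. The table reuses the hosts and
ports from the guide's own examples; the <c>--to-destination</c> spelling is
the long form of the guide's <c>--to</c>.
</p>

```shell
#!/bin/sh
# Added example, not part of the Gentoo guide: generate port-forwarding rules
# from a table and reject tables that break the one-service-per-port rule.
# Table format, one forward per line: proto external_port internal_ip[:port]
# (entries below are the guide's sample hosts; adjust to your LAN).
FORWARDS="
tcp 2 192.168.0.2:22
tcp 21 192.168.0.56
tcp 80 192.168.0.56
tcp 5900 192.168.0.2
tcp 5901 192.168.0.3:5900
udp 3074 192.168.0.69
"

# dnat_rule WAN PROTO EXTPORT TARGET: one PREROUTING rule. Without ':port' in
# TARGET, iptables reuses the external port on the internal host.
dnat_rule() {
    echo "iptables -t nat -A PREROUTING -i $1 -p $2 --dport $3 -j DNAT --to-destination $4"
}

# forwards_ok TABLE: return 1 (and say why) if a target is not a numeric
# address or the same proto/external port appears twice.
forwards_ok() {
    bad=$(printf '%s\n' "$1" | awk 'NF == 3 { if ($3 !~ /^[0-9.]+(:[0-9]+)?$/) print $3 }')
    if [ -n "$bad" ]; then
        echo "not an IP address (iptables does not resolve names here): $bad"
        return 1
    fi
    dups=$(printf '%s\n' "$1" | awk 'NF == 3 { print $1, $2 }' | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "external port mapped more than once: $dups"
        return 1
    fi
    return 0
}

# gen_forwards WAN TABLE: validate the table, then print one rule per line.
gen_forwards() {
    wan="$1"; table="$2"
    forwards_ok "$table" || return 1
    printf '%s\n' "$table" | while read -r proto port target; do
        [ -n "$proto" ] || continue    # skip blank lines
        dnat_rule "$wan" "$proto" "$port" "$target"
    done
}

# Demonstration with the table above; on the router pipe the output to sh
# after exporting WAN, or paste the lines as the guide does.
gen_forwards eth1 "$FORWARDS"
```

<p>
Checking for duplicates before touching the nat table is what makes the
"one service/machine combo per port" rule visible: with plain
<c>iptables -A</c> a second rule for the same port would simply never match.
</p>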

</body>
</section>

<section>
<title>Identd (for IRC)</title>
<body>

<p>
Internet Relay Chat utilizes the ident service pretty heavily. Now that the
IRC clients are behind the router, we need a way to host ident for both the
router and the clients. One such server has been created called
<c>midentd</c>.
</p>

<pre caption="Setting up ident">
# <i>emerge midentd</i>
# <i>rc-update add midentd default</i>
# <i>/etc/init.d/midentd start</i>
</pre>

<p>
There are a few other ident servers in portage. Depending on your needs, I
would recommend checking out <c>oidentd</c> and <c>fakeidentd</c>.
</p>

</body>
</section>

<!--
<section>
<title>Traffic Shaping</title>
<body>
<p>
This is an attempt to simplify and Gentooify the <uri link="http://www.tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/">ADSL Bandwidth Management HOWTO</uri>
found over at the TLDP. Feel free to refer to the original document
for more details.
</p>

<p>
Here we will be setting up what some people refer to as a "Packet Shaper",
<uri link="http://en.wikipedia.org/wiki/Traffic_shaping">"Traffic Shaping"</uri>,
or <uri link="http://en.wikipedia.org/wiki/QoS">"Quality of Service"</uri>.
Simply put, we want to setup rules on our router that will slow down
certain activities (like sending large e-mails or downloading from P2P
networks) while keeping other activities (like browsing the web or playing
online video games) reasonably fast. A 30 second difference in a video
game is a lot worse than a 30 second difference in downloading large
files :).
</p>

<p>
The first thing is to make sure your kernel has all the features added to
it. See the chapter on <uri link="#doc_chap2">Kernel setup</uri> for more
information. Next, you will need to <c>emerge iptables iputils</c> so that
you will have access to the <c>iptables</c>, <c>ip</c>, and <c>tc</c>
commands.
</p>

<p>
Before we jump into the commands, let's cover a little of the theory. The
way this whole system works is to classify common network streams and then
to prioritize them. You use iptables to classify network streams, iputils
to define the different priority levels, and the kernel to adjust speeds.
Just remember that although you can control outbound traffic pretty tightly
(from the LAN to the WAN), your ability to control inbound traffic (from
the WAN to the LAN) is somewhat limited. Just remember that the following
examples are to get your feet wet; if you want more then I'd suggest
reading up on the subject. In this example, we will be using the
<uri link="http://luxik.cdi.cz/~devik/qos/htb/">Hierarchical Token Buckets (HTB)</uri>
packet scheduling algorithm. Still with me? Great, let's start shaping :).
</p>

<pre caption="Setup">
DEV=eth1 <comment>NIC connected to WAN</comment>
RATE_OUT=100 <comment>Available outbound bandwidth (in kilobits [kb])</comment>
RATE_IN=1400 <comment>Available inbound bandwidth (in kb)</comment>

<comment>Here we initialize the priority system. The 45 is used to set the default classification level.</comment>
ip link set dev ${DEV} qlen 30
tc qdisc add dev ${DEV} root handle 1: htb default 45
tc class add dev ${DEV} parent 1: classid 1:1 htb rate ${RATE_OUT}kbit
</pre>

<p>
Here we initialized the system which will be used to prioritize all of
our network traffic. We created our queue, told it to use the HTB
algorithm, and set the default classification level to '45'. The
default is completely arbitrary, as are the levels we choose from
here on out. The only thing that matters is how the levels compare
relatively; a level '10' packet will be given preference over a
level '45' packet. Let's move on to declaring different levels.
</p>

<pre caption="Declaring levels">
tc class add dev $DEV parent 1:1 classid 1:10 htb rate $rkbit ceil $tkbit prio $p
tc qdisc add dev $DEV parent 1:10 handle 10: sfq
</pre>
</body>
</section>
-->
662    
663 vapier 1.3 <section>
664 vapier 1.9 <title>Time Server</title>
665     <body>
666 neysx 1.23
667 vapier 1.9 <p>
668 vapier 1.24 Keeping your system time correct is essential in maintaining a healthy system.
669 neysx 1.23 One of the most common ways of accomplishing this is with the Network Time
670     Protocol (NTP) and the ntp package (which provides implementations for both
671     server and client).
672 vapier 1.9 </p>
673    
674     <p>
675 neysx 1.23 Many people run ntp clients on their computers. Obviously, the more clients in
676     the world, the larger the load the ntp servers need to shoulder. In
677     environments like home networks though, we can help keep the load down on
678     public servers while still providing the proper time to all our computers. As
679     an added bonus, our private updates will be a lot faster for the clients too!
680     All we have to do is run a ntp server on our router that synchronizes itself
681     with the public internet servers while providing the time to the rest of the
682     computers in the network. To get started, simply <c>emerge ntp</c> on the
683 vapier 1.9 router.
684     </p>
685    
686     <pre caption="Setting up the NTP server">
687     # <i>nano /etc/conf.d/ntp-client</i>
688     <comment>Customize if you wish but the defaults should be fine</comment>
689     # <i>rc-update add ntp-client default</i>
690    
691     # <i>nano /etc/ntp.conf</i>
692 neysx 1.23 <comment>Add the follwing lines:</comment>
693 vapier 1.9 restrict default ignore
694     restrict 192.168.0.0 mask 255.255.255.0 notrust nomodify notrap
695 neysx 1.23 <comment>These will allow only ntp clients with an IP
696     address in the 192.168.0.xxx range to use your ntp server</comment>
697 vapier 1.9 # <i>nano /etc/conf.d/ntpd</i>
698     <comment>Customize if you wish but the defaults should be fine</comment>
699 vapier 1.17 # <i>rc-update add ntpd default</i>
700 vapier 1.9
701     # <i>/etc/init.d/ntp-client start</i>
702     # <i>/etc/init.d/ntpd start</i>
703     </pre>
704    
705 vapier 1.22 <note>
706 neysx 1.23 You should make sure that you allow inbound and outbound communication on the
707     ntp port (123/udp) when setting up the server. The client just needs outbound
708     access on port 123 over udp.
709 vapier 1.22 </note>
710    
711 vapier 1.9 <p>
712 neysx 1.23 Now, on your clients, have them <c>emerge ntp</c> also. However, we will just
713     run the ntp client so setup is a lot simpler.
714 vapier 1.9 </p>
715    
716     <pre caption="Setting up a NTP client">
717     # <i>nano /etc/conf.d/ntp-client</i>
718     <comment>Change the 'pool.ntp.org' server in the NTPCLIENT_OPTS variable to '192.168.0.1'</comment>
719     # <i>rc-update add ntp-client default</i>
720     # <i>/etc/init.d/ntp-client start</i>
721     </pre>
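<p>
As an added example (not part of the original guide), the following shell script
generates the <c>restrict</c> lines above for any LAN and audits an
<path>/etc/ntp.conf</path> fragment for the two things that matter most on a
router: a <c>restrict default</c> line that stops the daemon from answering the
whole internet (an ntpd that answers anyone can be abused for traffic
amplification), and <c>nomodify</c> on every other <c>restrict</c> line so LAN
clients can read the time but not reconfigure the server. The function names and
the sample fragments are this example's own.
</p>

```sh
#!/bin/sh
# Added example, not part of the Gentoo guide: generate and audit the "restrict"
# lines of an ntp.conf fragment so the router's ntpd serves only the LAN and
# lets no client reconfigure it. Only the restrict syntax shown in the guide
# is understood; function names and sample fragments are this example's own.

# ntp_restrict_lines LAN NETMASK: print the two lines the guide adds, for any LAN.
ntp_restrict_lines() {
    printf 'restrict default ignore\n'
    printf 'restrict %s mask %s notrust nomodify notrap\n' "$1" "$2"
}

# ntp_audit CONF: print one finding per problem; return 0 when the fragment is clean.
ntp_audit() {
    conf=$1
    rc=0
    if ! printf '%s\n' "$conf" | grep -q '^restrict default'; then
        echo 'finding: no "restrict default" line, so any host on the internet may query this ntpd'
        rc=1
    elif ! printf '%s\n' "$conf" | grep '^restrict default' | grep -Eq 'ignore|noquery'; then
        echo 'finding: "restrict default" lacks ignore/noquery, so any host may query this ntpd'
        rc=1
    fi
    # Every other restrict line should carry nomodify: clients get the time but
    # cannot change the daemon's configuration at run time.
    bad=$(printf '%s\n' "$conf" | grep '^restrict ' | grep -v '^restrict default' | grep -vc nomodify || true)
    if [ "$bad" -ne 0 ]; then
        echo "finding: $bad restrict line(s) without nomodify"
        rc=1
    fi
    return $rc
}

# Constructed samples: the guide's two lines, and a weak fragment with no
# default rule and a LAN rule that still allows modification.
GUIDE_NTP_CONF=$(ntp_restrict_lines 192.168.0.0 255.255.255.0)
WEAK_NTP_CONF='server pool.ntp.org
restrict 192.168.0.0 mask 255.255.255.0'

echo '--- guide fragment ---'
ntp_audit "$GUIDE_NTP_CONF" || echo 'audit: problems found'
echo '--- weak fragment ---'
ntp_audit "$WEAK_NTP_CONF" || echo 'audit: problems found'
```

<p>
Two caveats worth checking after adding the guide's lines: <c>restrict default
ignore</c> also applies to replies from the upstream servers ntpd polls, so if the
router never reaches a synchronized state, add a <c>restrict</c> line (with
<c>nomodify notrap noquery</c>) for each upstream server; and in ntp 4.2 and later
<c>notrust</c> means "require cryptographically authenticated packets", so LAN
clients without keys will be refused until that keyword is dropped.
</p>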
722 neysx 1.23
723 vapier 1.9 </body>
724     </section>
725    
726     <section>
727 vapier 1.29 <title>Rsync Server</title>
728     <body>
729    
730     <p>
731     If you run several Gentoo boxes on the same LAN, you usually don't want
732     every one of them running <c>emerge sync</c> against the remote servers. By
733     setting up a local rsync server, you save both your own bandwidth and the
734     Gentoo rsync servers' bandwidth. It's pretty simple to do.
735     </p>
736 neysx 1.45
737 vapier 1.29 <note>
738 neysx 1.45 For a much more in-depth rsync guide, please see the official <uri
739     link="/doc/en/rsync.xml#local">rsync guide</uri>.
740 vapier 1.29 </note>
741    
742     <p>
743     Since every Gentoo machine requires rsync, there's no need to emerge it. Edit
744     the default <path>/etc/rsyncd.conf</path> config file, uncomment the
745     <c>[gentoo-portage]</c> section, and make sure you add an <c>address</c>
746     option. All the other defaults should be fine.
747     </p>
748    
749     <pre caption="Rsync server config">
750     pid file = /var/run/rsyncd.pid
751     use chroot = yes
752     read only = yes
753     address = 192.168.0.1
754    
755     [gentoo-portage]
756 neysx 1.41 path = /mnt/space/portage
757     comment = Gentoo Linux Portage tree
758     exclude = /distfiles /packages
759 vapier 1.29 </pre>
760    
761     <p>
762     Then you need to start the service (again, the defaults are OK).
763     </p>
764    
765     <pre caption="Starting the rsync server">
766     # <i>/etc/init.d/rsyncd start</i>
767     # <i>rc-update add rsyncd default</i>
768     </pre>
769    
770     <p>
771     The only thing left is to tell your clients to sync against the router.
772     </p>
773    
774     <pre caption="Client SYNC settings in make.conf">
775     SYNC="rsync://192.168.0.1/gentoo-portage"
776     </pre>
777    
778     </body>
779     </section>
780    
781     <section>
782 vapier 1.3 <title>Mail Server</title>
783     <body>
784 neysx 1.23
785 vapier 1.3 <p>
786 neysx 1.23 Sometimes it's nice to run your own Simple Mail Transfer Protocol (SMTP) server
787     on the router. You may have your own reason for wanting to do so, but I run it
788     so that the users see mail as being sent instantly and the work of
789     retrying/routing is left up to the mail server. Some ISPs also don't allow for
790     mail relaying for accounts that aren't part of their network (like Verizon).
791     Also, you can easily throttle the delivery of mail so that large attachments
792     won't seriously lag your connection for half an hour.
793 vapier 1.4 </p>
794    
795     <pre caption="Setting up SMTP">
796 nightmorph 1.56 # <i>emerge netqmail</i>
797 vapier 1.4 <comment>make sure the output of `hostname` is correct</comment>
798 nightmorph 1.56 # <i>emerge --config netqmail</i>
799 vapier 1.30 # <i>iptables -I INPUT -p tcp --dport smtp -i ! ${LAN} -j REJECT</i>
800 vapier 1.4 # <i>ln -s /var/qmail/supervise/qmail-send /service/qmail-send</i>
801 vapier 1.10 # <i>ln -s /var/qmail/supervise/qmail-smtpd /service/qmail-smtpd</i>
802 vapier 1.13 <!--
803 vapier 1.4 # <i>cd /etc/tcprules.d</i>
804     # <i>nano tcp.qmail-smtp</i>
805 vapier 1.13 -->
806     # <i>cd /etc</i>
807     # <i>nano tcp.smtp</i>
808 neysx 1.23 <comment>Add an entry like so to the allow section:</comment>
809     192.168.0.:allow,RELAYCLIENT=""
810 vapier 1.13 <!--
811 vapier 1.4 # <i>tcprules tcp.qmail-qmtp.cdb rules.tmp &lt; tcp.qmail-smtp</i>
812 vapier 1.13 -->
813     # <i>tcprules tcp.smtp.cdb rules.tmp &lt; tcp.smtp</i>
814 vapier 1.4 # <i>rc-update add svscan default</i>
815     # <i>/etc/init.d/svscan start</i>
816     </pre>
817    
818     <p>
819 nightmorph 1.56 I'm a huge fan of netqmail, but you're free to use a different mta :). When you
820 neysx 1.23 setup e-mail on the hosts in your network, tell them that their SMTP server is
821     192.168.0.1 and everything should be peachy. You might want to visit the <uri
822 nightmorph 1.56 link="http://netqmail.org/">netqmail homepage</uri> for more documentation.
823 vapier 1.3 </p>
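<p>
The <path>tcp.smtp</path> entry above decides which hosts qmail-smtpd will relay
for, so it is worth understanding how tcpserver matches it. The following shell
script is an added example (not part of the guide, and not netqmail's or
ucspi-tcp's own code): it resolves a client address against a rule set the way
tcpserver does (exact IP first, then shorter dotted prefixes, then the empty
default rule) and flags rule sets that would make the router an open relay. The
function names and the sample rule sets are this example's own; hostname rules
are not handled.
</p>

```sh
#!/bin/sh
# Added example, not part of the Gentoo guide or of netqmail/ucspi-tcp: resolve a
# client IP against a tcp.smtp rule set the way tcpserver does and flag rule
# sets that would turn qmail-smtpd into an open relay. Assumes the IPv4 rule
# syntax used in the guide; =hostname rules are not handled.

# tcprules_lookup RULES IP: print the instruction (e.g. 'allow,RELAYCLIENT=""')
# tcpserver would apply to IP. Search order: exact IP, then each shorter dotted
# prefix ("192.168.0.", "192.168.", "192."), then the empty default rule.
# With no matching rule tcpserver allows the connection without setting any
# variable, so plain 'allow' is printed in that case.
tcprules_lookup() {
    rules=$1
    ip=$2
    for key in "$ip" "${ip%.*}." "${ip%.*.*}." "${ip%.*.*.*}." ""; do
        # escape the dots so grep matches them literally
        pattern=$(printf '%s' "$key" | sed 's/\./\\./g')
        match=$(printf '%s\n' "$rules" | grep "^$pattern:" | head -n 1)
        if [ -n "$match" ]; then
            printf '%s\n' "${match#*:}"
            return 0
        fi
    done
    printf 'allow\n'
}

# relay_granted RULES IP: true when IP may relay mail through qmail-smtpd,
# i.e. the matching instruction allows the connection and sets RELAYCLIENT.
relay_granted() {
    case $(tcprules_lookup "$1" "$2") in
        allow*RELAYCLIENT*) return 0 ;;
        *) return 1 ;;
    esac
}

# open_relay_check RULES: fail when the default (empty-address) rule, which
# matches every host not covered by a more specific rule, grants RELAYCLIENT.
open_relay_check() {
    if printf '%s\n' "$1" | grep -q '^:.*RELAYCLIENT'; then
        echo 'finding: default rule grants RELAYCLIENT, qmail-smtpd would be an open relay'
        return 1
    fi
    return 0
}

# Constructed samples based on the guide's tcp.smtp entry.
GUIDE_RULES='192.168.0.:allow,RELAYCLIENT=""
:allow'
OPEN_RELAY_RULES=':allow,RELAYCLIENT=""'

echo "192.168.0.5: $(tcprules_lookup "$GUIDE_RULES" 192.168.0.5)"
echo "10.0.0.5:    $(tcprules_lookup "$GUIDE_RULES" 10.0.0.5)"
open_relay_check "$GUIDE_RULES" || true
open_relay_check "$OPEN_RELAY_RULES" || true
```

<p>
The iptables rule in the listing above (rejecting SMTP on every interface except
<c>${LAN}</c>) is the first line of defence; the <path>tcp.smtp</path> rule set is
the second, and it is the one that still applies if the firewall rule is ever
lost. After editing <path>tcp.smtp</path>, remember that tcpserver reads the
compiled <path>tcp.smtp.cdb</path>, so the <c>tcprules</c> step has to be rerun.
</p>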
824 neysx 1.23
825 vapier 1.3 </body>
826     </section>
827    
828 vapier 1.4 <!--
829 vapier 1.3 <section>
830 vapier 1.4 <title>E-mail Virus Scanning</title>
831 vapier 1.3 <body>
832     <p>
833 vapier 1.4 If you'd like to provide e-mail virus scanning for your users, but
834     don't want to have to install a virus scanner on every single machine,
835     then <c>pop3vscan</c> may just be the thing for you; a transparent
836     Post Office Protocol (POP) scanner.
837 vapier 1.3 </p>
838 vapier 1.4
839     <pre caption="Setting up pop3vscan">
840     TODO
841     </pre>
842    
843 vapier 1.3 </body>
844     </section>
845 vapier 1.4 -->
846 vapier 1.3
847 vapier 1.33 <section>
848     <title>Full DHCP Server</title>
849     <body>
850    
851     <p>
852     Earlier we used dnsmasq to provide DHCP service to all our clients. For most
853     people with a simple small LAN, this is perfect. But you may need something
854     with more features. Thus we turn to a full-featured DHCP server as provided
855     by the <uri link="http://www.isc.org/products/DHCP">ISC</uri> folks.
856     </p>
857    
858     <pre caption="Setting up dhcpd">
859     # <i>emerge dhcp</i>
860     # <i>nano /etc/dhcp/dhcpd.conf</i>
861     <comment>(Here is a sample configuration file:)</comment>
862     authoritative;
863     ddns-update-style interim;
864     subnet 192.168.0.0 netmask 255.255.255.0 {
865     range 192.168.0.100 192.168.0.250;
866     default-lease-time 259200;
867     max-lease-time 518400;
868     option subnet-mask 255.255.255.0;
869     option broadcast-address 192.168.0.255;
870     option routers 192.168.0.1;
871     option domain-name-servers 192.168.0.1;
872     }
873 vapier 1.44 # <i>nano /etc/conf.d/dhcpd</i>
874 vapier 1.33 <comment>(Set IFACE="eth0")</comment>
875 vapier 1.44 # <i>rc-update add dhcpd default</i>
876     # <i>/etc/init.d/dhcpd start</i>
877 vapier 1.33 </pre>
878    
879     <p>
880     This is the minimal setup required to replace the dnsmasq DHCP functionality
881     that we used earlier. Speaking of which, you did remember to disable the DHCP
882     features in dnsmasq didn't you? If not, you should do so now (just comment
883     out the <c>dhcp-range</c> setting in <path>/etc/dnsmasq.conf</path> and restart
884     the service).
885     </p>
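<p>
A range that does not lie inside its subnet block is one of the typos that makes
dhcpd refuse to start (see the troubleshooting chapter below). The following shell
script is an added example (not part of the guide, and not ISC dhcpd's own code):
it does the subnet arithmetic in plain POSIX shell and checks the <c>range</c> of
a single-subnet <path>dhcpd.conf</path> like the one above against its
<c>subnet</c>/<c>netmask</c> declaration. The function names and the sample
configurations are this example's own; only contiguous netmasks are handled.
</p>

```sh
#!/bin/sh
# Added example, not part of the Gentoo guide or of ISC dhcpd: check that the
# "range" in a dhcpd.conf subnet block actually lies inside that subnet. Handles
# the single-subnet layout shown in the guide with a contiguous netmask.

# octet_net OCTET MASKOCTET: the network part of one address octet. For a
# contiguous mask the host block size is 256 - MASKOCTET, so the network value
# is the octet rounded down to a multiple of that block.
octet_net() {
    printf '%s\n' $(( $1 - $1 % (256 - $2) ))
}

# ip_in_subnet IP NETWORK NETMASK: true when IP belongs to NETWORK/NETMASK.
# Runs in a subshell so the IFS change stays local.
ip_in_subnet() (
    IFS=.
    # split the three dotted quads into positional parameters:
    # $1-$4 address, $5-$8 network, $9-$12 netmask
    set -- $1 $2 $3
    [ "$(octet_net "$1" "$9")" -eq "$5" ] || return 1
    [ "$(octet_net "$2" "${10}")" -eq "$6" ] || return 1
    [ "$(octet_net "$3" "${11}")" -eq "$7" ] || return 1
    [ "$(octet_net "$4" "${12}")" -eq "$8" ] || return 1
    return 0
)

# check_dhcp_range CONF: print a finding and fail when the range leaves the subnet.
check_dhcp_range() {
    subnet=$(printf '%s\n' "$1" | sed -n 's/^ *subnet \([0-9.]*\) netmask \([0-9.]*\).*/\1 \2/p' | head -n 1)
    range=$(printf '%s\n' "$1" | sed -n 's/^ *range \([0-9.]*\) \([0-9.]*\);.*/\1 \2/p' | head -n 1)
    if [ -z "$subnet" ] || [ -z "$range" ]; then
        echo 'finding: no subnet/range pair found'
        return 1
    fi
    set -- $subnet $range
    # $1 network, $2 netmask, $3 range start, $4 range end
    for addr in "$3" "$4"; do
        if ! ip_in_subnet "$addr" "$1" "$2"; then
            echo "finding: range address $addr is not on net $1/$2, dhcpd will refuse to start"
            return 1
        fi
    done
    return 0
}

# Constructed sample: the guide's subnet block, trimmed.
GUIDE_CONF='authoritative;
ddns-update-style interim;
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.100 192.168.0.250;
default-lease-time 259200;
max-lease-time 518400;
option routers 192.168.0.1;
}'
# Constructed typo: an address from the second LAN typed into the first one's range.
TYPO_CONF='subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.100 192.168.1.250;
}'

check_dhcp_range "$GUIDE_CONF" || echo 'guide config: problems found'
check_dhcp_range "$TYPO_CONF" || echo 'typo config: problems found'
```

<p>
This catches only one class of mistake; for everything else the advice in the
troubleshooting chapter (read the syslog output, or run dhcpd in the foreground)
still applies.
</p>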
886    
887     </body>
888     </section>
889    
890 vapier 1.38 <section>
891     <title>Connect Another LAN (or two or three or ...)</title>
892     <body>
893    
894     <p>
895     Sometimes you have need of connecting the router to another LAN. Maybe you
896     want to hook up a group of friends temporarily, or you're a neat freak and
897     want to section off different groups of computers, or you're just really
898     really bored. Whatever the reasons, extending the router to other LAN
899     networks should be pretty straightforward. In the following examples, I will
900     assume that this new network is connected via a third ethernet card, namely
901     <c>eth2</c>.
902     </p>
903    
904     <p>
905     First you need to configure the interface. Just take the instructions in the
906     <uri link="#doc_chap4_pre1">4.1 code listing</uri> and replace <c>eth0</c>
907     with <c>eth2</c> and <c>192.168.0</c> with <c>192.168.1</c>.
908     </p>
909    
910     <p>
911     Then you need to tweak dnsmasq to service the new interface. Just edit the
912     <path>/etc/conf.d/dnsmasq</path> file again and append <c>-i eth2</c> to
913     DNSMASQ_OPTS; using -i multiple times is OK. Then edit
914     <path>/etc/dnsmasq.conf</path> and add another line like the dhcp-range line
915     in the <uri link="#doc_chap5_pre1">5.1 code listing</uri>, replacing
916     <c>192.168.0</c> with <c>192.168.1</c>. Having multiple dhcp-range lines is
917     OK too.
918     </p>
919    
920     <p>
921     Finally, see the rules in the <uri link="#doc_chap5_pre2">5.2 code
922     listing</uri> and duplicate the rules that have <c>-i ${LAN}</c> in them. You
923     may want to create another variable, say <c>LAN2</c>, to make things easier.
924     </p>
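<p>
As an added example (not part of the guide), the following shell script does the
last step mechanically: it duplicates every rule that matches on <c>-i ${LAN}</c>
into an <c>-i ${LAN2}</c> version, and separately lists the rules that mention
<c>${LAN}</c> in some other position (for instance <c>-o ${LAN}</c>) so they get
reviewed by hand instead of silently staying LAN-only. The rule set inside it is
a constructed stand-in in the style of the guide's rules, not the 5.2 listing
itself, and the function names are this example's own.
</p>

```sh
#!/bin/sh
# Added example, not part of the Gentoo guide: derive the ${LAN2} rules by
# duplicating every rule that matches on "-i ${LAN}", and list the rules that
# reference ${LAN} some other way so they are reviewed rather than forgotten.
# SAMPLE_RULES is a constructed stand-in, not the guide's own 5.2 listing.

SAMPLE_RULES='iptables -A INPUT -i ${LAN} -j ACCEPT
iptables -A FORWARD -i ${LAN} -o ${WAN} -j ACCEPT
iptables -A FORWARD -i ${WAN} -o ${LAN} -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ${WAN} -j DROP'

# lan2_rules RULES: print a copy of each "-i ${LAN}" rule with -i ${LAN2} instead.
# sed -n with the p flag prints only the lines where the substitution happened.
lan2_rules() {
    printf '%s\n' "$1" | sed -n 's/-i \${LAN}/-i ${LAN2}/p'
}

# needs_review RULES: print rules that reference ${LAN} but not as "-i ${LAN}".
needs_review() {
    printf '%s\n' "$1" | grep -F -- '${LAN}' | grep -Fv -- '-i ${LAN}'
}

echo '--- rules to add for LAN2 ---'
lan2_rules "$SAMPLE_RULES"
echo '--- rules mentioning ${LAN} that need a manual decision ---'
needs_review "$SAMPLE_RULES" || true
```

<p>
Keep in mind that traffic between the two LANs also passes through the
<c>FORWARD</c> chain, so once both interfaces are in place, decide explicitly
whether hosts on <c>192.168.1.0/24</c> may reach hosts on <c>192.168.0.0/24</c>
rather than leaving it to whatever the duplicated rules happen to permit.
</p>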
925    
926     </body>
927     </section>
928    
929 vapier 1.4 </chapter>
930    
931     <chapter>
932 vapier 1.30 <title>Troubleshooting</title>
933 vapier 1.27
934     <section>
935     <title>Useful Tools</title>
936     <body>
937    
938     <p>
939     If you're having trouble getting your computers to communicate, you may want to
940     try out the following tools (they can all be found in the <c>net-analyzer</c>
941     portage category):
942     </p>
943    
944     <table>
945     <tr>
946     <th>Utility</th>
947     <th>Description</th>
948     </tr>
949     <tr>
950 vapier 1.53 <ti>wireshark</ti>
951 vapier 1.27 <ti>GUI tool to view all raw network data according to filters</ti>
952     </tr>
953     <tr>
954     <ti>tcpdump</ti>
955     <ti>Console tool to dump all raw network data according to filters</ti>
956     </tr>
957     <tr>
958     <ti>iptraf</ti>
959     <ti>ncurses based IP LAN monitor</ti>
960     </tr>
961     <tr>
962     <ti>ettercap</ti>
963     <ti>ncurses based network monitor/control</ti>
964     </tr>
965     </table>
966    
967     </body>
968     </section>
969    
970     <section>
971 vapier 1.31 <title>DHCP Fails To Start</title>
972     <body>
973    
974     <p>
975     When starting the dhcp init.d script for the first time, it may fail to load
976     but neglect to give you any useful info.
977     </p>
978    
979     <pre caption="DHCP Failing Example">
980     # <i>/etc/init.d/dhcp start</i>
981     * Setting ownership on dhcp.leases ... [ ok ]
982     * Starting dhcpd ... [ !! ]
983     </pre>
984    
985     <p>
986 vapier 1.49 The trick is to know where dhcpd is sending its output. Simply browse to
987     <path>/var/log</path> and read the log files. Since the exact log file depends
988 rane 1.46 on the package you are using as a syslog, try running <c>grep -Rl dhcpd
989 vapier 1.49 /var/log</c> to narrow down the possibilities. Chances are you made a typo in
990     your config file. You could also try running <c>dhcpd -d -f</c> (short for
991 rane 1.46 debug / foreground) and debug the error based upon the output.
992 vapier 1.31 </p>
993    
994     </body>
995     </section>
996    
997     <section>
998 vapier 1.27 <title>Incorrect MTU Value</title>
999     <body>
1000    
1001     <p>
1002 vapier 1.52 If you experience odd errors (such as not being able to access some webpages
1003     while others load fine), you may be having Path MTU Discovery trouble. The
1004     quick way to test is to run this iptables command:
1005 vapier 1.27 </p>
1006    
1007     <pre caption="Circumvent MTU issues">
1008     # <i>iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu</i>
1009     </pre>
1010    
1011     <p>
1012 nightmorph 1.54 This will affect all new connections, so just refresh the website you're having
1013     problems with in order to test. In case it helps, the standard MTU value for
1014     100mbit ethernet connections is <c>1500</c>; this value also applies to PPPoA.
1015     For PPPoE connections it is <c>1492</c>. For more info, you should read Chapter
1016     15 of the <uri link="http://lartc.org/howto/">Linux Advanced Routing &amp;
1017 vapier 1.27 Traffic Control HOWTO</uri>.
1018     </p>
1019    
1020     </body>
1021     </section>
1022    
1023 vapier 1.47 <section>
1024     <title>Unable to connect two machines directly</title>
1025     <body>
1026    
1027     <p>
1028     If (for whatever reason) you want to connect two machines directly together
1029 jkt 1.48 without a hub or switch, a regular ethernet cable will likely not work, unless
1030     you have an Auto MDI/MDI-X (also known as "autosensing") capable network
1031     adapter. You will need a different cable called a crossover cable. This <uri
1032 vapier 1.47 link="http://en.wikipedia.org/wiki/Ethernet_crossover_cable">Wikipedia</uri>
1033     page explains the low level details.
1034     </p>
1035    
1036     </body>
1037     </section>
1038    
1039 vapier 1.27 </chapter>
1040    
1041     <chapter>
1042 vapier 1.4 <title>Final Notes</title>
1043 vapier 1.3 <section>
1044     <body>
1045 neysx 1.23
1046 vapier 1.3 <p>
1047 neysx 1.23 I have no final notes other than if you experience any troubles with the guide,
1048     please contact <mail link="vapier@gentoo.org">me</mail> or file a bug with <uri
1049     link="http://bugs.gentoo.org/">Gentoo's Bugtracking Website</uri>. If you have
1050     some interesting bits you think would enhance this guide, by all means send it
1051     my way for inclusion.
1052 vapier 1.3 </p>
1053 neysx 1.23
1054 vapier 1.1 </body>
1055     </section>
1056     </chapter>
1057     </guide>
