
Diff of /xml/htdocs/doc/en/home-router-howto.xml


Revision 1.2 Revision 1.3
1<?xml version='1.0' encoding='UTF-8'?> 1<?xml version='1.0' encoding='UTF-8'?>
2<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/home-router-howto.xml,v 1.2 2004/07/22 14:32:26 vapier Exp $ --> 2<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/home-router-howto.xml,v 1.3 2004/07/22 16:09:18 vapier Exp $ -->
3<!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> 3<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
4 4
5<guide link="/doc/en/home-router-howto.xml"> 5<guide link="/doc/en/home-router-howto.xml">
6 6
7<title>Home Router Guide</title> 7<title>Home Router Guide</title>
34<p> 34<p>
35This guide will show you how to setup Network Address Translation (NAT) 35This guide will show you how to setup Network Address Translation (NAT)
36on the router (kernel and iptables), add and configure common services 36on the router (kernel and iptables), add and configure common services
37(Domain Name System (DNS) via dnsmasq, dhcp via dhcpcd, ADSL via 37(Domain Name System (DNS) via dnsmasq, dhcp via dhcpcd, ADSL via
38rp-pppoe), and conclude with more elaborate and fun things that can be 38rp-pppoe), and conclude with more elaborate and fun things that can be
39done (port forwarding, traffic shaping, http/ftp hosting, caching, etc...). 39done (port forwarding, traffic shaping, proxies/caching, etc...).
40</p> 40</p>
41 41
42<p> 42<p>
43Before getting started, there's a few basic requirements you must meet. 43Before getting started, there's a few basic requirements you must meet.
44First, you'll need a computer that has at least 2 Network Interface 44First, you'll need a computer that has at least 2 Network Interface
54<ul> 54<ul>
55 <li>eth0 - NIC connected to the Local Area Network (LAN)</li> 55 <li>eth0 - NIC connected to the Local Area Network (LAN)</li>
56 <li>eth1 - NIC connected to the Wide Area Network (WAN)</li> 56 <li>eth1 - NIC connected to the Wide Area Network (WAN)</li>
57 <li>LAN utilizes the private 192.168.0.xxx network</li> 57 <li>LAN utilizes the private 192.168.0.xxx network</li>
58 <li>router is hardcoded to the standard 192.168.0.1 IP</li> 58 <li>router is hardcoded to the standard 192.168.0.1 IP</li>
59 <li>router is running Linux 2.4 or 2.6; you're on your own with 2.0/2.2</li>
59</ul> 60</ul>
60 61
61<impo> 62<impo>
62Due to security precautions, I would highly suggest you shut down any 63Due to security precautions, I would highly suggest you shut down any
63unneeded services on the router until we have a chance to get the 64unneeded services on the router until we have a chance to get the
142<i> [s] HTB packet scheduler</i> 143<i> [s] HTB packet scheduler</i>
143<i> [s] Ingress Qdisc</i> 144<i> [s] Ingress Qdisc</i>
144</pre> 145</pre>
145<note> 146<note>
146Somethings may be slightly different in a 2.4 vs 2.6 kernel, but you 147Somethings may be slightly different in a 2.4 vs 2.6 kernel, but you
147should be able to figure it out :). 2.2 + ipchains is not covered here. 148should be able to figure it out :).
148</note> 149</note>
149 150
150</body> 151</body>
151</section> 152</section>
152</chapter> 153</chapter>
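Review bot: the retained note text at 147 still reads "Somethings may be slightly different"; since this hunk already edits the note, fix the typo in the same pass: "Some things may be slightly different in a 2.4 vs 2.6 kernel". Dropping "2.2 + ipchains is not covered here" is fine given that the assumptions list in this revision now states that the router runs Linux 2.4 or 2.6 and that 2.0/2.2 users are on their own.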
199# <i>ln -s net.eth0 /etc/init.d/net.eth1</i> 200# <i>ln -s net.eth0 /etc/init.d/net.eth1</i>
200# <i>rc-update add net.eth1 default</i> 201# <i>rc-update add net.eth1 default</i>
201# <i>/etc/init.d/net.eth1 start</i> 202# <i>/etc/init.d/net.eth1 start</i>
202</pre> 203</pre>
203 204
204<p> 205<warn>
205You should be all set to go now. 206When the DSL interface comes up, it will create ppp0. Although your NIC
206</p> 207is called eth1, the IP is actually bound to ppp0. From now on, when you
208see examples that utilize 'eth1', substitute with 'ppp0'.
209</warn>
207 210
208</body> 211</body>
209</section> 212</section>
210 213
211<section> 214<section>
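Review bot: the new warning should say what happens when a reader forgets the substitution, because the failure is silent: with the address bound to ppp0, any rule that matches on `-i eth1` (the NAT and filtering rules, and the port-forwarding examples later in this revision) will simply never see the WAN traffic, so the firewall looks configured while doing nothing. Suggest adding one sentence along the lines of "Rules written against eth1 will not match the PPPoE traffic at all" so the consequence of a missed substitution is explicit.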
424</pre> 427</pre>
425 428
426<p> 429<p>
427Once you've typed out all of that, the rest of your network should now 430Once you've typed out all of that, the rest of your network should now
428be able to use the internet as if they were directly connected 431be able to use the internet as if they were directly connected
429themselves. 432themselves.
430</p>
431
432<p> 433</p>
433Believe it or not, you're done :). The only thing left involves adding
434extra services to make your life (or the lives of your users) easier.
435</p>
436 434
437</body> 435</body>
438</section> 436</section>
439
440</chapter> 437</chapter>
441 438
439<chapter>
440<title>Fun Things (for a rainy day)</title>
441
442<section>
443<title>Intro</title>
444<body>
445<p>
446Believe it or not, you're done :). From here on out, I'll cover a bunch
447of common topics that may interest you. Everything in this chapter is
448completely optional.
449</p>
450</body>
451</section>
452
453<section>
454<title>Port Forwarding</title>
455<body>
456<p>
457Sometimes you would like to be able to host services on a computer behind
458the router, or just to make your life easier when connecting remotely.
459Perhaps you want to run a FTP, HTTP, SSH, or VNC server on one or more
460machines behind your router and be able to connect to them all. The only
461caveat is that you can only have one service/machine combo per port.
462For example, there is no practical way to setup three FTP servers behind
463your router and then try to connect to them all through port 21; only one
464can be on port 21 while the others would have to be on say port 123 and
465port 567.
466</p>
467
468<p>
469All the port forwarding rules are of the form <c>iptables -t nat -A PREROUTING
470[-p protocol] --dport [external port on router] -i eth1 -j DNAT --to [ip/port
471to forward to]</c>. iptables does not accept hostnames when port forwarding.
472If you are forwarding an external port to the same port on the internal machine,
473you can omit the destination port. See the iptables(8) page for more information.
474</p>
475
476<pre>
477<comment>Forward port 2 to ssh on an internal host</comment>
478# <i>iptables -t nat -A PREROUTING -p tcp --dport 2 -i eth1 -j DNAT --to 192.168.0.2:22</i>
479
480<comment>FTP forwarding to an internal host</comment>
481# <i>iptables -t nat -A PREROUTING -p tcp --dport 21 -i eth1 -j DNAT --to 192.168.0.56</i>
482
483<comment>HTTP forwarding to an internal host</comment>
484# <i>iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 -j DNAT --to 192.168.0.56</i>
485
486<comment>VNC forwarding for internal hosts</comment>
487# <i>iptables -t nat -I PREROUTING -p tcp --dport 5900 -i eth1 -j DNAT --to 192.168.0.2</i>
488# <i>iptables -t nat -I PREROUTING -p tcp --dport 5901 -i eth1 -j DNAT --to 192.168.0.3:5900</i>
489<comment>If you want to VNC in to 192.168.0.3, then just add ':1' to the router's hostname</comment>
490
491<comment>Bittorrent forwarding</comment>
492# <i>iptables -t nat -A PREROUTING -p tcp --dport 6881:6889 -i eth1 -j DNAT --to 192.168.0.2</i>
493</pre>
494
495<note>
496If you have other common / cool examples, please <uri link="mailto:vapier@gentoo.org">e-mail me</uri>.
497</note>
498</body>
499</section>
500
501<section>
502<title>Traffic Shaping</title>
503<body>
504<p>
505</p>
506</body>
507</section>
508
509<section>
510<title>Identd (for IRC)</title>
511<body>
512<p>
513Internet Relay Chat utilizes the ident service pretty heavily. Now that
514the IRC clients are behind the router, we need a way to host ident for
515both the router and the clients. One such server has been created
516called <c>midentd</c>.
517</p>
518
519<pre caption="Setting up ident">
520# <i>emerge midentd</i>
521# <i>rc-update add midentd default</i>
522# <i>/etc/init.d/midentd start</i>
523</pre>
524
525<p>
526There are a few other ident servers in portage. Depending on your needs,
527I would recommend checking out <c>oidentd</c> and <c>fakeidentd</c>.
528</p>
529</body>
530</section>
531
532<section>
533<title>Mail Server</title>
534<body>
535<p>
536</p>
537</body>
538</section>
539
540<section>
541<title>HTTP Proxy</title>
542<body>
543<p>
544</p>
545</body>
546</section>
547
548<section>
549<title>POP Scanning</title>
550<body>
551<p>
552</p>
553</body>
554</section>
555
556</chapter>
557
442</guide> 558</guide>
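Review bot: the generic rule at 469-471 shows `-p protocol` as optional, but `--dport` is an option of the tcp/udp match and is only available after `-p tcp` or `-p udp`; without it iptables rejects the command with an unknown-option error. Make `-p` mandatory in the template, as every concrete example in the `<pre>` block already does. Three further points on this hunk: (1) DNAT only rewrites the destination address; whether the rewritten packet is then forwarded depends on the FORWARD chain, so a reader whose FORWARD policy is DROP also needs a matching `-A FORWARD ... -j ACCEPT` for each forwarded port, which is worth a sentence next to the template. (2) The VNC examples at 487-488 use `-I` (insert at head of chain) while every other example uses `-A`; pick one, since the mixed forms change rule ordering without any explanation. (3) Traffic Shaping (502-507), Mail Server, HTTP Proxy and POP Scanning ship as empty `<p></p>` sections while the intro at 39 now advertises traffic shaping and proxies/caching; either add a short "not yet written" line to each or keep these sections out of the rendered document until they have content.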
