
Diff of /xml/htdocs/doc/en/home-router-howto.xml


Revision 1.22 Revision 1.23
1<?xml version='1.0' encoding='UTF-8'?> 1<?xml version='1.0' encoding='UTF-8'?>
2<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/home-router-howto.xml,v 1.22 2005/02/16 02:43:01 vapier Exp $ --> 2<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/home-router-howto.xml,v 1.23 2005/03/07 12:59:56 neysx Exp $ -->
3<!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> 3<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
4 4
5<guide link="/doc/en/home-router-howto.xml"> 5<guide link="/doc/en/home-router-howto.xml">
6 6
7<title>Home Router Guide</title> 7<title>Home Router Guide</title>
13<abstract> 13<abstract>
14This document details how to turn an old Gentoo machine into a router 14This document details how to turn an old Gentoo machine into a router
15for connecting your home network to the internet. 15for connecting your home network to the internet.
16</abstract> 16</abstract>
17 17
18<version>1.3</version> 18<version>1.4</version>
19<date>Feb 15 2005</date> 19<date>2005-03-07</date>
20 20
21<chapter> 21<chapter>
22<title>Introduction</title> 22<title>Introduction</title>
23<section> 23<section>
24<body> 24<body>
25 25
26<p> 26<p>
27Building your own router out of old spare parts has many advantages 27Building your own router out of old spare parts has many advantages over buying
28over buying a pre-made canned router by say Linksys. The biggest one by 28a pre-made canned router by say Linksys. The biggest one by far is control
29far is control over the connection. The other advantages are left up to 29over the connection. The other advantages are left up to your imagination;
30your imagination; just about anything can be done in this scenario, 30just about anything can be done in this scenario, it's just a matter of needing
31it's just a matter of needing it. 31it.
32</p>
33
34<p> 32</p>
33
34<p>
35This guide will show you how to setup Network Address Translation (NAT) 35This guide will show you how to setup Network Address Translation (NAT) on the
36on the router (kernel and iptables), add and configure common services 36router (kernel and iptables), add and configure common services (Domain Name
37(Domain Name System (DNS) via dnsmasq, dhcp via dhcpcd, ADSL via 37System (DNS) via dnsmasq, dhcp via dhcpcd, ADSL via rp-pppoe), and conclude
38rp-pppoe), and conclude with more elaborate and fun things that can be 38with more elaborate and fun things that can be done (port forwarding, traffic
39done (port forwarding, traffic shaping, proxies/caching, etc...). 39shaping, proxies/caching, etc...).
40</p>
41
42<p> 40</p>
41
42<p>
43Before getting started, there's a few basic requirements you must meet. 43Before getting started, there's a few basic requirements you must meet. First,
44First, you'll need a computer that has at least 2 Network Interface 44you'll need a computer that has at least 2 Network Interface Cards (NICs) in
45Cards (NICs) in it. Next, you'll need the configuration settings for 45it. Next, you'll need the configuration settings for your internet connection
46your internet connection (may include things like 46(may include things like IP/DNS/Gateway/username/password). Finally, you'll
47IP/DNS/Gateway/username/password). Finally, you'll need a bit of spare 47need a bit of spare time and some Gentoo loving.
48time and some Gentoo loving.
49</p> 48</p>
50 49
51<p> 50<p>
52The conventions used in this guide are: 51The conventions used in this guide are:
53</p> 52</p>
53
54<ul> 54<ul>
55 <li>eth0 - NIC connected to the Local Area Network (LAN)</li> 55 <li>eth0 - NIC connected to the Local Area Network (LAN)</li>
56 <li>eth1 - NIC connected to the Wide Area Network (WAN)</li> 56 <li>eth1 - NIC connected to the Wide Area Network (WAN)</li>
57 <li>LAN utilizes the private 192.168.0.xxx network</li> 57 <li>LAN utilizes the private 192.168.0.xxx network</li>
58 <li>router is hardcoded to the standard 192.168.0.1 IP</li> 58 <li>router is hardcoded to the standard 192.168.0.1 IP</li>
59 <li>router is running Linux 2.4 or 2.6; you're on your own with 2.0/2.2</li> 59 <li>router is running Linux 2.4 or 2.6; you're on your own with 2.0/2.2</li>
60</ul> 60</ul>
61 61
62<impo> 62<impo>
63Due to security precautions, I would highly suggest you shut down any 63Due to security precautions, I would highly suggest you shut down any unneeded
64unneeded services on the router until we have a chance to get the 64services on the router until we have a chance to get the firewall up and
65firewall up and rolling. To view the currently running services, just 65rolling. To view the currently running services, just run <c>rc-status</c>.
66run <c>rc-status</c>.
67</impo> 66</impo>
68 67
69</body> 68</body>
70</section> 69</section>
71</chapter> 70</chapter>
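Review bot: the second introduction paragraph still lists "dhcp via dhcpcd" as the LAN service this guide sets up, but dhcpcd is the DHCP client used for the dynamic-IP WAN setup later on; the server the guide actually installs for the LAN is dhcpd (from `emerge dhcp`). Since this commit already rewraps that paragraph, this is the place to change it to "DHCP server via dhcpd".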
74<title>Kernel setup (know thyself first)</title> 73<title>Kernel setup (know thyself first)</title>
75<section> 74<section>
76<body> 75<body>
77 76
78<p> 77<p>
79Your kernel needs to have the drivers running for both your NICs. To 78Your kernel needs to have the drivers running for both your NICs. To see if
80see if your cards are already setup, just run <c>ifconfig</c>. Your 79your cards are already setup, just run <c>ifconfig</c>. Your output may differ
81output may differ slightly from the following, that's fine. What 80slightly from the following, that's fine. What matters is that the interface
82matters is that the interface shows up at all. 81shows up at all.
83</p> 82</p>
83
84<pre caption="Checking NICs"> 84<pre caption="Checking NICs">
85# <i>ifconfig -a</i> 85# <i>ifconfig -a</i>
86eth0 Link encap:Ethernet HWaddr 00:60:F5:07:07:B8 86eth0 Link encap:Ethernet HWaddr 00:60:F5:07:07:B8
87 BROADCAST MULTICAST MTU:1500 Metric:1 87 BROADCAST MULTICAST MTU:1500 Metric:1
88 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 88 RX packets:0 errors:0 dropped:0 overruns:0 frame:0
97 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 97 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
98 collisions:0 txqueuelen:1000 98 collisions:0 txqueuelen:1000
99 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) 99 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
100 Interrupt:10 Base address:0x9400 100 Interrupt:10 Base address:0x9400
101</pre> 101</pre>
102
102<p> 103<p>
103If you do not see your two cards showing up and you're not sure what 104If you do not see your two cards showing up and you're not sure what kind of
104kind of cards you have, try running <c>lspci</c>. You can get that from 105cards you have, try running <c>lspci</c>. You can get that from <c>emerge
105<c>emerge pciutils</c>. Look for "Ethernet controller" in the output. 106pciutils</c>. Look for "Ethernet controller" in the output. Once you have
106Once you have this information, go into your kernel and add support for 107this information, go into your kernel and add support for the correct drivers.
107the correct drivers.
108</p>
109
110<p> 108</p>
109
110<p>
111The next thing you'll need is support for iptables and NAT (and packet 111The next thing you'll need is support for iptables and NAT (and packet shaping
112shaping if you want). The following list is split up into required 112if you want). The following list is split up into required (*), suggested (x),
113(*), suggested (x), and shaper (s) features. It does not matter whether 113and shaper (s) features. It does not matter whether you build the features
114you build the features into the kernel or as a module so long as when 114into the kernel or as a module so long as when the feature is needed, the
115the feature is needed, the correct module(s) are loaded (module loading 115correct module(s) are loaded (module loading is left to the reader as a fun
116is left to the reader as a fun exercise however). 116exercise however).
117</p> 117</p>
118
118<pre caption="Network Options"> 119<pre caption="Network Options">
119<i>Networking options ---&gt;</i> 120Networking options ---&gt;
120<i> [*] TCP/IP networking</i> 121 [*] TCP/IP networking
121<i> [*] IP: advanced router</i> 122 [*] IP: advanced router
122<i> [*] Network packet filtering (replaces ipchains)</i> 123 [*] Network packet filtering (replaces ipchains)
123<comment>If you use 2.4.x, you have to enable the following for DHCP:</comment> 124<comment>If you use 2.4.x, you have to enable the following for DHCP:</comment>
124<i> [*] Socket Filtering</i> 125 [*] Socket Filtering
125 126
126<i> IP: Netfilter Configuration ---&gt;</i> 127 IP: Netfilter Configuration ---&gt;
127<i> [*] Connection tracking (required for masq/NAT)</i> 128 [*] Connection tracking (required for masq/NAT)
128<i> [x] FTP protocol support</i> 129 [x] FTP protocol support
129<i> [x] IRC protocol support</i> 130 [x] IRC protocol support
130<i> [*] IP tables support (required for filtering/masq/NAT)</i> 131 [*] IP tables support (required for filtering/masq/NAT)
131<i> [*] IP range match support</i> 132 [*] IP range match support
132<i> [x] MAC address match support</i> 133 [x] MAC address match support
133<i> [*] Multiple port match support</i> 134 [*] Multiple port match support
134<i> [*] Packet filtering</i> 135 [*] Packet filtering
135<i> [*] REJECT target support</i> 136 [*] REJECT target support
136<i> [x] REDIRECT target support</i> 137 [x] REDIRECT target support
137<i> [*] Full NAT</i> 138 [*] Full NAT
138<i> [*] MASQUERADE target support</i> 139 [*] MASQUERADE target support
139<i> [s] Packet mangling</i> 140 [s] Packet mangling
140<i> [s] MARK target support</i> 141 [s] MARK target support
141<i> [x] LOG target support</i> 142 [x] LOG target support
142 143
143<i> QoS and/or fair queueing ---&gt;</i> 144 QoS and/or fair queueing ---&gt;
144<i> [s] QoS and/or fair queueing</i> 145 [s] QoS and/or fair queueing
145<i> [s] HTB packet scheduler</i> 146 [s] HTB packet scheduler
146<i> [s] Ingress Qdisc</i> 147 [s] Ingress Qdisc
147</pre> 148</pre>
149
148<note> 150<note>
149Somethings may be slightly different in a 2.4 vs 2.6 kernel, but you 151Somethings may be slightly different in a 2.4 vs 2.6 kernel, but you should be
150should be able to figure it out :). 152able to figure it out :).
151</note> 153</note>
152 154
153</body> 155</body>
154</section> 156</section>
155</chapter> 157</chapter>
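Review bot: the closing `<note>` reads "Somethings may be slightly different" in both columns; the commit rewraps that line anyway, so correct it to "Some things". Dropping the `<i>` wrappers from the kernel option lines is the right call: the guide uses `<i>` only for commands the reader types at the prompt (as in `# <i>ifconfig -a</i>`), and menuconfig entries are not typed.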
158<title>Hug the WAN (a.k.a. The Internet)</title> 160<title>Hug the WAN (a.k.a. The Internet)</title>
159 161
160<section> 162<section>
161<title>Intro</title> 163<title>Intro</title>
162<body> 164<body>
165
163<p> 166<p>
164There are many ways to connect to the internet so I'll just cover the 167There are many ways to connect to the internet so I'll just cover the ones I'm
165ones I'm familiar with. That leaves us with ADSL (PPPoE) and cable 168familiar with. That leaves us with ADSL (PPPoE) and cable modems
166modems (static/dynamic). If there are other methods out there, feel 169(static/dynamic). If there are other methods out there, feel free to write up
167free to write up a little blurb and e-mail me. Feel free to skip any of 170a little blurb and e-mail me. Feel free to skip any of the following sections
168the following sections in this chapter that don't apply to you. This 171in this chapter that don't apply to you. This chapter is just about getting
169chapter is just about getting the router connected to the internet via 172the router connected to the internet via eth1.
170eth1.
171</p> 173</p>
172</body>
173</section>
174 174
175</body>
176</section>
175<section> 177<section>
176<title>ADSL and PPPoE</title> 178<title>ADSL and PPPoE</title>
177<body> 179<body>
178 180
179<p> 181<p>
180All the fancy PPPoE software has been bundled up into one little nice 182All the fancy PPPoE software has been bundled up into one little nice package
181package nowadays called <uri link="http://www.roaringpenguin.com/">Roaring Penguin</uri>. 183nowadays called <uri link="http://www.roaringpenguin.com/">Roaring
182Simply <c>emerge rp-pppoe</c> and you'll be on your way. Remember how 184Penguin</uri>. Simply <c>emerge rp-pppoe</c> and you'll be on your way.
183I said you'll need username/password information? Well I wasn't lying 185Remember how I said you'll need username/password information? Well I wasn't
184so I hope you have it now! Load up <path>/etc/ppp/pppoe.conf</path> in 186lying so I hope you have it now! Load up <path>/etc/ppp/pppoe.conf</path> in
185your favorite editor and set it up. 187your favorite editor and set it up.
186</p> 188</p>
187 189
188<note> 190<note>
189In order for the following net.eth1 settings to work, you must have 191In order for the following net.eth1 settings to work, you must have
192 194
193<pre caption="Setting up eth1"> 195<pre caption="Setting up eth1">
194<comment>(Replace 'vla9h924' with your username and 'password' with your password)</comment> 196<comment>(Replace 'vla9h924' with your username and 'password' with your password)</comment>
195 197
196# <i>nano /etc/ppp/pppoe.conf</i> 198# <i>nano /etc/ppp/pppoe.conf</i>
197<comment># Ethernet card connected to ADSL modem 199<comment># Ethernet card connected to ADSL modem</comment>
198ETH=eth1 200ETH=eth1
199# ADSL user name. 201<comment># ADSL user name.</comment>
200USER=vla9h924</comment> 202USER=vla9h924
201# <i>nano /etc/ppp/pap-secrets</i> 203# <i>nano /etc/ppp/pap-secrets</i>
202<comment># client server secret 204<comment># client server secret</comment>
203"vla9h924" * "password"</comment> 205"vla9h924" * "password"
204# <i>nano /etc/conf.d/net</i> 206# <i>nano /etc/conf.d/net</i>
205<comment>Add an entry for ifconfig_eth1 and set it to adsl: 207<comment>Add an entry for ifconfig_eth1 and set it to adsl:</comment>
206ifconfig_eth1=( "adsl" )</comment> 208ifconfig_eth1=( "adsl" )
207# <i>ln -s net.eth0 /etc/init.d/net.eth1</i> 209# <i>ln -s net.eth0 /etc/init.d/net.eth1</i>
208# <i>rc-update add net.eth1 default</i> 210# <i>rc-update add net.eth1 default</i>
209# <i>/etc/init.d/net.eth1 start</i> 211# <i>/etc/init.d/net.eth1 start</i>
210</pre> 212</pre>
211 213
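Review bot: splitting the `<comment>` elements so that ETH=eth1, USER=vla9h924 and the pap-secrets line render as file contents rather than comment text is correct, but the pap-secrets example (`"vla9h924" * "password"`) shows a cleartext credential with no mention that /etc/ppp/pap-secrets must stay readable by root only; a one-line remark, or a `chmod 600 /etc/ppp/pap-secrets` step next to the nano command, would close that documentation gap.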
230 232
231<pre caption="Setting up eth1"> 233<pre caption="Setting up eth1">
232<comment>Dynamic IP Users:</comment> 234<comment>Dynamic IP Users:</comment>
233# <i>emerge dhcpcd</i> 235# <i>emerge dhcpcd</i>
234# <i>nano /etc/conf.d/net</i> 236# <i>nano /etc/conf.d/net</i>
235<comment>You'll need an entry like so: 237<comment>You'll need an entry like so:</comment>
236ifconfig_eth1=( "dhcp" )</comment> 238ifconfig_eth1=( "dhcp" )
237 239
238<comment>Static IP Users:</comment> 240<comment>Static IP Users:</comment>
239# <i>nano /etc/conf.d/net</i> 241# <i>nano /etc/conf.d/net</i>
240<comment>You'll need entries like so: 242<comment>You'll need entries like so:</comment>
241ifconfig_eth1=( "66.92.78.102 broadcast 66.92.78.255 netmask 255.255.255.0" ) 243ifconfig_eth1=( "66.92.78.102 broadcast 66.92.78.255 netmask 255.255.255.0" )
242routes_eth1=( "default gw 66.92.78.1" )</comment> 244routes_eth1=( "default gw 66.92.78.1" )
243# <i>nano /etc/resolv.conf</i> 245# <i>nano /etc/resolv.conf</i>
244<comment>Add one line per DNS server: 246<comment>Add one line per DNS server:</comment>
245nameserver 123.123.123.123</comment> 247nameserver 123.123.123.123
246 248
247<comment>Dynamic and Static Setup:</comment> 249<comment>Dynamic and Static Setup:</comment>
248# <i>ln -s net.eth0 /etc/init.d/net.eth1</i> 250# <i>ln -s net.eth0 /etc/init.d/net.eth1</i>
249# <i>rc-update add net.eth1 default</i> 251# <i>rc-update add net.eth1 default</i>
250# <i>/etc/init.d/net.eth1 start</i> 252# <i>/etc/init.d/net.eth1 start</i>
267This step is a breeze compared to the previous one. 269This step is a breeze compared to the previous one.
268</p> 270</p>
269 271
270<pre caption="Setting up eth0"> 272<pre caption="Setting up eth0">
271# <i>nano /etc/conf.d/net</i> 273# <i>nano /etc/conf.d/net</i>
272<comment>Add a line like the following: 274<comment>Add a line like the following:</comment>
273ifconfig_eth0=( "192.168.0.1 broadcast 192.168.0.255 netmask 255.255.255.0" )</comment> 275ifconfig_eth0=( "192.168.0.1 broadcast 192.168.0.255 netmask 255.255.255.0" )
274# <i>rc-update add net.eth0 default</i> 276# <i>rc-update add net.eth0 default</i>
275# <i>/etc/init.d/net.eth0 start</i> 277# <i>/etc/init.d/net.eth0 start</i>
276</pre> 278</pre>
277 279
278</body> 280</body>
283<title>LAN Services (because we're nice people)</title> 285<title>LAN Services (because we're nice people)</title>
284 286
285<section> 287<section>
286<title>DHCP Server</title> 288<title>DHCP Server</title>
287<body> 289<body>
290
288<p> 291<p>
289I bet it'd be nice if everyone else in your house could just plug 292I bet it'd be nice if everyone else in your house could just plug their
290their computers into the network and things would just work. No need to 293computers into the network and things would just work. No need to remember
291remember mind-numbing details or make them stare at confusing 294mind-numbing details or make them stare at confusing configuration screens!
292configuration screens! Life would be grand eh? Introducing the Dynamic 295Life would be grand eh? Introducing the Dynamic Host Configuration Protocol
293Host Configuration Protocol (DHCP) and why you should care. 296(DHCP) and why you should care.
294</p> 297</p>
295 298
296<p> 299<p>
297DHCP is exactly what its name implies. It's a protocol that allows you 300DHCP is exactly what its name implies. It's a protocol that allows you
298to dynamically configure other hosts automatically. You run a DHCP 301to dynamically configure other hosts automatically. You run a DHCP server on
299server on the router (dhcpd), give it all the information about your 302the router (dhcpd), give it all the information about your network (valid IPs,
300network (valid IPs, DNS servers, gateways, etc...), and then when the 303DNS servers, gateways, etc...), and then when the other hosts start up, they
301other hosts start up, they run a DHCP client to automatically configure 304run a DHCP client to automatically configure themselves. No fuss, no muss!
302themselves. No fuss, no muss! For more information about DHCP, you can 305For more information about DHCP, you can always visit <uri
303always visit <uri link="http://en.wikipedia.org/wiki/DHCP">Wikipedia</uri>. 306link="http://en.wikipedia.org/wiki/DHCP">Wikipedia</uri>.
304</p> 307</p>
305 308
306<pre caption="Setting up dhcpd"> 309<pre caption="Setting up dhcpd">
307# <i>emerge dhcp</i> 310# <i>emerge dhcp</i>
308# <i>nano /etc/dhcp/dhcpd.conf</i> 311# <i>nano /etc/dhcp/dhcpd.conf</i>
309<comment>Here is a sample configuration file: 312<comment>(Here is a sample configuration file:)</comment>
310authoritative; 313authoritative;
311ddns-update-style ad-hoc; 314ddns-update-style ad-hoc;
312subnet 192.168.0.0 netmask 255.255.255.0 { 315subnet 192.168.0.0 netmask 255.255.255.0 {
313 range 192.168.0.100 192.168.0.250; 316 range 192.168.0.100 192.168.0.250;
314 default-lease-time 259200; 317 default-lease-time 259200;
315 max-lease-time 518400; 318 max-lease-time 518400;
316 option subnet-mask 255.255.255.0; 319 option subnet-mask 255.255.255.0;
317 option broadcast-address 192.168.0.255; 320 option broadcast-address 192.168.0.255;
318 option routers 192.168.0.1; 321 option routers 192.168.0.1;
319 option domain-name-servers 192.168.0.1; 322 option domain-name-servers 192.168.0.1;
320} 323}
321</comment>
322# <i>nano /etc/conf.d/dhcp</i> 324# <i>nano /etc/conf.d/dhcp</i>
323<comment>Set IFACE="eth0"</comment> 325<comment>(Set IFACE="eth0")</comment>
324# <i>rc-update add dhcp default</i> 326# <i>rc-update add dhcp default</i>
325# <i>/etc/init.d/dhcp start</i> 327# <i>/etc/init.d/dhcp start</i>
326</pre> 328</pre>
327 329
328<p> 330<p>
329Now your little router is a bona-fide DHCP server! Plugin those 331Now your little router is a bona-fide DHCP server! Plugin those computers and
330computers and watch them work! With Windows systems you should go into 332watch them work! With Windows systems you should go into the TCP/IP Properties
331the TCP/IP Properties and select the 'Obtain an IP address 333and select the 'Obtain an IP address automatically' and 'Obtain DNS server
332automatically' and 'Obtain DNS server address automatically' options. 334address automatically' options. Sometimes the changes aren't instantaneous, so
333Sometimes the changes aren't instantaneous, so you may have to run a 335you may have to run a command prompt and run <c>ipconfig /release</c> and
334command prompt and run <c>ipconfig /release</c> and <c>ipconfig
335/renew</c>. But enough about Windows, let's get back to our favorite 336<c>ipconfig /renew</c>. But enough about Windows, let's get back to our
336penguin. 337favorite penguin.
337</p> 338</p>
339
338</body> 340</body>
339</section> 341</section>
340 342
341<section> 343<section>
342<title>DNS Server</title> 344<title>DNS Server</title>
343<body> 345<body>
346
344<p> 347<p>
345When people want to visit a place on the internet, they remember names, 348When people want to visit a place on the internet, they remember names, not a
346not a string of useless numbers. After all, what's easier to remember, 349string of useless numbers. After all, what's easier to remember, ebay.com or
347ebay.com or 66.135.192.87? This is where the DNS steps in. DNS servers 35066.135.192.87? This is where the DNS steps in. DNS servers run all over the
348run all over the internet, and whenever someone wants to visit 'ebay.com', 351internet, and whenever someone wants to visit 'ebay.com', these servers turn
349these servers turn 'ebay.com' (what we understand) into '66.135.192.87' 352'ebay.com' (what we understand) into '66.135.192.87' (what our computers
350(what our computers understand). For more information about DNS, you can 353understand). For more information about DNS, you can always visit <uri
351always visit <uri link="http://en.wikipedia.org/wiki/DNS">Wikipedia</uri>. 354link="http://en.wikipedia.org/wiki/DNS">Wikipedia</uri>.
352</p>
353
354<p> 355</p>
356
357<p>
355You may have noticed in the previous section that we told the DHCP 358You may have noticed in the previous section that we told the DHCP clients we
356clients we have a DNS server at 192.168.0.1. You may also remember that 359have a DNS server at 192.168.0.1. You may also remember that 192.168.0.1 is
357192.168.0.1 is our little router that we're making. I don't remember 360our little router that we're making. I don't remember setting up a DNS server
358setting up a DNS server ... so let's do so now! 361... so let's do so now!
359</p> 362</p>
360 363
361<pre caption="Setting up dnsmasq"> 364<pre caption="Setting up dnsmasq">
362# <i>emerge dnsmasq</i> 365# <i>emerge dnsmasq</i>
363# <i>nano /etc/conf.d/dnsmasq</i> 366# <i>nano /etc/conf.d/dnsmasq</i>
365# <i>rc-update add dnsmasq default</i> 368# <i>rc-update add dnsmasq default</i>
366# <i>/etc/init.d/dnsmasq start</i> 369# <i>/etc/init.d/dnsmasq start</i>
367</pre> 370</pre>
368 371
369<p> 372<p>
370Well that was quick, but what did we do? The great thing is, we didn't 373Well that was quick, but what did we do? The great thing is, we didn't have to
371have to do very much! You're welcome to choose other DNS servers if 374do very much! You're welcome to choose other DNS servers if you're more
372you're more comfortable with them, but the reason dnsmasq is great is 375comfortable with them, but the reason dnsmasq is great is because it was
373because it was designed to do exactly what we want and nothing more. 376designed to do exactly what we want and nothing more. It's a little DNS
374It's a little DNS caching/forwarding server for local networks. We're 377caching/forwarding server for local networks. We're not looking to provide DNS
375not looking to provide DNS for our own domain here, just offer simple DNS 378for our own domain here, just offer simple DNS services to everyone else on our
376services to everyone else on our LAN. 379LAN.
377</p> 380</p>
378 381
379</body> 382</body>
380</section> 383</section>
381 384
382<section> 385<section>
383<title>NAT (a.k.a. IP-masquerading)</title> 386<title>NAT (a.k.a. IP-masquerading)</title>
384<body> 387<body>
385 388
386<p> 389<p>
387At this point, people on your network can talk to each other and they 390At this point, people on your network can talk to each other and they can look
388can look up hostnames via DNS, but they still can't actually connect to 391up hostnames via DNS, but they still can't actually connect to the internet.
389the internet. While you may think that's great (more bandwidth for 392While you may think that's great (more bandwidth for you!), I bet they're not
390you!), I bet they're not too happy just yet. 393too happy just yet.
391</p>
392
393<p> 394</p>
395
396<p>
394This is where NAT steps in. NAT is a way of connecting multiple computers 397This is where NAT steps in. NAT is a way of connecting multiple computers in a
395in a private LAN to the internet when you only have a smaller number of 398private LAN to the internet when you only have a smaller number of IP addresses
396IP addresses availabe to you. Typically you were given 1 IP by your ISP, 399availabe to you. Typically you were given 1 IP by your ISP, but you want to
397but you want to let your whole house connect to the internet. NAT is the 400let your whole house connect to the internet. NAT is the magic that makes this
398magic that makes this possible. For more information about NAT, you can 401possible. For more information about NAT, you can always visit <uri
399always visit <uri link="http://en.wikipedia.org/wiki/NAT">Wikipedia</uri>. 402link="http://en.wikipedia.org/wiki/NAT">Wikipedia</uri>.
400</p> 403</p>
401 404
402<note> 405<note>
403Before we get started, make sure you have iptables on your system. Although 406Before we get started, make sure you have iptables on your system. Although it
404it is automatically installed on most systems, you may not have it. If you 407is automatically installed on most systems, you may not have it. If you don't,
405don't, just run <c>emerge iptables</c>. 408just run <c>emerge iptables</c>.
406</note> 409</note>
407 410
408<pre caption="Setting up iptables"> 411<pre caption="Setting up iptables">
409<comment>First we flush our current rules</comment> 412<comment>First we flush our current rules</comment>
410# <i>iptables -F</i> 413# <i>iptables -F</i>
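Review bot: the sample dhcpd.conf sets `ddns-update-style ad-hoc;` although nothing in the guide uses dynamic DNS updates (dnsmasq is described below as a plain caching/forwarding server for the LAN), so `ddns-update-style none;` would be the less surprising choice; the statement itself has to stay, because dhcpd 3.x refuses to start without one. Also, "availabe" in the NAT paragraph survives the rewrap in both columns and should be "available".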
440net.ipv4.ip_forward = 1 443net.ipv4.ip_forward = 1
441net.ipv4.conf.default.rp_filter = 1</comment> 444net.ipv4.conf.default.rp_filter = 1</comment>
442</pre> 445</pre>
443 446
444<p> 447<p>
445Once you've typed out all of that, the rest of your network should now 448Once you've typed out all of that, the rest of your network should now be able
446be able to use the internet as if they were directly connected 449to use the internet as if they were directly connected themselves.
447themselves.
448</p> 450</p>
449 451
450</body> 452</body>
451</section> 453</section>
452</chapter> 454</chapter>
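Review bot: the sysctl lines `net.ipv4.ip_forward = 1` and `net.ipv4.conf.default.rp_filter = 1` are still enclosed in the `<comment>` element in the right column, while this same commit moves every other configuration value (pppoe.conf, conf.d/net, resolv.conf, dhcpd.conf) out of `<comment>` so it renders as file content; close the comment before the first sysctl line for consistency.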
455<title>Fun Things (for a rainy day)</title> 457<title>Fun Things (for a rainy day)</title>
456 458
457<section> 459<section>
458<title>Intro</title> 460<title>Intro</title>
459<body> 461<body>
462
460<p> 463<p>
461Believe it or not, you're done :). From here on out, I'll cover a bunch 464Believe it or not, you're done :). From here on out, I'll cover a bunch of
462of common topics that may interest you. Everything in this chapter is 465common topics that may interest you. Everything in this chapter is completely
463completely optional. 466optional.
464</p> 467</p>
468
465</body> 469</body>
466</section> 470</section>
467 471
468<section> 472<section>
469<title>Port Forwarding</title> 473<title>Port Forwarding</title>
470<body> 474<body>
475
471<p> 476<p>
472Sometimes you would like to be able to host services on a computer behind 477Sometimes you would like to be able to host services on a computer behind the
473the router, or just to make your life easier when connecting remotely. 478router, or just to make your life easier when connecting remotely. Perhaps you
474Perhaps you want to run a FTP, HTTP, SSH, or VNC server on one or more 479want to run a FTP, HTTP, SSH, or VNC server on one or more machines behind your
475machines behind your router and be able to connect to them all. The only 480router and be able to connect to them all. The only caveat is that you can
476caveat is that you can only have one service/machine combo per port. 481only have one service/machine combo per port. For example, there is no
477For example, there is no practical way to setup three FTP servers behind 482practical way to setup three FTP servers behind your router and then try to
478your router and then try to connect to them all through port 21; only one 483connect to them all through port 21; only one can be on port 21 while the
479can be on port 21 while the others would have to be on say port 123 and 484others would have to be on say port 123 and port 567.
480port 567.
481</p>
482
483<p> 485</p>
486
487<p>
484All the port forwarding rules are of the form <c>iptables -t nat -A PREROUTING 488All the port forwarding rules are of the form <c>iptables -t nat -A PREROUTING
485[-p protocol] --dport [external port on router] -i eth1 -j DNAT --to [ip/port 489[-p protocol] --dport [external port on router] -i eth1 -j DNAT --to [ip/port
486to forward to]</c>. iptables does not accept hostnames when port forwarding. 490to forward to]</c>. iptables does not accept hostnames when port forwarding.
487If you are forwarding an external port to the same port on the internal machine, 491If you are forwarding an external port to the same port on the internal
488you can omit the destination port. See the iptables(8) page for more information. 492machine, you can omit the destination port. See the iptables(8) page for more
493information.
489</p> 494</p>
490 495
491<pre> 496<pre>
492<comment>Forward port 2 to ssh on an internal host</comment> 497<comment>Forward port 2 to ssh on an internal host</comment>
493# <i>iptables -t nat -A PREROUTING -p tcp --dport 2 -i eth1 -j DNAT --to 192.168.0.2:22</i> 498# <i>iptables -t nat -A PREROUTING -p tcp --dport 2 -i eth1 -j DNAT --to 192.168.0.2:22</i>
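Review bot: the port forwarding `<pre>` is the only example block in the file without a caption attribute; every other block uses `<pre caption="...">`, so add one such as `caption="Port forwarding examples"` while this section is being touched.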
513# <i>iptables -t nat -A PREROUTING -p tcp --dport 10070:10080 -i eth1 -j DNAT --to 192.168.0.11</i> 518# <i>iptables -t nat -A PREROUTING -p tcp --dport 10070:10080 -i eth1 -j DNAT --to 192.168.0.11</i>
514# <i>iptables -t nat -A PREROUTING -p udp --dport 10070:10080 -i eth1 -j DNAT --to 192.168.0.11</i> 519# <i>iptables -t nat -A PREROUTING -p udp --dport 10070:10080 -i eth1 -j DNAT --to 192.168.0.11</i>
515</pre> 520</pre>
516 521
517<note> 522<note>
518If you have other common / cool examples, please <uri link="mailto:vapier@gentoo.org">e-mail me</uri>. 523If you have other common / cool examples, please <uri
524link="mailto:vapier@gentoo.org">e-mail me</uri>.
519</note> 525</note>
526
520</body> 527</body>
521</section> 528</section>
522 529
523<section> 530<section>
524<title>Identd (for IRC)</title> 531<title>Identd (for IRC)</title>
525<body> 532<body>
533
526<p> 534<p>
527Internet Relay Chat utilizes the ident service pretty heavily. Now that 535Internet Relay Chat utilizes the ident service pretty heavily. Now that the
528the IRC clients are behind the router, we need a way to host ident for 536IRC clients are behind the router, we need a way to host ident for both the
529both the router and the clients. One such server has been created 537router and the clients. One such server has been created called
530called <c>midentd</c>. 538<c>midentd</c>.
531</p> 539</p>
532 540
533<pre caption="Setting up ident"> 541<pre caption="Setting up ident">
534# <i>emerge midentd</i> 542# <i>emerge midentd</i>
535# <i>rc-update add midentd default</i> 543# <i>rc-update add midentd default</i>
536# <i>/etc/init.d/midentd start</i> 544# <i>/etc/init.d/midentd start</i>
537</pre> 545</pre>
538 546
539<p> 547<p>
540There are a few other ident servers in portage. Depending on your needs, 548There are a few other ident servers in portage. Depending on your needs, I
541I would recommend checking out <c>oidentd</c> and <c>fakeidentd</c>. 549would recommend checking out <c>oidentd</c> and <c>fakeidentd</c>.
542</p> 550</p>
551
543</body> 552</body>
544</section> 553</section>
545 554
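Review bot: the identd section still does not say which port the router must accept for the service to be reachable, unlike the NTP section's note on 123/udp; add a sentence that inbound 113/tcp on the external interface has to be allowed, since the whole point of the section is that IRC servers can reach midentd on the router for both the router and the clients behind it. The reflow and the added blank lines after `<body>` and before `</body>` match the rest of the file.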
546<!-- 555<!--
547<section> 556<section>
617--> 626-->
618 627
619<section> 628<section>
620<title>Time Server</title> 629<title>Time Server</title>
621<body> 630<body>
631
622<p> 632<p>
623Keeping your system time correct is essential in maintaing a healthy 633Keeping your system time correct is essential in maintaing a healthy system.
624system. One of the most common ways of accomplishing this is with 634One of the most common ways of accomplishing this is with the Network Time
625the Network Time Protocol (NTP) and the ntp package (which provides 635Protocol (NTP) and the ntp package (which provides implementations for both
626implementations for both server and client). 636server and client).
627</p>
628
629<p> 637</p>
638
639<p>
630Many people run ntp clients on their computers. Obviously, the more 640Many people run ntp clients on their computers. Obviously, the more clients in
631clients in the world, the larger the load the ntp servers need to 641the world, the larger the load the ntp servers need to shoulder. In
632shoulder. In environments like home networks though, we can help 642environments like home networks though, we can help keep the load down on
633keep the load down on public servers while still providing the proper 643public servers while still providing the proper time to all our computers. As
634time to all our computers. As an added bonus, our private updates 644an added bonus, our private updates will be a lot faster for the clients too!
635will be a lot faster for the clients too! All we have to do is run 645All we have to do is run a ntp server on our router that synchronizes itself
636a ntp server on our router that synchronizes itself with the public
637internet servers while providing the time to the rest of the computers 646with the public internet servers while providing the time to the rest of the
638in the network. To get started, simply <c>emerge ntp</c> on the 647computers in the network. To get started, simply <c>emerge ntp</c> on the
639router. 648router.
640</p> 649</p>
641 650
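Review bot: the reflow carries two wording problems through unchanged: "essential in maintaing a healthy system" should read "maintaining", and "run a ntp server" should read "run an ntp server". Worth fixing while these lines are being touched.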
642<pre caption="Setting up the NTP server"> 651<pre caption="Setting up the NTP server">
643# <i>nano /etc/conf.d/ntp-client</i> 652# <i>nano /etc/conf.d/ntp-client</i>
644<comment>Customize if you wish but the defaults should be fine</comment> 653<comment>Customize if you wish but the defaults should be fine</comment>
645# <i>rc-update add ntp-client default</i> 654# <i>rc-update add ntp-client default</i>
646 655
647# <i>nano /etc/ntp.conf</i> 656# <i>nano /etc/ntp.conf</i>
648<comment>Add the follwing lines: 657<comment>Add the follwing lines:</comment>
649restrict default ignore 658restrict default ignore
650restrict 192.168.0.0 mask 255.255.255.0 notrust nomodify notrap 659restrict 192.168.0.0 mask 255.255.255.0 notrust nomodify notrap
651These will allow only ntp clients with an IP address in the 192.168.0.xxx range to use your ntp server</comment> 660<comment>These will allow only ntp clients with an IP
661address in the 192.168.0.xxx range to use your ntp server</comment>
652# <i>nano /etc/conf.d/ntpd</i> 662# <i>nano /etc/conf.d/ntpd</i>
653<comment>Customize if you wish but the defaults should be fine</comment> 663<comment>Customize if you wish but the defaults should be fine</comment>
654# <i>rc-update add ntpd default</i> 664# <i>rc-update add ntpd default</i>
655 665
656# <i>/etc/init.d/ntp-client start</i> 666# <i>/etc/init.d/ntp-client start</i>
657# <i>/etc/init.d/ntpd start</i> 667# <i>/etc/init.d/ntpd start</i>
658</pre> 668</pre>
659 669
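Review bot: moving the two `restrict` lines out of the `<comment>` fixes their rendering, but the configuration they show needs a caveat in the comment that follows them: `restrict default ignore` drops all packets from any host not matched by a more specific `restrict` line, which includes the replies from the public servers the paragraph above says the router synchronizes with, so each upstream `server` also needs its own `restrict <server> nomodify notrap noquery` line (or the default must be relaxed). In ntp 4.2 and later `notrust` means "deny service unless the packet is cryptographically authenticated", so with that flag the unauthenticated LAN clients this guide sets up would be refused; `restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap` matches the stated intent. The typo "follwing" in the first comment also survives the change.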
660<note> 670<note>
661You should make sure that you allow inbound and outbound communication 671You should make sure that you allow inbound and outbound communication on the
662on the ntp port (123/udp) when setting up the server. The client just 672ntp port (123/udp) when setting up the server. The client just needs outbound
663needs outbound access on port 123 over udp. 673access on port 123 over udp.
664</note> 674</note>
665 675
666<p> 676<p>
667Now, on your clients, have them <c>emerge ntp</c> also. However, 677Now, on your clients, have them <c>emerge ntp</c> also. However, we will just
668we will just run the ntp client so setup is a lot simpler. 678run the ntp client so setup is a lot simpler.
669</p> 679</p>
670 680
671<pre caption="Setting up a NTP client"> 681<pre caption="Setting up a NTP client">
672# <i>nano /etc/conf.d/ntp-client</i> 682# <i>nano /etc/conf.d/ntp-client</i>
673<comment>Change the 'pool.ntp.org' server in the NTPCLIENT_OPTS variable to '192.168.0.1'</comment> 683<comment>Change the 'pool.ntp.org' server in the NTPCLIENT_OPTS variable to '192.168.0.1'</comment>
674# <i>rc-update add ntp-client default</i> 684# <i>rc-update add ntp-client default</i>
675# <i>/etc/init.d/ntp-client start</i> 685# <i>/etc/init.d/ntp-client start</i>
676</pre> 686</pre>
687
677</body> 688</body>
678</section> 689</section>
679 690
680<section> 691<section>
681<title>Mail Server</title> 692<title>Mail Server</title>
682<body> 693<body>
694
683<p> 695<p>
684Sometimes it's nice to run your own Simple Mail Transfer Protocol (SMTP) 696Sometimes it's nice to run your own Simple Mail Transfer Protocol (SMTP) server
685server on the router. You may have your own reason for wanting to do so, 697on the router. You may have your own reason for wanting to do so, but I run it
686but I run it so that the users see mail as being sent instantly and the 698so that the users see mail as being sent instantly and the work of
687work of retrying/routing is left up to the mail server. Some ISPs also 699retrying/routing is left up to the mail server. Some ISPs also don't allow for
688don't allow for mail relaying for accounts that aren't part of their 700mail relaying for accounts that aren't part of their network (like Verizon).
689network (like Verizon). Also, you can easily throttle the delivery of 701Also, you can easily throttle the delivery of mail so that large attachments
690mail so that large attachments won't seriously lag your connection for 702won't seriously lag your connection for half an hour.
691half an hour.
692</p> 703</p>
693 704
694<pre caption="Setting up SMTP"> 705<pre caption="Setting up SMTP">
695# <i>emerge qmail</i> 706# <i>emerge qmail</i>
696<comment>make sure the output of `hostname` is correct</comment> 707<comment>make sure the output of `hostname` is correct</comment>
702# <i>cd /etc/tcprules.d</i> 713# <i>cd /etc/tcprules.d</i>
703# <i>nano tcp.qmail-smtp</i> 714# <i>nano tcp.qmail-smtp</i>
704--> 715-->
705# <i>cd /etc</i> 716# <i>cd /etc</i>
706# <i>nano tcp.smtp</i> 717# <i>nano tcp.smtp</i>
707<comment>Add an entry like so to the allow section: 718<comment>Add an entry like so to the allow section:</comment>
708192.168.0.:allow,RELAYCLIENT=""</comment> 719192.168.0.:allow,RELAYCLIENT=""
709<!-- 720<!--
710# <i>tcprules tcp.qmail-qmtp.cdb rules.tmp &lt; tcp.qmail-smtp</i> 721# <i>tcprules tcp.qmail-qmtp.cdb rules.tmp &lt; tcp.qmail-smtp</i>
711--> 722-->
712# <i>tcprules tcp.smtp.cdb rules.tmp &lt; tcp.smtp</i> 723# <i>tcprules tcp.smtp.cdb rules.tmp &lt; tcp.smtp</i>
713# <i>rc-update add svscan default</i> 724# <i>rc-update add svscan default</i>
714# <i>/etc/init.d/svscan start</i> 725# <i>/etc/init.d/svscan start</i>
715</pre> 726</pre>
716 727
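Review bot: with the rule now outside the `<comment>`, the comment should also say what it grants: any connection whose source matches the `192.168.0.` prefix gets `RELAYCLIENT=""`, that is, permission to relay mail through this server, so the prefix must stay the LAN range and must not be loosened, and `tcprules` has to be re-run after every edit of `tcp.smtp` because the rules are read from the compiled `.cdb`, not the text file. The commented-out line `tcprules tcp.qmail-qmtp.cdb rules.tmp &lt; tcp.qmail-smtp` writes a qmtp database from the smtp rules file, which looks like a typo for `tcp.qmail-smtp.cdb`; either fix it or drop the dead block.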
717<p> 728<p>
718I'm a huge fan of qmail, but you're free to use a different mta :). 729I'm a huge fan of qmail, but you're free to use a different mta :). When you
719When you setup e-mail on the hosts in your network, tell them that 730setup e-mail on the hosts in your network, tell them that their SMTP server is
720their SMTP server is 192.168.0.1 and everything should be peachy. 731192.168.0.1 and everything should be peachy. You might want to visit the <uri
721You might want to visit the <uri link="http://qmail.org/">qmail 732link="http://qmail.org/">qmail homepage</uri> for more documentation.
722homepage</uri> for more documentation.
723</p> 733</p>
734
724</body> 735</body>
725</section> 736</section>
726 737
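Review bot: style in the reflowed paragraph: "a different mta" should be "MTA", and "When you setup e-mail" should be "When you set up e-mail" (verb). Since the hosts are told to use 192.168.0.1 as their SMTP server, it would also help to say that only hosts matched by the `192.168.0.` rule in tcp.smtp above will be allowed to relay through it.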
727<!-- 738<!--
728<section> 739<section>
747 758
748<chapter> 759<chapter>
749<title>Final Notes</title> 760<title>Final Notes</title>
750<section> 761<section>
751<body> 762<body>
763
752<p> 764<p>
753I have no final notes other than if you experience any troubles with the guide, 765I have no final notes other than if you experience any troubles with the guide,
754please contact <mail link="vapier@gentoo.org">me</mail> or file a bug with 766please contact <mail link="vapier@gentoo.org">me</mail> or file a bug with <uri
755<uri link="http://bugs.gentoo.org/">Gentoo's Bugtracking Website</uri>. If 767link="http://bugs.gentoo.org/">Gentoo's Bugtracking Website</uri>. If you have
756you have some interesting bits you think would enhance this guide, by all means 768some interesting bits you think would enhance this guide, by all means send it
757send it my way for inclusion. 769my way for inclusion.
758</p> 770</p>
771
759</body> 772</body>
760</section> 773</section>
761</chapter> 774</chapter>
762</guide> 775</guide>
