/[gentoo]/xml/htdocs/doc/en/home-router-howto.xml

Diff of /xml/htdocs/doc/en/home-router-howto.xml

Parent Directory | Revision Log | View Patch Patch

Revision 1.22		Revision 1.23
1	<?xml version='1.0' encoding='UTF-8'?>	1	<?xml version='1.0' encoding='UTF-8'?>
2	<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/home-router-howto.xml,v 1.22 2005/02/16 02:43:01 vapier Exp $ -->	2	<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/home-router-howto.xml,v 1.23 2005/03/07 12:59:56 neysx Exp $ -->
3	<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">	3	<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
4		4
5	<guide link="/doc/en/home-router-howto.xml">	5	<guide link="/doc/en/home-router-howto.xml">
6		6
7	<title>Home Router Guide</title>	7	<title>Home Router Guide</title>
…		…
13	<abstract>	13	<abstract>
14	This document details how to turn an old Gentoo machine into a router	14	This document details how to turn an old Gentoo machine into a router
15	for connecting your home network to the internet.	15	for connecting your home network to the internet.
16	</abstract>	16	</abstract>
17		17
18	<version>1.3</version>	18	<version>1.4</version>
19	<date>Feb 15 2005</date>	19	<date>2005-03-07</date>
20		20
21	<chapter>	21	<chapter>
22	<title>Introduction</title>	22	<title>Introduction</title>
23	<section>	23	<section>
24	<body>	24	<body>
25		25
26	<p>	26	<p>
27	Building your own router out of old spare parts has many advantages	27	Building your own router out of old spare parts has many advantages over buying
28	over buying a pre-made canned router by say Linksys. The biggest one by	28	a pre-made canned router by say Linksys. The biggest one by far is control
29	far is control over the connection. The other advantages are left up to	29	over the connection. The other advantages are left up to your imagination;
30	your imagination; just about anything can be done in this scenario,	30	just about anything can be done in this scenario, it's just a matter of needing
31	it's just a matter of needing it.	31	it.
32	</p>
33
34	<p>	32	</p>
		33
		34	<p>
35	This guide will show you how to setup Network Address Translation (NAT)	35	This guide will show you how to setup Network Address Translation (NAT) on the
36	on the router (kernel and iptables), add and configure common services	36	router (kernel and iptables), add and configure common services (Domain Name
37	(Domain Name System (DNS) via dnsmasq, dhcp via dhcpcd, ADSL via	37	System (DNS) via dnsmasq, dhcp via dhcpcd, ADSL via rp-pppoe), and conclude
38	rp-pppoe), and conclude with more elaborate and fun things that can be	38	with more elaborate and fun things that can be done (port forwarding, traffic
39	done (port forwarding, traffic shaping, proxies/caching, etc...).	39	shaping, proxies/caching, etc...).
40	</p>
41
42	<p>	40	</p>
		41
		42	<p>
43	Before getting started, there's a few basic requirements you must meet.	43	Before getting started, there's a few basic requirements you must meet. First,
44	First, you'll need a computer that has at least 2 Network Interface	44	you'll need a computer that has at least 2 Network Interface Cards (NICs) in
45	Cards (NICs) in it. Next, you'll need the configuration settings for	45	it. Next, you'll need the configuration settings for your internet connection
46	your internet connection (may include things like	46	(may include things like IP/DNS/Gateway/username/password). Finally, you'll
47	IP/DNS/Gateway/username/password). Finally, you'll need a bit of spare	47	need a bit of spare time and some Gentoo loving.
48	time and some Gentoo loving.
49	</p>	48	</p>
50		49
51	<p>	50	<p>
52	The conventions used in this guide are:	51	The conventions used in this guide are:
53	</p>	52	</p>
		53
54	<ul>	54	<ul>
55	<li>eth0 - NIC connected to the Local Area Network (LAN)</li>	55	<li>eth0 - NIC connected to the Local Area Network (LAN)</li>
56	<li>eth1 - NIC connected to the Wide Area Network (WAN)</li>	56	<li>eth1 - NIC connected to the Wide Area Network (WAN)</li>
57	<li>LAN utilizes the private 192.168.0.xxx network</li>	57	<li>LAN utilizes the private 192.168.0.xxx network</li>
58	<li>router is hardcoded to the standard 192.168.0.1 IP</li>	58	<li>router is hardcoded to the standard 192.168.0.1 IP</li>
59	<li>router is running Linux 2.4 or 2.6; you're on your own with 2.0/2.2</li>	59	<li>router is running Linux 2.4 or 2.6; you're on your own with 2.0/2.2</li>
60	</ul>	60	</ul>
61		61
62	<impo>	62	<impo>
63	Due to security precautions, I would highly suggest you shut down any	63	Due to security precautions, I would highly suggest you shut down any unneeded
64	unneeded services on the router until we have a chance to get the	64	services on the router until we have a chance to get the firewall up and
65	firewall up and rolling. To view the currently running services, just	65	rolling. To view the currently running services, just run <c>rc-status</c>.
66	run <c>rc-status</c>.
67	</impo>	66	</impo>
68		67
69	</body>	68	</body>
70	</section>	69	</section>
71	</chapter>	70	</chapter>
…		…
74	<title>Kernel setup (know thyself first)</title>	73	<title>Kernel setup (know thyself first)</title>
75	<section>	74	<section>
76	<body>	75	<body>
77		76
78	<p>	77	<p>
79	Your kernel needs to have the drivers running for both your NICs. To	78	Your kernel needs to have the drivers running for both your NICs. To see if
80	see if your cards are already setup, just run <c>ifconfig</c>. Your	79	your cards are already setup, just run <c>ifconfig</c>. Your output may differ
81	output may differ slightly from the following, that's fine. What	80	slightly from the following, that's fine. What matters is that the interface
82	matters is that the interface shows up at all.	81	shows up at all.
83	</p>	82	</p>
		83
84	<pre caption="Checking NICs">	84	<pre caption="Checking NICs">
85	# <i>ifconfig -a</i>	85	# <i>ifconfig -a</i>
86	eth0 Link encap:Ethernet HWaddr 00:60:F5:07:07:B8	86	eth0 Link encap:Ethernet HWaddr 00:60:F5:07:07:B8
87	BROADCAST MULTICAST MTU:1500 Metric:1	87	BROADCAST MULTICAST MTU:1500 Metric:1
88	RX packets:0 errors:0 dropped:0 overruns:0 frame:0	88	RX packets:0 errors:0 dropped:0 overruns:0 frame:0
…		…
97	TX packets:0 errors:0 dropped:0 overruns:0 carrier:0	97	TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
98	collisions:0 txqueuelen:1000	98	collisions:0 txqueuelen:1000
99	RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)	99	RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
100	Interrupt:10 Base address:0x9400	100	Interrupt:10 Base address:0x9400
101	</pre>	101	</pre>
		102
102	<p>	103	<p>
103	If you do not see your two cards showing up and you're not sure what	104	If you do not see your two cards showing up and you're not sure what kind of
104	kind of cards you have, try running <c>lspci</c>. You can get that from	105	cards you have, try running <c>lspci</c>. You can get that from <c>emerge
105	<c>emerge pciutils</c>. Look for "Ethernet controller" in the output.	106	pciutils</c>. Look for "Ethernet controller" in the output. Once you have
106	Once you have this information, go into your kernel and add support for	107	this information, go into your kernel and add support for the correct drivers.
107	the correct drivers.
108	</p>
109
110	<p>	108	</p>
		109
		110	<p>
111	The next thing you'll need is support for iptables and NAT (and packet	111	The next thing you'll need is support for iptables and NAT (and packet shaping
112	shaping if you want). The following list is split up into required	112	if you want). The following list is split up into required (*), suggested (x),
113	(*), suggested (x), and shaper (s) features. It does not matter whether	113	and shaper (s) features. It does not matter whether you build the features
114	you build the features into the kernel or as a module so long as when	114	into the kernel or as a module so long as when the feature is needed, the
115	the feature is needed, the correct module(s) are loaded (module loading	115	correct module(s) are loaded (module loading is left to the reader as a fun
116	is left to the reader as a fun exercise however).	116	exercise however).
117	</p>	117	</p>
		118
118	<pre caption="Network Options">	119	<pre caption="Network Options">
119	<i>Networking options ---></i>	120	Networking options --->
120	<i> [*] TCP/IP networking</i>	121	[*] TCP/IP networking
121	<i> [*] IP: advanced router</i>	122	[*] IP: advanced router
122	<i> [*] Network packet filtering (replaces ipchains)</i>	123	[*] Network packet filtering (replaces ipchains)
123	<comment>If you use 2.4.x, you have to enable the following for DHCP:</comment>	124	<comment>If you use 2.4.x, you have to enable the following for DHCP:</comment>
124	<i> [*] Socket Filtering</i>	125	[*] Socket Filtering
125		126
126	<i> IP: Netfilter Configuration ---></i>	127	IP: Netfilter Configuration --->
127	<i> [*] Connection tracking (required for masq/NAT)</i>	128	[*] Connection tracking (required for masq/NAT)
128	<i> [x] FTP protocol support</i>	129	[x] FTP protocol support
129	<i> [x] IRC protocol support</i>	130	[x] IRC protocol support
130	<i> [*] IP tables support (required for filtering/masq/NAT)</i>	131	[*] IP tables support (required for filtering/masq/NAT)
131	<i> [*] IP range match support</i>	132	[*] IP range match support
132	<i> [x] MAC address match support</i>	133	[x] MAC address match support
133	<i> [*] Multiple port match support</i>	134	[*] Multiple port match support
134	<i> [*] Packet filtering</i>	135	[*] Packet filtering
135	<i> [*] REJECT target support</i>	136	[*] REJECT target support
136	<i> [x] REDIRECT target support</i>	137	[x] REDIRECT target support
137	<i> [*] Full NAT</i>	138	[*] Full NAT
138	<i> [*] MASQUERADE target support</i>	139	[*] MASQUERADE target support
139	<i> [s] Packet mangling</i>	140	[s] Packet mangling
140	<i> [s] MARK target support</i>	141	[s] MARK target support
141	<i> [x] LOG target support</i>	142	[x] LOG target support
142		143
143	<i> QoS and/or fair queueing ---></i>	144	QoS and/or fair queueing --->
144	<i> [s] QoS and/or fair queueing</i>	145	[s] QoS and/or fair queueing
145	<i> [s] HTB packet scheduler</i>	146	[s] HTB packet scheduler
146	<i> [s] Ingress Qdisc</i>	147	[s] Ingress Qdisc
147	</pre>	148	</pre>
		149
148	<note>	150	<note>
149	Somethings may be slightly different in a 2.4 vs 2.6 kernel, but you	151	Somethings may be slightly different in a 2.4 vs 2.6 kernel, but you should be
150	should be able to figure it out :).	152	able to figure it out :).
151	</note>	153	</note>
152		154
153	</body>	155	</body>
154	</section>	156	</section>
155	</chapter>	157	</chapter>
…		…
158	<title>Hug the WAN (a.k.a. The Internet)</title>	160	<title>Hug the WAN (a.k.a. The Internet)</title>
159		161
160	<section>	162	<section>
161	<title>Intro</title>	163	<title>Intro</title>
162	<body>	164	<body>
		165
163	<p>	166	<p>
164	There are many ways to connect to the internet so I'll just cover the	167	There are many ways to connect to the internet so I'll just cover the ones I'm
165	ones I'm familiar with. That leaves us with ADSL (PPPoE) and cable	168	familiar with. That leaves us with ADSL (PPPoE) and cable modems
166	modems (static/dynamic). If there are other methods out there, feel	169	(static/dynamic). If there are other methods out there, feel free to write up
167	free to write up a little blurb and e-mail me. Feel free to skip any of	170	a little blurb and e-mail me. Feel free to skip any of the following sections
168	the following sections in this chapter that don't apply to you. This	171	in this chapter that don't apply to you. This chapter is just about getting
169	chapter is just about getting the router connected to the internet via	172	the router connected to the internet via eth1.
170	eth1.
171	</p>	173	</p>
172	</body>
173	</section>
174		174
		175	</body>
		176	</section>
175	<section>	177	<section>
176	<title>ADSL and PPPoE</title>	178	<title>ADSL and PPPoE</title>
177	<body>	179	<body>
178		180
179	<p>	181	<p>
180	All the fancy PPPoE software has been bundled up into one little nice	182	All the fancy PPPoE software has been bundled up into one little nice package
181	package nowadays called <uri link="http://www.roaringpenguin.com/">Roaring Penguin</uri>.	183	nowadays called <uri link="http://www.roaringpenguin.com/">Roaring
182	Simply <c>emerge rp-pppoe</c> and you'll be on your way. Remember how	184	Penguin</uri>. Simply <c>emerge rp-pppoe</c> and you'll be on your way.
183	I said you'll need username/password information? Well I wasn't lying	185	Remember how I said you'll need username/password information? Well I wasn't
184	so I hope you have it now! Load up <path>/etc/ppp/pppoe.conf</path> in	186	lying so I hope you have it now! Load up <path>/etc/ppp/pppoe.conf</path> in
185	your favorite editor and set it up.	187	your favorite editor and set it up.
186	</p>	188	</p>
187		189
188	<note>	190	<note>
189	In order for the following net.eth1 settings to work, you must have	191	In order for the following net.eth1 settings to work, you must have
…		…
192		194
193	<pre caption="Setting up eth1">	195	<pre caption="Setting up eth1">
194	<comment>(Replace 'vla9h924' with your username and 'password' with your password)</comment>	196	<comment>(Replace 'vla9h924' with your username and 'password' with your password)</comment>
195		197
196	# <i>nano /etc/ppp/pppoe.conf</i>	198	# <i>nano /etc/ppp/pppoe.conf</i>
197	<comment># Ethernet card connected to ADSL modem	199	<comment># Ethernet card connected to ADSL modem</comment>
198	ETH=eth1	200	ETH=eth1
199	# ADSL user name.	201	<comment># ADSL user name.</comment>
200	USER=vla9h924</comment>	202	USER=vla9h924
201	# <i>nano /etc/ppp/pap-secrets</i>	203	# <i>nano /etc/ppp/pap-secrets</i>
202	<comment># client server secret	204	<comment># client server secret</comment>
203	"vla9h924" * "password"</comment>	205	"vla9h924" * "password"
204	# <i>nano /etc/conf.d/net</i>	206	# <i>nano /etc/conf.d/net</i>
205	<comment>Add an entry for ifconfig_eth1 and set it to adsl:	207	<comment>Add an entry for ifconfig_eth1 and set it to adsl:</comment>
206	ifconfig_eth1=( "adsl" )</comment>	208	ifconfig_eth1=( "adsl" )
207	# <i>ln -s net.eth0 /etc/init.d/net.eth1</i>	209	# <i>ln -s net.eth0 /etc/init.d/net.eth1</i>
208	# <i>rc-update add net.eth1 default</i>	210	# <i>rc-update add net.eth1 default</i>
209	# <i>/etc/init.d/net.eth1 start</i>	211	# <i>/etc/init.d/net.eth1 start</i>
210	</pre>	212	</pre>
211		213
…		…
230		232
231	<pre caption="Setting up eth1">	233	<pre caption="Setting up eth1">
232	<comment>Dynamic IP Users:</comment>	234	<comment>Dynamic IP Users:</comment>
233	# <i>emerge dhcpcd</i>	235	# <i>emerge dhcpcd</i>
234	# <i>nano /etc/conf.d/net</i>	236	# <i>nano /etc/conf.d/net</i>
235	<comment>You'll need an entry like so:	237	<comment>You'll need an entry like so:</comment>
236	ifconfig_eth1=( "dhcp" )</comment>	238	ifconfig_eth1=( "dhcp" )
237		239
238	<comment>Static IP Users:</comment>	240	<comment>Static IP Users:</comment>
239	# <i>nano /etc/conf.d/net</i>	241	# <i>nano /etc/conf.d/net</i>
240	<comment>You'll need entries like so:	242	<comment>You'll need entries like so:</comment>
241	ifconfig_eth1=( "66.92.78.102 broadcast 66.92.78.255 netmask 255.255.255.0" )	243	ifconfig_eth1=( "66.92.78.102 broadcast 66.92.78.255 netmask 255.255.255.0" )
242	routes_eth1=( "default gw 66.92.78.1" )</comment>	244	routes_eth1=( "default gw 66.92.78.1" )
243	# <i>nano /etc/resolv.conf</i>	245	# <i>nano /etc/resolv.conf</i>
244	<comment>Add one line per DNS server:	246	<comment>Add one line per DNS server:</comment>
245	nameserver 123.123.123.123</comment>	247	nameserver 123.123.123.123
246		248
247	<comment>Dynamic and Static Setup:</comment>	249	<comment>Dynamic and Static Setup:</comment>
248	# <i>ln -s net.eth0 /etc/init.d/net.eth1</i>	250	# <i>ln -s net.eth0 /etc/init.d/net.eth1</i>
249	# <i>rc-update add net.eth1 default</i>	251	# <i>rc-update add net.eth1 default</i>
250	# <i>/etc/init.d/net.eth1 start</i>	252	# <i>/etc/init.d/net.eth1 start</i>
…		…
267	This step is a breeze compared to the previous one.	269	This step is a breeze compared to the previous one.
268	</p>	270	</p>
269		271
270	<pre caption="Setting up eth0">	272	<pre caption="Setting up eth0">
271	# <i>nano /etc/conf.d/net</i>	273	# <i>nano /etc/conf.d/net</i>
272	<comment>Add a line like the following:	274	<comment>Add a line like the following:</comment>
273	ifconfig_eth0=( "192.168.0.1 broadcast 192.168.0.255 netmask 255.255.255.0" )</comment>	275	ifconfig_eth0=( "192.168.0.1 broadcast 192.168.0.255 netmask 255.255.255.0" )
274	# <i>rc-update add net.eth0 default</i>	276	# <i>rc-update add net.eth0 default</i>
275	# <i>/etc/init.d/net.eth0 start</i>	277	# <i>/etc/init.d/net.eth0 start</i>
276	</pre>	278	</pre>
277		279
278	</body>	280	</body>
…		…
283	<title>LAN Services (because we're nice people)</title>	285	<title>LAN Services (because we're nice people)</title>
284		286
285	<section>	287	<section>
286	<title>DHCP Server</title>	288	<title>DHCP Server</title>
287	<body>	289	<body>
		290
288	<p>	291	<p>
289	I bet it'd be nice if everyone else in your house could just plug	292	I bet it'd be nice if everyone else in your house could just plug their
290	their computers into the network and things would just work. No need to	293	computers into the network and things would just work. No need to remember
291	remember mind-numbing details or make them stare at confusing	294	mind-numbing details or make them stare at confusing configuration screens!
292	configuration screens! Life would be grand eh? Introducing the Dynamic	295	Life would be grand eh? Introducing the Dynamic Host Configuration Protocol
293	Host Configuration Protocol (DHCP) and why you should care.	296	(DHCP) and why you should care.
294	</p>	297	</p>
295		298
296	<p>	299	<p>
297	DHCP is exactly what its name implies. It's a protocol that allows you	300	DHCP is exactly what its name implies. It's a protocol that allows you
298	to dynamically configure other hosts automatically. You run a DHCP	301	to dynamically configure other hosts automatically. You run a DHCP server on
299	server on the router (dhcpd), give it all the information about your	302	the router (dhcpd), give it all the information about your network (valid IPs,
300	network (valid IPs, DNS servers, gateways, etc...), and then when the	303	DNS servers, gateways, etc...), and then when the other hosts start up, they
301	other hosts start up, they run a DHCP client to automatically configure	304	run a DHCP client to automatically configure themselves. No fuss, no muss!
302	themselves. No fuss, no muss! For more information about DHCP, you can	305	For more information about DHCP, you can always visit <uri
303	always visit <uri link="http://en.wikipedia.org/wiki/DHCP">Wikipedia</uri>.	306	link="http://en.wikipedia.org/wiki/DHCP">Wikipedia</uri>.
304	</p>	307	</p>
305		308
306	<pre caption="Setting up dhcpd">	309	<pre caption="Setting up dhcpd">
307	# <i>emerge dhcp</i>	310	# <i>emerge dhcp</i>
308	# <i>nano /etc/dhcp/dhcpd.conf</i>	311	# <i>nano /etc/dhcp/dhcpd.conf</i>
309	<comment>Here is a sample configuration file:	312	<comment>(Here is a sample configuration file:)</comment>
310	authoritative;	313	authoritative;
311	ddns-update-style ad-hoc;	314	ddns-update-style ad-hoc;
312	subnet 192.168.0.0 netmask 255.255.255.0 {	315	subnet 192.168.0.0 netmask 255.255.255.0 {
313	range 192.168.0.100 192.168.0.250;	316	range 192.168.0.100 192.168.0.250;
314	default-lease-time 259200;	317	default-lease-time 259200;
315	max-lease-time 518400;	318	max-lease-time 518400;
316	option subnet-mask 255.255.255.0;	319	option subnet-mask 255.255.255.0;
317	option broadcast-address 192.168.0.255;	320	option broadcast-address 192.168.0.255;
318	option routers 192.168.0.1;	321	option routers 192.168.0.1;
319	option domain-name-servers 192.168.0.1;	322	option domain-name-servers 192.168.0.1;
320	}	323	}
321	</comment>
322	# <i>nano /etc/conf.d/dhcp</i>	324	# <i>nano /etc/conf.d/dhcp</i>
323	<comment>Set IFACE="eth0"</comment>	325	<comment>(Set IFACE="eth0")</comment>
324	# <i>rc-update add dhcp default</i>	326	# <i>rc-update add dhcp default</i>
325	# <i>/etc/init.d/dhcp start</i>	327	# <i>/etc/init.d/dhcp start</i>
326	</pre>	328	</pre>
327		329
328	<p>	330	<p>
329	Now your little router is a bona-fide DHCP server! Plugin those	331	Now your little router is a bona-fide DHCP server! Plugin those computers and
330	computers and watch them work! With Windows systems you should go into	332	watch them work! With Windows systems you should go into the TCP/IP Properties
331	the TCP/IP Properties and select the 'Obtain an IP address	333	and select the 'Obtain an IP address automatically' and 'Obtain DNS server
332	automatically' and 'Obtain DNS server address automatically' options.	334	address automatically' options. Sometimes the changes aren't instantaneous, so
333	Sometimes the changes aren't instantaneous, so you may have to run a	335	you may have to run a command prompt and run <c>ipconfig /release</c> and
334	command prompt and run <c>ipconfig /release</c> and <c>ipconfig
335	/renew</c>. But enough about Windows, let's get back to our favorite	336	<c>ipconfig /renew</c>. But enough about Windows, let's get back to our
336	penguin.	337	favorite penguin.
337	</p>	338	</p>
		339
338	</body>	340	</body>
339	</section>	341	</section>
340		342
341	<section>	343	<section>
342	<title>DNS Server</title>	344	<title>DNS Server</title>
343	<body>	345	<body>
		346
344	<p>	347	<p>
345	When people want to visit a place on the internet, they remember names,	348	When people want to visit a place on the internet, they remember names, not a
346	not a string of useless numbers. After all, what's easier to remember,	349	string of useless numbers. After all, what's easier to remember, ebay.com or
347	ebay.com or 66.135.192.87? This is where the DNS steps in. DNS servers	350	66.135.192.87? This is where the DNS steps in. DNS servers run all over the
348	run all over the internet, and whenever someone wants to visit 'ebay.com',	351	internet, and whenever someone wants to visit 'ebay.com', these servers turn
349	these servers turn 'ebay.com' (what we understand) into '66.135.192.87'	352	'ebay.com' (what we understand) into '66.135.192.87' (what our computers
350	(what our computers understand). For more information about DNS, you can	353	understand). For more information about DNS, you can always visit <uri
351	always visit <uri link="http://en.wikipedia.org/wiki/DNS">Wikipedia</uri>.	354	link="http://en.wikipedia.org/wiki/DNS">Wikipedia</uri>.
352	</p>
353
354	<p>	355	</p>
		356
		357	<p>
355	You may have noticed in the previous section that we told the DHCP	358	You may have noticed in the previous section that we told the DHCP clients we
356	clients we have a DNS server at 192.168.0.1. You may also remember that	359	have a DNS server at 192.168.0.1. You may also remember that 192.168.0.1 is
357	192.168.0.1 is our little router that we're making. I don't remember	360	our little router that we're making. I don't remember setting up a DNS server
358	setting up a DNS server ... so let's do so now!	361	... so let's do so now!
359	</p>	362	</p>
360		363
361	<pre caption="Setting up dnsmasq">	364	<pre caption="Setting up dnsmasq">
362	# <i>emerge dnsmasq</i>	365	# <i>emerge dnsmasq</i>
363	# <i>nano /etc/conf.d/dnsmasq</i>	366	# <i>nano /etc/conf.d/dnsmasq</i>
…		…
365	# <i>rc-update add dnsmasq default</i>	368	# <i>rc-update add dnsmasq default</i>
366	# <i>/etc/init.d/dnsmasq start</i>	369	# <i>/etc/init.d/dnsmasq start</i>
367	</pre>	370	</pre>
368		371
369	<p>	372	<p>
370	Well that was quick, but what did we do? The great thing is, we didn't	373	Well that was quick, but what did we do? The great thing is, we didn't have to
371	have to do very much! You're welcome to choose other DNS servers if	374	do very much! You're welcome to choose other DNS servers if you're more
372	you're more comfortable with them, but the reason dnsmasq is great is	375	comfortable with them, but the reason dnsmasq is great is because it was
373	because it was designed to do exactly what we want and nothing more.	376	designed to do exactly what we want and nothing more. It's a little DNS
374	It's a little DNS caching/forwarding server for local networks. We're	377	caching/forwarding server for local networks. We're not looking to provide DNS
375	not looking to provide DNS for our own domain here, just offer simple DNS	378	for our own domain here, just offer simple DNS services to everyone else on our
376	services to everyone else on our LAN.	379	LAN.
377	</p>	380	</p>
378		381
379	</body>	382	</body>
380	</section>	383	</section>
381		384
382	<section>	385	<section>
383	<title>NAT (a.k.a. IP-masquerading)</title>	386	<title>NAT (a.k.a. IP-masquerading)</title>
384	<body>	387	<body>
385		388
386	<p>	389	<p>
387	At this point, people on your network can talk to each other and they	390	At this point, people on your network can talk to each other and they can look
388	can look up hostnames via DNS, but they still can't actually connect to	391	up hostnames via DNS, but they still can't actually connect to the internet.
389	the internet. While you may think that's great (more bandwidth for	392	While you may think that's great (more bandwidth for you!), I bet they're not
390	you!), I bet they're not too happy just yet.	393	too happy just yet.
391	</p>
392
393	<p>	394	</p>
		395
		396	<p>
394	This is where NAT steps in. NAT is a way of connecting multiple computers	397	This is where NAT steps in. NAT is a way of connecting multiple computers in a
395	in a private LAN to the internet when you only have a smaller number of	398	private LAN to the internet when you only have a smaller number of IP addresses
396	IP addresses availabe to you. Typically you were given 1 IP by your ISP,	399	availabe to you. Typically you were given 1 IP by your ISP, but you want to
397	but you want to let your whole house connect to the internet. NAT is the	400	let your whole house connect to the internet. NAT is the magic that makes this
398	magic that makes this possible. For more information about NAT, you can	401	possible. For more information about NAT, you can always visit <uri
399	always visit <uri link="http://en.wikipedia.org/wiki/NAT">Wikipedia</uri>.	402	link="http://en.wikipedia.org/wiki/NAT">Wikipedia</uri>.
400	</p>	403	</p>
401		404
402	<note>	405	<note>
403	Before we get started, make sure you have iptables on your system. Although	406	Before we get started, make sure you have iptables on your system. Although it
404	it is automatically installed on most systems, you may not have it. If you	407	is automatically installed on most systems, you may not have it. If you don't,
405	don't, just run <c>emerge iptables</c>.	408	just run <c>emerge iptables</c>.
406	</note>	409	</note>
407		410
408	<pre caption="Setting up iptables">	411	<pre caption="Setting up iptables">
409	<comment>First we flush our current rules</comment>	412	<comment>First we flush our current rules</comment>
410	# <i>iptables -F</i>	413	# <i>iptables -F</i>
…		…
440	net.ipv4.ip_forward = 1	443	net.ipv4.ip_forward = 1
441	net.ipv4.conf.default.rp_filter = 1</comment>	444	net.ipv4.conf.default.rp_filter = 1</comment>
442	</pre>	445	</pre>
443		446
444	<p>	447	<p>
445	Once you've typed out all of that, the rest of your network should now	448	Once you've typed out all of that, the rest of your network should now be able
446	be able to use the internet as if they were directly connected	449	to use the internet as if they were directly connected themselves.
447	themselves.
448	</p>	450	</p>
449		451
450	</body>	452	</body>
451	</section>	453	</section>
452	</chapter>	454	</chapter>
…		…
455	<title>Fun Things (for a rainy day)</title>	457	<title>Fun Things (for a rainy day)</title>
456		458
457	<section>	459	<section>
458	<title>Intro</title>	460	<title>Intro</title>
459	<body>	461	<body>
		462
460	<p>	463	<p>
461	Believe it or not, you're done :). From here on out, I'll cover a bunch	464	Believe it or not, you're done :). From here on out, I'll cover a bunch of
462	of common topics that may interest you. Everything in this chapter is	465	common topics that may interest you. Everything in this chapter is completely
463	completely optional.	466	optional.
464	</p>	467	</p>
		468
465	</body>	469	</body>
466	</section>	470	</section>
467		471
468	<section>	472	<section>
469	<title>Port Forwarding</title>	473	<title>Port Forwarding</title>
470	<body>	474	<body>
		475
471	<p>	476	<p>
472	Sometimes you would like to be able to host services on a computer behind	477	Sometimes you would like to be able to host services on a computer behind the
473	the router, or just to make your life easier when connecting remotely.	478	router, or just to make your life easier when connecting remotely. Perhaps you
474	Perhaps you want to run a FTP, HTTP, SSH, or VNC server on one or more	479	want to run a FTP, HTTP, SSH, or VNC server on one or more machines behind your
475	machines behind your router and be able to connect to them all. The only	480	router and be able to connect to them all. The only caveat is that you can
476	caveat is that you can only have one service/machine combo per port.	481	only have one service/machine combo per port. For example, there is no
477	For example, there is no practical way to setup three FTP servers behind	482	practical way to setup three FTP servers behind your router and then try to
478	your router and then try to connect to them all through port 21; only one	483	connect to them all through port 21; only one can be on port 21 while the
479	can be on port 21 while the others would have to be on say port 123 and	484	others would have to be on say port 123 and port 567.
480	port 567.
481	</p>
482
483	<p>	485	</p>
		486
		487	<p>
484	All the port forwarding rules are of the form <c>iptables -t nat -A PREROUTING	488	All the port forwarding rules are of the form <c>iptables -t nat -A PREROUTING
485	[-p protocol] --dport [external port on router] -i eth1 -j DNAT --to [ip/port	489	[-p protocol] --dport [external port on router] -i eth1 -j DNAT --to [ip/port
486	to forward to]</c>. iptables does not accept hostnames when port forwarding.	490	to forward to]</c>. iptables does not accept hostnames when port forwarding.
487	If you are forwarding an external port to the same port on the internal machine,	491	If you are forwarding an external port to the same port on the internal
488	you can omit the destination port. See the iptables(8) page for more information.	492	machine, you can omit the destination port. See the iptables(8) page for more
		493	information.
489	</p>	494	</p>
490		495
491	<pre>	496	<pre>
492	<comment>Forward port 2 to ssh on an internal host</comment>	497	<comment>Forward port 2 to ssh on an internal host</comment>
493	# <i>iptables -t nat -A PREROUTING -p tcp --dport 2 -i eth1 -j DNAT --to 192.168.0.2:22</i>	498	# <i>iptables -t nat -A PREROUTING -p tcp --dport 2 -i eth1 -j DNAT --to 192.168.0.2:22</i>
…		…
513	# <i>iptables -t nat -A PREROUTING -p tcp --dport 10070:10080 -i eth1 -j DNAT --to 192.168.0.11</i>	518	# <i>iptables -t nat -A PREROUTING -p tcp --dport 10070:10080 -i eth1 -j DNAT --to 192.168.0.11</i>
514	# <i>iptables -t nat -A PREROUTING -p udp --dport 10070:10080 -i eth1 -j DNAT --to 192.168.0.11</i>	519	# <i>iptables -t nat -A PREROUTING -p udp --dport 10070:10080 -i eth1 -j DNAT --to 192.168.0.11</i>
515	</pre>	520	</pre>
516		521
517	<note>	522	<note>
518	If you have other common / cool examples, please <uri link="mailto:vapier@gentoo.org">e-mail me</uri>.	523	If you have other common / cool examples, please <uri
		524	link="mailto:vapier@gentoo.org">e-mail me</uri>.
519	</note>	525	</note>
		526
520	</body>	527	</body>
521	</section>	528	</section>
522		529
523	<section>	530	<section>
524	<title>Identd (for IRC)</title>	531	<title>Identd (for IRC)</title>
525	<body>	532	<body>
		533
526	<p>	534	<p>
527	Internet Relay Chat utilizes the ident service pretty heavily. Now that	535	Internet Relay Chat utilizes the ident service pretty heavily. Now that the
528	the IRC clients are behind the router, we need a way to host ident for	536	IRC clients are behind the router, we need a way to host ident for both the
529	both the router and the clients. One such server has been created	537	router and the clients. One such server has been created called
530	called <c>midentd</c>.	538	<c>midentd</c>.
531	</p>	539	</p>
532		540
533	<pre caption="Setting up ident">	541	<pre caption="Setting up ident">
534	# <i>emerge midentd</i>	542	# <i>emerge midentd</i>
535	# <i>rc-update add midentd default</i>	543	# <i>rc-update add midentd default</i>
536	# <i>/etc/init.d/midentd start</i>	544	# <i>/etc/init.d/midentd start</i>
537	</pre>	545	</pre>
538		546
539	<p>	547	<p>
540	There are a few other ident servers in portage. Depending on your needs,	548	There are a few other ident servers in portage. Depending on your needs, I
541	I would recommend checking out <c>oidentd</c> and <c>fakeidentd</c>.	549	would recommend checking out <c>oidentd</c> and <c>fakeidentd</c>.
542	</p>	550	</p>
		551
543	</body>	552	</body>
544	</section>	553	</section>
545		554
546	<!--	555	<!--
547	<section>	556	<section>
…		…
617	-->	626	-->
618		627
619	<section>	628	<section>
620	<title>Time Server</title>	629	<title>Time Server</title>
621	<body>	630	<body>
		631
622	<p>	632	<p>
623	Keeping your system time correct is essential in maintaing a healthy	633	Keeping your system time correct is essential in maintaing a healthy system.
624	system. One of the most common ways of accomplishing this is with	634	One of the most common ways of accomplishing this is with the Network Time
625	the Network Time Protocol (NTP) and the ntp package (which provides	635	Protocol (NTP) and the ntp package (which provides implementations for both
626	implementations for both server and client).	636	server and client).
627	</p>
628
629	<p>	637	</p>
		638
		639	<p>
630	Many people run ntp clients on their computers. Obviously, the more	640	Many people run ntp clients on their computers. Obviously, the more clients in
631	clients in the world, the larger the load the ntp servers need to	641	the world, the larger the load the ntp servers need to shoulder. In
632	shoulder. In environments like home networks though, we can help	642	environments like home networks though, we can help keep the load down on
633	keep the load down on public servers while still providing the proper	643	public servers while still providing the proper time to all our computers. As
634	time to all our computers. As an added bonus, our private updates	644	an added bonus, our private updates will be a lot faster for the clients too!
635	will be a lot faster for the clients too! All we have to do is run	645	All we have to do is run a ntp server on our router that synchronizes itself
636	a ntp server on our router that synchronizes itself with the public
637	internet servers while providing the time to the rest of the computers	646	with the public internet servers while providing the time to the rest of the
638	in the network. To get started, simply <c>emerge ntp</c> on the	647	computers in the network. To get started, simply <c>emerge ntp</c> on the
639	router.	648	router.
640	</p>	649	</p>
641		650
642	<pre caption="Setting up the NTP server">	651	<pre caption="Setting up the NTP server">
643	# <i>nano /etc/conf.d/ntp-client</i>	652	# <i>nano /etc/conf.d/ntp-client</i>
644	<comment>Customize if you wish but the defaults should be fine</comment>	653	<comment>Customize if you wish but the defaults should be fine</comment>
645	# <i>rc-update add ntp-client default</i>	654	# <i>rc-update add ntp-client default</i>
646		655
647	# <i>nano /etc/ntp.conf</i>	656	# <i>nano /etc/ntp.conf</i>
648	<comment>Add the follwing lines:	657	<comment>Add the follwing lines:</comment>
649	restrict default ignore	658	restrict default ignore
650	restrict 192.168.0.0 mask 255.255.255.0 notrust nomodify notrap	659	restrict 192.168.0.0 mask 255.255.255.0 notrust nomodify notrap
651	These will allow only ntp clients with an IP address in the 192.168.0.xxx range to use your ntp server</comment>	660	<comment>These will allow only ntp clients with an IP
		661	address in the 192.168.0.xxx range to use your ntp server</comment>
652	# <i>nano /etc/conf.d/ntpd</i>	662	# <i>nano /etc/conf.d/ntpd</i>
653	<comment>Customize if you wish but the defaults should be fine</comment>	663	<comment>Customize if you wish but the defaults should be fine</comment>
654	# <i>rc-update add ntpd default</i>	664	# <i>rc-update add ntpd default</i>
655		665
656	# <i>/etc/init.d/ntp-client start</i>	666	# <i>/etc/init.d/ntp-client start</i>
657	# <i>/etc/init.d/ntpd start</i>	667	# <i>/etc/init.d/ntpd start</i>
658	</pre>	668	</pre>
659		669
660	<note>	670	<note>
661	You should make sure that you allow inbound and outbound communication	671	You should make sure that you allow inbound and outbound communication on the
662	on the ntp port (123/udp) when setting up the server. The client just	672	ntp port (123/udp) when setting up the server. The client just needs outbound
663	needs outbound access on port 123 over udp.	673	access on port 123 over udp.
664	</note>	674	</note>
665		675
666	<p>	676	<p>
667	Now, on your clients, have them <c>emerge ntp</c> also. However,	677	Now, on your clients, have them <c>emerge ntp</c> also. However, we will just
668	we will just run the ntp client so setup is a lot simpler.	678	run the ntp client so setup is a lot simpler.
669	</p>	679	</p>
670		680
671	<pre caption="Setting up a NTP client">	681	<pre caption="Setting up a NTP client">
672	# <i>nano /etc/conf.d/ntp-client</i>	682	# <i>nano /etc/conf.d/ntp-client</i>
673	<comment>Change the 'pool.ntp.org' server in the NTPCLIENT_OPTS variable to '192.168.0.1'</comment>	683	<comment>Change the 'pool.ntp.org' server in the NTPCLIENT_OPTS variable to '192.168.0.1'</comment>
674	# <i>rc-update add ntp-client default</i>	684	# <i>rc-update add ntp-client default</i>
675	# <i>/etc/init.d/ntp-client start</i>	685	# <i>/etc/init.d/ntp-client start</i>
676	</pre>	686	</pre>
		687
677	</body>	688	</body>
678	</section>	689	</section>
679		690
680	<section>	691	<section>
681	<title>Mail Server</title>	692	<title>Mail Server</title>
682	<body>	693	<body>
		694
683	<p>	695	<p>
684	Sometimes it's nice to run your own Simple Mail Transfer Protocol (SMTP)	696	Sometimes it's nice to run your own Simple Mail Transfer Protocol (SMTP) server
685	server on the router. You may have your own reason for wanting to do so,	697	on the router. You may have your own reason for wanting to do so, but I run it
686	but I run it so that the users see mail as being sent instantly and the	698	so that the users see mail as being sent instantly and the work of
687	work of retrying/routing is left up to the mail server. Some ISPs also	699	retrying/routing is left up to the mail server. Some ISPs also don't allow for
688	don't allow for mail relaying for accounts that aren't part of their	700	mail relaying for accounts that aren't part of their network (like Verizon).
689	network (like Verizon). Also, you can easily throttle the delivery of	701	Also, you can easily throttle the delivery of mail so that large attachments
690	mail so that large attachments won't seriously lag your connection for	702	won't seriously lag your connection for half an hour.
691	half an hour.
692	</p>	703	</p>
693		704
694	<pre caption="Setting up SMTP">	705	<pre caption="Setting up SMTP">
695	# <i>emerge qmail</i>	706	# <i>emerge qmail</i>
696	<comment>make sure the output of `hostname` is correct</comment>	707	<comment>make sure the output of `hostname` is correct</comment>
…		…
702	# <i>cd /etc/tcprules.d</i>	713	# <i>cd /etc/tcprules.d</i>
703	# <i>nano tcp.qmail-smtp</i>	714	# <i>nano tcp.qmail-smtp</i>
704	-->	715	-->
705	# <i>cd /etc</i>	716	# <i>cd /etc</i>
706	# <i>nano tcp.smtp</i>	717	# <i>nano tcp.smtp</i>
707	<comment>Add an entry like so to the allow section:	718	<comment>Add an entry like so to the allow section:</comment>
708	192.168.0.:allow,RELAYCLIENT=""</comment>	719	192.168.0.:allow,RELAYCLIENT=""
709	<!--	720	<!--
710	# <i>tcprules tcp.qmail-qmtp.cdb rules.tmp < tcp.qmail-smtp</i>	721	# <i>tcprules tcp.qmail-qmtp.cdb rules.tmp < tcp.qmail-smtp</i>
711	-->	722	-->
712	# <i>tcprules tcp.smtp.cdb rules.tmp < tcp.smtp</i>	723	# <i>tcprules tcp.smtp.cdb rules.tmp < tcp.smtp</i>
713	# <i>rc-update add svscan default</i>	724	# <i>rc-update add svscan default</i>
714	# <i>/etc/init.d/svscan start</i>	725	# <i>/etc/init.d/svscan start</i>
715	</pre>	726	</pre>
716		727
717	<p>	728	<p>
718	I'm a huge fan of qmail, but you're free to use a different mta :).	729	I'm a huge fan of qmail, but you're free to use a different mta :). When you
719	When you setup e-mail on the hosts in your network, tell them that	730	setup e-mail on the hosts in your network, tell them that their SMTP server is
720	their SMTP server is 192.168.0.1 and everything should be peachy.	731	192.168.0.1 and everything should be peachy. You might want to visit the <uri
721	You might want to visit the <uri link="http://qmail.org/">qmail	732	link="http://qmail.org/">qmail homepage</uri> for more documentation.
722	homepage</uri> for more documentation.
723	</p>	733	</p>
		734
724	</body>	735	</body>
725	</section>	736	</section>
726		737
727	<!--	738	<!--
728	<section>	739	<section>
…		…
747		758
748	<chapter>	759	<chapter>
749	<title>Final Notes</title>	760	<title>Final Notes</title>
750	<section>	761	<section>
751	<body>	762	<body>
		763
752	<p>	764	<p>
753	I have no final notes other than if you experience any troubles with the guide,	765	I have no final notes other than if you experience any troubles with the guide,
754	please contact <mail link="vapier@gentoo.org">me</mail> or file a bug with	766	please contact <mail link="vapier@gentoo.org">me</mail> or file a bug with <uri
755	<uri link="http://bugs.gentoo.org/">Gentoo's Bugtracking Website</uri>. If	767	link="http://bugs.gentoo.org/">Gentoo's Bugtracking Website</uri>. If you have
756	you have some interesting bits you think would enhance this guide, by all means	768	some interesting bits you think would enhance this guide, by all means send it
757	send it my way for inclusion.	769	my way for inclusion.
758	</p>	770	</p>
		771
759	</body>	772	</body>
760	</section>	773	</section>
761	</chapter>	774	</chapter>
762	</guide>	775	</guide>

 Legend:



Removed from v.1.22
 


changed lines


 
Added in v.1.23
 Legend:



Removed from v.1.22
 


changed lines


 
Added in v.1.23
-Removed from v.1.22
+Added in v.1.23

	ViewVC Help
Powered by ViewVC 1.1.13