Diff of /xml/htdocs/doc/en/home-router-howto.xml

Revision 1.29 Revision 1.30
1<?xml version='1.0' encoding='UTF-8'?> 1<?xml version='1.0' encoding='UTF-8'?>
2<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/home-router-howto.xml,v 1.29 2005/08/04 00:18:20 vapier Exp $ --> 2<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/home-router-howto.xml,v 1.30 2005/08/14 04:38:48 vapier Exp $ -->
3<!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> 3<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
4 4
5<guide link="/doc/en/home-router-howto.xml"> 5<guide link="/doc/en/home-router-howto.xml">
6 6
7<title>Home Router Guide</title> 7<title>Home Router Guide</title>
13<abstract> 13<abstract>
14This document details how to turn an old Gentoo machine into a router 14This document details how to turn an old Gentoo machine into a router
15for connecting your home network to the internet. 15for connecting your home network to the internet.
16</abstract> 16</abstract>
17 17
18<version>1.9</version> 18<version>1.10</version>
19<date>2005-08-03</date> 19<date>2005-08-14</date>
20 20
21<chapter> 21<chapter>
22<title>Introduction</title> 22<title>Introduction</title>
23<section> 23<section>
24<body> 24<body>
204<comment># client server secret</comment> 204<comment># client server secret</comment>
205"vla9h924" * "password" 205"vla9h924" * "password"
206# <i>nano /etc/conf.d/net</i> 206# <i>nano /etc/conf.d/net</i>
207<comment>Add an entry for config_eth1 and set it to adsl:</comment> 207<comment>Add an entry for config_eth1 and set it to adsl:</comment>
208config_eth1=( "adsl" ) 208config_eth1=( "adsl" )
209# <i>ln -s net.eth0 /etc/init.d/net.eth1</i> 209# <i>ln -s net.lo /etc/init.d/net.eth1</i>
210# <i>rc-update add net.eth1 default</i> 210# <i>rc-update add net.eth1 default</i>
211# <i>/etc/init.d/net.eth1 start</i> 211# <i>/etc/init.d/net.eth1 start</i>
212</pre> 212</pre>
213 213
214<warn> 214<warn>
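Review bot: the retargeted symlink at line 209 (`ln -s net.lo /etc/init.d/net.eth1`) is the right fix; baselayout's real script is net.lo and net.eth0 is normally itself only a symlink to it, so pointing net.eth1 at net.eth0 built a symlink chain that breaks as soon as net.eth0 is removed or recreated. While this block is open, the pap-secrets line just above it (`"vla9h924" * "password"`) stores the ADSL credential in clear text on the WAN-facing machine; a one-line reminder to keep that file readable by root only (chmod 600) would fit here.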
245# <i>nano /etc/resolv.conf</i> 245# <i>nano /etc/resolv.conf</i>
246<comment>Add one line per DNS server:</comment> 246<comment>Add one line per DNS server:</comment>
247nameserver 123.123.123.123 247nameserver 123.123.123.123
248 248
249<comment>Dynamic and Static Setup:</comment> 249<comment>Dynamic and Static Setup:</comment>
250# <i>ln -s net.eth0 /etc/init.d/net.eth1</i> 250# <i>ln -s net.lo /etc/init.d/net.eth1</i>
251# <i>rc-update add net.eth1 default</i> 251# <i>rc-update add net.eth1 default</i>
252# <i>/etc/init.d/net.eth1 start</i> 252# <i>/etc/init.d/net.eth1 start</i>
253</pre> 253</pre>
254 254
255<p> 255<p>
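Review bot: consistent with the ADSL block, line 250 now links net.eth1 to net.lo as well; good, otherwise the ADSL path and the Dynamic/Static path would have created net.eth1 two different ways and only one of them would have survived a baselayout update. No further issue in this hunk.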
411<pre caption="Setting up iptables"> 411<pre caption="Setting up iptables">
412<comment>First we flush our current rules</comment> 412<comment>First we flush our current rules</comment>
413# <i>iptables -F</i> 413# <i>iptables -F</i>
414# <i>iptables -t nat -F</i> 414# <i>iptables -t nat -F</i>
415 415
416<comment>Copy and paste these examples ...</comment>
417# <i>export LAN=eth0</i>
418# <i>export WAN=eth1</i>
419
416<comment>Then we lock our services so they only work from the LAN</comment> 420<comment>Then we lock our services so they only work from the LAN</comment>
417# <i>iptables -I INPUT 1 -i eth0 -j ACCEPT</i> 421# <i>iptables -I INPUT 1 -i ${LAN} -j ACCEPT</i>
418# <i>iptables -I INPUT 1 -i lo -j ACCEPT</i> 422# <i>iptables -I INPUT 1 -i lo -j ACCEPT</i>
419# <i>iptables -A INPUT -p UDP --dport bootps -i ! eth0 -j REJECT</i> 423# <i>iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT</i>
420# <i>iptables -A INPUT -p UDP --dport domain -i ! eth0 -j REJECT</i> 424# <i>iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT</i>
421 425
422<comment>(Optional) Allow access to our ssh server from the WAN</comment> 426<comment>(Optional) Allow access to our ssh server from the WAN</comment>
423# <i>iptables -A INPUT -p TCP --dport ssh -i eth1 -j ACCEPT</i> 427# <i>iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT</i>
424 428
425<comment>Drop TCP / UDP packets to privileged ports</comment> 429<comment>Drop TCP / UDP packets to privileged ports</comment>
426# <i>iptables -A INPUT -p TCP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP</i> 430# <i>iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP</i>
427# <i>iptables -A INPUT -p UDP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP</i> 431# <i>iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP</i>
428 432
429<comment>Finally we add the rules for NAT</comment> 433<comment>Finally we add the rules for NAT</comment>
430# <i>iptables -I FORWARD -i eth0 -d 192.168.0.0/255.255.0.0 -j DROP</i> 434# <i>iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP</i>
431# <i>iptables -A FORWARD -i eth0 -s 192.168.0.0/255.255.0.0 -j ACCEPT</i> 435# <i>iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT</i>
432# <i>iptables -A FORWARD -i eth1 -d 192.168.0.0/255.255.0.0 -j ACCEPT</i> 436# <i>iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT</i>
433# <i>iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE</i> 437# <i>iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE</i>
434<comment>Tell the kernel that ip forwarding is OK</comment> 438<comment>Tell the kernel that ip forwarding is OK</comment>
435# <i>echo 1 > /proc/sys/net/ipv4/ip_forward</i> 439# <i>echo 1 > /proc/sys/net/ipv4/ip_forward</i>
436# <i>for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done</i> 440# <i>for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done</i>
437 441
438<comment>This is so when we boot we don't have to run the rules by hand</comment> 442<comment>This is so when we boot we don't have to run the rules by hand</comment>
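Review bot: the ${LAN}/${WAN} substitution is mechanical and I found no interface name that was missed, but two things in this hunk deserve a fix while it is open. First, the negated match is written as `-i ! ${LAN}` (lines 423-424 and 430-431); newer iptables wants the `!` before the option (`! -i ${LAN}`) and warns on the old form, so switching now saves a later edit. Second, the INPUT rules only DROP ports 0:1023 arriving from non-LAN interfaces and set no default policy, so any service listening on an unprivileged port is reachable from the WAN; consider `iptables -P INPUT DROP` together with `iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` so replies still come back. The same applies to FORWARD: `-i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT` on line 436 accepts every inbound packet addressed to the LAN, not only established connections and the port forwards defined later.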
484others would have to be on say port 123 and port 567. 488others would have to be on say port 123 and port 567.
485</p> 489</p>
486 490
487<p> 491<p>
488All the port forwarding rules are of the form <c>iptables -t nat -A PREROUTING 492All the port forwarding rules are of the form <c>iptables -t nat -A PREROUTING
489[-p protocol] --dport [external port on router] -i eth1 -j DNAT --to [ip/port 493[-p protocol] --dport [external port on router] -i ${WAN} -j DNAT --to [ip/port
490to forward to]</c>. iptables does not accept hostnames when port forwarding. 494to forward to]</c>. iptables does not accept hostnames when port forwarding.
491If you are forwarding an external port to the same port on the internal 495If you are forwarding an external port to the same port on the internal
492machine, you can omit the destination port. See the iptables(8) page for more 496machine, you can omit the destination port. See the iptables(8) page for more
493information. 497information.
494</p> 498</p>
495 499
496<pre caption="Running the iptables commands"> 500<pre caption="Running the iptables commands">
501<comment>Copy and paste these examples ...</comment>
502# <i>export LAN=eth0</i>
503# <i>export WAN=eth1</i>
504
497<comment>Forward port 2 to ssh on an internal host</comment> 505<comment>Forward port 2 to ssh on an internal host</comment>
498# <i>iptables -t nat -A PREROUTING -p tcp --dport 2 -i eth1 -j DNAT --to 192.168.0.2:22</i> 506# <i>iptables -t nat -A PREROUTING -p tcp --dport 2 -i ${WAN} -j DNAT --to 192.168.0.2:22</i>
499 507
500<comment>FTP forwarding to an internal host</comment> 508<comment>FTP forwarding to an internal host</comment>
501# <i>iptables -t nat -A PREROUTING -p tcp --dport 21 -i eth1 -j DNAT --to 192.168.0.56</i> 509# <i>iptables -t nat -A PREROUTING -p tcp --dport 21 -i ${WAN} -j DNAT --to 192.168.0.56</i>
502 510
503<comment>HTTP forwarding to an internal host</comment> 511<comment>HTTP forwarding to an internal host</comment>
504# <i>iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 -j DNAT --to 192.168.0.56</i> 512# <i>iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to 192.168.0.56</i>
505 513
506<comment>VNC forwarding for internal hosts</comment> 514<comment>VNC forwarding for internal hosts</comment>
507# <i>iptables -t nat -I PREROUTING -p tcp --dport 5900 -i eth1 -j DNAT --to 192.168.0.2</i> 515# <i>iptables -t nat -I PREROUTING -p tcp --dport 5900 -i ${WAN} -j DNAT --to 192.168.0.2</i>
508# <i>iptables -t nat -I PREROUTING -p tcp --dport 5901 -i eth1 -j DNAT --to 192.168.0.3:5900</i> 516# <i>iptables -t nat -I PREROUTING -p tcp --dport 5901 -i ${WAN} -j DNAT --to 192.168.0.3:5900</i>
509<comment>If you want to VNC in to 192.168.0.3, then just add ':1' to the router's hostname</comment> 517<comment>If you want to VNC in to 192.168.0.3, then just add ':1' to the router's hostname</comment>
510 518
511<comment>Bittorrent forwarding</comment> 519<comment>Bittorrent forwarding</comment>
512# <i>iptables -t nat -A PREROUTING -p tcp --dport 6881:6889 -i eth1 -j DNAT --to 192.168.0.2</i> 520# <i>iptables -t nat -A PREROUTING -p tcp --dport 6881:6889 -i ${WAN} -j DNAT --to 192.168.0.2</i>
513 521
514<comment>Game Cube Warp Pipe support</comment> 522<comment>Game Cube Warp Pipe support</comment>
515# <i>iptables -t nat -A PREROUTING -p udp --dport 4000 -i eth1 -j DNAT --to 192.168.0.56</i> 523# <i>iptables -t nat -A PREROUTING -p udp --dport 4000 -i ${WAN} -j DNAT --to 192.168.0.56</i>
516 524
517<comment>Playstation2 Online support</comment> 525<comment>Playstation2 Online support</comment>
518# <i>iptables -t nat -A PREROUTING -p tcp --dport 10070:10080 -i eth1 -j DNAT --to 192.168.0.11</i> 526# <i>iptables -t nat -A PREROUTING -p tcp --dport 10070:10080 -i ${WAN} -j DNAT --to 192.168.0.11</i>
519# <i>iptables -t nat -A PREROUTING -p udp --dport 10070:10080 -i eth1 -j DNAT --to 192.168.0.11</i> 527# <i>iptables -t nat -A PREROUTING -p udp --dport 10070:10080 -i ${WAN} -j DNAT --to 192.168.0.11</i>
520</pre> 528</pre>
521 529
522<note> 530<note>
523If you have other common / cool examples, please <uri 531If you have other common / cool examples, please <uri
524link="mailto:vapier@gentoo.org">e-mail me</uri>. 532link="mailto:vapier@gentoo.org">e-mail me</uri>.
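Review bot: two points on the PREROUTING examples. DNAT happens before the INPUT filtering from the firewall section, and the forwarded traffic then traverses FORWARD rather than INPUT, so the `--dport 0:1023 ... -j DROP` rules do not shield the internal hosts named here; the prose at lines 492-497 should say so, and each forward should be paired with a FORWARD rule limited to the target host and port instead of relying on the blanket WAN-to-192.168.0.0/16 ACCEPT. Minor: the VNC rules use `-I` while every other example uses `-A` (lines 515-516 versus 506-512); the rules do not overlap so ordering is irrelevant, but the mixed forms read as deliberate and should be `-A` throughout.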
758 766
759<pre caption="Setting up SMTP"> 767<pre caption="Setting up SMTP">
760# <i>emerge qmail</i> 768# <i>emerge qmail</i>
761<comment>make sure the output of `hostname` is correct</comment> 769<comment>make sure the output of `hostname` is correct</comment>
762# <i>ebuild /var/db/pkg/*-*/qmail-1.03-r*/*.ebuild config</i> 770# <i>ebuild /var/db/pkg/*-*/qmail-1.03-r*/*.ebuild config</i>
763# <i>iptables -I INPUT -p tcp --dport smtp -i ! eth0 -j REJECT</i> 771# <i>iptables -I INPUT -p tcp --dport smtp -i ! ${LAN} -j REJECT</i>
764# <i>ln -s /var/qmail/supervise/qmail-send /service/qmail-send</i> 772# <i>ln -s /var/qmail/supervise/qmail-send /service/qmail-send</i>
765# <i>ln -s /var/qmail/supervise/qmail-smtpd /service/qmail-smtpd</i> 773# <i>ln -s /var/qmail/supervise/qmail-smtpd /service/qmail-smtpd</i>
766<!-- 774<!--
767# <i>cd /etc/tcprules.d</i> 775# <i>cd /etc/tcprules.d</i>
768# <i>nano tcp.qmail-smtp</i> 776# <i>nano tcp.qmail-smtp</i>
809--> 817-->
810 818
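Review bot: line 771 now reads `iptables -I INPUT -p tcp --dport smtp -i ! ${LAN} -j REJECT`, but unlike the two iptables blocks earlier in the guide this block has no `export LAN=eth0` before it. A reader who pastes it into a fresh shell gets an empty expansion, leaving `-i ! -j REJECT`, which either fails to parse or matches the wrong thing; add the export (or write eth0 literally with a comment) so the block stands on its own. The rule also uses the intrapositioned `-i !` form; same remark as for the firewall section.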
811</chapter> 819</chapter>
812 820
813<chapter> 821<chapter>
814<title>Debugging</title> 822<title>Troubleshooting</title>
815 823
816<section> 824<section>
817<title>Useful Tools</title> 825<title>Useful Tools</title>
818<body> 826<body>
819 827
