Diff of /xml/htdocs/doc/en/home-router-howto.xml


Revision 1.32 Revision 1.33
1<?xml version='1.0' encoding='UTF-8'?> 1<?xml version='1.0' encoding='UTF-8'?>
2<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/home-router-howto.xml,v 1.32 2005/09/06 03:03:19 vapier Exp $ --> 2<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/home-router-howto.xml,v 1.33 2005/09/17 07:40:13 vapier Exp $ -->
3<!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> 3<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
4 4
5<guide link="/doc/en/home-router-howto.xml"> 5<guide link="/doc/en/home-router-howto.xml">
6 6
7<title>Home Router Guide</title> 7<title>Home Router Guide</title>
13<abstract> 13<abstract>
14This document details how to turn an old Gentoo machine into a router 14This document details how to turn an old Gentoo machine into a router
15for connecting your home network to the internet. 15for connecting your home network to the internet.
16</abstract> 16</abstract>
17 17
18<version>1.12</version> 18<version>1.20</version>
19<date>2005-09-05</date> 19<date>2005-09-17</date>
20 20
21<chapter> 21<chapter>
22<title>Introduction</title> 22<title>Introduction</title>
23<section> 23<section>
24<body> 24<body>
297</p> 297</p>
298 298
299<p> 299<p>
300DHCP is exactly what its name implies. It's a protocol that allows you 300DHCP is exactly what its name implies. It's a protocol that allows you
301to dynamically configure other hosts automatically. You run a DHCP server on 301to dynamically configure other hosts automatically. You run a DHCP server on
302the router (dhcpd), give it all the information about your network (valid IPs, 302the router, give it all the information about your network (valid IPs,
303DNS servers, gateways, etc...), and then when the other hosts start up, they 303DNS servers, gateways, etc...), and then when the other hosts start up, they
304run a DHCP client to automatically configure themselves. No fuss, no muss! 304run a DHCP client to automatically configure themselves. No fuss, no muss!
305For more information about DHCP, you can always visit <uri 305For more information about DHCP, you can always visit <uri
306link="http://en.wikipedia.org/wiki/DHCP">Wikipedia</uri>. 306link="http://en.wikipedia.org/wiki/DHCP">Wikipedia</uri>.
307</p> 307</p>
308 308
309<p>
310We'll use a package called dnsmasq which provides both DHCP and DNS services.
311For now lets just focus on the DHCP aspect. Note that if you want to run a
312different DHCP server, you can find another example in the Fun Things chapter.
313Also, if you wish to tinker with the DHCP server settings, just read the
314comments in <path>/etc/dnsmasq.conf</path>. All the defaults should work fine
315though.
316</p>
317
309<pre caption="Setting up dhcpd"> 318<pre caption="Setting up a DHCP server">
310# <i>emerge dhcp</i> 319# <i>emerge dnsmasq</i>
311# <i>nano /etc/dhcp/dhcpd.conf</i> 320# <i>nano /etc/dnsmasq.conf</i>
312<comment>(Here is a sample configuration file:)</comment> 321<comment>You should need to just add this one line:</comment>
313authoritative;
314ddns-update-style interim;
315subnet 192.168.0.0 netmask 255.255.255.0 {
316 range 192.168.0.100 192.168.0.250; 322dhcp-range=192.168.0.100,192.168.0.250,72h
317 default-lease-time 259200; 323
318 max-lease-time 518400;
319 option subnet-mask 255.255.255.0;
320 option broadcast-address 192.168.0.255;
321 option routers 192.168.0.1;
322 option domain-name-servers 192.168.0.1;
323}
324# <i>nano /etc/conf.d/dhcp</i> 324# <i>nano /etc/conf.d/dnsmasq</i>
325<comment>(Set IFACE="eth0")</comment> 325<comment>Add "-i eth0" to DNSMASQ_OPTS</comment>
326# <i>rc-update add dhcp default</i> 326# <i>rc-update add dnsmasq default</i>
327# <i>/etc/init.d/dhcp start</i> 327# <i>/etc/init.d/dnsmasq start</i>
328</pre> 328</pre>
329 329
330<p> 330<p>
331Now your little router is a bona-fide DHCP server! Plugin those computers and 331Now your little router is a bona-fide DHCP server! Plugin those computers and
332watch them work! With Windows systems you should go into the TCP/IP Properties 332watch them work! With Windows systems you should go into the TCP/IP Properties
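Review bot: the switch from dhcpd to dnsmasq drops the explicit "option routers 192.168.0.1" and "option domain-name-servers 192.168.0.1" that the removed dhcpd.conf carried, and the replacement "dhcp-range=192.168.0.100,192.168.0.250,72h" says nothing about which gateway and resolver clients will be handed; the new prose only promises that "All the defaults should work fine". One sentence stating that dnsmasq, unless told otherwise, advertises the address of the interface it serves on (here the router's own 192.168.0.1 on eth0) as both default gateway and DNS server would make the one-liner self-explanatory and keep the DNS section's later claim that clients already get DNS from the router verifiable. The comment "Add "-i eth0" to DNSMASQ_OPTS" is the one line in this hunk with a security effect, since it restricts dnsmasq to answering DHCP and DNS on the LAN side rather than on the WAN interface, so say why, not just what. Style: "lets just focus" should be "let's just focus".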
344<title>DNS Server</title> 344<title>DNS Server</title>
345<body> 345<body>
346 346
347<p> 347<p>
348When people want to visit a place on the internet, they remember names, not a 348When people want to visit a place on the internet, they remember names, not a
349string of useless numbers. After all, what's easier to remember, ebay.com or 349string of funky numbers. After all, what's easier to remember, ebay.com or
35066.135.192.87? This is where the DNS steps in. DNS servers run all over the 35066.135.192.87? This is where the DNS steps in. DNS servers run all over the
351internet, and whenever someone wants to visit 'ebay.com', these servers turn 351internet, and whenever someone wants to visit 'ebay.com', these servers turn
352'ebay.com' (what we understand) into '66.135.192.87' (what our computers 352'ebay.com' (what we understand) into '66.135.192.87' (what our computers
353understand). For more information about DNS, you can always visit <uri 353understand). For more information about DNS, you can always visit <uri
354link="http://en.wikipedia.org/wiki/DNS">Wikipedia</uri>. 354link="http://en.wikipedia.org/wiki/DNS">Wikipedia</uri>.
355</p> 355</p>
356 356
357<p> 357<p>
358You may have noticed in the previous section that we told the DHCP clients we 358Since we're using dnsmasq for our DHCP server, and it includes a DNS server,
359have a DNS server at 192.168.0.1. You may also remember that 192.168.0.1 is 359you've got nothing left to do here! Your little router is already providing
360our little router that we're making. I don't remember setting up a DNS server 360DNS to its DHCP clients. Bet you wish everything was this easy ;).
361... so let's do so now!
362</p>
363
364<pre caption="Setting up dnsmasq">
365# <i>emerge dnsmasq</i>
366# <i>nano /etc/conf.d/dnsmasq</i>
367<comment>Add "-i eth0" to DNSMASQ_OPTS</comment>
368# <i>rc-update add dnsmasq default</i>
369# <i>/etc/init.d/dnsmasq start</i>
370</pre>
371
372<p> 361</p>
373Well that was quick, but what did we do? The great thing is, we didn't have to 362
363<p>
374do very much! You're welcome to choose other DNS servers if you're more 364You're welcome to choose other DNS servers if you're more comfortable with
375comfortable with them, but the reason dnsmasq is great is because it was 365them, but the reason dnsmasq is great is because it was designed to do exactly
376designed to do exactly what we want and nothing more. It's a little DNS 366what we want and nothing more. It's a little DNS caching/forwarding server for
377caching/forwarding server for local networks. We're not looking to provide DNS 367local networks. We're not looking to provide DNS for our own domain here, just
378for our own domain here, just offer simple DNS services to everyone else on our 368offer simple DNS services to everyone else on our LAN.
379LAN.
380</p> 369</p>
381 370
382</body> 371</body>
383</section> 372</section>
384 373
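Review bot: removing the "Setting up dnsmasq" pre from this section means the DNS text no longer shows the "-i eth0" restriction anywhere near the statement that dnsmasq is "a little DNS caching/forwarding server for local networks"; that option now lives only in the DHCP section. A reader who lands on this section alone has no way to see what keeps the forwarder from answering recursive queries from the WAN side. Suggest a short back-reference in the new paragraph, along the lines of "the -i eth0 added to DNSMASQ_OPTS in the DHCP section is what keeps this forwarder LAN-only", so the security property survives the reorganisation.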
392While you may think that's great (more bandwidth for you!), I bet they're not 381While you may think that's great (more bandwidth for you!), I bet they're not
393too happy just yet. 382too happy just yet.
394</p> 383</p>
395 384
396<p> 385<p>
397This is where NAT steps in. NAT is a way of connecting multiple computers in a 386This is where Network Address Translation (NAT) steps in. NAT is a way of
398private LAN to the internet when you only have a smaller number of IP addresses 387connecting multiple computers in a private LAN to the internet when you have a
399availabe to you. Typically you were given 1 IP by your ISP, but you want to 388smaller number of public IP addresses available to you. Typically you are given
400let your whole house connect to the internet. NAT is the magic that makes this 3891 IP by your ISP, but you want to let your whole house connect to the internet.
401possible. For more information about NAT, you can always visit <uri 390NAT is the magic that makes this possible. For more information about NAT, you
402link="http://en.wikipedia.org/wiki/NAT">Wikipedia</uri>. 391can always visit <uri link="http://en.wikipedia.org/wiki/NAT">Wikipedia</uri>.
403</p> 392</p>
404 393
405<note> 394<note>
406Before we get started, make sure you have iptables on your system. Although it 395Before we get started, make sure you have iptables on your system. Although it
407is automatically installed on most systems, you may not have it. If you don't, 396is automatically installed on most systems, you may not have it. If you don't,
411<pre caption="Setting up iptables"> 400<pre caption="Setting up iptables">
412<comment>First we flush our current rules</comment> 401<comment>First we flush our current rules</comment>
413# <i>iptables -F</i> 402# <i>iptables -F</i>
414# <i>iptables -t nat -F</i> 403# <i>iptables -t nat -F</i>
415 404
416<comment>Setup default policies to handle not matched by any rules</comment> 405<comment>Setup default policies to handle unmatched traffic</comment>
417# <i>iptables -P INPUT ACCEPT</i> 406# <i>iptables -P INPUT ACCEPT</i>
418# <i>iptables -P OUTPUT ACCEPT</i> 407# <i>iptables -P OUTPUT ACCEPT</i>
419# <i>iptables -P FORWARD DROP</i> 408# <i>iptables -P FORWARD DROP</i>
420 409
421<comment>Copy and paste these examples ...</comment> 410<comment>Copy and paste these examples ...</comment>
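Review bot: the reworded comment "Setup default policies to handle unmatched traffic" is clearer than the old one, but the policies it introduces leave INPUT ACCEPT and OUTPUT ACCEPT on a machine with a WAN interface, so only forwarded traffic is dropped by default; anything listening on the router itself, including the dnsmasq DHCP/DNS service set up earlier, is reachable from outside unless a later rule or the service's own interface binding stops it. Worth a sentence here saying that FORWARD DROP protects the LAN hosts but not the router, and that this is why the "-i eth0" binding in the dnsmasq hunk matters. Minor: "Setup" as a verb should be "Set up".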
494</p> 483</p>
495 484
496<p> 485<p>
497All the port forwarding rules are of the form <c>iptables -t nat -A PREROUTING 486All the port forwarding rules are of the form <c>iptables -t nat -A PREROUTING
498[-p protocol] --dport [external port on router] -i ${WAN} -j DNAT --to [ip/port 487[-p protocol] --dport [external port on router] -i ${WAN} -j DNAT --to [ip/port
499to forward to]</c>. iptables does not accept hostnames when port forwarding. 488to forward to]</c>. Unfortunately, iptables does not accept hostnames when port
500If you are forwarding an external port to the same port on the internal 489forwarding. If you are forwarding an external port to the same port on the
501machine, you can omit the destination port. See the iptables(8) page for more 490internal machine, you can omit the destination port. See the iptables(8) man
502information. 491page for more information.
503</p> 492</p>
504 493
505<pre caption="Running the iptables commands"> 494<pre caption="Running the iptables commands">
506<comment>Copy and paste these examples ...</comment> 495<comment>Copy and paste these examples ...</comment>
507# <i>export LAN=eth0</i> 496# <i>export LAN=eth0</i>
522<comment>If you want to VNC in to 192.168.0.3, then just add ':1' to the router's hostname</comment> 511<comment>If you want to VNC in to 192.168.0.3, then just add ':1' to the router's hostname</comment>
523 512
524<comment>Bittorrent forwarding</comment> 513<comment>Bittorrent forwarding</comment>
525# <i>iptables -t nat -A PREROUTING -p tcp --dport 6881:6889 -i ${WAN} -j DNAT --to 192.168.0.2</i> 514# <i>iptables -t nat -A PREROUTING -p tcp --dport 6881:6889 -i ${WAN} -j DNAT --to 192.168.0.2</i>
526 515
516<comment>eDonkey/eMule forwarding</comment>
517# <i>iptables -t nat -A PREROUTING -p tcp --dport 4662 -i ${WAN} -j DNAT --to 192.168.0.55</i>
518
527<comment>Game Cube Warp Pipe support</comment> 519<comment>Game Cube Warp Pipe support</comment>
528# <i>iptables -t nat -A PREROUTING -p udp --dport 4000 -i ${WAN} -j DNAT --to 192.168.0.56</i> 520# <i>iptables -t nat -A PREROUTING -p udp --dport 4000 -i ${WAN} -j DNAT --to 192.168.0.56</i>
529 521
530<comment>Playstation2 Online support</comment> 522<comment>Playstation 2 Online support</comment>
531# <i>iptables -t nat -A PREROUTING -p tcp --dport 10070:10080 -i ${WAN} -j DNAT --to 192.168.0.11</i> 523# <i>iptables -t nat -A PREROUTING -p tcp --dport 10070:10080 -i ${WAN} -j DNAT --to 192.168.0.11</i>
532# <i>iptables -t nat -A PREROUTING -p udp --dport 10070:10080 -i ${WAN} -j DNAT --to 192.168.0.11</i> 524# <i>iptables -t nat -A PREROUTING -p udp --dport 10070:10080 -i ${WAN} -j DNAT --to 192.168.0.11</i>
533</pre> 525</pre>
534 526
535<note> 527<note>
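Review bot: the added eDonkey/eMule rule forwards to 192.168.0.55 with no destination port, which relies on the "same port on the internal machine" shorthand explained in the paragraph above, consistent with the Bittorrent example. What the prose does not say: every DNAT target in this pre (.2, .55, .56, .11) sits below the "dhcp-range=192.168.0.100,192.168.0.250" that dnsmasq hands out, and that is the right choice, because a forwarded port aimed at a DHCP-assigned address will silently start delivering WAN traffic to whichever host receives that lease next. Suggest stating once, near the "All the port forwarding rules are of the form" sentence, that forwarding targets must be statically addressed outside the DHCP range. Also, the man page reference "iptables(8) man page" in the new text is the correct form; good fix.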
818</pre> 810</pre>
819 811
820</body> 812</body>
821</section> 813</section>
822--> 814-->
815
816<section>
817<title>Full DHCP Server</title>
818<body>
819
820<p>
821Earlier we used dnsmasq to provide DHCP service to all our clients. For most
822people with a simple small LAN, this is perfect. But you may need something
823with more features. Thus we turn to a full-featured DHCP server as provided
824by the <uri link="http://www.isc.org/products/DHCP">ISC</uri> folks.
825</p>
826
827<pre caption="Setting up dhcpd">
828# <i>emerge dhcp</i>
829# <i>nano /etc/dhcp/dhcpd.conf</i>
830<comment>(Here is a sample configuration file:)</comment>
831authoritative;
832ddns-update-style interim;
833subnet 192.168.0.0 netmask 255.255.255.0 {
834 range 192.168.0.100 192.168.0.250;
835 default-lease-time 259200;
836 max-lease-time 518400;
837 option subnet-mask 255.255.255.0;
838 option broadcast-address 192.168.0.255;
839 option routers 192.168.0.1;
840 option domain-name-servers 192.168.0.1;
841}
842# <i>nano /etc/conf.d/dhcp</i>
843<comment>(Set IFACE="eth0")</comment>
844# <i>rc-update add dhcp default</i>
845# <i>/etc/init.d/dhcp start</i>
846</pre>
847
848<p>
849This is the minimal setup required to replace the dnsmasq DHCP functionality
850that we used earlier. Speaking of which, you did remember to disable the DHCP
851features in dnsmasq didn't you? If not, you should do so now (just comment
852out the <c>dhcp-range</c> setting in <path>/etc/dnsmasq.conf</path> and restart
853the service).
854</p>
855
856</body>
857</section>
823 858
824</chapter> 859</chapter>
825 860
826<chapter> 861<chapter>
827<title>Troubleshooting</title> 862<title>Troubleshooting</title>
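Review bot: in the new Full DHCP Server section the order of operations creates a window with two authoritative DHCP servers on eth0: the pre runs "rc-update add dhcp default" and "/etc/init.d/dhcp start" first, while the reminder to comment out "dhcp-range" in /etc/dnsmasq.conf and restart the service only follows in the paragraph after it. Clients renewing during that overlap can take a lease from either server. Suggest moving the dnsmasq step before the dhcp start lines (or adding it as a comment inside the pre), and phrasing it as a required step rather than a rhetorical "you did remember ... didn't you?". The sample dhcpd.conf itself is consistent with the dnsmasq one-liner it replaces (same .100-.250 range, 72h default lease, router and DNS pointing at 192.168.0.1), so nothing to flag there.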
