/[gentoo]/xml/htdocs/doc/en/home-router-howto.xml
Gentoo

Contents of /xml/htdocs/doc/en/home-router-howto.xml

Parent Directory Parent Directory | Revision Log Revision Log

Revision 1.1 - (show annotations) (download) (as text)
Thu Jul 22 05:53:40 2004 UTC (8 years, 10 months ago) by vapier
Branch: MAIN
File MIME type: application/xml 
initial draft
1 <?xml version='1.0' encoding='UTF-8'?>
2 <!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/qmail-howto.xml,v 1.26 2004/06/25 22:28:55 vapier Exp $ -->
3 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
4
5 <guide link="/doc/en/home-router-howto.xml">
6
7 <title>Home Router Guide</title>
8
9 <author title="Author">
10 <mail link="vapier@gentoo.org">Mike Frysinger</mail>
11 </author>
12
13 <abstract>
14 This document details how to turn an old Gentoo machine into a router
15 for connecting your home network to the internet.
16 </abstract>
17
18 <version>1.1</version>
19 <date>July 21, 2004</date>
20
21 <chapter>
22 <title>Introduction</title>
23 <section>
24 <body>
25
26 <p>
27 Building your own router out of old spare parts has many advantages
28 over buying a pre-made canned router by say Linksys. The biggest one by
29 far is control over the connection. The other advantages are left up to
30 your imagination; just about anything can be done in this scenario,
31 it's just a matter of needing it.
32 </p>
33
34 <p>
35 This guide will show you how to setup Network Address Translation (NAT)
36 on the router (kernel and iptables), add and configure common services
37 (DNS via dnsmasq, dhcp via dhcpcd, ADSL via rp-pppoe), and conclude
38 with more elaborate and fun things that can be done (mail caching, port
39 forwarding, traffic shaping, http/ftp hosting).
40 </p>
41
42 <p>
43 Before getting started, there's a few basic requirements you must meet.
44 First, you'll need a computer that has at least 2 Network Interface
45 Cards (NICs) in it. Next, you'll need the configuration settings for
46 your internet connection (may include things like
47 IP/DNS/Gateway/username/password). Finally, you'll need a bit of spare
48 time and some Gentoo loving.
49 </p>
50
51 <p>
52 The conventions used in this guide are:
53 </p>
54 <ul>
55 <li>eth0 - NIC connected to the Local Area Network (LAN)</li>
56 <li>eth1 - NIC connected to the Wide Area Network (WAN)</li>
57 <li>LAN utilizes the private 192.168.0.xxx network</li>
58 <li>router is hardcoded to the standard 192.168.0.1 IP</li>
59 </ul>
60
61 <impo>
62 Due to security precautions, I would highly suggest you shut down any
63 unneeded services on the router until we have a chance to get the
64 firewall up and rolling. To view the currently running services, just
65 run <c>rc-status</c>.
66 </impo>
67
68 </body>
69 </section>
70 </chapter>
71
72 <chapter>
73 <title>Kernel setup (know thyself first)</title>
74 <section>
75 <body>
76
77 <p>
78 Your kernel needs to have the drivers running for both your NICs. To
79 see if your cards are already setup, just run <c>ifconfig</c>. Your
80 output may differ slightly from the following, that's fine. What
81 matters is that the interface shows up at all.
82 </p>
83 <pre caption="Checking NICs">
84 # <i>ifconfig -a</i>
85 eth0 Link encap:Ethernet HWaddr 00:60:F5:07:07:B8
86 BROADCAST MULTICAST MTU:1500 Metric:1
87 RX packets:0 errors:0 dropped:0 overruns:0 frame:0
88 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
89 collisions:0 txqueuelen:1000
90 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
91 Interrupt:11 Base address:0x9800
92
93 eth1 Link encap:Ethernet HWaddr 00:60:F5:07:07:B9
94 BROADCAST MULTICAST MTU:1500 Metric:1
95 RX packets:0 errors:0 dropped:0 overruns:0 frame:0
96 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
97 collisions:0 txqueuelen:1000
98 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
99 Interrupt:10 Base address:0x9400
100 </pre>
101 <p>
102 If you do not see your two cards showing up and you're not sure what
103 kind of cards you have, try running <c>lspci</c>. You can get that from
104 <c>emerge sys-apps/pciutils</c>. Look for "Ethernet controller" in the
105 output. Once you have this information, go into your kernel and add
106 support for the correct drivers.
107 </p>
108
109 <p>
110 The next thing you'll need is support for iptables and NAT (and packet
111 shaping if you want). The following list is split up into required
112 (*), suggested (x), and shaper (s) features. It does not matter whether
113 you build the features into the kernel or as a module so long as when
114 the feature is need, the correct module(s) are loaded (module loading
115 is left to the reader as a fun exercise however).
116 </p>
117 <pre caption="Network Options">
118 <i>Networking options ---&gt;</i>
119 <i> [*] TCP/IP networking</i>
120 <i> [*] IP: advanced router</i>
121 <i> [*] Network packet filtering (replaces ipchains)</i>
122
123 <i> IP: Netfilter Configuration ---&gt;</i>
124 <i> [*] Connection tracking (required for masq/NAT)</i>
125 <i> [x] FTP protocol support</i>
126 <i> [x] IRC protocol support</i>
127 <i> [*] IP tables support (required for filtering/masq/NAT)</i>
128 <i> [*] IP range match support</i>
129 <i> [x] MAC address match support</i>
130 <i> [*] Multiple port match support</i>
131 <i> [*] Packet filtering</i>
132 <i> [*] REJECT target support</i>
133 <i> [x] REDIRECT target support</i>
134 <i> [*] Full NAT</i>
135 <i> [*] MASQUERADE target support</i>
136 <i> [s] Packet mangling</i>
137 <i> [s] MARK target support</i>
138 <i> [x] LOG target support</i>
139
140 <i> QoS and/or fair queueing ---&gt;</i>
141 <i> [s] QoS and/or fair queueing</i>
142 <i> [s] HTB packet scheduler</i>
143 <i> [s] Ingress Qdisc</i>
144 </pre>
145 <note>
146 Somethings may be slightly different in a 2.4 vs 2.6 kernel, but you
147 should be able to figure it out :). 2.2 + ipchains is not covered here.
148 </note>
149
150 </body>
151 </section>
152 </chapter>
153
154 <chapter>
155 <title>Hug the WAN (a.k.a. The Internet)</title>
156
157 <section>
158 <title>Intro</title>
159 <body>
160 <p>
161 There are many ways to connect to the internet so I'll just cover the
162 ones I'm familiar with. That leaves us with ADSL (PPPoE) and cable
163 modems (static/dynamic). If there are other methods out there, feel
164 free to write up a little blurb and e-mail me. Feel free to skip any of
165 the following sections in this chapter that don't apply to you. This
166 chapter is just about getting the router connected to the internet via
167 eth1.
168 </p>
169 </body>
170 </section>
171
172 <section>
173 <title>ADSL and PPPoE</title>
174 <body>
175
176 <p>
177 All the fancy PPPoE software has been bundled up into one little nice
178 package nowadays called <uri link="http://www.roaringpenguin.com/">Roaring Penguin</uri>.
179 Simply <c>emerge rp-pppoe</c> and you'll be on your way. Remember how
180 I said you'll need username/password information? Well I wasn't lying
181 so I hope you have it now! Load up <path>/etc/ppp/pppoe.conf</path> in
182 your favorite editor and set it up.
183 </p>
184
185 <pre caption="Setting up eth1">
186 <comment>(Replace 'vla9h924' with your username and 'password' with your password)</comment>
187
188 # <i>nano /etc/ppp/pppoe.conf</i>
189 <comment># Ethernet card connected to ADSL modem
190 ETH=eth1
191 # ADSL user name.
192 USER=vla9h924</comment>
193 # <i>nano /etc/ppp/pap-secrets</i>
194 <comment># client server secret
195 "vla9h924" * "password"</comment>
196 # <i>nano /etc/conf.d/net</i>
197 <comment>Add an entry for ifconfig_eth1 and set it to adsl:
198 ifconfig_eth1=( "adsl" )</comment>
199 # <i>ln -s net.eth0 /etc/init.d/net.eth1</i>
200 # <i>rc-update add net.eth1 default</i>
201 # <i>/etc/init.d/net.eth1 start</i>
202 </pre>
203
204 <p>
205 You should be all set to go now.
206 </p>
207
208 </body>
209 </section>
210
211 <section>
212 <title>Cable and/or dynamic/static IP</title>
213 <body>
214
215 <p>
216 If you have a static IP then you will need the few more details than if
217 you have a dynamic IP. For static users, you will need your IP,
218 gateway, and DNS servers.
219 </p>
220
221 <pre caption="Setting up eth1">
222 <comment>Dynamic IP Users:</comment>
223 # <i>emerge dhcpcd</i>
224 # <i>nano /etc/conf.d/net</i>
225 <comment>You'll need an entry like so:
226 ifconfig_eth1=( "dhcp" )</comment>
227
228 <comment>Static IP Users:</comment>
229 # <i>nano /etc/conf.d/net</i>
230 <comment>You'll need entries like so:
231 ifconfig_eth1=( "66.92.78.102 broadcast 66.92.78.255 netmask 255.255.255.0" )
232 routes_eth1=( "default gw 66.92.78.1" )</comment>
233 # <i>nano /etc/resolv.conf</i>
234 <comment>Add one line per DNS server:
235 nameserver 123.123.123.123</comment>
236
237 <comment>Dynamic and Static Setup:</comment>
238 # <i>ln -s net.eth0 /etc/init.d/net.eth1</i>
239 # <i>rc-update add net.eth1 default</i>
240 # <i>/etc/init.d/net.eth1 start</i>
241 </pre>
242
243 <p>
244 You should be all set to go now.
245 </p>
246
247 </body>
248 </section>
249 </chapter>
250
251 <chapter>
252 <title>Hug the LAN (bring along some friends)</title>
253 <section>
254 <body>
255
256 <p>
257 This step is a breeze compared to the previous one.
258 </p>
259
260 <pre caption="Setting up eth0">
261 # <i>nano /etc/conf.d/net</i>
262 <comment>Add a line like the following:
263 ifconfig_eth0=( "192.168.0.1 broadcast 192.168.0.255 netmask 255.255.255.0" )</comment>
264 # <i>rc-update add net.eth0 default</i>
265 # <i>/etc/init.d/net.eth0 start</i>
266 </pre>
267
268 </body>
269 </section>
270 </chapter>
271
272 <chapter>
273 <title>LAN Services (because we're nice people)</title>
274
275 <section>
276 <title>DHCP Server</title>
277 <body>
278 <p>
279 I bet it'd be nice if everyone else in your house could just plug
280 their computers into the network and things would just work. No need to
281 remember mind-numbing details or make them stare at confusing
282 configuration screens! Life would be grand eh? Introducing the Dynamic
283 Host Configuration Protocol (DHCP) and why you should care.
284 </p>
285
286 <pre caption="Setting up dhcpd">
287 # <i>emerge dhcp</i>
288 # <i>nano /etc/dhcp/dhcpd.conf</i>
289 <comment>Here is a sample configuration file:
290 authoritative;
291 subnet 192.168.0.0 netmask 255.255.255.0 {
292 range 192.168.0.100 192.168.0.250;
293 default-lease-time 259200;
294 max-lease-time 518400;
295 option subnet-mask 255.255.255.0;
296 option broadcast-address 192.168.0.255;
297 option routers 192.168.0.1;
298 option domain-name-servers 192.168.0.1;
299 }
300 </comment>
301 # <i>nano /etc/conf.d/dhcp</i>
302 <comment>Set IFACE="eth0"</comment>
303 # <i>rc-update add dhcp default</i>
304 # <i>/etc/init.d/dhcp start</i>
305 </pre>
306
307 <p>
308 Now your little router is a bona-fide DHCP server! Plugin those
309 computers and watch them work! With Windows systems you should go into
310 the TCP/IP Properties and select the 'Obtain an IP address
311 automatically' and 'Obtain DNS server address automatically' options.
312 Sometimes the changes aren't instantaneous, so you may have to run a
313 command prompt and run <c>ipconfig /release</c> and <c>ipconfig
314 /renew</c>. But enough about Windows, let's get back to our favorite
315 penguin.
316 </p>
317 </body>
318 </section>
319
320 <section>
321 <title>DNS Server</title>
322 <body>
323
324 <p>
325 You may have noticed in the previous section that we told the DHCP
326 clients we have a DNS server at 192.168.0.1. You may also remember that
327 192.168.0.1 is our little router that we're making. I don't remember
328 setting up a DNS server ... so let's do so now!
329 </p>
330
331 <pre caption="Setting up dnsmasq">
332 # <i>emerge dnsmasq</i>
333 # <i>nano /etc/conf.d/dnsmasq</i>
334 <comment>Add "-i eth1" to DNSMASQ_OPTS</comment>
335 # <i>rc-update add dnsmasq</i>
336 # <i>/etc/init.d/dnsmasq start</i>
337 </pre>
338
339 <p>
340 Well that was quick, but what did we do? The great thing is, we didn't
341 have to do very much! You're welcome to choose other DNS servers if
342 you're more comfortable with them, but the reason dnsmasq is great is
343 because it was designed to do exactly what we want it for. It's a
344 little DNS caching/forwarding server for local networks. We're not
345 looking to provide our own DNS server here, just offer simple DNS
346 services to everyone else on our LAN.
347 </p>
348
349 </body>
350 </section>
351
352 <section>
353 <title>NAT</title>
354 <body>
355
356 <p>
357 At this point, people on your network can talk to each other and they
358 can look up hostnames via DNS, but they still can't actually connect to
359 the internet. While you may think that's great (more bandwidth for
360 you!), I bet they're not too happy just yet.
361 </p>
362
363 <pre caption="Setting up iptables">
364 <comment>First we flush our current rules</comment>
365 # <i>iptables -F</i>
366 # <i>iptables -t nat -F</i>
367
368 <comment>Then we lock our services so they only work from the LAN</comment>
369 # <i>iptables -I INPUT 1 -i eth0 -j ACCEPT</i>
370 # <i>iptables -I INPUT 1 -i lo -j ACCEPT</i>
371 # <i>iptables -A INPUT -p UDP --dport bootps -i ! eth0 -j REJECT</i>
372 # <i>iptables -A INPUT -p UDP --dport dns -i ! eth0 -j REJECT</i>
373
374 <comment>Drop TCP / UDP packets to privileged ports</comment>
375 # <i>iptables -A INPUT -p TCP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP</i>
376 # <i>iptables -A INPUT -p UDP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP</i>
377
378 <comment>Finally we add the rules for NAT</comment>
379 # <i>iptables -I FORWARD -i 192.168.0.0/255.255.0.0 -j DROP</i>
380 # <i>iptables -A FORWARD -s 192.168.0.0/255.255.0.0 -j ACCEPT</i>
381 # <i>iptables -A FORWARD -d 192.168.0.0/255.255.0.0 -j ACCEPT</i>
382 # <i>iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE</i>
383 <comment>Tell the kernel that ip forwarding is OK</comment>
384 # <i>echo 1 > /proc/sys/net/ipv4/ip_forward</i>
385 # <i>for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done</i>
386
387 <comment>This is so when we boot we don't have to run the rules by hand</comment>
388 # <i>/etc/init.d/iptables save</i>
389 # <i>rc-update add iptables default</i>
390 </pre>
391
392 <p>
393 Once you've typed out all of that, the rest of your network should now
394 be able to use the internet as if they were directly connected
395 themselves.
396 </p>
397
398 <p>
399 Believe it or not, you're done :). The only thing left involves adding
400 extra services to make your life (or the lives of your users) easier.
401 </p>
402
403 </body>
404 </section>
405
406 </chapter>
407
408 </guide>
  ViewVC Help
Powered by ViewVC 1.1.20