Contents of /xml/htdocs/doc/en/home-router-howto.xml

Revision 1.2
Thu Jul 22 14:32:26 2004 UTC by vapier
Branch: MAIN
Changes since 1.1: +38 -4 lines
File MIME type: application/xml
explain a few more terms

<?xml version='1.0' encoding='UTF-8'?>
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/home-router-howto.xml,v 1.1 2004/07/22 05:53:40 vapier Exp $ -->
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">

<guide link="/doc/en/home-router-howto.xml">

<title>Home Router Guide</title>

<author title="Author">
<mail link="vapier@gentoo.org">Mike Frysinger</mail>
</author>

<abstract>
This document details how to turn an old Gentoo machine into a router
for connecting your home network to the internet.
</abstract>

<version>1.1</version>
<date>July 21, 2004</date>

<chapter>
<title>Introduction</title>
<section>
<body>

<p>
Building your own router out of old spare parts has many advantages
over buying a pre-made canned router from, say, Linksys. The biggest one by
far is control over the connection. The other advantages are left up to
your imagination; just about anything can be done in this scenario,
so it is only a matter of what you need.
</p>

<p>
This guide will show you how to set up Network Address Translation (NAT)
on the router (kernel and iptables), add and configure common services
(Domain Name System (DNS) via dnsmasq, DHCP via dhcpcd, ADSL via
rp-pppoe), and conclude with more elaborate and fun things that can be
done (port forwarding, traffic shaping, http/ftp hosting, caching, etc.).
</p>

<p>
Before getting started, there are a few basic requirements you must meet.
First, you'll need a computer that has at least 2 Network Interface
Cards (NICs) in it. Next, you'll need the configuration settings for
your internet connection (these may include things like
IP/DNS/Gateway/username/password). Finally, you'll need a bit of spare
time and some Gentoo loving.
</p>

<p>
The conventions used in this guide are:
</p>
<ul>
<li>eth0 - NIC connected to the Local Area Network (LAN)</li>
<li>eth1 - NIC connected to the Wide Area Network (WAN)</li>
<li>LAN utilizes the private 192.168.0.xxx network</li>
<li>router is hardcoded to the standard 192.168.0.1 IP</li>
</ul>

<impo>
Due to security precautions, I would highly suggest you shut down any
unneeded services on the router until we have a chance to get the
firewall up and rolling. To view the currently running services, just
run <c>rc-status</c>.
</impo>

</body>
</section>
</chapter>

<chapter>
<title>Kernel setup (know thyself first)</title>
<section>
<body>

<p>
Your kernel needs to have the drivers running for both your NICs. To
see if your cards are already set up, just run <c>ifconfig</c>. Your
output may differ slightly from the following; that's fine. What
matters is that the interface shows up at all.
</p>
<pre caption="Checking NICs">
# <i>ifconfig -a</i>
eth0      Link encap:Ethernet  HWaddr 00:60:F5:07:07:B8
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:11 Base address:0x9800

eth1      Link encap:Ethernet  HWaddr 00:60:F5:07:07:B9
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:10 Base address:0x9400
</pre>
<p>
If you do not see your two cards showing up and you're not sure what
kind of cards you have, try running <c>lspci</c>. You can get that from
<c>emerge sys-apps/pciutils</c>. Look for "Ethernet controller" in the
output. Once you have this information, go into your kernel and add
support for the correct drivers.
</p>

<p>
The next thing you'll need is support for iptables and NAT (and packet
shaping if you want). The following list is split up into required
(*), suggested (x), and shaper (s) features. It does not matter whether
you build the features into the kernel or as modules, so long as the
correct module(s) are loaded when the feature is needed (module loading
is left to the reader as a fun exercise, however).
</p>
<pre caption="Network Options">
<i>Networking options ---&gt;</i>
<i>  [*] TCP/IP networking</i>
<i>  [*] IP: advanced router</i>
<i>  [*] Network packet filtering (replaces ipchains)</i>

<i>  IP: Netfilter Configuration ---&gt;</i>
<i>    [*] Connection tracking (required for masq/NAT)</i>
<i>    [x] FTP protocol support</i>
<i>    [x] IRC protocol support</i>
<i>    [*] IP tables support (required for filtering/masq/NAT)</i>
<i>    [*] IP range match support</i>
<i>    [x] MAC address match support</i>
<i>    [*] Multiple port match support</i>
<i>    [*] Packet filtering</i>
<i>    [*] REJECT target support</i>
<i>    [x] REDIRECT target support</i>
<i>    [*] Full NAT</i>
<i>    [*] MASQUERADE target support</i>
<i>    [s] Packet mangling</i>
<i>    [s] MARK target support</i>
<i>    [x] LOG target support</i>

<i>  QoS and/or fair queueing ---&gt;</i>
<i>    [s] QoS and/or fair queueing</i>
<i>    [s] HTB packet scheduler</i>
<i>    [s] Ingress Qdisc</i>
</pre>
<note>
Some things may be slightly different in a 2.4 vs 2.6 kernel, but you
should be able to figure it out :). 2.2 + ipchains is not covered here.
</note>

</body>
</section>
</chapter>

<chapter>
<title>Hug the WAN (a.k.a. The Internet)</title>

<section>
<title>Intro</title>
<body>
<p>
There are many ways to connect to the internet so I'll just cover the
ones I'm familiar with. That leaves us with ADSL (PPPoE) and cable
modems (static/dynamic). If there are other methods out there, feel
free to write up a little blurb and e-mail me. Feel free to skip any of
the following sections in this chapter that don't apply to you. This
chapter is just about getting the router connected to the internet via
eth1.
</p>
</body>
</section>

<section>
<title>ADSL and PPPoE</title>
<body>

<p>
All the fancy PPPoE software has been bundled up into one little nice
package nowadays called <uri link="http://www.roaringpenguin.com/">Roaring Penguin</uri>.
Simply <c>emerge rp-pppoe</c> and you'll be on your way. Remember how
I said you'll need username/password information? Well I wasn't lying
so I hope you have it now! Load up <path>/etc/ppp/pppoe.conf</path> in
your favorite editor and set it up.
</p>

<pre caption="Setting up eth1">
<comment>(Replace 'vla9h924' with your username and 'password' with your password)</comment>

# <i>nano /etc/ppp/pppoe.conf</i>
<comment># Ethernet card connected to ADSL modem
ETH=eth1
# ADSL user name.
USER=vla9h924</comment>
# <i>nano /etc/ppp/pap-secrets</i>
<comment># client        server  secret
"vla9h924"      *       "password"</comment>
# <i>nano /etc/conf.d/net</i>
<comment>Add an entry for ifconfig_eth1 and set it to adsl:
ifconfig_eth1=( "adsl" )</comment>
# <i>ln -s net.eth0 /etc/init.d/net.eth1</i>
# <i>rc-update add net.eth1 default</i>
# <i>/etc/init.d/net.eth1 start</i>
</pre>

<p>
You should be all set to go now.
</p>

</body>
</section>

<section>
<title>Cable and/or dynamic/static IP</title>
<body>

<p>
If you have a static IP then you will need a few more details than if
you have a dynamic IP. For static users, you will need your IP,
gateway, and DNS servers.
</p>

<pre caption="Setting up eth1">
<comment>Dynamic IP Users:</comment>
# <i>emerge dhcpcd</i>
# <i>nano /etc/conf.d/net</i>
<comment>You'll need an entry like so:
ifconfig_eth1=( "dhcp" )</comment>

<comment>Static IP Users:</comment>
# <i>nano /etc/conf.d/net</i>
<comment>You'll need entries like so:
ifconfig_eth1=( "66.92.78.102 broadcast 66.92.78.255 netmask 255.255.255.0" )
routes_eth1=( "default gw 66.92.78.1" )</comment>
# <i>nano /etc/resolv.conf</i>
<comment>Add one line per DNS server:
nameserver 123.123.123.123</comment>

<comment>Dynamic and Static Setup:</comment>
# <i>ln -s net.eth0 /etc/init.d/net.eth1</i>
# <i>rc-update add net.eth1 default</i>
# <i>/etc/init.d/net.eth1 start</i>
</pre>

<p>
You should be all set to go now.
</p>

</body>
</section>
</chapter>

<chapter>
<title>Hug the LAN (bring along some friends)</title>
<section>
<body>

<p>
This step is a breeze compared to the previous one.
</p>

<pre caption="Setting up eth0">
# <i>nano /etc/conf.d/net</i>
<comment>Add a line like the following:
ifconfig_eth0=( "192.168.0.1 broadcast 192.168.0.255 netmask 255.255.255.0" )</comment>
# <i>rc-update add net.eth0 default</i>
# <i>/etc/init.d/net.eth0 start</i>
</pre>

</body>
</section>
</chapter>

<chapter>
<title>LAN Services (because we're nice people)</title>

<section>
<title>DHCP Server</title>
<body>
<p>
I bet it'd be nice if everyone else in your house could just plug
their computers into the network and things would just work. No need to
remember mind-numbing details or make them stare at confusing
configuration screens! Life would be grand eh? Introducing the Dynamic
Host Configuration Protocol (DHCP) and why you should care.
</p>

<p>
DHCP is exactly what its name implies. It's a protocol that allows you
to dynamically configure other hosts automatically. You run a DHCP
server on the router (dhcpd), give it all the information about your
network (valid IPs, DNS servers, gateways, etc...), and then when the
other hosts start up, they run a DHCP client to automatically configure
themselves. No fuss, no muss! For even more information, you can
always visit <uri link="http://en.wikipedia.org/wiki/DHCP">Wikipedia</uri>.
</p>

<pre caption="Setting up dhcpd">
# <i>emerge dhcp</i>
# <i>nano /etc/dhcp/dhcpd.conf</i>
<comment>Here is a sample configuration file:
authoritative;
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.100 192.168.0.250;
    default-lease-time 259200;
    max-lease-time 518400;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.0.255;
    option routers 192.168.0.1;
    option domain-name-servers 192.168.0.1;
}
</comment>
# <i>nano /etc/conf.d/dhcp</i>
<comment>Set IFACE="eth0"</comment>
# <i>rc-update add dhcp default</i>
# <i>/etc/init.d/dhcp start</i>
</pre>

<p>
Now your little router is a bona-fide DHCP server! Plug in those
computers and watch them work! With Windows systems you should go into
the TCP/IP Properties and select the 'Obtain an IP address
automatically' and 'Obtain DNS server address automatically' options.
Sometimes the changes aren't instantaneous, so you may have to open a
command prompt and run <c>ipconfig /release</c> and <c>ipconfig
/renew</c>. But enough about Windows, let's get back to our favorite
penguin.
</p>
</body>
</section>

<section>
<title>DNS Server</title>
<body>
<p>
When people want to visit a place on the internet, they remember names,
not a string of useless numbers. After all, what's easier to remember,
ebay.com or 66.135.192.87? This is where the DNS steps in. DNS servers
run all over the internet, and whenever someone wants to visit 'ebay.com',
these servers turn 'ebay.com' (what we understand) into '66.135.192.87'
(what our computers understand). For even more information, you can
always visit <uri link="http://en.wikipedia.org/wiki/DNS">Wikipedia</uri>.
</p>

<p>
You may have noticed in the previous section that we told the DHCP
clients we have a DNS server at 192.168.0.1. You may also remember that
192.168.0.1 is our little router that we're making. I don't remember
setting up a DNS server ... so let's do so now!
</p>

<pre caption="Setting up dnsmasq">
# <i>emerge dnsmasq</i>
# <i>nano /etc/conf.d/dnsmasq</i>
<comment>Add "-i eth0" to DNSMASQ_OPTS so dnsmasq listens only on the LAN
interface and is not reachable from the WAN</comment>
# <i>rc-update add dnsmasq default</i>
# <i>/etc/init.d/dnsmasq start</i>
</pre>

<p>
Well that was quick, but what did we do? The great thing is, we didn't
have to do very much! You're welcome to choose other DNS servers if
you're more comfortable with them, but the reason dnsmasq is great is
because it was designed to do exactly what we want it for. It's a
little DNS caching/forwarding server for local networks. We're not
looking to provide our own DNS server here, just offer simple DNS
services to everyone else on our LAN.
</p>

</body>
</section>

<section>
<title>NAT</title>
<body>

<p>
At this point, people on your network can talk to each other and they
can look up hostnames via DNS, but they still can't actually connect to
the internet. While you may think that's great (more bandwidth for
you!), I bet they're not too happy just yet.
</p>

<p>
This is where NAT steps in. NAT is a way of connecting multiple computers
in a private LAN to the internet when you only have a smaller number of
IP addresses available to you. Typically you are given one IP by your ISP,
but you want to let your whole house connect to the internet. NAT is the
magic that makes this possible. For even more information, you can
always visit <uri link="http://en.wikipedia.org/wiki/NAT">Wikipedia</uri>.
</p>

<note>
Before we get started, make sure you have iptables on your system. Although
it is automatically installed on most systems, you may not have it. If you
don't, just run <c>emerge iptables</c>.
</note>

<pre caption="Setting up iptables">
<comment>First we flush our current rules</comment>
# <i>iptables -F</i>
# <i>iptables -t nat -F</i>

<comment>Then we lock our services so they only work from the LAN</comment>
# <i>iptables -I INPUT 1 -i eth0 -j ACCEPT</i>
# <i>iptables -I INPUT 1 -i lo -j ACCEPT</i>
# <i>iptables -A INPUT -p UDP --dport bootps -i ! eth0 -j REJECT</i>
# <i>iptables -A INPUT -p UDP --dport domain -i ! eth0 -j REJECT</i>

<comment>Drop TCP / UDP packets to privileged ports</comment>
# <i>iptables -A INPUT -p TCP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP</i>
# <i>iptables -A INPUT -p UDP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP</i>

<comment>Finally we add the rules for NAT (-i takes an interface name, never a
network, so the LAN network is matched with -d and -s)</comment>
# <i>iptables -I FORWARD -i eth0 -d 192.168.0.0/255.255.0.0 -j DROP</i>
# <i>iptables -A FORWARD -s 192.168.0.0/255.255.0.0 -j ACCEPT</i>
# <i>iptables -A FORWARD -d 192.168.0.0/255.255.0.0 -j ACCEPT</i>
# <i>iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE</i>
<comment>Tell the kernel that ip forwarding is OK</comment>
# <i>echo 1 > /proc/sys/net/ipv4/ip_forward</i>
# <i>for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done</i>

<comment>This is so when we boot we don't have to run the rules by hand</comment>
# <i>/etc/init.d/iptables save</i>
# <i>rc-update add iptables default</i>
</pre>
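<p>
The ruleset above, as an added shell example that is not part of this guide: the LAN and WAN interface names and the LAN network are parameters, each interface name is checked against the kernel's IFNAMSIZ limit before it reaches <c>iptables -i</c>, and the commands are printed for review rather than executed (pipe the output to <c>sh</c> as root to apply them). It assumes the guide's conventions (eth0 = LAN, eth1 = WAN, 192.168.0.0/24) and uses the current <c>! -i</c> negation syntax.
</p>

```shell
#!/bin/sh
# Added example (not from the guide): build the guide's NAT and LAN-lockdown
# ruleset from parameters instead of retyping it, after validating the
# interface names. Assumed conventions: eth0 = LAN, eth1 = WAN, 192.168.0.0/24.
set -eu

# iptables -i/-o takes a real interface name: at most 15 characters
# (IFNAMSIZ - 1) and no '/', ':' or whitespace. A network given to -i, as in
# "-i 192.168.0.0/255.255.0.0", is rejected by iptables, so catch it early.
valid_ifname() {
    [ -n "$1" ] || return 1
    [ "${#1}" -le 15 ] || return 1
    case "$1" in
        */*|*:*|*' '*) return 1 ;;
    esac
}

# Print one command line. Nothing in this script is executed as a rule.
rule() { printf '%s\n' "$*"; }

# Print the ruleset for LAN interface $1, WAN interface $2, LAN network $3.
# Review the output, then apply it as root with: nat_rules eth0 eth1 NET | sh
nat_rules() {
    lan=$1 wan=$2 net=$3
    valid_ifname "$lan" || return 1
    valid_ifname "$wan" || return 1
    rule iptables -F
    rule iptables -t nat -F
    # Accept loopback and LAN; refuse DHCP and DNS arriving on any other interface
    rule iptables -I INPUT 1 -i "$lan" -j ACCEPT
    rule iptables -I INPUT 1 -i lo -j ACCEPT
    rule iptables -A INPUT -p UDP --dport bootps '!' -i "$lan" -j REJECT
    rule iptables -A INPUT -p UDP --dport domain '!' -i "$lan" -j REJECT
    # Close privileged ports on every interface except the LAN
    rule iptables -A INPUT -p TCP '!' -i "$lan" -d 0/0 --dport 0:1023 -j DROP
    rule iptables -A INPUT -p UDP '!' -i "$lan" -d 0/0 --dport 0:1023 -j DROP
    # Forward LAN to WAN and de-NATed replies back in; never hairpin LAN to LAN
    rule iptables -I FORWARD -i "$lan" -d "$net" -j DROP
    rule iptables -A FORWARD -i "$lan" -s "$net" -j ACCEPT
    rule iptables -A FORWARD -i "$wan" -d "$net" -j ACCEPT
    rule iptables -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
    rule 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    rule 'for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done'
}

# Dry run with the guide's conventions; the output is what would be applied.
nat_rules eth0 eth1 192.168.0.0/255.255.255.0
```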

<p>
Once you've typed out all of that, the rest of your network should now
be able to use the internet as if they were directly connected
themselves.
</p>

<p>
Believe it or not, you're done :). The only thing left involves adding
extra services to make your life (or the lives of your users) easier.
</p>

</body>
</section>

</chapter>

</guide>
