doc/en/home-router-howto.xml

<?xml version='1.0' encoding='UTF-8'?>
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/home-router-howto.xml,v 1.8 2004/08/06 14:46:25 vapier Exp $ -->
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">

<guide link="/doc/en/home-router-howto.xml">

<title>Home Router Guide</title>

<author title="Author">
  <mail link="vapier@gentoo.org">Mike Frysinger</mail>
</author>

<abstract>
This document details how to turn an old Gentoo machine into a router 
for connecting your home network to the internet.
</abstract>

<version>1.1</version>
<date>July 21, 2004</date>

<chapter>
<title>Introduction</title>
<section>
<body>

<p>
Building your own router out of old spare parts has many advantages 
over buying a pre-made canned router by say Linksys.  The biggest one by 
far is control over the connection.  The other advantages are left up to 
your imagination; just about anything can be done in this scenario, 
it's just a matter of needing it.
</p>

<p>
This guide will show you how to setup Network Address Translation (NAT) 
on the router (kernel and iptables), add and configure common services 
(Domain Name System (DNS) via dnsmasq, dhcp via dhcpcd, ADSL via 
rp-pppoe), and conclude with more elaborate and fun things that can be 
done (port forwarding, traffic shaping, proxies/caching, etc...).
</p>

<p>
Before getting started, there's a few basic requirements you must meet.  
First, you'll need a computer that has at least 2 Network Interface 
Cards (NICs) in it.  Next, you'll need the configuration settings for 
your internet connection (may include things like 
IP/DNS/Gateway/username/password).  Finally, you'll need a bit of spare 
time and some Gentoo loving.
</p>

<p>
The conventions used in this guide are:
</p>
<ul>
 <li>eth0 - NIC connected to the Local Area Network (LAN)</li>
 <li>eth1 - NIC connected to the Wide Area Network (WAN)</li>
 <li>LAN utilizes the private 192.168.0.xxx network</li>
 <li>router is hardcoded to the standard 192.168.0.1 IP</li>
 <li>router is running Linux 2.4 or 2.6; you're on your own with 2.0/2.2</li>
</ul>

<impo>
Due to security precautions, I would highly suggest you shut down any 
unneeded services on the router until we have a chance to get the 
firewall up and rolling.  To view the currently running services, just 
run <c>rc-status</c>.
</impo>

</body>
</section>
</chapter>

<chapter>
<title>Kernel setup (know thyself first)</title>
<section>
<body>

<p>
Your kernel needs to have the drivers running for both your NICs.  To 
see if your cards are already setup, just run <c>ifconfig</c>.  Your 
output may differ slightly from the following, that's fine.  What 
matters is that the interface shows up at all.
</p>
<pre caption="Checking NICs">
# <i>ifconfig -a</i>
eth0      Link encap:Ethernet  HWaddr 00:60:F5:07:07:B8
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:11 Base address:0x9800 

eth1      Link encap:Ethernet  HWaddr 00:60:F5:07:07:B9
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:10 Base address:0x9400 
</pre>
<p>
If you do not see your two cards showing up and you're not sure what 
kind of cards you have, try running <c>lspci</c>.  You can get that from 
<c>emerge pciutils</c>.  Look for "Ethernet controller" in the output.  
Once you have this information, go into your kernel and add support for 
the correct drivers.
</p>

<p>
The next thing you'll need is support for iptables and NAT (and packet 
shaping if you want).  The following list is split up into required 
(*), suggested (x), and shaper (s) features.  It does not matter whether 
you build the features into the kernel or as a module so long as when 
the feature is needed, the correct module(s) are loaded (module loading 
is left to the reader as a fun exercise however).
</p>
<pre caption="Network Options">
<i>Networking options  ---&gt;</i>
<i>   [*] TCP/IP networking</i>
<i>      [*] IP: advanced router</i>
<i>   [*] Network packet filtering (replaces ipchains)</i>

<i>   IP: Netfilter Configuration  ---&gt;</i>
<i>      [*] Connection tracking (required for masq/NAT)</i>
<i>         [x] FTP protocol support</i>
<i>         [x] IRC protocol support</i>
<i>      [*] IP tables support (required for filtering/masq/NAT)</i>
<i>         [*] IP range match support</i>
<i>         [x] MAC address match support</i>
<i>         [*] Multiple port match support</i>
<i>         [*] Packet filtering</i>
<i>            [*] REJECT target support</i>
<i>            [x] REDIRECT target support</i>
<i>         [*] Full NAT</i>
<i>            [*] MASQUERADE target support</i>
<i>         [s] Packet mangling</i>
<i>            [s] MARK target support</i>
<i>         [x] LOG target support</i>

<i>   QoS and/or fair queueing  ---&gt;</i>
<i>      [s] QoS and/or fair queueing</i>
<i>         [s] HTB packet scheduler</i>
<i>         [s] Ingress Qdisc</i>
</pre>
<note>
Somethings may be slightly different in a 2.4 vs 2.6 kernel, but you 
should be able to figure it out :).
</note>

</body>
</section>
</chapter>

<chapter>
<title>Hug the WAN (a.k.a. The Internet)</title>

<section>
<title>Intro</title>
<body>
<p>
There are many ways to connect to the internet so I'll just cover the 
ones I'm familiar with.  That leaves us with ADSL (PPPoE) and cable 
modems (static/dynamic).  If there are other methods out there, feel 
free to write up a little blurb and e-mail me.  Feel free to skip any of 
the following sections in this chapter that don't apply to you.  This 
chapter is just about getting the router connected to the internet via 
eth1.
</p>
</body>
</section>

<section>
<title>ADSL and PPPoE</title>
<body>

<p>
All the fancy PPPoE software has been bundled up into one little nice 
package nowadays called <uri link="http://www.roaringpenguin.com/">Roaring Penguin</uri>.  
Simply <c>emerge rp-pppoe</c> and you'll be on your way.  Remember how 
I said you'll need username/password information?  Well I wasn't lying 
so I hope you have it now!  Load up <path>/etc/ppp/pppoe.conf</path> in 
your favorite editor and set it up.
</p>

<note>
In order for the following net.eth1 settings to work, you must have 
baselayout-1.10.1 or later installed on your system.
</note>

<pre caption="Setting up eth1">
<comment>(Replace 'vla9h924' with your username and 'password' with your password)</comment>

# <i>nano /etc/ppp/pppoe.conf</i>
<comment># Ethernet card connected to ADSL modem
ETH=eth1
# ADSL user name.
USER=vla9h924</comment>
# <i>nano /etc/ppp/pap-secrets</i>
<comment># client    server  secret
"vla9h924" * "password"</comment>
# <i>nano /etc/conf.d/net</i>
<comment>Add an entry for ifconfig_eth1 and set it to adsl:
ifconfig_eth1=( "adsl" )</comment>
# <i>ln -s net.eth0 /etc/init.d/net.eth1</i>
# <i>rc-update add net.eth1 default</i>
# <i>/etc/init.d/net.eth1 start</i>
</pre>

<warn>
When the DSL interface comes up, it will create ppp0.  Although your NIC 
is called eth1, the IP is actually bound to ppp0.  From now on, when you 
see examples that utilize 'eth1', substitute with 'ppp0'.
</warn>

</body>
</section>

<section>
<title>Cable and/or dynamic/static IP</title>
<body>

<p>
If you have a static IP then you will need a few more details than if 
you have a dynamic IP.  For static users, you will need your IP, 
gateway, and DNS servers.
</p>

<pre caption="Setting up eth1">
<comment>Dynamic IP Users:</comment>
# <i>emerge dhcpcd</i>
# <i>nano /etc/conf.d/net</i>
<comment>You'll need an entry like so:
ifconfig_eth1=( "dhcp" )</comment>

<comment>Static IP Users:</comment>
# <i>nano /etc/conf.d/net</i>
<comment>You'll need entries like so:
ifconfig_eth1=( "66.92.78.102 broadcast 66.92.78.255 netmask 255.255.255.0" )
routes_eth1=( "default gw 66.92.78.1" )</comment>
# <i>nano /etc/resolv.conf</i>
<comment>Add one line per DNS server:
nameserver 123.123.123.123</comment>

<comment>Dynamic and Static Setup:</comment>
# <i>ln -s net.eth0 /etc/init.d/net.eth1</i>
# <i>rc-update add net.eth1 default</i>
# <i>/etc/init.d/net.eth1 start</i>
</pre>

<p>
You should be all set to go now.
</p>

</body>
</section>
</chapter>

<chapter>
<title>Hug the LAN (bring along some friends)</title>
<section>
<body>

<p>
This step is a breeze compared to the previous one.
</p>

<pre caption="Setting up eth0">
# <i>nano /etc/conf.d/net</i>
<comment>Add a line like the following:
ifconfig_eth0=( "192.168.0.1 broadcast 192.168.0.255 netmask 255.255.255.0" )</comment>
# <i>rc-update add net.eth0 default</i>
# <i>/etc/init.d/net.eth0 start</i>
</pre>

</body>
</section>
</chapter>

<chapter>
<title>LAN Services (because we're nice people)</title>

<section>
<title>DHCP Server</title>
<body>
<p>
I bet it'd be nice if everyone else in your house could just plug 
their computers into the network and things would just work.  No need to 
remember mind-numbing details or make them stare at confusing 
configuration screens!  Life would be grand eh?  Introducing the Dynamic 
Host Configuration Protocol (DHCP) and why you should care.
</p>

<p>
DHCP is exactly what its name implies.  It's a protocol that allows you 
to dynamically configure other hosts automatically.  You run a DHCP 
server on the router (dhcpd), give it all the information about your 
network (valid IPs, DNS servers, gateways, etc...), and then when the 
other hosts start up, they run a DHCP client to automatically configure 
themselves.  No fuss, no muss!  For more information about DHCP, you can 
always visit <uri link="http://en.wikipedia.org/wiki/DHCP">Wikipedia</uri>.
</p>

<pre caption="Setting up dhcpd">
# <i>emerge dhcp</i>
# <i>nano /etc/dhcp/dhcpd.conf</i>
<comment>Here is a sample configuration file:
authoritative;
subnet 192.168.0.0 netmask 255.255.255.0 {
        range 192.168.0.100 192.168.0.250;
        default-lease-time 259200;
        max-lease-time 518400;
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.0.255;
        option routers 192.168.0.1;
        option domain-name-servers 192.168.0.1;
}
</comment>
# <i>nano /etc/conf.d/dhcp</i>
<comment>Set IFACE="eth0"</comment>
# <i>rc-update add dhcp default</i>
# <i>/etc/init.d/dhcp start</i>
</pre>

<p>
Now your little router is a bona-fide DHCP server!  Plugin those 
computers and watch them work!  With Windows systems you should go into 
the TCP/IP Properties and select the 'Obtain an IP address 
automatically' and 'Obtain DNS server address automatically' options.  
Sometimes the changes aren't instantaneous, so you may have to run a 
command prompt and run <c>ipconfig /release</c> and <c>ipconfig 
/renew</c>.  But enough about Windows, let's get back to our favorite 
penguin.
</p>
</body>
</section>

<section>
<title>DNS Server</title>
<body>
<p>
When people want to visit a place on the internet, they remember names, 
not a string of useless numbers.  After all, what's easier to remember, 
ebay.com or 66.135.192.87?  This is where the DNS steps in.  DNS servers 
run all over the internet, and whenever someone wants to visit 'ebay.com', 
these servers turn 'ebay.com' (what we understand) into '66.135.192.87' 
(what our computers understand).  For more information about DNS, you can 
always visit <uri link="http://en.wikipedia.org/wiki/DNS">Wikipedia</uri>.
</p>

<p>
You may have noticed in the previous section that we told the DHCP 
clients we have a DNS server at 192.168.0.1.  You may also remember that 
192.168.0.1 is our little router that we're making.  I don't remember 
setting up a DNS server ... so let's do so now!
</p>

<pre caption="Setting up dnsmasq">
# <i>emerge dnsmasq</i>
# <i>nano /etc/conf.d/dnsmasq</i>
<comment>Add "-i eth1" to DNSMASQ_OPTS</comment>
# <i>rc-update add dnsmasq</i>
# <i>/etc/init.d/dnsmasq start</i>
</pre>

<p>
Well that was quick, but what did we do?  The great thing is, we didn't 
have to do very much!  You're welcome to choose other DNS servers if 
you're more comfortable with them, but the reason dnsmasq is great is 
because it was designed to do exactly what we want and nothing more.  
It's a little DNS caching/forwarding server for local networks.  We're 
not looking to provide DNS for our own domain here, just offer simple DNS 
services to everyone else on our LAN.
</p>

</body>
</section>

<section>
<title>NAT (a.k.a. IP-masquerading)</title>
<body>

<p>
At this point, people on your network can talk to each other and they 
can look up hostnames via DNS, but they still can't actually connect to 
the internet.  While you may think that's great (more bandwidth for 
you!), I bet they're not too happy just yet.
</p>

<p>
This is where NAT steps in.  NAT is a way of connecting multiple computers 
in a private LAN to the internet when you only have a smaller number of 
IP addresses availabe to you.  Typically you were given 1 IP by your ISP, 
but you want to let your whole house connect to the internet.  NAT is the 
magic that makes this possible.  For more information about NAT, you can 
always visit <uri link="http://en.wikipedia.org/wiki/NAT">Wikipedia</uri>.
</p>

<note>
Before we get started, make sure you have iptables on your system.  Although 
it is automatically installed on most systems, you may not have it.  If you 
don't, just run <c>emerge iptables</c>.
</note>

<pre caption="Setting up iptables">
<comment>First we flush our current rules</comment>
# <i>iptables -F</i>
# <i>iptables -t nat -F</i>

<comment>Then we lock our services so they only work from the LAN</comment>
# <i>iptables -I INPUT 1 -i eth0 -j ACCEPT</i>
# <i>iptables -I INPUT 1 -i lo -j ACCEPT</i>
# <i>iptables -A INPUT -p UDP --dport bootps -i ! eth0 -j REJECT</i>
# <i>iptables -A INPUT -p UDP --dport dns -i ! eth0 -j REJECT</i>

<comment>Drop TCP / UDP packets to privileged ports</comment>
# <i>iptables -A INPUT -p TCP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP</i>
# <i>iptables -A INPUT -p UDP -i ! eth0 -d 0/0 --dport 0:1023 -j DROP</i>

<comment>Finally we add the rules for NAT</comment>
# <i>iptables -I FORWARD -i eth0 -d 192.168.0.0/255.255.0.0 -j DROP</i>
# <i>iptables -A FORWARD -i eth0 -s 192.168.0.0/255.255.0.0 -j ACCEPT</i>
# <i>iptables -A FORWARD -i eth1 -d 192.168.0.0/255.255.0.0 -j ACCEPT</i>
# <i>iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE</i>
<comment>Tell the kernel that ip forwarding is OK</comment>
# <i>echo 1 > /proc/sys/net/ipv4/ip_forward</i>
# <i>for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done</i>

<comment>This is so when we boot we don't have to run the rules by hand</comment>
# <i>/etc/init.d/iptables save</i>
# <i>rc-update add iptables default</i>
</pre>

<p>
Once you've typed out all of that, the rest of your network should now 
be able to use the internet as if they were directly connected 
themselves.  
</p>

</body>
</section>
</chapter>

<chapter>
<title>Fun Things (for a rainy day)</title>

<section>
<title>Intro</title>
<body>
<p>
Believe it or not, you're done :).  From here on out, I'll cover a bunch 
of common topics that may interest you.  Everything in this chapter is 
completely optional.
</p>
</body>
</section>

<section>
<title>Port Forwarding</title>
<body>
<p>
Sometimes you would like to be able to host services on a computer behind 
the router, or just to make your life easier when connecting remotely.  
Perhaps you want to run a FTP, HTTP, SSH, or VNC server on one or more 
machines behind your router and be able to connect to them all.  The only 
caveat is that you can only have one service/machine combo per port.  
For example, there is no practical way to setup three FTP servers behind 
your router and then try to connect to them all through port 21; only one 
can be on port 21 while the others would have to be on say port 123 and 
port 567.
</p>

<p>
All the port forwarding rules are of the form <c>iptables -t nat -A PREROUTING 
[-p protocol] --dport [external port on router] -i eth1 -j DNAT --to [ip/port 
to forward to]</c>.  iptables does not accept hostnames when port forwarding.  
If you are forwarding an external port to the same port on the internal machine, 
you can omit the destination port.  See the iptables(8) page for more information.
</p>

<pre>
<comment>Forward port 2 to ssh on an internal host</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 2 -i eth1 -j DNAT --to 192.168.0.2:22</i>

<comment>FTP forwarding to an internal host</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 21 -i eth1 -j DNAT --to 192.168.0.56</i>

<comment>HTTP forwarding to an internal host</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 -j DNAT --to 192.168.0.56</i>

<comment>VNC forwarding for internal hosts</comment>
# <i>iptables -t nat -I PREROUTING -p tcp --dport 5900 -i eth1 -j DNAT --to 192.168.0.2</i>
# <i>iptables -t nat -I PREROUTING -p tcp --dport 5901 -i eth1 -j DNAT --to 192.168.0.3:5900</i>
<comment>If you want to VNC in to 192.168.0.3, then just add ':1' to the router's hostname</comment>

<comment>Bittorrent forwarding</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 6881:6889 -i eth1 -j DNAT --to 192.168.0.2</i>
</pre>

<note>
If you have other common / cool examples, please <uri link="mailto:vapier@gentoo.org">e-mail me</uri>.
</note>
</body>
</section>

<section>
<title>Identd (for IRC)</title>
<body>
<p>
Internet Relay Chat utilizes the ident service pretty heavily.  Now that 
the IRC clients are behind the router, we need a way to host ident for 
both the router and the clients.  One such server has been created 
called <c>midentd</c>.
</p>

<pre caption="Setting up ident">
# <i>emerge midentd</i>
# <i>rc-update add midentd default</i>
# <i>/etc/init.d/midentd start</i>
</pre>

<p>
There are a few other ident servers in portage.  Depending on your needs, 
I would recommend checking out <c>oidentd</c> and <c>fakeidentd</c>.
</p>
</body>
</section>

<!--
<section>
<title>Traffic Shaping</title>
<body>
<p>
This is an attempt to simply and Gentooify the <uri link="http://www.tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/">ADSL Bandwidth Management HOWTO</uri> 
found over at the TLDP.  Feel free to refer to the original document 
for more details.
</p>

<p>
Here we will be setting up what some people refer to as a "Packet Shaper", 
<uri link="http://en.wikipedia.org/wiki/Traffic_shaping">"Traffic Shaping"</uri>, 
or <uri link="http://en.wikipedia.org/wiki/QoS">"Quality of Service"</uri>.  
Simply put, we want to setup rules on our router that will slow down 
certain activities (like sending large e-mails or downloading from P2P 
networks) while keeping other activities (like browsing the web or playing 
online video games) reasonably fast.  A 30 second difference in a video 
game is a lot worse than a 30 second difference in downloading large 
files :).
</p>

<p>
The first thing is to make sure your kernel has all the features added to 
it.  See the chapter on <uri link="#doc_chap2">Kernel setup</uri> for more 
information.  Next, you will need to <c>emerge iptables iputils</c> so that 
you will have access to the <c>iptables</c>, <c>ip</c>, and <c>tc</c> 
commands.
</p>

<p>
Before we jump into the commands, let's cover a little of the theory.  The 
way this whole system works is to classify common network streams and then 
to prioritize them.  You use iptables to classify network streams, iputils 
to define the different priority levels, and the kernel to adjust speeds.  
Just remember that although you can control outbound traffic pretty tightly 
(from the LAN to the WAN), your ability to control inbound traffic (from 
the WAN to the LAN) is somewhat limited.  Just remember that the following 
examples are to get your feet wet; if you want more then I'd suggest 
reading up on the subject.  In this example, we will be using the 
<uri link="http://luxik.cdi.cz/~devik/qos/htb/">Hierarchical Token Buckets (HTB)</uri> 
packet scheduling algorithm.  Still with me?  Great, let's start shaping :).
</p>

<pre caption="Setup">
DEV=eth1 <comment>NIC connected to WAN</comment>
RATE_OUT=100 <comment>Available outbound bandwidth (in kilobits [kb])</comment>
RATE_IN=1400 <comment>Available inbound bandwidth (in kb)</comment>

<comment>Here we initialize the priority system.  The 45 is used to set the default classification level.</comment>
ip link set dev ${DEV} qlen 30
tc qdisc add dev ${DEV} root handle 1: htb default 45
tc class add dev ${DEV} parent 1: classid 1:1 htb rate ${RATE_OUT}kbit
</pre>

<p>
Here we initialized the system which will be used to prioritize all of 
our network traffic.  We created our queue, told it to use the HTB 
algorithm, and set the default classification level to '45'.  The 
default is completely arbitrary, as are the levels we choose from 
here on out.  The only thing that matters is how the levels compare 
relatively; a level '10' packet will be given preference over a 
level '45' packet.  Let's move on to declaring different levels.
</p>

<pre caption="Declaring levels">
tc class add dev $DEV parent 1:1 classid 1:10 htb rate $rkbit ceil $tkbit prio $p
tc qdisc add dev $DEV parent 1:10 handle 10: sfq
</pre>
</body>
</section>
-->

<section>
<title>Time Server</title>
<body>
<p>
Keeping your system time correct is essential in maintaing a healthy 
system.  One of the most common ways of accomplishing this is with 
the Network Time Protocol [NTP] and the ntp package (which provides 
implementations for both server and client).
</p>

<p>
Many people run ntp clients on their computers.  Obviously, the more 
clients in the world, the larger the load the ntp servers need to 
shoulder.  In environments like home networks though, we can help 
keep the load down on public servers while still providing the proper 
time to all our computers.  As an added bonus, our private updates 
will be a lot faster for the clients too!  All we have to do is run 
a ntp server on our router that synchronizes itself with the public 
internet servers while providing the time to the rest of the computers 
in the network.  To get started, simply <c>emerge ntp</c> on the 
router.
</p>

<pre caption="Setting up the NTP server">
# <i>nano /etc/conf.d/ntp-client</i>
<comment>Customize if you wish but the defaults should be fine</comment>
# <i>rc-update add ntp-client default</i>

# <i>nano /etc/ntp.conf</i>
<comment>Add the follwing lines:
restrict default ignore
restrict 192.168.0.0 mask 255.255.255.0 notrust nomodify notrap
These will allow only ntp clients with an IP address in the 192.168.0.xxx range to use your ntp server</comment>
# <i>nano /etc/conf.d/ntpd</i>
<comment>Customize if you wish but the defaults should be fine</comment>

# <i>/etc/init.d/ntp-client start</i>
# <i>/etc/init.d/ntpd start</i>
</pre>

<p>
Now, on your clients, have them <c>emerge ntp</c> also.  However, 
we will just run the ntp client so setup is a lot simpler.
</p>

<pre caption="Setting up a NTP client">
# <i>nano /etc/conf.d/ntp-client</i>
<comment>Change the 'pool.ntp.org' server in the NTPCLIENT_OPTS variable to '192.168.0.1'</comment>
# <i>rc-update add ntp-client default</i>
# <i>/etc/init.d/ntp-client start</i>
</pre>
</body>
</section>

<section>
<title>Mail Server</title>
<body>
<p>
Sometimes it's nice to run your own Simple Mail Transfer Protocol (SMTP) 
server on the router.  You may have your own reason for wanting to do so, 
but I run it so that the users see mail as being sent instantly and the 
work of retrying/routing is left up to the mail server.  Some ISPs also 
don't allow for mail relaying for accounts that aren't part of their 
network (like Verizon).  Also, you can easily throttle the delivery of 
mail so that large attachments won't seriously lag your connection for 
half an hour.
</p>

<pre caption="Setting up SMTP">
# <i>emerge qmail</i>
<comment>make sure the output of `hostname` is correct</comment>
# <i>ebuild /var/db/pkg/*-*/qmail-1.03-r*/*.ebuild config</i>
# <i>iptables -I INPUT -p tcp --dport smtp -i ! eth1 -j REJECT</i>
# <i>ln -s /var/qmail/supervise/qmail-send /service/qmail-send</i>
# <i>ln -s /var/qmail/supervise/qmail-smtp /service/qmail-smtp</i>
# <i>cd /etc/tcprules.d</i>
# <i>nano tcp.qmail-smtp</i>
<comment>Add an entry like so to the allow section:
192.168.0.:allow,RELAYCLIENT=""</comment>
# <i>tcprules tcp.qmail-qmtp.cdb rules.tmp &lt; tcp.qmail-smtp</i>
# <i>rc-update add svscan default</i>
# <i>/etc/init.d/svscan start</i>
</pre>

<p>
I'm a huge fan of qmail, but you're free to use a different mta :).  
When you setup e-mail on the hosts in your network, tell them that 
their SMTP server is 192.168.0.1 and everything should be peachy.  
You might want to visit the <uri link="http://qmail.org/">qmail 
homepage</uri> for more documentation.
</p>
</body>
</section>

<!--
<section>
<title>E-mail Virus Scanning</title>
<body>
<p>
If you'd like to provide e-mail virus scanning for your users, but 
don't want to have to install a virus scanner on every single machine, 
then <c>pop3vscan</c> may just be the thing for you; a transparent 
Post Office Protocol (POP) scanner.
</p>

<pre caption="Setting up pop3vscan">
TODO
</pre>

</body>
</section>
-->

</chapter>

<chapter>
<title>Final Notes</title>
<section>
<body>
<p>
I have no final notes other than if you experience any troubles with the guide, 
please contact <mail link="vapier@gentoo.org">me</mail> or file a bug with 
<uri link="http://bugs.gentoo.org/">Gentoo's Bugtracking Website</uri>.  If 
you have some interesting bits you think would enhance this guide, by all means 
send it my way for inclusion.
</p>
</body>
</section>
</chapter>
</guide>