<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/home-router-howto.xml,v 1.43 2006/03/29 01:30:31 vapier Exp $ -->

<guide link="/doc/en/home-router-howto.xml" lang="en">
<title>Home Router Guide</title>

<author title="Author">
<mail link="vapier@gentoo.org">Mike Frysinger</mail>
</author>

<abstract>
This document details how to turn an old Gentoo machine into a router
for connecting your home network to the internet.
</abstract>

<!-- The content of this document is released into the public domain -->
<license/>

<version>1.27</version>
<date>2006-04-09</date>

<chapter>
<title>Introduction</title>
<section>
<body>

<p>
Building your own router out of old spare parts has many advantages over buying
a pre-made canned router from, say, Linksys. The biggest one by far is control
over the connection. The other advantages are left up to your imagination;
just about anything can be done in this scenario, it's just a matter of needing
it.
</p>

<p>
This guide will show you how to set up Network Address Translation (NAT) on the
router (kernel and iptables), add and configure common services (Domain Name
System (DNS) via dnsmasq, DHCP via dhcpcd, ADSL via rp-pppoe), and conclude
with more elaborate and fun things that can be done (port forwarding, traffic
shaping, proxies/caching, etc.).
</p>

<p>
Before getting started, there are a few basic requirements you must meet. First,
you'll need a computer that has at least 2 Network Interface Cards (NICs) in
it. Next, you'll need the configuration settings for your internet connection
(this may include things like IP/DNS/gateway/username/password). Finally, you'll
need a bit of spare time and some Gentoo loving.
</p>

<p>
The conventions used in this guide are:
</p>

<ul>
<li>eth0 - NIC connected to the Local Area Network (LAN)</li>
<li>eth1 - NIC connected to the Wide Area Network (WAN)</li>
<li>LAN utilizes the private 192.168.0.xxx network</li>
<li>router is hardcoded to the standard 192.168.0.1 IP</li>
<li>router is running Linux 2.4 or 2.6; you're on your own with 2.0/2.2</li>
</ul>

<impo>
As a security precaution, I would highly suggest you shut down any unneeded
services on the router until we have a chance to get the firewall up and
rolling. To view the currently running services, just run <c>rc-status</c>.
</impo>

</body>
</section>
</chapter>

<chapter>
<title>Kernel setup (know thyself first)</title>
<section>
<body>

<p>
Your kernel needs to have the drivers running for both your NICs. To see if
your cards are already set up, just run <c>ifconfig</c>. Your output may differ
slightly from the following; that's fine. What matters is that the interface
shows up at all.
</p>

<pre caption="Checking NICs">
# <i>ifconfig -a</i>
eth0      Link encap:Ethernet  HWaddr 00:60:F5:07:07:B8
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:11 Base address:0x9800

eth1      Link encap:Ethernet  HWaddr 00:60:F5:07:07:B9
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:10 Base address:0x9400
</pre>

<p>
If you do not see your two cards showing up and you're not sure what kind of
cards you have, try running <c>lspci | grep Ethernet</c>. You can get that from
<c>emerge pciutils</c>. Once you have this information, go into your kernel and
add support for the correct drivers.
</p>

<p>
The next thing you'll need is support for iptables and NAT (and packet shaping
if you want). The following list is split up into always required (*),
required only for ADSL via PPPoE (a), suggested for everyone (x), and only
for shaper (s) features. It does not matter whether you build the features
into the kernel or as a module so long as the correct module(s) are loaded
when the feature is needed (module loading is left to the reader as a fun
exercise, however).
</p>

<pre caption="Network Options">
Networking options --->
  [*] TCP/IP networking
  [*]   IP: advanced router
  [*] Network packet filtering (replaces ipchains)
  <comment>If you use 2.4.x, you have to enable the following for DHCP:</comment>
  [*] Socket Filtering

  IP: Netfilter Configuration --->
    [*] Connection tracking (required for masq/NAT)
    [x]   FTP protocol support
    [x]   IRC protocol support
    [*] IP tables support (required for filtering/masq/NAT)
    [*]   IP range match support
    [x]   MAC address match support
    [*]   Multiple port match support
    [*]   Packet filtering
    [*]     REJECT target support
    [x]   REDIRECT target support
    [*]   Full NAT
    [*]     MASQUERADE target support
    [s]   Packet mangling
    [s]     MARK target support
    [x]   LOG target support

  QoS and/or fair queueing --->
    [s] QoS and/or fair queueing
    [s]   HTB packet scheduler
    [s]   Ingress Qdisc

[a] PPP (point-to-point protocol) support
[a]   PPP filtering
[a]   PPP support for async serial ports
[a]   PPP support for sync tty ports
[a]   PPP Deflate compression
[a]   PPP BSD-Compress compression
[a]   PPP over Ethernet
</pre>

<note>
Some things may be slightly different in a 2.4 vs 2.6 kernel, but you should be
able to figure it out :).
</note>
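
<p>
A quick way to confirm that the always-required (*) entries actually made it
into the kernel is to check the build configuration rather than trusting the
menu. The following script is an added example and not part of the original
guide. The CONFIG_ symbol names it uses are the 2.4/2.6-era names for the menu
entries above and are an assumption to verify against your own kernel tree
(later kernels renamed the netfilter ones), and the .config fragment it tests
against is constructed for the self-test.
</p>

```shell
# Added example (not from the original guide): report which of the features
# marked always required (*) above are missing from a kernel .config read on
# stdin. The CONFIG_ symbol names are the ones 2.4/2.6-era kernels used for
# those menu entries; later kernels renamed the netfilter ones (for example
# CONFIG_IP_NF_CONNTRACK became CONFIG_NF_CONNTRACK), so check them against
# your own tree before relying on the list.

# Always required (*) entries from the "Network Options" listing, as assumed
# CONFIG_ names.
REQUIRED_OPTS="CONFIG_INET CONFIG_IP_ADVANCED_ROUTER CONFIG_NETFILTER
CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_MATCH_IPRANGE
CONFIG_IP_NF_MATCH_MULTIPORT CONFIG_IP_NF_FILTER CONFIG_IP_NF_TARGET_REJECT
CONFIG_IP_NF_NAT CONFIG_IP_NF_TARGET_MASQUERADE"

# missing_kernel_opts: read a .config on stdin and print every required
# symbol that is neither built in (=y) nor a module (=m), one per line.
# Returns 0 when nothing is missing, 1 otherwise.
missing_kernel_opts() {
    config=$(cat)
    missing=0
    for opt in $REQUIRED_OPTS; do
        if ! printf '%s\n' "$config" | grep -q "^${opt}=[ym]$"; then
            echo "$opt"
            missing=1
        fi
    done
    return $missing
}

# Constructed .config fragment for a self-test (not taken from any real
# kernel): NAT and MASQUERADE are deliberately absent and must be reported.
SAMPLE_CONFIG='CONFIG_INET=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
# CONFIG_IP_NF_NAT is not set'

# check_sample: run the check over the constructed fragment.
check_sample() {
    printf '%s\n' "$SAMPLE_CONFIG" | missing_kernel_opts
}

# On the router itself, feed the real configuration in instead, e.g.
#   zcat /proc/config.gz | missing_kernel_opts
#   cat /usr/src/linux/.config | missing_kernel_opts
```

<p>
The check only tells you the feature was built; as the text above says, a
feature built as a module still has to be loaded before the rules that need it
are run.
</p>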

</body>
</section>
</chapter>

<chapter>
<title>Hug the WAN (a.k.a. The Internet)</title>

<section>
<title>Intro</title>
<body>

<p>
There are many ways to connect to the internet, so I'll just cover the ones I'm
familiar with. That leaves us with ADSL (PPPoE) and cable modems
(static/dynamic). If there are other methods out there, feel free to write up
a little blurb and e-mail me. Feel free to skip any of the following sections
in this chapter that don't apply to you. This chapter is just about getting
the router connected to the internet via eth1.
</p>

</body>
</section>
<section>
<title>ADSL and PPPoE</title>
<body>

<p>
All the fancy PPPoE software has been bundled up into one nice little package
nowadays called <uri link="http://www.roaringpenguin.com/">Roaring
Penguin</uri>. Simply <c>emerge rp-pppoe</c> and you'll be on your way.
Remember how I said you'll need username/password information? Well, I wasn't
lying, so I hope you have it now! Load up <path>/etc/ppp/pppoe.conf</path> in
your favorite editor and set it up.
</p>

<note>
In order for the following net settings to work, you must have
baselayout-1.11.14 or later installed on your system.
</note>

<pre caption="Setting up eth1">
<comment>(Replace 'vla9h924' with your username and 'password' with your password)</comment>

# <i>nano /etc/ppp/pap-secrets</i>
<comment># client server secret</comment>
"vla9h924" * "password"
# <i>nano /etc/conf.d/net</i>
<comment>Tell baselayout to use adsl for your eth1:</comment>
config_eth1=( "adsl" )
user_eth1=( "vla9h924" )
# <i>ln -s net.lo /etc/init.d/net.eth1</i>
# <i>rc-update add net.eth1 default</i>
# <i>/etc/init.d/net.eth1 start</i>
</pre>

<warn>
When the DSL interface comes up, it will create ppp0. Although your NIC is
called eth1, the IP is actually bound to ppp0. From now on, when you see
examples that utilize 'eth1', substitute 'ppp0'.
</warn>

</body>
</section>

<section>
<title>Cable and/or dynamic/static IP</title>
<body>

<p>
If you have a static IP then you will need a few more details than if
you have a dynamic IP. For static users, you will need your IP,
gateway, and DNS servers.
</p>

<pre caption="Setting up eth1">
<comment>Dynamic IP Users:</comment>
# <i>emerge dhcpcd</i>
# <i>nano /etc/conf.d/net</i>
<comment>You'll need an entry like so:</comment>
config_eth1=( "dhcp" )

<comment>Static IP Users:</comment>
# <i>nano /etc/conf.d/net</i>
<comment>You'll need entries like so:</comment>
config_eth1=( "66.92.78.102 broadcast 66.92.78.255 netmask 255.255.255.0" )
routes_eth1=( "default gw 66.92.78.1" )
# <i>nano /etc/resolv.conf</i>
<comment>Add one line per DNS server:</comment>
nameserver 123.123.123.123

<comment>Dynamic and Static Setup:</comment>
# <i>ln -s net.lo /etc/init.d/net.eth1</i>
# <i>rc-update add net.eth1 default</i>
# <i>/etc/init.d/net.eth1 start</i>
</pre>

<p>
You should be all set to go now.
</p>

</body>
</section>
</chapter>

<chapter>
<title>Hug the LAN (bring along some friends)</title>
<section>
<body>

<p>
This step is a breeze compared to the previous one.
</p>

<pre caption="Setting up eth0">
# <i>nano /etc/conf.d/net</i>
<comment>Add a line like the following:</comment>
config_eth0=( "192.168.0.1 broadcast 192.168.0.255 netmask 255.255.255.0" )
# <i>rc-update add net.eth0 default</i>
# <i>/etc/init.d/net.eth0 start</i>
</pre>

</body>
</section>
</chapter>

<chapter>
<title>LAN Services (because we're nice people)</title>

<section>
<title>DHCP Server</title>
<body>

<p>
I bet it'd be nice if everyone else in your house could just plug their
computers into the network and things would just work. No need to remember
mind-numbing details or make them stare at confusing configuration screens!
Life would be grand, eh? Introducing the Dynamic Host Configuration Protocol
(DHCP) and why you should care.
</p>

<p>
DHCP is exactly what its name implies. It's a protocol that allows you
to dynamically configure other hosts automatically. You run a DHCP server on
the router, give it all the information about your network (valid IPs,
DNS servers, gateways, etc.), and then when the other hosts start up, they
run a DHCP client to automatically configure themselves. No fuss, no muss!
For more information about DHCP, you can always visit <uri
link="http://en.wikipedia.org/wiki/DHCP">Wikipedia</uri>.
</p>

<p>
We'll use a package called dnsmasq which provides both DHCP and DNS services.
For now let's just focus on the DHCP aspect. Note that if you want to run a
different DHCP server, you can find another example in the Fun Things chapter.
Also, if you wish to tinker with the DHCP server settings, just read the
comments in <path>/etc/dnsmasq.conf</path>. All the defaults should work fine
though.
</p>

<pre caption="Setting up a DHCP server">
# <i>emerge dnsmasq</i>
# <i>nano /etc/dnsmasq.conf</i>
<comment>Add this line to enable dhcp:</comment>
dhcp-range=192.168.0.100,192.168.0.250,72h
<comment>Restrict dnsmasq to just the LAN interface</comment>
interface=eth0

# <i>rc-update add dnsmasq default</i>
# <i>/etc/init.d/dnsmasq start</i>
</pre>

<p>
Now your little router is a bona fide DHCP server! Plug in those computers and
watch them work! With Windows systems you should go into the TCP/IP Properties
and select the 'Obtain an IP address automatically' and 'Obtain DNS server
address automatically' options. Sometimes the changes aren't instantaneous, so
you may have to open a command prompt and run <c>ipconfig /release</c> and
<c>ipconfig /renew</c>. But enough about Windows, let's get back to our
favorite penguin.
</p>
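
<p>
Because dnsmasq answers both DNS and DHCP, the <c>interface=eth0</c> line is
what keeps the router from serving (and being probed) on the WAN side, and the
<c>dhcp-range</c> line decides which addresses it hands out. The script below
is an added example and is not part of the guide or of dnsmasq: it reads a
dnsmasq.conf on stdin and checks those two settings against the guide's
conventions. LAN_IF=eth0 and LAN_PREFIX=192.168.0 are assumptions taken from
those conventions, and the sample configurations it tests against are
constructed.
</p>

```shell
# Added example (not from the original guide): a sanity check for the two
# dnsmasq.conf settings above, read from stdin. It confirms that dnsmasq is
# pinned to the LAN interface, so the router does not answer DNS queries or
# hand out leases on the WAN side, and that the DHCP pool lies inside the
# 192.168.0.x LAN without overlapping the router's own 192.168.0.1.
# LAN_IF and LAN_PREFIX follow the guide's conventions and are assumptions.

LAN_IF=${LAN_IF:-eth0}
LAN_PREFIX=${LAN_PREFIX:-192.168.0}

# check_dnsmasq_conf: read dnsmasq.conf on stdin, print one "ok:" or "bad:"
# line per check, and return 1 if any check failed.
check_dnsmasq_conf() {
    # Drop comment and blank lines so commented-out settings do not count.
    conf=$(grep -v '^[[:space:]]*#' | grep . || true)
    status=0

    if printf '%s\n' "$conf" | grep -q "^interface=${LAN_IF}$"; then
        echo "ok: listening only on $LAN_IF"
    else
        echo "bad: no interface=$LAN_IF line, dnsmasq would listen on every interface including the WAN"
        status=1
    fi

    # dhcp-range=START,END,LEASE (first such line only)
    range=$(printf '%s\n' "$conf" | sed -n 's/^dhcp-range=//p' | head -n 1)
    if [ -z "$range" ]; then
        echo "bad: no dhcp-range line, DHCP is not enabled"
        return 1
    fi
    oldifs=$IFS; IFS=,; set -- $range; IFS=$oldifs
    start=$1; end=$2; lease=$3

    case "$start:$end" in
        "$LAN_PREFIX".*:"$LAN_PREFIX".*) echo "ok: pool $start-$end is inside $LAN_PREFIX.0/24" ;;
        *) echo "bad: pool $start-$end is not inside $LAN_PREFIX.0/24"; status=1 ;;
    esac

    # Last octet of each boundary: must be a usable host, above the router.
    first=${start##*.}; last=${end##*.}
    case $first in ''|*[!0-9]*) echo "bad: cannot parse pool start '$start'"; return 1 ;; esac
    case $last  in ''|*[!0-9]*) echo "bad: cannot parse pool end '$end'"; return 1 ;; esac
    if [ "$first" -lt 2 ]; then
        echo "bad: pool starts at $start and would overlap the router's $LAN_PREFIX.1"
        status=1
    elif [ "$last" -gt 254 ]; then
        echo "bad: pool ends at $end, past the last usable host $LAN_PREFIX.254"
        status=1
    elif [ "$first" -gt "$last" ]; then
        echo "bad: pool start $start is above its end $end"
        status=1
    else
        echo "ok: pool boundaries .$first-.$last are usable host addresses"
    fi

    if [ -n "$lease" ]; then
        echo "ok: lease time $lease"
    else
        echo "bad: no lease time given (the guide uses 72h)"
        status=1
    fi
    return $status
}

# Constructed sample configurations (not real files) for a self-test.
SAMPLE_GOOD='# dnsmasq.conf as set up above
dhcp-range=192.168.0.100,192.168.0.250,72h
interface=eth0'
SAMPLE_BAD='dhcp-range=192.168.0.1,10.0.0.50
#interface=eth0'

check_sample_good() { printf '%s\n' "$SAMPLE_GOOD" | check_dnsmasq_conf; }
check_sample_bad()  { printf '%s\n' "$SAMPLE_BAD"  | check_dnsmasq_conf; }

# On the router:  cat /etc/dnsmasq.conf | check_dnsmasq_conf
```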

</body>
</section>

<section>
<title>DNS Server</title>
<body>

<p>
When people want to visit a place on the internet, they remember names, not a
string of funky numbers. After all, what's easier to remember, ebay.com or
66.135.192.87? This is where DNS steps in. DNS servers run all over the
internet, and whenever someone wants to visit 'ebay.com', these servers turn
'ebay.com' (what we understand) into '66.135.192.87' (what our computers
understand). For more information about DNS, you can always visit <uri
link="http://en.wikipedia.org/wiki/DNS">Wikipedia</uri>.
</p>

<p>
Since we're using dnsmasq for our DHCP server, and it includes a DNS server,
you've got nothing left to do here! Your little router is already providing
DNS to its DHCP clients. Bet you wish everything was this easy ;).
</p>

<p>
You're welcome to choose other DNS servers if you're more comfortable with
them, but the reason dnsmasq is great is that it was designed to do exactly
what we want and nothing more. It's a little DNS caching/forwarding server for
local networks. We're not looking to provide DNS for our own domain here, just
to offer simple DNS services to everyone else on our LAN.
</p>

</body>
</section>

<section>
<title>NAT (a.k.a. IP-masquerading)</title>
<body>

<p>
At this point, people on your network can talk to each other and they can look
up hostnames via DNS, but they still can't actually connect to the internet.
While you may think that's great (more bandwidth for you!), I bet they're not
too happy just yet.
</p>

<p>
This is where Network Address Translation (NAT) steps in. NAT is a way of
connecting multiple computers in a private LAN to the internet when you have a
smaller number of public IP addresses available to you. Typically you are given
1 IP by your ISP, but you want to let your whole house connect to the internet.
NAT is the magic that makes this possible. For more information about NAT, you
can always visit <uri link="http://en.wikipedia.org/wiki/NAT">Wikipedia</uri>.
</p>

<note>
Before we get started, make sure you have iptables on your system. Although it
is automatically installed on most systems, you may not have it. If you don't,
just run <c>emerge iptables</c>.
</note>

<pre caption="Setting up iptables">
<comment>First we flush our current rules</comment>
# <i>iptables -F</i>
# <i>iptables -t nat -F</i>

<comment>Setup default policies to handle unmatched traffic</comment>
# <i>iptables -P INPUT ACCEPT</i>
# <i>iptables -P OUTPUT ACCEPT</i>
# <i>iptables -P FORWARD DROP</i>

<comment>Copy and paste these examples ...</comment>
# <i>export LAN=eth0</i>
# <i>export WAN=eth1</i>

<comment>Then we lock our services so they only work from the LAN</comment>
# <i>iptables -I INPUT 1 -i ${LAN} -j ACCEPT</i>
# <i>iptables -I INPUT 1 -i lo -j ACCEPT</i>
# <i>iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT</i>
# <i>iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT</i>

<comment>(Optional) Allow access to our ssh server from the WAN</comment>
# <i>iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT</i>

<comment>Drop TCP / UDP packets to privileged ports</comment>
# <i>iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP</i>
# <i>iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP</i>

<comment>Finally we add the rules for NAT</comment>
# <i>iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP</i>
# <i>iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT</i>
# <i>iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT</i>
# <i>iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE</i>
<comment>Tell the kernel that ip forwarding is OK</comment>
# <i>echo 1 > /proc/sys/net/ipv4/ip_forward</i>
# <i>for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done</i>

<comment>This is so when we boot we don't have to run the rules by hand</comment>
# <i>/etc/init.d/iptables save</i>
# <i>rc-update add iptables default</i>
# <i>nano /etc/sysctl.conf</i>
<comment>Add/Uncomment the following lines:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1</comment>
</pre>

<p>
Once you've typed out all of that, the rest of your network should now be able
to use the internet as if they were directly connected themselves.
</p>
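
<p>
Two properties of the ruleset above are worth knowing before you rely on it.
The INPUT policy is ACCEPT, so only ports 0-1023 are actually closed toward
the WAN; anything the router listens on above that remains reachable from the
internet. And FORWARD accepts any packet arriving on the WAN whose destination
is in 192.168.0.0/16, rather than only replies to connections the LAN opened.
The script below is an added example, not part of the guide: it prints a
stateful variant of the same ruleset, built on the connection-tracking support
already required in the kernel chapter, so the rules can be reviewed before
being applied. Interface names and the LAN network are passed in following the
guide's conventions.
</p>

```shell
# Added example (not from the original guide): print a stateful variant of
# the ruleset above, so it can be reviewed before being run. Three things
# differ from the guide's rules: INPUT defaults to DROP instead of ACCEPT,
# so ports above 1023 on the router are no longer reachable from the WAN by
# default; replies to connections the router or the LAN opened are admitted
# with the connection-tracking state match, which the "Connection tracking"
# kernel option already required above provides; and FORWARD no longer
# accepts every WAN packet addressed to 192.168.0.0/16, only tracked
# replies. Interface names and the LAN network are the guide's conventions,
# passed in as arguments.

# gen_firewall LAN_IF WAN_IF LAN_NET [ssh]
#   LAN_NET is the LAN in CIDR form, e.g. 192.168.0.0/24. Give "ssh" as the
#   fourth argument to expose the router's ssh server on the WAN, as the
#   guide's optional rule does.
gen_firewall() {
    lan=$1; wan=$2; net=$3; allow_ssh=${4:-no}
    # Start from a clean slate, exactly as the guide does.
    echo "iptables -F"
    echo "iptables -t nat -F"
    # Default policies: unsolicited traffic to or through the router is dropped.
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -P FORWARD DROP"
    # Loopback and the LAN side are trusted, as in the guide. With the DROP
    # policy this also keeps the DHCP (bootps) and DNS (domain) services
    # LAN-only, so the guide's explicit REJECT rules are no longer needed.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -i $lan -j ACCEPT"
    # Replies to connections the router itself opened (DNS forwarding, NTP,
    # emerge sync, ...) are admitted through connection tracking.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # The one optional service exposed on the WAN.
    if [ "$allow_ssh" = ssh ]; then
        echo "iptables -A INPUT -i $wan -p tcp --dport 22 -j ACCEPT"
    fi
    # Forwarding: LAN hosts may go out; only replies to connections they
    # opened may come back in. A DNAT port forward therefore also needs its
    # own FORWARD accept for the internal destination and port.
    echo "iptables -A FORWARD -i $lan -s $net -j ACCEPT"
    echo "iptables -A FORWARD -i $wan -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Hide the LAN behind the router's WAN address.
    echo "iptables -t nat -A POSTROUTING -o $wan -s $net -j MASQUERADE"
}

# rule_count: number of iptables commands gen_firewall would emit.
rule_count() {
    gen_firewall "$@" | grep -c '^iptables '
}

# apply_firewall: same arguments; installs the rules on the router. Run as
# root only after reviewing gen_firewall's output. The guide's ip_forward and
# rp_filter sysctl settings still have to be applied as shown above.
apply_firewall() {
    gen_firewall "$@" | sh -e
}

# Example (prints the rules, changes nothing):
#   gen_firewall eth0 eth1 192.168.0.0/24 ssh
```

<p>
The generated rules use <c>-m state</c>, which is what 2.4/2.6-era iptables
provided and which current releases still accept. Note also that the
<c>-i ! ${LAN}</c> spelling used in the guide's rules is the old iptables form;
newer releases warn that it is deprecated and expect the negation first,
<c>! -i ${LAN}</c>.
</p>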

</body>
</section>
</chapter>

<chapter>
<title>Fun Things (for a rainy day)</title>

<section>
<title>Intro</title>
<body>

<p>
Believe it or not, you're done :). From here on out, I'll cover a bunch of
common topics that may interest you. Everything in this chapter is completely
optional.
</p>

</body>
</section>

<section>
<title>Port Forwarding</title>
<body>

<p>
Sometimes you would like to be able to host services on a computer behind the
router, or just to make your life easier when connecting remotely. Perhaps you
want to run an FTP, HTTP, SSH, or VNC server on one or more machines behind your
router and be able to connect to them all. The only caveat is that you can
only have one service/machine combo per port. For example, there is no
practical way to set up three FTP servers behind your router and then try to
connect to them all through port 21; only one can be on port 21 while the
others would have to be on, say, port 123 and port 567.
</p>

<p>
All the port forwarding rules are of the form <c>iptables -t nat -A PREROUTING
[-p protocol] --dport [external port on router] -i ${WAN} -j DNAT --to [ip/port
to forward to]</c>. Unfortunately, iptables does not accept hostnames when port
forwarding. If you are forwarding an external port to the same port on the
internal machine, you can omit the destination port. See the iptables(8) man
page for more information.
</p>

<pre caption="Running the iptables commands">
<comment>Copy and paste these examples ...</comment>
# <i>export LAN=eth0</i>
# <i>export WAN=eth1</i>

<comment>Forward port 2 to ssh on an internal host</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 2 -i ${WAN} -j DNAT --to 192.168.0.2:22</i>

<comment>FTP forwarding to an internal host</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 21 -i ${WAN} -j DNAT --to 192.168.0.56</i>

<comment>HTTP forwarding to an internal host</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to 192.168.0.56</i>

<comment>VNC forwarding for internal hosts</comment>
# <i>iptables -t nat -I PREROUTING -p tcp --dport 5900 -i ${WAN} -j DNAT --to 192.168.0.2</i>
# <i>iptables -t nat -I PREROUTING -p tcp --dport 5901 -i ${WAN} -j DNAT --to 192.168.0.3:5900</i>
<comment>If you want to VNC in to 192.168.0.3, then just add ':1' to the router's hostname</comment>

<comment>Bittorrent forwarding</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 6881:6889 -i ${WAN} -j DNAT --to 192.168.0.2</i>

<comment>eDonkey/eMule forwarding</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 4662 -i ${WAN} -j DNAT --to 192.168.0.55</i>

<comment>Game Cube Warp Pipe support</comment>
# <i>iptables -t nat -A PREROUTING -p udp --dport 4000 -i ${WAN} -j DNAT --to 192.168.0.56</i>

<comment>Playstation 2 Online support</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 10070:10080 -i ${WAN} -j DNAT --to 192.168.0.11</i>
# <i>iptables -t nat -A PREROUTING -p udp --dport 10070:10080 -i ${WAN} -j DNAT --to 192.168.0.11</i>

<comment>Xbox Live</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 3074 -i ${WAN} -j DNAT --to 192.168.0.69</i>
# <i>iptables -t nat -A PREROUTING -p udp --dport 3074 -i ${WAN} -j DNAT --to 192.168.0.69</i>
# <i>iptables -t nat -A PREROUTING -p udp --dport 88 -i ${WAN} -j DNAT --to 192.168.0.69</i>
</pre>
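
<p>
A port forward typed by hand is easy to get subtly wrong: a hostname instead of
an address, a port outside 1-65535, or a range mapped onto another range. The
shell functions below are an added example and not part of the guide. They
validate the inputs and print a DNAT rule of the same form as the ones above,
together with the FORWARD accept that a FORWARD chain admitting only tracked
replies from the WAN would additionally need. <c>WAN</c> defaults to the
guide's eth1 (use ppp0 for PPPoE), and the addresses in the comments are the
guide's sample LAN hosts.
</p>

```shell
# Added example (not from the original guide): build the DNAT rule for one
# port forward in the same form as the rules above, plus the FORWARD accept
# that a stricter FORWARD chain needs for it, after validating the inputs.
# Hostnames are rejected up front since, as noted above, iptables will not
# resolve them for DNAT. WAN defaults to the guide's eth1 (ppp0 for PPPoE).

WAN=${WAN:-eth1}

# is_ipv4 ADDR: true if ADDR is a dotted quad with every octet in 0..255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_port P: true for a single port 1..65535 or an ascending range LOW:HIGH.
is_port() {
    case $1 in
        *:*) low=${1%%:*}; high=${1#*:} ;;
        *)   low=$1; high=$1 ;;
    esac
    case $low  in ''|*[!0-9]*) return 1 ;; esac
    case $high in ''|*[!0-9]*) return 1 ;; esac
    [ "$low" -ge 1 ] || return 1
    [ "$high" -le 65535 ] || return 1
    [ "$low" -le "$high" ]
}

# forward_rules PROTO EXT_PORT INT_IP [INT_PORT]
#   Prints the PREROUTING DNAT rule and a matching FORWARD accept, or prints
#   an "error:" line and returns 1. INT_PORT defaults to EXT_PORT, in which
#   case the port is omitted from --to, exactly as in the rules above.
forward_rules() {
    proto=$1; ext=$2; ip=$3; int=${4:-$2}
    case $proto in
        tcp|udp) ;;
        *) echo "error: protocol must be tcp or udp, not '$proto'"; return 1 ;;
    esac
    is_port "$ext" || { echo "error: bad external port '$ext'"; return 1; }
    is_ipv4 "$ip"  || { echo "error: '$ip' is not an IPv4 address (hostnames are not accepted)"; return 1; }
    is_port "$int" || { echo "error: bad internal port '$int'"; return 1; }
    if [ "$int" = "$ext" ]; then
        dest=$ip
    else
        # A different internal port only makes sense as a single port.
        case $int in
            *:*) echo "error: internal port must be a single port when it differs from the external one"; return 1 ;;
        esac
        dest=$ip:$int
    fi
    echo "iptables -t nat -A PREROUTING -p $proto --dport $ext -i $WAN -j DNAT --to $dest"
    # DNAT only rewrites the destination; the rewritten packet still passes
    # through FORWARD. The guide's broad "-i WAN -d 192.168.0.0/16 ACCEPT"
    # rule already lets it through, but if FORWARD only admits tracked
    # replies from the WAN, this explicit accept is what opens the forward.
    echo "iptables -A FORWARD -i $WAN -p $proto -d $ip --dport $int -j ACCEPT"
}

# Example (prints the two rules, changes nothing):
#   forward_rules tcp 2 192.168.0.2 22
```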
538 |
|
539 |
<note> |
540 |
If you have other common / cool examples, please <mail |
541 |
link="vapier@gentoo.org">e-mail me</mail>. |
542 |
</note> |
543 |
|
544 |
</body> |
545 |
</section> |
546 |
|
547 |
<section> |
548 |
<title>Identd (for IRC)</title> |
549 |
<body> |
550 |
|
551 |
<p> |
552 |
Internet Relay Chat utilizes the ident service pretty heavily. Now that the |
553 |
IRC clients are behind the router, we need a way to host ident for both the |
554 |
router and the clients. One such server has been created called |
555 |
<c>midentd</c>. |
556 |
</p> |
557 |
|
558 |
<pre caption="Setting up ident"> |
559 |
# <i>emerge midentd</i> |
560 |
# <i>rc-update add midentd default</i> |
561 |
# <i>/etc/init.d/midentd start</i> |
562 |
</pre> |
563 |
|
564 |
<p> |
565 |
There are a few other ident servers in portage. Depending on your needs, I |
566 |
would recommend checking out <c>oidentd</c> and <c>fakeidentd</c>. |
567 |
</p> |
568 |
|
569 |
</body> |
570 |
</section> |
571 |
|
572 |
<!-- |
573 |
<section> |
574 |
<title>Traffic Shaping</title> |
575 |
<body> |
576 |
<p> |
577 |
This is an attempt to simply and Gentooify the <uri link="http://www.tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/">ADSL Bandwidth Management HOWTO</uri> |
578 |
found over at the TLDP. Feel free to refer to the original document |
579 |
for more details. |
580 |
</p> |
581 |
|
582 |
<p> |
583 |
Here we will be setting up what some people refer to as a "Packet Shaper", |
584 |
<uri link="http://en.wikipedia.org/wiki/Traffic_shaping">"Traffic Shaping"</uri>, |
585 |
or <uri link="http://en.wikipedia.org/wiki/QoS">"Quality of Service"</uri>. |
586 |
Simply put, we want to setup rules on our router that will slow down |
587 |
certain activities (like sending large e-mails or downloading from P2P |
588 |
networks) while keeping other activities (like browsing the web or playing |
589 |
online video games) reasonably fast. A 30 second difference in a video |
590 |
game is a lot worse than a 30 second difference in downloading large |
591 |
files :). |
592 |
</p> |
593 |
|
594 |
<p> |
595 |
The first thing is to make sure your kernel has all the features added to |
596 |
it. See the chapter on <uri link="#doc_chap2">Kernel setup</uri> for more |
597 |
information. Next, you will need to <c>emerge iptables iputils</c> so that |
598 |
you will have access to the <c>iptables</c>, <c>ip</c>, and <c>tc</c> |
599 |
commands. |
600 |
</p> |
601 |
|
602 |
<p> |
603 |
Before we jump into the commands, let's cover a little of the theory. The |
604 |
way this whole system works is to classify common network streams and then |
605 |
to prioritize them. You use iptables to classify network streams, iputils |
606 |
to define the different priority levels, and the kernel to adjust speeds. |
607 |
Just remember that although you can control outbound traffic pretty tightly |
608 |
(from the LAN to the WAN), your ability to control inbound traffic (from |
609 |
the WAN to the LAN) is somewhat limited. Just remember that the following |
610 |
examples are to get your feet wet; if you want more then I'd suggest |
611 |
reading up on the subject. In this example, we will be using the |
612 |
<uri link="http://luxik.cdi.cz/~devik/qos/htb/">Hierarchical Token Buckets (HTB)</uri> |
613 |
packet scheduling algorithm. Still with me? Great, let's start shaping :). |
614 |
</p> |
615 |
|
616 |
<pre caption="Setup"> |
617 |
DEV=eth1 <comment>NIC connected to WAN</comment> |
618 |
RATE_OUT=100 <comment>Available outbound bandwidth (in kilobits [kb])</comment> |
619 |
RATE_IN=1400 <comment>Available inbound bandwidth (in kb)</comment> |
620 |
|
621 |
<comment>Here we initialize the priority system. The 45 is used to set the default classification level.</comment> |
622 |
ip link set dev ${DEV} qlen 30 |
623 |
tc qdisc add dev ${DEV} root handle 1: htb default 45 |
624 |
tc class add dev ${DEV} parent 1: classid 1:1 htb rate ${RATE_OUT}kbit |
625 |
</pre> |
626 |
|
627 |
<p> |
628 |
Here we initialized the system which will be used to prioritize all of |
629 |
our network traffic. We created our queue, told it to use the HTB |
630 |
algorithm, and set the default classification level to '45'. The |
631 |
default is completely arbitrary, as are the levels we choose from |
632 |
here on out. The only thing that matters is how the levels compare |
633 |
relatively; a level '10' packet will be given preference over a |
634 |
level '45' packet. Let's move on to declaring different levels. |
635 |
</p> |
636 |
|
637 |
<pre caption="Declaring levels"> |
638 |
tc class add dev $DEV parent 1:1 classid 1:10 htb rate $rkbit ceil $tkbit prio $p |
639 |
tc qdisc add dev $DEV parent 1:10 handle 10: sfq |
640 |
</pre> |
641 |
</body> |
642 |
</section> |
643 |
--> |
644 |
|
645 |
<section> |
646 |
<title>Time Server</title> |
647 |
<body> |
648 |
|
649 |
<p> |
650 |
Keeping your system time correct is essential in maintaining a healthy system. |
651 |
One of the most common ways of accomplishing this is with the Network Time |
652 |
Protocol (NTP) and the ntp package (which provides implementations for both |
653 |
server and client). |
654 |
</p> |
655 |
|
656 |
<p> |
657 |
Many people run ntp clients on their computers. Obviously, the more clients in |
658 |
the world, the larger the load the ntp servers need to shoulder. In |
659 |
environments like home networks though, we can help keep the load down on |
660 |
public servers while still providing the proper time to all our computers. As |
661 |
an added bonus, our private updates will be a lot faster for the clients too! |
662 |
All we have to do is run a ntp server on our router that synchronizes itself |
663 |
with the public internet servers while providing the time to the rest of the |
664 |
computers in the network. To get started, simply <c>emerge ntp</c> on the |
665 |
router. |
666 |
</p> |
667 |
|
668 |
<pre caption="Setting up the NTP server"> |
669 |
# <i>nano /etc/conf.d/ntp-client</i> |
670 |
<comment>Customize if you wish but the defaults should be fine</comment> |
671 |
# <i>rc-update add ntp-client default</i> |
672 |
|
673 |
# <i>nano /etc/ntp.conf</i> |
674 |
<comment>Add the follwing lines:</comment> |
675 |
restrict default ignore |
676 |
restrict 192.168.0.0 mask 255.255.255.0 notrust nomodify notrap |
677 |
<comment>These will allow only ntp clients with an IP |
678 |
address in the 192.168.0.xxx range to use your ntp server</comment> |
679 |
# <i>nano /etc/conf.d/ntpd</i> |
680 |
<comment>Customize if you wish but the defaults should be fine</comment> |
681 |
# <i>rc-update add ntpd default</i> |
682 |
|
683 |
# <i>/etc/init.d/ntp-client start</i> |
684 |
# <i>/etc/init.d/ntpd start</i> |
685 |
</pre> |
686 |
|
687 |
<note> |
688 |
You should make sure that you allow inbound and outbound communication on the |
689 |
ntp port (123/udp) when setting up the server. The client just needs outbound |
690 |
access on port 123 over udp. |
691 |
</note> |
692 |
|
693 |
<p> |
694 |
Now, on your clients, have them <c>emerge ntp</c> also. However, we will just |
695 |
run the ntp client so setup is a lot simpler. |
696 |
</p> |
697 |
|
698 |
<pre caption="Setting up a NTP client"> |
699 |
# <i>nano /etc/conf.d/ntp-client</i> |
700 |
<comment>Change the 'pool.ntp.org' server in the NTPCLIENT_OPTS variable to '192.168.0.1'</comment> |
701 |
# <i>rc-update add ntp-client default</i> |
702 |
# <i>/etc/init.d/ntp-client start</i> |
703 |
</pre> |
704 |
|
705 |
</body> |
706 |
</section> |
707 |
|
708 |
<section> |
709 |
<title>Rsync Server</title> |
710 |
<body> |
711 |
|
712 |
<p> |
713 |
For those who run multiple Gentoo boxes on the same lan, you often want to |
714 |
keep from having every machine running <c>emerge sync</c> with remote |
715 |
servers. By setting up a local rsync, you save on both your bandwidth and |
716 |
the Gentoo rsync servers' bandwidth. It's pretty simple to do. |
717 |
</p> |
718 |
<note> |
719 |
For a much more in-depth rsync guide, please see the official <uri |
720 |
link="/doc/en/rsync.xml#doc_chap4">rsync guide</uri> |
721 |
</note> |
722 |
|
723 |
<p> |
724 |
Since every Gentoo machine requires rsync, theres no need to emerge it. Edit |
725 |
the default <path>/etc/rsyncd.conf</path> config file, uncomment the |
726 |
<c>[gentoo-portage]</c> section, and make sure you add an <c>address</c> |
727 |
option. All the other defaults should be fine. |
728 |
</p> |
729 |
|
730 |
<pre caption="Rsync server config"> |
731 |
pid file = /var/run/rsyncd.pid |
732 |
use chroot = yes |
733 |
read only = yes |
734 |
address = 192.168.0.1 |
735 |
|
736 |
[gentoo-portage] |
737 |
path = /mnt/space/portage |
738 |
comment = Gentoo Linux Portage tree |
739 |
exclude = /distfiles /packages |
740 |
</pre> |
741 |
|
742 |
<p> |
743 |
Then you need to start the service (again, the defaults are OK). |
744 |
</p> |
745 |
|
746 |
<pre caption="Starting the rsync server"> |
747 |
# <i>/etc/init.d/rsyncd start</i> |
748 |
# <i>rc-update add rsyncd default</i> |
749 |
</pre> |
750 |
|
751 |
<p> |
752 |
Only thing left is to set tell your clients to sync against the router. |
753 |
</p> |
754 |
|
755 |
<pre caption="Client SYNC settings in make.conf"> |
756 |
SYNC="rsync://192.168.0.1/gentoo-portage" |
757 |
</pre> |
758 |
|
759 |
</body> |
760 |
</section> |
761 |
|
762 |
<section>
<title>Mail Server</title>
<body>

<p>
Sometimes it's nice to run your own Simple Mail Transfer Protocol (SMTP) server
on the router. You may have your own reasons for wanting to do so, but I run it
so that the users see mail as being sent instantly and the work of
retrying/routing is left up to the mail server. Some ISPs (like Verizon) also
don't allow mail relaying for accounts that aren't part of their network.
Also, you can easily throttle the delivery of mail so that large attachments
won't seriously lag your connection for half an hour.
</p>

<pre caption="Setting up SMTP">
# <i>emerge qmail</i>
<comment>make sure the output of `hostname` is correct</comment>
# <i>ebuild /var/db/pkg/*-*/qmail-1.03-r*/*.ebuild config</i>
# <i>iptables -I INPUT -p tcp --dport smtp -i ! ${LAN} -j REJECT</i>
# <i>ln -s /var/qmail/supervise/qmail-send /service/qmail-send</i>
# <i>ln -s /var/qmail/supervise/qmail-smtpd /service/qmail-smtpd</i>
<!--
# <i>cd /etc/tcprules.d</i>
# <i>nano tcp.qmail-smtp</i>
-->
# <i>cd /etc</i>
# <i>nano tcp.smtp</i>
<comment>Add an entry like so to the allow section:</comment>
192.168.0.:allow,RELAYCLIENT=""
<!--
# <i>tcprules tcp.qmail-qmtp.cdb rules.tmp &lt; tcp.qmail-smtp</i>
-->
# <i>tcprules tcp.smtp.cdb rules.tmp &lt; tcp.smtp</i>
# <i>rc-update add svscan default</i>
# <i>/etc/init.d/svscan start</i>
</pre>

<p>
I'm a huge fan of qmail, but you're free to use a different MTA :). When you
set up e-mail on the hosts in your network, tell them that their SMTP server is
192.168.0.1 and everything should be peachy. You might want to visit the <uri
link="http://qmail.org/">qmail homepage</uri> for more documentation.
</p>
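<p>
The <c>tcp.smtp</c> rule above is what keeps the router from becoming an open
relay: qmail-smtpd only relays for a client when <c>RELAYCLIENT</c> is set in
its environment, and the <c>192.168.0.</c> prefix rule sets it for LAN hosts
only. The added Python below (not part of the guide or of qmail) evaluates
tcprules-style entries the way tcpserver does, most specific address pattern
first, so you can see which clients would be granted relaying; the rule file it
uses is constructed, with a default <c>:allow</c> line for everyone else, and
hostname (<c>=</c>) rules are not handled.
</p>

```python
# Constructed /etc/tcp.smtp in the form the guide describes: hosts on the LAN
# (and the router itself) may relay, anyone else may only deliver locally.
TCP_SMTP = """\
192.168.0.:allow,RELAYCLIENT=""
127.:allow,RELAYCLIENT=""
:allow
"""

def parse_tcprules(text):
    """Parse tcprules(8) lines into (address_pattern, instruction, env) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pattern, _, rest = line.partition(":")
        fields = rest.split(",")
        env = {}
        for field in fields[1:]:          # VAR="value" assignments after the instruction
            name, _, value = field.partition("=")
            env[name] = value.strip('"')
        rules.append((pattern, fields[0], env))
    return rules

def _matches(pattern, ip):
    """Patterns: exact IP, 'a.b.c.lo-hi' range, 'a.b.c.' prefix, or '' for everyone."""
    if pattern == "":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    if "-" in pattern:
        head, _, span = pattern.rpartition(".")
        lo, _, hi = span.partition("-")
        ip_head, _, last = ip.rpartition(".")
        return ip_head == head and int(hi) >= int(last) >= int(lo)
    return pattern == ip

def lookup(rules, ip):
    """Longest pattern wins: tcpserver tries the exact address, then shorter prefixes, then ''."""
    for pattern, instruction, env in sorted(rules, key=lambda r: -len(r[0])):
        if _matches(pattern, ip):
            return instruction, env
    return "deny", {}

def may_relay(rules, ip):
    """qmail-smtpd relays for a client only when RELAYCLIENT is set in its environment."""
    instruction, env = lookup(rules, ip)
    return instruction == "allow" and "RELAYCLIENT" in env
```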
805 |

</body>
</section>

<!--
<section>
<title>E-mail Virus Scanning</title>
<body>
<p>
If you'd like to provide e-mail virus scanning for your users, but
don't want to have to install a virus scanner on every single machine,
then <c>pop3vscan</c> may just be the thing for you; a transparent
Post Office Protocol (POP) scanner.
</p>

<pre caption="Setting up pop3vscan">
TODO
</pre>

</body>
</section>
-->

828 |
<section>
<title>Full DHCP Server</title>
<body>

<p>
Earlier we used dnsmasq to provide DHCP service to all our clients. For most
people with a simple small LAN, this is perfect. But you may need something
with more features. Thus we turn to a full-featured DHCP server as provided
by the <uri link="http://www.isc.org/products/DHCP">ISC</uri> folks.
</p>

<pre caption="Setting up dhcpd">
# <i>emerge dhcp</i>
# <i>nano /etc/dhcp/dhcpd.conf</i>
<comment>(Here is a sample configuration file:)</comment>
authoritative;
ddns-update-style interim;
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.100 192.168.0.250;
    default-lease-time 259200;
    max-lease-time 518400;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.0.255;
    option routers 192.168.0.1;
    option domain-name-servers 192.168.0.1;
}
# <i>nano /etc/conf.d/dhcpd</i>
<comment>(Set IFACE="eth0")</comment>
# <i>rc-update add dhcpd default</i>
# <i>/etc/init.d/dhcpd start</i>
</pre>

<p>
This is the minimal setup required to replace the dnsmasq DHCP functionality
that we used earlier. Speaking of which, you did remember to disable the DHCP
features in dnsmasq, didn't you? If not, you should do so now (just comment
out the <c>dhcp-range</c> setting in <path>/etc/dnsmasq.conf</path> and restart
the service).
</p>
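<p>
A typo in <path>dhcpd.conf</path> is the usual reason dhcpd refuses to start
(see the Troubleshooting chapter), so here is an added consistency check, not
part of the guide or of ISC dhcp, that parses the subnet block above and flags
a missing semicolon, a <c>range</c>, <c>routers</c> or
<c>domain-name-servers</c> address outside the declared subnet, and a
<c>broadcast-address</c> that does not match the netmask. The embedded config
is a constructed copy of the sample's subnet block; the parser handles only
<c>subnet { ... }</c> blocks with simple statements.
</p>

```python
import ipaddress
import re
# Constructed copy of the subnet block from the guide's sample /etc/dhcp/dhcpd.conf.
DHCPD_CONF = """\
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.100 192.168.0.250;
    default-lease-time 259200;
    max-lease-time 518400;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.0.255;
    option routers 192.168.0.1;
    option domain-name-servers 192.168.0.1;
}
"""

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)
KEYWORDS = {"range", "default-lease-time", "max-lease-time", "subnet-mask",
            "broadcast-address", "routers", "domain-name-servers"}

def parse_subnets(text):
    """Return [(network, {statement: [args]})] for each subnet block, comments stripped."""
    subnets = []
    for addr, mask, body in SUBNET_RE.findall(re.sub(r"#.*", "", text)):
        stmts = {}
        for stmt in body.replace(",", " ").split(";"):
            words = [w for w in stmt.split() if w != "option"]   # 'option' is just a prefix
            if words:
                stmts[words[0]] = words[1:]
        subnets.append((ipaddress.ip_network(f"{addr}/{mask}"), stmts))
    return subnets

def check_dhcpd_conf(text):
    """Return findings; an empty list means every subnet block is self-consistent."""
    findings = []
    for net, stmts in parse_subnets(text):
        for key, args in stmts.items():
            if any(a in KEYWORDS for a in args):   # a keyword among the arguments
                findings.append(f"'{key}' runs into the next statement: a ';' is missing")
        for key in ("range", "routers", "domain-name-servers"):
            for a in stmts.get(key, []):
                try:
                    inside = ipaddress.ip_address(a) in net
                except ValueError:
                    inside = False
                if not inside:
                    findings.append(f"{key} {a} is not a valid address inside {net}")
        bcast = str(net.broadcast_address)
        if stmts.get("broadcast-address", [bcast])[0] != bcast:
            findings.append(f"option broadcast-address should be {bcast}")
    return findings
```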
867 |

</body>
</section>

<section>
<title>Connect Another LAN (or two or three or ...)</title>
<body>

<p>
Sometimes you need to connect the router to another LAN. Maybe you
want to hook up a group of friends temporarily, or you're a neat freak and
want to section off different groups of computers, or you're just really
really bored. Whatever the reasons, extending the router to other LAN
networks should be pretty straightforward. In the following examples, I will
assume that this new network is connected via a third Ethernet card, namely
<c>eth2</c>.
</p>

<p>
First you need to configure the interface. Just take the instructions in the
<uri link="#doc_chap4_pre1">4.1 code listing</uri> and replace <c>eth0</c>
with <c>eth2</c> and <c>192.168.0</c> with <c>192.168.1</c>.
</p>

<p>
Then you need to tweak dnsmasq to service the new interface. Just edit the
<path>/etc/conf.d/dnsmasq</path> file again and append <c>-i eth2</c> to
<c>DNSMASQ_OPTS</c>; using <c>-i</c> multiple times is OK. Then edit
<path>/etc/dnsmasq.conf</path> and add another line like the <c>dhcp-range</c> line
in the <uri link="#doc_chap5_pre1">5.1 code listing</uri>, replacing
<c>192.168.0</c> with <c>192.168.1</c>. Having multiple <c>dhcp-range</c> lines is
OK too.
</p>

<p>
Finally, see the rules in the <uri link="#doc_chap5_pre2">5.2 code
listing</uri> and duplicate the rules that have <c>-i ${LAN}</c> in them. You
may want to create another variable, say <c>LAN2</c>, to make things easier.
</p>

</body>
</section>

</chapter>

912 |
<chapter>
<title>Troubleshooting</title>

<section>
<title>Useful Tools</title>
<body>

<p>
If you're having trouble getting your computers to communicate, you may want to
try out the following tools (they can all be found in the <c>net-analyzer</c>
portage category):
</p>

<table>
<tr>
  <th>Utility</th>
  <th>Description</th>
</tr>
<tr>
  <ti>ethereal</ti>
  <ti>GUI tool to view all raw network data according to filters</ti>
</tr>
<tr>
  <ti>tcpdump</ti>
  <ti>Console tool to dump all raw network data according to filters</ti>
</tr>
<tr>
  <ti>iptraf</ti>
  <ti>ncurses based IP LAN monitor</ti>
</tr>
<tr>
  <ti>ettercap</ti>
  <ti>ncurses based network monitor/control</ti>
</tr>
</table>

</body>
</section>

951 |
<section>
<title>DHCP Fails To Start</title>
<body>

<p>
When starting the dhcp init.d script for the first time, it may fail to load
but neglect to give you any useful info.
</p>

<pre caption="DHCP Failing Example">
# <i>/etc/init.d/dhcp start</i>
 * Setting ownership on dhcp.leases ...          [ ok ]
 * Starting dhcpd ...                            [ !! ]
</pre>

<p>
The trick is to know where dhcpd is sending its output. Simply browse to
<path>/var/log</path> and read the log files. Since the exact log file depends
on the package you are using as a syslog, try running <c>grep -Rl dhcpd /var/log</c>
to narrow down the possibilities. Chances are you made a typo in your config
file. You could also try running <c>dhcpd -d -f</c> (short for debug /
foreground) and debug the error based upon the output.
</p>

</body>
</section>

978 |
<section>
<title>Incorrect MTU Value</title>
<body>

<p>
If you experience odd errors (such as some webpages not loading while others
load fine), you may be having Path MTU Discovery trouble. The quick way to
test is to run this iptables command:
</p>

<pre caption="Circumvent MTU issues">
# <i>iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu</i>
</pre>

<p>
This will affect all new connections, so just refresh the website you're
having problems with in order to test. In case it helps, the standard MTU
value for 100mbit Ethernet connections is <c>1500</c> while for PPPoE
connections it is <c>1492</c>. For more info, you should read Chapter 15
of the <uri link="http://lartc.org/howto/">Linux Advanced Routing &amp;
Traffic Control HOWTO</uri>.
</p>
1000 |

</body>
</section>

</chapter>

<chapter>
<title>Final Notes</title>
<section>
<body>

<p>
I have no final notes other than if you experience any troubles with the guide,
please contact <mail link="vapier@gentoo.org">me</mail> or file a bug with <uri
link="http://bugs.gentoo.org/">Gentoo's Bugtracking Website</uri>. If you have
some interesting bits you think would enhance this guide, by all means send them
my way for inclusion.
</p>

</body>
</section>
</chapter>
</guide>