<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/home-router-howto.xml,v 1.58 2007/04/07 02:16:43 vapier Exp $ -->

<guide link="/doc/en/home-router-howto.xml" lang="en">
<title>Home Router Guide</title>

<author title="Author">
<mail link="vapier@gentoo.org">Mike Frysinger</mail>
</author>

<abstract>
This document details how to turn an old Gentoo machine into a router
for connecting your home network to the internet.
</abstract>

<!-- The content of this document is released into the public domain -->
<license/>

<version>1.38</version>
<date>2007-07-27</date>

<chapter>
<title>Introduction</title>
<section>
<body>

<p>
Building your own router out of old spare parts has many advantages over buying
a pre-made canned router from, say, Linksys. The biggest one by far is control
over the connection. The other advantages are left up to your imagination;
just about anything can be done in this scenario, it's just a matter of needing
it.
</p>

<p>
This guide will show you how to set up Network Address Translation (NAT) on the
router (kernel and iptables), add and configure common services (Domain Name
System (DNS) and DHCP for the LAN via dnsmasq, a DHCP client for the WAN via
dhcpcd, ADSL via ppp), and conclude with more elaborate and fun things that can
be done (port forwarding, traffic shaping, proxies/caching, etc.).
</p>

<p>
Before getting started, there are a few basic requirements you must meet. First,
you'll need a computer that has at least 2 Network Interface Cards (NICs) in
it. Next, you'll need the configuration settings for your internet connection
(may include things like IP/DNS/Gateway/username/password). Finally, you'll
need a bit of spare time and some Gentoo loving.
</p>

<p>
The conventions used in this guide are:
</p>

<ul>
<li>eth0 - NIC connected to the Local Area Network (LAN)</li>
<li>eth1 - NIC connected to the Wide Area Network (WAN)</li>
<li>LAN utilizes the private 192.168.0.xxx network (192.168.0.0/24)</li>
<li>router is hardcoded to the standard 192.168.0.1 IP</li>
<li>router is running Linux 2.4 or 2.6; you're on your own with 2.0/2.2</li>
</ul>

<impo>
As a security precaution, I would highly suggest you shut down any unneeded
services on the router until we have a chance to get the firewall up and
rolling. Until then, anything listening on the WAN interface is reachable from
the whole internet. To view the currently running services, just run
<c>rc-status</c>.
</impo>

</body>
</section>
</chapter>

<chapter>
<title>Kernel setup (know thyself first)</title>
<section>
<body>

<p>
Your kernel needs to have the drivers running for both your NICs. To see if
your cards are already set up, just run <c>ifconfig</c>. Your output may differ
slightly from the following, that's fine. What matters is that the interface
shows up at all.
</p>

<pre caption="Checking NICs">
# <i>ifconfig -a</i>
eth0      Link encap:Ethernet  HWaddr 00:60:F5:07:07:B8
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:11 Base address:0x9800

eth1      Link encap:Ethernet  HWaddr 00:60:F5:07:07:B9
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:10 Base address:0x9400
</pre>

<p>
If you do not see your two cards showing up and you're not sure what kind of
cards you have, try running <c>lspci | grep Ethernet</c>. You can get that
from <c>emerge pciutils</c>. Once you have this information, go into your
kernel and add support for the correct drivers.
</p>

<p>
The next thing you'll need is support for iptables and NAT (and packet shaping
if you want). The following list is split up into always required (*),
required only for ADSL via PPPoE (a), suggested for everyone (x), and only
for shaper (s) features. It does not matter whether you build the features
into the kernel or as modules, so long as the correct module(s) are loaded
whenever the feature is needed (module loading is left to the reader as a fun
exercise, however). The "Connection state match support" entry is not used by
the basic ruleset later in this guide, but it is what lets iptables match on
connection state (<c>-m state</c>), the usual way of admitting only replies to
connections your LAN opened, so it is worth turning on now.
</p>

<pre caption="Network Options">
Networking options  --->
  [*] TCP/IP networking
  [*]   IP: advanced router
  [*] Network packet filtering (replaces ipchains)
<comment>If you use 2.4.x, you have to enable the following for DHCP:</comment>
  [*] Socket Filtering

  IP: Netfilter Configuration  --->
    [*] Connection tracking (required for masq/NAT)
    [x]   FTP protocol support
    [x]   IRC protocol support
    [*] IP tables support (required for filtering/masq/NAT)
    [*]   IP range match support
    [x]   MAC address match support
    [*]   Multiple port match support
    [x]   Connection state match support
    [*]   Packet filtering
    [*]     REJECT target support
    [x]   REDIRECT target support
    [*]   Full NAT
    [*]     MASQUERADE target support
    [s]   Packet mangling
    [s]     MARK target support
    [x]   LOG target support

  QoS and/or fair queueing  --->
    [s] QoS and/or fair queueing
    [s]   HTB packet scheduler
    [s]   Ingress Qdisc

[a] PPP (point-to-point protocol) support
[a]   PPP filtering
[a]   PPP support for async serial ports
[a]   PPP support for sync tty ports
[a]   PPP Deflate compression
[a]   PPP BSD-Compress compression
[a]   PPP over Ethernet
</pre>

<note>
Some things may be slightly different in a 2.4 vs 2.6 kernel, but you should be
able to figure it out :). Even among 2.6 kernels, these options have a
tendency to move around. Good luck!
</note>
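
<p>
Because the option names move around between kernel versions, it is easy to
end up with a kernel that is missing one of them and only find out when an
<c>iptables</c> command fails. The following script is an added example (it is
not part of this guide or of any Gentoo package): it reads the running
kernel's configuration from <path>/proc/config.gz</path> (which needs
CONFIG_IKCONFIG_PROC) or from a <path>.config</path> path you pass it, and
reports every requirement from the list above that is not satisfied. Each
requirement lists the alternative CONFIG_ names it has carried in 2.4, early
2.6 and later kernels; the exact set of alternatives is my assumption and may
need extending for a very new kernel.
</p>

```shell
# Kernel option check for this guide. Added example, not part of the original
# document. Reads /proc/config.gz (needs CONFIG_IKCONFIG_PROC) or a .config
# path given as "--check PATH", and prints the requirements that are missing.
# Option names moved between 2.4, early 2.6 and later kernels, so each
# requirement lists the alternative CONFIG_ names that satisfy it.

# One requirement per line; alternatives are separated by "|".
# The state match (last line) is the "Connection state match support" entry.
REQUIRED_OPTIONS='
CONFIG_NETFILTER
CONFIG_IP_ADVANCED_ROUTER
CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_FILTER
CONFIG_IP_NF_TARGET_REJECT
CONFIG_IP_NF_CONNTRACK|CONFIG_NF_CONNTRACK_IPV4|CONFIG_NF_CONNTRACK
CONFIG_IP_NF_NAT|CONFIG_NF_NAT|CONFIG_NF_NAT_IPV4
CONFIG_IP_NF_TARGET_MASQUERADE|CONFIG_NETFILTER_XT_TARGET_MASQUERADE
CONFIG_IP_NF_MATCH_MULTIPORT|CONFIG_NETFILTER_XT_MATCH_MULTIPORT
CONFIG_IP_NF_MATCH_IPRANGE|CONFIG_NETFILTER_XT_MATCH_IPRANGE
CONFIG_IP_NF_MATCH_STATE|CONFIG_NETFILTER_XT_MATCH_STATE|CONFIG_NETFILTER_XT_MATCH_CONNTRACK
'

# Print the kernel config as plain text: the file named in $1 if given,
# otherwise the running kernel's embedded config.
kernel_config() {
    if [ -n "${1:-}" ]; then
        cat "$1"
    elif [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    else
        echo "no kernel config found; enable CONFIG_IKCONFIG_PROC or pass a .config path"
        return 1
    fi
}

# Read config text on stdin and print each unmet requirement on its own line.
# Built in (=y) and module (=m) both count. Returns 1 if anything is missing.
missing_options() {
    config=$(cat)
    missing=""
    for req in $REQUIRED_OPTIONS; do
        # "|"-separated alternatives become a grep -E alternation
        if ! printf '%s\n' "$config" | grep -qE "^(${req})=[ym]$"; then
            missing="${missing}${req}
"
        fi
    done
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# Usage: sh kernel-check.sh --check [/usr/src/linux/.config]
if [ "${1:-}" = "--check" ]; then
    if kernel_config "${2:-}" | missing_options; then
        echo "all required netfilter/NAT options present"
    fi
fi
```

<p>
Run it as <c>sh kernel-check.sh --check</c> on the router (or with the path to
the <path>.config</path> you are about to build) and fix whatever it prints
before moving on; an empty report means every requirement is met by at least
one of its alternative names.
</p>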

</body>
</section>
</chapter>

<chapter>
<title>Hug the WAN (a.k.a. The Internet)</title>

<section>
<title>Intro</title>
<body>

<p>
There are many ways to connect to the internet, so I'll just cover the ones I'm
familiar with. That leaves us with ADSL (PPPoE) and cable modems
(static/dynamic). If there are other methods out there, feel free to write up
a little blurb and e-mail me. Feel free to skip any of the following sections
in this chapter that don't apply to you. This chapter is just about getting
the router connected to the internet via eth1.
</p>

</body>
</section>
<section>
<title>ADSL and PPPoE</title>
<body>

<p>
All the fancy PPPoE software that used to be provided by rp-pppoe
(<uri link="http://www.roaringpenguin.com/">Roaring Penguin</uri>) has been
integrated into the <uri link="http://samba.org/ppp/">standard PPP
package</uri>. Simply <c>emerge ppp</c> and you'll be on your way. Remember
how I said you'll need username/password information? Well I wasn't lying, so
I hope you have it now! Load up <path>/etc/conf.d/net</path> in your favorite
editor and set it up.
</p>

<note>
In order for the following net settings to work, you must have
baselayout-1.12.9 or later installed on your system.
</note>

<pre caption="Setting up eth1">
<comment>(Replace 'vla9h924' with your username and 'boogie' with your password)</comment>

# <i>nano /etc/conf.d/net</i>
<comment>Tell baselayout to use adsl over eth1 for ppp0:</comment>
config_ppp0=( "ppp" )
link_ppp0="eth1"
plugins_ppp0=( "pppoe" )
pppd_ppp0=(
    "defaultroute"
    "usepeerdns"
    <comment>There may be other settings you want, see /etc/conf.d/net.example</comment>
)
username_ppp0="vla9h924"
password_ppp0="boogie"

# <i>ln -s net.lo /etc/init.d/net.ppp0</i>
# <i>rc-update add net.ppp0 default</i>
# <i>/etc/init.d/net.ppp0 start</i>
</pre>

<warn>
When the DSL interface comes up, it will create ppp0. Although your NIC is
called eth1, the IP is actually bound to ppp0. From now on, when you see
examples that utilize 'eth1', substitute 'ppp0'.
</warn>

<warn>
Make sure you change the permissions of <path>/etc/conf.d/net</path> so that
only root can read/write it (<c>chmod 600 /etc/conf.d/net</c>), since you're
sticking your username/password in it.
</warn>

<warn>
For people transitioning from the <c>rp-pppoe</c> package, or for people who
hit weird connection resets, see the MTU section in the Troubleshooting
chapter.
</warn>

</body>
</section>

<section>
<title>Cable and/or dynamic/static IP</title>
<body>

<p>
If you have a static IP then you will need a few more details than if
you have a dynamic IP. For static users, you will need your IP,
gateway, and DNS servers.
</p>

<pre caption="Setting up eth1">
<comment>Dynamic IP Users:</comment>
# <i>emerge dhcpcd</i>
# <i>nano /etc/conf.d/net</i>
<comment>You'll need an entry like so:</comment>
config_eth1=( "dhcp" )

<comment>Static IP Users:</comment>
# <i>nano /etc/conf.d/net</i>
<comment>You'll need entries like so:</comment>
config_eth1=( "66.92.78.102 broadcast 66.92.78.255 netmask 255.255.255.0" )
routes_eth1=( "default gw 66.92.78.1" )
# <i>nano /etc/resolv.conf</i>
<comment>Add one line per DNS server:</comment>
nameserver 123.123.123.123

<comment>Dynamic and Static Setup:</comment>
# <i>ln -s net.lo /etc/init.d/net.eth1</i>
# <i>rc-update add net.eth1 default</i>
# <i>/etc/init.d/net.eth1 start</i>
</pre>

<p>
You should be all set to go now.
</p>

</body>
</section>
</chapter>

<chapter>
<title>Hug the LAN (bring along some friends)</title>
<section>
<body>

<p>
This step is a breeze compared to the previous one.
</p>

<pre caption="Setting up eth0">
# <i>nano /etc/conf.d/net</i>
<comment>Add a line like the following:</comment>
config_eth0=( "192.168.0.1 broadcast 192.168.0.255 netmask 255.255.255.0" )
# <i>rc-update add net.eth0 default</i>
# <i>/etc/init.d/net.eth0 start</i>
</pre>

</body>
</section>
</chapter>

<chapter>
<title>LAN Services (because we're nice people)</title>

<section>
<title>DHCP Server</title>
<body>

<p>
I bet it'd be nice if everyone else in your house could just plug their
computers into the network and things would just work. No need to remember
mind-numbing details or make them stare at confusing configuration screens!
Life would be grand, eh? Introducing the Dynamic Host Configuration Protocol
(DHCP) and why you should care.
</p>

<p>
DHCP is exactly what its name implies. It's a protocol that allows you
to dynamically configure other hosts automatically. You run a DHCP server on
the router, give it all the information about your network (valid IPs,
DNS servers, gateways, etc.), and then when the other hosts start up, they
run a DHCP client to automatically configure themselves. No fuss, no muss!
For more information about DHCP, you can always visit <uri
link="http://en.wikipedia.org/wiki/DHCP">Wikipedia</uri>.
</p>

<p>
We'll use a package called dnsmasq which provides both DHCP and DNS services.
For now let's just focus on the DHCP aspect. Note that if you want to run a
different DHCP server, you can find another example in the Fun Things chapter.
Also, if you wish to tinker with the DHCP server settings, just read the
comments in <path>/etc/dnsmasq.conf</path>. All the defaults should work fine
though.
</p>

<pre caption="Setting up a DHCP server">
# <i>emerge dnsmasq</i>
# <i>nano /etc/dnsmasq.conf</i>
<comment>Add this line to enable dhcp:</comment>
dhcp-range=192.168.0.100,192.168.0.250,72h
<comment>Restrict dnsmasq to just the LAN interface, so nothing on the WAN side
ever gets DHCP leases or DNS answers from you:</comment>
interface=eth0

# <i>rc-update add dnsmasq default</i>
# <i>/etc/init.d/dnsmasq start</i>
</pre>

<p>
Now your little router is a bona fide DHCP server! Plug in those computers and
watch them work! With Windows systems you should go into the TCP/IP Properties
and select the 'Obtain an IP address automatically' and 'Obtain DNS server
address automatically' options. Sometimes the changes aren't instantaneous, so
you may have to open a command prompt and run <c>ipconfig /release</c> and
<c>ipconfig /renew</c>. But enough about Windows, let's get back to our
favorite penguin.
</p>
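
<p>
The two lines above are enough to get going, but dnsmasq has a handful of
settings that make it behave like the "LAN only, nothing more" service this
guide wants. The script below is an added example, not part of this guide or
of the dnsmasq package: it writes a complete <path>/etc/dnsmasq.conf</path>
that keeps the guide's <c>dhcp-range</c> and <c>interface</c> lines and adds
the settings that stop dnsmasq from answering on the WAN, from forwarding junk
queries to your ISP, and from letting upstream answers point at private
addresses. Interface names and the router address follow the guide's
conventions; the MAC addresses and hostnames in the static reservations are
made-up sample data, and <c>stop-dns-rebind</c> assumes dnsmasq 2.41 or later.
</p>

```shell
# dnsmasq.conf generator. Added example, not part of the guide. Keeps the
# guide's dhcp-range and interface lines and adds the settings that stop
# dnsmasq from answering on the WAN, from forwarding junk upstream, and from
# accepting upstream answers that point into the LAN. Interface names and
# addresses follow the guide; the reservations are made-up sample data.
# stop-dns-rebind needs dnsmasq 2.41 or later.
# Usage: sh gen-dnsmasq.sh print > /etc/dnsmasq.conf

LAN=${LAN:-eth0}
WAN=${WAN:-eth1}
ROUTER=${ROUTER:-192.168.0.1}
LAN_DOMAIN=${LAN_DOMAIN:-lan}

# Fixed addresses, one per line: MAC IP hostname (constructed sample data).
# Give the machines you port-forward to a fixed address here.
STATIC_HOSTS='00:60:f5:07:07:c0 192.168.0.2 fileserver
00:60:f5:07:07:c1 192.168.0.56 webbox'

dnsmasq_conf() {
    p() { printf '%s\n' "$*"; }
    p "# --- listen on the LAN only ---"
    p "interface=$LAN"
    p "except-interface=$WAN"
    # bind to eth0's own address instead of 0.0.0.0, so an interface that
    # appears later (ppp0 coming up) can never be served by accident
    p "bind-interfaces"
    p ""
    p "# --- DNS: a cache/forwarder for the LAN, nothing more ---"
    # never send plain names or reverse lookups of private ranges upstream
    p "domain-needed"
    p "bogus-priv"
    # answer LAN hostnames locally instead of asking the ISP about them
    p "domain=$LAN_DOMAIN"
    p "local=/$LAN_DOMAIN/"
    p "expand-hosts"
    # drop upstream answers that resolve to private addresses (DNS rebinding)
    p "stop-dns-rebind"
    p "cache-size=1000"
    p ""
    p "# --- DHCP ---"
    p "dhcp-range=192.168.0.100,192.168.0.250,72h"
    p "dhcp-option=option:router,$ROUTER"
    p "dhcp-option=option:dns-server,$ROUTER"
    # we are the only DHCP server on this LAN: clients holding a stale lease
    # from somewhere else are told to start over instead of waiting it out
    p "dhcp-authoritative"
    printf '%s\n' "$STATIC_HOSTS" | while read -r mac ip name; do
        [ -n "$mac" ] || continue
        p "dhcp-host=$mac,$ip,$name"
    done
}

if [ "${1:-}" = "print" ]; then
    dnsmasq_conf
fi
```

<p>
After writing the file, <c>dnsmasq --test</c> will tell you whether it parses,
and <c>/etc/init.d/dnsmasq restart</c> picks it up. With <c>bind-interfaces</c>
in place, <c>netstat -lnp</c> should show dnsmasq bound to 192.168.0.1 and
127.0.0.1 only, never to 0.0.0.0 or the WAN address.
</p>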

</body>
</section>

<section>
<title>DNS Server</title>
<body>

<p>
When people want to visit a place on the internet, they remember names, not a
string of funky numbers. After all, what's easier to remember, ebay.com or
66.135.192.87? This is where DNS steps in. DNS servers run all over the
internet, and whenever someone wants to visit 'ebay.com', these servers turn
'ebay.com' (what we understand) into '66.135.192.87' (what our computers
understand). For more information about DNS, you can always visit <uri
link="http://en.wikipedia.org/wiki/DNS">Wikipedia</uri>.
</p>

<p>
Since we're using dnsmasq for our DHCP server, and it includes a DNS server,
you've got nothing left to do here! Your little router is already providing
DNS to its DHCP clients: dnsmasq hands out its own address as the DNS server
in each lease and forwards the queries it cannot answer from its cache to the
upstream servers listed in the router's <path>/etc/resolv.conf</path>. Because
it only listens on eth0, it is not an open resolver that the rest of the
internet can use. Bet you wish everything was this easy ;).
</p>

<p>
You're welcome to choose other DNS servers if you're more comfortable with
them, but the reason dnsmasq is great is because it was designed to do exactly
what we want and nothing more. It's a little DNS caching/forwarding server for
local networks. We're not looking to provide DNS for our own domain here, just
offer simple DNS services to everyone else on our LAN.
</p>

</body>
</section>


<section>
<title>NAT (a.k.a. IP-masquerading)</title>
<body>

<p>
At this point, people on your network can talk to each other and they can look
up hostnames via DNS, but they still can't actually connect to the internet.
While you may think that's great (more bandwidth for you!), I bet they're not
too happy just yet.
</p>

<p>
This is where Network Address Translation (NAT) steps in. NAT is a way of
connecting multiple computers in a private LAN to the internet when you have a
smaller number of public IP addresses available to you. Typically you are given
1 IP by your ISP, but you want to let your whole house connect to the internet.
NAT is the magic that makes this possible. For more information about NAT, you
can always visit <uri link="http://en.wikipedia.org/wiki/NAT">Wikipedia</uri>.
</p>

<note>
Before we get started, make sure you have iptables on your system. Although it
is automatically installed on most systems, you may not have it. If you don't,
just run <c>emerge iptables</c>.
</note>

<pre caption="Setting up iptables">
<comment>First we flush our current rules</comment>
# <i>iptables -F</i>
# <i>iptables -t nat -F</i>

<comment>Set up default policies to handle unmatched traffic</comment>
# <i>iptables -P INPUT ACCEPT</i>
# <i>iptables -P OUTPUT ACCEPT</i>
# <i>iptables -P FORWARD DROP</i>

<comment>Copy and paste these exam
ples ...</comment>
# <i>export LAN=eth0</i>
# <i>export WAN=eth1</i>

<comment>Then we lock our services so they only work from the LAN</comment>
# <i>iptables -I INPUT 1 -i ${LAN} -j ACCEPT</i>
# <i>iptables -I INPUT 1 -i lo -j ACCEPT</i>
# <i>iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT</i>
# <i>iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT</i>

<comment>(Optional) Allow access to our ssh server from the WAN</comment>
# <i>iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT</i>

<comment>Drop TCP / UDP packets to privileged ports</comment>
# <i>iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP</i>
# <i>iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP</i>

<comment>Finally we add the rules for NAT</comment>
# <i>iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP</i>
# <i>iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT</i>
# <i>iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT</i>
# <i>iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE</i>
<comment>Tell the kernel that ip forwarding is OK</comment>
# <i>echo 1 > /proc/sys/net/ipv4/ip_forward</i>
# <i>for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done</i>

<comment>This is so when we boot we don't have to run the rules by hand</comment>
# <i>/etc/init.d/iptables save</i>
# <i>rc-update add iptables default</i>
# <i>nano /etc/sysctl.conf</i>
<comment>Add/Uncomment the following lines:</comment>
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1

<comment>If you have a dynamic internet address you probably want to enable this:</comment>
net.ipv4.ip_dynaddr = 1
</pre>

<p>
Once you've typed out all of that, the rest of your network should now be able
to use the internet as if they were directly connected themselves.
</p>

<note>
A few things to be aware of in the ruleset above. The INPUT policy is ACCEPT
and only ports 0-1023 are dropped from the WAN, so any service on the router
that listens on a port above 1023 is reachable from the internet unless you add
a rule for it (or switch the INPUT policy to DROP and accept only what you
need). The FORWARD rule that accepts WAN packets addressed to 192.168.0.0/16
admits any such packet, not just replies to connections your LAN opened; with
the "Connection state match support" kernel option you can instead match on
<c>-m state --state ESTABLISHED,RELATED</c>. Finally, newer iptables releases
want the negation written as <c>! -i ${LAN}</c> rather than <c>-i ! ${LAN}</c>
and print a deprecation warning for the old spelling.
</note>

<p>
The ip_dynaddr option is useful for dial-on-demand systems or when your ISP
gives out dynamic addresses. This works around the problem where a connection
is attempted before the internet interface is fully set up. Really this just
provides for a smoother network experience for users behind your router.
</p>
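
<p>
For those who want the tighter variant, the script below is an added example
and not the guide's own ruleset. It keeps the same LAN/WAN conventions but
defaults INPUT and FORWARD to DROP, admits return traffic by connection state
instead of by destination prefix, masquerades only sources from our own
192.168.0.0/24, extends the guide's "don't forward LAN traffic to
192.168.0.0/16" rule to all three private ranges, and uses the <c>! -i</c>
spelling that current iptables expects. It assumes iptables 1.4 or later and
the "Connection state match support" kernel option (not in the guide's
required list; it lives under IP: Netfilter Configuration). Rule generation
is kept separate from loading so you can preview the result with
<c>IPT=echo</c> before touching a live router; on PPPoE set <c>WAN=ppp0</c>.
</p>

```shell
# Tightened version of the ruleset above. Added example, not the guide's own
# rules. INPUT and FORWARD default to DROP, return traffic is admitted by
# connection state instead of by destination prefix, POSTROUTING masquerades
# only our own LAN prefix, and negation uses the "! -i" spelling current
# iptables expects. Assumes iptables 1.4 or later and the "Connection state
# match support" kernel option (-m state). LAN/WAN names follow the guide;
# on PPPoE set WAN=ppp0.

LAN=${LAN:-eth0}
WAN=${WAN:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}
WAN_SSH=${WAN_SSH:-no}        # yes = accept ssh from the internet
IPT=${IPT:-iptables}          # IPT=echo prints the rules instead of loading

# Emit the ruleset, one set of iptables arguments per line, in load order.
# Generation is separate from loading so the result can be reviewed first.
firewall_rules() {
    r() { printf '%s\n' "$*"; }
    r "-F"
    r "-t nat -F"
    # Default deny for anything arriving at or crossing the router; the
    # router's own outbound connections (DNS, NTP, emerge sync) stay open.
    r "-P INPUT DROP"
    r "-P FORWARD DROP"
    r "-P OUTPUT ACCEPT"
    # Loopback and the LAN side are trusted; this covers DHCP, DNS and rsync,
    # so the guide's bootps/domain REJECT rules are no longer needed.
    r "-A INPUT -i lo -j ACCEPT"
    r "-A INPUT -i $LAN -j ACCEPT"
    # Replies to connections the router opened itself; INVALID is junk.
    r "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    r "-A INPUT -m state --state INVALID -j DROP"
    if [ "$WAN_SSH" = "yes" ]; then
        r "-A INPUT -i $WAN -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    fi
    # Nothing else from the WAN reaches the router: the INPUT policy drops
    # it, so there is no privileged-port special case and no open high port.
    # LAN to WAN: private destinations are never forwarded out, and only our
    # own prefix may start connections (spoofed sources never leave).
    r "-A FORWARD -i $LAN -o $WAN -d 10.0.0.0/8 -j DROP"
    r "-A FORWARD -i $LAN -o $WAN -d 172.16.0.0/12 -j DROP"
    r "-A FORWARD -i $LAN -o $WAN -d 192.168.0.0/16 -j DROP"
    r "-A FORWARD -i $LAN -o $WAN -s $LAN_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    # WAN to LAN: replies only. Port forwards add their own NEW rules here.
    r "-A FORWARD -i $WAN -o $LAN -d $LAN_NET -m state --state ESTABLISHED,RELATED -j ACCEPT"
    r "-A FORWARD -m state --state INVALID -j DROP"
    # Hide the LAN behind the WAN address, but only for our own sources.
    r "-t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE"
}

# Load the rules with $IPT, stopping at the first failure, then turn on
# forwarding and reverse-path filtering exactly as the guide does.
apply_firewall() {
    firewall_rules | while IFS= read -r args; do
        $IPT $args || exit 1       # exits this subshell loop only
    done || return 1
    if [ "$IPT" != "echo" ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
        for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$f"; done
    fi
}

# Usage: sh firewall.sh apply      (IPT=echo sh firewall.sh apply to preview)
if [ "${1:-}" = "apply" ]; then
    apply_firewall
fi
```

<p>
Preview with <c>IPT=echo sh firewall.sh apply</c>, load with
<c>sh firewall.sh apply</c>, and then run <c>/etc/init.d/iptables save</c> as
above so the rules survive a reboot. If you later forward ports, remember that
with a DROP policy on FORWARD each forward needs its own accept rule for NEW
connections in addition to the DNAT.
</p>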

</body>
</section>
</chapter>

<chapter>
<title>Fun Things (for a rainy day)</title>

<section>
<title>Intro</title>
<body>

<p>
Believe it or not, you're done :). From here on out, I'll cover a bunch of
common topics that may interest you. Everything in this chapter is completely
optional.
</p>

</body>
</section>

<section>
<title>Port Forwarding</title>
<body>

<p>
Sometimes you would like to be able to host services on a computer behind the
router, or just to make your life easier when connecting remotely. Perhaps you
want to run an FTP, HTTP, SSH, or VNC server on one or more machines behind
your router and be able to connect to them all. The only caveat is that you can
only have one service/machine combo per external port. For example, there is no
practical way to set up three FTP servers behind your router and then try to
connect to them all through port 21; only one can be on port 21 while the
others would have to be on, say, port 123 and port 567.
</p>

<p>
All the port forwarding rules are of the form <c>iptables -t nat -A PREROUTING
[-p protocol] --dport [external port on router] -i ${WAN} -j DNAT --to [ip/port
to forward to]</c>. Unfortunately, iptables does not accept hostnames in the
DNAT target, only IP addresses. If you are forwarding an external port to the
same port on the internal machine, you can omit the destination port. See the
iptables(8) man page for more information. Keep in mind that every port you
forward is a service you are exposing to the whole internet, so forward only
what you actually need and keep the internal host patched.
</p>

<pre caption="Running the iptables commands">
<comment>Copy and paste these examples ...</comment>
# <i>export LAN=eth0</i>
# <i>export WAN=eth1</i>

<comment>Forward port 2 to ssh on an internal host</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 2 -i ${WAN} -j DNAT --to 192.168.0.2:22</i>

<comment>FTP forwarding to an internal host</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 21 -i ${WAN} -j DNAT --to 192.168.0.56</i>

<comment>HTTP forwarding to an internal host</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to 192.168.0.56</i>

<comment>VNC forwarding for internal hosts</comment>
# <i>iptables -t nat -I PREROUTING -p tcp --dport 5900 -i ${WAN} -j DNAT --to 192.168.0.2</i>
# <i>iptables -t nat -I PREROUTING -p tcp --dport 5901 -i ${WAN} -j DNAT --to 192.168.0.3:5900</i>
<comment>If you want to VNC in to 192.168.0.3, then just add ':1' to the router's hostname</comment>

<comment>SAMBA forwarding to an internal host (excess ports to cover Windows)</comment>
# <i>iptables -t nat -I PREROUTING -p tcp --dport 135 -i ${WAN} -j DNAT --to 192.168.0.2</i>
# <i>iptables -t nat -I PREROUTING -p tcp --dport 139 -i ${WAN} -j DNAT --to 192.168.0.2</i>
# <i>iptables -t nat -I PREROUTING -p tcp --dport 445 -i ${WAN} -j DNAT --to 192.168.0.2</i>
# <i>iptables -t nat -I PREROUTING -p udp --dport 137:138 -i ${WAN} -j DNAT --to 192.168.0.2</i>
# <i>iptables -t nat -I PREROUTING -p udp --dport 445 -i ${WAN} -j DNAT --to 192.168.0.2</i>

<comment>Bittorrent forwarding</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 6881:6889 -i ${WAN} -j DNAT --to 192.168.0.2</i>

<comment>eDonkey/eMule forwarding</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 4662 -i ${WAN} -j DNAT --to 192.168.0.55</i>

<comment>Game Cube Warp Pipe support</comment>
# <i>iptables -t nat -A PREROUTING -p udp --dport 4000 -i ${WAN} -j DNAT --to 192.168.0.56</i>

<comment>Playstation 2 Online support</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 10070:10080 -i ${WAN} -j DNAT --to 192.168.0.11</i>
# <i>iptables -t nat -A PREROUTING -p udp --dport 10070:10080 -i ${WAN} -j DNAT --to 192.168.0.11</i>

<comment>Xbox Live</comment>
# <i>iptables -t nat -A PREROUTING -p tcp --dport 3074 -i ${WAN} -j DNAT --to 192.168.0.69</i>
# <i>iptables -t nat -A PREROUTING -p udp --dport 3074 -i ${WAN} -j DNAT --to 192.168.0.69</i>
# <i>iptables -t nat -A PREROUTING -p udp --dport 88 -i ${WAN} -j DNAT --to 192.168.0.69</i>
</pre>

<warn>
The SAMBA example exposes Windows file sharing (ports 135, 139 and 445) to the
entire internet. That is rarely a good idea; if you need to reach a Windows
share from outside, tunnel it over ssh or a VPN instead and leave those rules
out.
</warn>

<note>
If you have other common / cool examples, please <mail
link="vapier@gentoo.org">e-mail me</mail>.
</note>
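
<p>
A small helper makes the rules above less error-prone. The script below is an
added example, not part of this guide: each forwarding spec produces the
nat/PREROUTING DNAT rule shown above plus a filter/FORWARD accept for the
rewritten destination. The guide's own FORWARD rule (accept anything from the
WAN addressed to 192.168.0.0/16) makes the second rule redundant, but a
default-deny FORWARD chain that admits WAN traffic only by connection state
needs it. Every spec is checked so that a typo cannot forward to a public
address, to the router itself, or to an impossible port. Interface names
follow the guide (eth1 for WAN, ppp0 on PPPoE), <c>IPT=echo</c> prints instead
of loading, and the three sample specs are made up.
</p>

```shell
# Port-forward helper. Added example, not the guide's own commands. Each spec
# produces the nat/PREROUTING DNAT rule shown in the guide plus the
# filter/FORWARD accept that a default-deny FORWARD chain needs for the
# rewritten destination. Specs are validated so a typo cannot forward to a
# public address or an impossible port. Interface names follow the guide
# (eth1 WAN, ppp0 on PPPoE); IPT=echo prints rules instead of loading them.
# The sample specs in FORWARDS are constructed data.

WAN=${WAN:-eth1}
IPT=${IPT:-iptables}

# True when $1 is a port or a low:high range within 1-65535.
valid_port() {
    case "$1" in
        ""|:*|*:|*:*:*|*[!0-9:]*) return 1 ;;
    esac
    lo=${1%%:*}
    hi=${1##*:}
    [ "$lo" -ge 1 ] || return 1
    [ "$hi" -le 65535 ] || return 1
    [ "$hi" -ge "$lo" ]
}

# True when $1 is a usable host address in the guide's LAN, 192.168.0.2-254
# (.0 and .255 are network/broadcast, .1 is the router itself).
in_lan() {
    case "$1" in
        192.168.0.[2-9]|192.168.0.[1-9][0-9]|192.168.0.1[0-9][0-9]|192.168.0.2[0-4][0-9]|192.168.0.25[0-4])
            return 0 ;;
    esac
    return 1
}

# port_forward PROTO EXTPORT DEST[:PORT]
# Emits nothing and returns 1 if any part of the spec is invalid.
port_forward() {
    proto=$1; ext=$2; dest=$3
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    valid_port "$ext" || return 1
    ip=${dest%%:*}
    in_lan "$ip" || return 1
    if [ "$dest" = "$ip" ]; then
        inport=$ext                   # same port(s) on the inside host
    else
        inport=${dest#*:}
        valid_port "$inport" || return 1
    fi
    $IPT -t nat -A PREROUTING -i "$WAN" -p "$proto" --dport "$ext" -j DNAT --to-destination "$dest"
    $IPT -A FORWARD -i "$WAN" -p "$proto" -d "$ip" --dport "$inport" -m state --state NEW -j ACCEPT
}

# One spec per line: PROTO EXTPORT DEST[:PORT]. Constructed sample data;
# replace with your own hosts.
FORWARDS='tcp 2 192.168.0.2:22
tcp 80 192.168.0.56
udp 3074 192.168.0.69'

# Load every spec, stopping at the first bad one so a typo gets noticed
# instead of silently exposing the wrong thing.
load_forwards() {
    printf '%s\n' "$FORWARDS" | while read -r proto ext dest; do
        [ -n "$proto" ] || continue
        if ! port_forward "$proto" "$ext" "$dest"; then
            echo "invalid forward spec: $proto $ext $dest"
            exit 1
        fi
    done
}

# Usage: sh forwards.sh load      (IPT=echo sh forwards.sh load to preview)
if [ "${1:-}" = "load" ]; then
    load_forwards
fi
```

<p>
The FORWARD rule uses <c>-m state --state NEW</c>, so it needs the "Connection
state match support" kernel option; the replies come back through the
ESTABLISHED,RELATED rule a state-based FORWARD chain already has. As with the
NAT chapter, run <c>/etc/init.d/iptables save</c> after loading so the forwards
survive a reboot.
</p>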

</body>
</section>

<section>
<title>Identd (for IRC)</title>
<body>

<p>
Internet Relay Chat utilizes the ident service pretty heavily. Now that the
IRC clients are behind the router, we need a way to host ident for both the
router and the clients. One such server has been created called
<c>midentd</c>.
</p>

<pre caption="Setting up ident">
# <i>emerge midentd</i>
# <i>rc-update add midentd default</i>
# <i>/etc/init.d/midentd start</i>
</pre>

<note>
Ident requests come from the IRC server, i.e. from the WAN side, to port
113/tcp on the router. The firewall from the NAT chapter drops every
privileged port on the WAN, so you need an explicit rule accepting 113/tcp on
${WAN} for ident to be of any use; without one the IRC server's lookup has to
time out before you are let in. Keep in mind that an honest ident reply tells
the remote server which local user owns a connection, which is exactly why
<c>fakeidentd</c> exists.
</note>

<p>
There are a few other ident servers in portage. Depending on your needs, I
would recommend checking out <c>oidentd</c> and <c>fakeidentd</c>.
</p>

</body>
</section>

<!--
<section>
<title>Traffic Shaping</title>
<body>
<p>
This is an attempt to simplify and Gentooify the <uri link="http://www.tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/">ADSL Bandwidth Management HOWTO</uri>
found over at the TLDP. Feel free to refer to the original document
for more details.
</p>

<p>
Here we will be setting up what some people refer to as a "Packet Shaper",
<uri link="http://en.wikipedia.org/wiki/Traffic_shaping">"Traffic Shaping"</uri>,
or <uri link="http://en.wikipedia.org/wiki/QoS">"Quality of Service"</uri>.
Simply put, we want to set up rules on our router that will slow down
certain activities (like sending large e-mails or downloading from P2P
networks) while keeping other activities (like browsing the web or playing
online video games) reasonably fast. A 30 second difference in a video
game is a lot worse than a 30 second difference in downloading large
files :).
</p>

<p>
The first thing is to make sure your kernel has all the features added to
it. See the chapter on <uri link="#doc_chap2">Kernel setup</uri> for more
information. Next, you will need to <c>emerge iptables iputils</c> so that
you will have access to the <c>iptables</c>, <c>ip</c>, and <c>tc</c>
commands.
</p>

<p>
Before we jump into the commands, let's cover a little of the theory. The
way this whole system works is to classify common network streams and then
to prioritize them. You use iptables to classify network streams, iputils
to define the different priority levels, and the kernel to adjust speeds.
Just remember that although you can control outbound traffic pretty tightly
(from the LAN to the WAN), your ability to control inbound traffic (from
the WAN to the LAN) is somewhat limited. Just remember that the following
examples are to get your feet wet; if you want more then I'd suggest
reading up on the subject. In this example, we will be using the
<uri link="http://luxik.cdi.cz/~devik/qos/htb/">Hierarchical Token Buckets (HTB)</uri>
packet scheduling algorithm. Still with me? Great, let's start shaping :).
</p>

<pre caption="Setup">
DEV=eth1       <comment>NIC connected to WAN</comment>
RATE_OUT=100   <comment>Available outbound bandwidth (in kilobits [kb])</comment>
RATE_IN=1400   <comment>Available inbound bandwidth (in kb)</comment>

<comment>Here we initialize the priority system. The 45 is used to set the default classification level.</comment>
ip link set dev ${DEV} qlen 30
tc qdisc add dev ${DEV} root handle 1: htb default 45
tc class add dev ${DEV} parent 1: classid 1:1 htb rate ${RATE_OUT}kbit
</pre>

<p>
Here we initialized the system which will be used to prioritize all of
our network traffic. We created our queue, told it to use the HTB
algorithm, and set the default classification level to '45'. The
default is completely arbitrary, as are the levels we choose from
here on out. The only thing that matters is how the levels compare
relatively; a level '10' packet will be given preference over a
level '45' packet. Let's move on to declaring different levels.
</p>

<pre caption="Declaring levels">
tc class add dev $DEV parent 1:1 classid 1:10 htb rate $rkbit ceil $tkbit prio $p
tc qdisc add dev $DEV parent 1:10 handle 10: sfq
</pre>
</body>
</section>
-->

<section>
<title>Time Server</title>
<body>

<p>
Keeping your system time correct is essential in maintaining a healthy system.
One of the most common ways of accomplishing this is with the Network Time
Protocol (NTP) and the ntp package (which provides implementations for both
server and client).
</p>

<p>
Many people run ntp clients on their computers. Obviously, the more clients in
the world, the larger the load the ntp servers need to shoulder. In
environments like home networks though, we can help keep the load down on
public servers while still providing the proper time to all our computers. As
an added bonus, our private updates will be a lot faster for the clients too!
All we have to do is run an ntp server on our router that synchronizes itself
with the public internet servers while providing the time to the rest of the
computers in the network. To get started, simply <c>emerge ntp</c> on the
router.
</p>

<pre caption="Setting up the NTP server">
# <i>nano /etc/conf.d/ntp-client</i>
<comment>Customize if you wish but the defaults should be fine</comment>
# <i>rc-update add ntp-client default</i>

# <i>nano /etc/ntp.conf</i>
<comment>Add the following lines:</comment>
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
<comment>The default line lets ntpd accept answers from the public servers it
syncs with while refusing configuration changes, traps, peering and status
queries from anyone; the LAN line lets clients in the 192.168.0.xxx range use
your ntp server (and query it). The firewall from the NAT chapter already
drops port 123 arriving from the WAN. Do not use 'restrict default ignore'
here: it also ignores the replies from your upstream servers, so ntpd would
never synchronize. And avoid 'notrust' on the LAN line: in ntp 4.2 and later
it means "require cryptographic authentication", which locks out your
unauthenticated LAN clients.</comment>
# <i>nano /etc/conf.d/ntpd</i>
<comment>Customize if you wish but the defaults should be fine</comment>
# <i>rc-update add ntpd default</i>

# <i>/etc/init.d/ntp-client start</i>
# <i>/etc/init.d/ntpd start</i>
</pre>

<note>
You should make sure that you allow inbound and outbound communication on the
ntp port (123/udp) from the LAN when setting up the server. The client just
needs outbound access on port 123 over udp.
</note>

<p>
Now, on your clients, have them <c>emerge ntp</c> also. However, we will just
run the ntp client so setup is a lot simpler.
</p>

<pre caption="Setting up a NTP client">
# <i>nano /etc/conf.d/ntp-client</i>
<comment>Change the 'pool.ntp.org' server in the NTPCLIENT_OPTS variable to '192.168.0.1'</comment>
# <i>rc-update add ntp-client default</i>
# <i>/etc/init.d/ntp-client start</i>
</pre>

</body>
</section>

744 |
<section> |
745 |
<title>Rsync Server</title> |
746 |
<body> |
747 |
|
748 |
<p> |
749 |
For those who run multiple Gentoo boxes on the same lan, you often want to |
750 |
keep from having every machine running <c>emerge sync</c> with remote |
751 |
servers. By setting up a local rsync, you save on both your bandwidth and |
752 |
the Gentoo rsync servers' bandwidth. It's pretty simple to do. |
753 |
</p> |
754 |
|
755 |
<note> |
756 |
For a much more in-depth rsync guide, please see the official <uri |
757 |
link="/doc/en/rsync.xml#local">rsync guide</uri>. |
758 |
</note> |
759 |
|
760 |
<p> |
761 |
Since every Gentoo machine requires rsync, theres no need to emerge it. Edit |
762 |
the default <path>/etc/rsyncd.conf</path> config file, uncomment the |
763 |
<c>[gentoo-portage]</c> section, and make sure you add an <c>address</c> |
764 |
option. All the other defaults should be fine. |
765 |
</p> |
766 |
|
767 |
<pre caption="Rsync server config"> |
768 |
pid file = /var/run/rsyncd.pid |
769 |
use chroot = yes |
770 |
read only = yes |
771 |
address = 192.168.0.1 |
772 |
|
773 |
[gentoo-portage] |
774 |
path = /mnt/space/portage |
775 |
comment = Gentoo Linux Portage tree |
776 |
exclude = /distfiles /packages |
777 |
</pre> |
778 |
|
779 |
<p> |
780 |
Then you need to start the service (again, the defaults are OK). |
781 |
</p> |
782 |
|
783 |
<pre caption="Starting the rsync server"> |
784 |
# <i>/etc/init.d/rsyncd start</i> |
785 |
# <i>rc-update add rsyncd default</i> |
786 |
</pre> |
787 |
|
788 |
<p> |
789 |
Only thing left is to set tell your clients to sync against the router. |
790 |
</p> |
791 |
|
792 |
<pre caption="Client SYNC settings in make.conf"> |
793 |
SYNC="rsync://192.168.0.1/gentoo-portage" |
794 |
</pre> |
795 |
|
796 |
</body> |
797 |
</section> |

<section>
<title>Mail Server</title>
<body>

<p>
Sometimes it's nice to run your own Simple Mail Transfer Protocol (SMTP) server
on the router. You may have your own reason for wanting to do so, but I run it
so that the users see mail as being sent instantly and the work of
retrying/routing is left up to the mail server. Some ISPs also don't allow for
mail relaying for accounts that aren't part of their network (like Verizon).
Also, you can easily throttle the delivery of mail so that large attachments
won't seriously lag your connection for half an hour.
</p>

<pre caption="Setting up SMTP">
# <i>emerge netqmail</i>
<comment>make sure the output of `hostname` is correct</comment>
# <i>emerge --config netqmail</i>
# <i>iptables -I INPUT -p tcp --dport smtp -i ! ${LAN} -j REJECT</i>
# <i>ln -s /var/qmail/supervise/qmail-send /service/qmail-send</i>
# <i>ln -s /var/qmail/supervise/qmail-smtpd /service/qmail-smtpd</i>
# <i>cd /etc/tcprules.d</i>
# <i>nano tcp.qmail-smtp</i>
<!--
# <i>cd /etc</i>
# <i>nano tcp.smtp</i>
-->
<comment>Add an entry like so to the allow section:</comment>
192.168.0.:allow,RELAYCLIENT=""
<!--
# <i>tcprules tcp.qmail-qmtp.cdb rules.tmp < tcp.qmail-smtp</i>
# <i>tcprules tcp.smtp.cdb rules.tmp < tcp.smtp</i>
-->
# <i>make</i>
# <i>rc-update add svscan default</i>
# <i>/etc/init.d/svscan start</i>
</pre>

<p>
I'm a huge fan of qmail, but you're free to use a different mta :). When you
set up e-mail on the hosts in your network, tell them that their SMTP server is
192.168.0.1 and everything should be peachy. You might want to visit the <uri
link="http://netqmail.org/">netqmail homepage</uri> for more documentation.
</p>
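The tcprules entry above is what decides who may relay through the router, and a prefix that is too broad (or a bare <c>:allow,RELAYCLIENT=""</c> catch-all) turns the box into an open relay. The following is an added check of my own, not part of the guide or of netqmail, that audits a tcprules source file against an assumed list of LAN prefixes; the sample rules it runs on are constructed here.

```shell
#!/bin/sh
# Added example, not from the guide or netqmail: audit a tcprules source file
# (the guide's /etc/tcprules.d/tcp.qmail-smtp) for entries that grant
# RELAYCLIENT to anything other than the LAN. Each rule is "prefix:allow,..."
# or "prefix:deny"; an empty prefix is the catch-all, so a line like
# ':allow,RELAYCLIENT=""' would relay mail for the whole internet.

# Assumption: the router itself (127.) and the guide's 192.168.0.0/24 LAN are
# the only networks allowed to relay.
LAN_PREFIXES="127. 192.168.0."

# check_relay_rules FILE
# Prints every offending rule; returns 0 if the file is clean, 1 otherwise.
check_relay_rules() {
    file=$1
    status=0
    while IFS= read -r line; do
        case $line in
            '' | '#'*) continue ;;           # blank line or comment
            *:allow*RELAYCLIENT*) ;;         # a rule that grants relaying
            *) continue ;;                   # deny rules or plain delivery
        esac
        prefix=${line%%:*}
        ok=0
        for p in $LAN_PREFIXES; do
            if [ "$prefix" = "$p" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then
            printf 'open relay risk: %s\n' "$line"
            status=1
        fi
    done < "$file"
    return $status
}

# Stand-alone demo on a constructed file (not a real tcprules file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# router and LAN may relay, as in the guide
127.:allow,RELAYCLIENT=""
192.168.0.:allow,RELAYCLIENT=""
# everyone else may only deliver to local users
:allow
EOF
check_relay_rules "$sample" && echo "relay restricted to the LAN"
rm -f "$sample"
```

Run it against the file after every edit and before <c>make</c> rebuilds the cdb; a non-zero exit means some rule relays for hosts outside the LAN.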

</body>
</section>

<!--
<section>
<title>E-mail Virus Scanning</title>
<body>
<p>
If you'd like to provide e-mail virus scanning for your users, but
don't want to have to install a virus scanner on every single machine,
then <c>pop3vscan</c> may just be the thing for you; a transparent
Post Office Protocol (POP) scanner.
</p>

<pre caption="Setting up pop3vscan">
TODO
</pre>

</body>
</section>
-->

<section>
<title>Full DHCP Server</title>
<body>

<p>
Earlier we used dnsmasq to provide DHCP service to all our clients. For most
people with a simple small LAN, this is perfect. But you may need something
with more features. Thus we turn to a full-featured DHCP server as provided
by the <uri link="http://www.isc.org/products/DHCP">ISC</uri> folks.
</p>

<pre caption="Setting up dhcpd">
# <i>emerge dhcp</i>
# <i>nano /etc/dhcp/dhcpd.conf</i>
<comment>(Here is a sample configuration file:)</comment>
authoritative;
ddns-update-style interim;
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.100 192.168.0.250;
    default-lease-time 259200;
    max-lease-time 518400;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.0.255;
    option routers 192.168.0.1;
    option domain-name-servers 192.168.0.1;
}
# <i>nano /etc/conf.d/dhcpd</i>
<comment>(Set IFACE="eth0")</comment>
# <i>rc-update add dhcpd default</i>
# <i>/etc/init.d/dhcpd start</i>
</pre>

<p>
This is the minimal setup required to replace the dnsmasq DHCP functionality
that we used earlier. Speaking of which, you did remember to disable the DHCP
features in dnsmasq, didn't you? If not, you should do so now (just comment
out the <c>dhcp-range</c> setting in <path>/etc/dnsmasq.conf</path> and restart
the service).
</p>

</body>
</section>

<section>
<title>Connect Another LAN (or two or three or ...)</title>
<body>

<p>
Sometimes you need to connect the router to another LAN. Maybe you
want to hook up a group of friends temporarily, or you're a neat freak and
want to section off different groups of computers, or you're just really,
really bored. Whatever the reasons, extending the router to other LAN
networks should be pretty straightforward. In the following examples, I will
assume that this new network is connected via a third ethernet card, namely
<c>eth2</c>.
</p>

<p>
First you need to configure the interface. Just take the instructions in the
<uri link="#doc_chap4_pre1">4.1 code listing</uri> and replace <c>eth0</c>
with <c>eth2</c> and <c>192.168.0</c> with <c>192.168.1</c>.
</p>

<p>
Then you need to tweak dnsmasq to service the new interface. Just edit the
<path>/etc/conf.d/dnsmasq</path> file again and append <c>-i eth2</c> to
DNSMASQ_OPTS; using <c>-i</c> multiple times is OK. Then edit
<path>/etc/dnsmasq.conf</path> and add another line like the dhcp-range line
in the <uri link="#doc_chap5_pre1">5.1 code listing</uri>, replacing
<c>192.168.0</c> with <c>192.168.1</c>. Having multiple dhcp-range lines is
OK too.
</p>

<p>
Finally, see the rules in the <uri link="#doc_chap5_pre2">5.2 code
listing</uri> and duplicate the rules that have <c>-i ${LAN}</c> in them. You
may want to create another variable, say <c>LAN2</c>, to make things easier.
</p>
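The last step is easy to get wrong by hand when the rule set grows, so here is an added shell function of my own (not the guide's script) that reads a firewall script shaped like the 5.2 listing and emits, after every rule bound to <c>-i ${LAN}</c>, the same rule for <c>${LAN2}</c> and any further LAN variables you name. The rule lines it runs on are a constructed stand-in for the guide's listing, not a copy of it.

```shell
#!/bin/sh
# Added example, not the guide's own firewall script: expand a rule set that
# only knows about ${LAN} so that every extra LAN interface variable gets a
# copy of each rule bound to "-i ${LAN}", the edit the guide asks you to make
# by hand.

# expand_lan_rules RULES_FILE VAR [VAR ...]
# Prints the original rules; after each rule containing "-i ${LAN}" it prints
# the same rule with every ${LAN} replaced by ${VAR}, once per VAR given.
expand_lan_rules() {
    rules=$1
    shift
    while IFS= read -r rule; do
        printf '%s\n' "$rule"
        case $rule in
            *'-i ${LAN}'*)
                for extra in "$@"; do
                    # [$] keeps the dollar sign literal in the sed pattern
                    printf '%s\n' "$rule" | sed "s|[\$]{LAN}|\${$extra}|g"
                done ;;
        esac
    done < "$rules"
}

# Stand-alone demo on a constructed rule file shaped like the guide's listing
# (these are sample rules, not the guide's 5.2 listing).
demo=$(mktemp)
cat > "$demo" <<'EOF'
WAN=eth1
LAN=eth0
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i ${LAN} -j ACCEPT
iptables -A FORWARD -i ${LAN} -o ${WAN} -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
EOF
echo 'LAN2=eth2'            # the extra variable the guide suggests
expand_lan_rules "$demo" LAN2
rm -f "$demo"
```

The copies inherit every permission the first LAN's rules grant, so for a segment you mean to keep apart from the first (the "section off different groups" case above) review the FORWARD rules in the output before loading it.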

</body>
</section>

</chapter>

<chapter>
<title>Troubleshooting</title>

<section>
<title>Useful Tools</title>
<body>

<p>
If you're having trouble getting your computers to communicate, you may want to
try out the following tools (they can all be found in the <c>net-analyzer</c>
portage category):
</p>

<table>
<tr>
<th>Utility</th>
<th>Description</th>
</tr>
<tr>
<ti>wireshark</ti>
<ti>GUI tool to view all raw network data according to filters</ti>
</tr>
<tr>
<ti>tcpdump</ti>
<ti>Console tool to dump all raw network data according to filters</ti>
</tr>
<tr>
<ti>iptraf</ti>
<ti>ncurses based IP LAN monitor</ti>
</tr>
<tr>
<ti>ettercap</ti>
<ti>ncurses based network monitor/control</ti>
</tr>
</table>

</body>
</section>

<section>
<title>DHCP Fails To Start</title>
<body>

<p>
When starting the dhcp init.d script for the first time, it may fail to load
but neglect to give you any useful info.
</p>

<pre caption="DHCP Failing Example">
# <i>/etc/init.d/dhcp start</i>
 * Setting ownership on dhcp.leases ... [ ok ]
 * Starting dhcpd ... [ !! ]
</pre>

<p>
The trick is to know where dhcpd is sending its output. Simply browse to
<path>/var/log</path> and read the log files. Since the exact log file depends
on the package you are using as a syslog, try running <c>grep -Rl dhcpd
/var/log</c> to narrow down the possibilities. Chances are you made a typo in
your config file. You could also try running <c>dhcpd -d -f</c> (short for
debug / foreground) and debug the error based upon the output.
</p>

</body>
</section>

<section>
<title>Incorrect MTU Value</title>
<body>

<p>
If you experience odd errors (such as not being able to access some webpages
while others load fine), you may be having Path MTU Discovery trouble. The
quick way to test is to run this iptables command:
</p>

<pre caption="Circumvent MTU issues">
# <i>iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu</i>
</pre>

<p>
This will affect all new connections, so just refresh the website you're having
problems with in order to test. In case it helps, the standard MTU value for
100mbit ethernet connections is <c>1500</c>; this value also applies to PPPoA.
For PPPoE connections it is <c>1492</c>. For more info, you should read Chapter
15 of the <uri link="http://lartc.org/howto/">Linux Advanced Routing &amp;
Traffic Control HOWTO</uri>.
</p>

</body>
</section>

<section>
<title>Unable to connect two machines directly</title>
<body>

<p>
If (for whatever reason) you want to connect two machines directly together
without a hub or switch, a regular ethernet cable will likely not work, unless
you have an Auto MDI/MDI-X (also known as "autosensing") capable network
adapter. You will need a different cable called a crossover cable. This <uri
link="http://en.wikipedia.org/wiki/Ethernet_crossover_cable">Wikipedia</uri>
page explains the low level details.
</p>

</body>
</section>

</chapter>

<chapter>
<title>Final Notes</title>
<section>
<body>

<p>
I have no final notes other than if you experience any troubles with the guide,
please contact <mail link="vapier@gentoo.org">me</mail> or file a bug with <uri
link="http://bugs.gentoo.org/">Gentoo's Bugtracking Website</uri>. If you have
some interesting bits you think would enhance this guide, by all means send it
my way for inclusion.
</p>

</body>
</section>
</chapter>
</guide>