Difference between revisions of "Router"

From ArchWiki
m (wording)
m (IP configuration : add systemd info)
(39 intermediate revisions by 16 users not shown)
Line 1: Line 1:
[[Category:Networking (English)]]
+
[[Category:Networking]]
[[Category:Security (English)]]
+
[[Category:Security]]
[[Category:HOWTOs (English)]]
+
This article is a tutorial for turning a computer into an internet gateway/router. It focuses on ''security'', since the gateway is connected directly to the Internet. It should not run '''any''' services available to the outside world. Towards the LAN, it should only run gateway specific services. It should not run httpd, ftpd, samba, nfsd, etc. as those belong on a server in the LAN as they introduce security flaws.
{{Article summary start}}
+
{{Article summary text|Provides instructions on setting up router using iptables.}}
+
{{Article summary heading|Related articles}}
+
{{Article summary wiki|iptables}}
+
{{Article summary wiki|Firewalls}}
+
{{Article summary end}}
+
This article is a tutorial for turning a computer into an internet gateway/router.
+
  
This article is focused on ''security'', since the gateway is connected directly to the Internet. It shouldn't run '''any''' services available to the outside world. Towards the LAN, it should only run gateway specific services. It should not run HTTPd, FTPd, Samba, NFSd, etc. those belong on a server on the LAN or DMZ (if you want to make these services available to the outside world) as they can introduce security flaws.
+
This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see [[Internet Share]].
 
+
This document is it not suited to set up a shared connection between 2 PCs using cross-over cables. At the conclusion of this tutorial, the server will not be usable as a ''desktop'' computer for normal use. If you are looking for a solution to share internet using a desktop computer, see [[Internet_Share|Internet share]].
+
  
 
==Hardware Requirements==
 
==Hardware Requirements==
Line 34: Line 25:
 
For security purposes, /var, /tmp and /home should be separate from the / partition. This prevents disk space from being completely used up by log files, daemons or the unprivileged user. It also allows different mount options for those partitions. If you have already partitioned your drive, the [http://gparted.sourceforge.net/ gparted livecd] can be used to resize, move, or create new partitions.
 
For security purposes, /var, /tmp and /home should be separate from the / partition. This prevents disk space from being completely used up by log files, daemons or the unprivileged user. It also allows different mount options for those partitions. If you have already partitioned your drive, the [http://gparted.sourceforge.net/ gparted livecd] can be used to resize, move, or create new partitions.
  
Your home and root partitions can be much smaller than a regular install since this isn't a desktop machine. /var should be the largest partition - it's where  databases, logs and long-term caches are stored. If you a lot of RAM, mounting /tmp as tmpfs is a good idea, so making a disk partition for it during the initial install is unnecessary.
+
Your home and root partitions can be much smaller than a regular install since this is not a desktop machine. /var should be the largest partition - it is where  databases, logs and long-term caches are stored. If you have a lot of RAM, mounting /tmp as tmpfs is a good idea, so making a disk partition for it during the initial install is unnecessary. Note that /tmp is mounted as tmpfs by default in Arch.
  
 
===Post-Installation===
 
===Post-Installation===
 +
After creation of non-root account you are recommended to install [[sudo]] and [[sudo#Disable root login|disable root login]].
  
After installation boot Arch and upgrade all the packages to their latest version:
+
==Network interface configuration==
# pacman -Syu
+
  
Install [[sudo]]:
+
===Persistent naming===
# pacman -S sudo
+
When you let udev handle loading the modules, you will notice your NIC's switch names: one boot your LAN NIC is eth0, the other boot it is eth1.
  
Now, add a normal user. Be sure to add the user to the '''wheel''' group. This will allow the user to use '''sudo'''. Logging in as root is unsafe, it is much better to use sudo.
+
To fix this problem, see [[Udev#Mixed_Up_Devices.2C_Sound.2FNetwork_Cards_Changing_Order_Each_Boot|here]].
  
After sudo is installed and configured, it's possible to lock to root account and prevent login directly to root.
+
===IP configuration===
 +
Now you will need to configure the network interfaces. The best way to do so is using [[netcfg]] profiles, instead of the regular [[network]] daemon. You will need to create two profiles.
  
# passwd -l root
+
* /etc/network.d/extern0-profile
 +
CONNECTION='ethernet'
 +
DESCRIPTION='Public Interface.'
 +
INTERFACE='extern0'
 +
IP='dhcp'
  
==Network interface configuration==
+
* /etc/network.d/intern0-profile
 +
CONNECTION='ethernet'
 +
DESCRIPTION='Private Interface.'
 +
INTERFACE='intern0'
 +
IP='static'
 +
ADDR='10.0.0.1'
 +
NETMASK='255.255.255.0'
 +
BROADCAST='10.0.0.255'
  
===Persistent naming===
+
{{Note|The example configuration above assumes a full subnet. If you are building the gateway for a small amount of people, you will want to change the netmask and broadcast to accommodate a smaller range.}}
When you let udev handle loading the modules, you'll notice your NIC's switch names: one boot your LAN NIC is eth0, the other boot it's eth1.
+
  
To fix this problem, see [[Udev#Mixed_Up_Devices.2C_Sound.2FNetwork_Cards_Changing_Order_Each_Boot|here]].
+
Next up is to set up the interfaces.
  
===IP configuration===
+
* Define the profiles in {{ic|/etc/conf.d/netcfg}}:
Open /etc/rc.conf once more and scroll down to the network config section. Here's where you define how your network cards should obtain their IP. The LAN card will have a static IP, I'm going with 10.0.0.1 because it's easy to type. I'm building a gateway for a small student home with 4 rooms so I'm keeping the subnet fairly small: 4 bits allow 16 IP's.  
+
NETWORKS=(extern0-profile intern0-profile)
 +
 
 +
* Replace the {{ic|network}} daemon with {{ic|net-profiles}} in {{ic|/etc/[[rc.conf]]}}:
 +
DAEMONS=( ... net-profiles ... )
  
16 - 3 IP's:
+
* If using [[systemd]], net-profiles.service is a symlink to netcfg.service. So you may do:
* one for the network address: 10.0.0.0
+
# systemctl enable net-profiles.service
* the gateway: 10.0.0.1
+
or if that fails:
* and the broadcast address: 10.0.0.15 leaves 13 IP's for computers on the LAN. This translates into:
+
  # systemctl enable netcfg.service
  lo="lo 127.0.0.1"
+
intern1="eth0 10.0.0.1 netmask 255.255.255.240 broadcast 10.0.0.15"
+
extern0="dhcp"
+
  
 
==ADSL connection==
 
==ADSL connection==
Using rp-pppoe, we can connect an ADSL modem to the eth1 of the firewall and have Arch manage the connection. Make sure you put the modem in ''bridged'' mode though, otherwise the modem will act as a router too.
+
Using rp-pppoe, we can connect an ADSL modem to the extern1 of the firewall and have Arch manage the connection. Make sure you put the modem in ''bridged'' mode though, otherwise the modem will act as a router too.
 
  # pacman -S rp-pppoe
 
  # pacman -S rp-pppoe
  
 
===Configuration: rp-pppoe===
 
===Configuration: rp-pppoe===
 
  /usr/sbin/pppoe-setup  
 
  /usr/sbin/pppoe-setup  
The questions are all documented. You can select "no firewall" because we'll let Shorewall / iptables handle that part.
+
The questions are all documented. You can select "no firewall" because we will let Shorewall / iptables handle that part.
 
+
There's a bug in the package, so we need to manually create a symbolic link:
+
ln -s /usr/sbin/pppd /sbin/pppd
+
 
+
Everything should be in place.
+
/etc/rc.d/adsl start
+
  
 
==DNS and DHCP==
 
==DNS and DHCP==
===dnsmasq===
+
We will use [[dnsmasq]], a DNS and DHCP daemon for the LAN. It was specifically designed for small sites.
We'll use [[dnsmasq]], a DNS and DHCP daemon for the LAN. It was specifically designed for small sites.
+
  
 
First, install '''dnsmasq''':
 
First, install '''dnsmasq''':
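Review bot: the new netcfg profile names the external card extern0 (/etc/network.d/extern0-profile, INTERFACE='extern0') while the ADSL paragraph in this same hunk and the Conventions section of the article call it extern1; one name should be used throughout so the profile, the modem instructions and the later Shorewall interface edits agree. The removed rp-pppoe lines (the pppd symlink and /etc/rc.d/adsl start) also take away the only step that brings the PPPoE link up; if the symlink workaround is obsolete, a sentence on how to start the connection should replace it.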
Line 92: Line 87:
  
 
Edit /etc/dnsmasq.conf and add the following lines
 
Edit /etc/dnsmasq.conf and add the following lines
  interface=intern1 # make dnsmasq listen for requests only on intern1 (our LAN)
+
  interface=intern0 # make dnsmasq listen for requests only on intern0 (our LAN)
 
  expand-hosts      # add a domain to simple hostnames in /etc/hosts
 
  expand-hosts      # add a domain to simple hostnames in /etc/hosts
 
  domain=foo.bar    # allow fully qualified domain names for DHCP hosts (needed when
 
  domain=foo.bar    # allow fully qualified domain names for DHCP hosts (needed when
 
                   # "expand-hosts" is used)
 
                   # "expand-hosts" is used)
  dhcp-range=10.0.0.2,10.0.0.14,255.255.255.240,1h # defines a DHCP-range for the LAN:  
+
  dhcp-range=10.0.0.2,10.0.0.255,255.255.255.0,1h # defines a DHCP-range for the LAN:  
                   # from 10.0.0.2 to .14 with a subnet mask of 255.255.255.240 and a
+
                   # from 10.0.0.2 to .255 with a subnet mask of 255.255.255.0 and a
 
                   # DHCP lease of 1 hour (change to your own preferences)
 
                   # DHCP lease of 1 hour (change to your own preferences)
  
Somewhere below, you'll notice you can also add "static" DHCP leases, i.e. assign an IP-address to the MAC-address of a computer on the LAN. This way, whenever the computer requests a new lease, it'll get the same IP. That's very useful for network servers with a DNS record. You can also deny certain MAC's from getting an IP. Evil!! ^_^
+
Somewhere below, you will notice you can also add "static" DHCP leases, i.e. assign an IP-address to the MAC-address of a computer on the LAN. This way, whenever the computer requests a new lease, it will get the same IP. That is very useful for network servers with a DNS record. You can also deny certain MAC's from obtaining an IP.
Now start dnsmasq
+
 
 +
Now start dnsmasq:
 
  # /etc/rc.d/dnsmasq start
 
  # /etc/rc.d/dnsmasq start
 
and add the daemon to the DAEMONS list in /etc/rc.conf.
 
and add the daemon to the DAEMONS list in /etc/rc.conf.
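Review bot: the new dhcp-range ends at 10.0.0.255, which is the broadcast address declared in the intern0 profile (NETMASK='255.255.255.0', BROADCAST='10.0.0.255') and cannot be leased; the old /28 version correctly stopped one below its broadcast (.14 of .15). Suggest dhcp-range=10.0.0.2,10.0.0.254,255.255.255.0,1h and ".254" in the comment.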
Line 120: Line 116:
 
Time to configure Shorewall! Open its config file in /etc/shorewall/shorewall.conf and start editing. The file is very well documented.
 
Time to configure Shorewall! Open its config file in /etc/shorewall/shorewall.conf and start editing. The file is very well documented.
 
  SUBSYSLOCK=/var/run
 
  SUBSYSLOCK=/var/run
  IP_FORWARDING=On : it's a gateway, remember! ;)
+
  IP_FORWARDING=On : it is a gateway, remember! ;)
  STARTUP_ENABLED=Yes # when you're done editing
+
  STARTUP_ENABLED=Yes # when you are done editing
  
 
After installing shorewall, run
 
After installing shorewall, run
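Review bot: the comment on the IP_FORWARDING line is introduced with ":" while the STARTUP_ENABLED line below it uses "#"; shorewall.conf takes "#" comments, so a reader pasting the first line verbatim ends up with the trailing text as part of the value. Suggest "IP_FORWARDING=On # it is a gateway, remember!".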
Line 128: Line 124:
 
Now use [http://www.shorewall.net/two-interface.htm Shorewall's guide] to set up the files correctly.
 
Now use [http://www.shorewall.net/two-interface.htm Shorewall's guide] to set up the files correctly.
  
Read the document carefully. Take special care to '''change eth0 and eth1 (or ppp0 in if you're using PPPoE where appropriate''' in your config files as the Shorewall guide uses different names for the interfaces. When you've followed it thoroughly, make the following changes:
+
Read the document carefully. Take special care to '''change eth0 and eth1 (or ppp0 in if you are using PPPoE where appropriate''' in your config files as the Shorewall guide uses different names for the interfaces. When you have followed it thoroughly, make the following changes:
 
* /etc/shorewall/interfaces : add "dhcp" to the ''loc'' line to allow computers on the LAN to make use of our DHCP server
 
* /etc/shorewall/interfaces : add "dhcp" to the ''loc'' line to allow computers on the LAN to make use of our DHCP server
 
* /etc/shorewall/rules : add
 
* /etc/shorewall/rules : add
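Review bot: the bolded clause still has an unclosed parenthesis and a stray "in" in both versions: "change eth0 and eth1 (or ppp0 in if you are using PPPoE where appropriate". Suggest "change eth0 and eth1 (or ppp0 if you are using PPPoE) where appropriate", and, since the article now uses intern0/extern1 as placeholder names, say which of the Shorewall sample's eth0/eth1 corresponds to which so the reader maps them correctly.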
Line 137: Line 133:
 
  # /etc/rc.d/shorewall start
 
  # /etc/rc.d/shorewall start
  
From here on, the Arch box is operational. Connect a hub or switch to eth0 and a computer to the LAN to test it.
+
From here on, the Arch box is operational. Connect a hub or switch to intern0 and a computer to the LAN to test it.
  
 
=====Port forwarding (DNAT)=====
 
=====Port forwarding (DNAT)=====
* /etc/shorewall/rules : here's an example for a webserver on our LAN with IP 10.0.0.85. You can reach it on port 5000 of our "external" IP.
+
* /etc/shorewall/rules : here is an example for a webserver on our LAN with IP 10.0.0.85. You can reach it on port 5000 of our "external" IP.
 
  DNAT        net        loc:10.0.0.85:80        tcp        5000
 
  DNAT        net        loc:10.0.0.85:80        tcp        5000
  
Line 155: Line 151:
 
  $ pacman -Qet
 
  $ pacman -Qet
  
Completely remove the packages you don't need along with their configuration files and dependencies:
+
Completely remove the packages you do not need along with their configuration files and dependencies:
  
 
  # pacman -Rsn package1 package2 package3
 
  # pacman -Rsn package1 package2 package3
Line 161: Line 157:
 
== Logrotate ==
 
== Logrotate ==
  
You should review the [[logrotate]] configuration to make sure the box isn't brought down by lack of diskspace due to logging.
+
You should review the [[logrotate]] configuration to make sure the box is not brought down by lack of diskspace due to logging.
  
Logrotate is installed by default, so you won't have to install it.
+
Logrotate is installed by default, so you will not have to install it.
  
 
==Optional additions==
 
==Optional additions==
 +
 +
===UPnP===
 +
The above configuration of shorewall does not include [http://en.wikipedia.org/wiki/UPnP UPnP] support. Use of [http://en.wikipedia.org/wiki/UPnP UPnP] is discouraged as it may make the gateway vulnerable to attacks from within the LAN. However, some applications such as MSN require this to function correctly.
 +
 +
Read the [http://www.shorewall.net/UPnP.html Shorewall guide on UPnP] for more information
  
 
===Remote administration===
 
===Remote administration===
Line 179: Line 180:
  
 
Then, configure shorewall or iptables to allow NTP traffic in and out.
 
Then, configure shorewall or iptables to allow NTP traffic in and out.
 
# nano /etc/shorewall/rules
 
 
NTP/ACCEPT      loc      $FW
 
NTP/ACCEPT      $FW      net
 
 
# /etc/rc.d/shorewall/restart
 
  
 
=== Content filtering ===
 
=== Content filtering ===
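Review bot: dropping the three NTP lines (NTP/ACCEPT loc $FW, NTP/ACCEPT $FW net and the shorewall restart) leaves "configure shorewall or iptables to allow NTP traffic in and out" with nothing concrete, unlike the SSH and DNAT rules elsewhere in the article; keep the two macro rules, and fix the restart command, which was written as a path (/etc/rc.d/shorewall/restart) instead of "/etc/rc.d/shorewall restart".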
Line 193: Line 187:
 
=== Traffic shaping ===
 
=== Traffic shaping ===
  
Traffic shaping is very useful, especially when you're not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there's everything in between.
+
Traffic shaping is very useful, especially when you are not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there is everything in between.
  
 
==== Traffic shaping with shorewall ====
 
==== Traffic shaping with shorewall ====
Line 199: Line 193:
 
Read [http://www.shorewall.net/traffic_shaping.htm Shorewall's Traffic Shaping/Control] guide.
 
Read [http://www.shorewall.net/traffic_shaping.htm Shorewall's Traffic Shaping/Control] guide.
  
Here's my config as an example:
+
Here is my config as an example:
* /etc/shorewall/tcdevices : here's where you define the interface you want to have shaped and its rates. I've got a ADSL connection with a 4MBit down/256KBit up profile.
+
* /etc/shorewall/tcdevices : here is where you define the interface you want to have shaped and its rates. I have got a ADSL connection with a 4MBit down/256KBit up profile.
 
  ppp0        4mbit        256kbit  
 
  ppp0        4mbit        256kbit  
* /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You'll assign each one to a type of traffic to shape.
+
* /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.
 
  # interactive traffic (ssh)
 
  # interactive traffic (ssh)
 
  ppp0            1      full    full    0
 
  ppp0            1      full    full    0
Line 217: Line 211:
 
  3      0.0.0.0/0      0.0.0.0/0      tcp    https
 
  3      0.0.0.0/0      0.0.0.0/0      tcp    https
 
  4      0.0.0.0/0      0.0.0.0/0      all
 
  4      0.0.0.0/0      0.0.0.0/0      all
I've split it up my traffic in 4 groups:  
+
I have split it up my traffic in 4 groups:  
# interactive traffic or ssh: although it takes up almost no bandwidth, it's very annoying if it lags due to leechers on the LAN. This get the highest priority.
+
# interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This get the highest priority.
# online gaming: needless to say you can't play when your ping sucks. ;)
+
# online gaming: needless to say you ca not play when your ping sucks. ;)
 
# webtraffic: can be a bit slower
 
# webtraffic: can be a bit slower
# everything else: every sort of download, they're the cause of the lag anyway.
+
# everything else: every sort of download, they are the cause of the lag anyway.
  
 
===Intrusion detection and prevention with snort===
 
===Intrusion detection and prevention with snort===
According to the site's homepage title, Snort is "the de facto standard for intrusion detection/prevention".
 
# pacman -S snort
 
 
====Snort configuration====
 
The main configuration file is {{Filename|/etc/snort/snort.conf}}.
 
 
Read it carefully, as usual it's very well documented.
 
var HOME_NET        10.0.0.0/28          # Change to the subnet of your LAN.
 
var EXTERNAL_NET    !$HOME_NET
 
var DNS_SERVERS    $HOME_NET
 
var SMTP_SERVERS    $HOME_NET            # Comment these if you're not running any servers on the LAN.
 
var HTTP_SERVERS    $HOME_NET
 
var SQL_SERVERS    $HOME_NET
 
var TELNET_SERVERS  $HOME_NET
 
var HTTP_PORTS      80
 
var SHELLCODE_PORTS !80
 
var ORACLE_PORTS    1521
 
var AIM_SERVERS    [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/
 
                      24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
 
var RULE_PATH      /etc/snort/rules
 
var HTTP_PORTS      80:5000              # For HTTPd's running on port 80 and 5000. Change appropriately
 
                                          # to the ports you are using on your LAN.
 
config detection:  search-method lowmem  # If you're using a machine "with very limited resources".
 
 
At the bottom of the file, there's a list of includes. These define which rules you want to enforce. (Un)comment as you please. You should check that the corresponding file exists, as for me, none of the rules files were present.
 
groupadd snort
 
mkdir -p /var/log/snort
 
useradd -g snort -d /var/log/snort snort
 
chown -R snort:snort /var/log/snort
 
 
{{Note|Under review -- I'm not sure about this yet.}}
 
 
Edit {{Filename|/etc/conf.d/snort}}:
 
SNORT_ARGS="-u snort -g snort -l /var/log/snort -K ascii -c /etc/snort/snort.conf -D -h 10.0.0.0/28 -A full
 
 
Replace 10.0.0.0/28 with the CIDR of your LAN.
 
 
Now Snort will run as user snort in group snort. Should improve security. The other options make it log to ''/var/log/snort'' in ASCII mode. Run ''snort -h'' to see other available options.
 
 
I've been running my router for 12 days now, and using the above snort options, I had around 120MB of logs! So I changed the -A switch to "-A none". This only logs alerts. I didn't know what to do with all the logs anyway.
 
 
=====Update the rules: Oinkmaster=====
 
If you want to be able to download Snort's latest rules, you'll need a subscription. This costs money. If you're happy enough with 5 days old rules, you just need to register for free. If you don't, the only updates you'll get are the new rules distributed with a new Snort release.
 
Go ahead and register at [https://www.snort.org/pub-bin/register.cgi Snort]. If you really don't want to register, you can use the rules from [http://www.bleedingsnort.com/ BleedingSnort.com]. They're bleeding edge, meaning they haven't been tested thoroughly.
 
 
A user has created a [http://aur.archlinux.org/packages.php?do_Details=1&ID=4314 PKGBUILD for oinkmaster].
 
 
======Oinkmaster setup======
 
Edit {{Filename|/etc/oinkmaster.conf}} and look for the URL section and uncomment the 2.4 line. Make sure to replace ''<oinkcode>'' by the Oink code you generated after logging into your Snort account. For Bleeding Snort rules, uncomment the appropriate line.
 
 
When you log into your new account, create an "Oink code".
 
Another thing to change is
 
use_external_bins===1 # 1 uses wget, tar, gzip instead of Perl modules
 
 
The rest of the config file is fine.
 
 
======Oinkmaster usage======
 
oinkmaster.pl -o /etc/snort/rules
 
  
Create an executable script with the exact command and place it in /etc/cron.daily to update the rules daily automatically.
+
See [[Snort]].
  
 
==See also==
 
==See also==
 
*[[Simple stateful firewall]]
 
*[[Simple stateful firewall]]
 
*[[Internet Share]]
 
*[[Internet Share]]
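Review bot: the contraction expansion introduced "ca not play" (should be "cannot play"), and "I have split it up my traffic" and "This get the highest priority" are ungrammatical in the new text. Replacing the Snort section with "See [[Snort]]" is reasonable, but the removed text carried the gateway-specific points (HOME_NET set to the LAN subnet, running snort as its own unprivileged user, "-A none" to keep /var/log/snort from filling /var); a one-line note on setting HOME_NET to the LAN subnet next to the link would preserve the router-specific advice.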

Revision as of 20:22, 18 November 2012

This article is a tutorial for turning a computer into an internet gateway/router. It focuses on security, since the gateway is connected directly to the Internet. It should not run any services available to the outside world. Towards the LAN, it should only run gateway-specific services. It should not run httpd, ftpd, samba, nfsd, etc.: those belong on a server in the LAN, since each of them introduces security flaws into the gateway.

This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see Internet Share.

Hardware Requirements

  • At least 1 GB of hard drive space. The base install will take up around 500MB of space and if you want to use a caching web proxy, you will need to reserve space for the cache as well.
  • At least two physical network interfaces: a gateway connects two networks with each other. You will need to be able to connect those networks to the same physical computer. One interface must connect to the external network, while the other connects to the internal network.
  • A hub, switch or UTP cable: you need a way to connect the other computers to the gateway.

Conventions

Conventions in this guide will be to use non-realistic interface names, to avoid confusion about which interface is which.

  • intern0: the network card connected to the LAN. On an actual computer it will probably have the name eth0, eth1, etc.
  • extern1: the network card connected to the external network (or WAN). It will probably have the name eth0, eth1, etc.

Installation

Note: For a full installation guide, see the Official Arch Linux Install Guide.

A fresh install of Arch Linux is the easiest to start from, as no configuration changes have been made and there is a minimal amount of packages installed. This is helpful when attempting to reduce security risk.

Partitioning

For security purposes, /var, /tmp and /home should be separate from the / partition. This prevents disk space from being completely used up by log files, daemons or the unprivileged user. It also allows different mount options for those partitions. If you have already partitioned your drive, the gparted livecd can be used to resize, move, or create new partitions.

Your home and root partitions can be much smaller than a regular install since this is not a desktop machine. /var should be the largest partition - it is where databases, logs and long-term caches are stored. If you have a lot of RAM, mounting /tmp as tmpfs is a good idea, so making a disk partition for it during the initial install is unnecessary. Note that /tmp is mounted as tmpfs by default in Arch.

Post-Installation

After creating a non-root account, it is recommended to install sudo and disable root login.

Network interface configuration

Persistent naming

When you let udev handle loading the modules, you will notice that your NICs' names can switch: one boot your LAN NIC is eth0, the next boot it is eth1.

To fix this problem, see the udev article (section "Mixed Up Devices, Sound/Network Cards Changing Order Each Boot").

IP configuration

Now you will need to configure the network interfaces. The best way to do so is using netcfg profiles, instead of the regular network daemon. You will need to create two profiles.

  • /etc/network.d/extern0-profile
CONNECTION='ethernet'
DESCRIPTION='Public Interface.'
INTERFACE='extern0'
IP='dhcp'
  • /etc/network.d/intern0-profile
CONNECTION='ethernet'
DESCRIPTION='Private Interface.'
INTERFACE='intern0'
IP='static'
ADDR='10.0.0.1'
NETMASK='255.255.255.0'
BROADCAST='10.0.0.255'
Note: The example configuration above assumes a full subnet. If you are building the gateway for a small amount of people, you will want to change the netmask and broadcast to accommodate a smaller range.

Next up is to set up the interfaces.

  • Define the profiles in /etc/conf.d/netcfg:
NETWORKS=(extern0-profile intern0-profile)
  • Replace the network daemon with net-profiles in /etc/rc.conf:
DAEMONS=( ... net-profiles ... )
  • If using systemd, net-profiles.service is a symlink to netcfg.service. So you may do:
# systemctl enable net-profiles.service

or if that fails:

# systemctl enable netcfg.service

ADSL connection

Using rp-pppoe, we can connect an ADSL modem to the extern1 interface of the firewall and have Arch manage the connection. Make sure you put the modem in bridged mode though, otherwise the modem will act as a router too.

# pacman -S rp-pppoe

Configuration: rp-pppoe

/usr/sbin/pppoe-setup 

The questions are all documented. You can select "no firewall" because we will let Shorewall / iptables handle that part.

DNS and DHCP

We will use dnsmasq, a DNS and DHCP daemon for the LAN. It was specifically designed for small sites.

First, install dnsmasq:

# pacman -S dnsmasq

Now dnsmasq needs to be configured. Edit /etc/dnsmasq.conf and add the following lines:

interface=intern0 # make dnsmasq listen for requests only on intern0 (our LAN)
expand-hosts      # add a domain to simple hostnames in /etc/hosts
domain=foo.bar    # allow fully qualified domain names for DHCP hosts (needed when
                  # "expand-hosts" is used)
dhcp-range=10.0.0.2,10.0.0.254,255.255.255.0,1h # defines a DHCP-range for the LAN:
                  # from 10.0.0.2 to .254 (10.0.0.255 is the broadcast address and cannot
                  # be leased) with a subnet mask of 255.255.255.0 and a DHCP lease of
                  # 1 hour (change to your own preferences)

Somewhere below, you will notice you can also add "static" DHCP leases, i.e. assign an IP address to the MAC address of a computer on the LAN. This way, whenever the computer requests a new lease, it will get the same IP. That is very useful for network servers with a DNS record. You can also deny certain MACs from obtaining an IP.
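The note under the intern0 profile says to shrink the netmask and broadcast for a smaller LAN, and the dhcp-range must then stay inside that subnet. As an added helper (not part of the article), the script below computes the broadcast address and the usable DHCP host range from the profile's ADDR/NETMASK pair, for the /24 used above and the /28 variant, and rejects a range that touches the network, broadcast or gateway address. It assumes the gateway is the first host of the subnet, as in the article, and needs only POSIX shell arithmetic.

```shell
#!/bin/sh
# Added example, not part of the ArchWiki article: sanity-check the
# intern0 netcfg profile (ADDR/NETMASK) against a dnsmasq dhcp-range.
# Plain POSIX shell arithmetic; no external tools are used.

# Dotted quad -> 32-bit integer.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Network address of ADDR/NETMASK (the netcfg ADDR and NETMASK values).
subnet_network() {
    int2ip $(( $(ip2int "$1") & $(ip2int "$2") ))
}

# Broadcast address: network with all host bits set.  For the article's
# /24 profile this is 10.0.0.255, for the /28 variant 10.0.0.15.
subnet_broadcast() {
    local net mask
    net=$(ip2int "$(subnet_network "$1" "$2")")
    mask=$(ip2int "$2")
    int2ip $(( net | (~mask & 0xFFFFFFFF) ))
}

# First and last address dnsmasq may hand out: skip the network address
# and the gateway (assumed to be the first host, as in the article) and
# stop one below the broadcast address.
dhcp_first() { int2ip $(( $(ip2int "$(subnet_network "$1" "$2")") + 2 )); }
dhcp_last()  { int2ip $(( $(ip2int "$(subnet_broadcast "$1" "$2")") - 1 )); }

# check_dhcp_range ADDR NETMASK RANGE_START RANGE_END
# Succeeds only if the range lies strictly inside the usable host addresses
# and does not contain the gateway address itself.
check_dhcp_range() {
    local addr net bcast lo hi
    addr=$(ip2int "$1")
    net=$(ip2int "$(subnet_network "$1" "$2")")
    bcast=$(ip2int "$(subnet_broadcast "$1" "$2")")
    lo=$(ip2int "$3"); hi=$(ip2int "$4")
    [ "$lo" -gt "$net" ] && [ "$hi" -lt "$bcast" ] && [ "$lo" -le "$hi" ] &&
        { [ "$addr" -lt "$lo" ] || [ "$addr" -gt "$hi" ]; }
}

# Demonstration with the article's /24 profile and the smaller /28 variant.
for mask in 255.255.255.0 255.255.255.240; do
    printf 'ADDR=10.0.0.1 NETMASK=%s: broadcast %s, dhcp-range %s,%s\n' \
        "$mask" "$(subnet_broadcast 10.0.0.1 "$mask")" \
        "$(dhcp_first 10.0.0.1 "$mask")" "$(dhcp_last 10.0.0.1 "$mask")"
done
# A range ending on the broadcast address is rejected.
if check_dhcp_range 10.0.0.1 255.255.255.0 10.0.0.2 10.0.0.255; then
    echo "range ok"
else
    echo "10.0.0.2,10.0.0.255 is not usable: it ends on the broadcast address"
fi
```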

Now start dnsmasq:

# /etc/rc.d/dnsmasq start

and add the daemon to the DAEMONS list in /etc/rc.conf.

Connection sharing

Time to tie the two network interfaces to each other.

iptables

Simple stateful firewall documents the setup of an iptables firewall and NAT.

Shorewall

Shorewall, an iptables frontend, can be used as an easier alternative.

# pacman -S shorewall

Shorewall configuration

Time to configure Shorewall! Open its config file in /etc/shorewall/shorewall.conf and start editing. The file is very well documented.

SUBSYSLOCK=/var/run
IP_FORWARDING=On      # it is a gateway, remember! ;)
STARTUP_ENABLED=Yes   # when you are done editing

After installing shorewall, run

$ pacman -Ql shorewall | grep Sample

to see where the sample files are. cd into the directory "two-interfaces" and copy the contents to the /etc/shorewall/ directory. Now use Shorewall's guide to set up the files correctly.

Read the document carefully. Take special care to change eth0 and eth1 (or ppp0 if you are using PPPoE) where appropriate in your config files, as the Shorewall guide uses different names for the interfaces. When you have followed it thoroughly, make the following changes:

  • /etc/shorewall/interfaces : add "dhcp" to the loc line to allow computers on the LAN to make use of our DHCP server
  • /etc/shorewall/rules : add
ACCEPT        loc        $FW        TCP      2367

but change 2367 into whatever port you have your SSH server listening on.

Finally, run

# /etc/rc.d/shorewall start

From here on, the Arch box is operational. Connect a hub or switch to intern0 and a computer to the LAN to test it.

Port forwarding (DNAT)
  • /etc/shorewall/rules : here is an example for a webserver on our LAN with IP 10.0.0.85. You can reach it on port 5000 of our "external" IP.
DNAT        net        loc:10.0.0.85:80        tcp        5000
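As an added example (not from the article or the Shorewall project), here is how the pieces above fit together in a minimal two-interface rule set using the article's intern0/extern1 placeholder names. The point is the policy file: everything from net is dropped by default, so the gateway exposes no service to the outside, and each exception (LAN-side SSH on the article's port 2367, DNS and NTP for LAN clients, the port forward to 10.0.0.85) is listed explicitly in rules. File layout and options follow Shorewall's two-interface sample; the 10.0.0.0/24 in masq assumes the intern0 profile above.

```text
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4

# /etc/shorewall/interfaces  (intern0/extern1 are the article's placeholder names)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     extern1     detect      dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc     intern0     detect      dhcp,tcpflags,nosmurfs,routefilter,logmartians

# /etc/shorewall/policy  (first match wins; nothing from net is accepted by default)
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/masq  (LAN is NATed behind the external address)
#INTERFACE  SOURCE
extern1     10.0.0.0/24

# /etc/shorewall/rules  (explicit exceptions to the policies above)
#ACTION     SOURCE  DEST                PROTO   DEST PORT(S)
ACCEPT      loc     $FW                 tcp     2367     # SSH, reachable from the LAN only
DNS/ACCEPT  loc     $FW                                  # dnsmasq answers LAN clients
NTP/ACCEPT  loc     $FW                                  # LAN clients sync to the gateway
NTP/ACCEPT  $FW     net                                  # the gateway syncs upstream
DNAT        net     loc:10.0.0.85:80    tcp     5000     # the article's port forward
```

The dhcp option on the loc interface line is what the article's "add dhcp to the loc line" step refers to; no separate rule is needed for DHCP.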

Cleanup

Now that the installation has been performed, it is necessary to remove as many packages as possible. Since we are making a gateway, keeping unneeded packages only "bloats" the system, and increases the number of security risks.

First, check for obsolete/deprecated packages (likely after a fresh install and massive series of updates):

$ pacman -Qm

Review the list of explicitly installed packages that are not dependencies and remove any that are unneeded. Having only needed packages installed is an important security consideration.

$ pacman -Qet

Completely remove the packages you do not need along with their configuration files and dependencies:

# pacman -Rsn package1 package2 package3

Logrotate

You should review the logrotate configuration to make sure the box is not brought down by lack of diskspace due to logging.

Logrotate is installed by default, so you will not have to install it.

Optional additions

UPnP

The above configuration of shorewall does not include UPnP support. Use of UPnP is discouraged as it may make the gateway vulnerable to attacks from within the LAN. However, some applications such as MSN require this to function correctly.

Read the Shorewall guide on UPnP for more information.

Remote administration

OpenSSH can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices).

Caching web proxy

See Squid or Polipo for the setup of a web proxy to speed up browsing and/or adding an extra layer of security.

Time server

To use the router as a time server, see Network Time Protocol.

Then, configure shorewall or iptables to allow NTP traffic in and out.

Content filtering

Install and configure DansGuardian if you need a content filtering solution.

Traffic shaping

Traffic shaping is very useful, especially when you are not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there is everything in between.

Traffic shaping with shorewall

Read Shorewall's Traffic Shaping/Control guide.

Here is my config as an example:

  • /etc/shorewall/tcdevices : here is where you define the interface you want to have shaped and its rates. I have an ADSL connection with a 4MBit down/256KBit up profile.
ppp0        4mbit        256kbit 
  • /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.
# interactive traffic (ssh)
ppp0            1       full    full    0
# online gaming
ppp0            2       full/2  full    5
# http
ppp0            3       full/4  full    10
# rest
ppp0            4       full/6  full    15              default
  • /etc/shorewall/tcrules : this file contains the types of traffic and the class it belongs to.
1       0.0.0.0/0       0.0.0.0/0       tcp     ssh
2       0.0.0.0/0       0.0.0.0/0       udp     27000:28000
3       0.0.0.0/0       0.0.0.0/0       tcp     http
3       0.0.0.0/0       0.0.0.0/0       tcp     https
4       0.0.0.0/0       0.0.0.0/0       all

I have split my traffic into 4 groups:

  1. interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This gets the highest priority.
  2. online gaming: needless to say you cannot play when your ping is bad. ;)
  3. web traffic: can be a bit slower.
  4. everything else: every sort of download; they are the cause of the lag anyway.

Intrusion detection and prevention with snort

See Snort.

See also