Difference between revisions of "Router: Basic"

From ArchWiki
(Replaced Defining Routes section with ethernet device settings section)
(14 intermediate revisions by 4 users not shown)
Line 1: Line 1:
[[Category:Networking (English)]]
+
[[Category:Networking]]
 +
 
 +
=DRAFT=
 +
This article is a draft. It may be more helpful/secure to use [[Router]] until this article is more complete.
 +
 
 
=Description=
 
=Description=
  
Line 10: Line 14:
 
* Gateway - Translate between protocols of the internal network and your Internet Service Provide (optional)
 
* Gateway - Translate between protocols of the internal network and your Internet Service Provide (optional)
  
=Hardware=
+
=Ethernet Devices=
  
 +
==Installation==
 
You'll need to have at least two Network Card Interfaces (NIC's) on the computer you plan to use as a router.  Once installed see that they are recognized by the kernel:
 
You'll need to have at least two Network Card Interfaces (NIC's) on the computer you plan to use as a router.  Once installed see that they are recognized by the kernel:
  
 
  ifconfig -a
 
  ifconfig -a
  
If the NIC(s) don't show up, then either 1) the kernel module (driver) will need be loaded, 2) the kernel will need to be rebuilt with support for the hardware, or 3) the kernel may not have support for the driver yet.
+
If the NIC(s) do not show up, then either 1) the kernel module (driver) will need be loaded, 2) the kernel will need to be rebuilt with support for the hardware, or 3) the kernel may not have support for the driver yet.
  
 
If there is a kernel module for you NIC, the generic Arch Linux kernel will likely have support for it.  You can add it by:
 
If there is a kernel module for you NIC, the generic Arch Linux kernel will likely have support for it.  You can add it by:
Line 24: Line 29:
 
If there is support in the kernel, but not in the Arch kernel take a look at [[Kernel Compilation with ABS]].
 
If there is support in the kernel, but not in the Arch kernel take a look at [[Kernel Compilation with ABS]].
  
==Ethernet Device Names==
+
==Names==
  
[[Udev]] is the device manager for Arch Linux and can be used to manually choose names for each ethernet device. This should be done to make sure that each physical network connection always has the same name, and also for convenience during later configuration steps. Create a Udev rule:
+
[[Udev]] is the device manager for Arch Linux and can be used to manually choose names for each ethernet device. This should be done to make sure that each physical network connection always has the same name, and also for convenience during later configuration steps.  
  
{{File|name=/etc/udev/rules.d/10-network.rules|content=<nowiki>
+
Create a Udev rule {{ic|/etc/udev/rules.d/10-network.rules}}
SUBSYSTEM=="net", ATTR{address}=="aa:bb:cc:dd:ee:ff", NAME="wan"
+
SUBSYSTEM=="net", ATTR{address}=="aa:bb:cc:dd:ee:ff", NAME="wan"
SUBSYSTEM=="net", ATTR{address}=="ff:ee:dd:cc:bb:aa", NAME="lan"
+
SUBSYSTEM=="net", ATTR{address}=="ff:ee:dd:cc:bb:aa", NAME="lan"
</nowiki>}}
+
  
 
You can easily find the address of an existing device:
 
You can easily find the address of an existing device:
Line 39: Line 43:
 
Just use the output as the second field in the rules file. Next time Udev assigns device names it will use these. This article assumes "wan" connects to the Internet and that "lan" connects to the local network.
 
Just use the output as the second field in the rules file. Next time Udev assigns device names it will use these. This article assumes "wan" connects to the Internet and that "lan" connects to the local network.
  
=Ethernet Device Settings=
+
==IP Settings==
  
Each ethernet device's IP configuration needs to be set in the system-wide configuration file.
+
Each ethernet device's IP configuration needs to be set in {{ic|/etc/rc.conf}}:
 
+
=== /etc/rc.conf ===
+
 
  wan="dhcp"
 
  wan="dhcp"
 
  lan="lan 192.168.0.0 netmask 255.255.255.0 broadcast 192.168.0.255"
 
  lan="lan 192.168.0.0 netmask 255.255.255.0 broadcast 192.168.0.255"
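Review bot: the new lan= line gives the router the address 192.168.0.0 with netmask 255.255.255.0, which is the network address of that subnet rather than a usable host address, and it does not match the gateway 192.168.0.7 that the Static-Route section of this revision hands to LAN clients; the router's lan address and the clients' default gateway should be the same host address inside 192.168.0.0/24 (for example `lan="lan 192.168.0.1 netmask 255.255.255.0 broadcast 192.168.0.255"`, with the dnsmasq dhcp-host and dhcp-range entries adjusted so they do not hand that address out).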
Line 52: Line 54:
 
=LAN Setup=
 
=LAN Setup=
  
For connecting to/from your LAN client(s), you can have to either add to the router a DHCP server (which will build the LAN client's routes for you) or define a static-route(s) manually.
+
For connecting to/from your LAN client(s), you can have to either add to the router a DHCP server (which will build the LAN client's routes for you) or define a static-route(s) manually. There might be problems is both methods are used.
  
==DHCP Server==
+
== dnsmasq ==
  
If you have a good number of LAN clients or would like dynamic IP's defined, add a DHCP server to the router. [[Dnsmasq]] is a lightweight DHCP server good for 50 or less LAN clients with a basic configurationFor a more industrial solution look at [http://www.archlinux.org/packages/extra/x86_64/dhcp/ dhcp].
+
Install dnsmasq
 +
 
 +
# pacman -S dnsmasq
 +
 
 +
Edit the dnsmasq configuration file
 +
{{ic|/etc/dnsmasq.conf}}:
 +
<pre>
 +
# Only listen to routers' LAN NICDoing so opens up tcp/udp port 53 to
 +
# localhost and udp port 67 to world:
 +
interface=lan
 +
 
 +
# dnsmasq will open tcp/udp port 53 and udp port 67 to world to help with
 +
# dynamic interfaces (assigning dynamic ips). Dnsmasq will discard world
 +
# requests to them, but the paranoid might like to close them and let the
 +
# kernel handle them:
 +
bind-interfaces
 +
 
 +
# Dynamic range of IPs to make available to LAN pc
 +
dhcp-range=192.168.0.1,192.168.0.255,12h
 +
 
 +
# If you’d like to have dnsmasq assign static IPs, bind the LAN computer's
 +
# NIC MAC address:
 +
dhcp-host=aa:bb:cc:dd:ee:ff,192.168.0.1
 +
</pre>
  
 
==Static-Route==
 
==Static-Route==
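Review bot: in the added dnsmasq configuration, `dhcp-range=192.168.0.1,192.168.0.255,12h` ends at 192.168.0.255, the broadcast address configured on lan in this same revision, so the range should stop at 192.168.0.254 at the latest and leave out the router's own address and any static assignments. Also the added sentence "There might be problems is both methods are used" should read "if both methods are used", and the context line above it runs "configuration" and "For a more industrial solution" together without a period.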
Line 66: Line 91:
 
  ROUTES=(gateway)
 
  ROUTES=(gateway)
  
=Forward Requests=
+
=IP Masquerading and Firewall=
 +
 
 +
==Kernel Settings==
  
 
The kernel will need to be told it's allowed to forward packets to/from the LAN clients:
 
The kernel will need to be told it's allowed to forward packets to/from the LAN clients:
Line 76: Line 103:
 
  net.ipv4.ip_forward=1
 
  net.ipv4.ip_forward=1
  
Redirection of packets to/from the LAN client(s) can be done with iptables.
+
==Shorewall==
 +
 
 +
Shorewall is an iptables frontend. It is easier to setup than manually defining iptables rules. shorewall is available from the AUR. These settings are based on the [http://www.shorewall.net/two-interface.htm two-interface documentation on the shorewall website].
 +
 
 +
Use the some example configuration files that come with the shorewall package
 +
 
 +
# cp /usr/share/shorewall/Samples/two-interfaces/* /etc/shorewall/
 +
 
 +
===/etc/shorewall/interfaces===
 +
 
 +
'''Change''' the interface settings to match the names used for our ethernet devices and to allow dhcp traffic on the local network. Edit {{ic|/etc/shorewall/interfaces}}
 +
 
 +
original
 +
net    eth0            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians
 +
loc    eth1            detect          tcpflags,nosmurfs,routefilter,logmartians
 +
 
 +
new
 +
net    wan            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians
 +
loc    lan            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians
 +
 
 +
===/etc/shorewall/policy===
 +
 
 +
'''Change''' the policy file to allow the router (this machine) to access the Internet. Edit {{ic|/etc/shorewall/policy}}
 +
 
 +
original
 +
<pre>
 +
###############################################################################
 +
#SOURCE        DEST            POLICY          LOG LEVEL      LIMIT:BURST
 +
 
 +
loc            net            ACCEPT
 +
net            all            DROP            info
 +
# THE FOLLOWING POLICY MUST BE LAST
 +
all            all            REJECT          info
 +
</pre>
 +
 
 +
new
 +
<pre>
 +
###############################################################################
 +
#SOURCE        DEST            POLICY          LOG LEVEL      LIMIT:BURST
 +
$FW            net            ACCEPT
 +
loc            net            ACCEPT
 +
net            all            DROP            info
 +
# THE FOLLOWING POLICY MUST BE LAST
 +
all            all            REJECT          info
 +
</pre>
 +
 
 +
===/etc/shorewall/rules===
 +
 
 +
DNS lookups are handled (actually forwarded) by dnsmasq, so shorewall needs to allow those connections. '''Add''' these lines to {{ic|/etc/shorewall/rules}}
 +
 
 +
<pre>
 +
#      Accept DNS connections from the local network to the firewall
 +
#
 +
DNS(ACCEPT)     loc              $FW
 +
</pre>
 +
 
 +
'''OPTIONAL:''' You can '''add''' these lines if you want to be able to SSH into the router from computers on the Internet
 +
 
 +
<pre>
 +
#      Accept SSH connections from the internet for administration
 +
#
 +
SSH(ACCEPT)    net            $FW
 +
</pre>
  
pacman -S iptables
+
===/etc/shorewall/shorewall.conf===
  
And add the rule:
+
When you are finished making above changes, enable shorewall by a '''change''' in it's config file {{ic|/etc/shorewall/shorewall.conf}}:
  
  iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+
original
 +
  STARTUP_ENABLED=No
  
The rule can be added permanently in <code>/etc/rc.local</code> though you'll probably want to create a bash script for it to build a firewall later. More information about firewalls can be found on [[Simple stateful firewall HOWTO]].
+
new
 +
  STARTUP_ENABLED=Yes
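Review bot: the optional `SSH(ACCEPT) net $FW` rule exposes the router's sshd to every host on the Internet; if remote administration is wanted, the text should recommend narrowing the SOURCE column to the administrator's address (Shorewall accepts a zone qualified by an address, e.g. `net:<admin-address>`) and relying on key-based authentication in sshd rather than leaving the rule wide open. Minor: "Use the some example configuration files" should be "Use the example configuration files", "easier to setup" should be "easier to set up", and "it's config file" should be "its config file".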

Revision as of 17:45, 23 April 2012


DRAFT

This article is a draft. It may be more helpful/secure to use Router until this article is more complete.

Description

This article covers the details of building a basic router that forwards connections to and from LAN client(s). A router is required in order to connect multiple machines to the Internet using a single global IP address, which is almost always the case for residential Internet access. The Arch Linux machine will fulfill several roles required to connect machines in a local network to the Internet:

  • Firewall - Block unauthorized packets but allow authorized traffic
  • IP Masquerading - Manipulate IP addresses as packets cross between internal network and Internet
  • DHCP Server - Manage IP addresses of machines in the internal network
  • DNS Server - Accept DNS lookups from local machines and forward them to the Internet
  • Gateway - Translate between protocols of the internal network and your Internet Service Provider (optional)

Ethernet Devices

Installation

You will need at least two Network Interface Cards (NICs) in the computer you plan to use as a router. Once they are installed, check that the kernel recognizes them:

ifconfig -a

If the NIC(s) do not show up, then either 1) the kernel module (driver) needs to be loaded, 2) the kernel needs to be rebuilt with support for the hardware, or 3) the kernel may not have a driver for the hardware yet.

If there is a kernel module for your NIC, the generic Arch Linux kernel will likely have support for it. You can load it with:

modprobe <device-module>

If the kernel supports the hardware but the Arch kernel does not, take a look at Kernel Compilation with ABS.

Names

Udev is the device manager for Arch Linux and can be used to manually choose names for each ethernet device. This should be done so that each physical network connection always has the same name, and for convenience during later configuration steps.

Create the Udev rule file /etc/udev/rules.d/10-network.rules:

SUBSYSTEM=="net", ATTR{address}=="aa:bb:cc:dd:ee:ff", NAME="wan"
SUBSYSTEM=="net", ATTR{address}=="ff:ee:dd:cc:bb:aa", NAME="lan"

You can easily find the address of an existing device:

udevadm info -a -p /sys/class/net/<device> | grep address

Use the reported address as the second field of the corresponding rule. The next time Udev assigns device names it will use these. This article assumes that "wan" connects to the Internet and that "lan" connects to the local network.
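Because the rest of the configuration refers to the devices only by the names chosen here, a mistake in the rules file (a mistyped MAC, the same name on two rules, or a name that the kernel already uses for its own ethN numbering) silently breaks everything that follows. The following check, added here as an example and not part of the original article, parses a rules file in the format shown above and reports such problems; the file contents and the INTERFACES list are constructed sample values matching the article, not read from the system.

```python
import re

# Constructed sample of the udev rules file the article creates and of the
# INTERFACES array from its /etc/rc.conf (assumed values, not read from disk).
UDEV_RULES = '''
# /etc/udev/rules.d/10-network.rules
SUBSYSTEM=="net", ATTR{address}=="aa:bb:cc:dd:ee:ff", NAME="wan"
SUBSYSTEM=="net", ATTR{address}=="ff:ee:dd:cc:bb:aa", NAME="lan"
'''
RC_CONF_INTERFACES = ['wan', 'lan']

MAC_RE = re.compile(r'^([0-9a-f]{2}:){5}[0-9a-f]{2}$')
RULE_RE = re.compile(r'ATTR\{address\}=="([^"]*)".*?NAME="([^"]*)"')


def parse_udev_rules(text):
    """Return (mac, name) pairs from the net-naming rules, skipping blank and comment lines."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        match = RULE_RE.search(line)
        if match:
            pairs.append((match.group(1).lower(), match.group(2)))
    return pairs


def check_udev_rules(pairs):
    """Return human-readable problems: malformed MACs, a MAC or name used twice,
    and names of the form ethN, which can collide with the kernel's own default
    names and make the rename unreliable."""
    problems = []
    seen_macs, seen_names = set(), set()
    for mac, name in pairs:
        if not MAC_RE.match(mac):
            problems.append(f'malformed MAC address {mac!r} for {name!r}')
        if mac in seen_macs:
            problems.append(f'MAC {mac} is assigned to more than one name')
        if name in seen_names:
            problems.append(f'name {name!r} is assigned to more than one MAC')
        if re.fullmatch(r'eth\d+', name):
            problems.append(f'name {name!r} collides with the kernel default ethN names')
        seen_macs.add(mac)
        seen_names.add(name)
    return problems


def undefined_interfaces(pairs, interfaces):
    """Names listed in rc.conf INTERFACES that no udev rule defines."""
    defined = {name for _, name in pairs}
    return [iface for iface in interfaces if iface not in defined]


if __name__ == '__main__':
    rules = parse_udev_rules(UDEV_RULES)
    missing = undefined_interfaces(rules, RC_CONF_INTERFACES)
    for problem in check_udev_rules(rules) + [f'interface {name!r} has no udev rule' for name in missing]:
        print(problem)
```

Run it against the real file by replacing the constants with the contents of /etc/udev/rules.d/10-network.rules and the INTERFACES array from /etc/rc.conf; an empty report means every name used later in the article maps to exactly one well-formed MAC address.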

IP Settings

Each ethernet device's IP configuration needs to be set in /etc/rc.conf:

wan="dhcp"
lan="lan 192.168.0.0 netmask 255.255.255.0 broadcast 192.168.0.255"
INTERFACES=(wan lan)

The device wan will request a dynamic IP address from the ISP. The device lan will use a static IP address. Later on, dnsmasq will be configured to grant DHCP leases to other local machines in the same subnet, i.e. with addresses in the range 192.168.0.1-192.168.0.255 (but not 192.168.0.0, because the router has that local address).

LAN Setup

For connecting to/from your LAN client(s), you have to either add a DHCP server to the router (which will build the LAN clients' routes for you) or define static route(s) on the clients manually. There might be problems if both methods are used.

dnsmasq

Install dnsmasq

# pacman -S dnsmasq

Edit the dnsmasq configuration file /etc/dnsmasq.conf:

# Only listen on the router's LAN NIC.  Doing so opens up tcp/udp port 53 to
# localhost and udp port 67 to world:
interface=lan

# dnsmasq will open tcp/udp port 53 and udp port 67 to world to help with
# dynamic interfaces (assigning dynamic ips). Dnsmasq will discard world
# requests to them, but the paranoid might like to close them and let the 
# kernel handle them:
bind-interfaces

# Dynamic range of IPs to make available to LAN pc
dhcp-range=192.168.0.1,192.168.0.255,12h

# If you’d like to have dnsmasq assign static IPs, bind the LAN computer's
# NIC MAC address:
dhcp-host=aa:bb:cc:dd:ee:ff,192.168.0.1

Static-Route

To assign a static route (for example on an Arch Linux LAN client):

eth0="eth0 192.168.0.100 netmask 255.255.255.0 broadcast 192.168.0.255"
gateway="default gw 192.168.0.7"
ROUTES=(gateway)
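The IP Settings, dnsmasq and Static-Route sections each carry part of one addressing plan: the router's lan address, the DHCP lease range, any static DHCP assignments and the gateway the clients are told to use all have to agree with each other and with the 192.168.0.0/24 subnet. The following consistency check is an added example, not part of the article; it parses the three fragments in the formats shown above (the values are constructed copies of the article's, embedded inline) and reports a host address that coincides with the subnet's network or broadcast address, a lease range that reaches the broadcast address or the router, and a client gateway that differs from the router's own address.

```python
import ipaddress

# Constructed copies of the values used in the article's configuration
# (the rc.conf lan line, the dnsmasq settings and the client's gateway).
RC_CONF_LAN = 'lan 192.168.0.0 netmask 255.255.255.0 broadcast 192.168.0.255'
DNSMASQ_CONF = '''
interface=lan
bind-interfaces
dhcp-range=192.168.0.1,192.168.0.255,12h
dhcp-host=aa:bb:cc:dd:ee:ff,192.168.0.1
'''
CLIENT_GATEWAY = '192.168.0.7'


def parse_rc_conf_iface(line):
    """Parse 'name addr netmask MASK broadcast BCAST' into (address, network, broadcast)."""
    parts = line.split()
    addr = ipaddress.IPv4Address(parts[1])
    mask = parts[parts.index('netmask') + 1]
    bcast = ipaddress.IPv4Address(parts[parts.index('broadcast') + 1])
    net = ipaddress.IPv4Network(f'{addr}/{mask}', strict=False)
    return addr, net, bcast


def parse_dnsmasq(text):
    """Collect dhcp-range (low, high) pairs and dhcp-host static addresses."""
    ranges, hosts = [], []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line.startswith('dhcp-range='):
            fields = line[len('dhcp-range='):].split(',')
            ranges.append((ipaddress.IPv4Address(fields[0]), ipaddress.IPv4Address(fields[1])))
        elif line.startswith('dhcp-host='):
            # dhcp-host mixes MACs, names and lease times; keep the field that is an address
            for field in line[len('dhcp-host='):].split(','):
                try:
                    hosts.append(ipaddress.IPv4Address(field))
                    break
                except ValueError:
                    continue
    return ranges, hosts


def check_plan(rc_line, dnsmasq_text, client_gateway):
    """Return a list of inconsistencies in the LAN addressing plan (empty when clean)."""
    router, net, bcast = parse_rc_conf_iface(rc_line)
    ranges, hosts = parse_dnsmasq(dnsmasq_text)
    gateway = ipaddress.IPv4Address(client_gateway)
    problems = []
    if router == net.network_address:
        problems.append(f'router address {router} is the network address of {net}, not a host address')
    if router == net.broadcast_address:
        problems.append(f'router address {router} is the broadcast address of {net}')
    if bcast != net.broadcast_address:
        problems.append(f'configured broadcast {bcast} differs from {net.broadcast_address} for {net}')
    for low, high in ranges:
        if low not in net or high not in net:
            problems.append(f'dhcp-range {low}-{high} is not inside {net}')
        if low <= net.broadcast_address <= high:
            problems.append(f'dhcp-range {low}-{high} includes the broadcast address {net.broadcast_address}')
        if low <= router <= high:
            problems.append(f'dhcp-range {low}-{high} includes the router address {router}')
    for host in hosts:
        if host not in net:
            problems.append(f'dhcp-host address {host} is not inside {net}')
    if gateway not in net:
        problems.append(f'client gateway {gateway} is not inside {net}')
    elif gateway != router:
        problems.append(f'client gateway {gateway} differs from the router address {router}')
    return problems


if __name__ == '__main__':
    for problem in check_plan(RC_CONF_LAN, DNSMASQ_CONF, CLIENT_GATEWAY) or ['addressing plan is consistent']:
        print(problem)
```

With the article's values the check reports three findings (the router sitting on the network address, the lease range reaching the broadcast address, and the client gateway 192.168.0.7 not matching the router's lan address); a plan that gives the router a host address, points the clients at that same address and keeps the lease range strictly inside the subnet passes cleanly.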

IP Masquerading and Firewall

Kernel Settings

The kernel will need to be told it's allowed to forward packets to/from the LAN clients:

echo 1 > /proc/sys/net/ipv4/ip_forward

To permanently set this, enable ip forwarding in /etc/sysctl.conf:

net.ipv4.ip_forward=1

Shorewall

Shorewall is an iptables frontend. It is easier to set up than manually defining iptables rules. Shorewall is available from the AUR. These settings are based on the two-interface documentation on the Shorewall website.

Start from the example configuration files that come with the shorewall package:

# cp /usr/share/shorewall/Samples/two-interfaces/* /etc/shorewall/

/etc/shorewall/interfaces

Change the interface settings to match the names used for our ethernet devices and to allow DHCP traffic on the local network. Edit /etc/shorewall/interfaces:

original

net     eth0            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc     eth1            detect          tcpflags,nosmurfs,routefilter,logmartians

new

net     wan            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc     lan            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians

/etc/shorewall/policy

Change the policy file to allow the router (this machine) itself to access the Internet. Edit /etc/shorewall/policy:

original

###############################################################################
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST

loc             net             ACCEPT
net             all             DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info

new

###############################################################################
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
$FW             net             ACCEPT
loc             net             ACCEPT
net             all             DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info

/etc/shorewall/rules

DNS lookups from the LAN are handled (actually forwarded) by dnsmasq on the router, so Shorewall needs to allow those connections. Add these lines to /etc/shorewall/rules:

#       Accept DNS connections from the local network to the firewall
#
DNS(ACCEPT)     loc              $FW

OPTIONAL: You can add these lines if you want to be able to SSH into the router from computers on the Internet:

#       Accept SSH connections from the internet for administration
#
SSH(ACCEPT)     net             $FW
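The policy and rules files together decide the fate of every new connection: Shorewall consults the rules first (first match wins) and falls back to the zone-to-zone policy, where the zone all matches any zone and the final all/all line catches everything else. The following model is an added example, not Shorewall's code or the article's, and it only covers the three columns the article uses (action, SOURCE, DEST) with the policy lines and the two rules shown above; real Shorewall rules also match protocol, ports and addresses, and the sample rules file copied earlier may contain further entries that are not modelled here. It shows why the $FW net ACCEPT line had to be added, and what the configuration does with traffic the article does not mention, such as SSH from the LAN to the router.

```python
# Constructed, simplified model of Shorewall's decision order for a new
# connection: the rules file is consulted first (first match wins), then the
# zone-to-zone policy, where the zone 'all' matches any zone. Only the three
# columns the article uses (action/macro, SOURCE, DEST) are modelled.
ORIGINAL_POLICY = [
    ('loc', 'net', 'ACCEPT'),
    ('net', 'all', 'DROP'),
    ('all', 'all', 'REJECT'),   # must be last
]
NEW_POLICY = [('$FW', 'net', 'ACCEPT')] + ORIGINAL_POLICY
RULES = [
    ('DNS', 'ACCEPT', 'loc', '$FW'),   # LAN clients may query dnsmasq on the router
    ('SSH', 'ACCEPT', 'net', '$FW'),   # optional: administration from the Internet
]


def decide(src, dst, service, rules=RULES, policy=NEW_POLICY):
    """Return (action, reason) for a connection of `service` from zone src to zone dst."""
    for macro, action, rule_src, rule_dst in rules:
        if macro == service and rule_src == src and rule_dst == dst:
            return action, f'rule {macro}({action}) {rule_src} {rule_dst}'
    for pol_src, pol_dst, action in policy:
        if pol_src in (src, 'all') and pol_dst in (dst, 'all'):
            return action, f'policy {pol_src} {pol_dst} {action}'
    raise ValueError('no policy matched; the final "all all" line is missing')


def audit(cases, rules=RULES, policy=NEW_POLICY):
    """Evaluate several (src, dst, service) triples; returns a dict keyed by the triple."""
    return {case: decide(*case, rules=rules, policy=policy) for case in cases}


CASES = [
    ('loc', '$FW', 'DNS'),    # LAN client resolving names through dnsmasq
    ('loc', '$FW', 'SSH'),    # LAN client trying to SSH into the router
    ('loc', 'net', 'HTTP'),   # LAN client browsing the Internet
    ('$FW', 'net', 'DNS'),    # dnsmasq forwarding a lookup upstream
    ('net', '$FW', 'SSH'),    # remote administration
    ('net', '$FW', 'HTTP'),   # unsolicited connection to the router
    ('net', 'loc', 'HTTP'),   # unsolicited connection to a LAN client
]

if __name__ == '__main__':
    for case, (action, reason) in audit(CASES).items():
        print(f'{case[2]:5} {case[0]:4} -> {case[1]:4}: {action:7} ({reason})')
    # The original policy has no $FW->net line, so the router's own upstream DNS
    # lookups fall through to the final REJECT; that is why '$FW net ACCEPT' is added.
    print('original policy, $FW -> net DNS:', decide('$FW', 'net', 'DNS', policy=ORIGINAL_POLICY)[0])
```

Two results are worth noticing: with the original policy the router's own upstream lookups are rejected by the final all/all line, so dnsmasq could not resolve anything for the LAN until the $FW line is added; and because the article adds no loc to $FW SSH rule, SSH from a LAN client to the router is rejected while SSH from the Internet is accepted, which is the opposite of what most home setups want and is easy to see in the audit before the configuration goes live.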

/etc/shorewall/shorewall.conf

When you are finished making the above changes, enable Shorewall by changing its configuration file /etc/shorewall/shorewall.conf:

original

STARTUP_ENABLED=No

new

STARTUP_ENABLED=Yes