If you'd like to build a router to forward connections to LAN client(s), you'll need the details of creating a basic router. A router is required in order to connect multiple machines to the Internet using a single global IP address. This is almost always the case for residential Internet access. The Arch Linux machine will fulfill several roles required to connect machines in a local network to the Internet:
- Firewall - Block unauthorized packets but allow authorized traffic
- IP Masquerading - Manipulate IP addresses as packets cross between internal network and Internet
- DHCP Server - Manage IP addresses of machines in the internal network
- DNS Server - Accept DNS lookups from local machines and forward them to the Internet
- Gateway - Translate between protocols of the internal network and your Internet Service Provider (optional)
You'll need to have at least two network interface cards (NICs) on the computer you plan to use as a router. Once installed, check that they are recognized by the kernel:
If the NIC(s) don't show up, then either 1) the kernel module (driver) will need to be loaded, 2) the kernel will need to be rebuilt with support for the hardware, or 3) the kernel may not have support for the driver yet.
If there is a kernel module for your NIC, the generic Arch Linux kernel will likely have support for it. You can add it by:
If there is support in the kernel, but not in the Arch kernel, take a look at Kernel Compilation with ABS.
Ethernet Device Names
Udev is the device manager for Arch Linux and can be used to manually choose names for each ethernet device. This should be done to make sure that each physical network connection always has the same name, and also for convenience during later configuration steps. Create a Udev rule:
You can easily find the address of an existing device:
udevadm info -a -p /sys/class/net/<device> | grep address
Just use the output as the second field in the rules file. Next time Udev assigns device names it will use these. This article assumes "wan" connects to the Internet and that "lan" connects to the local network.
Ethernet Device Settings
Each ethernet device's IP configuration needs to be set in the system-wide configuration file.
wan="dhcp"
lan="lan 192.168.0.0 netmask 255.255.255.0 broadcast 192.168.0.255"
INTERFACES=(wan lan)
The device wan will request a dynamic IP address from the ISP. The device lan will use a static IP address. Later on dnsmasq will be configured to grant DHCP leases to other local machines in the same subnet, i.e. with addresses in the range 192.168.0.1-192.168.0.255 (but not 192.168.0.0 because the router has that local address).
For connecting to/from your LAN client(s), you have to either add a DHCP server to the router (which will build the LAN clients' routes for you) or define static route(s) manually.
If you have a good number of LAN clients or would like dynamic IPs defined, add a DHCP server to the router. Dnsmasq is a lightweight DHCP server good for 50 or fewer LAN clients with a basic configuration. For a more industrial solution look at dhcp.
To assign a static route (for example on an Arch Linux LAN client):
eth0="eth0 192.168.0.100 netmask 255.255.255.0 broadcast 192.168.0.255"
gateway="default gw 192.168.0.7"
ROUTES=(gateway)
The kernel will need to be told it's allowed to forward packets to/from the LAN clients:
echo 1 > /proc/sys/net/ipv4/ip_forward
To permanently set this, enable ip forwarding in
Redirection of packets to/from the LAN client(s) can be done with iptables.
pacman -S iptables
And add the rule:
iptables -t nat -A POSTROUTING -o wan -j MASQUERADE
The rule can be added permanently in /etc/rc.local, though you'll probably want to create a bash script for it to build a firewall later. More information about firewalls can be found in the Simple stateful firewall HOWTO.
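The forwarding and masquerade steps above, collected into the kind of script the last paragraph suggests. This is an added example, not part of the original article: it uses the "wan" and "lan" device names the article assumes, goes one step beyond the single MASQUERADE rule by also restricting the FORWARD chain to LAN-initiated traffic, and its function names are illustrative.

```sh
#!/bin/sh
# Added example (not from the original article): NAT plus a restrictive
# FORWARD chain for the router. "wan" and "lan" are the device names this
# article assumes; pass other names as arguments if yours differ.

# Accept only plausible interface names (Linux limits them to 15 characters)
# so a typo or stray option is never handed to iptables.
valid_iface() {
    case "$1" in
        ""|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Print one iptables argument list per line without touching the system.
# Usage: router_rules WAN_IF LAN_IF
router_rules() {
    valid_iface "$1" && valid_iface "$2" && [ "$1" != "$2" ] || return 1
    cat <<EOF
-P FORWARD DROP
-A FORWARD -i $2 -o $1 -j ACCEPT
-A FORWARD -i $1 -o $2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-t nat -A POSTROUTING -o $1 -j MASQUERADE
EOF
}

# Enable forwarding and load the rules (needs root). Each -A rule is first
# tested with -C so that re-running the script does not append duplicates.
apply_rules() {
    rules=$(router_rules "$1" "$2") || { echo "invalid interface" >&2; return 1; }
    echo 1 > /proc/sys/net/ipv4/ip_forward
    while read -r rule; do
        # $rule and $check are left unquoted on purpose: one word per argument.
        case "$rule" in
            *"-A "*) check=$(printf '%s\n' "$rule" | sed 's/-A /-C /')
                     iptables $check 2>/dev/null || iptables $rule || return 1 ;;
            *)       iptables $rule || return 1 ;;
        esac
    done <<EOF
$rules
EOF
}

# Nothing is changed unless the script is called as: script apply [WAN] [LAN]
if [ "${1:-}" = "apply" ]; then
    apply_rules "${2:-wan}" "${3:-lan}"
fi
```

Run without arguments the script changes nothing; calling `router_rules wan lan` from a shell that has sourced it prints the rule set for review before it is applied.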