LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 05-31-2003, 04:01 PM   #1
jackburton
Router


Sorry, I posted this in the wrong forum:

I am using DSL at home, and would like to use my Slack box as a router for my internet access at home, so that I can use more than 1 computer on the internet at a time. How would I go about doing this? I used to have a Linksys router but it blew up and I can't afford another router at this time. :(

Any help would be appreciated. BTW, what is a good IRC channel to hang out in to get more proficient in Linux and Slack in particular?
 
Old 06-01-2003, 02:00 PM   #2
Robert0380
Note: This is a very very very rough "howto", if you will, and may contain some
errors because I'm doing this from what I remember. I haven't set up a router in
a good month or 2 and some things have escaped me, but this should work for the most part,
I guess.


Assumptions: eth0 is connected to the internet, eth1 and eth2 are LAN NICs.


Part A: Things you need
1. A NIC for your DSL connection, and a NIC for your LAN connection.
You can go about this a couple of ways. You can have a LAN NIC for every
computer you wanna connect, or you can use 1 NIC and connect it to a hub/switch that has more connection points.
But as I gather you don't have a hub because you blew up the one you had and "can't afford another at this time".
So you may want to have a NIC for every computer you want to connect to the internet.

2. Crossover cable: You need this if you plan on connecting the computer directly to the router itself.
If you use regular straight-through cable... it won't work.

3. iptables installed - never put a computer on the internet naked.



PART B: Setting up the router

1. Give each NIC an IP address:
Code:

    ifconfig eth1 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255
    ifconfig eth2 192.168.2.1 netmask 255.255.255.0 broadcast 192.168.2.255

and so on and so forth. Note here that each NIC is ON A DIFFERENT SUBNET!!!
I suppose you can put 'em all on the same subnet, but I like to make each NIC its own
separate network personally... makes me feel good.

2. Add entries to your routing table:
Code:

    route add -net 192.168.1.0 netmask 255.255.255.0 dev eth1
    route add -net 192.168.2.0 netmask 255.255.255.0 dev eth2
    route add ....

See man route for more details on this.
          


3. Turn on IP forwarding:
Code:

    echo 1 > /proc/sys/net/ipv4/ip_forward

Note, this must be done every time the computer is rebooted; I put this line in rc.local to remedy that.
Test it out by doing a: cat /proc/sys/net/ipv4/ip_forward - you should get a 1 back. If you get
0 back then re-type the command.


If you do all this, and have NO firewall set up, you should be able to connect a computer to each interface
with crossover cables, assign them IP addresses for the subnet they are on, and ping between subnets.

PART C: Sample client setup

Let's say you have a Win2K box on the network, connected to eth1 (eth1 has IP 192.168.1.1).
Because the Win2K box is connected to eth1, it must have an IP for that subnet, so a good one is
192.168.1.100 for the Win2K box. Its default gateway would be the IP of the NIC it's connected to,
i.e. 192.168.1.1, and its DNS servers would be the DNS servers of your ISP.

If you connected a computer to the other interface then it would have an IP of 192.168.2.X, a gateway
of 192.168.2.1 and the DNS servers of your ISP.

PART D: Firewalling

I recommend iptables (netfilter) as most other stuff is just a front end to it anyway... and I've never
used the other stuff before (like Firestarter).

I'll just give you a basic set of iptables rules:

Code:

    iptables -P INPUT DROP           ### DROP EVERYTHING COMING INTO THE ROUTER
    iptables -P FORWARD DROP         ### DROP EVERYTHING WANTING TO BE FORWARDED TO ANOTHER NETWORK
    iptables -P OUTPUT ACCEPT        ### ALLOW STUFF OUT ON THE INTERNET

    ### TURN ON INTERNET CONNECTION ###
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT     #### ALLOWS ESTABLISHED CONNECTIONS TO PERSIST

    ### ALLOW SOME FORWARDING BETWEEN NETWORKS ####
    iptables -A FORWARD -s 192.168.0.0/16 -j ACCEPT                      ### ALLOW FORWARDING IF THE SOURCE IS LAN
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT   #### .... it works I guess


PART E: NATing

To set up NATing you need to consider something: is your assigned IP static or dynamic? Here are
both ways to set up NATing:

Code:

    STATIC IP WAY:
    iptables -A POSTROUTING -s 192.168.1.100 -j SNAT --to 1.2.4.5   ### 1.2.4.5 = ISP assigned address

    DYNAMIC IP WAY:
    iptables -A POSTROUTING -s 192.168.1.100 -j MASQUERADE          ### it figures out your IP for you

	


PART F: Port Forwarding

Those nice little home routers provide port forwarding... well, Linux can too, so here goes:

Code:

    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.200   ### FORWARDS HTTP requests to .1.200
    iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to 192.168.2.100   ### FORWARDS SSH requests to .2.100

iptables is so flexible you can do the port forwarding how you want; that's the gist of it though.



You will want to do all this stuff incrementally. Set up the routing without a firewall... test it. Fix any communication problems.
Then set up the firewall and test that. If you do it all at once before seeing if it works, you'll have a big mess to figure out.
If any of this is confusing (I have almost confused myself because it has taken me too long to write this) then just re-post and I'll help you
out. I made a lot of assumptions that could be dead wrong too, so if none of this helped... my bad, man... I tried.

Last edited by Robert0380; 06-01-2003 at 02:16 PM.
 
Old 06-01-2003, 02:06 PM   #3
Robert0380
Aaaahhhh, I got 2 posts mixed up!!!!! I have to edit the above post.

EDIT:

OK, I fixed it I think; I got it mixed up with another post. I had 2 different posts in my head and after a while they ran together.

Additional considerations:

Put the firewall rules in a script and have it run each time the computer reboots. I put mine in a file called lockdown.sh and added the following lines to rc.local:

Code:
    echo 1 > /proc/sys/net/ipv4/ip_forward
    sh /path/to/firewall/firewall.sh

That way every time I reboot, my firewall rules get set and IP forwarding is turned on.

Last edited by Robert0380; 06-01-2003 at 02:20 PM.
 
Old 06-03-2003, 06:20 PM   #4
jackburton
Howdy, thanks for the help. I misplaced this post myself =/

I have 2 WinXP clients, 1 Slack server with 2 NICs (eth0 and eth1), and one 5-port hub with uplink.

I did ifconfig eth1 192.168.1.1 netmask 255.255.255.0 bcast 192.168.1.255, as eth1 is the internal NIC.

I did: route add -net 192.168.1.0 netmask 255.255.255.0 dev eth1

I turned on IP forwarding.

I set both WinXP clients to an IP of 192.168.1.101/102,
subnet mask 255.255.255.0, gateway of 192.168.1.1 and the DNS servers of my ISP.

I connect on my Slack box using adsl-start (PPPoE); it gets connected, I can ping outside to yahoo.com etc. My 2 WinXP machines can ping each other as well as the gateway, but cannot ping outside of the network. My Slack box can ping both WinXP machines.

ifconfig shows:
eth0: with no ip gateway or subnet,
bcast running multicast mtu

eth1: has ip of 192.168.1.1 bcast:192.168.1.255 mask:255.255.255.0
bcast running multicasts mtu

lo: normal 127.0.0.1 mask 255.0.0.0 setup
up loopback running

ppp1: 66.143.250.yyy P-t-P 66.143.251.xxx Mask 255.255.255.255
up pointopoint running noarp multicast mtu

route -n shows:

Destination Gateway mask Flags Iface
66.143.251.xxx 0.0.0.0 255.255.255.255 UH ppp1
192.168.1.0 0.0.0.0 255.255.255.0 U eth1
127.0.0.0 0.0.0.0 255.0.0.0 U lo
0.0.0.0 66.143.251.xxx 0.0.0.0 UG ppp1

One thing I notice is I don't see eth0 when I do a route -n, which is the NIC connected to my DSL modem.

I just put the iptables, NATing, dyanddr and the forwarding in a file called /etc/rc.d/rc.firewall and added a line in rc.local to run rc.firewall at bootup. I have commented out the line in rc.local to troubleshoot the issue of me not being able to get outside with my WinXP clients. I am not sure if this is correct or not; please correct me if I am wrong as to where to put the iptables stuff.

Also I am not sure if I need to run dhcpd along with this. Basically I was totally lost but your post shed a lot of light =). I've read so many man pages and HOWTOs on everything from dhcpd to iptables to IP masquerading that they all seem to do the same thing hehehe. I'm guessing it has something to do with the gateway and eth0, but then again what do I know hehe.

Anyway, thanks for all of the help and any future help you can provide with this info.
 
Old 06-03-2003, 09:34 PM   #5
Robert0380
The NATing is definitely needed to get the 2 out on the internet. Make sure in your firewall rules you are indeed doing the NATing; for your setup the rule should look like this:
Code:
    iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -d ! 192.168.1.0/24 -j MASQUERADE
I think I fudged the rule in my 1st post and left off -t nat, sorry.


If your ISP has given you a static IP you can change the rule to:
Code:
    iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -d ! 192.168.1.0/24 -j SNAT --to ip.given.by.isp
Sorry about messing that up the 1st time.

Also, because you have a hub, you MAY not need all the forwarding stuff as long as you have ip_forward on... but I'm not 100% sure right now. If it still doesn't work, post again and I'll see what else I can come up with.

Last edited by Robert0380; 06-03-2003 at 09:37 PM.
 
Old 06-05-2003, 11:47 PM   #6
pembo13
Question:

Where do I insert these iptables rules?

Can I forward just FTP from my LAN, and would I have to turn off my FTP server which is on the machine which serves as the router?

And is there any way to somehow proxy DNS so that I can use my router's address in the DNS entry of the clients instead of my ISP's DNS servers?

Thanks a lot
 
Old 06-05-2003, 11:58 PM   #7
Robert0380
Where to put the rule
~~~~~~~~~~~~~~~~~~

Create a file called rc.firewall and put the rules in there.

Then open up /etc/rc.local and put in it the lines:

echo 1 > /proc/sys/net/ipv4/ip_forward
sh /path/to/rc.firewall


This way it will run on boot. rc.local may be empty when you open it.



The FTP question
~~~~~~~~~~~~~~~~
Yeah, you can forward just FTP. I think FTP uses 2 ports, 21 and 23 or something like that, I don't remember. All you need is the DNAT rules on the
router:

iptables -A PREROUTING -t nat -p tcp --dport <ftp port> -j DNAT --to 192.168.1.100

where <ftp port> is port 20-something, but I think you need that for 2 ports,
but I can't remember (I do know that 22 is SSH though), and 192.168.1.100
is the IP of the machine running the FTP server.

The name server question
~~~~~~~~~~~~~~~~~~~~~~
There may be a way, but I'm not aware of an easy way... you could set up a
DHCP server on the router that handed out IP addresses and with that you
can tell connected machines what the name servers are... but that's not an
easy way... it's easier to just hard code them on the separate machines unless
you have a network with hundreds of hosts.
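As an added example (not code from any post in this thread, and not Robert0380's own lockdown.sh), here is one complete rc.firewall-style script that puts together the pieces spread across the thread: the default policies and ESTABLISHED,RELATED rules from the first howto, the masquerading rule with -t nat as corrected above, and the DNAT port forwards asked about here. The interface names (ppp1 for the DSL link, as in the OP's ifconfig output, eth1 for the LAN), the 192.168.1.0/24 range, the internal hosts 192.168.1.200 and 192.168.1.100 and all the function names are assumptions made for the example. Two things it does that the rules quoted in the thread do not: it flushes both tables first, so re-running it after an edit replaces the rule set instead of appending duplicates, and it adds a FORWARD ACCEPT beside each DNAT, because with a FORWARD policy of DROP the rewritten packet is otherwise still discarded.

```shell
#!/bin/sh
# Added example (not from the thread): a complete rc.firewall-style script for a
# single-LAN Linux router. Interface names, the LAN range and the internal hosts
# that receive forwarded ports are assumptions for illustration.
WAN_IF="${WAN_IF:-ppp1}"              # DSL/PPPoE link (the OP's ifconfig shows ppp1)
LAN_IF="${LAN_IF:-eth1}"              # internal NIC
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # internal subnet
IPT="${IPT:-iptables}"                # iptables binary

# Port forwarding needs two rules, not one: the DNAT rewrites the destination,
# but with a FORWARD policy of DROP the rewritten packet is still dropped
# unless a FORWARD rule accepts it.
# Usage: port_forward_rules <proto> <port> <internal host>
port_forward_rules() {
    printf -- '-t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s\n' \
        "$WAN_IF" "$1" "$2" "$3"
    printf -- '-A FORWARD -i %s -o %s -p %s -d %s --dport %s -j ACCEPT\n' \
        "$WAN_IF" "$LAN_IF" "$1" "$3" "$2"
}

# Emit one iptables argument list per line. Keeping the rules in a function
# means they can be printed and checked without root and without touching
# the kernel; apply_rules feeds them to iptables.
firewall_rules() {
    cat <<EOF
-F
-t nat -F
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
    port_forward_rules tcp 80 192.168.1.200   # hypothetical internal web server
    port_forward_rules tcp 22 192.168.1.100   # hypothetical internal SSH host
}

# Guard against the mistake corrected in the thread: any rule touching the
# PREROUTING or POSTROUTING chains must select the nat table.
check_nat_table() {
    firewall_rules | grep -E 'PREROUTING|POSTROUTING' | grep -qv -- '-t nat' && return 1
    return 0
}

# Number of rules the script would install (spots an edit that emitted nothing).
rule_count() {
    firewall_rules | grep -c .
}

apply_rules() {
    check_nat_table || { echo "refusing to apply: NAT rule without -t nat" >&2; return 1; }
    echo 1 > /proc/sys/net/ipv4/ip_forward
    firewall_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word splitting of the rule line is intended
        $IPT $rule
    done
}

# "sh rc.firewall apply" installs the rules (from rc.local, or by hand after an
# edit); any other invocation only prints them for review.
case "${1:-show}" in
    apply) apply_rules ;;
    *)     firewall_rules ;;
esac
```

Run it as sh /path/to/rc.firewall apply from rc.local; plain sh /path/to/rc.firewall only prints the rule list, which is also what check_nat_table inspects. For FTP the DNAT alone is not the whole story: active-mode data connections are separate TCP connections, and the RELATED rule only matches them once the kernel's FTP connection-tracking helper is loaded (ip_conntrack_ftp with ip_nat_ftp on 2.4 kernels, nf_conntrack_ftp with nf_nat_ftp on later ones).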
 
Old 06-05-2003, 11:59 PM   #8
Robert0380
Oh, don't forget, the MASQUERADE rules in the 1st post are wrong because
I left off -t nat.
 
Old 06-06-2003, 08:06 AM   #9
pembo13
OK thanks, I'll be sure to give those a try.

But the FTP question was in regard to the router box also having an FTP server on it. I.e. I wanted to masquerade FTP traffic to the outside appropriately, and still accept traffic to the local FTP server. Would I have to use a different port for my FTP server or what?

And also I thought I read somewhere about specifying the protocol in the routing; is that applicable here?
 
Old 06-07-2003, 02:04 AM   #10
jackburton
Thank you so much Robert0380, I just tried your corrections to the NATing and it is working. Sorry for the delay in the post as I have not had time to try your suggestions until now. I think your post was the most down-to-earth help I have received after reading all of the man pages and HOWTOs.

Oh yeah, 1 more noob question: how do I go about restarting rc.firewall after I make changes to it? I need to add a few rules to allow Filetopia port 443 and a few other apps that I run on my Windoze machines, and up until this point when I made changes I restarted my whole server. :(

Last edited by jackburton; 06-07-2003 at 02:22 AM.
 
Old 06-07-2003, 02:21 AM   #11
Shade
Indeed- This thread should be edited and included in documentation somewhere...
Simplest how to for the *exact* project I'm working on right now...

Was having problems working the router as a hub as well, with three nics... eth0 as internet connection, and eth1 and 2 as internal network directly to pcs.

Your info rules!

-Shade
 
Old 06-07-2003, 12:48 PM   #12
Robert0380
Well, I don't use rc.firewall, I just see a lot of other people suggesting it. The way
I do mine is by putting it into a .sh file (lockdown.sh) and running mine like so:

sh /path/to/file/lockdown.sh   << this line is what is in my rc.local

and when I modify mine, I just run the command at the command line:

sh lockdown.sh

If you do it this way, you should make the very 1st line in the scripting file:

#!/bin/bash

That way when you do sh firewall.sh it will run the commands as if it were
in the bash shell (you can choose other shells and even Perl, but I use /bin/bash
and that's what I see other people using and it works).

So yeah, that's how I do mine. You may be able to run the rc.firewall file the same way.
Make it executable and try this (in the same directory as rc.firewall):

bash rc.firewall
./rc.firewall (that's a dot slash)
sh rc.firewall

and see if any of those work.
 
Old 06-10-2003, 04:43 PM   #13
jackburton
I have been configuring lockdown.sh with various rulesets and have been pretty successful. I ran into a problem in Filetopia: I can receive files incoming to my internal computers, but I cannot send out files. I figured the:

iptables -P OUTPUT ACCEPT

rule would allow anything out of my network, or do I need to add more flags to that rule?
 
Old 06-11-2003, 02:07 PM   #14
Robert0380
you need to modify the FORWARDing part.

iptables -A FORWARD -s $LANIP -j ACCEPT

or check the NAT rules (SNAT), post both here so we can take
a look.

Last edited by Robert0380; 06-11-2003 at 02:08 PM.
 
Old 06-16-2003, 05:56 AM   #15
Newblood
I did it the newbie way. I used the Shorewall firewall and set up masquerading via the Webmin module. Works for me.

http://www.webmin.com
http://www.shorewall.net

P.S.
Shorewall uses iptables. If you need to use ipchains you would use PMFirewall.
http://www.pointman.org/PMFirewall/
 
  


All times are GMT -5. The time now is 12:25 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration