Note: This is a very very very rough "howto" if you will, and may contain some
errors because I'm doing this from what I remember. I haven't set up a router in
a good month or 2 and some things have escaped me, but this should work for the most part
I guess.
Assumptions: eth0 is connected to the internet, eth1 and eth2 are LAN NICs.
Part A: Things you need
1. A NIC for your DSL connection, and a NIC for your LAN connection.
You can go about this a couple of ways. You can have a LAN NIC for every
computer you want to connect, or you can use 1 NIC and connect it to a hub/switch that has more connection points.
But as I gather you don't have a hub because you blew up the one you had and "can't afford another at this time".
So you may want to have a NIC for every computer you want to connect to the internet.
2. Crossover cable: You need this if you plan on connecting the computer directly to the router itself.
If you use regular straight-through cable... it won't work.
3. Iptables installed - never put a computer on the internet naked.
PART B: Setting up the router
1. Give each NIC an ip address:
Code:
ifconfig eth1 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255
ifconfig eth2 192.168.2.1 netmask 255.255.255.0 broadcast 192.168.2.255
and so on and so forth. Note here that each NIC is ON A DIFFERENT SUBNET!!!
I suppose you can put them all on the same subnet, but I like to make each NIC its own
separate network personally... makes me feel good.
2. Add entries to your routing table:
Code:
route add -net 192.168.1.0 netmask 255.255.255.0 dev eth1
route add -net 192.168.2.0 netmask 255.255.255.0 dev eth2
route add ....
See man route for more details on this.
3. Turn on ipforwarding:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
Note, this must be done every time the computer is rebooted; I put this line in rc.local to remedy that.
Test it out by doing a: cat /proc/sys/net/ipv4/ip_forward - you should get a 1 back. If you get
0 back then re-type the command.
If you do all this, and have NO firewall set up, you should be able to connect a computer to each interface
with crossover cables, assign them IP addresses for the subnet they are on, and ping between subnets.
PART C: Sample client setup
Let's say you have a win2K box on the network, connected to eth1 (eth1 has IP 192.168.1.1).
Because the win2k box is connected to eth1, it must have an IP for that subnet. So a good one is
192.168.1.100 for the win2k box, its default gateway would be the IP of the NIC its connected to
i.e. 192.168.1.1 and its DNS servers would be the DNS servers of your ISP.
If you connected a computer to the other interface then it would have an ip of 192.168.2.X gateway
of 192.168.2.1 and DNS servers of your ISP.
PART D: Firewalling
I recommend iptables (netfilter) as most other stuff is just a front end to it anyway... and I've never
used the other stuff before (like firestarter).
I'll just give you a basic set of iptables rules:
Code:
iptables -P INPUT DROP ### DROP EVERYTHING COMING INTO THE ROUTER
iptables -P FORWARD DROP ### DROP EVERYTHING WANTING TO BE FORWARDED TO ANOTHER NETWORK
iptables -P OUTPUT ACCEPT ### ALLOW STUFF OUT ON THE INTERNET
### TURN ON INTERNET CONNECTION ###
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #### ALLOWS ESTABLISHED CONNECTIONS TO PERSIST
### ALLOW SOME FORWARDING BETWEEN NETWORKS ####
iptables -A FORWARD -s 192.168.0.0/16 -j ACCEPT ### ALLOW FORWARDING IF THE SOURCE IS LAN
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT #### .... it works i guess
PART E: Nating
To set up NATing you need to consider something: is your assigned IP static or dynamic? Here are
both ways to set up NATing:
Code:
STATIC IP WAY:
iptables -t nat -A POSTROUTING -s 192.168.1.100 -j SNAT --to-source 1.2.4.5 ### 1.2.4.5 = isp assigned address
DYNAMIC IP WAY:
iptables -t nat -A POSTROUTING -s 192.168.1.100 -j MASQUERADE ### it figures out your ip for you
PART F: Port Forwarding
Those nice little home routers provide port forwarding...well Linux can too so here goes
Code:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.200 ### FORWARDS HTTP requests to .1.200
iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination 192.168.2.100 ### FORWARDS SSH requests to .2.100
Iptables is so flexible you can do the port forwarding how you want; that's the gist of it though.
You will want to do all this stuff incrementally. Set up the routing without a firewall... test it. Fix any communication problems.
Then set up the firewall and test that. If you do it all at once before seeing if it works, you'll have a big mess to figure out.
If any of this is confusing (I have almost confused myself because it has taken me too long to write this) then just re-post and I'll help you
out. I made a lot of assumptions that could be dead wrong too, so if none of this helped... my bad man... I tried.
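The whole procedure from Parts B through F in one script, as an added example that is not the poster's own code: it assumes WAN=eth0, LANS="eth1 eth2" and WEB=192.168.1.200 (the HTTP host from Part F), puts the SNAT/DNAT rules in the nat table, and keys forwarding on the ingress NIC instead of the source address. It only prints the commands unless APPLY=1 is set, so the rule set can be reviewed before it touches the box.

```shell
#!/bin/sh
# Added example, not the original poster's script. Assumed names: WAN=eth0,
# LANS="eth1 eth2", WEB=192.168.1.200 (the web host from Part F). Commands are
# printed unless APPLY=1 is set, so the rule set can be reviewed first.
WAN="${WAN:-eth0}"
LANS="${LANS:-eth1 eth2}"
WEB="${WEB:-192.168.1.200}"

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }
ipt() { run iptables "$@"; }

router_rules() {
    # Part B step 3: without forwarding enabled the FORWARD chain never sees a packet.
    run sysctl -w net.ipv4.ip_forward=1
    # Part D: default-deny on INPUT and FORWARD, allow replies to what we started.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT   # not in the post; INPUT DROP otherwise kills localhost
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Tighter than "-s 192.168.0.0/16": match the NIC the packet came in on, so a
    # packet arriving on eth0 with a forged 192.168.x.x source is not forwarded.
    for lan in $LANS; do
        ipt -A FORWARD -i "$lan" -j ACCEPT
    done
    # Part E: SNAT/MASQUERADE live in the nat table (-t nat) and are bound to the
    # outgoing WAN NIC, so traffic between eth1 and eth2 is not rewritten.
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    # Part F: DNAT also needs -t nat, plus a FORWARD rule for the translated
    # packet, which the default-deny FORWARD policy would otherwise drop.
    ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$WEB"
    ipt -A FORWARD -i "$WAN" -p tcp -d "$WEB" --dport 80 -m state --state NEW -j ACCEPT
}

router_rules
```

Run it once without APPLY to read the rules, then with APPLY=1 as root once the routing from Part B has been tested on its own.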