justlinux.com
Sat, 11-Feb-2012 20:08:37 GMT


Help File Library: Routing


By: Skippy
Rewrite By: Edward Taussig


Why would you need to configure your machine as a router? If you intend to use it as a Firewall, or Proxy, or as a Gateway to a cable or DSL/ADSL provider, you will need to make sure that it will function correctly as a router first.

Before beginning, you should make sure that Linux has been set up properly on the machine you intend to use as a router. Check that TCP/IP networking is installed properly by trying to ping 127.0.0.1, then check that ipchains is installed by typing "ipchains -L". (Note: the machine set up as a router for this article used a Server install of RedHat 6.2, and all networking services were installed and set up properly by the installation program.)

NOTE: If you see references to "ipfwadm" in other articles, it was the routing service in older versions of Linux, and has been replaced by ipchains.


Installing the Ethernet Cards

The first thing you need to do is install and configure the network interface cards (NICs) for use. This differs from a standard install, where you would normally only have one NIC installed. As a router, you must have two NIC cards installed (at a minimum).

First, make certain that both of your cards are supported. Check your Linux vendor's hardware compatibility list.

The easiest configuration (and one that I highly recommend) is to use two different brands of cards, each of which is supported by your Linux distribution "out of the box", i.e. with no configuration parameters needing to be set in order for the card to be recognized. Many PCI cards fall into this category. There are many inexpensive NICs readily available today (new or used), and you may save yourself a lot of headaches by purchasing two just for this purpose.

NOTE: I purchased a LinkSys EtherFast LNE100TX 10/100 card and an SMC EtherPower II 10/100 9432TX card just for this purpose, both of which were recognized and installed automatically (by RedHat 6.2) with no manual configuration needed. I've also had good luck with the DLink DFE530 cards. (Cards based on the RealTek 8139B chip also install with no problems, and very inexpensive generic cards using this chip are readily available). You can probably find any of these cards on one of the auction sites such as Ebay.

If you must use a NIC that is not directly supported by your distribution, you will need to find and install the drivers, and edit your /etc/conf.modules file to point to the specific driver for the card.

If you use two NICs of the same kind (or two that use the same driver), you may even need to recompile your kernel, but several modules now allow for multiple cards. It may be that you just need to use a boot time argument such as:

boot: linux ether=11,0x300,eth0 ether=5,0x340,eth1

This option can be made permanent so you don't have to re-enter it each time you boot. (See the LILO configuration option 'append' in the 'lilo.conf' man page.) 

NOTE: You may need to do some preparation on older ISA bus cards before installing them (or before installing Linux). I would recommend running the DOS utilities included with your card to manually configure your NIC's IO address and IRQ, choosing different IO and IRQ addresses for each card.

If your card doesn't work, you will get a message like this when you boot up:

Bringing up interface eth0 delaying eth0 initialization [failed]

The Ethernet HOWTO is also an excellent source of info:

http://www.linuxdoc.org/HOWTO/Ethernet-HOWTO.html


Now you need to configure the NIC cards in Linux.

RedHat includes a very nice utility to do this called linuxconf. This is a hierarchical menu system of configuration options. To use it, log in as root, and type: linuxconf.
First, choose NETWORKING, then CLIENT TASKS. Under here are several options. We want BASIC HOST INFORMATION.

Here, you can select a host name (which must be a fully qualified domain name). You can also select which ethernet adaptors to enable. Since we plan on using our Linux box as a router, we'll need at least two adaptors.

Now in linuxconf, we select the first interface (eth0), and check the ENABLED box. Then you specify the configuration mode: Manual, DHCP, or BOOTP.

My first adapter is connected to my internal network, and so it is manually configured with the following information filled into the following fields:

Enabled [x] 
Manual [x]

IP Address: 192.168.0.1
Netmask: 255.255.255.0
Net Device: eth0
Kernel Module: ne
IO Port: 
IRQ: 


(It doesn't matter which physical card becomes eth0 and eth1).

You can really use _any_ IP scheme you want, although most folks will tell you to use 192.168.XXX.XXX. Netmask is your TCP/IP subnet mask.

The standard address for a Gateway interface to the internal network usually ends in ".0.1".

The Net Device is the interface name that Linux will use to communicate with this device. They are generally named "eth0" for the first one, "eth1" for the second one, etc etc. 

Note: If Linux recognizes your NIC, you won't need to bother with the following two options:
Kernel Module is the module that will load that provides your kernel with information about this device.
IO port and IRQ are the hardware information for your card. If you use a PCI card, these items will not be filled in.

Now we repeat the same process for the second card. Check the ENABLED box, and then specify the particulars: 

The second NIC will be the "Gateway" interface to the external network (i.e. the Internet). If you have been given a Static IP from your ISP, or if you are using a DSL modem/router that has a gateway IP address, then use that address.

If your second NIC is connected to a cable or DSL modem or router, and it gets its configuration through DHCP, then check the DHCP box in linuxconf for this NIC. You don't enter an IP Address or Netmask in this case.

If your second NIC is connected to another Gateway (i.e. a cable or DSL modem or router) which provides a "Gateway IP address" (or if you've just been given a single IP address by your ISP), then check the MANUAL box for this NIC.
You can give your second NIC (eth1) any valid IP address within your chosen range (e.g. 192.168.0.2 to 192.168.0.254), but you will also have to configure networking to recognize the Gateway IP address of your modem/router. Under NETWORKING -> CLIENT TASKS, choose the menu option ROUTERS AND GATEWAYS and enter the IP address of your cable or DSL modem/router as the Default Gateway, and check the "Enable Routing" box.


Now we need to tell Linux how to communicate with the external network.

Select ACCEPT from the BASIC HOST CONFIGURATION screen, and scroll down to the next item: NAME SERVER SPECIFICATION (DNS). Check DNS USAGE, telling Linux that it needs DNS (Domain Name System - the process by which internet names are translated into internet IP addresses). You need to specify at least one nameserver. So far as I know, any legal nameserver will work. Your ISP should have two. Mine are 204.210.252.252 and 204.210.252.250.

Select ACCEPT. Select Quit, and linuxconf will prompt you to activate the changes. Say yes.

Well, we're almost set, except if you're using DHCP, you need to make sure that Red Hat knows how to get IP addresses using DHCP. This is done with the DHCPCD (DHCP Client Daemon). On my Red Hat CD, it's an RPM in /mnt/cdrom/RedHat/RPMS/dhcpcd-0.70-2.i386.rpm. So cd to that directory and type rpm --install dhcpcd-0.70-2.i386.rpm and it's installed.

At this point reboot your system:
     reboot now or shutdown -Fr now.

When your system comes back online, you should see the networking information being displayed during the boot process. Here's what mine looks like:

tulip.c:v0.91g-ppc 7/16/99 becker@cesdis.gsfc.nasa.gov
eth0: Lite-On 82c168 PNIC rev 32 at 0xff00, 00:A0:CC:26:9B:F9, IRQ 9.
eth0: MII transceiver #1 config 3100 status 7829 advertising 01e1.
epic100.c:v1.04 8/23/98 Donald Becker http://cesdis.gsfc.nasa.gov/linux/drivers/epic100.html
eth1: SMC EPIC/100 at 0xfe00, IRQ 9, 00:e0:29:1f:f9:e5.
eth1: MII transceiver #3 control 3000 status 7809.
eth1: Autonegotiation advertising 01e1 link partner 0001.

Now try entering the following command: ifconfig -a
That will tell you if both of your Ethernet cards are operating properly.


Make the connection.

Now make sure your cables are connected properly.
Connect your first adapter (eth0) directly to the network card of your client machine, -or- connect it to a hub, and also connect the client machine to the hub.
NOTE: This is not an "uplink" connection: if you connect your NIC card to a hub, the cable must go into one of the standard slots, not the "uplink" slot.
(The client machine also connects to a standard slot, of course.)


Now set up your clients to use your new router.

Give your clients an IP address in the range 192.168.0.2 thru 192.168.0.254 (don't use .0.1 or .0.255 or any address you've used for your second NIC, eth1).

(You could set up a DHCP server on your router to provide IP addresses to your internal machines, but that's beyond the scope of this article.)

Just configure your clients to use the internal interface on your Linux box as their default gateway (in this case, it would be: 192.168.0.1), and supply them with DNS name servers (probably the same two you used for your Linux machine!)


Test the connections.

Now log in as root, and make sure the following connections work:

  1. From your new router, try to ping an address on the internet, for example, ping www.justlinux.com
  2. From your new router, try to ping the client machine (after configuring the client to use your new router as its gateway as shown above).
  3. From your client machine, try to ping the router's gateway address (e.g. 192.168.0.1).

If you get a valid response to all three, then you are ready to set up the router to allow connections between your clients and the internet.


Now setup Routing

Now it's time to configure the routing function. This is done with an extremely powerful tool called ipchains.
ipchains uses rules to tell your system what kind of traffic is allowed, and in what direction. It's quite complex in its entirety, but we only need a few rules:

echo "1" > /proc/sys/net/ipv4/ip_forward        # turn on IP forwarding in the kernel
ipchains -F                                     # flush any existing rules
ipchains -P forward DENY                        # default: forward nothing unless a rule allows it
ipchains -A forward -j MASQ -s 192.168.0.0/24 -d 0.0.0.0/0   # masquerade the internal network to anywhere


Now test the Routing

From your client machine, try to ping an address on the internet, for example, ping www.justlinux.com. You should get some responses if everything went right. If everything looks okay, then:

Make the changes permanent.

Edit /etc/rc.d/rc.local and put the same four lines in it. Now every time you boot, IP forwarding will start, and your machine is now a router!

echo "1" > /proc/sys/net/ipv4/ip_forward
ipchains -F
ipchains -P forward DENY
ipchains -A forward -j MASQ -s 192.168.0.0/24 -d 0.0.0.0/0
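Once those four lines are in rc.local, it is worth having a way to confirm after each boot that the router still forwards only what you intended. The script below is an added example, not part of the original article: it checks that ip_forward is on and that the forward chain has the DENY policy plus the MASQ rule for the 192.168.0.0/24 network. The script name router-check.sh, the INTERNAL_NET variable and the "ipchains -L forward -n" output layout in the constructed samples are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: a post-boot check that the
# router still has the forwarding setup from the four rc.local lines above.
# Assumptions: the article's 192.168.0.0/24 internal network, and the
# "ipchains -L forward -n" output layout shown in the constructed samples.

INTERNAL_NET="192.168.0.0/24"

# True when the kernel forwards packets: the ip_forward file holds "1".
# The path argument exists so the check can be run against a test file.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Reads "ipchains -L forward -n" output on stdin. Succeeds only if the
# default policy is DENY (nothing is forwarded unless a rule allows it)
# AND a MASQ rule exists for the internal network (so client traffic is
# rewritten to the router's external address and replies find their way back).
forward_chain_ok() {
    awk -v net="$INTERNAL_NET" '
        /^Chain forward \(policy DENY\):/ { deny = 1 }
        $1 == "MASQ" && $4 == net         { masq = 1 }
        END { exit !(deny && masq) }'
}

# Constructed samples of ipchains -L output: one matching the article's
# rules, one where the chain was flushed and left with an open policy.
SAMPLE_GOOD='Chain forward (policy DENY):
target     prot opt     source                destination           ports
MASQ       all  ------  192.168.0.0/24       0.0.0.0/0             n/a'
SAMPLE_OPEN='Chain forward (policy ACCEPT):
target     prot opt     source                destination           ports'

# Feed a saved listing (string) to the checker.
check_listing() {
    printf '%s\n' "$1" | forward_chain_ok
}

# Run against the live machine only when invoked as: sh router-check.sh live
if [ "${1:-}" = "live" ]; then
    if forwarding_enabled && ipchains -L forward -n | forward_chain_ok; then
        echo "router forwarding configuration OK"
    else
        echo "router forwarding configuration NOT as expected" >&2
        exit 1
    fi
fi
```

Run it with the "live" argument on the router itself; without an argument it only defines the checks, so the constructed samples can be tested on any machine.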


Security

Congratulations!
You have now completed the first step in using a Linux box as a router. If you intend to use it to permanently connect the machines on your internal network to the internet, there is much more you will need to do in order to protect both your router and your internal network from intrusion or attack from the internet. You will need to disable any non-essential services on your new router that are usually started by default at bootup, and to add more firewall rules (using ipchains) to provide greater protection, and perhaps to add rules to enable the use of certain services (e.g. http or ftp).
This is beyond the scope of this article, but further info can be found at:

http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html