
#1 2006-03-31 07:53:18

FUBAR
Member
From: Belgium
Registered: 2004-12-08
Posts: 1,029
Website

[Wiki in progress] ArchLinux as a router/NAT - feedback req

I'm writing a Wiki page on how to set up ArchLinux as a router / NAT. I've got a box I'm turning into one, so I'm trying to write all the steps I do/did down for future reference.

I have little experience with Linux networking, I can get a NIC to get an IP and that's about it. So I'm mostly using documentation I found googling around and on wikis from other (-ugh ugh- Gentoo -ugh ugh-) distributions.

I'd appreciate it if someone would review what I've got so far (everything up until building a custom kernel!! lol ) and tell me if it's accurate.

Once I've got my router working, I'm even planning on writing a few helper scripts and maybe even make a specific router repo. But first things first: the installation and configuration of the router.

Any input will be greatly appreciated!


A bus station is where a bus stops.
A train station is where a train stops.
On my desk I have a workstation.

Offline

#2 2006-03-31 15:53:01

marcob
Member
From: B-town USA
Registered: 2004-11-10
Posts: 38
Website

Re: [Wiki in progress] ArchLinux as a router/NAT - feedback req

I doubt I can offer much help, but I'm very much interested in this, so good luck to you and thanks for your efforts!

Offline

#3 2006-03-31 16:55:30

FUBAR
Member
From: Belgium
Registered: 2004-12-08
Posts: 1,029
Website

Re: [Wiki in progress] ArchLinux as a router/NAT - feedback req

I'd appreciate it if you follow my Wiki page and tell me what did and didn't work out. :)

[edit]
Once I finished it, of course
[/edit]



Offline

#4 2006-03-31 18:14:37

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622
Website

Re: [Wiki in progress] ArchLinux as a router/NAT - feedback req

one thing I noticed..
you might want to use sysctl to enable forwarding of packets.. not sure if the kernel compilation alone is enough, or if you need the sysctl option as well. I always have the sysctl option..and I honestly haven't tried it without it lately. o.O

If you meant a nat'ing firewall, and not a router, then you of course don't need that option.

Technically, a router and a nat firewall are not the same thing. ;)

EDIT: Based on your wiki entry, it appears you meant a nat-firewall, as you are putting a dns cacher on it as well.

cheers.


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline
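
Added example, not part of any post in this thread: on Linux, IPv4 forwarding is switched at runtime by the `net.ipv4.ip_forward` sysctl, so a router build needs the flag set now and persisted for the next boot. The script compares the live value with the last value assigned in a sysctl.conf-style file; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: names and the sample file below are constructed.

# Live flag: 1 = kernel forwards IPv4 packets between interfaces, 0 = it does not.
runtime_ip_forward() {
    cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null || echo unknown
}

# Last value assigned to net.ipv4.ip_forward in a sysctl.conf-style file, or
# "unset". Skips "#"/";" comments, tolerates spaces around "=", and accepts
# the slash key form (net/ipv4/ip_forward).
persisted_ip_forward() {
    awk '
        /^[ \t]*[#;]/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/\//, ".", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "net.ipv4.ip_forward") last = val
        }
        END { print (last == "" ? "unset" : last) }
    ' "$1"
}

forwarding_state() {
    case "$1:$2" in
        unknown:*) echo "runtime state unknown" ;;
        1:1) echo "forwarding on, persisted" ;;
        1:*) echo "forwarding on, lost at reboot" ;;
        0:1) echo "forwarding off now, on after reboot" ;;
        *)   echo "forwarding off" ;;
    esac
}

# Constructed sample: the later slash-form line overrides the earlier 0.
sample_conf() {
    printf '%s\n' '# constructed sysctl.conf' 'net.ipv4.ip_forward = 0' \
        '; net.ipv4.ip_forward = 1' 'kernel.sysrq=0' 'net/ipv4/ip_forward=1'
}

conf=$(mktemp)
sample_conf > "$conf"
forwarding_state "$(runtime_ip_forward)" "$(persisted_ip_forward "$conf")"
rm -f "$conf"
```
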

#5 2006-03-31 21:58:33

FUBAR
Member
From: Belgium
Registered: 2004-12-08
Posts: 1,029
Website

Re: [Wiki in progress] ArchLinux as a router/NAT - feedback req

Done. Valid point, cactus.



Offline

#6 2006-03-31 22:06:28

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622
Website

Re: [Wiki in progress] ArchLinux as a router/NAT - feedback req

good wiki so far. A definite valuable venture for sure. I can envision many people using this wiki as a very good jumping off point for nat'ing their infrastructure.

I want to work on routifying arch at some point. A very lean mean install that can run from a flash drive or a bootable biz card, that can just be rebooted when needed...mostly for internal routing work. Slap in a grip of nic cards into some random box, and "w00t: router with ACL"
;)



Offline

#7 2006-04-01 01:49:53

syamajala
Member
From: here, there, everywhere
Registered: 2005-01-25
Posts: 617
Website

Re: [Wiki in progress] ArchLinux as a router/NAT - feedback req

cactus: that would be nice. especially if it did cool things like traffic shaping and wireless routing.

Offline

#8 2006-04-04 15:45:45

marcob
Member
From: B-town USA
Registered: 2004-11-10
Posts: 38
Website

Re: [Wiki in progress] ArchLinux as a router/NAT - feedback req

FUBAR wrote:

I'd appreciate it if you follow my Wiki page and tell me what did and didn't work out. :)

[edit]
Once I finished it, of course
[/edit]

Will do!

Offline

#9 2006-04-04 17:48:43

tpowa
Developer
From: Lauingen , Germany
Registered: 2004-04-05
Posts: 2,322

Re: [Wiki in progress] ArchLinux as a router/NAT - feedback req

one little thing, what is missing in the standard kernel?
i mean it should be possible to build a router with standard kernel too.

Offline

#10 2006-04-04 20:22:30

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622
Website

Re: [Wiki in progress] ArchLinux as a router/NAT - feedback req

It should indeed be the case. I was just not sure if routing was built as a module, or if it was built in.

For routing, I generally like to build a very streamlined kernel for performance and size considerations.



Offline

#11 2006-04-05 01:19:09

Cam
Member
From: Brisbane, Aus
Registered: 2004-12-21
Posts: 658
Website

Re: [Wiki in progress] ArchLinux as a router/NAT - feedback req

tpowa wrote:

one little thing, what is missing in the standard kernel?
i mean it should be possible to build a router with standard kernel too.

Nothing is missing. I just spent last night/this morning setting up an old 800MHz as a router here off the stock kernel. It's a bit more than a router (proxy, mail server etc) but the routing part works great running 2.6.16-ARCH.

I suck at networking so now I'm off to try and set up DHCP... :( Wish me luck..

Offline

#12 2006-04-05 09:55:17

FUBAR
Member
From: Belgium
Registered: 2004-12-08
Posts: 1,029
Website

Re: [Wiki in progress] ArchLinux as a router/NAT - feedback req

tpowa wrote:

one little thing, what is missing in the standard kernel?
i mean it should be possible to build a router with standard kernel too.

I don't know, I never use stock kernels. But as cactus mentioned, I like a small modularized kernel without unneeded options, especially for a router.

I also don't think you'll want to upgrade your kernel anytime you run pacman -Syu, just when it's necessary for security reasons. A new kernel requires a reboot and might introduce instability or security flaws.



Offline

#13 2006-04-15 10:34:10

FUBAR
Member
From: Belgium
Registered: 2004-12-08
Posts: 1,029
Website

Re: [Wiki in progress] ArchLinux as a router/NAT - feedback req

Just a little update: I've set up shorewall, Squid and DansGuardian and they're all working! It's amazing how easy this stuff is if you just stick to the documentation. ^_^

I don't know what else I can install on the box to make it more secure and / or powerful. Any tips?



Offline

#14 2006-04-19 10:58:33

FUBAR
Member
From: Belgium
Registered: 2004-12-08
Posts: 1,029
Website

Re: [Wiki in progress] ArchLinux as a router/NAT - feedback req

This thing keeps on growing. So large even that MediaWiki started complaining! :D

I've split it up:

NAT'ing firewall - Share your broadband connection
NAT'ing firewall - Adding advanced features


Tonight I'm going to install Snort. Maybe even Tripwire and grsec once I figure out what they do.



Offline

#15 2006-04-20 05:10:54

sud_crow
Member
From: Argentina
Registered: 2003-06-30
Posts: 546
Website

Re: [Wiki in progress] ArchLinux as a router/NAT - feedback req

Hi Fubar!

Great doc, i added this a couple of days ago as a notice:

NOTE: This document's purpose is to set up a box exclusively as a gateway/router, this means that it's not suited (although it could be adapted or used partially) to set up a shared connection between 2 (two) 'desktop' PCs using cross-over cables, as the PC where this document applies will be turned into a 'server', not having the desktop applications necessary for normal use, and should be connected to a hub/switch.

Just in case someone wanting to share his internet connection between 2 pcs started following your guide... check it in case you don't feel it should be there or you like other way to express it.

I may translate it when i have the time to publish it in the Hispanic Arch Community Site it will make a fine addition.

Thanks again.


Leonardo Andrés Gallego
www.archlinux-es.org || Comunidad Hispana de Arch Linux

Offline

#16 2006-04-20 07:58:57

FUBAR
Member
From: Belgium
Registered: 2004-12-08
Posts: 1,029
Website

Re: [Wiki in progress] ArchLinux as a router/NAT - feedback req

sud_crow wrote:

Hi Fubar!

Great doc, i added this a couple of days ago as a notice:

NOTE: This document's purpose is to set up a box exclusively as a gateway/router, this means that it's not suited (although it could be adapted or used partially) to set up a shared connection between 2 (two) 'desktop' PCs using cross-over cables, as the PC where this document applies will be turned into a 'server', not having the desktop applications necessary for normal use, and should be connected to a hub/switch.

Just in case someone wanting to share his internet connection between 2 pcs started following your guide... check it in case you don't feel it should be there or you like other way to express it.

I may translate it when i have the time to publish it in the Hispanic Arch Community Site it will make a fine addition.

Thanks again.

I noticed that. I thought it was very useful: I'm currently so deep in this little project that I sometimes forget about such things, thinking of them as obvious.
Hopefully, your warning keeps users from thinking of the Wiki as a guide to Linux "ICS" (cf Windows XP). :)

I'd hold off the translation for a while: I haven't put the firewall "in production" yet. After I've done that and it's run for a few weeks, the Wiki is probably finished and you can translate it. Otherwise you'll just get frustrated about the constant changes you'd have to follow up. ;)

I hope my Wiki is accurate and indeed as secure as I intended it to be: I don't really know how to check that.



Offline

#17 2006-04-20 16:50:31

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622
Website

Re: [Wiki in progress] ArchLinux as a router/NAT - feedback req

Fubar. Something really cool to take a look at.
Transparent layer 7 proxy integration with AV scanning.

http://www.server-side.de/

Very cool stuff..
More cool L7 proxies: http://www.copfilter.org/docu.php  (bottom of page)



Offline
