Hi, I need to build a router for my home PCs. Any instruction/tutorial on how to build it using Arch Linux? Which modules are necessary (iptables only, or with iproute2?) and what is the best practice for putting the configuration information in the /etc files? Thanks.
This is how I do it. Hope it helps.
Have this in /etc/rc.d/firewall
#!/bin/sh
#
# chkconfig: 2345 11 89
#
# description: Loads the rc.firewall-2.4 ruleset.
#
# processname: firewall-2.4
# pidfile: /var/run/firewall.pid
# config: /etc/rc.d/rc.firewall-2.4
# probe: true
# ----------------------------------------------------------------------------
# v05/24/03
#
# Part of the copyrighted and trademarked TrinityOS document.
# http://www.ecst.csuchico.edu/~dranch
#
# Written and Maintained by David A. Ranch
# dranch@trinnet.net
#
# Updates
# -------
# 05/24/03 - removed a old networking up check that had some
# improper SGML ampersand conversions.
# ----------------------------------------------------------------------------
# Source function library.
. /etc/rc.conf
. /etc/rc.d/functions
# Check that networking is up.
[ "XXXX${NETWORKING}" = "XXXXno" ] && exit 0
[ -x /sbin/ifconfig ] || exit 0
# The location of various iptables and other shell programs
#
# If your Linux distribution came with a copy of iptables, most
# likely it is located in /sbin. If you manually compiled
# iptables, the default location is in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
IPTABLES=/usr/sbin/iptables
# See how we were called.
case "$1" in
start)
stat_busy "Starting Firewall"
/etc/firewall-2.4
stat_done
;;
stop)
stat_busy "Stopping Firewall"
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
# Delete all User-specified chains
$IPTABLES -X
#
# Reset all IPTABLES counters
$IPTABLES -Z
stat_done
;;
restart)
$0 stop
$0 start
;;
status)
$IPTABLES -L
;;
mlist)
cat /proc/net/ip_conntrack
;;
*)
echo "Usage: firewall-2.4 {start|stop|status|mlist}"
exit 1
esac
exit 0
In the daemon line in /etc/rc.conf add firewall.
That is for starting the firewall and routing tables. This is the actual script:
#!/bin/sh
EXTIF=eth0
INTIF=eth1
IPTABLES=/usr/sbin/iptables
echo "1" > /proc/sys/net/ipv4/ip_forward
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#edit: Save this file as /etc/firewall-2.4. If you want to save it somewhere else or change the name, you'll have to modify the rc script.
By the way, you should give both of these files execution permission (chmod 755 /files/files...)
And where were all the sportsmen who always pulled you though?
They're all resting down in Cornwall
writing up their memoirs for a paper-back edition
of the Boy Scout Manual.
Thanks, also I need to set up a DHCP server to dynamically assign IP addresses for the intranet (as well as the default gateway)...
Take a look at the 'dnsmasq' Arch package. It's great for a small home network and does DNS and DHCP.
Follow the link below, sign up, and accept one promotional offer. If I can get five suckers (err... friends) to do this, I'll get a free iPod. Then you too can try to get a free iPod. Thanks! http://www.freeiPods.com/?r=11363142
I would suggest the same. I used dnsmasq for a long time, and it works pretty well. It also works as a caching DNS server, so it makes access to web pages from PCs inside the network a lot faster (at least here in Chile). Anyway, I prefer using static IPs and I stopped using it.
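Added example, not code from anyone in this thread: a minimal dnsmasq configuration for the router's internal interface, written and checked by a small shell script. The point it makes is that dnsmasq should be bound to the LAN interface only, so the DHCP and DNS service is not also reachable from the Internet-facing side (the first script in this thread leaves the INPUT policy at ACCEPT, so a service listening on all interfaces would be exposed). The interface name eth1, the router address 192.168.1.1 and the lease range are constructed defaults, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): write a dnsmasq.conf confined to the
# internal interface and verify that confinement. All addresses are constructed;
# the router is assumed to be 192.168.1.1 on eth1.

# write_dnsmasq_conf PATH INTIF ROUTER_IP RANGE_START RANGE_END
write_dnsmasq_conf() {
    cat > "$1" <<EOF
# Serve DNS and DHCP on the LAN interface only and bind to it explicitly,
# so nothing listens on the external (Internet-facing) interface.
interface=$2
bind-interfaces
# Lease pool handed to the home PCs, 12-hour leases.
dhcp-range=$4,$5,12h
# Tell clients to use the router as default gateway and as DNS server.
dhcp-option=option:router,$3
dhcp-option=option:dns-server,$3
# Never forward plain hostnames or reverse lookups of private ranges upstream.
domain-needed
bogus-priv
EOF
}

# Return 0 when PATH confines dnsmasq to one interface (an "interface=" line
# together with "bind-interfaces"), 1 otherwise.
dnsmasq_is_confined() {
    grep -q '^interface=' "$1" && grep -q '^bind-interfaces$' "$1"
}

# "install" writes the real config; run as root after reviewing the values.
case "${1:-}" in
    install) write_dnsmasq_conf /etc/dnsmasq.conf eth1 192.168.1.1 192.168.1.100 192.168.1.200
             dnsmasq_is_confined /etc/dnsmasq.conf ;;
esac
```

Run it with `install` as root (after adjusting the constructed values) and then `dnsmasq_is_confined` reports whether the file still confines the daemon; if someone later removes the `bind-interfaces` line the check fails, which is the case you want to catch before restarting the service.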
Do I still need to do IP masquerade on the router machine? Or will dnsmasq handle that too?
No, it won't; it will just set your hosts' IPs and give them the DNS info.
Just found that, when using your script, I cannot connect to some FTP servers. Any way to allow all kinds of connections? I just need to route everything, no firewall...
In /etc/rc.conf make sure you add "ip_conntrack_ftp" to the MODULES=(...) list.
This kernel module checks if FTP active (not passive) connections should be allowed, opens the ports appropriately and closes them when the transfer is done.
Hope that helps.
IceRAM
P.S. I don't know if it works on forwarded connections, because I don't use iptables as a router.
:: / my web presence
Thanks, I will try it soon. Don't know why FTP needs a kernel module to be handled while some other protocols can be handled well...
btw, what else can be used to do IP forwarding? Is iptables the best one? (since it can be a firewall at the same time?)
Added "ip_conntrack_ftp" to the MODULES list and rebooted, but FTP still doesn't work...
Don't know why FTP needs a kernel module to be handled while some other protocols can be handled well...
Well, ftp does not need a kernel module to handle connections.
iptables is built within the kernel (or as modules). Therefore, to extend iptables functionality, you can add modules to the kernel. As you probably know, the active connections require port 20/21 (I think) to be opened. If a transfer is being started, a new port (highport > 32000 I think - check specs for detailed info) is opened and the transfer is done on that connection. The module I suggested tracks all the requests on port 20/21 for file transfers and opens in the firewall the corresponding high ports, closing them down when the transfers are done.
btw, what else can be used to do IP forwarding? Is iptables the best one? (since it can be a firewall at the same time?)
I personally don't know anything else for ipforward (all the scripts for IP forwarding are based on iptables, as far as I know).
I use gShield to create my firewall rules. Check http://bbs.archlinux.org/viewtopic.php? … ht=gshield .
It seems to be quite powerful, although I don't use all its capabilities. It also has nice support for routing (check /etc/firewall/routables after install). Maybe it will get into the Arch repositories.
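Added example, not IceRAM's or anyone else's code from this thread, for the FTP helper question above. The conntrack helper on its own tracks the data-channel ports for a connection that the router itself makes; on a masquerading router the client's PORT/PASV command also carries a private LAN address that has to be rewritten, which is done by the matching NAT helper (ip_nat_ftp beside ip_conntrack_ftp on 2.4 and early 2.6 kernels; nf_nat_ftp beside nf_conntrack_ftp on newer kernels). The script below reads a /proc/modules-style listing and reports which half of that pair is missing; the listings in the test are constructed, and the rc.conf line in the comment is an assumption about the 2.4-era module names used in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): check that BOTH the FTP connection-tracking
# helper and its NAT counterpart are loaded on a masquerading router.
# Module-name families by kernel generation (assumption stated in the lead-in):
#   2.4 / early 2.6 : ip_conntrack_ftp + ip_nat_ftp
#   newer kernels   : nf_conntrack_ftp + nf_nat_ftp
# For the 2.4-era setup in this thread the rc.conf line would be:
#   MODULES=(... ip_conntrack_ftp ip_nat_ftp)

# Read a /proc/modules-style listing on stdin and print the FTP helper
# modules that are missing, one per line. Prints nothing (and returns 0)
# when a complete conntrack+NAT pair for the running family is present.
missing_ftp_helpers() {
    loaded=$(cut -d' ' -f1)          # first field of /proc/modules is the name
    # Pick the family from whichever core conntrack module is loaded;
    # fall back to the nf_ names used by newer kernels.
    case "$loaded" in
        *ip_conntrack*) ct=ip_conntrack_ftp; nat=ip_nat_ftp ;;
        *)              ct=nf_conntrack_ftp; nat=nf_nat_ftp ;;
    esac
    for m in "$ct" "$nat"; do
        printf '%s\n' "$loaded" | grep -qx "$m" || echo "$m"
    done
}

# "check" runs the test against the live kernel; exits non-zero if a helper is missing.
case "${1:-}" in
    check)
        missing=$(missing_ftp_helpers < /proc/modules)
        if [ -n "$missing" ]; then
            echo "missing FTP helper module(s):" "$missing" >&2
            exit 1
        fi
        echo "FTP conntrack and NAT helpers are loaded" ;;
esac
```

Run `sh ftpcheck.sh check` on the router after loading the modules; the common result behind "ip_conntrack_ftp is loaded but FTP through the router still fails" is that the NAT half of the pair is the one reported missing.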
remove this
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
and change this:
$IPTABLES -P FORWARD DROP
by this:
$IPTABLES -P FORWARD ACCEPT
This isn't a very good policy, but if you want so...
By the way, I fused the two scripts into one, so that it'll be easier.
Here is my new firewall. Just remove /etc/firewall-2.4 and place this new one in /etc/rc.d/firewall (and give it exec rights: chmod 755 /etc/rc.d/firewall)
#!/bin/sh
#
# Source function library.
. /etc/rc.conf
. /etc/rc.d/functions
# Check that networking is up.
[ "XXXX${NETWORKING}" = "XXXXno" ] && exit 0
[ -x /sbin/ifconfig ] || exit 0
# The location of various iptables and other shell programs
IPTABLES=/usr/sbin/iptables
EXTIF=eth0
INTIF=eth1
# See how we were called.
case "$1" in
start)
stat_busy "Starting Firewall"
echo "1" > /proc/sys/net/ipv4/ip_forward
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -j ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
stat_done
;;
stop)
stat_busy "Stopping Firewall"
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
# Delete all User-specified chains
$IPTABLES -X
#
# Reset all IPTABLES counters
$IPTABLES -Z
stat_done
;;
restart)
$0 stop
$0 start
;;
status)
$IPTABLES -L
;;
mlist)
cat /proc/net/ip_conntrack
;;
*)
echo "Usage: firewall-2.4 {start|stop|status|mlist}"
exit 1
esac
exit 0
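Added example, not the script posted above nor the earlier /etc/firewall-2.4 one: the same FORWARD and NAT ruleset, kept at FORWARD policy DROP (the post above is right that switching it to ACCEPT is not a good policy), with three things a practitioner would want on top: an anti-spoofing rule that drops WAN-side packets claiming a LAN source address, a rate limit on the LOG rule so a scan cannot fill the log, and a dry-run mode (IPTABLES=echo) that prints the rules for review instead of loading them. The RELATED state is what admits the FTP data channels once the FTP helper modules discussed earlier are loaded. The interface names eth0/eth1 and the 192.168.1.0/24 range are constructed defaults; the rc.d start/stop wrapper is unchanged and would call router_rules from its start branch.

```shell
#!/bin/sh
# Added example (not the thread's script): two-interface masquerading ruleset
# with FORWARD policy DROP, anti-spoofing, rate-limited logging and a dry-run
# mode. Interface names and the LAN range are constructed defaults.
EXTIF="${EXTIF:-eth0}"                        # towards the Internet
INTIF="${INTIF:-eth1}"                        # towards the home PCs
LAN="${LAN:-192.168.1.0/24}"                  # addresses the home PCs use
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"    # IPTABLES=echo prints instead of loading

# Emit the FORWARD and NAT rules. Arguments: EXTIF INTIF LAN.
router_rules() {
    extif=$1; intif=$2; lan=$3
    $IPTABLES -P FORWARD DROP           # nothing is routed unless a rule allows it
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F
    # Anti-spoofing: a packet arriving from the WAN side must not carry a LAN source.
    $IPTABLES -A FORWARD -i "$extif" -s "$lan" -j DROP
    # Return traffic for LAN-initiated connections. RELATED also admits helper-tracked
    # flows such as FTP data channels once the FTP conntrack/NAT helpers are loaded.
    $IPTABLES -A FORWARD -i "$extif" -o "$intif" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Outbound: only packets that really originate from the LAN range may leave.
    $IPTABLES -A FORWARD -i "$intif" -o "$extif" -s "$lan" -j ACCEPT
    # Log what the policy is about to drop, rate-limited so a port scan cannot flood syslog.
    $IPTABLES -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    # Rewrite the source of outbound packets to the router's external address.
    $IPTABLES -t nat -A POSTROUTING -o "$extif" -j MASQUERADE
}

# Turn on routing in the kernel. Kept outside router_rules so a dry run never
# touches /proc (needs root).
enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-}" in
    start)   enable_forwarding; router_rules "$EXTIF" "$INTIF" "$LAN" ;;
    dry-run) IPTABLES=echo; router_rules "$EXTIF" "$INTIF" "$LAN" ;;
esac
```

`sh router.sh dry-run` prints the eight rules in order so they can be read before `sh router.sh start` loads them; the LAN range is matched on both the inbound anti-spoofing rule and the outbound ACCEPT, so a host on the internal segment using an address outside the range is neither forwarded nor masqueraded.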
Can this be done the same using kernel v2.6?
.: lytez :.