[Wiki in progress] ArchLinux as a router/NAT - feedback req

FUBAR · 2006-03-31 07:53:18

I'm writing a Wiki page on how to set up ArchLinux as a router / NAT. I've got a box I'm turning into one, so I'm trying to write all the steps I do/did down for future reference.

I have little experience with Linux networking, I can get a NIC get an IP and that's about it. So I'm mostly using documentation I found googling around and on Wiki's from other (-ugh ugh- Gentoo -ugh ugh-) distributions.

I'd appreciate it if someone would review what I've got so far (everything up until building a custom kernel!! ) and tell me if it's accurate.

Once I've got my router working, I'm even planning on writing a few helper scripts and maybe even make a specific router repo. But first things first: the installation and configuration of the router.

Any input will be greatly appreciated!

marcob · 2006-03-31 15:53:01

I doubt I can offer much help, but I'm very much interested in this, so good luck to you and thanks for your efforts!

FUBAR · 2006-03-31 16:55:30

I'd appreciate it if you follow my Wiki page and tell me did and didn't work out.

[edit]
Once I finished it, of course
[/edit]

cactus · 2006-03-31 18:14:37

one thing I noticed..
you might want to use sysctl to enable forwarding of packets.. not sure if the kernel compilation alone is enough, or if you need the sysctl option as well. I always have the sysctl option..and I honestly haven't tried it without it lately. o.O

If you meant a nat'ing firewall, and not a router, then you of course don't need that option.

Technically, a router and a nat firewall are not the same thing.

EDIT: Based on your wiki entry, it appears you meant a nat-firewall, as you are putting a dns cacher on it as well.

cheers.

FUBAR · 2006-03-31 21:58:33

Done. Valid point, cactus.

cactus · 2006-03-31 22:06:28

good wiki so far. A definate valuable venture for sure. I can envision many people using this wiki as a very good jumping off point for nat'ing their infrastructure.

I want to work on routifying arch at some point. A very lean mean install that can run from a flash drive or a bootable biz card, that can just be rebooted when needed...mostly for internal routing work. Slap in a grip of nic cards into some random box, and "w00t: router with ACL"

syamajala · 2006-04-01 01:49:53

cactus: that would be nice. especially if did cool things like traffic shaping and wireless routing.

marcob · 2006-04-04 15:45:45

FUBAR wrote:

I'd appreciate it if you follow my Wiki page and tell me did and didn't work out.
[edit]
Once I finished it, of course
[/edit]

Will do!

tpowa · 2006-04-04 17:48:43

one little thing, what is missing in the standard kernel?
i mean it should be possible to build a router with standard kernel too.

cactus · 2006-04-04 20:22:30

It should indeed be the case. I was just not sure if routing was built as a module, or if it was built in.

For routing, I general like to build a very streamlined kernel for performance and size considerations.

Cam · 2006-04-05 01:19:09

tpowa wrote:

one little thing, what is missing in the standard kernel?
i mean it should be possible to build a router with standard kernel too.

Nothing is missing. I just spent last night/this morning setting up an old 800MHz as a router here off the stock kernel. It's a bit more than a router (proxy, mail server etc) but the routing part works great running 2.6.16-ARCH.

I suck at networking so now I'm off to try and set up DHCP... Wish me luck..

FUBAR · 2006-04-05 09:55:17

tpowa wrote:

one little thing, what is missing in the standard kernel?
i mean it should be possible to build a router with standard kernel too.

I don't know, I never use stock kernels. But as cactus mentioned, I like a small modularized kernel without unneeded options, especially for a router.

I also don't think you'll want to updrage your kernel anytime you run pacman -Syu, just when it's necessary for security reasons. A new kernel requires a reboot and might introduce instability or security flaws.

FUBAR · 2006-04-15 10:34:10

Just a little update: I've set up shorewall, Squid and DansGuardian and they're all working! It's amazing how easy this stuff is if you just stick to the documentation. ^_^

I don't know what else I can install on the box to make it more secure and / or powerful. Any tips?

FUBAR · 2006-04-19 10:58:33

This thing keeps on growing. So large even that MediaWiki started complaining!

I've split it up:

NAT'ing firewall - Share your broadband connection
NAT'ing firewall - Adding advanced features

Tonight I'm going to install Snort. Maybe even Tripwire and grsec once I figure out what they do.[/list][/list]

sud_crow · 2006-04-20 05:10:54

Hi Fubar!

Great doc, i added this a couple of days ago as a notice:

NOTE: This document's purpose is to set up a box exclusively as a gateway/router, this means that it's not suited (although it could be adapted or used partially) to set up a shared connection between 2 (two) 'desktop' PCs using cross-over cables, as the PC where this document applies will be turned into a 'server', not having the desktop applications necesary for normal use, and should be conected to a hub/switch.

Just in case someone wanting to share his internet connection between 2 pcs started following your guide... check it in case you dont feel it should be there or you like other way to express it.

I may translate it when i have the time to publish it in the Hispanic Arch Community Site it will make a fine addition.

Thanks again.

FUBAR · 2006-04-20 07:58:57

sud_crow wrote:

Hi Fubar!
Great doc, i added this a couple of days ago as a notice:
NOTE: This document's purpose is to set up a box exclusively as a gateway/router, this means that it's not suited (although it could be adapted or used partially) to set up a shared connection between 2 (two) 'desktop' PCs using cross-over cables, as the PC where this document applies will be turned into a 'server', not having the desktop applications necesary for normal use, and should be conected to a hub/switch.
Just in case someone wanting to share his internet connection between 2 pcs started following your guide... check it in case you dont feel it should be there or you like other way to express it.
I may translate it when i have the time to publish it in the Hispanic Arch Community Site it will make a fine addition.
Thanks again.

I noticed that. I thought it was very useful: I'm currently so deep in this little project that I sometimes forget about such things, thinking of them as obvious.
Hopefully, your warning keeps users from thinking of the Wiki as a guide to Linux "ICS" (cf Windows XP).

I'd hold off the translation for a while: I haven't put the firewall "in production" yet. After I've done that and it's run for a few weeks, the Wiki is probably finished and you can translate it. Otherwise you'll just get frustrated about the constant changes you'd have to follow up.

I hope my Wiki is accurate and indeed as secure as I intended it to be: I don't really know how to check that.

cactus · 2006-04-20 16:50:31

Fubar. Something really cool to take a look at.
Transparent layer 7 proxy integration with AV scanning.

http://www.server-side.de/

Very cool stuff..
More cool L7 proxies: http://www.copfilter.org/docu.php (bottom of page)

Arch Linux

#1 2006-03-31 07:53:18

[Wiki in progress] ArchLinux as a router/NAT - feedback req

#2 2006-03-31 15:53:01

Re: [Wiki in progress] ArchLinux as a router/NAT - feedback req

#3 2006-03-31 16:55:30

Re: [Wiki in progress] ArchLinux as a router/NAT - feedback req

#4 2006-03-31 18:14:37

Re: [Wiki in progress] ArchLinux as a router/NAT - feedback req

#5 2006-03-31 21:58:33

Re: [Wiki in progress] ArchLinux as a router/NAT - feedback req

#6 2006-03-31 22:06:28

Re: [Wiki in progress] ArchLinux as a router/NAT - feedback req

#7 2006-04-01 01:49:53

Re: [Wiki in progress] ArchLinux as a router/NAT - feedback req

#8 2006-04-04 15:45:45

Re: [Wiki in progress] ArchLinux as a router/NAT - feedback req

#9 2006-04-04 17:48:43

Re: [Wiki in progress] ArchLinux as a router/NAT - feedback req

#10 2006-04-04 20:22:30

Re: [Wiki in progress] ArchLinux as a router/NAT - feedback req

#11 2006-04-05 01:19:09

Re: [Wiki in progress] ArchLinux as a router/NAT - feedback req

#12 2006-04-05 09:55:17

Re: [Wiki in progress] ArchLinux as a router/NAT - feedback req

#13 2006-04-15 10:34:10

Re: [Wiki in progress] ArchLinux as a router/NAT - feedback req

#14 2006-04-19 10:58:33

Re: [Wiki in progress] ArchLinux as a router/NAT - feedback req

#15 2006-04-20 05:10:54

Re: [Wiki in progress] ArchLinux as a router/NAT - feedback req

#16 2006-04-20 07:58:57

Re: [Wiki in progress] ArchLinux as a router/NAT - feedback req

#17 2006-04-20 16:50:31

Re: [Wiki in progress] ArchLinux as a router/NAT - feedback req

Board footer