#1 2005-06-13 15:06:37

nehsa
Member
Registered: 2003-01-14
Posts: 159

Setting up Arch as a router

I have two network cards in my server.  What I want to do is have eth0 get my internet then eth1 connect it with my LAN.  Unfortunately, I don't know much about setting this up.

My first problem I think is the gateway, if the default is set to 192.168.0.1 then my internet will not work.  What I would like to do is have eth1 have that as the gateway but let eth0 find its own.  Is there a way to do this using rc.conf or do I need to manually add to the routes table?

Assuming I get the routing right, how do I then go about sharing the connection?  Is iptables required? 

Thanks for any help!

#2 2005-06-13 15:27:59

Stinky
Member
From: The Colony, TX
Registered: 2004-05-28
Posts: 187

Re: Setting up Arch as a router

Iptables is required using NAT/Masquerade. 
This helped me get started years ago..
http://www.e-infomax.com/ipmasq/

#3 2005-06-13 17:46:25

nehsa
Member
Registered: 2003-01-14
Posts: 159

Re: Setting up Arch as a router

Hey, thanks for the quick reply.  I've read through that article (briefly) and do have a much greater idea of what needs to happen.  The only thing I can't find is information about routing.

In the rc.conf file you have the option to set the default gateway, the problem is, if enabled my LAN works, if not enabled the internet works.  I think what I need is leave the default gateway blank and just add a gateway to eth1, I can't seem to figure out how to do this though. 

(From memory)

gateway = default gw 192.168.0.1
gateway = gateway

I've tried:

gateway = eth1 gw 192.168.0.1
gateway = gateway

That doesn't work though.

#4 2005-06-13 17:52:30

phrakture
Arch Overlord
From: behind you
Registered: 2003-10-29
Posts: 7,879
Website

Re: Setting up Arch as a router

you need to setup iptables rules and enable ip forwarding too - setting just a gateway isn't going to do jack

#5 2005-06-13 20:19:04

nehsa
Member
Registered: 2003-01-14
Posts: 159

Re: Setting up Arch as a router

OK, got it.  I'm still a little confused about how this'll work. 

This is my current plan:
INTERNET to ETH0, ETH1 to uplink port of router, router to rest of network.

Should that work?  If I plug ETH1 into the uplink port of the router, what should I set the internet portion to?  Since it's not going to actually be connected to the internet I doubt I should be putting in my real IP.  Should I just make one up?  Or, if I leave it set to DHCP should archlinux provide that information? 

I understand these are probably silly questions, I'm hoping that I'll get a greater understanding of networking by doing this.

#6 2005-06-13 20:26:33

phrakture
Arch Overlord
From: behind you
Registered: 2003-10-29
Posts: 7,879
Website

Re: Setting up Arch as a router

well, the uplink port is going to request an IP from your gateway in that case... which means you should either run a dhcp server, or just set it to some random class C address (192.168.1.X).

Now, on the gateway box itself, you need to use iptables and ip forwarding to get eth0 and eth1 to talk to each other...

#7 2005-06-13 20:59:10

nehsa
Member
Registered: 2003-01-14
Posts: 159

Re: Setting up Arch as a router

Would it work to plug into a normal port?  I would like to get this working w/o making up fake IP numbers if possible.  Would like the routing to be as simple as possible.

#8 2005-06-13 21:36:53

tomk
Forum Fellow
From: Ireland
Registered: 2004-07-21
Posts: 9,838

Re: Setting up Arch as a router

If you're able to use your existing router as a plain switch i.e. without the routing, dhcp, nat etc capabilities, then you can connect your Arch box to a normal port.

Slightly OT - selecting an address range for internal use is not quite the same as "making up fake IP numbers". There are various ranges that have been designated as private non-routable, 192.168.x.x being one. If you're interested, look up RFC 1918.

#9 2005-06-13 21:51:02

phrakture
Arch Overlord
From: behind you
Registered: 2003-10-29
Posts: 7,879
Website

Re: Setting up Arch as a router

tomk wrote:

Slightly OT - selecting an address range for internal use is not quite the same as "making up fake IP numbers". There are various ranges that have been designated as private non-routable, 192.168.x.x being one. If you're interested, look up RFC 1918.

I was going to say that... 8)
I think by "fake" you mean "arbitrary" - as in, it really doesn't matter what they are, so long as they work (my server, on a static IP is 192.168.1.123... I arbitrarily picked 123 because it was easy to remember and was outside my router's dhcp range)

#10 2005-06-14 00:07:22

Stinky
Member
From: The Colony, TX
Registered: 2004-05-28
Posts: 187

Re: Setting up Arch as a router

If you want to set it up as a gateway/router, There's a few IPTABLES rules you 'have' to have. 

echo "1" > /proc/sys/net/ipv4/ip_forward

That's one of 'em.  That enables ip forwarding.  Used to be off by default, not sure any more, I just put it in all my scripts for good measure. 
This rule enables forwarding, and thus IPMASQ.  It allows all connections out, and only Established/Related in.

$IPTABLES -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -o eth0 -j ACCEPT

This one enables SNAT (Masquerade) functionality on eth0

$IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to $EXTIP

Now, that's all well and good, but you're not blocking anything coming in.  What I do is block absolutely everything coming in by default and only allow through what I want to allow through. 
To allow something in through the firewall, it would look something like this:

$IPTABLES -A INPUT -p tcp -i eth0 -s 0.0.0.0/0 --dport 80 -j ACCEPT

And if you wanted to forward a port, say, like I have 2 arch machines behind my router...I ssh into both of them.  Can't have them both listening on the same port, so I have to forward a port to each machine.  It takes two rules for each port and would look something like this:

$IPTABLES -A FORWARD -p tcp -d 192.168.1.100 --dport 2000 -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -i eth0 -d $EXTIP --dport 2000 -j DNAT --to 192.168.1.100:2000

That should get you started in the right direction.... 8)
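
The rules from the post above, gathered into one ruleset together with the default-deny policy the post describes but does not show (an added example, not part of the original post). It prints iptables-restore input instead of calling iptables, and rejects malformed addresses and ports; the DROP policies, the loopback and eth1 INPUT rules, and the sample addresses 203.0.113.10 and 192.168.1.101 are assumptions of this example.

```shell
# Added example (not from the thread): eth0 = internet, eth1 = LAN, as in the post.
# DROP policies and the lo/eth1 INPUT rules are assumptions; 203.0.113.10 and 192.168.1.101 are constructed.
NL=$(printf '\nx'); NL=${NL%x}   # a single newline, used to join generated rules

is_port() {  # succeeds if $1 is an integer in 1-65535
    case "$1" in ""|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

is_ipv4() {  # succeeds if $1 is a dotted quad with octets 0-255
    case "$1" in ""|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

gateway_ruleset() {  # usage: gateway_ruleset EXTIP [EXTPORT:LANIP:LANPORT ...]
    extip=$1; shift
    is_ipv4 "$extip" || { echo "bad external IP: $extip" >&2; return 1; }
    fwd_rules=""; dnat_rules=""
    for fwd in "$@"; do
        port=${fwd%%:*}; rest=${fwd#*:}; host=${rest%%:*}; hport=${rest#*:}
        is_port "$port" && is_port "$hport" && is_ipv4 "$host" ||
            { echo "bad forward: $fwd" >&2; return 1; }
        fwd_rules="$fwd_rules$NL-A FORWARD -i eth0 -o eth1 -p tcp -d $host --dport $hport -j ACCEPT"
        dnat_rules="$dnat_rules$NL-A PREROUTING -i eth0 -p tcp -d $extip --dport $port -j DNAT --to-destination $host:$hport"
    done
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT${fwd_rules}
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]${dnat_rules}
-A POSTROUTING -o eth0 -j SNAT --to-source $extip
COMMIT
EOF
}

gateway_ruleset 203.0.113.10 2000:192.168.1.100:2000 2001:192.168.1.101:22
```

Piping the output to `iptables-restore --test` checks that it parses without loading it; IP forwarding still has to be switched on as the post describes.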
