Clayton's Tech Bits

    Fri, 10 Apr 2009


    /Linux/router-bridge: How to Build Your Own Linux Network Router

    Gentoo is justifiably held in great esteem for its very good documentation. I am going to give you a simplified version of its home router guide[1], from a Debian perspective; some of the things I do while building a router are also simpler by design. Here are a couple of other interesting links for background reading: [2][3]

    Why would you want to do this? Cheap commercial routers often do not work very well, choking up on certain kinds of traffic, even locking up regularly so that someone must manually cycle the power to restart them. If you build your own router, you can keep the software up-to-date, which is a big security advantage over the commercial competition. And you can install any software you want on it, like your own web and e-mail server, for instance. This is not meant to be an exhaustive list....

    Start with the cheapest, oldest laptop you can find with the capacity for the number of network cards you want to use (two for a wired *or* wireless local network, three for a wired *and* wireless local network). One network card is needed to connect to the outside world (presumably, the internet) and another one for *each* local network that you want to connect to the internet (typically, a wired and / or a wireless network).

    Note that a really old laptop, like the Pentium One that I use, has no CD and no USB. The easiest way to install Linux on it is to remove the hard drive and place it temporarily in another computer (or a USB enclosure) for the Linux installation. A minimal install is all that is necessary, just enough to get a terminal command prompt and functioning networking. Note that at least on Debian, standard kernels will work right off the shelf. Then replace the newly installed drive in your soon-to-be router.

    Get a Wireless Card that Will Work

    Setting up a router for a wired LAN (Local Area Network) is actually a subset of setting up a wireless router, so I will just describe a wireless router here. (Turning a wireless configuration into a wired configuration just requires a minor alteration or two....) You need a wireless card that will talk to the hostap_cs kernel driver and that also supports "Master" mode. These are not easy to find, in my experience. I have stumbled across two, one of which broke, and I am now having quite a hard time replacing it.

    The orinoco_cs and hostap_cs drivers support many of the same cards. Best to just blacklist the orinoco_cs driver and take your laptop shopping for cards. You really need to test the card before buying it (easy in the second hand Chinese markets I shop in). If you find a card that the hostap_cs driver recognizes, test for Master mode with the iwconfig command (substitute whatever name your driver gave the card; the examples below show both wlan0 and eth1):

    iwconfig wlan0 mode Master

    If the card does not like Master mode, you will get an error something like:

    # iwconfig eth1 mode Master
    Error for wireless request "Set Mode" (8B06) :
    SET failed on device eth1 ; Invalid argument.

    If it works, running iwconfig on the interface will show, in part:

    wlan0 IEEE 802.11b ESSID:"clayton" Nickname:""
    Mode:Master Frequency:2.462 GHz

    (Note the "Mode:Master" part.)

    Configure Networking

    I will avoid great detail here. The most probable options are: your "outside world" network card will either connect directly and probably be called "eth0", or it will connect using PPPoE, which you will probably configure with a very simple and straightforward piece of software called "pppoeconf", resulting in a "ppp0" interface. For routing purposes, all you need to know is what the interface is called, and that it works.

    As for the wireless card: give it a static IP and set it to Master mode in /etc/network/interfaces:

    auto eth0
    iface eth0 inet dhcp

    auto wlan0
    iface wlan0 inet static
      wireless-essid somename
      address 192.168.8.1
      netmask 255.255.255.0
      network 192.168.8.0
      broadcast 192.168.8.255
      wireless-mode Master
      wireless-channel 11
      wireless-key somepassword

    Note that in the above, eth0 connects to the internet, and therefore in this case I am not using PPPoE. I will address the slightly more complicated case of PPP in /etc/network/interfaces at a later date.

    Set Up Routing and Firewall

    We will do them at the same time because the same software does both! Install the "firehol" package. Then create a /etc/firehol/firehol.conf file as follows:

    # firehol configuration for a masquerading server
    
    version 5
    
    # The network of our internal LAN.
    home_ips="192.168.8.0/24"
    
    # try "mac  " to filter on MAC addresses
    
    # blacklist full 192.168.8.101 192.168.8.51 192.168.8.53
    
    # DHCP needs 0.0.0.0/255.255.255.255 access.
    interface wlan0 dhcp1
      policy return
      server dhcp accept
    
    # interface eth0 internet src not "${UNROUTABLE_IPS}"
    interface eth0 internet
       protection strong 10/sec 10
       server "smtp http icmp ssh"  accept
       server donkey2 accept
       server ident reject with tcp-reset
       client all   accept
       # reduce noise in the syslog by dropping this stuff silently
       server "dhcp samba" drop
    
    interface wlan0 wlan src "${home_ips}"
       policy reject
       server "http dns ssh icmp" accept
       client all   accept
       # server dhcp drop
    
    interface eth1 lan src "${home_ips}"
       policy reject
       server "http dns ssh icmp" accept
       client all   accept
    
    router internet2wlan inface eth0 outface wlan0
       masquerade reverse
       client all      accept
       server ident    reject with tcp-reset
    
    router internet2lan inface eth0 outface eth1
       masquerade reverse
       client all      accept
       server ident    reject with tcp-reset
    

    There are tutorials out there that will step you through the creation of this file, which is how I started, but if you are careful about the customization process, you should be able to use my config as your starting point.

    Some salient points:

    DHCP with dnsmasq

    Install the dnsmasq package. Add the following line to /etc/dnsmasq.conf:

    dhcp-range=192.168.8.50,192.168.8.150,12h

    Restart dnsmasq, and your router should now respond to DHCP requests from the wireless network.
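    The interfaces stanza, the firehol home_ips line and the dnsmasq dhcp-range all describe the same LAN, and nothing on the system checks that they agree: a DHCP range or home_ips outside the subnet on the wireless card leaves clients with leases the firewall rejects. The script below is an added example, not the post's own code: it parses the three files and fails if the DHCP range or home_ips falls outside the LAN on the wireless interface, and it flags wireless-key, which under the wireless-tools hooks in ifupdown configures a WEP key. The sample files are constructed inline from the post's values so it runs offline; on a real router the file paths you pass as arguments (assumed here to be the standard /etc locations) replace them.

```shell
#!/bin/sh
# Cross-check the router's three config fragments for one consistent LAN.
# Added example, not the post's script; sample files below are constructed.

# Dotted-quad address -> 32-bit integer.
ip2int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# CIDR prefix length -> 32-bit integer netmask (needs 64-bit shell arithmetic).
prefix2mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Value of one option inside the "iface <name>" stanza of an interfaces file.
iface_field() {   # file iface option
    awk -v ifc="$2" -v key="$3" '
        $1 == "iface"                   { in_stanza = ($2 == ifc); next }
        $1 == "auto" || $1 == "mapping" { in_stanza = 0; next }
        in_stanza && $1 == key          { print $2; exit }
    ' "$1"
}

# "start end" from the first dhcp-range= line (the post's start,end,lease form only).
dnsmasq_range() {   # file
    sed -n 's/^dhcp-range=//p' "$1" | awk -F, '{ print $1, $2; exit }'
}

# "network/prefix" from home_ips="..." in the firehol config.
firehol_home_ips() {   # file
    sed -n 's/^home_ips="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Returns 0 when the DHCP range and home_ips both lie inside the LAN configured on the
# wireless interface; returns 1 with a FAIL line on stdout otherwise.
check_router_configs() {   # interfaces_file firehol_file dnsmasq_file wlan_iface
    addr=$(iface_field "$1" "$4" address)
    mask=$(iface_field "$1" "$4" netmask)
    [ -n "$addr" ] && [ -n "$mask" ] || { echo "FAIL: no static address/netmask for $4"; return 1; }
    maskint=$(ip2int "$mask")
    lan=$(( $(ip2int "$addr") & maskint ))

    range=$(dnsmasq_range "$3")
    [ -n "$range" ] || { echo "FAIL: no dhcp-range in $3"; return 1; }
    start=${range% *}
    end=${range#* }
    for host in $start $end; do
        [ $(( $(ip2int "$host") & maskint )) -eq "$lan" ] \
            || { echo "FAIL: DHCP bound $host is outside the $4 LAN"; return 1; }
    done

    cidr=$(firehol_home_ips "$2")
    case "$cidr" in */*) ;; *) echo "FAIL: no home_ips=\"net/prefix\" in $2"; return 1 ;; esac
    [ "$(prefix2mask "${cidr#*/}")" -eq "$maskint" ] && [ "$(ip2int "${cidr%/*}")" -eq "$lan" ] \
        || { echo "FAIL: firehol home_ips $cidr does not match the $4 LAN"; return 1; }

    # wireless-key (wireless-tools via ifupdown) sets a WEP key; say so, but do not fail.
    grep -q '^[[:space:]]*wireless-key' "$1" && echo "note: $4 is keyed with wireless-key, i.e. WEP"
    echo "ok: LAN $addr/$mask, DHCP $start-$end, firehol $cidr"
    return 0
}

# Constructed sample files using the post's values (plus one deliberately wrong range).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/interfaces" <<'EOF'
auto eth0
iface eth0 inet dhcp

auto wlan0
iface wlan0 inet static
  wireless-essid somename
  address 192.168.8.1
  netmask 255.255.255.0
  wireless-mode Master
  wireless-key somepassword
EOF
printf 'version 5\nhome_ips="192.168.8.0/24"\n' > "$SAMPLE_DIR/firehol.conf"
printf 'dhcp-range=192.168.8.50,192.168.8.150,12h\n' > "$SAMPLE_DIR/dnsmasq.conf"
printf 'dhcp-range=192.168.9.50,192.168.9.150,12h\n' > "$SAMPLE_DIR/dnsmasq-bad.conf"

check_router_configs "$SAMPLE_DIR/interfaces" "$SAMPLE_DIR/firehol.conf" "$SAMPLE_DIR/dnsmasq.conf" wlan0
```

    On the router itself, call check_router_configs with /etc/network/interfaces, /etc/firehol/firehol.conf and /etc/dnsmasq.conf and the wireless interface name; a non-zero exit and a FAIL line tells you which of the three files disagrees with the others before you restart firehol and dnsmasq.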

    Wasn't that simple? Comments / errata welcome.

    [1] http://www.gentoo.org/doc/en/home-router-howto.xml
    [2] http://www.bit-tech.net/bits/2008/06/27/build-your-own-router/1
    [3] http://thoughtattic.com/security/MakeYourOwnRouter.html

    posted at: 07:32 | path: /Linux/router-bridge