# using a gentoo box as a software router

## madmango

I'm pretty sure this has been covered before, but most of it is over my head.

Essentially, I want to set up a Gentoo box as a router/firewall, and also a network bridge. I've got my cable modem on eth2. It uses DHCP to autoconfigure an address, and I can get the internet on the Gentoo box. Interfaces eth0 and eth1 use statically configured IPs, and I'm running dhcpd to assign IPs to clients over these interfaces.

From a computer on a crossover cable, I can ssh to the Gentoo box. I can get the internet from the Gentoo box. What I want to do is be able to get to the internet from eth0 or eth1 and also create a bridge between eth0 and eth1, so computers on these interfaces can talk to each other and the internet.

Essentially:

```
Internet------|
Comp1------Gentoo Box
Comp2-------|
```

With crossover cables and NICs where necessary. Eventually I'll go wireless and buy wired--wireless bridges, but that's it for now.

Because my ISP allows only one computer hooked to the net at a time (or they charge extra) I think I need NAT or something. Or not. Not very sure. I believe I can just do the setup without NAT and incur no extra charges.

How do I do the configuration? Thanks in advance, and good job if you can plow through my rambling.

----------

## To

It is being discussed in another topic here: https://forums.gentoo.org/viewtopic.php?t=66664. Also try searching the forum; you may find something.

Tó

----------

## fido

Since your router box already has a working internet connection, you won't need to change your eth2 configuration.

However, I don't know enough about the configuration of the networks that are attached on eth0 and eth1. So, in an effort to answer your questions, I am going to make a few assumptions.

Assuming the networks on eth0 and eth1 are both on the same subnet will make things easier. So we will say this:

```
Network 1: eth0
  IP:      192.168.0.2 - 192.168.0.100
  Gateway: 192.168.0.1

Network 2: eth1
  IP:      192.168.0.102 - 192.168.0.199
  Gateway: 192.168.0.101
```

If this is not the exact configuration (what are the chances), let me know. Anyway, on with the show...

1) Set up the interfaces themselves (eth0 and eth1). I have never done this on a gentoo system, so hopefully it will work. The information pertaining to the interface configurations is in /etc/conf.d/net. Since there should already be a line for eth2, you only need to add two lines to the file:

```
iface_eth0="192.168.0.1 broadcast 192.168.0.255 netmask 255.255.255.0"
iface_eth1="192.168.0.101 broadcast 192.168.0.255 netmask 255.255.255.0"
```

2) Next, you need NAT to allow these internal computers to talk to the internet. To do this, you need to modify the kernel. Open up your favorite kernel configuration editor (I prefer xconfig), go to Networking Options and enable 'Network packet filtering (replaces ipchains)'. Then scroll down to 'IP: Netfilter Configuration'. Turn on 'Connection tracking (required for masq/NAT)', 'IP tables support', 'Full NAT', and 'MASQUERADE target support'. I'm pretty sure those are the only ones you need. Network packet filter support is not module capable, so you might as well set all of the options to compile in rather than module. Save changes and recompile. Then you can go ahead and copy the image to the boot directory, modify the lilo/grub conf file to add a NEW ENTRY for the new kernel, and reboot. Ever since I hosed a box by overwriting an installed kernel, I find it best to just make a new entry. Also, make sure to boot into the new kernel.

3) If it is not already installed, emerge iptables. Once done, go ahead and try the following command:

```
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE
```

If you return to a prompt, it probably worked. `iptables -t nat -L` should produce the following line, among others:

```
MASQUERADE  all  --  192.168.0.0/24       anywhere
```

If so, then you have a router! Lastly, you need to configure dhcpd for the hosts. Almost done...

4) If you don't have it, emerge dhcp. Since you are going to have two different networks, it would be easiest with two config files, although others might disagree. The following configuration files should work:

File for eth0 (/etc/dhcpd.eth0.conf):

```
subnet 192.168.0.0 netmask 255.255.255.0 {
        max-lease-time 602000;
        default-lease-time 602000;
        range 192.168.0.2 192.168.0.100;
        option subnet-mask 255.255.255.0;
        option routers 192.168.0.1;
        option domain-name-servers your.isps.ns1, your.isps.ns2;
}
```

And for eth1 (/etc/dhcpd.eth1.conf):

```
subnet 192.168.0.0 netmask 255.255.255.0 {
        max-lease-time 602000;
        default-lease-time 602000;
        range 192.168.0.102 192.168.0.200;
        option subnet-mask 255.255.255.0;
        option routers 192.168.0.101;
        option domain-name-servers your.isps.ns1, your.isps.ns2;
}
```

Then to start dhcpd:

```
/usr/sbin/dhcpd -cf /etc/dhcpd.eth0.conf eth0
/usr/sbin/dhcpd -cf /etc/dhcpd.eth1.conf eth1
```

And that should do it. Also, the commands could be put into an init file so that they would run at startup.

Thanks.

----------

## wire

Why are you using dhcpd to assign ips to those hosts?

"Interfaces eth0 and eth1 use statically configured IPs, and i'm running dhcpd to assign ips to clients over these interfaces. "

If you only have two hosts on this network (that's what I understand you are trying to do), then I would just statically configure them. From my understanding at least, they are going to have private addresses anyway, since you don't want to pay your ISP for extra IPs.

-kai

----------

## ben

Fido is quite right on the spot, although I do not share his view about subnets.

Actually I understand the OP like this: he wants to build a router to feed his home net. Half of his home net will be wired, while the second half will eventually be wireless. Then the question he asked is quite open for such a future implementation.

So if you want two separate subnets (say for wired and wireless; by the way, not a bad idea, because you could limit the rights of the wireless part with security in mind), you just have to put in some more iptables rules (allowing transfers from eth0 to eth1 and from eth1 to eth0, ...). I think `echo 1 > /proc/sys/net/ipv4/ip_forward` is also necessary to allow packets to be forwarded from one eth to the others.

HTH

Ben

----------

## madmango

Exactly. Wonderful.

I've checked, and my ISP doesn't care about extra IPs, so long as they use the private address space. So I'm configuring a range of 10.152.2.1-21 on eth0 and 10.152.3.1-21 on eth1.

The only part I was confused about was the actual use of iptables, but methinks you've cleared that up. Now I just need to figure out an init script.

Oh, and when I `rc-update add dhcp default`, it only starts dhcpd on eth0. I think I fixed it by removing ${IFACE} in the /etc/init.d/dhcp script, but not sure.

----------

## ben

A word about your ISP:

They sure don't care about your internal network, unless they limit the ports.

But they DO CARE if someone is distributing IP addresses on their network. So please be very careful that dhcpd serves only on the internal ethX.

Actually, as Fido said, in the dhcpd command you should list the interfaces you will be listening on.

In start() from my /etc/init.d/dhcp I have:

```
start-stop-daemon --start --quiet --exec /usr/sbin/dhcpd -- eth1 eth3
```

And now for the human good, here is my firewall script (AS AN EXAMPLE; this is by no means an example I suggest following, it is suited to me, not to anyone else):

```
#!/bin/sh
## Insert connection-tracking modules (not needed if built into kernel).
echo "   loading modules  "
insmod ip_conntrack
insmod ip_conntrack_ftp
insmod ip_conntrack_irc
insmod iptable_nat
insmod ip_nat_ftp

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "0" > /proc/sys/net/ipv4/tcp_ecn

## flush all
echo "   clearing any rules and setting default policy "
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -F INPUT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -F OUTPUT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -F FORWARD
/sbin/iptables -t nat -F

## Create chain which blocks new connections, except if coming from inside.
/sbin/iptables -N block
/sbin/iptables -F block
/sbin/iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
## New connections are accepted from every interface except eth2 (the outside).
## (The negation goes before the option; the old "-i ! eth2" form is deprecated.)
/sbin/iptables -A block -m state --state NEW ! -i eth2 -j ACCEPT
/sbin/iptables -A block -p UDP -s 10.10.10.1 --sport 67 -j DROP
/sbin/iptables -A block -i eth1 -j ACCEPT
/sbin/iptables -A block -i eth3 -j ACCEPT
/sbin/iptables -A block -j LOG
/sbin/iptables -A block -p tcp -d 213.221.129.148 --dport www -j ACCEPT
/sbin/iptables -A block -p tcp -d 213.221.129.148 --dport https -j ACCEPT
/sbin/iptables -A block -p udp -d 213.221.129.148 --dport domain -j ACCEPT
/sbin/iptables -A block -p udp -d 213.221.129.164 --dport domain -j ACCEPT
/sbin/iptables -A block -p tcp -d 213.221.129.148 --dport smtp -j ACCEPT
/sbin/iptables -A block -p tcp -d 213.221.129.148 --dport pop-3 -j ACCEPT
/sbin/iptables -A block -p tcp -d 213.221.129.148 --dport imap3 -j ACCEPT
/sbin/iptables -A block -p tcp -d 213.221.129.148 --dport imaps -j ACCEPT
/sbin/iptables -A block -p tcp -d 213.221.129.148 --dport ftp -j ACCEPT
/sbin/iptables -A block -p tcp -d 213.221.129.148 --dport ssh -j ACCEPT
/sbin/iptables -A block -p tcp -d 213.221.130.148 --dport www -j ACCEPT
/sbin/iptables -A block -p tcp -d 213.221.130.148 --dport https -j ACCEPT
/sbin/iptables -A block -p udp -d 213.221.130.148 --dport domain -j ACCEPT
/sbin/iptables -A block -p udp -d 213.221.130.164 --dport domain -j ACCEPT
/sbin/iptables -A block -p tcp -d 213.221.130.148 --dport smtp -j ACCEPT
/sbin/iptables -A block -p tcp -d 213.221.130.148 --dport pop-3 -j ACCEPT
/sbin/iptables -A block -p tcp -d 213.221.130.148 --dport imap3 -j ACCEPT
/sbin/iptables -A block -p tcp -d 213.221.130.148 --dport imaps -j ACCEPT
/sbin/iptables -A block -p tcp -d 213.221.130.148 --dport ftp -j ACCEPT
/sbin/iptables -A block -p tcp -d 213.221.130.148 --dport ssh -j ACCEPT
/sbin/iptables -A block -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -A block -j DROP

## Jump to that chain from INPUT and FORWARD chains.
/sbin/iptables -A INPUT -j block
/sbin/iptables -A FORWARD -i eth2 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth3 -j ACCEPT
/sbin/iptables -A FORWARD -j LOG

## Masquerade everything leaving through the outside interface.
/sbin/iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

echo "   firewall in place and active  "
```

Now I copied an init.d service, called it firewall, set it up to execute the script above on start and restart, and saved it. Then I ran `rc-update add firewall default`.

HTH

Ben
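As an added example, pulling together Fido's steps 2 and 3 (forwarding plus MASQUERADE) and the shape of Ben's firewall script above into one script for the layout in this thread. This is not code from Fido, Ben or anyone else in the thread. Following the original post it assumes eth2 faces the cable modem and eth0/eth1 are the internal LANs, and it uses madmango's 10.152.2.0/24 and 10.152.3.0/24 ranges; the variable names, the anti-spoofing rules, the `dhcpd_cmd` check and the `DRY_RUN` switch are this example's own choices, not anything the posts describe.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread: a NAT router/firewall
# script for the layout discussed above.  Interface roles and addresses are
# assumptions taken from the posts: eth2 faces the cable modem (WAN), eth0
# and eth1 are the internal LANs, numbered 10.152.2.0/24 and 10.152.3.0/24.
# DRY_RUN=1 prints every command instead of executing it, so the ruleset can
# be reviewed on a machine that is not the router.

WAN="${WAN:-eth2}"
LANS="${LANS:-eth0 eth1}"
LAN_NETS="${LAN_NETS:-10.152.2.0/24 10.152.3.0/24}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

ipt() { run iptables "$@"; }

build_rules() {
    # Without this the box is a host, not a router.  This is the real sysctl
    # path; "/proc/ipv4/forward" mentioned earlier in the thread does not exist.
    run sysctl -w net.ipv4.ip_forward=1

    # Clean slate, default deny for traffic to and through the router.
    ipt -F
    ipt -X
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: packets with private source addresses never legitimately
    # arrive from the ISP side, so drop them before any ACCEPT rule can match.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        ipt -A INPUT -i "$WAN" -s "$net" -j DROP
        ipt -A FORWARD -i "$WAN" -s "$net" -j DROP
    done

    for lan in $LANS; do
        # Services the router offers to its own LANs: ssh, DHCP, ping.
        ipt -A INPUT -i "$lan" -p tcp --dport 22 -j ACCEPT
        ipt -A INPUT -i "$lan" -p udp --dport 67 -j ACCEPT
        ipt -A INPUT -i "$lan" -p icmp --icmp-type echo-request -j ACCEPT
        # New connections may go LAN -> Internet.  LAN -> LAN is deliberately
        # not opened here, so eth0 and eth1 stay separate segments; add
        # explicit "-i ethX -o ethY" rules if the two halves should talk.
        ipt -A FORWARD -i "$lan" -o "$WAN" -m state --state NEW -j ACCEPT
    done

    # Anything else trying to cross the router is logged (rate limited) and
    # then falls through to the DROP policy.
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "

    # NAT only the internal networks, only on the way out through the WAN.
    # MASQUERADE rather than SNAT because the modem address comes from DHCP.
    for net in $LAN_NETS; do
        ipt -t nat -A POSTROUTING -s "$net" -o "$WAN" -j MASQUERADE
    done
}

# dhcpd must listen on the internal interfaces only.  A dhcpd that also
# answers on $WAN hands out addresses on the ISP's network, which is exactly
# what Ben warns about above, so refuse to build such a command line.
dhcpd_cmd() {
    for i in $LANS; do
        if [ "$i" = "$WAN" ]; then
            echo "refusing to serve DHCP on WAN interface $WAN" >&2
            return 1
        fi
    done
    echo "/usr/sbin/dhcpd $LANS"
}

# Usage:  DRY_RUN=1 sh router-fw.sh apply   (preview the commands)
#         sh router-fw.sh apply             (as root on the router)
if [ "${1:-}" = "apply" ]; then
    build_rules && run $(dhcpd_cmd)
fi
```

Run it once with `DRY_RUN=1` and read the printed rules before running it for real; the printed list is also what you would paste into an /etc/init.d/firewall start() function, as Ben did with his script. The FORWARD policy is DROP and only LAN-to-WAN connections are opened, so two machines on eth0 and eth1 cannot reach each other until you add a rule for that pair, which is the point of keeping the wired and wireless halves on separate interfaces.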

----------

## uzik

http://www.freesco.org has a menu-configurable floppy-based Linux that does this. You might give it a whirl.

----------

## madmango

Yes, I was considering using freesco, but it only supports three NICs, and eventually I might hook up anywhere up to five.

----------

## uzik

I ended up using two freesco boxes. Since my wife and I play online games, we each need a different IP address at the same time. Worked out just fine for us.

----------

