# Creating a router!

## Negated Void

Hello!

I'm sorry not to look it up, but I couldn't find it easily and I need help with this (if I can't "know how to do it" in like two days, a certain relative will use Windows for it.. ewww).

I've got a box; let's assume it's got eth0 and eth1 both set up, eth0 is cable internet, eth1 is LAN.

How do I make this box into a router? I want it to serve DHCP and to allow port forwarding to individual computers on the network. It doesn't have to be anything enterprise-level; we're talking ten computers, with high load and an average of four hundred open connections.

That's for starters; future wants would be monitoring of the load (up and down) usage of all computers on the LAN, and anything else cool.

Thanks in advance,

-Murph

----------

## Kirigoe

hi,

The easiest way to set up a router like this is to use some kind of complete solution, instead of hacking away with iptables and whatnot. Even if you have the knowledge to set up something yourself, maybe someday other people need to be able to edit the setup, and then it's a lot easier with a nice web interface and easy settings.

I haven't tried any of these firewall solutions out, but I've heard good things about them:

http://www.astaro.com

http://www.smoothwall.org

http://www.clarkconnect.com

http://www.sentryfirewall.com

http://m0n0.ch/wall/index.php

hope it helps!

----------

## Negated Void

Sounds very good. Does anyone have experience with such things? A recommendation?

Thanks

----------

## zeky

 *Negated Void wrote:*   

> Sounds very good. Does anyone have experience with such things? A recommendation?

 

All you have to do is:

1) install the rp-pppoe client (for xDSL connections) [emerge rp-pppoe and then run the adsl-setup script]

2) install and configure a DHCP server (in order for your client machines to get an internal IP address) [emerge dhcp and configure /etc/dhcp/dhcpd.conf]

3) install and configure iptables so you can do NAT

For monitoring clients/connections, either use the graphical interface "ntop" or the console-based "iptraf".

That is all  :Smile: 

Have fun  :Wink: 

----------

## Negated Void

Is there a how-to or something on configuring iptables?

One issue is that the guy who's going to use the box knows *no* Linux, so it'd be good for him if there was some kind of web-based monitoring/setup ability, or I could teach him to ssh in, but that's harder.

-Matt

----------

## jonnymalm

I started off using Smoothwall. It works, has a great web interface, and some really nice features. However, what I did not like about it was that you are limited to what comes with it. I wanted to have complete control of snort and be able to install other programs whenever I wanted. If you want complete control, go with a Gentoo install and do it all manually. Yes, you may have a few sleepless nights trying to figure out iptables, but it is well worth it. That is just my 2 cents...

----------

## NeddySeagoon

Negated Void,

I like Smoothwall. It's made deliberately difficult to install other things on: the more you add, the more likely you are to mess up the security.

You can still add things and tweak the scripts if you want. If you google for the extras, you will even find sites that tell you how to do the modifications.

I've added S@H and ntp to mine and keep intending to add advert blocking.

----------

## krusty_ar

Shorewall is also a good alternative, with comprehensive examples.

----------

## funkmankey

The example in the Gentoo security guide has worked great for me on several different machines. Very understandable, easy to customize, and strong/secure by default.

http://www.gentoo.org/doc/en/gentoo-security.xml#doc_chap12_pre5

Although it is missing examples of PREROUTING rules for port forwarding, those are not too hard, e.g. something like

```
$IPTABLES -t nat -A PREROUTING -p tcp --dport http -i $EXTIF -j DNAT --to 192.168.0.15
```

would go right before the POSTROUTING rule.

----------

## ausmusj1

I would go with Shorewall, personally. Not web-based, but very easy to configure after one read through the documentation. Even I was able to get it working correctly...   :Laughing: 

----------

## Rip7

*With iptables:

```
# masquerade everything leaving the cable side (eth0) that came from the LAN
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
```

*Or you can use a transparent proxy: configure your proxy (for example squid) to use your internet connection (eth0) and use iptables to redirect all traffic going to port 80 to your proxy.

```
# rewrite LAN web traffic arriving on eth1 to the proxy on the router itself
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.1:8080
```

For DHCP, just emerge dhcpd and:

```
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.0.255;
option routers 192.168.0.1;
option domain-name-servers 195.130.130.130, 195.130.131.2;

subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.2 192.168.0.254;
}
```

This is my dhcpd.conf file; it assigns my PCs an IP address between 192.168.0.2 and 192.168.0.254.

-Option domain-name-servers: the DNS servers of your ISP.

-Option routers: the IP of eth1.

And in /etc/conf.d/dhcp you must set your iface (eth0).

I think that it would be time to have a sticky post in this forum with a how-to about this, because this is asked many, many times.

.....

Greetings Rip7 (steven.l@linux.be)

----------
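The pieces scattered over the posts above (the MASQUERADE rule and dhcpd.conf in Rip7's post, the PREROUTING/DNAT rule in funkmankey's) put together as one script. This is an added example, not code from the thread or from any of the products mentioned; the interface names, the 192.168.0.0/24 prefix, the resolver addresses and the three forwarded hosts are assumptions chosen for illustration. It generates the rules so they can be read before being applied, and adds the two things a first attempt usually forgets: enabling ip_forward, and a FORWARD-chain accept for each DNAT target, without which a DROP policy on FORWARD silently discards the forwarded packets. Filtering of traffic to the router itself (INPUT) is left to the Gentoo security guide rules linked above.

```shell
#!/bin/sh
# Added example, not code from the original thread. Generates (and, as root,
# applies) the iptables NAT/port-forwarding rules and a matching dhcpd.conf
# for a two-NIC box. Interface names, the LAN prefix, the resolver addresses
# and the forwarded hosts are assumptions chosen for illustration.

EXTIF=eth0                    # cable-modem side
INTIF=eth1                    # LAN side
LAN=192.168.0.0/24            # a /24 is assumed throughout
ROUTER_IP=192.168.0.1         # address of $INTIF, handed out as the gateway
DHCP_RANGE="192.168.0.100 192.168.0.200"
DNS="195.130.130.130, 195.130.131.2"   # constructed ISP resolver addresses
# proto:external-port:lan-host:lan-port, one entry per forwarded service
FORWARDS="tcp:80:192.168.0.15:80 tcp:22:192.168.0.20:22 udp:27015:192.168.0.30:27015"

# Print the iptables commands in the order they must be applied.
gen_nat_rules() {
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -F
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -s $LAN -j ACCEPT
EOF
    for f in $FORWARDS; do
        proto=${f%%:*};      rest=${f#*:}
        extport=${rest%%:*}; rest=${rest#*:}
        host=${rest%%:*};    lanport=${rest#*:}
        # DNAT alone is not enough: with FORWARD set to DROP the rewritten
        # packet is discarded unless FORWARD also accepts it for the new
        # destination (FORWARD sees the address after PREROUTING rewrote it).
        echo "iptables -t nat -A PREROUTING -i $EXTIF -p $proto --dport $extport -j DNAT --to-destination $host:$lanport"
        echo "iptables -A FORWARD -i $EXTIF -o $INTIF -p $proto -d $host --dport $lanport -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -t nat -A POSTROUTING -o $EXTIF -s $LAN -j MASQUERADE"
}

# Print a dhcpd.conf consistent with the variables above. The gateway and
# broadcast address are derived from the same LAN prefix so they cannot
# drift apart from the iptables rules.
gen_dhcpd_conf() {
    start=${DHCP_RANGE%% *}
    end=${DHCP_RANGE##* }
    cat <<EOF
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address ${LAN%.*}.255;
option routers $ROUTER_IP;
option domain-name-servers $DNS;

subnet ${LAN%/*} netmask 255.255.255.0 {
    range $start $end;
}
EOF
}

# Usage: sh router.sh        -> print the rules for review
#        sh router.sh apply  -> run them (needs root)
#        sh router.sh dhcp   -> print dhcpd.conf
case "$1" in
    apply) gen_nat_rules | sh ;;
    dhcp)  gen_dhcpd_conf ;;
    *)     gen_nat_rules ;;
esac
```

Two checks worth doing after applying it: `iptables -t nat -L -n -v` should show the DNAT entries before the MASQUERADE entry and their packet counters climbing when a connection comes in from outside, and `iptables -L FORWARD -n -v` should show the matching accept rule counting too; if only the DNAT counter moves, the FORWARD chain is dropping the traffic. The DHCP server must listen on the LAN interface only; answering DHCP on the cable side hands your addresses to the provider's segment.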

## Manco

I have a friend who worked on a project at work; he had to create a router and he used Smoothwall. He also recommended it to me because at the time I also needed a router. Anyway, I bought a hardware router.

----------

## dogghaus

One solution that I don't believe was mentioned is LEAF (Linux Embedded Appliance Firewall). I've been using the Bering version for three years (since it was still the Linux Router Project); it has never failed, and it runs on boxes most people throw away these days. I have a P133 with 32 MB of RAM, and that is overkill. It runs an ssh server, a web server for logging and intrusion alerts, and many other configurable options I do not use. Best of all, it does not need a hard drive, merely a floppy (or in my case, a CD that I compiled); it uses the Shorewall firewall too.

I use Checkpoint via an IDS box where I work, but since the IDS is a single point of failure I created a LEAF machine to replace it if it went down. A year ago it did; I put the LEAF machine in its place, and it worked great till the IDS people sent us another box.

Here is a link to the site; as I mentioned I recommend the Bering distro:

http://leaf.sourceforge.net/

----------

