Old 2008-04-18, 19:43   Link #41
SeijiSensei
AS Oji-kun
 
 
Join Date: Nov 2006
Age: 74
I browsed around to see what howtos are out there. A quick google search for "ubuntu gateway" turned up a number of items.

Here, in broad outline, is what will happen. I'm assuming your Internet connection arrives via a broadband modem or some other device with an ethernet connector.

First, if this machine is already connected to the Internet, run the following command as root or with sudo:

# /sbin/ifconfig

This will display your network interfaces. By default one of them will be called "lo" (the local interface, which is represented purely by software); the ethernet cards should appear as eth0 and eth1 (if you've already installed the new one).

If you've been using this machine to connect to the Internet, it should have your public IP address assigned to eth0. ifconfig should display something like this:

eth0 Link encap:Ethernet HWaddr 00:50:04:9E:898
inet addr:xx.xxx.xx.xx Bcast:xx.xxx.xx.255 Mask:255.255.255.0
inet6 addr: xxxxxxxxxxxxx/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:30222273 errors:4 dropped:0 overruns:0 frame:4
TX packets:36653670 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2888910808 (2.6 GiB) TX bytes:2364603806 (2.2 GiB)
Interrupt:169 Base address:0x4800

where the inet addr field will display your public IP address as assigned by your provider, probably via DHCP. Leave the configuration of this interface as it stands, and install the other network card.

Now you'll have an eth1 as well, but it won't be assigned an address. You should be able to use the NetworkManager tool in Ubuntu to configure eth1 statically. Use the following values:

addr: 192.168.1.1
netmask 255.255.255.0
broadcast 192.168.1.255

You won't need to specify a "default gateway" for eth1. It will be talking to your local network.

Now you'll need to enable packet forwarding, which is usually disabled by default. Edit the file /etc/sysctrl.conf and make sure you have

net.ipv4.ip_forward = 1

OK, now let's go to your sister's machine. Use the Windows Control Panel networking applets to assign the following IP address to your sister's ethernet connection:

addr: 192.168.1.10
netmask, broadcast same as above
default gateway: 192.168.1.1

This tells the Windows machine that other machines in 192.168.1.0-255 are local; all other traffic gets handed to the Linux router (the "default gateway") for further routing. In the boxes for DNS servers enter the values given by your provider. (A better solution is to run a "caching-nameserver" on the Linux box and point the internal machines at it. A Google search for "ubuntu caching nameserver" turned up some good instructions.)

You should now be able to ping the router from your sister's machine and vice versa. If you want to assign them symbolic names, you can add entries to /etc/hosts on the Linux box and the hosts file in the C:\Windows tree. For instance, if both machines have the entries

192.168.1.1 wk
192.168.1.10 sis

then you can use "wk" and "sis" to represent each machine rather than its address.

You're almost done. You'll need to add the ability for the router to perform "network address translation" so it will masquerade itself on behalf of the hosts behind it. You'll need to find the firewalling script (usually something like /etc/init.d/iptables) and add the following to it:

iptables -A INPUT -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to your.external.ip.address

The first rule accepts all packets coming in on eth1, the local network. The second allows forwarding of these packets outbound by the router. The third adds a rule to the "nat" table that performs "source NAT" on the outbound traffic, meaning the external address of the router is substituted for the source address of the outbound packets. (What about the reply traffic, you ask? It's handled by the fairly standard rule

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

This accepts reply traffic if it can be linked to an outbound request. Without this rule you wouldn't get any replies to things like requests for web pages.)

You might choose instead to use someone else's firewalling script; this one looks like a possibility.

You should now be able to browse the web from both the Linux box and your sister's machine. For information about using squid to manage web traffic, refer to the thread that Ledgem and I quoted above.

A good book on the topic of *nix networking is Craig Hunt's TCP/IP Network Administration available from O'Reilly. It's written for sysadmins and covers a wide range of subjects in a very clear manner. O'Reilly has a couple of other books specifically on home networking, but I think you can find answers to most of those questions by searching at Google.

Good luck!
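As an added example (not code from the post or from Ubuntu), here is the rule set above as a small dry-run script: it prints the iptables commands with the interface names as parameters, so swapping eth0 and eth1 is a one-line change, and it adds one FORWARD rule for reply traffic that the post leaves to the default policy. nat_rules, forwarding_enabled and the 198.51.100.7 address are assumed names and values.

```shell
#!/bin/sh
# Added example, not from the thread: print the NAT and forwarding rules the
# post describes, parameterised by interface.  WAN/LAN/EXTIP are assumed names.
# Dry run by design: review the output, then pipe it to sh as root to apply.

nat_rules() {
    wan=$1    # interface holding the ISP-assigned public address
    lan=$2    # interface on the 192.168.1.0/24 side
    extip=$3  # public address to stamp on outbound packets
    cat <<EOF
iptables -A INPUT -i $lan -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -j ACCEPT
# reply traffic for forwarded connections (not in the post; only matters if
# your FORWARD chain policy is DROP rather than the default ACCEPT)
iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -j SNAT --to $extip
EOF
}

# Sanity check before applying: with ip_forward at 0 the FORWARD rules never
# see a packet.  Returns 0 when /proc reports 1.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Demo with constructed values; 198.51.100.7 is a documentation address
# standing in for the real ISP-assigned one.
if [ "${1:-}" = "--demo" ]; then
    nat_rules eth0 eth1 198.51.100.7
    forwarding_enabled || echo "# warning: ip_forward is 0" >&2
fi
```

Run it as `sh nat-rules.sh --demo` to see the generated rules; reverse the first two arguments if, as later in this thread, eth1 is the Internet-facing card.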
Old 2008-04-18, 19:55   Link #42
WanderingKnight
Gregory House
*IT Support
 
 
Join Date: Jun 2006
Location: Buenos Aires, Argentina
Age: 35
A quick question: you specify the eth1 device's internal address as 192.168.1.1, but I'm using eth1 for my Internet connection and eth0 is the one unused (weird, yes, but that's the way I have it set up). It's not a hassle to swap it, but anyway, I wanted to know whether, if I'm using eth0, I should change that address... should I change the first 1 to 0?

I'll try what you posted here tomorrow. Thanks for the heads up!
__________________


Place them in a box until a quieter time | Lights down, you up and die.
Old 2008-04-19, 08:00   Link #43
SeijiSensei
AS Oji-kun
 
 
Join Date: Nov 2006
Age: 74
No, you don't need to swap them, but you'll need to reverse them in the firewalling rules I gave. I usually make the eth0 interface the outward-facing one, but that's just personal convention.

One other thing I saw re-reading my earlier posting. If you change the ip_forward value in sysctrl.conf but don't reboot, the kernel won't see the change. To change it on the fly use the command as root:

echo '1' > /proc/sys/net/ipv4/ip_forward

which sets the same parameter by brute force.
Old 2008-04-19, 13:19   Link #44
WanderingKnight
Gregory House
*IT Support
 
 
Join Date: Jun 2006
Location: Buenos Aires, Argentina
Age: 35
Okay, so they asked me to set up the Debian machine first. I configured all of that machine's eth0 addresses using ifconfig and the same instructions that you gave, but I can't seem to find a way to configure the DNS servers (I've googled around but can't find anything not written in heavy networking-speak)... and I can't ping the machine. I'm a bit lost here, and this is pretty new to me. I'd install network-manager on the Debian box, but it would mean either hunting manually for all the dependencies, or unplugging the thing and plugging it in near my broadband modem.

Note: There is no router in the middle of any of the connections, only the network switch.

EDIT: Whoa, I found a problem with network-admin in the Ubuntu box: it doesn't let me choose a broadcast address, I just did it on a whim and didn't really pay attention to what the boxes said (the third one was Default Gateway). I'll try with ifconfig manually and then post the results.

EDIT 2: YAY! IT WORKS! Now I only need to know how to change the Debian box's DNS server settings... should I manually edit the /etc/resolv.conf file? (<-- never mind that... since I had already plugged it into the modem when I was installing and configuring the box, resolv.conf says the same as the Ubuntu box... does it mean it's already configured?).

Last edited by WanderingKnight; 2008-04-19 at 13:33.
Old 2008-04-19, 13:36   Link #45
SeijiSensei
AS Oji-kun
 
 
Join Date: Nov 2006
Age: 74
That's the easiest way. You'll just need a couple of nameserver records:

nameserver your.isp.dns.srv
nameserver your.isp.dns.othersrv
Old 2008-04-19, 13:53   Link #46
WanderingKnight
Gregory House
*IT Support
 
 
Join Date: Jun 2006
Location: Buenos Aires, Argentina
Age: 35
Code:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to your.external.ip.address
When I swap it for eth1 (to accommodate my NIC setup) it leaves me without a connection.

By the way, I've applied this general iptables script since Ubuntu doesn't seem to have any (and I've added the forwarded ports I have for BT). I've followed all of your instructions until that last bit (including the final iptables rule) and the Debian box doesn't get any connection (ping brings up an "unknown host" error). Both machines can still be pinged though.
Old 2008-04-19, 14:06   Link #47
WanderingKnight
Gregory House
*IT Support
 
 
Join Date: Jun 2006
Location: Buenos Aires, Argentina
Age: 35
Okay, I discovered a rule I had incorrectly typed (forgot to swap one "eth0" for "eth1"), so I tried again, and everything goes smoothly, including that nat table rule, but I still get no connection from the Debian box.
Old 2008-04-19, 15:06   Link #48
WanderingKnight
Gregory House
*IT Support
 
 
Join Date: Jun 2006
Location: Buenos Aires, Argentina
Age: 35
Scratch all that, it's a huge SUCCESS! For some reason, the forwarding rules weren't properly working, even when I brute-forced it to 1 (and yes, I checked the file).

To check on this last bit, there's a doubt I have:

Ubuntu actually doesn't have a /etc/sysctrl.conf file--its name is sysctl.conf. Now, that wouldn't be much of an issue, but the rule to allow IPv4 forwarding is actually named "net.ipv4.conf.default.forwarding". I had that manually set to 1; however, on reboot, /proc/sys/net/ipv4/ip_forward was set to 0... which is something I don't quite understand.

Anyways, thanks for the help! I'll see about setting it to 1 with a startup script in case I don't find any way to do it with a conf file. Tomorrow I will probably look into the Windows machine, since I've got to go to work in an hour or so.
Old 2008-04-20, 18:21   Link #49
SeijiSensei
AS Oji-kun
 
 
Join Date: Nov 2006
Age: 74
Ah, Google! Ever the friend of the puzzled sysadmin:
http://www.google.com/search?q=net.i...ult.forwarding

Looks like an Ubuntu bug:
https://bugs.launchpad.net/ubuntu/+s...cps/+bug/84537

You can solve the problem by adding that "brute-force" command to /etc/rc.local. That file is usually the last startup script to run at boot.

And, yes, I did spell sysctl.conf wrong. Sorry!

Glad to hear you got things working for your mom's machine. I always feel quite rewarded when all the various little pieces fall into place and suddenly everything starts working as advertised.
Old 2008-06-04, 10:13   Link #50
WanderingKnight
Gregory House
*IT Support
 
 
Join Date: Jun 2006
Location: Buenos Aires, Argentina
Age: 35
I have a question regarding this:

I have a small iptables script added to init.d in order to open all the ports I need at startup, but I have a problem with the postrouting rule:

Quote:
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to ip-address
The problem is that DHCP changes my IP address when the modem is disconnected, or as it happened to me yesterday, after a long while. Is there a way to set the current IP address as an environmental variable and call it on that line instead of manually having to change it every time?
Old 2008-06-04, 11:22   Link #51
SeijiSensei
AS Oji-kun
 
 
Join Date: Nov 2006
Age: 74
Code:
IPADDR=`/sbin/ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | awk -F: '{print $2}'`
Note the use of the backtick operator (`); it's on the same key as the tilde (~). This tells the shell to treat the result of the enclosed command as a string. The command itself first asks ifconfig to report on eth0, then looks for the address line with grep, then uses awk twice to extract the address. awk tokenizes a line of text; by default it uses the space character, but you can specify a delimiter with the -F option as I do in the second instance. The result is stored in IPADDR.

Replace eth0 with eth1 if your Internet-facing interface occupies eth1.

Here's an example of how this works:

"ifconfig eth0 | grep 'inet addr'" returns "inet addr:1.2.3.4 Bcast:1.2.3.255 Mask:255.255.255.0"

Breaking this up with awk assigns "inet" to $1 and "addr:1.2.3.4" to $2, so we take just this item, split it again with ":" and get the address.

The shell is a wondrous thing of beauty. grep, awk, and sed are some of the most useful Unix utilities I know. I probably grep for something almost every day. awk/sed are more useful in scripts, but I'll run them on the command line at times as well. Once you learn the basic Unix notion of piping, it's really easy to build incredibly complex commands by piping text through filters like grep, awk, and sed.

BTW: Could you add "firewall" to the tag list for this thread? I've used my two already.

Last edited by SeijiSensei; 2008-06-04 at 11:32.
Old 2008-06-04, 11:47   Link #52
WanderingKnight
Gregory House
*IT Support
 
 
Join Date: Jun 2006
Location: Buenos Aires, Argentina
Age: 35
Yes, I was thinking about grepping the output of ifconfig, but I never really sat down to learn how awk works. Guess I'll have to do that sooner or later.

So, the final command would be something like this, then?

Code:
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to $IPADDR
Old 2008-06-04, 12:27   Link #53
SeijiSensei
AS Oji-kun
 
 
Join Date: Nov 2006
Age: 74
Yes, though you'll have to be careful about the order in which the init scripts are executed.

For instance, RedHat-flavored machines run the firewalling rules before the network is initialized for security reasons. I'd suspect most distributions do the same. Unfortunately for you that means the iptables script might run before the addresses are set. If you're running the NAT stuff yourself in a script like /etc/rc.local, then you just need to add the IPADDR= line to that script above the iptables command that uses $IPADDR. If you're relying on the standard startup scripts, you might need to reorder the sequence in which the scripts are executed so the network is started before the iptables rules are applied. That opens a teeny little window into the machine, but we're talking about at most a second or two if you place the scripts in close proximity during the startup sequence.

I put off learning about all those commands for a while, too. Then one day I decided to see what awk was for and realized it resolved a lot of problems with extracting information from text files like logs.
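An added example (not code from either poster) that ties together the IPADDR pipeline from the reply above and the init-order caveat in this one: it extracts the address with the same grep/awk pipeline, but builds the SNAT rule only when an address was actually found, and can poll the interface until DHCP has delivered one. extract_ipaddr, snat_rule, wait_for_addr and the sample ifconfig text are assumed names and constructed data.

```shell
#!/bin/sh
# Added example, not from the thread: extract the WAN address with the post's
# grep/awk pipeline, then build the SNAT rule only if an address was found,
# so a script that runs before DHCP has finished cannot emit a broken rule.

# The post's pipeline, reading ifconfig text from stdin so it can be run on
# captured output as well as on a live interface.
extract_ipaddr() {
    grep 'inet addr' | awk '{print $2}' | awk -F: '{print $2}'
}

# Fail (non-zero) rather than print "--to " with nothing after it, which is
# what an empty $IPADDR would do in the rule quoted above.
snat_rule() {
    iface=$1
    addr=$2
    [ -n "$addr" ] || return 1
    echo "iptables -t nat -A POSTROUTING -o $iface -j SNAT --to $addr"
}

# Poll the interface for up to $2 seconds (default 30) so the rule can be
# added from rc.local even when the address arrives a little later.
wait_for_addr() {
    iface=$1
    tries=${2:-30}
    while [ "$tries" -gt 0 ]; do
        addr=$(/sbin/ifconfig "$iface" 2>/dev/null | extract_ipaddr)
        if [ -n "$addr" ]; then
            echo "$addr"
            return 0
        fi
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# Constructed sample in the old net-tools format quoted earlier in the thread
# (1.2.3.4 is the address used in the post's own walk-through).
SAMPLE='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:1.2.3.4  Bcast:1.2.3.255  Mask:255.255.255.0
          inet6 addr: fe80::211:22ff:fe33:4455/64 Scope:Link'

# Demo on the sample.  Real use from rc.local:
#   IPADDR=$(wait_for_addr eth1) && snat_rule eth1 "$IPADDR" | sh
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | extract_ipaddr
fi
```

Newer net-tools print `inet 1.2.3.4` without the `addr:` prefix, so on such systems the pipeline yields nothing and snat_rule refuses to run rather than installing a half-formed rule; `ip -4 addr show dev eth1` is the current source for the same information.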
Tags
firewall, linux, router