November 2009

How to configure a Linux router

Here are the tips to configure a Linux box as a router for sharing an internet connection. I use Red Hat 8 on an Intel Pentium III with 128MB RAM; the system is configured for around 25 internet users on an unlimited 384Kbps broadband connection. I use NAT with iptables to share the connection, and I have two scripts.

The scripts are very simple, and I have two of them for routing. First of all, we have to enable routing on the Linux box:
#echo 1 > /proc/sys/net/ipv4/ip_forward
Check whether it is set or not:
#cat /proc/sys/net/ipv4/ip_forward
This should return 1.

Add the same command to /etc/rc.local so routing is enabled on each boot (single quotes keep the inner redirection from being interpreted by the outer shell):
echo 'echo 1 > /proc/sys/net/ipv4/ip_forward' >> /etc/rc.local

I assume that your modem/ADSL router is configured in bridge mode and can get an internet connection when a static IP is assigned directly to a desktop.

Script 1

#!/bin/bash
# eth0 is connected to the internet through a bridged modem/router
# flush old rules in both tables so re-running the script does not duplicate them
/sbin/iptables -F
/sbin/iptables -F -t nat
# share the connection: masquerade everything leaving through eth0
/sbin/iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
# accept loopback and replies to connections the router itself started (DNS, updates)
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ssh to the router only from these two LAN hosts
/sbin/iptables -A INPUT -s 192.168.0.136 -p tcp --dport ssh -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.0.1 -p tcp --dport ssh -j ACCEPT
# uncomment to let the LAN reach a squid proxy running on this box (see Script 2)
#/sbin/iptables -A INPUT -s 192.168.0.1/24 -p tcp --dport 3128 -j ACCEPT
# drop everything else addressed to the router itself
/sbin/iptables -A INPUT -j DROP

This will update the firewall, and now we need to save the iptables rules so they survive a reboot:
#service iptables save
#chkconfig iptables on

That's it.

Script 2
This is for advanced users; it gives full control over the HTTP traffic from the router system. It is commonly called a transparent proxy, using Squid.

A. We need to have the Squid proxy installed on the router.
Execute the commands as follows:

#yum install squid
#chkconfig squid on
#squid -z

squid -z creates the cache directories.

# service squid start

#vi /etc/squid/squid.conf

Add the following lines to the file. The LAN is assumed to be the 192.168.0.0/24 network.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.0.0/255.255.255.0
acl blockeddomain dstdomain "/etc/squid/blocked.domains.acl"
# http_access lines are checked top to bottom and the first match wins, so the
# deny must come before the LAN allow, and all of these must sit above any
# existing "http_access deny all" line in squid.conf
http_access allow localhost
http_access deny blockeddomain
http_access allow lan
# /etc/squid/blocked.domains.acl contains the blocked domain list, one domain per line
Save and restart Squid:

# service squid restart
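Squid evaluates http_access lines top to bottom and the first match wins, so the relative order of "allow lan" and "deny blockeddomain" decides whether LAN users can still reach the blocked domains. The following simulator of that evaluation is an added example, not part of the original post; the blocked-domain entries are constructed.

```python
# Added example: a minimal model of Squid's http_access evaluation used to
# compare the two possible orderings of the page's rules.
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/255.255.255.0")
# Constructed sample entries for /etc/squid/blocked.domains.acl
BLOCKED_DOMAINS = {"example.org", ".badsite.test"}

def acl_matches(acl, client_ip, host):
    """Evaluate one named ACL as the page's squid.conf defines it."""
    if acl == "localhost":
        return client_ip == "127.0.0.1"
    if acl == "lan":
        return ipaddress.ip_address(client_ip) in LAN
    if acl == "blockeddomain":
        # dstdomain: exact name, or a leading-dot entry also matches subdomains
        for entry in BLOCKED_DOMAINS:
            if entry.startswith("."):
                if host == entry[1:] or host.endswith(entry):
                    return True
            elif host == entry:
                return True
        return False
    raise ValueError(f"unknown acl {acl}")

def http_access(rules, client_ip, host):
    """Return 'allow' or 'deny' from the first matching rule; if nothing
    matches, Squid's default is the opposite of the last rule's action."""
    for action, acl in rules:
        if acl_matches(acl, client_ip, host):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# LAN allowed before the deny is reached: blocked list has no effect on LAN hosts
ALLOW_FIRST = [("allow", "localhost"), ("allow", "lan"), ("deny", "blockeddomain")]
# Deny checked first, then the LAN is allowed
DENY_FIRST = [("allow", "localhost"), ("deny", "blockeddomain"), ("allow", "lan")]

if __name__ == "__main__":
    for name, rules in (("allow first", ALLOW_FIRST), ("deny first", DENY_FIRST)):
        print(name, "192.168.0.136 -> example.org:",
              http_access(rules, "192.168.0.136", "example.org"))
```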

B. Set up the routing script

#vi /etc/fw-proxy.sh

and add the following lines:

#!/bin/sh
# squid server IP (the router's own LAN address if Squid runs on the router)
SQUID_SERVER="192.168.0.9"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow replies to the router's own outbound traffic (UDP, DNS, passive FTP)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for the rest of the LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# only replies to LAN-initiated connections may be forwarded back in from the Internet
iptables -A FORWARD -i $INTERNET -o $LAN_IN -m state --state ESTABLISHED,RELATED -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to-destination $SQUID_SERVER:$SQUID_PORT
# if squid runs on this same system, REDIRECT to the local port can replace the DNAT rule above
#iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
# DROP everything else and log it
#iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Save and execute the script:

# sh /etc/fw-proxy.sh && service iptables save

Reboot the server, configure the router's LAN IP as the gateway on each client desktop, and use a valid DNS server to resolve names. The best way to check connectivity is to ping a public IP.
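Once the rules are saved, it is worth checking that what is actually loaded matches what the scripts set out to do. The audit below is an added example, not part of the original post: it parses iptables-save output for the NAT, transparent-proxy and default-policy properties this page relies on, and flags a REDIRECT rule on the Internet-facing interface and a FORWARD chain left at ACCEPT. The dump is constructed, not captured from a real router.

```python
# Constructed sample of `iptables-save` output on a router with eth0 = Internet,
# eth1 = LAN and Squid on 192.168.0.9:3128 (not captured from a real system).
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.9:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
COMMIT
"""

def parse_dump(text):
    """Return ({table: {chain: policy}}, {table: [rule lines]})."""
    policies, rules, table = {}, {}, None
    for line in text.splitlines():
        if line.startswith("*"):                 # table header, e.g. *nat
            table = line[1:]
            policies[table], rules[table] = {}, []
        elif line.startswith(":"):               # chain header with its policy
            chain, policy = line[1:].split()[:2]
            policies[table][chain] = policy
        elif line.startswith("-A"):              # one appended rule
            rules[table].append(line)
    return policies, rules

def audit(text, internet="eth0", lan="eth1", squid_port="3128"):
    """Return a list of findings; empty means the dump matches the page's intent."""
    pol, rules = parse_dump(text)
    nat, flt, findings = rules.get("nat", []), pol.get("filter", {}), []
    if not any(f"-o {internet} " in r and r.endswith("-j MASQUERADE") for r in nat):
        findings.append("no MASQUERADE on the Internet interface")
    if not any(r.startswith("-A PREROUTING") and f"-i {lan} " in r and "--dport 80 " in r and f":{squid_port}" in r for r in nat):
        findings.append("LAN port-80 traffic is not sent to Squid")
    if any(r.startswith("-A PREROUTING") and f"-i {internet} " in r and "-j REDIRECT" in r for r in nat):
        findings.append("REDIRECT on the Internet interface aims inbound port 80 at Squid")
    if flt.get("INPUT") != "DROP":
        findings.append("INPUT policy is not DROP")
    if flt.get("FORWARD") != "DROP":
        findings.append("FORWARD policy is not DROP, so unsolicited inbound forwarding is allowed")
    return findings
```

On a live router the same check runs over the real output: `audit(subprocess.check_output(["iptables-save"], text=True))`.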

Please note: if you are not very familiar with Linux commands, I suggest two alternatives.

1. Try pfSense (http://www.pfsense.com). It is a great FreeBSD-based router with a kernel compiled specifically for routing. I found a tremendous performance difference compared with a normal Linux router. I will add a how-to about this on my blog later.

2. Buy a cheap, efficient router (http://www.cisco.com/en/US/products/ps9925/index.html). I recommend the "Cisco RV042 4-port 10/100 VPN Router – Dual WAN". It is easy to configure and manage, and costs around INR 8500/-. It is suitable for a company with around 70-90 users sharing a common internet gateway. It comes with load balancing and failover features. It is very good if there are many web users, but load balancing causes SSH connections to break after reaching the idle time.
