Debian linux router

Recently I've used Debian 7 (Wheezy) as the router for my home network. I'll try to cover most aspects of setting up Debian Linux as a router for those who want to do a similar setup; although this tutorial is specifically for Debian 7 (Wheezy), it also applies to other Linux distributions.

Objective:
Build a Debian Linux router that provides wireless (WiFi) internet throughout the home while controlling, caching, logging and monitoring internet traffic with Linux tools. In short: a wireless network with the flexibility of Linux.

Hardware used:

  • Computer with Debian 7 (Wheezy) installed: you don't need a powerful computer to make a router, a basic old computer is enough, although higher specifications are always better. For example, if you run a local proxy (see below) you may need a faster computer to handle the requests and enough disk space for the cache and logs, so judge your own needs: try an old computer you have, and if it works fine, that's it.
  • 2 (or more) Ethernet network cards: either built-in cards (attached directly to the motherboard) or USB based. The primary Ethernet card (connected to the internet) will be eth0. I used one built-in Ethernet card (eth0) and one USB Ethernet card (eth1); you can use more than 2.
  • ADSL modem/router or direct internet cable: whatever you got from your internet service provider. It's OK to leave its router functionality active, but disable its WiFi so that requests are served through Debian from the other WiFi router (the access point).
  • Wireless router: it is not really used as a router (routing is done by Debian); we'll use it as an access point (disable its routing feature). It broadcasts WiFi and forwards all traffic from joining clients to Debian. I'll refer to it in this post as AB.



Software used:

  • ISC DHCP server: assigns IP addresses to connected clients (PCs, phones, tablets, etc.). Install it with: aptitude install isc-dhcp-server
  • iptables: used to forward requests between the Ethernet cards (local wireless network and internet).
  • bind (optional): caches and forwards DNS requests from the local network. Install it with: aptitude install bind9
  • squid3 (optional): caching and proxy server; it can be used for many purposes, but we'll use it as a caching server (caching static files for faster browsing). Install it with: aptitude install squid3
  • vnstat (optional): records and displays useful statistics about the download/upload traffic passing through our Debian router. Install it with: aptitude install vnstat


Procedure:

  1. Connect the ADSL modem/router (or the internet cable) to the primary Ethernet card (eth0, for example).
  2. The wireless router MUST be set up as an access point with the IP address 10.5.5.5.
  3. Connect the computer to the wireless router (AB).
  4. Test the Debian router for internet connectivity, for example with: ping -c 3 google.com  If the ping is not successful, troubleshoot your internet connection: connect the ADSL or internet cable to another computer and make sure that computer can reach the internet. If only the Debian router isn't connected to the internet, try swapping the cables: connect the internet cable to eth1 and AB to eth0.
  5. Edit /etc/network/interfaces and make sure it looks like the following:
    # This file describes the network interfaces available on your system
    # and how to activate them. For more information, see interfaces(5).
    
    # automatically start the following interfaces:
    auto lo eth0 eth1
    
    # The loopback network interface:
    iface lo inet loopback
    
    # The primary network interface:
    allow-hotplug eth0 eth1
    
    # primary ethernet (connected to the internet); the default route
    # comes from the DHCP lease on this interface
    iface eth0 inet dhcp
    
    # secondary ethernet (connected to the local side); no gateway line here,
    # a gateway pointing at eth1's own address would add a second default route
    iface eth1 inet static
     address 10.5.5.1
     netmask 255.255.255.0
     network 10.5.5.0
     broadcast 10.5.5.255
    
    

  6. Edit /etc/bind/named.conf.options so it looks like the following (note that comments were stripped):

    options {
     directory "/var/cache/bind";
    
     // ask the forwarders first, resolve directly only if they fail
     forward first;
     forwarders {
       8.8.8.8;
       8.8.4.4;
      };
    
      dnssec-validation no;
    
     auth-nxdomain no;
     
     // answer only on loopback and the local side, never on eth0
     listen-on { 127.0.0.1; 10.5.5.1; };
     listen-on-v6 { none; };
    };
    
    This uses Google's public DNS servers as forwarders; change them to your ISP's DNS servers, which are believed to be faster.

  7. Edit /etc/dhcp/dhcpd.conf so it looks like the following (some comments stripped):

    #
    # Sample configuration file for ISC dhcpd for Debian
    #
    # Before starting the server, also set INTERFACES="eth1" in
    # /etc/default/isc-dhcp-server so that dhcpd serves only the local side.
    
    # The ddns-updates-style parameter controls whether or not the server will
    # attempt to do a DNS update when a lease is confirmed. We default to the
    # behavior of the version 2 packages ('none', since DHCP v2 didn't
    # have support for DDNS.)
    ddns-update-style none;
    
    
    default-lease-time 600;
    max-lease-time 7200;
    
    
    # This is the official DHCP server for the local network, so the
    # authoritative directive should be uncommented.
    authoritative;
    
    # Use this to send dhcp log messages to a different log file (you also
    # have to hack syslog.conf to complete the redirection).
    log-facility local7;
    
    
    ######################
    # internal network
    ######################
    subnet 10.5.5.0 netmask 255.255.255.0 {
      range 10.5.5.11 10.5.5.33;
      option domain-name-servers 10.5.5.1;
      option routers 10.5.5.1;
      option broadcast-address 10.5.5.255;
      default-lease-time 600;
      max-lease-time 7200;
    }
    
    
    # the wireless router needs the fixed ip address 10.5.5.5;
    # replace 00:00:00:00:00:00 with its hardware (MAC) address
    host router {
      hardware ethernet 00:00:00:00:00:00;
      fixed-address 10.5.5.5;
    }
    
    



  8. Edit /etc/squid3/squid.conf
    Squid has many options and configuring them is beyond this tutorial. Since we are mainly concerned with caching, we set the disk cache to 7 GB:

    # these two acls are built in from Squid 3.2 on, but the 3.1 shipped with
    # Wheezy needs them declared before they are used below
    acl manager proto cache_object
    acl localhost src 127.0.0.1/32 ::1
    
    acl localnet src 10.5.5.0/24 # RFC1918 possible internal network
    
    acl SSL_ports port 443
    acl Safe_ports port 80  # http
    acl Safe_ports port 21  # ftp
    acl Safe_ports port 443  # https
    acl Safe_ports port 70  # gopher
    acl Safe_ports port 210  # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280  # http-mgmt
    acl Safe_ports port 488  # gss-http
    acl Safe_ports port 591  # filemaker
    acl Safe_ports port 777  # multiling http
    acl CONNECT method CONNECT
    
    # Deny requests to certain unsafe ports
    http_access deny !Safe_ports
    
    # Deny CONNECT to other than secure SSL ports
    http_access deny CONNECT !SSL_ports
    
    # Only allow cachemgr access from localhost
    http_access allow localhost manager
    http_access deny manager
    
    # one who can access services on "localhost" is a local user
    #http_access deny to_localhost
    
    # from where browsing should be allowed
    http_access allow localnet
    
    # And finally deny all other access to this proxy
    http_access deny all
    
    # Squid normally listens on port 3128; "intercept" makes it accept the
    # connections redirected by the iptables nat rules below, and binding to
    # 10.5.5.1 keeps the proxy port off the internet side
    http_port 10.5.5.1:3128 intercept
    
    
    # Uncomment and adjust the following to add a disk cache directory. 7168 MB = 7 GB, feel free to increase it
    cache_dir ufs /var/cache/squid3 7168 16 256
    
    
    # Leave coredumps in the first cache dir
    coredump_dir /var/cache/squid3
    
    
    #
    # Add any of your own refresh_pattern entries above these.
    #
    refresh_pattern ^ftp:  1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern .  0 20% 4320
    
    



  9. iptables rules:
    The following rules are suitable for a router. Basically we allow forwarding traffic between the two Ethernet cards and send web traffic through the router's squid proxy server (port 3128). Note that the filter table is empty and quite permissive (which I don't recommend); you may want to restrict access to the local network and to the router to certain services/IP addresses.

    *filter
    :INPUT ACCEPT
    :FORWARD ACCEPT
    :OUTPUT ACCEPT
    COMMIT
    
    
    *nat
    :PREROUTING ACCEPT
    :INPUT ACCEPT
    :OUTPUT ACCEPT
    :POSTROUTING ACCEPT
    # web traffic from the local side goes to squid; only port 80 is redirected,
    # squid's intercept port cannot handle https or other protocols
    -A PREROUTING -s 10.5.5.0/24 -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
    # the router's own web traffic too, except what squid itself sends out
    # (uid 13 is the "proxy" user), which must not be redirected back into squid
    -A OUTPUT -s 10.5.5.0/24 -p tcp -m owner ! --uid-owner 13 -m tcp --dport 80 -j REDIRECT --to-ports 3128
    # everything leaving towards the internet gets the eth0 address as source
    -A POSTROUTING -o eth0 -j MASQUERADE
    COMMIT
    
    
    *mangle
    :PREROUTING ACCEPT
    :INPUT ACCEPT
    :FORWARD ACCEPT
    :OUTPUT ACCEPT
    :POSTROUTING ACCEPT
    COMMIT
    
    


    Save the content to a file, for example /etc/iptables-router.rules, then make the rules persist across reboots by creating two scripts: one that runs before an interface is brought up and another that runs after it goes down.
    New file /etc/network/if-pre-up.d/router.up:

    #! /bin/sh
    # load the saved rule set before the interface comes up
    iptables-restore -c < /etc/iptables-router.rules
    
    exit 0
    

    Make it executable:
    chmod +x /etc/network/if-pre-up.d/router.up

    New file /etc/network/if-post-down.d/router.down:

    #! /bin/sh
    # save the running rule set when the interface goes down, so that changes
    # made with iptables at run time survive the next boot
    iptables-save -c > /etc/iptables-router.rules
    
    exit 0
    

    Make it executable:
    chmod +x /etc/network/if-post-down.d/router.down
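
    The *filter section above accepts everything. As an added example (not from the original post), here is a restrictive replacement for that section only; the *nat and *mangle sections stay as they are. It assumes the addresses used throughout this post (eth0 on the internet side, eth1 with 10.5.5.0/24 on the local side) and that the router is managed over ssh from the local network.

```text
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections the router itself opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# a packet from the internet side carrying a local-side source address is spoofed
-A INPUT -i eth0 -s 10.5.5.0/24 -j DROP
# services the router offers to the local side only: DHCP, DNS, the squid
# intercept port and ssh (DHCP requests come from 0.0.0.0, so that rule
# must not filter on the source address)
-A INPUT -i eth1 -p udp --dport 67 -j ACCEPT
-A INPUT -i eth1 -s 10.5.5.0/24 -p udp --dport 53 -j ACCEPT
-A INPUT -i eth1 -s 10.5.5.0/24 -p tcp --dport 53 -j ACCEPT
-A INPUT -i eth1 -s 10.5.5.0/24 -p tcp --dport 3128 -j ACCEPT
-A INPUT -i eth1 -s 10.5.5.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -s 10.5.5.0/24 -p icmp -j ACCEPT
# the local side may open connections to the internet; the internet may only answer
-A FORWARD -i eth1 -o eth0 -s 10.5.5.0/24 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
```

    Load it with iptables-restore from a LAN session first; with the INPUT policy set to DROP, a mistake in these rules locks out ssh from the internet side as well as anything else not listed.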


  10. Edit /etc/sysctl.conf and make sure it contains the following lines:


    # Uncomment the next two lines to enable Spoof protection (reverse-path filter)
    # Turn on Source Address Verification in all interfaces to
    # prevent some spoofing attacks
    net.ipv4.conf.default.rp_filter=1
    net.ipv4.conf.all.rp_filter=1
    
    # Uncomment the next line to enable packet forwarding for IPv4
    net.ipv4.ip_forward=1
    
    
    This enables IPv4 packet forwarding, which a router needs, and turns on the reverse-path filter described in the comments.
  11. Reboot Debian:
    reboot
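
    After the reboot it is worth confirming that every piece is in place. The following script is an added example, not part of the original post: each check takes the command output it inspects as an argument, so the checks can be exercised on captured text, and "./check-router.sh --live" runs them on the router itself (as root, with net-tools installed for netstat). The 10.5.5.1 and eth0 values are the ones used throughout this post.

```shell
#!/bin/sh
# check-router.sh: sanity check for the router built above (added example).

LAN_IP=10.5.5.1   # eth1 address from the interfaces file
WAN_IF=eth0       # interface facing the internet

# $1 = contents of /proc/sys/net/ipv4/ip_forward
forwarding_enabled() { [ "$1" = 1 ]; }

# $1 = output of "iptables-save -t nat": both the port-80 redirect into squid
# and the masquerade on the internet side must be present.
nat_rules_present() {
    printf '%s\n' "$1" | grep -q -e '--dport 80 .*-j REDIRECT --to-ports 3128' &&
    printf '%s\n' "$1" | grep -q -e "-o $WAN_IF -j MASQUERADE"
}

# $1 = output of "netstat -lntu", $2 = tcp|udp, $3 = local addr:port.
# Succeeds when a socket of that protocol listens exactly on that address.
listening_on() {
    printf '%s\n' "$1" |
        awk -v p="$2" -v a="$3" '$1 == p && $4 == a { f = 1 } END { exit f ? 0 : 1 }'
}

# With the permissive INPUT policy from step 9, anything bound to 0.0.0.0 or
# ::: is reachable from the internet side too. DHCP (udp/67) has to bind that
# way; every other such socket is printed for review.
exposed_listeners() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^(tcp|udp)/ && $4 ~ /^(0\.0\.0\.0|:::)/ && $4 !~ /:67$/ { print $1, $4 }'
}

if [ "$1" = "--live" ]; then
    NS=$(netstat -lntu)
    forwarding_enabled "$(cat /proc/sys/net/ipv4/ip_forward)" && echo "ok: ip_forward" || echo "FAIL: ip_forward is off"
    nat_rules_present "$(iptables-save -t nat)" && echo "ok: nat rules" || echo "FAIL: nat rules missing"
    for s in "tcp $LAN_IP:53" "udp $LAN_IP:53" "tcp $LAN_IP:3128" "udp 0.0.0.0:67"; do
        # $s is left unquoted on purpose so it splits into protocol and address
        listening_on "$NS" $s && echo "ok: $s" || echo "FAIL: nothing listening on $s"
    done
    echo "sockets also reachable from $WAN_IF (review against the filter table):"
    exposed_listeners "$NS"
fi
```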

Debian as a router will now be up and running. I know this post is far from complete; I hope to add to it when I have free time.

---------
cheers