I recently set up Debian 7 (Wheezy) as the router for my home network. I'll try to cover most aspects of setting up Debian Linux as a router for those who would like a similar setup; although this tutorial is written specifically for Debian 7 (Wheezy), it also applies to other Linux distributions.
Objective:
Build a Debian Linux router that provides wireless (WiFi) internet throughout the home while controlling, caching, logging and monitoring internet traffic with standard Linux tools; in simple words, a wireless network with the flexibility of Linux.
Hardware used:
- Computer with Debian 7 (Wheezy) installed: you don't need a powerful computer to make it a router, a basic old computer is enough, although higher specifications are always better. For example, if you run a local proxy (see below) you may need a better computer to handle the requests, enough disk space for logs, etc. You are the best judge of your own needs: try an old computer you have, and if it works fine, that's it.
- 2 (or more) Ethernet network cards: either built-in cards (attached directly to the motherboard) or USB based. The primary Ethernet card (connected to the internet) will be assigned eth0. I used 2 Ethernet cards, one built-in card (eth0) and one USB Ethernet card (eth1); you can use more than 2.
- ADSL modem/router or direct internet cable: whatever you got from your internet service provider. It's OK to leave its router functionality active, but disable its WiFi so that we serve requests from the other WiFi router (access point) through Debian.
- Wireless router: well, it's not really a router (routing is done by Debian), but we'll use it as an access point (you should disable its routing feature). It will broadcast WiFi, and all requests from joining clients will be forwarded to Debian. I will refer to it in this post as AB.
Software used:
- ISC DHCP server: it will assign IP addresses to connected clients (PCs, phones, tablets, etc.). To install it run the following command: aptitude install isc-dhcp-server
- iptables: will be used to forward requests between the Ethernet cards (local wireless network and internet)
- bind (optional): caches DNS answers and forwards DNS requests from the local network to upstream DNS servers: aptitude install bind9
- squid3 (optional): caching and proxy server; it can be used for many purposes, but we'll use it as a caching server (caching static files for faster browsing): aptitude install squid3
- vnstat (optional): records and displays useful statistics about the download/upload traffic passing in and out through our Debian router: aptitude install vnstat
Procedure:
- Connect the ADSL modem/router (or the internet cable) to the computer's primary Ethernet card (eth0, for example).
- The wireless router MUST be set up as an access point with the IP address 10.5.5.5.
- Connect the computer to the wireless router (AB).
- Test the Debian router for internet connectivity, for example with ping: ping -c 3 google.com. If the ping is not successful, you need to troubleshoot your internet connection: connect the ADSL or internet cable to another computer and make sure that computer can reach the internet. If only the Debian router isn't connected to the internet, try swapping the cables: connect the internet cable to eth1 and AB to eth0.
- Edit /etc/network/interfaces and make sure it looks like the following:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# automatically start the following interfaces:
auto lo eth0 eth1

# The loopback network interface:
iface lo inet loopback

# The primary network interface:
allow-hotplug eth0 eth1

# primary ethernet (connected to the internet)
iface eth0 inet dhcp

# secondary ethernet (connected to the local side)
# no "gateway" line here: the default route comes from eth0 via DHCP,
# and a second default route pointing at 10.5.5.1 (this machine) would conflict with it
iface eth1 inet static
    address 10.5.5.1
    netmask 255.255.255.0
    network 10.5.5.0
    broadcast 10.5.5.255
- Edit /etc/bind/named.conf.options so it looks like the following (please note that comments were stripped):
options {
    directory "/var/cache/bind";

    // ask the forwarders first; resolve recursively ourselves only if they fail
    forward first;
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };

    dnssec-validation no;
    auth-nxdomain no;

    // answer only on loopback and the local side, never on the internet-facing eth0
    listen-on { 127.0.0.1; 10.5.5.1; };
    listen-on-v6 { none; };
};
This will use Google public DNS as forwarders; please change it to your ISP's DNS, which is believed to be faster.
- Edit /etc/dhcp/dhcpd.conf so it looks like the following (some comments stripped):
#
# Sample configuration file for ISC dhcpd for Debian
#
# On Debian, also set INTERFACES="eth1" in /etc/default/isc-dhcp-server
# so dhcpd serves only the local side and never the internet side.

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;

default-lease-time 600;
max-lease-time 7200;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

######################
# internal network
######################
# A slightly different configuration for an internal subnet.
subnet 10.5.5.0 netmask 255.255.255.0 {
    range 10.5.5.11 10.5.5.33;
    option domain-name-servers 10.5.5.1;
    option routers 10.5.5.1;
    option broadcast-address 10.5.5.255;
    default-lease-time 600;
    max-lease-time 7200;
}

# the wireless router (access point) needs the fixed ip address 10.5.5.5
# 00:00:00:00:00:00 must be replaced with the router's hardware (MAC) address
host router {
    hardware ethernet 00:00:00:00:00:00;
    fixed-address 10.5.5.5;
}
- Edit /etc/squid3/squid.conf
Squid has many options and configuring them is beyond this tutorial; since we are mostly concerned with caching, we set the disk cache to 7 GB:
acl localnet src 10.5.5.0/24    # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
# from where browsing should be allowed
http_access allow localnet
# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128; "intercept" is what the iptables REDIRECT below needs
http_port 10.5.5.1:3128 intercept

# Uncomment and adjust the following to add a disk cache directory.
# 7168 = 7 GB, feel free to increase it
cache_dir ufs /var/cache/squid3 7168 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid3

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:             1440    20%     10080
refresh_pattern ^gopher:          1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0       0%      0
refresh_pattern .                 0       20%     4320
- iptables rules:
The following rules are suitable for a router: we forward traffic between the two Ethernet cards and send the local side's plain HTTP requests (port 80) through the squid proxy (port 3128). Please notice that the filter table is empty and quite permissive (which is something I don't recommend); you may want to restrict access to the local network and to the router itself to certain services/IP addresses.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# plain HTTP from the local side goes through squid (transparent proxy);
# only port 80, since the intercept port cannot handle HTTPS or other protocols
-A PREROUTING -s 10.5.5.0/24 -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
# same for HTTP generated on the router itself, except squid's own traffic (uid 13 = proxy)
-A OUTPUT -s 10.5.5.0/24 -p tcp -m owner ! --uid-owner 13 -m tcp --dport 80 -j REDIRECT --to-ports 3128
# NAT everything leaving through the internet side
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
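As an added example (not part of the original post), here is a restrictive filter table to replace the permissive one above, kept in the same iptables-save format so the if-pre-up.d script below can load it with iptables-restore -c. It assumes eth0 is the internet side, eth1 the 10.5.5.0/24 side, squid on port 3128 and SSH management only from the local network; the router_rules and install_rules helpers and the file path are my own, not the post's.

```shell
#!/bin/sh
# Added example, not from the original post: a restrictive filter table to
# replace the permissive one, in iptables-save format so the existing
# if-pre-up.d script (iptables-restore -c) loads it unchanged.
# Assumptions: eth0 = internet side, eth1 = local side (10.5.5.0/24),
# squid on 3128, SSH management only from the local network.
router_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# router itself: loopback, replies to its own connections, ICMP, the ISP's
# DHCP lease on eth0, then only the services the local side needs
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i eth0 -p udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -i eth1 -p udp --dport 67 -j ACCEPT
-A INPUT -i eth1 -p udp --dport 53 -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 53 -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 3128 -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
# forwarding: local -> internet freely, internet -> local only as replies
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# only plain HTTP is intercepted by squid; everything else is just NATed
-A PREROUTING -i eth1 -s 10.5.5.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}
# Write the file and have iptables-restore parse it without committing, so a
# typo is caught now rather than at the next boot (hypothetical helper).
install_rules() {
    mkdir -p "$(dirname "$1")"
    router_rules > "$1"
    iptables-restore --test < "$1"
}
# usage: install_rules /etc/firewall.d/iptables-router.rules
```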
Save the content to a file, for example /etc/firewall.d/iptables-router.rules (the path the two scripts below read; create the directory first with mkdir -p /etc/firewall.d). Then preserve the settings across reboots by creating 2 files: one that runs before the network comes up and another that runs when the network goes down.
+New file /etc/network/if-pre-up.d/router.up
#! /bin/sh
# load the saved rules (with their counters, hence -c) before the interfaces come up
iptables-restore -c < /etc/firewall.d/iptables-router.rules
exit 0
make it executable
chmod +x /etc/network/if-pre-up.d/router.up
+New file /etc/network/if-post-down.d/router.down
#! /bin/sh
# reload the same rules when an interface goes down, so the router never runs without them
iptables-restore -c < /etc/firewall.d/iptables-router.rules
exit 0
make it executable
chmod +x /etc/network/if-post-down.d/router.down
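A small lint for the saved rules file, added here and not part of the original post: it catches three mistakes that make this setup fail without a clear error (policy lines without counters, which iptables-restore -c rejects; a REDIRECT to squid that is not limited to port 80; no MASQUERADE on eth0). The sample_rules function is a constructed input for trying it out, not a capture from a real router.

```shell
#!/bin/sh
# Added check, not from the original post: lint an iptables-save style file
# for three mistakes that make this router setup fail without a clear error.
#   1. iptables-restore -c rejects policy lines that lack [pkts:bytes] counters.
#   2. A REDIRECT to squid without --dport 80 sends HTTPS, SSH and all other
#      TCP from the local side into an HTTP-only intercept port.
#   3. Without MASQUERADE on eth0 the local side has no NAT to the internet.
# Exit status is the number of problems found (0 = nothing found).
lint_rules() {
    _f="$1" _n=0
    if grep -Eq '^:[A-Z]+ +(ACCEPT|DROP) *$' "$_f"; then
        echo "policy line without [0:0] counters: iptables-restore -c will reject the file"
        _n=$((_n + 1))
    fi
    if grep -E -- '-j REDIRECT' "$_f" | grep -Evq -- '--dport [0-9]+'; then
        echo "REDIRECT rule without --dport: every TCP port from the local side would go to squid"
        _n=$((_n + 1))
    fi
    if ! grep -Eq -- '^-A POSTROUTING -o eth0 -j MASQUERADE' "$_f"; then
        echo "no MASQUERADE on eth0: local clients are not NATed"
        _n=$((_n + 1))
    fi
    return "$_n"
}
# Constructed sample (not a capture from a real router): a nat table written
# without counters and with the REDIRECT applied to every TCP port.
sample_rules() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
-A PREROUTING -s 10.5.5.0/24 -i eth1 -p tcp -m tcp -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}
# usage: lint_rules /etc/firewall.d/iptables-router.rules
```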
- Edit /etc/sysctl.conf and make sure it contains the following lines:
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
This will basically enable packet forwarding, which is needed for a router.
- Reboot Debian:
reboot
---------
cheers
Trying to configure this router was not successful. Instead, install the arno iptables firewall package to easily and securely set up a secure router configuration.