
Linux Gateway Setup

 
 

This tutorial describes how to create a simple gateway that shares a single Internet connection with multiple local computers.  It requires a basic computer with at least two network interfaces.  It was written against Ubuntu 9.10 but, with the additional notes, should be reasonably portable.  The first step is to install a GUI-less operating system; Ubuntu 9.10 Server AMD64 is used here.  The hostname field only matters if the gateway will serve information to the Internet; if it will, enter the appropriate fully qualified hostname at this point, e.g. gw1.example.com.  Do not select any extra packages during installation, all required packages are added as needed.

I have created a simple script to install the gateway/server for you.

Gateway Install Script

As root, place the file in root's home directory (/root), unpack it (tar -zxf Gateway_Install.tar.gz), run setup.sh, and answer the questions that follow.

If you have not yet enabled root logins, it is quite simple; follow the instructions found here:

Enabling Root User Logins

The following should do it:

su
cd
wget http://2stech.ca/applications/Gateway_Install.tar.gz
tar -zxf Gateway_Install.tar.gz
cd Gateway_Install
./setup.sh

Read through setup.sh before running it: the archive is fetched over plain HTTP with no signature or checksum, and the script runs as root.  For the manual route below, plug in the values for your local network and you should be able to cut and paste each command.

Assumptions

These are the values used throughout this tutorial; substitute your own before cutting and pasting.

Local Network:
	Network:		192.168.100.0		← Adjust first
	Netmask:		255.255.255.0		← Adjust next
	Address:		192.168.100.1		← Internal interface IP
	Broadcast:		192.168.100.255
Local Domain:		example.org
Domain Name Server:	192.168.100.1		← IP address; either 192.168.100.1 or 127.0.0.1
Dynamic Address Range:
	Min:			192.168.100.50
	Max:			192.168.100.254
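A mistake in these values (a non-contiguous netmask, a DHCP range that spills onto the broadcast address, or a range that hands out the gateway's own address) only shows up later, when ifup or dhcpd fails or when a client gets a broken lease.  The following script is an added example, not part of this tutorial or of the Gateway_Install script, that checks the assumptions for consistency before they are written into /etc/network/interfaces and /etc/dhcp3/dhcpd.conf.  It is plain POSIX sh; the four values at the top are the tutorial's own and the function names are my invention.

```shell
#!/bin/sh
# Added example, not part of the original tutorial or its install script:
# sanity-check the "Assumptions" values before they go into
# /etc/network/interfaces and /etc/dhcp3/dhcpd.conf.  The four values
# below are the ones this tutorial uses; adjust them for your network.
ADDRESS=192.168.100.1        # internal interface IP (the gateway)
NETMASK=255.255.255.0
DHCP_MIN=192.168.100.50      # dynamic range, inclusive
DHCP_MAX=192.168.100.254

# Dotted quad -> 32-bit integer; fails on anything that is not four
# octets in 0..255 (a typo here would otherwise surface only when
# ifup or dhcpd fails).
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# A netmask must be a contiguous run of 1 bits followed by 0 bits, i.e.
# its 32-bit complement plus one is a power of two.
mask_ok() {
    m=$(ip2int "$1") || return 1
    inv=$(( (~m) & 4294967295 ))
    [ $(( (inv + 1) & inv )) -eq 0 ]
}

# Print "network broadcast" for an address/netmask pair; these are the
# values for the network and broadcast lines of the interface stanza.
derive() {
    a=$(ip2int "$1") || return 1
    m=$(ip2int "$2") || return 1
    net=$(( a & m ))
    bc=$(( net | ((~m) & 4294967295) ))
    echo "$(int2ip "$net") $(int2ip "$bc")"
}

# The DHCP range must lie strictly inside the subnet (never the network
# or broadcast address) and must not contain the gateway's own address.
range_ok() {   # gateway netmask min max
    a=$(ip2int "$1") || return 1
    m=$(ip2int "$2") || return 1
    lo=$(ip2int "$3") || return 1
    hi=$(ip2int "$4") || return 1
    net=$(( a & m ))
    bc=$(( net | ((~m) & 4294967295) ))
    [ "$lo" -le "$hi" ] || return 1
    [ "$lo" -gt "$net" ] || return 1
    [ "$hi" -lt "$bc" ] || return 1
    [ "$a" -lt "$lo" ] || [ "$a" -gt "$hi" ]
}

# Run every check on the values above; prints the derived network and
# broadcast on success, an error on the first inconsistency.
check_assumptions() {
    mask_ok "$NETMASK" || { echo "bad netmask: $NETMASK" >&2; return 1; }
    derive "$ADDRESS" "$NETMASK" \
        || { echo "bad address/netmask: $ADDRESS/$NETMASK" >&2; return 1; }
    range_ok "$ADDRESS" "$NETMASK" "$DHCP_MIN" "$DHCP_MAX" \
        || { echo "bad DHCP range: $DHCP_MIN-$DHCP_MAX" >&2; return 1; }
}

check_assumptions
```

With the tutorial's values it prints 192.168.100.0 192.168.100.255, which are exactly the network and broadcast lines used later in /etc/network/interfaces and the subnet declaration in dhcpd.conf; a range starting at 192.168.100.1 or ending at 192.168.100.255 is rejected before it reaches a config file.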

Conventions

Commands - White on black text is meant for copying and pasting.
Output - Yellow on black text is the typical output from a command.

Initial Preparations

Root user logins

Log into the computer using the non-root account created when installing the OS, then enable root logins by setting a root password:

sudo passwd
[sudo] password for user:      ← Current users password
Enter new UNIX password:       ← Password for root
Re-enter new UNIX password:    ← Repeat password for root

Enter the password for the user and then enter the password you'd like for the root user, twice.

Log out of the non-root user:

exit

Now log into the computer as the root user, and update all packages:

aptitude update; aptitude -y full-upgrade; reboot

When the computer has finished rebooting, log in as root again.  Now install an SSH server so that you can work from a terminal on a machine with a GUI:

aptitude -y install openssh-server

Note that the stock sshd_config on this release permits root password logins and the server listens on every interface, including the external one, so from here on the root password set above is what stands between the Internet and this gateway.  Make it a strong one, or set PermitRootLogin no in /etc/ssh/sshd_config and administer the box through sudo from the ordinary account.  Now determine the external IP address:

ifconfig
eth0	Link encap:Ethernet  HWaddr FF:FF:FF:FF:FF:FF
	inet addr:10.1.1.2 Bcast:10.1.1.255  Mask:255.255.255.0
	UP BROADCAST RUNNING MULTICAST  MTU:9000  Metric:1
	RX packets:156 errors:0 dropped:0 overruns:0 frame:0
	TX packets:73 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000
	RX bytes:19192 (19.1 KB)  TX bytes:8703 (8.7 KB)

You can now log into the computer from an external SSH client.

Internal Interface

Edit the /etc/network/interfaces file to add an internal static interface:

vim /etc/network/interfaces

Add the following to the end:

# The Local Network Interface
auto eth1
iface eth1 inet static
	address		192.168.100.1
	netmask		255.255.255.0
	broadcast	192.168.100.255
	network		192.168.100.0

The IPs used are only a suggestion, but it is advisable to use private (RFC 1918) addresses, which are not routed on the Internet, for your internal network.  For more information see: http://en.wikipedia.org/wiki/Private_network

Now bring up the internal interface:

ifup eth1

Firewall

Next, we need to install a firewall:

aptitude -y install shorewall-shell shorewall-doc

The 'shorewall-shell' package can be replaced with 'shorewall-perl', which compiles the ruleset much faster than the shell-based compiler.  It has a few caveats; see the Shorewall web page for them.

The documentation package is required for the examples; it lets a sample configuration be copied and then adjusted until it works.  Copy the two-interfaces example from the documentation directory:

cp /usr/share/doc/shorewall-common/examples/two-interfaces/* /etc/shorewall

The example shorewall.conf is shipped compressed; decompress it over the existing one (-f answers the overwrite prompt):

gunzip -f /etc/shorewall/shorewall.conf.gz

Next, edit the /etc/shorewall/shorewall.conf file to enable startup:

vim /etc/shorewall/shorewall.conf

Change:

STARTUP_ENABLED=No

To:

STARTUP_ENABLED=Yes

Edit the /etc/default/shorewall file to enable startup:

vim /etc/default/shorewall

Change:

startup=0

To:

startup=1

Restart shorewall:

shorewall restart

At this point the firewall host itself has no access to the Internet apart from DNS.  That is a sensible default if nothing requires it, but it makes updating and package installation awkward, so allow the firewall to reach the Internet:

vim /etc/shorewall/policy

Find the line:

$FW	net	REJECT	info

And change it to:

$FW	net	ACCEPT	#REJECT	info

Remember that if the firewall is misconfigured you will lose access over the network, so it is ALWAYS prudent to check the configuration before restarting:

shorewall check

If the configuration checks out, restart as before (when working over SSH, shorewall safe-restart is the safer choice: it restarts and then reverts to the previous ruleset unless you confirm within its timeout):

shorewall restart

DNS

Next lets install the DNS:

aptitude -y install bind9

By default, when the external interface obtains an address by DHCP it also asks the provider's DHCP server for a domain name, search list and nameservers, and writes those into /etc/resolv.conf.  That is fine unless you want the gateway to resolve names itself through the local bind; in that case stop dhclient from requesting them by editing /etc/dhcp3/dhclient.conf:

vim /etc/dhcp3/dhclient.conf

And change:

request subnet-mask, broadcast-address, time-offset, routers,
	domain-name, domain-name-servers, domain-search, host-name,
	netbios-name-servers, netbios-scope, interface-mtu,
	rfc3442-classless-static-routes, ntp-servers;

To:

request subnet-mask, broadcast-address, time-offset, routers,
	host-name, netbios-name-servers, netbios-scope, interface-mtu,
	rfc3442-classless-static-routes, ntp-servers;

And then edit /etc/resolv.conf

vim /etc/resolv.conf

Delete the contents and add:

domain example.org
search example.org
nameserver 127.0.0.1

Don't worry if you don't own an Internet domain; this is just the trailing portion of whatever you named the gateway, e.g. for gateway.example.org it is example.org.  Also keep the resolver off the external side: set the listen-on option in /etc/bind/named.conf.options to the loopback and internal addresses only (127.0.0.1 and 192.168.100.1), and make sure no rule in /etc/shorewall/rules accepts DNS from the net zone to $FW, so the gateway only answers clients on the local network.

DHCP Server

At this point you should be able to reach the Internet from the internal network, but each client's interface has to be configured by hand.  To simplify this, install a DHCP server:

aptitude -y install dhcp3-server

The server will fail to start; don't worry, it just needs a little configuration.  First edit /etc/dhcp3/dhcpd.conf:

vim /etc/dhcp3/dhcpd.conf

First find the lines (the option is domain-name-servers, plural; dhcpd refuses to start on a misspelt option name):

# option definitions common to all supported networks...
option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;

Change them to:

# option definitions common to all supported networks...
option domain-name "example.org";
option domain-name-servers 192.168.100.1;

If you would rather hand out the gateway's name here, that name must be defined in your bind configuration; it is simpler to use the internal IP address, 192.168.100.1 in this tutorial.  A single global domain-name-servers option will not do if the gateway has several internal interfaces; either set the option inside each subnet declaration, or define the gateway's internal addresses in bind and hand out the name.

Now at the end of the file add:

# Local Network
subnet 192.168.100.0 netmask 255.255.255.0 {
	option broadcast-address 192.168.100.255;
	option routers 192.168.100.1;
	range 192.168.100.50 192.168.100.254;
	}

Also make the DHCP server authoritative on the internal network by un-commenting the authoritative line.  An authoritative server sends DHCPNAK to clients that turn up holding a lease from some other network, so they renumber promptly instead of waiting for their old lease to expire.

Find the line:

#authoritative

And change it to:

authoritative

Next edit /etc/default/dhcp3-server so that dhcpd only serves the internal interface:

vim /etc/default/dhcp3-server

Change the line:

INTERFACES=""

To:

INTERFACES="eth1"

Restart the DHCP server:

/etc/init.d/dhcp3-server restart
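Before calling it done, it is worth checking what the gateway now exposes to the external side: sshd is meant to be reachable from outside, but named and dhcpd should only be serving the local network, and a listener bound to the external address or to the wildcard address is reachable from the Internet unless a firewall rule drops it.  The following script is an added example, not part of this tutorial; it reads the output of netstat -lnut (net-tools, present on this release) and prints every listener bound to 0.0.0.0, :: or the external address, skipping the ports you intend to expose.  The addresses are the tutorial's (eth0 10.1.1.2, eth1 192.168.100.1), the script name exposed.sh is hypothetical, and the sample netstat output embedded in it is constructed for illustration, not captured from the tutorial's machine.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: after the services are
# up, list listening sockets that are reachable from the external side.
# On the gateway run:    netstat -lnut | sh exposed.sh --live
# With no argument it runs against the constructed sample output below.
# Addresses are the tutorial's: eth0 10.1.1.2 (external), eth1 192.168.100.1.
EXTERNAL_IP=10.1.1.2
# Ports you intend to reach from outside; this tutorial only wants sshd.
ALLOWED_PORTS="22"

# Reads "netstat -lnut" output on stdin and prints "proto port address"
# for each listener bound to a wildcard address or to the external IP.
# A socket bound only to 127.0.0.1 or to the internal address is not
# reachable from the net side whatever the firewall does; anything
# printed here is, unless a firewall rule drops it.
exposed_listeners() {
    while read -r proto recvq sendq laddr rest; do
        case "$proto" in tcp|tcp6|udp|udp6) ;; *) continue ;; esac
        addr=${laddr%:*}      # strip ":port"; ":::22" becomes "::"
        port=${laddr##*:}
        case "$addr" in
            0.0.0.0|::|"$EXTERNAL_IP") ;;
            *) continue ;;    # loopback or internal interface only
        esac
        case " $ALLOWED_PORTS " in *" $port "*) continue ;; esac
        echo "$proto $port $addr"
    done
}

# Constructed sample of "netstat -lnut" on a gateway where named was left
# listening on every interface and dhcpd has a wildcard udp/67 socket.
# Not real output from the tutorial's machine.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 192.168.100.1:53        0.0.0.0:*               LISTEN
tcp        0      0 10.1.1.2:53             0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:67              0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
udp        0      0 192.168.100.1:53        0.0.0.0:*
udp        0      0 10.1.1.2:53             0.0.0.0:*'

# Run the check over the constructed sample; returns the findings.
check_sample() {
    printf '%s\n' "$SAMPLE" | exposed_listeners
}

if [ "${1:-}" = "--live" ]; then
    exposed_listeners
else
    check_sample
fi
```

On the sample this reports tcp 53 and udp 53 on 10.1.1.2 (named answering on the external interface, which the listen-on option in named.conf.options should prevent) and udp 67 on 0.0.0.0; the sshd entries are skipped because 22 is in ALLOWED_PORTS.  Anything the live run reports is either expected and listed in ALLOWED_PORTS, or needs to be bound to the internal interface, or must be covered by a DROP or REJECT in the Shorewall policy for the net zone; shorewall check will tell you whether the policy is syntactically sound, but not whether it actually covers these ports.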

DONE!!