Linux Gateway Setup
This tutorial describes how to create a simple gateway to share a single Internet connection with multiple local computers. It requires a basic computer system with at least two network interfaces. This tutorial was completed using Ubuntu 9.10, but with the additional notes it should be reasonably portable.

The first thing to do is install a GUI-less operating system; again, Ubuntu 9.10 Server AMD64 is used for this tutorial. The hostname field is only important if you plan on having the gateway serve information to the Internet; if it will, use the appropriate hostname at this time, e.g. gw1.example.com. Do not include any extra packages; all required packages will be added as needed.

I have created a simple script to install the gateway/server for you. As the root user, place the file in the root user's folder (/root), unpack it (tar -zxf Gateway_Install.tar.gz), run setup.sh, and answer the questions that follow. If you have not set up root user logins, it is quite simple; follow the instructions in the "Root user logins" section below. The following should do it:

    su
    cd
    wget http://2stech.ca/applications/Gateway_Install.tar.gz
    tar -zxf Gateway_Install.tar.gz
    cd Gateway_Install
    ./setup.sh

If you plug in the values for your local network, you should be able to cut and paste.

Conventions

Command blocks are meant for copying and pasting. Output blocks show the common output from a command.
Initial Preparations

Root user logins

Log into the computer using the non-root account established when installing the OS, then enable root logins by doing the following:

    sudo passwd

    [sudo] password for user:     ← current user's password
    Enter new UNIX password:      ← password for root
    Re-enter new UNIX password:   ← repeat password for root

Enter the password for the user and then enter the password you'd like for the root user, twice. Log out of the non-root user:

    exit

Now log into the computer as the root user, and update all packages:

    aptitude update; aptitude -y full-upgrade; reboot

When the computer has finished rebooting, log into the computer as root again. Now let's install an SSH server so you can work from a terminal on a system with a GUI:

    aptitude -y install openssh-server

Now determine the external IP address:

    ifconfig
    eth0      Link encap:Ethernet  HWaddr FF:FF:FF:FF:FF:FF
              inet addr:10.1.1.2  Bcast:10.1.1.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:9000  Metric:1
              RX packets:156 errors:0 dropped:0 overruns:0 frame:0
              TX packets:73 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:19192 (19.1 KB)  TX bytes:8703 (8.7 KB)

The external address is the one shown as inet addr on eth0 (10.1.1.2 in this output).
You can now log into the computer from an external SSH client.

Internal Interface

Edit the /etc/network/interfaces file to add an internal static interface:

    vim /etc/network/interfaces

Add the following to the end:

    # The Local Network Interface
    auto eth1
    iface eth1 inet static
        address 192.168.100.1
        netmask 255.255.255.0
        broadcast 192.168.100.255
        network 192.168.100.0

The IPs used are just a suggestion, but it is advisable to use non-routable addresses for your internal network. For more info see: http://en.wikipedia.org/wiki/Private_network

Now bring up the internal interface:

    ifup eth1

Firewall

Next, we need to install a firewall:

    aptitude -y install shorewall-shell shorewall-doc

The 'shorewall-shell' package can be replaced with 'shorewall-perl'. There are a few caveats, but it is very fast compared to the shell script (for the caveats, see the Shorewall web page). The documentation package is required for the examples; this allows a simple configuration to be copied and then adjusted to work. Copy the example configuration from the documentation directory:

    cp /usr/share/doc/shorewall-common/examples/two-interfaces/* /etc/shorewall

Unzip the Shorewall configuration file, overwriting the existing one:

    gunzip /etc/shorewall/shorewall.conf

Next, edit the /etc/shorewall/shorewall.conf file to enable startup:

    vim /etc/shorewall/shorewall.conf

Change:

    STARTUP_ENABLED=No

To:

    STARTUP_ENABLED=Yes

Edit the /etc/default/shorewall file to enable startup:

    vim /etc/default/shorewall

Change:

    startup=0

To:

    startup=1

Restart Shorewall:

    shorewall restart

At this point the firewall (the gateway) will not have any access to the Internet (except DNS). This is a good idea if there is no requirement, but it may make things like updating and package installation difficult, so let's allow the firewall to access the Internet.
    vim /etc/shorewall/policy

Find the line:

    $FW    net    REJECT    info

And change it to:

    $FW    net    ACCEPT    #REJECT    info

At this point I would like to point out that if the firewall is misconfigured you will lose access via the network, so it is ALWAYS prudent to check the configuration before restarting:

    shorewall check

If the configuration is OK, restart as before:

    shorewall restart

DNS

Next let's install the DNS server:

    aptitude -y install bind9

By default, when your external interface gets an IP address it will also ask the DHCP server for a domain name, search name, and nameserver. This is OK unless you would like to serve IPs of your own; this can be solved by editing /etc/dhcp3/dhclient.conf:

    vim /etc/dhcp3/dhclient.conf

And change:

    request subnet-mask, broadcast-address, time-offset, routers,
            domain-name, domain-name-servers, domain-search, host-name,
            netbios-name-servers, netbios-scope, interface-mtu,
            rfc3442-classless-static-routes, ntp-servers;

To:

    request subnet-mask, broadcast-address, time-offset, routers,
            host-name, netbios-name-servers, netbios-scope, interface-mtu,
            rfc3442-classless-static-routes, ntp-servers;

And then edit /etc/resolv.conf:

    vim /etc/resolv.conf

Delete the contents and add:

    domain example.org
    search example.org
    nameserver 127.0.0.1

Don't worry if you don't have an Internet domain; this should be the trailing portion of whatever you decided to name the gateway, i.e. for gateway.example.com it would be example.com.

DHCP Server

At this point you should be able to surf the Internet from your internal network; however, it will require that you manually configure the interfaces. To simplify this process, let's install a DHCP server:

    aptitude -y install dhcp3-server

The server startup will fail, but don't worry, it just requires a little configuration. First we need to change /etc/dhcp3/dhcpd.conf:

    vim /etc/dhcp3/dhcpd.conf

First find the lines:

    # option definitions common to all supported networks...
    option domain-name "example.org";
    option domain-name-servers ns1.example.org, ns2.example.org;

Change them to:

    # option definitions common to all supported networks...
    option domain-name "example.org";
    option domain-name-servers 192.168.100.1;

(The option name is domain-name-servers, plural; dhcpd does not accept the singular spelling.) If the above is to work with your gateway name, it must be configured in your bind configuration; it is likely better to just use the internal IP address, which in this tutorial would be 192.168.100.1. Please note that this will not work if there are multiple internal interfaces, but there are several ways around this: separate configurations per interface, or configuring your gateway's internal interfaces in bind and using the gateway name.

Now at the end of the file add:

    # Local Network
    subnet 192.168.100.0 netmask 255.255.255.0 {
        option broadcast-address 192.168.100.255;
        option routers 192.168.100.1;
        range 192.168.100.50 192.168.100.254;
    }

Also, I would make the DHCP server authoritative on the internal network by un-commenting the authoritative line in the file. Find the line:

    #authoritative

And change it to:

    authoritative

Next edit /etc/default/dhcp3-server:

    vim /etc/default/dhcp3-server

Change the line:

    INTERFACES=""

To:

    INTERFACES="eth1"

Restart the DHCP server:

    /etc/init.d/dhcp3-server restart

DONE!!
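The policy edit in the Firewall section above is the one place where a slip turns the gateway into an open router, so a cheap lint before shorewall restart is worth having. The following added example (not from the tutorial or the Gateway_Install script) checks a Shorewall policy file on stdin; it assumes the fw/net/loc zone names of the two-interfaces example and uses a constructed sample policy.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: a pre-restart sanity check for
# /etc/shorewall/policy. It confirms the edit in the text only opened $FW -> net and
# did not loosen any policy whose SOURCE is the net zone. Zone names follow the
# two-interfaces example; the sample policy below is constructed for this demo.

SAMPLE_POLICY='#SOURCE  DEST  POLICY  LOG LEVEL
loc      net   ACCEPT
$FW      net   ACCEPT  #REJECT info
net      all   DROP    info
all      all   REJECT  info'

# Strip comments and blank lines, then print the POLICY column for SOURCE=$1 DEST=$2.
# Reads the policy file on stdin.
policy_for() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' |
        awk -v s="$1" -v d="$2" '$1 == s && $2 == d { print $3 }'
}

# Returns 0 if the file on stdin is safe to load on an Internet-facing gateway:
#   1. no line with SOURCE net has POLICY ACCEPT (policy opens nothing inbound)
#   2. the catch-all "net all DROP" line is still present
#   3. "$FW net" is ACCEPT, which is what the edit in the text intends
check_policy() {
    pol=$(cat)
    if printf '%s\n' "$pol" | sed -e 's/#.*//' |
        awk '$1 == "net" && $3 == "ACCEPT" { bad = 1 } END { exit bad ? 0 : 1 }'; then
        echo "FAIL: a policy with SOURCE net is ACCEPT" >&2
        return 1
    fi
    if [ "$(printf '%s\n' "$pol" | policy_for net all)" != "DROP" ]; then
        echo "FAIL: missing 'net all DROP' catch-all" >&2
        return 1
    fi
    if [ "$(printf '%s\n' "$pol" | policy_for '$FW' net)" != "ACCEPT" ]; then
        echo "FAIL: \$FW -> net is not ACCEPT; the gateway itself has no Internet access" >&2
        return 1
    fi
    echo "OK: policy looks sane; now run 'shorewall check' and then 'shorewall restart'"
    return 0
}

# Stand-alone run over the constructed sample (use: check_policy < /etc/shorewall/policy).
printf '%s\n' "$SAMPLE_POLICY" | check_policy
```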



