What you must have before this point<\/h3>\n
You need a Linux machine with two NICs, updated and ready to go.(I’ll be using 64bit Debian Jesse)<\/p>\n
The Network Architecture<\/h3>\n
Most likely, unless you have a particularly different setup, you have a modem connected to a combo router\/wireless access point, or perhaps a modem+router+WAP all-in-one unit. See the images below for a diagram of this:<\/p>\n
![\"Typical](\"http:\/\/jacobncalvert.com\/wp-content\/uploads\/2018\/02\/typical-aio-1024x386.png\")
Typical All-In-One Home LAN<\/p><\/div>\n
![\"Our](\"http:\/\/jacobncalvert.com\/wp-content\/uploads\/2018\/02\/typical-network-1024x312.png\")
Typical Modem+Router\/WAP\/Switch Home LAN<\/p><\/div>\n
The units in the red boxes usually handle the following things and not much more:<\/p>\n
- \n
- Routing<\/li>\n
- DHCP<\/li>\n
- DNS<\/li>\n
- Firewall<\/li>\n<\/ul>\n
It’s likely a small system-on-a-chip (SoC) and is configured with a web GUI. The architecture we are proposing is a little different. We want to replace that router part (the part inside the red box) with our Linux machine. We’ll let the Linux kernel do our packet switching, and let a few services handle DHCP, DNS, and the Firewall.<\/p>\n
Note: this will require that you have a separate modem with an Ethernet interface.<\/p>\n
Our IP network will have the following properties:<\/p>\n
\n\n
\n Property<\/th>\n Value or Description<\/th>\n<\/tr>\n \n Subnet<\/td>\n 192.168.0.0\/22<\/td>\n<\/tr>\n \n Linux machine LAN IP<\/td>\n 192.168.0.1<\/td>\n<\/tr>\n \n DHCP Pool<\/td>\n 192.168.1.0\/24<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n Let’s set up the interfaces<\/h3>\n
First, let’s see our two NICs and find out what the system calls them:<\/p>\n
machine:\/# ls \/sys\/class\/net\r\n\teth0 eth1 lo\r\nmachine:\/#\r\n<\/pre>\n
So we now know our interfaces are named eth0 and eth1. Let’s designate eth0 as the WAN or Internet side of our machine, and designate eth1 as the LAN side of the interface.
\nEdit the \/etc\/network\/interfaces to set up our WAN side to get and IP address from the ISP and our LAN side to have a static IP on our subnet.
\nThe file should look similar to:<\/p>\n\tsource \/etc\/network\/interfaces.d\/*\r\n\r\n\t# The loopback network interface\r\n\tauto lo\r\n\tiface lo inet loopback\r\n\r\n\t# The WAN network interface\r\n\tallow-hotplug eth0\r\n\tiface eth0 inet dhcp\r\n\r\n\t# The LAN network interface\r\n\tallow-hotplug eth1\r\n\tiface eth1 inet static\r\n\t\taddress 192.168.0.1\r\n\t\tnetmask 255.255.252.0\r\n\r\n\r\n<\/pre>\n
Once you save this file and restart the network service, you should be able to see your interfaces using the tool ifconfig.
\nNow, plug in the WAN side to your router and let’s get on the internet!<\/p>\nSetting up DHCP<\/h3>\n
Since we want our Linux machine to hand out IP addresses on our LAN side, we need to install a DHCP server. Use your package manager to install isc-dhcp-server:<\/p>\n
\tapt-get install isc-dhcp-server\r\n<\/pre>\n
Now we need to tell the DHCP server what to do. Edit the DHCP configuration file (likely in \/etc\/dhcp\/dhcpd.conf)<\/p>\n
\toption domain-name-servers 172.16.0.1;\r\n\toption routers 172.16.0.1;\r\n\tdefault-lease-time 600;\r\n\tmax-lease-time 7200;\r\n\tddns-update-style none;\r\n\r\n\tsubnet 192.168.0.0 netmask 255.255.252.0\r\n\t{\r\n\t\toption broadcast-address 192.168.3.255;\r\n\t\tallow unknown-clients;\t\r\n\t\tpool {\r\n\t\t\t range 192.168.1.0 192.168.1.255;\r\n\r\n\t\t}\r\n\t\r\n\r\n\r\n\r\n\t}\r\n<\/pre>\nThis will instruct the DHCP server to hand out addresses on the LAN in the range 192.168.1.0\/24.
\nRestart the DHCP service to have these changes take effect. You should now be able to plug your laptop into the LAN port on your Linux machine and get an IP address via DHCP.
\nNow that we have some addresses assigned for DHCP use, let’s assign some DHCP reservations. Editing the same config file, add this:<\/p>\nhost my-laptop {\r\n\t\thardware ethernet aa:bb:cc:dd:ee:ff;\r\n fixed-address 192.168.2.0;\r\n}\r\n<\/pre>\nThe ‘hardware ethernet’ line should contain the MAC address of your laptop, and the ‘fixed-address’ line should be the address you want to give that machine each time it requests one. Another restart will cause these new changes to take effect.<\/p>\n
DNS Cache server<\/h3>\n
This is the easy part!<\/p>\n
\tapt-get install bind9\r\n<\/pre>\n
Done! That’s all for a basic configuration.<\/p>\n
Forwarding and Firewall<\/h3>\n
Now we have a machine which can hand out IP addresses, but it can’t actually forward any traffic yet! First thing’s first, let’s enable forwarding.
\nEdit \/etc\/sysctl.conf and change the line regarding IPv4 forwarding to<\/p>\nnet.ipv4.ip_forward = 1\r\n<\/pre>\n
Then, to make these changes active, issue a ‘sysctl -p’
\nNow we can forward traffic, let’s create some iptables rules to keep us straight. Two things to note here,<\/p>\n- \n
- iptables rules must be re-enabled after each reboot<\/li>\n
- iptables can be dangerous! always backup your configuration<\/li>\n<\/ol>\n
Because iptables are not persistent between reboots, we’ll use a script! Let’s first create a file in \/etc\/network\/ called ‘iptables-rules’. In this script, place the following iptables rules:<\/p>\n
*nat\r\n:PREROUTING ACCEPT [0:0]\r\n:INPUT ACCEPT [0:0]\r\n:OUTPUT ACCEPT [0:0]\r\n:POSTROUTING ACCEPT [0:0]\r\n\r\n\r\n-A POSTROUTING -o eth0 -j MASQUERADE\r\n\r\nCOMMIT\r\n\r\n*filter\r\n:INPUT ACCEPT [0:0]\r\n:FORWARD ACCEPT [0:0]\r\n:OUTPUT ACCEPT [0:0]\r\n\r\n\r\n\r\n# accept all loopback\r\n-A INPUT -s 127.0.0.0\/8 -d 127.0.0.0\/8 -i lo -j ACCEPT\r\n\r\n# accept all pings\r\n-A INPUT -p icmp -j ACCEPT\r\n\r\n# accept all established connections\r\n-A INPUT -m state --state ESTABLISHED -j ACCEPT\r\n\r\n# enable traceroute rejections to get sent out\r\n-A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable\r\n\r\n# DNS from LAN\r\n-A INPUT -i eth1 -p tcp --dport 53 -j ACCEPT\r\n-A INPUT -i eth1 -p udp --dport 53 -j ACCEPT\r\n\r\n# SSH from LAN\r\n-A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT\r\n\r\n# DHCP from LAN\r\n-A INPUT -i eth1 -p udp --dport 67:68 -j ACCEPT\r\n\r\n\r\n# forward packets along established\/related connections\r\n-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\r\n\r\n# forward from LAN to WAN \r\n-A FORWARD -i eth1 -o eth0 -j ACCEPT\r\n-A FORWARD -i eth1 -o tun0 -j ACCEPT\r\n\r\n# drop all other forwarded traffic\r\n-A FORWARD -j DROP\r\n\r\n\r\n# drop all other inbound traffic\r\n-A INPUT -j DROP\r\n\r\n\r\nCOMMIT\r\n\r\n<\/pre>\n
The comments for each section describe what that particular rule accomplishes. Now, let’s make the script which will restore these rules on startup. Create an executable file in \/etc\/network\/if-pre-up.d called iptables-restore-rules. In that file, insert this:<\/p>\n
#!\/bin\/sh\r\niptables-restore < \/etc\/network\/iptables-rules\r\n<\/pre>\n
The location of this script, ensures that it will be executed *prior to* the network interfaces coming up, therefore protecting us from the internet!<\/p>\n
Wrap up<\/h3>\n
Now we have a basic Linux router which can serve IP addresses, route packets between interfaces, and has a basic level of firewalling from the internet. In the next post, we’ll do some more iptables stuff, and talk about OpenVPN and how we can use policy based routing to route some traffic through a VPN and some around it.
\nAs always, thanks for reading!<\/p>\n","protected":false},"excerpt":{"rendered":"BYOR part deux Hello all! I’m back again with part two of the Build Your Own Router Series! In this post, we’re going to do the following: Talk about our proposed network architecture Set up our interfaces Set up a DHCP server and define our subnets Define some subnet ranges for our devices Set up some DHCP reservations Set up a DNS cache server Set up some basic iptables rules and forwarding What you must have before this point You…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5],"tags":[7,10,6,9,8],"yoast_head":"\n
Build Your Own Router - Part 2 - Jacob N Calvert<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/jacobncalvert.com\/blog-archive\/2017\/04\/19\/build-your-own-router-part-2\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Build Your Own Router - Part 2 - Jacob N Calvert\" \/>\n<meta property=\"og:description\" content=\"BYOR part deux Hello all! I’m back again with part two of the Build Your Own Router Series! In this post, we’re going to do the following: Talk about our proposed network architecture Set up our interfaces Set up a DHCP server and define our subnets Define some subnet ranges for our devices Set up some DHCP reservations Set up a DNS cache server Set up some basic iptables rules and forwarding What you must have before this point You…\" \/>\n<meta property=\"og:url\" content=\"https:\/\/jacobncalvert.com\/blog-archive\/2017\/04\/19\/build-your-own-router-part-2\/\" \/>\n<meta property=\"og:site_name\" content=\"Jacob N Calvert\" \/>\n<meta property=\"article:published_time\" content=\"2017-04-20T01:26:58+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2018-02-10T18:33:50+00:00\" \/>\n<meta property=\"og:image\" content=\"http:\/\/jacobncalvert.com\/wp-content\/uploads\/2018\/02\/typical-aio-1024x386.png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/jacobncalvert.com\/blog-archive\/#website\",\"url\":\"https:\/\/jacobncalvert.com\/blog-archive\/\",\"name\":\"Jacob N Calvert\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":\"https:\/\/jacobncalvert.com\/blog-archive\/?s={search_term_string}\",\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/jacobncalvert.com\/blog-archive\/2017\/04\/19\/build-your-own-router-part-2\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"http:\/\/jacobncalvert.com\/wp-content\/uploads\/2018\/02\/typical-aio-1024x386.png\",\"contentUrl\":\"http:\/\/jacobncalvert.com\/wp-content\/uploads\/2018\/02\/typical-aio-1024x386.png\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/jacobncalvert.com\/blog-archive\/2017\/04\/19\/build-your-own-router-part-2\/#webpage\",\"url\":\"https:\/\/jacobncalvert.com\/blog-archive\/2017\/04\/19\/build-your-own-router-part-2\/\",\"name\":\"Build Your Own Router - Part 2 - Jacob N Calvert\",\"isPartOf\":{\"@id\":\"https:\/\/jacobncalvert.com\/blog-archive\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/jacobncalvert.com\/blog-archive\/2017\/04\/19\/build-your-own-router-part-2\/#primaryimage\"},\"datePublished\":\"2017-04-20T01:26:58+00:00\",\"dateModified\":\"2018-02-10T18:33:50+00:00\",\"author\":{\"@id\":\"https:\/\/jacobncalvert.com\/blog-archive\/#\/schema\/person\/f4b22a996d41bf09ed2bbe22912a8c8a\"},\"breadcrumb\":{\"@id\":\"https:\/\/jacobncalvert.com\/blog-archive\/2017\/04\/19\/build-your-own-router-part-2\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/jacobncalvert.com\/blog-archive\/2017\/04\/19\/build-your-own-router-part-2\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/jacobncalvert.com\/blog-archive\/2017\/04\/19\/build-your-own-router-part-2\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"item\":{\"@type\":\"WebPage\",\"@id\":\"https:\/\/jacobncalvert.com\/blog-archive\/\",\"url\":\"https:\/\/jacobncalvert.com\/blog-archive\/\",\"name\":\"Home\"}},{\"@type\":\"ListItem\",\"position\":2,\"item\":{\"@id\":\"https:\/\/jacobncalvert.com\/blog-archive\/2017\/04\/19\/build-your-own-router-part-2\/#webpage\"}}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/jacobncalvert.com\/blog-archive\/#\/schema\/person\/f4b22a996d41bf09ed2bbe22912a8c8a\",\"name\":\"Jacob\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/jacobncalvert.com\/blog-archive\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/64a2dd1c00cb39dfc19bb1204c87efbc?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/64a2dd1c00cb39dfc19bb1204c87efbc?s=96&d=mm&r=g\",\"caption\":\"Jacob\"},\"sameAs\":[\"https:\/\/jacobncalvert.com\"],\"url\":\"https:\/\/jacobncalvert.com\/blog-archive\/author\/jcalvert\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/jacobncalvert.com\/blog-archive\/wp-json\/wp\/v2\/posts\/70"}],"collection":[{"href":"https:\/\/jacobncalvert.com\/blog-archive\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jacobncalvert.com\/blog-archive\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jacobncalvert.com\/blog-archive\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jacobncalvert.com\/blog-archive\/wp-json\/wp\/v2\/comments?post=70"}],"version-history":[{"count":3,"href":"https:\/\/jacobncalvert.com\/blog-archive\/wp-json\/wp\/v2\/posts\/70\/revisions"}],"predecessor-version":[{"id":75,"href":"https:\/\/jacobncalvert.com\/blog-archive\/wp-json\/wp\/v2\/posts\/70\/revisions\/75"}],"wp:attachment":[{"href":"https:\/\/jacobncalvert.com\/blog-archive\/wp-json\/wp\/v2\/media?parent=70"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jacobncalvert.com\/blog-archive\/wp-json\/wp\/v2\/categories?post=70"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jacobncalvert.com\/blog-archive\/wp-json\/wp\/v2\/tags?post=70"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}