Thursday, March 11, 2010

Make your computer a router


This guide will step you through the process of turning your Linux machine into a router.  These instructions are written for Debian and should also work on Ubuntu Server and Desktop.  No GUI is required; only the base system needs to be installed.  As always, use the latest repositories when possible.  The instructions use vi; you may substitute vim, nano, or even gedit if you'd like.


Debian or Ubuntu 9.10 (earlier versions may also work)
Two network adapters

Part 1: Setting up the DHCP Server

First, you need to pick the IP addresses to use on your internal network.  Most people will choose either 192.168.1.x or 10.1.1.x; both will work.  For this I will be using 

Edit the interfaces file to set the IP addresses of the adapters.  You can do this by typing:

sudo vi /etc/network/interfaces

Add the static IP settings for the internal network adapter.  In this example, eth0 is the external adapter (it receives its internet connection via DHCP from your ISP or elsewhere) and eth1 is the adapter connected to the internal network.  Some configurations may require additional settings; what matters most here is that eth1 is static and that its address and netmask are defined.

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
allow-hotplug eth0
iface eth0 inet dhcp

# The secondary/internal network interface
auto eth1
iface eth1 inet static

The next step is to install the dhcp daemon and configure it:

sudo apt-get install dhcp3-server

Once the server is installed it will try to start, which usually fails.  This is normal: dhcpd refuses to run until it finds a subnet declaration matching one of its interfaces, so it needs to be configured first.  Edit the configuration by typing the following:

sudo vi /etc/dhcp3/dhcpd.conf

The file already contains a basic configuration, but a few lines need to be changed.  Change the lines starting with "option domain-name" to match your network.  In this example the domain name is router.local and the DNS server is the server being set up (see Part 2 for the DNS configuration).

option domain-name "router.local";
option domain-name-servers;

Define the subnet and range of IP addresses the server will issue:

subnet netmask {
  option broadcast-address;
  option routers;
}

Additionally, if you want certain clients to always receive the same IP (a static DHCP lease), add a host block like the one below to the config file.  Give it a name, specify the client's MAC address, and give it the IP.  The name does not have to match the computer's hostname, but keeping them consistent helps.  To avoid address conflicts, choose an IP outside the range defined above.

host laptop {
  hardware ethernet 00:0c:0f:82:e2:00;
  server-name "laptop";
}

To test your configuration, reboot the server and your clients.  The client machines should obtain IP addresses based on your configuration.  If it does not work, check the syslog (/var/log/syslog) for help.
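Before rebooting, it is worth checking that every static lease really lies outside the dynamic range, since an overlap is the conflict the paragraph above warns about. The script below is an added example, not part of the original post: the 192.168.1.x subnet and range in the sample config are constructed values, and fixed-address is dhcpd's directive for a host's static IP.

```shell
#!/bin/sh
# Added check, not from the original post: confirm that every static
# lease (fixed-address) in a dhcpd.conf lies outside the dynamic range.
# The 192.168.1.x values are constructed; the MAC comes from the post.

# Dotted-quad IPv4 address -> integer, so addresses can be compared.
ip2int() {
    echo "$1" | awk -F. '{ printf "%.0f\n", $1*16777216 + $2*65536 + $3*256 + $4 }'
}

# Emit a constructed dhcpd.conf in the shape the post describes;
# $1 is the fixed-address handed to the "laptop" host.
sample_conf() {
    cat <<EOF
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.100 192.168.1.200;
}
host laptop {
  hardware ethernet 00:0c:0f:82:e2:00;
  fixed-address $1;
}
EOF
}

# Return 0 when all fixed-address values are outside the range,
# 1 when at least one collides, 2 when the file has no range statement.
check_static_leases() {
    conf="$1"
    range=$(awk '$1=="range" { sub(/;$/, "", $NF); print $2, $NF; exit }' "$conf")
    [ -n "$range" ] || { echo "no range statement in $conf" >&2; return 2; }
    lo=$(ip2int "${range%% *}"); hi=$(ip2int "${range##* }")
    bad=0
    for addr in $(awk '$1=="fixed-address" { sub(/;$/, "", $2); print $2 }' "$conf"); do
        n=$(ip2int "$addr")
        if [ "$n" -ge "$lo" ] && [ "$n" -le "$hi" ]; then
            echo "CONFLICT: $addr lies inside dynamic range $range"
            bad=1
        fi
    done
    return $bad
}

# Demo on a constructed config whose static lease collides with the range.
demo=$(mktemp)
sample_conf 192.168.1.150 > "$demo"
check_static_leases "$demo" || echo "move the static lease before rebooting clients"
rm -f "$demo"
```

Run it against the real file with `check_static_leases /etc/dhcp3/dhcpd.conf`; a non-zero exit means a static lease needs moving.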

Part 2: Setting up the DNS server

To install the package type:

sudo apt-get install bind9

Once the daemon is installed, a few files need to be created or edited.  First, edit /etc/bind/named.conf.local:

sudo vi /etc/bind/named.conf.local

A zone needs to be added for the new network, so add lines like those below.  The zone name must match the domain-name specified in /etc/dhcp3/dhcpd.conf.  The zone file named here will need to be created; it does not matter where it lives as long as the service can read it.

zone "router.local" {
   type master;
   file "/etc/bind/zones/router.local.db";
};

With the zone declared, the zone file itself must also be created.  Edit the zone file referenced in named.conf.local and add the appropriate lines below.  Watching the syntax carefully will save you plenty of time.

$TTL 24H ; default time to live for records in this zone (units: W, D, H, M, S)
router.local. IN SOA ns.router.local. root.router.local. (
   20103010 ; serial number: secondary servers use it to detect zone updates

; Nameservers
@                      IN        NS
router.local.      IN        NS
ns                     IN        A     ; the SOA's primary nameserver must be an address record, not a CNAME
www                 IN        CNAME

; Hosts
; static host names can also be defined here; they must belong to this zone
laptop                 IN        A     ; i.e. laptop.router.local.

Now the configuration is complete, restart the DNS server and test to make sure it is working properly.  Again, if it does not work check /var/log/syslog for clues.

Restart DNS:

sudo /etc/init.d/bind9 restart

Test client:


If everything worked you should see a response like this:


Non-authoritative answer:  canonical name =

If you only want your DNS server to be used by the internal network, restrict who can query it by adding the following lines inside the options { } block of /etc/bind/named.conf.options.

options {
    # (other lines here)
    version none;
    allow-query {; };
    allow-transfer { none; };
};

There is a great resource for advanced configuration and troubleshooting here:

Part 3: IP Masquerading

Make sure iptables is installed:

sudo apt-get install iptables

Linux kernels since 2.4 support IP forwarding, so no module needs to be installed, but forwarding does need to be enabled.  Edit /etc/sysctl.conf, look for the line below, and uncomment it.


Now the system is ready for rules.  Each rule is added by running iptables with the proper switches.  In this example, to complete the router setup, type the following:

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

For help creating more iptables entries, see the man pages or any of the links below:

The iptables rules need to be saved in order to persist across reboots.  Save them by running the command below; the redirection has to happen inside a root shell, otherwise your unprivileged shell cannot write to /etc:

sudo sh -c 'iptables-save > /etc/iptables.rules'

Now that the rules have been saved to a file, they can be loaded automatically.  To do this, add the following line to the eth0 stanza of your /etc/network/interfaces file (an up directive must sit inside an iface block):

up iptables-restore < /etc/iptables.rules

Once all this has been completed, restart the computer and test your connection.  If it doesn't work right away, don't worry: check the logs in /var/log and debug from a client with ping, nslookup, and traceroute (tracert on Windows).
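The single MASQUERADE rule above makes the box forward traffic, but it leaves the INPUT and FORWARD chains open to anything arriving on eth0. The script below is an added example, not part of the original post: it writes the complete /etc/iptables.rules file that the up line loads, keeping the post's NAT rule and wrapping it in a default-deny policy that only exposes the DHCP and DNS services from Parts 1 and 2 to the internal side. eth0/eth1 follow the post, 192.168.1.0/24 is a constructed subnet, and net.ipv4.ip_forward is the sysctl key that the sysctl.conf step enables.

```shell
#!/bin/sh
# Added example, not from the original post: generate the full
# /etc/iptables.rules that "up iptables-restore < /etc/iptables.rules"
# loads, keeping the post's MASQUERADE rule inside a default-deny policy.
# eth0 = external and eth1 = internal as in the post; 192.168.1.0/24 is
# a constructed internal subnet.

# Print the ruleset in iptables-save format: $1 external interface,
# $2 internal interface, $3 internal subnet.
gen_rules() {
    ext="${1:-eth0}"; int="${2:-eth1}"; lan="${3:-192.168.1.0/24}"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# The post's rule: masquerade everything leaving the external interface
-A POSTROUTING -o $ext -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The router's own services (DHCP from Part 1, DNS from Part 2) answer the LAN only
-A INPUT -i $int -p udp --dport 67 -j ACCEPT
-A INPUT -i $int -p udp --dport 53 -j ACCEPT
-A INPUT -i $int -p tcp --dport 53 -j ACCEPT
-A INPUT -i $int -p icmp -j ACCEPT
# Forward LAN -> internet only from LAN addresses, and only replies back in
-A FORWARD -i $int -o $ext -s $lan -j ACCEPT
-A FORWARD -i $ext -o $int -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Enable forwarding persistently and install the rules. Must run as root;
# deliberately not called below so the script can be read without privileges.
install_router_rules() {
    sed -i 's/^#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
    grep -q '^net.ipv4.ip_forward=1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
    sysctl -w net.ipv4.ip_forward=1
    gen_rules "$@" > /etc/iptables.rules
    iptables-restore < /etc/iptables.rules
}

# Preview the file as it would be written for the post's interface names.
gen_rules eth0 eth1
```

To apply it, run `sudo sh -c '. ./router-rules.sh; install_router_rules'` (assumed file name) and then reload the rules with the up line as before; the INPUT policy means the router itself still answers ping and DNS from the LAN but not from the outside.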
