Setting up a Linux Home Gateway

Ramesh Panuganty

rameshpanuganty@myrealbox.com

Revision History
Revision v1 20 December 2001 Revised by: rp
This is the initial release.

Table of Contents
1. Introduction
1.1. Why am I interested in this document?
1.2. Copyright
1.3. Disclaimer
2. Theory
3. Choices of implementation
3.1. Software Vs Hardware Solutions
3.2. Software Solutions in IP Masquerading
4. Comparison of Alternatives
5. Hardware Requirements
6. Kernel configuration
6.1. If using iptables
6.2. If using ipchains
7. Select your Private IP Addresses
8. Network Settings on Gateway
8.1. For PPP Connections
8.2. For Ethernet connections (cable-modem, DSL or T1)
9. IP Masquerade Configuration
9.1. For PPP Connections
9.2. For Ethernet connections (cable-modem, DSL or T1)
10. Creating Startup Scripts
11. Network Settings on workstations
12. Activating the gateway
13. How do I test the setup?

1. Introduction


2. Theory

This document will help you set up a Linux-based home gateway. The procedure explained here gives you a software-based gateway instead of an expensive hardware solution. At the end of the document, I will also briefly explain how you can secure your gateway from attacks coming from the internet.

The examples provided are based on the Debian Linux Woody distribution. However, they should be fairly easy to adapt to other Linux distributions such as RedHat, SuSE or Slackware.

After following the setup procedure you will be able to share your existing internet connection (PPP, DSL, cable modem or a T1 line) with the other computers or devices in your home or office. Your entire private network will then be able to access the internet transparently through the single IP address your ISP gives you.


3. Choices of implementation


4. Comparison of Alternatives

Linux 2.2 kernels do not have iptables (there are no official patches). Though I will give examples for both ipchains and iptables, I suggest you start with iptables because of its greater flexibility and the reasons explained above. With iptables you get stateful inspection of packets (connection tracking) and a richer set of rules. If you have a very old system with little memory (under 8 MB), use ipchains only: iptables keeps its connection-tracking table in RAM and needs a little more memory.

On 2.4 kernels you may run either ipchains or iptables, but not both at the same time, because both register the same kernel hooks. Whichever module is loaded first takes them: if the ipchains compatibility module is loaded, iptables cannot register and your iptables rules will never take effect. Check with lsmod that ipchains is not loaded before starting iptables.

If you decide to use iptables, you have a choice of several user interfaces for configuring your own firewall rules later on: knetfilter (GUI based), gshield, ferm, AGT or MM-Firewall. If you decide to use ipchains, the GUI tool gnome-lokkit covers your future firewall configuration needs.


5. Hardware Requirements

If you connect to the ISP over ethernet, you need two ethernet interfaces on your gateway system: either two single-port NIC cards in PCI slots, or one dual-port NIC card. If your motherboard has a built-in NIC, a USB ethernet adapter can serve as the second interface instead of taking another PCI slot. The choice is yours.

You need one NIC on each of your workstations (PCI, ISA, USB, wireless or built-in).

You need a 10/100 network hub to connect all your workstations to the gateway system, and Cat5 cable for all the connections. If you plug the gateway into the hub's uplink port, use a crossover cable and leave the adjacent normal port empty (the two usually share one port circuit). If you use a normal port, use a straight-through cable. If all your cables are straight-through, simply avoid the uplink port.


6. Kernel configuration

6.1. If using iptables

Iptables is actually a user-space tool; the filtering itself is done by the kernel framework called netfilter. Netfilter (through iptables and ip6tables) handles only IPv4 and IPv6 and does not filter any other protocol. Hence, if your system also runs something like IPX, remember that protocols other than IPv4 and IPv6 are not going to be filtered by your iptables rules. Use kernel 2.4.18 or above if possible, to have all the newer netfilter features.

Install the iptables package on your system (apt-get install iptables). Iptables needs netfilter support in the kernel; once you have verified that your kernel has it, you need not worry about it again.

Check whether your kernel supports iptables. Most distribution kernels include this support by default, but do this quick test as root.

bash# modprobe ip_tables
bash# lsmod | grep ip_tables

If either command gives an error, or ip_tables does not show up in the module listing, you must enable these options in the kernel configuration using make menuconfig or make xconfig:

  • Code maturity level options: prompt for development and/or incomplete code/drivers

  • Networking options: Network packet filtering

  • Networking options: IP: Netfilter Configuration (connection tracking, IP tables support, the state match, packet filtering and full NAT)

Select all of these as modules, then rebuild and install the kernel and its modules.


7. Select your Private IP Addresses

For the systems on your private network to talk to each other, and for the home gateway setup to work, you need to assign IP addresses to all of them. Though you could assign any IP address to your private systems, you are advised not to: use the address blocks that IANA has reserved for private networks (RFC 1918). These addresses are never routed on the internet, which is also why the gateway has to masquerade them behind its public address.

Table 1. Private IP Address assignments from RFC1918

Block (former class)   From          To                CIDR Notation    Subnet Mask
24-bit block (A)       10.0.0.0      10.255.255.255    10.0.0.0/8       255.0.0.0
20-bit block (B)       172.16.0.0    172.31.255.255    172.16.0.0/12    255.240.0.0
16-bit block (C)       192.168.0.0   192.168.255.255   192.168.0.0/16   255.255.0.0

Note that 172.16.0.0/12 spans sixteen former class B networks and 192.168.0.0/16 spans 256 former class C networks. A home LAN normally takes one /24 out of these, for example 192.168.1.0/24 with subnet mask 255.255.255.0, which is what the rest of this document uses.
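As an added example (not part of the original HOWTO), here is a small POSIX shell script that checks whether an address falls inside one of the three RFC 1918 blocks from the table above, using the prefix lengths rather than the class labels. The function names ip_to_int, in_block and is_rfc1918 and the sample addresses are my own; run it with sh to verify the range you plan to hand out, or reuse the check before writing anti-spoofing rules for the external interface.

```shell
#!/bin/sh
# Added example (not from the HOWTO): test addresses against the RFC 1918
# private blocks 10/8, 172.16/12 and 192.168/16 using 32-bit arithmetic.

# ip_to_int DOTTED-QUAD -> prints the address as a 32-bit integer;
# returns 1 if the argument is not four octets in the range 0-255
ip_to_int() {
    set -- $(echo "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_block ADDR NETWORK PREFIXLEN -> 0 if ADDR lies inside NETWORK/PREFIXLEN
in_block() {
    addr=$(ip_to_int "$1") || return 2
    net=$(ip_to_int "$2") || return 2
    # mask with the top PREFIXLEN bits set, kept within 32 bits
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# is_rfc1918 ADDR -> 0 (true) for a private address, 1 for a public one,
# 2 if ADDR is not a valid dotted quad
is_rfc1918() {
    ip_to_int "$1" >/dev/null || return 2
    in_block "$1" 10.0.0.0 8     && return 0
    in_block "$1" 172.16.0.0 12  && return 0
    in_block "$1" 192.168.0.0 16 && return 0
    return 1
}

# usage: check the addresses you intend to use before assigning them
for ip in 192.168.1.1 192.168.1.2 172.31.255.255 172.32.0.1 10.255.255.255 11.0.0.1; do
    if is_rfc1918 "$ip"; then
        echo "$ip: private (RFC 1918)"
    else
        echo "$ip: NOT private, do not use it on your LAN"
    fi
done
```

The 172.16/12 boundary is the one people get wrong: 172.31.255.255 is private, 172.32.0.1 is not, and a /16 mask on that block (as the original table had it) would let you number a LAN with public addresses by mistake.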


8. Network Settings on Gateway


9. IP Masquerade Configuration

9.1. For PPP Connections

Create the file /etc/gateway.rules with the following initial ruleset (the startup script in section 10 runs it as a shell script at boot). Use either the ipchains variant or the iptables variant, not both.


9.1.1. If using ipchains

/sbin/ipchains -M -S 7200 10 160
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -F input                                
/sbin/ipchains -F output                                
/sbin/ipchains -F forward                                
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -i ppp0 -s 192.168.1.0/24 -j MASQ

9.1.2. If using iptables

/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F   # ignore it if you get an error here
/sbin/iptables -X             # deletes every non-builtin chain in the table

# the gateway itself: accept replies to its own connections, and new
# connections arriving on any interface except the ISP-facing ppp0
# (i.e. from the LAN and from lo). Newer iptables versions write the
# negation as "! -i ppp0".
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
# set the policy only after the two rules above have loaded without error,
# otherwise you cut off the gateway's own traffic
/sbin/iptables -P INPUT DROP

# forwarding: LAN to internet freely, internet to LAN only for replies.
# The policy matters: with the default ACCEPT, anything the ISP side sends
# towards 192.168.1.0/24 is forwarded and the two rules below protect nothing.
/sbin/iptables -P FORWARD DROP
/sbin/iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT

# rewrite the LAN addresses to whatever address ppp0 currently has
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# never forward traffic from the ISP side back out to the ISP side
/sbin/iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT

9.2. For Ethernet connections (cable-modem, DSL or T1)

I am assuming that eth0 refers to the external interface and eth1 refers to the internal interface.


9.2.1. If using ipchains

For users connecting to the external network over ethernet and using ipchains:

/sbin/ipchains -M -S 7200 10 160
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward

# use this line if you have a dynamic IP address (on DHCP or BOOTP)
# configured from your ISP: it lets the DHCP server's replies in
/sbin/ipchains -A input -j ACCEPT -i eth0 -s 0/0 67 -d 0/0 68 -p udp

# forward nothing by default, then masquerade the LAN out through eth0
# (in the forward chain, -i names the outgoing interface)
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -i eth0 -s 192.168.1.0/24 -j MASQ

9.2.2. If using iptables

For users connecting to the external network over ethernet and using iptables:

/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F   # ignore it if you get an error here
/sbin/iptables -X             # deletes every non-builtin chain in the table

# the gateway itself: accept replies to its own connections, and new
# connections arriving on any interface except the ISP-facing eth0
# (i.e. from the LAN on eth1 and from lo). Newer iptables versions write
# the negation as "! -i eth0".
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
# set the policy only after the two rules above have loaded without error,
# otherwise you cut off the gateway's own traffic
/sbin/iptables -P INPUT DROP

# forwarding: LAN to internet freely, internet to LAN only for replies.
# The policy matters: with the default ACCEPT, anything the ISP side sends
# towards 192.168.1.0/24 is forwarded and the two rules below protect nothing.
/sbin/iptables -P FORWARD DROP
/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# use this line if you have a static IP address from your ISP
# (replace x.x.x.x with your static IP)
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source x.x.x.x

# use this line only if you have a dynamic IP address from your ISP
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# never forward traffic from the ISP side back out to the ISP side
/sbin/iptables -A FORWARD -i eth0 -o eth0 -j REJECT
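The two iptables rulesets in this section differ only in interface names and in the choice between MASQUERADE and SNAT. The following script, added here and not part of the original HOWTO, generates either one from a single function and adds what the rulesets above leave open: the DROP policy on the FORWARD chain is set after the ACCEPT rules are loaded, and packets claiming to come from the LAN are refused on the ISP-facing interface. The function name gateway_rules, its arguments, the IPT variable and the addresses 192.168.1.0/24 and 203.0.113.5 are my own choices. It runs in preview mode (printing the commands) so it can be inspected without root; drop the echo and put the call in /etc/gateway.rules to use it.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: build the section 9
# iptables ruleset for either connection type from one function.
# Hypothetical arguments: EXT is the ISP-facing interface (ppp0, or eth0 for
# cable/DSL/T1), INT the LAN interface, LAN the private network in CIDR
# form, and STATIC_IP, when given, selects SNAT instead of MASQUERADE.

# Preview mode: every rule is printed instead of loaded. Remove the word
# "echo" to apply the rules for real (as root).
IPT="echo /sbin/iptables"

gateway_rules() {
    ext=$1; int=$2; lan=$3; static_ip=$4

    # start from a clean slate in every table
    $IPT -F
    $IPT -t nat -F
    $IPT -t mangle -F
    $IPT -X

    # anti-spoofing: packets with a LAN source must never arrive from the ISP
    $IPT -A INPUT -i $ext -s $lan -j DROP
    $IPT -A FORWARD -i $ext -s $lan -j DROP

    # the gateway itself: replies to its own connections, everything on lo,
    # and new connections only from the LAN side
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i $int -s $lan -m state --state NEW -j ACCEPT

    # an ethernet uplink with a dynamic address needs the ISP's DHCP replies
    case $ext in
        ppp*) ;;
        *)
            if [ -z "$static_ip" ]; then
                $IPT -A INPUT -i $ext -p udp --sport 67 --dport 68 -j ACCEPT
            fi
            ;;
    esac

    # forwarding: LAN to internet, and only replies from internet to LAN
    $IPT -A FORWARD -i $int -o $ext -s $lan -j ACCEPT
    $IPT -A FORWARD -i $ext -o $int -m state --state ESTABLISHED,RELATED -j ACCEPT

    # hide the LAN behind the external address
    if [ -n "$static_ip" ]; then
        $IPT -t nat -A POSTROUTING -o $ext -s $lan -j SNAT --to-source $static_ip
    else
        $IPT -t nat -A POSTROUTING -o $ext -s $lan -j MASQUERADE
    fi

    # policies last, so the ACCEPT rules are already in place when the
    # default turns to DROP; OUTPUT stays open for the gateway's own traffic
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

# PPP dial-up with a dynamic address. For a cable/DSL line with a static
# address you would call: gateway_rules eth0 eth1 192.168.1.0/24 203.0.113.5
gateway_rules ppp0 eth0 192.168.1.0/24
```

The order is the point: flush, then the ACCEPT rules, then NAT, then the DROP policies, so there is no moment during loading when the gateway's own established connections are cut off. The anti-spoofing rules go first because they must be evaluated before the ESTABLISHED,RELATED accept.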

10. Creating Startup Scripts

Create a script /etc/init.d/gateway

#! /bin/sh
#
# /etc/init.d/gateway: load the masquerading rules from /etc/gateway.rules
# (the ruleset created in section 9) and turn IP forwarding on or off.
# Set FILTER to ipchains or iptables to match the ruleset you created.

FILTER=iptables
RULES=/etc/gateway.rules

# If no rules, do nothing.
[ -f $RULES ] || exit 0

case "$1" in
    start)
        echo -n "Turning on packet filtering:"

        if [ "$FILTER" = ipchains ]; then
            # 2.2 kernels: masquerading helper for active FTP
            /sbin/modprobe ip_masq_ftp
        else
            /sbin/modprobe iptable_nat
            /sbin/modprobe ipt_MASQUERADE
            # connection tracking and NAT helpers for active FTP
            /sbin/modprobe ip_conntrack_ftp
            /sbin/modprobe ip_nat_ftp
        fi

        # the rules file is a list of ipchains/iptables commands, so run it
        # as a shell script (it is not in ipchains-save/iptables-save format)
        /bin/sh $RULES || exit 1

        echo 1 > /proc/sys/net/ipv4/ip_forward
        # for RedHat users, the above line is not needed if you have
        # FORWARD_IPV4=true in /etc/sysconfig/network

        echo 1 > /proc/sys/net/ipv4/ip_dynaddr
        # the above option is for dynamic IP users (DHCP, PPP or BOOTP)

        echo "."
        ;;
    stop)
        echo -n "Turning off packet filtering:"
        echo 0 > /proc/sys/net/ipv4/ip_forward

        if [ "$FILTER" = ipchains ]; then
            /sbin/ipchains -F
            /sbin/ipchains -X
            /sbin/ipchains -P input ACCEPT
            /sbin/ipchains -P output ACCEPT
            /sbin/ipchains -P forward ACCEPT
        else
            /sbin/iptables -F
            /sbin/iptables -t nat -F
            /sbin/iptables -X
            /sbin/iptables -P INPUT ACCEPT
            /sbin/iptables -P FORWARD ACCEPT
            /sbin/iptables -P OUTPUT ACCEPT
        fi
        echo "."
        ;;
    *)
        echo "Usage: /etc/init.d/gateway {start|stop}"
        exit 1
        ;;
esac

exit 0

Give execute permissions to the startup scripts

bash# chmod 744 /etc/init.d/gateway

Use rcconf or update-rc.d on Debian (for example "update-rc.d gateway defaults"), or chkconfig on RedHat, to create the startup links for this script.


11. Network Settings on workstations

The values that need to be set on your workstations are,

	Static IP address   : 192.168.1.2 to 192.168.1.254 (a different one per workstation)
	Subnet mask         : 255.255.255.0
	Default gateway     : 192.168.1.1 (the gateway's internal address)
	Primary DNS server  : <primary DNS server as given by your ISP>
	Secondary DNS server: <secondary DNS server as given by your ISP>

If your clients run Linux, configure the network settings file: /etc/network/interfaces on Debian, or /etc/sysconfig/network-scripts/ifcfg-eth0 on RedHat systems.

If you are using Windows clients, go to Control Panel, Network, select the TCP/IP entry for your network card, Properties, and enter these values as static settings.


12. Activating the gateway

After doing all the settings as mentioned above, restart your networking with
bash# /etc/init.d/networking restart

Then check your routing table (route -n) for the default gateway. The internal network 192.168.1.0/24 is directly connected on the LAN interface and needs no gateway entry; its route is added when the interface comes up. What the gateway needs is a default route through your ISP's router. For PPP, pppd adds it when the link comes up if your peer configuration contains the defaultroute option. For users connecting with ethernet to the ISP, a DHCP lease normally sets it; with a static address, add it yourself on the external interface, using the router address given by your ISP in place of X.X.X.X:

bash# route add default gw X.X.X.X dev eth0

13. How do I test the setup?

First ping your gateway system (192.168.1.1) from one of your workstations. Then access a web site or an external system from the gateway itself, and finally try to reach the same site from your workstation.

If you cannot get beyond your gateway, print your rules with "iptables -L -n -v" (and "iptables -t nat -L -n" for the masquerading rule) or "ipchains -L -n -v", and check them against the instructions; the packet counters in the -v output show which rules are actually being hit. Check the other system settings, and see that all the network interfaces are up on your workstations and their configurations are correct. To view the tracked connections, do
bash# cat /proc/net/ip_conntrack
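To see what the connection tracking table tells you, here is an added example (not from the original HOWTO) that summarises /proc/net/ip_conntrack per LAN host: how many connections each host has, and how many of them were not rewritten to the external address, which is exactly what you see when the POSTROUTING rule is missing or the ruleset did not load. The function name masq_summary is my own, and the five sample lines are constructed by me in the 2.4 ip_conntrack line format using documentation address ranges; on a live gateway feed it the real file instead.

```shell
#!/bin/sh
# Added example (not from the HOWTO): summarise ip_conntrack per LAN host.
# Each conntrack line carries two tuples: the original direction (first
# src=/dst= pair) and the expected reply (second src=/dst= pair). With
# masquerading working, the reply tuple's dst= is the gateway's external
# address; if it still shows the LAN host, that connection is not NATed.

# masq_summary LAN_PREFIX   (dotted prefix such as 192.168.1.)
# reads conntrack lines on stdin, prints "host connections not-natted"
# for every LAN host and a final "gateway-own N" line for the gateway's
# own connections. Usage on a live system:
#   masq_summary 192.168.1. < /proc/net/ip_conntrack
masq_summary() {
    prefix=$1
    awk -v prefix="$prefix" '
    {
        split("", src); split("", dst); n = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/) { n++; src[n] = substr($i, 5) }
            if ($i ~ /^dst=/) { dst[n] = substr($i, 5) }
        }
        # src[1]/dst[1] is the original direction, src[2]/dst[2] the reply
        if (index(src[1], prefix) == 1) {
            count[src[1]]++
            if (dst[2] == src[1]) unnatted[src[1]]++
        } else {
            gateway++
        }
    }
    END {
        for (h in count)
            printf "%s %d %d\n", h, count[h], unnatted[h] + 0
        printf "gateway-own %d\n", gateway + 0
    }' | sort
}

# Constructed sample: the gateway is 203.0.113.5, the LAN is 192.168.1.0/24.
# The fourth line shows a DNS lookup whose reply is expected back at the
# LAN address, i.e. a connection the masquerading rule did not touch.
SAMPLE='tcp 6 431995 ESTABLISHED src=192.168.1.2 dst=198.51.100.10 sport=1026 dport=80 src=198.51.100.10 dst=203.0.113.5 sport=80 dport=1026 [ASSURED] use=1
tcp 6 117 SYN_SENT src=192.168.1.2 dst=198.51.100.20 sport=1027 dport=22 [UNREPLIED] src=198.51.100.20 dst=203.0.113.5 sport=22 dport=1027 use=1
udp 17 29 src=192.168.1.3 dst=198.51.100.53 sport=1028 dport=53 src=198.51.100.53 dst=203.0.113.5 sport=53 dport=1028 use=1
udp 17 19 src=192.168.1.3 dst=198.51.100.53 sport=1029 dport=53 [UNREPLIED] src=198.51.100.53 dst=192.168.1.3 sport=53 dport=1029 use=1
tcp 6 431000 ESTABLISHED src=203.0.113.5 dst=198.51.100.30 sport=1030 dport=80 src=198.51.100.30 dst=203.0.113.5 sport=80 dport=1030 [ASSURED] use=1'

printf '%s\n' "$SAMPLE" | masq_summary 192.168.1.
```

A non-zero third column for a host means its packets left the gateway with a private source address; the internet will never answer them, so check that the POSTROUTING rule is present in "iptables -t nat -L -n" and matches the outgoing interface.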

Some of the troubleshooting tips include checking the ifconfig output on the home gateway: you should see a loopback interface (lo) in addition to the two gateway interfaces (ppp0 and eth0, or eth0 and eth1). Check that the network hub is powered on and that the link lights for the connected ports are lit.

If you can ping the gateway's external IP address but not hosts on the internet, check that forwarding is actually enabled (cat /proc/sys/net/ipv4/ip_forward should print 1), that the masquerading rule is loaded, and make sure you are not running 'gated' on your gateway.