Size: 15850
Comment: converted to 1.6 markup
← Revision 101 as of 2017-08-31 21:44:51 ⇥
Size: 18053
Comment: Fix broken link to serverguide
Deletions are marked like this. | Additions are marked like this. |
Line 2: | Line 2: |
||<tablestyle="float:right; font-size: 0.9em; width:40%; background:#F1F1ED; margin: 0 0 1em 1em;" style="padding:0.5em;">'''Contents'''<<BR>><<TableOfContents>>|| '''''This is where the new Ubuntu Router page is in development, please visit [[UbuntuWirelessRouter/New]] for more information''''' |
||<tablestyle="float:right; font-size: 0.9em; width:40%; background:#F1F1ED; margin: 0 0 1em 1em;" style="padding:0.5em;"><<TableOfContents>>|| |
Line 8: | Line 8: |
This article exists due a lack of concise information and easily followed instructions on the subject of setting up a wired and/or wireless Ubuntu router. It is intended for '''intermediate''' and '''advanced users''' who have or would like to set up a dedicated Ubuntu installation acting as a router at home or in their office. The end result is a powerful router that can provide functionality similar to popular products (for example, the Linksys WikiPedia:WRT54G). | This article is intended for '''intermediate''' and '''advanced users''' who would like to set up an Ubuntu installation acting as a router at home or in their office. The end result is a powerful router that can provide functionality similar to popular products (for example, the Linksys WikiPedia:WRT54G). == Scripted wired:wired router == I (user id Snake_Byte) created a python script a while back that sets up a wired router for you given some basic info (check the readme). Tested on Karmic and Lucid, let me know if you have any problems. I want to start a GUI project to make this simpler, and incorporate wireless features if anyone is interested, we can get a repo going. [Note added: The script included in this page at the link below assumes different addresses than on the rest of the page and MUST BE EDITED to replace the assumed IP address and range for your private network, and to remover the examples, before use. Furthermore, for recent versions of Debian and Ubuntu, the assumed dhcp3-server must be replaced by a more modern server, such as isc-dhcp-server, and all references to dhcp3 and dhcp3 should be replaced by just dhcp once you do so. Thus you should LOOK OVER ALL OF THE CONTENTS of the directory tree after unpacking the tar file - so not just blindly execute it before doing so.] You can get it here: [[attachment:ubuntu router.tar]] == Network Manager == This tool is perfect for simple networking problems, especially for laptop users. 
It is '''not''' appropriate for setting up a router, even though it does have a very basic internet connection sharing capability. === Typical Example === '''Home Office''' The basis is one PC connected to a broadband internet connection. Additional devices: * network printer * wifi PDA * laptop Some of these devices should be able to communicate with each other, some should be allowed to communicate with the internet. Some are wired, and some are wireless. With this guide, your PC can share the internet over additional network interfaces, such as wireless cards and ethernet cards. '''University''' Single PC on a university LAN. Additional devices: * X-Box running mythbuntu * Wifi mobile phone * laptops ==== Quick and Dirty ==== If you would like to try to do the same thing the 'quick and dirty' way, see EasyRouter, a much quicker method with much less flexibility. |
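Review bot: the added "Scripted wired:wired router" section hands readers a setup script as a tarball attachment, and its own bracketed note admits the script hard-codes a different address range than the rest of the page and a dhcp3-server package that no longer exists on current releases. The advice to read every file before executing is the right one, because the script rewrites network and DHCP configuration; the section should also tell readers to take the /etc/network/interfaces backup described later on this page before running it. The note reads "remover" and "dhcp3 and dhcp3", which look like typos for "remove" and "dhcp3-server and dhcp3".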
Line 12: | Line 51: |
The router that will be created is an Internet gateway for wired and/or wireless clients to share one broadband connection with one IP address. The basics this router will provide are: |
The router that will be created is an Internet gateway for wired and/or wireless clients to share an internet connection with one IP address. The essential components are: * routing of packets from your local networks to the internet, with WikiPedia:IP_masquerading * handling DNS requests * providing IP addresses to devices on your local networks (DHCP) This router can also provide: |
Line 16: | Line 60: |
* WikiPedia:IP_masquerading * port forwarding (optional) * DHCP server * DNS caching server |
* port forwarding |
Line 23: | Line 64: |
== Broadband Connection == A broadband connection like a cable or DSL modem is required. Your broadband service provider must either provide the necessary information to configure your IP address '''statically''' or provide a dynamically assigned address via '''DHCP'''. |
== Internet Connection == This is not strictly necessary, but is probably the reason you are following this article. You can set up a router in an isolated network using these instructions, but you will likely have specialist requirements, and need to make changes. |
Line 29: | Line 70: |
=== Use your desktop PC === If you have a recent PC, bought in the last two years, it probably has enough horsepower to run all your normal applications and act as a router at the same time. === Dedicated Hardware === |
|
Line 32: | Line 77: |
* A network adapter connected to the broadband cable or DSL modem | * A network adapter |
Line 34: | Line 79: |
* Another network adapter connected to a hub or switch | * Another network adapter, typically an ethernet port on a motherboard, or PCI card. |
Line 36: | Line 81: |
* A wireless network adapter (which must be able to be set in "master" mode) * `sudo iwconfig <device name> mode master` should not return an error |
* A wireless network adapter * Ideally it should be able run in "master" mode, although "ad-hoc" mode might be good enough. Cards and chipsets which can work in '''master''' mode (otherwise known as '''access point''' or '''ap''' mode), are listed at the [[http://linuxwireless.org/en/users/Drivers|Linux Wireless Project]]. * `sudo ip link set dev <interface name> down && sudo iwconfig <interface name> mode master` should not return an error; but some cards take extra commands to set master mode. mac80211 compatible drivers can run cards in master mode. Pay careful attention to what hardware you buy. |
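Review bot: the new master-mode check is `sudo ip link set dev <interface name> down && sudo iwconfig <interface name> mode master`, and the same sentence concedes that "some cards take extra commands", so a clean exit proves little, while iwconfig is the deprecated wireless-tools interface. For the mac80211 drivers this line recommends, `iw list` reports the supported interface modes directly, and `AP` appearing under "Supported interface modes" is the definitive answer; it belongs next to the iwconfig command.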
Line 39: | Line 85: |
* '''For both a wired and wireless network''', * All of the above Running `ifconfig -a` will show you what network interfaces are available. |
Running `ip addr` will show you what network interfaces are available. === Terminology === '''interface''' is used to mean the operating system's name for a place which sends or receives data packets. It is often, but not necessarily, the same as a device. An interface may have several devices associated (e.g. a bridge), or a single device may have several interfaces. '''device''' will refer here to the bit of hardware dealing with your network connections. |
Line 47: | Line 95: |
Firstly, discover the IP address of your internet-connected interface. If you are plugged into a business or academic LAN, this is very likely to be given by: '''ip addr show eth0''' For a home broadband user, it may be a ppp interface; and a wireless user could have any number of interface names, such as ethX, wlanX, athX, where X is a digit. Be aware that it is important to use different numbers below to the one given to your internet device. This is probably the case already, but if you are not directly connected to the internet, you may be on a LAN with the same address range. If you already have a broadband router, for example, it might have given you the 192.168.0.2 address, and kept 192.168.0.1 for itself. If so, change the third digit (0) to another number (and do so throughout the rest of this tutorial). |
|
Line 50: | Line 106: |
|| Network || 192.168.0.0 || || Netmask || 255.255.255.0 || |
|| Network || 192.168.0.0/24 || |
Line 56: | Line 111: |
|| Netmask || 255.255.255.0 || | || Prefix length || /24 || |
Line 70: | Line 125: |
It is important to note that the names of the network devices above (__'''eth0'''__, __'''eth1'''__, and __'''wlan0'''__) are used as convention. It is very likely that your router will recognize its devices under different names (for example, madwifi calls its wireless device __'''ath0'''__). Please substitute the names of your device accordingly. For information about how to change the names of your network devices, try `man iftab`. | It is important to note that the names of the network interfaces above (__'''eth0'''__, __'''eth1'''__, and __'''wlan0'''__) are used as convention. It is very likely that your router will recognize its devices under different names (for example, madwifi calls its wireless device __'''ath0'''__). Please substitute the names of your device accordingly. For information about how to change the names of your network devices, try `man iftab`. |
Line 75: | Line 130: |
{{{sudo cp /etc/network/interfaces /etc/network/interfaces.bak | {{{ sudo cp /etc/network/interfaces /etc/network/interfaces.bak |
Line 87: | Line 143: |
{{{# Set up the local loopback interface | {{{ # Set up the local loopback interface |
Line 97: | Line 154: |
iface eth0 inet dhcp}}} | iface eth0 inet dhcp }}} ==== For PPPoE connection with dynamic IP address only ==== See [[http://ubuntuforums.org/showthread.php?p=9956712#post9956712|forum]]. |
Line 103: | Line 165: |
{{{# Set up the local loopback interface | {{{ # Set up the local loopback interface |
Line 117: | Line 180: |
gateway xxx.xxx.xxx.xxx}}} | gateway xxx.xxx.xxx.xxx }}} |
Line 120: | Line 184: |
{{{nameserver xxx.xxx.xxx.xxx nameserver xxx.xxx.xxx.xxx}}} You can visit the [[https://help.ubuntu.com/6.06/ubuntu/serverguide/C/network-configuration.html|Ubuntu Server Guide - Network Configuration]] documentation for more information |
{{{ nameserver xxx.xxx.xxx.xxx nameserver xxx.xxx.xxx.xxx }}} You can visit the [[https://help.ubuntu.com/lts/serverguide/network-configuration.html|Ubuntu Server Guide - Network Configuration]] documentation for more information |
Line 128: | Line 194: |
{{{sudo /etc/init.d/networking restart ping -c 3 -W 10 ubuntu.com}}} |
{{{ sudo /etc/init.d/networking restart ping -c 3 -W 10 ubuntu.com }}} |
Line 131: | Line 199: |
{{{PING ubuntu.com (82.211.81.166) 56(84) bytes of data. | {{{ PING ubuntu.com (82.211.81.166) 56(84) bytes of data. |
Line 138: | Line 207: |
rtt min/avg/max/mdev = 99.982/103.450/109.419/4.254 ms}}} | rtt min/avg/max/mdev = 99.982/103.450/109.419/4.254 ms }}} |
Line 145: | Line 215: |
{{{# Set up the internal wired network | {{{ # Set up the internal wired network |
Line 155: | Line 226: |
broadcast 192.168.0.255}}} | broadcast 192.168.0.255 }}} |
Line 162: | Line 234: |
{{{dd if=/dev/random bs=1 count=13 2>/dev/null | xxd -p | {{{ dd if=/dev/random bs=1 count=13 2>/dev/null | xxd -p |
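Review bot: this hunk only re-spaces `dd if=/dev/random bs=1 count=13 2>/dev/null | xxd -p`, the command that produces a 104-bit WEP key, and neither revision warns that WEP is cryptographically broken: the key is recoverable from captured traffic regardless of how random those 13 bytes are. The key-generation step should carry that warning and point to WPA2 (hostapd) rather than present WEP as the page's only wireless protection.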
Line 166: | Line 239: |
{{{# Set up the internal wireless network | {{{ # Set up the internal wireless network |
Line 185: | Line 259: |
broadcast 192.168.0.255}}} |
broadcast 192.168.0.255 }}} |
Line 193: | Line 267: |
{{{sudo apt-get install bridge-utils | {{{ sudo apt-get install bridge-utils |
Line 197: | Line 272: |
{{{dd if=/dev/random bs=1 count=13 2>/dev/null | xxd -p | {{{ dd if=/dev/random bs=1 count=13 2>/dev/null | xxd -p |
Line 201: | Line 277: |
{{{# Set up the internal wireless network | {{{ # Set up the internal wireless network |
Line 238: | Line 315: |
bridge-ports eth1 wlan0}}} | bridge-ports eth1 wlan0 }}} |
Line 242: | Line 320: |
== Restart Networking == Now, if the following command is executes successfully, your networking devices have been properly configured. {{{sudo /etc/init.d/networking restart }}} = Configuring the Firewall = == Background == == The Firewall Script == '''''This is a just a __rough draft__!''''' {{{ |
== Enable IP forwarding and Masquerading == Doing the above might not be enough to make the Ubuntu machine a real router which does NAT (Network Address Translation) and IP Forwarding. The following script configures the Kernel IPTable and IP forwarding. You will have to configure at least the script's 2 variables; the 1st is the external network interface; the 2nd is the internal network interface. {{{ EXTIF="eth0" INTIF="eth1" }}} The script was originally from a [[http://ubuntuforums.org/showthread.php?t=119787|Ubuntu router guide forum article]] which has 2 internal network interfaces. What's showing below uses only 1 internal network interface. You will have to modify the script manually or use the script in the [[http://ubuntuforums.org/showthread.php?t=119787|Ubuntu router guide forum article]] if you need to configure 2 internal network interfaces. {{{ |
Line 258: | Line 332: |
IPTABLES=/sbin/iptables AWK=/usr/bin/awk IFCONFIG=/sbin/ifconfig # External (Internet-facing) interface |
echo -e "\n\nLoading simple rc.firewall-iptables version $FWVER..\n" DEPMOD=/sbin/depmod MODPROBE=/sbin/modprobe |
Line 266: | Line 337: |
# External IP address (automatically detected) EXTIP="`$IFCONFIG $EXTIF | $AWK /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`" # Internal interface INTIF="br0" # Internal IP address (in CIDR notation) INTIP="192.168.0.1/32" # Internal network address (in CIDR notation) INTNET="192.168.0.0/24" # The address of anything/everything (in CIDR notation) UNIVERSE="0.0.0.0/0" echo "External: [Interface=$EXTIF] [IP=$EXTIP]" echo "Internal: [Interface=$INTIF] [IP=$INTIP] [Network:$INTNET]" echo echo -n "Loading rules..." # Enabling IP forwarding echo 1 > /proc/sys/net/ipv4/ip_forward # Clear any existing rules and set the default policy to DROP $IPTABLES -P INPUT DROP $IPTABLES -F INPUT $IPTABLES -P OUTPUT DROP $IPTABLES -F OUTPUT $IPTABLES -P FORWARD DROP $IPTABLES -F FORWARD $IPTABLES -F -t nat # Delete all User-specified chains $IPTABLES -X # Reset all IPTABLES counters $IPTABLES -Z ################################################### # INPUT: Incoming traffic from various interfaces # ################################################### # Loopback interface is valid $IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT # Local interface, local machines, going anywhere is valid $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT # Remote interface, claiming to be local machines, IP spoofing, get lost $IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j REJECT # External interface, from any source, for ICMP traffic is valid $IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT # Allow any related traffic coming back to the MASQ server in. 
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT # Internal interface, DHCP traffic accepted $IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT $IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT # External interface, HTTP/HTTPS traffic allowed $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 443 -j ACCEPT # External interface, SSH traffic allowed $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 22 -j ACCEPT # Catch-all rule, reject anything else $IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j REJECT #################################################### # OUTPUT: Outgoing traffic from various interfaces # #################################################### # Workaround bug in netfilter $IPTABLES -A OUTPUT -m state -p icmp --state INVALID -j DROP # Loopback interface is valid. $IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT # Local interfaces, any source going to local net is valid $IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT # local interface, MASQ server source going to the local net is valid $IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT # outgoing to local net on remote interface, stuffed routing, deny $IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j REJECT # anything else outgoing on remote interface is valid $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT # Internal interface, DHCP traffic accepted $IPTABLES -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT $IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT # Catch all rule, all other outgoing is denied and logged. 
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j REJECT ########################### # Packet Forwarding / NAT # ########################### # ----- Begin OPTIONAL FORWARD Section ----- #Optionally forward incoming tcp connections on port 1234 to 192.168.0.100 #$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 1234 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT #$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 1234 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.0.100:1234 # ----- End OPTIONAL FORWARD Section ----- # Accept solicited tcp packets $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow packets across the internal interface $IPTABLES -A FORWARD -i $INTIF -o $INTIF -j ACCEPT # Forward packets from the internal network to the Internet $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT # Catch-all REJECT rule $IPTABLES -A FORWARD -j REJECT # IP-Masquerade $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP echo " done."}}} |
INTIF="eth1" #INTIF2="eth0" echo " External Interface: $EXTIF" echo " Internal Interface: $INTIF" #====================================================================== #== No editing beyond this line is required for initial MASQ testing == echo -en " loading modules: " echo " - Verifying that all kernel modules are ok" $DEPMOD -a echo "----------------------------------------------------------------------" echo -en "ip_tables, " $MODPROBE ip_tables echo -en "nf_conntrack, " $MODPROBE nf_conntrack echo -en "nf_conntrack_ftp, " $MODPROBE nf_conntrack_ftp echo -en "nf_conntrack_irc, " $MODPROBE nf_conntrack_irc echo -en "iptable_nat, " $MODPROBE iptable_nat echo -en "nf_nat_ftp, " $MODPROBE nf_nat_ftp echo "----------------------------------------------------------------------" echo -e " Done loading modules.\n" echo " Enabling forwarding.." echo "1" > /proc/sys/net/ipv4/ip_forward echo " Enabling DynamicAddr.." echo "1" > /proc/sys/net/ipv4/ip_dynaddr echo " Clearing any existing rules and setting default policy.." iptables-restore <<-EOF *nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE COMMIT *filter :INPUT ACCEPT [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] -A FORWARD -i "$EXTIF" -o "$INTIF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT -A FORWARD -j LOG COMMIT EOF echo -e "\nrc.firewall-iptables v$FWVER done.\n" }}} After configuring the 2 variables, save the script below as nat.sh and make it executable by doing {{{ chmod a+x nat.sh }}} Now, test the script by running as root {{{ sudo sh nat.sh }}} Investigate the messages from the console output to see if any error happened. If everything looks fine, use another host in the internal network to test if it can access the external network (presumably the Internet). A quick way to test is pinging [[http://code.google.com/speed/public-dns/|Google public DNS]] from the console. 
{{{ ping -c 3 -W 10 8.8.8.8 }}} If ping responds, make our new script bootable so we don't have to run the script every time we restart. {{{ sudo cp nat.sh /etc/init.d/ sudo ln -s /etc/init.d/nat.sh /etc/rc2.d/S95masquradescript }}} As a final test, restart your computer and test to see if you still have the same functionality. If so then congratulations! If not then make sure you followed the above correctly so the script is bootable. = Firewall = See [[Router/Firewall]] |
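Review bot: the replacement script at Line 332 onward installs `:INPUT ACCEPT [0:0]` and `:OUTPUT ACCEPT [0:0]`, so, unlike the deleted rc.firewall on the left (`$IPTABLES -P INPUT DROP`, `$IPTABLES -P OUTPUT DROP` and the anti-spoofing rule `-A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j REJECT`), every service listening on the router is now reachable from the external interface and packets arriving there with internal source addresses are no longer rejected; the new "Enable IP forwarding and Masquerading" text should say so instead of leaving it to "See Router/Firewall". Two smaller points: `sudo sh nat.sh` runs the script under dash on Ubuntu, where `echo -e` and `echo -en` print the option literally, so either give the file a bash shebang and run `sudo ./nat.sh` or switch to printf; and the link name `S95masquradescript` is misspelt. On the deleted side, the `-p tcp --sport 68 --dport 67` DHCP rules were dead code, since DHCP is UDP only.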
Line 417: | Line 409: |
[[dhcp3-server|Dynamic Host Configuration Protocol (DHCP)]] ---- CategoryNetworking |
1. Setting up an Ubuntu Wired/Wireless Router
1.1. Preface
This article is intended for intermediate and advanced users who would like to set up an Ubuntu installation acting as a router at home or in their office. The end result is a powerful router that can provide functionality similar to popular products (for example, the Linksys WRT54G).
1.2. Scripted wired:wired router
I (user id Snake_Byte) created a python script a while back that sets up a wired router for you given some basic info (check the readme).
Tested on Karmic and Lucid, let me know if you have any problems. I want to start a GUI project to make this simpler, and incorporate wireless features if anyone is interested, we can get a repo going.
[Note added: The script included in this page at the link below assumes different addresses than on the rest of the page and MUST BE EDITED to replace the assumed IP address and range for your private network, and to remove the examples, before use. Furthermore, for recent versions of Debian and Ubuntu, the assumed dhcp3-server must be replaced by a more modern server, such as isc-dhcp-server, and all references to dhcp3 should be replaced by just dhcp once you do so. Thus you should LOOK OVER ALL OF THE CONTENTS of the directory tree after unpacking the tar file; do not just blindly execute it before doing so.]
You can get it here:
1.3. Network Manager
This tool is perfect for simple networking needs, especially for laptop users. It is not appropriate for setting up a router, even though it does have a very basic internet connection sharing capability.
1.3.1. Typical Example
Home Office
The basis is one PC connected to a broadband internet connection. Additional devices:
- network printer
- wifi PDA
- laptop
Some of these devices should be able to communicate with each other, some should be allowed to communicate with the internet. Some are wired, and some are wireless. With this guide, your PC can share the internet over additional network interfaces, such as wireless cards and ethernet cards.
University
Single PC on a university LAN. Additional devices:
- X-Box running mythbuntu
- Wifi mobile phone
- laptops
1.3.1.1. Quick and Dirty
If you would like to try to do the same thing the 'quick and dirty' way, see EasyRouter, a much quicker method with much less flexibility.
1.4. Technical Overview
The router that will be created is an Internet gateway for wired and/or wireless clients to share an internet connection with one IP address.
The essential components are:
- routing of packets from your local networks to the internet, with IP masquerading
- handling DNS requests
- providing IP addresses to devices on your local networks (DHCP)
This router can also provide:
- A firewall
- port forwarding
2. Prerequisites
2.1. Internet Connection
This is not strictly necessary, but is probably the reason you are following this article. You can set up a router in an isolated network using these instructions, but you will likely have specialist requirements, and need to make changes.
2.2. Router Hardware
2.2.1. Use your desktop PC
If you have a recent PC, bought in the last two years, it probably has enough horsepower to run all your normal applications and act as a router at the same time.
2.2.2. Dedicated Hardware
You'll need a dedicated computer to act as the router. The computer can use old hardware; meeting the minimum requirements to install Ubuntu should suffice. The author of this article runs his router on a 600 MHz Pentium III with 256 MB of RAM. You could also use the machine as a server for other applications, perhaps by installing postfix, apache, mysql and/or samba, but remember that every service on an internet-facing host is additional attack surface: bind such services to the internal interface where possible and keep them patched. This guide recommends a server installation of Ubuntu, but there's no reason why a desktop installation wouldn't work. If you plan to access the router remotely, install openssh-server before proceeding.
The following needs to be physically installed and recognized by the kernel on your router:
- A network adapter connected to your internet connection
For a wired network:
- Another network adapter, typically an ethernet port on a motherboard, or a PCI card.
For a wireless network:
- A wireless network adapter. Ideally it should be able to run in "master" mode, although "ad-hoc" mode might be good enough. Cards and chipsets which can work in master mode (otherwise known as access point or AP mode) are listed at the Linux Wireless Project.
sudo ip link set dev <interface name> down && sudo iwconfig <interface name> mode master
should not return an error, but some cards take extra commands to set master mode, and iwconfig itself is deprecated. mac80211 compatible drivers can run cards in master mode, and for those drivers the reliable check is to run iw list and look for "* AP" under "Supported interface modes". Pay careful attention to what hardware you buy.
If your wireless network adapter is not recognized by your server installation of Ubuntu, it may use the madwifi chipset (like the D-Link DWL-G520). Please visit Router/Madwifi for more information.
For both a wired and wireless network:
- All of the above.
Running ip addr will show you what network interfaces are available.
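A check that works on current mac80211 drivers, as an added example that is not part of the original page: the shell function below reads the output of iw list and prints the name of every wireless PHY whose supported interface modes include AP, which is what "master mode" means today. The iw list output embedded in it is constructed (two made-up adapters) so the script runs offline; in real use you pipe the live command into the function.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: find which wireless PHYs
# can run as an access point ("master" mode) by reading `iw list` output,
# the authoritative source for mac80211 drivers. The sample below is
# constructed for illustration (two made-up adapters).

# ap_capable_phys: read `iw list` on stdin and print the name of every Wiphy
# whose "Supported interface modes" list contains AP (AP/VLAN alone does not count).
ap_capable_phys() {
    awk '
        /^Wiphy /                     { phy = $2; inmodes = 0 }
        /Supported interface modes:/  { inmodes = 1; next }
        inmodes && /^[ \t]*\* /       { if ($2 == "AP") print phy; next }
        inmodes                       { inmodes = 0 }
    '
}

# Constructed sample: phy0 is an AP-capable card, phy1 a client-only USB dongle.
sample_iw_list() {
    cat <<'EOF'
Wiphy phy0
    max # scan SSIDs: 4
    Supported interface modes:
         * IBSS
         * managed
         * AP
         * AP/VLAN
         * monitor
    Band 1:
        Capabilities: 0x1ff
Wiphy phy1
    max # scan SSIDs: 9
    Supported interface modes:
         * managed
         * monitor
    Band 1:
        Capabilities: 0x1062
EOF
}

# Real use:  iw list | ap_capable_phys
# Here the constructed sample stands in for the live command and prints "phy0".
sample_iw_list | ap_capable_phys
```

If the function prints nothing for your machine, the card cannot be an access point with its current driver, whatever iwconfig reports.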
2.2.3. Terminology
interface is used to mean the operating system's name for a place which sends or receives data packets. It is often, but not necessarily, the same as a device. An interface may have several devices associated (e.g. a bridge), or a single device may have several interfaces. device will refer here to the bit of hardware dealing with your network connections.
3. Internal Network Information
Here are the values we'll use to set up your internal network. Advanced users use caution when changing them as the changes will need to be reflected in all further router configuration.
Firstly, discover the IP address of your internet-connected interface. If you are plugged into a business or academic LAN, this is very likely to be given by:
ip addr show eth0
For a home broadband user, it may be a ppp interface; and a wireless user could have any number of interface names, such as ethX, wlanX, athX, where X is a digit.
Be aware that the internal network below must be different from the one your internet-connected interface is on. This is probably already the case, but if you are not directly connected to the internet you may be on a LAN with the same address range. If you already have a broadband router, for example, it might have given you the 192.168.0.2 address and kept 192.168.0.1 for itself. If so, change the third octet (the 0 in 192.168.0.x) to another number, and do so throughout the rest of this tutorial.
Router
| Address   | 192.168.0.1    |
| Network   | 192.168.0.0/24 |
| Broadcast | 192.168.0.255  |
Clients
| Addresses     | 192.168.0.2 - 192.168.0.254 |
| Prefix length | /24                         |
| Broadcast     | 192.168.0.255               |
| Gateway       | 192.168.0.1                 |
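The warning about picking an internal network that does not collide with the one your external interface already sits on can be checked rather than eyeballed. The POSIX sh functions below are an added example, not from the original page: they compute the Network and Broadcast rows of the tables above from an address and prefix length, test two networks for overlap, and pick the first free 192.168.x.0/24, which is the "change the third octet" advice made mechanical. The external address 192.168.0.2/24 in the demonstration is an assumption standing in for whatever ip addr show reports on your internet-connected interface.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: IPv4 prefix arithmetic in
# POSIX sh, used to check that the internal network chosen above does not
# overlap the network your internet-facing interface already belongs to.
# The addresses in the demonstration at the bottom are made up.

# Dotted quad -> 32-bit integer.
ip2int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask as an integer for a prefix length 0..32 (shell arithmetic is 64-bit,
# so the result is masked back down to 32 bits).
mask_of() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# network_of ADDR PREFIX -> network address (the "Network" row of the table).
network_of() {
    int2ip $(( $(ip2int "$1") & $(mask_of "$2") ))
}

# broadcast_of ADDR PREFIX -> broadcast address (the "Broadcast" row).
broadcast_of() {
    m=$(mask_of "$2")
    int2ip $(( ( $(ip2int "$1") & m ) | (4294967295 - m) ))
}

# networks_overlap ADDR1 PREFIX1 ADDR2 PREFIX2 -> true if the networks share any
# address. Compare both at the shorter prefix: if the network addresses agree
# there, one network contains the other.
networks_overlap() {
    p=$2
    [ "$4" -lt "$p" ] && p=$4
    [ "$(network_of "$1" "$p")" = "$(network_of "$3" "$p")" ]
}

# pick_internal_net EXT_ADDR EXT_PREFIX -> first 192.168.x.0/24 that does not
# overlap the external network (fails if every one of them does).
pick_internal_net() {
    x=0
    while [ "$x" -le 255 ]; do
        if ! networks_overlap "$1" "$2" "192.168.$x.1" 24; then
            echo "192.168.$x.0/24"
            return 0
        fi
        x=$((x + 1))
    done
    return 1
}

# Demonstration (assumed values): an existing broadband router handed our external
# interface 192.168.0.2/24, which collides with the 192.168.0.0/24 used in this guide.
EXT_ADDR=192.168.0.2 EXT_PREFIX=24
echo "internal network:  $(network_of 192.168.0.1 24)/24"
echo "broadcast:         $(broadcast_of 192.168.0.1 24)"
if networks_overlap "$EXT_ADDR" "$EXT_PREFIX" 192.168.0.1 24; then
    echo "overlaps the upstream network $(network_of "$EXT_ADDR" "$EXT_PREFIX")/$EXT_PREFIX;"
    echo "use $(pick_internal_net "$EXT_ADDR" "$EXT_PREFIX") instead"
fi
```

Feed the script the address and prefix length that ip addr show prints for your external interface; if it reports an overlap, use the suggested network in every later section of this page.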
4. Setting Up Your Network Interfaces
4.1. Device Naming Overview
| Network Device | Internal or External Network | Description |
| eth0  | External | Network adapter connected to an external network (your broadband connection) |
| eth1  | Internal | Network adapter connected to a hub or switch |
| wlan0 | Internal | Wireless network adapter |
| br0   | Internal | Network bridge between eth1 and wlan0 that will treat the two like one device |
It is important to note that the names of the network interfaces above (eth0, eth1, and wlan0) are used as convention. It is very likely that your router will recognize its devices under different names (for example, madwifi calls its wireless device ath0). Please substitute the names of your devices accordingly. On older releases the names could be pinned in /etc/iftab (try man iftab); current releases assign persistent names through udev and systemd .link files (see man systemd.link).
4.2. Taking a Backup
Issue the following command to take a backup of your current network configuration:
sudo cp /etc/network/interfaces /etc/network/interfaces.bak
4.3. Configuring the External Network Interface
4.3.1. Setting up External Network Interface
Here, we configure the Ubuntu networking system to bring the local loopback and external network interfaces up by editing /etc/network/interfaces. The primary goal is to have your external network interface (eth0, or whatever you're using in place of it) brought up by the networking subsystem. The examples below cover only the most basic setups. If your setup requires additional configuration, for example ADSL with PPPoE, adapt the following examples so that the end result is your external network interface connected to the Internet.
4.3.1.1. For Dynamic IP Addresses (DHCP) Only
Open /etc/network/interfaces with your favourite editor. Delete everything and paste in what is below. Follow the commented out instructions carefully.
# Set up the local loopback interface
auto lo
iface lo inet loopback

# Set up the external interface
#
# Don't forget to change eth0 to the proper name of the external
# interface if applicable.
#
auto eth0
iface eth0 inet dhcp
4.3.1.2. For PPPoE connection with dynamic IP address only
See forum.
4.3.1.3. For Static IP Address Only
Open /etc/network/interfaces with your favourite editor. Delete everything and paste in what is below. Follow the commented out instructions carefully.
# Set up the local loopback interface
auto lo
iface lo inet loopback

# Set up the External interface
#
# For every xxx.xxx.xxx.xxx, enter the numeric address given to you
# by your Internet provider. Don't forget to change eth0 to the proper
# name of the external interface if applicable.
#
auto eth0
iface eth0 inet static
address xxx.xxx.xxx.xxx
netmask xxx.xxx.xxx.xxx
gateway xxx.xxx.xxx.xxx
Now, set up your DNS servers as given to you by your service provider in /etc/resolv.conf, which should look something like this:
nameserver xxx.xxx.xxx.xxx
nameserver xxx.xxx.xxx.xxx
On releases where /etc/resolv.conf is generated for you (by resolvconf or systemd-resolved), manual edits are overwritten the next time networking restarts; in that case add a dns-nameservers line with the same addresses to the iface eth0 stanza in /etc/network/interfaces instead.
You can visit the Ubuntu Server Guide - Network Configuration documentation for more information.
4.3.2. Testing Connectivity
Reload the network configuration and test for connectivity,
sudo /etc/init.d/networking restart
ping -c 3 -W 10 ubuntu.com
And if all goes well something similar should return:
PING ubuntu.com (82.211.81.166) 56(84) bytes of data.
64 bytes from signey.ubuntu.com (82.211.81.166): icmp_seq=1 ttl=43 time=99.9 ms
64 bytes from signey.ubuntu.com (82.211.81.166): icmp_seq=2 ttl=43 time=109 ms
64 bytes from signey.ubuntu.com (82.211.81.166): icmp_seq=3 ttl=43 time=100 ms

--- ubuntu.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 99.982/103.450/109.419/4.254 ms
4.4. Configuring the Internal Network Interfaces
4.4.1. Wired Only
Append the following to /etc/network/interfaces and follow the commented out instructions carefully.
# Set up the internal wired network
#
# Don't forget to change eth1 to the proper name of the internal
# wired network interface if applicable.
#
auto eth1
iface eth1 inet static
address 192.168.0.1
network 192.168.0.0
netmask 255.255.255.0
broadcast 192.168.0.255
Your internal network interface is: eth1 (or whatever you're using in place of it)
4.4.2. Wireless Only
If you plan on using WEP, generate a network key. Be aware that WEP is cryptographically broken (its key can be recovered from captured traffic in minutes) and should be treated as no protection at all; the wireless-* options in /etc/network/interfaces cannot do better, so for anything you care about run the access point with hostapd and WPA2 instead.
dd if=/dev/random bs=1 count=13 2>/dev/null | xxd -p
Append the following to /etc/network/interfaces and follow the commented out instructions carefully.
# Set up the internal wireless network
#
# Don't forget to change wlan0 to the proper name of the internal
# wireless network interface if applicable.
#
# If you would like to use WEP, uncomment the line 'wireless-key'
# and replace '<key goes here>' with a WEP key.
#
# You may also change the network essid and channel.
#
auto wlan0
iface wlan0 inet static
wireless-mode master
wireless-essid "UbuntuWireless"
wireless-channel 1
#wireless-key <key goes here>
address 192.168.0.1
network 192.168.0.0
netmask 255.255.255.0
broadcast 192.168.0.255
Your internal network interface is: wlan0 (or whatever you're using in place of it)
4.4.3. Both Wired and Wireless
First install the necessary tools to create a network bridge,
sudo apt-get install bridge-utils
If you plan on using WEP, generate a network key (the same caveat applies: WEP gives no real protection, so prefer WPA2 via hostapd for a network you care about).
dd if=/dev/random bs=1 count=13 2>/dev/null | xxd -p
Append the following to /etc/network/interfaces and follow the commented out instructions carefully.
# Set up the internal wireless network
#
# Don't forget to change wlan0 to the proper name of the internal
# wireless network interface if applicable.
#
# If you would like to use WEP, uncomment the line 'wireless-key'
# and replace '<key goes here>' with a WEP key.
#
# You may also change the network essid and channel.
#
auto wlan0
iface wlan0 inet manual
wireless-mode master
wireless-essid "UbuntuWireless"
wireless-channel 1
#wireless-key <key goes here>

# Set up the internal wired network
#
# It's not necessary to bring this interface up as the bridge
# we are about to create does this. Leave these lines commented.
#
#auto eth1
#iface eth1 inet manual

# Set up the internal wired/wireless network bridge
#
# Don't forget to change wlan0 and eth1 to the proper name of
# the internal wired and wireless interfaces if applicable.
#
auto br0
iface br0 inet static
address 192.168.0.1
network 192.168.0.0
netmask 255.255.255.0
broadcast 192.168.0.255
bridge-ports eth1 wlan0
Your internal network interface is: br0
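The three variants above all end with the question "which name is my internal interface?", and the NAT script in the next section needs that name. The following is an added example, not part of this wiki page: a small POSIX shell script that reads an /etc/network/interfaces file of the shape shown above and reports the stanza carrying the internal router address (wlan0, eth1 or br0, together with its bridge ports if any). It also flags an active wireless-key line, because that means the wireless side is protected only by WEP, which is cryptographically broken and offers no real confidentiality. The function names internal_iface and wep_enabled are my own, and the sample file is constructed from the bridged configuration above.

```sh
#!/bin/sh
# Added example, not part of the wiki page. Reads an /etc/network/interfaces
# file and reports which stanza carries the internal router address, so you
# know whether wlan0, eth1 or br0 is the internal interface name to use later.
# Also flags an active 'wireless-key' line (WEP in use).

# internal_iface FILE [ADDRESS]
# Prints "<iface> <method>[ bridge-ports=a,b]" for the stanza whose 'address'
# line equals ADDRESS (default 192.168.0.1). Comment and blank lines are ignored.
internal_iface() {
    awk -v want="${2:-192.168.0.1}" '
        function emit() {
            if (name != "" && addr == want) {
                line = name " " method
                if (ports != "") line = line " bridge-ports=" ports
                print line
            }
        }
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        $1 == "iface" { emit(); name = $2; method = $4; addr = ""; ports = ""; next }
        $1 == "address" { addr = $2 }
        $1 == "bridge-ports" || $1 == "bridge_ports" {
            ports = $2
            for (i = 3; i <= NF; i++) ports = ports "," $i
        }
        END { emit() }
    ' "$1"
}

# wep_enabled FILE: true (exit 0) if any uncommented 'wireless-key' line exists.
wep_enabled() {
    grep -Eq '^[[:space:]]*wireless-key[[:space:]]' "$1"
}

# Constructed sample: the bridged wired+wireless configuration from this section.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
auto wlan0
iface wlan0 inet manual
    wireless-mode master
    wireless-essid "UbuntuWireless"
    wireless-channel 1
    #wireless-key <key goes here>

#auto eth1
#iface eth1 inet manual

auto br0
iface br0 inet static
    address 192.168.0.1
    network 192.168.0.0
    netmask 255.255.255.0
    broadcast 192.168.0.255
    bridge-ports eth1 wlan0
EOF

internal_iface "$SAMPLE"    # br0 static bridge-ports=eth1,wlan0
if wep_enabled "$SAMPLE"; then
    echo "wireless-key is set: WEP in use"
else
    echo "no wireless-key line active"
fi
```

On a real router run it as `internal_iface /etc/network/interfaces`; pass a second argument if you changed the internal address from 192.168.0.1.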
4.5. Enable IP forwarding and Masquerading
Configuring the interfaces above is not by itself enough to make the Ubuntu machine a real router: the kernel must also be told to forward IP packets and to perform NAT (Network Address Translation) on the external interface. The following script loads the required kernel modules, enables IP forwarding and installs the iptables rules. You will have to set at least the script's two variables: the first is the external network interface, the second is the internal network interface (the name noted at the end of the previous section).
EXTIF="eth0"
INTIF="eth1"
The script was originally taken from an Ubuntu router guide forum article that used two internal network interfaces. The version shown here uses only one internal network interface. If you need two internal interfaces, modify the script by hand or use the script from that forum article.
#!/bin/sh
# Simple NAT/masquerading script for a router with one external (EXTIF) and
# one internal (INTIF) interface. Edit EXTIF and INTIF before use.

FWVER="1.0"   # version label used only in the status messages below
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
EXTIF="eth0"
INTIF="eth1"
#INTIF2="eth0"

printf '\n\nLoading simple rc.firewall-iptables version %s..\n' "$FWVER"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"

#======================================================================
#== No editing beyond this line is required for initial MASQ testing ==

printf ' loading modules: '
echo " - Verifying that all kernel modules are ok"
$DEPMOD -a
echo "----------------------------------------------------------------------"
printf 'ip_tables, ';        $MODPROBE ip_tables
printf 'nf_conntrack, ';     $MODPROBE nf_conntrack
printf 'nf_conntrack_ftp, '; $MODPROBE nf_conntrack_ftp
printf 'nf_conntrack_irc, '; $MODPROBE nf_conntrack_irc
printf 'iptable_nat, ';      $MODPROBE iptable_nat
printf 'nf_nat_ftp, ';       $MODPROBE nf_nat_ftp
echo "----------------------------------------------------------------------"
printf ' Done loading modules.\n\n'

echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo " Clearing any existing rules and setting default policy.."
# iptables-restore replaces the nat and filter tables wholesale, so any
# rules loaded before this script runs are discarded.
iptables-restore <<EOF
*nat
-A POSTROUTING -o $EXTIF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $EXTIF -o $INTIF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
-A FORWARD -j LOG
COMMIT
EOF

printf '\nrc.firewall-iptables v%s done.\n' "$FWVER"
After configuring the two variables, save the script above as nat.sh and make it executable:
chmod a+x nat.sh
Now test the script by running it as root:
sudo sh nat.sh
Check the console output for errors. If everything looks fine, use another host on the internal network to test whether it can reach the external network (presumably the Internet). A quick test is to ping Google's public DNS server from that host's console:
ping -c 3 -W 10 8.8.8.8
If ping gets replies, install the script so that it runs at boot and you don't have to run it by hand after every restart:
sudo cp nat.sh /etc/init.d/
sudo ln -s /etc/init.d/nat.sh /etc/rc2.d/S95masqueradescript
As a final test, restart the router and check that everything still works. If so, congratulations! If not, make sure you followed the steps above correctly so that the script runs at boot.
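Looking at console messages and pinging 8.8.8.8 tells you that traffic flows, not that the rules are the ones you intended. The following is an added example, not part of this wiki page or of the original forum script: a POSIX shell function, nat_audit (my own name), that reads the output of iptables-save on standard input and checks for the state nat.sh is meant to leave behind (MASQUERADE on the external interface, a default-DROP FORWARD chain, and the two FORWARD accept rules). It also points out two things the script leaves as they are: the filter INPUT policy of ACCEPT, which means every service listening on the router itself is reachable from the external interface (the firewall section below is where that gets tightened), and the FORWARD LOG rule without a rate limit, which lets a flood of dropped packets fill the system log. A second helper, forwarding_enabled, checks the ip_forward sysctl. The iptables-save dump embedded here is constructed to match what nat.sh installs.

```sh
#!/bin/sh
# Added example, not part of the wiki page or the original forum script.
# nat_audit reads 'iptables-save' output on stdin and checks for the state
# nat.sh should leave behind. Usage on the router:
#     sudo iptables-save | nat_audit eth0 eth1
# Exit status 0 means every expected rule was found; notes are informational.
nat_audit() {
    awk -v ext="$1" -v inif="$2" '
        /^\*/ { table = substr($1, 2); next }          # "*nat", "*filter"
        table == "nat" && $0 == ("-A POSTROUTING -o " ext " -j MASQUERADE") { masq = 1 }
        table == "filter" && $1 == ":FORWARD" { fwd_policy = $2 }
        table == "filter" && $1 == ":INPUT"   { in_policy = $2 }
        table == "filter" && $1 == "-A" && $2 == "FORWARD" &&
            $0 ~ ("-i " ext " -o " inif " ") &&
            /--ctstate (RELATED,ESTABLISHED|ESTABLISHED,RELATED)/ &&
            /-j ACCEPT$/ { reply = 1 }
        table == "filter" && $0 == ("-A FORWARD -i " inif " -o " ext " -j ACCEPT") { outbound = 1 }
        table == "filter" && $0 == "-A FORWARD -j LOG" { rawlog = 1 }
        END {
            rc = 0
            if (masq) print "ok: MASQUERADE on " ext
            else { print "missing: MASQUERADE on " ext; rc = 1 }
            if (fwd_policy == "DROP") print "ok: FORWARD policy is DROP"
            else { print "missing: FORWARD policy is not DROP"; rc = 1 }
            if (reply) print "ok: established/related replies " ext " -> " inif " accepted"
            else { print "missing: ESTABLISHED,RELATED rule " ext " -> " inif; rc = 1 }
            if (outbound) print "ok: outbound traffic " inif " -> " ext " accepted"
            else { print "missing: outbound rule " inif " -> " ext; rc = 1 }
            if (in_policy == "ACCEPT")
                print "note: filter INPUT policy is ACCEPT; services on the router itself are reachable from " ext
            if (rawlog)
                print "note: FORWARD LOG rule has no -m limit; dropped-packet floods will fill the log"
            exit rc
        }'
}

# forwarding_enabled [FILE]: true if the kernel forwards IPv4 (FILE defaults
# to the real sysctl path; a file argument lets you test offline).
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Constructed sample of what iptables-save prints after nat.sh has run with
# EXTIF=eth0 and INTIF=eth1 (iptables-save lists ctstate as RELATED,ESTABLISHED).
SAMPLE_DUMP='# constructed sample, not a real capture
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -j LOG
COMMIT'

printf '%s\n' "$SAMPLE_DUMP" | nat_audit eth0 eth1
if forwarding_enabled; then
    echo "ok: ip_forward is 1"
else
    echo "missing: ip_forward is not 1 (expected on a machine where nat.sh has not run)"
fi
```

Running `sudo iptables-save | nat_audit eth0 eth1` after the reboot test confirms that the rc2.d link actually installed the rules, and running it with the wrong interface names shows how a typo in EXTIF or INTIF surfaces as a "missing" line instead of a silent failure.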
5. Firewall
See Router/Firewall
6. DHCP and DNS
Dynamic Host Configuration Protocol (DHCP)