Debian-Basic Routing Functions
From Grokdoc
The setup described in this document was performed and is currently a production part of a network. We sought to replace an Actiontec DSL Modem in a manner which would allow two distinct internal networks, and the ability to install a firewall and other services on the Routing machine.
Realistically, this is the necessary first step in getting a linux box set up to act as the guardian/gateway between your network and the Internet at-large.
Contents |
Initial Setup
We used a current Debian Install CD (actually a daily snapshop). Installed Debian (Stable) using the expert26 console. Outside of the Debian Core, we installed vim, for text (config) file editing.
NIC Setup
The system had three NIC cards installed. We edited our /etc/network/interface file to include the following config information, giving the (physically) top card the 192.168.100.1 network, the bottom card the 10.0.0.1, and the middle card we left to run PPPoE (PPP over Ethernet, the mechanism by which a DSL connects to the ISP).
iface eth0 inet static address 192.168.100.1 broadcast 192.168.100.255 netmask 255.255.255.0
auto eth1
iface eth2 inet static address 10.0.0.1 broadcast 10.0.0.255 netmask 255.255.255.0
It might be good to notice here, that the configuration for the Middle Card is not really a good thing, but we couldn't figure out exactly what to say in the interface file, and it works.
DHCP Services
Using Apt, we installed a DHCP Server and configured it to run on eth0 and eth1, since eth1 is going to be getting PPPoE from the ISP.
apt-get install dhcp
Below is our /etc/dhcpd.conf File.
subnet 192.168.100.0 netmask 255.255.255.0 {
range 192.168.100.32 192.168.100.99;
option domain-name-servers ###.###.###.###;
option domain-name "host.domain.com";
option routers 192.168.100.1;
option broadcast-address 192.168.100.255;
default-lease-time 600;
max-lease-time 7200;
}
subnet 10.0.0.0 netmask 255.255.255.0 {
range 10.0.0.100 10.0.0.200;
option domain-name-servers ###.###.###.###;
option domain-name "host.domain.com";
option routers 10.0.0.1;
option broadcast-address 10.0.0.255;
default-lease-time 600;
max-lease-time 7200;
}
We needed to make the thing run on eth0 and eth2, but not on eth1. The standard configuration did not allow this, and the boot process threw errors referring to a missing section (eth1) of the config file. Since this is going to be a router receiving PPPoA on eth1, this was a problem.
Rather than wade around the Internet, I just figured I'd replace /etc/rc2.d/S20dhcp (a symlink to /etc/init.d/dhcp) with a shell script (below).
#!/bin/bash dhcpd eth0 eth2
This did the trick and we have a DHCP Server starting properly on boot.
Routing
It seems that all that is really neccesary to enable routing is that your routing table be correct, then type:
echo 1 > /proc/sys/net/ipv4/ip_forward
But you obviously need to include information about how to route packets, so you will need to add a route. This can be done by entering a command of this sort.
route add -net 192.168.100.0 netmask 255.255.255.0 gw 192.168.1.124 dev eth0
Allows a computer on the 192.168.100.* network to find the path between itself, the gateway (192.168.1.124, in this example), and on to the device eth0. To set this permanently change the ip_forward line in /etc/network/options
NAT
NAT is an acronym for Network Address Translation. It is a mechanism by which the iptables system can send packets between networks, but modifying their destinations. It was hard to figure out how to configure the system, but we located the following NAT-AutoConfig script on the Internet. And it works properly.
#!/bin/sh # # rc.firewall-iptables FWVER=0.76 # # Initial SIMPLE IP Masquerade test for 2.6 / 2.4 kernels # using IPTABLES. # # Once IP Masquerading has been tested, with this simple # ruleset, it is highly recommended to use a stronger # IPTABLES ruleset either given later in this HOWTO or # from another reputable resource. # # # # Log: # 0.76 - Added comments on why the default policy is ACCEPT # 0.75 - Added more kernel modules to the comments section # 0.74 - the ruleset now uses modprobe vs. insmod # 0.73 - REJECT is not a legal policy yet; back to DROP # 0.72 - Changed the default block behavior to REJECT not DROP # 0.71 - Added clarification that PPPoE users need to use # "ppp0" instead of "eth0" for their external interface # 0.70 - Added commented option for IRC nat module # - Added additional use of environment variables # - Added additional formatting # 0.63 - Added support for the IRC IPTABLES module # 0.62 - Fixed a typo on the MASQ enable line that used eth0 # instead of $EXTIF # 0.61 - Changed the firewall to use variables for the internal # and external interfaces. # 0.60 - 0.50 had a mistake where the ruleset had a rule to DROP # all forwarded packets but it didn't have a rule to ACCEPT # any packets to be forwarded either # - Load the ip_nat_ftp and ip_conntrack_ftp modules by default # 0.50 - Initial draft # echo -e "\n\nLoading simple rc.firewall version $FWVER..\n" # The location of the iptables and kernel module programs # # If your Linux distribution came with a copy of iptables, # most likely all the programs will be located in /sbin. If # you manually compiled iptables, the default location will # be in /usr/local/sbin # # ** Please use the "whereis iptables" command to figure out # ** where your copy is and change the path below to reflect # ** your setup # #IPTABLES=/sbin/iptables IPTABLES=iptables DEPMOD=depmod MODPROBE=modprobe #Setting the EXTERNAL and INTERNAL interfaces for the network # # Each IP Masquerade network needs to have at least one # external and one internal network. The external network # is where the natting will occur and the internal network # should preferably be addressed with a RFC1918 private address # scheme. # # For this example, "eth0" is external and "eth1" is internal" # # # NOTE: If this doesnt EXACTLY fit your configuration, you must # change the EXTIF or INTIF variables above. For example: # # If you are a PPPoE or analog modem user: # # EXTIF="ppp0" # # EXTIF="eth1" INTIF="eth0" echo " External Interface: $EXTIF" echo " Internal Interface: $INTIF" #====================================================================== #== No editing beyond this line is required for initial MASQ testing == echo -en " loading modules: " # Need to verify that all modules have all required dependencies # echo " - Verifying that all kernel modules are ok" $DEPMOD -a # With the new IPTABLES code, the core MASQ functionality is now either # modular or compiled into the kernel. This HOWTO shows ALL IPTABLES # options as MODULES. If your kernel is compiled correctly, there is # NO need to load the kernel modules manually. # # NOTE: The following items are listed ONLY for informational reasons. # There is no reason to manual load these modules unless your # kernel is either mis-configured or you intentionally disabled # the kernel module autoloader. # # Upon the commands of starting up IP Masq on the server, the # following kernel modules will be automatically loaded: # # NOTE: Only load the IP MASQ modules you need. All current IP MASQ # modules are shown below but are commented out from loading. # =============================================================== echo "----------------------------------------------------------------------" #Load the main body of the IPTABLES module - "iptable" # - Loaded automatically when the "iptables" command is invoked # # - Loaded manually to clean up kernel auto-loading timing issues # echo -en "ip_tables, " $MODPROBE ip_tables #Load the IPTABLES filtering module - "iptable_filter" # - Loaded automatically when filter policies are activated #Load the stateful connection tracking framework - "ip_conntrack" # # The conntrack module in itself does nothing without other specific # conntrack modules being loaded afterwards such as the "ip_conntrack_ftp" # module # # - This module is loaded automatically when MASQ functionality is # enabled # # - Loaded manually to clean up kernel auto-loading timing issues # echo -en "ip_conntrack, " $MODPROBE ip_conntrack #Load the FTP tracking mechanism for full FTP tracking # # Enabled by default -- insert a "#" on the next line to deactivate # echo -en "ip_conntrack_ftp, " $MODPROBE ip_conntrack_ftp #Load the IRC tracking mechanism for full IRC tracking # # Enabled by default -- insert a "#" on the next line to deactivate # echo -en "ip_conntrack_irc, " $MODPROBE ip_conntrack_irc #Load the general IPTABLES NAT code - "iptable_nat" # - Loaded automatically when MASQ functionality is turned on # # - Loaded manually to clean up kernel auto-loading timing issues # echo -en "iptable_nat, " $MODPROBE iptable_nat #Loads the FTP NAT functionality into the core IPTABLES code # Required to support non-PASV FTP. # # Enabled by default -- insert a "#" on the next line to deactivate # echo -en "ip_nat_ftp, " $MODPROBE ip_nat_ftp #Loads the IRC NAT functionality into the core IPTABLES code # Required to support NAT of IRC DCC requests # # Disabled by default -- remove the "#" on the next line to activate # #echo -e "ip_nat_irc" #$MODPROBE ip_nat_irc echo "----------------------------------------------------------------------" # Just to be complete, here is a partial list of some of the other # IPTABLES kernel modules and their function. Please note that most # of these modules (the ipt ones) are automatically loaded by the # master kernel module for proper operation and don't need to be # manually loaded. # -------------------------------------------------------------------- # # ip_nat_snmp_basic - this module allows for proper NATing of some # SNMP traffic # # iptable_mangle - this target allows for packets to be # manipulated for things like the TCPMSS # option, etc. # # -- # # ipt_mark - this target marks a given packet for future action. # This automatically loads the ipt_MARK module # # ipt_tcpmss - this target allows to manipulate the TCP MSS # option for braindead remote firewalls. # This automatically loads the ipt_TCPMSS module # # ipt_limit - this target allows for packets to be limited to # to many hits per sec/min/hr # # ipt_multiport - this match allows for targets within a range # of port numbers vs. listing each port individually # # ipt_state - this match allows to catch packets with various # IP and TCP flags set/unset # # ipt_unclean - this match allows to catch packets that have invalid # IP/TCP flags set # # iptable_filter - this module allows for packets to be DROPped, # REJECTed, or LOGged. This module automatically # loads the following modules: # # ipt_LOG - this target allows for packets to be # logged # # ipt_REJECT - this target DROPs the packet and returns # a configurable ICMP packet back to the # sender. # echo -e " Done loading modules.\n" #CRITICAL: Enable IP forwarding since it is disabled by default since # # Redhat Users: you may try changing the options in # /etc/sysconfig/network from: # # FORWARD_IPV4=false # to # FORWARD_IPV4=true # echo " Enabling forwarding.." echo "1" > /proc/sys/net/ipv4/ip_forward echo " Disabling Path MTU Discovery.." echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc # Dynamic IP users: # # If you get your IP address dynamically from SLIP, PPP, or DHCP, # enable this following option. This enables dynamic-address hacking # which makes the life with Diald and similar programs much easier. # echo " Enabling DynamicAddr.." echo "1" > /proc/sys/net/ipv4/ip_dynaddr # Enable simple IP forwarding and Masquerading # # NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT. # # NOTE #2: The following is an example for an internal LAN address in the # 192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask # connecting to the Internet on external interface "eth0". This # example will MASQ internal traffic out to the Internet but not # allow non-initiated traffic into your internal network. # # # ** Please change the above network numbers, subnet mask, and your # *** Internet connection interface name to match your setup # #Clearing any previous configuration # # Unless specified, the defaults for INPUT and OUTPUT is ACCEPT # The default for FORWARD is DROP (REJECT is not a valid policy) # # Isn't ACCEPT insecure? To some degree, YES, but this is our testing # phase. Once we know that IPMASQ is working well, I recommend you run # the rc.firewall-*-stronger rulesets which set the defaults to DROP but # also include the critical additional rulesets to still let you connect to # the IPMASQ server, etc. # echo " Clearing any existing rules and setting default policy.." $IPTABLES -P INPUT ACCEPT $IPTABLES -F INPUT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -F OUTPUT $IPTABLES -P FORWARD DROP $IPTABLES -F FORWARD $IPTABLES -t nat -F echo " FWD: Allow all connections OUT and only existing and related ones IN" $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT $IPTABLES -A FORWARD -j LOG echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF" $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE echo -e "\nrc.firewall-iptables v$FWVER done.\n"
We did have to install this file in our /etc/rc2.d/ directory. Also, we had to install on copy for each interface (eth0, eth2). The one above is for eth0, but you modify this by changing eth0 to eth2 at the top of the file.
PPPoE Setup
According to Qwest (our IP in this instance), we should be able to use the router as a bridge so that the router we built will have a real, actual, internet routable, IP address. We installed PPPoE packages from Debian.
apt-get install pppoe
And then ran pppoe_config which asked a few questions and took username and password from our ISP. It located and configured the package on the proper interface (eth1).
We did have to do some router config on the DSL modem/router. Basically this involved telling the Actiontec modem not to do anything except bridge.
Note: It was in this step that we learned about setting up the interface eth1 as we did earlier. If this occurs on your install, verify that the /etc/network/interfaces file has a configuration similar to the one at the top of the page.
The One Big Problem
We did have to fix a problem with MTU size. Since the maximum packet size over Ethernet is 1500 bytes, and because PPPoE uses an 8-byte overhead, we needed to set our maximum packet size to 1492. This was not hard to do, but it had unintended consequences. It also took forever to resolve because we couldn't figure out what questions to ask.
We experienced problems getting to some sites, but not others. Places like www.google.com and www.groklaw.net came up fine, but Yahoo Mail just timed out. We eventually discovered that this occurs because, 1) because you are using PPPoE on your DSL, you lose 8 bytes of packet size, and the process by which you can negotiate your maximum packet size is being interupted by a firewall between your computer and the server you are trying to access.
The following line fixed the issue.
echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc
I went ahead and placed this line at the end of my NAT script.
The Band-Aid we used was changing the maximum MTU size of packets on all clients to a maximum of 1492.
For Linux (as superuser)
ifconfig eth0 mtu 1492
For Windows 9x
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\NetTrans
MaxMTU = "1492", MaxMSS = "1452"
(String Values Reg_SZ)
A Good link About the Problem: [1]
