APC Australia

DIY Linux-powered router PC

Afnan Rehman delves into the world of networking to find out how to turn a Linux distribution into a fully functioning router.


It’s time to take charge of your network. As individuals in the unfortunate situation of being both attracted to technology and prone to having it fail on us, we’ve gone through our fair share of consumer routers. Hunting for this year’s replacement we stumbled on a new idea: that you could build your own using Linux, with full control of the functionality and settings. What a novel idea! So we immediately retrieved a PC from the dungeon and set to work.

The idea of building a router is not completely new, but it is growing in popularity among tech enthusiasts as a way to squeeze every last bit of performance out of your routing configuration while also maintaining full control in an era of cut-down, app-controlled consumer products. The reasoning for building your own homebrew solution is that it makes the typical home or small office network completely your own. You control every aspect of the functionality, from routing to IP tables to NAT and DHCP services. You can even add other functions to the router to control certain types of traffic, speeds and how devices are prioritised.

This tutorial will serve as a basic how-to on setting up a functioning router, giving you a platform on which you can expand further and take it as far as you’d like.

First, let’s discuss the main components of any router intended to facilitate a home network. The router of today is often a bundle of many different components designed as a complete solution in one box. The ones you see on shop shelves typically have the actual router hardware, a network switch (the network ports you see on the back) and a wireless access point, which provides the wireless signal that connects all your wireless devices. Often these consumer routers use only the bare minimum of hardware, with little storage, RAM and processing power. These small compromises can cause bottlenecks in your network, especially when you’re using higher speeds from your internet service provider, such as a 100Mbps connection or more. The ones that perform better often cost you an arm and a leg. The solution built in this tutorial only contains the core components of a router, not including a switch or wireless access point. However, you can add these separately.

SMALL IS BEAUTIFUL

Before we get down to the nitty-gritty of setup, let’s take a moment to talk about hardware. Some of you may be wondering exactly what kind of hardware is necessary to create a functioning router. Some of you may also be wondering who in their right mind would use a full-sized desktop tower to function as a router. For those of you not keen on the idea of displaying your old hardware in the middle of your study, fear not. The wonderful thing about modern technology is how it grows ever smaller and sleeker. This also applies to the personal computer. For this project, we used a full-size desktop tower to test the idea, then moved everything over to a mini PC with dual Gigabit NICs, about the same size as a consumer router, for actual production use.

The hardware used for the build included a PC that was lying around rocking an Intel Celeron N3150 CPU with 4GB DDR3 RAM and a 64GB SSD. Is this overkill? Absolutely. Is this the cheapest system you can get to set this up? Probably not. You can certainly cut corners here using a smaller SSD, a spinning hard drive or even an SD card to house the operating system, and you can certainly cut down on the amount of RAM. The processor can also be slower depending on what you want. We simply had these components on hand and frankly wanted top notch performance as well.

Most importantl­y, you must have at least two Ethernet ports, preferably Gigabit speed. The reason for this is simple: you need one port for a WAN connection (incoming from the internet) and one for LAN (outgoing traffic to local network). The LAN port can be connected to a switch to facilitate the use of multiple wired devices.

Now let’s talk about the operating system. We’re using Ubuntu Desktop to demonstrate this concept in a simple manner, and most of the work will be done in the command line. Linux in general is built with routing in mind, making it a natural choice. As such, the instructions provided here can be adapted to almost any common Linux distro. On a lower-spec system, it may be wiser to use a minimal install such as base Ubuntu Server or CentOS Minimal to minimise the overhead taken up by the operating system, reserving your processing power for the actual routing.

SETTING UP

The first step is, of course, to install Ubuntu or your distro of choice. This is quite simple and there are plenty of guides online. Whatever you end up using, we recommend you make sure it has long-term support, such as the Ubuntu LTS version. This will ensure that there will be continued security updates for the foreseeable future, which is important for a router that you may be using for a few years.

The first thing you want to do once you log in is find out which network interface is which. You might want to grab a pen and paper to keep track. Listing the interfaces should show a couple of network connections, plus one marked “lo” for the loopback, which we won’t worry about. Ours are labelled “enp2s0” and “enp3s0” and are both Gigabit Ethernet connections. Your hardware may vary, and the interface names may differ from ours. Be sure to record these names, as you will be using them throughout this tutorial.

The next step is to configure your network interfaces now that you know which one is which. Type the following command into your console to open the editor:

$ sudo nano /etc/network/interfaces

You’ll be greeted with a configuration file that already has a couple of lines in it regarding the loopback interface. Leave those lines alone and type the following underneath them:

# The WAN interface, above the USB port
auto enp3s0
iface enp3s0 inet dhcp

# The LAN interface, above the HDMI port
auto enp2s0
iface enp2s0 inet static
address 192.168.97.1
netmask 255.255.255.0

As you can see, we have configured both our WAN (incoming) port and our LAN (outgoing) port. We also labelled them with comments so that we know which is which. This will become very helpful later when we are using these interfaces to write our rules for routing. The LAN port is configured with a static IP address that should correspond to the one of your current router. The netmask can also be determined by looking at the settings of your current router. Both may be different from what’s listed above depending on your network, so make sure to double check. The WAN interface is configured with DHCP from your internet provider, so we simply write the lines above and leave them as they are. Once you’re done, save the file and reboot. Next, you will want to edit the file /etc/sysctl.conf and uncomment (by deleting the # symbol) the line that says net.ipv4.ip_forward=1.

This will allow packet forwarding for all network interfaces, which is essential to forward packets between your WAN and LAN networks. Save this change and run sudo sysctl -p to refresh the configuration.

TIME FOR TABLES

Now we get to the meat and potatoes of this tutorial: setting up iptables. iptables has been the most widely used Linux firewall for a long time, and we will use it here to sort and limit incoming and outgoing traffic, which is essential if we are going to connect to the internet or any other device for that matter. The first thing we will take care of is setting up rules for packet forwarding that are applied before the network interfaces are started, which will ensure that, if we ever restart the router, packets will immediately be forwarded. First, we will install iptables-persistent, a package that allows iptables rules to remain after any reboots. Run the following command to install it:

$ sudo apt-get install -y iptables-persistent netfilter-persistent

Once that’s completed, let’s set up a startup script to tell the operating system to run the iptables ruleset before the network interfaces become available, so that the router never goes online or accesses the internet without the protection of the iptables ruleset. Create the script using the command:

$ sudo nano /etc/network/if-pre-up.d/iptables

Populate the script file with the following two lines:

#!/bin/sh
/sbin/iptables-restore < /etc/network/iptables

Now, save the file and run the following commands in the command line in the order given:

$ sudo chown root /etc/network/if-pre-up.d/iptables

$ sudo chmod 755 /etc/network/if-pre-up.d/iptables

The first tells the system that the script is owned by root, and the second makes it writable only by root and readable and executable by everybody.

Now we will create the iptables ruleset by creating the file /etc/network/iptables with your preferred editor. Populate it with the following lines to start out:

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# enp3s0 is WAN interface and enp2s0 is LAN interface
-A POSTROUTING -o enp3s0 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Service rules
-A INPUT -j DROP
# Forwarding rules
-A FORWARD -j DROP
COMMIT

What we have done here is create a basic skeleton which includes ‘nat’ and ‘filter’ tables, each ending with the word ‘COMMIT’. One important thing this initial ruleset does is enable NAT, or Network Address Translation. NAT handles address translation between the private addresses on your local network and addresses on the other side of the router. This makes sure the router knows which client device on the local network should receive a packet of data coming in from outside.

We’re not quite ready to go online yet. We want to also make sure the router can hand out IP addresses to clients just like a consumer router would. This part is very easy. First, we will install a DHCP server package:

$ sudo apt-get install isc-dhcp-server

Next, open the /etc/dhcp/dhcpd.conf configuration file and add the following clause to set parameters for router address, client IP range, and broadcast address:

subnet 192.168.97.0 netmask 255.255.255.0 {
    range 192.168.97.50 192.168.97.199;
    option routers 192.168.97.1;
    option domain-name-servers 192.168.97.1;
    option broadcast-address 192.168.97.255;
}

Of course, be sure to change these specific addresses based on your network situation. You can set whichever parameters for client IP addresses you wish, and the range can be as large or small as you want. To apply the configuration, we just run the following command:

$ sudo /etc/init.d/isc-dhcp-server restart
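Since every address in that clause has to agree with the subnet and netmask, it is worth checking the clause before restarting the server. The POSIX shell script below is an added example (not from the article or the isc-dhcp-server package) that verifies the range, router and broadcast address all fall where they should; the function names, the ip2int helper and the sample clause are my own.

```shell
#!/bin/sh
# Added example (not from the article): check that a dhcpd.conf subnet clause is
# self-consistent before restarting isc-dhcp-server, so a typo in the range,
# router or broadcast address is caught before clients receive bad leases.
# Dotted-quad IPv4 address -> unsigned 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
# Usage: dhcp_clause_ok SUBNET NETMASK RANGE_LO RANGE_HI ROUTER BROADCAST
# Returns 0 when every address belongs where the clause says it does.
dhcp_clause_ok() {
    net=$(ip2int "$1"); mask=$(ip2int "$2"); lo=$(ip2int "$3")
    hi=$(ip2int "$4"); gw=$(ip2int "$5"); bc=$(ip2int "$6")
    host=$(( ~mask & 4294967295 ))                     # host bits of the mask
    [ $(( (host + 1) & host )) -eq 0 ] || return 1    # mask must be contiguous
    [ $(( net & mask )) -eq "$net" ] || return 1      # subnet is a network address
    [ $(( net | host )) -eq "$bc" ] || return 1       # broadcast = network | host bits
    for ip in "$lo" "$hi" "$gw"; do
        [ $(( ip & mask )) -eq "$net" ] || return 1   # inside the subnet
        [ "$ip" -ne "$net" ] || return 1              # not the network address
        [ "$ip" -ne "$bc" ] || return 1               # not the broadcast address
    done
    [ "$lo" -le "$hi" ] || return 1                   # range must not be inverted
    [ "$gw" -lt "$lo" ] || [ "$gw" -gt "$hi" ] || return 1   # router outside the leases
}

# Extract the six addresses from a dhcpd.conf subnet clause and check them.
dhcp_file_ok() {
    set -- $(awk '$1 == "subnet" { s = $2; m = $4 }
                  $1 == "range" { lo = $2; hi = $3 }
                  $2 == "routers" { gw = $3 }
                  $2 == "broadcast-address" { bc = $3 }
                  END { print s, m, lo, hi, gw, bc }' "$1" | tr -d ';')
    dhcp_clause_ok "$@"
}

# Constructed sample mirroring the clause from the article.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
subnet 192.168.97.0 netmask 255.255.255.0 {
    range 192.168.97.50 192.168.97.199;
    option routers 192.168.97.1;
    option domain-name-servers 192.168.97.1;
    option broadcast-address 192.168.97.255;
}
EOF
if dhcp_file_ok "$tmp"; then echo "dhcp clause OK"; else echo "dhcp clause INCONSISTENT"; fi
rm -f "$tmp"
```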

We are still missing a local DNS; however, this is even easier to acquire. Simply run the following command; no configuration will be necessary:

$ sudo apt-get install bind9

LOOSENING UP

At this point, all the basics are there, and our router is able to handle DNS queries, give IP addresses to clients and forward traffic. However, our rules are currently so strict that the router will refuse to do any of this. What we will do now is add several rules to the ruleset to specify what traffic goes out to the internet, what can come into the local network from the internet, and rules for port forwarding.

So we’ll go back to editing /etc/network/iptables and start with creating a service ruleset, forwarding rules and NAT prerouting. Our complete ruleset is shown below:

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# enp3s0 is WAN and enp2s0 is LAN
-A POSTROUTING -o enp3s0 -j MASQUERADE
# NAT pinhole: HTTP from WAN to LAN
-A PREROUTING -p tcp -m tcp -i enp3s0 --dport 80 -j DNAT --to-destination 192.168.97.50:80
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Service rules
# basic accept rules
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# enable traceroute reject
-A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable
# DNS
-A INPUT -i enp2s0 -p tcp --dport 53 -j ACCEPT
-A INPUT -i enp2s0 -p udp --dport 53 -j ACCEPT
# SSH
-A INPUT -i enp2s0 -p tcp --dport 22 -j ACCEPT
# DHCP client requests - accept from LAN
-A INPUT -i enp2s0 -p udp --dport 67:68 -j ACCEPT
# drop all other inbound traffic
-A INPUT -j DROP
# Forwarding rules
# forward packets along related connections
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# forward from LAN to WAN
-A FORWARD -i enp2s0 -o enp3s0 -j ACCEPT
# allow traffic from our NAT pinhole (the address must match the DNAT target above)
-A FORWARD -p tcp -d 192.168.97.50 --dport 80 -j ACCEPT
# drop all other forwarded traffic
-A FORWARD -j DROP
COMMIT

The service ruleset is under the filter table and sets rules for what the router itself will accept and what it can forward to the local network. Here, we also allow SSH access from the LAN so that once the router is configured, we can remote in to make changes rather than plug in a monitor and keyboard.

The part labelled ‘forwarding rules’ instructs the router to forward traffic to the LAN and from the LAN to the WAN for outgoing traffic. In addition, we add a line to the NAT section to create a NAT pinhole instructing the router to forward HTTP traffic (TCP port 80) arriving from the internet to the local machine at the specified address; the FORWARD rule that allows that traffic must name the same address and port as the DNAT target. Ensure that the PREROUTING and the FORWARD rules are there and in the right places.
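Because the pinhole only works when the DNAT target and the FORWARD rule name the same host and port, it pays to lint the file before the pre-up script loads it. The POSIX shell script below is an added example (not from the article or any package) that reads an iptables-restore ruleset from stdin and reports a table without COMMIT, an INPUT or FORWARD chain that does not end in DROP, or a DNAT pinhole without a matching FORWARD ACCEPT; the function name ruleset_lint and the sample ruleset are my own.

```shell
#!/bin/sh
# Added example (not from the article): lint an iptables-restore ruleset read
# from stdin before /etc/network/if-pre-up.d/iptables loads it. Prints one line
# per problem and returns 1 if anything was found, 0 otherwise.
ruleset_lint() {
    awk '
    /^\*/              { table = substr($1, 2); commits[table] = 0; next }
    /^COMMIT/          { commits[table] = 1; next }
    /^[#:]/ || NF == 0 { next }                 # comments and chain policies
    {
        target = d = p = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-j") target = $(i + 1)
            if ($i == "-d") d = $(i + 1)
            if ($i == "--dport") p = $(i + 1)
            if ($i == "--to-destination") pinhole[$(i + 1)] = 1   # DNAT ADDR:PORT
        }
        if ($2 == "INPUT" || $2 == "FORWARD") last[$2] = target  # last target in chain
        if (table == "filter" && $2 == "FORWARD" && target == "ACCEPT" && d != "" && p != "")
            fwd[d ":" p] = 1
    }
    END {
        bad = 0
        for (t in commits) if (!commits[t]) { print "table *" t " lacks COMMIT"; bad = 1 }
        for (c in last) if (last[c] != "DROP") { print c " does not end in DROP"; bad = 1 }
        for (h in pinhole) if (!(h in fwd)) { print "pinhole " h " has no FORWARD ACCEPT"; bad = 1 }
        exit bad
    }'
}

# Constructed ruleset reproducing a common slip: the FORWARD rule names .100
# while the pinhole sends port 80 to .50, so the pinhole silently fails.
ruleset_lint <<'EOF' || echo "fix the ruleset before loading it"
*nat
:PREROUTING ACCEPT [0:0]
-A POSTROUTING -o enp3s0 -j MASQUERADE
-A PREROUTING -p tcp -m tcp -i enp3s0 --dport 80 -j DNAT --to-destination 192.168.97.50:80
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP
-A FORWARD -i enp2s0 -o enp3s0 -j ACCEPT
-A FORWARD -p tcp -d 192.168.97.100 --dport 80 -j ACCEPT
-A FORWARD -j DROP
COMMIT
EOF
```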

To wrap up, restart your iptables by running the following:

$ sudo /etc/network/if-pre-up.d/iptables

Once you’ve done that, you should be good to go! Enjoy your new and improved routing experience!

The sysctl file is where we will uncomment a line allowing port forwarding. This file has many settings, so be sure to only uncomment the proper line.

The iptables file starts out empty and we will add several lines. Make sure to add comments for clarity in case you ever need to revisit it.

The script is in a new file and is only two lines long. This script simply refreshes the interface and saves us some time in restarting the system.

In the interfaces file, you will see lines already present. Most likely they deal with the loopback interface and should be left alone. Add your changes below these.

The DHCP configuration file has a decent amount of content already. Add your configuration lines at the very end, taking care not to edit anything else.
