Linux Format

Networks Build a router

Afnan Rehman delves into the world of networking to find out how to turn a Linux distributi­on into a fully functionin­g router.


Afnan Rehman brings all the boys to the yard, his router is better than theirs.

It’s time to take charge of your network. As individuals in the unfortunate situation of being both attracted to technology and prone to having it fail on us, we’ve gone through our fair share of consumer routers. Hunting for this year’s replacement we stumbled on a new idea: you could build your own using Linux, with full control of the functionality and settings. What a novel idea! We immediately retrieved a PC from the LXF dungeon and set to work.

The idea of building a router is not completely new, but it is growing in popularity among tech enthusiasts as a way to squeeze every last bit of performance out of your routing configuration while also maintaining full control, in an era of cut-down, app-controlled consumer products. The reasoning for building your own homebrew solution is that it makes the typical home or small office network completely your own. You control every aspect of the functionality, from routing to iptables to NAT and DHCP services. You can even add other functions to the router to control certain types of traffic, speeds, and how devices are prioritised.

This tutorial will serve as a basic how-to on setting up a functionin­g router and giving you a platform on which you can expand further and take it as far as you’d like.

First, let’s discuss the main components of any router intended to facilitate a home network. The router of today is often a bundle of many different components designed as a complete solution in one box. The ones you see on shop shelves typically have the actual router hardware, a network switch (the network ports you see on the back) and a wireless access point, which enables a wireless signal to connect all your wireless devices. These consumer routers are often built with only the hardware strictly necessary, with little storage, RAM and processing power. Those compromises can cause bottlenecks in your network, especially on faster connections from your internet service provider, such as 100Mbps or higher. The ones that perform better often cost you an arm and a leg. The solution built in this tutorial contains only the core components of a router, not including a switch or wireless access point. However, you can add these separately.

Small is beautiful

Before we get down to the nitty-gritty of setup, let’s take a moment to talk about hardware. Some of you may be wondering exactly what kind of hardware is necessary to create a functioning router. Some of you may also be wondering who in their right mind would use a full-sized desktop tower as a router. For those of you not keen on the idea of displaying your old hardware in the middle of your study, fear not. The wonderful thing about modern technology is how it grows ever smaller and sleeker, and this also applies to the personal computer. For this project, we used a full-size desktop tower to test the idea, then moved everything over to a mini PC with dual Gigabit NICs, about the same size as a consumer router, for actual production use.

The hardware used for the build included a PC that was lying around rocking an Intel Celeron N3150 CPU with 4GB DDR3 RAM and a 64GB SSD. Is this overkill? Absolutely. Is this the cheapest system you can get to set this up? Probably not. You can certainly cut corners here using a smaller SSD, a spinning hard drive, or even an SD card to house the operating system, and you can certainly cut down on the amount of RAM. The processor can also be slower depending on what you want. We simply had these components on hand and frankly wanted top-notch performance as well.

Most importantl­y, you must have at least two Ethernet ports, preferably Gigabit speed. The reason for this is simple: you need one port for a WAN connection (incoming from the internet), and one for LAN (outgoing traffic to local network). The LAN port can be connected to a switch to facilitate the use of multiple wired devices.

Now let’s talk about the operating system. We’re using Ubuntu Desktop to demonstrat­e this concept in a simple manner and most of the work will be done in the command line. Linux in general is built with routing in mind, making it a natural choice. As such the instructio­ns provided here can be adapted to almost any common Linux distro. In a lower-spec system it may be wiser to use a minimal install such as base Ubuntu Server or CentOS Minimal to minimise the overhead taken up by the operating system, reserving your processing power for the actual routing.

Setting up

The first step is of course to install Ubuntu or your distro of choice. This is quite simple and there are plenty of guides online. Whatever you end up using, we recommend you make sure it has long term support, such as the Ubuntu LTS version. This will ensure that there will be continued security updates for the foreseeabl­e future, which is important for a router that you may be using for a few years.

The first thing you want to do once you log in is find out which network interface is which. You might want to grab a pen and paper to keep track. Listing the interfaces (ip link, or ip addr to see addresses as well) should show a couple of network connections, plus one marked “lo” for the loopback, which we won’t worry about. Ours are labelled “enp2s0” and “enp3s0” and are both Gigabit Ethernet connections. Your hardware may vary, and the interface names may differ from ours. Be sure to record these names, as you will be using them throughout this tutorial. It also pays to note which physical socket carries which name, for example by watching which interface gains a carrier when you plug a cable in, because swapping WAN and LAN later would expose the router’s LAN-side services to the internet.

The next step is to configure your network interfaces now that you know which one is which. Type the following command into your console to open the editor:

    $ sudo nano /etc/network/interfaces

Note that Ubuntu Desktop releases from 17.10 onwards configure networking through NetworkManager and Netplan and ignore this file unless the ifupdown package is installed. On those releases either install ifupdown and keep NetworkManager away from the two router interfaces, or translate the stanzas into Netplan’s YAML.

You’ll be greeted with a configuration file that already has a couple of lines in it regarding the loopback interface. Leave those lines alone and type the following underneath them:

    # The WAN interface, above the USB port
    auto enp3s0
    iface enp3s0 inet dhcp

    # The LAN interface, above the HDMI port
    auto enp2s0
    iface enp2s0 inet static
    address 192.168.97.1
    netmask 255.255.255.0

As you can see we have configured both our WAN (incoming) port and our LAN (outgoing) port. I also labelled them with comments so that I know which is which; this will become very helpful later when we use these interfaces to write our routing rules. The LAN port is configured with a static IP address, which should match the LAN address of your current router so that existing devices keep working. The netmask can also be determined by looking at the settings of your current router. Both may differ from what’s listed above depending on your network, so make sure to double-check. The WAN interface is configured with DHCP, so your internet provider assigns its address; we simply write the lines above and leave them as they are. Once you’re done, save the file and reboot.

Next you will want to edit the file /etc/sysctl.conf and uncomment (by deleting the “#” symbol) the line that says

    net.ipv4.ip_forward=1

This will allow packet forwarding between all network interfaces, which is essential to forward packets between your WAN and LAN networks. Save this change and run sudo sysctl -p to apply the configuration without rebooting.

Time for tables

Now we get to the meat and potatoes of this tutorial: setting up iptables! iptables has long been the most widely used Linux firewall, and we will use it here to sort and limit incoming and outgoing traffic, which is essential if we are going to connect to the internet or to any other device for that matter. The first thing we will take care of is setting up rules for packet forwarding that are applied before the network interfaces are started, which will ensure that if we ever restart the router, packets are filtered and forwarded from the first moment a link comes up. First, we will install iptables-persistent, a package that keeps iptables rules across reboots. Run the following command to install it:

    $ sudo apt-get install -y iptables-persistent netfilter-persistent

It stores the IPv4 rules in /etc/iptables/rules.v4 and reloads them at boot; whenever you change the running rules, run netfilter-persistent save to update that file.

Once that’s completed, let’s set up a startup script to tell the operating system to run the iptables ruleset before the network interfaces become available, so that the router never goes online or accesses the internet without the protection of the iptables ruleset. Create the script using the command:

network, and addresses on the other side of the router. This makes sure the router knows where to send a packet of data coming in from outside, and delivers it to the proper client device on the local network.

We’re not quite ready to go online yet. We want to also make sure the router can hand out IP addresses to clients just like a consumer router would. This part is very easy. First, we will install a DHCP server package:

Loosening up

At this point all the basics are there, and our router is able to handle DNS queries, give IP addresses to clients, and forward traffic. However, our rules are currently so strict that it will refuse to do any of this. What we will do now is add several rules to the ruleset to specify what traffic goes out to the internet, what can come into the local network from the internet, and rules for port forwarding.

So we’ll go back to editing /etc/network/iptables and start with creating a service ruleset, forwarding rules, and NAT prerouting. Our complete ruleset is shown below:
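The following is an added example and not the article’s own listing: a small shell script that prints the ruleset for /etc/network/iptables in iptables-restore format, the two-line pre-up hook that loads it before any interface comes up, and the DHCP subnet stanza for the address-handout step described earlier. The interface names enp3s0/enp2s0 and the 192.168.97.0/24 LAN are taken from the tutorial; the choice of ISC dhcpd (isc-dhcp-server), its lease range, the hook path /etc/network/if-pre-up.d/iptables and the port-forward target 192.168.97.10:80 are assumptions. The ruleset applies the points the tutorial makes: default-drop policies, replies from the WAN side allowed only for flows the LAN started or ports deliberately forwarded, and the router’s own DHCP, DNS and SSH services reachable from the LAN side only.

```shell
#!/bin/sh
# Added example (not the article's files): prints the router's iptables ruleset,
# the pre-up hook that loads it, and a dhcpd subnet stanza, for review before they
# are written to disk. Interface names and 192.168.97.0/24 come from the article;
# ISC dhcpd, its lease range and the port-forward target 192.168.97.10 are assumed.
set -eu

WAN=${WAN:-enp3s0}   # upstream (ISP) side, addressed by DHCP
LAN=${LAN:-enp2s0}   # local side, static 192.168.97.1/24
LAN_IP=192.168.97.1
LAN_NET=192.168.97.0/24

# Interface names are spliced into rule text, so accept only plain kernel names.
validate_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# One nat PREROUTING line, e.g. forward_port tcp 8080 192.168.97.10:80
forward_port() {
    printf '%s\n' "-A PREROUTING -i $WAN -p $1 --dport $2 -j DNAT --to-destination $3"
}

# /etc/network/iptables in iptables-restore format; $1 carries optional lines from
# forward_port. Default-drop on INPUT and FORWARD, LAN may go out and is masqueraded
# behind the WAN address, and DHCP/DNS/SSH/ping are answered on the LAN side only.
router_rules() {
    validate_iface "$WAN" && validate_iface "$LAN" || { echo "bad interface name" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# A LAN source address arriving on the WAN side is spoofed: drop before any state match
-A INPUT -i $WAN -s $LAN_NET -j DROP
-A FORWARD -i $WAN -s $LAN_NET -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Services the router itself offers, LAN only
-A INPUT -i $LAN -p udp --dport 67 -j ACCEPT
-A INPUT -i $LAN -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN -p tcp --dport 53 -j ACCEPT
-A INPUT -i $LAN -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN -p icmp --icmp-type echo-request -j ACCEPT
# LAN out freely; WAN in only for existing flows or ports DNATed below
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN -o $LAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN -o $LAN -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
${1:-}
-A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# ifupdown runs executables in /etc/network/if-pre-up.d/ before raising an
# interface, so this two-line hook loads the rules before the WAN link exists.
preup_hook() {
    printf '#!/bin/sh\n/sbin/iptables-restore < /etc/network/iptables\n'
}

# Stanza for the end of /etc/dhcp/dhcpd.conf: clients get the router as gateway
# and resolver. Also set INTERFACESv4="$LAN" in /etc/default/isc-dhcp-server so
# dhcpd never answers on the WAN side.
dhcpd_subnet() {
    cat <<EOF
subnet 192.168.97.0 netmask 255.255.255.0 {
  range 192.168.97.100 192.168.97.200;
  option routers $LAN_IP;
  option domain-name-servers $LAN_IP;
  default-lease-time 600;
  max-lease-time 7200;
}
EOF
}

# Usage: sh router-config.sh rules|hook|dhcp, then redirect into the file named above.
case "${1:-}" in
    rules) router_rules "$(forward_port tcp 8080 192.168.97.10:80)" ;;
    hook)  preup_hook ;;
    dhcp)  dhcpd_subnet ;;
esac
```

Generate each file with sh router-config.sh rules, hook or dhcp and read it before redirecting it into place (the hook needs chmod +x). Load the rules the first time with iptables-restore < /etc/network/iptables while you still have console access: the INPUT policy of DROP also cuts off SSH from the WAN side, which is intended, but a typo in the LAN interface name would lock you out from the LAN too.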

Screenshot captions:

In the interfaces file you will see lines already present. Most likely they deal with the loopback interface and should be left alone. Add your changes below these.

The iptables file starts out empty and we will add several lines. Make sure to add comments for clarity in case you ever need to revisit it.

The script is in a new file and is only two lines long. This script simply refreshes the interface and saves us some time in restarting the system.

The sysctl file is where we will uncomment a line allowing IP forwarding. This file has many settings, so be sure to only uncomment the proper line.

The DHCP configuration file has a decent amount of content already. Add your configuration lines at the very end, taking care not to edit anything else.
