Solved

how to configure Linux as router

Posted on 2013-06-12
Last Modified: 2013-06-20
I'm trying to set up a linux host as a router. I'm following the instruction at http://www.cyberciti.biz/tips/linux-as-router-for-dsl-t1-line-etc.html which assured me it would be a 2-minute process, but after 2 minutes, I'm stuck. Here's what I did so far, per the instructions:

The setup:

I am running Slackware distro, kernel  2.6.24.5

I currently have two NIC cards in this computer: eth0 is currently connected to a D-Link router (which, in turn, is connected to the ISP's cable modem), and eth1 is currently not connected to anything, but will be the LAN connection.

eth0 is configured in /etc/rc.d/rc.inet1.conf for DHCP.

STEPS SO FAR:

I connected eth0 to the cable mode and reset the NIC:

$ /etc/rc.d/rc.inet1 eth0_restart

That worked fine, eth0 got an IP. Then, I created the file /etc/sysctl.conf and added one line:

 net.ipv4.ip_forward = 1

Then the iptables commands for IP forwarding and Masquerading:

$ iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
$ iptables --append FORWARD --in-interface eth1 -j ACCEPT

Here's where I'm stuck. How to I configure eth1 in /etc/rc.d/rc.inet1.conf? I want to give it a static IP for the LAN, but what do I put in for gateway and DNS? Won't specifying a gateway confuse eth0?

# Config information for eth1:
IPADDR[1]="192.168.0.1"
NETMASK[1]=""
USE_DHCP[1]=""
DHCP_HOSTNAME[1]=""

# Default gateway IP address:
GATEWAY="???"

Do I use /etc/resolv.conf for DNS servers? Start named? Can I somehow specify eth0's IP as the gateway?

I'm CONFUSED!
Question by:jmarkfoley
13 Comments
 
Expert Comment

by:arnold
Eth0 is the gateway: the IP of the D-Link. Make sure you do not double NAT the same segment.
I.e. eth0 must be on the 192.168.0.0/24
Resolv.conf should point to the DNS server, either the local one if you configure named as a caching server locally.

Post the output of netstat -rn.
Do you have DHCP configured to allocate IPs on the eth1 network?
Expert Comment

by:rindi
Personally I'd recommend using a distro that is built to be a gateway from the onset. For example Zentyal has this built in, but TurnKey, ClearOS and others also have this function already available. The advantage is that all these distros include good management tools, which makes configuration very easy and straightforward.

http://distrowatch.com/table.php?distribution=zentyal
Expert Comment

by:vivigatt
Check this (outdated but still very relevant and instructive) article:

https://wiki.archlinux.org/index.php/Router
Author Comment

by:jmarkfoley
I've got it sort-of working -- in fact, I'm using it as my router to post this comment -- but I still have issues. I had a 2nd NIC that wouldn't play well in the computer (Linksys EtherFast 10/100 LNE100TX). I forget what error I was getting, something about a "tulip". I swapped out the card for one that worked, but then had to remove my /etc/udev/70-persistent-net.rules and reboot because udev was renaming my eth0 to eth2! Sheesh! My problem is some error messages I get when running `dhcpd -d eth0`. First, the messages, then I'll post the config:

When I started dhcpd I got:

Wrote 0 deleted host decls to leases file.
Wrote 0 new dynamic host decls to leases file.
Wrote 0 leases to leases file.
Listening on LPF/eth0/00:50:da:28:3b:06/192.168.0/24
Sending on   LPF/eth0/00:50:da:28:3b:06/192.168.0/24
Sending on   Socket/fallback/fallback-net

I assume these are normal start up messages. I then connected my WIN9 laptop for which I created a DHCP reservation for 192.168.0.102 (I think). When it connected I got:

Dynamic and static leases present for 192.168.0.102.
Remove host delcaration rover or remove 192.168.0.102
from the dynamic address pool for 192.168.0/24
DHCPREQUEST for 192.168.0.102 from 44:1e:a1:c8:e8:9b via eth0
DHCPACK on 192.168.0.102 to 44:1e:a1:c8:e8:9b via eth0
DHCPINFORM from 192.168.0.102 via eth0: not authoritative for subnet 192.168.0.0
If this DHCP server is authoritative for that subnet,
please write an 'authoritative;' directive either in the
subnet declaration or in some scope that encolses the
subnet declaration - for example, write it at the top
of the dhcpd.conf file.
DHCPINFORM from 192.168.0.102 via eth0: not authoritative for subnet 192.168.0.0

Not sure what all this means, but my guess is that I should not designate reserved IPs within my DHCP range (192.168.0.100 - 192.168.0.199). Also, not sure what the 'authoritative;' directive is all about.

Next, I connected my wife's laptop for which I did *NOT* make a reservation. I got:

if PC-de-Daniela.alluneedizluv.local IN A rrset doesn't exist add PC-de-Daniela.alluneedizluv.local 21600 IN A 192.168.0.101: DNS format error.
DHCPREQUEST for 192.168.0.101 from 00:13:77:d6:aa:2a via eth0
DHCPACK on 192.168.0.101 to 00:13:77:d6:aa:2a  (PC-de-Daniela) via eth0
DHCPINFORM from 192.168.0.101 via eth0: not authoritative for subnet 192.168.0.0
DHCPINFORM from 192.168.0.101 via eth0: not authoritative for subnet 192.168.0.0
if PC-de-Daniela.alluneedizluv.local IN A rrset doesn't exist add PC-de-Daniela.alluneedizluv.local 21600 IN A 192.168.0.101: timed out.

The messages DHCPREQUEST, DHCPACK, DHCPINFORM, DHCPINFORM repeat themselves about every half hour (something to do with lease time?). I can't even guess what these messages are about other than something to do with DNS ... which I'm not running. Despite all these messages, both laptops appear to have connected w/o any apparent problem on the laptop end. Nevertheless, I don't want to simply ignore them.

How do I fix these?

Configuration:

/etc/dhcpd.conf:
option domain-name "alluneedizluv.local";

ddns-update-style ad-hoc;

subnet 192.168.0.0 netmask 255.255.255.0 {
    option routers 192.168.0.1;
    range 192.168.0.100 192.168.0.199;
    option domain-name-servers 209.18.47.61, 209.18.47.62;  # from my ISP
}

host rover {
  hardware ethernet 44:1E:A1:C8:E8:9B;
  fixed-address 192.168.0.102;
}

/etc/rc.d/rc.inet1.conf:
# Config information for eth0:
# This is the LAN interface and is the add-in card
IPADDR[0]="192.168.0.1"
NETMASK[0]="255.255.255.0"
USE_DHCP[0]=""
DHCP_HOSTNAME[0]=""

# Config information for eth1:
# This is the Internet interface and is the built-in NIC
IPADDR[1]=""
NETMASK[1]=""
USE_DHCP[1]="yes"
DHCP_HOSTNAME[1]=""
GATEWAY=""

I've specified no default gateway.

/etc/rc.d/rc.firewall:
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT

/etc/resolv.conf:
# Generated by dhcpcd for interface eth1
search columbus.rr.com
nameserver 209.18.47.61
nameserver 209.18.47.62

With the above, do I even need the option domain-name-servers in dhcpd.conf?

arnold, the netstat -rn info:

$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
76.181.64.0     0.0.0.0         255.255.224.0   U         0 0          0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         76.181.64.1     0.0.0.0         UG        0 0          0 eth1


vivigatt, I will also check out your link for clues.

So, what am I doing wrong?

Thanks
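As an added example (not the asker's rc.firewall or anything from the thread), here is a stateful version of the two NAT rules in the posted rc.firewall for the final layout above (eth0 = LAN, eth1 = Internet). The interface names and LAN subnet are taken from the posted config; the default-deny policies, the state match on return traffic and the rp_filter setting are additions. Without an argument the script only prints the commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not the asker's rc.firewall: a stateful version of the NAT rules
# for the final layout in this thread (eth0 = LAN 192.168.0.1/24, eth1 = Internet).
# With no argument it only prints the commands for review; "apply" runs them as root.
WAN=${WAN:-eth1}
LAN=${LAN:-eth0}
LAN_NET=${LAN_NET:-192.168.0.0/24}
[ "${1:-}" = "apply" ] && DRY_RUN=0 || DRY_RUN=1

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

router_rules() {
    # Same kernel switch as net.ipv4.ip_forward = 1 in /etc/sysctl.conf.
    run sysctl -w net.ipv4.ip_forward=1
    # Drop packets whose source address would not be routed back out of the
    # interface they arrived on (e.g. a 192.168.0.x source arriving from the WAN).
    run sysctl -w net.ipv4.conf.all.rp_filter=1

    run iptables -F
    run iptables -t nat -F
    # The thread's two rules work only because FORWARD defaults to ACCEPT, which
    # also forwards unsolicited Internet traffic into the LAN. Deny by default.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # Traffic to the router itself: loopback, replies, and LAN-side clients
    # (DHCP, DNS, SSH); nothing new from the Internet side.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT

    # LAN -> Internet: only from the LAN subnet, so a spoofed source address
    # is not masqueraded out.
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    # Internet -> LAN: only packets belonging to connections the LAN opened.
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Hide LAN addresses behind the WAN address (the thread's MASQUERADE rule).
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

router_rules
```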
Expert Comment

by:arnold
The non-authoritative message and the timeout deal with the DNS.
You should set up a local caching DNS that is also authoritative for the 0.168.192.in-addr.arpa zone, where your DHCP server will register the IPs it allocates, and for your internal domain alluneedizluv.local.
Author Comment

by:jmarkfoley
According to my research, the "not authoritative for subnet" message can be handled by putting the directive 'authoritative;' at the beginning of my /etc/dhcpd.conf file.

> You should setup a local caching ... for 0.168.192.in-addr.arpa zone

Do you mean running DNS (named) or are you talking about some configuration setting in dhcpd.conf?
Expert Comment

by:arnold
Yes, having bind's named or any other DNS service (tinydns) depending on your comfort level.
Accepted Solution

by:vivigatt (earned 250 total points)
DHCPREQUEST, DHCPACK, DHCPINFORM, DHCPINFORM messages are perfectly OK. Actually this is how DHCP works.
If PC-de-Daniela/rover gets the correct IP config, you are all set.
I think that you may have some name conflict. Let me guess.
PC-de-Daniela is a Windows PC that has a Windows name "PC-de-Daniela".
So when sending its DHCP requests, it adds its hostname in the request.
This is not what you have in your dhcpd.conf file, but this should not cause any issue.

DHCP leases are renewed periodically. Actually, there is a "renewal" dialog that occurs when the leases half expired. You can increase the lease time if you want.
You can add "authoritative" for the subnet if your DHCP is actually the one and only for this subnet.
If you want the DHCP service to update the DNS records, you have to set the correct config. But this requires you to run a local DNS that you have total control of. It may not actually be needed.
If you have a local DNS, you can also configure the clients (PC-de-Daniela) to send DNS update requests when it gets an IP config. Yet, since the DNS addresses you provide are
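As an added example (not from the thread), a small sh/awk lint for the two things dhcpd complained about in the log posted earlier: a host fixed-address that sits inside the dynamic range ("Dynamic and static leases present"), and a missing authoritative; directive ("not authoritative for subnet"). It embeds the posted dhcpd.conf as its constructed sample input and assumes one statement per line.

```shell
#!/bin/sh
# Added example, not code from the thread: lint a dhcpd.conf for the two problems
# dhcpd reported above. Reads the config on stdin and prints one finding per line.
lint_dhcpd_conf() {
    awk '
    function ip2int(ip,    p) {
        split(ip, p, ".")
        return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
    }
    { sub(/#.*/, ""); gsub(/;/, " ") }          # strip comments and terminators
    $1 == "authoritative" { auth = 1 }
    $1 == "range" {
        nranges++; lo[nranges] = ip2int($2); hi[nranges] = ip2int($3)
        txt[nranges] = $2 "-" $3
    }
    $1 == "host" { host = $2 }
    $1 == "fixed-address" && $2 ~ /^[0-9.]+$/ { nfixed++; fh[nfixed] = host; fa[nfixed] = $2 }
    END {
        # A fixed-address inside a dynamic pool is what produced
        # "Dynamic and static leases present for 192.168.0.102" above.
        for (i = 1; i <= nfixed; i++)
            for (j = 1; j <= nranges; j++)
                if (ip2int(fa[i]) >= lo[j] && ip2int(fa[i]) <= hi[j])
                    printf "host %s: fixed-address %s lies inside range %s; move it outside the pool\n", fh[i], fa[i], txt[j]
        # Without authoritative; dhcpd logs "not authoritative for subnet" on DHCPINFORM.
        if (!auth)
            print "missing authoritative; directive (add it at the top of dhcpd.conf if this is the only DHCP server on the subnet)"
    }'
}

# Constructed sample: the dhcpd.conf posted earlier in this thread.
SAMPLE_CONF='option domain-name "alluneedizluv.local";
ddns-update-style ad-hoc;
subnet 192.168.0.0 netmask 255.255.255.0 {
    option routers 192.168.0.1;
    range 192.168.0.100 192.168.0.199;
    option domain-name-servers 209.18.47.61, 209.18.47.62;  # from my ISP
}
host rover {
  hardware ethernet 44:1E:A1:C8:E8:9B;
  fixed-address 192.168.0.102;
}'

printf '%s\n' "$SAMPLE_CONF" | lint_dhcpd_conf
```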
Author Comment

by:jmarkfoley
When I put the "authoritative" directive in the dhcpd.conf file I stopped getting the "not authoritative for subnet" messages, and I also stopped getting the "if PC-de-Daniela.alluneedizluv.local IN A rrset doesn't exist ... DNS format error." So, everything seems to be running just fine.

vivigatt: > DHCP leases are renewed periodically. Actually, there is a "renewal" dialog that occurs when the leases half expired. You can increase the lease time if you want.

Maybe this is too big a question for this posting, but what's the difference between max-lease-time and default-lease-time? What are the defaults if not set in dhcpd.conf? If I understand the logfile correctly, leases seem to be updated between 1 and 2 hours. This is a small, local network, so why not set lease times to e.g. a month or so?
Assisted Solution

by:arnold (earned 250 total points)
This includes a sample configuration as well as comments for some of the fields:
http://www.dhcp.net/wordpress/?page_id=7

In short, the default lease sets a time frame within which the client must renew the lease; if it is not renewed by the end of the period, the lease expires.
Max lease settings deal with whether you want a system to be forced to get a new IP. This deals with rotating the IPs in use by a system.
The lease time duration deals with DHCP-related network traffic. Set it too low and all your systems will be spending time obtaining/renewing IP leases. Usually 3600 is the minimum duration and two weeks is the maximum. The drawback is that once an IP is allocated, it is marked as unavailable by the DHCP server for the duration of the lease. If you have many systems rotating in and out, and you set the lease time to a month, after 254 unique systems have rotated in, any new system will not be allocated an IP as there will be no available IPs in the DHCP pool.

In a LAN the lease time should be one day.
A week or two weeks is often used on the ISP side for DSL, FIOS and similar connections.
Author Comment

by:jmarkfoley
OK, I think that deals with my general router issues. Thanks. I've changed the default lease time to 1 day, as you suggested. Everything seems to be working just fine on the wired LAN.

you wrote:
>The short the default lease sets a time frame within which the client must renew the lease at the end of the period if not renewed the lease expires.

I have a different question on a Linux DHCP *client* in a Windows domain and it seems to have to do with the Linux client not renewing the lease. Check out http://www.experts-exchange.com/Networking/Linux_Networking/Q_28162381.html and see if you can help me on that one.

Also, I don't know if you know anything about wireless, but I've added a wireless card into this mix that I want to be an access point. I've got it semi-configured -- client devices can see the SSID and can connect -- but no Internet access is happening. Check out http://www.experts-exchange.com/Networking/Linux_Networking/Q_28162388.html if this is in your bailiwick.
Expert Comment

by:arnold
Regarding the wireless, what IPs are you assigning there? If you are assigning the same IPs as the wired side, your issue would be what IP the wireless NIC has as well as what iptables rules are set on the NIC, i.e. does wireless traffic pass without impediment through the wireless NIC to the outside.

If you are using a different block of IPs, you have to make sure that your iptables NAT rules route traffic correctly between the wireless NIC and the outside.
Author Comment

by:jmarkfoley
I think I may have an issue with the iptables, but I'm no iptables guru so I'm not sure. Check out http://www.experts-exchange.com/Networking/Linux_Networking/Q_28162388.html. All the IP assignment, hostapd, etc. info is listed. I need to get that one fixed ASAP as I'm being bugged to toss out this Linux server idea and buy a Linksys or something.