“UbuntuHelp:Router”的版本间的差异
来自Ubuntu中文
小 (新页面: {{From|https://help.ubuntu.com/community/Router}} {{Languages|UbuntuHelp:Router}} '''''This is where the new Ubuntu Router page is in development, please visit [[UbuntuHelp:UbuntuWireles...) |
小 |
||
| 第1行: | 第1行: | ||
{{From|https://help.ubuntu.com/community/Router}} | {{From|https://help.ubuntu.com/community/Router}} | ||
{{Languages|UbuntuHelp:Router}} | {{Languages|UbuntuHelp:Router}} | ||
| − | |||
'''''This is where the new Ubuntu Router page is in development, please visit [[UbuntuHelp:UbuntuWirelessRouter/New]] for more information''''' | '''''This is where the new Ubuntu Router page is in development, please visit [[UbuntuHelp:UbuntuWirelessRouter/New]] for more information''''' | ||
== Setting up an Ubuntu Wired/Wirless Router == | == Setting up an Ubuntu Wired/Wirless Router == | ||
| − | |||
=== Preface === | === Preface === | ||
| − | |||
This article exists due a lack of concise information and easily followed instructions on the subject of setting up a wired and/or wireless Ubuntu router. It is intended for '''intermediate''' and '''advanced users''' who have or would like to set up a dedicated Ubuntu installation acting as a router at home or in their office. The end result is a powerful router that can provide functionality similar to popular products (for example, the Linksys WikiPedia:WRT54G). | This article exists due a lack of concise information and easily followed instructions on the subject of setting up a wired and/or wireless Ubuntu router. It is intended for '''intermediate''' and '''advanced users''' who have or would like to set up a dedicated Ubuntu installation acting as a router at home or in their office. The end result is a powerful router that can provide functionality similar to popular products (for example, the Linksys WikiPedia:WRT54G). | ||
| − | |||
=== Technical Overview === | === Technical Overview === | ||
| − | |||
The router that will be created is an Internet gateway for wired and/or wireless clients to share one broadband connection with one IP address. | The router that will be created is an Internet gateway for wired and/or wireless clients to share one broadband connection with one IP address. | ||
| − | |||
The basics this router will provide are: | The basics this router will provide are: | ||
* A firewall | * A firewall | ||
| 第19行: | 第13行: | ||
* DHCP server | * DHCP server | ||
* DNS caching server | * DNS caching server | ||
| − | |||
== Prerequisites == | == Prerequisites == | ||
| − | |||
=== Broadband Connection === | === Broadband Connection === | ||
| − | |||
A broadband connection like a cable or DSL modem is required. Your broadband service provider must either provide the necessary information to configure your IP address '''statically''' or provide a dynamically assigned address via '''DHCP'''. | A broadband connection like a cable or DSL modem is required. Your broadband service provider must either provide the necessary information to configure your IP address '''statically''' or provide a dynamically assigned address via '''DHCP'''. | ||
| − | |||
=== Router Hardware === | === Router Hardware === | ||
| − | |||
You'll need a dedicated computer to act as the router. The computer can use old hardware and having the minimum requirements to install Ubuntu should suffice. The author of this article runs his router on a P3 600mhz processor with 256MB of RAM. You are encouraged use this as a server for other applications perhaps by installing postfix, apache, mysql, and/or samba. This guide recommends a '''server''' installation of Ubuntu, but there's no reason why a '''desktop''' installation wouldn't work. If you plan to be able to access the router remotely, install ssh before proceeding. | You'll need a dedicated computer to act as the router. The computer can use old hardware and having the minimum requirements to install Ubuntu should suffice. The author of this article runs his router on a P3 600mhz processor with 256MB of RAM. You are encouraged use this as a server for other applications perhaps by installing postfix, apache, mysql, and/or samba. This guide recommends a '''server''' installation of Ubuntu, but there's no reason why a '''desktop''' installation wouldn't work. If you plan to be able to access the router remotely, install ssh before proceeding. | ||
| − | |||
The following needs to be physically installed and '''recognized''' by the kernel on your router: | The following needs to be physically installed and '''recognized''' by the kernel on your router: | ||
* A network adapter connected to the broadband cable or DSL modem | * A network adapter connected to the broadband cable or DSL modem | ||
| 第40行: | 第28行: | ||
* '''For both a wired and wireless network''', | * '''For both a wired and wireless network''', | ||
** All of the above | ** All of the above | ||
| − | |||
Running `ifconfig -a` will show you what network interfaces are available. | Running `ifconfig -a` will show you what network interfaces are available. | ||
| − | |||
== Internal Network Information == | == Internal Network Information == | ||
| − | |||
Here are the values we'll use to set up your internal network. ''Advanced users use caution when changing them as the changes will need to be reflected in all further router configuration.'' | Here are the values we'll use to set up your internal network. ''Advanced users use caution when changing them as the changes will need to be reflected in all further router configuration.'' | ||
| − | |||
{|border="1" cellspacing="0" | {|border="1" cellspacing="0" | ||
||| '''Router''' | ||| '''Router''' | ||
| 第57行: | 第41行: | ||
|- | |- | ||
| Broadcast || 192.168.0.255 | | Broadcast || 192.168.0.255 | ||
| − | | | + | |- |
| − | + | ||
| − | + | ||
||| '''Clients''' | ||| '''Clients''' | ||
|- | |- | ||
| 第70行: | 第52行: | ||
| Gateway || 192.168.0.1 | | Gateway || 192.168.0.1 | ||
|} | |} | ||
| − | |||
== Setting Up Your Network Interfaces == | == Setting Up Your Network Interfaces == | ||
| − | |||
=== Device Naming Overview === | === Device Naming Overview === | ||
| − | |||
{|border="1" cellspacing="0" | {|border="1" cellspacing="0" | ||
| '''Network Device''' || '''Internal or External Network''' || '''Description''' | | '''Network Device''' || '''Internal or External Network''' || '''Description''' | ||
| 第86行: | 第65行: | ||
| <u>'''br0'''</u> || Internal || Network bridge between <u>'''eth1'''</u> and <u>'''wlan0'''</u> that will treat the two like one device | | <u>'''br0'''</u> || Internal || Network bridge between <u>'''eth1'''</u> and <u>'''wlan0'''</u> that will treat the two like one device | ||
|} | |} | ||
| − | |||
It is important to note that the names of the network devices above (<u>'''eth0'''</u>, <u>'''eth1'''</u>, and <u>'''wlan0'''</u>) are used as convention. It is very likely that your router will recognize its devices under different names (for example, madwifi calls its wireless device <u>'''ath0'''</u>). Please substitute the names of your device accordingly. For information about how to change the names of your network devices, try `man iftab`. | It is important to note that the names of the network devices above (<u>'''eth0'''</u>, <u>'''eth1'''</u>, and <u>'''wlan0'''</u>) are used as convention. It is very likely that your router will recognize its devices under different names (for example, madwifi calls its wireless device <u>'''ath0'''</u>). Please substitute the names of your device accordingly. For information about how to change the names of your network devices, try `man iftab`. | ||
| − | |||
=== Taking a Backup === | === Taking a Backup === | ||
| − | |||
Issue the following command to take a backup of your current network configuration: | Issue the following command to take a backup of your current network configuration: | ||
<pre><nowiki>sudo cp /etc/network/interfaces /etc/network/interfaces.bak | <pre><nowiki>sudo cp /etc/network/interfaces /etc/network/interfaces.bak | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
=== Configuring the External Network Interface === | === Configuring the External Network Interface === | ||
| − | |||
==== Setting up External Network Interface ==== | ==== Setting up External Network Interface ==== | ||
| − | |||
Here, we configure the Ubuntu networking system to bring the the local loopback and external network interfaces up by editing `/etc/networking/interfaces`. The primary goal here is to set up your external network interface (<u>'''eth0'''</u>, or whatever you're using in place of it) to be brought up by the networking subsystem. The examples below are only for the most basic setups. If your setup requires additional configuration, for example you need to setup [[UbuntuHelp:ADSLPPPoE|ADSL with PPPoE]], adapt the following examples so that the end result is your external network interface connected to the Internet. | Here, we configure the Ubuntu networking system to bring the the local loopback and external network interfaces up by editing `/etc/networking/interfaces`. The primary goal here is to set up your external network interface (<u>'''eth0'''</u>, or whatever you're using in place of it) to be brought up by the networking subsystem. The examples below are only for the most basic setups. If your setup requires additional configuration, for example you need to setup [[UbuntuHelp:ADSLPPPoE|ADSL with PPPoE]], adapt the following examples so that the end result is your external network interface connected to the Internet. | ||
| − | |||
===== For Dynamic IP Addresses (DHCP) Only ===== | ===== For Dynamic IP Addresses (DHCP) Only ===== | ||
| − | |||
Open `/etc/network/interfaces` with your favourite editor. Delete everything and paste in what is below. Follow the commented out instructions carefully. | Open `/etc/network/interfaces` with your favourite editor. Delete everything and paste in what is below. Follow the commented out instructions carefully. | ||
<pre><nowiki># Set up the local loopback interface | <pre><nowiki># Set up the local loopback interface | ||
auto lo | auto lo | ||
iface lo inet loopback | iface lo inet loopback | ||
| − | |||
# Set up the external interface | # Set up the external interface | ||
# | # | ||
| 第115行: | 第85行: | ||
auto eth0 | auto eth0 | ||
iface eth0 inet dhcp</nowiki></pre> | iface eth0 inet dhcp</nowiki></pre> | ||
| − | |||
===== For Static IP Address Only ===== | ===== For Static IP Address Only ===== | ||
| − | |||
Open `/etc/network/interfaces` with your favourite editor. Delete everything and paste in what is below. Follow the commented out instructions carefully. | Open `/etc/network/interfaces` with your favourite editor. Delete everything and paste in what is below. Follow the commented out instructions carefully. | ||
| − | |||
<pre><nowiki># Set up the local loopback interface | <pre><nowiki># Set up the local loopback interface | ||
auto lo | auto lo | ||
iface lo inet loopback | iface lo inet loopback | ||
| − | |||
# Set up the External interface | # Set up the External interface | ||
# | # | ||
| 第135行: | 第101行: | ||
netmask xxx.xxx.xxx.xxx | netmask xxx.xxx.xxx.xxx | ||
gateway xxx.xxx.xxx.xxx</nowiki></pre> | gateway xxx.xxx.xxx.xxx</nowiki></pre> | ||
| − | |||
Now, set up your DNS servers as given to you by your service provider in `/etc/resolv.conf`, which should look something like this | Now, set up your DNS servers as given to you by your service provider in `/etc/resolv.conf`, which should look something like this | ||
<pre><nowiki>nameserver xxx.xxx.xxx.xxx | <pre><nowiki>nameserver xxx.xxx.xxx.xxx | ||
nameserver xxx.xxx.xxx.xxx</nowiki></pre> | nameserver xxx.xxx.xxx.xxx</nowiki></pre> | ||
| − | |||
You can visit the [https://help.ubuntu.com/6.06/ubuntu/serverguide/C/network-configuration.html Ubuntu Server Guide - Network Configuration] documentation for more information | You can visit the [https://help.ubuntu.com/6.06/ubuntu/serverguide/C/network-configuration.html Ubuntu Server Guide - Network Configuration] documentation for more information | ||
| − | |||
==== Testing Connectivity ==== | ==== Testing Connectivity ==== | ||
| − | |||
Reload the network configuration and test for connectivity, | Reload the network configuration and test for connectivity, | ||
<pre><nowiki>sudo /etc/init.d/networking restart | <pre><nowiki>sudo /etc/init.d/networking restart | ||
| 第152行: | 第114行: | ||
64 bytes from signey.ubuntu.com (82.211.81.166): icmp_seq=2 ttl=43 time=109 ms | 64 bytes from signey.ubuntu.com (82.211.81.166): icmp_seq=2 ttl=43 time=109 ms | ||
64 bytes from signey.ubuntu.com (82.211.81.166): icmp_seq=3 ttl=43 time=100 ms | 64 bytes from signey.ubuntu.com (82.211.81.166): icmp_seq=3 ttl=43 time=100 ms | ||
| − | |||
--- ubuntu.com ping statistics --- | --- ubuntu.com ping statistics --- | ||
3 packets transmitted, 3 received, 0% packet loss, time 2001ms | 3 packets transmitted, 3 received, 0% packet loss, time 2001ms | ||
rtt min/avg/max/mdev = 99.982/103.450/109.419/4.254 ms</nowiki></pre> | rtt min/avg/max/mdev = 99.982/103.450/109.419/4.254 ms</nowiki></pre> | ||
| − | |||
=== Configuring the Internal Network Interfaces === | === Configuring the Internal Network Interfaces === | ||
| − | |||
==== Wired Only ==== | ==== Wired Only ==== | ||
| − | |||
'''Append''' the following to `/etc/network/interfaces` and follow the commented out instructions carefully. | '''Append''' the following to `/etc/network/interfaces` and follow the commented out instructions carefully. | ||
<pre><nowiki># Set up the internal wired network | <pre><nowiki># Set up the internal wired network | ||
| 第173行: | 第131行: | ||
netmask 255.255.255.0 | netmask 255.255.255.0 | ||
broadcast 192.168.0.255</nowiki></pre> | broadcast 192.168.0.255</nowiki></pre> | ||
| − | |||
Your internal network interface is: <u>'''eth1'''</u> (or whatever you're using in place of it) | Your internal network interface is: <u>'''eth1'''</u> (or whatever you're using in place of it) | ||
| − | |||
==== Wireless Only ==== | ==== Wireless Only ==== | ||
| − | |||
If you plan on using WEP, generate a network key, | If you plan on using WEP, generate a network key, | ||
<pre><nowiki>dd if=/dev/random bs=1 count=13 2>/dev/null | xxd -p | <pre><nowiki>dd if=/dev/random bs=1 count=13 2>/dev/null | xxd -p | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
'''Append''' the following to `/etc/network/interfaces` and follow the commented out instructions carefully. | '''Append''' the following to `/etc/network/interfaces` and follow the commented out instructions carefully. | ||
<pre><nowiki># Set up the internal wireless network | <pre><nowiki># Set up the internal wireless network | ||
| 第203行: | 第157行: | ||
netmask 255.255.255.0 | netmask 255.255.255.0 | ||
broadcast 192.168.0.255</nowiki></pre> | broadcast 192.168.0.255</nowiki></pre> | ||
| − | |||
| − | |||
Your internal network interface is: <u>'''wlan0'''</u> (or whatever you're using in place of it) | Your internal network interface is: <u>'''wlan0'''</u> (or whatever you're using in place of it) | ||
| − | |||
==== Both Wired and Wireless ==== | ==== Both Wired and Wireless ==== | ||
| − | |||
First install the necessary tools to create a network bridge, | First install the necessary tools to create a network bridge, | ||
<pre><nowiki>sudo apt-get install bridge-utils | <pre><nowiki>sudo apt-get install bridge-utils | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
If you plan on using WEP, generate a network key, | If you plan on using WEP, generate a network key, | ||
<pre><nowiki>dd if=/dev/random bs=1 count=13 2>/dev/null | xxd -p | <pre><nowiki>dd if=/dev/random bs=1 count=13 2>/dev/null | xxd -p | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
'''Append''' the following to `/etc/network/interfaces` and follow the commented out instructions carefully. | '''Append''' the following to `/etc/network/interfaces` and follow the commented out instructions carefully. | ||
<pre><nowiki># Set up the internal wireless network | <pre><nowiki># Set up the internal wireless network | ||
| 第234行: | 第182行: | ||
wireless-channel 1 | wireless-channel 1 | ||
#wireless-key <key goes here> | #wireless-key <key goes here> | ||
| − | |||
# Set up the internal wired network | # Set up the internal wired network | ||
# | # | ||
| 第242行: | 第189行: | ||
#auto eth1 | #auto eth1 | ||
#iface eth1 inet manual | #iface eth1 inet manual | ||
| − | |||
| − | |||
# Set up the internal wired/wireless network bridge | # Set up the internal wired/wireless network bridge | ||
# | # | ||
| 第256行: | 第201行: | ||
broadcast 192.168.0.255 | broadcast 192.168.0.255 | ||
bridge-ports eth1 wlan0</nowiki></pre> | bridge-ports eth1 wlan0</nowiki></pre> | ||
| − | |||
Your internal network interface is: <u>'''br0'''</u> | Your internal network interface is: <u>'''br0'''</u> | ||
| − | |||
=== Restart Networking === | === Restart Networking === | ||
| − | |||
Now, if the following command is executes successfully, your networking devices have been properly configured. | Now, if the following command is executes successfully, your networking devices have been properly configured. | ||
<pre><nowiki>sudo /etc/init.d/networking restart | <pre><nowiki>sudo /etc/init.d/networking restart | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
== Configuring the Firewall == | == Configuring the Firewall == | ||
| − | |||
=== Background === | === Background === | ||
| − | |||
=== The Firewall Script === | === The Firewall Script === | ||
| − | |||
'''''This is a just a <u>rough draft</u>!''''' | '''''This is a just a <u>rough draft</u>!''''' | ||
| − | |||
<pre><nowiki> | <pre><nowiki> | ||
#!/bin/sh | #!/bin/sh | ||
| − | |||
IPTABLES=/sbin/iptables | IPTABLES=/sbin/iptables | ||
AWK=/usr/bin/awk | AWK=/usr/bin/awk | ||
IFCONFIG=/sbin/ifconfig | IFCONFIG=/sbin/ifconfig | ||
| − | |||
| − | |||
# External (Internet-facing) interface | # External (Internet-facing) interface | ||
EXTIF="eth0" | EXTIF="eth0" | ||
| − | |||
# External IP address (autmatically detected) | # External IP address (autmatically detected) | ||
EXTIP="`$IFCONFIG $EXTIF | $AWK /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`" | EXTIP="`$IFCONFIG $EXTIF | $AWK /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`" | ||
| − | |||
# Internal interface | # Internal interface | ||
INTIF="br0" | INTIF="br0" | ||
| − | |||
# Internal IP address (in CIDR notation) | # Internal IP address (in CIDR notation) | ||
INTIP="192.168.0.1/32" | INTIP="192.168.0.1/32" | ||
| − | |||
# Internal network address (in CIDR notation) | # Internal network address (in CIDR notation) | ||
INTNET="192.168.0.0/24" | INTNET="192.168.0.0/24" | ||
| − | |||
# The address of anything/everything (in CIDR notation) | # The address of anything/everything (in CIDR notation) | ||
UNIVERSE="0.0.0.0/0" | UNIVERSE="0.0.0.0/0" | ||
| − | |||
| − | |||
echo "External: [Interface=$EXTIF] [IP=$EXTIP]" | echo "External: [Interface=$EXTIF] [IP=$EXTIP]" | ||
echo "Internal: [Interface=$INTIF] [IP=$INTIP] [Network:$INTNET]" | echo "Internal: [Interface=$INTIF] [IP=$INTIP] [Network:$INTNET]" | ||
| − | |||
echo | echo | ||
echo -n "Loading rules..." | echo -n "Loading rules..." | ||
| − | |||
# Enabling IP forwarding | # Enabling IP forwarding | ||
echo 1 > /proc/sys/net/ipv4/ip_forward | echo 1 > /proc/sys/net/ipv4/ip_forward | ||
| − | |||
| − | |||
# Clear any existing rules and set the default policy to DROP | # Clear any existing rules and set the default policy to DROP | ||
$IPTABLES -P INPUT DROP | $IPTABLES -P INPUT DROP | ||
| 第318行: | 第241行: | ||
$IPTABLES -F FORWARD | $IPTABLES -F FORWARD | ||
$IPTABLES -F -t nat | $IPTABLES -F -t nat | ||
| − | |||
# Delete all User-specified chains | # Delete all User-specified chains | ||
$IPTABLES -X | $IPTABLES -X | ||
| − | |||
# Reset all IPTABLES counters | # Reset all IPTABLES counters | ||
$IPTABLES -Z | $IPTABLES -Z | ||
| − | |||
# INPUT: Incoming traffic from various interfaces # | # INPUT: Incoming traffic from various interfaces # | ||
| − | |||
# Loopback interface is valid | # Loopback interface is valid | ||
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT | $IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT | ||
| − | |||
| − | |||
# Local interface, local machines, going anywhere is valid | # Local interface, local machines, going anywhere is valid | ||
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT | $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT | ||
| − | |||
| − | |||
# Remote interface, claiming to be local machines, IP spoofing, get lost | # Remote interface, claiming to be local machines, IP spoofing, get lost | ||
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j REJECT | $IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j REJECT | ||
| − | |||
| − | |||
# External interface, from any source, for ICMP traffic is valid | # External interface, from any source, for ICMP traffic is valid | ||
$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT | $IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT | ||
| − | |||
| − | |||
# Allow any related traffic coming back to the MASQ server in. | # Allow any related traffic coming back to the MASQ server in. | ||
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT | $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT | ||
| − | |||
| − | |||
# Internal interface, DHCP traffic accepted | # Internal interface, DHCP traffic accepted | ||
$IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT | $IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT | ||
$IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT | $IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT | ||
| − | |||
| − | |||
# External interface, HTTP/HTTPS traffic allowed | # External interface, HTTP/HTTPS traffic allowed | ||
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT | $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT | ||
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 443 -j ACCEPT | $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 443 -j ACCEPT | ||
| − | |||
# External interface, SSH traffic allowed | # External interface, SSH traffic allowed | ||
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 22 -j ACCEPT | $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 22 -j ACCEPT | ||
| − | |||
| − | |||
# Catch-all rule, reject anything else | # Catch-all rule, reject anything else | ||
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j REJECT | $IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j REJECT | ||
| − | |||
| − | |||
# OUTPUT: Outgoing traffic from various interfaces # | # OUTPUT: Outgoing traffic from various interfaces # | ||
| − | |||
# Workaround bug in netfilter | # Workaround bug in netfilter | ||
$IPTABLES -A OUTPUT -m state -p icmp --state INVALID -j DROP | $IPTABLES -A OUTPUT -m state -p icmp --state INVALID -j DROP | ||
| − | |||
# Loopback interface is valid. | # Loopback interface is valid. | ||
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT | $IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT | ||
| − | |||
| − | |||
# Local interfaces, any source going to local net is valid | # Local interfaces, any source going to local net is valid | ||
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT | $IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT | ||
| − | |||
| − | |||
# local interface, MASQ server source going to the local net is valid | # local interface, MASQ server source going to the local net is valid | ||
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT | $IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT | ||
| − | |||
| − | |||
# outgoing to local net on remote interface, stuffed routing, deny | # outgoing to local net on remote interface, stuffed routing, deny | ||
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j REJECT | $IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j REJECT | ||
| − | |||
| − | |||
# anything else outgoing on remote interface is valid | # anything else outgoing on remote interface is valid | ||
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT | $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT | ||
| − | |||
| − | |||
# Internal interface, DHCP traffic accepted | # Internal interface, DHCP traffic accepted | ||
$IPTABLES -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT | $IPTABLES -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT | ||
$IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT | $IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT | ||
| − | |||
| − | |||
# Catch all rule, all other outgoing is denied and logged. | # Catch all rule, all other outgoing is denied and logged. | ||
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j REJECT | $IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j REJECT | ||
| − | |||
| − | |||
# Packet Forwarding / NAT # | # Packet Forwarding / NAT # | ||
| − | |||
# ----- Begin OPTIONAL FORWARD Section ----- | # ----- Begin OPTIONAL FORWARD Section ----- | ||
| − | |||
#Optionally forward incoming tcp connections on port 1234 to 192.168.0.100 | #Optionally forward incoming tcp connections on port 1234 to 192.168.0.100 | ||
#$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 1234 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | #$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 1234 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | ||
#$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 1234 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.0.100:1234 | #$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 1234 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.0.100:1234 | ||
| − | |||
# ----- End OPTIONAL FORWARD Section ----- | # ----- End OPTIONAL FORWARD Section ----- | ||
| − | |||
| − | |||
# Accept solicited tcp packets | # Accept solicited tcp packets | ||
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT | $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT | ||
| − | |||
# Allow packets across the internal interface | # Allow packets across the internal interface | ||
$IPTABLES -A FORWARD -i $INTIF -o $INTIF -j ACCEPT | $IPTABLES -A FORWARD -i $INTIF -o $INTIF -j ACCEPT | ||
| − | |||
# Forward packets from the internal network to the Internet | # Forward packets from the internal network to the Internet | ||
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT | $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT | ||
| − | |||
# Catch-all REJECT rule | # Catch-all REJECT rule | ||
$IPTABLES -A FORWARD -j REJECT | $IPTABLES -A FORWARD -j REJECT | ||
| − | |||
# IP-Masquerade | # IP-Masquerade | ||
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP | $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP | ||
| − | |||
| − | |||
echo " done."</nowiki></pre> | echo " done."</nowiki></pre> | ||
| − | |||
== DHCP and DNS == | == DHCP and DNS == | ||
[[category:UbuntuHelp]] | [[category:UbuntuHelp]] | ||
2007年11月30日 (五) 21:20的版本
 |
点击翻译: |
English |
请不要直接编辑翻译本页,本页将定期与来源同步。 |
This is where the new Ubuntu Router page is in development, please visit UbuntuHelp:UbuntuWirelessRouter/New for more information
目录
- 1 Setting up an Ubuntu Wired/Wirless Router
- 2 Prerequisites
- 3 Internal Network Information
- 4 Setting Up Your Network Interfaces
- 5 Configuring the Firewall
- 6 DHCP and DNS
Setting up an Ubuntu Wired/Wirless Router
Preface
This article exists due a lack of concise information and easily followed instructions on the subject of setting up a wired and/or wireless Ubuntu router. It is intended for intermediate and advanced users who have or would like to set up a dedicated Ubuntu installation acting as a router at home or in their office. The end result is a powerful router that can provide functionality similar to popular products (for example, the Linksys WikiPedia:WRT54G).
Technical Overview
The router that will be created is an Internet gateway for wired and/or wireless clients to share one broadband connection with one IP address. The basics this router will provide are:
- A firewall
- WikiPedia:IP_masquerading
- port forwarding (optional)
- DHCP server
- DNS caching server
Prerequisites
Broadband Connection
A broadband connection like a cable or DSL modem is required. Your broadband service provider must either provide the necessary information to configure your IP address statically or provide a dynamically assigned address via DHCP.
Router Hardware
You'll need a dedicated computer to act as the router. The computer can use old hardware and having the minimum requirements to install Ubuntu should suffice. The author of this article runs his router on a P3 600mhz processor with 256MB of RAM. You are encouraged use this as a server for other applications perhaps by installing postfix, apache, mysql, and/or samba. This guide recommends a server installation of Ubuntu, but there's no reason why a desktop installation wouldn't work. If you plan to be able to access the router remotely, install ssh before proceeding. The following needs to be physically installed and recognized by the kernel on your router:
- A network adapter connected to the broadband cable or DSL modem
- For a wired network,
- Another network adapter connected to a hub or switch
- For a wireless network,
- A wireless network adapter (which must be able to be set in "master" mode)
- `sudo iwconfig <device name> mode master` should not return an error
- If your wireless network adapter is not recognized by your server installation of Ubuntu, it may use the madwifi chipset (like the D-Link DWL-G520). Please visit UbuntuHelp:Router/Madwifi for more information.
- A wireless network adapter (which must be able to be set in "master" mode)
- For both a wired and wireless network,
- All of the above
Running `ifconfig -a` will show you what network interfaces are available.
Internal Network Information
Here are the values we'll use to set up your internal network. Advanced users use caution when changing them as the changes will need to be reflected in all further router configuration.
| Router | |
| Address | 192.168.0.1 |
| Network | 192.168.0.0 |
| Netmask | 255.255.255.0 |
| Broadcast | 192.168.0.255 |
| Clients | |
| Addresses | 192.168.0.2 - 192.168.0.254 |
| Netmask | 255.255.255.0 |
| Broadcast | 192.168.0.255 |
| Gateway | 192.168.0.1 |
Setting Up Your Network Interfaces
Device Naming Overview
| Network Device | Internal or External Network | Description |
| eth0 | External | Network adapter connected to an external network (your broadband connection) |
| eth1 | Internal | Network adapter connected to a hub or switch |
| wlan0 | Internal | Wireless network adapter |
| br0 | Internal | Network bridge between eth1 and wlan0 that will treat the two like one device |
It is important to note that the names of the network devices above (eth0, eth1, and wlan0) are used as convention. It is very likely that your router will recognize its devices under different names (for example, madwifi calls its wireless device ath0). Please substitute the names of your device accordingly. For information about how to change the names of your network devices, try `man iftab`.
Taking a Backup
Issue the following command to take a backup of your current network configuration:
sudo cp /etc/network/interfaces /etc/network/interfaces.bak
Configuring the External Network Interface
Setting up External Network Interface
Here, we configure the Ubuntu networking system to bring the the local loopback and external network interfaces up by editing `/etc/networking/interfaces`. The primary goal here is to set up your external network interface (eth0, or whatever you're using in place of it) to be brought up by the networking subsystem. The examples below are only for the most basic setups. If your setup requires additional configuration, for example you need to setup ADSL with PPPoE, adapt the following examples so that the end result is your external network interface connected to the Internet.
For Dynamic IP Addresses (DHCP) Only
Open `/etc/network/interfaces` with your favourite editor. Delete everything and paste in what is below. Follow the commented out instructions carefully.
# Set up the local loopback interface auto lo iface lo inet loopback # Set up the external interface # # Don't forget to change eth0 to the proper name of the external # interface if applicable. # auto eth0 iface eth0 inet dhcp
For Static IP Address Only
Open `/etc/network/interfaces` with your favourite editor. Delete everything and paste in what is below. Follow the commented out instructions carefully.
# Set up the local loopback interface auto lo iface lo inet loopback # Set up the External interface # # For every xxx.xxx.xxx.xxx, enter the numeric address given to you # by your Internet provider. Don't forget to change eth0 to the proper # name of the external interface if applicable. # auto eth0 iface eth0 inet static address xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx gateway xxx.xxx.xxx.xxx
Now, set up your DNS servers as given to you by your service provider in `/etc/resolv.conf`, which should look something like this
nameserver xxx.xxx.xxx.xxx nameserver xxx.xxx.xxx.xxx
You can visit the Ubuntu Server Guide - Network Configuration documentation for more information
Testing Connectivity
Reload the network configuration and test for connectivity,
sudo /etc/init.d/networking restart ping -c 3 -W 10 ubuntu.com
And if all goes well something similar should return:
PING ubuntu.com (82.211.81.166) 56(84) bytes of data. 64 bytes from signey.ubuntu.com (82.211.81.166): icmp_seq=1 ttl=43 time=99.9 ms 64 bytes from signey.ubuntu.com (82.211.81.166): icmp_seq=2 ttl=43 time=109 ms 64 bytes from signey.ubuntu.com (82.211.81.166): icmp_seq=3 ttl=43 time=100 ms --- ubuntu.com ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2001ms rtt min/avg/max/mdev = 99.982/103.450/109.419/4.254 ms
Configuring the Internal Network Interfaces
Wired Only
Append the following to `/etc/network/interfaces` and follow the commented out instructions carefully.
# Set up the internal wired network # # Don't forget to change eth1 to the proper name of the internal # wired network interface if applicable. # auto eth1 iface eth1 inet static address 192.168.0.1 network 192.168.0.0 netmask 255.255.255.0 broadcast 192.168.0.255
Your internal network interface is: eth1 (or whatever you're using in place of it)
Wireless Only
If you plan on using WEP, generate a network key,
dd if=/dev/random bs=1 count=13 2>/dev/null | xxd -p
Append the following to `/etc/network/interfaces` and follow the commented out instructions carefully.
# Set up the internal wireless network # # Don't forget to change wlan0 to the proper name of the internal # wireless network interface if applicable. # # If you would like to use WEP, uncomment the line 'wireless-key' # and replace '<key goes here>' with a WEP key. # # You may also change the network essid and channel. # auto wlan0 iface wlan0 inet static wireless-mode master wireless-essid "UbuntuWireless" wireless-channel 1 #wireless-key <key goes here> address 192.168.0.1 network 192.168.0.0 netmask 255.255.255.0 broadcast 192.168.0.255
Your internal network interface is: wlan0 (or whatever you're using in place of it)
Both Wired and Wireless
First install the necessary tools to create a network bridge,
sudo apt-get install bridge-utils
If you plan on using WEP, generate a network key,
dd if=/dev/random bs=1 count=13 2>/dev/null | xxd -p
Append the following to `/etc/network/interfaces` and follow the commented out instructions carefully.
# Set up the internal wireless network # # Don't forget to change wlan0 to the proper name of the internal # wireless network interface if applicable. # # If you would like to use WEP, uncomment the line 'wireless-key' # and replace '<key goes here>' with a WEP key. # # You may also change the network essid and channel. # auto wlan0 iface wlan0 inet manual wireless-mode master wireless-essid "UbuntuWireless" wireless-channel 1 #wireless-key <key goes here> # Set up the internal wired network # # It's not necessary to bring this interface up as the bridge # we are about to create does this. Leave these lines commented. # #auto eth1 #iface eth1 inet manual # Set up the internal wired/wireless network bridge # # Don't forget to change wlan0 and eth1 to the proper name of # the internal wired and wireless interfaces if applicable. # auto br0 iface br0 inet static address 192.168.0.1 network 192.168.0.0 netmask 255.255.255.0 broadcast 192.168.0.255 bridge-ports eth1 wlan0
Your internal network interface is: br0
Restart Networking
Now, if the following command is executes successfully, your networking devices have been properly configured.
sudo /etc/init.d/networking restart
Configuring the Firewall
Background
The Firewall Script
This is a just a rough draft!
#!/bin/sh
IPTABLES=/sbin/iptables
AWK=/usr/bin/awk
IFCONFIG=/sbin/ifconfig
# External (Internet-facing) interface
EXTIF="eth0"
# External IP address (autmatically detected)
EXTIP="`$IFCONFIG $EXTIF | $AWK /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
# Internal interface
INTIF="br0"
# Internal IP address (in CIDR notation)
INTIP="192.168.0.1/32"
# Internal network address (in CIDR notation)
INTNET="192.168.0.0/24"
# The address of anything/everything (in CIDR notation)
UNIVERSE="0.0.0.0/0"
echo "External: [Interface=$EXTIF] [IP=$EXTIP]"
echo "Internal: [Interface=$INTIF] [IP=$INTIP] [Network:$INTNET]"
echo
echo -n "Loading rules..."
# Enabling IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Clear any existing rules and set the default policy to DROP
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
# Delete all User-specified chains
$IPTABLES -X
# Reset all IPTABLES counters
$IPTABLES -Z
# INPUT: Incoming traffic from various interfaces #
# Loopback interface is valid
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# Local interface, local machines, going anywhere is valid
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
# Remote interface, claiming to be local machines, IP spoofing, get lost
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j REJECT
# External interface, from any source, for ICMP traffic is valid
$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
# Allow any related traffic coming back to the MASQ server in.
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
# Internal interface, DHCP traffic accepted
$IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT
# External interface, HTTP/HTTPS traffic allowed
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 443 -j ACCEPT
# External interface, SSH traffic allowed
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 22 -j ACCEPT
# Catch-all rule, reject anything else
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j REJECT
# OUTPUT: Outgoing traffic from various interfaces #
# Workaround bug in netfilter
$IPTABLES -A OUTPUT -m state -p icmp --state INVALID -j DROP
# Loopback interface is valid.
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# Local interfaces, any source going to local net is valid
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
# local interface, MASQ server source going to the local net is valid
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
# outgoing to local net on remote interface, stuffed routing, deny
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j REJECT
# anything else outgoing on remote interface is valid
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
# Internal interface, DHCP traffic accepted
$IPTABLES -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT
# Catch all rule, all other outgoing is denied and logged.
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j REJECT
# Packet Forwarding / NAT #
# ----- Begin OPTIONAL FORWARD Section -----
#Optionally forward incoming tcp connections on port 1234 to 192.168.0.100
#$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 1234 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 1234 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.0.100:1234
# ----- End OPTIONAL FORWARD Section -----
# Accept solicited tcp packets
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow packets across the internal interface
$IPTABLES -A FORWARD -i $INTIF -o $INTIF -j ACCEPT
# Forward packets from the internal network to the Internet
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# Catch-all REJECT rule
$IPTABLES -A FORWARD -j REJECT
# IP-Masquerade
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
echo " done."
