I love Linux though, and so this opposition doesn’t stop me from wanting to set up a Linux machine at home. I
upgrade my wife’s computer in the study about once every couple of years, and often my kids’ machines get a
parts upgrade from the old machine at the same time. Recently, however, I found I had enough spare parts to
put together an entire machine, so I took the opportunity to replace my LinkSys router with a custom Linux
router. In this article, I’d like to describe this process because it was more difficult for me than it probably
should have been—mostly for lack of clear instructions.
Much like letters routed through local and regional post offices, at the lowest level, all internet traffic takes the
form of data packets routed from one machine to another through local and central internet packet routers.
Like letters and packages, each packet has a single source address and an ultimate destination address. Along
the route from source to destination, packets also pick up intermediate router addresses. Router software uses
complex algorithms that analyze final destination addresses to determine the next router on the shortest path
from source to destination. Each router adds a new address to the packet, and then forwards it to the next
router along the path.
Want to try an interesting experiment? Open a terminal window and type this command (you may need to
change to super-user mode with the “su” command on some GNU/Linux distributions):
If you’re on a Windows machine you can type this command for a similar result:
On my Linux box at home, the output looks something like this (I’ve removed the DNS names and the usual
third try timing column to make it fit the column width):
The traceroute (or tracert) command causes each router in a complete path from source (your
machine) to destination (the address you specified on the command line) to return a message to your machine,
which is then interpreted and displayed. The millisecond values in the two columns following the router
address are the round-trip timing values for each of two trips to that router. On Linux, the -n option
suppresses the DNS names, and the -q option lets you specify the number of probes sent to each router (the
default is usually three). Using -q1, for instance, will show only the DNS name, IP address and one round-trip
timing value.
The traceroute command makes use of a routing protocol referred to as ICMP, which is an acronym that
stands for Internet Control Message Protocol. It’s interesting to note that ICMP doesn’t provide direct support
for this sort of trace functionality. Years ago, inventive network programmers, in an attempt to create
debugging tools for IP networks, made use of ICMP error responses to essentially trick routers into returning
enough information to the sender to learn the path taken from the local host to the specified destination, as
well as the round trip time required for each router to return the test message.
This is the primary job of a router—to determine algorithmically the most efficient path to the final
destination, and thus the next router or host in the path, and then address and forward data packets
accordingly.
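A small helper for the experiment above, added here as an example rather than taken from the article: it wraps traceroute with the -n and -q options just described and summarises the output, marking the hops where no router returned the ICMP message the trace depends on. The sample output is constructed, not a real capture.

```shell
#!/bin/sh
# Constructed sample of "traceroute -n -q 1" output (not a real capture).
SAMPLE='traceroute to 66.123.55.63 (66.123.55.63), 30 hops max, 60 byte packets
 1  192.168.1.1  0.412 ms
 2  10.0.0.1  9.873 ms
 3  *
 4  66.123.55.63  41.220 ms'

# Run a real trace: -n suppresses DNS lookups, -q 1 sends one probe per hop.
trace_to() { traceroute -n -q 1 "$1"; }

# Print one "hop address rtt" line per router. A "*" means the router at that
# hop did not return the ICMP error the trace relies on (often a firewall that
# drops it or never generates it), so there is no timing value for it.
summarize_hops() {
  while read -r hop addr rtt unit; do
    case "$hop" in
      traceroute|'') continue ;;   # skip the header line and blank lines
    esac
    if [ "$addr" = '*' ]; then
      echo "$hop * no-reply"
    else
      echo "$hop $addr $rtt"
    fi
  done
}

# Number of routers that answered along the path.
replying_hops() { summarize_hops | grep -vc 'no-reply'; }
# Number of hops that stayed silent.
silent_hops() { summarize_hops | grep -c 'no-reply'; }
# Round-trip time (ms) reported by the last hop, i.e. the destination itself.
final_rtt() { summarize_hops | tail -n 1 | awk '{print $3}'; }

# Summarise the constructed sample; use "trace_to <address> | summarize_hops"
# for a live path.
printf '%s\n' "$SAMPLE" | summarize_hops
```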
I asked the old carpenter working with me why these buildings were built this way, rather than just having the
roofs built on top of the walls. He told me about firewalls. A firewall is designed to protect the buildings on
either side of a burning building. If a fire breaks out in a building, the fire can’t (without great difficulty) get
past the firewall to the buildings on either side. The wall itself is thick enough to provide protection from
structural damage that might otherwise be caused by the heat of the fire, and high enough above the roofs of
the buildings on either side to keep the flames from jumping from roof to roof.
Often routers closest to individual sending or receiving hosts provide additional functionality to protect local
network resources from malicious attackers on the internet. It’s a statistical truth about humanity that the
larger the group of people in a community, the more probable it is that someone will attempt to hurt or steal
from others for selfish reasons. Since we can’t change the basic nature of humanity (at least not overnight), we
have to protect the innocent, and that’s exactly the purpose of a network firewall. Like the literal firewalls
between the store buildings in my home town, network firewalls protect individual hosts or private networks
from internet users with malicious intent.
The trouble is there are too many computers on the internet today. Each computer—no, each network interface
card (NIC) in each computer—must have a unique IP address. An IP address is commonly displayed as a
four-part number, where each part holds an 8-bit value, enough space for any decimal value between 0 and
255, with the parts separated by periods:
66.123.55.63
Ultimately, however, this is just a format for display, and underneath the covers computers just treat these
addresses as single 32-bit values. With just a little math, we can see that the hard limit on the number of
available addresses is 2 to the 32nd power, or about 4 billion addresses. I called it the hard limit—the fact,
however, is that the IP addressing scheme involves breaking this 32-bit value into ranges designed for various
other uses such as broadcast, multi-cast and address ranges that are simply unusable because of the semantics
of the scheme.
Over the years, some additional infrastructure has been added to the original addressing scheme to allow
address ranges to be allocated to large, medium and small governments, institutions and companies. To
support this concept of address classes, a network mask specifies which bits of a 32-bit address are to be
considered the network address, and which bits are to be seen as the host address within the specified network.
IP addresses are commonly divided into three classes: A, B, and C. Class A addresses use only the first 8 bits
as the network number, giving the owner 24 bits of node number to play with—that’s a LOT of nodes: 2 to
the 24th power is around 16 million. As a result, very few class A addresses exist today. Class B
addresses use the first 16 bits as the network number and the last 16 bits as the node number. This still leaves
Today, it’s quite common for Internet Service Providers (ISPs) to assign a class C address of say
45.119.145.37 to a customer, with a standard class C network mask of 255.255.255.0. This means
exactly what you’d expect it to mean—that all 24 bits in the first three values of the address (45.119.145)
specify the network number, while the last 8 bit value (37) indicates the host number within this network.
Later, the Classless Inter-Domain Routing (CIDR) system was devised to allow network addresses and
network masks to be specified in a single string value. The above network address and network mask would
be displayed in CIDR format as:
45.119.145.37/24
Again, this means exactly what you’d expect—that the first 24 bits of the address indicate the network
number, and the remaining 8 bits represent the node number. Simple, huh? But all of this overhead means that
there are actually far fewer addresses available for general public consumption than a raw 32-bit value might
suggest, and the fact is that around 1998, as public consumption of internet addresses began to explode, the
world started to run dangerously low on 32-bit addresses.
There have been several suggestions for how to solve this problem over the years. The first solution presented
to the Internet Engineering Task Force (IETF) was a scheme where the entire addressing system for the
internet was to be upgraded from 32 to 128 bits. This scheme is called IPv6, since it would be the 6th revision
of the Internet Protocol to be designed and implemented (the currently implemented version is 4, sometimes
called IPv4; version 5 was an experiment that never really went anywhere). IPv6 was well designed and well
implemented, but it’s been an uphill battle to get everyone to modify network software to work with an
entirely new scheme—from the lowest framework components to the highest-level network-enabled
applications.
In the meantime, a new scheme was presented by hardware manufacturers. This scheme is called Network
Address Translation or NAT. Using NAT, router appliance manufacturers like Cisco designed into their
hardware the ability to translate internet addresses into private network addresses. The people who invented
this scheme then requested from the Internet Assigned Numbers Authority (IANA) a single class B address
(192.168.0.0/16) to be reserved for private networks. This scheme allows a single host (the router) to
represent, with just one public IP address, potentially hundreds of hosts within the private network. And all
private networks could share the 192.168.0.0/16 class B address. Network address translation expanded
the usefulness of IPv4 well into the foreseeable future.
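The address arithmetic described above (network masks, the A/B/C classes, CIDR prefixes) and the 192.168.0.0/16 private range, worked through in POSIX shell as an added example that is not code from the article. Note that 45.119.145.37 falls in the old class A range, which is exactly why the /24 mask, not the class, decides where the network bits end.

```shell
#!/bin/sh
# Added example: the 32-bit arithmetic behind dotted-quad addresses,
# network masks, CIDR prefixes and the 192.168.0.0/16 private range.

# Dotted quad -> single 32-bit integer (what the hardware actually uses).
ip_to_int() {
  set -- $(printf '%s\n' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad (the human-readable display format).
int_to_ip() {
  printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                         $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# CIDR prefix length -> network mask as an integer: the top N bits set.
prefix_to_mask_int() { echo $(( (4294967295 << (32 - $1)) & 4294967295 )); }

# Same mask displayed the classic way (/24 -> 255.255.255.0).
prefix_to_mask() { int_to_ip "$(prefix_to_mask_int "$1")"; }

# Network number: the address with its host bits cleared.
network_of() { int_to_ip $(( $(ip_to_int "$1") & $(prefix_to_mask_int "$2") )); }

# Host number within the network: the address with its network bits cleared.
host_of() { echo $(( $(ip_to_int "$1") & ~$(prefix_to_mask_int "$2") & 4294967295 )); }

# Classful interpretation, decided by the leading bits of the first octet.
ip_class() {
  set -- $(printf '%s\n' "$1" | tr . ' ')
  if   [ "$1" -lt 128 ]; then echo A   # 0xxxxxxx: 8-bit network, 24-bit host
  elif [ "$1" -lt 192 ]; then echo B   # 10xxxxxx: 16-bit network, 16-bit host
  elif [ "$1" -lt 224 ]; then echo C   # 110xxxxx: 24-bit network, 8-bit host
  elif [ "$1" -lt 240 ]; then echo D   # 1110xxxx: multicast
  else                        echo E   # 1111xxxx: reserved
  fi
}

# Succeeds when an address falls inside a network given in CIDR form.
in_network() {
  net=${2%/*}; prefix=${2#*/}
  [ "$(network_of "$1" "$prefix")" = "$(network_of "$net" "$prefix")" ]
}

# Succeeds for the private range reserved for NAT'ed home networks.
is_private_192168() { in_network "$1" 192.168.0.0/16; }

# Walk through the article's own example address.
ADDR=45.119.145.37
echo "$ADDR/24: network $(network_of $ADDR 24), host $(host_of $ADDR 24), class $(ip_class $ADDR)"
echo "mask for /24 is $(prefix_to_mask 24)"
echo "192.168.1.20 private? $(is_private_192168 192.168.1.20 && echo yes || echo no)"
```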
Finally, these appliances also generally provide filtering software so you can filter certain traffic to or from
certain nodes on your network. In my home, I have a single wired computer with access to the internet—the
one in my study. The kids’ computers don’t have internet access. They can access shared files and printers on
the home network, but they can’t access the internet. Let’s face it—there’s a lot of garbage on the internet, and
I want to protect them from this stuff till they’re old enough to make those decisions for themselves. I’m sure
I’m not the only one who feels this way. They can use the internet for school research, emailing their friends
and even for fun, but only in the most public place in the house, where I can monitor things.
Well, that’s a lot of potentially configurable stuff in a box with no switches or dials on it! How do you plug in
your ISP-provided network address, default gateway and domain name server (DNS) information? Why, these
gateways even have a little web server built into them. You just connect your computer to one of its ethernet
ports, open a browser and enter http://192.168.x.y (your product’s instructions will tell you what values
to use for ‘x’ and ‘y’) and presto! You’re looking at the firmware configuration pages for your router.
Basically, these little appliances are sort of all-in-one devices. The problem is that while they may do almost
everything, they don’t often do much of it really well—and sometimes the feature that’s missing or poorly
implemented is the one you really wanted. They’re cheap enough (US$60 to US$100) that you can always go
out and buy a different one if your current device doesn’t do exactly what you want, but there are two problems
with this approach. First, the software services they provide are generally not advertised in detail on the
specification sheets, so you really don’t know what you’re getting till it’s too late. And second, none of these
gateways offer everything you probably want, so it’s always a compromise in one way or another.
What you really need is a router implemented entirely in software, so you can program it the way you want
without the limitations inherent in an appliance. Interestingly, the LinkSys appliances actually run an
embedded version of Linux internally. Because Linux and GNU/Linux are released under the General Public
License (GPL), LinkSys must, by law, release the source code for their Linux based operating system to the
public. And in fact, they do just this. You can go to the LinkSys website and download the entire source code
for the modified embedded Linux system they install in their routers. LinkSys also provides complete (albeit a
bit cryptic, unless you’re in the know) instructions for compiling this source code into a ROM image that you
can then upload into your LinkSys router through its web interface. Since Linux provides excellent router
software, other vendors have also followed a similar path for their appliances.
Well, that’s one way of doing it, but let’s be honest here—you really have to know what you’re doing to
program new features into your LinkSys router, and who has the time for this sort of activity anyway? Well,
that’s the point of this article—to show you how to configure an old PC as a Linux router and firewall, so you
can use the features of GNU/Linux to make your router and firewall do just what you want them to
do—without a lot of programming.
The first thing you need is an old PC. Any Intel Pentium-class machine running 500 MHz or better is good
enough. I found that my Linux distro of choice (OpenSuSE) required at least 512 MB of RAM as well—not to
run, mind you (Linux can run in 32 KB of RAM); it’s the silly installation program that requires all the memory.
The motherboard on my old PC had a built-in 10/100 ethernet card—plenty of speed for my WAN connection.
This card became my external interface—the card that I connect to the roof top antenna.
One thing to be aware of is that your broadband, DSL or cable modem device may look and feel to the
network more like a computer than a concentrator. The physical difference between computers and
concentrators is in the way the ports on these devices are wired. The 8-wire port used by ethernet is
technically called an RJ-45 connector. There are two ethernet RJ-45 connector wiring standards in the US,
commonly called types A and B. Type A is used by AT&T, and Type B is widely used by everyone else.
These wiring standards are logical inverses of each other. That is to say, the transmit wires on one standard
are the receive wires on the other. A type A device must be connected to a type B device in order for
communication to happen properly—you can tell if you’ve connected two type A devices to each other if the
green signal LED on the back of the ethernet card doesn’t light up. The orange transmit LED may blink if the
computer is attempting to send on that card, but if the green LED is off, it’s a sure sign that the connection is
incorrect.
Ethernet cables are wired straight through, such that each wire in the cable is connected to the same pin
number on either end. This is sometimes called a straight or normal cable. Cables can also be wired such that
one end is type A and the other end is type B. These are called “cross-over” cables, because they allow two
devices of the same type to be connected directly together. If your broadband antenna, DSL or cable modem
looks like a type A device (NIC) then you’ll need a cross-over cable to connect it to your Linux router’s WAN
port. The simplest procedure is to just have a cross-over cable on hand as you hook up your new router, and
pay attention to the green lights on the NICs. Swap cables as necessary to make everything work.
Most newer concentrators today are auto-sensing devices, which means you can plug either type A or type B
devices into a concentrator port, and it’ll just figure out which standard you’re using. This feature allows you
to cascade concentrators in order to expand the number of ports you have on your network without requiring a
cross-over cable. Many older computers, NICs and concentrators, however, really do care which one you use.
Older concentrators are wired as a type B connection, while older NICs (including those often built into
motherboards) are of type A.
A router requires at least two network cards to be an effective firewall, so I bought another NIC. The network
card in my main home computer is actually 1000Base-T—a gigabit card. Since I needed a new concentrator
anyway (recall that my previous concentrator was built into the LinkSys box), I now had an excuse to upgrade
my home network from 100Base-T to 1000Base-T. Okay, I admit, I was just dreaming here. How often am I
really going to need that kind of speed between any two of the three wired computers in my house? WiFi
machines like my laptop don’t count—remember, they’re limited by the WiFi link speed, which is much
slower—even by the fastest WiFi standards today. The fact is, I like to play, and hardware is fairly cheap
these days. But if you have access to some free or almost free 10/100 equipment, you might want to stick with
a 100Base-T concentrator. You can get concentrators in 4, 8, 12, 16, or 24 port configurations.
Four port routers are good enough for most home networks, but if you’ve wired your home the way I did with
a port in every room, or if you’re setting up a small business network, you might want to consider at least an 8
port device just so you don’t have to swap wires when you decide to use a wall outlet you haven’t used for a
while. I bought a NetGear 8-port 1000Base-T ethernet concentrator (US$69.00 at Amazon) and a NetGear
1000Base-T NIC (US$25.00 at Amazon) for the internal card in my Linux router. I also still needed WiFi in
The generally accepted canonical format of this ethernet MAC address would be:
00:08:B5:B3:23:44
Hardware manufacturers tend to string the entire value together and remove any leading zeros. The reason for
this is that the colon-delimited format is a nicety designed for human readability and data entry. As far as the
hardware is concerned, it’s just one long number.
It becomes much more apparent why you want to make a note of the MAC address if you have two cards of
the same make installed in your router. You won’t be able to tell them apart in the network device
configuration dialog except by the MAC address. With one of them known, you’ll at least be able to
determine which card is which. Even when the cards are significantly different externally, they might still use
the same chip-set, and thus the same driver. The driver name and MAC address are what you’ll see in the
dialog, not the brand or manufacturer name.
After initial installation, you can configure services through the SuSE Linux configuration system—YaST.
(Don’t ask me what that stands for—I’d guess “Yet Another…” something.) Fedora has its own methods, but
all distributions use the network device configuration dialog paradigm. While our distributions of choice
might be different, the concepts will be the same. Figure 2 shows the YaST main dialog with the Network
Figure 5 shows the firewall configuration dialog with the interface configuration option selected. Configure
the card connected to your external ISP connection as “external”. Initially, all inbound connection attempts
will be stopped, keeping malicious attackers from gaining access to your network resources. Configure the
card connected to your internal network concentrator as “internal”. This will allow computers on your home
network to communicate freely with external public services. They can communicate freely with each other as
well, but this is because they are connected to one another directly through the internal concentrator, and not
because of any particular router configuration.
You might also want to configure a DHCP server at this time, and set it up to hand out additional private
addresses to the machines on your internal network. Configuring a DHCP server is not always the smooth
process that it probably should be, so just be aware that you don’t need to do this. You can also configure each
machine on your private network with a static IP address. Since my LinkSys gateway provided this
feature for me, and I was trying to duplicate this functionality, I added a DHCP server, but you may want to
do things differently.
Now would also be a good time to configure remote desktop administration on your router. Modern
GNU/Linux remote administration is implemented with VNC (Virtual Network Computing), which allows
you to open a window on another machine that contains a virtual desktop for your router. By setting up remote
administration, you will be able to disconnect the keyboard, mouse and monitor from your router once you
have it configured the way you like. You can just put the box in the wiring closet or basement and forget
about it. Later, when you want to change configuration options on your router, just connect to it using VNC
and it’s like you’re sitting in front of it. Remote administration is found under the “Network Services” category
in OpenSuSE YaST. Basically, you just need to turn it on. If you’re using Windows on the machine you’ll be
using to access your router’s VNC desktop, then you’ll need to download a VNC client for Windows. The
free RealVNC package is as good as or better than any I’ve found, and is written by the folks who invented
the VNC protocol.
Filtering
The discussion of DHCP brings us to the last feature of my LinkSys gateway that I wanted to
emulate—filtering. I don’t mean web content filtering as much as internet access filtering, although content
filtering packages are available for installation on a Linux box, and this is one possible way to allow the kids
access to the web, without worrying too much about what they see. I still worry however, even with content
Configuring a Linux home internet gateway
filtering because I know how content filters work—they’re either too restrictive, making the web experience
frustrating at best, or they’re too loose, which is worse than useless because it provides users with a false
sense of security, and they become cavalier about what they enter into search dialogs.
But back to access filtering. The primary reason I wanted to use Linux as my gateway was because my
LinkSys box allows me to turn on or off the ability for specified computers to access the internet through my
router—either all the time or during specified time periods. It even allows me to block certain sites. But it
doesn’t allow me to deny all access except certain sites. As I mentioned earlier, my kids’ machines are
Windows machines. Windows tends to die slowly if constant downloadable updates are not applied to the
operating system. Basically, I would like to grant access to microsoft.com for system updates, and to
apple.com for my kids’ iTunes programs, but then deny access to everything else.
With GNU/Linux as your router, this sort of thing can be done. It’s fairly complicated, and can’t generally be
done with graphical tools from the desktop, so I’ll leave it as an exercise for you to figure out
machine-specific filtering by IP address or domain. Here’s a hint—check out the iptables package, which is the
standard Linux 2.6 kernel IP filtering package. It’s very powerful, and is used internally for many reasons by
both Linux kernel and user-space programs. The iptables filtering package can be configured to filter internet
access through the router based on the machine’s hardware MAC address, so you can still use DHCP to assign
IP addresses dynamically, while ensuring that your kids’ machines don’t end up with too much internet
freedom.
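One way to do the machine-specific filtering the article leaves as an exercise, as an added example that is not part of the original article: a shell script that generates the iptables rules, matching the kids’ machines by MAC address so DHCP can still hand out any IP. The interface names (eth0 external, eth1 internal), the study computer’s address and the MAC addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the article): forwarding rules for a two-card Linux
# router. Interface names, addresses and MACs are constructed placeholders.
EXT_IF=eth0                    # card connected to the ISP ("external" in YaST)
INT_IF=eth1                    # card connected to the internal concentrator
STUDY_IP=192.168.1.10          # the study computer gets unrestricted access
KIDS_MACS="00:08:B5:B3:23:44 00:08:B5:B3:23:45"   # kids' machines, by NIC MAC
KIDS_ALLOWED="microsoft.com apple.com"            # the only hosts they may reach

# Emit the commands instead of running them, so the rule set can be reviewed
# (and tested) before it is installed on the router.
build_rules() {
  # A router forwards packets; the kernel refuses to until this is switched on.
  echo "sysctl -w net.ipv4.ip_forward=1"
  # Start from a clean, closed FORWARD chain: nothing crosses unless allowed.
  echo "iptables -F FORWARD"
  echo "iptables -P FORWARD DROP"
  # Replies to connections opened from the inside are allowed back in.
  echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # The study computer may reach anything.
  echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $STUDY_IP -j ACCEPT"
  # Kids' machines are matched by MAC, so DHCP may give them any IP address.
  # iptables resolves each hostname once, when the rule is loaded, and installs
  # one rule per returned address; reload the rules if those addresses change.
  for mac in $KIDS_MACS; do
    for host in $KIDS_ALLOWED; do
      echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -m mac --mac-source $mac -d $host -j ACCEPT"
    done
  done
  # Anything else leaving the private network is logged (rate-limited) and then
  # dropped by the chain policy, which shows you when a needed site is missing.
  echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -m limit --limit 5/min -j LOG --log-prefix 'FWD-DENY: '"
  # NAT: rewrite private source addresses to the router's one public address.
  echo "iptables -t nat -F POSTROUTING"
  echo "iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE"
}

# Count helpers used to sanity-check the generated rule set.
rule_count()     { build_rules | wc -l | tr -d ' '; }
mac_rule_count() { build_rules | grep -c -- '--mac-source'; }

case "${1:-print}" in
  apply) build_rules | sh -e ;;   # run as root on the router to install the rules
  *)     build_rules ;;           # default: just print the commands for review
esac
```

Because -d resolves a hostname only when the rule is loaded, and update services often use more than one hostname, watch the FWD-DENY log lines to see what else a machine needs and reload the rules after DNS changes.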
Another benefit of a publicly visible IP address is a web server. If you would like to administer your own
web server, you can enable Apache2 on your GNU/Linux router. Don’t forget that your firewall is blocking
nearly all inbound connections through the external network card on your router. You’ll have to go back into
your firewall configuration dialog and specifically add “smtp” for your mail server to the list of allowed
connection types (smtp—simple mail transfer protocol—is actually a Unix service name that implies a
particular port number, in this case 25, the standard port number for email servers using the smtp protocol).
You can also add “http” and “https” for your web server. But be careful, the more ports you open up, the more
vulnerable to attack you make yourself. Don’t take this to mean that you shouldn’t open these ports. They
provide access to the services you want to make available to the public. Opening a port in a firewall need not
be viewed with fear if you understand the potential dangers. If you want to provide a public service such as a
web server, the idea is to find out how web servers can be attacked and protect yourself with proper access
control management, not to fear it like you might fear some unknown virus strain. Every public web server on
the internet has the potential to be hacked. But the owners of (most of) these sites are well aware of what
attackers can do to their web site, and they’ve configured security for their site such that they are comfortable
with the risk level. The Apache manual will help you out with the security learning curve.
Summary
This is a lot of stuff to remember, and I had to discover it all the hard way—one Google search at a time. You
can keep this article around as a quick reference guide. If nothing else, at least it gives you a list of topics, a
set of keywords, and a starting point for each critical feature on your router. Like all fairly complex software
configuration procedures, the devil, as they say, is in the details, and you’ll likely have your share of issues
specific to the hardware and GNU/Linux distribution you’ve chosen, but at least you’ll have the advantage of
knowing the direction you should face when you fire your guns.
Biography
John Calcote
Copyright information
Verbatim copying and distribution of this entire article is permitted in any medium without royalty provided
this notice is preserved.
Source URL:
http://www.freesoftwaremagazine.com/articles/home_internet_gateway