Re: Linux on a Router
On Tue, Jul 10, 2007 at 11:41:45PM -0500, ArcticFox wrote:
> On Jul 10, 2007, at 11:32 PM, Douglas Allan Tutty wrote:
> > What about using an old computer?  If you need wireless then it has to
> > have the bus to take a wireless NIC but if it's wired then almost any
> > computer will do.
> >
> > What is it you need your router to do?
> >
> Allow 3 computers access to the internet plus my Vonage device. One of
> them is a server and there should be a firewall to stop/deter hackers.
> Wireless would be a plus, but not strictly necessary. I do have an old
> PC that could be used, would I need two NICs to do this? Or could I just
> use one?
You then need one computer to be your router/firewall.  Assuming that
your internet is in the form of a high-speed modem that presents you
with an ethernet connection, you would need one NIC for that.  If, like
me, you use dialup, then just a modem or serial port and external modem.
This then takes care of the internet side.
For your inside network, if you want wireless then you need a wireless
NIC and for ethernet you need an ethernet NIC.  There may be cards that
have both on one card but to Linux they will look like two ethernet
connections.
It may look like this:

eth0    NIC to internet modem.  Assume the modem is 192.168.1.1,
        this NIC 192.168.1.2.
eth1    internal wireless: 192.168.2.1
eth2    internal ethernet, connected to a simple ethernet switch to
        connect other computers and Vonage: 192.168.3.1
Remember that you have three separate networks.
Your required computer speed will depend on the speed of the networks.
My 486's ISA bus gets saturated by one NIC.  The kernel has to handle
all the packets going between the ports.
Put a base install (no tasks selected during install).  Add iptables and
shorewall, lynx, mc, your text-mode editor of choice [or just use
mcedit], ssh server, an MTA that will send all mail to an inside box
unless this will be your mail gateway [separate project], rsync too.
Come up with one /etc/hosts file that lists all your boxes and put it on
all boxes (I use rsync or the shell-link in mc for this, both use ssh).
Install shorewall-doc on any of your workstations so that you can read
up on how to set up shorewall to do your routing.
If all is well, you should be able to ping any box by name from any box.
You should be able to ssh into any box from your internal boxes, by
name.
The two things in this setup that I don't know anything about are using
wireless and dhcp (for the high-speed modem).  Other than those two
points, this really is trivial to set up; the most time-consuming part is
reading the shorewall documentation.
You should also read the harden-doc.  The most important is to ensure
that the firewall isn't listening on the outside interface to anything
that you don't need.  Unless you want to ssh in from the internet, you
shouldn't need any services listening on the outside interface.
Anything that _can't_ be so set will be caught by shorewall.
A nice touch to add would be ntp on all boxes with the firewall syncing
with a timeserver and your internal boxes syncing with the firewall.
Good luck,
Doug.
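The three-network layout Doug sketches (eth0 to the modem, eth1 wireless, eth2 wired LAN with the Vonage box), written out as a Shorewall configuration. This is an added example, not part of the original mail or of the shorewall package; it assumes the Shorewall 4.x column layout for the files under /etc/shorewall, a DHCP-assigned address on eth0, and the 192.168.2.0/24 and 192.168.3.0/24 internal ranges from the mail. The net zone gets no access to the firewall at all, which is the "nothing listening on the outside interface" point above, and only the wired LAN may ssh to the firewall.

```conf
# /etc/shorewall/shorewall.conf (only the settings that matter here)
STARTUP_ENABLED=Yes
IP_FORWARDING=On

# /etc/shorewall/zones  -- one zone per network, plus the firewall itself
#ZONE   TYPE
fw      firewall
net     ipv4
wifi    ipv4
loc     ipv4

# /etc/shorewall/interfaces  -- map zones to the NICs from the mail
#ZONE   INTERFACE  BROADCAST  OPTIONS
net     eth0       detect     dhcp,tcpflags,nosmurfs,routefilter
wifi    eth1       detect     tcpflags,nosmurfs
loc     eth2       detect     tcpflags,nosmurfs

# /etc/shorewall/policy  -- first matching line wins
# Inside networks may reach the internet; the internet reaches nothing.
#SOURCE  DEST   POLICY   LOG LEVEL
loc      net    ACCEPT
wifi     net    ACCEPT
$FW      net    ACCEPT
$FW      loc    ACCEPT
$FW      wifi   ACCEPT
net      all    DROP     info
all      all    REJECT   info

# /etc/shorewall/rules  -- exceptions to the policy above
# ssh to the firewall only from the wired LAN, never from wireless or net
#ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT   loc     $FW   tcp    22
# internal boxes sync their clocks with the firewall (ntp)
ACCEPT   loc     $FW   udp    123
ACCEPT   wifi    $FW   udp    123
# ping by name from any inside box to the firewall and across the LANs
ACCEPT   loc     $FW   icmp   8
ACCEPT   wifi    $FW   icmp   8
ACCEPT   loc     wifi  icmp   8
ACCEPT   wifi    loc   icmp   8
# ssh between the wired and wireless LANs, as the mail expects
ACCEPT   loc     wifi  tcp    22
ACCEPT   wifi    loc   tcp    22

# /etc/shorewall/masq  -- NAT both inside networks out through eth0
#INTERFACE  SOURCE
eth0        192.168.2.0/24
eth0        192.168.3.0/24
```

Run `shorewall check` before `shorewall start` so a column mistake is reported instead of leaving the box without a firewall; on Debian also set `startup=1` in /etc/default/shorewall.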