8.27.2015

Setting up an Ubuntu router

Over the last week I scratched a geeky itch that I'd been having for a while.  I wanted to move away from using SOHO networking equipment.  Instead I configured a Linux-based PC to act as a router/firewall/DNS/DHCP server and another Linux box to be a media server.  This post will cover the setup procedure for the router box.

During the process I learned a lot about networking.  In the past I have always been able to avoid iptables, but this time I could not.  I bit the bullet and decided to read up on how iptables works instead of just blindly copying and pasting commands and crossing my fingers.  What did I learn?  iptables really isn't that difficult conceptually; it's just not explained well by most tutorials on the internet.  I won't try to explain it in detail in this post.  Here is a link to a site that explains it really well.  Specifically, see section 3 for details about how packets actually traverse the iptables tables and chains.  Reading that section first will help you understand the commands you will input later.

Here is a basic list of functionality that my router needed to have in order to be a viable replacement for my current SOHO wifi router:
  • NAT routing
  • firewall
  • DHCP
  • DNS
  • OpenVPN 
Additionally, my router is configured to handle the PPPoE connection to my DSL provider.  This step is only necessary if you have DSL or some other service that uses PPPoE to connect.  As a bonus feature, I also set up a script to automatically update dynamic DNS with the current external IP address of the router.

First, I recommend configuring your new router without exposing it to the internet.  Plug the WAN port of your new router into your existing LAN, and plug another computer into the LAN port of the new router.  This way you will be able to test all of your configuration without taking down your internet connection, and nothing on the internet can reach the box before its firewall is in place.

This guide assumes some familiarity with Linux and a basic knowledge of networking.  I'm not going to go through the OS install process; there is an excellent guide for that here.  During the install process, make sure you install the OpenSSH server package.  This will make getting started a little easier.

The first thing you'll want to do post-installation is rename your NICs.  This guide assumes a dual-NIC setup, though you could certainly have more.  This part is tricky.  My machine assigned eth1 to the built-in NIC and eth0 to the add-in card.  This is counterintuitive, not to mention not very self-explanatory.  Edit the file /etc/udev/rules.d/70-persistent-net.rules and change the NAME value at the end of the line for each NIC.  Match each rule to a physical port by its MAC address (the ATTR{address} value): compare it with the HWaddr that ifconfig shows, unplugging and replugging a cable while watching ifconfig if you are unsure which port is which.  (On releases that use systemd's predictable interface names, 15.10 and later, this file is not generated for you; a hand-written udev rule keyed on ATTR{address} with a NAME= entry like the ones below still works, as does a systemd .link file.)

# PCI device 0x10ec:0x8168 (r8169)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="e8:de:27:04:19:00", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="LAN"

# PCI device 0x10ec:0x8168 (r8169)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:1f:bc:03:bd:6e", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="WAN"
Restart the machine to apply these changes.  Next you'll need to adjust your network interface IP configuration.  Install the bridge-utils package (the bridge_ports option below depends on it), then edit /etc/network/interfaces with your favorite editor.  Notice that the LAN interface does not have an IP address.  Rather, the LAN interface is attached to the bridge, which does have an IP address.  Eventually we will attach an OpenVPN TAP interface to this bridge.  We bridge these interfaces because we want the OS to treat the two interfaces as one and move traffic between them without routing.  Never bridge the LAN interface to the WAN interface: that would put your whole LAN directly on the upstream segment, bypassing NAT and the firewall entirely.  One caveat on the file format: ifupdown does not support end-of-line comments in /etc/network/interfaces, so comments must sit on lines of their own, as below.

# The loopback network interface
auto lo
iface lo inet loopback

# WAN side: the address comes from the upstream DHCP server
auto WAN
iface WAN inet dhcp

############# LAN Stuff ###############
# The interfaces below are used on your LAN side.
# The bridge holds the LAN address; you'll need it for OpenVPN later.
# Change the four 10.10.10.x values together if you don't like this subnet.
auto br0
iface br0 inet static
    address 10.10.10.1
    netmask 255.255.255.0
    network 10.10.10.0
    broadcast 10.10.10.255
    bridge_ports LAN

# The physical LAN port has no address of its own; it is only a bridge member
iface LAN inet manual
    up ip link set $IFACE up promisc on
    down ip link set $IFACE down promisc off

After saving your config file, run service networking restart (if that fails to bring the interfaces up, use ifdown and ifup on each interface, or simply reboot).  This will acquire a network address for the WAN interface and set the LAN address to the one specified in the config file.  From the router, try to ping a known address on your existing LAN.  If you get a response, you're doing well.  If you have another machine plugged into the LAN port of the router, try pinging the LAN IP of the router from it.  (You will have to manually set the IP address of the interface on your test machine to be on the same network as the LAN interface of the router, e.g. 10.10.10.2/24, since there is no DHCP server on that side yet.)  If you cannot ping your new router from your test machine, you'll need to fix that before continuing.

Next up, iptables.  First we will run the commands that are needed to create a minimum working NAT router.  If you aren't running as root, type sudo -i now.  Two things to keep in mind: the LAN port is only a bridge member, so at the IP layer traffic from the LAN arrives on br0 and that is the interface iptables sees in the FORWARD chain (a rule with -i LAN would never match); and MASQUERADE lives in the nat table, so the POSTROUTING rule needs -t nat.  Run the following commands:

echo 1 > /proc/sys/net/ipv4/ip_forward # enable IP forwarding until the next reboot (net.ipv4.ip_forward=1 in /etc/sysctl.conf makes it permanent)
iptables -P FORWARD DROP # default deny; without this the "solicited only" rule below is meaningless
iptables -A FORWARD -i br0 -o WAN -j ACCEPT # forward packets from the LAN to the WAN
iptables -A FORWARD -i WAN -o br0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # forward only solicited packets from WAN to LAN

iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o WAN -j MASQUERADE # NAT packets from LAN to WAN

Now you should be able to ping an address on your existing LAN from your test machine, with the packets passing through your router.  Remember that rules entered this way are lost on reboot; they will need to be saved and restored at boot to become permanent.
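Once the minimum rules above work, the natural next step is to turn them into a complete, default-deny ruleset and load it with iptables-restore, so that one typo cannot lock you out half-way through. The script below is an added example, not code from the original post. It assumes (none of this is stated on the page beyond the subnet and interface names) the interface names WAN and br0 and the 10.10.10.0/24 subnet from the interfaces file, that SSH is only ever reachable from the LAN side, and that OpenVPN will listen on UDP 1194 on the WAN side; the VPN itself is not configured here.

```shell
#!/bin/sh
# Added example, not from the original post: build the full ruleset for the
# two-NIC router as an iptables-restore file and load it atomically.
# Assumed (not in the original post): interface names WAN and br0, LAN subnet
# 10.10.10.0/24, SSH only from the LAN, OpenVPN on UDP 1194 on the WAN side.
WAN_IF="${WAN_IF:-WAN}"
LAN_IF="${LAN_IF:-br0}"
LAN_NET="${LAN_NET:-10.10.10.0/24}"
VPN_PORT="${VPN_PORT:-1194}"

# Print the ruleset in iptables-save format. Lines starting with '#' are
# comments to iptables-restore; each table ends with COMMIT.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Translate only what leaves on the WAN side; LAN-to-LAN and VPN traffic stays untouched
-A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j MASQUERADE
COMMIT
*filter
# Default deny for traffic to and through the router; the router's own outbound traffic is allowed
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Services offered to the LAN only: SSH, DNS, DHCP server, ping
-A INPUT -i ${LAN_IF} -p tcp --dport 22 -j ACCEPT
-A INPUT -i ${LAN_IF} -p udp --dport 53 -j ACCEPT
-A INPUT -i ${LAN_IF} -p tcp --dport 53 -j ACCEPT
-A INPUT -i ${LAN_IF} -p udp --dport 67 -j ACCEPT
-A INPUT -i ${LAN_IF} -p icmp -j ACCEPT
# WAN side: OpenVPN, rate-limited ping, and answers to the router's own DHCP client
-A INPUT -i ${WAN_IF} -p udp --dport ${VPN_PORT} -j ACCEPT
-A INPUT -i ${WAN_IF} -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -i ${WAN_IF} -p udp --sport 67 --dport 68 -j ACCEPT
# Forwarding: LAN may go out; WAN may only come back for connections the LAN started
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -j ACCEPT
COMMIT
EOF
}

# Structural checks on the generated text: two tables, each committed, exactly
# one NAT rule, and the LAN-to-WAN forward rule present. Returns 0 when sane.
check_rules() {
    _rules=$(gen_rules)
    [ "$(printf '%s\n' "$_rules" | grep -c '^\*')" -eq 2 ] || return 1
    [ "$(printf '%s\n' "$_rules" | grep -c '^COMMIT$')" -eq 2 ] || return 1
    [ "$(printf '%s\n' "$_rules" | grep -c 'MASQUERADE')" -eq 1 ] || return 1
    printf '%s\n' "$_rules" | grep -q -- "^-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -j ACCEPT" || return 1
}

# Parse first (--test), then load the whole ruleset in one transaction so a
# typo cannot leave the box half-configured, then turn on forwarding.
apply_rules() {
    check_rules || { echo "ruleset failed sanity check" >&2; return 1; }
    gen_rules | iptables-restore --test || return 1
    gen_rules | iptables-restore || return 1
    sysctl -w net.ipv4.ip_forward=1
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    gen_rules
fi
```

Run it with no arguments to print the ruleset for inspection, or as root with `apply` to load it. Saving the printed output as /etc/iptables/rules.v4 and installing the iptables-persistent package reloads it at boot. The port-68 rule on the WAN side is there so the router's own DHCP client keeps receiving answers once INPUT defaults to DROP; if the WAN is a PPPoE link instead, point WAN_IF at the ppp interface.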

It's been over a year since I started writing this article and I don't plan to finish it any time soon.  So yeah, it's incomplete.  Hopefully sometime I will find time to finish writing this.
