Linux router howto - not just NAT

 
 
Terence Parker

 
      12-22-2003, 12:04 AM
I'm trying to setup a linux box as a router - not just for simple NAT and
firewalling, but so that I can plug it directly into a line from an ISP that
offers a whole IP block. However, the ISP doesn't loan out routers, so I
wish to do this with a linux box instead. I know that this can be done (i.e.
configure the box to 'forward' any of the IP's to internal machines) - but
don't know where to look. What is this type of routing called?

I have done a search on 'linux router' online, but this keeps coming up with
the linux router project - which appears to be no more now! Besides, I want
to find out where to do it manually... not just use some fancy distro or
GUI.

Anyone have any pointers?

Thanks!

Terence


 
jack

 
      12-22-2003, 08:46 AM
Terence Parker wrote:
> I'm trying to setup a linux box as a router - not just for simple NAT and
> firewalling, but so that I can plug it directly into a line from an ISP that
> offers a whole IP block. However, the ISP doesn't loan out routers, so I
> wish to do this with a linux box instead. I know that this can be done (i.e.
> configure the box to 'forward' any of the IP's to internal machines) - but
> don't know where to look. What is this type of routing called?


Well, it's called "routing"... - Just kidding, but there's absolutely
nothing unusual about this. The most important thing is - of course -
setting up and maintaining Your kernel's routing tables.

I recommend reading the Networking-HowTo, from where You can get the
basics about all this. Then "man route" will tell You how to fiddle
around.


> I have done a search on 'linux router' online, but this keeps coming up with
> the linux router project - which appears to be no more now! Besides, I want
> to find out where to do it manually... not just use some fancy distro or
> GUI.


I think You're making things appear too complicated. What You describe
above is just some very basic routing issue. IMHO, NATting is by far
more complex, but even this is no longer a major thing to do, nowadays.
And if You say that You do NAT and firewalling, You're more than close
to Your goal.


Cheers, Jack.

--
----------------------------------------------------------------------
My personal reading of the string "MicroSoft" expands to "NanoWeak"...

 
 
Leon.

 
      12-22-2003, 01:38 PM

"Terence Parker" wrote:
> I'm trying to setup a linux box as a router - not just for simple NAT and
> firewalling, but so that I can plug it directly into a line from an ISP that
> offers a whole IP block. However, the ISP doesn't loan out routers, so I
> wish to do this with a linux box instead. I know that this can be done (i.e.
> configure the box to 'forward' any of the IP's to internal machines) - but
> don't know where to look. What is this type of routing called?



IP forwarding, or routing. It's what you get when you turn the firewalling
off.





> I have done a search on 'linux router' online, but this keeps coming up with
> the linux router project - which appears to be no more now!


Smoothwall would replace "linux router project".

> Besides, I want
> to find out where to do it manually... not just use some fancy distro or
> GUI.
>
> Anyone have any pointers?


Start with ethernet interface
Give the interface an IP address and netmask from the ISP allocated block -
the IP address can be the same as the PPP interface gets... A route should
appear automatically .. if not
then 'route add -net networkaddress netmask dev eth0'

PPP/PPPoE will setup the IP address and default route ...

Then turn on ip forwarding with 'echo 1 > /proc/sys/net/ipv4/ip_forward'...

Then make sure the firewall rules do not restrict traffic that you wish to
allow.
Especially turn off the NAT/masquerading rules, which would make all
internal PC's share the same IP address





>
> Thanks!
>
> Terence
>
>



 
 
Terence Parker

 
      12-22-2003, 02:41 PM
Hmm... thanks guys for the replies - I appreciate the help. Perhaps I wasn't
clear enough though in my first post?

I currently already have a machine that does NAT in the office - taking in
the line from the ISP on eth0 and then carrying out NAT over the internal
interface eth1. However, I now want to do more than that.

My ISP has given me a block of several IP addresses - but no router. I will
plug one network interface into the line direct to the ISP (it's not PPPoE -
just straight through TCP/IP... it's FTTB here), and then the internal NIC
will interface with the office switch. I want the linux server configured
such that for any computer plugged into the switch, it can either grab an
internal address through DHCP (easy enough - doing that already) - OR the
user can manually configure a real IP on that computer, and as such that
would bypass the firewall and everything (though actually, it's still going
through the linux server, which is simply transparently forwarding real IP's
to the internal network). This is basically what a router does I gather -
but I don't have one of those things.

As a bonus - but one thing at a time - I actually have two incoming lines
from two separate ISP's, each with a block of several IP addresses. Ideally
I want the said server to connect to both ISP trunks (the PC has three
NIC's), thus allowing users on the internal network to tap in IP addresses
from either of the two networks. But I'll worry about that a bit later.

Does this help clear things up a bit?

Thanks,

Terence


> Start with ethernet interface
> Give the interface an IP address and netmask from the ISP allocated block -
> the IP address can be the same as the PPP interface gets... A route should
> appear automatically .. if not
> then 'route add -net networkaddress netmask dev eth0'
>
> PPP/PPPoE will setup the IP address and default route ...
>
> Then turn on ip forwarding with 'echo 1 > /proc/sys/net/ipv4/ip_forward'...
>
> Then make sure the firewall rules do not restrict traffic that you wish to
> allow.
> Especially turn off the NAT/masquerading rules, which would make all
> internal PC's share the same IP address



 
 
jack

 
      12-23-2003, 11:13 AM
Terence Parker wrote:
> Hmm... thanks guys for the replies - I appreciate the help. Perhaps I wasn't
> clear enough though in my first post?
>
> I currently already have a machine that does NAT in the office - taking in
> the line from the ISP on eth0 and then carrying out NAT over the internal
> interface eth1. However, I now want to do more than that.
>
> My ISP has given me a block of several IP addresses - but no router. I will
> plug one network interface into the line direct to the ISP (it's not PPPoE -
> just straight through TCP/IP... it's FTTB here), and then the internal NIC
> will interface with the office switch. I want the linux server configured
> such that for any computer plugged into the switch, it can either grab an
> internal address through DHCP (easy enough - doing that already) - OR the
> user can manually configure a real IP on that computer, and as such that
> would bypass the firewall and everything (though actually, it's still going
> through the linux server, which is simply transparently forwarding real IP's
> to the internal network). This is basically what a router does I gather -
> but I don't have one of those things.
>
> As a bonus - but one thing at a time - I actually have two incoming lines
> from two separate ISP's, each with a block of several IP addresses. Ideally
> I want the said server to connect to both ISP trunks (the PC has three
> NIC's), thus allowing users on the internal network to tap in IP addresses
> from either of the two networks. But I'll worry about that a bit later.
>
> Does this help clear things up a bit?


Well, if that is what You really want to do...

If I get You correctly, You want Your linux box to do firewalling/NAT
for those clients in Your subnet that have private IP addresses. --
You're doing that already, so there's no problem.

Then, You want Your router to simply forward traffic to and from clients
in Your local net that have one of the public IPs.

You can simply do that. With iptables, You should already have a rule
that NATs all traffic from the inside. This rule should have both the
internal interface plus Your local private IP range in it.

Then, simply add one more rule that will only forward IP addresses from
Your public IP block back and forth.

I'm not sure whether this is a good idea at all, but if this is what
You want, I really cannot see where Your problem is.

Anyways, as for the routing, You should tell Your linux router that
both the internal subnet plus Your assigned IP range is available via
Your internal NIC, and all others via Your external one. The clients
must use Your router as the default gateway, no matter which IP they
have. And, the clients themselves must know that Your range of IPs is
local.


Hope this points You into the direction,

Cheers, Jack.

--
----------------------------------------------------------------------
My personal reading of the string "MicroSoft" expands to "NanoWeak"...

 
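The split jack describes above (NAT for the private range, plain forwarding for the public block) and Leon's earlier point about keeping masquerading away from the public addresses, written out as a generator for an iptables-restore ruleset. This is an added example, not part of any post in the thread; eth0/eth1 follow Terence's description, while the address ranges and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a router that NATs a
# private LAN range and routes a public block without NAT.
# The address ranges used below are constructed sample values.

# Accept only text made of digits, dots and exactly one inner slash,
# so a malformed range cannot add extra rule text to the output.
is_cidr() {
    case "$1" in
        *[!0-9./]*|*/*/*|/*|*/|'') return 1 ;;
        */*) return 0 ;;
        *) return 1 ;;
    esac
}

# gen_ruleset WAN_IF LAN_IF PRIVATE_CIDR PUBLIC_CIDR
# Loading the output with iptables-restore replaces the nat and filter tables.
gen_ruleset() {
    wan=$1 lan=$2 priv=$3 pub=$4
    is_cidr "$priv" && is_cidr "$pub" || return 1
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
# NAT only the private range; POSTROUTING can match the outgoing interface only.
-A POSTROUTING -s $priv -o $wan -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Outbound from both inside ranges; any other source on the LAN side is dropped.
-A FORWARD -i $lan -o $wan -s $priv -j ACCEPT
-A FORWARD -i $lan -o $wan -s $pub -j ACCEPT
# Unsolicited inbound reaches the public block only; narrow with -p/--dport.
-A FORWARD -i $wan -o $lan -d $pub -j ACCEPT
COMMIT
EOF
}

# Constructed sample values; review the output before loading it.
gen_ruleset eth0 eth1 192.168.1.0/24 203.0.113.0/28
```

Hosts that take an address from the public block are reachable from outside on every port with this ruleset, so the last FORWARD rule is the one to tighten per host or per service.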
 
Antoine EMERIT

 
      12-23-2003, 11:48 AM
"Terence Parker" wrote:
> I'm trying to setup a linux box as a router - not just for simple NAT
> and firewalling,


NAT is "just simple", this is a special function of a router. So you
already have a router.

> but so that I can plug it directly into a line from
> an ISP that offers a whole IP block. However, the ISP doesn't loan out


Cool, but what is your physical line type ? An ethernet connection ? a
leased line (G707, ...) ? ... Do you have an ADSL modem ? ...

Depending on this, you should have a card on your computer with the
corresponding physical interface.

Next your ISP should "route" these IPs to your Linux router, and so you
should have your router ip address, that you will set to your linux box.

Then you can fill your linux routing table with the other ips :

- use the "route add ..." command to add route entries
- set the ip of the "internal" servers with the ips.

If your ISP doesn't set your router as router for the ips block, but
'simply' sends the traffic on your 'line', you should use a different
approach :

- use the 'ifconfig' command to add all ips on the router (on the
  same interface)
- use the 'iptables' (linux kernel 2.4.x) to transparently forward
  the traffic to internal servers
- set the internal server ip with private ips (192.168.x.x or
  10.x.x.x)


For full documentation, have a look at The Linux Document Project :

http://tldp.org


Regards

 
 
Terence Parker

 
      12-24-2003, 03:07 AM
Thanks again for all the replies.

I have now managed to solve my problem, albeit with a completely
different approach. Actually it's probably my fault - I assumed this
would be an 'iptables' issue and asked the wrong question right from
the beginning. I didn't realise myself that I was doing the equivalent
of looking for vegetables in a computer mall.

The answer to my woes : bridging.

Basically, I have two incoming Internet connections from two different
ISP's - one providing me a block of 3 IP addresses, the other a block
of 12. The incoming wires can be connected directly to a
computer/server (as it is now), with the real IP's assigned (actually,
two servers: one for each line). Workstations connect through NAT
through either of these servers. The problem is that there is no way
for me to assign real IP's to anything else since there is only one
incoming line.

Presumably, I could have connected both incoming lines into a switch -
and then designated that switch a 'real ip' switch. Then anything
plugged into that switch can use a real IP. That would have been much
easier - should I just have done that? Would there be any
disadvantages to having done that?

Instead, I have a computer with three NIC's and have plugged in both
of those incoming ISP connections, as well as another connection to
the above said switch. Using bridging tools, I have bridged the three
connections together and output it back out to the switch. Considering
that bridges are entirely transparent - presumably this is exactly the
same as I could have achieved above? Except now I'm unnecessarily
wasting more electricity!!

But anyways, at least now everyone should be clear on what it was that
I was going on about.

Thanks again,

Terence


> Cool, but what is your physical line type ? An ethernet connection ? a
> leased line (G707, ...) ? ... Do you have an ADSL modem ? ...
>
> Depending on this, you should have a card on your computer with the
> corresponding physical interface.
>
> Next your ISP should "route" these IPs to your Linux router, and so you
> should have your router ip address, that you will set to your linux box.
>
> Then you can fill your linux routing table with the other ips :
>
> - use the "route add ..." command to add route entries
> - set the ip of the "internal" servers with the ips.


--snip--
 