Linux as SOHO Router

an article added by: Philip A Clare at 04092007


In: Categories » Computers and technology » Linux » Linux as SOHO Router

SOHO stands for Small Offices and Home Offices, and usually refers to situations where there exists just one computer at home to a few computers in a small office.
There is a very large offer of SOHO routers on the market nowadays from various manufacturers, but from what I've tested, most of them do the same basic things (NAT, DHCP, and some port filtering). They are less expensive than any computer, but if you have an old computer that you are about to throw away, you can easily install Linux on it and make it your own SOHO router having the advantage of higher flexibility at zero cost.
Usually, a SOHO router has a WAN port that is an Ethernet port where the provider connection must be plugged in. The Provider's CPE (Customer Premises Equipment) can be of any type (xDSL modem, wireless bridge, cable modem, fiber optic media converter) that can provide an Ethernet connection. SOHO routers usually have four to eight Ethernet ports for the LAN. This is basically a small four-to-eight-port switch that's built in the SOHO router. Some SOHO routers also have a wireless access point chipset that is bridged to the built-in switch.
Our computer that will run Linux and act as SOHO router must have two Ethernet cards, one for the WAN function of a SOHO router into which the provider's CPE is plugged, and one for the LAN. If you want the LAN to be wired and wireless, the Ethernet interface for the local network will be plugged into an access point with a built-in switch. However it is, everything is basically a LAN (wired, wireless, bridged, or switched); so, from the firewall point of view, it doesn't really matter what we use at the first and second layers of the OSI model (access points, hubs, switches).
The provider usually assigns us a public IP address that can be either statically assigned or dynamically assigned using DHCP or PPPoE. Linux has support for PPPoE; this can be downloaded from http://www.roaringpenguin.com/pppoe/.

Setting Up the Network

When setting up the local network, we must use a range of private IP addresses. In this example, we will use the private class C network 192.168.1.0/24; so, the best thing to do would be to assign the IP address 192.168.1.1 on the Ethernet interface eth1 on our Linux router.

router:~#ifconfig eth1 192.168.1.1 netmask 255.255.255.0 up

In order to create a proper firewall for all devices behind NAT, we should assign them static IP addresses. However, we might want to use DHCP for the gaming device and for the laptop. To do that, first, we need to install the DHCP server. This is a distribution-specific task. For example, on Debian we run the following commands:

router:~# apt-get install dhcp
Reading Package Lists... Done
Building Dependency Tree... Done
The following NEW packages will be installed:
Dhcp

Next, we need to set up the DHCP server. We want to let the laptop acquire IP addresses from 192.168.1.2 to 192.168.1.10, for example. We set up a range just in case we have some friends visiting with their laptops. In the /etc/dhcpd.conf file, we need to enter the following text:

subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.2 192.168.1.10;
option domain-name-servers provider.assigned.me.one;
option routers 192.168.1.1;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
default-lease-time 600;
max-lease-time 7200;
}

For the printer, desktop computer, and the children's computer, we want to assign them the same IP addresses every time. We find out the MAC addresses for each one, and, based on their MAC address, we assign them IP addresses by writing in the /etc/dhcpd.conf the following lines:


host children {
hardware ethernet 02:03:04:05:06:07;
fixed-address 192.168.1.55;
option name-servers provider.assigned.me.one;
option routers 192.168.1.1;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
}
host desktop {
hardware ethernet 02:03:04:05:06:08;
fixed-address 192.168.1.11;
option name-servers provider.assigned.me.one;
option routers 192.168.1.1;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
}
host printer {
hardware ethernet 02:03:04:05:06:09;
fixed-address 192.168.1.100;
option name-servers provider.assigned.me.one;
option routers 192.168.1.1;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
}
host Xbox {
hardware ethernet 02:03:04:05:06:10;
fixed-address 192.168.1.200;
option name-servers provider.assigned.me.one;
option routers 192.168.1.1;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
}

Now, we need to edit the /etc/init.d/dhcp script and set the interface to eth1:

# Defaults
INTERFACES="eth1"

and start the DHCP server by running the /etc/init.d/dhcp script with the start argument.

At this point, we have:

  • The Linux router has a public IP address on eth0, the private IP address on eth1 192.168.1.1, and DHCP running.
  • The laptop acquires a private IP address from the range 192.168.1.2-192.168.1.10.
  • The desktop computer always acquires the private IP address 192.168.1.11.
  • The children's computer always acquires the private IP address 192.168.1.55.
  • The network printer always acquires the private IP address 192.168.1.100.
  • The gaming device always acquires the private IP address 192.168.1.200.

Defining the Security Policy

Before building up any firewalls, we have to decide what the firewall must do by creating a security policy that can be from a document (recommended) to a piece of paper, or some thoughts in our heads.
For the simple and very common network just discussed, we can decide the following simple rules:

  • The gaming device can access anything on the Internet. Also, we want to host games on it using GameSpy Arcade.
  • The network printer must be accessed only from inside our network.
  • The children must use the computer to browse the Internet and use Yahoo! Messenger. We don't want them to be able to access porn content or download viruses. We also don't want to let them use P2P software; so basically we limit their access to the Web and Yahoo! messenger.
  • The laptop and guests laptops can access anything on the Internet (we don't want to be rude and deny them access to xxx sites, for example).
  • The desktop can access anything. Also, we want to be able to log in on the desktop computer from outside using VNC (Virtual Network Computing).
  • The Linux router must run SSH so that we can log in to it from the internal network and from the office.

The most difficult thing from our list is to perform all those restrictions for the children's computer. To be able to block porn sites and viruses, we must use a proxy server and make it transparent.

legal notice

Our website is not responsible for the information contained by this article. Web-articles is a free articles resource.
Suggestion: If you need fresh, daily updated content for your website, feel free to use our service. Click here for more information.

Useful tools and features

Link to this article from your page    Send this article to you or to a friend
If you like this article (tutorial), please link to it from your web page using the information above.

related articles

1. IP Supernetting or CIDR
CIDR stands for "Classless Inter-Domain Routing". It is a new addressing scheme for the Internet, intended to replace the old classful (Class A, B, C) address scheme. CIDR allows a more efficient allocation of IP addresses and uses routing aggregation for minimizing the routing table entries, and is also called supernetting. A recapitulation of classful IP addressing shows us the following: Address ...

2. Linux Security Threats
Creating firewalls may block some malicious attempts on your network, but this step is far from running an entirely secure network. As a network administrator or security consultant, to design a proper firewall for your network you need to know what you defend your network from. We cannot fully discuss this topic, even in 1000 pages, but we want to explain some principles that you should consider in running a safe network. As hard as it may seem to protect your network from the outside world, the most dangerous threats always come f...

3. IP Spoofing
An attacker might spoof a trusted IP address when communicating to a host in order to gain unauthorized access on that host. There are a variety of tools that can be found on the Internet to do IP spoofing. Using IP spoofing, attackers can also initiate Denial of Service by sending data with the source IP spoofed to the attacked IP address. The receiver then sends back replies that can contain large amounts of data to the attacked IP address resulting in...

4. BIND Domain Name System DNS
BIND (Berkley Internet Name Domain) is the most used DNS server on the Internet. Nowadays, every Linux distribution has a BIND package for DNS services. The problem with BIND and any DNS server is that in order to be able to translate names into IP addresses it has to communicate with a whole lot of other DNS servers, and so, filtering DNS packets is not possible. DNS services are vital for internet connection; so in order to disrupt services to victims, attackers have a great interest in bringing down DNS servers. Although BIN...

5. Simple Network Management Protocol SNMP
These days, most network devices use SNMP for remote monitoring and configuration. SNMP is a simple protocol used usually to create monitoring software that can retrieve information such as network traffic, CPU load, disk load, etc., and also to modify configuration of devices such as wireless equipment, broadband routers, etc. Most SNMP implementations on those kinds of network devices use version 1 or version 2, which have a very weak authentication method. SNMP version 1 contains a set of bugs in the way SNMP traps and reques...

6. Firewalls, netfilter/iptables
The two things needed to build firewalls and Quality of Service (QoS) with Linux are two packages named netfilter and iproute. While netfilter is a packet filtering framework included in the Linux kernels 2.4 and 2.6, iproute is a package containing a few utilities that allow Linux users to do advanced routing and traffic shaping. This article is intended to introduce the tools we will use throughout this article. However, netfilter ...

7. Iptables Target Specifications in Linux
For the filter table, the most used targets for firewall rules are DROP and ACCEPT. If a rule matches the filtering specifications and has a DROP target, the packet will simply be discarded. If a packet matches a rule with a DROP target, the Linux kernel will drop the packet without consulting other rules in the firewall. If the target is ACCEPT, then the packet is accepted without further consultation of other firewall rules. An alternative to DROP is the REJECT target, which drops the packet but sends an ICMP packet to the sou...

8. A Basic Firewall Script, Linux as a Workstation
So far, we've learned mostly about the usage of iptables filtering options. I will now build up a small firewall script that I think should be default when installing any Linux distribution. By default, all Linux distributions have the default policy ACCEPT on all filter chains. Also, on a default installation, most Linux distributions leave a lot of services running. If you install an old Linux distribution and decide to go for lunch after you have just booted up without any firewall and with a public IP address, good chances a...

9. NAT and Packet Mangling with iptables
In the first part of this article we will learn how to perform Network Address Translation (NAT) and Port Address Translation (PAT), also referred to as Network Address and Port Translation (NAPT), with iptables. After that, we will learn what packet mangling is and how to mangle packets. A Short Introduction to NAT and PAT (NAPT) According to the way TCP/IP works, in order for hosts to communicate on the Internet, each must have a unique IP address. However, due to the shortage of public IP ad...