Talk:Home Router

From Gentoo Wiki


Talk status
This discussion is still ongoing.

I encountered problems with NAT and PPPoE: some request responses never finished or loaded endlessly.

My solution was to fix the MTU with the following rule:

root # iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

just before:

root # iptables -I FORWARD -i ${LAN} -d ${LAN_NET} -j DROP

root # iptables -A FORWARD -i ${LAN} -s ${LAN_NET} -j ACCEPT

root # iptables -A FORWARD -i ${WAN} -d ${LAN_NET} -j ACCEPT

root # iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
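The clamping rule above works by rewriting the MSS option of every forwarded SYN so that segments fit the PPPoE path MTU. As an added illustration that is not part of the original post, here is a small Python model of what the TCPMSS target does to a packet; the sample SYN (addresses, ports and options) is constructed, and the PPPoE MTU of 1492 is an assumption.

```python
import struct

IPV4_TCP_OVERHEAD = 40  # 20-byte IPv4 header + 20-byte TCP header without options

def tcp_checksum(ip_hdr: bytes, tcp: bytes) -> int:
    """One's-complement sum over IPv4 pseudo-header + segment; 0 when verifying a valid one."""
    data = ip_hdr[12:20] + struct.pack("!BBH", 0, 6, len(tcp)) + tcp
    if len(data) % 2: data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def mss_offset(tcp: bytes):
    """Offset of the 16-bit MSS value inside the TCP options, or None if absent."""
    i, end = 20, (tcp[12] >> 4) * 4
    while i < end and tcp[i] != 0:                # kind 0 ends the option list
        if tcp[i] == 1:                           # kind 1 is NOP padding
            i += 1
        elif tcp[i] == 2 and tcp[i + 1] == 4:     # kind 2, length 4 is MSS
            return i + 2
        else:
            i += tcp[i + 1]
    return None

def read_mss(tcp: bytes):
    off = mss_offset(tcp)
    return None if off is None else struct.unpack_from("!H", tcp, off)[0]

def clamp_syn_mss(packet: bytes, pmtu: int) -> bytes:
    """What TCPMSS --clamp-mss-to-pmtu does: cap a SYN's MSS at pmtu - 40, fix the checksum."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr, tcp = packet[:ihl], bytearray(packet[ihl:])
    off = mss_offset(tcp)
    if not tcp[13] & 0x02 or off is None:        # not a SYN, or no MSS option: untouched
        return packet
    limit = pmtu - IPV4_TCP_OVERHEAD              # PPPoE: 1492 -> 1452
    if struct.unpack_from("!H", tcp, off)[0] > limit:
        struct.pack_into("!H", tcp, off, limit)
    struct.pack_into("!H", tcp, 16, 0)            # zero, then recompute the TCP checksum
    struct.pack_into("!H", tcp, 16, tcp_checksum(ip_hdr, bytes(tcp)))
    return ip_hdr + bytes(tcp)

def build_syn(mss: int, flags: int = 0x02) -> bytes:
    """Constructed sample: 192.168.1.10 -> 192.168.0.1 with options MSS, NOP, NOP, SACK-permitted."""
    opts = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01\x04\x02"
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, (5 + len(opts) // 4) << 4, flags, 64240, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 0, 1]))
    return ip + tcp[:16] + struct.pack("!H", tcp_checksum(ip, tcp)) + tcp[18:]
```

A SYN advertising MSS 1460 leaves with 1452 and a valid checksum, while non-SYN segments and SYNs already below the limit pass through unchanged.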

Update supported kernels

Talk status
This discussion is still ongoing.

This guide only supports ancient Linux kernels (2.4/2.6): "Router is running Linux 2.4 or 2.6; other versions of the kernel are not supported by this guide"

Someone with appropriate knowledge (not me, unfortunately...) should update the guide and use the latest kernels available.

--Fturco (talk) 09:59, 21 March 2017 (UTC)

I will work on updating it. Should not be too bad, there are not very many options in this article. --Maffblaster (talk) 00:30, 15 April 2017 (UTC)

Basic router setup script

Talk status
This discussion is still ongoing.

While reading this guide I decided to put the fundamental parts in a bash script. In case it is useful to someone, I post it below. Note: this script misses several things, most notably the hostapd configuration in case a WLAN interface is used. It makes several assumptions regarding networks. Also, my knowledge of Gentoo and OpenRC is not exhaustive.

FILE (unknown)

#!/bin/bash
set -e # Stop execution when any command fails

### Change as needed
NET_CONFIG="1" # Whether to apply any network interface configuration at all
WLAN="1"       # Indicates if LAN interface is wireless
CONFIG_WAN="0" # Whether WAN should be configured or not

# The following variables are used below but their assignments were not
# preserved in the posted script; the values here are placeholders to adjust
LAN="wlan0"               # LAN-side interface
WAN="eth0"                # WAN-side interface
LAN_NET="192.168.1.1/24"  # router's LAN address with prefix length (iptables masks it to the network)
WAN_IP_PREFIX="192.168.0" # first three octets of the WAN /24: router gets .2, gateway/DNS is .1
RESOLV="/etc/resolv.conf"

function net_config {
    if [[ ${CONFIG_WAN} == "1" ]]; then
        # Assuming a /24 subnet for WAN + static IP
        # WAN interface configuration + DNS (in case it has not been configured yet)
        cat >> /etc/conf.d/net.${WAN} <<EOF
config_${WAN}="${WAN_IP_PREFIX}.2 netmask 255.255.255.0 brd ${WAN_IP_PREFIX}.255"
routes_${WAN}="default via ${WAN_IP_PREFIX}.1"
EOF
        if ! grep -q "${WAN_IP_PREFIX}.1" "${RESOLV}"; then
            echo "nameserver ${WAN_IP_PREFIX}.1" >> "${RESOLV}"
        fi
    fi

    # LAN interface config
    if [[ ${WLAN} == "1" ]]; then
        # Disable WLAN client modules (hostapd drives the interface as an access point)
        echo "modules_${LAN}='!iwconfig !wpa_supplicant'" >> /etc/conf.d/net.${LAN}
    fi
    echo "config_${LAN}=\"${LAN_NET}\"" >> /etc/conf.d/net.${LAN}

    # Set OpenRC init scripts of network interfaces to depend on iptables initscript
    echo 'rc_need="iptables"' >> /etc/conf.d/net.${LAN}
    echo 'rc_need="iptables"' >> /etc/conf.d/net.${WAN}
}

if [[ ${NET_CONFIG} == "1" ]]; then net_config; fi

## Packages
# Install necessary packages and start on boot
pkgs="dnsmasq net-misc/dhcpcd iptables"
if [[ ${WLAN} == "1" ]]; then pkgs="${pkgs} hostapd"; fi
emerge --ask -n ${pkgs}
rc-update add dnsmasq default
rc-update add iptables default
if [[ ${WLAN} == "1" ]]; then rc-update add hostapd default; fi

# dnsmasq config (back up the file shipped with the package first)
mv /etc/dnsmasq.conf /etc/dnsmasq.conf.bak_$(date -I)
cat > /etc/dnsmasq.conf <<EOF
# dnsmasq settings (listening interface, DHCP range) were not preserved in the
# posted script; fill them in here
EOF

## iptables
# Flush tables
iptables -F
iptables -t nat -F

# Set default policy. Note that INPUT stays ACCEPT, so anything not explicitly
# dropped below (e.g. services on ports above 1023) is reachable from the WAN
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP

# LAN services: accept everything from the LAN and loopback; refuse DHCP (bootps)
# and DNS (domain) requests arriving on any other interface
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p udp --dport bootps ! -i ${LAN} -j REJECT
iptables -A INPUT -p udp --dport domain ! -i ${LAN} -j REJECT

# Allow SSH access from WAN (this exposes sshd to the Internet; key-only
# authentication is advisable)
iptables -A INPUT -p tcp --dport ssh -i ${WAN} -j ACCEPT

# Drop packets to privileged ports (0-1023) arriving on anything but the LAN
iptables -A INPUT -p tcp ! -i ${LAN} --dport 0:1023 -j DROP
iptables -A INPUT -p udp ! -i ${LAN} --dport 0:1023 -j DROP

# NAT rules: never forward LAN traffic back into the LAN, forward LAN -> WAN,
# accept WAN -> LAN (stateless; a conntrack ESTABLISHED,RELATED match would be
# stricter), and rewrite the source address of outgoing packets
iptables -I FORWARD -i ${LAN} -d ${LAN_NET} -j DROP
iptables -A FORWARD -i ${LAN} -s ${LAN_NET} -j ACCEPT
iptables -A FORWARD -i ${WAN} -d ${LAN_NET} -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

# Enable routing in kernel (immediately; sysctl.conf below makes it persistent)
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > "$f" ; done

# Save config
/etc/init.d/iptables save

if ! grep -q 'net.ipv4.ip_forward = 1' /etc/sysctl.conf; then
    cat >> /etc/sysctl.conf <<EOF
# Necessary for IP routing
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
EOF
fi

echo "Finished."