How to install a Linux server as a router
1 Table of contents
1 Table of contents
2 Overview
3 Requirements
4 What to do before
5 Installation of RedHat
6 Configure this server as a router
6.1 Configure Ethernet cards
6.2 IP forwarding
6.3 Routing table
7 Remote control
7.1 VNC
7.2 SSH
8 Install a proxy: Squid
8.1 Installation
8.2 Configuration
8.3 Auto start Squid
9 Use iptables for IP filtering
9.1 Why iptables
9.2 Iptables generalities
9.3 How to activate iptables
9.4 How to set up iptables
9.4.1 Types of rules
9.4.2 With Webmin
9.4.3 With the config file
9.5 Some useful commands
10 Setup a VPN with Linux
10.1 PPTP VPN
10.1.1 VPN Client
10.1.2 VPN Server
11 Some useful commands
2 Overview
Why Linux?
- It is a free OS, with free software.
3 Requirements
- PIII 733 MHz
- 512 MB of RAM (for Squid)
- 5 GB of disk
- Red Hat 7.3
4 What to do before
- Put at least 2 network cards in the machine for a simple router, and more if you need them.
5 Installation of RedHat
- select your keyboard type
- for the partitioning, take manual partitioning; you can select:
  - for "/": 1.5 GB
  - for "/boot": 1.5 GB
  - for swap: 1 GB
  - for "/home": the rest of the space
- for the packages to install, you have to select:
  - Windows
  - Gnome (GNU)
  - Firewall
Then let the OS continue its installation.
6 Configure this server as a router
6.1 Configure Ethernet cards
When you have installed RedHat, you can launch startx, which will allow you to use a graphical interface to configure the network cards.
Then you can select your network card, modify the IP address and network mask, and specify that this network card should be activated when the server starts.
To enable your new network configuration, you have to restart networking with this command:
/etc/init.d/network reload
You have to restart networking after every modification of the network configuration (IP address, routing table, ...).
6.2 IP forwarding
To let this server forward IP packets, and so act as a router, you have to modify a file.
Edit:
/etc/sysctl.conf
and change the value of the ip_forward line
net.ipv4.ip_forward from 0 to 1
This file is read at boot time; to apply the change immediately, run sysctl -p.
6.3 Routing table
To configure the routing table, you can edit:
/etc/sysconfig/static-routes
and write the routing table as follows (one route per line: the interface, then the destination network, its netmask and the gateway to use):
eth0 net 192.168.118.0 netmask 255.255.255.0 gw 192.168.202.6
eth0 net 192.168.108.0 netmask 255.255.255.0 gw 192.168.202.6
eth1 net 192.168.91.0 netmask 255.255.255.0 gw 192.168.201.2
eth1 net 192.168.92.0 netmask 255.255.255.0 gw 192.168.201.2
7 Remote control
This can be useful during tests or configuration, but should be used carefully (for security reasons).
7.1 VNC
You can download it from
Take care to choose the version which corresponds to your version of RedHat.
You can put it in /home for example.
Then go into this folder and use this command to install it:
rpm -ivh VNC-3.3.3r2-28.i386.rpm
Then to activate the VNC server, you can use the command
vncserver
If you want the VNC server to start automatically at startup, you can go in the file
/etc/rc.d/rc.local
and then add these lines:
#vncserver
PATH=/usr/local/bin:$PATH
# su -lc <command> <user>: the last word is the account the VNC server runs as
su -lc vncserver root
su -lc vncserver "password"
7.2 SSH
You have to download the packages for:
- the ssh client (openssh-clients-3.1p1-3.i386.rpm)
- the ssh server (openssh-server-3.1p1-3.i386.rpm)
You can download them from
To install the ssh server, you have to:
- install the client
- install the server
Then to activate the ssh server you have to use this command (in /etc/init.d/):
./sshd start
To be able to connect your computer to this SSH server, you have to install an SSH client on your computer, for example:
putty.exe (to download)
8 Install a proxy: Squid
8.1 Installation
You can download it from
When you have downloaded the RPM package, you can install it with this command:
rpm -ivh squid-2.4.STABLE6-6.7.3.i386.rpm
8.2 Configuration
Our configuration is the following:
- Squid receives the requests from the users and redirects all of them to another proxy, which is connected to the Internet.
- Our Squid proxy does not cache.
This is what we added to our configuration to be able to use it as a proxy
(this is a part of the file squid.conf, which allows you to configure Squid):
http_port 80
tcp_outgoing_address 255.255.255.255
cache_peer Our_other_proxy_IP_address parent 80 0 no-query default
never_direct allow all
no_cache deny all
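The fragment above says where Squid listens and where it forwards, but not who may use it. In Squid that is decided by the http_access rules, and the default squid.conf ends with http_access deny all, so clients are refused until an allow rule is added; an allow rule that is too wide turns the router into a proxy usable from the Internet side. The lines below are an added example (not part of the original document or of Squid's own default file); the network range, the port list and the ACL name localnet are assumptions to adapt to your networks:

```conf
# Added example (not part of the original squid.conf above). Addresses and ACL names are assumed.
acl localnet src 192.168.0.0/16      # the client networks behind this router (assumed range)
acl Safe_ports port 80 443           # destination ports clients may request (assumed list)
http_access deny !Safe_ports         # refuse requests to any other destination port
http_access allow localnet           # only internal clients may use the proxy
http_access deny all                 # everyone else, including the Internet side, is refused
```

Order matters: Squid stops at the first http_access line that matches, so the deny all must stay last and the allow for the internal networks must come before it.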
8.3 Auto start Squid
To enable Squid to start automatically, you have to go to:
/etc/rc.d/rc.local
and then add these lines:
#squid
/etc/rc.d/init.d/squid start
9 Use iptables for IP filtering
9.1 Why iptables
iptables is installed by default with RedHat 7.3, and it is simple to set up and to manage.
9.2 Iptables generalities
Rules created with the iptables command are only stored in RAM. If you were to restart your system after setting up various iptables rules, they would be lost and you would need to retype them. If you want particular rules to take effect whenever your system boots, you need to save them to the /etc/sysconfig/iptables file.
To do this, arrange your tables, chains, and rules the way they should be the next time the system boots or iptables is restarted, and type the /sbin/service iptables save command as the root user. This causes the iptables init script to run the /sbin/iptables-save program and write the current iptables configuration to the /etc/sysconfig/iptables file. This file should only be readable by root, so your precise packet filtering rules are not viewable by average users.
The next time the system boots, the iptables init script will reapply the rules saved in /etc/sysconfig/iptables by using the /sbin/iptables-restore command.
While it is always a good idea to test a new iptables rule before committing it to the /etc/sysconfig/iptables file, it is possible to copy iptables rules into this file from another system's version of this file. This allows you to quickly distribute sets of iptables rules to many different machines at once. Simply restart iptables to make the new rules take effect.
9.3 How to activate iptables
If you have set up Webmin, you can activate iptables by going to:
Networking, Linux Firewall, and then choose Setup Firewall
This action will create a file named iptables in /etc/sysconfig/ which will contain all the rules you create with Webmin.
This file will be loaded by iptables at boot time, or when iptables is restarted.
The firewall rules will only be active if the iptables service is running. To start the service manually, use the command:
/sbin/service iptables restart
9.4 How to set up iptables
Here you will find 2 different ways to set up iptables.
I recommend you use Webmin when you set up this firewall (it is more friendly).
But once it is done, deactivate Webmin, and use only SSH or work directly on this server.
9.4.1 Types of rules
3 kinds of rules can be set up:
- Input
Here you have to allow the people who should be able to access this server directly. If it is a router, only the administrator; if it is a mail server, ...
By default put DROP, and add the rules you need.
- Forward
If you use this server as a router between different domains or servers, you can choose who (by IP address) is allowed to reach a particular server. You can specify the destination and/or the source and/or the port.
By default put DROP, and add the rules you need.
- Output
These rules allow or deny your server communicating with other servers.
If other rules (forward / input) have been set up, it is not necessary to use this chain: they already block the access.
By default, you can put ACCEPT.
9.4.2 With Webmin
So when you go in Networking, Linux Firewall, you will be able to manage the rules.
You will see that if you try to modify these rules while iptables is already running, it takes a long time to make a modification.
What I recommend is to stop the iptables service during the modification.
9.4.3 With the config file
If you use SSH to have remote access to your server, you will prefer to manage this service with command lines.
To do this, use "mc" (Midnight Commander) and then go to the file:
/etc/sysconfig/iptables
You will find something like this:
# Generated by iptables-save v1.2.5 on Wed Mar 5 16:40:43 2003
*nat
:PREROUTING ACCEPT [12:6985]
:POSTROUTING ACCEPT [6:2415]
:OUTPUT ACCEPT [6:2415]
COMMIT
# Completed on Wed Mar 5 16:40:43 2003
# Generated by iptables-save v1.2.5 on Wed Mar 5 16:40:43 2003
*mangle
:PREROUTING ACCEPT [153:28415]
:INPUT ACCEPT [153:28415]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [56:15700]
:POSTROUTING ACCEPT [56:15700]
COMMIT
# Completed on Wed Mar 5 16:40:43 2003
# Generated by iptables-save v1.2.5 on Wed Mar 5 16:40:43 2003
*filter
# Default policies: if no rule matches a packet's source or destination, the policy is applied
:OUTPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
# Forward allowed from 192.168.106.231
-A FORWARD -s 192.168.106.231 -j ACCEPT
# Forward allowed from 192.168.107.2
-A FORWARD -s 192.168.107.2 -j ACCEPT
# Forward allowed from 192.168.106.45 to 192.168.107.2
-A FORWARD -s 192.168.106.45 -d 192.168.107.2 -j ACCEPT
# Accept incoming requests from 192.168.106.231
-A INPUT -s 192.168.106.231 -j ACCEPT
# Accept incoming requests from 192.168.106.51
-A INPUT -s 192.168.106.51 -j ACCEPT
-A INPUT -s 192.168.107.1 -j ACCEPT
-A INPUT -s 192.168.107.5 -j ACCEPT
COMMIT
# Completed on Wed Mar 5 16:40:43 2003
9.5 Some useful commands
How to stop/restart iptables:
Go to /etc/init.d/
and use this command line: ./iptables stop or ./iptables start
When you stop iptables, all packets are forwarded according to your routing table, without filtering.
You can do the same when you are logged in under startx: go as shown and stop or start the service.
Some specific commands for iptables:
Now for some options you can use to configure rules inside your chains:
-A Append a new rule
-I Insert a new rule
-R Replace a rule at a certain position
-D Delete a rule at a certain position
For example:
/sbin/iptables -A INPUT -p tcp -j ACCEPT
This rule would accept all tcp traffic. This is a little too broad isn't it? Let's take a look at how we can specify some other options.
Taking it one step further:
-j Specify the target (--jump)
-i Specify the input interface (--in-interface)
-o Specify the output interface (--out-interface)
-p Specify the protocol (--proto)
-s Specify the source (--source)
-d Specify the destination (--destination)
! Specifies an inversion (match addresses NOT equal to)
Now we're talking! Let's try it...
/sbin/iptables -A FORWARD -s 192.168.1.0/24 -p tcp -j ACCEPT
This rule will allow traffic to be forwarded, as long as the protocol is tcp and the source is a machine on the 192.168.1.0 subnet.
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
This rule, coupled with the one above will allow for MASQUERADE(ing) your internal network traffic, via NAT (Network Address Translation), so that you can share your internet connection with the rest of your network.
Some useful tcp options (these also work for udp):
--sport Filters on the source port
--dport Filters on the destination port
This is handy. Let's try it out!
This rule would allow traffic going to the www port (80) to be forwarded on.
/sbin/iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
Change destination addresses of web traffic to 5.6.7.8, port 8080.
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 5.6.7.8:8080
--tcp-flags
This allows you to filter on specific TCP flags. The first option after "--tcp-flags" specifies which flags are to be examined, and the second option specifies which flags are to be set.
Here is an example of the --tcp-flags in use:
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL SYN -j DROP
Note: The list of possible flags is as follows
SYN,ACK,FIN,RST,URG,PSH
One of the other nice features is the "--syn" option, which matches only packets with the SYN bit set and the ACK, RST and FIN bits cleared, that is, the first packet of a new TCP connection. Its inverse "! --syn" is therefore equivalent to typing:
! --tcp-flags SYN,RST,ACK,FIN SYN
This is useful in setting up your firewall to accept only connections that were initiated internally: packets that belong to an existing connection pass, while new connection attempts from outside do not.
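The two things this section relies on, the first-match-wins evaluation of a chain against its policy (as in the /etc/sysconfig/iptables file of section 9.4.3) and the MASK/COMP semantics of --tcp-flags and --syn, are easy to get wrong when rules are written by hand. The following is an added example written for this page, not iptables itself and not code from the original document: a small Python evaluator that parses the filter table from section 9.4.3 plus two flag rules from this section, and returns the verdict for a constructed packet. The definition of --syn as --tcp-flags SYN,RST,ACK,FIN SYN is taken from the iptables manual and is an assumption relative to this page; the sample packets are constructed.

```python
# Toy evaluator for the iptables filter rules shown in this document (constructed example,
# not iptables itself): first-match-wins chain evaluation plus the --tcp-flags MASK COMP test,
# for the options used in the text only (-A, -s, -d, -p, --dport, --tcp-flags, --syn, !, -j).
import ipaddress
import shlex

TCP_FLAGS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}


def parse_flags(spec):
    """Turn 'SYN,ACK', 'ALL' or 'NONE' into a bitmask."""
    if spec == "ALL":
        return 0x3F
    if spec == "NONE":
        return 0
    return sum(TCP_FLAGS[f] for f in spec.split(","))


def tcp_flags_match(mask, comp, pkt_flags):
    """--tcp-flags MASK COMP: only the MASK bits are examined, and exactly COMP must be set."""
    return (pkt_flags & mask) == comp


def parse_rule(tokens):
    """Parse one '-A CHAIN ...' line into (chain, [(negated, match_fn)], target)."""
    chain, matches, target, i = None, [], None, 0
    while i < len(tokens):
        negate = tokens[i] == "!"  # '! <match>' inverts the match that follows
        if negate:
            i += 1
        opt = tokens[i]
        if opt == "-A":
            chain, i = tokens[i + 1], i + 2
        elif opt == "-j":
            target, i = tokens[i + 1], i + 2
        elif opt in ("-s", "-d"):
            net = ipaddress.ip_network(tokens[i + 1], strict=False)  # a bare address means /32
            key = "src" if opt == "-s" else "dst"
            matches.append((negate, lambda p, k=key, n=net: ipaddress.ip_address(p[k]) in n))
            i += 2
        elif opt == "-p":
            matches.append((negate, lambda p, proto=tokens[i + 1]: p.get("proto") == proto))
            i += 2
        elif opt == "--dport":
            matches.append((negate, lambda p, d=int(tokens[i + 1]): p.get("dport") == d))
            i += 2
        elif opt in ("--tcp-flags", "--syn"):
            if opt == "--tcp-flags":
                mask, comp, i = parse_flags(tokens[i + 1]), parse_flags(tokens[i + 2]), i + 3
            else:  # the iptables manual defines --syn as --tcp-flags SYN,RST,ACK,FIN SYN (assumed here)
                mask, comp, i = parse_flags("SYN,RST,ACK,FIN"), parse_flags("SYN"), i + 1
            matches.append((negate, lambda p, m=mask, c=comp: tcp_flags_match(m, c, p.get("flags", 0))))
        else:
            raise ValueError("unsupported option: " + opt)
    return chain, matches, target


def load_filter_table(text):
    """Read iptables-save output and return ({chain: policy}, {chain: [rules]}) for *filter."""
    policies, chains, table = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            chains.setdefault(chain, [])
        elif table == "filter" and line.startswith("-A"):
            chain, matches, target = parse_rule(shlex.split(line))
            chains.setdefault(chain, []).append((matches, target))
    return policies, chains


def verdict(policies, chains, chain, pkt):
    """The first rule whose every match succeeds decides; otherwise the chain policy applies."""
    for matches, target in chains.get(chain, []):
        if all(fn(pkt) != negated for negated, fn in matches):
            return target
    return policies[chain]


# Constructed sample: the *filter table of section 9.4.3 plus the two flag rules of section 9.5.
SAMPLE_RULES = """\
*filter
:OUTPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
-A FORWARD -s 192.168.106.231 -j ACCEPT
-A FORWARD -s 192.168.107.2 -j ACCEPT
-A FORWARD -s 192.168.106.45 -d 192.168.107.2 -j ACCEPT
-A INPUT -s 192.168.106.231 -j ACCEPT
-A INPUT -s 192.168.106.51 -j ACCEPT
-A INPUT -p tcp --tcp-flags ALL SYN -j DROP
-A INPUT -p tcp ! --syn -j ACCEPT
COMMIT
"""


def check(chain, **pkt):
    """Verdict for a constructed packet (src, dst, optional proto/dport/flags) against SAMPLE_RULES."""
    policies, chains = load_filter_table(SAMPLE_RULES)
    return verdict(policies, chains, chain, pkt)
```

Running check("INPUT", src="10.1.1.1", dst="192.168.106.1", proto="tcp", flags=TCP_FLAGS["SYN"] | TCP_FLAGS["PSH"]) returns DROP even though the packet is not a bare SYN: PSH is outside the --syn mask, so "! --syn" does not match and the INPUT policy applies. That is the practical consequence of the MASK/COMP rule: only the bits named in the mask are looked at.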
10 Setup a VPN with Linux
Many types of VPN are used:
- IPSEC
- PPTP (Microsoft)
- SSH
- ...
IPSEC seems to be the more secure VPN solution.
However, PPTP is supported by Microsoft without any add-on, so at first we will use a PPTP solution.
The product I have chosen is PoPToP ( ). I have chosen it because:
- it is fully compatible with Microsoft VPN
- it is compatible with other products to make VPNs with IPSEC
- it can have many VPNs active at the same time
10.1 PPTP VPN
10.1.1 VPN Client
10.1.1.1 Set up a VPN client with PoPToP (
First you have to upgrade your kernel; for this you have to download:
ppp-mppe-2.4.0-4.i386.rpm
Then install it with:
rpm -Uvh --nodeps ppp-mppe-2.4.0-4.i386.rpm
Now you can install the latest pptp package (for the VPN connection as a client):
pptp-linux-1.1.0-1.i386.rpm
Then install it with:
rpm -i pptp-linux-1.1.0-1.i386.rpm
10.1.1.2 Use pptp-command
Now you can use pptp-command to activate your VPN.
To run it, just type:
pptp-command
This will allow you to set up your VPN connection.
The resolv.conf file allows you to use a domain name for your connection instead of an IP address.
10.1.1.3 Configure your VPN connection
You can set up a VPN connection with a file put in /etc/ppp/peers/, like this one:
#
# PPTP Tunnel configuration for tunnel DATACENTER
# Server IP: 192.168.200.4
# Route: add -net 192.168.121.0/24 eth0
#
#
# Tags for CHAP secret selection
#
name DATACENTER\\FredericSerrand
remotename PPTP
require-chapms-v2
+chapms-v2
#
# Include the main PPTP configuration file
#
file /etc/ppp/options.pptp
10.1.2 VPN Server
10.1.2.1 Set up a VPN server with PoPToP (
You first have to download and install:
pptpd-1.1.3-3
ppp_mppe-2.4.1-7
To start the service, just go to /usr/sbin/ and then:
pptpd start
(this starts the VPN service)
10.1.2.2 Configuration
To be able to use the VPN, you have to configure it and modify these different files:
/etc/modules.conf
alias parport_lowlevel parport_pc
alias eth0 via-rhine
alias eth1 natsemi
alias eth2 3c59x
alias sound-slot-0 i810_audio
options i810_audio ftsodell=1
post-install sound-slot-0 /bin/aumix-minimal -f /etc/.aumixrc -L >/dev/null 2>&1 || :
pre-remove sound-slot-0 /bin/aumix-minimal -f /etc/.aumixrc -S >/dev/null 2>&1 || :
alias usb-controller usb-uhci
alias char-major-108 ppp_generic
alias ppp-compress-18 ppp_mppe
alias ppp-compress-21 bsd_comp
alias ppp-compress-24 ppp_deflate
alias ppp-compress-26 ppp_deflate
alias tty-ldisc-3 ppp_async
alias tty-ldisc-14 ppp_synctty
/etc/pptpd.conf
localip 192.168.105.1-10
#For remote user
remoteip 192.168.105.100-115
/etc/ppp/options.pptpd
#
# Lock the port
#
lock
#
# We don't need the tunnel server to authenticate itself
#
noauth
nodetach
#
# Turn off transmission protocols we know won't be used
#
nobsdcomp
nodeflate
#
# We want MPPE
#
mppe-40
mppe-128
mppe-stateless
#
# We want a sane mtu/mru
#
mtu 1000
mru 1000
#
# Time this thing out if it goes poof
#
lcp-echo-failure 10
lcp-echo-interval 10
/etc/ppp/options
# CHANGE TO SUIT YOUR SYSTEM
lock
## turn pppd syslog debugging on
debug
## change 'pptpd' to whatever you specify as your server name in chap-secrets
# name pptpd
# name 192.168.200.4
# Don't need this
nobsdcomp
# Tell pptpd to find local interface and put it in proxyarp mode
proxyarp
#
auth
+chap
#
# This option applies if you use ppp with chapms-strip-domain patch
#chapms-strip-domain
# These options are for use with the OpenSSL-licensed patch
# NB! You should also apply the ChapMS-V2 patch
#-chap
#-chapms
+chapms-v2
mppe-40        # both 40-bit and 128-bit encryption bite each other
#mppe-128
#mppe-stateless
# These options are for use with the BSD-licensed patch (also for ppp-2.4.2)
#refuse-pap
#refuse-chap
#refuse-mschap
#require-mschap-v2
#+mppe-128
# These options will tell ppp to pass on these to your clients
# To use ms-dns or ms-dns in options.pptpd it must exist in /etc/resolv.conf
# ms-wins <ip-of-your-winsserver>
# ms-dns <ip-of-your-dnsserver>
/etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client                       server                       secret            IP address
DATACENTER\\FredericSerrand    *                            stopmenow         *                 (if you want the IP address to be assigned by the
DATACENTER\\Fred               *                            stop              192.168.200.101   (IP address you want to assign to your client)
#*  *  &/etc/samba/smbpasswd  *
# here for the connection to a VPN server
DATACENTER\\FredericSerrand    PPTP                         PutYourPassword
PPTP                           DATACENTER\\FredericSerrand  PutYourPassword
####### redhat-config-network will overwrite this part!!! (begin) ##########
####### redhat-config-network will overwrite this part!!! (end) ############
11 Some useful commands
to restart the system:                  shutdown -r now
to see the routing table:               route
to see the network card configuration:  ifconfig
ping:                                   ping
to move to a directory:                 cd /"name of directory"
to list the files in a directory:       ls
to see where you are:                   pwd
to find a file:                         locate
to update the database used by locate:  updatedb
network configuration:                  ifconfig
restart the network:                    /etc/init.d/network reload
to see the system usage:                top
to install an RPM:                      rpm -ivh "name-of-RPM-version.i386.rpm"
to remove an installed RPM:             rpm -e "name-of-RPM-version" (without .i386.rpm)
to uncompress a folder or file:         tar xvzf "name of archive"
to have a text editor:                  mc
Diskette:
Put the floppy disk in the machine's floppy drive. Open a terminal and type:
mount /mnt/floppy
To see what is on the floppy, type:
cd /mnt/floppy
ls /mnt/floppy
To copy to the floppy, use the cp command:
cp (give the path of the file location) /mnt/floppy
When you are done with the floppy, you need to change to a different directory and then unmount the floppy:
cd /etc
umount /mnt/floppy
Suggestion: use the man pages to learn more about the mount command. At a terminal prompt type: man mount
CDROM:
mount /mnt/cdrom
09/10/2018 / FSE