How to install a linux server as a router / 1

How to install a Linux server as a router

1 Table of contents

1 Table of contents
2 Overview
3 Requirements
4 What to do before
5 Installation of RedHat
6 Configure this server as a router
6.1 Configure Ethernet cards
6.2 IP forwarding
6.3 Routing table
7 Remote control
7.1 VNC
7.2 SSH
8 Install a proxy: Squid
8.1 Installation
8.2 Configuration
8.3 Auto start Squid
9 Use iptables for IP filtering
9.1 Why iptables
9.2 iptables generalities
9.3 How to activate iptables
9.4 How to set up iptables
9.4.1 Types of rules
9.4.2 With Webmin
9.4.3 With the config file
9.5 Some useful commands
10 Setup a VPN with Linux
10.1 PPTP VPN
10.1.1 VPN client
10.1.2 VPN server
11 Some useful commands

2 Overview

Why Linux?

- It is a free OS, with free software.

3 Requirements

- PIII 733 MHz
- 512 Mbytes (for Squid)
- 5 Gbytes
- Red Hat 7.3

4 What to do before

- Fit at least two network cards for a simple router, and more if you need them.

5 Installation of RedHat

- Select your keyboard type.

- For the partitioning, choose manual partitioning; you can select:

  • "/": 1.5 GB
  • "/boot": 1.5 GB
  • "/swap": 1 GB
  • "/Home": the rest of the space

- For the packages to install, you have to select:

  • Windows
  • Gnome (GNU)
  • FireWall

Then let the OS continue its installation.

6 Configure this server as a router

6.1 Configure Ethernet cards

When you have installed RedHat, you can launch startx, which gives you a graphical interface to configure the network cards.

There you can select your network card and modify the IP address and network mask, and specify that this network card should be activated when the server starts, and so on.

To enable your new network configuration, you have to restart networking with this command:

/etc/init.d/network reload

You have to restart networking after every modification of the network configuration (IP address, routing table, and so on).

6.2 IP forwarding

To let this server forward IP packets, and so act as a router, you have to modify one file.

Open:

/etc/sysctl.conf

and change the ip_forward line so that it reads

net.ipv4.ip_forward = 1

instead of 0.

6.3 Routing table

To configure the routing table, open:

/etc/sysconfig/static-routes

and write the routing table as follows:

eth0 net 192.168.118.0 netmask 255.255.255.0 gw 192.168.202.6

eth0 net 192.168.108.0 netmask 255.255.255.0 gw 192.168.202.6

eth1 net 192.168.91.0 netmask 255.255.255.0 gw 192.168.201.2

eth1 net 192.168.92.0 netmask 255.255.255.0 gw 192.168.201.2
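The two settings of sections 6.2 and 6.3 can be checked before the network is reloaded. The script below is an added example, not part of the original document: ip_forward_enabled reports whether a sysctl.conf-style file ends up with net.ipv4.ip_forward set to 1, static_routes_to_commands turns the lines of /etc/sysconfig/static-routes into the route commands the Red Hat network scripts issue for them (route add -<args> <device>), and static_routes_lint flags lines that do not have the documented shape, which the scripts would otherwise apply as a broken command. The sample files are constructed from the routes above; nothing here touches the live system.

```shell
#!/bin/sh
# Added example, not from the original document. Reads files in the formats
# of /etc/sysctl.conf and /etc/sysconfig/static-routes and reports on them;
# nothing here modifies the running system.

# ip_forward_enabled FILE
#   Prints 1 if the last uncommented net.ipv4.ip_forward setting in FILE is 1,
#   otherwise 0 (sysctl -p applies the file top to bottom, so the last wins).
ip_forward_enabled() {
    awk '
        {
            line = $0
            sub(/#.*/, "", line)                    # drop comments
            if (split(line, kv, "=") != 2) next     # want exactly "key = value"
            gsub(/[[:space:]]/, "", kv[1])
            gsub(/[[:space:]]/, "", kv[2])
            if (kv[1] == "net.ipv4.ip_forward") val = kv[2]
        }
        END { print ((val == "1") ? 1 : 0) }
    ' "$1"
}

# static_routes_to_commands FILE
#   Turns each "DEV net NET netmask MASK gw GW" line into the command the
#   Red Hat network scripts run for it: /sbin/route add -net ... DEV
static_routes_to_commands() {
    awk '
        /^[[:space:]]*#/ || NF < 2 { next }
        {
            dev = $1
            $1 = ""                                  # rebuild $0 without the device
            sub(/^ +/, "")
            print "/sbin/route add -" $0 " " dev
        }
    ' "$1"
}

# static_routes_lint FILE
#   Prints every non-comment line that is not of the seven-field form
#   "DEV net ADDRESS netmask MASK gw GATEWAY", so a typo is caught before
#   "network reload" turns it into a failing route command.
static_routes_lint() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        !(NF == 7 && $2 == "net" && $4 == "netmask" && $6 == "gw") {
            print "bad line " NR ": " $0
        }
    ' "$1"
}

# Demo with constructed files (the first two routes are the ones from the
# document; the third deliberately lacks the "netmask" keyword).
tmp=$(mktemp -d)
printf 'net.ipv4.ip_forward = 1\n' > "$tmp/sysctl.conf"
cat > "$tmp/static-routes" <<'EOF'
eth0 net 192.168.118.0 netmask 255.255.255.0 gw 192.168.202.6
eth1 net 192.168.91.0 netmask 255.255.255.0 gw 192.168.201.2
eth1 net 192.168.92.0 255.255.255.0 gw 192.168.201.2
EOF
echo "ip_forward enabled: $(ip_forward_enabled "$tmp/sysctl.conf")"
static_routes_to_commands "$tmp/static-routes"
static_routes_lint "$tmp/static-routes"
rm -rf "$tmp"
```

Run the lint against the real file before reloading the network; the route command is printed rather than executed so the output can be reviewed first.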

7 Remote control

This can be useful during tests or configuration, but should be used carefully (for security reasons).

7.1 VNC

You can download it from

Take care to choose the version which corresponds to your version of RedHat.

You can put it in /home for example.

Then go into this folder and use this command to install it:

rpm -ivh VNC-3.3.3r2-28.i386.rpm

Then, to activate the VNC server, you can use the command

vncserver

If you want the VNC server to start automatically at startup, you can open the file

/etc/rc.d/rc.local

and add these lines:

#vncserver
PATH=/usr/local/bin:$PATH
export PATH
su -lc vncserver root
su -lc vncserver "user"   # the second argument of su is a user name, not a password

7.2 SSH

You have to download the packages for

- the ssh client (openssh-clients-3.1p1-3.i386.rpm)

- the ssh server (openssh-server-3.1p1-3.i386.rpm)

You can download them from

To install the ssh server, you have to:

  1. Install the client
  2. Install the server

Then, to activate the ssh server, you have to use this command (in /etc/init.d/):

./sshd start

To be able to connect your computer to this SSH server, you have to install an SSH client on your computer, for example:

Putty.exe (to download)

8 Install a proxy: Squid

8.1 Installation

You can download it from

When you have downloaded the RPM package, you can install it with this command:

rpm -ivh squid-2.4.STABLE6-6.7.3.i386.rpm

8.2 Configuration

Our configuration is as follows:

- Squid receives requests from users and redirects all of them to another proxy which is connected to the Internet.

- Our Squid proxy does not cache.

This is what we added to our configuration to be able to use it as a proxy (this is the part of the squid.conf file that configures Squid):

http_port 80
tcp_outgoing_address 255.255.255.255
cache_peer Our_other_proxy_Ip_adress parent 80 0 no-query default
never_direct allow all
no_cache deny all
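The fragment above says nothing about who may use the proxy; that is decided by the acl and http_access lines elsewhere in squid.conf, and a proxy answering on port 80 with "http_access allow all" relays for every host that can reach it. The script below is an added example, not part of this document or of Squid: squid_access_check classifies a squid.conf as OPEN, RESTRICTED or NO_RULES, and two constructed configurations show the weak form beside the corrected one. The LAN range 192.168.106.0/24 and the PARENT_PROXY_IP placeholder are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original document. Classifies the client
# access policy of a squid.conf (Squid 2.4 syntax, as used in the document).

# squid_access_check FILE
#   Prints OPEN       if any "http_access allow all" line is present
#          NO_RULES   if the file has no http_access line at all
#          RESTRICTED otherwise (some acl gates access; review it by hand)
squid_access_check() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "http_access" {
            n++
            if ($2 == "allow" && $3 == "all") open = 1
        }
        END {
            if (n == 0)      print "NO_RULES"
            else if (open)   print "OPEN"
            else             print "RESTRICTED"
        }
    ' "$1"
}

# The directives from the document, shared by both sample files.
# "acl all" is the catch-all acl of the default Squid 2.x squid.conf.
common_directives() {
    cat <<'EOF'
http_port 80
tcp_outgoing_address 255.255.255.255
cache_peer PARENT_PROXY_IP parent 80 0 no-query default
never_direct allow all
no_cache deny all
acl all src 0.0.0.0/0.0.0.0
EOF
}

# Weak: every client that can reach port 80 may relay through the parent proxy.
write_open_conf() {
    { common_directives; echo 'http_access allow all'; } > "$1"
}

# Corrected: only the internal network is allowed, everything else is
# explicitly denied (order matters: Squid evaluates http_access top to bottom).
# 192.168.106.0/24 is an assumed LAN range.
write_restricted_conf() {
    {
        common_directives
        echo 'acl lan src 192.168.106.0/255.255.255.0'
        echo 'http_access allow lan'
        echo 'http_access deny all'
    } > "$1"
}

# Demo with the two constructed files.
tmp=$(mktemp -d)
write_open_conf "$tmp/squid-open.conf"
write_restricted_conf "$tmp/squid-lan.conf"
echo "squid-open.conf: $(squid_access_check "$tmp/squid-open.conf")"
echo "squid-lan.conf:  $(squid_access_check "$tmp/squid-lan.conf")"
rm -rf "$tmp"
```

RESTRICTED only means that some acl gates access; the acl itself still has to be read, since "acl lan src 0.0.0.0/0" would pass the check while being just as open.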

8.3 Auto start Squid

To enable Squid to start automatically, open:

/etc/rc.d/rc.local

and add these lines:

#squid
/etc/rc.d/init.d/squid start

9 Use iptables for IP filtering

9.1 Why iptables

iptables is installed by default with RedHat 7.3, and it is simple to set up and manage.

9.2 iptables generalities

Rules created with the iptables command are only stored in RAM. If you were to restart your system after setting up various iptables rules, they would be lost and you would need to retype them. If you want particular rules to take effect whenever your system boots, you need to save them to the /etc/sysconfig/iptables file.

To do this, arrange your tables, chains, and rules the way they should be the next time the system boots or iptables is restarted, and type the /sbin/service iptables save command as the root user. This causes the iptables init script to run the /sbin/iptables-save program and write the current iptables configuration to the /etc/sysconfig/iptables file. This file should only be readable by root, so your precise packet filtering rules are not viewable by average users.

The next time the system boots, the iptables init script will reapply the rules saved in /etc/sysconfig/iptables by using the /sbin/iptables-restore command.

While it is always a good idea to test a new iptables rule before committing it to the /etc/sysconfig/iptables file, it is possible to copy iptables rules into this file from another system's version of this file. This allows you to quickly distribute sets of iptables rules to many different machines at once. Simply restart iptables to make the new rules take effect.

9.3 How to activate iptables

If you have set up Webmin, you can activate iptables by going to:

Networking, Linux Firewall, and then choosing Setup Firewall

This action creates a file named iptables in /etc/sysconfig/ which contains all the rules you create with Webmin.

This file is loaded by iptables at boot time, or when iptables is restarted.

The firewall rules will only be active if the iptables service is running. To manually start the service, use the command:

/sbin/service iptables restart

9.4 How to set up iptables

Here you will find two different ways to set up iptables.

I recommend using Webmin when you set up this firewall (it is friendlier).

But once it is done, deactivate Webmin, and use only ssh or work directly on this server.

9.4.1 Types of rules

Three kinds of rules (chains) can be set up:

- Input

Here you allow the people who should be able to access this server directly. If it is a router, only the administrator; if it is a mail server, ...

By default, set the policy to DROP and add the rules you need.

- Forward

If you use this server as a router between different domains or servers, you can choose who (by IP address) is allowed to reach a particular server. You can specify the destination and/or the source and/or the port.

By default, set the policy to DROP and add the rules you need.

- Output

These rules allow or forbid your server to communicate with other servers.

If other rules (forward / input) have been set up, it is not necessary to use this chain. Indeed, they already block the access.

By default, you can set it to ACCEPT.

9.4.2 With Webmin

When you go to Networking, Linux Firewall, you will be able to manage the rules.

You will see that if iptables is already running while you modify these rules, each modification takes a long time.

What I recommend is to stop the iptables service during the modification.

9.4.3 With the config file

If you use SSH for remote access to your server, you will prefer to manage this service from the command line.

To do this, use "mc" (Midnight Commander), and then go to the file:

/etc/sysconfig/iptables

You will find something like this (the explanatory comments starting with # were added to this listing):

# Generated by iptables-save v1.2.5 on Wed Mar 5 16:40:43 2003
*nat
:PREROUTING ACCEPT [12:6985]
:POSTROUTING ACCEPT [6:2415]
:OUTPUT ACCEPT [6:2415]
COMMIT
# Completed on Wed Mar 5 16:40:43 2003
# Generated by iptables-save v1.2.5 on Wed Mar 5 16:40:43 2003
*mangle
:PREROUTING ACCEPT [153:28415]
:INPUT ACCEPT [153:28415]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [56:15700]
:POSTROUTING ACCEPT [56:15700]
COMMIT
# Completed on Wed Mar 5 16:40:43 2003
# Generated by iptables-save v1.2.5 on Wed Mar 5 16:40:43 2003
*filter
# Here you have the default policies (if no other rule matches a source or destination, this policy is applied)
:OUTPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
# Forwarding allowed from 192.168.106.231
-A FORWARD -s 192.168.106.231 -j ACCEPT
# Forwarding allowed from 192.168.107.2
-A FORWARD -s 192.168.107.2 -j ACCEPT
# Forwarding allowed from 192.168.106.45 to 192.168.107.2
-A FORWARD -s 192.168.106.45 -d 192.168.107.2 -j ACCEPT
# Accept incoming requests from 192.168.106.231
-A INPUT -s 192.168.106.231 -j ACCEPT
# Accept incoming requests from 192.168.106.51
-A INPUT -s 192.168.106.51 -j ACCEPT
-A INPUT -s 192.168.107.1 -j ACCEPT
-A INPUT -s 192.168.107.5 -j ACCEPT
COMMIT
# Completed on Wed Mar 5 16:40:43 2003

9.5 Some useful commands

How to stop/restart iptables:

Go to /etc/init.d/

and use this command line: ./iptables stop or ./iptables start

When you stop iptables, all packets are transmitted according to your routing tables, without any filtering.

You can do the same from the graphical interface (startx): open the service manager and stop or start the service.

Some specific commands for iptables:

Now for some options you can use to configure rules inside your chains:
-A Append a new rule
-I Insert a new rule
-R Replace a rule at a certain position
-D Delete a rule at a certain position
For example:
/sbin/iptables -A INPUT -p tcp -j ACCEPT
This rule would accept all tcp traffic. This is a little too broad, isn't it? Let's take a look at how we can specify some other options.
Taking it one step further:
-j Specify the target (--jump)
-i Specify the input interface (--in-interface)
-o Specify the output interface (--out-interface)
-p Specify the protocol (--proto)
-s Specify the source (--source)
-d Specify the destination (--destination)
! Specifies an inversion (match addresses NOT equal to)
Now we're talking! Let's try it...
/sbin/iptables -A FORWARD -s 192.168.1.0/24 -p tcp -j ACCEPT
This rule will allow traffic to be forwarded, as long as the protocol is tcp and the source is a machine on the 192.168.1.0 subnet.
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
This rule, coupled with the one above, will MASQUERADE your internal network traffic via NAT (Network Address Translation), so that you can share your Internet connection with the rest of your network.
Some useful tcp options (these also work for udp):
--sport Filters on the source port
--dport Filters on the destination port
This is handy. Let's try it out!
This rule would allow traffic going to the www port (80) to be forwarded on.
/sbin/iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
Change the destination address of web traffic arriving on eth0 to 5.6.7.8, port 8080.
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 5.6.7.8:8080
--tcp-flags
This allows you to filter on specific TCP flags. The first argument after "--tcp-flags" specifies which flags are to be examined (the mask), and the second specifies which of those flags must be set.
Here is an example of --tcp-flags in use (the target is DROP; DENY was the ipchains name and is not an iptables target):
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL SYN -j DROP
Note: the list of possible flags is as follows:
SYN,ACK,FIN,RST,URG,PSH
One of the other nice features is the "! --syn" option. --syn matches packets with SYN set and ACK and RST clear, so it is equivalent to typing:
--tcp-flags SYN,RST,ACK SYN
and "! --syn" matches everything else. This is useful in setting up your firewall to accept only connections that were initiated internally.
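To tie sections 9.4.3 and 9.5 together, here is an added example, not from the document and not Red Hat's or Webmin's code: gen_filter_rules writes the *filter table of the router above in iptables-save format, so the output can be loaded with iptables-restore or placed in /etc/sysconfig/iptables, and audit_save_file reads an existing save file and reports filter chains whose policy is ACCEPT as well as rules that accept without any match. Compared with the listing in 9.4.3 it adds a loopback rule and an ESTABLISHED,RELATED state rule (the state match is part of the iptables 1.2.5 shown in that listing) so that replies to the router's own connections are not dropped by the DROP policies, and it limits the administrator hosts to ssh on 22/tcp instead of accepting everything from them; those choices and the sample addresses are the example's own. OUTPUT stays ACCEPT as the document recommends, and the audit prints it so that the decision is at least visible.

```shell
#!/bin/sh
# Added example, not from the original document. Generates and audits
# iptables-save files for the router design of sections 9.4.1 and 9.4.3.

# gen_filter_rules "ADMIN_HOSTS" "FORWARD_SOURCES"
#   ADMIN_HOSTS     space-separated hosts allowed to ssh to the router itself
#   FORWARD_SOURCES space-separated sources allowed through the router
#   Prints a *filter table in the format iptables-restore reads.
gen_filter_rules() {
    admins=$1
    sources=$2
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # the router must talk to itself, and answers to accepted connections
    # must not be dropped by the DROP policies (state match, module ipt_state)
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for h in $admins; do
        echo "-A INPUT -s $h -p tcp --dport 22 -j ACCEPT"
    done
    for h in $sources; do
        echo "-A FORWARD -s $h -j ACCEPT"
    done
    echo 'COMMIT'
}

# audit_save_file FILE
#   For the *filter table of an iptables-save file prints
#     "POLICY <chain> ACCEPT" for every chain whose default policy is ACCEPT
#     "BROAD <chain>"         for every "-A <chain> -j ACCEPT" with no match
#   The nat and mangle tables keep ACCEPT policies by design and are skipped.
audit_save_file() {
    awk '
        /^\*/ { table = substr($1, 2); next }
        table != "filter" { next }
        /^:/ && $2 == "ACCEPT" { print "POLICY " substr($1, 2) " ACCEPT" }
        /^-A/ && NF == 4 && $3 == "-j" && $4 == "ACCEPT" { print "BROAD " $2 }
    ' "$1"
}

# Demo with constructed addresses (taken from the listing in section 9.4.3).
tmp=$(mktemp -d)
gen_filter_rules "192.168.106.231 192.168.106.51" "192.168.106.231 192.168.107.2" > "$tmp/iptables"
cat "$tmp/iptables"
echo "--- audit of the generated file:"
audit_save_file "$tmp/iptables"
rm -rf "$tmp"
```

Test a generated file with "iptables-restore < file" from a console session, not over ssh, before copying it to /etc/sysconfig/iptables: if the administrator host is mistyped, the DROP policy on INPUT cuts the remote session.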

10 Setup a VPN with Linux

Several types of VPN are in use:

- IPSEC

- PPTP (Microsoft)

- SSH

- ...

IPSEC seems to be the most secure VPN solution.

However, PPTP is supported by Microsoft without any add-on, so at first we will use a PPTP solution.

The product I have chosen is PoPToP ( ). I have chosen it because:

- It is fully compatible with Microsoft VPN

- It is compatible with other products that make VPNs with IPSEC

- It can have many VPNs active at the same time

10.1 PPTP VPN

10.1.1 VPN client

10.1.1.1 Setup a VPN client with PoPToP (

First you have to upgrade your kernel; for this you have to download:

ppp-mppe-2.4.0-4.i386.rpm

Then install it with:

rpm -Uvh --nodeps ppp-mppe-2.4.0-4.i386.rpm

Now you can install the latest pptp package (for the VPN connection as a client):

pptp-linux-1.1.0-1.i386.rpm

Then install it with:

rpm -i pptp-linux-1.1.0-1.i386.rpm

10.1.1.2 Use the pptp-command

Now you can use the pptp-command to activate your VPN.

To run it, just type:

pptp-command

This will allow you to set up your VPN connection.

The file resolv.conf allows you to use a domain name for your connection instead of an IP address.

10.1.1.3 Configure your VPN connection

You can set up a VPN connection with a file put in /etc/ppp/peers/, like this one:

#
# PPTP Tunnel configuration for tunnel DATACENTER
# Server IP: 192.168.200.4
# Route: add -net 192.168.121.0/24 eth0
#
#
# Tags for CHAP secret selection
#
name DATACENTER\\FredericSerrand
remotename PPTP
require-chapms-v2
+chapms-v2
#
# Include the main PPTP configuration file
#
file /etc/ppp/options.pptp

10.1.2 VPN server

10.1.2.1 Setup a VPN server with PoPToP (

You first have to download and install:

pptpd-1.1.3-3

ppp_mppe-2.4.1-7

To start the service, just go to /usr/sbin/ and then:

pptpd start

(this starts the VPN service)

10.1.2.2 Configuration

To be able to use the VPN, you have to configure it by modifying these different files:

/etc/modules.conf

alias parport_lowlevel parport_pc
alias eth0 via-rhine
alias eth1 natsemi
alias eth2 3c59x
alias sound-slot-0 i810_audio
options i810_audio ftsodell=1
post-install sound-slot-0 /bin/aumix-minimal -f /etc/.aumixrc -L >/dev/null 2>&1 || :
pre-remove sound-slot-0 /bin/aumix-minimal -f /etc/.aumixrc -S >/dev/null 2>&1 || :
alias usb-controller usb-uhci
alias char-major-108 ppp_generic
alias ppp-compress-18 ppp_mppe
alias ppp-compress-21 bsd_comp
alias ppp-compress-24 ppp_deflate
alias ppp-compress-26 ppp_deflate
alias tty-ldisc-3 ppp_async
alias tty-ldisc-14 ppp_synctty

/etc/pptpd.conf

localip 192.168.105.1-10
#For remote users
remoteip 192.168.105.100-115

/etc/ppp/options.pptpd

#
# Lock the port
#
lock
#
# We don't need the tunnel server to authenticate itself
#
noauth
nodetach
#
# Turn off transmission protocols we know won't be used
#
nobsdcomp
nodeflate
#
# We want MPPE
#
mppe-40
mppe-128
mppe-stateless
#
# We want a sane mtu/mru
#
mtu 1000
mru 1000
#
# Time this thing out if it goes poof
#
lcp-echo-failure 10
lcp-echo-interval 10

/etc/ppp/options

# CHANGE TO SUIT YOUR SYSTEM
lock
## turn pppd syslog debugging on
debug
## change 'pptpd' to whatever you specify as your server name in chap-secrets
# name pptpd
# name 192.168.200.4
# Don't need this
nobsdcomp
# Tell pptpd to find local interface and put it in proxyarp mode
proxyarp
#
auth
+chap
#
# This option applies if you use ppp with chapms-strip-domain patch
#chapms-strip-domain
# These options are for use with the OpenSSL-licensed patch
# NB! You should also apply the ChapMS-V2 patch
#-chap
#-chapms
+chapms-v2
# both 40-bit and 128-bit encryption conflict with each other
mppe-40
#mppe-128
#mppe-stateless
# These options are for use with the BSD-licensed patch (also for ppp-2.4.2)
#refuse-pap
#refuse-chap
#refuse-mschap
#require-mschap-v2
#+mppe-128
# These options will tell ppp to pass on these to your clients
# To use ms-dns or ms-wins in options.pptpd it must exist in /etc/resolv.conf
# ms-wins <ip-of-your-winsserver>
# ms-dns <ip-of-your-dnsserver>

/etc/ppp/chap-secrets

# Secrets for authentication using CHAP
# client                      server   secret            IP address
# next entry: "*" in the last column if you want the IP address to be assigned by the
DATACENTER\\FredericSerrand   *        stopmenow         *
# next entry: the IP address you want to assign to your client
DATACENTER\\Fred              *        stop              192.168.200.101
#*    *    &/etc/samba/smbpasswd    *
# here for the connection to a VPN server
DATACENTER\\FredericSerrand   PPTP     PutYourPassword
PPTP     DATACENTER\\FredericSerrand   PutYourPassword
####### redhat-config-network will overwrite this part!!! (begin) ##########
####### redhat-config-network will overwrite this part!!! (end) ############
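Two things in the files above are worth checking mechanically: the localip/remoteip ranges of /etc/pptpd.conf (the a.b.c.d-e shorthand is easy to mis-size, and pptpd needs one remote address per simultaneous client) and /etc/ppp/chap-secrets, which holds clear-text passwords and must be readable by root only. The script below is an added example, not part of this document or of PoPToP: pptp_range_count expands a range to an address count, and chap_secrets_audit reports wrong file permissions, malformed lines, and placeholder or very short secrets (an assumed heuristic, not a pppd rule). The sample file is constructed from the entries above.

```shell
#!/bin/sh
# Added example, not from the original document. Checks the two PPTP files
# of section 10.1.2.2 that most often go wrong: address ranges and secrets.

# pptp_range_count RANGE
#   RANGE is a pptpd.conf localip/remoteip value: "192.168.105.100-115",
#   "192.168.105.100-192.168.105.115" or a single address. Prints the number
#   of addresses it covers (both range forms vary only the last octet).
pptp_range_count() {
    case $1 in
        *-*)
            first=${1%%-*}; last=${1#*-}
            first=${first##*.}; last=${last##*.}
            echo $((last - first + 1)) ;;
        *)
            echo 1 ;;
    esac
}

# chap_secrets_audit FILE
#   Prints one finding per line; no output means nothing was flagged.
#   Secrets containing spaces must be quoted in chap-secrets; this simple
#   whitespace split does not handle such quoted secrets.
chap_secrets_audit() {
    perms=$(ls -ld "$1" | cut -c1-10)
    [ "$perms" = "-rw-------" ] || echo "PERMS $perms (expected -rw-------, mode 600)"
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        NF < 3 { print "FORMAT line " NR ": fewer than 3 fields"; next }
        $3 ~ /^PutYour/ || length($3) < 8 { print "WEAK line " NR ": secret for " $1 }
    ' "$1"
}

# Demo with constructed input (entries taken from the document; the file is
# deliberately left world-readable to show the permission finding).
tmp=$(mktemp -d)
for r in 192.168.105.1-10 192.168.105.100-115; do
    echo "$r -> $(pptp_range_count "$r") addresses"
done
cat > "$tmp/chap-secrets" <<'EOF'
# client                     server  secret           IP address
DATACENTER\\FredericSerrand  *       stopmenow        *
DATACENTER\\Fred             *       stop             192.168.200.101
DATACENTER\\FredericSerrand  PPTP    PutYourPassword
EOF
chmod 644 "$tmp/chap-secrets"
echo "--- findings:"
chap_secrets_audit "$tmp/chap-secrets"
rm -rf "$tmp"
```

The permission check matters on this setup in particular: the same file holds the secret the router uses as a PPTP client to the DATACENTER server, so a readable chap-secrets exposes credentials for both ends.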

11 Some useful commands

to restart the system: shutdown -r now
to show the routing table: route
to show the network card configuration: ifconfig
ping: ping
to move to a directory: cd /"name of directory"
to list the files in a directory: ls
to see where you are: pwd
to find a file: locate
to update the database used by locate: updatedb
network configuration: ifconfig
restart the network: /etc/init.d/network reload
to see system usage: top
to install an RPM: rpm -ivh "name of RPM-version.i386.rpm"
to remove an RPM installation: rpm -e "name of RPM-version (without i386)"
to uncompress a folder or file: tar xvzf "name of file"
to have a text editor: mc

Diskette:

Put the floppy disk in the machine's floppy drive. Open a terminal and type:

mount /mnt/floppy

To see what is on the floppy, type:

cd /mnt/floppy
ls /mnt/floppy

To copy to the floppy, use the cp command:

cp (path of the file) /mnt/floppy

When you are done with the floppy, you need to change to a different directory and then unmount the floppy:

cd /etc
umount /mnt/floppy

Suggestion: use the man pages to learn more about the mount command. At a terminal prompt type: man mount

CDROM:

mount /mnt/cdrom

09/10/2018 / FSE