Si algunos habeis leido la página de mi blog “Mis PCs” habréis leido que tengo un Via C3 con Debian Etch. Pues bien en él tengo dos tarjetas de red, eth0 desde la que recibe la conexión a Internet y eth1 donde va conectado mi AP wireless Conceptronic. Yo teniendo un switch de 8 puertos pues la verdad, es un poco tontería hacer todo esto, pero tenía ganas de aprender a hacerlo. Además se me ocurren muchas ideas como restringir cierto tráfico de datos. También se me ocurre la idea de hacer que la primera petición a la DNS lleve a una página informativa sobre la red wireless. Muchas ideas tengo en mente con esto, ya veré si esto no queda en una simple idea y puedo materializarlo 
. Pero vayamos a lo que seguro que os interesa, al howto:
(Paso 1) – Enrutado de eth0 a eth1
Leyendo documentación sobre el enrutado, he encontrado un fantástico script que se puede colocar en /etc/rcS.d/ para que sea autocargado al inicio. Este script lo que hace es cargar ciertos modulos necesarios para el enrutado, configurar las reglas de iptables… Este script lo guardais en la carpeta que dije con el nombre de S89enrutado por ejemplo. Es importante que el script lleve la S y la prioridad de ejecución, en mi caso la 89. Y mejor que sea tardía porque así nos aseguramos que cuando vaya a ejecutar el script la red esté levantada y funcionando. Bueno al caso, haceis un “nano /etc/rcS.d/S89enrutado” y pegais lo siguiente:
#!/bin/sh # # rc.firewall-iptables FWVER=0.76 # # Initial SIMPLE IP Masquerade test for 2.6 / 2.4 kernels # using IPTABLES. # # Once IP Masquerading has been tested, with this simple # ruleset, it is highly recommended to use a stronger # IPTABLES ruleset either given later in this HOWTO or # from another reputable resource. # # # # Log: # 0.76 - Added comments on why the default policy is ACCEPT # 0.75 - Added more kernel modules to the comments section # 0.74 - the ruleset now uses modprobe vs. insmod # 0.73 - REJECT is not a legal policy yet; back to DROP # 0.72 - Changed the default block behavior to REJECT not DROP # 0.71 - Added clarification that PPPoE users need to use # "ppp0" instead of "eth0" for their external interface # 0.70 - Added commented option for IRC nat module # - Added additional use of environment variables # - Added additional formatting # 0.63 - Added support for the IRC IPTABLES module # 0.62 - Fixed a typo on the MASQ enable line that used eth0 # instead of $EXTIF # 0.61 - Changed the firewall to use variables for the internal # and external interfaces. # 0.60 - 0.50 had a mistake where the ruleset had a rule to DROP # all forwarded packets but it didn't have a rule to ACCEPT # any packets to be forwarded either # - Load the ip_nat_ftp and ip_conntrack_ftp modules by default # 0.50 - Initial draft # echo -e "\n\nLoading simple rc.firewall-iptables version $FWVER..\n" # The location of the iptables and kernel module programs # # If your Linux distribution came with a copy of iptables, # most likely all the programs will be located in /sbin. If # you manually compiled iptables, the default location will # be in /usr/local/sbin # # ** Please use the "whereis iptables" command to figure out # ** where your copy is and change the path below to reflect # ** your setup # #IPTABLES=/sbin/iptables IPTABLES=/usr/local/sbin/iptables DEPMOD=/sbin/depmod MODPROBE=/sbin/modprobe #Setting the EXTERNAL and INTERNAL interfaces for the network # # Each IP Masquerade network needs to have at least one # external and one internal network. The external network # is where the natting will occur and the internal network # should preferably be addressed with a RFC1918 private address # scheme. # # For this example, "eth0" is external and "eth1" is internal" # # # NOTE: If this doesnt EXACTLY fit your configuration, you must # change the EXTIF or INTIF variables above. For example: # # If you are a PPPoE or analog modem user: # # EXTIF="ppp0" # # EXTIF="eth0" INTIF="eth1" echo " External Interface: $EXTIF" echo " Internal Interface: $INTIF" #====================================================================== #== No editing beyond this line is required for initial MASQ testing == echo -en " loading modules: " # Need to verify that all modules have all required dependencies # echo " - Verifying that all kernel modules are ok" $DEPMOD -a # With the new IPTABLES code, the core MASQ functionality is now either # modular or compiled into the kernel. This HOWTO shows ALL IPTABLES # options as MODULES. If your kernel is compiled correctly, there is # NO need to load the kernel modules manually. # # NOTE: The following items are listed ONLY for informational reasons. # There is no reason to manual load these modules unless your # kernel is either mis-configured or you intentionally disabled # the kernel module autoloader. # # Upon the commands of starting up IP Masq on the server, the # following kernel modules will be automatically loaded: # # NOTE: Only load the IP MASQ modules you need. All current IP MASQ # modules are shown below but are commented out from loading. # =============================================================== echo "----------------------------------------------------------------------" #Load the main body of the IPTABLES module - "iptable" # - Loaded automatically when the "iptables" command is invoked # # - Loaded manually to clean up kernel auto-loading timing issues # echo -en "ip_tables, " $MODPROBE ip_tables #Load the IPTABLES filtering module - "iptable_filter" # - Loaded automatically when filter policies are activated #Load the stateful connection tracking framework - "ip_conntrack" # # The conntrack module in itself does nothing without other specific # conntrack modules being loaded afterwards such as the "ip_conntrack_ftp" # module # # - This module is loaded automatically when MASQ functionality is # enabled # # - Loaded manually to clean up kernel auto-loading timing issues # echo -en "ip_conntrack, " $MODPROBE ip_conntrack #Load the FTP tracking mechanism for full FTP tracking # # Enabled by default -- insert a "#" on the next line to deactivate # echo -en "ip_conntrack_ftp, " $MODPROBE ip_conntrack_ftp #Load the IRC tracking mechanism for full IRC tracking # # Enabled by default -- insert a "#" on the next line to deactivate # echo -en "ip_conntrack_irc, " $MODPROBE ip_conntrack_irc #Load the general IPTABLES NAT code - "iptable_nat" # - Loaded automatically when MASQ functionality is turned on # # - Loaded manually to clean up kernel auto-loading timing issues # echo -en "iptable_nat, " $MODPROBE iptable_nat #Loads the FTP NAT functionality into the core IPTABLES code # Required to support non-PASV FTP. # # Enabled by default -- insert a "#" on the next line to deactivate # echo -en "ip_nat_ftp, " $MODPROBE ip_nat_ftp #Loads the IRC NAT functionality into the core IPTABLES code # Required to support NAT of IRC DCC requests # # Disabled by default -- remove the "#" on the next line to activate # #echo -e "ip_nat_irc" #$MODPROBE ip_nat_irc echo "----------------------------------------------------------------------" # Just to be complete, here is a partial list of some of the other # IPTABLES kernel modules and their function. Please note that most # of these modules (the ipt ones) are automatically loaded by the # master kernel module for proper operation and don't need to be # manually loaded. # -------------------------------------------------------------------- # # ip_nat_snmp_basic - this module allows for proper NATing of some # SNMP traffic # # iptable_mangle - this target allows for packets to be # manipulated for things like the TCPMSS # option, etc. # # -- # # ipt_mark - this target marks a given packet for future action. # This automatically loads the ipt_MARK module # # ipt_tcpmss - this target allows to manipulate the TCP MSS # option for braindead remote firewalls. # This automatically loads the ipt_TCPMSS module # # ipt_limit - this target allows for packets to be limited to # to many hits per sec/min/hr # # ipt_multiport - this match allows for targets within a range # of port numbers vs. listing each port individually # # ipt_state - this match allows to catch packets with various # IP and TCP flags set/unset # # ipt_unclean - this match allows to catch packets that have invalid # IP/TCP flags set # # iptable_filter - this module allows for packets to be DROPped, # REJECTed, or LOGged. This module automatically # loads the following modules: # # ipt_LOG - this target allows for packets to be # logged # # ipt_REJECT - this target DROPs the packet and returns # a configurable ICMP packet back to the # sender. # echo -e " Done loading modules.\n" #CRITICAL: Enable IP forwarding since it is disabled by default since # # Redhat Users: you may try changing the options in # /etc/sysconfig/network from: # # FORWARD_IPV4=false # to # FORWARD_IPV4=true # echo " Enabling forwarding.." echo "1" > /proc/sys/net/ipv4/ip_forward # Dynamic IP users: # # If you get your IP address dynamically from SLIP, PPP, or DHCP, # enable this following option. This enables dynamic-address hacking # which makes the life with Diald and similar programs much easier. # echo " Enabling DynamicAddr.." echo "1" > /proc/sys/net/ipv4/ip_dynaddr # Enable simple IP forwarding and Masquerading # # NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT. # # NOTE #2: The following is an example for an internal LAN address in the # 192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask # connecting to the Internet on external interface "eth0". This # example will MASQ internal traffic out to the Internet but not # allow non-initiated traffic into your internal network. # # # ** Please change the above network numbers, subnet mask, and your # *** Internet connection interface name to match your setup # #Clearing any previous configuration # # Unless specified, the defaults for INPUT and OUTPUT is ACCEPT # The default for FORWARD is DROP (REJECT is not a valid policy) # # Isn't ACCEPT insecure? To some degree, YES, but this is our testing # phase. Once we know that IPMASQ is working well, I recommend you run # the rc.firewall-*-stronger rulesets which set the defaults to DROP but # also include the critical additional rulesets to still let you connect to # the IPMASQ server, etc. # echo " Clearing any existing rules and setting default policy.." $IPTABLES -P INPUT ACCEPT $IPTABLES -F INPUT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -F OUTPUT $IPTABLES -P FORWARD DROP $IPTABLES -F FORWARD $IPTABLES -t nat -F echo " FWD: Allow all connections OUT and only existing and related ones IN" $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT $IPTABLES -A FORWARD -j LOG echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF" $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE echo -e "\nrc.firewall-iptables v$FWVER done.\n"
Ahora haceis un “chmod 700 /etc/rcS.d/S89enrutado” para cambiarle los permisos. Por cierto, tanto eth0 como eth1 deben de tener la misma ip y demás. Os pongo mi /etc/network/interfaces para que entendais a que me refiero:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).# The loopback network interface
auto lo
iface lo inet loopback# The primary network interface
allow-hotplug eth0 eth1
iface eth0 inet static
address 192.168.1.3
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
dns-nameservers 80.58.61.250 80.58.61.254
dns-search Staredsi.net
post-up iptables-restore < /etc/iptables.up.rules
# dns-* options are implemented by the resolvconf package, if installed
iface eth1 inet static
address 192.168.1.3
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
Como os podeis fijar, misma ip, netmask, network y broadcast para que funcione. Además de tener a eth0 y eth1 con “allow-hotplug”. Creedme que me ha dado muchos quebraderos de cabeza esto.
Y con esto tenemos la parte más importante completada. Después de hacer correctamente esto, debería de haber conexión a traves del servidor a Internet. Nos tocaría configurar manualmente cada ordenador que se conectara ya sea por wifi como en mi caso o cable de red a esta tarjeta poniendo ip y demás, pero ¡cuidado!, la puerta de enlace o gateway debe de ser la del servidor. En mi caso es 192.168.1.3.
Y llegados a este punto, aprovechemos el tiempo y pongamos un servidor DHCP para que asigne las ips automáticamente
(Paso 2) – Instalar el servidor dhcp
Esta parte es muy sencilla, o para mi lo ha sido después de encontrar este fantástico artículo.
Primero instalamos el servidor haciendo un “apt-get install dhcp” . Una vez instalado editamos el fichero “/etc/default/dhcp” y buscamos la linea INTERFACES=”" y ponemos eth1 entre las comillas. Debe de ser eth1 o la tarjeta donde se van a conectar los clientes. Puedes poner más de una separadas por un espacio.
Y ahora editamos el fichero /etc/dhcpd.conf para añadir las reglas del servidor dhcp. El fichero viene muy bien documentado, así que no tendreis problemas para definir las reglas. De todas formas voy a poner el mio para que veais como lo tengo yo:
#
# Sample configuration file for ISC dhcpd for Debian
#
# $Id: dhcpd.conf,v 1.4.2.2 2002/07/10 03:50:33 peloy Exp $
## option definitions common to all supported networks…
# option domain-name “vmunix.passacaglia”;
# option domain-name-servers toccata.fugue.com;# option subnet-mask 255.255.255.0;
# default-lease-time 3600;
# max-lease-time 7200;#subnet 204.254.239.0 netmask 255.255.255.224 {
# range 204.254.239.10 204.254.239.20;
# option broadcast-address 204.254.239.31;
# option routers prelude.fugue.com;
#}# The other subnet that shares this physical network
#subnet 204.254.239.32 netmask 255.255.255.224 {
# range dynamic-bootp 204.254.239.10 204.254.239.20;
# option broadcast-address 204.254.239.31;
# option routers snarg.fugue.com;
#}#subnet 192.5.5.0 netmask 255.255.255.224 {
# range 192.5.5.26 192.5.5.30;
# option name-servers bb.home.vix.com, gw.home.vix.com;
# option domain-name “vix.com”;
# option routers 192.5.5.1;
# option subnet-mask 255.255.255.224;
# option broadcast-address 192.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.#host passacaglia {
# hardware ethernet 0:0:c0:5d:bd:95;
# filename “vmunix.passacaglia”;
# server-name “toccata.fugue.com”;
#}# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
#host fantasia {
# hardware ethernet 08:00:07:26:c0:a5;
# fixed-address fantasia.fugue.com;
#}# If a DHCP or BOOTP client is mobile and might be connected to a variety
# of networks, more than one fixed address for that host can be specified.
# Hosts can have fixed addresses on some networks, but receive dynamically
# allocated address on other subnets; in order to support this, a host
# declaration for that client must be given which does not have a fixed
# address. If a client should get different parameters depending on
# what subnet it boots on, host declarations for each such network should
# be given. Finally, if a domain name is given for a host’s fixed address
# and that domain name evaluates to more than one address, the address
# corresponding to the network to which the client is attached, if any,
# will be assigned.
#host confusia {
# hardware ethernet 02:03:04:05:06:07;
# fixed-address confusia-1.fugue.com, confusia-2.fugue.com;
# filename “vmunix.confusia”;
# server-name “toccata.fugue.com”;
#}#host confusia {
# hardware ethernet 02:03:04:05:06:07;
# fixed-address confusia-3.fugue.com;
# filename “vmunix.confusia”;
# server-name “snarg.fugue.com”;
#}#host confusia {
# hardware ethernet 02:03:04:05:06:07;
# filename “vmunix.confusia”;
# server-name “bb.home.vix.com”;
#}
subnet 192.168.1.0 netmask 255.255.255.0 {option domain-name “Staredsi.net”;
option domain-name-servers 192.168.1.3;
option subnet-mask 255.255.255.0;
default-lease-time 3600;
max-lease-time 7200;
range dynamic-bootp 192.168.1.50 192.168.1.100;
option routers 192.168.1.3;
option broadcast-address 192.168.1.255;
option netbios-name-servers 192.168.1.1; }
Como podeis ver se define la dns, el gateway o router, el broadcast, la mascara de subred…
Finalmente si quereis podemos instalar un servidor de DNS y configurarlo.
(Paso 3) – Servidor DNS
Pues ya estamos con el servidor configurado para que haga enrutado y encima lo haga con dhcp. ¿Porque no instalar un servidor DNS? Como siempre en internet hay howto “pa tó” y este es el que yo he encontrado. Sencillamente hay que hacer lo siguiente:
Primero instalamos el servidor de DNS Bind9 con el comando “apt-get install bind9″ . Y una vez esté instalado, editamos el fichero “/etc/bind/named.conf.options” y editamos las linias debajo de “forwarders”. Yo he puesto las dos DNS de Telefonica, vosotros poner las vuestras 
. Os pongo mi fichero entero:
options {
directory “/var/cache/bind”;// If there is a firewall between you and nameservers you want
// to talk to, you might need to uncomment the query-source
// directive below. Previous versions of BIND always asked
// questions using port 53, but BIND 8.1 and later use an unprivileged
// port by default.// query-source address * port 53;
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0’s placeholder.forwarders {
80.58.61.250;
80.58.61.254;
};auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
Y hasta aquí llega todo esto, espero que os haya sido de utilidad
