
Linux as a router

I use RedHat as the base for all my installations, not because it's good, but because it's easy and convenient. It is the path of least resistance for me, not the best technical solution. Currently, I'm on RH7.0, with kernel 2.2.19 + David Hinds' pcmcia.

My config at home is a Linux box with two Ethernet interfaces and a wireless LAN interface. Because of the pcmcia, I recompile the kernel and pcmcia from scratch, and throw out the RedHat pcmcia configuration scripts. I need to be able to do different things depending on the hardware address of the card: if it is a wireless LAN card, do one custom thing; if it is a wired LAN card, do another. dhcpd (the DHCP server) needs to be restarted as interfaces come and go, so that's also added to the pcmcia config.

Also, there are a few minor things to be aware of.

Kernel Configuration

My general procedure for building a kernel:

# make configuration changes (.config is kept under RCS: check out locked, edit, check in)
cd /usr/src/linux
co -l .config
make menuconfig
ci -u .config

# build kernel
make dep
make modules bzImage

# build pcmcia
cd pcmcia*
make config
make all

# install pcmcia
make install
cd ..

# install kernel
make modules_install
cp arch/i386/boot/bzImage /boot
cp System.map /boot/

# commit changes and reboot
lilo
reboot

ipchains Configuration

/usr/local/etc/ipchains_config - I call this from both my ppp and pcmcia configuration scripts. It requires an added config item in your ifcfg-eth* files, but it's nothing major. Everything else is done via the existing "local" hooks. Note that there is one major hole/assumption: all internal nets are assumed to be 10 nets (10.x.x.x), and are routed accordingly. This can easily be narrowed, but it is left that way for convenience.

Rough installation pointers
# on boot, initialize the basic filters
echo "/usr/local/etc/ipchains_config init" >>/etc/rc.d/rc.local

# eth0
echo '# security controls for ipchains filters. see /usr/local/etc/ipchains_config' >>/etc/sysconfig/network-scripts/ifcfg-eth0
echo 'SECURITY=yes' >>/etc/sysconfig/network-scripts/ifcfg-eth0
echo 'SECURITY_TYPE=internal' >>/etc/sysconfig/network-scripts/ifcfg-eth0

# eth1
echo '# security controls for ipchains filters. see /usr/local/etc/ipchains_config' >>/etc/sysconfig/network-scripts/ifcfg-eth1
echo 'SECURITY=yes' >>/etc/sysconfig/network-scripts/ifcfg-eth1
echo 'SECURITY_TYPE=external' >>/etc/sysconfig/network-scripts/ifcfg-eth1

# wlan (david hinds' pcmcia scripts, not redhat's)
vi /etc/pcmcia/network.opts
# inside start_fn(), insert:
		/usr/local/etc/ipchains_config up   internal $DEVICE $IPADDR ;
		killall dhcpd ; dhcpd ; return
# inside stop_fn(),  insert:
		/usr/local/etc/ipchains_config down internal $DEVICE $IPADDR ;
		killall dhcpd ; dhcpd ; return

cp /tmp/ifup-local /usr/local/etc/.
ln -s ../usr/local/etc/ifup-local /sbin/ifup-local
ln -s ../../../usr/local/etc/ifup-local /etc/sysconfig/network-scripts/ifup-local

cp /tmp/ifdown-local /usr/local/etc/.
ln -s ../../../usr/local/etc/ifdown-local /etc/sysconfig/network-scripts/ifdown-local
ln -s ../usr/local/etc/ifdown-local /sbin/ifdown-local

And I think that's it...
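
The ifup-local and ifdown-local scripts copied into place above are not shown on this page. The following is an added example, not the author's code: one way such a hook could read the SECURITY and SECURITY_TYPE items and call ipchains_config with the same arguments used in network.opts, refusing any interface marked internal whose address is not on a 10 net. It assumes the network scripts pass the device name as $1; hook_args, is_net10 and main are hypothetical names.

```shell
#!/bin/sh
# Added example: a hypothetical ifup-local/ifdown-local hook, not the author's script.
# Assumption: the network scripts run the hook with the device name as $1.
CFG_DIR="${CFG_DIR:-/etc/sysconfig/network-scripts}"
IPCHAINS_CONFIG="${IPCHAINS_CONFIG:-/usr/local/etc/ipchains_config}"

# True for a four-part dotted address in net 10 (octet range is not checked).
is_net10() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|10.*.*.*.*) return 1 ;;
        10.*.*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "<action> <type> <device> <ipaddr>" for ipchains_config, or fail:
# 1 = no readable ifcfg file, 2 = SECURITY is not "yes", 3 = unsafe values.
# The body is a subshell, so sourcing the ifcfg file cannot leak variables.
hook_args() (
    action="$1" dev="$2"
    case "$dev" in ''|*[!A-Za-z0-9_.:-]*) exit 3 ;; esac
    cfg="$CFG_DIR/ifcfg-$dev"
    [ -r "$cfg" ] || exit 1
    SECURITY="" SECURITY_TYPE="" IPADDR=""
    . "$cfg"
    [ "$SECURITY" = "yes" ] || exit 2
    case "$SECURITY_TYPE" in
        internal) is_net10 "$IPADDR" || exit 3 ;;   # internal must be a 10 net
        external) case "$IPADDR" in *[!0-9.]*) exit 3 ;; esac ;;
        *) exit 3 ;;                                # missing or misspelled type
    esac
    echo "$action $SECURITY_TYPE $dev $IPADDR"
)

# The action comes from the name the hook runs as; the page installs both names.
main() {
    case "${0##*/}" in
        ifup-local)   action=up ;;
        ifdown-local) action=down ;;
        *) echo "run as ifup-local or ifdown-local" >&2; return 64 ;;
    esac
    args=$(hook_args "$action" "$1")
    case $? in
        0) set -- $args; exec "$IPCHAINS_CONFIG" "$@" ;;
        2) return 0 ;;   # interface opted out of filtering
        *) echo "$0: refusing to install filters for '$1'" >&2; return 1 ;;
    esac
}
if [ $# -ge 1 ]; then main "$@"; fi
```

An interface with SECURITY=yes but no valid SECURITY_TYPE is rejected rather than defaulted, so a typo in an ifcfg file cannot silently classify an outside interface as internal.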

Other Configurations


Created 2001.05.01 kjw
Updated 2004.08.09 kjw