Building an Internet Gateway The ABC of NAT on BSD
Overview
• Introduction
• Equipment
• Configuration
  • Installation & LAN
  • Internet sharing via POTS/ADSL modem
  • Internet sharing via cable modem
  • Firewall
  • Configuring LAN Machines
• Caveats & Future Options
Introduction
• Aim is to:
  • Share an Internet connection over a LAN
  • Protect the LAN from the Internet
• Also hope to:
  • require only minimal maintenance,
  • provide a remote administration capability,
  • provide automatic configuration for the LAN, and
  • not interfere with normal Internet use.
Introduction
• Why build a PC-based gateway?
• To run services, such as:
  • a domain name service for local machines,
  • a shared web proxy,
  • a personal or business web server,
  • a mail server to centralise access to your mail,
  • a file server for backup or extra storage.
• To impress your friends/opposite sex.
• Because you love FreeBSD.
Equipment
• A basic PC
  • CPU & motherboard (a Pentium 90 or better is more than enough)
  • RAM, HDD, FDD, video card, keyboard, etc.
  • Newer peripherals are better!
• A network card for the LAN
• A hub/switch and cables for the LAN
• A modem (POTS, ADSL, or cable)
  • ADSL and cable modems usually attach via Ethernet, so they need a second network card
Install & Configure LAN
• Install FreeBSD (follow the handbook)
• Use sysinstall to enable IP forwarding (the gateway function)
  • Or add gateway_enable="YES" to /etc/rc.conf
  • Or, for the running system only, run sysctl -w net.inet.ip.forwarding=1
• Set up the network card for the LAN
  • Use a static address from the private (RFC 1918) ranges; these are never routed on the Internet, so they are safe to use behind NAT
  • E.g. 192.168.0.1/24 or 10.0.0.1/24
Configure PPP
• POTS and ADSL users
• Config stored in /etc/ppp/ppp.conf
• Samples in /usr/share/examples/ppp/
• Can set up multiple profiles in one file
• Can choose operating mode:
  • ddial – continuous connection (redials whenever the link drops)
  • auto – on-demand connection (dials when traffic needs the link)
  • background – once-off connection
Configure PPP
• Profiles share a default configuration
• Sample:
    default:
     ident user-ppp VERSION (built COMPILATIONDATE)
     allow users root ppp
     set log Phase Chat LCP IPCP CCP tun command
     set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
     accept chap
     accept pap
     add default HISADDR
     nat enable yes
     enable dns
• The /0 masks in "set ifaddr" let the ISP assign both ends of the link
• "add default HISADDR" installs the default route via the peer once it is known
• "nat enable yes" turns on ppp's built-in NAT for the LAN; "enable dns" takes resolver addresses from the ISP
• "allow users" lists who may start the link: keep it to root and the ppp user
Configure PPP over POTS
• Need to specify a basic modem script
• Sample:
    dialup:
     set device /dev/cuaa0
     set redial 15+30 3
     set reconnect 15 3
     set speed 115200
     set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
       \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
     set login ""
     set timeout 0
     set phone dialup-phone
     set authname dialup-username
     set authkey dialup-password
• /dev/cuaa0 is the first serial port on the FreeBSD of the day (later releases name it /dev/cuad0 or /dev/cuau0)
• ppp.conf holds the account password in clear text: keep it owned by root with mode 0600
Configure PPP over ADSL
• Needs netgraph(4) PPPoE support
  • kldload netgraph (ppp(8) loads the ng_pppoe node and its helpers itself if they are not already in the kernel)
• Sample profile:
    adsl:
     set device PPPoE:interface-name
     set mru 1492
     set mtu 1492
     set speed sync
     enable lqr
     set dial ""
     set login ""
     set redial 15 10000
     set timeout 0
     set lqrperiod 5
     set authname adsl-username
     set authkey adsl-password
• interface-name is the network card plugged into the ADSL modem
• MTU/MRU of 1492 leave room for the 8-byte PPPoE header inside a 1500-byte Ethernet frame
Running PPP
• PPP is invoked with a mode and a profile
  • E.g. ppp -auto dialup
• To run at start-up edit /etc/rc.conf
• E.g. for ADSL:
    ppp_enable="YES"
    ppp_mode="ddial"
    ppp_profile="adsl"
    ppp_user="ppp"
    ppp_nat="YES"
Configure for Cable
• Use DHCP to configure the outside network card
• NAT is done by natd(8), which translates packets handed to it by an ipfw divert rule; rc.firewall adds that rule when natd_enable is set, and the kernel needs divert socket support (IPDIVERT)
• Configure natd(8) to run at start-up
• Add to /etc/rc.conf (rl0 is the card facing the cable modem):
    natd_enable="YES"
    natd_interface="rl0"
    natd_flags="-dynamic"
• -dynamic makes natd follow the address whenever DHCP changes it
Configure for BigPond Cable
• Telstra BigPond users need BPALogin to authenticate to the network
• Download the FreeBSD port (http://bpalogin.sourceforge.net/)
• Extract (tar -xvzf bpalogin-port.tar.gz)
• Build (cd bpalogin ; make)
• Install (make install)
• Edit /usr/local/etc/bpalogin.conf
Configure for BigPond Cable
• Sample /usr/local/etc/bpalogin.conf:
    # Print some diagnostics
    debuglevel 1
    # Authentication details
    username your-username
    password your-password
    # You can override the default domain if you do not have
    # search vic.bigpond.net.au in your /etc/resolv.conf
    authdomain vic.bigpond.net.au
    # Use port 5050 on the local machine
    localport 5050
    # Set the minimum heartbeat interval.
    minheartbeatinterval 60
• Like ppp.conf, this file holds a clear-text password: root-only, mode 0600
Configuring Firewall
• FreeBSD ships a "simple" ruleset for a LAN gateway in /etc/rc.firewall
• Allows incoming mail (25), web (80) and DNS to the gateway
• Allows all outgoing traffic; all other incoming connections are denied
• Needs minor tweaks to rc.firewall when the outside address is assigned dynamically
• Enable through /etc/rc.conf:
    firewall_enable="YES"
    firewall_type="simple"
• If the gateway runs no mail or web server, delete those pass rules: every port opened on the outside interface is reachable by the whole Internet
Configuring Firewall
• Edit rc.firewall (about line 20); the lines marked "# delete" describe the outside network, which is unknown when the ISP assigns the address dynamically
    # set these to your outside interface network and netmask and ip
    oif="ed0"
    onet="192.0.2.0"            # delete
    omask="255.255.255.240"     # delete
    oip="192.0.2.1"
    # set these to your inside interface network and netmask and ip
    iif="ed1"
    inet="192.168.0.0"
    imask="255.255.255.0"
    iip="192.168.0.1"
    setup_loopback
    # Stop spoofing
    ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
    ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}   # delete
• The first anti-spoofing rule must stay: it drops packets arriving from the Internet that claim a LAN source address, and it must precede the pass rules
• Rules further down the "simple" section that use ${oip} (mail, web, DNS) assume a fixed outside address; delete them or rewrite them for the services you actually run
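The anti-spoofing rule only works because ipfw evaluates rules first-match in number order and because the rule is bound to the outside interface with "in via". The following Python model of that evaluation is an added example, not code from the slides or from FreeBSD; it assumes the interface names and inside network from the rc.firewall fragment above, collapses the rest of the "simple" ruleset into one pass rule, and assumes a deny-by-default kernel (built without IPFIREWALL_DEFAULT_TO_ACCEPT). The packets are constructed for the demonstration.

```python
"""Added example: first-match evaluation of the anti-spoofing rule (model only)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Interface names and inside network as in the rc.firewall fragment above.
OIF = "ed0"                                    # outside interface
IIF = "ed1"                                    # inside (LAN) interface
INET = ipaddress.ip_network("192.168.0.0/24")  # inside network


@dataclass(frozen=True)
class Packet:
    src: str    # source address in the IP header (whatever the sender claims)
    iface: str  # interface it arrived on; this is what "in via" tests


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                                   # "deny" or "pass"
    src: Optional[ipaddress.IPv4Network] = None   # None means "from any"
    in_via: Optional[str] = None                  # None means any interface

    def matches(self, p: Packet) -> bool:
        if self.src is not None and ipaddress.ip_address(p.src) not in self.src:
            return False
        if self.in_via is not None and p.iface != self.in_via:
            return False
        return True


def evaluate(rules: list[Rule], p: Packet) -> tuple[int, str]:
    """Walk the rules in number order and return the first match, as ipfw does.
    Rule 65535 is ipfw's default; assumed to be deny here (kernel built
    without IPFIREWALL_DEFAULT_TO_ACCEPT)."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(p):
            return r.number, r.action
    return 65535, "deny"


# The slide's rule, then a single pass rule standing in for the rest of the
# "simple" ruleset.
CORRECT = [Rule(100, "deny", src=INET, in_via=OIF), Rule(200, "pass")]
# Same two rules with the order swapped: the deny is never reached.
MISORDERED = [Rule(100, "pass"), Rule(200, "deny", src=INET, in_via=OIF)]
# Anti-spoofing rule written without "in via ${oif}": it also matches real LAN
# traffic arriving on the inside interface.
NO_IFACE = [Rule(100, "deny", src=INET), Rule(200, "pass")]

# Constructed packets: a forged LAN address arriving from the Internet, a real
# LAN host, and an ordinary Internet source (198.51.100.0/24 is a documentation range).
SPOOFED = Packet("192.168.0.5", OIF)
LAN = Packet("192.168.0.5", IIF)
REMOTE = Packet("198.51.100.9", OIF)


def verdicts(rules: list[Rule]) -> dict[str, str]:
    """Action each constructed packet receives under a ruleset."""
    cases = (("spoofed", SPOOFED), ("lan", LAN), ("remote", REMOTE))
    return {name: evaluate(rules, p)[1] for name, p in cases}


if __name__ == "__main__":
    for name, rules in (("correct", CORRECT), ("misordered", MISORDERED), ("no in via", NO_IFACE)):
        print(f"{name:10s} {verdicts(rules)}")
```

Running it shows the three outcomes a practitioner should check for after editing rc.firewall: the correct ordering denies the spoofed packet and passes the other two, the misordered set passes the forgery, and the rule without "in via" cuts the LAN off from the gateway.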
Configuring LAN Machines
• Configure each with a static IP on the LAN subnet
  • E.g. 192.168.0.2, 192.168.0.3, ... up to 192.168.0.254
  • Netmask is the same as the gateway's (e.g. 255.255.255.0)
• DNS server addresses must be entered by hand (copy them from the gateway's /etc/resolv.conf)
• Default gateway is the LAN address of the BSD box (e.g. 192.168.0.1); some operating systems call it the router
Caveats
• NAT interferes with traffic
  • Okay for most connections (e.g. TCP): replies are matched to the outbound flow that created them
  • Breaks active FTP (use passive FTP)
  • Creates problems for ICQ (and other UDP): there is no connection to track, so mappings are short-lived and unsolicited inbound packets are dropped
  • Breaks protocols that embed the local IP address in their payload, since NAT rewrites only the IP header
• Firewalls can cause problems
  • Some protocols expect incoming connections, which the simple ruleset (and NAT) refuse
  • E.g. identd for IRC, gnutella, other P2P
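To make the caveats concrete, here is an added Python model of the translation the gateway performs; it is not code from the slides, from ppp(8) or from natd(8). It assumes a public address of 203.0.113.7 for the outside interface (a documentation range), allocates public ports from 40000, and deliberately has no application-layer helper, so it shows what happens to an active-FTP PORT command when only the IP header is rewritten (FreeBSD's libalias does carry an FTP helper; the slide's advice to use passive FTP avoids depending on one). The packets and the PORT payload are constructed.

```python
"""Added example: what the gateway's NAT does to a flow, and why embedded addresses break."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, replace
from typing import Optional

PUBLIC_IP = "203.0.113.7"  # assumed address of the outside interface (TEST-NET-3 documentation range)


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


class Nat:
    """Source address/port translation keyed on the full 5-tuple, in the
    style of ppp's "nat enable" and natd(8). Model only, no protocol helpers."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # outbound 5-tuple -> public port
        self.out_map: dict[tuple, int] = {}
        # (proto, public port, remote ip, remote port) -> LAN endpoint
        self.in_map: dict[tuple, tuple[str, int]] = {}

    def outbound(self, p: Packet) -> Packet:
        """LAN -> Internet: rewrite the source to the public address and a
        gateway-chosen port, remembering the mapping so replies can come back."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        port = self.out_map.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(p.proto, port, p.dst, p.dport)] = (p.src, p.sport)
        return replace(p, src=self.public_ip, sport=port)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Internet -> LAN: only packets matching an existing outbound flow are
        forwarded; anything unsolicited (identd, P2P, a server on a LAN host)
        is dropped, which is also what protects the LAN."""
        entry = self.in_map.get((p.proto, p.dport, p.src, p.sport))
        if entry is None:
            return None
        lan_ip, lan_port = entry
        return replace(p, dst=lan_ip, dport=lan_port)


PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def port_command_target(payload: str) -> Optional[tuple[str, int]]:
    """Address and port an active-FTP client tells the server to connect back to."""
    m = PORT_RE.search(payload)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def active_ftp_breaks(nat: Nat) -> bool:
    """Constructed active-FTP control packet: the IP header is translated but
    the PORT command in the payload is not, so the server is told to connect
    to a private address it cannot reach."""
    ctl = Packet("tcp", "192.168.0.2", 1500, "198.51.100.9", 21,
                 payload="PORT 192,168,0,2,4,1\r\n")
    sent = nat.outbound(ctl)
    target = port_command_target(sent.payload)
    if target is None:
        return False
    ip, _port = target
    return sent.src == nat.public_ip and ipaddress.ip_address(ip).is_private


if __name__ == "__main__":
    nat = Nat(PUBLIC_IP)
    query = nat.outbound(Packet("udp", "192.168.0.2", 5000, "198.51.100.1", 53))
    print("outbound:", query)
    print("reply:", nat.inbound(Packet("udp", "198.51.100.1", 53, PUBLIC_IP, query.sport)))
    print("unsolicited identd:", nat.inbound(Packet("tcp", "198.51.100.1", 6667, PUBLIC_IP, 113)))
    print("active FTP broken:", active_ftp_breaks(Nat(PUBLIC_IP)))
```

The same mapping table explains both halves of the slide: an outbound DNS query gets a reply back because the 5-tuple was recorded, an inbound identd connection is dropped because nothing recorded it, and the PORT command still names 192.168.0.2 after translation.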
Future
• Use the gateway as a DHCP server
  • Automatically provide IP, DNS and gateway settings to LAN machines
• Web proxy (e.g. squid)
• Web server (e.g. apache)
• Mail server (e.g. postfix, qmail)
• IMAP mail store (e.g. cyrus, courier)