First of all, you will have noted that the SheevaPlug is a little limited in Ethernet ports to be a router - being that it only has one. So I popped into the local Apple Store to buy a USB Ethernet adapter ( http://store.apple.com/uk/product/MB442Z/A ) which, at under £20, isn't bad value - especially as it works out-of-the-box with the SheevaPlug.
I could wait until the GuruPlug Server Plus is available with two Gigabit Ethernet ports but, for me, the 100Mbps USB Ethernet adapter will do fine for my ADSL broadband.
I think I should explain that my ADSL router, a nice Cisco 837, is only bridging the IP network onto its Ethernet ports. It isn't doing any NAT or other nastiness to my IPv4 connection, but it is also terminating an IPv6 tunnel into Sixxs ( https://www.sixxs.net/main/ ).
The very first thing I need to do is make the SheevaPlug more secure.
Initially, when you receive the SheevaPlug, there is only a root user with a very publicly known password, and the root user can connect using ssh. If we connect the SheevaPlug to the Internet in this state it will get pwned!
To make the SheevaPlug more secure, change the root user's password and disable ssh access for the root user:
# passwd
# nano /etc/ssh/sshd_config
# service sshd restart
Make sure /etc/ssh/sshd_config includes the following line (in the default SheevaPlug install, line 26 has PermitRootLogin yes, which we must change):
PermitRootLogin no
Then make a new user that you will use to log in (I'll use myuser as an example), add them to the sudo group, and make sure the sudo group has sudo permissions:
# adduser myuser
# adduser myuser sudo
# visudo
The last line of /etc/sudoers must be uncommented and look something like this:
%sudo ALL=(ALL) ALL
perhaps with the "NOPASSWD" option, but personally I have left that off.
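The sshd_config edit above is easy to get wrong by hand (a second PermitRootLogin line further down, or an indented one, is silently used by sshd because it honours the first matching directive). This is an added example, not from the original post: a small POSIX shell script that rewrites every uncommented PermitRootLogin line to "no", appends one if the file has none, and then verifies the effective value. The file path is a parameter; the demonstration at the bottom works on a constructed temporary copy, so running the script as-is changes nothing on the system.

```shell
#!/bin/sh
# Added example (not the post's own commands): enforce and verify
# "PermitRootLogin no" in an sshd_config file given as $1.
set -eu

# Rewrite every uncommented PermitRootLogin line to "no"; append one if absent.
# A temp file plus mv is used instead of sed -i so the script stays portable.
harden_sshd_config() {
    cfg="$1"
    if grep -Eq '^[[:space:]]*PermitRootLogin[[:space:]]' "$cfg"; then
        sed 's/^[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' "$cfg" > "$cfg.tmp" \
            && mv "$cfg.tmp" "$cfg"
    else
        printf 'PermitRootLogin no\n' >> "$cfg"
    fi
}

# Return 0 only if the effective PermitRootLogin value is "no".
# sshd uses the first matching directive, so only the first uncommented one counts.
root_login_disabled() {
    val=$(grep -E '^[[:space:]]*PermitRootLogin[[:space:]]' "$1" | head -n1 | awk '{print $2}')
    [ "$val" = "no" ]
}

# Demonstration on a constructed sample config, not the real /etc/ssh/sshd_config.
demo=$(mktemp)
printf '# constructed sample sshd_config\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$demo"
harden_sshd_config "$demo"
if root_login_disabled "$demo"; then
    echo "root ssh login disabled in $demo"
else
    echo "PermitRootLogin is still not 'no' in $demo" >&2
fi
rm -f "$demo"
```

On the real box you would call harden_sshd_config /etc/ssh/sshd_config as root, run sshd -t to syntax-check the file, and only then restart sshd, keeping your existing session open until a fresh login as myuser (and a refused login as root) has been confirmed.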
From this point on I'll assume you've logged on as the user you've just created.
So, on with making the SheevaPlug into a router/firewall.
Set up the IP addresses on the SheevaPlug
My ISP allocates me an IPv4 /29 subnet (8 IP addresses, including the unusable network and broadcast addresses and the address that the router gets) so I have 5 usable IPv4 addresses in my Internet WAN side network. I need to allocate one of those IPv4 addresses to the SheevaPlug. The SheevaPlug will then NAT into my home LAN to one IPv4 /24 subnet (more subnets will come later when I get a VLAN capable switch).
I also have an IPv6 /48 subnet routed from Sixxs and I want the SheevaPlug to route a /64 subnet into my home LAN.
eth1 is the USB Ethernet adapter that I'm using for the Internet WAN side network, so this is what I add to /etc/network/interfaces on the SheevaPlug to configure eth1:
auto eth1
iface eth1 inet static
name External Ethernet interface
address 82.xxx.yyy.28
netmask 255.255.255.248
network 82.xxx.yyy.24
broadcast 82.xxx.yyy.31
gateway 82.xxx.yyy.30
iface eth1 inet6 static
address 2a01:mmmm:nnnn:1::28
netmask 64
gateway 2a01:mmmm:nnnn:1::30
eth0 is the built-in Ethernet port on the SheevaPlug, which I am using for my home LAN, so this is what I add to /etc/network/interfaces to configure eth0:
auto eth0
iface eth0 inet static
name Internal Ethernet interface
address 10.xxx.yyy.20
netmask 255.255.255.0
network 10.xxx.yyy.0
broadcast 10.xxx.yyy.255
gateway 10.xxx.yyy.1
iface eth0 inet6 static
address 2a01:mmmm:nnnn:64::20
netmask 64
and if I restart the networking and connect the Ethernet adapters I can ping and ping6 hosts on both networks.
$ sudo service networking restart
Check the output of ifconfig and the IP address and route tables to see that everything looks correct.
$ ifconfig
$ ip -4 address show
$ ip -4 route show
$ ip -6 address show
$ ip -6 route show
You may need to kill the dhcp client, since it doesn't seem to go away when you convert an interface from being 'dhcp' to being 'static', and clean up the routing table.
$ ps -ef | grep dhclient
root 1630 907 0 11:18 ? 00:00:00 /sbin/dhclient -d -sf ...
$ sudo kill 1630
$ sudo ip -4 route del default dev eth0
$ sudo ip -6 route del default dev eth0
Make the SheevaPlug route IPv4 and IPv6
Now that we have a server connected to the Internet WAN and home LAN we need to convert it into a router. We also need to create a firewall script that will protect the LAN hosts from being attacked over IPv4 and IPv6, while allowing them NAT IPv4 access and direct IPv6 to the Internet.
To make a Linux Kernel route IPv4 you run this as root:
/sbin/sysctl -w net.ipv4.ip_forward="1"
To make a Linux kernel route IPv6 you run this as root:
/sbin/sysctl -w net.ipv6.conf.all.forwarding="1"
So, what I do is write two scripts, one for IPv4 and one for IPv6. In those scripts I include all the sysctl calls I want, to enable routing and tweak the IP security, and all the iptables calls I want to create my kick-ass firewall. This tutorial is not going to describe how to create a firewall - there are plenty of other web sites doing that. But once you have your firewall honed to perfection you want to apply it to your SheevaPlug router.
Because this is just my home network I only want to implement the firewall when the Internet WAN facing Ethernet port is up. The easiest way to achieve that is to run the scripts I just described in the 'pre-up' phase of enabling eth1 (the USB Ethernet adapter):
auto eth1
iface eth1 inet static
pre-up /usr/local/firewall/IPv4
name External Ethernet interface
address 82.xxx.yyy.28
netmask 255.255.255.248
network 82.xxx.yyy.24
broadcast 82.xxx.yyy.31
gateway 82.xxx.yyy.30
iface eth1 inet6 static
pre-up /usr/local/firewall/IPv6
address 2a01:mmmm:nnnn:1::28
netmask 64
gateway 2a01:mmmm:nnnn:1::30
Now if we bounce eth1 it will get reconfigured with routing enabled and all the firewall rules applied:
$ sudo ifdown eth1 && sudo ifup eth1
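The post deliberately leaves the contents of /usr/local/firewall/IPv4 and /usr/local/firewall/IPv6 to the reader. As an added example, not the post's own scripts, here is the shape such a script takes for the layout described above: the sysctl calls that turn on forwarding and tighten spoofing and redirect handling, a default-deny IPv4 ruleset with stateful replies and LAN-to-WAN masquerading, and a default-deny IPv6 ruleset with no NAT that still lets ICMPv6 through (without that, neighbour discovery and path-MTU discovery break for the LAN hosts). eth1 as WAN and eth0 as LAN are taken from the post; the 10.0.0.0/24 and 2001:db8:0:64::/64 prefixes are constructed stand-ins for the post's 10.xxx.yyy.0/24 and 2a01:mmmm:nnnn:64::/64 placeholders. Commands are only executed when APPLY=1 is set in the environment; otherwise the script prints them, so the ruleset can be reviewed (or diffed against what is running) without root.

```shell
#!/bin/sh
# Added example, not the post's /usr/local/firewall/IPv4 or IPv6 scripts.
# Interface names and prefixes are assumptions, overridable from the environment.
WAN="${WAN:-eth1}"
LAN="${LAN:-eth0}"
LAN4="${LAN4:-10.0.0.0/24}"            # constructed stand-in for 10.xxx.yyy.0/24
LAN6="${LAN6:-2001:db8:0:64::/64}"     # constructed stand-in for the routed /64
APPLY="${APPLY:-0}"                    # 0 = print commands, 1 = execute them

# Execute a command when APPLY=1, otherwise just print it.
run() {
    if [ "$APPLY" = "1" ]; then "$@"; else echo "$*"; fi
}

# Kernel knobs: forwarding on, reverse-path filtering, no source routing or redirects.
sysctl_rules() {
    run /sbin/sysctl -w net.ipv4.ip_forward=1
    run /sbin/sysctl -w net.ipv6.conf.all.forwarding=1
    run /sbin/sysctl -w net.ipv4.conf.all.rp_filter=1
    run /sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0
    run /sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0
    run /sbin/sysctl -w net.ipv6.conf.all.accept_redirects=0
    run /sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
}

# IPv4: default-deny INPUT and FORWARD, stateful replies, LAN -> WAN with NAT.
iptables_rules() {
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$LAN" -s "$LAN4" -j ACCEPT
    run iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN4" -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN4" -j MASQUERADE
}

# IPv6: same default-deny shape but routed directly (no NAT); ICMPv6 must pass.
ip6tables_rules() {
    run ip6tables -F
    run ip6tables -P INPUT DROP
    run ip6tables -P FORWARD DROP
    run ip6tables -P OUTPUT ACCEPT
    run ip6tables -A INPUT -i lo -j ACCEPT
    run ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run ip6tables -A INPUT -p icmpv6 -j ACCEPT
    run ip6tables -A INPUT -i "$LAN" -s "$LAN6" -j ACCEPT
    run ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run ip6tables -A FORWARD -p icmpv6 -j ACCEPT
    run ip6tables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN6" -j ACCEPT
}

apply_firewall() {
    sysctl_rules
    iptables_rules
    ip6tables_rules
}

apply_firewall
```

Installed as the pre-up hook shown above it would be run as root by ifup with APPLY=1 set; run without it from a normal shell it only lists the commands, which is the form you want to read before bouncing eth1, since a typo in a DROP policy can lock you out of the box until you reach the serial console.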
Other services that make a home router useful
In my home network I use a DHCP server to hand out IPv4 addresses to the various clients. So apt-get install dhcp3-server and configure /etc/dhcp3/dhcpd.conf. Since man is not installed on the SheevaPlug by default you may want to read the man page for dhcpd.conf on another server or online. Particularly useful is the failover system in ISC dhcpd 3.1, which allows primary and secondary dhcpd servers so if one server dies or needs maintenance your clients can continue working.
When it's configured you can start the dhcp service; with the default Ubuntu install it will be restarted at boot time.
$ sudo service dhcpd start
In my home network I use a RADVD server to hand out IPv6 addresses to the various clients. So apt-get install radvd and configure /etc/radvd.conf. Since /etc/radvd.conf is not created by default it's probably easiest to copy the simple example and edit that.
$ sudo cp -a /usr/share/doc/radvd/examples/simple-radvd.conf /etc/radvd.conf
$ sudo nano /etc/radvd.conf
As an example, this is my simple radvd.conf:
interface eth0
{
AdvSendAdvert on;
prefix 2a01:mmmm:nnnn:64::/64
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
};
};
When it's configured you can start the radvd service; with the default Ubuntu install it will be restarted at boot time.
$ sudo service radvd start
In my home network I use a local DNS server to hand out DNS information to the local clients. I also host many domains for friends and family as a 'hidden master', which I secondary onto the Internet via a DNS hosting provider. This tutorial is not going to describe how to create a hidden master DNS server - but it's quite easy to install and setup a caching DNS server which you can hand out to your local clients with your dhcpd server.
$ sudo apt-get install bind9 dnsutils
Yep - that's it. You now have a caching DNS server available - and I only installed dnsutils to get the command 'dig' so we can prove that the local DNS server is working:
$ dig @localhost www.google.com
; <<>> DiG 9.5.1-P2.1 <<>> @localhost www.google.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7035
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 4, ADDITIONAL: 0
;; QUESTION SECTION:
;www.google.com. IN A
;; ANSWER SECTION:
www.google.com. 604730 IN CNAME www.l.google.com.
www.l.google.com. 230 IN CNAME www-tmmdi.l.google.com.
www-tmmdi.l.google.com. 230 IN A 216.239.59.105
www-tmmdi.l.google.com. 230 IN A 216.239.59.106
www-tmmdi.l.google.com. 230 IN A 216.239.59.147
www-tmmdi.l.google.com. 230 IN A 216.239.59.99
www-tmmdi.l.google.com. 230 IN A 216.239.59.103
www-tmmdi.l.google.com. 230 IN A 216.239.59.104
;; AUTHORITY SECTION:
google.com. 172729 IN NS ns3.google.com.
google.com. 172729 IN NS ns4.google.com.
google.com. 172729 IN NS ns1.google.com.
google.com. 172729 IN NS ns2.google.com.
;; Query time: 8 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Apr 4 11:07:45 2010
;; MSG SIZE rcvd: 244