How to Convert Your Linux Server into a Router

Router/firewall appliances that provide basic Internet connectivity for a small office or home network are becoming more affordable every day, but when budgets are tight you might seriously want to consider modifying an existing Linux server to do the job.

Details on how to configure Linux firewall security are covered in Chapter 14, but you need to understand how to activate routing through the firewall before it can become a functioning networking device.

Configuring IP Forwarding

For your Linux server to become a router, you have to enable packet forwarding. In simple terms, packet forwarding allows packets to flow through the Linux box from one network to another.

The Linux kernel configuration parameter that activates this is named net.ipv4.ip_forward and can be found in the file /etc/sysctl.conf. Edit the line related to packet forwarding so that the parameter is set to 1, as shown in the before and after listings below.

Before:

     # Disables packet forwarding
     net.ipv4.ip_forward=0

After:

     # Enables packet forwarding
     net.ipv4.ip_forward=1

Editing the file alone enables packet forwarding only after the next reboot, when Linux applies the setting by writing it to the corresponding entry in the special RAM-based /proc filesystem. To activate the feature immediately, you have to force Linux to read the /etc/sysctl.conf file with the sysctl command using the -p switch. Here is how it's done:

     [root@bigboy tmp] sysctl -p
     sysctl -p
     net.ipv4.ip_forward = 1
     net.ipv4.conf.default.rp_filter = 1
     kernel.sysrq = 0
     kernel.core_uses_pid = 1
     [root@bigboy tmp]#

Please refer to Appendix I, "Miscellaneous Linux Topics," for more information on adjusting kernel parameters.

Configuring Proxy ARP

If a server needs to send a packet to another device on the same network, it sends out an ARP request to the network asking for the MAC address of the other device.

If the same server needs to send a packet to another device on a remote network the process is different. The server first takes a look at its routing table to find out the IP address of the best router on its network that will be able to relay the packet to the destination. The server then sends an ARP request for the MAC address that matches the router's IP address. It then sends the packet to the router using the router's MAC address and a destination IP address of the remote server.

If there is no suitable router on its network, the server instead sends out an ARP request for the MAC address of the remote server itself. Some routers can be configured to answer these types of ARP requests on behalf of remote networks. This feature is called proxy ARP. It has some disadvantages. One of the most common problems occurs when two routers on the same network are configured for proxy ARP: either one may answer the local server's ARP request for the MAC address of the remote server. If one of the routers has an incorrect routing table entry for the remote network, there is the risk that traffic to the remote server will occasionally get lost. In other words, you can lose routing control.

Note

It is for this and other reasons that it is generally not a good idea to configure proxy ARP on a router. It is also good to always configure a default gateway on your server and use separate routing entries via other routers for all networks your default gateway may not know about.


Some types of bridging mode firewalls need to have proxy ARP enabled to operate properly. These devices are typically inserted as part of a daisy chain connecting multiple network switches on the same LAN while protecting one section of a LAN from traffic originating on another section. The firewall typically isn't configured with an IP address on the LAN and appears to be an intelligent cable capable of selectively blocking packets.

If you need to enable proxy ARP on a Linux server, the /proc filesystem comes into play again. Proxy ARP is controlled by files in the /proc/sys/net/ipv4/conf/ directory, which has a subdirectory for each functioning NIC on your server. Each subdirectory contains a file called proxy_arp. If the value in this file is 0, proxy ARP on that interface is disabled; if the value is 1, it is enabled.

You can use the /etc/sysctl.conf file mentioned in Appendix II to activate or disable proxy ARP. The next example activates proxy ARP, first for all interfaces and then for interfaces eth1 and wlan0:

     #
     # File: /etc/sysctl.conf
     #

     # Enables Proxy ARP on all interfaces
     net/ipv4/conf/all/proxy_arp = 1

     # Enables Proxy ARP on interfaces eth1 and wlan0
     net/ipv4/conf/eth1/proxy_arp = 1
     net/ipv4/conf/wlan0/proxy_arp = 1

You can then activate these settings with the sysctl command:

     [root@bigboy tmp] sysctl -p
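The two procedures above (setting net.ipv4.ip_forward in /etc/sysctl.conf, and setting or checking proxy_arp per interface) are easy to get wrong by hand: a key can end up listed twice, a commented copy can be mistaken for the live one, and nothing tells you which interfaces currently answer ARP for remote networks. The following script is an added example, not code from the original text or from any Linux distribution. It takes the configuration file and the /proc directory as parameters so it can be exercised on a scratch copy without root, and it relies on sysctl accepting both the dotted (net.ipv4.ip_forward) and slash (net/ipv4/conf/all/proxy_arp) key notations used on this page. The sample sysctl.conf contents and the fake /proc tree in demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: helpers for the sysctl keys discussed above.
# - set_sysctl_key: rewrite or append KEY = VALUE in a sysctl.conf-style file
# - conf_value:     report the value sysctl -p would apply for KEY
# - proxy_arp_enabled_ifaces: list interfaces whose proxy_arp flag is 1
# Paths are parameters (assumption) so the functions run against scratch files.

# sysctl accepts both net.ipv4.ip_forward and net/ipv4/ip_forward,
# so compare every key in dotted form.
norm_key() {
    printf '%s\n' "$1" | tr '/' '.'
}

# Print the effective value of KEY in CONF: comments are ignored and the
# last uncommented assignment wins, which is how sysctl -p applies a file.
# Prints nothing if the key is absent.
conf_value() {
    conf=$1; key=$(norm_key "$2")
    grep -v '^[[:space:]]*#' "$conf" | grep '=' | while IFS='=' read -r k v; do
        k=$(norm_key "$(printf '%s' "$k" | tr -d '[:space:]')")
        v=$(printf '%s' "$v" | tr -d '[:space:]')
        [ "$k" = "$key" ] && printf '%s\n' "$v"
    done | tail -n 1
}

# Set KEY = VALUE in CONF. An existing assignment of that key (even one that
# is commented out with #) is replaced in place, so the key never appears
# twice; if no assignment exists, one is appended. Other lines are untouched.
set_sysctl_key() {
    conf=$1; key=$(norm_key "$2"); value=$3
    tmp=$(mktemp)
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        # drop leading whitespace and any comment marker before inspecting
        stripped=$(printf '%s' "$line" | sed 's/^[[:space:]]*#*[[:space:]]*//')
        k=$(printf '%s' "$stripped" | cut -d= -f1 | tr -d '[:space:]')
        if [ -n "$k" ] && [ "$(norm_key "$k")" = "$key" ] \
           && printf '%s' "$stripped" | grep -q '='; then
            printf '%s = %s\n' "$key" "$value" >> "$tmp"
            found=1
        else
            printf '%s\n' "$line" >> "$tmp"
        fi
    done < "$conf"
    [ "$found" -eq 1 ] || printf '%s = %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$conf"
}

# Audit proxy ARP: print the name of every interface directory under ROOT
# (normally /proc/sys/net/ipv4/conf) whose proxy_arp file holds 1. A router
# answering ARP for remote networks is the situation the text warns about,
# so on most servers the expected output is empty.
proxy_arp_enabled_ifaces() {
    root=${1:-/proc/sys/net/ipv4/conf}
    for f in "$root"/*/proxy_arp; do
        [ -r "$f" ] || continue
        if [ "$(tr -d '[:space:]' < "$f")" = "1" ]; then
            basename "$(dirname "$f")"
        fi
    done
}

# Demonstration on constructed scratch data, so it runs without root.
demo() {
    work=$(mktemp -d)
    cat > "$work/sysctl.conf" <<'EOF'
# Disables packet forwarding
net.ipv4.ip_forward=0
net.ipv4.conf.default.rp_filter = 1
EOF
    set_sysctl_key "$work/sysctl.conf" net.ipv4.ip_forward 1
    set_sysctl_key "$work/sysctl.conf" net/ipv4/conf/all/proxy_arp 0
    printf 'ip_forward=%s proxy_arp(all)=%s\n' \
        "$(conf_value "$work/sysctl.conf" net.ipv4.ip_forward)" \
        "$(conf_value "$work/sysctl.conf" net.ipv4.conf.all.proxy_arp)"
    # constructed /proc-like tree: eth1 has proxy ARP on, eth0 off
    mkdir -p "$work/conf/eth0" "$work/conf/eth1"
    echo 0 > "$work/conf/eth0/proxy_arp"
    echo 1 > "$work/conf/eth1/proxy_arp"
    printf 'interfaces with proxy ARP enabled: %s\n' \
        "$(proxy_arp_enabled_ifaces "$work/conf")"
    rm -rf "$work"
}

demo
```

On a real router you would call `set_sysctl_key /etc/sysctl.conf net.ipv4.ip_forward 1` followed by `sysctl -p`, and run `proxy_arp_enabled_ifaces` with no argument to see which live interfaces currently have proxy ARP on; the default-argument form reads /proc/sys/net/ipv4/conf directly, so it reflects the running kernel rather than the file.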