“UbuntuHelp:UbuntuWirelessRouter”的版本间的差异
来自Ubuntu中文
小 |
小 |
||
| 第4行: | 第4行: | ||
---- | ---- | ||
Let me first remind the reader an important thing: this is a Wiki. That means: if you know better, then please please please edit this page, correct, complete, anotate. You are more than welcome to do that, you are encouraged. Twice! | Let me first remind the reader an important thing: this is a Wiki. That means: if you know better, then please please please edit this page, correct, complete, anotate. You are more than welcome to do that, you are encouraged. Twice! | ||
| − | |||
If you want to write to me directly, my wiki page is Ubuntu:HervéFache. | If you want to write to me directly, my wiki page is Ubuntu:HervéFache. | ||
| − | |||
Also, consider the Ubuntu help page for [[UbuntuHelp:Dnsmasq]]. | Also, consider the Ubuntu help page for [[UbuntuHelp:Dnsmasq]]. | ||
| − | |||
The idea of this page is to group a number of solutions that help build a wireless router based on a standard computer running Ubuntu, as I am currently doing at home. | The idea of this page is to group a number of solutions that help build a wireless router based on a standard computer running Ubuntu, as I am currently doing at home. | ||
| − | |||
Basically, you need: | Basically, you need: | ||
* some way for each machine to obtain the network configuration (IP address, router address, name server address) dynamically (DHCP) | * some way for each machine to obtain the network configuration (IP address, router address, name server address) dynamically (DHCP) | ||
| 第16行: | 第12行: | ||
* network address translation on one machine which will be the gateway/router (NAT) | * network address translation on one machine which will be the gateway/router (NAT) | ||
* for the wireless and wired access, a bridge between the two interfaces: see BridgingNetworkInterfaces | * for the wireless and wired access, a bridge between the two interfaces: see BridgingNetworkInterfaces | ||
| − | |||
It is also nice to have: | It is also nice to have: | ||
* a cacheing name service, not to ask your ISPs name servers all the time, which might be slow (cacheing DNS) | * a cacheing name service, not to ask your ISPs name servers all the time, which might be slow (cacheing DNS) | ||
* WPA-PSK (to be implemented, then written, alternatively check [[UbuntuHelp:WifiDocs/WPAHowTo]]) | * WPA-PSK (to be implemented, then written, alternatively check [[UbuntuHelp:WifiDocs/WPAHowTo]]) | ||
| − | |||
== DHCP, D-DNS and cacheing DNS == | == DHCP, D-DNS and cacheing DNS == | ||
| − | |||
I am not sure how well DHCP and ZeroConf can play together. For now, I have Dnsmasq which also does dynamic DNS updates. | I am not sure how well DHCP and ZeroConf can play together. For now, I have Dnsmasq which also does dynamic DNS updates. | ||
| − | |||
You will need Dnsmasq (from the universe repository) for this: | You will need Dnsmasq (from the universe repository) for this: | ||
<pre><nowiki> | <pre><nowiki> | ||
sudo apt-get install dnsmasq | sudo apt-get install dnsmasq | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
Let's have a look at what I have in my configuration file, /etc/dnsmasq.conf: | Let's have a look at what I have in my configuration file, /etc/dnsmasq.conf: | ||
<pre><nowiki> | <pre><nowiki> | ||
| 第40行: | 第31行: | ||
dhcp-range=192.168.0.21,192.168.0.250,168h | dhcp-range=192.168.0.21,192.168.0.250,168h | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
What does that all mean? | What does that all mean? | ||
* add domain to names | * add domain to names | ||
| 第49行: | 第39行: | ||
* name of the domain: example.com | * name of the domain: example.com | ||
* range of IPs to serve: 192.168.0.21 to 192.168.0.250, with a lease time of 168 hours (1 week) | * range of IPs to serve: 192.168.0.21 to 192.168.0.250, with a lease time of 168 hours (1 week) | ||
| − | |||
Note: the broadcast address, network mask and router parameters are automatically set to the expected values by Dnsmasq. | Note: the broadcast address, network mask and router parameters are automatically set to the expected values by Dnsmasq. | ||
| − | |||
Now, as you can see, I told Dnsmasq to use a different file from /etc/resolv.conf to find the nameservers: /etc/nameservers, why is that? Because I want the server itself to use the cacheing facilities of Dnsmasq. Let me explain. | Now, as you can see, I told Dnsmasq to use a different file from /etc/resolv.conf to find the nameservers: /etc/nameservers, why is that? Because I want the server itself to use the cacheing facilities of Dnsmasq. Let me explain. | ||
When asking for an address, what usually happens is: | When asking for an address, what usually happens is: | ||
| 第64行: | 第52行: | ||
* the cacheing name server will ask the name servers for the IP address for ubuntu.com | * the cacheing name server will ask the name servers for the IP address for ubuntu.com | ||
Of course, if the cacheing name server already knows the IP address for ubuntu.com, it will answer with no further ado, that's the whole point. | Of course, if the cacheing name server already knows the IP address for ubuntu.com, it will answer with no further ado, that's the whole point. | ||
| − | |||
So you need to create a /etc/nameservers file, which, if you are currently connected to your ISP, is just a copy of your current /etc/resolv.conf. Then you want to tell your DHCP client to not overwrite /etc/resolv.conf anymore, or to set it to what you want: | So you need to create a /etc/nameservers file, which, if you are currently connected to your ISP, is just a copy of your current /etc/resolv.conf. Then you want to tell your DHCP client to not overwrite /etc/resolv.conf anymore, or to set it to what you want: | ||
| − | |||
In my /etc/dhclient.conf, I added: | In my /etc/dhclient.conf, I added: | ||
<pre><nowiki> | <pre><nowiki> | ||
| 第75行: | 第61行: | ||
</nowiki></pre> | </nowiki></pre> | ||
Where eth0 is the interface connected to the internet, 'example.com' my local domain, and 192.168.0.2 my IP address (not 127.0.0.1, which is not served by Dnsmasq here!). | Where eth0 is the interface connected to the internet, 'example.com' my local domain, and 192.168.0.2 my IP address (not 127.0.0.1, which is not served by Dnsmasq here!). | ||
| − | |||
In case you're using PPP, and although I cannot test this, it seems you have to edit the file /etc/ppp/peers/dsl-provider and comment the line usepeerdns, so ppp won't overwrite your resolv.conf: | In case you're using PPP, and although I cannot test this, it seems you have to edit the file /etc/ppp/peers/dsl-provider and comment the line usepeerdns, so ppp won't overwrite your resolv.conf: | ||
<pre><nowiki> | <pre><nowiki> | ||
#usepeerdns | #usepeerdns | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
This also means you have to modify resolv.conf manually to: | This also means you have to modify resolv.conf manually to: | ||
<pre><nowiki> | <pre><nowiki> | ||
| 第86行: | 第70行: | ||
nameserver 192.168.0.2 | nameserver 192.168.0.2 | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
The last thing is to make sure that your /etc/hosts file is correct, so Dnsmasq can serve IP addresses from it, in my case the server's address. You want to leave the IPv6 stuff alone, the two first lines should look like this (if your server is called 'server'): | The last thing is to make sure that your /etc/hosts file is correct, so Dnsmasq can serve IP addresses from it, in my case the server's address. You want to leave the IPv6 stuff alone, the two first lines should look like this (if your server is called 'server'): | ||
<pre><nowiki> | <pre><nowiki> | ||
| 第92行: | 第75行: | ||
192.168.0.2 server.example.com server | 192.168.0.2 server.example.com server | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
Restart Dnsmasq and the network and you're done: | Restart Dnsmasq and the network and you're done: | ||
<pre><nowiki> | <pre><nowiki> | ||
| 第98行: | 第80行: | ||
sudo /etc/init.d/networking restart | sudo /etc/init.d/networking restart | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
== Network Address Translation and Firewall == | == Network Address Translation and Firewall == | ||
| − | |||
That's even easier, thanks to [http://www.netfilter.org/ NetFilter.] | That's even easier, thanks to [http://www.netfilter.org/ NetFilter.] | ||
| − | |||
This requires iptables: | This requires iptables: | ||
<pre><nowiki> | <pre><nowiki> | ||
sudo apt-get install iptables | sudo apt-get install iptables | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
The NAT itself is just a matter of: | The NAT itself is just a matter of: | ||
<pre><nowiki> | <pre><nowiki> | ||
# Internet side interface | # Internet side interface | ||
wanint=eth0 | wanint=eth0 | ||
| − | |||
# Local network | # Local network | ||
localnet=192.168.0.0/24 | localnet=192.168.0.0/24 | ||
| − | |||
echo 1 > /proc/sys/net/ipv4/ip_forward | echo 1 > /proc/sys/net/ipv4/ip_forward | ||
iptables -t nat -A POSTROUTING -s $localnet -d 0.0.0.0/0 -o $wanint -j MASQUERADE | iptables -t nat -A POSTROUTING -s $localnet -d 0.0.0.0/0 -o $wanint -j MASQUERADE | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
As we are messing with iptables, let's just suggest a simple firewall: | As we are messing with iptables, let's just suggest a simple firewall: | ||
<pre><nowiki> | <pre><nowiki> | ||
| 第125行: | 第100行: | ||
iptables -A FORWARD -i $wanint -m state --state NEW,INVALID -j DROP | iptables -A FORWARD -i $wanint -m state --state NEW,INVALID -j DROP | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
These rules reject anything that tries to come in from the internet network interface. | These rules reject anything that tries to come in from the internet network interface. | ||
| − | |||
You can automatize the setup of your NAT/firewall by adding this to the script /etc/rc.local. | You can automatize the setup of your NAT/firewall by adding this to the script /etc/rc.local. | ||
---- | ---- | ||
2007年11月30日 (五) 21:57的版本
 |
点击翻译: |
English |
请不要直接编辑翻译本页,本页将定期与来源同步。 |
NOTE: This article is currently being rewritten from scratch. Visit UbuntuHelp:UbuntuWirelessRouter/New to view this new documentation.
Let me first remind the reader an important thing: this is a Wiki. That means: if you know better, then please please please edit this page, correct, complete, anotate. You are more than welcome to do that, you are encouraged. Twice! If you want to write to me directly, my wiki page is Ubuntu:HervéFache. Also, consider the Ubuntu help page for UbuntuHelp:Dnsmasq. The idea of this page is to group a number of solutions that help build a wireless router based on a standard computer running Ubuntu, as I am currently doing at home. Basically, you need:
- some way for each machine to obtain the network configuration (IP address, router address, name server address) dynamically (DHCP)
- a way to convert names into addresses, i.e. a domain name service (DNS), updated by the DHCP service (dynamic DNS or D-DNS)
- network address translation on one machine which will be the gateway/router (NAT)
- for the wireless and wired access, a bridge between the two interfaces: see BridgingNetworkInterfaces
It is also nice to have:
- a cacheing name service, not to ask your ISPs name servers all the time, which might be slow (cacheing DNS)
- WPA-PSK (to be implemented, then written, alternatively check UbuntuHelp:WifiDocs/WPAHowTo)
DHCP, D-DNS and cacheing DNS
I am not sure how well DHCP and ZeroConf can play together. For now, I have Dnsmasq which also does dynamic DNS updates. You will need Dnsmasq (from the universe repository) for this:
sudo apt-get install dnsmasq
Let's have a look at what I have in my configuration file, /etc/dnsmasq.conf:
domain-needed bogus-priv resolv-file=/etc/nameservers listen-address=192.168.0.2 expand-hosts domain=example.com dhcp-range=192.168.0.21,192.168.0.250,168h
What does that all mean?
- add domain to names
- keep private addresses in the local network (AIUI)
- use /etc/nameservers to find the name servers addresses
- only listen on whatever interface has IP address 192.168.0.2 for DHCP and DNS services
- if you have just the machine name in the hosts file, add the domain to it
- name of the domain: example.com
- range of IPs to serve: 192.168.0.21 to 192.168.0.250, with a lease time of 168 hours (1 week)
Note: the broadcast address, network mask and router parameters are automatically set to the expected values by Dnsmasq. Now, as you can see, I told Dnsmasq to use a different file from /etc/resolv.conf to find the nameservers: /etc/nameservers, why is that? Because I want the server itself to use the cacheing facilities of Dnsmasq. Let me explain. When asking for an address, what usually happens is:
- ask for ubuntu.com
- look at /etc/resolv.conf to find out the IPs of name servers
- ask the name servers for the IP address for ubuntu.com
What we want here is:
- ask for ubuntu.com
- look at /etc/resolv.conf to find out the IP of the (cacheing) name server
- ask the cacheing name server for the IP address for ubuntu.com
- the cacheing name server will in turn look at /etc/nameservers to find out the name servers
- the cacheing name server will ask the name servers for the IP address for ubuntu.com
Of course, if the cacheing name server already knows the IP address for ubuntu.com, it will answer with no further ado, that's the whole point. So you need to create a /etc/nameservers file, which, if you are currently connected to your ISP, is just a copy of your current /etc/resolv.conf. Then you want to tell your DHCP client to not overwrite /etc/resolv.conf anymore, or to set it to what you want: In my /etc/dhclient.conf, I added:
interface "eth0" {
supersede domain-name "example.com";
supersede domain-name-servers 192.168.0.2;
}
Where eth0 is the interface connected to the internet, 'example.com' my local domain, and 192.168.0.2 my IP address (not 127.0.0.1, which is not served by Dnsmasq here!). In case you're using PPP, and although I cannot test this, it seems you have to edit the file /etc/ppp/peers/dsl-provider and comment the line usepeerdns, so ppp won't overwrite your resolv.conf:
#usepeerdns
This also means you have to modify resolv.conf manually to:
search example.com nameserver 192.168.0.2
The last thing is to make sure that your /etc/hosts file is correct, so Dnsmasq can serve IP addresses from it, in my case the server's address. You want to leave the IPv6 stuff alone, the two first lines should look like this (if your server is called 'server'):
127.0.0.1 localhost.localdomain localhost 192.168.0.2 server.example.com server
Restart Dnsmasq and the network and you're done:
sudo /etc/init.d/dnsmasq restart sudo /etc/init.d/networking restart
Network Address Translation and Firewall
That's even easier, thanks to NetFilter. This requires iptables:
sudo apt-get install iptables
The NAT itself is just a matter of:
# Internet side interface wanint=eth0 # Local network localnet=192.168.0.0/24 echo 1 > /proc/sys/net/ipv4/ip_forward iptables -t nat -A POSTROUTING -s $localnet -d 0.0.0.0/0 -o $wanint -j MASQUERADE
As we are messing with iptables, let's just suggest a simple firewall:
iptables -A INPUT -i $wanint -m state --state NEW,INVALID -j DROP iptables -A FORWARD -i $wanint -m state --state NEW,INVALID -j DROP
These rules reject anything that tries to come in from the internet network interface. You can automatize the setup of your NAT/firewall by adding this to the script /etc/rc.local.
