
UbuntuHelp:UbuntuWirelessRouter

From Ubuntu中文

Revision as of 00:56, 20 October 2008 (Mon) by Wikibot (talk | contribs)


NOTE: This article is currently being rewritten from scratch. Visit UbuntuWirelessRouter/New to view this new documentation. Reply note from the original author: in the end, this article has not been rewritten by you after 18 months, so I suggest next time you write the replacement before pointing people to nothing. You might not like my page, but at least, it does exist ;-)


Let me first remind the reader of an important thing: this is a Wiki. That means: if you know better, then please please please edit this page: correct, complete, annotate. You are more than welcome to do that; you are encouraged. Twice! If you want to write to me directly, my wiki page is Ubuntu:HervéFache. Also consider the Ubuntu help page for Dnsmasq. The idea of this page is to group a number of solutions that help build a wireless router based on a standard computer running Ubuntu, as I am currently doing at home. Basically, you need:

  • some way for each machine to obtain the network configuration (IP address, router address, name server address) dynamically (DHCP)
  • a way to convert names into addresses, i.e. a domain name service (DNS), updated by the DHCP service (dynamic DNS or D-DNS)
  • network address translation on one machine which will be the gateway/router (NAT)
  • for the wireless and wired access, a bridge between the two interfaces: see BridgingNetworkInterfaces

It is also nice to have:

  • a caching name service, so that you don't go through external name servers all the time, which might be slow (caching DNS)
  • WPA-PSK (not tried in the end, but you may want to check WifiDocs/WPAHowTo)

DHCP, D-DNS and caching DNS

DHCP and ZeroConf (Avahi) play well together. I have Dnsmasq doing DHCP with dynamic DNS updates, but I can still ping <machine name>.local and it works. You will need Dnsmasq (from the universe repository) for this:

sudo apt-get install dnsmasq

Let's have a look at what I have in my configuration file, /etc/dnsmasq.conf:

domain-needed
bogus-priv
resolv-file=/etc/nameservers
listen-address=192.168.0.2
expand-hosts
domain=example.com
dhcp-range=192.168.0.21,192.168.0.250,168h

What does that all mean?

  • domain-needed: add domain to names
  • bogus-priv: keep private addresses in the local network (as I understand it)
  • resolv-file: use /etc/nameservers to find the name servers' addresses
  • listen-address: only listen on whatever interface has IP address 192.168.0.2 for the DHCP and DNS services
  • expand-hosts: if you have just the machine name in the hosts file, add the domain to it
  • domain: name of the domain, example.com
  • dhcp-range: range of IPs to serve, 192.168.0.21 to 192.168.0.250, with a lease time of 168 hours (1 week)

Note: the broadcast address, network mask and router parameters are automatically set to the expected values by Dnsmasq. Now, as you can see, I told Dnsmasq to use a different file from /etc/resolv.conf to find the name servers: /etc/nameservers. Why is that? Because I want the server itself to use the caching facilities of Dnsmasq. Let me explain. When asking for an address, what usually happens is:

  • ask for ubuntu.com
  • look at /etc/resolv.conf to find out the IPs of name servers
  • ask the name servers for the IP address for ubuntu.com

What we want here is:

  • ask for ubuntu.com
  • look at /etc/resolv.conf to find out the IP of the (caching) name server
  • ask the caching name server for the IP address for ubuntu.com
  • the caching name server will in turn look at /etc/nameservers to find out the name servers
  • the caching name server will ask the name servers for the IP address for ubuntu.com

Of course, if the caching name server already knows the IP address for ubuntu.com, it will answer with no further ado; that's the whole point. So you need to create a /etc/nameservers file which, if you are currently connected to your ISP, is just a copy of your current /etc/resolv.conf. Then you want to tell your DHCP client not to overwrite /etc/resolv.conf anymore, or to set it to what you want. In my /etc/dhclient.conf, I added:

interface "eth0" {
        supersede domain-name "example.com";
        supersede domain-name-servers 192.168.0.2;
}

Here eth0 is the interface connected to the internet, 'example.com' my local domain, and 192.168.0.2 my server's IP address (not 127.0.0.1, which is not served by Dnsmasq here!). In case you're using PPP, and although I cannot test this, it seems you have to edit the file /etc/ppp/peers/dsl-provider and comment out the line usepeerdns, so ppp won't overwrite your resolv.conf:

#usepeerdns

This also means you have to modify resolv.conf manually to:

search example.com
nameserver 192.168.0.2

The last thing is to make sure that your /etc/hosts file is correct, so Dnsmasq can serve IP addresses from it, in my case the server's address. Leave the IPv6 stuff alone; the first two lines should look like this (if your server is called 'server'):

127.0.0.1 localhost.localdomain localhost
192.168.0.2 server.example.com server

Restart Dnsmasq and the network and you're done:

sudo /etc/init.d/dnsmasq restart
sudo /etc/init.d/networking restart
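The resolver chain described above (clients, the server included, ask Dnsmasq on 192.168.0.2, which asks the servers listed in /etc/nameservers) is easy to get subtly wrong, for example by leaving the ISP's servers in /etc/resolv.conf or by copying 192.168.0.2 into /etc/nameservers, which makes Dnsmasq forward every cache miss to itself. The following shell script is an added example, not part of the wiki page: it checks those conditions, taking the file paths as parameters so it can be tried on copies of the files; the --check invocation at the end assumes the page's addresses and paths.

```shell
#!/bin/sh
# Added example, not from the wiki page: sanity-check the resolver chain
# set up above.  File paths are parameters so the check can be run on copies.
# Usage: check_resolver_chain LISTEN_ADDR RESOLV_CONF NAMESERVERS_FILE
# Returns 0 when the chain is consistent, 1 with a reason on stderr.

nameservers_in() {
    # Print the addresses of the nameserver lines of a resolver-style file.
    awk '$1 == "nameserver" { print $2 }' "$1"
}

check_resolver_chain() {
    listen="$1"; resolv="$2"; upstream="$3"
    [ -r "$resolv" ]   || { echo "$resolv missing or unreadable" >&2; return 1; }
    [ -r "$upstream" ] || { echo "$upstream missing or unreadable" >&2; return 1; }

    # 1. Dnsmasq is bound to the LAN address (listen-address=), not to
    #    loopback, so 127.0.0.1 is not a usable resolver in this setup.
    if [ "$listen" = "127.0.0.1" ]; then
        echo "127.0.0.1 is not served by this Dnsmasq setup" >&2
        return 1
    fi

    # 2. Every client, the server included, must resolve through Dnsmasq
    #    only: resolv.conf lists exactly one nameserver, the listen address.
    local_ns=$(nameservers_in "$resolv")
    if [ "$local_ns" != "$listen" ]; then
        echo "$resolv must name only $listen (found: ${local_ns:-none})" >&2
        return 1
    fi

    # 3. The upstream file (resolv-file=) must name at least one server
    #    that is not Dnsmasq itself, or every cache miss loops back to us.
    n=0
    for ns in $(nameservers_in "$upstream"); do
        if [ "$ns" = "$listen" ] || [ "$ns" = "127.0.0.1" ]; then
            echo "$upstream points back at Dnsmasq ($ns): forwarding loop" >&2
            return 1
        fi
        n=$((n + 1))
    done
    [ "$n" -gt 0 ] || { echo "$upstream has no nameserver lines" >&2; return 1; }
    return 0
}

# Check the live files with the page's addresses: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_resolver_chain 192.168.0.2 /etc/resolv.conf /etc/nameservers && echo "resolver chain OK"
fi
```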

Network Address Translation and Firewall

That's even easier, thanks to NetFilter. This requires iptables:

sudo apt-get install iptables

The NAT itself is just a matter of:

# Internet side interface
wanint=eth0

# Local network
localnet=192.168.0.0/24

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s $localnet -d 0.0.0.0/0 -o $wanint -j MASQUERADE

As we are messing with iptables, let's just suggest a simple firewall:

iptables -A INPUT -i $wanint -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i $wanint -m state --state NEW,INVALID -j DROP

These rules drop any new or invalid connection attempt arriving on the internet-side interface, whether it is addressed to the router itself (INPUT) or to a machine behind it (FORWARD); replies to connections started from the inside still pass. You can automate the setup of your NAT/firewall by adding this to the script /etc/rc.local.
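The NAT and firewall commands above, as an added example that is not the wiki's own script: the rules are wrapped in functions and issued through a variable so the whole set can be printed with IPT=echo and reviewed before it goes into /etc/rc.local. Beyond the page's two rules, the INPUT chain is tightened so that the router itself only offers the Dnsmasq services (DNS and DHCP) to the LAN. Interface and network values are the page's; br0 is an assumed name for the bridged wired+wireless LAN interface.

```shell
#!/bin/sh
# Added example (not the wiki's own script): the NAT and firewall rules
# above wrapped in functions and issued through $IPT, so they can be
# dry-run with IPT=echo before going into /etc/rc.local.
# Interface and network values are the page's; br0 is an assumed name
# for the bridged wired+wireless LAN interface.

wanint="${WANINT:-eth0}"                # internet side interface
lanint="${LANINT:-br0}"                 # bridged LAN (assumed name)
localnet="${LOCALNET:-192.168.0.0/24}"
IPT="${IPT:-iptables}"
IP_FORWARD="${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}"

nat_rules() {
    # Masquerade the LAN behind the WAN address, as on the page.
    $IPT -t nat -A POSTROUTING -s "$localnet" -o "$wanint" -j MASQUERADE
}

firewall_rules() {
    # The page's two rules: nothing new or invalid from the WAN side.
    $IPT -A INPUT   -i "$wanint" -m state --state NEW,INVALID -j DROP
    $IPT -A FORWARD -i "$wanint" -m state --state NEW,INVALID -j DROP
    # Tighter INPUT: the router itself only offers the Dnsmasq services
    # (DNS 53, DHCP 67) to the LAN; add other LAN-only services (e.g. ssh)
    # before the final DROP.  DHCP discovers come from 0.0.0.0, so that
    # rule carries no source filter.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$lanint" -s "$localnet" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$lanint" -s "$localnet" -p tcp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$lanint" -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -m state --state NEW -j DROP
    # FORWARD keeps its default ACCEPT policy, so LAN to WAN keeps working.
}

apply_router() {
    echo 1 > "$IP_FORWARD"
    nat_rules
    firewall_rules
}

# Dry run (prints the rules instead of installing them):
#   IPT=echo IP_FORWARD=/dev/null sh router.sh --dry-run
# On the real router, call apply_router from /etc/rc.local as root.
if [ "${1:-}" = "--dry-run" ]; then apply_router; fi
```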