Create a local network using a second LAN interface



tntrush
25th February 2013, 05:36 PM
Hello,

I have written a tutorial on how to create a local network. This is mostly my effort to remember what changes I have made to my system. The reason I did it is that I do not want to buy a new switch in order to connect another computer to my network and I decided to use my spare LAN interface.

I did not manage to make ends meet with the default Fedora 18 firewall, so I installed shorewall, which is a very simple and straightforward command-line interface that handles iptables.

OK, this is not an official guide with security in mind that applies all known development standards in order to have a sound and brand new web network.

It is just a workaround to save a few Euro from buying a new switch. (Indeed I had a few of them in my closet but you never find something when you need it).

However, if you feel that it suits your taste, it might give you a starting point for further investigation on this subject, given that you follow the provided links to the relevant documentation.

Therefore, I would not be very fond of answering questions. Probably your system has a different configuration that this guide is unaware of. Please, follow the links to the relevant documentation.

Documentation

1) Fedora Network Interfaces (https://docs.fedoraproject.org/en-US/Fedora/15/html/Deployment_Guide/ch-Network_Interfaces.html)
2) Shorewall, Getting Started (http://www.shorewall.net/GettingStarted.html)
3) Shorewall, Introduction (http://www.shorewall.net/Introduction.html)
4) Shorewall, Two-Interface Firewall (http://www.shorewall.net/two-interface.htm)
5) Fedora, Configuring DHCP Server (http://docs.fedoraproject.org/en-US/Fedora/16/html/System_Administrators_Guide/s1-dhcp-configuring-server.html)

After this disclaimer, I am very happy to start configuring!


My box has 2 LAN interfaces:

1) em1
2) em2

I am using em1 as an interface to connect to the internet, therefore it is my public interface.

I decided to use the second interface as a network provider for my local network. It will be my local interface!

This means that I managed to connect another box to that interface and grant this box access to the internet through that interface.

What tools will we need?

Ingredients

1) Network Manager
2) Enable IP Forwarding
3) Shorewall firewall. (I am not an expert but shorewall provides a straightforward way of defining things. Its "drawback" is that it is configured from the command line.)
4) DHCP
5) Positive thinking!

1) First of all, we will set up the second LAN interface (https://docs.fedoraproject.org/en-US/Fedora/15/html/Deployment_Guide/ch-Network_Interfaces.html) "em2", giving it the IP address 192.168.117.1

The main option is to use the network manager (http://docs.fedoraproject.org/en-US/Fedora/14/html/Deployment_Guide/sec-Interacting_with_NetworkManager.html):


nm-connection-editor &
There, I have my two interfaces em1 and em2, and I edit interface em2.

Under the "General" tab, I check

"Automatically connect to this network when it is available"
and

"All users may connect to this network"
Under the Ethernet tab, I get the device MAC address and an automatic MTU.

Under IPv4 settings I define a "Manual Method" and under "addresses" I add

Address -> "192.168.117.1"
Netmask -> "255.255.255.0"
Gateway -> "192.168.117.1"

I also click on

Require IPv4 addressing for this connection to complete.

This is the /etc/sysconfig/network-scripts/ifcfg-em2 file that was produced:


TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=em2
UUID="XXX" <- my UUID here
ONBOOT=yes
ZONE=public
BROADCAST=192.168.117.255
NETWORK=192.168.117.0
DEVICE="em2"
IPADDR0=192.168.117.1
PREFIX0=24
GATEWAY0=192.168.117.1
HWADDR="XXX" <- My hardware number here
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes


2) We have to enable IP forwarding in our system in order to use IP Masquerading (http://encyclopedia2.thefreedictionary.com/IP+masquerading) for our network to work.

/etc/sysctl.conf
*EDIT*

The proper file to enter the new settings would be
/etc/sysctl.d/ip_forward
(Options for a better name are always welcome!)

add

net.ipv4.ip_forward = 1

After saving the file, run the command


sysctl -p /etc/sysctl.d/ip_forward


3) install shorewall.


yum install shorewall

The shorewall documentation can be accessed here (http://www.shorewall.net/GettingStarted.html).

I will continue giving the specific changes I have made to my shorewall files, using the introduction (http://www.shorewall.net/Introduction.html) and the basic two interface (http://www.shorewall.net/two-interface.htm) documentation.

You can also find all the necessary documentation in your box executing the following command:


rpm -ql shorewall | fgrep two-interfaces

/etc/shorewall.conf


line 12
STARTUP_ENABLED=Yes

line 32
LOGFILE=/var/log/shorewall.log

line 155
IP_FORWARDING=On


/etc/shorewall/interfaces


#ZONE INTERFACE OPTIONS
net em1
loc em2


/etc/shorewall/zones


#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
loc ipv4


The following file, defines the policy that we will use for our interfaces.
1) Drop all incoming traffic to the public interface.
2) Allow all outgoing traffic to the public interface.
3) Allow traffic from local interface to fw. (Not necessary, try without it)


/etc/shorewall/policy

###############################################################################
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
# LEVEL BURST MASK
fw net ACCEPT
loc fw ACCEPT
loc net ACCEPT
net all DROP info
# The following must be last
all all REJECT info

We will change the following file, according to the documentation (http://www.shorewall.net/two-interface.htm#SNAT):

/etc/shorewall/masq


##############################################################################################################
#INTERFACE:DEST SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/ SWITCH ORIGINAL
# GROUP DEST
em1 192.168.117.0/24


In the /etc/shorewall/rules (http://www.shorewall.net/manpages/shorewall-rules.html) we will define the exceptions that have to deviate from our policy.

Examples are also available in the file:

/usr/share/doc/shorewall-4.5.7.1/Samples/two-interfaces/rules


Stop the running firewall service

systemctl stop firewalld.service
systemctl disable firewalld.service


Enable the shorewall service:

systemctl start shorewall.service
systemctl enable shorewall.service


4) Install DHCP (http://docs.fedoraproject.org/en-US/Fedora/16/html/System_Administrators_Guide/s1-dhcp-configuring-server.html)


yum install dhcp

/etc/dhcp/dhcpd.conf


subnet 192.168.117.0 netmask 255.255.255.0 {
option routers 192.168.117.1;
option subnet-mask 255.255.255.0;
option domain-name-servers 172.16.0.1;
option time-offset -18000; # Eastern Standard Time
range 192.168.117.10 192.168.117.100;
}

Start and enable dhcp


systemctl start dhcpd.service
systemctl enable dhcpd.service

5) Feel free to start using the new network, or even better try to buy a new switch!

Kind regards,
tntrush
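A small lint for the policy file from the tutorial above, added here as an example and not part of the original post or of shorewall: it applies the three rules the tutorial's policy encodes (nothing ACCEPTed from the net zone, a net catch-all, "all all REJECT" last) to constructed sample files.

```shell
#!/bin/sh
# Added example: lint a shorewall policy file against the three rules the
# tutorial's policy enforces. Not shorewall's own tooling.
#   1. no policy may ACCEPT traffic whose SOURCE zone is "net"
#   2. the "net" zone needs a DROP or REJECT catch-all ("net all DROP")
#   3. the last policy line must be the "all all REJECT" catch-all
# Prints one FAIL line per finding and returns 0 when clean, 1 otherwise.
lint_policy() {
    file=$1
    rc=0
    # Drop comments and blank lines, collapse runs of whitespace to one space.
    body=$(sed -e 's/#.*//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' "$file" | grep -v '^$')
    if printf '%s\n' "$body" | grep -q '^net [^ ]* ACCEPT'; then
        echo "FAIL: a policy ACCEPTs connections originating in the net zone"
        rc=1
    fi
    if ! printf '%s\n' "$body" | grep -Eq '^net all (DROP|REJECT)'; then
        echo "FAIL: no DROP/REJECT catch-all for the net zone"
        rc=1
    fi
    last=$(printf '%s\n' "$body" | tail -n 1)
    case "$last" in
        "all all REJECT"*) ;;
        *) echo "FAIL: last policy is '$last', expected 'all all REJECT'"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: the policy file from the tutorial.
GOOD_POLICY=$(mktemp)
cat > "$GOOD_POLICY" <<'EOF'
#SOURCE DEST POLICY LOG
fw   net  ACCEPT
loc  fw   ACCEPT
loc  net  ACCEPT
net  all  DROP   info
# The following must be last
all  all  REJECT info
EOF

# Constructed counter-example: catch-all not last, and a policy that lets
# the internet side initiate connections into the LAN.
BAD_POLICY=$(mktemp)
cat > "$BAD_POLICY" <<'EOF'
fw   net  ACCEPT
all  all  REJECT info
net  loc  ACCEPT
EOF

lint_policy "$GOOD_POLICY" && echo "tutorial policy: OK"
lint_policy "$BAD_POLICY" || echo "counter-example: rejected"
```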

DBelton
26th February 2013, 04:29 AM
Just wondering. You said you did this on Fedora 18?

/etc/sysctl.conf isn't used on F18. The settings are now in /usr/lib/sysctl.d/00-system.conf and you override those settings with files in /etc/sysctl.d/

Other than that, this is a great guide. Thanks for putting the work into it :)

tntrush
26th February 2013, 11:50 PM
:doh:

Indeed!

/etc/sysctl.conf file ...


# System default settings live in /usr/lib/sysctl.d/00-system.conf.
# To override those settings, enter new settings here, or in an /etc/sysctl.d/<name>.conf file
#
# For more information, see sysctl.conf(5) and sysctl.d(5).

I just focused on the "enter new settings here" part and it was enough for me ... ! Hahaha! :dance:

I will correct it, thank you!

Kind regards,
tntrush

Gareth Jones
27th February 2013, 03:06 PM
For anyone just wanting to add a second desktop to their home network: on F18, I just used the NetworkManager applet in GNOME Shell and chose Network Settings->(interface)->Options->IPv4->Method->“Shared to other computers”, and everything just worked (remember to save!). I haven’t explored the firewall options though, and don’t much care what IP addresses are assigned.