Turn your trusty Linux box into the world’s most flexible router. Graham Morrison explains how.
The latest, most expensive routers include so many facilities you’d be forgiven for thinking that they’re more like PCs than tools for networking. This thought should lead you to wonder why you can’t use a regular PC to do the same thing. The answer, thanks to Linux, is you can, and it’s very easy.
There are many different Linux distributions designed specifically to turn your machine into a router or a gateway, complete with any number of enhancements. Our favourite is called ClearOS. It’s a fantastic choice of router for your network because it’s relatively painless to configure, but it’s also extendible, taking it far beyond even the most ambitious devices from the likes of Netgear. You could use it to host your cloud documents, complete with editing, or to host and access your email, either through a web interface or server, and it also works as a powerful firewall with intrusion detection.
ClearOS is unlike most Linux distributions because it offers both a free edition and a commercial edition that you have to pay for. Because some people do pay for it, ClearOS has one of the better user interfaces, and most of its facilities can be installed and configured through a web app. It’s also easy to install and has a great support network. This is important because all of your network’s data is going to go through it and you need to trust both the integrity of the packages and services it’s running, along with the source of those packages and the distribution itself. Fortunately, ClearOS’s heritage couldn’t be any better, as it’s based on the billion-dollar Red Hat enterprise.
Step 1: Installation
ClearOS uses Red Hat’s graphical installer and asks you only a few questions. Boot your machine with the ClearOS DVD in the drive (a USB option is also available) and select the first option from the boot menu: ‘Install or upgrade an existing system’. The graphical installer will appear after a few moments and you’ll have to answer the usual questions about language and keyboard layout. After these are out of the way, choose ‘Basic storage device’ as your installation medium and step through the regular drive and partition options. The next few questions deal with the network and where you’re located, before asking how you’d like to allocate space on your drives. The default values will choose a drive and create an installation automatically, but be warned: this will remove all data from the drive it chooses. The following two questions will confirm your choices before the installer goes off and does some installing. When this has finished, you get the chance to reboot into your new installation, so remove the DVD at this point.
Step 2: Configuration
When your machine has booted, the first thing you’ll notice is the lack of a desktop. In fact, the only thing you should see is a screen telling you the IP address of your machine and where to get further information. This is because, like any modern router, ClearOS is intended to be configured through a web browser. After you’ve made a note of its IP address, you can disconnect any screen, keyboard and mouse, and hide the machine under the floorboards if you like. As long as it’s connected to the network, you’ll be able to change the settings. Go to a browser on a machine on the same network and type in that IP address, using both the ‘https’ prefix and the port ‘81’. For our network, we typed in
The page that appears will ask you to log in and you’ll need to enter a username of root followed by the password requested by the installer. You’ll then be presented with the first page of the ClearOS startup wizard. Click ‘Next’ and you’ll be asked which kind of network mode you want to configure. Which one you choose will depend on how you want to use your new router. The best option is to select ‘Gateway Mode’, but this won’t appear unless you have two network adapters installed: one connected to the internet and the other to your LAN. If you’d rather experiment with ClearOS as a server, choose one of the two other options. After selecting ‘Gateway Mode’, you need to tell the wizard which adapter is which. The installer makes a pretty good guess at this, marking one as ‘External’ and the other as ‘LAN’, although you can change the assignment if it’s wrong using the ‘Edit’ button. The next question asks for a DNS server and we’d recommend entering the IP address of either your ISP, Google (184.108.40.206) or OpenDNS (220.127.116.11). After that, make sure the free community edition is selected and click ‘Next’ to download and install any critical updates.
Step 3: Marketplace
One of the best things about ClearOS is a package manager it calls the Marketplace, and the next step of the installation is to create an account to access this. You’ll be asked for an email address and be instructed to register your system with your new credentials.
You’ll then be asked a couple of questions about domain names for your connection. If this is a home connection, you might not have one. We’d recommend using a free dynamic DNS service to get yourself one. Otherwise, you can always use a made-up name or the default values as a temporary fix.
You can then start installing applications. To begin with, we’d recommend selecting the Windows file server, the bandwidth manager, port forwarding and the FTP server, but you can always come back at a later time and install more applications. After making your selection, click on the ‘Download and install’ button. This will automatically grab and install all the packages you’ve selected. A few minutes later, depending on the speed of your connection, you’ll be presented with the ClearOS dashboard and you’ll be able to start using your new gateway.
Step 4: Firewall
A gateway with a firewall acts as a permissive barrier between two networks. In our case, that’s between the internet and your local network. It’s a necessary precaution because the internet is saturated with systems that constantly bombard every connection with random requests directed at ports with known vulnerabilities. Most of these vulnerabilities are found on non-updated versions of Windows, but they can also be found within almost any network-facing service, such as a web server or file server.
Within ClearOS, the firewall can be configured by clicking on the ‘Network’ menu on the left or top of the dashboard, followed by ‘Incoming Firewall’. By default, there should already be a single defined rule called ‘webconfig’. This allows port 81 on the incoming connection, which is the port you need to access the ClearOS web interface. This rule means you can configure your gateway from the internet; if you don’t want this facility, click on ‘disable’ for the rule. To add your own rule, click ‘Add’. You don’t need to memorise most port numbers because the ‘Add’ interface includes a list of the most common services. Select ‘SSH’, for example, and click on ‘Add’ again. The rule list will then include SSH running on port 22, which is its default port. If you need to add custom ports for your own services (or games), this can be done from the same interface.
ClearOS runs an SSH server, which is all you need if you want command line access, but you may also want command line access to another machine on your network. To do this, you’ll need to use port forwarding. This takes an incoming connection on one port — 22 in the case of SSH — and maps this to a different port on either a local machine or another machine within your LAN. Click on ‘Port forwarding’ and then ‘Add’. You’ll be able to select a standard service in the same way you could for the firewall, but you’ll also need to add a local IP address. This will be the destination for the port. You can forward custom ports, a range of ports, and choose between UDP and TCP protocols by using the other options on the page.
Step 5: Setting QoS
The other feature you only find in advanced routers is the ability to limit the bandwidth of connections going through your router depending on what they’re doing. This is often known as QoS (Quality of Service) because it’s often used to make sure time-sensitive data isn’t affected by a torrent download, for example. Time-sensitive data could be streaming video or VoIP, where getting packets to the client on time is important. File downloads aren’t normally affected by some delay.
When you select ‘Bandwidth manager’, you have two choices. The first deals with bandwidth limiting on an interface, while the second can limit bandwidth by service. The first is useful if you have several subnets, such as a wireless host running on your gateway. You can either restrict data coming into and out of this network, or restrict the other interfaces, so you can ensure there’s always a decent amount of bandwidth.
The ‘Basic Rules’ table is the most useful for the majority of networks because it allows you to promote those first-class services while still allowing people to download large files. Click on ‘Add’ and you’ll get the option to choose a service (like SIP or FTP) and specify whether you want the bandwidth limited or reserved, in which direction and at what rate. To ensure SIP always gets 1Mbps, for example, choose ‘Reserve’, ‘SIP’, ‘Flowing to the network’ and set a rate of 1,000 (the rate is set in Kbps). If you have local users saturating your upstream bandwidth, change ‘Flowing to the network’ to ‘Flowing from the network’. ClearOS will transparently limit the packets going through the network to ensure the services you depend upon will have the lion’s share of your bandwidth. And unlike some ISPs we could mention, you’re in control of whether that’s BitTorrent or HTTP, which is the best thing about running your own gateway.
Testing your network’s security
As you’re messing around with firewall configuration and port forwarding, it’s worth making sure you don’t leave any obvious holes open that hackers can exploit. You can’t do this from within your own network because most ports should be open to machines on your LAN, so you’ll need to test security from a machine out on the internet. If you have command line access to this remote machine, we’d recommend using a tool called Nmap to scan the IP address of your gateway. This will tell you which ports are visible and which services are running on those ports, as well as whether you should consider closing them.
Our test failed because we’re running Apache. Just make sure your services are up to date.
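One way to make the Nmap check above repeatable, as an added example that is not part of the original article: save the scan from the remote machine in Nmap's grepable format (`-oG`) and compare the open ports with the ones you deliberately allowed in ‘Incoming Firewall’. The allowlist (81 for webconfig, 22 for SSH), the function names and the sample scan lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit Nmap grepable output (-oG) against an allowlist.
# On the remote machine, produce the input with:
#   nmap -oG scan.gnmap <your-gateway-address>

# Ports opened on purpose in 'Incoming Firewall' (assumed: webconfig and SSH).
ALLOWED_PORTS="81/tcp 22/tcp"

# Read grepable output on stdin; print each open port as "port/proto service".
open_ports() {
    awk -F'\t' '
        {
            for (f = 1; f <= NF; f++) {
                if ($f !~ /^Ports: /) continue
                list = $f
                sub(/^Ports: /, "", list)
                n = split(list, entries, ", ")
                for (i = 1; i <= n; i++) {
                    # Entry layout: port/state/protocol/owner/service/rpc/version/
                    split(entries[i], p, "/")
                    svc = (p[5] == "") ? "unknown" : p[5]
                    if (p[2] == "open") print p[1] "/" p[3], svc
                }
            }
        }'
}

# Print open ports missing from ALLOWED_PORTS; return 1 if there are any.
unexpected_ports() {
    result=$(open_ports | while read -r port service; do
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;                          # deliberately opened
            *) echo "UNEXPECTED $port ($service)" ;;
        esac
    done)
    if [ -n "$result" ]; then
        echo "$result"
        return 1
    fi
    return 0
}

# Constructed sample scan of a documentation address (not real scan output).
SAMPLE_SCAN=$(printf 'Host: 203.0.113.10 ()\tStatus: Up\nHost: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 81/open/tcp//hosts2-ns///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (996)\n')

printf '%s\n' "$SAMPLE_SCAN" | unexpected_ports || echo "Review the firewall rules above."
```

With a real scan, replace the sample with `unexpected_ports < scan.gnmap`; a non-zero exit status means a port is reachable from the internet that you did not list.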
If you don’t have access to a remote server, the best alternative is to use a free service like ShieldsUP! from Gibson Research Corporation. This will scan your IP address and list any ports it finds open. After getting to the main site, select ‘All service ports’ from the service list. This will probe the first 1,056 ports on your server and you’ll need to wait a few minutes while each port is tested in turn. Be warned, this may trigger any security software you’re running because it’s the same kind of scan a hacker will use to try to find vulnerabilities. You’ll see a list of green secure ports and red where an open port has been detected.
Enable file sharing
As we’ve built a router from a Linux box, we can augment it with lots of the things you may want to install on Linux. The first thing you may want to look at is file sharing. Many advanced routers now offer this, either through external USB devices or even with an internal drive. As we installed both the Windows File Sharing application and FTP when we installed ClearOS, you should already see them listed in the ‘Server’ menu of the web interface. Click ‘Windows Networking’ and you’ll see the option to either enable ‘Active Directory’ or ‘OpenLDAP’, both of which are used to manage users and what they can access. ‘Active Directory’ should be selected in an office environment with other Windows machines and ‘OpenLDAP’ if you’re running your server at home. We’d recommend the latter for most installations and after it’s enabled, you’ll need to enter a server name and a Windows domain. The Windows domain should be the same as the one your Windows or Linux network is using, which often defaults to ‘WORKGROUP’. Follow this by adding a password and then click the ‘Initialize’ button. This will create the configuration and run the service, and you’ll be able to see your gateway as a SAMBA source in Windows, Mac OS X and Linux machines.