Expat-IT Tech Bits




Search this site:


/ (289)
  Admin/ (123)
    Apache/ (10)
      HTTPS-SSL/ (4)
      PHP/ (3)
      performance/ (2)
    Cherokee/ (1)
    LAN/ (4)
    LVM/ (6)
    Monitoring/ (2)
      munin/ (2)
    SSH/ (6)
    SSL/ (1)
    Samba/ (1)
    VPN-options/ (7)
      OpenVPN/ (1)
      SSH-Proxy/ (3)
      Tinc/ (1)
      sshuttle/ (1)
    backups/ (17)
      SpiderOak/ (1)
      backuppc/ (5)
      dirvish/ (1)
      misc/ (6)
      rdiff-backup/ (1)
      rsync/ (1)
      unison/ (2)
    commandLine/ (24)
      files/ (8)
      misc/ (10)
      network/ (6)
    crontab/ (1)
    databases/ (15)
      MSSQL/ (2)
      MySQL/ (8)
      Oracle/ (3)
      PostgreSQL/ (1)
    dynamicDNS/ (2)
    email/ (11)
      Dovecot/ (1)
      deliverability/ (1)
      misc/ (1)
      postfix/ (7)
      puppet/ (1)
    iptables/ (3)
    tripwire/ (1)
    virtualization/ (9)
      VMware/ (1)
      virtualBox/ (8)
  Coding/ (14)
    bash/ (1)
    gdb/ (1)
    git/ (3)
    php/ (5)
    python/ (4)
      Django/ (2)
  Education/ (1)
  Hosting/ (27)
    Amazon/ (18)
      EBS/ (3)
      EC2/ (10)
      S3/ (1)
      commandline/ (4)
    Godaddy/ (2)
    NearlyFreeSpeech/ (3)
    Rackspace/ (1)
    vpslink/ (3)
  Linux/ (31)
    Android/ (1)
    Awesome/ (3)
    CPUfreq/ (1)
    China/ (2)
    Debian/ (8)
      APT/ (3)
      WPA/ (1)
    audio/ (1)
    encryption/ (3)
    fonts/ (1)
    misc/ (6)
    remoteDesktop/ (1)
    router-bridge/ (3)
  SW/ (45)
    Micro$soft/ (1)
    browser/ (2)
      Chrome/ (1)
      Firefox/ (1)
    business/ (28)
      Drupal/ (9)
      KnowledgeTree/ (6)
      Redmine/ (2)
      SugarCRM/ (7)
      WebERP/ (2)
      WordPress/ (1)
      eGroupware/ (1)
    chat/ (1)
    email/ (1)
    fileSharing/ (2)
      btsync/ (1)
      mldonkey/ (1)
    graphics/ (2)
    research/ (2)
    website/ (6)
      blog/ (6)
        blosxom/ (3)
        rss2email/ (1)
        webgen/ (1)
  Security/ (15)
    IMchat/ (2)
    circumvention/ (2)
    cryptoCurrency/ (1)
    e-mail/ (4)
    greatFirewall/ (1)
    hacking/ (1)
    password/ (1)
    privacy/ (2)
    skype/ (1)
  Services/ (1)
    fileSharing/ (1)
  TechWriting/ (1)
  xHW/ (14)
    Lenovo/ (1)
    Motorola_A1200/ (2)
    Thinkpad_600e/ (1)
    Thinkpad_a21m/ (3)
    Thinkpad_i1300/ (1)
    Thinkpad_x24/ (1)
    USB_audio/ (1)
    scanner/ (1)
    wirelessCards/ (2)
  xLife/ (17)
    China/ (9)
      Beijing/ (5)
        OpenSource/ (3)
    Expatriation/ (1)
    Vietnam/ (7)


  • 2019/06
  • 2016/07
  • 2016/05
  • 2016/02
  • 2016/01
  • 2015/12
  • 2015/11
  • 2015/06
  • 2015/01
  • 2014/12
  • 2014/11
  • 2014/10
  • 2014/09
  • 2014/07
  • 2014/04
  • 2014/02
  • 2014/01
  • 2013/12
  • 2013/10
  • 2013/08
  • 2013/07
  • 2013/06
  • 2013/05
  • 2013/04
  • 2013/02
  • 2013/01
  • 2012/12
  • 2012/10
  • 2012/09
  • 2012/08
  • 2012/07
  • 2012/06
  • 2012/05
  • 2012/04
  • 2012/03
  • 2012/01
  • 2011/12
  • 2011/11
  • 2011/10
  • 2011/09
  • 2011/08
  • 2011/07
  • 2011/06
  • 2011/05
  • 2011/04
  • 2011/02
  • 2010/12
  • 2010/11
  • 2010/10
  • 2010/09
  • 2010/08
  • 2010/07
  • 2010/06
  • 2010/05
  • 2010/04
  • 2010/03
  • 2010/02
  • 2010/01
  • 2009/12
  • 2009/11
  • 2009/10
  • 2009/09
  • 2009/08
  • 2009/07
  • 2009/06
  • 2009/05
  • 2009/04
  • 2009/03
  • 2009/02
  • 2009/01
  • 2008/12
  • 2008/11
  • 2008/10
  • 2008/09
  • Subscribe XML RSS Feed

    Creative Commons License
    This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

    This site has no ads. To help with hosting, crypto donations are accepted:
    Bitcoin: 1JErV8ga9UY7wE8Bbf1KYsA5bkdh8n1Bxc
    Zcash: zcLYqtXYFEWHFtEfM6wg5eCV8frxWtZYkT8WyxvevzNC6SBgmqPS3tkg6nBarmzRzWYAurgs4ThkpkD5QgiSwxqoB7xrCxs

    Tue, 29 Oct 2013

    /Linux/router-bridge: Virtualbox and Shorewall: Put Virtual Machines on Their Own Subnet

    Tired of your Virtual Machine's (VM's) network connection being b0rked every time your laptop moves to a different network environment? So am I. The solution: use VirtualBox's Host-Only Adaptor option to put the VM on it's own, routed, subnet so that kernel routing can shield the VM from the external network. On VirtualBox:

    On the VirtualBox host's Shorewall configuration:

    For the guest VM's network configuration, bring up the network with DHCP, create a default route, specify DNS servers:


    auto eth0
    iface eth0 inet dhcp
    post-up route add default gw



    posted at: 04:08 | path: /Linux/router-bridge | permanent link to this entry

    Fri, 10 Apr 2009

    /Linux/router-bridge: How to Build Your Own Linux Network Router

    Gentoo is justifiably held in great esteem for their very good documentation. I am going to give you a simplified version of this guide[1], from a Debian perspective, and also, some of the things I do while building a router are simpler by design. Here are a couple other interesting links for background reading: [2][3]

    Why would you want to do this? Cheap commercial routers often do not work very well, choking up on certain kinds of traffic, even locking up regularly so that someone must manually cycle the power to restart them. If you build your own router, you can keep the software up-to-date, which is a big security advantage over the commercial competition. And you can install any software you want on it, like your own web and e-mail server, for instance. This is not meant to be an exhaustive list....

    Start with the cheapest, oldest laptop you can find with the capacity for the number of network cards you want to use (two for a wired *or* wireless local network, three for a wired *and* wireless local network). One network card is needed to connect to the outside world (presumably, the internet) and another one for *each* local network that you want to connect to the internet (typically, a wired and / or a wireless network).

    Note that a really old laptop, like the Pentium One that I use, has no CD and no USB. The easiest way to install Linux on it is to remove the hard drive and place it temporarily in another computer (or a USB enclosure) for the Linux installation. A minimal install is all that is necessary, just enough to get a terminal command prompt and functioning networking. Note that at least on Debian, standard kernels will work right off the shelf. Then replace the newly installed drive in your soon-to-be router.

    Get a Wireless Card that Will Work

    Setting up a router for a wired LAN (Local Area Network) is actually a subset of setting up a wireless router, so I will just describe a wireless router here. (Turning a wireless configuration into a wired configuration just requires a minor alteration or two....) You need a wireless card that will talk to the hostap_cs kernel driver, and also supports "Master" mode. These are not easy to find in, in my experience. I have stumbled across two, one of which broke and I am now having quite a hard time replacing it.

    The orinoco_cs and hostap_cs drivers support many of the same cards. Best to just blacklist the orinoco_cs driver and take your laptop shopping for cards. You really need to test the card before buying it (easy in the second hand Chinese markets I shop in). If you find a card that the hostap_cs driver recognizes, test for Master mode with the iwconfig command:

    iwconfig wlan0 mode Master
    If the card does not like Master mode, you will get an error something like:
    # iwconfig eth1 mode Master
    Error for wireless request "Set Mode" (8B06) :
    SET failed on device eth1 ; Invalid argument.
    If it works, ifconfig will show, in part:
    wlan0 IEEE 802.11b ESSID:"clayton" Nickname:""
    Mode:Master Frequency:2.462 GHz
    (Note the "Mode:Master" part.)

    Configure Networking

    I will avoid great detail here. The most probable options are, your "outside world" network card will either connect directly and probably be called "eth0", or it will connect using PPPOE which you will probably configure with a very simple and straight-forward piece of software called "pppoeconf" and result in a "ppp0" interface. For routing purposes, all you need to know is what the interface is called, and that it works.

    As for the wireless card: give it a static IP and set it to Master mode in /etc/network/interfaces:

    auto eth0
    iface eth0 inet dhcp

    auto wlan0
    iface wlan0 inet static
      wireless-essid somename
      wireless-mode Master
      wireless-channel 11
      wireless-key somepassword

    Note that in the above, eth0 connects to the internet, and therefore in this case I am not using PPPOE. I will address the slightly more complicated case of PPP in /etc/network/interfaces at a later date.

    Set Up Routing and Firewall

    We will do them at the same time because the same software does both! Install the "firehol" package. Then create a /etc/firehol/firehol.conf file as follows:

    # firehol configuration for a masquerading server
    version 5
    # The network of our internal LAN.
    # try "mac  " to filter on MAC addresses
    # blacklist full
    # DHCP needs access.
    interface wlan0 dhcp1
      policy return
      server dhcp accept
    # interface eth0 internet src not "${UNROUTABLE_IPS}"
    interface eth0 internet
       protection strong 10/sec 10
       server "smtp http icmp ssh"  accept
       server donkey2 accept
       server ident reject with tcp-reset
       client all   accept
       # reduce noise in the syslog by dropping this stuff silently
       server "dhcp samba" drop
    interface wlan0 wlan src "${home_ips}"
       policy reject
       server "http dns ssh icmp" accept
       client all   accept
       # server dhcp drop
    interface eth1 lan src "${home_ips}"
       policy reject
       server "http dns ssh icmp" accept
       client all   accept
    router internet2wlan inface eth0 outface wlan0
       masquerade reverse
       client all      accept
       server ident    reject with tcp-reset
    router internet2lan inface eth0 outface eth1
       masquerade reverse
       client all      accept
       server ident    reject with tcp-reset

    There are tutorials out there that will step you through the creation of this file, which is how I started, but if you are careful about the customizaion process, you should be able to use my config as your starting point.

    Some salient points:

    DHCP with dnsmasq

    Install the dnsmasq package. Add the following line to /etc/dnsmasq.conf:


    Restart dnsmasq, and your router should now respond to DHCP requests from the wireless network.

    Wasn't that simple? Comments / errata welcome.

    [1] http://www.gentoo.org/doc/en/home-router-howto.xml
    [2] http://www.bit-tech.net/bits/2008/06/27/build-your-own-router/1
    [3] http://thoughtattic.com/security/MakeYourOwnRouter.html

    posted at: 03:32 | path: /Linux/router-bridge | permanent link to this entry

    Wed, 26 Nov 2008

    /Linux/router-bridge: Easy Connection Sharing with a Network Bridge

    Suppose you have two computers and only one network cable coming into the room, and you want to save a few bucks and a bit of clutter and not buy a switch....

    One could set up one of the computers as a router per [1], creating a sub-network within the room. But what if you do *not* want to create a sub-network, ie. you want both computers on the same network?

    The solution is to create a transparent network bridge between two ethernet interfaces on one of the computers. On Debian, I use the bridge-utils[2][3] package.

    The bridge-utils-interfaces[4] manpage is a bit general, the best reference I have found is here[5].

    Setup is really quite simple in principle. Create the following stanza in /etc/network/interfaces:

    auto br0 iface br0 inet dhcp bridge_ports eth0 auto eth2 iface eth2 inet manual up ifconfig $IFACE up post-up brctl addif br0 eth2

    Here eth0 is attached to the outside network, and added to the bridge br0 immediately. The br0 dhcp gets its IP through eth0, and the local computer networks through br0-eth0. (This should work irrespective of whatever might be going on with eth2.) eth2 is added to the bridge, but it is not configured locally with an IP because it does not need an IP. The only part eth2 plays in the network is to relay traffic between the br0 bridge and any computer attached to it. Any computer connecting to eth2 must take care of its own IP, through DHCP, for example, which the bridge would just relay to the DHCP server in the outside network.

    At this point I have my firehol firewall turned *off*, which is non-ideal. Once I figure out how to incorporate a firewall into bridging, I will post.

    [2] http://linuxfoundation.org/en/Net:Bridge
    [3] http://manpages.debian.net/cgi-bin/man.cgi?query=brctl&apropos=0&sektion=0&manpath=Debian+Sid&format=html&locale=en
    [4] http://manpages.debian.net/cgi-bin/man.cgi?query=bridge-utils-interfaces&apropos=0&sektion=0&manpath=Debian+Sid&format=html&locale=en
    [5] http://wiki.openzaurus.org/HowTos/Bridging_with_Ubuntu

    posted at: 03:04 | path: /Linux/router-bridge | permanent link to this entry