Howto: Set up Ubuntu as a firewall/gateway router with webmin

[rsriram22]

great tutorial - quick question. i am planning on setting this up inside a vm (virtualbox) on ******* box. i plan to disable the IPV4 and V6 stacks in the host. ..too, i d like to add a wireless card and have this whole setup simulate a wireless router...am looking at buying the following mobo that has 802.11ac inbuilt GIGABYTE GA-F2A88XN-WIFI

1) So how do I make use of a loopback adapter so that the host box gets an IP on the LAN and also has access to the internet
2) have the wireless clients get LAN IPs as well?

thanks in advance!

[mouse]

Configuring DHCP

We will set up DHCP first. Go to the "Servers" tab on the left in webmin, and click "DHCP Server". In the subnets section at the top, click "Add a new subnet". Enter details as follows:

"Subnet description" - A name for your subnet, I used "Local network on eth_SAFE"
"Network address" - 192.168.0.0
"Netmask" - 255.255.255.0
"Address ranges" - this can be anything you like, 192.168.0.100 - 192.168.200 should cover it.

Leave all the other options alone and click "Create". Now a new icon should have appeared called 192.168.0.0. Click this icon, you will be returned to a screen similar to the one you just left except it has some new buttons at the bottom. Click the one that says "Edit Client Options".

"Subnet mask" - 255.255.255.0
"Default routers" - 192.168.0.1
"Broadcast address" - 192.168.0.255
"DNS servers" - 192.168.0.1

Click "Save" and then "Save" again. One last thing to do on this page - scroll down and click "Edit Network Interface". Select eth_SAFE from the list and click "Save".

The DHCP server is now set up. Click the "Start Server" button at the bottom of the page, the server should start with no errors. If it gives errors, you've done something wrong .

Ok, all done! On to...

Configuring the DNS server

The DNS server works out of the box, it doesn't actually NEED any additional configuration.

Thanks. This worked out great. I knew it should be simple, but I always had trouble and had to start over so many times before I found your guide. But now, I'm up and running! I have one question that I hope someone can help me with. When I set the "DNS Servers" to 192.168.0.1 (The address of the router), I cannot not connect to the internet. If I leave the setting as default, I cannot connect to the internet. But, if I set the address to 8.8.8.8, everything seems to work great! What's up?

Thanks.

[anton-ptv]

Hi mouse,

Check if DNS server is installed.
To check log into webmin, and look under Servers list, there should be BIND DNS Server. If it is not there, you can install it through webmin, and reboot the server, after that all should be OK - DNS server will work out of the box
I had the same issue i.e. I could not connect to internet until DNS server was installed.

Let me know if this helped.

[anton-ptv]

Hi there,

First, THANK YOU, sammydee, HUGE THANK YOU for this how to!!! All is up and running

Also I wanted to add a couple of things to watch out for, while putting all pieces of the router together:

1. after intalling Webmin and changing its password with command

Code:

sudo /usr/share/webmin/changepass.pl /etc/webmin root NEW_PASSWORD

the command and the new password! will be stored in .bash_history file in your home directory. I did not really like the idea that my password is stored somewhere. So, just in case you are also paranoid like me edit the file with

Code:

nano /home/USER_NAME/.bash_history

and delete/change the entry, just to be safe

2. DHCP server. At the time of installation the current ubuntu server version was 12.04.3, and it has slightly different DHCP server isc-dhcp-server
To install it:

Code:

sudo apt-get install isc-dhcp-server

The problem was, however, that Webmin (at the time of installation it was version 1.660) did not see this DHCP server, and a small operation required to return its sight. In Webmin go to Servers - DHCP Server and there click on Module Config. Then check the following parameters:
a. DHCP server config file - /etc/dhcp/dhcpd.conf
b. DHCP server executable - /usr/sbin/dhcpd
c. Command to start DHCP server - service isc-dhcp-server start
d. Command to apply configuration - service isc-dhcp-server restart
e. Command to stop DHCP server - service isc-dhcp-server stop
f. Path to DHCP server PID file - /var/run/dhcp-server//dhcpd.pid
g. DHCP server lease file - /var/lib/dhcp/dhcpd.leases

Change, if they are different. Other options should be left as is, save changes, you might need to log out and log back into webmin, now it should see DCHP server.

3. When setting up IP tables, in Network Address Translation (NAT) table of IP tables under packets after routing (POSTROUTING) should be:

Masquerade if output interfase is eth_BAD
Default action = accept

i.e. all ip packets that go into the internet from LAN will be masked, otherwise computers from local network will not have access to the internet. To be completely honest I have a hunch, that that option was there by default, and I "accidentally" ... it while playing with different settings.





One of the reasons I bothered setting up the router from a computer in the first place was that I needed control over the internet traffic. My problem was that I had 30 Gb of data (download + upload) from my ISP every month, and sometimes all internet would suddenly be gone before even the middle of the current month, because someone downloaded/watched to many videos/skyped too much
So, all I really wanted is a simple control over the overall traffic - if it exeeds 2 Gb of data per day, then bandwidth should be slowed to ~50 Kb/s till the end of that day (and restored with the start of a new day at midnight). And I also wanted the router to send me a warning e-mail when the limit was reached, and speed was slowed. Note, that I did not care who actually overused the internet, nor about any other fancy and elaborated way to torture individual users.
And in addition to this, traffic control should work without GUI, as I did not want to add any GUI to a headless server.

So a bit of research showed that:
1. Wondershaper will be good for the job to restrict the max up/down speed for an interface.
2. The only problem was that wondershaper cannot keep any records of daily usage, and cannot dynamically change up/down speed depending on the total daily traffic all by itself as I wanted. And wondershaper will not send me any e-mails either. However, the wondershaper will do what it was created for - the main part - restrict speed, the rest will be done by a special script.
3. All more advanced ways of traffic control through IP tables and advanced network configuration were (well, actually, why were? they still are!) like a rocket science to me.


Traffic control.
Purpose: to restrict bandwidth speed of an internet interface if daily traffic through it reaches 2 Gb. There are several files apart from the main script.

0. First things first, you need to install wondershaper:

Code:

sudo apt-get install wondershaper

1. trcontr.sh file – main script file that does the job. Assigned as a cron job in webmin, executed every minute as root, because wondershaper requires root access to set up/down speed.
2. dailytr.log file – logges how many bytes were used
3. sl_int_msg.txt – text of e-mail message that will be sent in case limit was reached
4. rsl.sh – extra script that resets daily usage and removes any speed restrictions. Executed manually when needed
5. rsl_boot.sh – extra script, executed as a cron job on start-up only, if/when server re/boots to zero all statistics.

Main script uses eth1 as internet interface, e.g. eth1 = eth_BAD, and assumes that the script and all files are located in /home/USER_NAME/Scripts

If you need any assisstance on how to make a script executable, or assign a cron job in webmin, or set up ssmtp to send e-mails, check out this how-to, in particular how to assign cron jobs and how to set-up ssmtp.



trcontr.sh

Code:

#!/bin/bash 

#read RX and TX statistics for eth1 (internet) interface, and sum it up: 
R1=`cat /sys/class/net/eth1/statistics/rx_bytes` 
T1=`cat /sys/class/net/eth1/statistics/tx_bytes` 
TXRX=`expr $T1 + $R1` 

#read today's date and leave month and day only: 
t_date=$(date) 
sh_t_date=${t_date:4:6} 

#read start date, start RX/TX and current RX/TX from log file: 
start_date=$(sed -n '2p' /home/USER_NAME/Scripts/dailytr.log) 
start_RX_TX=$(sed -n '4p' /home/USER_NAME/Scripts/dailytr.log) 
current_RX_TX=$(sed -n '6p' /home/USER_NAME/Scripts/dailytr.log) 

#calculate how much was used today and set up daily limit: 
used_today=`expr $current_RX_TX - $start_RX_TX` 
daily_limit=2000000000 


echo "================================" 
echo "Start Date= "$start_date 
echo "Start RX/TX= "$start_RX_TX 
echo "Current RX/TX= "$current_RX_TX 
echo "Used today= "$used_today 

#check if this is a new day: 
  if [ "$sh_t_date" != "$start_date" ] 
  then 
    echo "Start date is different from current date, shall start a new day" 
    #update Start date in the log: 
    sed -i "2 c${sh_t_date}" /home/USER_NAME/Scripts/dailytr.log 
    #start RX/TX and current RX/TX = current RX/TX: 
    sed -i "4 c${current_RX_TX}" /home/USER_NAME/Scripts/dailytr.log 
    sed -i "6 c${current_RX_TX}" /home/USER_NAME/Scripts/dailytr.log 

    #remove any speed restrictions from internet 
    /sbin/wondershaper clear eth1 

    # remove "email sent" flag 
    sed -i "6 c0" /home/tony-s/Scripts/sl_int_msg.txt 

  else 
#The same day. Update current RX/TX in the log: 
    echo "This is still the same day, continue logging" 
    sed -i "6 c${TXRX}" /home/tony-s/Scripts/dailytr.log 

#Check if used amount reached daily limit: 
    if [ $used_today -ge $daily_limit ] 
    then 
     echo "Daily limit reached!" 
       #check if e-mail was already sent and speed restricitons applied: 
       if [ $(sed -n '6p' /home/USER_NAME/Scripts/sl_int_msg.txt) -ne 1 ] 
       then 
         echo "This is first time limit was reached today, will send e-mail and slow down the internet" 

         #update "email was sent" flag, send it and slow down the internet 
         sed -i "6 c1" /home/USER_NAME/Scripts/sl_int_msg.txt 

         /usr/sbin/ssmtp YOUR_MAIL@gmail.com </home/USER_NAME/Scripts/sl_int_msg.txt 

       #wait for 20 seconds, while e-mail is being sent, otherwise speed restrictions will be applied and it will take too much time to send the message
         sleep 20 

         /sbin/wondershaper eth1 50 50 
       else 
         echo "This is not the first time limit was reached today, e-mail was already sent, and restrictions applied, will do nothing" 
       fi 
    else 
     echo "Daily limit was not reached, enjoy fast internet (while you can :)" 
    fi 

  fi 

exit

rsl.sh

Code:

#!/bin/bash 


echo "====================" 
echo "Ineternet daily limit will be reset, any speed restrictions removed" 

#reset statistics: "start RX/TX" and "current RX/TX" = "current RX/TX": 
current_RX_TX=$(sed -n '6p' /home/USER_NAME/Scripts/dailytr.log) 
sed -i "4 c${current_RX_TX}" /home/USER_NAME/Scripts/dailytr.log 

#remove any restrictions from internet 
/sbin/wondershaper clear eth1 

# remove "email sent" flag 
sed -i "6 c0" /home/USER_NAME/Scripts/sl_int_msg.txt 

exit

dailytr.log

Code:

#Start date: 
Dec 29 
#Start RX_TX: 
587706007 
#Current RX_TX: 
616832747

sl_int_msg.txt

Code:

From: YOUR_MAIL@gmail.com 
Subject: Daily limit reached 

Daily internet limit was reached, connection speed was slowed down. 

0

zero at the end of sl_int_msg.txt is very important, and must be in line #6!


rsl_boot.sh

Code:

#!/bin/bash 

# this script will be run at start-up, in case server reboots to zero all statistics in log files 
echo "====================" 
echo "Ineternet daily limit will be reset, any speed restrictions removed" 

#reset statistics: "start RX/TX" and "current RX/TX" = "current RX/TX": 
sed -i "4 c0" /home/USER_NAME/Scripts/dailytr.log 
sed -i "6 c0" /home/USER_NAME/Scripts/dailytr.log 

#remove any restrictions from internet 
/sbin/wondershaper clear eth1 

# remove "email sent" flag 
sed -i "6 c0" /home/USER_NAME/Scripts/sl_int_msg.txt 

exit

That's it!