
What changes when you turn a Linux box into a router

This post meticulously breaks down the seven essential configuration changes required to transform a multi-homed Linux system into a functional router and WiFi access point. It's a deep dive into Linux networking, demystifying the underlying kernel mechanisms that enable packet forwarding, firewalling, and wireless access. Hacker News readers appreciate this detailed, hands-on exploration of how to repurpose commodity hardware for sophisticated network roles.

Score 23 · 2 comments · highest rank #4 · 3h on front page · first seen Apr 3, 9:00 PM · last seen Apr 3, 11:00 PM

The Lowdown

The article provides a comprehensive guide to converting a standard Linux machine into a fully-fledged router and WiFi access point, challenging the notion that networking devices are fundamentally distinct from general-purpose computers. It details seven specific configuration changes, explaining not just what to do, but why these changes interact with the Linux kernel's networking stack to achieve routing capabilities.

  • Activating IP Forwarding: This foundational step enables the kernel to forward packets not explicitly destined for the local machine, opening the 'gate' for routing.
  • Defining The Bridge: An L2 bridge (br0) is created to unify multiple interfaces (e.g., eth0 for wired, wlan0 for wireless) into a single logical segment, allowing devices on both to communicate transparently.
  • Activating nftables policies: Modern firewall rules are installed using nftables on netfilter hooks to define packet processing policies, such as allowing outgoing connections while blocking unsolicited inbound traffic.
  • Stateful Firewalling with conntrack: The conntrack subsystem tracks connection states (new, established, related), so firewall rules can accept reply traffic for sessions the LAN initiated while dropping unsolicited inbound packets, which keeps the rule set small and robust.
  • Defining NAT and Masquerade policies: Network Address Translation (NAT) and masquerading are configured to rewrite private LAN IP addresses to the router's public IP for packets leaving the network, allowing multiple internal devices to share a single public IP.
  • Vending DHCP and DNS with dnsmasq: The dnsmasq daemon is deployed to dynamically assign IP addresses, default gateways, and DNS server information to clients joining the network.
  • Vending WiFi networks with hostapd: hostapd is used to switch the wireless card into Access Point (AP) mode, broadcast an SSID, manage client associations, and integrate the wireless interface into the network bridge.
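The seven changes above fit in a single POSIX shell script. The one below is an added example, not code from the article or the project it summarizes: it renders the nftables ruleset, the dnsmasq configuration and the hostapd configuration as text, and applies them (with `apply`, as root) or checks them (with `verify`). Everything not named in the summary is an assumption: the upstream interface name `eth1`, the LAN prefix `192.168.10.0/24` with the router at `.1`, the DHCP pool, the channel, and the placeholder SSID and passphrase; `br0`, `eth0` and `wlan0` follow the summary.

```shell
#!/bin/sh
# Added example (not the article's code). Renders the router configuration as
# text; "apply" installs it as root, "verify" shows the resulting state.
# Assumed, not taken from the article: WAN_IF, the 192.168.10.0/24 LAN, the
# DHCP pool, channel 6, and the SSID/passphrase placeholders.
set -eu

WAN_IF="${WAN_IF:-eth1}"                 # assumed upstream interface
BRIDGE="br0"                             # article: the L2 bridge
WIRED_IF="eth0"                          # article: wired LAN member of br0
WIFI_IF="wlan0"                          # article: wireless member, added by hostapd
LAN_ADDR="192.168.10.1"                  # constructed LAN addressing
LAN_CIDR="192.168.10.1/24"
SSID="${SSID:-example-ap}"               # placeholder
PSK="${PSK:-change-this-passphrase}"     # placeholder, WPA2 needs 8..63 chars

# Changes 3-5: nftables on netfilter hooks, conntrack state matching, masquerade.
nft_ruleset() {
    cat <<EOF
flush ruleset
table inet router {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        iifname "$BRIDGE" accept        # LAN may reach DHCP/DNS on the router
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "$BRIDGE" oifname "$WAN_IF" accept   # LAN may open new flows outbound
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "$WAN_IF" masquerade    # rewrite LAN sources to the WAN address
    }
}
EOF
}

# Change 6: dnsmasq hands out addresses, the default gateway and the DNS server.
dnsmasq_conf() {
    cat <<EOF
interface=$BRIDGE
bind-interfaces
domain-needed
bogus-priv
dhcp-range=192.168.10.50,192.168.10.200,12h
dhcp-option=option:router,$LAN_ADDR
dhcp-option=option:dns-server,$LAN_ADDR
EOF
}

# Change 7: hostapd puts the card in AP mode and attaches it to the bridge.
hostapd_conf() {
    cat <<EOF
interface=$WIFI_IF
bridge=$BRIDGE
driver=nl80211
ssid=$SSID
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=$PSK
rsn_pairwise=CCMP
EOF
}

apply() {
    # Change 1: let the kernel forward packets not addressed to this host.
    sysctl -w net.ipv4.ip_forward=1
    # Change 2: create the bridge; wlan0 joins it via hostapd's bridge= line.
    ip link add name "$BRIDGE" type bridge
    ip link set dev "$WIRED_IF" master "$BRIDGE"
    ip addr add "$LAN_CIDR" dev "$BRIDGE"
    ip link set dev "$WIRED_IF" up
    ip link set dev "$BRIDGE" up
    # Changes 3-5: load the ruleset atomically from stdin.
    nft_ruleset | nft -f -
    # Changes 6-7: write the daemon configs and start them.
    dnsmasq_conf > /etc/dnsmasq.d/router.conf
    hostapd_conf > /etc/hostapd/router.conf
    dnsmasq -C /etc/dnsmasq.d/router.conf
    hostapd -B /etc/hostapd/router.conf
}

# The handful of commands that show whether the box now behaves as a router.
verify() {
    sysctl net.ipv4.ip_forward
    bridge link
    nft list ruleset
}

case "${1:-show}" in
    show)   nft_ruleset; echo; dnsmasq_conf; echo; hostapd_conf ;;
    apply)  apply ;;
    verify) verify ;;
esac
```

Run it with no argument to review the generated ruleset and daemon configs before touching anything; `apply` needs root and the `nft`, `iproute2`, `dnsmasq` and `hostapd` packages. The forward chain's default `drop` plus the `established,related` match is what makes the firewall stateful: only flows the bridge side opened get their replies back in from the WAN side.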

Each change is explored with reference to specific kernel mechanisms, files, and commands, illustrating how these individual configurations collectively transform a Linux host into a powerful and flexible networking appliance. The piece concludes by emphasizing that these detailed modifications, which can be verified through a handful of commands, fundamentally alter the system's behavior from a mere workstation to a central network hub.