Description :

This one is going to be a simple routed network with five routers, where
routing is done dynamically. We will use OSPF v2 for this setup. We will
have two separate internet connections, and if one fails the backup router
will be used automatically. We will also use MD5 authentication, so that
only routers holding the shared key can form OSPF adjacencies and inject
routes (the key does not encrypt the OSPF traffic itself). The routers
should be connected according to the following diagram :

 

 

STEP 1 - Download ISO, configure hostnames and IP addresses

Download the CentOS 6.5 ISO (x86 or x64) from the CentOS website.

Install the base system; partitioning and RAID configuration are up to the user.

The hostnames and IP addresses for the routers are as follows :

 

ROUTER1
hostname : router01.home.lan
eth0: 192.168.40.200    (uplink ISP1)
eth1: 192.168.210.250

ROUTER1 - Backup
hostname : router01backup.home.lan
eth0: 192.168.40.201    (uplink ISP2)
eth1: 192.168.210.251

ROUTER2
hostname : router02.home.lan
eth0: 192.168.210.249
eth1: 192.168.200.250
eth2: 192.168.201.250

ROUTER3
hostname : router03.home.lan
eth0: 192.168.210.248
eth1: 192.168.202.250

ROUTER4
hostname : router04.home.lan
eth0: 192.168.202.249
eth1: 192.168.204.250

 

WARNING :

In this example we used the following passwords everywhere :

password zebra  ( only change zebra )
ip ospf message-digest-key 1 md5 quagga ( only change quagga )

The first is the login password of each daemon's vty (telnet) console; the
second is the shared OSPF MD5 key that every router on a link must have. The
enable password line in the config files below is commented out with "!";
uncomment it and set your own if you use the vty console.

Please make sure that you use your own complex passwords!

 

STEP 2 - Disable iptables and SELinux and do a system upgrade

On all five routers we run the following commands :

chkconfig iptables off
chkconfig ip6tables off
vi /etc/selinux/config

Look for the SELINUX= line and change it to SELINUX=disabled. Then reboot the system.

reboot

Turning the iptables service off only stops a saved ruleset from being loaded
at boot; the iptables command itself keeps working, which is what the NAT
script in step 3 relies on.

Once it's done we run a system upgrade and install quagga.

yum upgrade
yum install quagga

 

STEP 3 - Configure dynamic routing

ROUTER1

We add to the /etc/rc.d/rc.local file the following lines :

# enable ip forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
# default gateway ( 192.168.40.1 is the ip address of the cable modem )
route add default gw 192.168.40.1
# run nat script
/home/iptables-secure

 

Now we create /home/iptables-secure :

vi /home/iptables-secure

And add the following content :

#!/bin/bash
# Simple NAT script: source-NAT the internal subnets behind the external address.

IFCONFIG=/sbin/ifconfig
AWK=/bin/awk

EXTIF="eth0"
INTIF="eth1"
echo " External Interface:  $EXTIF"
echo " Internal Interface:  $INTIF"
echo " --- "

# read the current address of $EXTIF from the "inet addr:" line of ifconfig
EXTIP="`$IFCONFIG $EXTIF | $AWK \
 /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
echo " External IP: $EXTIP"
echo " --- "

# flush old NAT rules so that re-running the script does not add duplicates
iptables -t nat -F POSTROUTING

# source NAT for every internal subnet leaving through $EXTIF
iptables -t nat -A POSTROUTING -s 192.168.210.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
iptables -t nat -A POSTROUTING -s 192.168.200.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
iptables -t nat -A POSTROUTING -s 192.168.201.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
iptables -t nat -A POSTROUTING -s 192.168.202.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
iptables -t nat -A POSTROUTING -s 192.168.204.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP

NOTE : POSTROUTING lines are single lines!!!

Make the script executable (chmod +x /home/iptables-secure), otherwise rc.local cannot run it.

With this we configured our main router to do NAT for the following subnets :
192.168.210.0, 192.168.200.0, 192.168.201.0, 192.168.202.0, 192.168.204.0.

This sample firewall script should be hardened to be used as a real firewall,
but for our routing example it's enough.

 

Now we configure Quagga with OSPF v2. Create the file /etc/quagga/ospfd.conf like this :

vi /etc/quagga/ospfd.conf

Then add the following lines :

hostname router01.home.lan
password zebra
!enable password please-set-at-here

router ospf
  network 192.168.210.0/24 area 0.0.0.0
  area 0.0.0.0 authentication message-digest
  redistribute static
  redistribute connected
  default-information originate metric 100

interface eth1
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 quagga

log file /var/log/quagga/ospfd.log

Only 192.168.210.0/24 is covered by a network statement, so OSPF runs on eth1
alone: no hello packets are sent towards the ISP on eth0, and the uplink
subnet is announced to the other routers through "redistribute connected".
"default-information originate metric 100" makes this router advertise the
default route; the backup advertises it with metric 110, which is why
router01 is preferred while it is up.
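To make clear what the md5 key on the interfaces actually does, here is an added example that is not part of this tutorial or of Quagga: it builds a constructed OSPFv2 packet, appends the RFC 2328 message digest the way a sender does, and checks it the way a receiver does, including the key-id lookup and the sequence-number replay check. The router ID, area and body bytes are made up.

```python
"""Added illustration of OSPFv2 cryptographic (MD5) authentication as set up
by 'ip ospf message-digest-key 1 md5 ...' (RFC 2328 appendix D.4.3).
Constructed packets; this is not Quagga's code."""
import hashlib
import hmac
import socket
import struct

AU_CRYPTOGRAPHIC = 2   # AuType value for cryptographic authentication
DIGEST_LEN = 16        # MD5 digest length; the key is padded to 16 bytes too


def pad_key(secret):
    """The configured key is zero-padded (or cut) to 16 bytes before use."""
    return secret.encode()[:DIGEST_LEN].ljust(DIGEST_LEN, b"\x00")


def build_packet(router_id, area_id, key_id, seq, body):
    """24-byte OSPFv2 header + body. With MD5 auth the checksum field is 0 and
    the 8-byte authentication field holds 0, key id, digest length, sequence."""
    hdr = struct.pack("!BBH4s4sHH", 2, 1, 24 + len(body),
                      socket.inet_aton(router_id), socket.inet_aton(area_id),
                      0, AU_CRYPTOGRAPHIC)
    return hdr + struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq) + body


def sign(packet, secret):
    """Sender: digest = MD5(packet || padded key), appended after the packet and
    not counted in the length field. The key itself never goes on the wire."""
    return packet + hashlib.md5(packet + pad_key(secret)).digest()


def verify(wire, keys, last_seq):
    """Receiver: look up the key by id, recompute the digest, compare it in
    constant time and reject sequence numbers older than the last accepted one
    (replay protection). Returns (accepted, new_last_seq)."""
    if len(wire) < 24 + DIGEST_LEN:
        return False, last_seq
    packet, digest = wire[:-DIGEST_LEN], wire[-DIGEST_LEN:]
    length = struct.unpack("!H", packet[2:4])[0]
    autype = struct.unpack("!H", packet[14:16])[0]
    key_id, auth_len, seq = struct.unpack("!BBI", packet[18:24])
    secret = keys.get(key_id)
    if length != len(packet) or autype != AU_CRYPTOGRAPHIC \
            or auth_len != DIGEST_LEN or secret is None:
        return False, last_seq
    expected = hashlib.md5(packet + pad_key(secret)).digest()
    if not hmac.compare_digest(digest, expected) or seq < last_seq:
        return False, last_seq
    return True, seq
```

A neighbour with a different key, a different key id, or a modified packet is silently dropped, which is why a key mismatch shows up as a missing neighbour rather than an error.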

 

We then enable and start the following services :

chkconfig ospfd on
chkconfig zebra on
/etc/init.d/zebra start
/etc/init.d/ospfd start

 

ROUTER1 - Backup

We add to the /etc/rc.d/rc.local file the following lines :

# enable ip forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
# default gateway ( 192.168.40.1 is the ip address of the cable modem )
route add default gw 192.168.40.1
# run nat script
/home/iptables-secure

 

Now we create /home/iptables-secure :

vi /home/iptables-secure

And add the following content (the same NAT script as on router01) :

#!/bin/bash
# Simple NAT script: source-NAT the internal subnets behind the external address.

IFCONFIG=/sbin/ifconfig
AWK=/bin/awk

EXTIF="eth0"
INTIF="eth1"
echo " External Interface:  $EXTIF"
echo " Internal Interface:  $INTIF"
echo " --- "

# read the current address of $EXTIF from the "inet addr:" line of ifconfig
EXTIP="`$IFCONFIG $EXTIF | $AWK \
 /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
echo " External IP: $EXTIP"
echo " --- "

# flush old NAT rules so that re-running the script does not add duplicates
iptables -t nat -F POSTROUTING

# source NAT for every internal subnet leaving through $EXTIF
iptables -t nat -A POSTROUTING -s 192.168.210.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
iptables -t nat -A POSTROUTING -s 192.168.200.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
iptables -t nat -A POSTROUTING -s 192.168.201.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
iptables -t nat -A POSTROUTING -s 192.168.202.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
iptables -t nat -A POSTROUTING -s 192.168.204.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP

NOTE : POSTROUTING lines are single lines!!!

Make the script executable (chmod +x /home/iptables-secure), otherwise rc.local cannot run it.

With this we configured our backup router to do NAT for the following subnets :
192.168.210.0, 192.168.200.0, 192.168.201.0, 192.168.202.0, 192.168.204.0.

This sample firewall script should be hardened to be used as a real firewall,
but for our routing example it's enough.

 

Now we configure Quagga with OSPF v2. Create the file /etc/quagga/ospfd.conf like this :

vi /etc/quagga/ospfd.conf

Then add the following lines :

hostname router01backup.home.lan
password zebra
!enable password please-set-at-here

router ospf
  network 192.168.210.0/24 area 0.0.0.0
  area 0.0.0.0 authentication message-digest
  redistribute static
  redistribute connected
  default-information originate metric 110

interface eth1
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 quagga

log file /var/log/quagga/ospfd.log

The only difference from router01 is the metric of the originated default
route: 110 is worse than router01's 100, so the other routers use this
default route only while router01's is gone.

 

We then enable and start the following services :

chkconfig ospfd on
chkconfig zebra on
/etc/init.d/zebra start
/etc/init.d/ospfd start

 

ROUTER2

We add to the /etc/rc.d/rc.local file the following lines :

# enable ip forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

Router02 gets no static default gateway: it learns the default route from
router01 or router01backup through OSPF, which is what makes the failover
work.

Now we configure Quagga with OSPF v2. Create the file /etc/quagga/ospfd.conf like this :

vi /etc/quagga/ospfd.conf

 

 

Then add the following lines :

hostname router02.home.lan
password zebra
!enable password please-set-at-here

router ospf
  network 192.168.210.0/24 area 0.0.0.0
  network 192.168.200.0/24 area 0.0.0.0
  network 192.168.201.0/24 area 0.0.0.0
  area 0.0.0.0 authentication message-digest

interface eth0
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 quagga
interface eth1
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 quagga
interface eth2
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 quagga

log file /var/log/quagga/ospfd.log

eth1 and eth2 face client subnets, so OSPF hellos are sent there as well;
a host on those LANs can only become a neighbour if it has the MD5 key. If
no other router will ever sit on those subnets, "passive-interface eth1"
and "passive-interface eth2" in the router ospf block stop the hellos while
still advertising the subnets.

 

We then enable and start the following services :

chkconfig ospfd on
chkconfig zebra on
/etc/init.d/zebra start
/etc/init.d/ospfd start

 

 

ROUTER3

We add to the /etc/rc.d/rc.local file the following lines :

# enable ip forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

Now we configure Quagga with OSPF v2. Create the file /etc/quagga/ospfd.conf like this :

vi /etc/quagga/ospfd.conf

 

Then add the following lines :

hostname router03.home.lan
password zebra
!enable password please-set-at-here

router ospf
  network 192.168.210.0/24 area 0.0.0.0
  network 192.168.202.0/24 area 0.0.0.0
  ! area-level authentication, as on the other routers
  area 0.0.0.0 authentication message-digest

interface eth0
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 quagga
interface eth1
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 quagga

log file /var/log/quagga/ospfd.log

 

We then enable and start the following services :

chkconfig ospfd on
chkconfig zebra on
/etc/init.d/zebra start
/etc/init.d/ospfd start

 

 

ROUTER4

We add to the /etc/rc.d/rc.local file the following lines :

# enable ip forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

Now we configure Quagga with OSPF v2. Create the file /etc/quagga/ospfd.conf like this :

vi /etc/quagga/ospfd.conf

 

Then add the following lines :

hostname router04.home.lan
password zebra
!enable password please-set-at-here

router ospf
  network 192.168.202.0/24 area 0.0.0.0
  network 192.168.204.0/24 area 0.0.0.0
  area 0.0.0.0 authentication message-digest

interface eth0
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 quagga
interface eth1
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 quagga

log file /var/log/quagga/ospfd.log

 

We then enable and start the following services :

chkconfig ospfd on
chkconfig zebra on
/etc/init.d/zebra start
/etc/init.d/ospfd start

 

 

STEP 4 - Testing

From every host you should be able to ping every other subnet without getting
ICMP redirects, and you should be able to traceroute to every network without
timeouts. From a client in subnet 192.168.204.0/24 start pinging
www.google.com, then shut down router01: you will see a few timeouts (10 or
so, while OSPF reconverges) and then the traffic will go out through
router01backup. In our setup router01 will always be the preferred route to
the internet if available; should it fail, the network will use
router01backup.

Congratulations, you've just set up a simple dynamically routed network.
You can now go on and add more subnets to it, and you can even add iptables
rules on the routers to allow or block certain traffic from or to certain
subnets/IP addresses.
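As an added helper for this testing step (not part of the tutorial), the following Python parses constructed samples of the vtysh outputs "show ip route" and "show ip ospf neighbor" as taken on router02, reports which uplink router currently carries the default route, and flags missing, unexpected or not-yet-Full OSPF neighbours. The router IDs, addresses and timers in the samples are made up; on a real router the expected set is whatever you see once the network is known to be healthy.

```python
"""Added check for STEP 4 (not from the tutorial): parse constructed samples
of 'vtysh -c "show ip route"' and 'vtysh -c "show ip ospf neighbor"' as seen
on router02 and report the active uplink and the OSPF neighbour state."""
import re

# "O>* 0.0.0.0/0 [110/100] via 192.168.210.250, eth0, 00:05:12"
ROUTE_RE = re.compile(r"^O>\*\s+0\.0\.0\.0/0\s+\[(\d+)/(\d+)\]\s+via\s+(\S+),\s+(\S+)")
# "<Neighbor ID> <Pri> <State> <Dead Time> <Address> <Interface> ..."
NEIGH_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+\d+\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)")


def active_default_route(show_ip_route):
    """(gateway, metric) of the selected OSPF default route, or None when the
    router has no OSPF default route at all (both uplinks gone)."""
    for line in show_ip_route.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            return m.group(3), int(m.group(2))
    return None


def neighbor_report(show_ip_ospf_neighbor, expected_ids):
    """Compare the neighbour table with the router IDs expected on this router:
    lost neighbours, neighbours that should not be on the segment, and
    adjacencies stuck below Full (often an MTU mismatch). A wrong MD5 key
    shows up as a missing neighbour instead, because its hellos are dropped."""
    seen = {}
    for line in show_ip_ospf_neighbor.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            seen[m.group(1)] = m.group(2)   # router id -> State column
    return {
        "missing": sorted(set(expected_ids) - set(seen)),
        "unexpected": sorted(set(seen) - set(expected_ids)),
        "not_full": sorted(r for r, s in seen.items() if not s.startswith("Full")),
    }


# Constructed samples: router02 before and after router01 is shut down.
ROUTE_BEFORE = ("O>* 0.0.0.0/0 [110/100] via 192.168.210.250, eth0, 00:05:12\n"
                "C>* 192.168.200.0/24 is directly connected, eth1\n")
ROUTE_AFTER = ("O>* 0.0.0.0/0 [110/110] via 192.168.210.251, eth0, 00:00:09\n"
               "C>* 192.168.200.0/24 is directly connected, eth1\n")
NEIGH_AFTER = (
    "    Neighbor ID Pri State      Dead Time Address         Interface            RXmtL RqstL DBsmL\n"
    "192.168.210.251   1 Full/DR      39.285s 192.168.210.251 eth0:192.168.210.249     0     0     0\n"
    "192.168.210.248   1 Full/DROther 38.110s 192.168.210.248 eth0:192.168.210.249     0     0     0\n"
)
EXPECTED_ON_ROUTER02 = {"192.168.210.250", "192.168.210.251", "192.168.210.248"}
```

Run the two functions from a cron job or a monitoring agent over the live vtysh output to be alerted when the default route moves to the backup or when a neighbour disappears.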