Description :

This one is going to be a simple routed network with four routers, where
routing is done dynamically. We will use RIP v2 for this setup. It is a
somewhat older protocol with a maximum hop count of 15, but realistically
this should suffice for a small or mid-size company. We will also be using
MD5 authentication between the routers. The routers should be connected
according to the following diagram :

 

STEP 1 - Download ISO, configure host names and IP addresses

Download the CentOS 6.5 ISO from the CentOS website (x86 or x64) : CentOS 6.5 ISO.
Install the base system; partitioning and RAID configuration are up to the user.
The hostnames and IP addresses of the four routers are as follows :

 

ROUTER1
hostname : router01.home.lan
eth0: 192.168.40.200 (uplink)
eth1: 192.168.210.250

ROUTER2
hostname : router02.home.lan
eth0: 192.168.210.249
eth1: 192.168.200.250
eth2: 192.168.201.250

ROUTER3
hostname : router03.home.lan
eth0: 192.168.210.248
eth1: 192.168.202.250

ROUTER4
hostname : router04.home.lan
eth0: 192.168.202.249
eth1: 192.168.204.250

 

As you can see, the network 192.168.210.0/24 is used to interconnect our
routers: it is our backbone. One of the routers, ROUTER4, is not on the
backbone at all; it sits behind ROUTER3 on the 192.168.202.0/24 network.

 

WARNING :
In this example we used the following passwords everywhere :

password zebra     ( only change zebra )
key-string quagga  ( only change quagga )

Please make sure that you use your own complex passwords! The password line
is the vty (management) password of ripd; the key-string is the shared RIP
MD5 secret and must be identical on every router that shares a link.

Also, once this setup is up and running, I recommend that you comment out
the following two lines in every ripd.conf ( add ! in front of them ) :

 !debug rip events
 !debug rip packet

 

STEP 2 - Disable iptables, SELinux and do a system upgrade

On all four routers we run the following commands :

chkconfig iptables off
chkconfig ip6tables off
vi /etc/selinux/config

Look for the SELINUX= line and change it to SELINUX=disabled. Then reboot the system :

reboot

Note that turning the iptables service off only stops the init script from
loading saved rules at boot; the NAT rules ROUTER1 needs are added by the
script that rc.local runs in STEP 3.

Once the system is back up we run the system upgrade and install quagga :

yum upgrade
yum install quagga

 

STEP 3 - Configure dynamic routing

 

ROUTER1

We add the following lines to the /etc/rc.d/rc.local file :

# enable ip forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
# default gateway ( 192.168.40.1 is the IP address of the cable modem )
route add default gw 192.168.40.1
# run nat script
/home/iptables-secure

 

Now we create /home/iptables-secure :

vi /home/iptables-secure

And add the following content :

#!/bin/bash
# Simple NAT script for ROUTER1: source-NATs the internal subnets behind
# the address of the uplink interface.

IFCONFIG=/sbin/ifconfig
AWK=/bin/awk
IPTABLES=/sbin/iptables

EXTIF="eth0"
INTIF="eth1"
echo " External Interface:  $EXTIF"
echo " Internal Interface:  $INTIF"
echo " --- "

# Take the IPv4 address of the uplink from the "inet addr:" line of ifconfig
EXTIP="`$IFCONFIG $EXTIF | $AWK '/inet addr:/{split($2,a,":");print a[2];exit}'`"
echo " External IP: $EXTIP"
echo " --- "

if [ -z "$EXTIP" ]; then
    echo "Could not determine the IP address of $EXTIF, no NAT rules added" >&2
    exit 1
fi

# Start from an empty POSTROUTING chain so re-running the script does not
# add duplicate rules
$IPTABLES -t nat -F POSTROUTING

$IPTABLES -t nat -A POSTROUTING -s 192.168.210.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
$IPTABLES -t nat -A POSTROUTING -s 192.168.200.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
$IPTABLES -t nat -A POSTROUTING -s 192.168.201.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
$IPTABLES -t nat -A POSTROUTING -s 192.168.202.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
$IPTABLES -t nat -A POSTROUTING -s 192.168.204.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP

NOTE : the POSTROUTING lines are single lines!

Make the script executable so that rc.local can run it :

chmod +x /home/iptables-secure

With this we have configured our main router to do NAT for the following
subnets : 192.168.210.0, 192.168.200.0, 192.168.201.0, 192.168.202.0 and
192.168.204.0. This sample script only adds NAT rules and filters nothing;
it would have to be hardened before being used as a real firewall, but for
our routing example it is enough.

 

Now we configure Quagga for RIP v2. Create the file /etc/quagga/ripd.conf :

vi /etc/quagga/ripd.conf

Then add the following lines :

hostname router01.home.lan
password zebra

key chain mykey1
 key 1
  key-string quagga

interface eth1
 ip rip authentication key-chain mykey1
 ip rip authentication mode md5

router rip
 network 192.168.210.0/24

debug rip events
debug rip packet

log file /var/log/quagga/ripd.log

Note that only eth1 runs RIP here: the uplink eth0 is not listed under
router rip, so no RIP updates are sent toward the cable modem.

We then enable and start the following two services :

chkconfig ripd on
chkconfig zebra on
/etc/init.d/zebra start
/etc/init.d/ripd start
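The WARNING section above asks for two things before the setup goes live (change the default "password zebra" and "key-string quagga", comment out the debug lines), and every link that speaks RIP must carry both authentication lines. The following shell script is an added example, not part of the tutorial or of Quagga itself: it lints a ripd.conf written in the format used on this page and reports each of those problems. The two sample files it writes are constructed for the demo (the first is ROUTER1's config exactly as given above, the second a variant with changed secrets, debug disabled and the "mode md5" line missing on eth1); the CHANGEME values are placeholders.

```shell
#!/bin/sh
# Added example, not part of the tutorial: lint a ripd.conf written in the
# format shown on this page. It reports the things the WARNING section says
# to fix before going live (default "password zebra", default "key-string
# quagga", active "debug rip" lines) and any interface stanza that does
# not enable MD5 authentication. The sample configs below are constructed.

# Usage: check_ripd_conf /etc/quagga/ripd.conf
# Prints one line per finding and returns the number of findings (0 = clean).
check_ripd_conf() {
    conf="$1"
    findings=0
    if grep -Eq '^[[:space:]]*password[[:space:]]+zebra[[:space:]]*$' "$conf"; then
        echo "$conf: vty password is still the default 'zebra'"
        findings=$((findings + 1))
    fi
    if grep -Eq '^[[:space:]]*key-string[[:space:]]+quagga[[:space:]]*$' "$conf"; then
        echo "$conf: RIP MD5 key-string is still the default 'quagga'"
        findings=$((findings + 1))
    fi
    if grep -Eq '^[[:space:]]*debug[[:space:]]+rip' "$conf"; then
        echo "$conf: debug rip logging is still enabled (prefix the lines with !)"
        findings=$((findings + 1))
    fi
    # Walk the interface stanzas: a stanza ends at the next interface /
    # router / key chain / debug / log line. Each must carry both the
    # key-chain and the "mode md5" line, otherwise that link speaks RIP
    # without authentication.
    bad_ifaces=$(awk '
        function flush() {
            if (iface != "" && !(have_chain && have_md5)) print iface
            iface = ""; have_chain = 0; have_md5 = 0
        }
        /^[ \t]*interface[ \t]+/              { flush(); iface = $2; next }
        /^[ \t]*(router|key chain|debug|log)/ { flush(); next }
        /ip rip authentication key-chain/     { have_chain = 1 }
        /ip rip authentication mode md5/      { have_md5 = 1 }
        END { flush() }
    ' "$conf")
    for i in $bad_ifaces; do
        echo "$conf: interface $i does not enable MD5 authentication"
        findings=$((findings + 1))
    done
    return $findings
}

# Writes two constructed sample files into directory $1 for the demo.
write_samples() {
    # ROUTER1's config exactly as the tutorial gives it
    cat > "$1/ripd-default.conf" <<'EOF'
hostname router01.home.lan
password zebra
key chain mykey1
 key 1
  key-string quagga
interface eth1
 ip rip authentication key-chain mykey1
 ip rip authentication mode md5
router rip
 network 192.168.210.0/24
debug rip events
debug rip packet
log file /var/log/quagga/ripd.log
EOF
    # Secrets changed (placeholders) and debug disabled, but eth1 has lost
    # its "ip rip authentication mode md5" line
    cat > "$1/ripd-hardened.conf" <<'EOF'
hostname router01.home.lan
password CHANGEME-vty-secret
key chain mykey1
 key 1
  key-string CHANGEME-rip-secret
interface eth1
 ip rip authentication key-chain mykey1
router rip
 network 192.168.210.0/24
!debug rip events
!debug rip packet
log file /var/log/quagga/ripd.log
EOF
}

# Demo: run the lint over both constructed samples
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in "$demo_dir"/ripd-default.conf "$demo_dir"/ripd-hardened.conf; do
    if check_ripd_conf "$f"; then echo "$f: clean"; fi
done
rm -rf "$demo_dir"
```

Run it on a real router with `check_ripd_conf /etc/quagga/ripd.conf` after sourcing the file; the exit status is the number of findings, so it can also gate a configuration push. The default sample reports three findings (both default secrets and the active debug lines), the hardened sample reports one (eth1 without MD5).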

 

ROUTER2

We add the following lines to the /etc/rc.d/rc.local file :

# enable ip forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
# default gateway ( 192.168.210.250 is ROUTER1's backbone address )
route add default gw 192.168.210.250

Now we configure Quagga for RIP v2. Create the file /etc/quagga/ripd.conf :

vi /etc/quagga/ripd.conf

Then add the following lines :

hostname router02.home.lan
password zebra

key chain mykey1
 key 1
  key-string quagga

interface eth0
 ip rip authentication key-chain mykey1
 ip rip authentication mode md5
interface eth1
 ip rip authentication key-chain mykey1
 ip rip authentication mode md5
interface eth2
 ip rip authentication key-chain mykey1
 ip rip authentication mode md5

router rip
 network 192.168.210.0/24
 network 192.168.200.0/24
 network 192.168.201.0/24

debug rip events
debug rip packet

log file /var/log/quagga/ripd.log

We then enable and start the following two services :

chkconfig ripd on
chkconfig zebra on
/etc/init.d/zebra start
/etc/init.d/ripd start

 

 

ROUTER3

We add the following lines to the /etc/rc.d/rc.local file :

# enable ip forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
# default gateway ( 192.168.210.250 is ROUTER1's backbone address )
route add default gw 192.168.210.250

Now we configure Quagga for RIP v2. Create the file /etc/quagga/ripd.conf :

vi /etc/quagga/ripd.conf

Then add the following lines :

hostname router03.home.lan
password zebra

key chain mykey1
 key 1
  key-string quagga

interface eth0
 ip rip authentication key-chain mykey1
 ip rip authentication mode md5
interface eth1
 ip rip authentication key-chain mykey1
 ip rip authentication mode md5

router rip
 network 192.168.210.0/24
 network 192.168.202.0/24

debug rip events
debug rip packet

log file /var/log/quagga/ripd.log

We then enable and start the following two services :

chkconfig ripd on
chkconfig zebra on
/etc/init.d/zebra start
/etc/init.d/ripd start

 

 

ROUTER4

We add the following lines to the /etc/rc.d/rc.local file :

# enable ip forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
# default gateway ( 192.168.202.250 is ROUTER3's eth1; ROUTER4 is not on the backbone )
route add default gw 192.168.202.250

Now we configure Quagga for RIP v2. Create the file /etc/quagga/ripd.conf :

vi /etc/quagga/ripd.conf

Then add the following lines :

hostname router04.home.lan
password zebra

key chain mykey1
 key 1
  key-string quagga

interface eth0
 ip rip authentication key-chain mykey1
 ip rip authentication mode md5
interface eth1
 ip rip authentication key-chain mykey1
 ip rip authentication mode md5

router rip
 network 192.168.202.0/24
 network 192.168.204.0/24

debug rip events
debug rip packet

log file /var/log/quagga/ripd.log

We then enable and start the following two services :

chkconfig ripd on
chkconfig zebra on
/etc/init.d/zebra start
/etc/init.d/ripd start

 

 

STEP 4 - Testing

From every user's machine you should be able to ping every other subnet
without getting ICMP redirects, and you should be able to traceroute to
every network without timeouts. Congratulations, you have just set up a
simple dynamically routed network. You can now go on and add more subnets
to it, and you can even add iptables rules on the routers to allow or block
certain traffic to or from certain subnets or IP addresses.
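The two symptoms this step tells you to watch for (ICMP redirects in the ping output, timed-out hops in the traceroute output) are easy to miss when checking five subnets by hand. The following shell script is an added example, not part of the tutorial: it walks the gateway address of every subnet in this setup, runs ping and traceroute against each one, and reports any gateway showing either symptom. The PING and TRACEROUTE variables are assumptions of this script (they let a test substitute fake commands); the demo_ping and demo_traceroute outputs are constructed, not captured from the lab.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: probe the gateway of
# every subnet in this setup and flag the two things STEP 4 says you must
# not see, ICMP redirects while pinging and "*" timeouts in traceroute.
# PING / TRACEROUTE can be overridden so the checks run without a network.

GATEWAYS="192.168.210.250 192.168.200.250 192.168.201.250 192.168.202.250 192.168.204.250"
PING="${PING:-ping -c 3 -W 2}"
TRACEROUTE="${TRACEROUTE:-traceroute -n -w 2}"

# Returns 0 when the ping output shows no packet loss and no ICMP redirect.
# Linux ping prints a redirect as e.g.
#   From 192.168.210.250: icmp_seq=1 Redirect Host(New nexthop: 192.168.210.248)
ping_output_ok() {
    case "$1" in
        *Redirect*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -q ' 0% packet loss'
}

# Returns 0 when no hop in the traceroute output timed out ("*").
traceroute_output_ok() {
    ! printf '%s\n' "$1" | grep -q '\*'
}

# Probes every gateway, prints one status line per gateway and returns the
# number of gateways that failed either check.
check_subnets() {
    failed=0
    for gw in $GATEWAYS; do
        p=$($PING "$gw" 2>&1)
        t=$($TRACEROUTE "$gw" 2>&1)
        status="ok"
        ping_output_ok "$p"       || status="ping problem (packet loss or ICMP redirect)"
        traceroute_output_ok "$t" || status="traceroute problem (timed-out hop)"
        [ "$status" = "ok" ] || failed=$((failed + 1))
        echo "$gw: $status"
    done
    return $failed
}

# Constructed outputs for a demo without a network (not captured from the
# lab): 192.168.202.250 answers with an ICMP redirect, and the trace to
# 192.168.204.250 has a timed-out hop.
demo_ping() {
    case "$1" in
        192.168.202.250)
            printf 'From 192.168.210.250: icmp_seq=1 Redirect Host(New nexthop: 192.168.210.248)\n3 packets transmitted, 3 received, 0%% packet loss, time 2003ms\n' ;;
        *)  printf 'PING %s 56(84) bytes of data.\n3 packets transmitted, 3 received, 0%% packet loss, time 2003ms\n' "$1" ;;
    esac
}
demo_traceroute() {
    case "$1" in
        192.168.204.250) printf ' 1  192.168.210.250  0.512 ms\n 2  * * *\n 3  %s  1.204 ms\n' "$1" ;;
        *)               printf ' 1  192.168.210.250  0.512 ms\n 2  %s  0.944 ms\n' "$1" ;;
    esac
}

# sh check-routing.sh --demo : run against the constructed outputs above
# sh check-routing.sh --run  : run real ping / traceroute from this host
case "${1:-}" in
    --demo) PING=demo_ping; TRACEROUTE=demo_traceroute; check_subnets ;;
    --run)  check_subnets ;;
esac
```

Run it from a host on one of the user subnets with `--run`; the exit status is the number of gateways that failed, so a zero means every subnet is reachable without redirects or timeouts. With `--demo` it reports two failures, one for the redirect and one for the timed-out hop.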