Simple Linux gateway

This simple guide shows how to turn Internet access on and off with a Linux PC in the middle. If you have a Raspberry Pi lying around without a main purpose, it will be the perfect choice. With all the ingredients in one place, the workshop can start.

The idea is to create a simple Internet gateway using a Raspberry Pi or any other Linux PC. Why? To route some computers (the children’s) through it and to have a plain on/off switch for the Internet.

The original text with all the details is at the following URL: http://kevinboone.net/linux_gateway.html

Here, on the other hand, you’ll find a simpler version in which IP forwarding is turned on and off by the cron scheduler. In a few steps, a small Internet gateway can be ready.

1) Enable IP forwarding
In the /etc/sysctl.conf file, the net.ipv4.ip_forward parameter should be set to 1. This tells the kernel (after booting) to start “routing” according to the iptables rules.

net.ipv4.ip_forward = 1

To enable routing right now (without a system reboot), write 1 to the /proc/sys/net/ipv4/ip_forward file with the following command:

echo 1 > /proc/sys/net/ipv4/ip_forward

To be more precise, the /proc file system is a virtual file system that presents a view of kernel information such as processes, memory, devices …

2) Create /etc/rc.d/rc.local file
The rc.local file will contain the iptables rules that should be applied after Linux has booted. In this step, the file is created and given execute permissions.

bash> touch /etc/rc.d/rc.local
bash> chmod 755 /etc/rc.d/rc.local

3) Enable eth0:1 device and set iptables rules
Just copy and paste the following code into the /etc/rc.d/rc.local file. In this scenario, the default gateway is 192.168.1.1 and the Raspberry Pi has the IP address 192.168.1.2 on the eth0:1 virtual device. With “ifconfig up”, the virtual device is created and assigned the IP address.

#!/bin/bash

# add 192.168.1.2 as a second address (alias eth0:1) on eth0
ifconfig eth0:1 192.168.1.2 up

# Remove all rules from the FORWARD chain
iptables -F FORWARD
# Enable NAT for forwarded traffic
# (iptables matches the real device name eth0; an alias label such as eth0:1 never matches)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Enable forwarding of packets that arrive on eth0 and leave again on eth0 towards 192.168.1.1
iptables -A FORWARD -i eth0 -o eth0 -j ACCEPT

Here is the complete output from ifconfig for eth0 and the eth0:1 virtual device. As you can see, the main IP address of the Raspberry Pi is 192.168.1.15, while the virtual eth0:1 has 192.168.1.2.

[root@pi ~]# ifconfig 
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.15  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::ba27:ebff:fe0e:2089  prefixlen 64  scopeid 0x20
        ether b8:27:eb:0e:20:89  txqueuelen 1000  (Ethernet)
        RX packets 16831563  bytes 1355292553 (1.2 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 16487630  bytes 1649037959 (1.5 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.2  netmask 255.255.255.0  broadcast 192.168.1.255
        ether b8:27:eb:0e:20:89  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 0  (Local Loopback)
        RX packets 137  bytes 9640 (9.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 137  bytes 9640 (9.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

4) Edit and set crontab file
Writing 1 or 0 to /proc/sys/net/ipv4/ip_forward enables or disables routing, which makes it ideal for crontab. In this example, Internet access is enabled at 7am and disabled at 10pm. Actually, cron will repeatedly disable Internet access every 15 minutes from 10pm until 7am the next morning. The idea is to guard against an “accidental” reboot of the Raspberry Pi after 10pm ;) (a reboot sets ip_forward back to 1 from /etc/sysctl.conf).

MAILTO=""

# enable IP forwarding at 07:00
0 7 * * * /usr/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

# disable IP forwarding every 15 minutes from 22:00 till 06:45
*/15 0-6,22-23 * * * /usr/bin/echo 0 > /proc/sys/net/ipv4/ip_forward
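
The schedule above depends on cron firing at fixed times, which is why the disable job has to repeat every 15 minutes. As an added example (not part of the original article), the script below derives the wanted ip_forward value from the current time, so one job run at boot and every few minutes converges to the right state; the script path and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumed install path: /usr/local/sbin/gateway-switch.sh, with root crontab entries:
#   @reboot      /usr/local/sbin/gateway-switch.sh --apply
#   */5 * * * *  /usr/local/sbin/gateway-switch.sh --apply

IP_FORWARD_FILE="${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"
ALLOW_FROM=700     # 07:00, first minute with Internet access
ALLOW_UNTIL=2200   # 22:00, first minute without Internet access

# Print 1 if forwarding should be on at time HHMM (as from `date +%H%M`), else 0.
wanted_state() {
    t=$1
    # Strip leading zeros ("0659" -> "659", "0000" -> "0") so that no shell
    # can mistake the value for an octal number.
    while [ "${t#0}" != "$t" ] && [ -n "${t#0}" ]; do
        t=${t#0}
    done
    if [ "$t" -ge "$ALLOW_FROM" ] && [ "$t" -lt "$ALLOW_UNTIL" ]; then
        echo 1
    else
        echo 0
    fi
}

# Bring ip_forward in line with the schedule; write only when the value differs.
apply_state() {
    want=$(wanted_state "$1")
    have=$(cat "$IP_FORWARD_FILE" 2>/dev/null || true)
    if [ "$have" != "$want" ]; then
        echo "$want" > "$IP_FORWARD_FILE"
        echo "ip_forward: ${have:-unknown} -> $want (time $1)" >&2
    fi
}

# Touch the kernel setting only when asked to, so the file can be sourced safely.
if [ "${1:-}" = "--apply" ]; then
    apply_state "$(date +%H%M)"
fi
```

Because the state is recomputed on every run, a reboot at any hour is corrected by the `@reboot` entry instead of waiting for the next scheduled disable job.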

Finally, the children’s PCs need to be pointed at the newly configured Raspberry Pi; in other words, just set 192.168.1.2 as the default gateway on the computers that should have limited Internet access.

From my experience, a Raspberry Pi has enough throughput for two PCs on a 4Mbit ADSL connection. My kids didn’t notice any difference in network activity before and after the new gateway was set up.

Anyway, this post is the result of my intent to get the kids into bed before midnight. Smartphones are not covered here; for details, please see the original page mentioned at the top of this page. Luckily, we have an agreement with our kids that they are disarmed of phones at 9pm, and that is currently good enough.

I hope these tips give you an idea of how to set up a simple Internet gateway for home use.

1 thought on “Simple Linux gateway”

  1. Just to add an extended crontab version that has evolved over the past 6 months:

    MAILTO=""
    
    # define echo and ip_forward variables
    eh = /usr/bin/echo
    ip = /proc/sys/net/ipv4/ip_forward
    
    # every day disable internet in 10:00, weekend in 11:00 (every 10 minutes - just for the case) and enable in 15:00
    */10 10 * * 1-5 $eh 0 > $ip
    */10 11 * * 6,7 $eh 0 > $ip
    0 15 * * * $eh 1 > $ip
    
    # every day disable internet in 19:00 (every 10 minutes - just for the case) and enable in 20:00
    */10 19 * * * $eh 0 > $ip
    0 20 * * * $eh 1 > $ip
    
    # disable IP forwarding every 15 minutes from 21:00 till 05:45 from Sunday till Thursday
    */15 21-23,0-5 * * 0-4 $eh 0 > $ip
    
    # disable IP forwarding every 15 minutes from 22:00 till 05:45 for Friday and Saturday
    */15 22,0-5 * * 5,6 $eh 0 > $ip
    
    # enable IP forwarding in 06:00
    0 6 * * * $eh 1 > $ip
    
