Finally found the time to set up my little fanless Celeron 1037u router project today. So far, it’s very promising!
I installed Ubuntu Server on an elderly 4GB SD card I had lying around, with no problems other than the SD card being slow as molasses – which is no fault of the Alibaba machine, of course. Booted from it just fine. I plan on using this little critter at home and don’t want to deal with glacial I/O, though, so the next step was to reinstall Ubuntu Server on a 60GB Kingston SSD, which also had no problems.
With Ubuntu Server (14.04.3 LTS) installed, the next step was getting a basic router-with-NAT iptables config going. I used MASQUERADE so that the LAN side would have NAT, and I went ahead and set up a couple of basic service rules – including a pinhole for forwarding iperf from the WAN side to a client machine on the LAN side – and saved them in /etc/network/iptables, suitable for being restored using /sbin/iptables-restore (ruleset at the end of this post).
Once that was done and I’d gotten dhcpd serving IP addresses on the LAN side, I was ready to plug up the laptop and go! The results were very, very nice:
root@demoserver:~# iperf -c springbok
------------------------------------------------------------
Client connecting to 192.168.0.125, TCP port 5001
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
[  3] local demoserver port 48808 connected with springbok port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec  1.09 GBytes   935 Mbits/sec
You have new mail in /var/mail/root
root@demoserver:~# iperf -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 85.3 KByte (default)
------------------------------------------------------------
[  4] local demoserver port 5001 connected with springbok port 40378
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-10.0 sec  1.10 GBytes   939 Mbits/sec
935 Mbps up and down… not too freakin’ shabby for a lil’ completely fanless Celeron. What about OpenVPN, with 2048-bit SSL?
------------------------------------------------------------
Client connecting to 10.8.0.38, TCP port 5001
TCP window size: 22.6 KByte (default)
------------------------------------------------------------
[  3] local 10.8.0.1 port 45727 connected with 10.8.0.38 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-11.6 sec   364 MBytes   264 Mbits/sec
264 Mbps? Yeah, that’ll do.
To be fair, though, LZO compression is enabled in my OpenVPN setup, and iperf’s default payload is a repeating pattern that compresses extremely well, so that number is undoubtedly flattered. Let’s try a slightly more “real-world” test instead: use ssh to bring in a hefty chunk of incompressible pseudorandom data over the tunnel.
root@router:/etc/openvpn# ssh -c arcfour jrs@10.8.0.1 'cat /tmp/test.bin' | pv > /dev/null
 333MB 0:00:17 [19.5MB/s] [     <=>      ]
Still rockin’ a solid 156 Mbps (19.5 MB/s × 8), over OpenVPN, after SSH overhead, using incompressible data. Niiiiiiice.
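The point of the second test is that the payload has to be genuinely incompressible, or a compressing tunnel reports a number real traffic will never see. Here is an added example (not from the original post) that checks a payload before you benchmark with it: it builds a 1 MiB iperf-style repeating-pattern file and a 1 MiB /dev/urandom file and gzips both. Using gzip as a stand-in for OpenVPN’s LZO is an assumption; the ratios differ, but the compressible/incompressible verdict comes out the same.

```shell
#!/bin/sh
# Is the benchmark payload actually incompressible? A compressing tunnel
# (OpenVPN with LZO in the post) makes a repeating-pattern payload look far
# faster than real traffic. Added example, not from the original post.
# Assumption: gzip -1 stands in for LZO; ratios differ, the verdict does not.
set -u

# compressed_percent FILE : gzip -1 output size as a whole percentage of the input size
compressed_percent() {
    orig=$(wc -c < "$1" | tr -d ' ')
    comp=$(gzip -1 -c "$1" | wc -c | tr -d ' ')
    echo $(( comp * 100 / orig ))
}

# make_pattern_payload FILE BYTES : repeating "0123456789", the kind of
# payload iperf fills its send buffer with by default
make_pattern_payload() {
    yes 0123456789 | tr -d '\n' | head -c "$2" > "$1"
}

# make_random_payload FILE BYTES : pseudorandom bytes, like the post's /tmp/test.bin
make_random_payload() {
    head -c "$2" /dev/urandom > "$1"
}

# payload_verdict FILE : "incompressible" if gzip saves less than 5%, else "compressible"
payload_verdict() {
    if [ "$(compressed_percent "$1")" -ge 95 ]; then
        echo incompressible
    else
        echo compressible
    fi
}

# Constructed sample payloads, 1 MiB each (temp files; names are placeholders)
PATTERN=$(mktemp)
RANDOM_FILE=$(mktemp)
make_pattern_payload "$PATTERN" 1048576
make_random_payload "$RANDOM_FILE" 1048576
echo "iperf-style pattern: $(compressed_percent "$PATTERN")% of original -> $(payload_verdict "$PATTERN")"
echo "urandom payload:     $(compressed_percent "$RANDOM_FILE")% of original -> $(payload_verdict "$RANDOM_FILE")"
```

Run `payload_verdict` on whatever file you intend to push through the VPN; anything that comes back `compressible` will give an LZO-inflated result, which is exactly why the pattern payload over the tunnel looked so much faster than the urandom one.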
For posterity’s sake, here is the iptables ruleset I’m using for testing on the little Celeron.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# p4p1 is WAN interface
-A POSTROUTING -o p4p1 -j MASQUERADE
# NAT pinhole: iperf from WAN to LAN
-A PREROUTING -p tcp -m tcp -i p4p1 --dport 5001 -j DNAT --to-destination 192.168.100.101:5001
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# create LOGDROP target to log and drop packets
-A LOGDROP -j LOG
-A LOGDROP -j DROP
##### basic global accept rules - ICMP, loopback, traceroute, established all accepted
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# enable traceroute rejections to get sent out
-A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable
##### Service rules
#
# OpenVPN
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
# ssh - drop any IP that tries more than 10 connections per minute
# (matched on the WAN interface p4p1 - this box has no eth0, so a rule on eth0 would never fire)
-A INPUT -i p4p1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -i p4p1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 11 --name DEFAULT --mask 255.255.255.255 --rsource -j LOGDROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# www
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# default drop because I'm awesome
-A INPUT -j DROP
##### forwarding ruleset
#
# forward packets along established/related connections
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# forward from LAN (p1p1) to WAN (p4p1)
-A FORWARD -i p1p1 -o p4p1 -j ACCEPT
# NAT pinhole: iperf from WAN to LAN
-A FORWARD -p tcp -d 192.168.100.101 --dport 5001 -j ACCEPT
# drop all other forwarded traffic
-A FORWARD -j DROP
COMMIT
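A hand-written ruleset in this style (policy ACCEPT plus an explicit catch-all drop, DNAT pinholes paired with FORWARD accepts) has a few ways to be wrong that iptables-restore will happily load without complaint: a rule bound to an interface the box doesn’t have silently never matches, a chain that loses its trailing drop becomes wide open, and a pinhole without its FORWARD rule gets eaten by the FORWARD drop. The following is an added example, not part of the original post: three offline checks for exactly those mistakes, run over a constructed, cut-down sample ruleset into which I planted one of each (a stale eth0 ssh rule, a FORWARD chain with no catch-all drop, and a second pinhole with no FORWARD rule). The sample file is a temp file and the interface list is a placeholder for whatever `ip link` shows on your router.

```shell
#!/bin/sh
# Offline sanity checks for an iptables-save style ruleset (the format
# /sbin/iptables-restore reads), run before the file goes live. Added example,
# not from the original post. The ruleset written below is a constructed,
# cut-down sample with three deliberate problems for the checks to find.
set -u

# check_interfaces FILE IFACE... : flag any -i/-o interface name that is not
# in the list of interfaces this box actually has (catches rules copied from
# another machine, which silently never match)
check_interfaces() {
    f=$1; shift
    allowed=" $* "
    rc=0
    for ifn in $(grep -oE -- '-[io] [A-Za-z0-9]+' "$f" | awk '{print $2}' | sort -u); do
        case "$allowed" in
            *" $ifn "*) ;;
            *) echo "unknown interface: $ifn"; rc=1 ;;
        esac
    done
    return $rc
}

# check_default_drop FILE : INPUT and FORWARD keep policy ACCEPT in the post's
# style, so each must end in an explicit catch-all DROP or LOGDROP rule
check_default_drop() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^:/ && $2 == "ACCEPT" { c = substr($1, 2); pol[c] = 1 }
        table == "filter" && $1 == "-A" { last[$2] = $0 }
        END {
            rc = 0
            for (c in pol) {
                if ((c == "INPUT" || c == "FORWARD") && last[c] !~ / -j (DROP|LOGDROP)$/) {
                    print "chain " c " has policy ACCEPT and no catch-all drop"
                    rc = 1
                }
            }
            exit rc
        }' "$1"
}

# check_pinholes FILE : every DNAT pinhole needs a matching FORWARD ACCEPT,
# otherwise the translated packets hit the FORWARD catch-all drop
check_pinholes() {
    rc=0
    for dst in $(grep -- '-j DNAT' "$1" | grep -oE -- '--to-destination [0-9.]+' | awk '{print $2}'); do
        grep -qE -- "^-A FORWARD .*-d $dst[ /].*-j ACCEPT" "$1" ||
            { echo "no FORWARD accept for pinhole $dst"; rc=1; }
    done
    return $rc
}

# run_checks FILE IFACE... : run all three checks; non-zero if any complained
run_checks() {
    f=$1; shift
    ok=0
    check_interfaces "$f" "$@" || ok=1
    check_default_drop "$f" || ok=1
    check_pinholes "$f" || ok=1
    return $ok
}

# Constructed sample ruleset (temp file) with three planted problems:
# an eth0 rule on a box that only has p1p1/p4p1, no FORWARD catch-all drop,
# and a DNAT pinhole to 192.168.100.102 with no FORWARD ACCEPT.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o p4p1 -j MASQUERADE
-A PREROUTING -i p4p1 -p tcp -m tcp --dport 5001 -j DNAT --to-destination 192.168.100.101:5001
-A PREROUTING -i p4p1 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.100.102:80
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A LOGDROP -j LOG
-A LOGDROP -j DROP
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i p1p1 -o p4p1 -j ACCEPT
-A FORWARD -p tcp -d 192.168.100.101 --dport 5001 -j ACCEPT
COMMIT
EOF

# Interfaces this box has: p1p1 (LAN) and p4p1 (WAN). Expect three complaints.
run_checks "$SAMPLE" p1p1 p4p1 && echo "ruleset looks sane" || echo "ruleset has problems (exit $?)"
```

On the real file the call is `run_checks /etc/network/iptables p1p1 p4p1` before `iptables-restore < /etc/network/iptables`; `iptables-restore --test` will catch a syntax error, but none of the three problems above are syntax errors, which is why they need a check of their own.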