Applications for an Intranet Router

In this article, we will cover some of the useful applications you can run to make a router much more useful, and to create a real Intranet. These applications include dhcp, for automatic allocation of IP addresses, squid, to cache web pages, apache to provide web content, ntp to ensure the time is correct across the LAN, and others.

To install these applications on your router, follow the standard procedure for installation on your chosen distribution. There are packages available for all of these applications in all the major distributions.

Dhcpd is perhaps the most useful - it handles the allocation of IP addresses to all the client machines on the LAN. This means you don't have to fiddle about with each of them to make sure the settings are correct, and you can change the settings centrally if you need to. It also reduces the chance of misconfigured machines or conflicting IP addresses. Following is an example /etc/dhcpd.conf, which shows how to specify a range of IPs to hand out to workstations, and also how to give a static IP to a particular workstation if you desire.

    server-identifier 192.168.1.1; # The router's own IP

    subnet 192.168.1.0 netmask 255.255.255.0 { # The network being served
      range 192.168.1.30 192.168.1.250; # Range to allocate dynamically (must lie inside the subnet)
      option domain-name-servers 192.168.1.1; # Name servers to hand out
      option domain-name "example.intra.net"; # Domain name to hand out
      option routers 192.168.1.1; # Default route
      option subnet-mask 255.255.255.0; # Subnet mask
      option broadcast-address 192.168.1.255; # Broadcast address
      default-lease-time 172800; # Lease length in seconds (2 days) when the client doesn't ask for one
      max-lease-time 172800; # Longest lease a client may request
    }

    host foo { # Host you wish to give a static IP to
      hardware ethernet 00:80:c8:f9:6b:f3; # Hardware (MAC) address of that host
      fixed-address 192.168.1.20; # IP to give it - outside the dynamic range, and not the router's own address
    }

As you can see, you can specify most aspects of network configuration, which means less to do on the client side - all you need to do is tell it to use DHCP to get the network settings.
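Two easy mistakes in this file are a range that strays outside the declared subnet and a fixed-address that is already in use by the router or lies inside the dynamic pool. The following checker is an added example, not part of the article; it understands only the ISC dhcpd directives shown above, and the sample configuration embedded in it is constructed.

```python
# Added example, not from the article: flags a dynamic range outside the
# declared subnet and a fixed-address that collides with the router or pool.
import ipaddress
import re

# Constructed sample: the article's fragment with comments removed.
SAMPLE = """\
server-identifier 192.168.1.1;
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.30 192.168.107.250;
  option routers 192.168.1.1;
}
host foo {
  hardware ethernet 00:80:c8:f9:6b:f3;
  fixed-address 192.168.1.1;
}
"""

def parse_dhcpd(text):
    """Extract subnet, range, routers and per-host fixed-address values."""
    text = re.sub(r"#.*", "", text)  # drop comments before matching
    cfg = {"hosts": {}}
    m = re.search(r"\bsubnet\s+(\S+)\s+netmask\s+(\S+)\s*\{", text)
    if m:
        cfg["subnet"] = ipaddress.ip_network(m.group(1) + "/" + m.group(2), strict=False)
    m = re.search(r"\brange\s+(\S+)\s+(\S+)\s*;", text)
    if m:
        cfg["range"] = tuple(ipaddress.ip_address(a) for a in m.groups())
    m = re.search(r"\boption\s+routers\s+(\S+)\s*;", text)
    if m:
        cfg["router"] = ipaddress.ip_address(m.group(1))
    for name, body in re.findall(r"\bhost\s+(\S+)\s*\{([^}]*)\}", text):
        fa = re.search(r"\bfixed-address\s+(\S+)\s*;", body)
        if fa:
            cfg["hosts"][name] = ipaddress.ip_address(fa.group(1))
    return cfg

def check_dhcpd(text):
    """Return a list of problems; an empty list means the fragment is consistent."""
    cfg, problems = parse_dhcpd(text), []
    net, router = cfg.get("subnet"), cfg.get("router")
    lo, hi = cfg.get("range", (None, None))
    if net and lo and not (lo in net and hi in net and lo <= hi):
        problems.append(f"range {lo}-{hi} is not a valid range inside {net}")
    for name, addr in cfg["hosts"].items():
        if addr == router:
            problems.append(f"host {name}: fixed-address {addr} is the router's own address")
        elif lo and lo <= addr <= hi:
            problems.append(f"host {name}: fixed-address {addr} lies inside the dynamic range")
    return problems
```

Run against the article's original fragment it reports both defects; with the range end changed to 192.168.1.250 and the fixed-address moved out of the pool it reports none.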

There are many options available for configuring Squid, but only a few are necessary for a simple, secure configuration. For more details, see my previous articles about Squid.

To set the port the clients use to access the proxy:

    http_port 8080

To specify how hosts without a domain are handled, you can specify a domain that is appended to any unqualified hosts by the following:

    append_domain .intra.net.au

Most ISPs already provide a proxy, so to increase performance it is a good idea to use it as a parent proxy. It is easy to set Squid up so that it goes direct for any local hosts, but is forced to use the parent for remote hosts:

    cache_peer proxy.isp.net.au parent 80 3130

    acl local-intranet dstdomain intra.net.au
    always_direct allow local-intranet
    never_direct deny local-intranet
    never_direct allow all

It is also important to restrict access to the proxy to your local intranet only - otherwise anyone on the internet can use your proxy, which decreases performance and eats into the bandwidth that's available to you.

    acl intranet src 192.168.1.0/255.255.255.0
    http_access allow intranet
    http_access deny all   # explicit final rule: anything not matched above is refused

Another useful program that goes hand in hand with Squid is Junkbuster. With this, you can specify what information your browser gives to web servers, which is useful for restricting what people can learn about your machines. This reduces the possibility of denial of service attacks, especially if the machines on your network are running reasonably vulnerable operating systems.

Junkbuster can also - as the name suggests - bust junk. This means you can specify URLs that you don't wish to see, and they are replaced by other images. As you can imagine, this is very useful for removing unwanted things such as ads. Subjectively, this decreases the bandwidth used and increases browsing speed.

The default configuration of Junkbuster is fairly good - you only need to make a few minor tweaks to have it functioning correctly. In /etc/junkbuster/config:

    blockfile /etc/junkbuster/blockfile
    cookiefile /etc/junkbuster/cookiefile
    forwardfile /etc/junkbuster/forwardfile
    aclfile /etc/junkbuster/acl
    listen-address :8000

One possibly overlooked security issue is that of accurate time. Correct time on every machine is very important, because it lets you correlate logs and track down security issues across hosts - or, indeed, even across countries. There is a protocol, ntp - Network Time Protocol - which is used to sync time to a known good source, usually connected to an atomic clock or some similarly accurate source.

To /etc/ntp.conf, add a line similar to the following, for each ntp server you wish to use:

    server host.name.net

There are still plenty of applications left for you to configure, such as sshd, for secure remote access, or samba, for sharing files around on your intranet, but this article has covered a few of the basics.