LinuxQuestions.org

Forum: Linux - Newbie. Thread: Route between 2 subnets so device connected to Linux laptop can access Internet (https://www.linuxquestions.org/questions/linux-newbie-8/route-between-2-subnets-so-device-connected-to-linux-laptop-can-access-internet-908624/)

veeruk101 10-17-2011 12:26 PM

Route between 2 subnets so device connected to Linux laptop can access Internet
 
I have a device connected to my laptop via a crossover cable, and I want that device to be able to access the internet through my laptop's internet connection. Let's say that device's IP address is 192.168.0.11, and my laptop's IP address for eth0 is 192.168.0.12 and for wlan0 is 192.168.1.12, both with subnet masks of 255.255.255.0. On my laptop, running the 'route' command currently gives the following:

Quote:

192.168.1.0 * 255.255.255.0 U 2 0 0 wlan0
192.168.0.0 * 255.255.255.0 U 1 0 0 eth0
default 192.168.1.1 0.0.0.0 UG 0 0 0 wlan0
I've never done anything like this before, so I'm not sure what I should do in order to route between the 2 subnets. Could anyone please describe what I need to do? Also, once I've done that do I need to set the Gateway and DNS on the device to the IP address of the laptop's wlan0 interface (in this case, 192.168.1.12), or to something else? Thanks.

macemoneta 10-17-2011 12:37 PM

I think the only thing you need to do is enable packet forwarding on your laptop:
Code:

In /etc/sysctl.conf:
net.ipv4.ip_forward = 1

For immediate activation (as root):
echo 1 > /proc/sys/net/ipv4/ip_forward


jlinkels 10-17-2011 12:48 PM

You can solve this in two ways. First is to turn your laptop into a real router, which means it has to know which IP your device is and set up route tables accordingly. That is not difficult, but it can be a bit overwhelming if you are not really familiar with the IP protocol. Have a look at this post: http://www.linuxquestions.org/questi...ml#post3877086
Take into account that your device is connected to the laptop and that in the diagram donald_pc plays the role of your internet modem. It means that you would have to set up a route in your modem which tells the modem the subnet 192.168.0.nnn must be reached thru 192.168.1.nnn. Most modems allow you to do that.

Alternatively, a quicker solution is to set up a NAT router inside your laptop, but you have to have iptables installed. Once it is installed, give these commands on the command line (as root):

Code:

# rewrite the source address of everything leaving the laptop, so replies come back to the laptop
iptables -t nat -A POSTROUTING -j MASQUERADE
# allow packets arriving on the cable (eth0) to be forwarded out over the wifi (wlan0)
iptables -A FORWARD -i eth0 -o wlan0  -j ACCEPT
# finally turn on IP forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

Just enabling forwarding is not sufficient: packets from the modem back to the device don't know how to find the device. Therefore the masquerading: your modem will never know a device exists, it sends everything back to your laptop, and your laptop now knows how to handle it.

In your device you have to set the default gw to 192.168.0.12. DNS can be whatever you like; best is to use the same DNS as your laptop uses.

jlinkels

veeruk101 10-17-2011 01:32 PM

Thanks, the iptables solution did the trick. A couple of follow-up questions just for my own curiosity and learning:

If I do 'echo 1 > /proc/sys/net/ipv4/ip_forward' do I also need to do 'net.ipv4.ip_forward = 1'? What's the difference between changing this setting in one place versus the other?

Regarding DNS servers, before I was setting the DNS server to be the IP address of the laptop. That's completely wrong (unlike for the gateway setting), isn't it? So I did a 'cat /etc/resolv.conf' on that laptop to find out which DNS servers it uses, and used those. I'm wondering, if you had done 'cat /etc/resolv.conf' on your computer and told me what DNS server you use, could I have also used that one? (So there's no 'security' around DNS servers? Anyone can use anyone's DNS?) Really basic question, I know... Thanks.

jlinkels 10-17-2011 02:01 PM

I haven't ever seen anything else than echo 1 > /proc/sys/net/ipv4/ip_forward
/proc/sys is a virtual file, used to tell the OS kernel something.
Where would you do net.ipv4.ip_forward = 1?

About DNS: yes, you could have used everything as DNS.
You made the error of pointing to your laptop for DNS because most DSL modems contain a DNS server, and you won't see any DNS other than the same address as your default gateway, both being your DSL modem. Quite understandable.

You could have used the DNS of your DSL modem if it contains one, the DNS of your ISP, my DNS, or Google, which is 8.8.8.8 or 8.8.4.4 IIRC. Google and "to find something" are pretty often used in one sentence...

jlinkels

hen770 10-17-2011 02:24 PM

If you have the Ubuntu distro, you can change the device to a 'shared internet' which is where you set the DHCP etc.

veeruk101 10-17-2011 02:42 PM

Quote:

Originally Posted by jlinkels (Post 4500758)
I haven't ever seen anything else than echo 1 > /proc/sys/net/ipv4/ip_forward
/proc/sys is a virtual file, used to tell the OS kernel something.
Where would you do net.ipv4.ip_forward = 1?

You'd set that in /etc/sysctl.conf as suggested to me by a previous poster in this thread. It's currently set to 0. I figured it might be analogous to setting a computer's hostname. If you just run the command 'hostname mycomputer' it will take effect immediately but the changes won't persist into the next reboot. In order to have it persist, you must change a file: by adding 'HOSTNAME=mycomputer' to /etc/sysconfig/network.

So I figured it's analogous - running 'echo 1 > /proc/sys/net/ipv4/ip_forward' would take effect immediately but not be persistent, but changing the /etc/sysctl.conf file would do the opposite? After running the echo command I did a 'grep ip_forward /etc/sysctl.conf' and the value is still 0. So if you don't change the file, then when you reboot isn't your computer being informed of the value '0' from the file but the value '1' from the command you ran? It's working for me but I'm curious to know more about the configuration just for my own learning. Thanks.

jlinkels 10-17-2011 02:51 PM

Ah, RHEL. Yes, they could do that thru /etc/sysctl.conf.

The command echo 1 > /proc/sys/net/ipv4/ip_forward had to be given after a reboot. I guess some script does just that when it processes sysctl.conf. And because this is executed at boot time such settings do survive reboots by design. It is just not smart to require a reboot to change such settings.

My own preference is to put all those iptables commands in a script file (including the echo to /proc) and run this file automatically at boot time. When such a file is available I can edit it at will, and run it to execute the changes I made.

It is important to start such a file with disabling forwarding, flush all iptables settings, build them again and enable forwarding.

But that is typically Debian-and-derivatives style. RHEL and associates use a different policy with which I am not really familiar.

jlinkels

veeruk101 10-24-2011 02:54 PM

Quote:

My own preference is to put all those iptables commands in a script file (including the echo to /proc) and run this file automatically at boot time. When such a file is available I can edit it at will, and run it to execute the changes I made.
I'm going to do it this way - where exactly did you put this script file, and how is it called? Is there a place I can ADD rather than EDIT a file? Meaning rather than editing /etc/rc.local for example, a place where if I put it the script will be called. Such as adding a script to /etc/profile.d/ which will get called when a user logs in (but that wouldn't be the right place to add scripts related to iptables, because you don't want those run every time someone logs in).

Quote:

It is important to start such a file with disabling forwarding, flush all iptables settings, build them again and enable forwarding.
Out of curiosity, why is it important to first disable forwarding before re-enabling them at the very end?

jlinkels 10-24-2011 03:11 PM

Quote:

Originally Posted by veeruk101 (Post 4506879)
I'm going to do it this way - where exactly did you put this script file, and how is it called? Is there a place I can ADD rather than EDIT a file? Meaning rather than editing /etc/rc.local for example, a place where if I put it the script will be called. Such as adding a script to /etc/profile.d/ which will get called when a user logs in (but that wouldn't be the right place to add scripts related to iptables, because you don't want those run every time someone logs in).

I have a directory called /etc/ipmasq/. In this directory I have the script files with names like ip_vas_gw. It is an ordinary bash script file almost written from scratch. Then in /etc/init.d I have created a file called firewall.sh which takes start, stop and restart parameters, the usual stuff. It was copied and adapted from a suitable file in /etc/init.d. At start it runs the file from /etc/ipmasq, at stop it flushes the tables and disables forwarding. I think during boot it is called from rcS.d. You should follow the usual policy for your distro when you decide where to put it. The scripts are the same, but the locations differ.

The huge advantage is that you have an independent script which you can run at will. Every time you change something you run the script, which in turn flushes all iptables settings and you start clean with the rules. While running this script connections are not interrupted. I happily do this on a live system.

Quote:

Originally Posted by veeruk101 (Post 4506879)
Out of curiosity, why is it important to first disable forwarding before re-enabling them at the very end?

That is good custom. You don't want to mess around with iptables while forwarding is enabled.

jlinkels
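The boot-time gateway script jlinkels describes (disable forwarding, flush, rebuild, enable, with start/stop/restart handling), written out as an added example; it is not his /etc/ipmasq or firewall.sh and not part of the thread. It assumes the interface names and subnet from the thread (eth0 / 192.168.0.0/24 on the device side, wlan0 toward the modem). Unlike the three one-liners earlier in the thread, it only masquerades that subnet on the uplink, defaults the FORWARD chain to DROP, and lets traffic back in from the wifi side only when conntrack recognises it as a reply, so the laptop does not silently become a router for everything it is plugged into. The IPT and FORWARD_CTL variables are hypothetical hooks so the functions can be exercised without root; on a real box they fall back to iptables and /proc.

```shell
#!/bin/sh
# Added example: a self-contained NAT gateway script in the style jlinkels
# describes (not his /etc/ipmasq or firewall.sh). Interfaces and subnet are
# assumed from the thread: device side eth0 / 192.168.0.0/24, uplink wlan0.
set -eu

LAN_IF="${LAN_IF:-eth0}"                 # cable to the device
LAN_NET="${LAN_NET:-192.168.0.0/24}"     # only this subnet gets NATed
WAN_IF="${WAN_IF:-wlan0}"                # interface toward the modem
IPT="${IPT:-iptables}"                   # hypothetical hook: swap in a fake for testing
FORWARD_CTL="${FORWARD_CTL:-/proc/sys/net/ipv4/ip_forward}"  # hypothetical hook, same reason

set_forwarding() {            # $1 is 0 or 1; the same "echo 1 > /proc/..." as in the thread
    echo "$1" > "$FORWARD_CTL"
}

flush_rules() {               # start clean every run, as the thread recommends
    "$IPT" -t nat -F POSTROUTING
    "$IPT" -F FORWARD
}

build_rules() {
    # Forward nothing by default; the plain "-A FORWARD ... -j ACCEPT" earlier in
    # the thread only works because the chain's default policy is ACCEPT.
    "$IPT" -P FORWARD DROP
    # Device -> Internet: only from the expected subnet, only over the expected pair.
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    # Internet -> device: replies to connections the device opened, nothing new.
    "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Masquerade only that subnet and only on the uplink, instead of everything everywhere.
    "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

fw_start() {                  # disable, flush, rebuild, enable: jlinkels' ordering
    set_forwarding 0
    flush_rules
    build_rules
    set_forwarding 1
}

fw_stop() {                   # what the init.d "stop" does: no forwarding, no rules
    set_forwarding 0
    flush_rules
    "$IPT" -P FORWARD ACCEPT  # back to the kernel default once nothing is forwarded anyway
}

fw_status() {                 # prints 1 while the gateway is active, 0 otherwise
    cat "$FORWARD_CTL"
}

# Dispatch only when an action is given, so the file can also be sourced.
case "${1:-}" in
    start)   fw_start ;;
    stop)    fw_stop ;;
    restart) fw_stop; fw_start ;;
    status)  fw_status ;;
    "")      ;;
    *)       echo "usage: $0 {start|stop|restart|status}" >&2; exit 1 ;;
esac
```

Run as root with `start`, `stop`, `restart` or `status`; where it lives is the distro's business, as jlinkels says, since the functions are the same whether an init.d wrapper or rc.local calls them. Because forwarding is switched off before the flush and back on only after the last rule is in place, there is never a moment where the kernel forwards with an empty or half-built ruleset, which is the reason behind the ordering veeruk101 asked about.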
