LinuxQuestions.org

meinzorn 04-22-2005 09:19 PM

internet connection sharing
 
Hello.. I just got a new old box and I installed slackware linux 10 on it... I have a hardware modem and can connect to the internet and everything alright, but I want to be able to share that connection with a windows box that I have sitting next to it... can anyone help me do this?

I tried using google to search, and didn't find much, and what I did find kinda confused me.. any help is appreciated, thank you in advance for it.

win32sux 04-22-2005 09:51 PM

hardware: you'll need an ethernet card on each box, and either a crossover cable or two regular cables and a switch/hub...

software: basically it's just a matter of setting an iptables script in your /etc/rc.d/rc.firewall file... of course you'd need to have iptables installed before that... if you did a full install you already have it... you can check with:
Code:

ls /var/log/packages | grep iptables

the general overview of what you will be doing in order to share the connection is:

you will be configuring your internet-connected box as a NAT router... the dial-up modem will be its external interface and the ethernet card will be the internal interface...

the windows machine will have one ethernet card and it will be connected with ethernet cabling to the internal ethernet card of the NAT box...

the windows machine will use an internal IP such as 192.168.0.2, for example...

the internal network card of the NAT box will also use an internal IP, such as 192.168.0.1, for example... the external interface (dial-up) will use whatever IP it gets from your ISP, as it normally does...

the windows machine will be configured to use 192.168.0.1 (or whatever the NAT box's internal IP is) as its gateway...

the windows machine can use the same DNS servers that your NAT box uses (provided by your ISP) if you want...


win32sux 04-22-2005 10:14 PM

i wrote a very simple /etc/rc.d/rc.firewall iptables script for you that should do the trick once you have your network cards set up... all you'd have to do is save it as /etc/rc.d/rc.firewall and make it executable with a:
Code:

chmod 755 /etc/rc.d/rc.firewall

it'll then be automatically run every time your computer starts...

Code:

#!/bin/sh

IPT="/usr/sbin/iptables"

# internal (LAN) and external (dial-up) interfaces
LAN_IFACE="eth0"
INET_IFACE="ppp0"

# disable forwarding while the rules are loaded, then set kernel network options
echo "0" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

# flush all existing rules
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

# delete all user-defined chains
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

# default policies: drop inbound and forwarded traffic, allow outbound
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# INPUT: replies to existing connections, loopback, and pings from the LAN;
# anything else is logged and then dropped by the policy
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -m state --state NEW -j ACCEPT
$IPT -A INPUT -p ICMP -i $LAN_IFACE --icmp-type 8 \
-m state --state NEW -j ACCEPT
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "

# FORWARD: replies, plus new connections going from the LAN to the internet
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $LAN_IFACE -o $INET_IFACE \
-m state --state NEW -j ACCEPT
$IPT -A FORWARD -j LOG --log-prefix "FORWARD DROP: "

# NAT: masquerade everything leaving through the external interface
$IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

# connection tracking and NAT helpers for FTP and IRC
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_irc

# enable forwarding now that the rules are in place
echo "1" > /proc/sys/net/ipv4/ip_forward

echo "So let it be written. So let it be done."

EDIT: added rule allowing PINGs (--icmp-type 8) on the internal interface (eth0) to make it easier to test LAN connectivity...


meinzorn 04-22-2005 10:32 PM

ok.. I've gotten as far as setting up the network right.. but how do I use that script?

(I've never had experience with scripts before)

win32sux 04-22-2005 10:36 PM

just copy the script and save it as text file /etc/rc.d/rc.firewall and then make the file executable by doing a:
Code:

chmod 755 /etc/rc.d/rc.firewall

it'll get executed by the system automatically upon reboot...

after copying/chmod-ing it you can also execute it manually by issuing the command:
Code:

/etc/rc.d/rc.firewall

meinzorn 04-22-2005 10:59 PM

ok... when I do that it says..

"iptables: Table does not exist (do you need to insmod?)
iptables: Table does not exist (do you need to insmod?)"

win32sux 04-22-2005 11:03 PM

post the output of these commands (after executing the script):
Code:

iptables -L
Code:

iptables -t nat -L
Code:

lsmod
Code:

ifconfig

meinzorn 04-22-2005 11:06 PM

heh, never mind that last post, I figured out why it was doing that...

typo on my part.

win32sux 04-22-2005 11:08 PM

so everything is working fine now?? you can surf the web (etc.) from the windows box??


meinzorn 04-22-2005 11:28 PM

hmm, no... it still isn't working..

I'm not getting any error or anything, I just can't connect to the internet from the windows box. I've tried to sign onto AIM on my windows box and that isn't working, and I've tried pinging a website and that isn't working.

win32sux 04-22-2005 11:35 PM

are you able to ping the linux box from the windows box (and vice-versa)??

make sure you are using the latest script from post #3, as i added the PING thing after...

please post the output of the commands in post #7, as well as the IP configuration you've given the windows box...


meinzorn 04-23-2005 12:10 AM

hmm, this is difficult.. I'm doing this from the linux machine so I'm using links and I can't figure out how to copy and paste the results of those commands into this. I can ping the windows machine from here and I can ping this machine from the windows one, though.

win32sux 04-23-2005 12:26 AM

can you ping 64.233.187.99 or 64.233.187.104 from the windows machine??


win32sux 04-23-2005 12:30 AM

your IP configuration should look like this:

linux box:
ppp0 = whatever your ISP gives you
eth0 = 192.168.0.1 (netmask 255.255.255.0)

windows box:
IP = 192.168.0.2
netmask = 255.255.255.0
gateway = 192.168.0.1

meinzorn 04-23-2005 12:39 AM

hmm.. I definitely just restarted the windows machine and it's working fine now. I probably should have tried that a while ago.

cool, I'm glad I have this working.. thank you for the help

win32sux 04-23-2005 12:42 AM

you're very welcome!! let me know if any issues come up... good luck!!

meinzorn 04-23-2005 12:46 AM

hmm.. kinda an issue, not that big of one I guess....

but pre this, I had apache set up, as well as proftpd and they worked fine...

now they aren't working.. is it related, or did I change something without realizing it ?

ssh also isn't working...... which is more of an issue than anything... I planned on using that mostly when I needed to do anything with the machine.

win32sux 04-23-2005 12:49 AM

you mean, like, to access those services on your box from the internet??

meinzorn 04-23-2005 12:50 AM

well, yeah, or the local network.. from the windows machine..

and when I try to connect with ssh, it just times out.

same with http

win32sux 04-23-2005 12:54 AM

Quote:

Originally posted by meinzorn
hmm.. kinda an issue, not that big of one I guess....

but pre this, I had apache set up, as well as proftpd and they worked fine...

now they aren't working.. is it related, or did I change something without realizing it ?

ssh also isn't working...... which is more of an issue than anything... I planned on using that mostly when I needed to do anything with the machine.

Quote:

well, yeah, or the local network..

and when I try to connect with ssh, it just times out.

same with http

no problem, we just need to add a few rules to the script allowing http, ftp, and ssh (the original script i wrote was designed for complete stealth on the external interface, as i didn't know you were running services on it)...

here you go (the relevant rules are in bold):

Code:

#!/bin/sh

IPT="/usr/sbin/iptables"

LAN_IFACE="eth0"
INET_IFACE="ppp0"

echo "0" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -m state --state NEW -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 8 -m state --state NEW -j ACCEPT
# allow new ftp (21), ssh (22) and http (80) connections
$IPT -A INPUT -p TCP --dport 21 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p TCP --dport 22 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p TCP --dport 80 -m state --state NEW -j ACCEPT

$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "

$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $LAN_IFACE -o $INET_IFACE \
-m state --state NEW -j ACCEPT
$IPT -A FORWARD -j LOG --log-prefix "FORWARD DROP: "

$IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_irc

echo "1" > /proc/sys/net/ipv4/ip_forward

echo "So let it be written. So let it be done."


meinzorn 04-23-2005 01:01 AM

ok, so if I need a port opened for whatever reason, it's just like those added lines, only change the port number?

win32sux 04-23-2005 01:11 AM

yeah, basically... but it wouldn't be a bad idea to do some reading about iptables/netfilter so you can have a better understanding of what the script is doing:

http://www.linuxguruz.com/iptables/howto/

http://www.linuxguruz.com/iptables/

http://www.justlinux.com/nhf/Securit...es_Basics.html

http://iptables-tutorial.frozentux.n...-tutorial.html

for more iptables info: http://www.google.com/linux?hl=en&lr...es&btnG=Search

;-)
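
Added example (not part of the original thread): a small shell/awk audit that reads a firewall script like the one above and lists each port opened in the INPUT chain together with the interface the rule is limited to. Rules without an `-i` match, such as the port 21/22/80 rules, apply to `ppp0` as well as `eth0`. The function names and the LAN-only ssh variant in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the ports a firewall script opens in the INPUT chain
# and the interface each rule is limited to ("any" = no -i match, so the
# rule applies to the internet-facing interface too).

list_open_ports() {
    awk '
    /^[ \t]*#/ { next }                        # skip comment lines
    {
        rule = rule $0
        if (sub(/\\$/, " ", rule)) next        # trailing backslash: rule continues
        n = split(rule, f, /[ \t]+/); text = rule; rule = ""
        if (text !~ /-A INPUT/ || text !~ /-j ACCEPT/ || text !~ /--dport/) next
        iface = "any"; proto = "?"; port = "?"
        for (i = 1; i < n; i++) {
            if (f[i] == "-i")      iface = f[i + 1]
            if (f[i] == "-p")      proto = tolower(f[i + 1])
            if (f[i] == "--dport") port  = f[i + 1]
        }
        print port "/" proto, iface
    }'
}

# Sample input: the three port rules from the script above, plus one
# constructed variant that limits ssh to the LAN interface.
sample_rules() {
    cat <<'EOF'
$IPT -A INPUT -p TCP --dport 21 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p TCP --dport 22 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p TCP --dport 80 -m state --state NEW -j ACCEPT
# constructed variant: ssh reachable from the LAN side only
$IPT -A INPUT -p TCP -i $LAN_IFACE --dport 22 \
-m state --state NEW -j ACCEPT
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "
EOF
}

sample_rules | list_open_ports
```

To audit the installed script, run `list_open_ports < /etc/rc.d/rc.firewall`.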


win32sux 04-23-2005 01:32 AM

BTW, that script is logging every packet that gets blocked by the firewall... you can see what packets are getting blocked in "real-time" by doing a:

Code:

tail -f /var/log/syslog

(you need to have sysklogd installed for this to work)

this is good for troubleshooting and stuff... like, for example when you weren't able to SSH to the box - by monitoring the log file you would have noticed the port 22 packets getting blocked... so you would have known it was a firewall issue right away...

it's also good for seeing all the weird spiders that crawl all over the internet... hehe...
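
Added example (not part of the original thread): instead of watching `tail -f`, the logged drops can be summarized per chain, inbound interface, protocol and destination port, keyed on the two `--log-prefix` strings the script uses. The function names and the sample log lines are constructed, and the lines are abridged.

```shell
#!/bin/sh
# Added example: count packets logged by the "INPUT DROP: " and
# "FORWARD DROP: " rules, using the netfilter LOG fields IN=, PROTO=, DPT=.

summarize_drops() {
    awk '
    / (INPUT|FORWARD) DROP: / {
        chain = ($0 ~ / INPUT DROP: /) ? "INPUT" : "FORWARD"
        in_if = proto = dpt = "-"      # "-" when a field is absent (ICMP has no DPT)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^IN=./)   in_if = substr($i, 4)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        seen[chain " " in_if " " proto " " dpt]++
    }
    END { for (k in seen) print seen[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed, abridged sample lines (host name and addresses are made up).
sample_log() {
    cat <<'EOF'
Apr 23 00:51:10 box kernel: INPUT DROP: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=48 TTL=128 PROTO=TCP SPT=1045 DPT=22 SYN
Apr 23 00:51:13 box kernel: INPUT DROP: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=48 TTL=128 PROTO=TCP SPT=1045 DPT=22 SYN
Apr 23 00:51:19 box kernel: INPUT DROP: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=48 TTL=128 PROTO=TCP SPT=1045 DPT=22 SYN
Apr 23 00:52:02 box pppd[412]: rcvd [LCP EchoRep id=0x5]
Apr 23 00:52:40 box kernel: INPUT DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.20 LEN=48 TTL=112 PROTO=TCP SPT=4123 DPT=445 SYN
Apr 23 00:53:05 box kernel: INPUT DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.20 LEN=84 TTL=52 PROTO=ICMP TYPE=8 CODE=0 ID=77 SEQ=1
Apr 23 00:54:11 box kernel: FORWARD DROP: IN=eth0 OUT=ppp0 SRC=192.168.0.2 DST=203.0.113.50 LEN=40 TTL=127 PROTO=TCP SPT=1050 DPT=80 ACK FIN
EOF
}

# Output columns: count, chain, inbound interface, protocol, destination port
sample_log | summarize_drops
```

On the live box the same function reads the real log: `summarize_drops < /var/log/syslog`.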


