LinuxQuestions.org
Old 07-18-2003, 10:37 AM   #1
varunbihani
Member
 
Registered: Jul 2003
Location: indore, india
Posts: 69

Rep: Reputation: 15
Internet Sharing on Linux machines


I have 3 Linux RH 9 machines in my LAN.
I want to access the internet on all 3 machines.
Till now I am able to access all machines but not the internet. The internet is available only on 1 machine, in which I have 2 NICs. One is from my ISP and the other is the local LAN card.

Can anybody suggest how to bring the internet to all 3 machines?
If iptables is the solution, then please tell me how to configure those tables.

IP address of my server machine is 192.***.*.1

IP address of my ISP 10.*****
DNS =61.******
Common gateway=10.******

eth0 is my Local lan
eth1 is for internet distribution

In my eth1 I have statically given the IP info of my ISP, and in the route I have given all the IP addresses of the 3 machines as the destination network and given the gateway of my ISP.

In eth0, i.e. the local LAN, I have given the IP address of my machine statically instead of obtaining it automatically, because with the automatic connection I could activate my eth0.

Now with these settings I am only able to get internet on my machine with 2 NICs, but I can ping all of my 3 machines on the LAN.
 
Old 07-18-2003, 11:25 AM   #2
mayankjohri
Member
 
Registered: Mar 2002
Location: INDIA
Distribution: Mandrake Linux 9.2, Knoppix 3.0
Posts: 158

Rep: Reputation: 30
Did you try forward_ipv4=yes?
 
Old 07-18-2003, 11:30 AM   #3
varunbihani
Member
 
Registered: Jul 2003
Location: indore, india
Posts: 69

Original Poster
Rep: Reputation: 15
where to do this??

forward_ipv4=yes

in which file and how
 
Old 07-18-2003, 11:39 AM   #4
serz
Member
 
Registered: Apr 2003
Location: Buenos Aires, Argentina
Distribution: Slackware, Gentoo
Posts: 397

Rep: Reputation: 30
I'd suggest you try MonMotha's IPTABLES firewall. It will do the whole job for you.
 
Old 07-18-2003, 11:45 AM   #5
Mathieu
Senior Member
 
Registered: Feb 2001
Location: Montreal, Quebec, Canada
Distribution: RedHat, Fedora, CentOS, SUSE
Posts: 1,403

Rep: Reputation: 46
Actually, forward_ipv4=yes will not work in RedHat.

Edit the file /etc/sysctl.conf and on the line net.ipv4.ip_forward = 0, change 0 to 1.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1


IPtable rules are located in /etc/sysconfig/iptables

First, we need to flush the old rules.
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F

The following commands will create new rules for your system.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -j LOG

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

To save iptables modifications, use service iptables save.

Last edited by Mathieu; 07-18-2003 at 11:46 AM.
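
An added example, not part of Mathieu's post or the thread: a shell function that audits a saved ruleset (iptables-save layout, the format service iptables save writes) together with sysctl.conf for the gateway rules posted above. The function names, temp-file paths and sample ruleset are constructed for illustration; interface names follow the thread (eth0 LAN, eth1 Internet).

```shell
#!/bin/bash
# Added example (not from the thread): offline audit of a saved gateway ruleset.
# Usage: audit_gateway RULES_FILE SYSCTL_FILE LAN_IF WAN_IF
# Prints one line per check; returns 0 only when every check passes.

check() {  # check LABEL FILE ERE -> bumps $fails when no line matches
    if grep -Eq -- "$3" "$2"; then echo "ok    $1"
    else echo "FAIL  $1"; fails=$((fails + 1)); fi
}

audit_gateway() {
    rules=$1; sysctl=$2; lan=$3; wan=$4; fails=0
    st='(RELATED,ESTABLISHED|ESTABLISHED,RELATED)'
    check "kernel forwarding enabled" "$sysctl" \
        '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$'
    check "FORWARD policy is DROP" "$rules" '^:FORWARD DROP '
    check "replies $wan->$lan need conntrack state" "$rules" \
        "^-A FORWARD -i $wan -o $lan -m (state --state|conntrack --ctstate) $st -j ACCEPT"
    check "LAN $lan->$wan forwarded" "$rules" "^-A FORWARD -i $lan -o $wan -j ACCEPT"
    check "masquerade on $wan" "$rules" "^-A POSTROUTING -o $wan -j MASQUERADE"
    # Any WAN-side ACCEPT without a state match lets new inbound connections reach the LAN.
    if grep -E -- "^-A FORWARD -i $wan .*-j ACCEPT" "$rules" | grep -Evq -- '--(ct)?state'; then
        echo "FAIL  unconditional $wan->LAN accept"; fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ]
}

# Constructed sample input: the thread's rules in iptables-save layout.
demo=$(mktemp -d)
cat > "$demo/good.rules" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -j LOG
COMMIT
EOF
printf 'net.ipv4.ip_forward = 1\n' > "$demo/sysctl.conf"
audit_gateway "$demo/good.rules" "$demo/sysctl.conf" eth0 eth1 || echo "ruleset needs attention"
```

On a live gateway the same function can be pointed at /etc/sysconfig/iptables and /etc/sysctl.conf once the rules have been saved.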
 
Old 07-19-2003, 12:19 PM   #6
Robert0380
LQ Guru
 
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280

Rep: Reputation: 47
I don't have that file in Red Hat (/etc/sysconfig/iptables). I put my rules in a custom file (firewall.sh) and I put the command:

sh firewall.sh


in rc.local. Did you make that file (/etc/sysconfig/iptables), or is it in a different distribution from Red Hat?

Last edited by Robert0380; 07-19-2003 at 12:20 PM.
 
Old 07-19-2003, 12:46 PM   #7
Mathieu
Senior Member
 
Registered: Feb 2001
Location: Montreal, Quebec, Canada
Distribution: RedHat, Fedora, CentOS, SUSE
Posts: 1,403

Rep: Reputation: 46
By default, the file is NOT created.
If you want to create it, type service iptables save. This will save your rules.

You will no longer need firewall.sh if you edit the file /etc/sysctl.conf and change 0 to 1 on the line net.ipv4.ip_forward = 0.

You will also need to start iptables on boot.
 
Old 07-19-2003, 07:28 PM   #8
fortezza
Member
 
Registered: Mar 2003
Location: Colorado
Distribution: Fedora Core 4
Posts: 297

Rep: Reputation: 30
Same Problem Setting up Linux Router/Firewall

I am having problems with the DSL router ( Cisco 678 ).

What I have done is split my home network up into 2 networks, an insecure one and a secure one. Looking from the Internet, here is the setup I am using while testing the firewall router:

Test setup:
DSL Line->Cisco 678 -> Switch ( 10.0.0.0/24 network ) -> Firewall eth0 -> Firewall eth0 -> test computer eth0 ( network is 10.0.1.0/24 ) .

I have a laptop on 10.0.1.0/24 and a workstation on 10.0.0.0/24 and they can ping/ssh each other with no problems. The only problem I have at the moment is that while all the computers on the 10.0.0.0/24 network can ping the router and be pinged by it, the laptop and router are not communicating at all. I set up the router to route packets for the 10.0.1.0/24 network the same way I set up the workstation (which is on the same network as the router), but it just gives me a timeout. It can ping the firewall/router interface on its local network, but either it isn't using the fw/router to route packets for the 10.0.1.0/24 network, or the fw/router is refusing to route them. The second isn't very likely since it is routing for all of my Linux workstations.

To recap, from my workstation I can ping the DSL router, both NICs in the Linux FW/router, and the laptop that is connected to the fw/router. From my DSL router, I can ping all interfaces on its network, but cannot ping the fw/router eth1 (10.0.1.0/24) interface nor the laptop on that interface.

Also note that I have turned off all of my DSL router's filters and stopped all iptables services on the Linux machines to simplify troubleshooting.


Any ideas? My plan is to have a setup like this:

DSL Line->Cisco 678 -> Firewall eth0( 10.0.0.0/24 network ) -> Firewall eth0( 10.0.1.0/24 network ) -> switch -> all of my computers ( 10.0.1.0/24 ) .

Here are a few routing tables:

laptop ( that pings everything except the DSL router )
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.0 10.0.1.1 255.255.255.0 UG 0 0 0 eth0
10.0.1.0 * 255.255.255.0 U 0 0 0 eth0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 10.0.1.1 0.0.0.0 UG 0 0 0 eth0

workstation ( same as laptop but it can ping the DSL router )
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.0 * 255.255.255.0 U 0 0 0 eth0
10.0.1.0 10.0.0.2 255.255.255.0 UG 0 0 0 eth0
192.168.0.0 10.0.0.2 255.255.255.0 UG 0 0 0 eth0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 10.0.0.1 0.0.0.0 UG 0 0 0 eth0

DSL Router
[TARGET] [MASK] [GATEWAY] [M][P] [TYPE] [IF] [AGE]
0.0.0.0 0.0.0.0 0.0.0.0 1 SA WAN0-0 0
10.0.0.0 255.255.255.0 0.0.0.0 1 LA ETH0 0
10.0.1.0 255.255.255.0 10.0.0.2 2 SAR ETH0 0
66.0.0.0 255.0.0.0 0.0.0.0 1 A WAN0-0 0

Firewall
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.0 * 255.255.255.0 U 0 0 0 eth0
10.0.1.0 * 255.255.255.0 U 0 0 0 eth1
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 10.0.0.1 0.0.0.0 UG 0 0 0 eth0
 
Old 07-19-2003, 07:33 PM   #9
RKris
Member
 
Registered: May 2002
Location: UK
Distribution: Mandriva linux
Posts: 152

Rep: Reputation: 15
Man!! you need to buy a book on Cisco routers or on RedHat , rather than dumping your head in here.

regards
Krishna
 
Old 07-19-2003, 10:51 PM   #10
fortezza
Member
 
Registered: Mar 2003
Location: Colorado
Distribution: Fedora Core 4
Posts: 297

Rep: Reputation: 30
Work-around - transparent bridging

For now I am going with a workaround that I found - transparent bridging.

So what I did was make the firewall system transparent to my network: it copies everything between the two interfaces and filters the packets as they pass through. It doesn't even need an IP address!

First install the bridge utilities found here ->
http://bridge.sourceforge.net/download.html

Then follow the instructions here ->
http://www.linuxquestions.org/questi...451#post188451

After you are done, you will only have access to the firewall from the keyboard/mouse connected to it, but it can be dangerous to try to remotely configure firewall rules anyhow (you could disconnect yourself accidentally and not get back in!). One note is that older kernels (older than 2.4-18, I presume) did not have bridging capability enabled by default, but the kernel that came with Mandrake 9.1 did, so all I needed to install were the bridging tools referenced above.

I read somewhere that the downside of transparent bridging is you can only process incoming packets and not outgoing ones. I will put that to the test in a bit.

I hope this information helps someone else.
 
Old 07-20-2003, 09:34 AM   #11
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
you could use shorewall to share your internet connection and protect your local area network... it makes iptables easy...

http://www.shorewall.net/

here's the guide for a two-interface setup like the one you described:

http://www.shorewall.net/two-interface.htm

you might also want to use something like squid to speed things up a little for the surfers and save bandwidth:

http://www.squid-cache.org/
 
  

