LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
Old 05-14-2011, 10:51 AM   #1
stu_c
LQ Newbie
 
Registered: Apr 2011
Distribution: Slackware
Posts: 20

Rep: Reputation: 0
routing / IP masquerade / NAT question


hello,

The wireless networking in my Mac doesn't work (hardware failure) and since it's old and out of warranty I don't intend to get it fixed. My solution is to put an extra ethernet card in my linux PC next to it and have the Mac connect to the internet via my linux PC. So the linux PC connects to the internet via eth1 (192.168.1.x addresses), and connects to the Mac via eth0. I've set up a DHCP server on eth0 (192.168.2.x addresses) to give the Mac an IP address - which it does. The problems I'm having are:

1.) The Mac can ping the eth1 and eth0 interfaces on the linux PC, but can't see the internet. Also, the linux PC can't ping the Mac.

I've made rc.ip_forward executable - but presumably there is more to do in the way of network address translation / ip forwarding? What?

Also, as a side issue: my dhcpd server is started from rc.dhcpd (which is executable) but doesn't seem to get called during the boot process - what's the best way of having this start automatically at boot time, rather than having to start it manually? A link into one of the other rc files - if so, which one?

I'm running Slackware 13.1 with all the latest patches, etc.

Thanks in advance for any suggestions,
Stuart
 
Old 05-14-2011, 11:38 AM   #2
slac-in-the-box
Member
 
Registered: Mar 2010
Location: oregon
Distribution: slackware64-14.1
Posts: 160

Rep: Reputation: 26
you need to configure iptables

howdy stu_c

you also need to create rules for iptables... I used the script at http://connie.slackware.com/~alien/efg/ to generate a startup script, that I saved as /etc/rc.d/rc.firewall and made it executable... the script has options for gateways... but I'm pretty sure you need some rule on the nat chain with the -j SNAT option in it... the relevant line in my rc.firewall script is:
Code:
$IPT -t nat -A POSTROUTING -s $LOCAL_NAT -o $INET_IFACE \
     -j SNAT --to-source $INET_ADDRESS
hope it works for ya...
 
Old 05-14-2011, 03:20 PM   #3
Martinus2u
Member
 
Registered: Apr 2010
Distribution: Slackware
Posts: 342

Rep: Reputation: 55
Quote:
Originally Posted by slac-in-the-box View Post
Code:
$IPT -t nat -A POSTROUTING -s $LOCAL_NAT -o $INET_IFACE \
     -j SNAT --to-source $INET_ADDRESS
To the OP: if you set all default policies to ACCEPT, a line like that will suffice. Otherwise you need to make sure the packets are able to travel through the PREROUTING and FORWARD filters as well - both ways.

example:

Code:
# default policies
/usr/sbin/iptables -t nat -P POSTROUTING ACCEPT
/usr/sbin/iptables -t nat -P OUTPUT ACCEPT
/usr/sbin/iptables -t nat -P PREROUTING ACCEPT
/usr/sbin/iptables -t filter -P INPUT DROP
/usr/sbin/iptables -t filter -P FORWARD DROP
/usr/sbin/iptables -t filter -P OUTPUT DROP

# NAT on behalf of secondary LAN 
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.2.0/255.255.255.0 -j SNAT \
    --to-source 192.168.1.xxx

# forward packets from/to secondary LAN
/usr/sbin/iptables -t filter -A FORWARD -s 192.168.2.0/255.255.255.0 -j ACCEPT
/usr/sbin/iptables -t filter -A FORWARD -d 192.168.2.0/255.255.255.0 -j ACCEPT

# further rules for INPUT & OUTPUT if default policy is DROP
If you're interested in some background about netfilter configuration, I once wrote a section about it in a slightly different context:

http://www.frogge.de/pepper/linux/li...#configure_nat

Martin
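Putting the OP's topology together with the two rule fragments above, here is an added example script (mine, not code from the thread, from Slackware or from the generator at connie.slackware.com) for exactly that layout: eth1 toward the modem (192.168.1.x), eth0 toward the Mac on 192.168.2.0/24. The interface names and networks are the thread's; the DRY_RUN switch, the function names, MASQUERADE in place of SNAT --to-source, and the conntrack state matching are my own choices.

```sh
#!/bin/sh
# Added example, not code from the thread or from Slackware: a NAT gateway
# script for the OP's topology. eth1 faces the ADSL modem (192.168.1.x),
# eth0 faces the Mac on 192.168.2.0/24. DRY_RUN, the function names and the
# use of MASQUERADE plus conntrack matching are my own choices.
#
#   sh rc.nat show     # print the commands, no root needed
#   sh rc.nat apply    # as root: install the rules and enable forwarding

INET_IFACE="${INET_IFACE:-eth1}"         # upstream, toward the modem
LAN_IFACE="${LAN_IFACE:-eth0}"           # toward the Mac
LAN_NET="${LAN_NET:-192.168.2.0/24}"
IPT="${IPT:-/usr/sbin/iptables}"

# run: print the command under DRY_RUN=1, execute it otherwise.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Clean filter/nat tables with DROP defaults on INPUT and FORWARD, so anything
# not explicitly allowed below is discarded. The nat table keeps its ACCEPT
# policies, as in Martinus2u's example; the filter table does the gating.
set_policies() {
    run "$IPT" -F
    run "$IPT" -t nat -F
    run "$IPT" -P INPUT DROP
    run "$IPT" -P FORWARD DROP
    run "$IPT" -P OUTPUT ACCEPT
}

# Traffic to the gateway itself: loopback, replies to its own connections,
# and from the LAN side only DHCP (the dhcpd on eth0) and ICMP.
host_rules() {
    run "$IPT" -A INPUT -i lo -j ACCEPT
    run "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A INPUT -i "$LAN_IFACE" -p udp --dport 67 -j ACCEPT
    run "$IPT" -A INPUT -i "$LAN_IFACE" -p icmp -j ACCEPT
}

# Forwarding: new connections only from the LAN toward eth1; from eth1 only
# replies. A plain "-s LAN ACCEPT / -d LAN ACCEPT" pair would also let a host
# on the eth1 side open connections to the Mac.
forward_rules() {
    run "$IPT" -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -s "$LAN_NET" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -d "$LAN_NET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Source NAT. MASQUERADE uses whatever address eth1 currently holds from the
# modem's DHCP, so no --to-source value has to be kept up to date.
nat_rules() {
    run "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$INET_IFACE" -j MASQUERADE
}

# The same kernel switch that rc.ip_forward turns on.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

main() {
    set_policies
    host_rules
    forward_rules
    nat_rules
    enable_forwarding
}

case "${1:-}" in
    apply) main ;;
    show)  DRY_RUN=1; main ;;
    "")    ;;                            # no argument: only define the functions
    *)     echo "usage: $0 show|apply" >&2 ;;
esac
```

Running it with show prints the full rule list without touching anything, which is a cheap way to review a ruleset before it goes into /etc/rc.d/rc.firewall; apply needs root. The one behavioural difference from the bare -s/-d ACCEPT pair in the post above is deliberate: nothing arriving on eth1 can start a new connection toward the Mac, it can only answer one.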
 
Old 05-15-2011, 02:08 PM   #4
stu_c
LQ Newbie
 
Registered: Apr 2011
Distribution: Slackware
Posts: 20

Original Poster
Rep: Reputation: 0
Solved

The script mentioned in slac-in-the-box's post has done the trick and without any modifications. Now I must read up about iptables so I actually understand what it's doing....

And the problem with not being able to ping the Mac was due to me giving my eth0 interface the address 192.168.2.0, apparently .0 is reserved and shouldn't be used.

Thanks for your help,
Stu
 
Old 05-15-2011, 02:51 PM   #5
lazardo
Member
 
Registered: Feb 2010
Location: SF Bay Area
Posts: 99

Rep: Reputation: Disabled
I run this on my laptop after the other machine is up, assumes the networking on the other machine is predictably in the same subnet. Usual disclaimers: GPL, works-for-me, no support, blah, blah, blah.

Cheers,

Code:
bash-4.1$ cat bin/forward
#!/bin/bash
# Useful when hosting a separate subnet on the other interface
# 
# Note that complex routing and/or more than 2 interfaces will
# probably not work.  This is a 'simple case of' tool.
#
# +- hosted -----+   +- host ----------------------+  \|/
# |         eth0 |   | eth0                  wlan0 |___|
# | 192.168.0.10 |===| 192.168.0.11   192.168.1.12 |
# +--------------+   +------------- default route -+

NETSTAT=( `netstat -nr | awk '\
/(wlan0|eth0)$/ && $1!="0.0.0.0" && ++cnt<=2{ print $1 };	# Edit for your network interfaces
/^0.0.0.0/{ print $(NF) };					# default route interface
'` )

if [[ ${#NETSTAT[*]} -eq 3 && "${NETSTAT[0]%\.*}" != "${NETSTAT[1]%\.*}" ]]; then
	sudo iptables --table nat --append POSTROUTING \
		--out-interface ${NETSTAT[2]} -j MASQUERADE

	for i in ip_forward conf/{${NETSTAT[2]},all}/rp_filter; do
		echo "echo 1 > /proc/sys/net/ipv4/$i" | sudo bash
	done
	logger -st forward "${NETSTAT[2]} forward packets"
else
	logger -st forward "something didn't work: ${NETSTAT[*]}"
fi
 
Old 05-16-2011, 03:01 AM   #6
padeen
Member
 
Registered: Sep 2009
Location: Perth, W.A.
Distribution: Slackware 14, Debian 7, FreeBSD, OpenBSD
Posts: 172

Rep: Reputation: 34
Quote:
Originally Posted by stu_c View Post
And the problem with not being able to ping the Mac was due to me giving my eth0 interface the address 192.168.2.0, apparently .0 is reserved and shouldn't be used.
.0 is the network itself.
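To make that concrete, an added example (mine, not from the thread) in POSIX sh that computes the network and broadcast addresses of a prefix and reports which role a given address plays. It goes beyond the /24 in the thread to any prefix length; the function names are my own.

```sh
#!/bin/sh
# Added example, not from the thread: decide whether an IPv4 address can be
# assigned to a host inside a prefix. The lowest address (host bits all zero,
# e.g. 192.168.2.0 in 192.168.2.0/24) names the network itself and the highest
# (host bits all one, 192.168.2.255) is the directed broadcast; neither works
# as an interface address, which is what bit the OP. POSIX sh arithmetic only.

# Dotted quad -> 32-bit integer.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask for a prefix length, as an integer (24 -> 255.255.255.0).
prefix_to_mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Network address of ADDR/PREFIX, dotted.
network_of() {
    int_to_ip $(( $(ip_to_int "$1") & $(prefix_to_mask "$2") ))
}

# Broadcast address of ADDR/PREFIX, dotted.
broadcast_of() {
    mask=$(prefix_to_mask "$2")
    int_to_ip $(( ($(ip_to_int "$1") & mask) | (~mask & 4294967295) ))
}

# Prints "network", "broadcast" or "host" for ADDR/PREFIX. /31 and /32 have
# no network or broadcast address (RFC 3021 point-to-point links), so every
# address there counts as a host address.
addr_role() {
    if [ "$2" -ge 31 ]; then
        echo host
        return
    fi
    ip=$(ip_to_int "$1")
    mask=$(prefix_to_mask "$2")
    net=$(( ip & mask ))
    bcast=$(( net | (~mask & 4294967295) ))
    if [ "$ip" -eq "$net" ]; then
        echo network
    elif [ "$ip" -eq "$bcast" ]; then
        echo broadcast
    else
        echo host
    fi
}

# usable_host ADDR PREFIX: exit status 0 if ADDR may go on an interface.
usable_host() {
    [ "$(addr_role "$1" "$2")" = host ]
}
```

With the OP's numbers, addr_role 192.168.2.0 24 answers "network" and addr_role 192.168.2.1 24 answers "host", so a check like this in a setup script catches the mistake before dhcpd and the routing table get involved.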
 
Old 05-16-2011, 08:01 AM   #7
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 230
stu_c,

Learning & using iptables is tricky. I fear you have embarked on a very dangerous path -- that you are leaving your LAN w/o a proper firewall & open to any crackers that find you. (And they will.)

I assume your internet connection is some form of broadband, what kind of modem do you have? Specifically:
  • Does it do DHCP?
  • Does it NAT?
  • Does it have WiFi?
  • Does it have any wired ports? ... If so, how many?

Scenario 1
If it can NAT & serve DHCP, but has only one LAN port, then buying & installing a (cheap &) simple switch is a quick, safe solution:
Code:
 (    )     +-------+   +--------+
( 'Net )====| Modem |---| switch |
 (    )     +-------+   +--------+
                          | | | |

Scenario 2
If your modem can't NAT or can't serve DHCP, then buy a (standard) SOHO NATing router & put it in your system like this:

Code:
 (    )     +-------+   +---------------+
( 'Net )====| Modem |---| NATing Router |
 (    )     +-------+   +---------------+
                            |  |  |  |

Scenario 3
If that is too easy, if you want a new learning curve, but still want to be safe in the process, then consider getting a "boat anchor" or "door stop" class, useless-for-anything-else, old machine & make it into a h/w firewall by installing IPCop or other firewall distribution:
Code:
                        +--------+
 (    )     +-------+   | IPCop  |   +--------+
( 'Net )====| Modem |---|  or    |---| switch |
 (    )     +-------+   | equiv. |   +--------+
                        +--------+    | | | |
Since IPCop etc. require at least 2 NICs, the extra one you have won't go to waste.


Personal Notes
I currently administer a 5 LAN IPCop for our computer club's suite.
I ran SmoothWall Express at home for over 5 years on a 200 MHz, 128 MiB, 4 GB Pentium box until its P/S gave up the "magic smoke".
At home I currently use a cast-off Netgear FVS318.

Last edited by archtoad6; 05-17-2011 at 08:36 AM. Reason: add scenario numbers, fix RAM size
 
Old 05-16-2011, 03:14 PM   #8
stu_c
LQ Newbie
 
Registered: Apr 2011
Distribution: Slackware
Posts: 20

Original Poster
Rep: Reputation: 0
Archtoad, thanks for your concern regarding my firewall.

I have a fairly standard ADSL modem (built-in wireless access point, ethernet port) which has a built in firewall which is currently set up to block all incoming connections (I checked).

My main reason for setting up a firewall (well, only really NAT) on my linux box is that the wireless on my Mac is knackered so I wished to share my ethernet connection.

However, I have no desire to have my computers hacked into, so I'm not afraid to ask why you recommend an additional switch / NAT router? Actually, this may have been a better way of sharing my ethernet connection, but (please correct me if I'm wrong) I can't see that it would improve security (which should primarily be provided by the modem firewall) other than providing an additional obstacle for a potential intruder to get through? Similarly, the firewall I've just implemented on my linux PC shouldn't really have a detrimental effect on security compared to my previous setup (no firewall on the linux PC). Surely, the firewall just provides a first layer of defence, blocking unwanted incoming connections before they even connect with a service. I assume (here's the dangerous bit...) that network services in Slackware, by default (with perhaps the exception of ping?) are set up to ignore incoming connections unless specifically enabled? So without a firewall you are relying on the security of the service itself (i.e. no buffer overflows, etc.) to keep out intruders?

Regards,
Stuart
 
Old 05-17-2011, 09:07 AM   #9
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 230
Stuart,

Firewalls are a long-time interest of mine, even predating my use of Linux.

I know your modem has NAT & DHCP -- it's supplying "192.168.1.x addresses" to your Linux PC (sorry I missed that earlier) -- even though it has only one LAN port. Therefore it corresponds to Scenario 1 above. All you need to do is to add a switch & the NAT & DHCP functions will work on all the computers on your LAN. There is no need to duplicate the NAT & DHCP, they're already built into your modem.

Now that I know that your modem has a built-in firewall:
  • Scenario 2 does not apply.
  • Scenario 1 is my recommendation as the simple solution.
  • Scenario 3 remains available as an adventure in learning about firewalls; however, it does little or nothing to improve your existing security, & can be safely ignored.

Although I didn't answer your last post point by point, I hope I have responded to all the issues you raised. As always, if anything is unclear, feel free to ask.
 
Old 05-17-2011, 03:55 PM   #10
Martinus2u
Member
 
Registered: Apr 2010
Distribution: Slackware
Posts: 342

Rep: Reputation: 55
Quote:
Originally Posted by stu_c View Post
Similarly, the firewall I've just implemented on my linux PC shouldn't really have a detrimental effect on security compared to my previous setup (no firewall on the linux PC).
Stuart, you're totally right. With the firewall in your router (dropping incoming connections rather than forwarding them to your linux PC) and making sure you run no unneeded services on your linux PC you have two lines of defence. Clicking on mail attachments is more dangerous, or it will be, once Linux becomes more widespread.
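Stuart's question about what Slackware listens on by default, and Martin's "no unneeded services" condition, are things that can be checked on the box rather than assumed. Here is an added example (mine, not from the thread) that filters netstat -tuln output down to sockets bound to something other than a loopback address, i.e. the ones reachable from eth0 or eth1 if no firewall rule stops them. The sample netstat output inside it is constructed, not captured from anyone's machine, and the function names are my own.

```sh
#!/bin/sh
# Added example, not from the thread: list the sockets a box actually accepts
# connections on, so "no unneeded services" can be verified. The input format
# is that of `netstat -tuln` (net-tools); the sample below is constructed.

# Constructed sample of `netstat -tuln` output (not a real capture).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:67              0.0.0.0:*
udp        0      0 192.168.1.5:123         0.0.0.0:*
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN'

# exposed_listeners: read netstat -tuln output on stdin and print one
# "proto address port" line per socket bound to a non-loopback address.
# 0.0.0.0 and :: mean "every interface", which includes the one facing
# the modem.
exposed_listeners() {
    awk '
        $1 ~ /^(tcp|udp)/ {
            n = split($4, p, ":")
            port = p[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "::1") next
            print $1, addr, port
        }'
}

# count_exposed: number of non-loopback listeners in the input.
count_exposed() {
    exposed_listeners | awk 'END { print NR }'
}

# exposed_ports: the port numbers only, deduplicated, for cross-checking
# against the firewall (each should be either wanted or filtered).
exposed_ports() {
    exposed_listeners | awk '{ print $3 }' | sort -un
}

# audit_live: run against the real machine (needs net-tools netstat).
audit_live() {
    netstat -tuln | exposed_listeners
}

# demo: the filter applied to the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
}
```

On the sample, the mail (25) and printing (631) sockets drop out because they are bound to loopback, while sshd on 22, the dhcpd on 67 and ntp on 123 remain; each of those is then a conscious decision, either wanted on that interface or covered by an INPUT rule.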
 