Slackware This Forum is for the discussion of Slackware Linux.
05-14-2011, 10:51 AM
#1
LQ Newbie
Registered: Apr 2011
Distribution: Slackware
Posts: 18
routing / IP masquerade / NAT question
hello,
The wireless networking in my Mac doesn't work (hardware failure) and since it's old and out of warranty I don't intend to get it fixed. My solution is to put an extra ethernet card in my linux PC next to it and have the Mac connect to the internet via my linux PC. So the linux PC connects to the internet via eth1 (192.168.1.x addresses), and connects to the Mac via eth0. I've set up a dhcp server on eth0 (192.168.2.x addresses) to give the Mac an IP address - which it does. The problems I'm having are:
1.) The Mac can ping the eth1 and eth0 interfaces on the linux PC, but can't see the internet. Also, the linux PC can't ping the Mac.
I've made rc.ip_forward executable - but presumably there is more to do in the way of network address translation / ip forwarding? What?
Also, as a side issue: my dhcpd server is started from rc.dhcpd (which is executable) but doesn't seem to get called during the boot process - what's the best way of having this start automatically at boot time, rather than having to start it manually? A link into one of the other rc files - if so, which one?
I'm running Slackware 13.1 with all the latest patches, etc.
Thanks in advance for any suggestions,
Stuart
05-14-2011, 11:38 AM
#2
Member
Registered: Mar 2010
Location: oregon
Distribution: slackware64-14.0
Posts: 132
you need to configure iptables
howdy stu_c
you also need to create rules for iptables... I used the script at http://connie.slackware.com/~alien/efg/ to generate a startup script, that I saved as /etc/rc.d/rc.firewall and made it executable... the script has options for gateways... but I'm pretty sure you need some rule on the nat chain with the -j SNAT option in it... the relevant line in my rc.firewall script is:
Code:
$IPT -t nat -A POSTROUTING -s $LOCAL_NAT -o $INET_IFACE \
-j SNAT --to-source $INET_ADDRESS
hope it works for ya...
05-14-2011, 03:20 PM
#3
Member
Registered: Apr 2010
Distribution: Slackware
Posts: 313
Quote:
Originally Posted by slac-in-the-box
Code:
$IPT -t nat -A POSTROUTING -s $LOCAL_NAT -o $INET_IFACE \
-j SNAT --to-source $INET_ADDRESS
To the OP: if you set all default policies to ACCEPT, a line like that will suffice. Otherwise you need to make sure the packets are able to travel through the PREROUTING and FORWARD filters as well - both ways.
example:
Code:
# default policies
/usr/sbin/iptables -t nat -P POSTROUTING ACCEPT
/usr/sbin/iptables -t nat -P OUTPUT ACCEPT
/usr/sbin/iptables -t nat -P PREROUTING ACCEPT
/usr/sbin/iptables -t filter -P INPUT DROP
/usr/sbin/iptables -t filter -P FORWARD DROP
/usr/sbin/iptables -t filter -P OUTPUT DROP
# NAT on behalf of secondary LAN
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.2.0/255.255.255.0 -j SNAT \
--to-source 192.168.1.xxx
# forward packets from/to secondary LAN
/usr/sbin/iptables -t filter -A FORWARD -s 192.168.2.0/255.255.255.0 -j ACCEPT
/usr/sbin/iptables -t filter -A FORWARD -d 192.168.2.0/255.255.255.0 -j ACCEPT
# further rules for INPUT & OUTPUT if default policy is DROP
If you're interested in some background about netfilter configuration, I once wrote a section about it in a slightly different context:
http://www.frogge.de/pepper/linux/li...#configure_nat
Martin
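To make the "both ways" point above concrete, here is an added example (my own, not from any poster in this thread) that prints a minimal stateful ruleset for the OP's layout: Mac on eth0 in 192.168.2.0/24, internet on eth1. It assumes iptables with the conntrack match, uses MASQUERADE rather than the SNAT line quoted above so the rule follows whatever address DHCP hands eth1, and the function names gen_rules and gateway_addr_ok are mine; gateway_addr_ok also catches the ".0 as a host address" mistake described later in the thread.

```shell
#!/bin/sh
# Added example for the thread's setup: LAN side eth0 (192.168.2.0/24),
# internet side eth1. The rules are printed, not applied, so they can be
# reviewed first and then piped into "sh" as root (on Slackware they would
# normally live in /etc/rc.d/rc.firewall).
IPT=${IPT:-/usr/sbin/iptables}

# Return 0 if the last octet is usable as a host address in a /24, i.e.
# neither the network address (.0) nor the broadcast address (.255).
gateway_addr_ok() {
    local host=${1##*.}
    [ "$host" -ge 1 ] 2>/dev/null && [ "$host" -le 254 ]
}

# Print the ruleset for LAN interface $1, internet interface $2, LAN net $3.
gen_rules() {
    local lan_if=$1 inet_if=$2 lan_net=$3
    cat <<EOF
$IPT -F; $IPT -t nat -F
# default policies: nothing is forwarded or accepted unless allowed below
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
# loopback, and replies to connections the gateway itself opened
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the only services the LAN side may reach on the gateway: DHCP and ping
$IPT -A INPUT -i $lan_if -p udp --dport 67 -j ACCEPT
$IPT -A INPUT -i $lan_if -p icmp --icmp-type echo-request -j ACCEPT
# LAN -> internet is allowed; internet -> LAN only for replies (the "both ways" part)
$IPT -A FORWARD -i $lan_if -o $inet_if -s $lan_net -j ACCEPT
$IPT -A FORWARD -i $inet_if -o $lan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# MASQUERADE picks up the current address of $inet_if, unlike a fixed SNAT target
$IPT -t nat -A POSTROUTING -s $lan_net -o $inet_if -j MASQUERADE
# what rc.ip_forward does on Slackware
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# Print the ruleset for the setup in this thread (pipe into "sudo sh" to apply).
gen_rules eth0 eth1 192.168.2.0/24
```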
05-15-2011, 02:08 PM
#4
LQ Newbie
Registered: Apr 2011
Distribution: Slackware
Posts: 18
Original Poster
Solved
The script mentioned in slac-in-the-box's post has done the trick and without any modifications. Now I must read up about iptables so I actually understand what it's doing....
And the problem with not being able to ping the Mac was due to me giving my eth0 interface the address 192.168.2.0, apparently .0 is reserved and shouldn't be used.
Thanks for your help,
Stu
05-15-2011, 02:51 PM
#5
Member
Registered: Feb 2010
Location: SF Bay Area
Posts: 84
I run this on my laptop after the other machine is up, assumes the networking on the other machine is predictably in the same subnet. Usual disclaimers: GPL, works-for-me, no support, blah, blah, blah.
Cheers,
Code:
bash-4.1$ cat bin/forward
#!/bin/bash
# Useful when hosting a separate subnet on the other interface
#
# Note that complex routing and/or more than 2 interfaces will
# probably not work. This is a 'simple case of' tool.
#
#  +- hosted -----+   +- host ----------------------+  \|/
#  | eth0         |   | eth0          wlan0         |___|
#  | 192.168.0.10 |===| 192.168.0.11  192.168.1.12  |
#  +--------------+   +------------- default route -+
NETSTAT=( `netstat -nr | awk '\
    /(wlan0|eth0)$/ && $1!="0.0.0.0" && ++cnt<=2{ print $1 };  # Edit for your network interfaces
    /^0.0.0.0/{ print $(NF) };                                  # default route interface
    '` )
if [[ ${#NETSTAT[*]} -eq 3 && "${NETSTAT[0]%\.*}" != "${NETSTAT[1]%\.*}" ]]; then
    sudo iptables --table nat --append POSTROUTING \
        --out-interface ${NETSTAT[2]} -j MASQUERADE
    for i in ip_forward conf/{${NETSTAT[2]},all}/rp_filter; do
        echo "echo 1 > /proc/sys/net/ipv4/$i" | sudo bash
    done
    logger -st forward "${NETSTAT[2]} forward packets"
else
    logger -st forward "something didn't work: ${NETSTAT[*]}"
fi
05-16-2011, 03:01 AM
#6
Member
Registered: Sep 2009
Location: Perth, W.A.
Distribution: Slackware 14, Debian 6, FreeBSD, OpenBSD
Posts: 108
Quote:
Originally Posted by stu_c
And the problem with not being able to ping the Mac was due to me giving my eth0 interface the address 192.168.2.0, apparently .0 is reserved and shouldn't be used.
.0 is the network itself.
05-16-2011, 08:01 AM
#7
Senior Member
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
stu_c,
Learning & using iptables is tricky. I fear you have embarked on a very dangerous path -- that you are leaving your LAN w/o a proper firewall & open to any crackers that find you. (And they will.  )
I assume your internet connection is some form of broadband; what kind of modem do you have? Specifically:
- Does it do DHCP?
- Does it NAT?
- Does it have WiFi?
- Does it have any wired ports? ... If so, how many?
Scenario 1
If it can NAT & serve DHCP, but has only one LAN port; then buying & installing a (cheap &) simple switch is a quick, safe solution:
Code:
(      )    +-------+   +--------+
( 'Net )====| Modem |---| switch |
(      )    +-------+   +--------+
                         | | | |
Scenario 2
If your modem can't NAT or can't serve DHCP, then buy a (standard) SOHO NATing router & put it in your system like this:
Code:
(      )    +-------+   +---------------+
( 'Net )====| Modem |---| NATing Router |
(      )    +-------+   +---------------+
                         | | | |
Scenario 3
If that is too easy, if you want a new learning curve, but still want to be safe in the process, then consider getting a "boat anchor" or "door stop" class, useless-for-anything-else, old machine & make it into a h/w firewall by installing IPCop or other firewall distribution:
Code:
                        +--------+
(      )    +-------+   | IPCop  |   +--------+
( 'Net )====| Modem |---|   or   |---| switch |
(      )    +-------+   | equiv. |   +--------+
                        +--------+    | | | |
Since IPCop etc. require at least 2 NICs, the extra one you have won't go to waste.
Personal Notes
I currently administer a 5 LAN IPCop for our computer club's suite.
I ran SmoothWall Express at home for over 5 years on 200 MHz, 128 MiB, 4GB Pentium box until its P/S gave up the "magic smoke".
At home I currently use a cast-off Netgear FVS318.
Last edited by archtoad6; 05-17-2011 at 08:36 AM.
Reason: add scenario numbers, fix RAM size
05-16-2011, 03:14 PM
#8
LQ Newbie
Registered: Apr 2011
Distribution: Slackware
Posts: 18
Original Poster
Archtoad, thanks for your concern regarding my firewall.
I have a fairly standard ADSL modem (built-in wireless access point, ethernet port) which has a built in firewall which is currently set up to block all incoming connections (I checked).
My main reason for setting up a firewall (well, only really NAT) on my linux box is that the wireless on my Mac is knackered so I wished to share my ethernet connection.
However, I have no desire to have my computers hacked into, so I'm not afraid to ask why you recommend an additional switch / NAT router? Actually, this may have been a better way of sharing my ethernet connection, but (please correct me if I'm wrong) I can't see that it would improve security (which should primarily be provided by the modem firewall) other than providing an additional obstacle for a potential intruder to get through? Similarly, the firewall I've just implemented on my linux PC shouldn't really have a detrimental effect on security compared to my previous setup (no firewall on the linux PC). Surely, the firewall just provides a first layer defence, blocking unwanted incoming connections before they even connect with a service. I assume (here's the dangerous bit...) that network services in Slackware, by default (with perhaps the exception of ping?) are setup to ignore incoming connections unless specifically enabled? So without a firewall you are relying on the security of the service itself (i.e. no buffer overflows, etc) to keep out intruders?
Regards,
Stuart
05-17-2011, 09:07 AM
#9
Senior Member
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Stuart,
Firewalls are a long-time interest of mine, even predating my use of Linux.
I know your modem has NAT & DHCP -- it's supplying "192.168.1.x addresses" to your Linux PC (sorry I missed that earlier) -- even though it has only one LAN port. Therefore it corresponds to Scenario 1 above. All you need to do is to add a switch & the NAT & DHCP functions will work on all the computers on your LAN. There is no need to duplicate the NAT & DHCP, they're already built into your modem.
Now that I know that your modem has a built-in firewall:
- Scenario 2 does not apply.
- Scenario 1 is my recommendation as the simple solution.
- Scenario 3 remains available as an adventure in learning about firewalls; however, it does little or nothing to improve your existing security, & can be safely ignored.
Although I didn't answer your last post point by point, I hope I have responded to all the issues you raised. As always, if anything is unclear, feel free to ask.
05-17-2011, 03:55 PM
#10
Member
Registered: Apr 2010
Distribution: Slackware
Posts: 313
Quote:
Originally Posted by stu_c
Similarly, the firewall I've just implemented on my linux PC shouldn't really have a detrimental effect on security compared to my previous setup (no firewall on the linux PC).
Stuart, you're totally right. With the firewall in your router (dropping incoming connections rather than forwarding them to your linux PC) and making sure you run no unneeded services on your linux PC you have two lines of defence. Clicking on mail attachments is more dangerous, or it will be, once Linux becomes more widespread. 