IP forwarding

paranoid times · 10-05-2005, 11:13 PM

I have two computers connected to each other through a switch. one of the computers is online. I want the other computer to be able to get online by going through the computer that is already online. I've looked around, and tried to get it all running with ip forwarding, which I believe is how I should go about this. However I have had no success playing with varous files, trying to get it all running.

I get online with a DHCP address, however the address is always the same. the computer that is online has two network devices in it. and everything is being run on fedora core 3.

thanks for any input.

dalek · 10-06-2005, 03:09 AM

Word of warning here, this is NOT my strong point. I found a script that allows me to do the same thing but you have to install iptables. I have also never used Redhat, Fedora, whatever you want to call it. If you install iptables then run this script it may work for you too. NOTE: You will have to change the first few lines to suite your setup. I'm on dial-up so mine is shared through ppp0. Yours may be eth0.

Code:

#!/bin/bash
 IPTABLES='/sbin/iptables'
# Set interface values
 EXTIF='ppp0'
 INTIF0='eth0'
 INTIF1='eth1'
 INTIF2='eth2'
 INTIF3='eth3'

# enable ip forwarding in the kernel
 /bin/echo 1 > /proc/sys/net/ipv4/ip_forward
# flush rules and delete chains
 $IPTABLES -F
 $IPTABLES -X
# enable masquerading to allow LAN internet access
 $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# forward LAN traffic from $INTIF1 to Internet interface $EXTIF
 $IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state
NEW,ESTABLISHED -j ACCEPT
# forward LAN traffic from $INTIF2 to Internet interface $EXTIF
 $IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -m state --state
#NEW,ESTABLISHED -j ACCEPT
 #echo -e "       - Allowing access to the SSH server"
 $IPTABLES -A INPUT --protocol ssh --dport 22 -j ACCEPT
 #echo -e "       - Allowing access to the HTTP server"
 $IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT
# block out all other Internet access on $EXTIF
 $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
 $IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP

You may need to change the line EXTIF to eth0 instead of ppp0. You may have to change the other lines as well. I do get a few errors when I run this script but it works fine. I think they changed the program commands and there is a few lines that don't make sense to it anymore. As I said, this is not my strong point. I'm sure there are other ways to do the same thing and you may get some posts telling you how. I also have to run that script each time I reboot before it will work. You may also have to tell the compter to look to your main rig for the internet. I type in route add default gw 192.168.0.1 for mine. You may need to change the number part though.

I hope that helps or someone with more networking brains will come along.

Later

born4linux · 10-06-2005, 06:10 AM

try here:

http://www.yolinux.com/TUTORIALS/Lin...rkGateway.html

look for Example 2.

paranoid times · 10-06-2005, 02:40 PM

well I tried both of your suggestions. I had tried the second one before, but tried tweaking it more then I did previosly. but I still didn't have any luck. sadly I don't get any error messages that I can use.

the computer that I want connected to the internet is set just to route through the computer connected to the internet. which as far as I know means all my work should be being done on the computer that is currently connected to the internet. is there something that needs to be restarted to get things running? perhaps you need to have a firewall enabled to have things work (I don't normally have one enabled, but I was playing with enabling it, still no luck), maybe that I have eth1 as the device that goes to the internet and eth0 goes to the local network?

well i'm still at a loss.
Thank you both for your input.

dalek · 10-06-2005, 02:50 PM

My setup is like this: pokey >>> ethernet >>> smoker >>> modem >>> internet. pokey is the fartherest from the net. I had to tell pokey to connect to the net through smoker. Smoker was told to forward the connection with iptables.

If you have not typed in the route command on the one fartherest from the net, it doesn't know how to find it yet. I used the command that I gave above, the route one. You may need to replace the IP number with whatever the IP address is of the computer that connects to the net. Also, you may need to copy over /etc/resolv.conf from the computer that connects to the net to the computer that you are wanting on the net. Mine had to have that is how I figured that out.

This is not my strong point but it did work for me, still does to.

Later

paranoid times · 10-06-2005, 04:55 PM

Quote:

Originally posted by dalek Also, you may need to copy over /etc/resolv.conf from the computer that connects to the net to the computer that you are wanting on the net.

awesome! that did it. but why did that work?

the computer that I wanted connected use to have

nameserver 192.168.1.2
in /etc/resolv.conf

but I copyed over what was on the computer connected to the internet

search humboldt.edu
nameserver 137.150.145.152
nameserver 137.150.17.5

so it says that, but I thought it was soppost to use my computer as the gateway, and didn't really know about the outside network. hmm..interesting.

Thank you very much.

-Michael

dalek · 10-06-2005, 05:11 PM

Like I said, this is not my strong point. If the numbers you had in your resolv.conf are not correct, it can't figure out who anybody is. That number is like looking in the phone book. You type in google and it looks at that phone book to see where it is on the net. Remember, what we see, www.google.com , is NOT what the computer uses. It has to have the IP numbers. Those DNS servers has that number.

It would be like me telling you to call John Smith in Tinbuktoo. You would need a phone number to call him. Either pick up a phone book or call information to get it. You can't dial John Smith.

Mostly, I'm just glad you got it to work. LOL

Later

paranoid times · 10-06-2005, 05:15 PM

oh, I know now why I was confused by that last bit working. I was use to the computer I connected to providing DNS information for me. but the computer that I'm using now isn't set up for running a DNS server (the school gets mad at me if I do

)

thanks again.

fotoguy · 10-06-2005, 06:55 PM

The reason you have had to add routes is because you have not loaded the nat module for iptables, and the default policies for the INPUT, FORWARD and OUTPUT chains by default are set to ACCCEPT, so you have what they call end-to-end routing.

dalek · 10-06-2005, 08:32 PM

Quote:

Originally posted by fotoguy
The reason you have had to add routes is because you have not loaded the nat module for iptables, and the default policies for the INPUT, FORWARD and OUTPUT chains by default are set to ACCCEPT, so you have what they call end-to-end routing.

Remember that this is not my strong point here. So all I can say is, Huh???? What is all that? NAT is network address table or something I think.

Now if you have a better way to do what I am doing, which may also help the thread starter as well, I'm all ears. I get tired of having to run that script when something happens and I have to reboot. I do run Folding for the LQ team on them. Speaking of, I should be getting 4 CPUs tomorrow for putput. putput is a Compaq Proliant 6000. It has holes for 4 CPUs but only had 1 when I got it. I found a set of four on Ebay and got them. They are only 200MHz but they are doing pretty good so far with just one CPU. I have a very basic install of Gentoo. They are set up as servers and I ssh in to get to them.

Now what is that better way of doing this you were talking about and how do I do it? Will it survive a reboot, <says prayer that it does>.

Later

fotoguy · 10-06-2005, 10:09 PM

Quote:

Originally posted by dalek
Remember that this is not my strong point here. So all I can say is, Huh???? What is all that? NAT is network address table or something I think.

I must admit I am new too this as well and it's not my strong point too. The nat module when loaded helps iptables interact with the nat table, plus i should have mentioned that there are a few more modules that you load as well which make the firewall a stateful packet inspection (SPI) and also allow you to masquerade the internal hosts ip's to the external ip address.

A simple script which is part of one i'm currently working and similar to the rules you posted earlier, has no logging rules but loads alot of modules should work ok to get started with:

#!/bin/sh

IPTABLES="/sbin/iptables"

INTERNET="eth1"
LOCAL="eth0"

dmesg -n 1 ## Kill copyright display on module load
dmesg -n 6
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_TOS
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_mac

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
echo "0" > /proc/sys/net/ipv4/tcp_ecn
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/secure_redirects
#128 MB of RAM -> 8192 possible entries, 256 MB of RAM --> 16376 possible entries, etc...
echo 8192 > /proc/sys/net/ipv4/ip_conntrack_max
echo 10 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 15 > /proc/sys/net/ipv4/ipfrag_time
echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
echo "2" > /proc/sys/net/ipv4/tcp_synack_retries
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr# Uncomment if you get your external ip from DHCP server
fi

## Reduce DoS'ing ability by reducing timeouts

echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo "Module options set"

$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

## Set default policies to DROP

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

##################General rules##################
# INTERNET SIDE
# Allow only established or related from the internet

$IPTABLES -A FORWARD -o $LOCAL -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop anyone from the internet trying to connect to the router itself

$IPTABLES -A INPUT -i $INTERNET -j DROP

#############################################################
# LAN SIDE
# Allow all from the internal network out to the internet

$IPTABLES -A FORWARD -o $INTERNET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow the internal hosts to connect to the router

$IPTABLES -A INPUT -i $LOCAL -j -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

#############################################################
# Lets masquerade the internal hosts ip address to the external ip address

# Uncomment which one applies to your setup
# If you get your external ip address assigned by a DHCP server

#$IPTABLES -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE

# If your external ip address is static

#$IPTABLES -t nat -A POSTROUTING -o $INTERNET -j SNAT --to-source x.x.x.x

exit 0
#########END OF SCRIPT#############

dalek · 10-07-2005, 03:50 AM

OK.

LOL

The only thing is, I usually compile all that stuff IN my kernel. I hate to use modules. The only modules I have on mine is my temp sensors and the nvidia drivers.

I need to get a book on this stuff. May go to town tomorrow and see what they have on this stuff.

Keep it coming though.

Agrouf · 10-07-2005, 05:19 AM

eth0 it local network
eth1 is connected to the internet

# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# echo 1 > /proc/sys/net/ipv4/ip_forward

fotoguy · 10-07-2005, 04:10 PM

Quote:

Originally posted by dalek
OK. LOL

The only thing is, I usually compile all that stuff IN my kernel. I hate to use modules. The only modules I have on mine is my temp sensors and the nvidia drivers.

I need to get a book on this stuff. May go to town tomorrow and see what they have on this stuff.

Keep it coming though.

Some people do like to compile it in, I'm just too lazy and prefer to install the distro then load the modules from the script, I find it useful this way when you need to modify the script to use it on a number of workstations or servers.

I've been keeping my eye out for some books on the subject as well, just don't seem to pass by the bookstore much these days.