[SOLVED] Linux as a router

Jason.nix · 11-22-2023, 12:12 AM

Hello,
I have three PCs with the following information:

Code:

Windows with one NIC (192.168.1.2)

Linux with two NICs 

Windows with one NIC (172.20.1.2)

I want to connect two Windows OS through Linux box. I have two questions:

1- What IP addresses should I set on Linux NICs?

2- Please guide me how to write iptables rules to connect these two systems.

Thank you.

pan64 · 11-22-2023, 01:23 AM

It is already documented on the net, I guess nobody will write a new guide for you.
https://www.computernetworkingnotes....-a-router.html

Jason.nix · 11-24-2023, 11:27 AM

Quote:

Originally Posted by pan64

It is already documented on the net, I guess nobody will write a new guide for you.
https://www.computernetworkingnotes....-a-router.html

Hello,
Thank you so much for your reply.
I have done it this way before. I have two questions:

1- I want to do this with iptables.

2- Is a NIC required for each IP address range? For example, in a VLAN, many clients with different IP address ranges want to connect to the destination through this Linux router.

Jason.nix · 11-29-2023, 09:17 AM

Quote:

Originally Posted by pan64

It is already documented on the net, I guess nobody will write a new guide for you.
https://www.computernetworkingnotes....-a-router.html

Hello again,
Have you tested this environment? For example, connect two computers with Windows operating system through Linux and share a directory on one of these computers and open it on the other computer.

jayjwa · 11-29-2023, 11:54 AM

Forward all the traffic.

Code:

sysctl -w net.ipv4.tcp_ecn=1
sysctl -w net.ipv4.conf.all.forwarding=1
sysctl -w net.ipv4.conf.default.forwarding=1
sysctl -w net.ipv4.conf.lo.forwarding=0
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=2

Put those in /etc/sysctl.conf (and make sure it gets called in startup).

Write a dhcpd.conf that will assign IP address. Two seperate NICs would be two different subnets, and two different dhcpd.conf snippets. Or, bridge them and assign one. That's what I do. A snippet is like so:

Code:

# Ethernet (wired) network subnet
subnet 192.168.10.0 netmask 255.255.255.0 {
	option routers 192.168.10.1;
	option subnet-mask 255.255.255.0;
	option broadcast-address 192.168.10.255;	

	pool {
		range 192.168.10.10 192.168.10.254;
		allow unknown-clients;
        }

Fill out and start radvd with ip6 prefix:

Code:

## Radvd.conf
##
## Configuration file for the radvd daemon.
## 
## To check config syntax:  radvd -c 
## To start and write to default logfile
## under /var/log:          radvd -m logfile
##
## See manpages 'radvd' and 'radvd.conf' for 
## further details.
##
## ----------------------------------------

## The interfaces to serve Router Advertisements on.

# Bridge used with TUN/TAP devices and SIMH for guest operating systems.
interface br0 {
	# This bridge is used with SIMH simulated operating systems and
	# as such the interface might not exist. Do not error out on such
	# a situation.
	IgnoreIfMissing on;

        AdvSendAdvert on;

        # DNS servers to use.

        # Google's
        #RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 {

        # OpenDNS's
        RDNSS 2620:0:ccc::2 2620:0:ccd::2 {
        };

        # radvd complains without these - seems TWC isp uses them.
        AdvManagedFlag on;
        AdvOtherConfigFlag on;

        # The prefix you're serving.
        # This prefix is gotten from 'dhclient -6 -v -P $EXT_INTERFACE'
        prefix 2603:x:x:x::/64 {
                AdvOnLink on;
                AdvAutonomous on;
        };
	route 2603:x:x:x::/64 {
		AdvRoutePreference high;
	};
};

## EOF

Sometimes I have to set an ip6 default route for that. Use 'ip -c -6 route add default whatever'. Masquerade all rfc1918 traffic. The FORWARD table is likely ACCEPT by default anyway, so no need to explicitly allow it (iptables -P FORWARD ACCEPT).

Code:

# Masquerade all rfc1918 LAN ipv4 addresses
	iptables -t nat -A POSTROUTING -m comment --comment "Masquerading LAN rfc1918 addresses" -s $INTERNAL_NETWORK -j MASQUERADE

Quote:

share a directory on one of these computers and open it on the other computer

That would likely be with Samba and Windows networking. It's easier to get Linux speaking SMB/CIFS than it is to get Windows speaking NFS. I use the bridge version of this with a wireless interface inserted and everything can reach eachother. Anything that can speak ip6 will be accessible from the outside internet so take note of that security-wise.

Jason.nix · 12-04-2023, 05:38 AM

Quote:

Originally Posted by jayjwa

Forward all the traffic.

Code:

sysctl -w net.ipv4.tcp_ecn=1
sysctl -w net.ipv4.conf.all.forwarding=1
sysctl -w net.ipv4.conf.default.forwarding=1
sysctl -w net.ipv4.conf.lo.forwarding=0
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=2

Put those in /etc/sysctl.conf (and make sure it gets called in startup).

Write a dhcpd.conf that will assign IP address. Two seperate NICs would be two different subnets, and two different dhcpd.conf snippets. Or, bridge them and assign one. That's what I do. A snippet is like so:

Code:

# Ethernet (wired) network subnet
subnet 192.168.10.0 netmask 255.255.255.0 {
	option routers 192.168.10.1;
	option subnet-mask 255.255.255.0;
	option broadcast-address 192.168.10.255;	

	pool {
		range 192.168.10.10 192.168.10.254;
		allow unknown-clients;
        }

Fill out and start radvd with ip6 prefix:

Code:

## Radvd.conf
##
## Configuration file for the radvd daemon.
## 
## To check config syntax:  radvd -c 
## To start and write to default logfile
## under /var/log:          radvd -m logfile
##
## See manpages 'radvd' and 'radvd.conf' for 
## further details.
##
## ----------------------------------------

## The interfaces to serve Router Advertisements on.

# Bridge used with TUN/TAP devices and SIMH for guest operating systems.
interface br0 {
	# This bridge is used with SIMH simulated operating systems and
	# as such the interface might not exist. Do not error out on such
	# a situation.
	IgnoreIfMissing on;

        AdvSendAdvert on;

        # DNS servers to use.

        # Google's
        #RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 {

        # OpenDNS's
        RDNSS 2620:0:ccc::2 2620:0:ccd::2 {
        };

        # radvd complains without these - seems TWC isp uses them.
        AdvManagedFlag on;
        AdvOtherConfigFlag on;

        # The prefix you're serving.
        # This prefix is gotten from 'dhclient -6 -v -P $EXT_INTERFACE'
        prefix 2603:x:x:x::/64 {
                AdvOnLink on;
                AdvAutonomous on;
        };
	route 2603:x:x:x::/64 {
		AdvRoutePreference high;
	};
};

## EOF

Sometimes I have to set an ip6 default route for that. Use 'ip -c -6 route add default whatever'. Masquerade all rfc1918 traffic. The FORWARD table is likely ACCEPT by default anyway, so no need to explicitly allow it (iptables -P FORWARD ACCEPT).

Code:

# Masquerade all rfc1918 LAN ipv4 addresses
	iptables -t nat -A POSTROUTING -m comment --comment "Masquerading LAN rfc1918 addresses" -s $INTERNAL_NETWORK -j MASQUERADE

That would likely be with Samba and Windows networking. It's easier to get Linux speaking SMB/CIFS than it is to get Windows speaking NFS. I use the bridge version of this with a wireless interface inserted and everything can reach eachother. Anything that can speak ip6 will be accessible from the outside internet so take note of that security-wise.

Hello,
Thank you so much for you reply.
Do I need to install the DHCP service?

jayjwa · 12-06-2023, 11:59 AM

If you want what's connect to get assigned IP addresses. Even if they are static, I'd use DHCP (but with a static IP) just to keep all IP assignment in the same place.