Heres what i consider, tricky

dannyflounders · 07-31-2003, 07:13 PM

How if possible can i use a shared internet connection.

Our server is connected to the internet but our other computer which im installing linux on uses the internet through the other computer so is it possible to use it through the other comp like on windows?

Thanks

tangle · 07-31-2003, 07:35 PM

Yes, either using some form of NAT, iptables or a proxy server.

Tinkster · 07-31-2003, 07:46 PM

Quote:

some form of NAT, iptables or a proxy server.

I don't want to be a nit-picker here,
but if you use iptables for conection
sharing it does NAT ;)

As for the original question:

Quote:

Our server is connected to the internet but our other computer which im installing linux on uses the internet through the other computer so is it possible to use it through the other comp like on windows?

Yes :} ... it is possible.

Cheers,
Tink

tangle · 07-31-2003, 08:01 PM

Quote:

I don't want to be a nit-picker here,
but if you use iptables for conection
sharing it does NAT

I seen on here where some say that what iptables does isn't really NAT. I think that it is. But I thought that I would sperate them so as not to get flames.

Can't win them all.

Tinkster · 07-31-2003, 08:32 PM

Quote:

Originally posted by tangle
I seen on here where some say that what iptables does isn't really NAT. I think that it is.

I think it is, too, and so do the iptables
developers and the kernel maintainers :)

Quote:

Can't win them all.

Now THAT one is certain :}

Cheers,
Tink

tangle · 07-31-2003, 08:36 PM

If you took offence, I did mean anything by the post.

Tinkster · 07-31-2003, 08:38 PM

No worries...

Cheers,
Tink

Rodrin · 07-31-2003, 11:25 PM

Just to chime in on iptables capabilities. I believe it can do both full fledged NAT (Network Address Translation) and another form of NAT that is more specifically called IP masquerading. The earlier program ipchains, which iptables replaced, was, I believe, only capable of doing IP masquerading, so that may be why someone said that iptables is not capable of doing NAT.

The difference between IP masquerading and full fledged NAT is as follows:

With NAT the Linux router picks up traffic directed to any of a number of ouside IP addresses and translates certain outside addresses to inside addresses on a one to one basis, and also translates the internal addresses to outside addresses on the same basis. It is also possible to make it so users of several inside addresses have Internet browsing access using a NAT pool of fewer outside addresses (I haven't seen this done on a Linux box; I've never checked to see if it was possible with iptables, but I imagine that it is), but this arrangement will not make the inside machines that are using the pool visible to the outside world as servers. You can combine one to one translations for servers and a pool for other Internet access on the same router.

With IP masquerading you share Internet access through a single outside address by making it so different ports of the outside address are used to represent different inside IP addresses. This can even be used to make servers available to the outside by creating virtual servers on the router that simply redirect traffic addressed to them to different inside addresses (usually) on the same port.

bobmac010 · 08-01-2003, 07:39 AM

I am using iptables to do just that.
I have several server that are NAT'ed, and internal users that are pooled.
You can load balance with NAT, etc.
Sample Rules:
This set assumes that you have some knowledge of iptables.

###########################
# Configure Interfaces #
###########################
#
/sbin/ifconfig eth0:1 "enter_public_ip_here" broadcast "b-cast" netmask 255.255.255.0
/sbin/ifconfig eth1:0 192.168.2.1 broadcast 192.168.2.255 netmask 255.255.255.0
###########################
# Flush Rules #
###########################
#
iptables -F
iptables -X
iptables -F FORWARD
iptables -F INPUT
iptables -F OUTPUT
iptables -Z # Zero ALL counters
#
##########################
# Set policies for rules #
##########################
#
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
#
########################
# Setup NAT forwarding #
########################
#
iptables -N nat
iptables -t nat -F
#
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
################
# Drop PING
################
#
iptables -A INPUT -s 0.0.0.0/0 -d "enter_public_ip_here" -p icmp -j DROP
#
################
# The following systems, unspecified with NAT,
# to have the IP of "enter_public_ip_here" when visiting the internet
################
#
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to "enter_public_ip_here"
#
#######################
# NAT translations start below
#######################
#
#######################
# Server Config
#######################
#
iptables -t nat -A PREROUTING -d "enter_other_public_ip_here" -j DNAT --to 192.168.2.2
iptables -t nat -A POSTROUTING -s 192.168.2.2 -j SNAT --to "enter_other_public_ip_here"
#
##############
# End Of File
##############

raypen · 08-26-2003, 01:28 PM

Just a little extra info:

SNAT and MASQUERADE are essentially the same in that internal
addresses are changed to match the public IP when outgoing
and changed back to the internal address when incoming.

The incoming packets are identified as belonging to a certain
internal IP through connection_tracking and are allowed in
with state matching (iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT)

The difference between the two is that SNAT is used with a
fixed IP address whereas MASQUERADE is used when the IP
address is assigned from a pool of IP addresses assigned
by an ISP either through PPP or DHCP. Obviously, MASQUERADE
involves a little more overhead in determining what IP address
has been assigned by the ISP, but will work automatically
no matter which IP address is being used currently.

You can use SNAT with an indicated IP address, but you will have
to change it in the firewall script each time an assigned address
changes.