[Courses] [Networking] Lesson 4 - Phase 4 - Internet Connection
Sharing.
Hamster
hamster at hamsternet.org
Wed Jul 23 18:00:03 EST 2003
#########################################
## Phase Four - Setting Up the Gateway ##
#########################################
This, the fourth and last section is the payoff for all your hard work.
After its completion, you'll have all your computers able to access the
internet. We'll do this in two stages. The first is getting a process called
NAT working, which involves the installation and configuration of a
programme called iptables. The second and final stage is the enabling of IP
forwarding.
The precise workings of NAT are beyond the scope of this lesson, but the
basic principle isn't hard to understand. As we learnt earlier, the private
IP addresses we assigned to our machines have no meaning on the internet.
NAT functions as a intermediary between the internet and our computers by
intercepting all traffic leaving our network. It replaces or "translates"
the Source Address of all packets from the private IP of the sending
computer to the public IP of the gateway and then sends it on to its
destination. When a response is received by the gateway, the NAT software
recognises it as being meant for the LAN and passes it on the right
computer.
ipforwarding is a much simpler affair. All it does is enable network traffic
to flow between separate network cards installed in the one computer. We
need it working in our gateway machine to permit the flow of traffic between
the interface connected to the internet and the one connected to our LAN.
What follows are the details for getting these two components up and
running. As before, they've been divided into two sections - one for
RedHat/Mandrake users, the second for Debian. This phase then ends with some
guidelines to testing and troubleshooting this final setup.
============================================================================
============================================================================
####################################
## RedHat / Mandrake Instructions ##
####################################
# Step One - Stage 1 - Checking for iptables #
There's not much point in installing something that's already there.
iptables might be on your system without you realising!
Check for its existence by running:
rpm -q iptables
If the package is not installed, you'll get the message "package iptables is
not installed" or if present, it'll return the full name and version of the
iptables package installed.
# Step One - Stage 2 - Installing iptables #
iptables can be found on disk 1 of your distro's CD set (both RH and Mdk).
Use your preferred method of installing RPMs, or on the command line change
to the directory on the CD containing all the packages and run the following
command, using the tab key to provide the full filename:
rpm -ivh iptables
# Step One - Stage 3 Configuring iptables #
This command instructs iptables to perform Network Address Translation. We
have to tell iptables the name of the interface that connects to the
internet. Unfortunately it won't be the same for each of us, so I can't
provide you with exactly what to type. In the command below you'll need to
substitute "$EXT" with the name of your external interface - the one that
connects to the internet.
iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE
Possible "real world" examples look like:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
Last task in this step is to save this rule so it gets loaded every time
your computer restarts. Execute:
service iptables save
--------
iptables rules require no activation - the very act of hitting <enter> at
the end of typing in a rule makes it take effect straight away.
--------
# Step Two - IP Forwarding #
This very simple step is the last one. (Phew!)
Fire up your editor for the very last time and open the file:
/etc/sysctl.conf
It needs to contain the following line:
net.ipv4.ip_forward=1
It's also perfectly valid syntax to write that line using "/" in
place of "." between words.
That's it.
If you want to find out a bit more about what this file does, consult:
man sysctl
man sysctl.conf
--------
This command does need activating, do so by:
echo 1 > /proc/sys/net/ipv4/ip_forward
--------
============================================================================
============================================================================
#########################
## Debian Instructions ##
#########################
# Step One - Stage 1 - Checking for iptables #
There's not much point in installing something that's already there.
iptables might be on your system without you realising!
Check for its existence by running:
dpkg -l iptables
You'll either get a response saying "No packages found matching iptables."
or it will tell you the status and version of the iptables package present.
If you find iptables installed, make sure it's been set up to load on boot
(the install process doesn't automatically take care of this). Check for the
presence of the file S40iptables in the /etc/rcS.d directory. If it's there,
iptables will start on boot and load its rules. If it's not there, you
should run:
dpkg-reconfigure iptables
# Step One - Stage 2 - Installing iptables #
If iptables needs installing, run the following two commands;
apt-get install iptables
dpkg-reconfigure iptables
The second command enables iptables to automatically start on boot and to
load its rules.
--------
# Step One - Stage 3 Configuring iptables #
This command performs the Network Address Translation between the computers
on your private network and the internet. We have to tell iptables the name
of the interface that connects to the internet. Unfortunately the name is
not the same for each of us, so I can't provide you with the exact command
to type. In the line below you'll need to substitute "$EXT" with the name of
your external interface - the one that connects to the internet.
iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE
Possible "real world" examples look like:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
Last task in this step is to save this rule so it gets loaded every time
your computer restarts. Execute:
/etc/init.d/iptables save active
--------
iptables rules require no activation - the very act of hitting <enter> at
the end of typing in a rule makes it take effect straight away.
--------
# Step Two - IP Forwarding #
This very simple step is the last one. (Phew!)
Fire up your editor for the very last time and open the file:
/etc/sysctl.conf
It needs to contain the following line:
net.ipv4.ip_forward=1
It's also perfectly valid syntax to write that line using "/" in
place of "." between words.
That's it.
If you want to find out a bit more about what this file does, consult:
man sysctl
man sysctl.conf
--------
This command does need activating, do so by:
echo 1 > /proc/sys/net/ipv4/ip_forward
--------
============================================================================
============================================================================
Most of you will have heard of iptables long before encountering it in this
lesson. It's a very versatile piece of software and gets much positive
exposure as the Linux firewalling programme. It's really important you
realise that even though iptables is installed, your computer is not
protected by a firewall. Just as we've written a rule to enable NAT, you
need to write rules to enable firewalling.
Before we end this lesson, we need to test this last lot of changes, making
sure the computers on your network really can access the internet. As
before, the order you do these tests in is important because of what the
results can tell us.
It is assumed all the tests listed in Phase Three have been successfully
completed. Don't even think about trying to contact the internet when your
LAN isn't working properly.
1. Testing Gateway <--> Internet by IP
First thing is to make sure the gateway machine itself has an internet
connection, so go on-line and try pinging a machine "out there". I'm leaving
it up to you to find an address to ping. I don't want to cause a ping flood
on any particular machine by publishing its address here. A failure
indicates there's something wrong with your connection. There's also a small
possibility that you mixed up which interface connects to the internet and
which one connects to the network.
2. Testing Gateway <--> Internet by Name
Still sitting at the gateway machine, try pinging an internet machine by
name.
Failure here indicates a problem with your /etc/resolv.conf file. If your
ISP dynamically assigns you an IP address and this file is empty, there's a
problem with the dhcp process. If you are expected to manually tell your
computer the name of relevant DNS servers, make sure the entries in this
file really are name servers!
3. Testing LAN <--> Internet by IP
Sit now at one of the computers on your network. First of all, try pinging
the public IP address of your gateway. If that's successful, ping any old IP
on the internet.
If either of these two fail, check the following:
* The gateway address entered in the file we edited at Step 2 of Phase 2 is
correct - remember the gateway address is the PRIVATE IP address of the
gateway machine - not its public internet address.
* ipforward is set up on the gateway. Run the following command on the
gateway:
cat /proc/sys/net/ipv4/ip_forward
If it prints a 1 then ip_forward is working. If it prints a 0, then you need
to enable ip_forward. Do this by typing:
echo 1 > /proc/sys/net/ipv4/ip_forward
and make sure this occurs every time your computer boots by following the
instructions in Step 3 of this phase.
* Make sure NAT is working. Execute the command:
iptables -L -t nat
and make sure the following entry exists:
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
If it's not there, enter the command given in Step 1 Stage 3 of this phase
and don't forget to follow the instructions for saving that rule so it loads
every boot!
4. Testing LAN <--> Internet by Name
Test two tested name resolution from the gateway machine, in this last test
we make sure it's working from the rest of the machines on the network.
>From a computer on your LAN, try pinging a computer on the internet by name.
Failure means there's something wrong with the /etc/resolv.conf file (not
the /etc/hosts file - hosts has nothing to do with internet based machines
at all).
Check the contents of your /etc/resolv.conf file, making sure the entries
match those of the /etc/resolv.conf file on the (working) gateway machine.
--------------------
As you go through this lesson, please keep in mind that the very flexibility
Linux offers means there is more than one way to do every task. What I've
hoped to provide here is a fairly comprehensive outline - a guide as to what
you need to do.
It's very difficult writing instructions for such a wide range of experience
levels. In some places I've probably put too much detail, in others not
enough. Please write and ask if you're not clear on something. I'll do my
best to explain.
Many thanks to Dana for your support and illustrations during the writing of
Lesson Four. Thirty-six trillion indeed.
More information about the Courses
mailing list