In order to get Internet Sharing working you will need to have the appropriate modules compiled into your Linux kernel. This should be the case for most people, but some of you will need to do this manually.
The first thing you need to do is run the following three commands, which enable IP forwarding and tell the system which interface (i.e. eth0) to use as the main connection to the outside world.
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Once you have done the above, you need to tell the system the rules for accepting, rejecting and dropping connections from the outside world to the systems behind the network. (NOTE: The following example is set up to be rather aggressive: when people ping your system it will pretend it's not even there, which gives more security.)
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -j LOG --log-level 4 --log-prefix "ATTACK"
/sbin/iptables -A INPUT -j DROP
This lets in the replies to connections your own machine starts (and its loopback traffic), but drops everything else unless you add more ACCEPT lines; it also logs the dropped packets with a prefix of ATTACK in /var/log/messages.
The next thing to do is to set up the magic line that shares the connection with a certain network the server is connected to, namely your home LAN.
/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
This line is the equivalent of the IPChains command: /sbin/ipchains -A forward -s 192.168.0.0/24 -j MASQ
The above command "tells Linux to append another rule for forwarding that will forward packets to the allowed IP address of client machines. In our example above we have given room for up to 256 computers to be on our network; this is shown by 192.168.0.0/24, which will cover the range of IP addresses starting at 192.168.0.0 and ending at 192.168.0.255. You can adjust this as you want. The 24 section relates to the 'bits' in the 'network' portion of the subnet mask. A 24-bit subnet mask is 255.255.255.0. This indicates an entire "C class" network. If you wish to set up a network only having 16 allowable IP addresses then you should use 192.168.0.0/28, which actually means 16 IPs and NOT 28. The subnet mask for this block would be 255.255.255.240. It is recommended that unless you want to make a secure network at home you just stick with the good old 24-bit configuration. But if you wish to allow a specific number of computers on your network, it is recommended you do a search and find/use an IP Address and Subnet Calculator to make sure you set up exactly the right number of allowable addresses."
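As an added example (not part of the original tutorial or of the quoted text), here is a small POSIX sh subnet calculator of the kind the paragraph above recommends, so a block like 192.168.0.0/28 can be checked before it goes into the MASQUERADE rule. The function names are my own. It goes a little beyond the text: it also reports the usable host count (the block minus its network and broadcast addresses) and clears the host bits of an address that is not the start of its block (192.168.0.5/28 becomes 192.168.0.0/28).

```shell
#!/bin/sh
# Added example: POSIX sh subnet calculator for the /24 and /28 blocks discussed above.
# Not from the original page; function names are my own.

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int_to_ip INT -> A.B.C.D
int_to_ip() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
        $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# cidr_mask PREFIX -> dotted netmask (24 -> 255.255.255.0, 28 -> 255.255.255.240)
cidr_mask() {
    [ "$1" -ge 0 ] && [ "$1" -le 32 ] || return 1
    if [ "$1" -eq 0 ]; then
        int_to_ip 0
    else
        # 4294967295 is 0xFFFFFFFF; shift the ones left so only the network bits remain
        int_to_ip $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# cidr_size PREFIX -> total addresses in the block (the "16" in /28)
cidr_size() {
    echo $(( 1 << (32 - $1) ))
}

# cidr_hosts PREFIX -> addresses you can actually give to machines
# (the network and broadcast addresses are not assignable; /31 and /32 have none)
cidr_hosts() {
    if [ "$1" -ge 31 ]; then echo 0; else echo $(( (1 << (32 - $1)) - 2 )); fi
}

# cidr_network ADDR/PREFIX -> the block's network address (ADDR with host bits cleared)
cidr_network() {
    net=${1%/*}; prefix=${1#*/}
    maskdd=$(cidr_mask "$prefix") || return 1
    int_to_ip $(( $(ip_to_int "$net") & $(ip_to_int "$maskdd") ))
}

# cidr_broadcast ADDR/PREFIX -> last address of the block
cidr_broadcast() {
    prefix=${1#*/}
    int_to_ip $(( $(ip_to_int "$(cidr_network "$1")") + $(cidr_size "$prefix") - 1 ))
}

# cidr_info ADDR/PREFIX -> one-line summary to eyeball before writing the iptables rule
cidr_info() {
    prefix=${1#*/}
    printf 'network=%s mask=%s range=%s-%s addresses=%s usable_hosts=%s\n' \
        "$(cidr_network "$1")" "$(cidr_mask "$prefix")" \
        "$(cidr_network "$1")" "$(cidr_broadcast "$1")" \
        "$(cidr_size "$prefix")" "$(cidr_hosts "$prefix")"
}

# usage: sh subnet.sh 192.168.0.0/28
if [ $# -eq 1 ]; then
    cidr_info "$1"
fi
```

Running it on 192.168.0.0/28 shows the 255.255.255.240 mask and the 192.168.0.0 to 192.168.0.15 range the quoted text describes; note that only 14 of those 16 addresses can go on client machines.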
Now that your Internet Connection Sharing is set up, it is recommended that you combine all of the above commands into a script file so that it can be loaded automatically every time your system boots up. To do this, simply go to the directory that contains some of the boot-up commands, for example cd /etc/rc.d/. In this directory create a file called, say, rc.firewall, and enter the following into the file:
#!/bin/sh
# DHCP Internet and Connection Sharing Script - IPTables Version
# Coded by Mayhem (C)2002
# Net Sharing
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Accept replies to connections this machine started, and loopback traffic
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
# Log everything else with the ATTACK prefix, then drop it
/sbin/iptables -A INPUT -j LOG --log-level 4 --log-prefix "ATTACK"
/sbin/iptables -A INPUT -j DROP
# Add your additional rules here
# Share the connection with the home LAN
/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
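The following is an added example, not Mayhem's script and not anything from the original page: a variant of rc.firewall that keeps the rules explained above but adds the checks a practitioner would want. It assumes the LAN hangs off eth1 (the page only names eth0) and that the file is installed as /etc/rc.d/rc.firewall; the variable names and the DRY_RUN switch are my own. Compared with the page's version it flushes the tables first (so running it twice does not stack duplicate rules), accepts traffic arriving on the LAN interface (the page's INPUT DROP otherwise also blocks the clients' own requests to the server), rate-limits the ATTACK log rule so a flood cannot fill /var/log/messages, and adds FORWARD rules so that only the LAN can open connections through the box.

```shell
#!/bin/sh
# rc.firewall, hardened variant (added example; not the page's script nor Mayhem's code).
# Assumptions, edit to taste: WAN on eth0, LAN on eth1 numbered 192.168.0.0/24.
# DRY_RUN=1 prints every command instead of executing it, so the rule set can be
# reviewed (or tested) without root or iptables on the box.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}
IPT=${IPT:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-0}

# run CMD ARGS...: execute the command, or echo it when dry-running
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# firewall_rules: the whole rule set, in the order it must be loaded
firewall_rules() {
    run modprobe iptable_nat
    run sysctl -w net.ipv4.ip_forward=1   # same as: echo 1 > /proc/sys/net/ipv4/ip_forward

    # flush first so re-running the script replaces the rules instead of appending duplicates
    run "$IPT" -F
    run "$IPT" -t nat -F

    # INPUT: replies to our own connections, loopback, and anything from the LAN side
    run "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A INPUT -i lo -j ACCEPT
    run "$IPT" -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    # rate-limited logging: the trailing space keeps the prefix apart from the packet details
    run "$IPT" -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-level 4 --log-prefix "ATTACK "
    run "$IPT" -A INPUT -j DROP

    # FORWARD: only the LAN may open connections to the outside; only replies come back in
    run "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A FORWARD -j DROP

    # default policies as a backstop, set after the ACCEPT rules are in place
    run "$IPT" -P INPUT DROP
    run "$IPT" -P FORWARD DROP
    run "$IPT" -P OUTPUT ACCEPT

    # NAT: the page's "magic line", restricted to the LAN block and the WAN interface
    run "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# rule_count: number of commands the script issues
rule_count() {
    DRY_RUN=1 firewall_rules | wc -l | tr -d ' '
}

# rule_line PATTERN: 1-based position of the first command matching PATTERN (for checking order)
rule_line() {
    DRY_RUN=1 firewall_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Apply only when invoked as the boot script (e.g. /etc/rc.d/rc.firewall from rc.local);
# running the file under another name just defines the functions above.
case "$0" in
    *rc.firewall) firewall_rules ;;
esac
```

Review the generated rule set first with DRY_RUN=1 sh /etc/rc.d/rc.firewall. When wiring it into rc.local, call it by its full path (/etc/rc.d/rc.firewall) rather than ./rc.firewall: the working directory at boot is not guaranteed to be /etc/rc.d, and a script that silently fails to run leaves the box with no firewall at all.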
Once you have finished, you will need to make the file executable by typing chmod u+x rc.firewall. To make the system run this when it boots up, simply edit rc.local and add a line at the very bottom that runs your script, i.e. add the line ./rc.firewall. Now that you're done, the system should load your Internet connection and share it with all your client machines whenever the server is rebooted.