
Internet connection sharing?


hotreca

Technical User
Nov 19, 2002
25
DE
Can anyone tell me how to configure Internet connection sharing with the following:

Main PC - running MS XP Pro 192.168.0.1
Second PC - running MS ME 192.168.0.3
Third PC - running Red Hat 9 (Shrike) 192.168.0.2
connected with a hub
The internet connection is DSL.
Red Hat has DHCP switched off as I use it as a testing server (LAMP). My dev tools are on the main PC; the Internet connection is also run from there. Any help would be appreciated.
 
This is what I use on an rh8, rh9, and an rh7.2.

It's a firewall and router... it all has comments in it.
Of course you have to configure the PPPoE for yourself and then this should work... more secure than Windows too. Or go get yourself a LinkSys router for $50 that supports PPPoE.
I have static and no changes are made.


Cut below to the end....
---------------------------------------

#!/bin/sh

# Initial SIMPLE IP Firewall test script for 2.4.x
#
# Author: Oskar Andreasson <blueflux@koffein.net>
# (c) of BoingWorld.com, use at your own risk, do whatever you please with
# it as long as you don't distribute this without due credits to
# BoingWorld.com
#
# Modified by Haim Dimermanas (dudle at linuxroot dot org)
#
# To install under Redhat : chkconfig --add iptables
# To install under Debian : update-rc.d iptables defaults 21

# chkconfig specific parameters follow
# iptables:
# chkconfig: 2345 82 80
# description: starts or stops netfilter rules

###########
# Configuration options, these will speed you up getting this script to
# work with your own setup.
# NOTE : even though I am lucky enough to have a static IP address on my
# interface connected to the Internet, this IP address is never
# mentioned anywhere. This way, if you connect to the Internet
# and receive a dynamic IP, you won't have to change too much stuff.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#
# With PPPoE the Internet interface is the ppp device (usually ppp0), not the
# Ethernet card the DSL modem is plugged into.
#

LAN_IP_RANGE="192.168.1.0/24"
LAN_IP="192.168.1.111/32"
LAN_BCAST_ADRESS="192.168.1.255/32"
LOCALHOST_IP="127.0.0.1/32"
INET_IFACE="eth0"
LAN_IFACE="eth1"
IPTABLES="/sbin/iptables"
ANYWHERE="0/0"
# The limited broadcast address. 255.255.255.0 is a netmask, not an address,
# and would never match a packet.
BROADCAST="255.255.255.255/32"

case "$1" in
start)

#
# CRITICAL: Enable IP forwarding since it is disabled by default.
#
echo -n "Enabling IP Forwarding ... "
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "done."

# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this
# option. This enables dynamic-ip address hacking in IP MASQ, making the connection
# with Diald and similar programs much easier.
#
#echo -n "Enabling dynamic IP addressing ... "
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#echo "done."

#
# The allowed chain for TCP connections (tcp_allowed)
#
# This chain will be utilised if someone tries to connect to an allowed
# port from the internet. If they are opening the connection, or if it's
# already established, we ACCEPT the packets; anything else we DROP. This is
# where the state matching is performed also, we allow ESTABLISHED and
# RELATED packets.
echo -n "Creating tcp_allowed chain ... "
$IPTABLES -N tcp_allowed
$IPTABLES -A tcp_allowed -p TCP --syn -j ACCEPT
$IPTABLES -A tcp_allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A tcp_allowed -p TCP -j DROP
echo "done."

#
# Destination Network Address Translation.
# If you don't know what it is, just comment the lines.
#
# 1 - We want all traffic coming to port 4200 to be redirected to an ssh server
# inside our network.
# 2 - We allow this very traffic to pass the FORWARD chain.
#
# Then we use the same technique to redirect port 80 requests to our internal
# web server on port 80.
#
# NOTE : a packet that has been DNATed to another host traverses the FORWARD
# chain, not INPUT, so the FORWARD rule in step 2 is what lets it through;
# nothing has to be opened in INPUT for it. Only services running on the
# firewall itself need an INPUT rule (see the tcp_packets chain below).
# Of course, you can replace 4200 with anything you want. I suggest you use a non
# assigned port though :)
#
echo -n "Setting up DNAT ... "
# MEDIA_SERVER="192.168.1.222"
# MEDIA_PORT="8080"
# $IPTABLES -A PREROUTING -t nat -p tcp -i $INET_IFACE --dport 63637 -j DNAT --to $MEDIA_SERVER:$MEDIA_PORT
# $IPTABLES -A FORWARD -i $INET_IFACE -o $LAN_IFACE -d $MEDIA_SERVER -p tcp --dport $MEDIA_PORT -j tcp_allowed
# SSH_SERVER="192.168.1.111"
# SSH_PORT="22"
# $IPTABLES -A PREROUTING -t nat -p tcp -i $INET_IFACE --dport 4200 -j DNAT --to $SSH_SERVER:$SSH_PORT
# $IPTABLES -A FORWARD -i $INET_IFACE -o $LAN_IFACE -d $SSH_SERVER -p tcp --dport $SSH_PORT -j tcp_allowed
# Web server: fill in the internal address and port before uncommenting.
# $IPTABLES -A PREROUTING -t nat -p tcp -i $INET_IFACE --dport 80 -j DNAT --to $
# $IPTABLES -A FORWARD -i $INET_IFACE -o $LAN_IFACE -d $ -p tcp --dport $ -j tcp_allowed
echo "done."


# Enable simple IP FORWARDing and Masquerading
#
# NOTE: The following is an example for an internal LAN, where the lan
# runs on $LAN_IFACE, and the Internet is on $INET_IFACE.
#
# 1 - We masquerade at the 'nat' table, POSTROUTING chain if and only if:
# * It comes from our LAN
# * It goes out through our Internet interface.
# 2 - We ACCEPT to FORWARD if :
# * It goes through our LAN interface ... or ...
# * The connection is in a state ESTABLISHED or RELATED
# 3 - We LOG the rest.
echo -n "Setting up FORWARD chain and MASQUERADE ... "
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -s $LAN_IP_RANGE -j MASQUERADE
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 10/minute --limit-burst 10 -j LOG --log-level DEBUG --log-prefix "FORWARD : "
echo "done."

#
# Set default policies for the INPUT, FORWARD and OUTPUT chains
# Guess what? We DROP everything by default!
echo -n "Setting up default policies ... "
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
echo "done."

#
# Create separate chains for ICMP, TCP and UDP to traverse
#
echo -n "Creating ICMP, TCP and UDP accepting chains ... "
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
echo "done."

#
# ICMP rules (echo reply, destination unreachable, redirect, echo request,
# time exceeded)
#
echo -n "Setting up icmp_packets chain ... "
$IPTABLES -A icmp_packets -p ICMP -s $ANYWHERE --icmp-type 0 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s $ANYWHERE --icmp-type 3 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s $ANYWHERE --icmp-type 5 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s $ANYWHERE --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s $ANYWHERE --icmp-type 11 -j ACCEPT
echo "done."

#
# TCP rules
#
# Allow ssh and smtp.
# Allow 4200 for forwarding.
#
# We also allow port 113 (auth a.k.a. ident). Even if you don't have
# an ident server, I suggest you leave that port open. It will speed
# things up: with the port open the kernel answers with a RST at once,
# while a DROP makes remote mail and IRC servers wait for a timeout.
# For more info, visit
#
# Everything below is commented out, so this firewall accepts no new TCP
# connections from the Internet. Uncomment only what you need.
echo -n "Setting up tcp_packets chain ... "
# $IPTABLES -A tcp_packets -p TCP -s $ANYWHERE --dport 22 -j tcp_allowed
# $IPTABLES -A tcp_packets -p TCP -s $ANYWHERE --dport 25 -j tcp_allowed
# $IPTABLES -A tcp_packets -p TCP -s $ANYWHERE --dport 113 -j tcp_allowed
# $IPTABLES -A tcp_packets -p TCP -s $ANYWHERE --dport 63637 -j tcp_allowed
# -s takes an address, not an interface name. tcp_packets is only reached for
# packets arriving on $INET_IFACE anyway, so match on the source network here.
# $IPTABLES -A tcp_packets -p TCP -s $LAN_IP_RANGE --dport 5955 -j tcp_allowed
# $IPTABLES -A tcp_packets -p TCP -s $LAN_IP_RANGE --dport 7100 -j tcp_allowed
echo "done."

#
# UDP ports
#
# Uncomment the following 2 lines if you are running a DNS server on your
# firewall that must be reachable from the Internet (replies to our own
# lookups are already covered by the ESTABLISHED rule in INPUT).
# $IPTABLES -A udp_packets -p UDP -s $ANYWHERE --source-port 53 -j ACCEPT
# $IPTABLES -A udp_packets -p UDP -s $ANYWHERE --destination-port 53 -j ACCEPT
#
# Allow DHCP replies (server port 67 -> client port 68) if the Internet
# interface gets its address by DHCP. Match the destination port as well:
# the sender chooses its own source port, so "--source-port 67" alone would
# let anyone on the Internet reach every UDP service on the firewall.
echo -n "Setting up udp_packets... "
$IPTABLES -A udp_packets -p UDP -s $ANYWHERE --source-port 67 --destination-port 68 -j ACCEPT
echo "done."

#
# Anti-spoofing.
#
# Drop packets arriving on our Internet interface that claim a private
# (RFC 1918) or loopback source address. These belong in the filter table
# (INPUT and FORWARD), not in nat PREROUTING: the nat table only sees the
# first packet of each connection, and filtering does not belong there.
# They are inserted at the head of both chains so they are checked before
# anything else.
#
echo -n "Blocking private networks ... "
for NET in 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12 127.0.0.0/8; do
    $IPTABLES -I INPUT -i $INET_IFACE -s $NET -j DROP
    $IPTABLES -I FORWARD -i $INET_IFACE -s $NET -j DROP
done
echo "done."

#
# INPUT chain
#
# 1 - We associate each protocol to its own chain in the
# following order:
# * ICMP -> icmp_packets
# * TCP -> tcp_packets
# * UDP -> udp_packets
# 2 - We ACCEPT a packet in the following conditions:
# * It's part of a RELATED or ESTABLISHED connection
# * It comes from our LAN interface and goes to our LAN broadcast
# address
# * It comes from our LAN interface and goes to the 255.255.255.255
# broadcast address (useful if you have a DHCP server on your fw)
# * Its destination is our localhost (127.0.0.1), arriving on lo
# * Its destination is our LAN IP address.
echo -n "Associating packet types with their chains ... "
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
echo "done."

echo -n "Setting up the INPUT chain ... "
$IPTABLES -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $BROADCAST -j ACCEPT
$IPTABLES -A INPUT -p ALL -i lo -d $LOCALHOST_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -m limit --limit 10/minute --limit-burst 10 -j LOG --log-level DEBUG --log-prefix "INPUT : "
echo "done."

#
# OUTPUT chain
#
# The idea is to accept everything, even though the default
# policy of the OUTPUT chain is DROP. Basically, if a packet
# doesn't pass the OUTPUT chain, there is something *serious*
# going on.
#
# 1 - ACCEPT all packets coming from localhost
# 2 - ACCEPT all packets coming from our LAN ip address
# 3 - ACCEPT all packets going to localhost
# 4 - ACCEPT all packets going to our LAN ip address
# 5 - ACCEPT all packets going through our Internet interface

echo -n "Setting up OUTPUT chain ... "
$IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -d $LOCALHOST_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -d $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 10/minute --limit-burst 10 -j LOG --log-level DEBUG --log-prefix "OUTPUT : "
echo "done."
;;
stop)

# Flush all rules: reset every policy to ACCEPT first, then flush and delete
# the user-defined chains in both the filter and the nat table.
echo -n "Flushing all rules ... "
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
$IPTABLES -t nat -X
echo "done."
;;
restart)
$0 stop
$0 start
;;
status)
# Show the filter and nat tables with packet counters and no name lookups
$IPTABLES -nvL
$IPTABLES -t nat -nvL
;;
*)
echo "usage: $0 {start|stop|restart|status}"
exit 1
esac
exit 0
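An added example, not part of the reply above and not from the BoingWorld script: a small POSIX sh dry-run generator for the two pieces the script leaves commented out or in the wrong table, the DNAT port-forward pair and the anti-spoofing drops, adapted to the asker's 192.168.0.0/24 addressing. Everything about the topology here is an assumption the thread does not state: that the Red Hat box gets a second NIC so it can sit between the DSL line and the hub, that the PPPoE session comes up on ppp0, and that eth0 faces the hub. With the DSL modem attached to the XP machine as described in the question, the Linux box cannot be the gateway at all. Rules are printed rather than applied until IPTABLES points at the real binary, and the in_cidr check refuses to forward to a host outside the LAN.

```shell
#!/bin/sh
# Added example (not from the forum post). Assumed layout: ppp0 = PPPoE
# session to the DSL line, eth0 = hub side, LAN 192.168.0.0/24.
IPTABLES="${IPTABLES:-echo iptables}"   # IPTABLES=/sbin/iptables applies for real
INET_IFACE="ppp0"
LAN_IFACE="eth0"
LAN_IP_RANGE="192.168.0.0/24"

# ip_to_int DOTTED-QUAD -> 32-bit integer (192.168.0.2 -> 3232235522)
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_cidr ADDR NET[/PREFIX] -> exit status 0 if ADDR lies inside the network
in_cidr() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    case $2 in
        */*) prefix=${2#*/} ;;
        *)   prefix=32 ;;
    esac
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# forward_port EXT_PORT INT_HOST INT_PORT
# Emits the nat PREROUTING DNAT rule and the filter FORWARD rule that lets
# the rewritten packet through. One without the other is the usual mistake:
# the DNAT alone rewrites the destination, then the FORWARD policy drops it.
# Refuses hosts outside the LAN so a typo cannot bounce traffic elsewhere.
forward_port() {
    ext=$1; host=$2; port=$3
    if ! in_cidr "$host" "$LAN_IP_RANGE"; then
        echo "forward_port: $host is not in $LAN_IP_RANGE" >&2
        return 1
    fi
    $IPTABLES -t nat -A PREROUTING -i "$INET_IFACE" -p tcp --dport "$ext" \
        -j DNAT --to-destination "$host:$port"
    $IPTABLES -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -d "$host" \
        -p tcp --dport "$port" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# block_spoofed: drop packets arriving on the Internet interface that claim a
# private or loopback source. Inserted at the head of the filter INPUT and
# FORWARD chains, not in nat, which only sees the first packet of a connection.
block_spoofed() {
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        for chain in INPUT FORWARD; do
            $IPTABLES -I "$chain" -i "$INET_IFACE" -s "$net" -j DROP
        done
    done
}

# Dry run: with the default IPTABLES=echo this prints the rules for review.
block_spoofed
forward_port 4200 192.168.0.2 22     # ssh on the Red Hat test server
forward_port 8080 192.168.0.2 80     # LAMP web server, reached on 8080 from outside
```

Run it as-is to read the rules it would add; `IPTABLES=/sbin/iptables sh forward.sh` applies them on top of a running firewall. The FORWARD half is the one people forget: the script's own DNAT comments pair each PREROUTING line with a FORWARD line for the same reason.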
 