LInux and IP Masquerading 1


axman505 (Technical User), Jun 20, 2001, US
First, I'm sure I didn't spell that right, sorry. Second, I have a task ahead of me. I am going to install a second NIC into my linux pc, and I want to set it up to share my internet connection, rather than using ICS on my WIN2k machine. I will need to forward some ports to a different machine and I have never done this before. Any suggestions and help would be nice. Thanks again
 
Hi,

This is very easy using either ipchains or the newer iptables (2.4.x series kernels). You can just put a few lines in your /etc/rc.d/rc.local or equivalent file :


echo 1 >/proc/sys/net/ipv4/ip_forward                        # let the kernel route packets between the two NICs
/sbin/modprobe ipchains                                      # ipchains compatibility module on a 2.4 kernel
/sbin/ipchains -P forward DENY                               # deny forwarding by default ...
/sbin/ipchains -A forward -i eth1 -s 192.168.1.0/24 -j MASQ  # ... except LAN traffic leaving via eth1, which is masqueraded


or for iptables

echo 1 >/proc/sys/net/ipv4/ip_forward                        # let the kernel route packets between the two NICs
/sbin/modprobe ip_tables                                     # core iptables support
/sbin/modprobe iptable_nat                                   # the nat table (needed for MASQUERADE)
/sbin/modprobe ip_conntrack                                  # connection tracking, which NAT relies on
/sbin/modprobe ip_conntrack_ftp                              # helper that tracks FTP data connections
/sbin/modprobe ip_nat_ftp                                    # NAT counterpart of the FTP helper (the 2.4 module is ip_nat_ftp; there is no iptable_nat_ftp)
/sbin/iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE   # rewrite LAN source addresses to eth1's address on the way out


In both examples the internet interface is shown as eth1 (change if necessary) and 192.168.1.0/24 is an example of your local lan address range (subnet).

Hope this helps

 
Is there a way to set this up with Linuxconf?
 
Hi,
I have tried the above commands but I couldn't go to the internet with other machines in my local network. Also I tried with my client machines, for example 'ping linux200', and it works fine. But 'ping doesn't run ..

linux200:~ # iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- Flex1300 anywhere
MASQUERADE all -- SGI1000 anywhere
MASQUERADE all -- anywhere Flex1300
MASQUERADE all -- anywhere SGI1000
MASQUERADE all -- anywhere SGI1000
MASQUERADE all -- Flex1300 anywhere
MASQUERADE all -- SGI1000 anywhere
MASQUERADE all -- SGI1000 anywhere
Is it possible that my personal firewall doesn't accept any routing options? If yes, how can I check it?

regards sophie
 
Additionally, I did not find any file called 'rc.local' or 'rc.firewall' on my linux machine .. just 'etc/rc.d/rc'. Is that OK?
regards sophie
 
Hi,

On linuxconf - I don't believe so. Mandrake have a tool in 8.1 but Redhat have fairly primitive stuff on the firewalling/masquerading side at present - unless I missed something !

Sophie - from your mention of yahoo.de I'd be fairly sure you are running Suse like everyone else in Germany. The Suse equivalent of /etc/rc.d/rc.local is /etc/init.d/boot.local (or /etc/rc.d/boot.local which is a symlink to the same file).

The iptables -L output looks OK - Your problem may be that you haven't set the DNS server info on the clients. If you can 'ping 217.12.3.11' (yahoo.de IP address) from a client successfully but can't 'ping then it's a DNS problem.

Masquerading just forwards IP packets - the clients still need to have a method of resolving a canonical name to a decimal IP address. So you may just have to set that for the clients (see your /etc/resolv.conf for what linux itself is using). Also, the clients must be on the same subnet and have their default gateway (or other routing) set to the linux box doing the masquerading.

Regards
 
This is an error I am getting .. any ideas?


[root@bravo aaron]# echo 1 >/proc/sys/net/ipv4/ip_forward
[root@bravo aaron]# /sbin/modprobe ip_tables iptable_nat iptable_nat_ftp
/lib/modules/2.4.7-10/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
/lib/modules/2.4.7-10/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.7-10/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.7-10/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
/lib/modules/2.4.7-10/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.7-10/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.7-10/kernel/net/ipv4/netfilter/ip_tables.o: Can't locate module iptable_nat_ftp
 
Hi,

This is probably because you have ipchains active already. On a lot of the most recent distros they have started putting firewalls of a sort and, to date, these have invariably been ipchains based. So, you either need to use the ipchains code or disable the ipchains activity and just use iptables. On Redhat 7.x you could stop the ipchains firewall starting by turning it off at all runlevels (as root)

/sbin/chkconfig --level 2345 ipchains off

To immediately stop it you can do :

/etc/rc.d/init.d/ipchains stop

and you probably also need to remove the ipchains module from memory :

/sbin/rmmod ipchains

Regards
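Pulling the thread's pieces together into one script, as an added example (this is not code from any of the posts above): it checks for the ipchains conflict just described before loading anything, loads the 2.4 netfilter modules under their real names (ip_nat_ftp, not iptable_nat_ftp), installs the masquerade rule from the first reply, and adds the port forward (DNAT) the original poster asked about. It deliberately sets the FORWARD chain to deny by default; a bare MASQUERADE rule leaves the kernel's default FORWARD policy of ACCEPT in place, so everything would be routed in both directions, including packets from the internet claiming a LAN source address. The interface names, the 192.168.1.0/24 range and the internal web server at 192.168.1.10 are assumptions; setting DRY_RUN=1 prints the commands instead of running them, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example for a 2.4-series kernel with iptables; not from the original thread.
# Assumed layout: eth1 = internet side (DHCP), eth0 = LAN 192.168.1.0/24,
# 192.168.1.10 = internal web server (hypothetical). DRY_RUN=1 prints commands only.
set -u

WAN_IF=${WAN_IF:-eth1}
LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
WEB_HOST=${WEB_HOST:-192.168.1.10}
IPT=${IPT:-/sbin/iptables}
MODULES_FILE=${MODULES_FILE:-/proc/modules}

# run: print the command, then execute it unless DRY_RUN is set.
run() {
    echo "$*"
    [ -n "${DRY_RUN:-}" ] || "$@"
}

# ipchains_loaded: succeeds if the ipchains module is listed in $1 (default /proc/modules).
# ipchains and ip_tables are mutually exclusive on 2.4; a loaded ipchains is what
# produces "init_module: Device or resource busy" when ip_tables is loaded.
ipchains_loaded() {
    grep -q '^ipchains[[:space:]]' "${1:-$MODULES_FILE}" 2>/dev/null
}

# disable_ipchains: the three steps from the reply above (Red Hat style init scripts).
disable_ipchains() {
    run /sbin/chkconfig --level 2345 ipchains off
    run /etc/rc.d/init.d/ipchains stop
    run /sbin/rmmod ipchains
}

load_modules() {
    for m in ip_tables iptable_nat ip_conntrack ip_conntrack_ftp ip_nat_ftp; do
        run /sbin/modprobe "$m"
    done
}

apply_rules() {
    if ipchains_loaded; then
        echo "ipchains is loaded; disabling it first" >&2
        disable_ipchains
    fi
    load_modules
    [ -n "${DRY_RUN:-}" ] || echo 1 >/proc/sys/net/ipv4/ip_forward

    run "$IPT" -F FORWARD
    run "$IPT" -t nat -F

    # Deny forwarding by default, then allow only what the LAN initiates (plus the replies).
    run "$IPT" -P FORWARD DROP
    # Anti-spoofing: a packet with a LAN source address never legitimately arrives from the internet.
    run "$IPT" -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    run "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Hide the LAN behind whatever address eth1 currently has (DHCP-friendly, hence MASQUERADE rather than SNAT).
    run "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Port forward: TCP/80 arriving on the internet side goes to the internal web server.
    # DNAT rewrites the destination in PREROUTING, so the FORWARD rule matches the internal address.
    run "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_HOST:80"
    run "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_HOST" --dport 80 -m state --state NEW -j ACCEPT
}

# status: what "is it working?" looks like from the router itself.
status() {
    echo "ip_forward=$(cat /proc/sys/net/ipv4/ip_forward)"
    "$IPT" -t nat -L -n -v     # -n avoids the reverse DNS lookups that print hostnames instead of addresses
    "$IPT" -L FORWARD -n -v
}

case "${1:-}" in
    apply)  apply_rules ;;
    show)   DRY_RUN=1; apply_rules ;;
    status) status ;;
esac
```

Run it as `sh fw.sh show` to review the commands, `sh fw.sh apply` as root to install them, and `sh fw.sh status` afterwards; the hit counters in the `-v` output are the quickest way to see whether client traffic is actually reaching the MASQUERADE rule. The script only touches the FORWARD and nat chains; what the router itself accepts on its interfaces (the INPUT chain) is a separate decision.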
 
ifincham, it looks like you really know your stuff here. I'm new to the linux world and wondering what you might recommend for a firewall solution. IPChains or IPTables might become more robust as I learn more, but are they really powerful enough to NAT individual IP addresses and allow/disallow packets based on port numbers? I'm used to dealing with Pix firewalls and I'm looking for a similar solution for my home PC. Thanks in advance!
 
Hi,

Iptables is the third generation of packet filtering software on linux and has almost certainly got all the granularity of control you'd get on a pix or similar.

There are built-in chains for input, output and forward plus the special nat one but you can define your own and use procedural logic to jump from one chain to the next. You can filter by interface, ip address (individual or ranges using masks or cidr notation), ports, protocol (tcp, udp, icmp) and all of those can be inward or outward in all combinations. There is also stateful filtering, i.e. based on inspection of the tcp flags or even easier with parameters that check for an 'established' connection. Then there's full source nat, destination nat, and masquerading.

Another thing you can do is mark packets that can then be acted upon by the iproute2 utilities to provide advanced routing and ip traffic control facilities. Also, you can 'mangle' the packets (change stuff) for various reasons.

For more info read the documentation at the netfilter site --> .
There is quite a good summary here -->

Hope this helps
 
I recompiled the kernel, making sure it was enabled. But now, when I go to run the
/sbin/modprobe ip_tables iptable_nat iptable_nat_ftp
/sbin/modprobe ip_conntrack ip_conntrack_ftp
it says it cannot find the modules.

any clues? Is there something more i need to install?
 
Hi,

For iptables you have to specify 'y' to netfilter towards the top of the 'network options' section. However, you also need to go down to the 'IP:Netfilter configuration' option and you will find lots of options within that that also need to be selected. I'd suggest compiling them as modules rather than built-in unless you particularly want the latter.

If you did all the above then it should be OK without the 'modprobe' commands because you would have compiled the stuff into the kernel itself and would not therefore need to load an external kernel module.

Hope this makes sense!

Regards
 
I did select "y" to all those options

I kinda get what you're saying .. maybe
so I type this instead:
ip_tables iptable_nat iptable_nat_ftp
 
Hi,

If all those modules are compiled in you should just be able to do this :

echo 1 >/proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE

Regards
 
I typed that in .. and all went good .. no errors, so I think it works, now I will have to give it a try. Is there any way to check the status?
 
All up and good .. Thanks again so much

Now I have yet another question.

Here is my setup. I am at college in the dorms, I have the linux box DHCP to the school server for internet and then share it to my computer. I have a Windows 2k computer that I want to be able to access shares on via other 2k computers on the school's network. So basically is there a way for linux to forward the windows share commands to windows?
 
Hi.

I'm assuming that you mean your only connection with the rest of the network is via the linux box - obviously, if not, you don't need linux to access shares between different windows boxes.

The complexity depends on whether you need two way access. It would not be difficult to go from a win box to another windows box somewhere on the rest of the network. However, inbound access to windows boxes via linux as a router is a bit more complex.

Anyway, assuming all the computers are connected to a local hub/switch the next question is how their IP addresses are set. If you can only get a single network address (for linux) then you would have problems because you'd need to leave your other machines on a different subnet and the rest of the network would not have any routing information to find that subnet (assuming the 'other' machines are not directly on the subnet that linux is connected to). In that case you would think of employing source nat but you effectively have that already with the masquerading.

What you can try is just to set the iptables 'forward' chain to 'accept' and set the winboxes to use dhcp. Hopefully, they would then get a dhcp lease in their own right and it should all just work. In the first instance try adding this rule to iptables :

/sbin/iptables -P FORWARD ACCEPT

Then set one of the local winboxes to dhcp and see if it gets a lease from the main network and can see the network neighborhood...

Regards
 
Hi,

I'm a Linux n00b and just learning the basics, help would be appreciated. I managed to get my linux box (mandrake 8.1, cable internet on eth0, DHCP to chartertn.net and LAN on eth1, static 192.168.0.1) sharing the internet connection with the included ICS (I also enabled packet routing). I have a WinXP machine (DHCP to the Linux box) that serves as a web server (IIS 5.0). How can I set it up to let other people access my web pages over the internet?
 