Poor Man's Router - Howto

Kalpesh Thaker luminary06 at gmail.com
Mon Aug 3 08:49:45 BST 2009


Hi Alan,

Welcome to ubuntu-zw group!

Thanks for posting the NAT howto... it definitely will help a lot of people
out there....

kind regards

kalpesh.


On Sat, Aug 1, 2009 at 8:43 AM, Alan Paardenkooper <abetherabe at gmail.com> wrote:

> Hi all,
>
> This is my first post to this mailing list. I've noticed that there are a
> lot of servers out there running standard squid proxy as the only means
> for clients to share an internet connection. Not because of any reason
> in particular other than the person setting up the server simply doesn't
> know how to set up a simple NAT/router. If proxy has been chosen to help
> conserve bandwidth or to control browsing, then fair enough. But if it's
> just because guys don't know how to set up network address translation
> or only know of squid as the only means to connect more than one
> computer to the internet at one time on a linux machine here's a simple
> howto... A sort of internet connection sharing for debian flavours of
> linux.
>
> Hope this helps.
>
> HOWTO
>
> The Poor Man's Router with NAT & IP Forwarding in Ubuntu 9.04 Part 1
> (Routing between the internet and 1 subnet)
>
>
> You will need the following:
>
>              * A small, but reliable PC which can be set to turn itself
>                on after a power failure. (Trust me this saves you a lot
>                of headaches)
>              * A CDROM/DVDROM drive
>              * 2 x Ethernet Network Interface Cards installed before
>                you install the OS.
>              * An ubuntu 9.04 server cd rom
>              * A broadband internet connection (ADSL/UHF/VSAT) and the
>                connection details: e.g. Your static ip address or PPPOE
>                account settings (provided by the ISP)
>              * A UTP/wireless switch of some sort
>              * A lot of patience
>
> Start by performing a default installation of the OS onto the PC by
> booting up from the CDROM drive. When asked for your default interface
> choose the interface that will connect to the LAN. I like to choose
> eth1. (This is because the 1 helps me to remember i.e. 1 for the L in
> LAN). When asked for a machine name, type gw.example.org (short for
> gateway).
> When asked what type of server you want to install, choose LAMP and SSH
> from the options. (I use these because they allow room for expansion
> later, if needed.) That's it. Wait for the OS to finish installing (you
> will be asked to configure a user. I like to use "administrator";
> unfortunately "admin" is already taken). Now move onto the next step.
>
> Now we need to configure the interfaces file. This is so that we can
> connect to the server remotely from another machine on the network if
> needed and also so that we can update the OS from either the
> international repository or from the local one (kindly hosted by Yo!
> Africa). Which one you will use depends on the type of internet
> connection. I hope all you people using VSAT have licenced your
> equipment with POTRAZ... hehe :) type the following:
>
> -----------------------------------------------------------------------
> $sudo vi /etc/network/interfaces
> -----------------------------------------------------------------------
>
> Edit it so that it reads like this. (Don't forget to press
> insert before typing in the vim editor.)
>
> ####################################################################
>
> # This file describes the network interfaces available on your system
> # and how to activate them. For more information, see interfaces(5).
> #
> # The loopback network interface
> auto lo
> iface lo inet loopback
>
> # The LAN (Primary network interface)
> auto eth1
> iface eth1 inet static
>        address 192.168.0.1
>        netmask 255.255.255.0
>        network 192.168.0.0
>        broadcast 192.168.0.255
>
> # The Internet
> auto eth0
> iface eth0 inet static
>        address 192.168.254.2
>        netmask 255.255.255.0
>        network 192.168.254.0
>        broadcast 192.168.254.255
>        gateway 192.168.254.1
>
> ####################################################################
>
> As you can see I've created the new interface which connects to my ADSL
> modem (gateway 192.168.254.1). If you're doing PPPOE... You're on your
> own, there's quite a bit of help out there on the net though. Maybe I'll
> look into this for my next project.
>
> Now we have to configure the Hosts file so that the PC can resolve its
> own hostname... I.e. we don't want to have to refer to the machine as
> 192.168.0.1 or 127.0.0.1, so let's edit the file. Type the following:
>
> -----------------------------------------------------------------------
> $sudo vi /etc/hosts
> -----------------------------------------------------------------------
>
> Edit it so that reads like so:
>
> ####################################################################
>
> 127.0.0.1       localhost
> 192.168.0.1     gw.example.org  gw
> 192.168.254.2   gw.example.org  gw
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> ff02::3 ip6-allhosts
>
> ####################################################################
>
> We will also have to edit the hostname file. Type the following:
>
> -----------------------------------------------------------------------
> $sudo vi /etc/hostname
> -----------------------------------------------------------------------
>
> Edit it so that it reads:
>
> ####################################################################
> gw.example.org
> ####################################################################
>
> Now we have to edit a file called sysctl.conf in /etc/ so that we tell
> the PC to forward traffic.
>
> A lot of people tend to create a shell script which they place into
> the /etc/init.d/ with the following line:
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> What this does is to change the value of this file each time the
> computer starts up. I prefer the following as it is a much more elegant
> way. Plus we can also forward IP ver. 6 traffic too if we want.
>
> -----------------------------------------------------------------------
> $sudo vi /etc/sysctl.conf
> -----------------------------------------------------------------------
>
> Uncomment the line which reads net.ipv4.ip_forward = 1
>
> Here's what mine looks like:
>
> ####################################################################
> #
> # /etc/sysctl.conf - Configuration file for setting system variables
> # See /etc/sysctl.d/ for additional system variables.
> # See sysctl.conf (5) for information.
> #
> #kernel.domainname = example.com
>
> # Uncomment the following to stop low-level messages on console
> #kernel.printk = 4 4 1 7
> #
> # Functions previously found in netbase
> # Uncomment the next two lines to enable Spoof protection (reverse-path
> #filter)
> # Turn on Source Address Verification in all interfaces to
> # prevent some spoofing attacks
> #net.ipv4.conf.default.rp_filter=1
> #net.ipv4.conf.all.rp_filter=1
> # Uncomment the next line to enable TCP/IP SYN cookies
> # This disables TCP Window Scaling (http://lkml.org/lkml/2008/2/5/167),
> # and is not recommended.
> #net.ipv4.tcp_syncookies=1
> # Uncomment the next line to enable packet forwarding for IPv4
> net.ipv4.ip_forward=1 <------------ I uncommented here
> # Uncomment the next line to enable packet forwarding for IPv6
> net.ipv6.conf.all.forwarding=1 <----------- I uncommented here
> #
> # Additional settings - these settings can improve the network
> # security of the host and prevent against some network attacks
> # including spoofing attacks and man in the middle attacks through
> # redirection. Some network environments, however, require that these
> # settings are disabled so review and enable them as needed.
> #
> # Ignore ICMP broadcasts
> #net.ipv4.icmp_echo_ignore_broadcasts = 1
> #
> # Ignore bogus ICMP errors
> #net.ipv4.icmp_ignore_bogus_error_responses = 1
> #
> # Do not accept ICMP redirects (prevent MITM attacks)
> #net.ipv4.conf.all.accept_redirects = 0
> #net.ipv6.conf.all.accept_redirects = 0
> # _or_
> # Accept ICMP redirects only for gateways listed in our default
> # gateway list (enabled by default)
> # net.ipv4.conf.all.secure_redirects = 1
> #
> # Do not send ICMP redirects (we are not a router)
> #net.ipv4.conf.all.send_redirects = 0
> #
> # Do not accept IP source route packets (we are not a router)
> #net.ipv4.conf.all.accept_source_route = 0
> #net.ipv6.conf.all.accept_source_route = 0
> #
> # Log Martian Packets
> #net.ipv4.conf.all.log_martians = 1
> #
> # The contents of /proc/<pid>/maps and smaps files are only visible to
> # readers that are allowed to ptrace() the process
> # kernel.maps_protect = 1
> ####################################################################
>
> As you have probably figured out... The only line(s) you really need in
> this file is(are) the one(s) for forwarding the traffic. Play with the
> others at your own risk.
>
> Now we need to create some rules for the NAT and tell iptables to load
> them each time the eth0 interface comes up. I'm going to do it the
> proper way without using webmin or some new fangled automated way. Let's
> get down and dirty with the nitty gritty details. Type the following:
>
> -----------------------------------------------------------------------
> $sudo iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 192.168.254.2
> -----------------------------------------------------------------------
>
> Explanation:
>
> I'm telling iptables to append (-A) a rule to the POSTROUTING chain in
> the nat table (-t nat). The rule states that any traffic going out (-o)
> of the eth0 interface should be source natted (-j SNAT) to
> 192.168.254.2. I.e. we are making all outgoing traffic think it is
> coming from 192.168.254.2 and not the actual computer it was sent from.
> Don't worry... when the reply packets come back the kernel generally
> remembers who the packet was originally from and reverses this.
>
> Now type the following:
>
> -----------------------------------------------------------------------
> $sudo iptables-save > /etc/iptables.up.rules
> -----------------------------------------------------------------------
>
> We are basically saving the active iptables rules to a file in /etc/
> called iptables.up.rules (you could call it anything you like...)
>
> Now we need to tell iptables to load these rules every time the eth0
> interface comes up. In order to do this, we now edit
> the /etc/network/interfaces file again and add the following line at the
> bottom below the configuration of the eth0 interface.
>
> #####################################################################
> post-up iptables-restore < /etc/iptables.up.rules
> #####################################################################
>
> My /etc/network/interfaces file now looks like this:
>
> #####################################################################
> # This file describes the network interfaces available on your system
> # and how to activate them. For more information, see interfaces(5).
>
> # The loopback network interface
> auto lo
> iface lo inet loopback
>
> # The LAN (Primary network interface)
> auto eth1
> iface eth1 inet static
>        address 192.168.0.1
>        netmask 255.255.255.0
>        network 192.168.0.0
>        broadcast 192.168.0.255
>
> # The Internet
> auto eth0
> iface eth0 inet static
>        address 192.168.254.2
>        netmask 255.255.255.0
>        network 192.168.254.0
>        broadcast 192.168.254.255
>        gateway 192.168.254.1
>        post-up iptables-restore < /etc/iptables.up.rules
>
> #####################################################################
>
> Right... Hopefully all is well. Now it's time to see if what we've done
> works! Reboot the machine. Type: sudo reboot and press enter. Once you
> have rebooted, you should be able to ping your modem 192.168.254.1
> from your LAN, provided your machine's default gateway points to
> 192.168.0.1 and you are on the 192.168.0.0/24 subnet.
>
> I'll leave it up to http://www.ubuntu.org.zw to explain how to change
> your sources.list file to the local repository and keep your server
> software up to date. Next issue I'll expand this for more subnets and
> throw in some bandwidth monitoring and basic firewalling. I'll end off
> with basic traffic shaping.
>
> Alan Paardenkooper
> Cell: 0913 415 034
> skype: abetherabe
>
> B-)
>
>
> --
> Ubuntu-zw mailing list
> Ubuntu-zw at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-zw
>
>
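As an added example, not code from Alan's post or from Ubuntu, the script below writes the howto's NAT rule in the iptables-save format that `iptables-restore` reads, and sanity-checks the file before it is loaded. It uses the same interface names and addresses as the howto (eth0 on the Internet side, eth1 on the LAN, LAN subnet 192.168.0.0/24, outside address 192.168.254.2). One thing it adds beyond the post is a filter table with a default-DROP FORWARD chain: with the howto's rule alone the box will forward packets from any source it receives them from, so restricting forwarding to flows that originate on the LAN (plus their replies) is the minimum a gateway like this should do. The `forwarding_enabled` helper covers the sysctl.conf step; its path argument is only there so the check can be exercised against a file.

```shell
#!/bin/sh
# Added example (not from the original post): generate an iptables-restore
# file for the "poor man's router" and sanity-check it. Interface names and
# addresses are the howto's (eth0 = Internet, eth1 = LAN, LAN 192.168.0.0/24,
# WAN address 192.168.254.2); change them to match the gateway.
LAN_IF=eth1
WAN_IF=eth0
LAN_NET=192.168.0.0/24
WAN_ADDR=192.168.254.2

# Emit the ruleset in iptables-save format (what iptables-restore reads).
# The nat part is the howto's SNAT rule, limited to traffic from the LAN
# subnet. The filter part is an addition: a default-DROP FORWARD chain so
# the box only forwards LAN-originated flows and their replies, rather than
# anything any interface hands it.
gen_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_ADDR
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Check a rules file before handing it to iptables-restore: the SNAT rule
# must be tied to the LAN source and the WAN interface, FORWARD must default
# to DROP, and both tables must be terminated by COMMIT.
check_rules() {
  grep -q -- "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_ADDR" "$1" || return 1
  grep -q '^:FORWARD DROP' "$1" || return 1
  [ "$(grep -c '^COMMIT$' "$1")" -eq 2 ] || return 1
}

# Confirm the kernel is actually forwarding (the sysctl.conf step). Reads
# /proc by default; the optional path argument lets the check run against
# a file instead.
forwarding_enabled() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# On the gateway, as root:
#   gen_rules > /etc/iptables.up.rules
#   check_rules /etc/iptables.up.rules && forwarding_enabled \
#     && iptables-restore < /etc/iptables.up.rules
```

The `post-up iptables-restore < /etc/iptables.up.rules` line from the howto loads the generated file unchanged; `-m state --state ESTABLISHED,RELATED` is the classic match for reply traffic on a 2009-era kernel, and `-m conntrack --ctstate` is the equivalent on newer ones.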