Poor Man's Router - Howto

Neil Coetzer neil at ubuntu.org.zw
Mon Aug 3 18:22:13 BST 2009


Howzit Abe,

Thanks for the post - glad you got it all working and thanks for
sharing :) It's about time you posted on the list, having been a
member since way back when..... now we just need to get you to a
meeting!

NC

On 8/3/09, Kalpesh Thaker <luminary06 at gmail.com> wrote:
> Hi Alan,
>
> Welcome to ubuntu-zw group!
>
> Thanks for posting the NAT how to... it definitely will help a lot of people
> out there....
>
> kind regards
>
> kalpesh.
>
>
> On Sat, Aug 1, 2009 at 8:43 AM, Alan Paardenkooper
> <abetherabe at gmail.com>wrote:
>
>> Hi all,
>>
>> This is my first post to this mailing list. I've noticed that there are a
>> lot of servers out there running standard squid proxy as the only means
>> for clients to share an internet connection. Not because of any reason
>> in particular other than the person setting up the server simply doesn't
>> know how to set up a simple NAT/router. If proxy has been chosen to help
>> conserve bandwidth or to control browsing, then fair enough. But if it's
>> just because guys don't know how to set up network address translation
>> or only know of squid as the only means to connect more than one
>> computer to the internet at one time on a linux machine here's a simple
>> howto... A sort of internet connection sharing for debian flavours of
>> linux.
>>
>> Hope this helps.
>>
>> HOWTO
>>
>> The Poor Man's Router with NAT & IP Forwarding in Ubuntu 9.04 Part 1
>> (Routing between the internet and 1 subnet)
>>
>>
>> You will need the following:
>>
>>              * A small, but reliable PC which can be set to turn itself
>>                on after a power failure. (Trust me this saves you a lot
>>                of headaches)
>>              * A CDROM/DVDROM drive
>>              * 2 x Ethernet Network Interface Cards installed before
>>                you install the OS.
>>              * An ubuntu 9.04 server cd rom
>>              * A broadband internet connection (ADSL/UHF/VSAT) and the
>>                connection details: e.g. Your static ip address or PPPOE
>>                account settings (provided by the ISP)
>>              * A UTP/wireless switch of some sort
>>              * A lot of patience
>>
>> Start by performing a default installation of the OS onto the PC by
>> booting up from the CDROM drive. When asked for your default interface
>> choose the interface that will connect to the LAN. I like to choose
>> eth1. (This is because the 1 helps me to remember i.e. 1 for the L in
>> LAN). When asked for a machine name, type gw.example.org (short for
>> gateway).
>> When asked what type of server you want to install, choose LAMP and SSH
>> from the options. (I use these because it allows room for expansion
>> later, if needed.) That's it. Wait for the OS to finish installing (you
>> will be asked to configure a user; I like to use “administrator”,
>> unfortunately “admin” is already taken). Now move onto the next step.
>>
>> Now we need to configure the interfaces file. This is so that we can
>> connect to the server remotely from another machine on the network if
>> needed and also so that we can update the OS from either the
>> international repository or from the local one (kindly hosted by Yo!
>> Africa). Which one you will use depends on the type of internet
>> connection. I hope all you people using VSAT have licenced your
>> equipment with POTRAZ... hehe :) type the following:
>>
>> -----------------------------------------------------------------------
>> $sudo vi /etc/network/interfaces
>> -----------------------------------------------------------------------
>>
>> Edit it so that it reads like this. (Don't forget to press
>> insert before typing in the vim editor.)
>>
>> ####################################################################
>>
>> # This file describes the network interfaces available on your system
>> # and how to activate them. For more information, see interfaces(5).
>> #
>> # The loopback network interface
>> auto lo
>> iface lo inet loopback
>>
>> # The LAN (Primary network interface)
>> auto eth1
>> iface eth1 inet static
>>        address 192.168.0.1
>>        netmask 255.255.255.0
>>        network 192.168.0.0
>>        broadcast 192.168.0.255
>>
>> # The Internet
>> auto eth0
>> iface eth0 inet static
>>        address 192.168.254.2
>>        netmask 255.255.255.0
>>        network 192.168.254.0
>>        broadcast 192.168.254.255
>>        gateway 192.168.254.1
>>
>> ####################################################################
>>
>> As you can see I've created the new interface which connects to my ADSL
>> modem (gateway 192.168.254.1). If you're doing PPPOE... You're on your
>> own, there's quite a bit of help out there on the net though. Maybe I'll
>> look into this for my next project.
>>
>> Now we have to configure the Hosts file so that the PC can resolve its
>> own hostname... I.e. we don't want to have to refer to the machine as
>> 192.168.0.1 or 127.0.0.1, so lets edit the file. Type the following:
>>
>> -----------------------------------------------------------------------
>> $sudo vi /etc/hosts
>> -----------------------------------------------------------------------
>>
>> Edit it so that it reads like so:
>>
>> ####################################################################
>>
>> 127.0.0.1       localhost
>> 192.168.0.1     gw.example.org  gw
>> 192.168.254.2   gw.example.org  gw
>>
>> # The following lines are desirable for IPv6 capable hosts
>> ::1 localhost ip6-localhost ip6-loopback
>> fe00::0 ip6-localnet
>> ff00::0 ip6-mcastprefix
>> ff02::1 ip6-allnodes
>> ff02::2 ip6-allrouters
>> ff02::3 ip6-allhosts
>>
>> ####################################################################
>>
>> We will also have to edit the hostname file. Type the following:
>>
>> -----------------------------------------------------------------------
>> $sudo vi /etc/hostname
>> -----------------------------------------------------------------------
>>
>> Edit it so that it reads:
>>
>> ####################################################################
>> gw.example.org
>> ####################################################################
>>
>> Now we have to edit a file called sysctl.conf in /etc/ so that we tell
>> the PC to forward traffic.
>>
>> A lot of people tend to create a shell script which they place into
>> the /etc/init.d/ with the following line:
>>
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>
>> What this does is to change the value of this file each time the
>> computer starts up. I prefer the following as it is a much more elegant
>> way. Plus we can also forward IP ver. 6 traffic too if we want.
>>
>> -----------------------------------------------------------------------
>> $sudo vi /etc/sysctl.conf
>> -----------------------------------------------------------------------
>>
>> Uncomment the line which reads net.ipv4.ip_forward = 1
>>
>> Here's what mine looks like:
>>
>> ####################################################################
>> #
>> # /etc/sysctl.conf - Configuration file for setting system variables
>> # See /etc/sysctl.d/ for additional system variables.
>> # See sysctl.conf (5) for information.
>> #
>> #kernel.domainname = example.com
>>
>> # Uncomment the following to stop low-level messages on console
>> #kernel.printk = 4 4 1 7
>> #
>> # Functions previously found in netbase
>> # Uncomment the next two lines to enable Spoof protection (reverse-path
>> #filter)
>> # Turn on Source Address Verification in all interfaces to
>> # prevent some spoofing attacks
>> #net.ipv4.conf.default.rp_filter=1
>> #net.ipv4.conf.all.rp_filter=1
>> # Uncomment the next line to enable TCP/IP SYN cookies
>> # This disables TCP Window Scaling (http://lkml.org/lkml/2008/2/5/167),
>> # and is not recommended.
>> #net.ipv4.tcp_syncookies=1
>> # Uncomment the next line to enable packet forwarding for IPv4
>> net.ipv4.ip_forward=1 <------------ I uncommented here
>> # Uncomment the next line to enable packet forwarding for IPv6
>> net.ipv6.conf.all.forwarding=1 <----------- I uncommented here
>> #
>> # Additional settings - these settings can improve the network
>> # security of the host and prevent against some network attacks
>> # including spoofing attacks and man in the middle attacks through
>> # redirection. Some network environments, however, require that these
>> # settings are disabled so review and enable them as needed.
>> #
>> # Ignore ICMP broadcasts
>> #net.ipv4.icmp_echo_ignore_broadcasts = 1
>> #
>> # Ignore bogus ICMP errors
>> #net.ipv4.icmp_ignore_bogus_error_responses = 1
>> #
>> # Do not accept ICMP redirects (prevent MITM attacks)
>> #net.ipv4.conf.all.accept_redirects = 0
>> #net.ipv6.conf.all.accept_redirects = 0
>> # _or_
>> # Accept ICMP redirects only for gateways listed in our default
>> # gateway list (enabled by default)
>> # net.ipv4.conf.all.secure_redirects = 1
>> #
>> # Do not send ICMP redirects (we are not a router)
>> #net.ipv4.conf.all.send_redirects = 0
>> #
>> # Do not accept IP source route packets (we are not a router)
>> #net.ipv4.conf.all.accept_source_route = 0
>> #net.ipv6.conf.all.accept_source_route = 0
>> #
>> # Log Martian Packets
>> #net.ipv4.conf.all.log_martians = 1
>> #
>> # The contents of /proc/<pid>/maps and smaps files are only visible to
>> # readers that are allowed to ptrace() the process
>> # kernel.maps_protect = 1
>> ####################################################################
>>
>> As you have probably figured out... The only line(s) you really need in
>> this file is(are) the one(s) for forwarding the traffic. Play with the
>> others at your own risk.
>>
>> Now we need to create some rules for the NAT and tell iptables to load
>> them each time the eth0 interface comes up. I'm going to do it the
>> proper way without using webmin or some new fangled automated way. Let's
>> get down and dirty with the nitty gritty details. Type the following:
>>
>> -----------------------------------------------------------------------
>> $sudo iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.254.2
>> -----------------------------------------------------------------------
>>
>> Explanation:
>>
>> I'm telling iptables to append (-A) a rule to the POSTROUTING chain in
>> the nat table (-t nat). The rule states that any traffic going out (-o)
>> of the eth0 interface should be source natted (-j SNAT) to
>> 192.168.254.2. I.e. we are making all outgoing traffic think it is
>> coming from 192.168.254.2 and not the actual computer it was sent from.
>> Don't worry... when the reply packets come back the kernel generally
>> remembers who the packet was originally from and reverses this.
>>
>> Now type the following:
>>
>> -----------------------------------------------------------------------
>> $sudo iptables-save > /etc/iptables.up.rules
>> -----------------------------------------------------------------------
>>
>> We are basically saving the active iptables rules to a file in /etc/
>> called iptables.up.rules (you could call it anything you like...)
>>
>> Now we need to tell iptables to load these rules every time the eth0
>> interface comes up. In order to do this, we now edit
>> the /etc/network/interfaces file again and add the following line at the
>> bottom below the configuration of the eth0 interface.
>>
>> #####################################################################
>> post-up iptables-restore < /etc/iptables.up.rules
>> #####################################################################
>>
>> My /etc/network/interfaces file now looks like this:
>>
>> #####################################################################
>> # This file describes the network interfaces available on your system
>> # and how to activate them. For more information, see interfaces(5).
>>
>> # The loopback network interface
>> auto lo
>> iface lo inet loopback
>>
>> # The LAN (Primary network interface)
>> auto eth1
>> iface eth1 inet static
>>        address 192.168.0.1
>>        netmask 255.255.255.0
>>        network 192.168.0.0
>>        broadcast 192.168.0.255
>>
>> # The Internet
>> auto eth0
>> iface eth0 inet static
>>        address 192.168.254.2
>>        netmask 255.255.255.0
>>        network 192.168.254.0
>>        broadcast 192.168.254.255
>>        gateway 192.168.254.1
>>        post-up iptables-restore < /etc/iptables.up.rules
>>
>> #####################################################################
>>
>> Right... Hopefully all is well. Now it's time to see if what we've done
>> works! Reboot the machine. Type: sudo reboot and press enter. Once you
>> have rebooted, you should be able to ping your modem 192.168.254.1
>> from your LAN, provided your machine's default gateway points to
>> 192.168.0.1 and you are on the 192.168.0.0/24 subnet.
>>
>> I'll leave it up to http://www.ubuntu.org.zw to explain how to change
>> your sources.list file to the local repository and keep your server
>> software up to date. Next issue I'll expand this for more subnets and
>> throw in some bandwidth monitoring and basic firewalling. I'll end off
>> with basic traffic shaping.
>>
>> Alan Paardenkooper
>> Cell: 0913 415 034
>> skype: abetherabe
>>
>> B-)
>>
>>
>> --
>> Ubuntu-zw mailing list
>> Ubuntu-zw at lists.ubuntu.com
>> Modify settings or unsubscribe at:
>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-zw
>>
>>
>


-- 
Regards,

Neil Coetzer
Team Contact
Ubuntu Zimbabwe LoCo Team
-------------------------------------------
http://www.ubuntu.org.zw
http://zimbabwe.ubuntuforums.org
http://www.ubuntu-zw.org
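The gateway ruleset and a check for it, as an added example that is not part of the original post or anyone's reply. The single SNAT rule in the howto does make the LAN reach the internet, but it leaves the iptables filter table at its built-in defaults: the FORWARD chain policy stays ACCEPT, so the box forwards whatever the kernel can route in either direction, and the SNAT matches anything leaving eth0 regardless of where it came from. The script below generates a complete /etc/iptables.up.rules (in the format iptables-save writes and the post's post-up iptables-restore reads) with a default-deny FORWARD chain, stateful return traffic and the SNAT limited to the LAN subnet, and lints a saved ruleset for those two properties. Interface names and addresses are the post's; the function names, the rule that admits ssh only from the LAN, the log prefix and the sample arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): a complete ruleset for the
# two-NIC gateway (eth0 = internet, eth1 = LAN) plus a lint that catches
# the two gaps a bare SNAT rule leaves open. Function names, the ssh
# allowance from the LAN and the log prefix are this example's choices.

# gen_rules [wan_if] [lan_if] [wan_ip] [lan_net]
# Prints an iptables-restore file; defaults are the addresses used in the post.
gen_rules() {
    wan_if="${1:-eth0}"
    lan_if="${2:-eth1}"
    wan_ip="${3:-192.168.254.2}"
    lan_net="${4:-192.168.0.0/24}"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# SNAT only packets that really came from the LAN, not anything leaving ${wan_if}.
-A POSTROUTING -s ${lan_net} -o ${wan_if} -j SNAT --to-source ${wan_ip}
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# Management (ssh) and ping reach the gateway from the LAN side only.
-A INPUT -i ${lan_if} -s ${lan_net} -p tcp --dport 22 -j ACCEPT
-A INPUT -i ${lan_if} -s ${lan_net} -p icmp -j ACCEPT
# Forward LAN -> internet and the replies; anything else is logged
# (rate-limited) and then dropped by the chain policy.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i ${lan_if} -o ${wan_if} -s ${lan_net} -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fwd-drop: "
COMMIT
EOF
}

# lint_rules [file]
# Reads a saved ruleset (file argument or stdin) and fails unless the
# FORWARD policy is DROP and every SNAT rule carries a -s source match.
lint_rules() {
    rules="$(cat "$@")"
    status=0
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' \
        || { echo "lint: FORWARD policy is not DROP" >&2; status=1; }
    snat_count="$(printf '%s\n' "$rules" | grep -c -- '-j SNAT' || true)"
    [ "$snat_count" -gt 0 ] \
        || { echo "lint: no SNAT rule found" >&2; status=1; }
    if printf '%s\n' "$rules" | grep -- '-j SNAT' | grep -qv -- ' -s '; then
        echo "lint: a SNAT rule is not limited to a source network" >&2
        status=1
    fi
    return "$status"
}

# verify_live
# Post-reboot check on the running gateway (needs root): forwarding is on
# and the loaded ruleset passes the lint above.
verify_live() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ] \
        || { echo "net.ipv4.ip_forward is 0" >&2; return 1; }
    iptables-save | lint_rules
}

# Typical use on the gateway, after sourcing this file:
#   gen_rules > /etc/iptables.up.rules
#   iptables-restore < /etc/iptables.up.rules
#   verify_live
```

Because the rules go through iptables-restore rather than a series of iptables calls, the whole table is replaced atomically on each post-up, so a half-applied ruleset never sits on the interface; the `#` lines in the heredoc are ignored by iptables-restore and can stay in the saved file as documentation.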


