Linux Forums - Linux Help,Advice & support community:LinuxSolved.com

Linux in General => Linux Tutorials & How To's => Topic started by: Ricky on January 08, 2004, 05:40:46 PM

Title: Internet Sharing in Linux / NAT How to
Post by: Ricky on January 08, 2004, 05:40:46 PM
Here we will learn how to configure your Linux box to share one internet connection over your LAN.
First make a file named 'rc.nat' and put the following script in it.
Code:


#!/bin/sh

# Location of the iptables executable.
iptables=/sbin/iptables

# Clear any old rules in the nat table.
$iptables --flush -t nat

# Masquerading, i.e. NAT: rewrite traffic leaving through ppp0
# and forward packets that arrive from the LAN on eth0.
$iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
$iptables --append FORWARD --in-interface eth0 -j ACCEPT

# Enable packet forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward


Now save this rc.nat in /etc/rc.d/ and make it executable with
Code:
chmod 755 /etc/rc.d/rc.nat

Now add the following line to your /etc/rc.d/rc.local so that it gets executed automatically every time you start your computer.
Code:
/etc/rc.d/rc.nat

Now on your clients make sure you have set the gateway to the IP of the computer which is connected directly to the internet, and also that you have entered the right nameserver (DNS) in the DNS list of the clients.
Now you should be able to share internet after executing this script.

NOTE: When you run this script you should also use a good firewall.
Title: Internet Sharing in Linux / NAT How to
Post by: digimart on January 08, 2004, 06:38:28 PM
Thanks for good tip.

Please advise in case we have an internet via satellite setup (one-way). In it the downlink is through a DVB card and the uplink through a dialup modem, and the internet is shared on the LAN.

As Linux drivers and front-end for our DVB cards (Technisat B2C2 chip) are not available on the net (I have at least searched at all places, and was not able to find any).

So what I did is that I have set up 2 PCs. PC-1 has the dialup modem and is running Linux, whereas PC-2 has the DVB card and is running WinXP.

So will your code work in my case too ?
Title: Internet Sharing in Linux / NAT How to
Post by: Ricky on January 09, 2004, 04:30:48 PM
Well, here we are basically doing Network Address Translation. So if anyone makes a request to the internet, it first gets translated as if it came from the server itself, and when the server receives the reply it translates it back so that it goes to the original place from where it was requested.
So you can use that with the modem for uplink, but I suggest that if you are not able to find the drivers then connect your DVB card and modem to the WinXP computer, then connect your Linux box to WinXP and then your Linux box to the LAN.
Something like this:
Code:
Satellite & Modem --> WinXP box --> Linux Box --> your LAN

In this setup you can still take full advantage of Linux flexibility and can keep your LAN secure enough. Also I suggest that you can use any low-end (spare) PC to connect directly to the internet.
Title: Thanks for Linux Tutorials
Post by: amith on January 14, 2004, 04:37:50 AM
I will now try all the squid configuration and I will be back :lol:
Title: I NEED YOUR HELP
Post by: ozioma on May 22, 2004, 12:06:59 PM
PLEASE HOW DO I SHARE MY INTERNET CONNECTION OVER MY LAN WITH MY LINUX SERVER? WHAT IS THE COMMAND TO MAKE THE FILE rc.nat AND THE COMMAND TO SAVE IT IN /etc/rc.d/?

ALSO HOW DO I EDIT IT?

THANKS

OZIOMA
Title: Internet Sharing in Linux / NAT How to
Post by: Ricky on May 22, 2004, 02:56:55 PM
You are pretty new.. it is very simple.. if you want to do it from the command line then you can use vi, i.e. to make rc.nat run "vi rc.nat", which will open a new file.. type the stuff I mentioned and then save it using
":save /etc/rc.d/rc.nat"

or you can use a graphical editor..
Title: HELP AGAIN
Post by: ozioma on May 22, 2004, 03:25:03 PM
PLEASE IS THERE ANY WAY I CAN BROWSE THE INTERNET FROM MY WORKSTATION WITHOUT SETTING THE CLIENTS GATEWAY AS THE IP ADDRESS OF THE SERVER LIKE CIM MY FORMER SERVER ALL WE NEEDED DO WAS CONFIGURE THE INTERNET EXPLORER TO USE PORT 8080 AND THEN PUT THE IP OF THE SERVER WITHOUT CONFIGURING THE GATEWAY

THANKS

OZIOMA
Title: Internet Sharing in Linux / NAT How to
Post by: Ricky on May 23, 2004, 03:21:07 AM
If you are looking for that then you need squid proxy. See Squid proxy configuration (http://www.linuxsolved.com/forums/ftopic116.html).
BTW you can also set up a DHCP server on your Linux box so that you don't have to configure every box. Just set your clients to obtain IP and other information from the DHCP server. See DHCP server linux how to (http://www.linuxsolved.com/forums/ftopic16.html)

Lastly I suggest you read some stuff about networking to clear your concepts..
Title: how to share an internet connection
Post by: kisakye on May 30, 2004, 01:20:26 PM
Hi everyone, I am still wondering: after writing out that script which Ricky gave, will my Linux box be able to work as a server and hence work with Windows machines on the network?
thanks
Title: Internet Sharing in Linux / NAT How to
Post by: Ricky on May 30, 2004, 01:24:13 PM
Yes, it can be a gateway for any machine on any OS as long as that machine uses the universal TCP/IP protocol.
Title: VSAT on Linux
Post by: JOJ on June 25, 2004, 12:55:09 AM
Hi everyone there.... I am connecting to the Internet through a Very Small Aperture Terminal (VSAT), and according to our ISP it will only work with Windows servers. I have a lot of problems dealing with my Windows now. Presently I have Slackware Linux running connected to our LAN but it still connects to Windows for Internet. Thus, I want to replace my Windows server with Slackware. Is it possible to configure VSAT with Linux? How? Please help me. Yes please, 'coz I want to get rid of my Windows as soon as possible.

Thanks a lot.

Beginner
Title: hello
Post by: tomamodi on August 08, 2004, 06:08:54 PM
please i
for line in /etc/rc.d/rc.local

this line is enough    /etc/rc.d/rc.nat

or with touch  command

touch /etc/rc.d/rc.nat

still I have not succeeded
Title: Internet Sharing in Linux / NAT How to
Post by: Ricky on August 09, 2004, 07:22:08 AM
Well, you can create a directory using mkdir or also using touch, then put the above script in that directory!
Title: Internet Sharing in Linux / NAT How to
Post by: anil_garg5 on August 13, 2004, 11:30:17 AM
Nice ..really good one.

Ricky, I implemented this ... working fine.

Kindly guide us ...

Thanks a lot
Title: Internet Sharing in Linux / NAT How to
Post by: Cytomatrix on August 27, 2004, 09:40:01 AM
If I am using Slackware as my Linux gateway for my Windows PCs, how do I open ports for my Windows? I play Halo (an online game) and Counter-Strike. How do I open ports for my Windows applications? Another thing, my ISP binds MAC addresses. If my MAC address is wrong I won't be able to connect to the internet. I can register up to 3 MAC addresses, but I can only connect one computer at a time. Will I be able to use this technique to share internet?
thanks  :D
Title: Internet Sharing in Linux / NAT How to
Post by: Ricky on August 27, 2004, 11:19:11 AM
Yes..
by this method ie NAT you can do all you want !
Title: Re: Internet Sharing in Linux / NAT How to
Post by: tomamodi on October 10, 2004, 04:45:55 AM
First make a file named 'rc.nat' and put the following script in it.
Code:


iptables=/sbin/iptables


iptables --flush -t nat


1)iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
2)iptables --append FORWARD --in-interface eth0 -j ACCEPT
3)echo 1 > /proc/sys/net/ipv4/ip_forward


Dear Ricky,
is it necessary to put the above lines in the same or (2-3) in one line?
Title: Internet Sharing in Linux / NAT How to
Post by: Ricky on October 12, 2004, 08:24:47 AM
Line one is for telling which interface is to be altered, i.e. the actual net connection, which is ppp0 ... line two is to accept connections for eth0, i.e. the LAN, and line three is to enable packet routing..

so all are required !
Title: Block Messenger
Post by: ziajee on January 03, 2005, 02:31:46 PM
hi
I also wanted a transparent proxy...
and it helped me out and solved my problem....

Please can you help me again with blocking MSN Messenger and Yahoo Messenger..
and many porn sites.. with this iptables...

thankx again...

Rgds

Aasim Zia
Title: Internet Sharing in Linux / NAT How to
Post by: Ricky on January 04, 2005, 09:16:36 AM
Well, if you look at the last few posts of this forum then you will find the solution to your problem. :)
Title: Regarding Transparent Proxy
Post by: rana28 on January 18, 2005, 08:25:07 AM
Dear Ricky
Thanks for your tutorial on transparent proxy. I have one question regarding this topic: I have installed squid 2.5 on Red Hat Linux 9.0 (rpm package); is it necessary to install netfilter for transparent proxy? If yes, how do I install netfilter on Red Hat Linux 9.0 (is there any rpm package available for netfilter)?
Title: Internet Sharing in Linux / NAT How to
Post by: Ricky on January 18, 2005, 03:50:04 PM
netfilter.. are you talking about iptables?
Well, for transparent proxy (i.e. if you don't want to configure browsers) you need netfilter's iptables installed, and it is now in every standard Linux distro.

For a simple proxy, i.e. using it by configuring every client's browser, there is no need of it at all.

You can download it: search "iptables rpm download" in any search engine.
Title: Regarding Transparent Proxy
Post by: rana28 on January 19, 2005, 09:20:24 AM
Dear Friend
As written, I have tried to configure transparent proxy on my Linux box, but unfortunately it won't work. I am using Red Hat Linux 9.0 with iptables (already loaded with Linux). If I specify my server IP and port no. 3128 on my Windows client then it's working fine. Can you tell me what the problem is? I have tried several times. Please help.
Title: Transparent Proxy
Post by: rana28 on January 19, 2005, 10:12:10 AM
I am using 2 ethernet cards, eth0 for Lan and eth1 for DSL connection (PPP0).
Title: Internet Sharing in Linux / NAT How to
Post by: Ricky on January 19, 2005, 01:09:00 PM
You have to check whether the iptables rules given here and in the Transparent proxy tutorial are applied in the right way.

To check if routing is fine:
Code:
cat /proc/sys/net/ipv4/ip_forward
If that gives output = 1 then you are fine.

On your client you have to give the gateway as the IP of the Linux box and the DNS server as your ISP's DNS server IP. Or you can give the same IP as your gateway, but that depends on other criteria, so better give only the DNS server IP of your ISP.
Title: Transparent Proxy
Post by: rana28 on January 20, 2005, 07:55:51 AM
Dear Ricky
Sorry to disturb you, but my problem remains the same, my transparent proxy won't start. As told by you, the given command cat /proc/sys/net/ipv4/ip_forward returns 1. Someone told me the following solution, please tell me, is this correct?

Without httpd running on your squid-box you need this line in your iptables-script:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

If you have a httpd running on your squid box, these are the lines you need to insert into your iptables-script:

iptables -t nat -A PREROUTING -p tcp -d localhost --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d / --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -s ppp0 --dport 80 -j REDIRECT --to-port 3128
Title: Transparent Proxy
Post by: rana28 on January 20, 2005, 09:59:30 AM
As told by you, the command cat /proc/sys/net/ipv4/ip_forward returns 1.

Somebody told me the following suggestion, is this correct?


Without httpd running on your squid-box you need this line in your iptables-script:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

If you have a httpd running on your squid box, these are the lines you need to insert into your iptables-script:

iptables -t nat -A PREROUTING -p tcp -d localhost --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d / --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -s ppp0 --dport 80 -j REDIRECT --to-port 3128
Title: Internet Sharing in Linux / NAT How to
Post by: Ricky on January 20, 2005, 11:27:13 AM
You are running httpd on it? You never told me! Well, from my point of view, never run transparent proxy and httpd on the same machine.. when you try that, a line such as mine will cause an error.
Title: Transparent Proxy
Post by: rana28 on January 20, 2005, 11:50:46 AM
I don't know whether I am running httpd or not. I tried the following commands for testing, please suggest what I should do.
#ps ax| grep httpd
5535 pts/0 S 0:00 grep httpd

#ps ax|grep squid
3501  ?   S 0:00 squid -D
3503  ?   S 2:31 <squid> -D
5619  pts/0  S 0:00 grep squid

#iptables -L -n -t nat
Chain PREROUTING <policy ACCEPT>
target        prot  opt  source            destination
REDIRECT  all     --   0.0.0.0/0       0.0.0.0  tcp dpt:80 redir ports 3128

Chain PREROUTING <policy ACCEPT>
target             prot  opt  source            destination
MASQUERADE  all   ---   0.0.0.0/0          0.0.0.0

Chain PREROUTING <policy ACCEPT>
target        prot  opt  source            destination
Title: how can i run script
Post by: vlinux1 on March 22, 2005, 07:52:24 PM
Hi Gaurav & Ricky,

I did the whole procedure, but I want to know: I have a direct IP on my Linux box, so what do I need to change in that script? Please tell me.

And one more: if we configure NAT, must the firewall be up or not? Is it possible without a firewall? Because I configured a high firewall with default rules, but I stopped the service with the /etc/init.d/iptables stop command. Please tell me in detail.
Title: Internet Sharing in Linux / NAT How to
Post by: Ricky on March 23, 2005, 05:33:57 AM
That script especially works for devices having dynamic IPs.. it will still work for you, just replace ppp0 with the ethX which is directly connected to the internet.

Without a firewall it will work..
Actually NAT does packet movement in and out without knowing who is doing it.. so it can be a security breach. So I suggested using a firewall.. but with the default firewall it will not work..
Either you install firestarter and do NAT using that as well..
or use a premade firewall script easily available on the internet.
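A stateful variant of the rc.nat script from the first post, as an added example that is not part of the original thread: it keeps the ppp0/eth0 layout used above, drops forwarded traffic by default and only lets replies back in from the Internet side. The `IPT`, `WAN_IF` and `LAN_IF` variables and the `nat_gateway` function are names chosen for this example; setting `IPT=echo` prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): NAT gateway with a stateful FORWARD policy.
# It only covers forwarded traffic; traffic to the gateway itself (INPUT chain)
# needs its own rules.

IPT=${IPT:-/sbin/iptables}   # IPT=echo gives a dry run that prints each rule
WAN_IF=${WAN_IF:-ppp0}       # Internet-facing interface (ppp0 in the thread)
LAN_IF=${LAN_IF:-eth0}       # LAN-facing interface (eth0 in the thread)

nat_gateway() {
    # Refuse a layout where both roles point at the same interface.
    if [ "$WAN_IF" = "$LAN_IF" ]; then
        echo "WAN_IF and LAN_IF must differ" >&2
        return 1
    fi

    # Start from a clean nat table and FORWARD chain.
    $IPT -t nat -F
    $IPT -F FORWARD

    # Forward nothing unless one of the rules below allows it.
    $IPT -P FORWARD DROP

    # Replies to connections that LAN clients opened
    # (newer systems spell this -m conntrack --ctstate).
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New connections are only accepted from the LAN towards the Internet.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT

    # Rewrite source addresses only on the Internet-facing link.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Apply only when called as "rc.nat start"; sourcing the file changes nothing.
if [ "${1:-}" = "start" ]; then
    nat_gateway && enable_forwarding
fi
```

For a gateway with a fixed address on an Ethernet link, set `WAN_IF` to that interface, as described in the post above.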
Title: Internet Sharing in Linux / NAT How to
Post by: renato on May 21, 2005, 10:15:52 PM
Hello pals,
Great tutorial, but I'm also concerned about security, so I'd like to know if you can give us some more specific details how to get a firewall installed and configured.
Where can we get your firewall script?
How to install it and configure it so it'll work with this NAT setup?
Have you tested other firewalls such as APF?
http://www.r-fx.org/apf.php

cheers,

renato
Title: Internet Sharing in Linux / NAT How to
Post by: Ricky on May 23, 2005, 10:58:36 AM
Not used that one..
I prefer to make the script myself according to my need.
Title: Internet Sharing in Linux / NAT How to
Post by: renato on May 23, 2005, 03:42:55 PM
Hi Ricky,
Where can I find the firewall script you are mentioning a couple of posts above?
I'd like to integrate it with this NAT solution so the system and the LAN are protected.

cheers
Title: Re: Internet Sharing in Linux / NAT How to
Post by: taiwo on August 03, 2005, 06:13:17 PM
Pls, is the explanation regarding NAT also applicable to those using DSL? 'Cos I saw ppp in the syntax.
Title: Internet Sharing in Linux / NAT How to
Post by: Ricky on August 06, 2005, 02:33:41 PM
When you are connected to the internet, run "ifconfig", and if it shows your DSL as eth1 or eth0 then change ppp0 to that one, and if it shows it as ppp0 then keep it ppp0!
Title: setting up iptables rules with some granularity
Post by: anybody1234 on December 26, 2005, 05:15:01 AM
Hello

I have a requirement for iptables rules as follows.

I need a script for iptables with some configuration options, such that
I should be able to make changes in the iptables script for allowing or disallowing requests made by specific clients on specified ports.
Suppose my clients have their default gateway set to my Linux box.

What I would like is to block/disallow requests made by clients on port 80 while allowing the requests made on ports 25 and 110.

But what I would like to have is some granularity, i.e.
if the requests come from specific IP addresses I should have the option of allowing them directly through port 80.

Would anybody please give me a step-by-step process, assuming that I am starting from scratch?
I also remember I saw a similar script in this forum which does almost the same, but I can't locate where it is now.
Title: Internet Sharing in Linux / NAT How to
Post by: anybody1234 on December 26, 2005, 11:31:53 AM
To be more specific, I would use the following commands.

Please let me know if I go wrong anywhere.

echo "1" > /proc/sys/net/ipv4/ip_forward

for forwarding packets,
and the iptables masquerading rule as
#######################################
iptables -t nat -A POSTROUTING -j MASQUERADE
#####################################
/usr/sbin/iptables-save
##########very imp
iptables-save  > /etc/sysconfig/iptables.rules


Now all the requests through my gateway would be allowed.
For blocking requests made on port 80 by all, I would add the following rule
###******** this rule blocks all requests coming on port 80 ******************
iptables -A FORWARD -i eth0 -p tcp -m tcp --dport 80 -j DROP
#*****************************************************

Now I would like to make an exception for IP addresses 192.168.0.82, 192.168.0.110

I would add rule

iptables -A FORWARD -i eth0 -p tcp -m tcp -s ! 192.168.0.82,192.168.0.110 --dport 80 -j DROP

Now, if at any stage I felt I needed to remove this rule, what I would have done manually is

iptables -D FORWARD -i eth0 -p tcp -m tcp --dport 80 -j DROP
and
iptables -D FORWARD -i eth0 -p tcp -m tcp -s ! 192.168.0.82,192.168.0.110 --dport 80 -j DROP

Now I want a script to do the same thing with a start/stop option.
I think our experts can give me a simple script to do the same.
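One way to write the start/stop script asked for above, as an added example that is not from the thread: each exempt client gets its own rule in a separate chain (iptables rejects `!` combined with a comma-separated address list), and the jump is inserted at the top of FORWARD so it is evaluated before the blanket `--in-interface eth0 -j ACCEPT` rule from rc.nat. The chain name WEBFILTER and the `IPT`, `LAN_IF` and `EXEMPT` variables are assumptions of this example; the two addresses are the ones given in the post.

```shell
#!/bin/sh
# Added example (not from the thread): block forwarded port 80 for LAN clients,
# except for a list of exempt addresses, with start/stop handling.

IPT=${IPT:-/sbin/iptables}            # IPT=echo gives a dry run
LAN_IF=${LAN_IF:-eth0}                # LAN-facing interface, as in the thread
EXEMPT="192.168.0.82 192.168.0.110"   # clients allowed to use port 80 directly
CHAIN=WEBFILTER                       # hypothetical chain name for these rules

web_filter() {
    case "$1" in
    start)
        # Remove a previous instance first so that "start" can be repeated.
        web_filter stop >/dev/null 2>&1 || true
        $IPT -N "$CHAIN"
        # One rule per exempt client: RETURN hands the packet back to
        # FORWARD, where the normal NAT rules decide what happens to it.
        for ip in $EXEMPT; do
            $IPT -A "$CHAIN" -s "$ip" -j RETURN
        done
        # Every other client that reaches this chain is dropped.
        $IPT -A "$CHAIN" -j DROP
        # Rule 1 in FORWARD: an appended DROP would sit behind the ACCEPT
        # rule that rc.nat adds and would never match.
        $IPT -I FORWARD 1 -i "$LAN_IF" -p tcp --dport 80 -j "$CHAIN"
        ;;
    stop)
        $IPT -D FORWARD -i "$LAN_IF" -p tcp --dport 80 -j "$CHAIN"
        $IPT -F "$CHAIN"
        $IPT -X "$CHAIN"
        ;;
    *)
        echo "usage: $0 {start|stop}" >&2
        return 2
        ;;
    esac
}

# Run only when an argument is given; sourcing the file changes nothing.
if [ "$#" -gt 0 ]; then
    web_filter "$@"
fi
```

Because the whole policy lives in one chain, adding or removing an exempt client means editing `EXEMPT` and running `start` again.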
Title: Internet Sharing in Linux / NAT How to
Post by: Ricky on December 26, 2005, 08:28:50 PM
Basically this thread is about discussing NAT in Linux. I request you to start a new thread in the General networking section about this firewall stuff. The thing you have asked is simple but will take a little time, so I think it will be better to discuss it separately to give it full preference. BTW.. you are right. I have already given so many solutions for it that you can find the answer already posted in the forum, so better try to find it once more, else I am always here to solve the problems which I can solve.
Title: transparent proxy!
Post by: ruejos08 on August 03, 2006, 03:05:30 AM
Will the transparent proxy solve my problem?

My squid is already running (not transparent) but I cannot access my POP3 mail through my Windows client using Outlook Express.
Here's the error I encountered in my Windows client!
Protocol POP3: Port 110 , Secure (SSL): No, Socket Error: 11004, Error Number: 0x800ccc0D
Please help.
Title: Internet Sharing in Linux / NAT How to
Post by: protyne on August 24, 2006, 03:35:43 PM
Hi Ricky,

My ISP provides a DNS server IP. How do I set it on my Linux-NAT so that my DHCP server only need to dish out IP, Subnet Mask and Gateway only with DNS queries being handled by the Linux-NAT?

Thank you!
Title: Internet Sharing in Linux / NAT How to
Post by: dedi on December 06, 2006, 02:31:44 AM
Quote from: "Ricky"
Yes..
by this method ie NAT you can do all you want !

 
particularly when your ISP set TTL=1  :wink:
Title: Re: Internet Sharing in Linux / NAT How to
Post by: arvindsony on May 19, 2009, 11:38:28 AM
thanks info