HOWTO quick routing

From Gentoo Linux Wiki



This article is part of the HOWTO series.


The Dirty Way

Routing schematic: internet <-> server <-> client

  • the network server is 10.8.0.1
  • the client is 10.8.0.2
  • it is also assumed that you have enabled routing (IP forwarding) in the server's kernel (if not, find the option with make xconfig and recompile your kernel); without it the server script will not display:
0
1
1
0
  • it is assumed that the server and the client can ping each other...

If not, type on the server:

ifconfig eth0 10.8.0.1 netmask 255.255.255.0

Type on the client:

ifconfig eth0 10.8.0.2 netmask 255.255.255.0


There are 2 scripts:

Server

#!/bin/sh
# Show, enable and re-check IP forwarding (routing) in the kernel
cat /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_forward
cat /proc/sys/net/ipv4/ip_forward

# Show, disable and re-check reverse-path filtering. Note that rp_filter=0
# switches off the kernel's own check against spoofed source addresses, so
# the iptables rules below become the only source filter.
cat /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
cat /proc/sys/net/ipv4/conf/all/rp_filter

echo "should be 0110"

# Masquerade everything leaving through the NIC connected to the internet.
# This assumes that eth0 is your uplink.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# The FORWARD chain sees the client's address (10.8.0.2), not the server's
# own 10.8.0.1, so the LAN network has to be matched here, not the server IP.
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -d 10.8.0.0/24 -j ACCEPT
# Prevent other source addresses from being forwarded through eth0.
# Current iptables expects the "!" before the option ("! -s", not "-s !").
iptables -A FORWARD ! -s 10.8.0.0/24 -j DROP

Client

route add default gw 10.8.0.1

If it doesn't work, ping www.gentoo.org on the server and write down the IP. Then ping the same IP on the client: if that works but pinging www.gentoo.org doesn't, name resolution is the problem and you'll need to edit /etc/resolv.conf on the client. See the Gentoo manual for more information on this.

The Better, permanent way

I'm assuming both the server/gateway (10.8.0.1) and the client have their network settings working properly. Keep in mind that doing this with only one network card is unsafe, since you'll have to filter the clients by IP address, and that can be spoofed.

Enabling kernel forwarding

In the gateway, edit /etc/sysctl.conf with your favourite editor and add (or change) the following:

net.ipv4.ip_forward=1

If you don't want to wait for a reboot, just issue the following as root:

echo "1" > /proc/sys/net/ipv4/ip_forward

Enabling iptables masquerading

Add the following to the iptables rules of the gateway (change the network accordingly):

# Enable masquerading on the uplink interface (assumed to be eth0)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Allow all clients from our LAN to be forwarded through the gateway
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -d 10.8.0.0/24 -j ACCEPT
# Prevent other source addresses from being forwarded through eth0
# (current iptables expects "! -s", not "-s !")
iptables -A FORWARD ! -s 10.8.0.0/24 -j DROP

Configuring the client

Simply remove the old default route and add this new one:

route del default
route add default gw 10.8.0.1

Troubleshooting

If your client(s) can't access the internet through the gateway, make sure these iptables rules weren't added AFTER the "drop-all" rule (iptables -A INPUT -j DROP) common to most rulesets.
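As an added check (not part of the original HOWTO), the following POSIX sh script audits the two things this article sets up: that forwarding is on (warning when rp_filter was zeroed, since that switches off the kernel's reverse-path anti-spoofing check) and that the LAN ACCEPT rules sit before any unconditional DROP in the FORWARD chain. The function names, the LAN value and the sample rule listings are assumptions constructed for the example.

```sh
#!/bin/sh
# Added audit script, not from the original HOWTO. It checks the gateway state
# this article configures. Functions take their input as arguments so they can
# be run against constructed samples as well as the live system.

LAN="10.8.0.0/24"          # assumed LAN, matches the article's example network

# forwarding_ok <ip_forward value> <rp_filter value>
# Returns 0 when ip_forward is 1. Warns when rp_filter is 0: the "dirty"
# script zeroes it, which switches off the kernel's reverse-path anti-spoofing
# check, so the iptables source filter becomes the only protection.
forwarding_ok() {
    [ "$1" = "1" ] || { echo "ip_forward is '$1', expected 1" >&2; return 1; }
    [ "$2" = "0" ] && echo "warning: rp_filter is 0 (reverse-path filtering off)" >&2
    return 0
}

# forward_rules_ordered <output of iptables -S FORWARD> <lan cidr>
# Returns 0 when an ACCEPT rule for the LAN precedes the first unconditional
# "-A FORWARD -j DROP" (the ordering problem from Troubleshooting), else 1.
forward_rules_ordered() {
    printf '%s\n' "$1" | awk -v lan="$2" '
        /^-A FORWARD / && / -j ACCEPT$/ && index($0, lan) && !accept { accept = NR }
        /^-A FORWARD -j DROP$/ && !drop { drop = NR }
        END { exit !(accept && (!drop || accept < drop)) }'
}

# Constructed sample listings in "iptables -S FORWARD" format.
SAMPLE_GOOD='-P FORWARD ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -d 10.8.0.0/24 -j ACCEPT
-A FORWARD ! -s 10.8.0.0/24 -j DROP'
SAMPLE_BAD='-P FORWARD ACCEPT
-A FORWARD -j DROP
-A FORWARD -s 10.8.0.0/24 -j ACCEPT'

# Live check against the running gateway (needs root); not run automatically.
live_check() {
    forwarding_ok "$(cat /proc/sys/net/ipv4/ip_forward)" \
                  "$(cat /proc/sys/net/ipv4/conf/all/rp_filter)" || return 1
    forward_rules_ordered "$(iptables -S FORWARD)" "$LAN"
}

for s in "$SAMPLE_GOOD" "$SAMPLE_BAD"; do
    if forward_rules_ordered "$s" "$LAN"; then echo "FORWARD rules ordered OK"
    else echo "LAN ACCEPT rules sit after a drop-all rule"; fi
done
```

Run live_check as root on the gateway to apply the same checks to the running ruleset.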

If you get output similar to "iptables v1.4.1.1: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)", check that, in addition to the standard iptables options, you also have the following kernel options enabled: Networking -> Network options -> Netfilter -> Core Netfilter Configuration:

  • Netfilter connection tracking support
  • state match support

Networking -> Network options -> Netfilter -> Core Netfilter Configuration:

  • IPv4 connection tracking support

You can find more information about correctly setting up iptables under HOWTO_Iptables_for_newbies.

Note: I haven't used Gentoo for a long time, I no longer remember the Gentoo Way (tm) to do this. 89.180.41.40 13:45, 30 July 2007 (UTC)