
#1 2004-05-24 22:15:57

nkw
Member
Registered: 2004-03-26
Posts: 80

Internet connection sharing

Hi, I need to build a router for my home PCs. Any instructions/tutorial on how to build it using Arch Linux? Which modules are necessary (iptables only, or with iproute2?) and what is the best practice for putting the configuration information in the /etc files? Thanks.


#2 2004-05-24 23:41:44

kakabaratruskia
Member
From: Santiago, Chile
Registered: 2003-08-24
Posts: 596

Re: Internet connection sharing

This is how I do it. Hope it helps.
Have this in /etc/rc.d/firewall:

#!/bin/sh
#
# chkconfig: 2345 11 89
#
# description: Loads the rc.firewall-2.4 ruleset.
#
# processname: firewall-2.4
# pidfile: /var/run/firewall.pid
# config: /etc/rc.d/rc.firewall-2.4
# probe: true

# ----------------------------------------------------------------------------
# v05/24/03
#
# Part of the copyrighted and trademarked TrinityOS document.
# http://www.ecst.csuchico.edu/~dranch
#
# Written and Maintained by David A. Ranch
# dranch@trinnet.net
#
# Updates
# -------
# 05/24/03 - removed a old networking up check that had some
#            improper SGML ampersand conversions.
# ----------------------------------------------------------------------------


# Source function library.
. /etc/rc.conf
. /etc/rc.d/functions
# Check that networking is up.

[ "XXXX${NETWORKING}" = "XXXXno" ] && exit 0

[ -x /sbin/ifconfig ] || exit 0

# The location of various iptables and other shell programs
#
#   If your Linux distribution came with a copy of iptables, most
#   likely it is located in /sbin.  If you manually compiled
#   iptables, the default location is in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
IPTABLES=/usr/sbin/iptables


# See how we were called.
case "$1" in
  start)
    stat_busy "Starting Firewall"
    /etc/firewall-2.4
    stat_done
    ;;

  stop)
    stat_busy "Stopping Firewall"
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -F -t nat

    # Delete all User-specified chains
    $IPTABLES -X
    #
    # Reset all IPTABLES counters
    $IPTABLES -Z
    stat_done
    ;;

  restart)
        $0 stop
        $0 start
        ;;

  status)
        $IPTABLES -L
        ;;

  mlist)
    cat /proc/net/ip_conntrack
    ;;

  *)
        echo "Usage: $0 {start|stop|restart|status|mlist}"
        exit 1
esac

exit 0

In the daemon line in /etc/rc.conf, add firewall.
That is for starting the firewall and routing tables. This is the actual script:

#!/bin/sh

# Interface facing the Internet and interface facing the LAN
EXTIF=eth0
INTIF=eth1
IPTABLES=/usr/sbin/iptables
# Enable IPv4 forwarding between the interfaces
echo "1" > /proc/sys/net/ipv4/ip_forward

# Reset the default policies and flush any existing rules
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

# Let replies to LAN-initiated connections back in, let everything from the LAN out,
# and log whatever falls through to the FORWARD DROP policy
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

# Masquerade LAN traffic leaving through the external interface
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

#edit: Save this file as /etc/firewall-2.4. If you want to save it somewhere else or change the name, you'll have to modify the rc script.

By the way, you should give both of these files execution permission (chmod 755 /files/files...)


And where were all the sportsmen who always pulled you though?
They're all resting down in Cornwall
writing up their memoirs for a paper-back edition
of the Boy Scout Manual.


#3 2004-05-25 09:16:33

nkw
Member
Registered: 2004-03-26
Posts: 80

Re: Internet connection sharing

Thanks. Also, I need to set up a DHCP server to dynamically assign IP addresses for the intranet (as well as the default gateway)...


#4 2004-05-25 11:02:36

farphel
Forum Fellow
From: New Hampshire - USA
Registered: 2003-09-18
Posts: 250

Re: Internet connection sharing

Take a look at the 'dnsmasq' Arch package.  It's great for a small home network and does DNS and DHCP.




#5 2004-05-25 21:18:18

kakabaratruskia
Member
From: Santiago, Chile
Registered: 2003-08-24
Posts: 596

Re: Internet connection sharing

I would suggest the same. I used dnsmasq for a long time, and it works pretty well. It also works as a caching DNS server, so it makes access to web pages from PCs inside the network a lot faster (at least here in Chile). Anyway, I prefer using static IPs, and I stopped using it.




#6 2004-05-25 21:26:36

nkw
Member
Registered: 2004-03-26
Posts: 80

Re: Internet connection sharing

Do I still need to do IP masquerading on the router machine, or will dnsmasq handle that too?


#7 2004-05-25 21:40:56

kakabaratruskia
Member
From: Santiago, Chile
Registered: 2003-08-24
Posts: 596

Re: Internet connection sharing

No, it won't; it will just set your hosts' IPs and give them the DNS info.




#8 2004-06-07 06:20:21

nkw
Member
Registered: 2004-03-26
Posts: 80

Re: Internet connection sharing

Just found that, when using your script, I cannot connect to some FTP servers. Any way to allow all kinds of connections? I just need to route everything, no firewall...



#9 2004-06-08 08:08:43

IceRAM
Member
From: Bucharest, Romania
Registered: 2004-03-04
Posts: 772

Re: Internet connection sharing

In /etc/rc.conf make sure you add "ip_conntrack_ftp" to the MODULES=(...) list.

This kernel module checks if FTP active (not passive) connections should be allowed, opens the ports appropriately and closes them when the transfer is done.

Hope that helps.

IceRAM

P.S. I don't know if it works on forwarded connections, because I don't use iptables as a router.


#10 2004-06-08 15:01:33

nkw
Member
Registered: 2004-03-26
Posts: 80

Re: Internet connection sharing


Thanks, I will try it soon. Don't know why FTP needs a kernel module to handle it while some other protocols can be handled well...

BTW, what else can be used to do IP forwarding? Is iptables the best one? (since it can be a firewall at the same time?)


#11 2004-06-09 05:24:04

nkw
Member
Registered: 2004-03-26
Posts: 80

Re: Internet connection sharing

Added "ip_conntrack_ftp" to the MODULES list and rebooted, but FTP still doesn't work...



#12 2004-06-09 08:57:21

IceRAM
Member
From: Bucharest, Romania
Registered: 2004-03-04
Posts: 772

Re: Internet connection sharing

nkw wrote:

Don't know why FTP needs a kernel module to handle it while some other protocols can be handled well...

Well, FTP does not need a kernel module to handle connections.
iptables is built into the kernel (or as modules). Therefore, to extend iptables' functionality, you can add modules to the kernel. As you probably know, active connections require port 20/21 (I think) to be opened. If a transfer is started, a new port (high port > 32000, I think; check the specs for detailed info) is opened and the transfer is done on that connection. The module I suggested tracks all the requests on port 20/21 for file transfers and opens the corresponding high ports in the firewall, closing them down when the transfers are done.

nkw wrote:

btw, what else can be used to do ip forward? Is iptables the best one? (since it can be firewall at the sametime?)

I personally don't know anything else for IP forwarding (all the scripts for IP forwarding are based on iptables, as far as I know).

I use gShield to create my firewall rules. Check http://bbs.archlinux.org/viewtopic.php? … ht=gshield .
It seems to be quite powerful, although I don't use all its capabilities. It also has nice support for routing (check /etc/firewall/routables after install). Maybe it will get into the Arch repositories.


#13 2004-06-09 23:39:49

kakabaratruskia
Member
From: Santiago, Chile
Registered: 2003-08-24
Posts: 596

Re: Internet connection sharing

Remove this:

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

and change this:

$IPTABLES -P FORWARD DROP

by this:

$IPTABLES -P FORWARD ACCEPT

This isn't a very good policy, but if you want so...

By the way, I fused the two scripts into one, so that it'll be easier.
Here is my new firewall. Just remove /etc/firewall-2.4 and place this new one in /etc/rc.d/firewall (and give it exec rights: chmod 755 /etc/rc.d/firewall):

#!/bin/sh
#
# Source function library.
. /etc/rc.conf
. /etc/rc.d/functions
# Check that networking is up.
[ "XXXX${NETWORKING}" = "XXXXno" ] && exit 0
[ -x /sbin/ifconfig ] || exit 0

# The location of various iptables and other shell programs
IPTABLES=/usr/sbin/iptables
EXTIF=eth0
INTIF=eth1

# See how we were called.
case "$1" in
  start)
        stat_busy "Starting Firewall"
        echo "1" > /proc/sys/net/ipv4/ip_forward

        $IPTABLES -P INPUT DROP
        $IPTABLES -F INPUT
        $IPTABLES -A INPUT -i lo -j ACCEPT
        $IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPTABLES -A INPUT -i $INTIF -j ACCEPT


        $IPTABLES -P OUTPUT ACCEPT
        $IPTABLES -F OUTPUT 


        $IPTABLES -P FORWARD DROP
        $IPTABLES -F FORWARD
        $IPTABLES -t nat -F
        $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
        $IPTABLES -A FORWARD -j LOG
        $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
        stat_done
        ;;

  stop)
        stat_busy "Stopping Firewall"
        $IPTABLES -P FORWARD DROP
        $IPTABLES -F FORWARD
        $IPTABLES -F -t nat

        # Delete all User-specified chains
        $IPTABLES -X
        #
        # Reset all IPTABLES counters
        $IPTABLES -Z
        stat_done
        ;;

  restart)
        $0 stop
        $0 start
        ;;

  status)
        $IPTABLES -L
        ;;

  mlist)
        cat /proc/net/ip_conntrack
        ;;

  *)
        echo "Usage: $0 {start|stop|restart|status|mlist}"
        exit 1
esac

exit 0

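As an added example (not code from this thread or from the posters), here is the alternative to setting the FORWARD policy to ACCEPT: keep the stateful ruleset from the scripts above and load the FTP helper IceRAM mentioned together with ip_nat_ftp, which rewrites the FTP control payload for masqueraded hosts so that active-mode transfers work through NAT on 2.4-era kernels (the RELATED match then admits the data connection). The interface names, LAN subnet and iptables path are assumptions; DRY_RUN=1 (or the show argument) prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example: stateful NAT router rules that keep FORWARD at DROP and
# rely on the FTP conntrack/NAT helpers instead of accepting everything.
# EXTIF, INTIF, LANNET and IPTABLES are assumptions; override them via the environment.
EXTIF=${EXTIF:-eth0}                   # interface facing the Internet
INTIF=${INTIF:-eth1}                   # interface facing the LAN
LANNET=${LANNET:-192.168.1.0/24}       # private subnet behind the router (assumed)
IPTABLES=${IPTABLES:-/usr/sbin/iptables}
DRY_RUN=${DRY_RUN:-0}

run() {
    # Print the command in dry-run mode, otherwise execute it.
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

load_ftp_helpers() {
    # ip_conntrack_ftp watches the control channel (port 21) and marks the
    # data connection RELATED; ip_nat_ftp also rewrites the PORT/PASV payload
    # for masqueraded hosts. Both are needed for FTP through NAT on 2.4 kernels.
    run modprobe ip_conntrack_ftp
    run modprobe ip_nat_ftp
}

apply_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run "$IPTABLES" -F FORWARD
    run "$IPTABLES" -t nat -F
    run "$IPTABLES" -P FORWARD DROP
    # A packet from the Internet that claims a LAN source address is spoofed.
    run "$IPTABLES" -A FORWARD -i "$EXTIF" -s "$LANNET" -j DROP
    # LAN -> Internet: anything may start a connection; Internet -> LAN: only
    # replies and helper-tracked data channels (ESTABLISHED,RELATED) get through.
    run "$IPTABLES" -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
    run "$IPTABLES" -A FORWARD -i "$EXTIF" -o "$INTIF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Rate-limited log of whatever falls through to the DROP policy.
    run "$IPTABLES" -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    run "$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

case "${1:-}" in
    start) load_ftp_helpers; apply_rules ;;
    show)  DRY_RUN=1; load_ftp_helpers; apply_rules ;;
esac
```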


#14 2004-06-21 06:59:34

lytez
Member
Registered: 2003-11-28
Posts: 16

Re: Internet connection sharing

Can this be done the same using kernel v2.6?


.: lytez :.

