[TriLUG] Linux Routers
Greg Brown
gregbrown at mindspring.com
Mon Oct 7 09:39:58 EDT 2002
I'm doing this at work (and at home) and it works great. However, I am using
ipchains, not iptables, to perform the NAT function (IP masquerade).
In order to do this you'll need a Linux box with two working ethernet cards.
If you are running RH you can check to see how many cards are present by
issuing the following command:
/sbin/ifconfig
When you get both cards in your box you will want to make 100% sure that you
know which ethernet card is connected to the network where you would like to
perform the NAT function and which card is connected to the network where you
would like to route to. For example's sake let's say that eth0 is connected to
the upstream network and eth1 is connected to the new NATed network. You can
configure most of the routing information using linuxconf (i.e. enable
routing, set default gateways, blah).
Note that I'm also using Red Hat 7.1, and you should think about using
iptables rather than ipchains as I hear that ipchains will eventually be
totally replaced by iptables. Anyway, as root do the following:
1. check to see if iptables is running:
(as root)#: chkconfig --list | grep iptables
If iptables is not running you will see a line looking like this:
iptables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
The fields here are as follows: field one (service name, iptables in this
case), field 2 - 6 are the init levels of the box and if the service is on or
off at that particular level. If ipchains were active at init levels 3-5 the
line you just saw would appear like this:
iptables 0:off 1:off 2:off 3:on 4:on 5:on 6:off
Make sense?
Okay, if iptables is not running check to see if ipchains is running:
(as root)#: chkconfig --list | grep ipchains
If both iptables and ipchains are not running enable ipchains by typing:
(as root)#: chkconfig --level 2345 ipchains on
Check to make sure it worked by issuing:
(as root)#: chkconfig --list | grep ipchains
Also you might want to disable ipchains while we are making changes to the
config file. Do this by:
(as root)#: service ipchains stop
Once that is done cd on over to /etc/sysconfig and vi (or use your favorite
text editor) to edit the file ipchains
There's no telling what's in there at this point but here's how it's laid out:
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 22:22 -p 6 -j ACCEPT
The fields you want to be concerned with are the second one (input, forward)
and the last field ACCEPT, DENY, MASQ or others. The example I gave above
simply tells ipchains to allow port 22 (ssh) from any machine on any host
(internal interface or external interface). You'll get the hang of the file
format quickly.
To enable IP Masq (NAT) which would allow multiple IP addresses to pass
through one single ip address you would add the following line to
/etc/sysconfig/ipchains as the first line - we are also going to assume that
eth0 connects to the upstream network and eth1 is the new network which you
are creating and we're also going to assume that the new network has the ip
address range of 192.168.15.x -
-A forward -s 192.168.15.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j MASQ
NOTE that with this command you are telling which interface to NAT THROUGH
(eth0) not NAT FROM (eth1). That detail took me hours to find when I first
tried this. The rest of the lines in ipchains can be the ports that you want
to open up (you can get the numbers by grepping for the service name in
/etc/services) and, as the last line of ipchains, add a deny all. So, with IP
Masq enabled and secure shell, web, and secure ftp ports open your ipchains
file would look something like this:
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A forward -s 192.168.15.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j MASQ
-A input -s 192.168.15.205/32 -d 0.0.0.0/0.0.0.0 -i eth0 -j DENY
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 22:22 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 80:80 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 115:115 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 443:443 -p 6 -j ACCEPT
# uncomment the line below if you want to use AIM
# -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 5190:5190 -p 6 -j ACCEPT
# uncomment the line below if you want to use LimeWire
# -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 6346:6346 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 8008:8008 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p 6 -j DENY -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth1 -p 6 -j DENY -y
Then just restart ipchains:
(as root)#: service ipchains start
and you should be good to go. You might want to think about enabling DHCP as
well, it makes life so much easier.
Now your default gateway for all your devices on your new network is whatever
the IP address is for eth1.
I might have missed something, but I think that's about it.
I hope this helps!
Greg
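Since the post recommends moving to iptables eventually, here is an added example (my code, not Greg's and not anything shipped by Red Hat) that parses the /etc/sysconfig/ipchains layout described above and emits the equivalent iptables commands, carrying the "-i means the interface to NAT through" detail over as -o on the nat/POSTROUTING chain. The chain, target and protocol lookup tables and the SAMPLE rule list are my own assumptions, built from the lines shown in the post.

```python
import ipaddress
import shlex
CHAINS = {"input": "INPUT", "forward": "FORWARD", "output": "OUTPUT"}  # iptables chain names
TARGETS = {"ACCEPT": "ACCEPT", "DENY": "DROP", "REJECT": "REJECT"}      # ipchains DENY is iptables DROP
PROTOS = {"6": "tcp", "17": "udp", "1": "icmp"}                         # numeric -p values
# Constructed sample in the layout of the /etc/sysconfig/ipchains file shown in the post.
SAMPLE = [":input ACCEPT",
          "-A forward -s 192.168.15.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j MASQ",
          "-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 22:22 -p 6 -j ACCEPT",
          "-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p 6 -j DENY -y"]
def cidr(spec):  # ipchains 'addr/dotted-mask' -> CIDR; 0.0.0.0/0.0.0.0 becomes 0.0.0.0/0
    return str(ipaddress.ip_network(spec, strict=False))

def convert_rule(line):
    """Translate one ipchains rule-file line into an iptables command (None for comments)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(":"):                       # ':input ACCEPT' sets the chain policy
        chain, policy = line[1:].split()
        return f"iptables -P {CHAINS[chain]} {TARGETS[policy]}"
    tok, opts, ports, syn, i = shlex.split(line), {}, {}, False, 0
    while i < len(tok):
        t = tok[i]
        if t == "-y":                              # -y matches TCP SYN packets only
            syn, i = True, i + 1
        elif t in ("-A", "-s", "-d", "-i", "-p", "-j"):
            opts[t], i = tok[i + 1], i + 2
            # ipchains lets a port range ('22:22') follow the -s/-d address directly
            if t in ("-s", "-d") and i < len(tok) and tok[i][0].isdigit():
                ports[t], i = tok[i].split(":")[0], i + 1
        else:
            raise ValueError(f"unsupported token {t!r} in: {line}")
    if opts.get("-j") == "MASQ":
        # On a MASQ rule ipchains -i names the interface to NAT *through* (the post's
        # "took me hours" detail); iptables expresses that as -o on nat/POSTROUTING.
        return (f"iptables -t nat -A POSTROUTING -s {cidr(opts['-s'])}"
                f" -o {opts['-i']} -j MASQUERADE")
    parts = ["iptables", "-A", CHAINS[opts["-A"]]]
    parts += ["-i", opts["-i"]] if "-i" in opts else []
    for flag in ("-s", "-d"):                      # 'any' is the default, so omit it
        if flag in opts and cidr(opts[flag]) != "0.0.0.0/0":
            parts += [flag, cidr(opts[flag])]
    parts += ["-p", PROTOS.get(opts["-p"], opts["-p"])] if "-p" in opts else []
    for flag, opt in (("-s", "--sport"), ("-d", "--dport")):
        parts += [opt, ports[flag]] if flag in ports else []
    return " ".join(parts + (["--syn"] if syn else []) + ["-j", TARGETS[opts["-j"]]])
def convert_file(lines=SAMPLE):
    return [r for r in map(convert_rule, lines) if r]
```

Note that the DENY -y lines in the post only match TCP SYN, so the translated --syn rules likewise leave UDP untouched; that is the post's policy reproduced, not tightened.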
On Monday 07 October 2002 08:39 am, you wrote:
> I was wondering if anyone has tried making a Linux router to do Network
> Address Translation. I am thinking about making one to try here at work
> but if people have not had good luck with them I don't want to waste my
> time. I would like to use RedHat if possible b/c that is the flavor I know
> best of all. Any suggestions or comments that could help are greatly
> appreciated.
>
>
> John
>
> _______________________________________________
> TriLUG mailing list
> http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ:
> http://www.trilug.org/~lovelace/faq/TriLUG-faq.html