setting linux as gateway



  1. #1

    In my office a Windows XP machine is used as a gateway to the internet.

    Of the two NICs, one is connected to the local network (IP numbers from 192.168.0.129 onwards, netmask 255.255.255.192) and this gateway machine has the NIC address 192.168.0.129.

    The other NIC - internet broadband connection - has its address assigned by DHCP

    (192.168.1.1)

    Internet is available on all local machines by sharing the internet interface of the gateway machine.

    Now I want to replace this Windows XP gateway machine with a Debian Linux machine. I have already installed Debian lenny and am getting internet on the Debian machine.

    But I am a little confused.

    Is it required to activate ip_forward for getting Internet to the other local machines?

    Is it required to set up iptables/masquerading for the internet connection sharing?

  2. #2
    I believe you can create a "route" from one network to the other. But I have installed shorewall (aptitude install shorewall) and when you configure that, the route will be made too. Be sure to read a Debian-specific document; there was some special file you had to edit.

  3. #3
    At a low level...

    Quote Originally Posted by sunils1973:
    Is it required to activate ip_forward for getting Internet to the other local machines?
    Yes. Without that setting, your Linux box will not forward the traffic that it receives on its internal interface, out to its external interface.

    (Actually the forwarding logic is a lot more complicated than that, but you don't have to worry about it when you only have two NICs and are doing extremely simple packet forwarding. I've seen Linux setups handle five distinct network interfaces, some of which were VLANs but were still showing up as different interfaces, with vastly different forwarding rules between each pair of networks.)

    Is it required to set up iptables/masquerading for the internet connection sharing?
    Maybe. Masquerading makes it easier for the Internet connection to forward response packets back to whichever machine actually made the request. (Two levels of NAT doesn't help either, but ... meh, whatever.) If you masq the traffic, then the router upstream of your Linux box doesn't need to have a route to your internal subnet.

    iptables is much more than just a way to do masquerading, though it is what you use to do that as well. It's a giant firewall, basically.

    But stepping back a level, I'd say you probably just want to install a wrapper around these things. I've heard good things about Shorewall, as folkert suggested. There are a few others, but see if that works for you first.

  4. #4
    I can add a route with the route command (I prefer the all-command-line way and don't like to use any GUI packages to do the work).

    But how can I add a route to the external interface? It is dynamically assigned.

    From the replies, I conclude:

    1) ip forward is necessary

    2) It is not necessary to do iptables

    I may be wrong.

    Could you please give the details of route and iptables which are necessary
    and the commands I need to execute?

  5. #5
    You can always check out Firestarter. I've tried it out for simple packet forwarding.

  6. #6
    Quote Originally Posted by sunils1973:
    But how can I add a route to the external interface? It is dynamically assigned.
    No, the external interface on the machine with two NICs. If that's dynamically assigned (...but why?), then whatever does the dynamic assignment should be adding the proper routes as well (probably just a 0.0.0.0/0 route). The kernel uses the standard routing table for these packet flow decisions...

    From the replies, I conclude

    1) ip forward is necessary

    2) It is not necessary to do iptables
    Not quite.

    2) is only true IF the plastic box on the other end of your external interface knows the routes to your internal network. It does not by default, and given the general configurability of these devices, it probably can't be told, either. It's certainly easier to use SNAT and avoid having to tell it. And SNAT requires iptables.

    Could you please give the details of route and iptables which are necessary
    and the commands I need to execute?
    This info can be found in the many, many "how to masquerade using iptables" guides that are floating around the Internet. A "how to think in iptables" guide, if it exists, will also be helpful (but I more or less picked it up by using iptables for a few years).

  7. #7
    I've tried to do this stuff ages ago and I had no problems simply doing the IP_FORWARD stuff. However, I've also tried it recently and it doesn't seem to work anymore.

    I suspect that changes have now been made and it may be necessary to bridge the two interfaces instead. I'll look into it and get back to you.

    James

  8. #8
    Is it sufficient?

    iptables -A FORWARD -i eth1 -j ACCEPT

  9. #9
    Quote Originally Posted by sunils1973:
    Is it sufficient?

    iptables -A FORWARD -i eth1 -j ACCEPT
    Same answer as last time: Not entirely.

    This is sufficient if the default policy on the FORWARD table is DROP, and your upstream router knows how to get back to your internal subnet. But since your upstream router doesn't know how to get back to your internal subnet, you need to SNAT. (Or MASQUERADE, if the outer IP is subject to change.)

    The iptables manpage will explain that MASQUERADE is only a valid jump target in the "nat" table and in the "POSTROUTING" chain. You don't want any options, just match on the outgoing interface and let the kernel do whatever it needs to do...
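    Putting posts #3, #6 and #9 together (ip_forward on, FORWARD policy DROP, and a MASQUERADE rule in the nat POSTROUTING chain), here is an added example script that is not from the thread. It assumes eth0 is the DHCP-assigned external NIC and eth1 the internal NIC on 192.168.0.128/26 (the 255.255.255.192 subnet from post #1); it prints the commands by default and only applies them when run as root with APPLY=1.

    ```shell
    #!/bin/sh
    # Added example: minimal Debian NAT gateway. Interface names and the
    # internal subnet are assumptions; adjust them to your machine.
    WAN="${WAN:-eth0}"                     # external NIC, address from DHCP
    LAN="${LAN:-eth1}"                     # internal NIC, 192.168.0.129
    LAN_NET="${LAN_NET:-192.168.0.128/26}" # 192.168.0.129-190, mask .192

    # Emit the commands as text so they can be reviewed before being applied.
    gateway_rules() {
        cat <<EOF
    sysctl -w net.ipv4.ip_forward=1
    iptables -P FORWARD DROP
    iptables -F FORWARD
    iptables -A FORWARD -i $WAN -o $LAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
    iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
    EOF
    }
    # Why these rules: with a DROP policy, post #8's single "-i eth1 ACCEPT"
    # line lets packets out but drops the replies coming back in on the WAN
    # side, hence the ESTABLISHED,RELATED rule. The "-s $LAN_NET" match keeps
    # spoofed source addresses from being forwarded or masqueraded. To survive
    # a reboot, put net.ipv4.ip_forward=1 in /etc/sysctl.conf and save the
    # rules with iptables-save.

    # Count the rules a given iptables chain would receive (used for review).
    rules_for_chain() {
        gateway_rules | grep -c -- " -A $1 "
    }

    if [ "${APPLY:-0}" = "1" ]; then
        gateway_rules | sh -e        # must be root
    else
        gateway_rules
    fi
    ```
    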
