Setting Up a Linux Gateway

 in
Setting up a Linux gateway can be a rewarding experience in both home and commercial environments.

Networks are extremely common these days—you see them in businesses, schools, even homes. Networking is popular because it allows users to share resources. You can share files, printers and a myriad of other devices in a network. Now, wouldn't it be great if you could share an Internet connection? With Linux, you can.

Setting up Linux as an Internet gateway is not difficult to do. A Linux gateway allows two or more computers to use the Internet at the same time. While doing so, only the gateway's IP address will be visible on the Internet. The rest of the computers will be “hidden” behind the gateway. This is called IP masquerading.

What can you do with this setup? Well, if you have four computers connected to the gateway, you can surf the Web from any of the four computers at the same time. You can run telnet sessions, go on IRC (Internet relay chat), read newsgroups, etc.—almost anything you can do on the Internet can be done. Of course, there are certain things that may need your attention, and I will discuss them as well as setting up both Linux and Windows machines to use the gateway.

What You Need

First of all, you need a working TCP/IP network. I assume your network is up and running, and all your machines are able to “see” each other.

I will discuss setting up IP masquerading using Linux kernel 2.2.x and ipchains 1.3.x. If for some reason you are running an early kernel such as 1.x.x, please refer to Chris Kostick's articles on IP masquerading in issues 27 and 43 of Linux Journal.

Also, please make sure you have a copy of the Linux IP Masquerade mini HOWTO (http://ipmasq.cjb.net/) by Ambrose Au and David Ranch. It contains much more detailed information on setting up IP masquerading, including setting up Macintosh and Windows NT clients. It also contains a useful FAQ should you run into problems. This article is based on that mini HOWTO as well as personal experience.

I also assume you are familiar with basic Linux system administration, and that you know how to recompile your kernel and modify your init scripts.

What Do You Want to Do?

The next thing to figure out is what you want to do. How many machines are on the network? Which machine do you wish to set up as the gateway? Which machines will be the clients? What operating system is each machine running? The answers to these questions can be complex and unique, so for the purposes of this article, we will use the setup shown in Figure 1. This is a three-node network with a Linux gateway (antioch), a Linux client (nazareth) and a Windows 95 client (lystra).

Figure 1. Gateway Setup

Setting Up the Gateway

Let's start by setting up the gateway, which in our case is antioch (192.168.0.1). Antioch runs Linux 2.2.x, and in order for it to become a gateway, we need to turn on certain kernel options. My gateway has the kernel options shown in Table 1 turned on.

Table 1

After booting our newly compiled kernel, we will have to load a few kernel modules using either insmod or modprobe:

/sbin/insmod ip_masq_user
/sbin/insmod ip_masq_raudio
/sbin/insmod ip_masq_ftp
/sbin/insmod ip_masq_irc

It would be wise to add these lines into one of your init scripts so they will run on every startup. There are other kernel modules related to IP masquerading; for a full list, type the command

/sbin/modprobe -l | grep ip_masq
Linux 2.2 does not turn on IP forwarding by default. To find out whether IP forwarding is switched on, check the contents of the file /proc/sys/net/ipv4/ip_forward. If it is 0, IP forwarding is off; if 1, it is on.
# cat /proc/sys/net/ipv4/ip_forward
0
# echo "1" > /proc/sys/net/ipv4/ip_forward
# cat /proc/sys/net/ipv4/ip_forward
1
Again, it is wise to add the line which turns on IP forwarding (the one with the echo command) to one of your init scripts.

Now we come to an interesting situation. How do we know who gets to use the gateway and who doesn't? This is where ipchains comes in. My current policy is to deny access to the gateway from everybody unless explicitly allowed. For example, let's say we want only our client machines nazareth and lystra to access our gateway and no one else. In order to do this, we have to issue the following commands:

ipchains -P forward DENY
ipchains -A forward -s 192.168.0.2/255.255.255.0\
  -j MASQ
ipchains -A forward -s 192.168.0.3/255.255.255.0\
  -j MASQ

If, on the other hand, we want everybody on the network 192.168.0.* to use the gateway, we can issue these commands:

ipchains -P forward DENY
ipchains -A forward -s 192.168.0.0/255.255.255.0\
  -j MASQ
Note that we assume the netmask is 255.255.255.0. If your netmask is different, simply change the values accordingly. There are many other things you can do with ipchains; however, they are beyond the scope of this article. I trust that the two simple examples above will get you started. (See also “Building a Firewall with IP Chains” by Pedro Bueno, http://www.linuxjournal.com/lj-issue/issue68/3622.html.)

That's it! The gateway is now up and running. Remember to add the relevant lines to the startup scripts. Also remember to connect to the Internet before testing your gateway. Now let's set up the clients.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

File upload problem

Omar Faruk's picture

I have configured a Linux gateway and all internet connectivity(download) is okey from client pc but problem is file upload or file attached from client pc.Suppose if I want to attach a file in my gmail but I can not attached. And no error message shown whats the problem??? Please give me an solution....

Setting Up a Linux Gateway

Josh's picture

Great! Also refer the following URL for more details.

http://basilvarghese.co.cc/linux-networking/change-gateway.html

Good Article

Rajesh's picture

This is an amazing article,well done lawrence,do post good articles

Update on this info

Rommel's picture

I know this article is several years old now. But if the author or anybody who still reads this, kindly point me to an updated site. I'm using ubuntu and would appreciate any help to set it up as an internet gateway.

Thanks!

Easy gateway/firewall setup for Ubuntu

UbuntuLANman's picture

It's still a good article!

I just got an Ubuntu 6.10 machine configured as a gateway! After perusing the net for a bit, I found out about the firehol package that sets up an iptables-based firewall. Here are the steps I followed to configure my machine:

  1. Install the firehol package. I used synaptic from the menu (Applications => System => Synaptic Package Manager). Simply search for "firehol", mark it for installation, and Apply.
  2. Edit the /etc/firehol/firehol.conf configuration file. See below for the configuration I used.
  3. Edit the /etc/default/firehol file to enable the firewall to come up at boot time and to wait until all necessary network interfaces are up first.
  4. Start the firewall with the firehol start command.
  5. Your LAN machines will need to know how to reach the Internet through your new gateway machine. You can either set up a DHCP server on your gateway, or manually configure each machine on the LAN with a static route. (Since I only have a couple of machines on my LAN, I just manually configured them.)
  6. Your LAN machines will also need to know how to resolve domain names to IP addresses. If you set up your gateway as a DHCP server, it will pass through the nameservers it uses to each LAN machine. Otherwise, you'll need to edit each LAN machine's /etc/resolv.conf file.

That's it!

You should test your setup with the following steps. If any one of these steps doesn't work, check your configuration files and get it working before proceeding to the next step.

  1. From your newly configured gateway, make sure you can ping a non-stealthed network address such as ns.google.com. Make a note of the IP address (ns.google.com was 216.239.32.10 when I wrote this).
  2. From your gateway, make sure you can ping all the machines on your LAN.
  3. Make sure that you can ping the gateway from each of the machines on your LAN.
  4. From each machine on your LAN, make sure you can ping the network IP address you wrote down in the first test. (DNS may not be working yet, so avoid domain names at this point.)
  5. From each machine on your LAN, make sure domain names get resolved correctly. You can use the host command for this. Try the domain name you used in the first step, and try pinging it too.

 

If all five steps worked, your should have a fully working gateway and LAN! To REALLY make sure, reboot your firewall and use the firehol status command to verify the firewall is running.

Here is the /etc/firehol/firehol.conf file I used:

interface eth0 INET
policy drop
protection strong
client all accept
interface eth1 LAN
policy accept
router LAN_2_INET inface eth1 outface eth0
masquerade
route all accept

In my setup, "eth0" is the interface that connects the gateway to my ISP, and "eth1" is the interface that connects the gateway to my LAN.

Here is my /etc/default/firehol file:

START_FIREHOL=YES
#If you want to have firehol wait for an iface to be up add it here
WAIT_FOR_IFACE="eth1"

In my /etc/network/interfaces file, the interface "eth0" occurs before "eth1", so both interfaces will be active before the firewall gets started at boot time.

This firewall configuration is very basic; it assumes all LAN machines are completely trustworthy, and that there are no services running on the gateway or LAN machines that need to be visible to the internet (such as FTP, SSH, or HTTP). That being said, however, firehol looks like it can handle most situations with ease, and is fairly well documented.

I hope this helps! Please note any corrections needed here (if any).

NOTE: Because firehol is a single bash script, it should work on just about any Gnu/Linux distribution with iptables support. (Your mileage may vary.)

wrong URL

Anonymous's picture

"...Linux IP Masquerade mini HOWTO (http://ipmasq.cjb.net/) by Ambrose Au and David Ranch..."

wrong URL, but still interesting nevertheless. LOL

Re: wrong URL

Anonymous's picture

omg! .... next time give a warning about that link to those of us at school

Re: Setting Up a Linux Gateway

Anonymous's picture

thx! :)

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix