Setting Up a Linux Gateway
Networks are extremely common these days—you see them in businesses, schools, even homes. Networking is popular because it allows users to share resources. You can share files, printers and a myriad of other devices in a network. Now, wouldn't it be great if you could share an Internet connection? With Linux, you can.
Setting up Linux as an Internet gateway is not difficult to do. A Linux gateway allows two or more computers to use the Internet at the same time. While doing so, only the gateway's IP address will be visible on the Internet. The rest of the computers will be “hidden” behind the gateway. This is called IP masquerading.
What can you do with this setup? Well, if you have four computers connected to the gateway, you can surf the Web from any of the four computers at the same time. You can run telnet sessions, go on IRC (Internet relay chat), read newsgroups, etc.—almost anything you can do on the Internet can be done. Of course, there are certain things that may need your attention, and I will discuss them as well as setting up both Linux and Windows machines to use the gateway.
First of all, you need a working TCP/IP network. I assume your network is up and running, and all your machines are able to “see” each other.
I will discuss setting up IP masquerading using Linux kernel 2.2.x and ipchains 1.3.x. If for some reason you are running an early kernel such as 1.x.x, please refer to Chris Kostick's articles on IP masquerading in issues 27 and 43 of Linux Journal.
Also, please make sure you have a copy of the Linux IP Masquerade mini HOWTO (http://ipmasq.cjb.net/) by Ambrose Au and David Ranch. It contains much more detailed information on setting up IP masquerading, including setting up Macintosh and Windows NT clients. It also contains a useful FAQ should you run into problems. This article is based on that mini HOWTO as well as personal experience.
I also assume you are familiar with basic Linux system administration, and that you know how to recompile your kernel and modify your init scripts.
The next thing to figure out is what you want to do. How many machines are on the network? Which machine do you wish to set up as the gateway? Which machines will be the clients? What operating system is each machine running? The answers to these questions can be complex and unique, so for the purposes of this article, we will use the setup shown in Figure 1. This is a three-node network with a Linux gateway (antioch), a Linux client (nazareth) and a Windows 95 client (lystra).
Let's start by setting up the gateway, which in our case is antioch (192.168.0.1). Antioch runs Linux 2.2.x, and in order for it to become a gateway, we need to turn on certain kernel options. My gateway has the kernel options shown in Table 1 turned on.
After booting our newly compiled kernel, we will have to load a few kernel modules using either insmod or modprobe:
/sbin/insmod ip_masq_user /sbin/insmod ip_masq_raudio /sbin/insmod ip_masq_ftp /sbin/insmod ip_masq_irc
It would be wise to add these lines into one of your init scripts so they will run on every startup. There are other kernel modules related to IP masquerading; for a full list, type the command
/sbin/modprobe -l | grep ip_masqLinux 2.2 does not turn on IP forwarding by default. To find out whether IP forwarding is switched on, check the contents of the file /proc/sys/net/ipv4/ip_forward. If it is 0, IP forwarding is off; if 1, it is on.
# cat /proc/sys/net/ipv4/ip_forward 0 # echo "1" > /proc/sys/net/ipv4/ip_forward # cat /proc/sys/net/ipv4/ip_forward 1Again, it is wise to add the line which turns on IP forwarding (the one with the echo command) to one of your init scripts.
Now we come to an interesting situation. How do we know who gets to use the gateway and who doesn't? This is where ipchains comes in. My current policy is to deny access to the gateway from everybody unless explicitly allowed. For example, let's say we want only our client machines nazareth and lystra to access our gateway and no one else. In order to do this, we have to issue the following commands:
ipchains -P forward DENY ipchains -A forward -s 192.168.0.2/255.255.255.0\ -j MASQ ipchains -A forward -s 192.168.0.3/255.255.255.0\ -j MASQ
If, on the other hand, we want everybody on the network 192.168.0.* to use the gateway, we can issue these commands:
ipchains -P forward DENY ipchains -A forward -s 192.168.0.0/255.255.255.0\ -j MASQNote that we assume the netmask is 255.255.255.0. If your netmask is different, simply change the values accordingly. There are many other things you can do with ipchains; however, they are beyond the scope of this article. I trust that the two simple examples above will get you started. (See also “Building a Firewall with IP Chains” by Pedro Bueno, http://www.linuxjournal.com/lj-issue/issue68/3622.html.)
That's it! The gateway is now up and running. Remember to add the relevant lines to the startup scripts. Also remember to connect to the Internet before testing your gateway. Now let's set up the clients.
Fast/Flexible Linux OS Recovery
On Demand Now
In this live one-hour webinar, learn how to enhance your existing backup strategies for complete disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible full-system recovery solution for UNIX and Linux systems.
Join Linux Journal's Shawn Powers and David Huffman, President/CEO, Storix, Inc.
Free to Linux Journal readers.Register Now!
- Download "Linux Management with Red Hat Satellite: Measuring Business Impact and ROI"
- Profiles and RC Files
- On Your Marks, Get Set...Gutsy Gibbon!
- Astronomy for KDE
- Understanding Ceph and Its Place in the Market
- Git 2.9 Released
- SoftMaker FreeOffice
- Snappy Moves to New Platforms
- OpenSwitch Finds a New Home
- Maru OS Brings Debian to Your Phone
With all the industry talk about the benefits of Linux on Power and all the performance advantages offered by its open architecture, you may be considering a move in that direction. If you are thinking about analytics, big data and cloud computing, you would be right to evaluate Power. The idea of using commodity x86 hardware and replacing it every three years is an outdated cost model. It doesn’t consider the total cost of ownership, and it doesn’t consider the advantage of real processing power, high-availability and multithreading like a demon.
This ebook takes a look at some of the practical applications of the Linux on Power platform and ways you might bring all the performance power of this open architecture to bear for your organization. There are no smoke and mirrors here—just hard, cold, empirical evidence provided by independent sources. I also consider some innovative ways Linux on Power will be used in the future.Get the Guide