One NIC NAT

Using a DSL-connected Linux box with one NIC to do NAT/masquerading on a home network.

For years I had been content with a 28.8k dial-up connection from my home system to a modem on my computer at work--it was free. The cost of DSL in my area was a little too high for me until competition from the local cable provider brought it down to what I was willing to pay. DSL is great, and because I like to telecommute from home, the extra bandwidth really helps. Also, now that I'm connected full time, I can access my home computer from work as well. Getting DSL working on my Red Hat 8.0 system (rp-pppoe) was only a matter of a few simple clicks.

Then, my wife announced her workplace finally established a Web interface to the MS Exchange mail server. Great, I thought, she can fire up Mozilla on my Linux box and check her work e-mail from home. But when we tried to do that, it was no go. Netscape didn't work either, nor did Konqueror with an IE personality. Okay, I thought, this still isn't a problem--I've got CrossOver Office. So I upgraded IE to version 6, but I still couldn't get to her e-mail. The only thing that would work was IE running on Windows; you've got to love those proprietary protocols.

My wife's laptop runs Windows 98, but after installing the SBC DSL software on another Windows machine, I really didn't want to waste time doing another installation again. I also didn't want to run Windows on an exposed network.

IP masquerading/NAT (network address translation) came to mind, of course, but my desktop system is based on a VIA M9000 Mini-ITX board. It has an on-board NIC but only one PCI slot, which I use for a TV/FM tuner card. The on-board NIC was used for my DSL, so where could I put a second NIC?

Because I maintain some Linux-based router/firewall systems as well as some multi-homed servers, it occurred to me that setting up IP masquerading on an aliased interface on my one NIC might work. It did, and it was simple to do. Here's how.

I connected the DSL modem to a 4-port hub (no uplink port) using a reversing cat5 cable. Then, I connected my Linux desktop and the laptop to the hub with normal cat5 cables. The diagram above shows how I connected everything.

Below is the script I use to enable masquerading after my DSL connection is established and my firewall script has been run.

#!/bin/sh
# ------------------ begin nat.sh -----------------
## script to enable masquerading
## must be run as root after the DSL connection is up
## usage: sh nat.sh
#
# bring up alias interface eth0:0 :
ifconfig eth0:0 192.168.1.1 netmask 255.255.255.0 \
 broadcast 192.168.1.255 up

# Next, an iptables rule to enable masquerading:
iptables -t nat -I POSTROUTING -o ppp0 -j MASQUERADE

# Finally, enable ip forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward

# An optional rule to allow the laptop to talk to
#  the desktop (otherwise denied by my firewall script) for ssh & samba
iptables -I INPUT -s 192.168.1.2 -d 192.168.1.1 \
 -j ACCEPT
# ------------------ end nat.sh -----------------

The Windows 98 laptop has a static IP address of 192.168.1.2, a gateway of 192.168.1.1 and the DNS server addresses of my ISP. I obtained the DNS addresses from /etc/resolv.conf after my DSL connection was up; they don't change.
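The script above masquerades everything leaving ppp0 and opens the desktop to the laptop for any port. The following is an added example, not the article's script, of a tightened variant that a firewall reviewer would want: it masquerades only the LAN subnet, gives FORWARD a default-deny policy with explicit LAN-to-Internet and reply rules, drops packets arriving on the DSL side with a 192.168.1.0/24 source, and limits the laptop to ssh and samba ports. It assumes the same names as the article (ppp0, eth0:0, 192.168.1.1, 192.168.1.2); DRY_RUN=1 prints the commands instead of executing them so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Hardened variant of the article's nat.sh (added example, not Lon Jones's script).
# Assumptions: DSL link is ppp0, the alias eth0:0 carries 192.168.1.1/24, and
# the laptop is 192.168.1.2. Set DRY_RUN=1 to print the commands instead of
# running them, which lets the rule set be reviewed before it touches the box.
# Usage (as root, after the DSL link is up): sh nat_hardened.sh apply

EXT_IF="${EXT_IF:-ppp0}"
PHYS_IF="${PHYS_IF:-eth0}"      # iptables matches the physical NIC, not the eth0:0 alias
ALIAS_IF="${ALIAS_IF:-eth0:0}"
LAN_IP="${LAN_IP:-192.168.1.1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAPTOP="${LAPTOP:-192.168.1.2}"

# run: execute a command, or print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# write_sysctl: same idea for the /proc toggles, which are not commands
write_sysctl() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'echo %s > %s\n' "$2" "$1"
    else
        echo "$2" > "$1"
    fi
}

# ext_if_up: refuse to enable forwarding before the PPP link exists
ext_if_up() {
    [ "${DRY_RUN:-0}" = "1" ] || [ -d "/sys/class/net/$EXT_IF" ]
}

nat_rules() {
    ext_if_up || { echo "$EXT_IF is not up; not enabling NAT" >&2; return 1; }

    run ifconfig "$ALIAS_IF" "$LAN_IP" netmask 255.255.255.0 up

    # Masquerade only packets that really come from the LAN subnet
    run iptables -t nat -I POSTROUTING -s "$LAN_NET" -o "$EXT_IF" -j MASQUERADE

    # FORWARD: default deny, LAN -> Internet allowed, only replies allowed back.
    # Rules are inserted with -I, so the last inserted is evaluated first:
    # the anti-spoofing drop ends up ahead of the accepts.
    run iptables -P FORWARD DROP
    run iptables -I FORWARD -i "$PHYS_IF" -s "$LAN_NET" -o "$EXT_IF" -j ACCEPT
    run iptables -I FORWARD -i "$EXT_IF" -o "$PHYS_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -I FORWARD -i "$EXT_IF" -s "$LAN_NET" -j DROP

    # Laptop -> desktop: only ssh and samba, instead of the article's blanket ACCEPT
    run iptables -I INPUT -s "$LAPTOP" -d "$LAN_IP" -p tcp --dport 22 -j ACCEPT
    run iptables -I INPUT -s "$LAPTOP" -d "$LAN_IP" -p tcp --dport 139 -j ACCEPT
    run iptables -I INPUT -s "$LAPTOP" -d "$LAN_IP" -p udp --dport 137:138 -j ACCEPT
    # Anything arriving on the DSL side with a LAN source address is spoofed
    run iptables -I INPUT -i "$EXT_IF" -s "$LAN_NET" -j DROP

    # rp_filter drops packets whose source would not route back out the same interface
    write_sysctl /proc/sys/net/ipv4/conf/all/rp_filter 1
    write_sysctl /proc/sys/net/ipv4/ip_forward 1
}

if [ "${1:-}" = "apply" ]; then
    nat_rules
fi
```

Note that iptables matches on the physical interface (eth0); the eth0:0 alias is only an ifconfig label and is not a separate interface to netfilter.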

That's it! Internet access for my home network with only a hub and a couple of patch cables.

Lon Jones has been doing UNIX/Linux/network support at the University of Arkansas at Little Rock since 1983. Anyone out there remember CROMIX or Eunice? His other interests include blacksmithing, jewelry making, woodworking and sailing.

Comments

Works perfect

Posted by Bhaskar Roy

I use the same configuration with PPPoE, tried this, works perfect, now can hook my laptop to the hub and see internet.

No More

Posted by Bhaskar Roy

It was working fine with my previous ISP, but recently my ISP changed, and it's not working any more. How can I trace the problem? Is there any log file? My ISP has a fixed IP and they also track the MAC address.

Any suggestion will be helpful, thanks in advance!

Re: One NIC NAT

Posted by pts

Hi,
Good idea. But try a USB NIC. I believe it's safer.
I have been reading the comments and by using an additional NIC you avoid a lot of problems.
I use a DSL connection myself and I use a router + firewall like this:

--- <adsl-modem>-- <rtr> --- <gw/fw> -- internal network

PPPOE connection in LINUX

Posted by Amit

Hi,
I purchased a broadband connection and it's working on DHCP using PPPoE drivers; they have not given me any IP or any DNS, but I have DNS.
My connection type is like this: switch-to-switch connection all over the city, and from that switch they pulled a cat 5 cable which is directly attached to my LAN card (PC). There is no modem and no router for this connection, but they gave me a username and password to log in. I tried to log in using adsl-setup, adsl-connect, adsl start and stop, but it did not respond. Finally I get the message THE CONNECTION IS TERMINATED. Kindly help me with this query. I am using Red Hat 9 Linux.

Re: One NIC NAT

Posted by Anonymous

Why not just dig an old computer out of the closet or find a friend who will give you one and setup a router on that?

I'm using an old 66 MHz 486 here to route my cable modem to my LAN. It seems much simpler and more secure than your setup is.

Re: One NIC NAT

Posted by Anonymous

One issue I can see with this setup is that you could not use DHCP very easily without having a managed switch with VLAN support...

Outlook Web Access

Posted by Anonymous

Outlook Web Access works fine with Konqueror, Opera, Mozilla, etc. I have used Konqueror with both 5.5 and 2000 without incident for months. The interface suffers hugely, and IMHO they made it worse moving from 5.5 to 2k.

The only possibility for what you're talking about is that they're using NTLM auth on the webserver, so you can't authenticate. However, if that were the case, then IE running under Crossover would work fine.

I can only guess that someone is hopelessly lost here, either your wife's company, or her husband :-).

Re: Outlook Web Access

Posted by Anonymous

Well, I can login with both Galeon and Konqueror. I can read and send mail, too. Problem is, I can't do administrative stuff (e.g., change the password - which I'm *required* to do every 6 months). In both Galeon and Konqueror, I get the java popup asking for uname, old passwd and new passwd. When I enter the new passwd, it even says it succeeded. Problem is, I cannot log in with the new passwd: only with the old one. So it didn't really change the passwd. Tried this several times, btw. With Mozilla I have, however, been able to both log in and change the passwd. Problem is, after I do some successful admin via Mozilla, I can no longer get the browser to go back to the site again. I don't get a log in window or anything: the browser just won't go there. I've had this exact thing happen on 2 different machines with Mozilla 1.4 installed. I have no idea how to troubleshoot this, or even if it can be troubleshot: I'm just a hobbyist when it comes to computers anyway. But I do know that, despite spending several hrs trying to get things to work, they will not work. Wish you could straighten that out for me.

Re: Outlook Web Access

Posted by alonzo

The 'linux' browsers couldn't deal with the auth. IE6 under crossover did authenticate ok but then crashed.

- very hopelessly lost
--- alonzo

Re: One NIC NAT

Posted by Anonymous

I can understand why this setup is OK for DSL modems. But is it fair to say that this would be insecure on a cable modem?

Re: One NIC NAT

Posted by Anonymous

In this case, DSL modem == cable modem, so they are equally "secure". Why do you think it would be ANY different??

Re: One NIC NAT

Posted by Anonymous

With a DSL modem, IP traffic is tunneled through the PPPoE connection. Thus all Internet traffic will gateway at the termination point of the PPPoE connection, which is the Mini-ITX computer, not the modem. This makes the setup secure because you can firewall the PPPoE connection from the rest of your network. However, a cable modem is a bridge with a layer 2 (MAC) address. So, a hacker that is on the same cable segment as you can send Ethernet frames to your cable modem without going through a router. Thus, such a hacker could send packets with a layer 3 (IP) address of your internal network and a layer 2 (MAC) destination address of your cable modem, and your cable modem would accept the packets and gateway them onto your internal network. Therefore, the hacker will avoid the firewall on the Mini-ITX machine. Note that the hacker would have to be on the same cable segment as you, since if he has to go through a layer 3 router somewhere, then the packets would be dropped since they have a private (not public) IP address. However, if the hacker had control of any machine on your cable segment through a virus, he could attack you from anywhere, and likely install an IRC virus on your unprotected machines.

This is all just theory, because the part that I don't know is whether the average cable modem is a simple layer 2 bridge, or if it looks at the layer 3 header and blocks any packets with invalid IP destinations, i.e., a firewalling bridge. I suspect that the average cable modem is a simple layer 2 bridge.

Re: One NIC NAT

Posted by Anonymous

In an effort to restrict bandwidth and provide accountability, nearly every DSL provider restricts traffic across their network to PPPoE connections. This means that any traffic that is not encapsulated in a PPPoE packet (i.e., raw Ethernet frames) is not going to be running across the DSL network.

Cable modems on the other hand generally appear as protocol bridges into a broadcast network.

A reasonably inexpensive route around the one-interface problem, which simply requires an available USB port, is a USB-Ethernet adapter. CompUSA sells a store-brand USB 1.1 edition for $24.99 or so. More expensive models, on up to USB 2 editions, cost a couple of dollars more.

I have used a couple of these on a 1.1 interface on a laptop to sniff both sides of my firewall to see what is passing and what isn't. Handy for debugging port-forwarding problems. Granted, with the available bandwidth of USB 1.1 I only capture headers or a limited number of bytes per packet, but in promiscuous mode they do function.

Re: One NIC NAT

Posted by Anonymous

I've run into the exact (or pretty close) problems with Linux browsers and MS Exchange servers. I tried all the ones I have at home and was able to log in OK with a couple. But I could not administer the account (e.g., change password). It would act like it was taking, but the new password would not be accepted and I would end up locked out of the account. Then, I tried a new Knoppix install at another computer using Mozilla and, voila! I was able to change the password. But only once. I tried it again a few days later and was not able to get the login window. From my rather unlearned perspective, it looks very much like MS is trying to be non-interoperable with non-M$ stuff. Not really a surprise, but it just seems like their usual tactics. But where can one find information on the interoperability problem and ways to solve it? If the OSS community can hack things like SMB, can't they hack things like MS Exchange server so that Linux browsers can use it much like native Win stuff? Where are the much needed resources on this?!

Re: One NIC NAT

Posted by Anonymous

Well... I know that Mozilla now has extensive ActiveX support... might want to try and use that, since I'm sure Exchange deals a lot with that.

Re: One NIC NAT

Posted by Anonymous

Seems like you could have saved the time doing that by spending a little cash on a bit of hardware like a home router/switch. Presto! Instant NAT, firewall, DHCP server, and on some models DMZ. Plus, as somebody else mentioned, you have only one MAC address talking to your ISP so they won't try to charge you extra.

Furthermore, it would seem to me that you're gonna get all sorts of garbage traffic on that hub since it's the first thing jacked into your ISP and your IP address is basically static. I'd sure hate to accidentally plug something unprotected into it.

I don't know about you, but if I can do something without hacking a special script or config file, it's better in the long run when a hard disk fails or my brain fails to recall what I did to get something working.

Then again, if you have been content with 28.8K for so long, I'll just shutup now.

Re: One NIC NAT

Posted by Anonymous

A more expensive option would be to get a managed switch. Put the NAT client machines - 192.168.1.0/24 - in VLAN X and the switch port in a trunk configuration. Configure eth0 to have two IPs - one on, say, VLAN Y, the other on VLAN X - where the NAT clients reside.

That'll give you a bit more security - if your DSL/cable provider is snooping traffic they'll only see traffic to/from your Linux router PC and 1 MAC address. Some companies charge extra if the DSL/cable router sees more than 1 MAC address.

Re: One NIC NAT

Posted by Anonymous

So if I understand your reasoning, the _IP_ traffic on the hub or switch can somehow find its way through the modem even if this one is not a router? How? What mechanism is going to encapsulate the IP packets into a PPP frame that will subsequently be sent through the modem?

Re: One NIC NAT

Posted by pts

The DSL modem doesn't need to use PPPoE.

Re: One NIC NAT

Posted by Anonymous

VLANs--that's your mechanism.

The manageable switch is set up like the following.

port1 - vlan1 - cable/dsl router
port2 - trunk - linux router
port3-port?? - vlan 10 - nat clients

Choose either ISL if you have a Cisco switch or .1q. Probably .1q as I don't know of any open source software packages that work w/ ISL encapsulation.

The trunk port receives frames from BOTH VLANs - port 1 and ports 3-?? are logically separated in different VLANs but joined by a trunk port whose interface has a presence on both subnets. No routing (layer 3) changes need be made.

One physical interface on the server, different subnets isolating traffic. This is networking 101, dude...

P.S. A managed hub won't work... because a hub is a dumb repeater. I don't know of any hubs able to do VLAN separation. There *might* be some out there but it's been a while since I've used hubs. I doubt it.

Re: One NIC NAT

Posted by Anonymous

You fail to understand the nature of the problem here. How do you discriminate the traffic in order for VLAN to work?

Here only one interface is used so MAC-VLAN is out of question.

Anything looking at IP headers won't work either. PPPoE is _NOT_ IP traffic or IPX or anything usually supported by any switch I've used so far. I've even seen a switch that treats PPPoE frames as errors (which indeed made the whole thing more secure :-)

ISL tagging should be done both by the Linux router (some support exists to do so, despite what you believe) and by the modem (OK, point me to one that does it).

Hence I don't see how you are going to be able to use VLAN here. Which is besides the point because there is absolutely no reason to use VLAN in the first place.

Did you fail networking 101?

Re: One NIC NAT

Posted by Anonymous

More often than not VLAN gets confused by raw ethernet frames.

Re: One NIC NAT

Posted by Anonymous

If you have a recent enough distro/version of Linux (say RH9) you CAN do VLANs with it.

I forgot what distro/version of linux he was using in his example.

Re: One NIC NAT

Posted by Anonymous

I'll have to add that the DSL/cable modem will have to be on VLAN Y. Other than that it'll work.

Re: One NIC NAT

Posted by Anonymous

One thing springs to mind: Wouldn't it be easier to just buy a second $10 NIC?

Re: One NIC NAT

Posted by Anonymous

Probably, if he had a free PCI slot.

Re: One NIC NAT

Posted by Anonymous

Not enough PCI slots, from what I gathered.

Re: One NIC NAT

Posted by Anonymous

The author stated that he had a built-in NIC, and no available PCI slots. That makes installing a second NIC a bit tricky, yes?

Re: One NIC NAT

Posted by pts

Anything wrong with USB NICs?

Re: One NIC NAT

Posted by Anonymous

I am using such a system for more than 3 years with exactly the same configuration.

I have a Linux server with router functionality with one NIC connected to a hub and 3 other PCs connected to the same hub.

In order to reach the corporate intranet (next to my normal ISP) I have to use a second PPPoE session initiated on my corporate Windows portable. Because PPPoE is a bridging protocol my portable needs direct access to the DSL modem. The Linux server blocks the PPPoE traffic from the portable to the DSL modem, unless it is configured as a bridge.

In terms of security, there is no difference between the one-NIC server configuration and the 2-NIC + bridging server configuration. As such, I prefer the one-NIC configuration because it is cheaper and I don't have to configure the bridging functionality on the server (btw I don't know how to do that).

On the server I am using Mandrake 9.1; almost everything is automatically configured by the Mandrake configuration center. I first configure the DSL connection and afterwards the LAN using the same NIC. Mandrake gives a warning but it works. I've also configured the following services:

  • http
  • imap
  • samba
  • dns
  • dhcp
  • Shorewall

The server can be reached from outside (http, ssh, imap ports). I use the dyndns.org service for that. It's free and it works.

Internet sharing

Posted by Anonymous

Hi,
Could you please tell me the settings for how you have configured your Linux system, having only 1 NIC, for sharing the Internet with other clients, at my e-mail ID below.

pal.kapoor@yahoo.com

Re: One NIC NAT

Posted by Anonymous

The bridging is done through a kernel patch... good article on Debian's doc site for it.

very cool stuff
http://www.debian.org/doc/manuals/securing-debian-howto/ap-bridge-fw.en....

Re: One NIC NAT

Posted by Anonymous

You could buy a USB NIC to add an extra Ethernet connection.

Re: One NIC NAT

Posted by Anonymous

What I would like to know: Can you access your home computer from outside your home LAN? And if yes, how would you do it, since you have only local addresses in your LAN?

Re: One NIC NAT

Posted by Anonymous

Port forwarding.

Re: One NIC NAT

Posted by Anonymous

At least the word "hub" in your graph shows some bad side-effects.
A switch _might_ be more secure;
even if technically working, don't ask for security... (which might be as bad as a Windows PC directly on DSL); a port filter on the Windows computer is recommended...

Re: One NIC NAT

Posted by synthetoonz

Ummmm, even though the computers in the Home network target your NAT (the DSL dialer) host to get to the internet, doesn't the fact you're just using a hub mean everything in your Home network is visible to everything on the internet?

In other words, couldn't anything on the internet still send various broadcasts to your net which may be directly answered by one of your home network computers [ such as a badly behaved Windoze box ] ?

PPPoE

Posted by Anonymous

PPPoE encapsulates all traffic going over the DSL modem. The only way to get access to the network is via PPPoE, which is terminated on a Redback server in the ISP's or Telco's offices.

This means that all traffic is encapsulated until it gets made into regular traffic in pppd and routed from there. Thus, your fears are ill-founded.

Re: One NIC NAT

Posted by Anonymous

Read the article again, genius; it specifically says he only has one PCI slot:

> IP masquerading/NAT (network address translation) came to mind, of course, but my desktop system is based on a VIA M9000 Mini-ITX board. It has an on-board NIC but only one PCI slot, which I use for a TV/FM tuner card. The on-board NIC was used for my DSL, so where could I put a second NIC?

Re: One NIC NAT

Posted by Anonymous

> The on-board NIC was used for my DSL, so where could I put a second NIC?

External USB Ethernet adapter

Re: One NIC NAT

Posted by Anonymous

>External USB Ethernet adapter

Good point, Bill.

...Suggesting, on a Linux forum, a hardware device that only ships with Windows drivers (and a device that considerably lowers a quality broadband experience).

Re: One NIC NAT

Posted by Anonymous

Of course not!! Private network IPs are not routed to the Internet.

Re: One NIC NAT

Posted by Anonymous

The point was the sniffing of the internal network, or the spoofing if the NAT host is compromised. It will be easier if everything is on the same physical Ethernet wire. Is it too much to buy a second Ethernet card?

Re: One NIC NAT

Posted by Anonymous

> Is too much to buy a second ethernet card ?

Is it too much to ask that you read the article? Which part of "there's no room for another card" do you not parse?

Re: One NIC NAT

Posted by Anonymous

A PCI interface can accept a two Ethernet port card...

Re: One NIC NAT

Posted by Anonymous

BUT .... HE DOESN'T HAVE ANY PCI SLOTS AVAILABLE ... the PC only has ONE PCI slot (the NIC is built in to the board) ... and that ONE PCI SLOT is taken up by a tuner card ...

RTF Article .... PLEASE!

Re: One NIC NAT

Posted by Anonymous

Why don't you read the post, moron.

The poster said DUAL PORT NIC!

God ... If you are going to flame someone, READ WHAT THE HELL THEY SAID!

Re: One NIC NAT ---Read the ENTIRE article

Posted by Anonymous

>Why dont you read the post moron.
That's not nice... you must be a Linux user.

>The poster said DUAL PORT NIC!
He certainly DID say that.

Please, if you know of a way to ADD such a card, while NOT REMOVING the FM Radio Card the author clearly stated he DID NOT WANT TO REMOVE.

Of course, you knew that.

>God ... If you are going to flame someone, READ WHAT THE HELL THEY SAID!

The ultimate authority here is the article's author, who was completely clear in describing his requirements and circumstances.

I think you are a Microsoft troll pretending to be a Linux user (and acting like a jerk). If you want to invert logic, play dumb and twist people's words out of context.. please go somewhere else (like Usenet).
