[nSLUG] Need help setting up ICS in Redhat 9

M Taylor mctylr at privacy.nb.ca
Tue Jul 15 21:59:10 ADT 2003


On Tue, Jul 15, 2003 at 03:50:43PM -0300, Michelle and George wrote:
> I'm having a hell of a time trying to get my redhat workstation to share
> its cable connection with my wife's (acadia u) winxp laptop. She needs
> access from home and I have searched the web for days in vain. I am a
> complete newbie- the documentation out there is WAY over me little head
> and I'm about to scream!! I have two nics in the redhat box, and a wee
> hub. Before you say it, no, I can't go out and buy a router right now.
> Any help you can throw my way would be great.
> 
> George Vincent-Cross

Well, I suspect you will have a very hard time finding anything called
ICS (as in Internet Connection Sharing) for Linux. The more technical
name is NAT (Network Address Translation), this is a generic term, not
platform specific, and there are various forms of NAT. You may find
"IP Masq" or "IP Masquerading", that's just an old term for NAT using
earlier version of the Linux kernel firewall (ipfwadm, ipchains).

The current Linux kernel firewall is known as netfilter / iptables,
and is included with linux-2.4. 

Check the NAT HOWTO[1]:  "I just want masquerading! Help!"
<http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-4.html#ss4.1>

Assuming you have your eth0 connected to your cable modem, and eth1
connected to your internal network (ie. your hub)....

root at linux# modprobe iptable_nat
root at linux# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
root at linux# echo 1 > /proc/sys/net/ipv4/ip_forward

This is plain, old fashioned NAT, with basically no security whatsoever,
a lot like ICS for MS-Windows. You might feel a bit more comfortable,
reading the Packet Filtering HOWTO[2] as well, to give yourself at least
a few firewall rules, to reduce unnecessary security exposure. At the
very least, follow the super-simple example at [3].

## Insert connection-tracking modules (not needed if built into kernel).
root at linux# insmod ip_conntrack
root at linux# insmod ip_conntrack_ftp

## Create chain which blocks new connections, except if coming from inside.
root at linux# iptables -N block
root at linux# iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
root at linux# iptables -A block -m state --state NEW -i ! eth0 -j ACCEPT
root at linux# iptables -A block -j DROP

## Jump to that chain from INPUT and FORWARD chains.
root at linux# iptables -A INPUT -j block
root at linux# iptables -A FORWARD -j block

(I've replaced ppp0 in the docs with eth0, assuming that eth0 is your
ethernet interface connected to your Internet access (cable modem?).)

Good luck, and feel free to ask more questions if you find this
confusing. I've skimmed a few issues, like the WinXP laptop is setup to
expect a DHCP server to give it an IP address, and you likely don't have
a DHCP server configured on your Redhat gateway box. You want to use
RFC 1918 addresses for your home LAN (192.168.0.0 - 192.168.255.255 is
a commonly used set of addresses you can use). So set your eth1 
(the linux ethernet interface connected to your internal network, via
your own hub) to something like 192.168.1.1. 

Here's an excerpt from my first internal subnet (I also run an untrust
subnet for my 802.11b networking). I use Eastlink (in the valley) for
my Internet access, so if you don't, change those and anything that is
24.xxx.xxx.xxx.

(in the file /etc/dhcp.conf)

option domain-name "home";
option domain-name-servers 192.168.1.1, 24.222.0.75, 24.138.0.7;

option subnet-mask 255.255.255.0;
default-lease-time 27000;
max-lease-time 72000;

subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.10 192.168.1.50;
        option routers 192.168.1.1;
        option ntp-servers 192.168.1.1, 24.222.230.1;
        option smtp-server smtp.av.eastlink.ca;
        option pop-server pop.av.eastlink.ca;
        option nntp-server news.eastlink.ca;
}

If you are in the valley and still stuck, let me know.
Good luck!

[1] <http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO.html>
[2] <http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html>
[3] <http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-5.html>
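To show why the three-rule "block" chain above protects the LAN even though the NAT itself has no filtering, here is a small model of that chain with a toy connection-tracking table, run over constructed packets. This is an added illustration, not code from the post or from netfilter; it assumes eth0 faces the cable modem and eth1 the hub, as in the post, and it ignores the RELATED state and the address rewriting that NAT performs.

```python
# Model of the "block" chain: conntrack decides NEW vs ESTABLISHED,
# then the rules are tried in order, exactly as iptables walks them.
# Added example; eth0 = Internet side, eth1 = internal hub (assumed).

WAN = "eth0"


def packet(in_if, src, sport, dst, dport, proto="tcp"):
    """Constructed packet as seen by INPUT/FORWARD (after NAT un-mapping)."""
    return {"in": in_if, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}


class Firewall:
    def __init__(self):
        self.conntrack = set()  # confirmed flows, stored as 5-tuples

    @staticmethod
    def flow(p):
        return (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])

    @staticmethod
    def reverse(p):
        return (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])

    def state(self, p):
        # -m state: known in either direction -> ESTABLISHED, else NEW
        if self.flow(p) in self.conntrack or self.reverse(p) in self.conntrack:
            return "ESTABLISHED"
        return "NEW"

    def block_chain(self, p):
        st = self.state(p)
        # iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
        if st == "ESTABLISHED":
            return "ACCEPT"
        # iptables -A block -m state --state NEW -i ! eth0 -j ACCEPT
        if st == "NEW" and p["in"] != WAN:
            self.conntrack.add(self.flow(p))  # entry confirmed once accepted
            return "ACCEPT"
        # iptables -A block -j DROP  (unsolicited traffic from the Internet)
        return "DROP"


if __name__ == "__main__":
    fw = Firewall()
    out = packet("eth1", "192.168.1.10", 40000, "1.2.3.4", 80)   # LAN -> web
    back = packet("eth0", "1.2.3.4", 80, "192.168.1.10", 40000)  # reply
    probe = packet("eth0", "5.6.7.8", 1234, "192.168.1.10", 22)  # unsolicited
    for p in (out, back, probe):
        print(p["in"], p["src"], "->", p["dst"], p["dport"], fw.block_chain(p))
```

The unsolicited probe is dropped even though the reply to the LAN-initiated connection is accepted; without the block chain, the MASQUERADE rule alone would let both through.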