justlinux.com
Sat, 20-Mar-2010 09:59:32 GMT
internet.com

Help File Library: Easy Internet Sharing


Written By: X_console

Introduction

This is a tutorial on sharing your Internet connection by configuring a Linux machine as your gateway/firewall. I've made this tutorial as easy as possible so that the average user can have a running and secure mini-home network. I'm sure you've probably been told that setting up firewall rules and IP masquerading can be difficult. Not so, as you will find out. In fact, we won't even be learning a single firewall rule.

Important Note: At the time of writing, the firewall scripts that I will recommend utilize the ipchains packet filter which is included in every Linux kernel 2.2 system. Therefore this tutorial will not work with kernels under 2.2 as they do not use ipchains. Although the newer Linux kernel 2.4 uses iptables, it is supposed to be backward compatible with ipchains. However, I have not tested this tutorial on Linux kernel 2.4, so I cannot guarantee that it will work.

Equipment

You'll need a few things to get this working.

  • At least 2 computers. 1 computer will be configured as the Linux gateway and firewall. The other computers will be the ones sharing the Internet connection. They can be running any operating systems.
  • Ethernet adapters. You'll need 2 for the gateway, and at least 1 for every other machine that's going to share the Internet connection. Make sure that you get an Ethernet adapter that's supported in Linux. Check the Hardware-HOWTO for more information on this.
  • A hub or a switch. You'll need at least one of these. If you can, get a switch. They're generally much better but a little more expensive. Linksys hubs and switches support Linux so you should be alright if you can get one.
  • RJ45 cables. Obviously you'll need these to connect your Ethernet adapters to the hub. You'll need one for each Ethernet adapter you've got. Make sure you get a straight-through cable and not a crossover cable!
  • An Internet connection. If you've got a cable or DSL connection, then great! If you've got a dialup connection, don't worry, this will work as well.

That should be about all that you'll need. As you can see, it will cost you a little bit of money. However, you may be able to get some of these items fairly cheap or for free. Once you've got all the things you need, on to the next section.

IP Masquerading and Firewalling

IP masquerading allows you to share your Internet access with other computers under one IP address. Your gateway will usually have 2 IPs: an external one provided by your ISP and an internal one (usually 192.168.0.1). Every other computer behind your gateway will have an IP address of 192.168.0.x (where x is greater than 1 and less than 255). When any of these computers makes a connection on the Internet, the connection will show the external IP of your gateway. So the benefit is that your internal LAN is hidden from the Internet.

A firewall blocks requests to your computer. You may want to have FTP running for instance, but don't want the rest of the world to be able to access it. A firewall can block any connection attempt from the world, while at the same time allowing connections coming from your internal LAN. Don't put all your faith in a firewall! Some people think that once they've got a firewall they're secure. That's not true. If you've got a firewall and have a webserver running for instance, you're not secure. You have your webserver (port 80) running! If a bug or security hole is found in the webserver you use, it could be used to crack into your system. So keep that in mind. A firewall does help, but it's not going to keep you completely protected. Linux 2.2 kernels use the ipchains packet filter firewall, and that's what we'll be using.
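As an added example (not part of the original tutorial), this script reads netstat -tln output and lists the TCP services that listen on every interface, which are the ones that rely on the firewall alone to keep outside connections away. The function names and the sample output are constructed for illustration; 192.168.0.1 is the internal gateway address used on this page.

```sh
#!/bin/sh
# Added example (not from the original tutorial): find TCP services on the
# gateway that listen on more than the internal LAN address and so rely on
# the firewall rules alone to keep outside connections away.
# Real use: netstat -tln | exposed_listeners 192.168.0.1

exposed_listeners() {
    awk -v lan="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            # Local Address is "addr:port"; split at the last colon.
            n = split($4, parts, ":")
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            # Skip listeners bound only to loopback or to the LAN address.
            if (addr == lan || addr ~ /^127\./ || addr == "::1") next
            print port, addr
        }' | sort -n | uniq
}

# Constructed sample of `netstat -tln` output on a gateway with FTP and a
# web server bound to every interface, and Samba bound to the LAN side only.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.1:139         0.0.0.0:*               LISTEN
EOF
}

# Prints one "port address" line per listener bound beyond loopback/LAN.
sample_netstat | exposed_listeners 192.168.0.1
```

Any service this reports that only the internal computers need can be reconfigured to listen on the internal address, so that it no longer depends on the firewall script alone.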

I'm not going to go through the details of how to configure your kernel for IP masquerading or Firewalling. If you're using a default kernel that came with your distribution, then you've already got these features set for you. If you've upgraded your kernel, then chances are you probably left these features active anyway. First thing to do is to download either gShield or PMFirewall. Both of these will configure your firewall and IP masquerading for you after you answer a few questions. gShield is available from http://muse.linuxmafia.org and PMFirewall is available from http://www.pointman.org.

gShield needs to be configured through a configuration file. It's very well commented, but there's also a graphical frontend available (check the website). Make sure you switch on IP masquerading and pick out which services you want available to the world and which you want closed.

PMFirewall is more interactive. When you run the install script it'll start asking you questions. Once again, make sure you say yes to IP Masquerading. It also gives you the option of having it start at boot up. This is recommended if you plan on getting the gateway to establish your Internet connection upon boot up.

Regardless of whichever one you use, your system should be ready for sharing as soon as you run the firewall script. To start up gShield, execute the /etc/firewall/gShield.rc script. For PMFirewall it should be where you installed it. The default location for the script is /usr/local/pmfirewall/pmfirewall.

If you're using cable or DSL, you probably want to start the connection up during the bootup. So append the commands you use to start the connection in your /etc/rc.d/rc.local file, and right after it, execute the firewall script. So for example:

# put the commands that start your connection here
# wait pauses until any background jobs started above have finished:
wait
# assume the connection is established and execute the firewall script:
/etc/firewall/gShield.rc

In the above I'm using gShield so replace it with PMFirewall if that's what you're using. Keep in mind that if you've configured PMFirewall to start at boot up during its installation, you don't have to do the above.

Configuring The Other Computers

Each of the computers that will share the Internet connection needs to have its own IP. This can be done in two ways. The easiest way is to configure them to obtain their IP via DHCP. For this to work, you'll need to run dhcpd. I'm not going to get into that. Do a man dhcpd and you'll figure it out. Also, check out the DHCP mini-HOWTO. The second method is a little easier if you're sharing your Internet connection with fewer than 5 computers. Basically you have to set the IP for each of them manually. So:

Gateway   : IP = 192.168.0.1
Computer 1: IP = 192.168.0.2
Computer 2: IP = 192.168.0.3
Computer 3: IP = 192.168.0.4
Computer 4: IP = 192.168.0.5

How do you set the IP for each computer? In Linux, you should have a program that lets you configure network settings. This varies between distributions. If you know what this program is, use it. A couple of things to try are netconfig and linuxconf. If you don't know what your network setup program is, a general way to set the IP for your machines is to add the following line to /etc/rc.d/rc.local:

/sbin/ifconfig eth0 192.168.0.1 broadcast 192.168.0.255 netmask 255.255.255.0

You will need to do that for every machine, changing the IP address of course. Then type:

source /etc/rc.d/rc.local

Make sure that no two computers have the same IP or you're going to run into problems. Also note that 192.168.x.x IPs are special and meant for internal networks. You can make up your own internal IP addresses if you like, but it's recommended that you follow the above.

Make sure all of the internal computers have their gateway IP address pointed to 192.168.0.1 (or whatever internal IP address you assigned to your gateway). Also don't forget to put in the DNS servers you're using. DNS server addresses go in your /etc/resolv.conf. If you're not sure what the DNS server addresses are, give your ISP a call. You should get a primary and secondary DNS address. Your /etc/resolv.conf should look something like this:

nameserver 123.123.123.123
nameserver 234.234.234.234

Of course you want to replace the IP addresses with the ones assigned to you by your ISP.

Testing The Setup

It's time to see if this worked. If you're using cable or DSL, connect one Ethernet adapter of the gateway to the cable or DSL modem. The other Ethernet adapter should be plugged into the hub or switch. Every other computer needs to have its Ethernet adapter plugged into the hub/switch. If you haven't done so already, activate your firewall script to start up the IP masquerading and firewalling rules.

Start by pinging your internal machines and see if it works. From your gateway, type ping 192.168.0.2 and see if it can see that computer. Do it for each of the internal computers, and then see if you can ping the gateway from each of the internal computers. Next try to ping yahoo.com or some other external website from your gateway and from each of your internal computers. If you get a response, then it's on to the next step. Try to access a webpage somewhere using your browser on the internal computers. If you don't get anything, make sure that the DNS servers are set in the /etc/resolv.conf of the gateway and of the internal computer. If everything works, then congratulations! You're now sharing your Internet connection with your other computers.

It's Not Working

If after all the testing, you still can't get your browsers to view any webpages or to connect to anywhere on the Internet, then it's time to check on some things.

  • Make sure you got the right cables. I made this mistake once and it cost me a whole night of wondering what was wrong...
  • Make sure the Ethernet adapters are using the right IO address and IRQ. I found out that using the wrong IRQ even though it doesn't conflict with any other device can prevent the Ethernet adapter from working right. The best way to figure out which IRQ is to be used is to look at the documentation that came with your Ethernet adapter. If it didn't come with one, search the Internet for information on it.
  • Make sure the hub/switch is plugged in and the lights are on.
  • Make sure your kernel has been configured with support for IP masquerading and firewalling. Most kernels enable this by default, but if you made changes, then you've got to make sure these features are still enabled.
  • Make sure your Ethernet adapters are working and aren't broken or anything. Same thing for the cables.

There could be other things that are going wrong. The next best thing to do is some research. Ask questions on forums or IRC. Read up some other references on networking and such. Hopefully you won't have to go through too much trouble to get it working.
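Several of the checks from the configuration and troubleshooting sections (unique internal IPs, DNS servers in /etc/resolv.conf, kernel forwarding support) can be scripted. This is an added example, not part of the original tutorial; the function names and the "hostname ip" plan file are assumptions, and /proc/sys/net/ipv4/ip_forward is the kernel's standard IPv4 forwarding switch, which the page itself does not mention.

```sh
#!/bin/sh
# Added example (not from the original tutorial): pre-flight checks for the
# gateway. Paths are arguments so the checks can run against copies.

# True when the kernel forwards IPv4 packets, which masquerading requires.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Print the number of well-formed "nameserver a.b.c.d" lines.
nameserver_count() {
    awk '$1 == "nameserver" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { n++ }
         END { print n + 0 }' "${1:-/etc/resolv.conf}" 2>/dev/null
}

# Read "hostname ip" lines (hypothetical plan format) and report addresses
# that are duplicated or outside 192.168.0.1-254.
bad_addresses() {
    awk 'NF >= 2 {
            split($2, o, ".")
            if ($2 !~ /^192\.168\.0\.[0-9]+$/ || o[4] + 0 < 1 || o[4] + 0 > 254)
                print "out-of-range " $2
            else if (seen[$2]++)
                print "duplicate " $2
         }' "$1"
}

# Run all checks; print one line per finding; return the number of failed checks.
preflight() {
    problems=0
    forwarding_enabled "$1" || { echo "ip_forward is off"; problems=$((problems + 1)); }
    n=$(nameserver_count "$2")
    [ "${n:-0}" -ge 1 ] || { echo "no usable nameserver line"; problems=$((problems + 1)); }
    bad=$(bad_addresses "$3")
    [ -z "$bad" ] || { echo "$bad"; problems=$((problems + 1)); }
    return "$problems"
}

# Constructed sample: Computer 2 reuses Computer 1's address.
demo() {
    d=$(mktemp -d) || return 1
    echo 1 > "$d/ip_forward"
    printf 'nameserver 123.123.123.123\n' > "$d/resolv.conf"
    printf 'gateway 192.168.0.1\npc1 192.168.0.2\npc2 192.168.0.2\n' > "$d/plan"
    preflight "$d/ip_forward" "$d/resolv.conf" "$d/plan"; rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || echo "failed checks: $?"
```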

Conclusion

I hope this tutorial was easy to follow and that it worked for your setup. If you want to learn more about IP masquerading or firewalling, make sure you check out the IP-Masquerading-HOWTO as well as the IPCHAINS-HOWTO. Read up on some books or magazines on networking as well. Sharing an IP connection certainly beats having to buy individual Internet accounts for each of your computers.
