This is a new page, and might contain technically incorrect information. Please use at your own risk. If you are able to correct any errors or expand this document, please do so.
Having a Linux machine as a gateway
Set up your Internet and network connections as normal.
You probably want to run a DHCP server on the gateway to hand out addresses to local machines and tell them about the Internet connection. Look at dnsmasq.
dnsmasq configuration
/etc/dnsmasq.conf:
# assuming eth0 is the local network
interface=eth0
# change this to the range of IPs you want to provide
dhcp-range=10.0.0.128,10.0.0.250
Done. Start it up.
# /etc/init.d/dnsmasq restart
Turn on IP Forwarding
Debian (and derivatives)
Set ip_forward to yes in /etc/network/options (older Debian releases only; newer ones dropped this file in favour of /etc/sysctl.conf, see "Others" below).
# /etc/init.d/networking restart
to enable it now without rebooting.
RedHat (and derivatives)
Set FORWARD_IPV4 to true in /etc/sysconfig/network (older Red Hat releases only; newer ones read /etc/sysctl.conf, see "Others" below).
# service network restart
to enable it now without rebooting.
Others
Set net.ipv4.ip_forward to 1 in /etc/sysctl.conf
# sysctl -p
to enable it now without rebooting. (Yes, this works on every distro, but some also have their own methods.) Afterwards the file /proc/sys/net/ipv4/ip_forward should read 1. Note that the moment forwarding is on, the box will forward anything it is asked to, so load your firewall rules (next section) before you enable it, not after.
NAT
Put the following in your firewall script. It only controls traffic passing through the gateway (the FORWARD chain); it says nothing about traffic to the gateway itself (the INPUT chain), so every service the box runs stays reachable from the Internet until you add INPUT rules as well. The -m state match still works but is the legacy spelling of -m conntrack --ctstate.
#!/bin/sh
EXTIF=ppp0 # <-- Change this as needed
INTIF=eth0 # <-- Change this as needed
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
iptables -A FORWARD -j DROP
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
This basically says (each iptables line is a bullet):
- Allow anything coming back from the Internet that is a response to something started from on our network.
- Allow anything to go out from our network to the Internet.
- Don't allow anything else to pass through this machine.
- When traffic goes out to the Internet, NAT the addresses so that they pretend to come from the gateway.
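The script below is an added example, not the page's own script, that puts the three steps above (dnsmasq, forwarding, NAT) into one file and fills the gaps noted above: it sets default-deny policies, adds INPUT rules so the gateway only answers DHCP, DNS and SSH from the local network, restricts forwarding and NAT to packets that actually carry a local source address, and turns forwarding on only after the rules are loaded. The interface names, the 10.0.0.0/24 addresses, the lease time and the DRY_RUN switch are assumptions; with DRY_RUN left at 1 it prints what it would do instead of touching the system.

```shell
#!/bin/sh
# Added example, not the page's own script: dnsmasq config, forwarding and
# NAT/firewall rules for the gateway in one place. Interface names, addresses
# and the DRY_RUN switch are assumptions; change them to match your network.
EXTIF="${EXTIF:-ppp0}"                    # Internet side
INTIF="${INTIF:-eth0}"                    # local network side
LAN_NET="${LAN_NET:-10.0.0.0/24}"
LAN_ADDR="${LAN_ADDR:-10.0.0.1}"          # gateway's own LAN address
DHCP_RANGE="${DHCP_RANGE:-10.0.0.128,10.0.0.250,12h}"
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print commands only; 0 = apply

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# dnsmasq: serve DHCP and DNS on the LAN interface only. bind-interfaces makes
# dnsmasq bind that interface's address instead of the wildcard, so nothing
# arriving on the Internet side is ever answered.
dnsmasq_conf() {
    cat <<EOF
interface=$INTIF
bind-interfaces
domain-needed
bogus-priv
dhcp-range=$DHCP_RANGE
dhcp-option=option:router,$LAN_ADDR
EOF
}

# Default-deny first, then open only what the gateway and the LAN need.
firewall_rules() {
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -F
    run iptables -t nat -F
    # Traffic to the gateway itself: loopback, replies, and LAN-side services.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # DHCP requests arrive with source 0.0.0.0, so do not restrict them to LAN_NET.
    run iptables -A INPUT -i "$INTIF" -p udp --dport 67 -j ACCEPT
    run iptables -A INPUT -i "$INTIF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    run iptables -A INPUT -i "$INTIF" -s "$LAN_NET" -p tcp --dport 53 -j ACCEPT
    run iptables -A INPUT -i "$INTIF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    # Forwarding: LAN to Internet and replies back; anything from the LAN side
    # that does not carry a LAN source address is dropped (cheap anti-spoofing).
    run iptables -A FORWARD -i "$EXTIF" -o "$INTIF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN_NET" -j ACCEPT
    # MASQUERADE suits a dial-up link whose address changes on every connection.
    run iptables -t nat -A POSTROUTING -o "$EXTIF" -s "$LAN_NET" -j MASQUERADE
}

# Turn forwarding on only after the rules are in place, and keep reverse-path
# filtering on so the kernel also drops packets with impossible source addresses.
enable_forwarding() {
    run sysctl -w net.ipv4.conf.all.rp_filter=1
    run sysctl -w net.ipv4.ip_forward=1
}

main() {
    firewall_rules
    enable_forwarding
    if [ "$DRY_RUN" = 1 ]; then
        echo "--- /etc/dnsmasq.conf would be:"
        dnsmasq_conf
    else
        dnsmasq_conf > /etc/dnsmasq.conf
        run /etc/init.d/dnsmasq restart
    fi
}

main "$@"
```

Run it once as-is to read the rules it would load, then with DRY_RUN=0 as root to apply them. Port 22 is opened only because a headless gateway is usually managed over SSH; drop that line if you administer the box at the console. If the gateway also runs anything else (a web interface, VNC), it needs its own INPUT rule restricted to the LAN in the same way.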
Controlling the connection
There are several options (naturally). Roughly easiest to nastiest:
- You can manually go to the box and pon/poff, or however your distro does it.
- masqdialer is a client-server system that allows the connection to be brought up by users. Clients are available for most OSs.
- You can use pppd's demand option. Be careful: this can get very expensive if you make a mistake, because any packet routed to the link (including background traffic such as DNS lookups or software update checks) brings it up. pppd's active-filter option lets you say which packets count as activity.
- If it is an ISDN link, ISDN4linux has built-in demand features. The same cost warning applies.
- You can set up diald (which can have very complex rules for when to dial). The same cost warning applies.
- Write your own cgi-bin / PHP link-control system. Make it reachable only from the local network and require a login; a page that can dial the link is a page that can cost you money.
Having a Windows XP machine as a gateway
First of all - unless you can possibly avoid it, don't go this route. ;-)
This setup assumes the machine is not joined to a Domain.
- Run the Network Setup Wizard and pick the option saying this computer connects directly to the Internet and the other computers connect through it. That turns on Internet Connection Sharing (ICS).
If you survived that, the XP box should be running ICS, which gives its LAN interface the address 192.168.0.1 and hands out addresses on 192.168.0.0/24 to the other machines. Test it from one of them.
Either set the Windows box to dial out whenever anything asks for the connection (automatic, and costly, for the same reasons as demand dialling above), or have your users VNC into it and start the connection by hand.
Firewall distros
Smoothwall is a Linux distribution that does most of the work for you. It has an excellent web interface that you can access from any machine on your network (Windows/Linux/BSD/MacOS/BeOS).
m0n0wall is a stripped-down FreeBSD based firewall distro. Superb web interface. Runs on <8MB disk space and is perfect for sticking on a compact-flash card for a moving-parts-free firewall.
Maintaining this page
Go for it. If you know a trick, add it. If something is wrong fix it.

