# How to enable Internet sharing?

## dolfin

Hello!

I just installed Gentoo, and I think it's a great system! (I used Mandrake before.) But I've got one problem.

I've got a home network, and I can't enable Internet sharing. I've compiled my kernel with all the options IP MASQ needs, but I don't know what else I should do (edit scripts?  :Smile:  ), please help me!

Thanks!

Gil

----------

## Nitro

I would suggest you take a look @ http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO.html

It talks about the basics of NAT and will tell you how to NAT.  There are also many other HOWTOs for iptables @  http://www.netfilter.org/documentation/index.html#HOWTO

I know many people use firewall scripts to have this sort of thing done automatically, but I don't, so I can't give you any recommendations there.

If you read that and are still stuck, I can help you with specific examples. It's just that I think it is better to learn from the bottom up, instead of doing what someone tells you to do and having it work without knowing why.

----------

## dolfin

I need it ASAP, and I don't have a lot of time to work on it.

I'm sure I'll try to understand it one day, but if you can post some examples of common things I should do here, it would be great!

Thanks anyway!

Gil

----------

## klieber

 *dolfin wrote:*   

> I need it ASAP, and I don't have a lot of time to work on it.

 

Then you should look into purchasing a device like a Linksys router that has that functionality out of the box.  Getting this to work properly on Linux takes time and a willingness to learn at least the basics of NAT and netfilter.  If you don't have the time to do that, then this isn't a good solution for you.

--kurt

----------

## Nitro

Reading the HOWTO wouldn't take long, and if you skimmed it, you would have found http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-4.html#ss4.1 already which will do exactly what you want with minimal mess, and little security.

Don't take this the wrong way, but Gentoo is not a quick install-it-and-use-it installation (like RH and MDK) unless you understand what is really going on.  If you want to install it and use it without knowing exactly what's going on, I'd recommend you go download RH or MDK.

----------

## dolfin

Well, I've read it, and read the part you sent here before. But it still doesn't seem to work. I think something in the configuration of the local network is wrong, and I have no clue where to check it.

I just installed Gentoo and I really want to learn it (it was one of the reasons I chose this distro). Can you help me?

----------

## klieber

 *dolfin wrote:*   

> Can you help me?

 

There are lots of people on the forums willing to help you, but you need to help us, too -- what have you tried already?  What error messages are you seeing?  What options have you compiled into your kernel?  Are you able to access local network resources?  How is your local network configured?

We need more information in order to provide any sort of troubleshooting advice.

--kurt

----------

## dolfin

My kernel is configured with:

Network packet filtering and IP: Netfilter Configuration: all but Userspace queueing via NETLINK, stealth match support, NAT of local connections, ARP tables support. Anything else?

I've tried the script in the IP MASQ HOWTO:

/etc/rc.firewall-2.4

```
#!/bin/bash
# (bash rather than sh: the script relies on "echo -e" and "echo -en")
#
# rc.firewall-2.4
FWVER=0.63
#
#               Initial SIMPLE IP Masquerade test for 2.4.x kernels
#               using IPTABLES.
#
#               Once IP Masquerading has been tested, with this simple
#               ruleset, it is highly recommended to use a stronger
#               IPTABLES ruleset either given later in this HOWTO or
#               from another reputable resource.
#
# Log:
#       0.63 - Added support for the IRC IPTABLES module
#       0.62 - Fixed a typo on the MASQ enable line that used eth0
#              instead of $EXTIF
#       0.61 - Changed the firewall to use variables for the internal
#              and external interfaces.
#       0.60 - 0.50 had a mistake where the ruleset had a rule to DROP
#              all forwarded packets but it didn't have a rule to ACCEPT
#              any packets to be forwarded either
#            - Load the ip_nat_ftp and ip_conntrack_ftp modules by default
#       0.50 - Initial draft
#

echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"

# The location of the 'iptables' program
#
#   If your Linux distribution came with a copy of iptables, most
#   likely it is located in /sbin.  If you manually compiled
#   iptables, the default location is in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
#IPTABLES=/sbin/iptables
IPTABLES=/sbin/iptables

#Setting the EXTERNAL and INTERNAL interfaces for the network
#
#  Each IP Masquerade network needs to have at least one
#  external and one internal network.  The external network
#  is where the natting will occur and the internal network
#  should preferably be addressed with a RFC1918 private address
#  scheme.
#
#  For this example, "eth0" is external and "eth1" is internal"
#
#  NOTE:  If this doesnt EXACTLY fit your configuration, you must
#         change the EXTIF or INTIF variables below. For example:
#
#               EXTIF="ppp0"
#
#            if you are a modem user.
#
EXTIF="eth0"
INTIF="eth1"
echo "   External Interface:  $EXTIF"
echo "   Internal Interface:  $INTIF"

#======================================================================
#== No editing beyond this line is required for initial MASQ testing ==

echo -en "   loading modules: "

# Need to verify that all modules have all required dependencies
#
echo "  - Verifying that all kernel modules are ok"
/sbin/depmod -a

# With the new IPTABLES code, the core MASQ functionality is now either
# modular or compiled into the kernel.  This HOWTO shows ALL IPTABLES
# options as MODULES.  If your kernel is compiled correctly, there is
# NO need to load the kernel modules manually.
#
#  NOTE: The following items are listed ONLY for informational reasons.
#        There is no reason to manual load these modules unless your
#        kernel is either mis-configured or you intentionally disabled
#        the kernel module autoloader.
#
# Upon the commands of starting up IP Masq on the server, the
# following kernel modules will be automatically loaded:
#
# NOTE:  Only load the IP MASQ modules you need.  All current IP MASQ
#        modules are shown below but are commented out from loading.
# ===============================================================

#Load the main body of the IPTABLES module - "iptable"
#  - Loaded automatically when the "iptables" command is invoked
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_tables, "
/sbin/insmod ip_tables

#Load the IPTABLES filtering module - "iptable_filter"
#  - Loaded automatically when filter policies are activated

#Load the stateful connection tracking framework - "ip_conntrack"
#
# The conntrack  module in itself does nothing without other specific
# conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
# module
#
#  - This module is loaded automatically when MASQ functionality is
#    enabled
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_conntrack, "
/sbin/insmod ip_conntrack

#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_ftp, "
/sbin/insmod ip_conntrack_ftp

#Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_irc, "
/sbin/insmod ip_conntrack_irc

#Load the general IPTABLES NAT code - "iptable_nat"
#  - Loaded automatically when MASQ functionality is turned on
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "iptable_nat, "
/sbin/insmod iptable_nat

#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_nat_ftp, "
/sbin/insmod ip_nat_ftp

# Just to be complete, here is a list of the remaining kernel modules
# and their function.  Please note that several modules should be only
# loaded by the correct master kernel module for proper operation.
# --------------------------------------------------------------------
#
#    ipt_mark       - this target marks a given packet for future action.
#                     This automatically loads the ipt_MARK module
#
#    ipt_tcpmss     - this target allows to manipulate the TCP MSS
#                     option for braindead remote firewalls.
#                     This automatically loads the ipt_TCPMSS module
#
#    ipt_limit      - this target allows for packets to be limited to
#                     to many hits per sec/min/hr
#
#    ipt_multiport  - this match allows for targets within a range
#                     of port numbers vs. listing each port individually
#
#    ipt_state      - this match allows to catch packets with various
#                     IP and TCP flags set/unset
#
#    ipt_unclean    - this match allows to catch packets that have invalid
#                     IP/TCP flags set
#
#    iptable_filter - this module allows for packets to be DROPped,
#                     REJECTed, or LOGged.  This module automatically
#                     loads the following modules:
#
#                     ipt_LOG - this target allows for packets to be
#                               logged
#
#                     ipt_REJECT - this target DROPs the packet and returns
#                                  a configurable ICMP packet back to the
#                                  sender.
#
#    iptable_mangle - this target allows for packets to be manipulated
#                     for things like the TCPMSS option, etc.

echo ".  Done loading modules."

#CRITICAL:  Enable IP forwarding since it is disabled by default since
#
#           Redhat Users:  you may try changing the options in
#                          /etc/sysconfig/network from:
#
#                       FORWARD_IPV4=false
#                             to
#                       FORWARD_IPV4=true
#
echo "   enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

# Dynamic IP users:
#
#   If you get your IP address dynamically from SLIP, PPP, or DHCP,
#   enable this following option.  This enables dynamic-address hacking
#   which makes the life with Diald and similar programs much easier.
#
echo "   enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Enable simple IP forwarding and Masquerading
#
#  NOTE:  In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
#
#  NOTE #2:  The following is an example for an internal LAN address in the
#            192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask
#            connecting to the Internet on external interface "eth0".  This
#            example will MASQ internal traffic out to the Internet but not
#            allow non-initiated traffic into your internal network.
#
#         ** Please change the above network numbers, subnet mask, and your
#         *** Internet connection interface name to match your setup
#

#Clearing any previous configuration
#
#  Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
#    The default for FORWARD is DROP
#
echo "   clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo "   FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo -e "\nrc.firewall-2.4 v$FWVER done.\n"
```

I got an error (don't know how "real" this error is) that it can't load the modules ip_tables and ip_conntrack.

My /etc/conf.d/net looks like this:

```
iface_eth1="192.168.0.1 broadcast 192.168.0.255 netmask 255.255.255.0"
iface_eth0="dhcp"
```

My Internet cable connection on eth0 is working fine. But I don't know how to check my LAN...

Do you need anything else?

Thanks!

----------
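The HOWTO test script posted above (and the NAT-HOWTO section Nitro links to) is deliberately minimal: it leaves the INPUT policy at ACCEPT, so every service listening on the NAT box is reachable from the cable network, and it masquerades whatever arrives on the internal interface regardless of source address. The following is an added example, not code from the thread or from the IP Masq HOWTO, that emits a tighter ruleset for the same two-NIC layout (eth0 external on DHCP, eth1 internal on 192.168.0.0/24, taken from the posted /etc/conf.d/net) in iptables-restore format so it loads atomically. Interface names and the LAN prefix are parameters with those values as defaults; the `-m state` match is the one the thread's 2.4-era iptables uses (current iptables still accepts it), and `rp_filter` is assumed to be available under /proc/sys/net/ipv4/conf, as it was in 2.4.

```shell
#!/bin/sh
# Added example: a tighter two-NIC NAT ruleset in iptables-restore format.
# Defaults (hypothetical, taken from the thread): eth0 external via DHCP,
# eth1 internal, LAN prefix 192.168.0.0/24.

# gen_nat_rules EXTIF INTIF LAN_CIDR: print the ruleset to stdout.
# Lines beginning with '#' are ignored by iptables-restore.
gen_nat_rules() {
    extif=$1 intif=$2 lan=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade only traffic that really came from the LAN prefix.
-A POSTROUTING -s $lan -o $extif -j MASQUERADE
COMMIT
*filter
# Unlike the HOWTO test script, the NAT box itself is closed by default.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing: our private prefix must never arrive on the outside.
-A INPUT -i $extif -s $lan -j DROP
-A FORWARD -i $extif -s $lan -j DROP
# LAN hosts may talk to the gateway itself (DNS, SSH, ...).
-A INPUT -i $intif -s $lan -j ACCEPT
# DHCP replies for the cable-modem side.
-A INPUT -i $extif -p udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -i $extif -m limit --limit 5/s -j LOG --log-prefix "INPUT-DROP: "
# Forwarding: LAN may initiate outbound; only replies come back in.
-A FORWARD -i $intif -s $lan -o $extif -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $extif -o $intif -d $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m limit --limit 5/s -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

# apply_nat_rules EXTIF INTIF LAN_CIDR: enable forwarding, turn on
# reverse-path filtering on every interface, load the rules (needs root).
apply_nat_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$f"; done
    gen_nat_rules "$1" "$2" "$3" | iptables-restore
}

# Usage: sh nat.sh print [EXTIF INTIF LAN]   (show the ruleset)
#        sh nat.sh apply [EXTIF INTIF LAN]   (load it, as root)
case ${1:-print} in
    print) gen_nat_rules "${2:-eth0}" "${3:-eth1}" "${4:-192.168.0.0/24}" ;;
    apply) apply_nat_rules "${2:-eth0}" "${3:-eth1}" "${4:-192.168.0.0/24}" ;;
esac
```

Run it with `print` first and read the output; `iptables-restore` either installs the whole file or none of it, so a typo cannot leave the box half-configured the way a sequence of `iptables -A` calls can. After `apply`, `iptables -L -n -v` and `iptables -t nat -L -n -v` should show packet counters moving on the MASQUERADE and FORWARD rules when a LAN host browses.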

## klieber

 *dolfin wrote:*   

> My Kernel configured with:
> 
> Network packet filtering and IP: Netfilter Configuration: all but Userspace queueing via NETLINK, stealth match support, NAT of local connections, ARP tables support. Anything else?

 

Are they loaded? (does lsmod show them as being loaded in the kernel)  Also, did you compile them into the kernel or as modules?

 *dolfin wrote:*   

> I got an error (don't know how "real" this error is) that it can't load the modules ip_tables and ip_conntrack.

 

Without the necessary kernel modules, none of this will work, so this is at least one of your problems.

 *dolfin wrote:*   

> My Internet cable connection on eth0 is working fine. But I don't know how to check my LAN...

 

OK, you do have two NICs installed in the computer, right?  eth0 and eth1?  Is eth1 working correctly? (ifconfig eth1)

--kurt

----------

## dolfin

The modules which are loaded are:

```
ipt_MASQUERADE          1312   1  (autoclean)
ipt_LOG                 3200   1  (autoclean)
ipt_state                576   1  (autoclean)
iptable_filter          1728   1  (autoclean)
ip_nat_ftp              3168   0  (unused)
iptable_nat            14068   2  [ipt_MASQUERADE ip_nat_ftp]
ip_conntrack_irc        2464   0  (unused)
ip_conntrack_ftp        3328   0  [ip_nat_ftp]
```

(and the modules of the NICs)

Yes, I've got eth0 and eth1. They are both technically working, but I'm not sure about eth1's configuration.

ifconfig -a:

```
eth1      Link encap:Ethernet  HWaddr 00:50:FC:58:81:FB
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:284 errors:0 dropped:0 overruns:0 frame:0
          TX packets:49 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:57327 (55.9 Kb)  TX bytes:7654 (7.4 Kb)
          Interrupt:11 Base address:0xd000
```

What are the options in the kernel configuration which are responsible for ip_tables and ip_conntrack? Maybe I didn't compile the kernel right, or maybe I didn't compile those modules as modules but as part of the kernel.

----------

## klieber

 *dolfin wrote:*   

> The modules which are loaded are:
> 
> ```
> ipt_MASQUERADE          1312   1  (autoclean)
> ...
> ```

 

You're missing a few:  ip_conntrack and ip_tables and (I think) iptables_mangle, though you may not need that one.

 *dolfin wrote:*   

> Yes, I've got eth0 and eth1 - they are both technicaly working but I'm not sure about eth1's configuration.
> 
> 

 

eth1's config looks fine.  I'd say you're fine there.

 *dolfin wrote:*   

> maybe I hadn't compiled the kernel right

 

That's my guess.  Can you do the following:

```
cat /usr/src/linux/.config | grep IP_NF
```

and post the output here?

Also, go back through your kernel config (using menuconfig or xconfig, whatever you used originally)  There are two places you need to enable netfilter-related stuff:

Networking Options --> Network packet filtering (replaces ipchains)

Networking Options --> IP: Netfilter Configuration  ---> everything in here except the last two (ipchains and ipfwadm)

Note that you don't need everything checked in the second bullet point, but it's just easier to do it this way.  Also, it shouldn't matter if you compile them as modules or into the kernel, but because most of the tutorials and HOWTOs deal with modules, you might leave it that way, just to make things easier on yourself.

If you find that you missed any of the options in the kernel config, then you'll need to recompile your kernel with those options enabled.

--kurt

----------

## dolfin

Here is it:

```
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
# CONFIG_IP_NF_MATCH_STEALTH is not set
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_UNCLEAN=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_MIRROR=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
# CONFIG_IP_NF_NAT_LOCAL is not set
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
# CONFIG_IP_NF_ARPTABLES is not set
```

It seems like I've compiled those two sections as part of the kernel and not as modules.

Should I compile them as modules, or is there another solution?

(Don't make me go through the process of kernel compiling once again!!)

----------

## klieber

 *dolfin wrote:*   

> It seems like I've compiled those two sections as part of the kernel and not as modules.

 

Yep -- that looks fine.  Looking over your rc.firewall script, the reason you're getting the error about not being able to load ip_conntrack is because it's trying to load it as a module.  Since yours is compiled into the kernel, it's complaining about that.

From everything I can see, things should be working.  So, obviously, there's something I'm not seeing.  :Smile: 

Other than the error about loading ip_conntrack, what other error messages are you getting?  Any?  And are you able to ping stuff from that box?  (meaning you are getting a usable DHCP address)  Finally, are you using PPPoE or anything funky like that?

--kurt

----------
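klieber's diagnosis above is the one to remember: the HOWTO script blindly `insmod`s ip_tables and ip_conntrack, and on a kernel where those are `=y` (as dolfin's .config shows) the load fails, harmlessly, because the code is already there. His earlier `grep IP_NF /usr/src/linux/.config` check is also the right way to find out. The following added example, not code from the thread or the HOWTO, turns that check into a small loader: it maps each 2.4-era netfilter module name to its CONFIG_ symbol, reads the kernel .config, and only calls modprobe for things that are actually modules, so a built-in feature is reported instead of producing a confusing error, and a feature that was never enabled is flagged as needing a recompile. The module-to-symbol table covers the modules the posted script loads; `sample_config` is a constructed excerpt of the .config posted in the thread, used for demonstration.

```shell
#!/bin/sh
# Added example: load 2.4-era netfilter modules only when the kernel .config
# says they are modules, instead of trusting insmod's error message.

# nf_symbol MODULE: print the CONFIG_ symbol that builds this module.
# (Table assumed from the 2.4 netfilter Kconfig; extend as needed.)
nf_symbol() {
    case $1 in
        ip_tables)        echo CONFIG_IP_NF_IPTABLES ;;
        ip_conntrack)     echo CONFIG_IP_NF_CONNTRACK ;;
        ip_conntrack_ftp) echo CONFIG_IP_NF_FTP ;;
        ip_conntrack_irc) echo CONFIG_IP_NF_IRC ;;
        iptable_filter)   echo CONFIG_IP_NF_FILTER ;;
        iptable_nat)      echo CONFIG_IP_NF_NAT ;;
        ip_nat_ftp)       echo CONFIG_IP_NF_NAT_FTP ;;
        ipt_MASQUERADE)   echo CONFIG_IP_NF_TARGET_MASQUERADE ;;
        arp_tables)       echo CONFIG_IP_NF_ARPTABLES ;;
        *)                return 1 ;;
    esac
}

# nf_state MODULE CONFIGFILE: print builtin | module | unset | unknown.
# The '=' in the pattern keeps CONFIG_IP_NF_NAT from matching
# CONFIG_IP_NF_NAT_NEEDED.
nf_state() {
    sym=$(nf_symbol "$1") || { echo unknown; return 1; }
    if grep -q "^$sym=y" "$2"; then
        echo builtin
    elif grep -q "^$sym=m" "$2"; then
        echo module
    else
        echo unset
    fi
}

# load_nf MODULE CONFIGFILE: modprobe only what is really a module.
load_nf() {
    case $(nf_state "$1" "$2") in
        builtin) echo "$1: built into the kernel, nothing to load" ;;
        module)  /sbin/modprobe "$1" || { echo "$1: modprobe failed" >&2; return 1; } ;;
        unset)   echo "$1: not enabled in the kernel config, recompile" >&2; return 1 ;;
        *)       echo "$1: no CONFIG_ mapping known" >&2; return 1 ;;
    esac
}

# Constructed excerpt of the .config posted earlier in the thread.
sample_config() {
cat <<'EOF'
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_NAT_FTP=m
# CONFIG_IP_NF_ARPTABLES is not set
EOF
}

# Usage: sh nf-load.sh load [/path/to/.config]   (modprobe needs root)
if [ "${1:-}" = load ]; then
    cfg=${2:-/usr/src/linux/.config}
    for m in ip_tables ip_conntrack ip_conntrack_ftp ip_conntrack_irc \
             iptable_filter iptable_nat ip_nat_ftp ipt_MASQUERADE; do
        load_nf "$m" "$cfg" || true
    done
fi
```

On dolfin's kernel this prints "ip_tables: built into the kernel, nothing to load" and "ip_conntrack: built into the kernel, nothing to load", then modprobes the rest, which matches the lsmod output he posted. The same approach works for any netfilter feature the ruleset needs: if `nf_state` says `unset`, no amount of scripting will help and the kernel has to be rebuilt.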

## dolfin

The other box doesn't get any packets at all. Can't ping, can't do anything.

Everything else looks fine.

Maybe I configured my networking wrong?

I don't know what PPPoE is, so I guess I'm not using it  :Smile: 

eth0 is connected to a cable modem, so I use dhcpcd.

But with eth1 I didn't do anything...

Its module is loaded, that's what I can tell.

----------

## Nitro

Sounds more like a networking problem, as you suggested.  Let's see if we can troubleshoot your problems.  :Wink:   First I need you to provide us with some information.  

What is connected to each ethernet card?  I read that you have eth0 connected to your modem, and am assuming eth1 is connected to internal network, and uses a private IP range. 

Explain your network, like what computers are on your internal network so we know what we can test stuff against.

Give us a dump of your IP configuration with 'ifconfig'.

Show us your routes with 'route -n'

If you could put your info in [code] tags, it would be greatly appreciated, and much easier to read.

----------

## dolfin

1) You're right. I've got a cable modem connected to eth0. This card and modem are working perfectly (you see, I can write in this forum!)  :Smile: . eth1 is connected directly to another computer which is running Windows 2000 Pro. (Its configuration hasn't changed since I moved to Gentoo.)

2) a) my computer - x86 Gentoo machine.
   b) the second computer - x86 Win2000Pro machine.

3) ifconfig

```
eth0      Link encap:Ethernet  HWaddr 00:01:02:9D:F0:F0
          inet addr:199.203.56.44  Bcast:255.255.255.255  Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING  MTU:1500  Metric:1
          RX packets:149569 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10242 errors:0 dropped:0 overruns:0 carrier:0
          collisions:160 txqueuelen:100
          RX bytes:21696321 (20.6 Mb)  TX bytes:4275193 (4.0 Mb)
          Interrupt:11 Base address:0xc400

eth1      Link encap:Ethernet  HWaddr 00:50:FC:58:81:FB
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:254 errors:0 dropped:0 overruns:0 frame:0
          TX packets:348 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:26336 (25.7 Kb)  TX bytes:62431 (60.9 Kb)
          Interrupt:11 Base address:0xc000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:111 errors:0 dropped:0 overruns:0 frame:0
          TX packets:111 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:8118 (7.9 Kb)  TX bytes:8118 (7.9 Kb)
```

4) What does this say?

route -n

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
199.203.56.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         199.203.56.254  0.0.0.0         UG    0      0        0 eth0
```

Gil

----------

## klieber

 *dolfin wrote:*   

> eth1 is connected directly to another computer which running Windows 2000 Pro. 

 

Is it connected via a crossover cable or a straight-through cable?

EDIT:  Also, can you post the result of:

```
ipconfig /all
```

 on the windows 2000 box here?

--kurt

----------

## Snoopy

Sounds to me that he is not using a crossover cable but a straight-through cable. If all the settings are correct, then this is a hardware problem (IF all the settings are correct). Whether he is not using a crossover or one of his NICs is bad, it's something in that area.

----------

## kai

The first thing would be to see if you could ping yourself on the client. The second would be to ping the NAT box. Troubleshooting effort is wasted without properly identifying the problem.

----------
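kai's point is the right order of operations: establish which hop is dead before touching iptables. The same ladder, run from the NAT box side, is loopback, then the box's own LAN address, then the client, then the ISP's default gateway; the first hop that fails tells you whether the problem is the interface, the cable (klieber's crossover question), the Windows box's configuration, or the upstream link. The following is an added example, not from the thread, that runs that ladder and stops at the first failure. The default gateway is read from `route -n` output; the LAN address 192.168.0.1 comes from the posted configuration, while the client address 192.168.0.2 is a hypothetical placeholder for whatever the Windows 2000 box has. `ping -c 1 -W 2` is assumed to be the Linux iputils ping; `sample_routes` is a constructed copy of the route table posted above.

```shell
#!/bin/sh
# Added example: the ping ladder from the NAT box, stopping at the first
# hop that fails so the fault is localised before any firewall debugging.

# default_gw: print the default gateway from `route -n` text on stdin.
default_gw() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $2; exit }'
}

# ladder_targets LAN_IP CLIENT_IP [EXTERNAL_HOST] < route_output:
# print the hops to test, one per line, nearest first.
ladder_targets() {
    gw=$(default_gw)
    printf '%s\n' 127.0.0.1 "$1" "$2"
    if [ -n "$gw" ]; then printf '%s\n' "$gw"; fi
    if [ -n "${3:-}" ]; then printf '%s\n' "$3"; fi
}

# run_ladder LAN_IP CLIENT_IP [EXTERNAL_HOST]: ping each hop once and
# report; stop at the first failure, which is where to start looking.
run_ladder() {
    route -n | ladder_targets "$1" "$2" "${3:-}" | while read -r host; do
        if ping -c 1 -W 2 "$host" >/dev/null 2>&1; then
            echo "ok   $host"
        else
            echo "FAIL $host  <- investigate this hop first"
            break
        fi
    done
}

# Constructed copy of the `route -n` output posted in the thread.
sample_routes() {
cat <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
199.203.56.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         199.203.56.254  0.0.0.0         UG    0      0        0 eth0
EOF
}

# Usage: sh ladder.sh run [LAN_IP] [CLIENT_IP] [EXTERNAL_HOST]
if [ "${1:-}" = run ]; then
    run_ladder "${2:-192.168.0.1}" "${3:-192.168.0.2}" "${4:-}"
fi
```

If 192.168.0.1 answers but the client does not, the problem is between the two NICs (cable type, link state, or the Windows box's address and mask), not NAT. If the client answers but the gateway does not, the upstream side is the issue. Only when every hop answers from the NAT box is it worth repeating the test from the client, where a failure to reach the gateway with the NAT box reachable points at the client's default route, and a failure beyond it points at forwarding or masquerading.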

