# Newbie Question about Internet Sharing

## Syntech

Hi!

I'm done with my Gentoo 1.4 rc4 install, but I can't get my box to share the internet connection.

I have 2 network adapters in the gentoo box (eth0 = dhcp -> Internet & eth1 at IP:192.168.0.1)

My Windows box has IP: 192.168.0.10 and default gateway 192.168.0.1 connected to eth1 on the gentoo box.

Can someone please just post a simple iptables explanation of how to do it, since I found the iptables howtos to be a bit confusing...

It would be nice to have the firewall stop all incoming traffic (deny all), and a short explanation of how to open just certain ports (my girlfriend is playing EverQuest on the Windows box).

Anders Kallander

----------

## Zombie[BRAAAINS]

OK, here's what I understand of your setup:

Internal interface: eth1

External interface: eth0

Internal IP/SN: 192.168.0.1/24 (or 192.168.0.1/255.255.255.0)

External IP/SN: I don't know, so just enter it where you see ${XIP}

```
# Clear the tables
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F

# Set the default policies (blocks everything)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Set up SNAT (this is the main thing you were asking about)
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j SNAT --to-source ${XIP}

# Open up your loopback wide
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

# Open your internal interface wide
# EDIT: Correcting a typo. Original (incorrect) line commented.
#iptables -t filter -A INPUT -i eth1 -j ACCEPT
# EDIT: AARGH! Double-tard. Original (incorrect) lines commented.
#iptables -t filter -A INPUT -i eth0 -j ACCEPT
#iptables -t filter -A OUTPUT -o eth0 -j ACCEPT
iptables -t filter -A INPUT -i eth1 -j ACCEPT
iptables -t filter -A OUTPUT -o eth1 -j ACCEPT

# Allow all packets to leave (target names are case-sensitive: ACCEPT)
iptables -t filter -A OUTPUT -s ${XIP}/32 -o eth0 -j ACCEPT

# Allow forwarding from the inside
iptables -t filter -A FORWARD -s 192.168.0.0/24 -i eth1 -o eth0 -j ACCEPT

# Allow packets back in that are a part of a connection
# that originated from inside the network, or any that we have explicitly
# allowed elsewhere.
iptables -t filter -A INPUT -d ${XIP}/32 -m state --state ESTABLISHED,RELATED -i eth0 -j ACCEPT
iptables -t filter -A FORWARD -d 192.168.0.0/24 -m state --state ESTABLISHED,RELATED -o eth1 -j ACCEPT

# Turn on ip forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
```

That should get your basic firewall/router set up. As for allowing connections to your services, here's how:

```
# Here's one if you're running a DNS server on the firewall. DNS
# is supposed to listen on both the TCP and UDP protocols, that's why the
# two lines below.
iptables -t filter -A INPUT -d ${XIP}/32 -p tcp -m state --state NEW -i eth0 --syn --destination-port 53 -j ACCEPT
iptables -t filter -A INPUT -d ${XIP}/32 -p udp -m state --state NEW -i eth0 --destination-port 53 -j ACCEPT

# You may notice that only one particular packet is allowed here.
# That's because the ESTABLISHED,RELATED section above will recognize
# that a new connection has been established. Also, the UDP rule does not
# check for a SYN packet. This is because there are no SYN packets in the
# UDP protocol.

# Setting up a connection to another computer inside the firewall is a little
# trickier. You must allow that first packet through, and you must also tell
# the firewall where to send the information.

# First, tell it where to send the packet. This example is for a webserver.
iptables -t nat -A PREROUTING -i eth0 -d ${XIP}/32 -p tcp --dport 80 -j DNAT --to-destination ${YOUR_SERVER_INTERNAL_IP}

# Then allow that initial packet through. Since a web server operates with
# the TCP protocol, we'll check for a SYN packet.
iptables -t filter -A FORWARD -d ${YOUR_SERVER_INTERNAL_IP} -p tcp -m state --state NEW -i eth0 -o eth1 --syn --destination-port 80 -j ACCEPT
```

That should about do it. 'man iptables' gives some fairly decent documentation. I don't know if EverQuest requires the ability to accept incoming connections. Their website should have more info. What I would suggest is just getting the NAT set up first, make sure browsing works, and then try out EverQuest. If it fails for you but browsing works, then look into setting up incoming NAT.

Oh, one more thing. You'll probably have to force the DNS to whatever you find in /etc/resolv.conf on the Windows machine. Good luck!

----------

## Syntech

Hi!

Will try it now ...

eth0 is using DHCP and that's why I don't know the IP, since my ISP provides me with one. Usually it is in the range 213.65.51.x, but I'm sure there is an iptables command for DHCP too... I'll check it out and post a message if I can't get it to work...

Thank you for the answer.

Anders Kallander

----------

## ruomad

Hi,

I'm simply doing:

```
iptables -t nat -A POSTROUTING -j MASQUERADE
```

And it seems to work...

Is there anything wrong with that?

I'm also running iptables as a service (rc-update add iptables default), and it will save this rule and apply it again when you reboot.

Please comment on this if I'm wrong?

----------

## ruomad

oops !

I mean:

```
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
```

----------

## Zombie[BRAAAINS]

No, I can't say there's really anything wrong with that, but your computer is acting as simply a router instead of a firewall/router. Also, masquerading is a bit more limited in terms of what it can do and what kind of restrictions you can place on it, and if you want to do any firewall debugging while it's running you're going to take down everyone behind you instead of interrupting the connection for a second or two. None of this is probably a concern on a dialup connection. If you have a static / mostly static IP, you're probably better off with SNAT.

----------

## Syntech

Hi again!

Hmmm ... seems to be a problem here.

I did put all commands in a script. And before I ran it I could ping 192.168.0.10 (from server -> my client), and 192.168.0.1 (from client -> my server) All seems to work ok. But after I run the script I can't ping either way. I tried to lynx www.sunet.se and it seemed to work fine, so the connection from my server to the outside world works, but not my internal network.

The script seems to work ok (no errors displayed anyway) and I changed the ${XIP} to my external IP received from my ISP.

Actually I put the line MY_EXT_IP=213.65.51.204 at the top of the script and replaced all ${XIP} with $MY_EXT_IP.

Any suggestions?

Anders Kallander

----------

## Zombie[BRAAAINS]

Oops... sorry. There's a typo here:

```
# Open your internal interface wide
iptables -t filter -A INPUT -i eth1 -j ACCEPT
iptables -t filter -A OUTPUT -o eth0 -j ACCEPT
```

eth1 on the first line should be eth0.

----------

## Syntech

This maybe will be of interest:

On my client (Windows box):

```
IP Address      : 192.168.0.10
Subnet mask     : 255.255.255.0
Default gateway : 192.168.0.1
```

On my server (Linux box):

```
IP Address (eth0) : 213.65.51.204
Subnet mask       : 255.255.255.0
IP Address (eth1) : 192.168.0.1
Subnet mask       : 255.255.255.0
```

Cheers

----------

## Syntech

hehe will try it right on ...

----------

## Syntech

Still no success ....

I'm probably missing something here...

No www connection on the Windows box. And when I try to ping my client from the server I get:

```
ping 192.168.0.10
ping: sent 64 octets to 192.168.0.10, ret=-1
sendto: Operation not permitted
...
...
```

----------

## Zombie[BRAAAINS]

Hmm... sounds like there probably is a typo. Could you post the results of these two commands?

```
iptables --list -v
iptables --list -t nat -v
```

----------

## Zombie[BRAAAINS]

Bleh... I gotta stop posting from work. That typo I told you to fix... I told you to fix it wrong. Here's the right lines:

```
# Open your internal interface wide
# EDIT: Correcting a typo. Original (incorrect) line commented.
#iptables -t filter -A INPUT -i eth1 -j ACCEPT
# EDIT: AARGH! Double-tard. Original (incorrect) lines commented.
#iptables -t filter -A INPUT -i eth0 -j ACCEPT
#iptables -t filter -A OUTPUT -o eth0 -j ACCEPT
iptables -t filter -A INPUT -i eth1 -j ACCEPT
iptables -t filter -A OUTPUT -o eth1 -j ACCEPT
```

That SHOULD do it :)
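To see concretely why the earlier versions of those two "internal interface" lines behaved the way they did, here is an added example (my own, not code from anyone in this thread): a small first-match model of the three filter chains from the script. Rules are walked in order, the first match decides, and anything unmatched falls to the chain's DROP policy, which for the OUTPUT chain is what the kernel reports to ping as "sendto: Operation not permitted". The external address 213.65.51.204 and the 192.168.0.0/24 network are the ones posted above; the outside hosts 198.51.100.7 and 203.0.113.5 are constructed documentation addresses, and the packets themselves are constructed samples.

```python
"""First-match model of the thread's iptables filter chains (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

XIP = "213.65.51.204"      # external address posted in the thread
LAN = "192.168.0.0/24"     # internal network from the thread

ESTABLISHED = frozenset({"ESTABLISHED", "RELATED"})


@dataclass(frozen=True)
class Packet:
    chain: str                    # INPUT, OUTPUT or FORWARD
    src: str
    dst: str
    in_if: Optional[str] = None   # arriving interface (-i); None if locally generated
    out_if: Optional[str] = None  # leaving interface (-o); None if locally delivered
    proto: str = "icmp"
    dport: Optional[int] = None
    state: str = "NEW"            # conntrack state as "-m state" would see it
    syn: bool = False             # TCP SYN flag, for --syn


@dataclass(frozen=True)
class Rule:
    target: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[frozenset] = None
    syn: bool = False

    def matches(self, p: Packet) -> bool:
        """Every criterion given on the rule must hold, like one iptables rule."""
        def in_net(spec: Optional[str], addr: str) -> bool:
            return spec is None or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

        return (
            (self.in_if is None or self.in_if == p.in_if)
            and (self.out_if is None or self.out_if == p.out_if)
            and in_net(self.src, p.src)
            and in_net(self.dst, p.dst)
            and (self.proto is None or self.proto == p.proto)
            and (self.dport is None or self.dport == p.dport)
            and (self.states is None or p.state in self.states)
            and (not self.syn or (p.proto == "tcp" and p.syn))
        )


def build_chains(input_if: str, output_if: str) -> Dict[str, List[Rule]]:
    """The filter rules from the script above. input_if/output_if are the
    interfaces named in the two 'open your internal interface wide' lines:
    ("eth1", "eth0") as first posted, ("eth0", "eth0") after the mistaken
    'eth1 should be eth0' correction, ("eth1", "eth1") in the final version."""
    return {
        "INPUT": [
            Rule("ACCEPT", in_if="lo"),
            Rule("ACCEPT", in_if=input_if),
            Rule("ACCEPT", dst=XIP + "/32", in_if="eth0", states=ESTABLISHED),
        ],
        "OUTPUT": [
            Rule("ACCEPT", out_if="lo"),
            Rule("ACCEPT", out_if=output_if),
            Rule("ACCEPT", src=XIP + "/32", out_if="eth0"),
        ],
        "FORWARD": [
            Rule("ACCEPT", src=LAN, in_if="eth1", out_if="eth0"),
            Rule("ACCEPT", dst=LAN, out_if="eth1", states=ESTABLISHED),
        ],
    }


def verdict(chains: Dict[str, List[Rule]], p: Packet, policy: str = "DROP") -> str:
    """Walk the chain in order; the first matching rule decides, else the policy."""
    for rule in chains[p.chain]:
        if rule.matches(p):
            return rule.target
    return policy


# Constructed sample traffic. 198.51.100.7 and 203.0.113.5 are documentation
# addresses standing in for arbitrary Internet hosts.
PACKETS = {
    "server_ping":     Packet("OUTPUT", "192.168.0.1", "192.168.0.10", out_if="eth1"),
    "unsolicited_ssh": Packet("INPUT", "198.51.100.7", XIP, in_if="eth0", proto="tcp", dport=22, syn=True),
    "client_browse":   Packet("FORWARD", "192.168.0.10", "203.0.113.5", in_if="eth1", out_if="eth0", proto="tcp", dport=80, syn=True),
    "browse_reply":    Packet("FORWARD", "203.0.113.5", "192.168.0.10", in_if="eth0", out_if="eth1", proto="tcp", state="ESTABLISHED"),
}

VERSIONS = [("eth1", "eth0"), ("eth0", "eth0"), ("eth1", "eth1")]


def compare() -> Dict[str, Tuple[str, str, str]]:
    """Verdict for each packet under (first posted, mistaken fix, final) rules."""
    return {
        name: tuple(verdict(build_chains(i, o), p) for i, o in VERSIONS)
        for name, p in PACKETS.items()
    }


if __name__ == "__main__":
    for name, results in compare().items():
        print(f"{name:16s} first={results[0]:6s} mistaken={results[1]:6s} final={results[2]}")
```

Running it shows the two failure modes side by side: the first-posted lines and the "eth1 should be eth0" correction both leave the server unable to send to 192.168.0.10 (nothing in OUTPUT accepts `-o eth1`), and the correction additionally accepts any new connection arriving on eth0, so the box stops being a firewall on the Internet side. Only the final eth1/eth1 version passes LAN traffic while keeping eth0 closed to everything but replies to connections started from inside.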

----------

## Syntech

I'll try it immediately!

anyway... here are the dumps (maybe not needed now):

```
iptables --list -v

Chain INPUT (policy DROP 1 packets, 60 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
   10  1512 ACCEPT     all  --  eth0   any     anywhere             anywhere
    0     0 ACCEPT     all  --  eth0   any     anywhere             h204n2fls34o282.telia.com  state RELATED,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth1   eth0    192.168.0.0/24       anywhere
    0     0 ACCEPT     all  --  any    eth1    anywhere             192.168.0.0/24       state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    lo      anywhere             anywhere
   10   734 ACCEPT     all  --  any    eth0    anywhere             anywhere
    0     0 ACCEPT     all  --  any    eth0    h204n2fls34o282.telia.com  anywhere
```

```
iptables --list -t nat -v

Chain PREROUTING (policy ACCEPT 5 packets, 993 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 6 packets, 478 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  any    eth0    192.168.0.0/24       anywhere             to:213.65.51.204

Chain OUTPUT (policy ACCEPT 6 packets, 478 bytes)
 pkts bytes target     prot opt in     out     source               destination
```

----------

## Syntech

Now the pinging works in all directions! whoa!

Now all I have to do to get www to work is like this, I guess:

```
iptables -t nat -A PREROUTING -i eth0 -d ${XIP}/32 -p tcp --dport 80 -j DNAT --to-destination ${YOUR_SERVER_INTERNAL_IP}
iptables -t filter -A FORWARD -d ${YOUR_SERVER_INTERNAL_IP} -p tcp -m state --state NEW -i eth0 -o eth1 --syn --destination-port 80 -j ACCEPT
```

Thanks for your help, I appreciate it a lot.... now I'm introduced to the wonderful world of iptables and I will study examples a lot, kinda fun :)

I will also check out the documents on iptables to fully understand what the commands you gave me do.

Thank you

----------

## Zombie[BRAAAINS]

Glad I could help. I've certainly gotten enough help on these forums :)

Yep, those are the relevant lines, should work fine.

----------

## djco

This is gonna be a great help, but I have two more questions:

- Is it possible to use iptables directly from the LiveCD, without following through with much of the Gentoo installation?

- Is there a way to handle an IP that changes for this? My ISP sometimes changes my IP (which is assigned by DHCP), and it would be annoying to have to go in and change the code every time they do this.

----------

## Genone

The LiveCD contains iptables, I've used this several times for my router (at least it was on the 1.4-rc1 LiveCD). For a dynamic IP you should use the MASQUERADE target of iptables instead of SNAT. Just change the SNAT line in the script to 

```
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
```

You can also completely automate the iptables stuff if you edit /etc/conf.d/iptables and run the following:

```
/etc/init.d/iptables save
rc-update add iptables default
```

----------

