Linux: Internet Connection Sharing

July 5th, 2011

Despite being a basic task for those who manage Linux networks, Internet connection sharing can be a real hurdle for beginners who want to use Linux as the gateway for their LAN.

The first thing we need to understand is NAT, or Network Address Translation. Also called masquerading (masking), it is the process of translating IP addresses from one network to another. In the case of Internet sharing, NAT translates between the local network's IP addresses and the Internet IP address, allowing the machines on your local network to access the Internet. Thus, a single Internet IP address can be shared with the entire local network. At the gateway, each data packet is translated by NAT and is recognized as coming from the Internet IP; that is, regardless of the computer's IP address on the local network, all packets go out to the Internet with the Internet IP as their source. When a packet returns, NAT translates it back and directs it to the source computer.

Sharing the Internet connection

Before we start configuring our Internet sharing gateway, let's check the environment to be used. For the settings to work smoothly you will need an environment like this:

  • A working connection with an Internet service provider;
  • A machine with Debian or Ubuntu installed;
  • Two network cards installed, one of which should already be configured with the settings of your Internet service provider;
  • A hub or switch to distribute Internet access across multiple computers.

Below is a simple suggestion of network topology:

[Figure: LAN: a simple network topology]

Enabling packet forwarding

The first configuration step is to enable IP packet forwarding. For this we have two alternatives. The first is to write 1 into the ip_forward file, and the second is to change the sysctl.conf file.

Writing to the ip_forward file:

# echo 1 > /proc/sys/net/ipv4/ip_forward

Change the sysctl.conf file:

# vi /etc/sysctl.conf

Remove the # sign from the line:

net.ipv4.ip_forward = 1

Save the file with “:wq”. For more information about the sysctl.conf file, simply enter the command:

# man sysctl.conf

Configuring IP Gateway

Let’s follow the example topology above and assume that we have two network cards: we will use the card named eth0 for Internet access (WAN) and the card named eth1 for the local network (LAN).

Tip: to find out more about our network cards, we can use the command:

# cat /var/log/dmesg | grep eth

This command should return the network chipset and the name assigned by Linux.

After verifying the network cards and connecting the cables, which were “made” to the CAT5e standard, we manually configure the network information. Since we are using Debian Lenny (Debian 5.0) or Ubuntu Jaunty (Ubuntu 9.04), the settings are in /etc/network/interfaces. Let’s edit it:

# vi /etc/network/interfaces

The file should look like the example below:

auto lo
iface lo inet loopback

allow-hotplug eth0
iface eth0 inet dhcp

allow-hotplug eth1
iface eth1 inet static
address 192.168.0.1
netmask 255.255.255.0

Note that we do not specify a gateway address on the card that will be responsible for receiving all traffic from the local network (LAN). This is because this machine is itself the gateway of the LAN.

In Ubuntu, the default configuration uses auto eth0 instead of allow-hotplug eth0.

If your Internet connection is using fixed IP, then the eth0 settings may be similar to this:

allow-hotplug eth0
iface eth0 inet static
address 200.174.144.20
netmask 255.255.255.240
broadcast 200.174.144.31
gateway 200.174.144.17

 

Using IPTables to share the Internet connection

IPTables is the software responsible for configuring packet filtering rules. Before using IPTables to share Internet access, we need to load the required kernel modules.

# modprobe ip_tables
# modprobe iptable_nat

The modprobe command is responsible for, among other tasks, adding or removing modules in the Linux kernel. The ip_tables and iptable_nat modules give the kernel the ability to filter data packets and to “translate” IP addresses from one network to another.

Now let’s clear any pre-existing rules in iptables, so we can ensure the correct operation of NAT and packet forwarding:

# iptables -F INPUT
# iptables -F OUTPUT
# iptables -F FORWARD
# iptables -t nat -F
# iptables -t mangle -F

The lines above clear the rules for input, output, forwarding, address “translation” (nat) and packet alteration (mangle).

Finally, we enable NAT for the forwarded packets via iptables:

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Understanding the parameters passed to IPTables on the line above:

-t nat – uses the IP address “translation” table;
-A POSTROUTING – appends the rule to the chain that handles outgoing packets;
-o eth0 – specifies that the outgoing interface used is eth0;
-j MASQUERADE – says that the target of the rule is IP masquerading.

Testing the Internet connection

To test whether the settings worked, just use ping from a client machine on the network. For example:

# ping www.google.com.br

 

Monitoring the packet transfer

[Figure: Monitoring interfaces with iftop]

Iftop is a great utility for monitoring the transfer of packets between your LAN and the Internet. With it we can see, in real time, which sites are accessed and measure the throughput. To install iftop in Debian Lenny (Debian 5.0) or Ubuntu Jaunty (Ubuntu 9.04) just run the command:

# apt-get install iftop

To use it, you simply specify the network interface (card) you want to monitor. In our example topology, the card named eth0 is responsible for Internet traffic. To monitor it we use the command:

# iftop -i eth0

If you have created a script with the above settings, you can have it run automatically at system startup with the command below (replace <script-name> with the name of your script):

# update-rc.d <script-name> defaults

Now, you can try your internet connection.
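
The steps above collected into one script, as an added example rather than the author's own code. It goes beyond the article in one respect: after the flush it sets the FORWARD policy to DROP and forwards only LAN-to-Internet traffic and its replies, because flushed chains with the default ACCEPT policy would forward anything routed through the gateway. The print/apply modes and the interface-name check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the article's own script. eth0/eth1 follow the article's
# topology; the print/apply modes and FORWARD rules are this example's additions.
WAN_IF="${WAN_IF:-eth0}"   # Internet-facing card
LAN_IF="${LAN_IF:-eth1}"   # local-network card
MODE="print"               # "print" lists the commands, "apply" runs them

# Accept only plain interface names so nothing unexpected reaches iptables.
valid_if() {
    case "$1" in
        ""|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print or execute one command, depending on MODE.
run() {
    if [ "$MODE" = "apply" ]; then "$@"; else echo "$*"; fi
}

gateway_rules() {
    valid_if "$WAN_IF" && valid_if "$LAN_IF" || return 1
    [ "$WAN_IF" != "$LAN_IF" ] || return 1
    run modprobe ip_tables &&
    run modprobe iptable_nat &&
    # Same effect as the article's echo into /proc/sys/net/ipv4/ip_forward.
    run sysctl -w net.ipv4.ip_forward=1 &&
    run iptables -F INPUT &&
    run iptables -F OUTPUT &&
    run iptables -F FORWARD &&
    run iptables -t nat -F &&
    run iptables -t mangle -F &&
    # Beyond the article: forward only LAN -> WAN traffic and its replies.
    run iptables -P FORWARD DROP &&
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT &&
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT &&
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# "sh gateway.sh apply" as root configures the machine; any other
# invocation only prints the commands that would be run.
if [ "${1:-}" = "apply" ]; then MODE="apply"; fi
gateway_rules
```

Run it without arguments first to review the command list, then with apply as root once the interface names match your machine.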