There are several different ways to set up routing from your LAN to the Internet. You can have a dedicated router or you can have a computer already connected to your LAN that will act as a router. This section describes how to use your Red Hat Linux computer as a router.
A computer may have several network interfaces, such as a loopback, an Ethernet LAN, a direct line to another computer, or a dial-up interface. For a client computer to use a router to reach the Internet, it may have private IP addresses assigned to computers on the LAN, while the connection to a routing computer would act as the gateway to all other addresses.
Here's an example of Red Hat Linux being used as a router between a LAN and the Internet:
The Red Hat Linux system has at least two network interfaces: one to the office LAN and one to the Internet. The interface to the Internet may be a dial-up PPP connection or a higher-speed DSL or cable modem connection.
Packets on the LAN that are not addressed to a known computer on the LAN are forwarded to the router (that is, the Red Hat Linux system acting as a router). So, each client identifies that Red Hat Linux system as the gateway system.
The Red Hat Linux "router" firewall is set up to receive packets from the local LAN, then forwards those packets to its other interface (possibly a PPP connection to the Internet). If the LAN uses private IP addresses, the firewall is also configured to use IP masquerading or Network Address Translation.
The following sections describe how to set up the Red Hat Linux router, as well as the client computers from your LAN (Red Hat Linux and MS Windows clients) that will use this router. Using Red Hat Linux as a router also provides an excellent opportunity to improve the security of your Internet connection by setting up a firewall to filter traffic and hide the identity of the computers on your LAN (IP masquerading).
To configure your Red Hat Linux computer as a router, you need to have a few things in place. Here's what you need to do before you set up routing:
Connect to your LAN.???Add a network card and optionally set up the addresses in /etc/hosts to the computers on your LAN (as described in Chapter 15) or using DHCP (as described in Chapter 23).
Connect to the Internet.???Set up a dial-up or other type of connection from your Red Hat Linux computer to your ISP. This is described earlier in this chapter in the section on setting up outgoing PPP connections.
Configure your Red Hat Linux computer as a router.???See the rest of this section.
The type of IP addresses you are using on your LAN will have an impact on a couple of steps in this procedure. Here are the differences:
Private IP addresses — If the computers on your LAN use private IP addresses (described in Chapter 15), you need to set up Linux as a firewall to do IP masquerading or NAT (as described in Chapter 14). Because those numbers are private, they must be hidden from the Internet when the Red Hat Linux router forwards their requests. Packets forwarded with masquerading or NAT look to the outside world as though they came from the Red Hat Linux computer forwarding the packets.
Valid IP addresses — If your LAN uses addresses that were officially assigned by your ISP or other registration authority, you don't need to do IP masquerading or NAT.
With your Red Hat Linux computer's LAN and Internet interfaces in place, follow the procedure below to set up Red Hat Linux as a router. Once this procedure is completed, any client computer on your LAN can identify your Red Hat Linux computer as its gateway so it can use Red Hat Linux to get to the Internet.
Open the /etc/sysconfig/network file in a text editor as the root user. Then add either a default gateway or default gateway device as described below.
Your default gateway is where IP addresses are sought that are not on any of your local interfaces. This is where you would identify your Internet connection. Here is how you choose which one to enter:
Default Gateway — If there is a static IP address you use to reach the Internet, enter that IP address here. For example, if your Internet connection went through a DSL modem connected to your NIC card at address 192.168.0.1, you would enter that address as follows:
Default Gateway Device — If you reach the Internet using a dynamic address that is assigned when you connect to a particular interface, you would enter that interface here. For example, if you had a dial-up interface to the Internet on the first PPP device, you would enter ppp0 as the default gateway device as follows:
When you are done, the contents of this file should look similar to the following:
NETWORKING=yes HOSTNAME='maple.handsonhistory.com' DOMAINNAME='handsonhistory.com' #GATEWAY= GATEWAYDEV=ppp0
In this case, the computer is configured to route packets over a dial-up connection to the Internet (ppp0).
Turn on IP packet forwarding. One way to do this is to change the value of net.ipv4.ip_forward to 1 in the /etc/sysctl.conf file. Open that file as root user with any text editor and change the line to appear as follows:
net.ipv4.ip_forward = 1
If the computers on your LAN have valid IP addresses, skip ahead to the section on configuring Red Hat Linux routing clients. If your computers have private IP addresses, continue with this procedure.
The lines shown below for configuring your iptables or ipchains firewall to do IP masquerading should be used in addition to your other firewall rules. They do not, in themselves, represent a secure firewall, but merely describe how to add masquerading to your firewall. See Chapter 14 for details about how to configure a more complete firewall and when to use NAT versus IP masquerading.
To get IP masquerading going on your Red Hat Linux router, you need to define which addresses will be masqueraded and forwarded. The procedure is different, depending on whether you are using ipchains or iptables for your firewall.
If you are not sure which, if any, firewall is configured for your computer, type iptables -L and ipchains -L. The resulting output will display firewall rules for the one that is working and an "Incompatible with this kernel" message for the one that is not. In the current Red Hat Linux version, iptables is the default firewall.
The following examples assume that you are masquerading all computers on your private LAN 10.0.0 (i.e. 10.0.0.1, 10.0.0.2, etc.) and routing packets from that LAN to the Internet over your dial-up (ppp0) interface.
For iptables, type the following as root user:
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE # iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT # iptables -A FORWARD -d 10.0.0.0/24 -j ACCEPT # iptables -A FORWARD -s ! 10.0.0.0/24 -j DROP
The previous commands turn on masquerading in the NAT table by appending a POSTROUTING rule (-A POSTROUTING) for all outgoing packets on the first dial-up PPP interface (-o ppp0). The next two lines accept forwarding for all packets from (-s) and to (-d) the 10.0.0 network (10.0.0.0/24). The last line drops packets that don't come from the 10.0.0 network.
The above lines add rules to your running iptables firewall in the Linux kernel. To make the current rules permanent, save the current rules as follows:
# cp /etc/sysconfig/iptables /etc/sysconfig/iptables.old # iptables-save > /etc/sysconfig/iptables
This copies all the current rules to the iptables file, from which the rules are read each time you reboot your system. If the new rules don't work, just copy the iptables.old file back to the original iptables file.
For ipchains, add these lines to /etc/sysconfig/ipchains file (key lines in bold):
:input ACCEPT :forward ACCEPT -P forward DENY -A forward -i ppp0 -s 10.0.0.0/255.255.255.0 -j MASQ :output ACCEPT
At this point, you may want to restart your network as follows:
# /etc/init.d/network restart
Then, depending on which type of firewall you are using, type one of the following:
# /etc/init.d/iptables restart
# /etc/init.d/ipchains restart
To see if your new rules have gone into effect, type iptables -L or ipchains -L (again, depending on which firewall you are using). All current rules are displayed.
If the route to the Internet from Linux is being provided by a dial-up connection, you probably want to turn on on-demand dialing (as described earlier in this chapter).
In this example, there are a variety of Red Hat Linux and Windows operating system clients on a LAN. One Red Hat Linux computer has a connection to the Internet and is set up to act as a router between the Internet and the other computers on the LAN (as described previously). To be able to reach computers on the Internet, each client must be able to do the following:
Resolve the names it requests (for example, www.redhat.com) into IP addresses.
Find a route from the local system to the remote system, using its network interfaces.
Each Red Hat Linux client computer knows how to find another computer's address based on the contents of the /etc/host.conf, /etc/hosts, and /etc/resolv.conf files. The contents of the host.conf file, by default, is the following:
This tells your system to check for any host names (hosts) that you request by first checking the contents of the /etc/hosts file and then checking with name servers that are identified in the /etc/resolv.conf file. In our case, we will put the addresses of the few hosts we know about on our private network (whether on the LAN, direct connection, or other network interface) in the /etc/hosts file. Then, the system knows to resolve addresses using a DNS server (bind) based on addresses of name servers we add to the /etc/resolv.conf file.
Next, each client machine must know how to get to the Internet. Do this by adding a default route (sometimes called a gateway) to each client. To permanently add a default route on the client Red Hat Linux system, do the following:
Set the default route to point to the router. This entails setting the GATEWAY or GATEWAYDEV value in the /etc/sysconfig/network file as described in the previous procedure. (This time, the address will point to the LAN interface of the router.)
Restart your network interfaces by typing the following as root user:
# /etc/init.d/network restart
When the computer comes back up, type the following:
# netstat -r Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 10.0.0.0 * 255.255.255.0 U 0 0 0 eth0 127.0.0.0 * 255.0.0.0 U 0 0 0 lo default 10.0.0.1 0.0.0.0 UG 0 0 0 eth0
You can see that the default gateway was set to the host at the IP address 10.0.0.1 on the eth0 Ethernet interface. Assuming that router is ready to route your packets to the Internet, your Red Hat Linux client is now ready to use that router to find all IP addresses that you request that you do not already know where to find. (The netstat -r command provides the same output as the /sbin/route command.)
If you have some Microsoft systems on your LAN, you need to configure them so that they can connect to the Internet through your router. To set up the Windows operating system computers on your private network to access the Internet through your routing computer, you can either set up a DHCP server or add a few pieces of information to each Windows system. Here's how to do this from Windows ME and most other Windows systems:
Choose Start ? Settings ? Control Panel.
Open the Network icon in the Control Panel.
Double-click the interface shown that supports connecting to the Linux router. (For a LAN, it may look like this: TCP/IP ? 3Com EtherLink III.)
Click the IP address tab, and then either leave the "Obtain an IP address automatically" button selected (if you are using DHCP to get the IP address, as described in Chapter 23) or select the "Specify an IP address" button (if you intend to add a static IP address). In the second case, you then need to type in the IP address and subnet mask for the host computer.
Click the Gateway tab, type the IP address of your Linux router, and then click Add.
Click the DNS Configuration tab, type in the number of the DNS server that you use to resolve addresses on the Internet, and then click Add. Repeat this step if you have multiple DNS servers.
You may need to reboot your computer at this point, if Windows requires you to do so.
At this point, try accessing a Web site from your Internet browser on the Windows computer. If the Internet connection is up on your Red Hat Linux computer, you should be able to connect to the Internet through your LAN connection to the Red Hat Linux computer.