Internet Connection Sharing screwed up

[deeflex]

---

Hi

Im posting after reading through a lot of articles explaining the same thing
on how to share an internet connection from a computer with two NICs.

I have the following simple setup

Internet <-DHCP-> eth0 Ubuntu eth1 <--192.168.0.0--> LAN

When I first followed this guide
ubuntugeek.com/sharing-internet-connection-in-ubuntu.html

I was able to ping between the GW and a client on the LAN but couldn't access the internet from it. So I started to configure different things to get it to work which failed.

Now I can't ping between GW and the LAN. I tried to follow the same guide over again and even flushing the tables but still...

These are my current settings (without any chains).

GW eth0 as usual DHCP
GW eth1 192.168.0.1

Client on LAN
ifconfig eth0 192.168.0.10
route add default gw 192.168.0.1

(this client also has a wireless connection displayed in 'ifconfig')


Please help!

[coopstah13]

i suggest you restart and follow that exact guide, it should be right based on my quick glances on it

when you did the iptables part, you replaced ethX with your actual device eth1 correct?

after editing sysctl.conf file i recommend running sudo sysctl -p command

[deeflex]

it says "where ethX is the network card that the Internet is coming from"
which is eth0 in my case. But I tried with eth1 just to be sure but still the same.

A second guide:

help.ubuntu.com/community/Internet/ConnectionSharing

which didn't help either

[fragos]

Clearly what you want to do is achievable but I took a different path that required virtually no configuration. I bought a TRENDnet wireless access point (mine was $20). Just plugged my cable modem into the uplink port and my PC into the 1st port of the access point's built in 4 port hub. My ISP, Comcast, blocks all but the MAC address of the Ethernet port originally connected to the cable modem. That issue is solved in the router by cloning the MAC address of the PC (router has a function to do this for you). Set all connected devices, wired or WiFi, to DCHP (the default). All devices on the LAN can address each other as "{hostname}.local" instead of the IP address which avoids the issue of DCHP assigning a different NAT IP when any node starts.

[Mudgen]

The "firestarter" package can help you set this up easily without having to know all the command line and config file stuff. Not that it hurts to know that.

[nimit07]

Hi Deeflex

I am late here but replying you cuase like linux...

you can configure your linux box with two nic and their is only one IPtables commnad you have to fire for to enable internet in linux system.

Accept all connections

iptables -A INPUT -i Internet Interface(eth0) -j ACCEPT
iptables -A OUTPUT -o Internet Interface(eth0) -j ACCEPT

Internet Distribute

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

I hope this information is usefull to you here is i show you basic steps to start INTERNET
if you need any otherhelp feelfree mail me or chat.


Regards
Nimit Gajjar
e-Mail : nimit28ced@gmail.com
nimit07@yahoo.com

Power of the World : Share the Knowledge Get the Knowledge.

Hi

Im posting after reading through a lot of articles explaining the same thing
on how to share an internet connection from a computer with two NICs.

I have the following simple setup

Internet <-DHCP-> eth0 Ubuntu eth1 <--192.168.0.0--> LAN

When I first followed this guide
ubuntugeek.com/sharing-internet-connection-in-ubuntu.html

I was able to ping between the GW and a client on the LAN but couldn't access the internet from it. So I started to configure different things to get it to work which failed.

Now I can't ping between GW and the LAN. I tried to follow the same guide over again and even flushing the tables but still...

These are my current settings (without any chains).

GW eth0 as usual DHCP
GW eth1 192.168.0.1

Client on LAN
ifconfig eth0 192.168.0.10
route add default gw 192.168.0.1

(this client also has a wireless connection displayed in 'ifconfig')

Please help!

[Lazydog]

I have the following simple setup

Internet <-DHCP-> eth0 Ubuntu eth1 <--192.168.0.0--> LAN

This is simple enough.

First ensure forwarding is turned on.
Edit your sysctl.conf and add the following:

Code:

 net.ipv4.ip_forward = 1

The above will ensure forwarding is turned on at every reboot. Mind you forwarding still hasn't been turned on as we want to setup the firewall before giving access.

Now we should setup the iptables rules. these are quick and dirty and allow everything from the LAN to get out and only what was requested by the LAN to come back in.

Code:

# flush, erase and zero all the rules in the filter and nat tables.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -Z

# Setup Firewall Policies
iptables -P INPUT DROP
iptables -p OUTPUT DROP
iptables -P FORWARD DROP

#Set IP ADDRESS to outside interface so connection know how to get back
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#Set FORWARDing tables
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD - eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j DROP

Now the above only allows the LAN out to the Internet and doesn't allow the LAN to connect to the Ubuntu box. If you want the LAN to be able to connect to the Ubuntu box then you need to add the following:

Code:

iptables -A INPUT -i eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j DROP

If you want the Ubuntu box to be able to get out and still want the LAN to access it then skip the above and use this:

Code:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -m state --state NEW -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j DROP

If you don't want the LAN to be able to access the Ubuntu box but the Ubuntu box should still be able to get out then simple remove the second line from above. This will allow the Ubuntu box to get out but nothing will be able to connect to it directly.

You will get different opinions on the DROP at the end of all rules. Some people will say you don't need the extra DROP rules. I don't leave it to chance for then policy to drop everything that gets that far.

Now run the following to save your firewall rules:

Code:

iptables-save

Only thing left is to setup your system to start iptables on boot.
Sorry, I don't know this command.

Now that you have your firewall setup you can turn on forwarding as follows:

Code:

echo 1 > /proc/sys/net/ipv4/ip_forward

The above will share the internet connection with your LAN and will also ensure that everything is in place should you ever have to reboot.

I may have missed something as I am going off memory only. You can check everything in this IPTABLES Tutorial. In fact I would highly encourage you to check anything someone is telling you before you do it just to ensure they are not leading you down the wrong path.

Hi Deeflex

I am late here but replying you cuase like linux...

While I find it great that you like linux, you should really consider not giving out any advice on topics you really don't understand. Case in point below....

you can configure your linux box with two nic and their is only one IPtables commnad you have to fire for to enable Internet in linux system.

Accept all connections

iptables -A INPUT -i Internet Interface(eth0) -j ACCEPT
iptables -A OUTPUT -o Internet Interface(eth0) -j ACCEPT

Internet Distribute

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

The above does noting to share the Internet with the LAN and only opens your system up to the Internet. What you did above is the same as not running a firewall at all.

I hope this information is usefull to you here is i show you basic steps to start INTERNET
if you need any otherhelp feelfree mail me or chat.

I would highly recommend not doing this. You have a lot to learn. Have a look at the link I have added above for the Tutorial.

Power of the World : Share the Knowledge Get the Knowledge.

You have this sdrawkcab. First get the knowledge and then share it.

[Mudgen]

Lazydog, that looks pretty good to be done from memory. But the iptables-save command just dumps the current tables to stdout. Not sure what your purpose was there. The iptables commands should be persistent without doing that.

[nimit07]

Lazydog, that looks pretty good to be done from memory. But the iptables-save command just dumps the current tables to stdout. Not sure what your purpose was there. The iptables commands should be persistent without doing that.

you can put that file on startup
in / etc /rc.local
and fire that file on booting time
"sh XYZ.sh"
regards
nimit

[Lazydog]

iptables-save should have written to a file that gets read when you start the firewall. Maybe in Ubuntu there is something else that you must do to save your rules. Or maybe you have to run a script to get the rules loaded. I don't know Ubuntu.

As to memory, those rules are simple. I have configured enough firewalls to do this by memory.