GNU/Linux Desktop Survival Guide
by Graham Williams
IP Forwarding: Home Networks |
Debian Packages: iptables
Consider a home network of GNU/Linux and MS/Windows machines, connected via ethernet. A GNU/Linux machine can connect to the Internet via PPP. We want to provide network access from all machines. We use iptables (for kernel version 2.4).
Suppose modern ( ) is the host which will connect to the Internet using PPP. After installing iptables do the following on this host, which will serve as the Internet gateway:
# iptables --flush
# iptables --table nat --flush
# iptables --delete-chain
# iptables --table nat --delete-chain
# iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
# iptables --append FORWARD --in-interface eth0 -j ACCEPT
This clears the existing rules (and any user-defined chains) in both the filter and nat tables, then adds a MASQUERADE rule so that traffic leaving over ppp0 carries the gateway's address, and accepts forwarded traffic arriving on eth0. Now we need to turn forwarding on in the kernel:
# echo 1 > /proc/sys/net/ipv4/ip_forward
And that's it! This host, modern ( ), will now act as a gateway to the Internet for your local machines.
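The rules above forward everything that arrives on eth0 and leave the gateway itself unfiltered from the PPP side. The following script is an added example, not from the book, that generates an equivalent masquerading ruleset with default-deny policies, connection tracking and a check against packets from the PPP link that claim a LAN address. It assumes ppp0 as the WAN interface, eth0 and 192.168.1.0/24 as the LAN, and uses iptables-restore so the ruleset can be read before it is loaded.

```shell
#!/bin/sh
# Added example: hardened masquerading ruleset for the gateway described above.
# Assumed layout: WAN on ppp0, LAN on eth0 with network 192.168.1.0/24.
# gen_rules prints an iptables-restore ruleset; nothing is changed until it is piped
# into iptables-restore by apply_rules (which must run as root).
gen_rules() {
    wan=$1; lan=$2; lannet=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite the source address of LAN traffic leaving over the PPP link
-A POSTROUTING -o $wan -s $lannet -j MASQUERADE
COMMIT
*filter
# Default deny for traffic to the gateway and through it; the gateway may talk out
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Packets arriving on the WAN with a LAN source address cannot be genuine
-A INPUT -i $wan -s $lannet -j DROP
-A FORWARD -i $wan -s $lannet -j DROP
# Only LAN hosts may open connections to the Internet; replies return via state tracking
-A FORWARD -i $lan -s $lannet -o $wan -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN hosts may reach services on the gateway itself
-A INPUT -i $lan -s $lannet -j ACCEPT
COMMIT
EOF
}

# Load the generated rules atomically and enable forwarding (root required)
apply_rules() {
    gen_rules "$@" | iptables-restore && echo 1 > /proc/sys/net/ipv4/ip_forward
}
```

Run `gen_rules ppp0 eth0 192.168.1.0/24` to inspect the ruleset, and `apply_rules ppp0 eth0 192.168.1.0/24` from the init script's start branch to load it.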
There is some setup needed to have this survive a reboot. One approach is to do this through init.d, as explained in Section 35.2. The first step is to create a script file called /etc/init.d/myfirewall containing:
#! /bin/sh
#
# Set up a firewall for IP Masquerading
#
PATH=/bin:/usr/bin:/sbin:/usr/sbin
case "$1" in
  start)
    echo -n "Starting IP Masquerading: myfirewall"
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
    iptables --append FORWARD --in-interface eth0 -j ACCEPT
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo "."
    ;;
  stop)
    echo -n "Stopping IP Masquerading: myfirewall"
    echo 0 > /proc/sys/net/ipv4/ip_forward
    echo "."
    ;;
  reload)
    echo "Not implemented."
    ;;
  force-reload|restart)
    sh "$0" stop
    sh "$0" start
    ;;
  *)
    echo "Usage: /etc/init.d/myfirewall {start|stop|restart|force-reload|reload}"
    exit 1
    ;;
esac
exit 0
Then the firewall can be turned on and off with:
$ wajig start myfirewall
$ wajig stop myfirewall
To have it started at boot and stopped at shutdown:
# update-rc.d myfirewall start 40 S . stop 89 0 6 .
This creates the following links:
/etc/rc0.d/K89myfirewall -> ../init.d/myfirewall
/etc/rc6.d/K89myfirewall -> ../init.d/myfirewall
/etc/rcS.d/S40myfirewall -> ../init.d/myfirewall
Another approach is to only turn it on and off as a PPP connection is established. See the scripts in /usr/share/doc/iptables/examples for details.
Now rose ( ) and inco (36.50), machines on the local home network, can have their network interface set up:
# modern (192.168.1.5) is the gateway to the Internet
iface eth0 inet static
    address 192.168.1.2
    network 192.168.1.0
    netmask 255.255.255.0
    gateway 192.168.1.5