[TriLUG] Linux Routers

Greg Brown gregbrown at mindspring.com
Mon Oct 7 09:39:58 EDT 2002


I'm doing this at work (and at home) and it works great.  However, I am using 
ipchains, not iptables, to perform the NAT function (IP masquerade).

In order to do this you'll need a Linux box with two working ethernet cards.  
If you are running RH you can check to see how many cards are present by 
issuing the following command:

/sbin/ifconfig

When you get both cards in your box you will want to make 100% sure that you 
know which ethernet card is connected to the network where you would like to 
perform the NAT function and which card is connected to the network where you 
would like to route to.  For example's sake, let's say that eth0 is connected to 
the upstream network and eth1 is connected to the new NATed network.  You can 
configure most of the routing information using linuxconf (i.e. enable 
routing, set default gateways, blah).

Note that I'm also using Red Hat 7.1, and you should think about using 
iptables rather than ipchains as I hear that ipchains will eventually be 
totally replaced by iptables.  Anyway, as root do the following:

1. check to see if iptables is running:
	(as root)#chkconfig --list | grep iptables

If iptables is not running you will see a line looking like this:
iptables 0:off 1:off 2:off 3:off 4:off 5:off 6:off

The fields here are as follows:  field one (service name, iptables in this 
case), field 2 - 6 are the init levels of the box and if the service is on or 
off at that particular level.  If ipchains were active at init levels 3-5 the 
line you just saw would appear like this:

iptables 0:off 1:off 2:off 3:on 4:on 5:on 6:off

Make sense?

Okay, if iptables is not running check to see if ipchains is running:

(as root)#: chkconfig --list | grep ipchains

If both iptables and ipchains are not running enable ipchains by typing:
(as root)#: chkconfig --level 2345 ipchains on

Check to make sure it worked by issuing:
(as root)#: chkconfig --list | grep ipchains

Also you might want to disable ipchains while we are making changes to the 
config file.  Do this by:
(as root)#: service ipchains stop


Once that is done cd on over to /etc/sysconfig and vi (or use your favorite 
text editor) to edit the file ipchains

There's no telling what's in there at this point but here's how it's laid out:
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 22:22 -p 6 -j ACCEPT

The fields you want to be concerned with are the second one (input, forward) 
and the last field ACCEPT, DENY, MASQ or others.  The example I gave above 
simply tells ipchains to allow port 22 (ssh) from any machine on any host 
(internal interface or external interface).  You'll get the hang of the file 
format quickly.

To enable IP Masq (NAT), which would allow multiple IP addresses to pass 
through one single IP address, you would add the following line to 
/etc/sysconfig/ipchains as the first line - we are also going to assume that 
eth0 connects to the upstream network and eth1 is the new network which you 
are creating, and we're also going to assume that the new network has the IP 
address range of 192.168.15.x - 
-A forward -s 192.168.15.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j MASQ

NOTE that with this command you are telling which interface to NAT THROUGH 
(eth0) not NAT FROM (eth1).  That detail took me hours to find when I first 
tried this.  The rest of the lines in ipchains can be the ports that you want 
to open up (you can get the numbers by grepping for the service name in 
/etc/services) and, as the last line of ipchains, add a deny all.  So, with IP 
Masq enabled and secure shell, web, and secure ftp ports open your ipchains 
file would look something like this:


:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A forward -s 192.168.15.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j MASQ
-A input -s 192.168.15.205/32 -d 0.0.0.0/0.0.0.0 -i eth0 -j DENY
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 22:22 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 80:80 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 115:115 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 443:443 -p 6 -j ACCEPT
# uncomment the line below if you want to use AIM
# -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 5190:5190 -p 6 -j ACCEPT
# uncomment the line below if you want to use LimeWire
# -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 6346:6346 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 8008:8008 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p 6 -j DENY -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth1 -p 6 -j DENY -y

Then just restart ipchains:
(as root)#: service ipchains start

and you should be good to go.  You might want to think about enabling DHCP as 
well, it makes life so much easier.  

Now your default gateway for all your devices on your new network is whatever 
the IP address is for eth1.

I might have missed something, but I think that's about it.

I hope this helps!

Greg


On Monday 07 October 2002 08:39 am, you wrote:
> I was wondering if anyone has tried making a linux router to do Network
> Address Translation.  I am thinking about making one to try here at work
> but if people have not have good luck with them I don't want to waste my
> time. I would like to use RedHat if possible b/c that is the flavor I know
> best of all.  Any suggestions or comments that could help are greatly
> appreciated.
>
>
> John
>
> _______________________________________________
> TriLUG mailing list
>     http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ:
>     http://www.trilug.org/~lovelace/faq/TriLUG-faq.html
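As an added check, not from Greg's post and not an ipchains tool: a small Python linter for a file in the /etc/sysconfig/ipchains layout he describes. It flags a mistyped netmask, a MASQ rule that is not on the forward chain or whose -i does not name the upstream interface (the "NAT THROUGH, not NAT FROM" detail), and an input chain that does not end in DENY. The sample rules and the upstream interface eth0 are assumptions.

```python
import ipaddress

# Constructed sample in the /etc/sysconfig/ipchains layout from the post
# (not taken from any real host); the upstream interface is assumed to be eth0.
SAMPLE = """\
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A forward -s 192.168.15.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j MASQ
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 22:22 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p 6 -j DENY -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth1 -p 6 -j DENY -y
"""

def parse_rule(line):
    """Split one '-A chain ...' line into its chain, options and dest port."""
    tok = line.split()
    rule = {"chain": tok[1], "syn_only": "-y" in tok, "dport": None}
    i = 2
    while i < len(tok):
        flag = tok[i]
        if flag in ("-s", "-d", "-i", "-p", "-j") and i + 1 < len(tok):
            rule[flag] = tok[i + 1]
            i += 2
            # ipchains lets a port or port range (e.g. 22:22) follow the -d address
            if flag == "-d" and i < len(tok) and not tok[i].startswith("-"):
                rule["dport"] = tok[i]
                i += 1
        else:
            i += 1
    return rule

def lint(text, upstream="eth0"):
    """Return findings for an ipchains rule file; an empty list means clean."""
    rules = [parse_rule(l) for l in text.splitlines() if l.startswith("-A")]
    findings = []
    for r in rules:
        for opt in ("-s", "-d"):  # rejects masks such as 255.255.2255.0
            try:
                ipaddress.ip_network(r.get(opt, "0.0.0.0/0"), strict=False)
            except ValueError:
                findings.append(f"bad address/mask {r[opt]!r} in {r['chain']} rule")
    for r in rules:  # MASQ goes on forward and names the interface to NAT *through*
        if r.get("-j") == "MASQ" and (r["chain"] != "forward" or r.get("-i") != upstream):
            findings.append(f"MASQ rule must be on forward with -i {upstream}")
    inputs = [r for r in rules if r["chain"] == "input"]
    if not inputs or inputs[-1].get("-j") != "DENY":
        findings.append("input chain does not end with a DENY rule")
    return findings
```

Run `lint(open("/etc/sysconfig/ipchains").read())` on the real file before `service ipchains start`; an empty list means none of the three checks fired.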


