There are several different ways to set up routing from your LAN to the Internet. You can have a dedicated router or you can have a computer already connected to your LAN that will act as a router. This section describes how to use your Fedora system as a router.
A computer may have several network interfaces, such as a loopback, an Ethernet LAN, a direct line to another computer, or a dial-up interface. For a client computer to use a router to reach the Internet, it may have a private IP address assigned to it on the LAN. A connection to a routing computer would act as the gateway to all other addresses.
Here’s an example of Fedora being used as a router between a LAN and the Internet:
The Fedora system has at least two network interfaces: one to the office LAN and one to the Internet. The interface to the Internet may be a dial-up PPP connection or a higher-speed DSL or cable modem connection.
Packets on the LAN that are not addressed to a known computer on the LAN are forwarded to the router (that is, the Fedora system acting as a router). So, each client identifies that Fedora system as the gateway system.
The Fedora router/firewall is set up to receive packets from the local LAN and then forward them out its other interface (possibly a PPP connection to the Internet). If the LAN uses private IP addresses, the firewall is also configured to use IP masquerading or Network Address Translation (NAT).
The following sections describe how to set up the Fedora router, as well as the client computers from your LAN (Fedora and MS Windows clients) that will use this router. Using Fedora as a router also provides an excellent opportunity to improve the security of your Internet connection by setting up a firewall to filter traffic and hide the identity of the computers on your LAN (IP masquerading).
To configure your Fedora computer as a router, you need to have a few things in place. Here’s what you need to do before you set up routing:
Connect to your LAN. Add a network card and configure the computers on your LAN (as described in Chapter 15).
Connect to the Internet. Set up a dial-up or other type of connection from your Fedora computer to your ISP. This is described earlier in this chapter in the section on setting up outgoing PPP connections.
Configure your Fedora computer as a router. See the rest of this section.
The type of IP addresses you are using on your LAN will have an impact on a couple of steps in this procedure. Here are the differences:
Private IP addresses — If the computers on your LAN use private IP addresses (described in Chapter 15), you need to set up Linux as a firewall to do IP masquerading or NAT (as described in Chapter 14). Because those numbers are private, they must be hidden from the Internet when the Fedora router forwards their requests. Packets forwarded with masquerading or NAT look to the outside world as though they came from the Fedora computer forwarding the packets.
Valid IP addresses — If your LAN uses addresses that were officially assigned by your ISP or other registration authority, you don’t need to do IP masquerading or NAT. (Actually, for any machine you want to expose to the world, such as a public server, you will want to have a valid, public IP address.)
With your Fedora computer’s LAN and Internet interfaces in place, follow the procedure below to set up Linux as a router. After this procedure is completed, any client computer on your LAN can identify your Fedora computer as its gateway so it can use Fedora to get to the Internet.
Open the /etc/sysconfig/network file in a text editor as the root user. Then add either a default gateway or default gateway device as described below.
Your default gateway is where traffic destined for networks outside of your own is sent. This is where you would identify your Internet connection. Here is how you choose which one to enter:
Default Gateway — If there is a static IP address you use to reach the Internet, enter that IP address here. For example, if your Internet connection goes through a DSL modem connected to your network interface card (NIC) at address 192.168.0.1, enter that address as follows:
GATEWAY=192.168.0.1
Default Gateway Device — If you reach the Internet using a dynamic address that is assigned when you connect to a particular interface, you would enter that interface here. For example, if you had a dial-up interface to the Internet on the first PPP device, you would enter ppp0 as the default gateway device as follows:
GATEWAYDEV=ppp0
When you are done, the contents of this file should look similar to the following:
NETWORKING=yes
HOSTNAME='maple.handsonhistory.com'
DOMAINNAME='handsonhistory.com'
#GATEWAY=
GATEWAYDEV=ppp0
In this case, the computer is configured to route packets over a dial-up connection to the Internet (ppp0).
Turn on IP packet forwarding. One way to do this is to change the value of net.ipv4.ip_forward to 1 in the /etc/sysctl.conf file. Open that file as root user with any text editor and change the line to appear as follows:
net.ipv4.ip_forward = 1
You need to reboot for the /etc/sysctl.conf change to take effect. To have the change take place immediately without rebooting, you can type echo 1 > /proc/sys/net/ipv4/ip_forward as the root user.
If the computers on your LAN have valid IP addresses, skip ahead to the "Configuring network clients" section. If your computers have private IP addresses, continue with this procedure.
The lines shown below for configuring your iptables firewall to do IP masquerading should be used in addition to your other firewall rules. They do not, in themselves, represent a secure firewall, but merely describe how to add masquerading to your firewall. See Chapter 14 for details about how to configure a more complete firewall and when to use NAT versus IP masquerading.
To get IP masquerading going on your Fedora router, you need to define which addresses will be masqueraded and forwarded, using iptables.
The following examples assume that you are masquerading all computers on your private LAN 10.0.0 (that is, 10.0.0.1, 10.0.0.2, and so on) and routing packets from that LAN to the Internet over your dial-up (ppp0) interface.
Type the following as root user:
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
# iptables -A FORWARD -d 10.0.0.0/24 -j ACCEPT
# iptables -A FORWARD -s ! 10.0.0.0/24 -j DROP
The previous commands turn on masquerading in the NAT table by appending a POSTROUTING rule (-A POSTROUTING) for all outgoing packets on the first dial-up PPP interface (-o ppp0). The next two lines accept forwarding for all packets from (-s) and to (-d) the 10.0.0 network (10.0.0.0/24). The last line drops packets that don’t come from the 10.0.0 network.
The previous lines add rules to your running iptables firewall in the Linux kernel. To make the current rules permanent, save the current rules as follows:
# service iptables save
This copies all the current rules to the /etc/sysconfig/iptables file, from which the rules are read each time you reboot your system. If the new rules don’t work, just copy the backup iptables.save file (in the same directory) back over the original iptables file.
At this point, you may want to restart your network as follows:
# /etc/init.d/network restart
Then, to restart your firewall, type the following:
# /etc/init.d/iptables restart
# /etc/init.d/ipchains restart
To see if your new rules have gone into effect, type iptables -L (and iptables -t nat -L to see the masquerading rule in the NAT table). All current rules are displayed.
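As an added example that is not from the book, here is a stateful version of the masquerading rule set above, written as a small POSIX shell script. It keeps the same assumptions (Internet on ppp0, private LAN 10.0.0.0/24, run as root on a host with iptables) but ties each FORWARD rule to an interface and lets packets from the Internet reach a LAN host only when they belong to a connection the LAN side opened, so new inbound sessions toward private addresses are dropped instead of accepted. The IPT variable and the function names are the script's own; set IPT=echo to print the rules without applying them.

```shell
#!/bin/sh
# Added example, not from the book: a stateful version of the IP masquerading
# rules. Assumptions: Internet interface ppp0, private LAN 10.0.0.0/24, run as
# root on a host with iptables. IPT is this script's own knob: IPT=echo prints
# the rules instead of applying them (used by rules_text below).
IPT="${IPT:-iptables}"

# masq_rules WAN_IFACE LAN_NET
# Appends, in this order:
#  1. MASQUERADE everything leaving the WAN interface (hides LAN addresses)
#  2. forward anything from the LAN toward the WAN
#  3. forward packets from the WAN to the LAN only when they belong to a
#     connection the LAN side opened (replies), never new inbound sessions
#  4. drop every other forwarded packet
# Order matters: rule 3 must come before the final DROP in rule 4.
masq_rules() {
    wan="$1"; lan="$2"
    $IPT -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
    $IPT -A FORWARD -s "$lan" -o "$wan" -j ACCEPT
    $IPT -A FORWARD -i "$wan" -d "$lan" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -j DROP
}

# rules_text WAN_IFACE LAN_NET -> the rule set as text, one rule per line,
# without touching the kernel (dry run in a subshell so IPT is not clobbered)
rules_text() { ( IPT=echo; masq_rules "$1" "$2" ); }

# drop_rule_is_last WAN_IFACE LAN_NET -> succeeds if the last rule is the DROP
drop_rule_is_last() { rules_text "$1" "$2" | tail -n 1 | grep -q -- '-j DROP'; }

# forwarding_enabled -> succeeds when the kernel is currently routing
# (the net.ipv4.ip_forward setting from the procedure above)
forwarding_enabled() {
    f=/proc/sys/net/ipv4/ip_forward
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Stand-alone run: show the rule set that would be applied.
rules_text ppp0 10.0.0.0/24
```

Run it as root to apply the rules, then save them with service iptables save as described above; iptables -L FORWARD should then list the ESTABLISHED,RELATED rule before the final DROP, and forwarding_enabled tells you whether the ip_forward step has actually taken effect.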
If the route to the Internet from Linux is being provided by a dial-up connection, you probably want to turn on on-demand dialing (as described earlier in this chapter).
In this example, there are a variety of Linux and Windows operating system clients on a LAN. One Fedora computer has a connection to the Internet and is set up to act as a router between the Internet and the other computers on the LAN (as described previously). To be able to reach computers on the Internet, each client must be able to do the following:
Resolve the names it requests (for example, www.redhat.com) into IP addresses.
Find a route from the local system to the remote system, using its network interfaces.
Each Linux client computer knows how to find another computer’s address based on the contents of the /etc/host.conf, /etc/hosts, and /etc/resolv.conf files. The contents of the host.conf file, by default, are the following:
order hosts,bind
This tells your system to resolve any host name you request by first checking the contents of the /etc/hosts file and then querying the name servers listed in the /etc/resolv.conf file. In our case, we will put the addresses of the few hosts we know about on our private network (whether on the LAN, a direct connection, or another network interface) in the /etc/hosts file. The system then resolves all other names through a DNS server (bind), using the name server addresses we add to the /etc/resolv.conf file.
Next, each client machine must know how to get to the Internet. Do this by adding a default route (sometimes called a gateway) to each client. To permanently add a default route on the client Fedora system, do the following:
Set the default route to point to the router. This entails setting the GATEWAY or GATEWAYDEV value in the /etc/sysconfig/network file as described in the previous procedure. (This time, the address will point to the LAN interface of the router.)
Restart your network interfaces by typing the following as root user:
# /etc/init.d/network restart
When the computer comes back up, type the following:
# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.0.0.0        *               255.255.255.0   U         0 0          0 eth0
127.0.0.0       *               255.0.0.0       U         0 0          0 lo
default         10.0.0.1        0.0.0.0         UG        0 0          0 eth0
You can see that the default gateway was set to the host at the IP address 10.0.0.1 on the eth0 Ethernet interface. Assuming that router is ready to route your packets to the Internet, your Fedora client is now ready to use that router to find all IP addresses that you request that you do not already know where to find. (The netstat -r command provides the same output as the /sbin/route command.)
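To check from the client side that the default route is actually usable, here is an added shell example (not from the book) that reads a routing table in the netstat -r layout shown above and confirms that the default gateway lies inside a network that is directly connected on the same interface. The kernel refuses a default route whose gateway is not on a connected network, so this is the first thing to verify when a client cannot reach the router. The sample table is constructed from the output above; on a live client, pipe netstat -rn into gateway_on_link instead (the function names are the example's own).

```shell
#!/bin/sh
# Added example, not from the book: sanity-check a client's default route.
# Sample routing table constructed from the netstat -r output above.
SAMPLE_ROUTES='Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.0.0.0 * 255.255.255.0 U 0 0 0 eth0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 10.0.0.1 0.0.0.0 UG 0 0 0 eth0'

# ip2int A.B.C.D -> prints the address as a 32-bit integer (for mask math)
ip2int() {
    old_ifs="$IFS"; IFS=.
    set -- $1
    IFS="$old_ifs"
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# default_gateway < table -> prints "GATEWAY IFACE" from the default line
# (netstat -r prints "default", netstat -rn prints "0.0.0.0")
default_gateway() {
    awk '$1 == "default" || $1 == "0.0.0.0" { print $2, $8; exit }'
}

# gateway_on_link < table -> succeeds (exit 0) if the default gateway falls
# inside a directly connected network (flags have U but no G) on the same
# interface; fails otherwise. Prints the matching network on success.
gateway_on_link() {
    table="$(cat)"
    set -- $(printf '%s\n' "$table" | default_gateway)
    [ $# -eq 2 ] || return 1          # no default route at all
    gw="$1"; iface="$2"
    gwn=$(ip2int "$gw")
    # Command substitution runs the loop in a subshell, so "break" is safe.
    match=$(printf '%s\n' "$table" |
        awk -v i="$iface" '$1 != "default" && $1 != "0.0.0.0" && $8 == i && $4 !~ /G/ { print $1, $3 }' |
        while read -r dest mask; do
            d=$(ip2int "$dest"); m=$(ip2int "$mask")
            if [ $(( gwn & m )) -eq $(( d & m )) ]; then
                echo "$dest/$mask"; break
            fi
        done)
    [ -n "$match" ] || return 1
    echo "default gateway $gw is on-link via $iface ($match)"
}

# Stand-alone run: check the constructed sample.
printf '%s\n' "$SAMPLE_ROUTES" | gateway_on_link
```

For the sample above the check reports that 10.0.0.1 is reachable through eth0 on 10.0.0.0/255.255.255.0; if you had typed a gateway from another subnet into the GATEWAY setting, the function fails and the route itself would never have been installed.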
If you have some Microsoft systems on your LAN, you need to configure them so that they can connect to the Internet through your router. To set up the Windows operating system computers on your private network to access the Internet through your routing computer, you can either set up a DHCP server or add a few pieces of information to each Windows system. Here’s how to do this from Windows ME and most other Windows systems:
Choose Start → Settings → Control Panel.
Open the Network icon in the Control Panel.
Double-click the interface shown that supports connecting to the Linux router. (For a LAN, it may look like this: TCP/IP → 3Com EtherLink III.)
Click the IP address tab, and then either leave the Obtain an IP address automatically button selected (if you are using DHCP to get the IP address, as described in Chapter 23) or select the Specify an IP address button (if you intend to add a static IP address). In the second case, you then need to type in the IP address and subnet mask for the host computer.
Click the Gateway tab, type the IP address of your Linux router, and then click Add.
Click the DNS Configuration tab, type in the IP address of the DNS server that you use to resolve addresses on the Internet, and then click Add. Repeat this step if you have multiple DNS servers.
You may need to reboot your computer at this point, if Windows requires you to do so.
At this point, try accessing a Web site from your Internet browser on the Windows computer. If the Internet connection is up on your Fedora computer, you should be able to connect to the Internet through your LAN connection to the Fedora computer.