unix:gateway



Linux Gateway

Due to the wholesome failure of my ISP to do things in a nice way, my ADSL router was rendered useless and I was forced to either set up my own router or be content with a single PC on the internet in a house of 6 computers… I chose to set up my own gateway.

The 1 NIC problem

At first I didn't have a PC with two network cards, so I found a way to do it with one network card and a lot of ugly hacks and tricks. Sadly I did this long before I wrote this page, so I can't recall the details. But for those having similar problems, here is my solution.

My Solution

I use WinXP on my laptop, and happened to have a copy of VMware1) installed, so I set up a new virtual machine with two NICs and inserted my trusty Knoppix Linux LiveCD2). Once booted I used the Linux IP Masquerade HOWTO to get things going.

Amazingly, this worked! I had 3 IPs on one NIC: 2 for the virtual machine running Knoppix, and 1 for Windows itself. IIRC, all 3 had separate MAC addresses too.

I didn't keep this setup for long, as my laptop is portable and I didn't want it tied to the house.

My rc.firewall-iptables script

The famous (perhaps even “standard”) way of making a Linux platform into a NAT router is to use a script called rc.firewall-iptables from the Linux IP Masquerade HOWTO. While this definitely works, it's a bit tricky to use, especially when adding new port-forwarding rules, which is something I do fairly regularly.

So I spent an afternoon doing a bit of BASH scripting and, based on the original script, produced the script below, which I hope some will find useful.

Download rc.firewall (14kB)

What's so special about it?

Well, it has a very nice block where you can set up port forwarding via simple lists using the Windows computer names. This means that if your network uses DHCP and the IP addresses of your computers change from time to time, you'll have no problem as long as you schedule the script to run periodically. It also closes the forwarded ports when the computer they are being forwarded to is offline.

Example of the script's configuration block:

        EXTIP=`ifconfig eth0 | egrep -o '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -n1`
        echo "   External IP detected as $EXTIP";
 
        # Local services exposed
        LOCALTCPPORTS="22"
        LOCALUDPPORTS=""
 
        # PCs to forward connections to, using names in /etc/hosts or NetBIOS
        PORTFWPC[0]="Ikari"
        TCPPORTS[0]="80 26346 113 4899 1024 5190"
        UDPPORTS[0]="26346"
 
        PORTFWPC[1]="Kirara"
        TCPPORTS[1]="5443 2902 56881"
        UDPPORTS[1]="2902 56881"
 
        PORTFWPC[2]="Mum"
        TCPPORTS[2]="4662 26346"
        UDPPORTS[2]="4672 26346"

Notes

  • My internet connection is on eth0, my first network interface card (NIC), and the IP address changes when we have a power-cut or my ISP decides to cut us off due to bad management and faulty hardware :-|
  • I want port 22 of the gateway machine to be exposed. (Anything not listed there is closed to the public)
  • The computers are called “Ikari”, “Kirara” and “Mum”.
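As an added illustration (not the page's rc.firewall, which you should download above), the following bash snippet shows how a configuration block of this shape can be turned into iptables DNAT rules: each name is resolved first, and a name that cannot be resolved (an offline PC) simply gets no rule, which is what closes its ports. The resolve_host lookup table is a constructed stand-in for the /etc/hosts and NetBIOS lookups; the rules are printed rather than applied.

```bash
#!/bin/bash
# Added example, not the page's rc.firewall: turn the PORTFWPC/TCPPORTS/UDPPORTS
# lists into iptables DNAT rules, resolving each name first and skipping hosts
# that cannot be resolved (so an offline PC gets no forwarding rule at all).
EXTIF="eth0"

# Constructed configuration, same layout as the page's block.
PORTFWPC[0]="Ikari"; TCPPORTS[0]="80 113"; UDPPORTS[0]="26346"
PORTFWPC[1]="Mum";   TCPPORTS[1]="4662";   UDPPORTS[1]="4672"

# Hypothetical stand-in for the /etc/hosts + NetBIOS lookup. "Mum" is deliberately
# absent to model a PC that is switched off. On a real gateway you would use
# something like: getent hosts "$1" | awk '{print $1}'
resolve_host() {
    case "$1" in
        Ikari) echo "192.168.0.4" ;;
        *)     return 1 ;;
    esac
}

# Emit one iptables command per line instead of running them, so the result can
# be reviewed (or piped to "sh" as root). Each forwarded port needs both the
# PREROUTING DNAT and a matching FORWARD ACCEPT; with a restrictive FORWARD
# policy the translated packet would otherwise be dropped.
build_forward_rules() {
    local i name ip proto port ports
    for i in "${!PORTFWPC[@]}"; do
        name="${PORTFWPC[$i]}"
        if ! ip="$(resolve_host "$name")"; then
            echo "Unable to obtain valid IP address, skipping $name" >&2
            continue
        fi
        for proto in tcp udp; do
            if [ "$proto" = tcp ]; then ports="${TCPPORTS[$i]}"; else ports="${UDPPORTS[$i]}"; fi
            for port in $ports; do
                echo "iptables -t nat -A PREROUTING -i $EXTIF -p $proto --dport $port -j DNAT --to-destination $ip:$port"
                echo "iptables -A FORWARD -i $EXTIF -p $proto -d $ip --dport $port -j ACCEPT"
            done
        done
    done
}

build_forward_rules
```

Because the real script flushes all rules before rebuilding them on every run, scheduling it periodically is what makes a PC's ports close once it goes offline.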

Running the script will produce output like so:

Loading simple rc.firewall version 0.78..

   External Interface:  eth0
   Internal Interface:  eth1
   loading modules:
----------------------------------------------------------------------
ip_tables, ip_conntrack, ip_conntrack_ftp, ip_conntrack_irc, iptable_nat, ip_nat_ftp,
----------------------------------------------------------------------
   Done loading modules.

   Enabling forwarding..
   Clearing any existing rules and setting default policy..
   External IP detected as 10.150.47.24
   Closing all external ports but allowing ICMP...
    - TCP 22 reopened
  Allowing existing and related connections to local servives, rejecting all other non-ICMP traffic
   Ikari found in /etc/hosts
   Forwarding incoming connections to Ikari (192.168.0.4) by port...
   - TCP 80
   - TCP 26346
   - TCP 113
   - TCP 4899
   - TCP 1024
   - TCP 5190
   - UDP 26346
   Using NetBIOS to ask for Kirara
   Forwarding incoming connections to Kirara (192.168.0.12) by port...
   - TCP 5443
   - TCP 2902
   - TCP 56881
   - UDP 2902
   - UDP 56881
   Using NetBIOS to ask for Mum
    Unable to obtain valid IP address, skipping Mum
   FWD: Allow all connections OUT and only existing and related ones IN
   Enabling SNAT (MASQUERADE) functionality on eth0

rc.firewall-iptables v0.78 done.

Notice that it skips “Mum” as it (the computer) is not on at the moment.

In case you're thinking “External IP of 10.x.x.x??”, you're quite right. But that's the IP my ADSL provider gives me, so for all intents and purposes, it's my external IP, even if it isn't what the rest of the net sees.

Request for Feedback: Feel free to contact me about this script, or anything else mentioned/implied by this page.

1)
A “PC Emulator”, it creates a blank virtual PC for you to do what you like with.
2)
This is a bootable copy of Debian Linux, which is famous for having a complete toolset and great hardware auto-detection.
unix/gateway.1177633428.txt.gz · Last modified: 2009/07/12 15:52 (external edit)