Internet sharing on Linux

How I set up Internet and Intranet sharing between two workstations, one Linux and one Windows. Guess which one gave me trouble.

The LAN in question is:

       Cable modem
            |
        eth0 dhcp
fw.imc.invalid (mdv2009.1)
     eth1 192.168.0.2
            |
           hub
            |
           dhcp
      xp (WinXP SP2)

fw.imc.invalid is a DHCP client on eth0, getting an IP assignation from the upstream Internet service provider. Apache, an Intranet web app, and shorewall are installed and working; squid is not installed. fw is using OpenDNS. eth0 is a Realtek RTL-8139; it is configured and can fully use the Internet. eth1 is a VIA VT6102 (Rhine-II); it is physically present but not configured.

xp is a DHCP client. The Windows firewall and a third party firewall (PC Tools Firewall Plus 4.0.0.45) are both temporarily disabled for this exercise.

What we will accomplish is:

  • fw continues to use the Internet, continues to host an Intranet web app, and continues to have a secure firewall
  • xp will be able to access the Intranet web app on fw, will be able to fully use the Internet through fw, and will be protected by fw’s firewall

We will proceed thus:

  1. Configure eth1 on fw, thus connecting fw to the LAN
  2. Install and configure DHCP on fw, thus assigning IPs to boxes on the LAN
  3. Set up Internet sharing, thus instructing fw to allow boxes on the LAN to access the Internet through it
  4. Configure firewall, thus allowing boxes on the LAN access to fw and the Internet
  5. Configure Apache, thus allowing boxes on the LAN access to the Intranet
  6. Configure the Windows box’s connection

TODO: Document when service shorewall clear needs to be used below.

CONFIGURE ETH1
On fw, I configured eth1 in the Mandriva Control Center (MCC) – Network & Internet – Set up a new network interface: Ethernet, VIA VT6102, Manual configuration, IP 192.168.0.2. Automatically filled in by the wizard were netmask 255.255.255.0, gateway 192.168.0.1, DNS server 1 192.168.0.2, hostname fw.imc.invalid. I overwrote the DNS server, specifying #1 as 208.67.222.222 and #2 as 208.67.220.220 (both from OpenDNS). I left Advanced – Search domain blank. I left the advanced settings at their defaults. I checked “Allow users to manage the connection” and “Start the connection at boot”.

TODO: Document the above using distro-agnostic tools, which might be worth spitting off into a separate article.

Doing so caused the Internet to be lost on fw, so I manually edited as root two files in /etc/sysconfig/network-scripts:

  • ifcfg-eth0: added “DOMAIN=imc.invalid”
  • ifcfg-eth1: changed “GATEWAY=192.168.0.1” to “10.130.32.1”, this being the gateway of eth0 when connected to the Internet, as seen by mousing over the net_applet in the system tray

Then as root, service network restart. fw has Internet again. The Network Center (MCC – Network & Internet – Network Center) shows eth1 as disconnected, but this is incorrect: service network status as root correctly shows eth1 as active.

INSTALL AND CONFIGURE DHCPD
On fw, go to MCC – Network Services – Configure DHCP). I set lowest/highest IP addresses to 192.168.0.65-254, gateway 10.130.32.1, PXE disabled.

Insure that the dhcpd service is configured to run on boot and is running now.

TODO: Document how to set up and later administer DHCP using distro-agnostic tools, which might be worth spitting off into a separate article. Document how to increase the lease period; the default is very short and generates needless traffic.

In xp, configure the network adapter to receive its IP address automatically via DHCP. Reboot xp. From the command line, use ipconfig /all to confirm that xp is now using DHCP, has a valid IP address with a valid lease, and that the gateway and DNS servers are correct. From xp, “ping 192.168.0.2” and “ping fw” should both work. Likewise, pinging xp (using its leased IP) from fw should work.

TODO: Check if the firewall needs to be cleared before the boxes can ping one another.

SET UP INTERNET SHARING
In MCC, go to Network & Internet – Share the Internet connection with other local machines. Follow the on-screen instructions. In DNS configuration, clear the checkbox next to “Use this gateway as DNS” and enter 208.67.222.222 (OpenDNS) as DNS Server IP. In DHCP Server Configuration, open the advanced settings and insure that the DHCP start and end ranges match those entered in DHCPD settings (192.168.0.65-254). Being appropriate for this installation, I set higher than suggested default and maximum lease periods. To keep things simple I chose to not use squid.

TODO: Document how to achieve the above using distro-agnostic tools, perhaps Webmin. Document setting up squid.

Reboot xp. Now xp should see the Internet, although not the web app on fw.

TODO: Is this correct? Doesn’t the firewall need to be configured before xp can see the Internet? And how about clearing the firewall?

CONFIGURE FIREWALL
To configure the firewall I edited Shorewall’s configuration files, using as examples the sample files found at /usr/share/doc/shorewall-common/Samples/two-interfaces/.

/etc/shorewall/zones
This file defines network zones. Here we will have three zones, “net” (the Internet, untrusted), “fw” (the firewall itself), and “loc” (local, trusted). Add the following:

#ZONE   TYPE      OPTIONS   IN        OUT
#                           OPTIONS   OPTIONS
net     ipv4
fw      firewall
loc     ipv4

/etc/shorewall/interfaces
This file defines the NICs on the firewall and maps them to zones. Here there are two interfaces: eth0, mapped to zone net, and eth1, mapped to zone loc. Add the following:

#ZONE INTERFACE BROADCAST OPTIONS
net   eth0      detect    dhcp,tcpflags,routefilter,nosmurfs,logmartians
loc   eth1      detect    tcpflags,nosmurfs

/etc/shorewall/policy
This file defines what to do with different packets on the different interfaces. Taken mostly from the sample, we have:

#SOURCE   DEST   POLICY   LOG   LIMIT:BURST
#                LEVEL
loc       net    ACCEPT
loc       $FW    ACCEPT
loc       all    REJECT   info

# Policies for traffic originating from the firewall ($FW)
#
$FW       net    ACCEPT
$FW       loc    ACCEPT
$FW       all    REJECT   info

# Policies for traffic originating from the Internet zone (net)
#
net       $FW    DROP     info
net       loc    DROP     info
net       all    DROP     info

# THE FOLLOWING POLICY MUST BE LAST
all       all    REJECT   info

Then as root, “service shorewall restart”. xp and fw can now ping one another, indicating that the firewall now allows connections to and from the LAN.

CONFIGURE APACHE
xp should be able to view a web page on the Internet, but attempting to view a page on the Intranet (e.g. http://fw/) will fail with the Apache error message “You don’t have permission to addess the requested directory”. Review the apache error log: as root, “tail /var/log/httpd/error_log”. You will see an error message such as:

[Fri Oct 23 17:28:24 2009] [error] [client 192.168.0.65] client denied by server configuration: /var/www/html/

Back up /etc/httpd/conf/httpd.conf and open it as root. Find the “virtual hosts configuration section”, probably near the end, and within it:

<Directory /var/www/html>
  ...other stuff...
  Order allow,deny
  Allow from 192.168.0. 127.0.0.1
</Directory>

“Directory” should indicate your Apache document root, usually /var/www/html. “Order allow,deny” is required exactly as shown here. “Allow from” should be followed by the IPs to be allowed: in this case the box running apache (127.0.0.1) and the LAN (192.168.0.1-254). Edit as indicated, save the file, and as root service httpd restart.

CONFIGURE THE WINDOWS BOX
xp may already see the Intranet and Internet. If not, check it’s network configuration: Open Control Panel – Network Connections, right click on local area connection, and open Properties. In the General tab, select the “Internet Protocol (TCP/IP) Protocol” and press Properties. In the General tab, select “Obtain an IP address automatically”. If you use a DNS provider such as OpenDNS, then select “Use the following DNS server addresses” and provide their IP addresses. Accept as needed and reboot. Confirm that xp now sees the Intranet and Internet.

NEXT STEPS
Now that you have a working local network, you may want to set up file and printer sharing between your Linux and Windows boxes.

REFERENCES
Introduction to Shorewall
Basic Two-Interface Firewall

Advertisements

About Warren Post

So far: Customer support guy, jungle guide, IT consultant, beach bum, entrepreneur, teacher, diplomat, over-enthusiastic cyclist. Tomorrow: who knows?
This entry was posted in Uncategorized and tagged , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s