From Mageia wiki


Introduction

This document describes how to use Network Address Translation (NAT) to share your network connection.

Consider this situation: you have a laptop computer connected via wireless connection to your Internet service. The laptop has an unused Ethernet port. You would like to connect other devices via the Ethernet port to share the connection to the Internet. Note that you may also have a tunnelled connection via the Internet link which you would like to share with devices via Ethernet.

The method presented here has been implemented and tested using an OpenVPN connection over wi-fi and sharing that via the ethernet port.


Phase One: Verify Ethernet connectivity

Step 1: Connect the Ethernet interface

If you are connecting a single device, you can simply use an Ethernet "cross-over" cable between the laptop and the device with which you want to share the connection. Alternatively, use a dedicated hub or switch for the new subnet and connect the laptop to that. Then connect any other devices that are going to share the connection to that hub/switch.


Step 2: Define a static IP address and subnet on the Ethernet interface

Select an unused subnet for use on the Ethernet interface.

If your wireless interface is using 192.168.1.0/24 then, for the Ethernet interface, choose any other private /24 from 192.168.2.0/24 up to 192.168.255.0/24. For example: select 192.168.10.0/24 to use on the Ethernet interface.

Choose a number from 1 to 254 (example: 12) for the host and so define the IP address: 192.168.10.12.

Use the Mageia Control Center => Network & Internet => Set up a new network interface => Wired (Ethernet) to configure the Ethernet interface.

Choose "Manual configuration" and define (as per this example):

IP address 192.168.10.12

Netmask 255.255.255.0

At this point, we do not define the gateway and we do not define the DNS because the first step will be simply to make sure we can ping between the laptop's Ethernet address 192.168.10.12 and another device connected via Ethernet.

Complete and finish the network setup in MCC. Note that you may see a message about "unable to connect to Internet". Don't worry about this just now. Exit MCC and in a terminal, type:

$ /sbin/ifconfig   # display network settings

Check that the Ethernet interface (sometimes called eth0 or something like enp0s25) has the IP address defined. Example: 192.168.10.12


Step 3: Define static IP address on 2nd device's Ethernet interface

Since, in this example, the laptop's Ethernet interface has been defined as 192.168.10.12, we need to choose a different address in the same subnet for the 2nd device. Let's choose 192.168.10.22 for this example.


Step 4: Check connectivity with ping between the two Ethernet interfaces

From the laptop, try to ping the 2nd device's IP address:

$ ping 192.168.10.22

Check also that you can ping from the 2nd device to the laptop's Ethernet interface IP address:

$ ping 192.168.10.12

If all is working OK now, we can move on to the next phase.


Phase Two: Adding DHCP server for devices connecting via Ethernet

Install DHCP server

If not already done, install the DHCP server thusly:

# /usr/sbin/urpmi dhcp-server


Configure DHCP server

All we need the DHCP server to do is allocate an IP address via the ethernet interface.

Here is an example /etc/dhcpd.conf using the IP address range we defined earlier. Everything sits inside a subnet declaration matching the network of the Ethernet interface, because dhcpd only accepts a "range" statement inside a subnet declaration:

$ cat /etc/dhcpd.conf
subnet 192.168.10.0 netmask 255.255.255.0 {
	# default gateway
	option routers 192.168.10.12;  # static IP address of ethernet on our server
	option broadcast-address 192.168.10.255;
	option subnet-mask 255.255.255.0;

	option domain-name "domain.org";

	# our own caching DNS server (installed in the next phase)
	option domain-name-servers 192.168.10.12;
	# option nis-domain "domain.org";

	range dynamic-bootp 192.168.10.128 192.168.10.254; # range of IPs handed out to clients
	default-lease-time 21600;
	max-lease-time 43200;

	# we want the nameserver to appear at a fixed address
	# host ns {
	#	next-server fixed.domain.org;
	#	hardware ethernet 12:34:56:78:AB:CD;
	#	fixed-address 192.168.0.10;
	#}
}


Start the DHCP server

# systemctl start dhcpd.service


Re-configure Ethernet on client to use DHCP address

Earlier (see above) we defined a static IP address on the ethernet network interface of the 2nd device (client). Now, we need to change this to use a DHCP address (provided by our server we just configured).

Use the Mageia Control Center => Network & Internet => Set up a new network interface => Wired (Ethernet) to configure the Ethernet interface. On the 2nd machine, select "Automatic IP (BOOTP/DHCP)".

Verify the connectivity by using the ping command.


Phase Two: Adding DNS server for devices connecting via Ethernet

Install DNS server

We are going to use a "caching only" DNS server to service DNS resolution requests from our DHCP clients.

Install:

# /usr/sbin/urpmi bind

There is no need to make any configuration changes because we are running the DNS server in "caching only" mode.


Start DNS server

# systemctl start named.service


Phase Three: Start your VPN tunnel

If you are using openvpn, a new network interface tun0 will be created. You will need to run Mageia's firewall configuration tool, /usr/bin/drakfirewall and ensure that tun0 has been defined.


Phase Four: Start NAT

Save the script in Appendix-1 as a file called "start_NAT_firewall". Edit "start_NAT_firewall" and check the external and internal network interface names are correctly defined for your machine. For example, on my netbook, the external interface is tun0 and the internal interface is the ethernet which is enp1s0.

Then, as root, run the start_NAT_firewall script. For example:


# ./start_NAT_firewall
Starting NAT firewall - external interface is tun0, internal interface is enp1s0
Step-1: enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
Step-2: configure iptables to forward the packets from your internal network to external network
/sbin/iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
/sbin/iptables -A FORWARD -i tun0 -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i enp1s0 -o tun0 -j ACCEPT
NAT firewall configuration completed.
iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 


Phase Five: testing the connection

Connect your client machine via Ethernet to your server and verify connectivity with the ping command. Start with the server's IP address (in this example: 192.168.10.12), then try an IP address at the other end of the VPN tunnel.


Appendix-1: start_NAT_firewall script

#!/bin/sh
#
# Name:     start_NAT_firewall
# Purpose:  script to configure NAT firewall using iptables on Linux.
# Usage:    Below, change "internal_if=" and "external_if="
#           to the internal and external network interfaces

# sanity check: writing /proc/sys and changing iptables requires root

cmd=$(basename "$0")

if [ "$(whoami)" != "root" ]; then
        echo "You need to be root to run ${cmd}. Bye" >&2
        exit 1
fi

#internal_if=eth0
internal_if=enp1s0            # the Ethernet port shared with the clients

#external_if=wlan0
#external_if=wlp2s0
external_if=tun0              # the VPN tunnel (or wi-fi) that reaches the Internet

echo "Starting NAT firewall - external interface is ${external_if}, internal interface is ${internal_if}"

echo "Step-1: enable IP forwarding"
echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
echo 1 > /proc/sys/net/ipv4/ip_forward      # takes effect immediately; not persistent across reboots

echo "Step-2: configure iptables to forward the packets from your internal network to external network"

# rewrite the source address of outgoing packets to the external interface's address
echo "/sbin/iptables -t nat -A POSTROUTING -o ${external_if} -j MASQUERADE"
/sbin/iptables -t nat -A POSTROUTING -o "${external_if}" -j MASQUERADE

# allow replies to connections started from the internal network back in
echo "/sbin/iptables -A FORWARD -i ${external_if} -o ${internal_if} -m state --state RELATED,ESTABLISHED -j ACCEPT"
/sbin/iptables -A FORWARD -i "${external_if}" -o "${internal_if}" -m state --state RELATED,ESTABLISHED -j ACCEPT

# allow anything from the internal network out through the tunnel
echo "/sbin/iptables -A FORWARD -i ${internal_if} -o ${external_if} -j ACCEPT"
/sbin/iptables -A FORWARD -i "${internal_if}" -o "${external_if}" -j ACCEPT

echo "NAT firewall configuration completed."

echo "iptables --list"
/sbin/iptables --list
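The "iptables --list" output in Phase Four shows "Chain FORWARD (policy ACCEPT)" and "Chain INPUT (policy ACCEPT)". With an ACCEPT policy the RELATED,ESTABLISHED rule never restricts anything: every packet arriving on the tunnel is forwarded to the Ethernet side whether or not a client asked for it, and the dhcpd and named services on the laptop are reachable from the tunnel side as well. The script below is an added example, not the wiki's start_NAT_firewall, showing the same masquerading set-up with a default-deny FORWARD chain, a rate-limited LOG rule so dropped forwards are visible in the kernel log, and DNS queries accepted only from the Ethernet side. The interface names enp1s0/tun0 and the subnet 192.168.10.0/24 are the wiki's example values (override them from the environment); the function names, the APPLY variable and the log prefix are this example's own choices.

```shell
#!/bin/sh
# Added example (not the wiki's script): NAT with a default-deny FORWARD chain.
# Interface names and subnet default to the wiki's example values.
internal_if="${internal_if:-enp1s0}"
external_if="${external_if:-tun0}"
lan_net="${lan_net:-192.168.10.0/24}"

# nat_rules INT EXT NET: print, one per line, the iptables commands to apply.
# Nothing is executed here, so the rule set can be reviewed (or tested) as text.
nat_rules() {
    int="$1"; ext="$2"; net="$3"
    cat <<EOF
/sbin/iptables -P FORWARD DROP
/sbin/iptables -A FORWARD -i ${ext} -o ${int} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i ${int} -o ${ext} -s ${net} -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "NAT-FWD-DROP: "
/sbin/iptables -A INPUT -i ${ext} -p udp --dport 53 -j DROP
/sbin/iptables -A INPUT -i ${ext} -p tcp --dport 53 -j DROP
/sbin/iptables -t nat -A POSTROUTING -s ${net} -o ${ext} -j MASQUERADE
EOF
}

# rule_count INT EXT NET: number of commands nat_rules would emit (self-check).
rule_count() {
    nat_rules "$@" | wc -l | tr -d ' '
}

# apply_nat INT EXT NET: enable forwarding and execute the rules; root only.
apply_nat() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_nat: must be run as root" >&2
        return 1
    fi
    echo 1 > /proc/sys/net/ipv4/ip_forward   # not persistent across reboots
    nat_rules "$1" "$2" "$3" | sh -e          # stop at the first failing rule
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_nat "$internal_if" "$external_if" "$lan_net"
else
    echo "Dry run (set APPLY=1 and run as root to apply these rules):"
    nat_rules "$internal_if" "$external_if" "$lan_net"
fi
```

Run it without arguments to see the rules it would install; run it as root with APPLY=1 to install them. The "-s ${net}" match on both the outbound FORWARD rule and the MASQUERADE rule means only hosts in the Ethernet subnet get their traffic translated, and the LOG rule sits last so that anything falling through to the DROP policy leaves a "NAT-FWD-DROP:" line in the kernel log, which is the first place to look when a client cannot reach the far end of the tunnel.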

