Contents
- 1 Introduction
- 2 Phase One: Verify Ethernet connectivity
- 3 Phase Two: Adding DHCP server for devices connecting via Ethernet
- 4 Phase Two: Adding DNS server for devices connecting via Ethernet
- 5 Phase Three: Start your VPN tunnel
- 6 Phase Four: Start NAT
- 7 Phase 5: testing the connection
- 8 Appendix-1: start_NAT_firewall script
Introduction
This document describes how to use Network Address Translation (NAT) to share your network connection.
Consider this situation: you have a laptop computer connected via wireless connection to your Internet service. The laptop has an unused Ethernet port. You would like to connect other devices via the Ethernet port to share the connection to the Internet. Note that you may also have a tunnelled connection via the Internet link which you would like to share with devices via Ethernet.
The method presented here has been implemented and tested using an OpenVPN connection over wi-fi and sharing that via the ethernet port.
Phase One: Verify Ethernet connectivity
Step 1: Connect the Ethernet interface
If you are connecting a single device, you can simply use an Ethernet "cross-over" cable to connect to the device that you want to offer to share the connection to. Alternatively, use a dedicated hub or switch for the new subnet and connect to that. Then connect any other devices that are going to share the connection to that hub/switch.
Step 2: Define a static IP address and subnet on the Ethernet interface
Select an unused subnet for use on the Ethernet interface.
If your wireless interface is using 192.168.1.0/24 then, for the Ethernet interface, choose a different /24 from the private range, i.e. one of 192.168.2.0/24 through 192.168.255.0/24. For example: select 192.168.10.0/24 to use on the Ethernet interface.
Choose a number from 1 to 254 (example: 12) for the host and so define the IP address: 192.168.10.12.
Use the Mageia Control Center => Network & Internet => Set up a new network interface => Wired (Ethernet) to configure the Ethernet interface.
Choose "Manual configuration" and define (as per this example):
IP address: 192.168.10.12
Netmask:    255.255.255.0
At this point, we do not define the gateway and we do not define the DNS because the first step will be simply to make sure we can ping between the laptop's Ethernet address 192.168.10.12 and another device connected via Ethernet.
Complete and finish the network setup in MCC. Note that you may see a message about "unable to connect to Internet". Don't worry about this just now. Exit MCC and in a terminal, type:
$ /sbin/ifconfig # display network settings
Check that the Ethernet interface (sometimes called eth0 or something like enp0s25) has the IP address defined. Example: 192.168.10.12
Step 3: Define static IP address on 2nd device's Ethernet interface
Since, in this example, the laptop's Ethernet interface has been defined as 192.168.10.12, we need to choose a different address in the same subnet for the 2nd device. Let's choose 192.168.10.22 for this example.
Step 4: Check connectivity with ping between the two Ethernet interfaces
From the laptop, try to ping the 2nd device's IP address:
$ ping 192.168.10.22
Check also that you can ping from the 2nd device to the laptop's Ethernet interface IP address:
$ ping 192.168.10.12
If all is working OK now, we can move on to the next phase.
Phase Two: Adding DHCP server for devices connecting via Ethernet
Install DHCP server
If not already done, install the DHCP server thusly:
# /usr/sbin/urpmi dhcp-server
Configure DHCP server
All we need the DHCP server to do is allocate an IP address via the ethernet interface.
Here is an example /etc/dhcpd.conf using the IP address range we defined earlier:
$ cat /etc/dhcpd.conf
# the options below must sit inside a subnet declaration for the Ethernet network
subnet 192.168.10.0 netmask 255.255.255.0 {
    # default gateway
    option routers 192.168.10.12;                  # static IP address of ethernet on our server
    option broadcast-address 192.168.10.255;
    option subnet-mask 255.255.255.0;
    option domain-name "domain.org";
    # Setting up an ip address is better here
    option domain-name-servers 192.168.10.12;
    # option nis-domain "domain.org";
    range dynamic-bootp 192.168.10.128 192.168.10.254;   # range of IPs handed out to clients
    default-lease-time 21600;
    max-lease-time 43200;
    # we want the nameserver to appear at a fixed address
    # host ns {
    #     next-server fixed.domain.org;
    #     hardware ethernet 12:34:56:78:AB:CD;
    #     fixed-address 192.168.0.10;
    # }
}
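Before starting dhcpd it is worth checking that the addresses in this file agree with the rest of the plan: the Ethernet subnet must not overlap the wireless subnet, option routers must point at the laptop (it is the box doing the NAT), and the pool must lie inside the subnet without handing out the laptop's own address. The checker below is an added Python example, not part of this wiki page or of Mageia's tooling; parse_dhcpd_conf and check_plan are hypothetical helper names, PAGE_DHCPD_CONF is a constructed copy of the subnet block above, and 192.168.1.0/24 is the wireless subnet assumed in Step 2.

```python
import ipaddress
import re

# Constructed copy of the subnet block from this page's /etc/dhcpd.conf
# (comments dropped; only the directives the checker looks at).
PAGE_DHCPD_CONF = """\
subnet 192.168.10.0 netmask 255.255.255.0 {
    option routers 192.168.10.12;
    option broadcast-address 192.168.10.255;
    option subnet-mask 255.255.255.0;
    option domain-name "domain.org";
    option domain-name-servers 192.168.10.12;
    range dynamic-bootp 192.168.10.128 192.168.10.254;
    default-lease-time 21600;
    max-lease-time 43200;
}
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"


def parse_dhcpd_conf(text):
    """Extract the fields a single-subnet dhcpd.conf has to agree on.

    Hypothetical helper written for this page's layout; it is not a full
    dhcpd.conf parser (one subnet block, IPv4 literals only).
    """
    text = re.sub(r"#.*", "", text)  # strip comments
    sub = re.search(r"subnet\s+" + IP + r"\s+netmask\s+" + IP + r"\s*\{", text)
    rng = re.search(r"range(?:\s+dynamic-bootp)?\s+" + IP + r"\s+" + IP + r"\s*;", text)
    rtr = re.search(r"option\s+routers\s+" + IP + r"\s*;", text)
    dns = re.search(r"option\s+domain-name-servers\s+" + IP, text)
    if not (sub and rng and rtr):
        raise ValueError("subnet, range and option routers are all required")
    return {
        # strict=True rejects a subnet whose host bits are set (e.g. 192.168.10.12/24)
        "subnet": ipaddress.ip_network(f"{sub[1]}/{sub[2]}", strict=True),
        "pool": (ipaddress.ip_address(rng[1]), ipaddress.ip_address(rng[2])),
        "routers": ipaddress.ip_address(rtr[1]),
        "dns": ipaddress.ip_address(dns[1]) if dns else None,
    }


def check_plan(conf, uplink_subnet, server_addr):
    """Return a list of problems with the addressing plan; an empty list means OK.

    uplink_subnet: the wireless (Internet-side) subnet the laptop already uses.
    server_addr:   the static address given to the laptop's Ethernet port.
    """
    net = conf["subnet"]
    start, end = conf["pool"]
    uplink = ipaddress.ip_network(uplink_subnet)
    server = ipaddress.ip_address(server_addr)
    problems = []

    if net.overlaps(uplink):
        problems.append(f"Ethernet subnet {net} overlaps the uplink subnet {uplink}; "
                        "the kernel cannot tell which interface a destination is behind")
    if server not in net:
        problems.append(f"server address {server} is not inside {net}")
    if conf["routers"] != server:
        problems.append(f"option routers is {conf['routers']} but the NAT box is {server}; "
                        "clients must use the NAT box as their default gateway")
    if conf["dns"] is not None and conf["dns"] in net and conf["dns"] != server:
        problems.append(f"domain-name-servers {conf['dns']} is on the Ethernet subnet but is "
                        f"not the caching named running on {server}")
    if start > end:
        problems.append(f"pool start {start} is after pool end {end}")
    if start not in net or end not in net:
        problems.append(f"pool {start}-{end} is not inside {net}")
    else:
        if start <= server <= end:
            problems.append(f"pool {start}-{end} contains the server's own address {server}; "
                            "dhcpd may hand it to a client and create a duplicate address")
        if start == net.network_address or end == net.broadcast_address:
            problems.append("pool includes the network or broadcast address")
    return problems


if __name__ == "__main__":
    plan = parse_dhcpd_conf(PAGE_DHCPD_CONF)
    for problem in check_plan(plan, "192.168.1.0/24", "192.168.10.12") or ["plan is consistent"]:
        print(problem)
```

Run it against the real file with `check_plan(parse_dhcpd_conf(open("/etc/dhcpd.conf").read()), "<wireless subnet>", "<Ethernet address>")`; an empty list means the file matches the plan from Phase One.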
Start the DHCP server
# systemctl start dhcpd.service
Re-configure Ethernet on client to use DHCP address
Earlier (see above) we defined a static IP address on the ethernet network interface of the 2nd device (client). Now, we need to change this to use a DHCP address (provided by our server we just configured).
Use the Mageia Control Center => Network & Internet => Set up a new network interface => Wired (Ethernet) to configure the Ethernet interface. On the 2nd machine, select "Automatic IP (BOOTP/DHCP)".
Verify the connectivity by using the ping command.
Phase Two: Adding DNS server for devices connecting via Ethernet
Install DNS server
We are going to use a "caching only" DNS server to service DNS resolution requests from our DHCP clients.
Install:
# /usr/sbin/urpmi bind
There is no need to make any configuration changes because we are running the DNS server in "caching only" mode.
Start DNS server
# systemctl start named.service
Phase Three: Start your VPN tunnel
If you are using OpenVPN, a new network interface tun0 will be created. You will need to run Mageia's firewall configuration tool, /usr/bin/drakfirewall, and ensure that tun0 has been defined.
Phase Four: Start NAT
Save the script in Appendix-1 as a file called "start_NAT_firewall". Edit "start_NAT_firewall" and check the external and internal network interface names are correctly defined for your machine. For example, on my netbook, the external interface is tun0 and the internal interface is the ethernet which is enp1s0.
Then, as root, run the start_NAT_firewall script. For example:
# ./start_NAT_fw
Starting NAT firewall - external interface is tun0, internal interface is enp1s0
Step-1: enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
Step-2: configure iptables to forward the packets from your internal network to external network
/sbin/iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
/sbin/iptables -A FORWARD -i tun0 -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i enp1s0 -o tun0 -j ACCEPT
NAT firewall configuration completed.
iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
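Two things in that listing deserve a second look. The FORWARD chain has policy ACCEPT, so a packet matching neither rule is forwarded anyway and the RELATED,ESTABLISHED rule does not, on its own, stop anything coming in from the tunnel side; ending the chain with a DROP rule (or `iptables -P FORWARD DROP`) makes the rules actually restrictive. And plain `iptables --list` omits the in/out interface columns, so the second rule looks like an accept-everything rule even though the script limited it with -i/-o; `iptables -L -v -n` shows those columns. The parser and audit below are an added Python example (not from this page or from Mageia) that turns the listing into data and reports both points; parse_iptables_list and audit_forward are hypothetical names, and PAGE_LISTING is a constructed copy of the output above.

```python
import re

# Constructed copy of the `iptables --list` output shown above (the page's NAT box).
PAGE_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

# Built-in chains print a policy; user-defined chains print a reference count instead.
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)")
COLUMNS = ("target", "prot", "opt", "source", "destination")


def parse_iptables_list(text):
    """Parse `iptables --list` output into {chain: {"policy": str|None, "rules": [...]}}.

    Hypothetical helper for this page; each rule is a dict of the five fixed
    columns plus "extra" for whatever match text follows (state, ports, ...).
    Without -v the listing has no in/out interface columns, so interface
    matches are invisible here because of the tool's output, not the parser.
    """
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m[1]
            chains[current] = {"policy": m[2], "rules": []}
            continue
        if current is None or not line.strip() or line.startswith("target"):
            continue  # text before the first chain, blank separator, or column header
        parts = line.split(None, 5)
        rule = dict(zip(COLUMNS, parts[:5]))
        rule["extra"] = parts[5].strip() if len(parts) > 5 else ""
        chains[current]["rules"].append(rule)
    return chains


def audit_forward(chains):
    """Findings a defender wants about the FORWARD chain of a NAT box; [] means nothing to report."""
    fwd = chains.get("FORWARD")
    if fwd is None:
        return ["no FORWARD chain in the listing (is this the filter table?)"]
    findings = []
    if fwd["policy"] == "ACCEPT":
        findings.append("FORWARD policy is ACCEPT: a packet matching no rule is forwarded anyway, "
                        "so the RELATED,ESTABLISHED rule restricts nothing; finish the chain with "
                        "a DROP rule or set the policy to DROP (iptables -P FORWARD DROP)")
    for rule in fwd["rules"]:
        wide = (rule["target"] == "ACCEPT" and rule["source"] == "anywhere"
                and rule["destination"] == "anywhere" and not rule["extra"])
        if wide:
            findings.append("an ACCEPT rule matches any source and destination with no state match; "
                            "confirm with `iptables -L -v -n` that it is limited to -i <internal> -o <external>")
    return findings


if __name__ == "__main__":
    for finding in audit_forward(parse_iptables_list(PAGE_LISTING)) or ["FORWARD chain looks fine"]:
        print(finding)
```

On the live box, feed it `subprocess.run(["iptables", "--list"], capture_output=True, text=True).stdout` as root; after adding a final DROP rule (or changing the policy) the first finding disappears.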
Phase 5: testing the connection
Connect your client machine via Ethernet to your server and verify connectivity by using the ping command against a series of addresses. Start with the server's IP address (in this example: 192.168.10.12), then try an IP address at the other end of the VPN tunnel.
Appendix-1: start_NAT_firewall script
#!/bin/sh
#
# Name:    start_NAT_firewall
# Purpose: script to configure NAT firewall using iptables on Linux.
# Usage:   Below, change "internal_if=" and "external_if="
#          to the internal and external network interfaces

# sanity check: writing ip_forward and changing iptables rules needs root
cmd=$(basename "$0")
if [ "$(whoami)" != "root" ]; then
    echo "You need to be root to run ${cmd}. Bye" >&2
    exit 1
fi

# internal interface: the Ethernet port the clients plug into
#internal_if=eth0
internal_if=enp1s0

# external interface: where the shared traffic leaves towards the Internet
# (the VPN tunnel here; the wireless interface if there is no tunnel)
#external_if=wlan0
#external_if=wlp2s0
external_if=tun0

echo "Starting NAT firewall - external interface is ${external_if}, internal interface is ${internal_if}"

echo "Step-1: enable IP forwarding"
echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
echo 1 > /proc/sys/net/ipv4/ip_forward

echo "Step-2: configure iptables to forward the packets from your internal network to external network"
# rewrite the source address of packets leaving via the external interface
echo "/sbin/iptables -t nat -A POSTROUTING -o ${external_if} -j MASQUERADE"
/sbin/iptables -t nat -A POSTROUTING -o "${external_if}" -j MASQUERADE
# let replies to connections the clients opened come back in
echo "/sbin/iptables -A FORWARD -i ${external_if} -o ${internal_if} -m state --state RELATED,ESTABLISHED -j ACCEPT"
/sbin/iptables -A FORWARD -i "${external_if}" -o "${internal_if}" -m state --state RELATED,ESTABLISHED -j ACCEPT
# let anything from the clients out through the external interface
echo "/sbin/iptables -A FORWARD -i ${internal_if} -o ${external_if} -j ACCEPT"
/sbin/iptables -A FORWARD -i "${internal_if}" -o "${external_if}" -j ACCEPT

echo "NAT firewall configuration completed."
echo "iptables --list"
iptables --list