Saturday, April 28, 2012

Internet Connection Sharing on Linux using iptables




It is very easy to set up Internet connection sharing on a Linux system using iptables. This method can be used to share an Internet connection from a Linux system (I used CentOS 6.2, but it should work on other distributions that support iptables). Another way of doing this is to use a proxy server such as Squid.

Enable IP forwarding

Run as root
sysctl -w net.ipv4.ip_forward=1
To enable it at system startup, edit the file /etc/sysctl.conf and set
net.ipv4.ip_forward = 1

iptables

Run command as root
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
service iptables save
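
The rule above only sets up NAT; which packets the box will actually forward is decided by the FORWARD chain of the filter table. As an added example (not part of the original post), the script below audits `iptables-save` output for this eth0/eth1 layout. The finding names and the sample dumps are constructed for illustration, and rule order is not evaluated.

```shell
#!/bin/sh
# Added example: audit iptables-save output for the eth0 (WAN) / eth1 (LAN)
# layout. Finding names and sample dumps are constructed; rule order is ignored.

# audit_ics WAN_IF LAN_IF < dump   -> one finding per line, nothing if clean
audit_ics() {
    awk -v wan="$1" -v lan="$2" '
    /^\*/ { table = substr($0, 2); next }          # "*nat", "*filter", ...
    table == "nat" && /-j MASQUERADE/ {
        masq = 1
        if (!index($0 " ", "-o " wan " ")) print "MASQ_NOT_BOUND_TO_WAN"
    }
    table == "filter" && /^:FORWARD / { policy = $2 }
    table == "filter" && /^-A FORWARD -j (DROP|REJECT)/ { catchall = 1 }
    table == "filter" && /^-A FORWARD / && /-j ACCEPT/ {
        if ($0 ~ /ESTABLISHED/) ret = 1
        if (index($0, "-i " lan " ") && index($0, "-o " wan " ")) out = 1
    }
    END {
        if (!masq) print "NO_MASQUERADE"
        # No restriction at all: anything routed through this host is forwarded.
        if (policy == "ACCEPT" && !catchall) { print "FORWARD_OPEN"; exit }
        if (!out) print "LAN_TO_WAN_NOT_ALLOWED"
        if (!ret) print "NO_RETURN_TRAFFIC_RULE"
    }'
}

# Constructed dump: only the MASQUERADE rule, FORWARD left at ACCEPT with no rules.
dump_page_only() {
    printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]' \
        '-A POSTROUTING -o eth0 -j MASQUERADE' 'COMMIT' \
        '*filter' ':FORWARD ACCEPT [0:0]' 'COMMIT'
}

# Constructed dump: forwarding limited to LAN -> WAN plus reply traffic.
dump_restricted() {
    printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]' \
        '-A POSTROUTING -o eth0 -j MASQUERADE' 'COMMIT' \
        '*filter' ':FORWARD DROP [0:0]' \
        '-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A FORWARD -i eth1 -o eth0 -j ACCEPT' 'COMMIT'
}

dump_page_only  | audit_ics eth0 eth1   # FORWARD_OPEN
dump_restricted | audit_ics eth0 eth1   # (no output)
```

On a live system, feed it the real rules with `iptables-save | audit_ics eth0 eth1` as root.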

Configuration

The configuration should be like this

Router

Connected to the internet provider
IP : 192.168.1.1

Internet Connected System

eth0 (LAN Card 1)

Connected to router
  • IP : 192.168.1.10
  • Netmask : 255.255.255.0
  • Gateway : 192.168.1.1 (IP of the router)

eth1 (LAN Card 2)

Connected to the other system
  • IP : 192.168.0.20 (Not the same network as the first card)
  • Netmask : 255.255.255.0
  • Gateway : 192.168.1.1 (IP of the router)

You can also use Squid as a transparent proxy to keep a website access log for your LAN. Just add the command given below after installing and configuring Squid as a transparent proxy.

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128 

Basics to configure a CISCO router to Share Internet


The configuration below should work on any Cisco router you have around, say the Cisco 1000, 1600, 2500, 2600 and 3600 series routers. It will help you connect your LAN to the Internet and provide basic security for your Local Area Network (LAN), so that no other network connects unless it is defined in the configuration.
I will go straight to what I have around me to have this configuration done successfully.


1. Router: Cisco 1600 series.
2. ISP Addresses: [IP Address: 192.168.23.11 SubMask: 255.255.255.0 Gateway:192.168.23.1].
3. LAN Addresses: [IP Address: 10.100.10.1 SubnetMask: 255.255.255.0]
4. Console Cable.

Step 1:
-    Plug your router into power and connect your console cable (you will need an RJ-45 to DB-25 adapter). Power up the router without wasting a lot of time.
-    Open up HyperTerminal: Start -> All Programs -> Accessories -> Communications -> HyperTerminal.
-    You can enter anything as your “Connection Description” (mine is “ictmagazine”) and choose the 2nd icon.
-    Press OK, then on the next screen choose the “COM” port your console cable from the router is connected to. Mine was COM3. Then press OK.
-    On the next screen click “Restore Defaults”, then press OK. You should be in your router now.
Well, I will spare you all the boring talk and just dive straight into the real thing, “configuring a router to internet”, so let us go straight to step 2.
Please note that the names and passwords used here are the ones on my router. You can use anything you prefer to make sure your configuration is secure and matches your standards.

Step 2: Configure Basics
Router> en
Router# config t
Router(config)# hostname ICT
! enable secret is stored hashed and takes precedence over enable password when both are set
ICT(config)# enable password joinict
ICT(config)# enable secret m@g@z1n3
ICT(config)# ip name-server 208.67.222.222

Step 3: Configuring the line console and vty 0 4
ICT(config)# line console 0
ICT(config-line)# password g3t1n
ICT(config-line)# login
ICT(config-line)# exit

ICT(config)# line vty 0 4
ICT(config-line)# password b0b0ut
ICT(config-line)# login
ICT(config-line)# exit

Step 4: Setting up the LAN interface
ICT(config)# interface Ethernet1/0
ICT(config-if)# Description ICTMAGAZINE LAN
ICT(config-if)# ip address 10.100.10.1 255.255.255.0
ICT(config-if)# ip nat inside
ICT(config-if)# no shutdown
ICT(config-if)# exit

Step 5: Setting up the INTERNET interface (this interface has the IP addresses provided by the Internet provider, the ISP)
ICT(config)# interface FastEthernet0/0
ICT(config-if)# Description Broadband Internet
ICT(config-if)# ip address 192.168.23.11 255.255.255.0
ICT(config-if)# ip nat outside
ICT(config-if)# no shutdown
ICT(config-if)# exit


Step 6: Configuring NAT and routing statements
ICT(config)# ip nat inside source list 1 interface FastEthernet0/0 overload
ICT(config)# ip route 0.0.0.0 0.0.0.0 192.168.23.1

Step 7: Configuring access-list 1 (this allows the LAN to connect to the Internet)
ICT(config)# access-list 1 permit 10.100.10.0 0.0.0.255

Step 8: Run show commands to confirm your configuration
ICT(config)# end
ICT# show interface ethernet1/0 (verify the LAN IP configuration)
ICT# show interface fastethernet 0/0 (verify External/ISP IP configuration and status)
ICT# show ip route (check that your routing statement is correct)
ICT# show ip nat translations (confirm that your NAT statements are right)
ICT# show access-lists (configured access lists)

Step 9: Save your router configuration
ICT# wr
Pheeeeeeeewwwwwwwwwww... at last we are done! At this point you should be in a position to access the Internet using your Cisco router.
There is a lot you can do with your Cisco router. Let me know what you want to do on your Cisco router. We shall be glad to help you out.

CentOS Proxy Configuration



It took me a while to figure this out, being used to Windows and having IE generally used as a central repository for proxy settings, I was looking for something similar in CentOS. I am afraid in this case, as far as I can make out, proxy settings are mostly application specific. That said I believe there are locations that are apparently meant to be used for central proxy configuration and programs should try to get the proxy info from them. The central locations are split between GUI programs and command line programs.

So in this post I show how to configure the proxy settings in 4 locations, 2 of which are “apparently” central locations for other programs to use and the other 2 are program specific (as they seem to ignore the central settings). The 4 locations are

  • Gnome Proxy (used by GUI programs)
  • Proxy Environment Variables (used by command line programs)
  • YUM (Software updater and installer)
  • Firefox (Web browser)

Gnome Proxy setting

The Gnome desktop interface provides proxy configuration settings, and apparently a lot of GUI programs will use these settings. That said, I am afraid these settings need to be changed for each user. (I can’t remember where I came across this information, and if it is wrong maybe someone can let me know and I will update this.)

Gnome-Desktop proxy settings can be changed from a GUI tool or you can edit the file directly. The GUI tool is found under

System –> Preferences –> Network Proxy

You can edit the proxy settings here. I have a proxy configuration file available so I have set the automatic proxy config setting, however you can set the proxy manually here as well. The advanced tab allows you to specifically define addresses to ignore the proxy for (i.e. the local subnet).

When using this GUI tool, Gnome stores the proxy config settings in the following folders and files. ~ indicates the user's home directory and the leading . hides the folder or file (see the notes below for further explanation).

~/.gconf/system/proxy/%gconf.xml (used for the manual and advanced settings)
~/.gconf/system/http_proxy/%gconf.xml (used for the automatic settings)

I can’t tell you why it is split into two files but it appears to be so.

Proxy Environment Variables

Like the Gnome proxy settings above, the Environment variables are apparently for Command Line programs to provide a central area that these programs can look to for proxy config.

There are a number of proxy environment variables but I will concentrate on just 3 that apply to my network setup. These are

  • http_proxy
  • https_proxy
  • ftp_proxy

I think these are pretty self explanatory.

To set these there is no GUI (that I am aware of), so we have to go to the command line. We need to fire up Terminal, which is found in

Applications–> Accessories –> Terminal



The terminal should start in the users home folder ~ (see notes), you should see a prompt like this

[<user>@<computer> ~]#

or

[<user>@<computer> ~]$

<user> should be the logged on user.
<computer> should be the computer name you are on.
The # or the $ is dependent on whether you are logged in as a user or root. # indicates root, $ indicates normal user.

We can set the environment variables at the command prompt by typing

http_proxy="http://<proxy-server>:<port>"

The same applies to the other environment variables. However, at the moment these variables exist only inside this particular shell; a program started from this Terminal session would not see them. To make them part of the environment that the programs we start inherit, we need to export them, which is done using the export command. We can export any number of variables by separating them with a space.

export http_proxy https_proxy ftp_proxy

Another issue here is that this is not a permanent change: if we reboot, these variables will be lost. To get around that we need to change a logon script called profile. The script is found here

/etc/profile

OK, so how do we edit a file? I am going to give a brief introduction to vi (mainly because I have only just got my head into it) and some basic bash commands.

So in the terminal window change directory to /etc/.

To get to this directory use the following bash commands

cd / (will take you to the root directory)

cd etc (will take you into the /etc directory)

Now we are in this folder, we can use the following command to list the contents..

ls

In the list of files and folders you should see the file profile listed.

OK now type

vi profile

This puts us into the vi editor, a command line text editor. Now I found this a bit weird at first but I am gradually getting the hang of it. The editor opens up in a mode called command mode. It will allow you to scroll up and down, but not allow you to modify text. This is where you have to change modes; in this case we want to go to insert mode. This can be achieved by hitting the escape key and then i or a

a/i

You should see at the bottom of the terminal window that – INSERT – appears, to indicate you are in INSERT mode. You can now modify the file. To quit out of this mode hit <Esc> at any time; – INSERT – should disappear from the bottom of the terminal window.

OK so now we need to enter the commands to set the variables. So somewhere in the profile file enter the following.

http_proxy="http://<proxy-server>:<port>"
https_proxy=$http_proxy
ftp_proxy=$http_proxy

export http_proxy https_proxy ftp_proxy

In my case the same proxy handles http, https and ftp. My script therefore sets the http_proxy variable and then sets the others to the http_proxy value. If you have different settings for https and ftp get rid of the $http_proxy and replace with the direct setting (as with the http_proxy above). Once these have been set I then export the variables to make them global.

OK so we need to save the file by issuing the write command. Hit escape and enter :w

:w

The bottom line should change to show something like

"profile" 60L, 1062C written

Now we have saved the file, we need to quit the editor. The quit command is

:q

While using the editor you may find you want to quit without saving, although you have made changes. If you just issue the command above it will complain that there are unsaved changes. To quit without saving changes you can force it by typing

:q!

In addition you can combine commands, so to quit and save type

:wq

You should now reboot.

You can test that the changes have worked by firing up the terminal (as above) and typing the following command

echo $http_proxy

You should get the value you set in the profile file. The same applies to the other variables if you want to check them.
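
A way to check a profile snippet like the one above without rebooting, as an added example that is not from the original post: the snippet is sourced in an empty environment and a child process reports which proxy variables it did not inherit. `proxy.example.test:3128` is a made-up placeholder value.

```shell
#!/bin/sh
# Added example: test a profile snippet without rebooting.
# proxy.example.test:3128 is a made-up placeholder, not a real proxy.

# child_missing FILE -> names of the proxy variables a child process does NOT see
# FILE must contain a slash, otherwise "." searches PATH for it.
child_missing() {
    env -i PATH="$PATH" sh -c '
        . "$1"
        for v in http_proxy https_proxy ftp_proxy; do
            # env runs as a child process, so it lists exported variables only
            env | grep -q "^$v=." || printf "%s\n" "$v"
        done' sh "$1"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Snippet as it would be added to /etc/profile
cat > "$tmp/with_export" <<'EOF'
http_proxy="http://proxy.example.test:3128"
https_proxy=$http_proxy
ftp_proxy=$http_proxy
export http_proxy https_proxy ftp_proxy
EOF

# Same snippet with the export line forgotten
grep -v '^export' "$tmp/with_export" > "$tmp/no_export"

child_missing "$tmp/with_export"   # (no output)
child_missing "$tmp/no_export"     # http_proxy, https_proxy, ftp_proxy (one per line)
```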

YUM - Software Updater and Add/remove Software - Proxy Setting

There are two locations within CentOS GUI to run software update tools (software updates and software installations). These are

Applications –> System Tools –> Software Updater
Applications –> Add/Remove Software
 

They both run the same underlying command line application, YUM (Yellowdog Updater, Modified), but the Software Updater allows installed software (packages) to be updated, whereas the Add/Remove Software option allows you to add and remove software (packages) from defined repositories. (Repositories are locations on the web/network that software packages can be downloaded/updated from. CentOS comes with a set of predefined repositories but you can add custom repositories when needed.)

The proxy setting for YUM cannot be configured within any of the GUIs; it has to be done within the configuration files. I will quickly go through this, but it will involve using the vi editor. I will not explain the commands here; please see the previous section on environment variables for more details on each command.

The YUM configuration is yum.conf and is found in /etc/

/etc/yum.conf

Enter the vi editor

vi /etc/yum.conf

Enter insert mode

i

Find the line that says proxy= and change it to your proxy server settings. If your file does not contain this setting, just add it on the first clear line in the [main] section.

proxy=http://<proxy-server>:<port>

Quit and save vi.

:wq

Now fire up either the Software Updater or Add/Remove Software. You should find that both tools are able to connect to the defined repositories. You can install any updates you require.

Firefox – Proxy Settings

Now I talked about GUI programs respecting the Gnome proxy settings and I believe Firefox does. I really only include this here as an FYI (I messed with the settings when I was trying to work out what was going on with all the proxies). It appears that the default for the proxy settings in Firefox is to “Use System Proxy settings”, which means it looks for the Gnome settings. So if you make the changes above you should not have to worry about this.



Open up Firefox and select preferences

Edit –> Preferences



In the advanced section, under the network tab, click settings





Once in Connection settings you can change your proxy settings.

Notes

The folder ~ is actually a shortcut referring to the logged on user's home folder (you can see why the setting must be configured for each user). The physical user home folder can be located here: /home/<username>.
The . on the beginning of the file or folder name is a way to hide the file or folder from normal folder browsing.


Source : http://mumblestiltskin.blogspot.in/2009/07/install-linux-centos-for-windows-sys_20.html