TechSpot

Sharing Internet in Fedora Core 3

By rekha_divgikar
Mar 10, 2005
  1. Hi!

    I am facing problems with internet sharing from Linux to Windows.

    I have Linux (Fedora Core 3) installed on server. The eth0 of the server is used for LAN while eth1 is used for Internet.

    On the LAN card of the server, I use IP address 192.168.0.1, subnet 255.255.255.0.

    On the client I have two OS installed, one is WinXP and the other is Fedora Core 3. I assign the IP address 192.168.0.2, subnet 255.255.255.0, gateway = IP address of eth0 LAN.

    I can surf the internet from the server. From the server, I can ping the IP address of the client and can ping the LAN IP of the server from the client. But I am unable to surf the internet from the client.

    What's the problem? What more settings do I need to do?

    I am unable to surf the net from both OS of the client, i.e. from Win XP as well as Fedora Core 3.
     
  2. Nodsu

    Nodsu TS Rookie Posts: 9,431

  3. rekha_divgikar

    rekha_divgikar TS Rookie Topic Starter

    Hi!

    Yes, I have already tried the solution link you mentioned earlier but it is not working for me; that's when I posted the question...

    I even downloaded Firestarter and installed it on my server, and after enabling "internet sharing" in Firestarter I tried accessing the net from my client PC, but it doesn't seem to work...

    I should have mentioned the above earlier...
     
  4. Nodsu

    Nodsu TS Rookie Posts: 9,431

    What exactly isn't working? What exactly did you do? What is the network setup on the server and the client?
     
  5. rekha_divgikar

    rekha_divgikar TS Rookie Topic Starter

    Hi!

    Like I've mentioned earlier, my problem is I cannot access the internet from my client PC...

    I did exactly as was mentioned in the solution link, that is setting up the network, and then for the "internet sharing" I chose to download the "Firestarter GUI firewall". Then I installed it on my "server" PC and did the required settings for sharing the internet...

    My network setup is as follows:

    "The server PC has two network cards"
    eth0 => is used for LAN, the settings of which are
    IP address = 192.168.0.1
    subnet = 255.255.255.0
    gateway = <empty>

    eth1 => is used for accessing the internet. It's connected to a cable modem.
    IP address = 10.10.10.46
    subnet = 255.255.255.252
    gateway = 10.10.10.1

    "The Client PC has one network card"
    eth0 => is for LAN, the settings of which are
    IP address = 192.168.0.2
    subnet = 255.255.255.0
    gateway = 192.168.0.1 (i.e. IP address of eth0 LAN)

    The LAN network cards are connected via a cable.
     
  6. Nodsu

    Nodsu TS Rookie Posts: 9,431

    OK. Let's stick with the pretty and straightforward Firestarter.
    What error messages does it give you?
    What do you get out of "ifconfig -a" and what is in the /etc/firestarter/configuration file?
     
  7. rekha_divgikar

    rekha_divgikar TS Rookie Topic Starter

    Hi!

    When I run Firestarter I don't get any errors as such. But with the firewall button on, I cannot access any websites on the server machine, but when I click the stop firewall button in "Firestarter" I can access the websites. What's the reason for this?

    ==========================================================

    In the /etc/firestarter/configuration file the settings are:

    #-----------( Firestarter Configuration File )-----------#

    # --(External Interface)--
    # Name of external network interface
    IF="eth1"
    # Network interface is a PPP link
    EXT_PPP="off"

    # --(Internal Interface--)
    # Name of internal network interface
    INIF="eth0"

    # --(Network Address Translation)--
    # Enable NAT
    NAT="on"
    # Enable DHCP server for NAT clients
    DHCP_SERVER="off"
    # Forward server's DNS settings to clients in DHCP lease
    DHCP_DYNAMIC_DNS="on"

    # --(Inbound Traffic)--
    # Packet rejection method
    # DROP: Ignore the packet
    # REJECT: Send back an error packet in response
    STOP_TARGET="DROP"

    # --(Outbound Traffic)--
    # Default Outbound Traffic Policy
    # permissive: everything not denied is allowed
    # restrictive everything not allowed is denied
    OUTBOUND_POLICY="permissive"

    # --(Type of Service)--
    # Enable ToS filtering
    FILTER_TOS="off"
    # Apply ToS to typical client tasks such as SSH and HTTP
    TOS_CLIENT="off"
    # Apply ToS to typical server tasks such as SSH, HTTP, HTTPS and POP3
    TOS_SERVER="off"
    # Apply ToS to Remote X server connections
    TOS_X="off"
    # ToS parameters
    # 4: Maximize Reliability
    # 8: Maximize-Throughput
    # 16: Minimize-Delay
    TOSOPT=8

    # --(ICMP Filtering)--
    # Enable ICMP filtering
    FILTER_ICMP="off"
    # Allow Echo requests
    ICMP_ECHO_REQUEST="off"
    # Allow Echo replies
    ICMP_ECHO_REPLY="off"
    # Allow Traceroute requests
    ICMP_TRACEROUTE="off"
    # Allow MS Traceroute Requests
    ICMP_MSTRACEROUTE="off"
    # Allow Unreachable Requests
    ICMP_UNREACHABLE="off"
    # Allow Timestamping Requests
    ICMP_TIMESTAMPING="off"
    # Allow Address Masking Requests
    ICMP_MASKING="off"
    # Allow Redirection Requests
    ICMP_REDIRECTION="off"
    # Allow Source Quench Requests
    ICMP_SOURCE_QUENCHES="off"

    # --(Broadcast Traffic)--
    # Block external broadcast traffic
    BLOCK_EXTERNAL_BROADCAST="on"
    # Block internal broadcast traffic
    BLOCK_INTERNAL_BROADCAST="off"

    # --(Traffic Validation)--
    # Block non-routable traffic on the public interfaces
    BLOCK_NON_ROUTABLES="off"

    # --(Logging)--
    # System log level
    LOG_LEVEL=info

    =============================================================

    I get the following out of "ifconfig -a"

    eth0 Link encap:Ethernet HWaddr 00:80:48:31:B4:34
    inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
    inet6 addr: fe80::280:48ff:fe31:b434/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:0 (0.0 b) TX bytes:1302 (1.2 KiB)
    Interrupt:5 Base address:0xc400

    eth1 Link encap:Ethernet HWaddr 00:0D:88:45:AA:2E
    inet addr:10.10.10.46 Bcast:10.10.10.47 Mask:255.255.255.252
    inet6 addr: fe80::20d:88ff:fe45:aa2e/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:7331 errors:0 dropped:0 overruns:0 frame:0
    TX packets:7355 errors:0 dropped:0 overruns:0 carrier:0
    collisions:38 txqueuelen:1000
    RX bytes:4018358 (3.8 MiB) TX bytes:1003296 (979.7 KiB)
    Interrupt:11 Base address:0xc800

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:1966 errors:0 dropped:0 overruns:0 frame:0
    TX packets:1966 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:2832848 (2.7 MiB) TX bytes:2832848 (2.7 MiB)

    ppp0 Link encap:point-to-Point Protocol
    inet addr:202.149.49.210 P-t-P:202.63.169.94 Mask:255.255.255.255
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
    RX packets:5834 errors:0 dropped:0 overruns:0 frame:0
    TX packets:6892 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:3
    RX bytes:3753690 (3.5 MiB) TX bytes:823730 (804.4 KiB)

    sit0 Link encap:IPv6-in-IPv4
    NOARP MTU:1480 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

    ============================================================
     
  8. Nodsu

    Nodsu TS Rookie Posts: 9,431

    You mean there are some websites hosted on the server machine? Or do you mean that you cannot browse the web using the server?

    If it is the latter then try resolving some names with nslookup. Or enable ping in firestarter and try pinging something.
     
  9. rekha_divgikar

    rekha_divgikar TS Rookie Topic Starter

    Hi!

    No, there are no websites hosted on the server machine (gateway); what I meant was that I could not browse the Internet using the server with Firestarter on...

    If I have to do the "Internet sharing" from the server machine without using Firestarter, how do I go about it?

    I have installed Fedora Core 3 all over again on the server machine and have given the same settings as I mentioned earlier... I can surf the Internet from the server machine; now how do I go about sharing the internet from the server machine, so that I can access the Internet from the client machine too...

    My network is working fine, I can ping to and from both machines...
     
  10. Nodsu

    Nodsu TS Rookie Posts: 9,431

    The simplest setup with iptables:

    iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
    eth0 is the external interface here.
    Edit the /proc/sys/net/ipv4/ip_forward to contain "1"
     
  11. rekha_divgikar

    rekha_divgikar TS Rookie Topic Starter

    When I tried to edit /proc/sys/net/ipv4/ip_forward to contain "1" and save the changes to the file, it gives me an error saying it cannot save the file...

    So, how do I proceed from here?
     
     
  12. Nodsu

    Nodsu TS Rookie Posts: 9,431

    Try "echo 1 > /proc/sys/net/ipv4/ip_forward"?
     
  13. Phantasm66

    Phantasm66 TS Rookie Posts: 6,504   +6

    Don't you mean

    "echo 1 >> /proc/sys/net/ipv4/ip_forward"

    ?

    Make a copy of config files before editing them. Use VI if possible.
     
  14. rekha_divgikar

    rekha_divgikar TS Rookie Topic Starter

    Yes, I have tried "echo 1 > /proc/sys/net/ipv4/ip_forward"; I get an output of "1" but I still can't access the internet from the client machine...
     
  15. Nodsu

    Nodsu TS Rookie Posts: 9,431

    Hmm..
    I just set this up on my FC3 machine to test and it worked flawlessly.

    What is the network setup on the client machine? TCP/IP and DNS.

    Do you have iptables active on the server (try "/etc/init.d/iptables restart")? Do you have any other firewall rules on the server? (What do you get out of "iptables -L" and "iptables -L -t nat")?
    You could run tcpdump on the server LAN interface and see what traffic goes through when the client tries to connect.

    PS
    The >> syntax is no good. ip_forward has to contain exactly one byte valued ASCII "1" so we have to use > (write to file) instead of >> (append to file).
     
  16. Phantasm66

    Phantasm66 TS Rookie Posts: 6,504   +6

    Ah, OK. I am just not in the habit of using > in case I overwrite something, thinking I was using >>.
     
  17. rekha_divgikar

    rekha_divgikar TS Rookie Topic Starter

    Hi!

    The network setup on the client machine is as follows..

    IP: 192.168.0.254
    subnet:255.255.255.0
    gateway:192.168.0.1 (IP address of the server machine)
    DNS:192.168.0.1

    Yes, I have iptables active on my server machine. No, I have no other firewall rules on the server.

    [root@localhost ~]# iptables -L
    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    -----------------------------------------------------------------

    [root@localhost ~]# iptables -L -t nat
    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination

    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    ----------------------------------------------------------------------

    I ran "tcpdump" on the server; the traffic is as follows when the client tries to connect to the server:

    [root@localhost ~]# tcpdump
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    17:08:26.758918 IP 192.168.0.254.32855 > 202-63-164-17.broadband.isp.exatt.net.domain: 62515+ AAAA? www.gizmodo.com. (33)
    17:08:29.815979 IP 192.168.0.254.32853 > 202-63-164-17.broadband.isp.exatt.net.domain: 64199+ AAAA? www.tomshardware.com. (38)
    17:08:31.758518 IP 192.168.0.254.32856 > 202-63-164-18.broadband.isp.exatt.net.domain: 62515+ AAAA? www.gizmodo.com. (33)
    17:08:34.815717 IP 192.168.0.254.32854 > 202-63-164-18.broadband.isp.exatt.net.domain: 64199+ AAAA? www.tomshardware.com. (38)
    17:08:36.758225 IP 192.168.0.254.32855 > 202-63-164-17.broadband.isp.exatt.net.domain: 62515+ AAAA? www.gizmodo.com. (33)
    17:08:39.815536 IP 192.168.0.254.32857 > 202-63-164-17.broadband.isp.exatt.net.domain: 27249+ A? www.tomshardware.com. (38)
    17:08:41.779705 IP 192.168.0.254.32856 > 202-63-164-18.broadband.isp.exatt.net.domain: 62515+ AAAA? www.gizmodo.com. (33)
    17:08:44.815220 IP 192.168.0.254.32858 > 202-63-164-18.broadband.isp.exatt.net.domain: 27249+ A? www.tomshardware.com. (38)
    17:08:46.778776 IP 192.168.0.254.32859 > 202-63-164-17.broadband.isp.exatt.net.domain: 60049+ A? www.gizmodo.com. (33)
    17:08:49.814930 IP 192.168.0.254.32857 > 202-63-164-17.broadband.isp.exatt.net.domain: 27249+ A? www.tomshardware.com. (38)
    17:08:51.778457 IP 192.168.0.254.32860 > 202-63-164-18.broadband.isp.exatt.net.domain: 60049+ A? www.gizmodo.com. (33)
    17:08:54.814669 IP 192.168.0.254.32858 > 202-63-164-18.broadband.isp.exatt.net.domain: 27249+ A? www.tomshardware.com. (38)
    17:08:56.778171 IP 192.168.0.254.32859 > 202-63-164-17.broadband.isp.exatt.net.domain: 60049+ A? www.gizmodo.com. (33)
    17:08:59.814509 IP 192.168.0.254.32861 > 202-63-164-17.broadband.isp.exatt.net.domain: 58496+ A? www.tomshardware.com. (38)
    17:09:01.777908 IP 192.168.0.254.32860 > 202-63-164-18.broadband.isp.exatt.net.domain: 60049+ A? www.gizmodo.com. (33)
    17:09:04.814215 IP 192.168.0.254.32862 > 202-63-164-18.broadband.isp.exatt.net.domain: 58496+ A? www.tomshardware.com. (38)
    17:09:06.777789 IP 192.168.0.254.32863 > 202-63-164-17.broadband.isp.exatt.net.domain: 15901+ A? www.gizmodo.com. (33)

    17 packets captured
    17 packets received by filter
    0 packets dropped by kernel

    ---------------------------------------------------------------------------------
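    The capture above contains only outgoing client DNS queries and not a single reply. As an added illustration (this is not code from the thread), the following Python parses tcpdump DNS lines of that shape and pairs each query with its answer by client port and transaction id, so a capture like this one is reported as "no-dns-replies"; the embedded sample is constructed after the posted output, with one answered query added for contrast.

```python
import re

# Constructed sample in the shape of the capture posted above (client
# 192.168.0.254 querying the ISP resolvers via the gateway's LAN side),
# plus one answered query added for contrast. Sample values, not real hosts.
SAMPLE_CAPTURE = """\
17:08:26.758918 IP 192.168.0.254.32855 > 202-63-164-17.broadband.isp.exatt.net.domain: 62515+ AAAA? www.gizmodo.com. (33)
17:08:31.758518 IP 192.168.0.254.32856 > 202-63-164-18.broadband.isp.exatt.net.domain: 62515+ AAAA? www.gizmodo.com. (33)
17:08:36.758225 IP 192.168.0.254.32855 > 202-63-164-17.broadband.isp.exatt.net.domain: 62515+ AAAA? www.gizmodo.com. (33)
17:08:39.815536 IP 192.168.0.254.32857 > 202-63-164-17.broadband.isp.exatt.net.domain: 27249+ A? www.tomshardware.com. (38)
17:08:40.101000 IP 202-63-164-17.broadband.isp.exatt.net.domain > 192.168.0.254.32857: 27249 1/0/0 A 192.0.2.10 (54)
"""

# One tcpdump DNS line: timestamp, endpoints, transaction id, flags, payload.
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP (\S+) > (\S+): (\d+)[+*$|-]* (.*)$")
# A query payload starts with the record type and '?', e.g. "AAAA? host."
QUERY_RE = re.compile(r"^([A-Z0-9]+)\? (\S+)")

def parse_tcpdump(text):
    """One dict per DNS line; banner and summary lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, txid, rest = m.groups()
        q = QUERY_RE.match(rest)
        records.append({"ts": ts, "src": src, "dst": dst, "txid": txid,
                        "qtype": q.group(1) if q else None,
                        "qname": q.group(2) if q else None})
    return records

def dns_transactions(records):
    """Pair queries with answers by (client endpoint, transaction id): a repeat
    from the same port is a retransmission, a new port is a new transaction."""
    tx = {}
    for r in records:
        if r["qname"]:  # query from the client
            e = tx.setdefault((r["src"], r["txid"]), {"qname": r["qname"],
                              "resolver": r["dst"], "attempts": 0, "answered": False})
            e["attempts"] += 1
        elif (r["dst"], r["txid"]) in tx:  # reply back to the client
            tx[(r["dst"], r["txid"])]["answered"] = True
    return tx

def diagnose(text):
    """No answered query at all: DNS is not forwarded/NATed through the gateway
    or the replies never return, even though LAN pings still succeed."""
    tx = dns_transactions(parse_tcpdump(text))
    unanswered = sum(1 for v in tx.values() if not v["answered"])
    if not tx:
        verdict = "no-dns-traffic"
    else:
        verdict = {0: "ok", len(tx): "no-dns-replies"}.get(unanswered, "partial")
    return {"transactions": len(tx), "unanswered": unanswered, "verdict": verdict}
```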
     
  18. Nodsu

    Nodsu TS Rookie Posts: 9,431

    You have set the DNS server for the client to be your FC3 machine, but you haven't set up DNS on it so you won't be able to resolve any names on the client.
    It would be the easiest to tell the client machine the address of the DNS of your ISP or whatever the server is using.
     
  19. rekha_divgikar

    rekha_divgikar TS Rookie Topic Starter

    How do I set up DNS on the server? Please could you guide me?

    I have tried giving DNS of the ISP on the client machine, but it doesn't work...
     
  20. Nodsu

    Nodsu TS Rookie Posts: 9,431

    What DNS server is the server machine using? Look in the /etc/resolv.conf file. You are really better off not overcomplicating things.

    I suppose all you need to do is install the nameserver package (if not installed already) and start the daemon (/etc/init.d/named start)
     
  21. rekha_divgikar

    rekha_divgikar TS Rookie Topic Starter

    Hi!

    The nameserver package is already installed and I have also started the daemon (/etc/init.d/named start).

    The /etc/resolv.conf file shows the following:

    serach localhost
    nameserver 202.63.164.17
    nameserver 202.63.164.18
     
  22. Nodsu

    Nodsu TS Rookie Posts: 9,431

    OK. And these are the same DNS servers you told the client machine to use?
     
  23. rekha_divgikar

    rekha_divgikar TS Rookie Topic Starter

    Yes... I used this DNS for the client system...
     
  24. Nodsu

    Nodsu TS Rookie Posts: 9,431

    In that case either the masquerading is set up wrong or you have a firewall somewhere that blocks the traffic.

    Just set up a mock ICS with two Linux machines:

    MACHINE1 (the server):
    MACHINE2 (the client):
    The steps roughly to set it up..
    Server side:
    Client:
     
  25. sifonell

    sifonell TS Rookie

    Hi,

    Let's do this in a few very easy steps. First, this will run on any SysV-based distribution (i.e. Fedora, Mandrake etc.).

    First, make sure that you have uninstalled or at least disabled Firestarter or whatever other external trick you have enabled.

    Let the stepping begin ...

    Step 1:

    We configure ip_forwarding, which will let the packets "flow" from one interface to another.
    In order to do this, in your favorite text editor, open the file /etc/sysctl.conf.
    Initially, the line looks like this:

    # Controls IP packet forwarding
    net.ipv4.ip_forward = 0

    You have to change it to

    net.ipv4.ip_forward = 1

    save and exit.

    Now, why did we do it like this instead of just echoing into /proc/sys/net...? Because changing the file in /proc only ensures it runs until the next restart. It will not work after that, because at startup the network service, via sysctl, parses the file /etc/sysctl.conf, where it will read "do not enable ip_forward".

    Step 2:

    # service network restart
    (# as in ... you have to be root)

    Step 3: we add the firewall and nat rules in iptables

    You are running on a kernel newer than 2.4, so we can safely do this:

    # iptables -t nat -I POSTROUTING -s 192.168.0.1/24 -j SNAT --to-source 10.10.10.10

    I didn't remember your outgoing address, so I said ... 10.10.10.10. You replace it with yours!

    Step 4:
    We ensure that the next time the system starts the rule will be loaded

    # service iptables save

    Step 5:

    Double check the config of the interfaces:

    eth0 (the LAN interface) must have no gateway set

    the interfaces in the network must have as gateway the IP of your eth0

    Step 6:

    The final check

    from your Linux-based client machine (from the net 192.168.0.)
    # traceroute [an external ip address]

    from your windows based client machine
    > tracert [an external ip address]

    It is important that you check it with IP addresses first and then with hostnames. This way we also check for name resolution failures.

    Hope this is helpful.
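    Step 1 above (making ip_forward persistent in /etc/sysctl.conf) and Nodsu's earlier point that the /proc file must be overwritten with > rather than appended to are both illustrated by this added Python helper, which is not code from the thread. It rewrites the sysctl.conf stanza idempotently (value present, commented out, or absent) and applies the runtime setting with a truncating write; the sample config text is constructed, and writing under /proc needs root.

```python
import re

# Constructed sample of the stanza quoted in the post above (sample text,
# not a copy of any real /etc/sysctl.conf).
SAMPLE_SYSCTL_CONF = """\
# Kernel sysctl configuration file

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
"""

PROC_IP_FORWARD = "/proc/sys/net/ipv4/ip_forward"

def set_sysctl(text, key, value):
    """Return sysctl.conf text with exactly one active `key = value` line:
    a different value is rewritten in place, a commented-out line becomes the
    active one, a missing key is appended, duplicates are dropped. Idempotent."""
    line_re = re.compile(r"^\s*#?\s*" + re.escape(key) + r"\s*=\s*\S*\s*$")
    wanted = f"{key} = {value}"
    out, seen = [], False
    for line in text.splitlines():
        if line_re.match(line):
            if not seen:
                out.append(wanted)
                seen = True
            continue
        out.append(line)
    if not seen:
        out.append(wanted)
    return "\n".join(out) + "\n"

def persistent_ip_forward(text):
    """Active (uncommented) net.ipv4.ip_forward value in the text, or None."""
    m = re.search(r"^[ \t]*net\.ipv4\.ip_forward[ \t]*=[ \t]*(\d)[ \t]*$", text, re.M)
    return int(m.group(1)) if m else None

def enable_ip_forward_now(proc_path=PROC_IP_FORWARD):
    """Runtime equivalent of `echo 1 > /proc/sys/net/ipv4/ip_forward` (root).
    Mode "w" truncates first; the file must hold just "1", so appending is wrong."""
    with open(proc_path, "w") as fh:
        fh.write("1\n")

def runtime_ip_forward(proc_path=PROC_IP_FORWARD):
    """Current kernel value as an int: 0 before enabling, 1 after."""
    with open(proc_path) as fh:
        return int(fh.read().strip())
```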
     
Topic Status:
Not open for further replies.