Sharing Internet in Fedora Core 3

Status
Not open for further replies.
Hi!

I am facing problems with internet sharing from Linux to windows..

I have Linux (Fedora Core 3) installed on server. The eth0 of the server is used for LAN while eth1 is used for Internet.

On the LAN card of the server, I use Ip address as 192.168.0.1, subnet:255.255.255.0.

On the client I have two OS installed, one is WinXP and the other is Fedora Core 3. I assign the IP address as 192.168.0.2, subnet:255.255.255.0, gateway=IP address of eth0 LAN.

I can surf the internet from the server. From server, I can ping ip address of client and can ping LAN IP of server from client. But I am unable to surf the internet from the client..

What's the problem? What more settings do I need to do??

I am unable to surf the net from both the OS of the Client i.e from win XP as well as Fedora Core 3..
 
Hi!

Yes, I have already tried the solution link you've mentioned earlier but it is not working for me, that's when I posted the question...

I even had downloaded the Firestarter and installed it on my server and then after enabling the "internet sharing" in Firestarter I tried accessing the net from my client PC but it doesn't seem to work...

I should have mentioned the above earlier...
 
What exactly isn't working? What exactly did you do? What is the network setup on the server and the client?
 
Hi!

Like I've mentioned earlier, my problem is I cannot access internet from my client PC...

I did exactly as was mentioned in the solution link, that is setting up the network, and then for the "internet sharing", I chose to download the "firestarter GUI Firewall". Then I installed it on my "server" pc and did the required setting for sharing the internet...

My network setup is as follows:

"The server PC has two network cards"
eth0 => is used for LAN, the settings of which are
Ip address = 192.168.0.1
subnet=255.255.255.0
gateway=<empty>

eth1 => is used for accessing the internet. It's connected to a cable modem.
Ip address = 10.10.10.46
subnet =255.255.255.252
gateway=10.10.10.1

"The Client PC has one network card"
eth0=> is for LAN, the setting of which are
Ip address = 192.168.0.2
subnet:255.255.255.0
gateway=192.168.0.1 (i.e. Ip address of eth0 LAN.)

the LAN network cards are connected via a cable..
 
OK. Let's stick with the pretty and straightforward Firestarter.
What error messages does it give you?
What do you get out of "ifconfig -a" and what is in the /etc/firestarter/configuration file?
 
Hi!

When I run the firestarter I don't get any errors as such. But with the firewall button on, I cannot access any of the websites on the server machine, but when I click the stop firewall button in "Firestarter" I can access the websites.. what's the reason for this.

==========================================================

In the /etc/firestarter/configuration file the settings are:

#-----------( Firestarter Configuration File )-----------#

# --(External Interface)--
# Name of external network interface
IF="eth1"
# Network interface is a PPP link
EXT_PPP="off"

# --(Internal Interface--)
# Name of internal network interface
INIF="eth0"

# --(Network Address Translation)--
# Enable NAT
NAT="on"
# Enable DHCP server for NAT clients
DHCP_SERVER="off"
# Forward server's DNS settings to clients in DHCP lease
DHCP_DYNAMIC_DNS="on"

# --(Inbound Traffic)--
# Packet rejection method
# DROP: Ignore the packet
# REJECT: Send back an error packet in response
STOP_TARGET="DROP"

# --(Outbound Traffic)--
# Default Outbound Traffic Policy
# permissive: everything not denied is allowed
# restrictive everything not allowed is denied
OUTBOUND_POLICY="permissive"

# --(Type of Service)--
# Enable ToS filtering
FILTER_TOS="off"
# Apply ToS to typical client tasks such as SSH and HTTP
TOS_CLIENT="off"
# Apply ToS to typical server tasks such as SSH, HTTP, HTTPS and POP3
TOS_SERVER="off"
# Apply ToS to Remote X server connections
TOS_X="off"
# ToS parameters
# 4: Maximize Reliability
# 8: Maximize-Throughput
# 16: Minimize-Delay
TOSOPT=8

# --(ICMP Filtering)--
# Enable ICMP filtering
FILTER_ICMP="off"
# Allow Echo requests
ICMP_ECHO_REQUEST="off"
# Allow Echo replies
ICMP_ECHO_REPLY="off"
# Allow Traceroute requests
ICMP_TRACEROUTE="off"
# Allow MS Traceroute Requests
ICMP_MSTRACEROUTE="off"
# Allow Unreachable Requests
ICMP_UNREACHABLE="off"
# Allow Timestamping Requests
ICMP_TIMESTAMPING="off"
# Allow Address Masking Requests
ICMP_MASKING="off"
# Allow Redirection Requests
ICMP_REDIRECTION="off"
# Allow Source Quench Requests
ICMP_SOURCE_QUENCHES="off"

# --(Broadcast Traffic)--
# Block external broadcast traffic
BLOCK_EXTERNAL_BROADCAST="on"
# Block internal broadcast traffic
BLOCK_INTERNAL_BROADCAST="off"

# --(Traffic Validation)--
# Block non-routable traffic on the public interfaces
BLOCK_NON_ROUTABLES="off"

# --(Logging)--
# System log level
LOG_LEVEL=info

=============================================================

I get the following out of "ifconfig -a"

eth0 Link encap:Ethernet HWaddr 00:80:48:31:B4:34
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::280:48ff:fe31:b434/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:1302 (1.2 KiB)
Interrupt:5 Base address:0xc400

eth1 Link encap:Ethernet HWaddr 00:0D:88:45:AA:2E
inet addr:10.10.10.46 Bcast:10.10.10.47 Mask:255.255.255.252
inet6 addr: fe80::20d:88ff:fe45:aa2e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7331 errors:0 dropped:0 overruns:0 frame:0
TX packets:7355 errors:0 dropped:0 overruns:0 carrier:0
collisions:38 txqueuelen:1000
RX bytes:4018358 (3.8 MiB) TX bytes:1003296 (979.7 KiB)
Interrupt:11 Base address:0xc800

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1966 errors:0 dropped:0 overruns:0 frame:0
TX packets:1966 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2832848 (2.7 MiB) TX bytes:2832848 (2.7 MiB)

ppp0 Link encap:point-to-Point Protocol
inet addr:202.149.49.210 P-t-P:202.63.169.94 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:5834 errors:0 dropped:0 overruns:0 frame:0
TX packets:6892 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:3753690 (3.5 MiB) TX bytes:823730 (804.4 KiB)

sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

============================================================
 
rekha_divgikar said:
I cannot access any of the websites on the server machine

You mean there are some websites hosted on the server machine? Or do you mean that you cannot browse the web using the server?

If it is the latter then try resolving some names with nslookup. Or enable ping in firestarter and try pinging something.
 
Hi!

No there are no websites hosted on the server machine(gateway), what I meant was that I could not browse the Internet using the server with firestarter on...

If I have to do the "Internet sharing" from the server machine without using firestarter how do I go about it????

Have installed Fedora Core 3 all over again on the server machine and have given the same settings as I had mentioned earlier... I can surf the Internet from the server machine, now how do I go about sharing the internet from the server machine, so that I can access the Internet from the client machine too...

My network is working fine, I can ping to and from both the machines...
 
The simplest setup with iptables:

iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
eth0 is the external interface here.
Edit the /proc/sys/net/ipv4/ip_forward to contain "1"
 
When I tried to edit the /proc/sys/net/ipv4/ip_forward to contain "1" and save the changes to the file it gives me an error saying cannot save the file...

So, how do I proceed from here..
 
Nodsu said:
Try "echo 1 > /proc/sys/net/ipv4/ip_forward"?

Don't you mean


"echo 1 >> /proc/sys/net/ipv4/ip_forward"

??

Make a copy of config files before editing them. Use VI if possible.
 
Hmm..
I just set this up on my FC3 machine to test and it worked flawlessly.

What is the network setup on the client machine? TCP/IP and DNS.

Do you have iptables active on the server (try "/etc/init.d/iptables restart")? Do you have any other firewall rules on the server? (What do you get out of "iptables -L" and "iptables -L -t nat")?
You could run tcpdump on the server LAN interface and see what traffic goes through when the client tries to connect..

PS
The >> syntax is no good. ip_forward has to contain exactly one byte valued ASCII "1" so we have to use > (write to file) instead of >> (append to file).
 
Hi!

The network setup on the client machine is as follows..

IP: 192.168.0.254
subnet:255.255.255.0
gateway:192.168.0.1 (IP address of the server machine)
DNS:192.168.0.1

Yes I have iptables active on my server machine.. No I have no other firewall rules on the server..

[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

-----------------------------------------------------------------

[root@localhost ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

----------------------------------------------------------------------

I ran the "tcpdump" on the server, the traffic is as follows when the client tries to connect to the server..

[root@localhost ~]# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:08:26.758918 IP 192.168.0.254.32855 > 202-63-164-17.broadband.isp.exatt.net.domain: 62515+ AAAA? www.gizmodo.com. (33)
17:08:29.815979 IP 192.168.0.254.32853 > 202-63-164-17.broadband.isp.exatt.net.domain: 64199+ AAAA? www.tomshardware.com. (38)
17:08:31.758518 IP 192.168.0.254.32856 > 202-63-164-18.broadband.isp.exatt.net.domain: 62515+ AAAA? www.gizmodo.com. (33)
17:08:34.815717 IP 192.168.0.254.32854 > 202-63-164-18.broadband.isp.exatt.net.domain: 64199+ AAAA? www.tomshardware.com. (38)
17:08:36.758225 IP 192.168.0.254.32855 > 202-63-164-17.broadband.isp.exatt.net.domain: 62515+ AAAA? www.gizmodo.com. (33)
17:08:39.815536 IP 192.168.0.254.32857 > 202-63-164-17.broadband.isp.exatt.net.domain: 27249+ A? www.tomshardware.com. (38)
17:08:41.779705 IP 192.168.0.254.32856 > 202-63-164-18.broadband.isp.exatt.net.domain: 62515+ AAAA? www.gizmodo.com. (33)
17:08:44.815220 IP 192.168.0.254.32858 > 202-63-164-18.broadband.isp.exatt.net.domain: 27249+ A? www.tomshardware.com. (38)
17:08:46.778776 IP 192.168.0.254.32859 > 202-63-164-17.broadband.isp.exatt.net.domain: 60049+ A? www.gizmodo.com. (33)
17:08:49.814930 IP 192.168.0.254.32857 > 202-63-164-17.broadband.isp.exatt.net.domain: 27249+ A? www.tomshardware.com. (38)
17:08:51.778457 IP 192.168.0.254.32860 > 202-63-164-18.broadband.isp.exatt.net.domain: 60049+ A? www.gizmodo.com. (33)
17:08:54.814669 IP 192.168.0.254.32858 > 202-63-164-18.broadband.isp.exatt.net.domain: 27249+ A? www.tomshardware.com. (38)
17:08:56.778171 IP 192.168.0.254.32859 > 202-63-164-17.broadband.isp.exatt.net.domain: 60049+ A? www.gizmodo.com. (33)
17:08:59.814509 IP 192.168.0.254.32861 > 202-63-164-17.broadband.isp.exatt.net.domain: 58496+ A? www.tomshardware.com. (38)
17:09:01.777908 IP 192.168.0.254.32860 > 202-63-164-18.broadband.isp.exatt.net.domain: 60049+ A? www.gizmodo.com. (33)
17:09:04.814215 IP 192.168.0.254.32862 > 202-63-164-18.broadband.isp.exatt.net.domain: 58496+ A? www.tomshardware.com. (38)
17:09:06.777789 IP 192.168.0.254.32863 > 202-63-164-17.broadband.isp.exatt.net.domain: 15901+ A? www.gizmodo.com. (33)

17 packets captured
17 packets received by filter
0 packets dropped by kernel

---------------------------------------------------------------------------------
 
You have set the DNS server for the client to be your FC3 machine, but you haven't set up DNS on it so you won't be able to resolve any names on the client.
It would be the easiest to tell the client machine the address of the DNS of your ISP or whatever the server is using.
 
What DNS server is the server machine using? Look in the /etc/resolv.conf file. You are really better off not overcomplicating things.

I suppose all you need to do is install the nameserver package (if not installed already) and start the daemon (/etc/init.d/named start)
 
Hi!

The nameserver package is already installed and have also started the daemon (/etc/init.d/named start)..

The /etc/resolv.conf file shows the following:

serach localhost
nameserver 202.63.164.17
nameserver 202.63.164.18
 
In that case either the masquerading is set up wrong or you have a firewall somewhere that blocks the traffic.

Just set up a mock ICS with two Linux machines:

MACHINE1 (the server):
[root@mihkel ~]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:10:DC:7B:92:5E
inet addr:192.168.135.19 Bcast:192.168.135.255 Mask:255.255.255.0
inet6 addr: fe80::210:dcff:fe7b:925e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1432 Metric:1
RX packets:84041 errors:0 dropped:0 overruns:0 frame:0
TX packets:60583 errors:0 dropped:0 overruns:0 carrier:0
collisions:6799 txqueuelen:1000
RX bytes:63820444 (60.8 MiB) TX bytes:8026743 (7.6 MiB)

[root@mihkel ~]# ifconfig eth1
eth1 Link encap:Ethernet HWaddr 00:00:86:1C:45:71
inet addr:10.0.0.1 Bcast:10.255.255.255 Mask:255.0.0.0
inet6 addr: fe80::200:86ff:fe1c:4571/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:586 errors:0 dropped:0 overruns:0 frame:0
TX packets:609 errors:0 dropped:0 overruns:0 carrier:0
collisions:53 txqueuelen:1000
RX bytes:44566 (43.5 KiB) TX bytes:566468 (553.1 KiB)
Interrupt:3 Base address:0x300

[root@mihkel ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@mihkel ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@mihkel ~]# tail /etc/resolv.conf
search sidetk.pvasise .pvasise
nameserver 192.168.111.1
nameserver 192.168.111.3
nameserver 192.168.111.223
[root@mihkel ~]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.135.0 * 255.255.255.0 U 0 0 0 eth0
10.0.0.0 * 255.0.0.0 U 0 0 0 eth1
default privador.sidetk 0.0.0.0 UG 0 0 0 eth0
MACHINE2 (the client):
Ren:~ # ifconfig eth1
eth1 Link encap:Ethernet HWaddr 00:0D:60:7B:1D:00
inet addr:10.0.0.2 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::20d:60ff:fe7b:1d00/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:656 errors:0 dropped:0 overruns:0 frame:0
TX packets:622 errors:0 dropped:0 overruns:0 carrier:0
collisions:103 txqueuelen:1000
RX bytes:575031 (561.5 Kb) TX bytes:51942 (50.7 Kb)
Base address:0x8000 Memory:c0220000-c0240000

Ren:~ # tail /etc/resolv.conf
nameserver 192.168.111.1
search valper
Ren:~ # route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.0 * 255.255.255.0 U 0 0 0 eth1
loopback * 255.0.0.0 U 0 0 0 lo
default 10.0.0.1 0.0.0.0 UG 0 0 0 eth1

The steps roughly to set it up..
Server side:
iptables -F
iptables -t nat -F
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
/etc/init.d/iptables restart
ifconfig eth1 10.0.0.1
ifconfig eth1 up
Client:
ifconfig eth1 10.0.0.2
ifconfig eth1 up
route add default gw 10.0.0.1
vi /etc/resolv.conf
 
Hi,

Let's do this in a few very easy steps. First this will run on any sysV based distribution (ie Fedora, Mandrake etc)

First, make sure that you have uninstalled or at least disabled the firestarter or whatever other external trick you have enabled

Let the stepping begin ...

Step 1:

We configure the ip_forwarding which will let the packets "flow" from one interface to another.
In order to do this, in your favorite text editor, open the file /etc/sysctl.conf
Initially, the line looks like this


# Controls IP packet forwarding
net.ipv4.ip_forward = 0

You have to change it to

net.ipv4.ip_forward = 1

save and exit.

Now, why did we do it like this instead of just echoing in /proc/sys/net ... ? Because changing the file in /proc only ensures it runs until the next restart. It will not work after that, because at startup, the network service, via sysctl, parses the file /etc/sysctl.conf, where it will read "do not enable ip_forward".

Step 2:

# service network restart
(# as in ... you have to be root)

Step 3: we add the firewall and nat rules in iptables

You are running on a kernel newer than 2.4 so we can safely do this:

# iptables -t nat -I POSTROUTING -s 192.168.0.1/24 -j SNAT --to-source 10.10.10.10

I didn't remember your outgoing address so I said ... 10.10.10.10 . You replace it with yours!

Step 4:
We ensure that the next time the system starts the rule will be loaded

# service iptables save

Step 5:

Double check the config of interfaces :

eth0 (the lan interface), must have no gateway set

the interfaces in the network must have as gateway, the ip of your eth0

Step 6:

The final check

from your linux based client machine (from the net 192.168.0.)
# traceroute [an external ip address]

from your windows based client machine
> tracert [an external ip address]

It is important that you check it with ip addresses
first and then with hostnames. This way we also check for name resolution failures.

Hope this is helpful.
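
The checks that both setup walkthroughs above rely on (ip_forward set to 1, a POSTROUTING NAT rule present, and that rule bound to the interface that carries the default route), as an added example that is not part of the original thread. The function names are hypothetical, and the routing table (default route via ppp0) and nat tables are constructed sample input, not output from the poster's machines.

```shell
#!/bin/sh
# Added example: offline NAT-gateway checks over saved command output.

# Interface carrying the default route, read from `route -n` output on stdin.
default_iface() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $NF; exit }'
}

# Out-interface of each POSTROUTING SNAT/MASQUERADE rule, read from
# `iptables-save -t nat` output on stdin ("any" when the rule has no -o).
nat_out_ifaces() {
    awk '$1 == "-A" && $2 == "POSTROUTING" && /-j (MASQUERADE|SNAT)/ {
        out = "any"
        for (i = 3; i < NF; i++) if ($i == "-o") out = $(i + 1)
        print out
    }'
}

# diagnose <ip_forward value> <route -n text> <iptables-save -t nat text>
# Prints one verdict and always returns 0, so it is safe under `set -e`.
# Live use: diagnose "$(cat /proc/sys/net/ipv4/ip_forward)" \
#                    "$(route -n)" "$(iptables-save -t nat)"
diagnose() {
    [ "$1" = "1" ] || { echo "forwarding-off"; return 0; }
    wan=$(printf '%s\n' "$2" | default_iface)
    [ -n "$wan" ] || { echo "no-default-route"; return 0; }
    outs=$(printf '%s\n' "$3" | nat_out_ifaces)
    [ -n "$outs" ] || { echo "no-nat-rule"; return 0; }
    for o in $outs; do
        # A rule without -o matches every interface, including the right one.
        if [ "$o" = "$wan" ] || [ "$o" = "any" ]; then
            echo "ok:$wan"; return 0
        fi
    done
    echo "nat-on-wrong-interface:want=$wan"
    return 0
}

# Constructed sample input (assumption: the default route leaves via ppp0).
ROUTE_SAMPLE='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0'
NAT_EMPTY='*nat
:POSTROUTING ACCEPT [0:0]
COMMIT'
NAT_LAN='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'
NAT_WAN='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT'

diagnose 1 "$ROUTE_SAMPLE" "$NAT_LAN"
```

An empty POSTROUTING chain reports `no-nat-rule`, and a masquerade rule on the LAN-side interface reports `nat-on-wrong-interface`, which a plain `iptables -t nat -L` listing does not reveal because it omits the interface column.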
 