Category: LINUX
2007-03-30 15:37:08
Ubuntu-ICS and NAT

Ubuntu-ICS (now merged into the Ubuntu-firewall project) is a network address translation (NAT) router script written specifically for Ubuntu Linux systems. This how-to explains each step in configuring your network settings to turn a Linux box into a router, and points you to Ubuntu-firewall for the NAT part. The Ubuntu-ICS script is now obsolete, because Ubuntu-firewall lets you select 'NAT router only' functionality and has more features than Ubuntu-ICS (such as port forwarding to more than one internal host). Ubuntu-firewall can be downloaded here:
This how-to was written specifically for the Ubuntu Linux distribution. However, nearly all of the information here applies to almost any Linux distribution; the only exceptions might be the scripts I recommend for configuring the NAT functions. If you aren't using Ubuntu, I list an alternative that should work for most other distributions, so read on! If you have an Ubuntu Linux box with two network interface cards (NICs), you have the makings of a very capable NAT-routing solution. Using Linux to provide Internet access to the other PCs on your local area network gives you far more flexibility and control than the common "off the shelf" plug-n-pray devices. Firewalling, throttling, prioritizing, transparently redirecting, port forwarding, and caching or filtering your network traffic are only a few examples of what can be done, and logging almost any kind of network traffic is much easier with a Linux box as your Internet gateway. This how-to covers only Internet connection sharing, the basic framework on which any of those features can be built. Even with a beginner-to-intermediate level of Linux experience, you should be able to build a working NAT-routing gateway by following it.
There are only a few requirements for building a basic NAT-routing gateway:

1. A working Internet connection (duh!).

2. An internal NIC configured with a static IP address on your local area network segment. This should be in private IP address space (commonly something like 192.168.1.1 with a subnet mask of 255.255.255.0).

3. A local area network (or another PC) configured in the same private address space (commonly 192.168.1.2 through 192.168.1.254 with a subnet mask of 255.255.255.0). Note that if you connect another PC directly to your Linux box without going through a hub or switch, you MUST use a cross-over cable for them to communicate (unless both NICs support auto-MDI/MDIX, in which case a straight cable also works). Cross-over cables can be purchased, or made by cutting a straight cable and splicing the TX pairs to the RX pairs (four splices in total).

4. A configuration utility or script that enables packet forwarding and Network Address Translation in the Linux kernel. I list a few options to choose from below.

There are several ways to configure the networking of your internal hosts. If you have only one or two, you may opt to assign static IP addresses and the other networking parameters (subnet mask, DNS, gateway, etc.) by hand. If you have tens of hosts or more, you'll appreciate a DHCP server that assigns those parameters automatically. Yes, your Linux box can provide this function too: install a DHCP server and configure it to serve your internal network. I won't cover the specifics of installing a DHCP server here; maybe in another how-to :-) For the DNS addresses on the internal hosts, use the same ones listed in your Linux box's /etc/resolv.conf file.
You can see what they are by opening a terminal on your Linux box and running:

cat /etc/resolv.conf | grep nameserver | cut -d ' ' -f2

Just use the first two listed. For the default gateway on the internal hosts, use the IP address you assigned to the Linux box's internal network interface (192.168.1.1 in our example). This is important, so don't overlook it: since your internal hosts reach the 'Net via your Linux box, its internal interface becomes their default gateway. While on the subject of default gateways, note that only the Linux box's external interface should have a gateway configured. More than one default gateway on a host makes correct routing to the 'Net hard to guarantee, so the internal interface should NOT have a gateway configured. Once you have your local area network configured, take the time to verify internal and external connectivity. This usually starts with temporarily disabling any firewalls on the internal hosts AND on the Linux box (re-enable them as soon as the test is done; the box's external interface is exposed while they are off). The Linux box probably has no firewalling active unless you specifically configured it; by default there are no firewall rules. With the firewalls off, verify that the internal hosts can "talk" to each other AND to the Linux box (use ping). Then double-check that the Linux box still has connectivity to the 'Net. This matters because troubleshooting is much easier when you start from a "known good" configuration on BOTH of the Linux box's NICs. If everything checks out, you're ready to select your preferred utility or script to configure packet forwarding and NAT. Please don't continue until you have a working network configuration! Once you do, you're 95% there!
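As an added example (not from the original how-to and not part of Ubuntu-firewall), here is a small POSIX shell pre-flight script that performs the checks this section describes before any NAT rules are loaded: it pulls the first two nameservers from /etc/resolv.conf, confirms that there is exactly one default route and that it leaves via the external NIC, and confirms that the internal NIC carries the expected static address. The interface names eth0/eth1 and the address 192.168.1.1 are assumptions matching the example above; the parsing functions take their input as a file argument or on stdin so they can be exercised against constructed data without touching the live system.

```shell
#!/bin/sh
# Pre-flight checks for a two-NIC Linux NAT gateway.  Added example, not
# part of the original how-to or of Ubuntu-firewall.  EXT_IF, INT_IF and
# INT_IP are assumptions; override them in the environment for your box.
EXT_IF="${EXT_IF:-eth0}"          # NIC facing the Internet
INT_IF="${INT_IF:-eth1}"          # NIC facing the LAN
INT_IP="${INT_IP:-192.168.1.1}"   # static address expected on INT_IF

# Print the first two nameservers from a resolv.conf-style file.
# awk splits on any whitespace, so tab-separated lines and comment lines
# are handled (the 'cut -d " "' pipeline above breaks on tabs).
first_two_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "${1:-/etc/resolv.conf}" | head -n 2
}

# Read 'ip -4 route show default' output on stdin.  Succeed only if there
# is exactly one default route and it leaves via the interface named in $1.
# A second default route (typically one on the internal NIC) is exactly the
# misconfiguration warned about above.
single_default_route_via() {
    awk -v want="$1" '
        $1 == "default" {
            n++
            for (i = 1; i <= NF; i++) if ($i == "dev") dev = $(i + 1)
        }
        END { exit !(n == 1 && dev == want) }'
}

# Read 'ip -4 -o addr show dev <if>' output on stdin.  Succeed if the
# address in $1 is configured on that interface (prefix length ignored).
has_address() {
    awk -v want="$1" '
        $3 == "inet" { split($4, a, "/"); if (a[1] == want) found = 1 }
        END { exit !found }'
}

# Run the checks against the live system and report.  Invoked only when the
# script is started with the argument "run"; run it as root on the gateway.
preflight() {
    rc=0
    echo "nameservers to hand out to LAN hosts:"
    first_two_nameservers
    if ip -4 route show default | single_default_route_via "$EXT_IF"; then
        echo "ok: exactly one default route, via $EXT_IF"
    else
        echo "FAIL: expected exactly one default route via $EXT_IF" >&2; rc=1
    fi
    if ip -4 -o addr show dev "$INT_IF" | has_address "$INT_IP"; then
        echo "ok: $INT_IF carries $INT_IP"
    else
        echo "FAIL: $INT_IF does not carry $INT_IP" >&2; rc=1
    fi
    # Forwarding should still be off at this point; the NAT script turns it on.
    echo "ip_forward currently: $(cat /proc/sys/net/ipv4/ip_forward)"
    return $rc
}

if [ "${1:-}" = "run" ]; then preflight; fi
```

Run it as `sh preflight.sh run` on the gateway once the cabling and addresses are in place; a FAIL line for the default route almost always means a gateway was entered on the internal interface as well.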
All that's left is to install a packet forwarding and Network Address Translation configuration utility. I recommend Ubuntu-firewall for this. It can be configured to provide robust NAT-routing for your Linux router. It was written specifically for Ubuntu systems but may also work with other distributions. When configured for 'NAT only' functionality it does no packet filtering or firewalling beyond making sure the NAT traffic it handles is legitimate (that is, it originates on your local network and is headed out to the Internet). Simply download it, open a console, and change to the directory you downloaded it to. Unpack it with the command "tar -zxvf ubuntu-firewall.tgz". It unpacks into a directory called "ubuntu-firewall" containing a README file; follow the simple steps there to install Ubuntu-firewall on your Linux box. For 'NAT only' functionality, set the "NAT_ONLY" option to "yes" in the configuration file.
If you need firewalling in conjunction with NAT-routing, Ubuntu-firewall can be configured to provide that as well. Again, it is geared toward Ubuntu and Debian but may work with other distributions. It was designed for Ubuntu servers, so there is no graphical user interface; configuration is done through a small config file. Ubuntu-firewall is more of an "install it and forget it" NAT/firewall solution. For more information, see . For those using other distributions, there's a firewall configuration utility called Firestarter with a nice graphical user interface. I've never used Firestarter to configure NAT-routing, but it does have the capability; for more information, go to the Firestarter website. Whichever method you choose, you'll be ready to enjoy your new Linux NAT-routing gateway! Have fun!
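For readers on a distribution where neither Ubuntu-firewall nor Firestarter fits, here is the 'NAT only' configuration done directly with iptables, as an added example that is not Ubuntu-firewall's code and not from the original how-to. It does what the NAT-only mode described above does: enables forwarding, masquerades LAN traffic out of the external NIC, lets only replies back in, and drops forwarded packets whose source address does not match the interface they arrived on, so the box only translates traffic that really comes from your LAN. The interface names and the 192.168.1.0/24 prefix are assumptions. Rule generation is separated from execution so the ruleset can be reviewed (or tested) without root; the script prints the commands by default and executes them only when APPLY=1.

```shell
#!/bin/sh
# Minimal 'NAT only' ruleset for a two-NIC Linux gateway, done directly with
# iptables.  Added example, not the Ubuntu-firewall script.  EXT_IF, INT_IF
# and LAN are assumptions; override them in the environment for your box.
EXT_IF="${EXT_IF:-eth0}"          # Internet-facing NIC
INT_IF="${INT_IF:-eth1}"          # LAN-facing NIC
LAN="${LAN:-192.168.1.0/24}"      # private address space behind the box

# Emit the commands that make up the NAT-only ruleset, one per line.
# Order matters: the anti-spoofing DROPs come before the ACCEPTs, and the
# FORWARD policy is DROP so anything not explicitly allowed is discarded.
# INPUT/OUTPUT are left alone, matching the "no other firewalling" promise
# of NAT-only mode.
nat_rules() {
    ext="$1"; int="$2"; lan="$3"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -F
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -i $ext -s $lan -j DROP
iptables -A FORWARD -i $int ! -s $lan -j DROP
iptables -A FORWARD -i $int -o $ext -s $lan -j ACCEPT
iptables -A FORWARD -i $ext -o $int -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $ext -s $lan -j MASQUERADE
EOF
}

# Emit the two commands that expose TCP port $1 on the external NIC to
# host $2 port $3 on the LAN (the port-forwarding feature mentioned above).
# The FORWARD rule is appended, so it lands after the anti-spoofing DROPs.
port_forward() {
    ext_port="$1"; host="$2"; port="$3"
    cat <<EOF
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport $ext_port -j DNAT --to-destination $host:$port
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $host --dport $port -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# The complete ruleset for this box.  Uncomment the port_forward line to
# publish an internal web server on external TCP 8080 (hypothetical host).
all_rules() {
    nat_rules "$EXT_IF" "$INT_IF" "$LAN"
    # port_forward 8080 192.168.1.10 80
}

# Print the ruleset; with APPLY=1 (as root) execute each command instead,
# stopping at the first failure so a half-loaded ruleset is obvious.
run_ruleset() {
    all_rules | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = "1" ]; then
            echo "+ $cmd"
            $cmd || { echo "failed: $cmd" >&2; exit 1; }
        else
            echo "$cmd"
        fi
    done
}

run_ruleset
```

MASQUERADE is the right target when the external address is assigned dynamically (DHCP or PPPoE); with a fixed external address, SNAT --to-source is slightly cheaper. Neither the sysctl nor the iptables rules survive a reboot on their own: set net.ipv4.ip_forward=1 in /etc/sysctl.conf and use your distribution's mechanism (iptables-save/iptables-restore, or an init script) to reload the rules at boot.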
Last Updated ( Monday, 05 March 2007 )