Red Hat Linux Fedora For Dummies [Electronic resources] - Text version

Jon Hall
Chapter 16 how to share some useful network-based services. You find out how to share files and printers, dole out IP addresses to your LAN devices, configure a Domain Name Server (DNS), and — ta-da! — build a Web server.)

One essential network function is to be connected to the Internet. Chapters 5 and 6 show you how to connect a single, stand-alone Linux computer to the Internet. We expand that process a step further and show you how to turn the Internet connection into one that can be used by the entire private network. Any computer connected to your LAN subsequently has Internet access. Sharing is good, and your mom should be pleased.

The remainder of this chapter deals with building an Internet gateway. We assume that you have a working Internet connection, as we describe in Chapters 5 and 6. This connection is the conduit from your LAN to the Internet. You only have to configure a Linux computer to redirect Internet-bound traffic from your LAN to the Internet (routing) and modify the firewall we describe in Chapter 8 to work with the gateway.


Understanding IP forwarding and network address translation (NAT)


An Internet gateway requires a Linux computer that has two network connections. You need one Ethernet or wireless NIC to connect to your LAN. The other network connection is used to make the Internet connection; this connection may be a traditional telephone-based modem, a DSL modem, or a cable modem. In this book, you use a second Ethernet NIC to make that connection.

Suppose that you open Mozilla on the sample Red Hat Linux computer Cancun (with the IP address 192.168.1.1) and enter the URL www.redhat.com. Network packets bounce around your LAN and then fly out to the Internet (and back again), and Mozilla ends up displaying the Red Hat Web page.

Quite a lot has to happen behind the scenes to make that possible. Here’s a simplified version of how it all works:



1. Mozilla asks Linux to look up the address — via the Domain Name Service (DNS) — which translates www.redhat.com to the numeric IP address 66.187.232.56.

2. Linux compares the IP address to its internal routing table. The operating system directs network traffic to the default route if the address doesn’t match its local networks. (In other words, if the IP address belongs to a machine on the private network, Linux directs its communication to the Ethernet device connected to the LAN. However, if the IP address is external to the LAN, Linux forwards the packets to the appropriate router.)

   In this case, 66.187.232.56 doesn’t exist on the LAN, so all traffic for the browsing session is directed to the default route.

3. On your private network, the default route of each host is directed toward the sample Internet gateway, the Red Hat Linux computer Veracruz. All the network packets that Cancun produces that are destined for the Internet, for example, are sent to Veracruz.

4. The Internet gateway Veracruz receives the outbound packets from Cancun on its internal connection and forwards them to its external connection. Packets going through its external connection are directed to the Internet.

5. Veracruz (192.168.1.254) also converts the source address of packets from Cancun (192.168.1.1) to the source address of its external connection. For example, if Veracruz has a DSL Internet connection with the address 192.168.32.254, the source address of Cancun packets is changed to 192.168.32.254. (This supposedly external Internet address has been changed to protect the innocent.)

6. The packets go to their intended destination. The www.redhat.com server responds to the query and sends back the requested information.

7. Veracruz receives the return packets, converts their destination address back to that of Cancun, and forwards them to the private network.

8. Cancun receives the packets, and the browser displays the information.




Forwarding network traffic through your gateway


This section describes how to configure a Linux computer to work as an Internet gateway. The process requires you to configure the Linux kernel to forward packets from one network interface to another — between the LAN port and the Internet port. Because Red Hat Linux turns off forwarding by default, the steps in this section describe how to turn on forwarding (you also need a Linux computer with two network connections in order to construct a gateway):



One network connection should be either an Ethernet or wireless NIC that connects the gateway to the LAN. We refer to it as the internal network connection.



The other connection is either the telephone-based modem or an Ethernet NIC connected to a DSL or cable modem. We refer to it as the external network connection.



Figure 15-2 shows Veracruz modified to work as an Internet gateway.


Figure 15-2: Veracruz with an Internet connection.

Turn off your external network connection for now. You turn on IP forwarding to enable the transmitting of network traffic between the Internet and your private network, which can be a security hazard. Disconnecting your Internet connection removes the insecurity: Unplug your modem’s (DSL, cable, or telephone) external (Internet) cable.

These steps describe how to configure a Linux computer as the Internet gateway for a LAN:



1. Add the appropriate internal and external network connections to your intended Internet gateway.

   For example, the internal network connection is eth0, and the external network connection is eth1.

2. Log in to your Internet gateway (in the example, Veracruz) as root.

3. Click the GNOME Menu button, choose Accessories → Text Editor, and click the Open button.

   The Open File window opens.

4. Enter /etc/sysctl.conf in the Selection text box and click the OK button.

   The gedit program displays the contents of sysctl.conf, as shown in Figure 15-3.

5. Locate this line (which should be close to the top of the file):

   net.ipv4.ip_forward = 0

6. Change the 0 to a 1:

   net.ipv4.ip_forward = 1

7. Click the Save button and then choose File → Quit to close gedit.

   You can view the change by clicking the Nautilus Refresh button. You have to restart Linux networking for the change to take effect.

8. Open the Service Configuration utility by clicking the GNOME Menu button and choosing System Settings → Server Settings → Services.

9. Enter the root password, if you’re prompted.

10. Locate and click the Network service.

11. Click the Restart button to turn on IP forwarding.


Figure 15-3: The gedit editor opens the sysctl.conf file.




Connecting your Internet gateway


After you configure your Internet gateway to forward network traffic from your private network to your Internet connection (see the preceding section), you need to make that connection. In this section, we describe how to use the Internet connections introduced in Chapters 5 and 6. You build on those instructions to connect your entire network to the Internet through these connections.

From a functional viewpoint, the type of Internet connection you use — telephone, DSL, or cable — doesn’t matter because all these Internet connections send and receive the same network traffic. (Practically speaking, of course, the higher throughput and lower latency of broadband make it more desirable than old telephone modems.) For this reason, you can treat as interchangeable the Internet connections you may have read about in Chapters 5 and 6.

The forwarding we describe in the preceding section takes care of routing the packets to and from the Internet via your Internet gateway. Follow these steps to configure the Internet gateway:



1. Install the Ethernet or Wi-Fi NIC on your Red Hat Linux Internet gateway to connect it to your private network.

2. Install the Ethernet NIC on your Red Hat Linux Internet gateway to connect it to your DSL or cable gateway.

3. Connect the gateway to its Internet connection device.

   You either connect the second Ethernet NIC to the DSL or cable modem or connect your computer’s serial cable to the telephone modem (or simply use the internal telephone modem).

4. Configure your Internet gateway to allow packet forwarding.

   (Refer to the preceding section.)

5. Assign an IP address to each NIC. For example, assign the address 192.168.1.254 to your internal connection (eth0) and 192.168.32.254 to the external connection (eth1).

   Note that when you’re using a telephone or cable modem, this action is done automatically for you — modems connect directly to your gateway and not through an Ethernet NIC; some DSL modems can also plug directly into your computer and don’t require an Ethernet connection. For this book, we assume that you’re connecting via an Ethernet NIC.

   Tip: Telephone modems use the Point-to-Point Protocol (PPP), whereas cable and some DSL modems use DHCP, which assigns an IP address to their respective interfaces.

6. Assign a default route that points to the Internet connection device.

   The PPP and DHCP protocols do this step automatically.



Follow these steps to configure computers or network devices on your private network to connect to the Internet through the gateway:



1. Configure your computer with its network parameters.

   In other words, assign an IP address and netmask (and optionally, but highly recommended, a host and network name) to each computer when using an Ethernet-based LAN. On a wireless network, you have to assign the IP address, netmask, common network name, and encryption key.

   For example, Chapter 7 describes how to set up the sample computer Cancun. You assign it the host name cancun; the network name paunchy.net; the IP address 192.168.1.1; and the netmask 255.255.255.0.

   If you use a Wi-Fi NIC on Cancun, you can assign the network name (ESSID) myfi and the encryption key iamnotanumber.

2. Configure the default route on each device to point to the Internet gateway.

3. Rinse and repeat. (Repeat these steps for each computer on your private network.)



After you have configured your Internet gateway and each additional computer on your private network, you should test whether they can communicate with the Internet. Consult Chapter 18 for pointers on troubleshooting network problems if you encounter difficulties. After you’re satisfied that you have your LAN happily connected to the Internet, turn that puppy off. You still need to set up your firewall (as we describe in the following section) because you don’t want to stay connected without one.


Protecting your LAN with a firewall


After you have configured your gateway for IP forwarding, you need to protect your network from the bad guys of the Internet. This section describes how to turn your gateway into a firewall. You use the same process and many of the same rules we describe in Chapter 8; however, this firewall is designed to protect your entire network, whereas the one in Chapter 8 is oriented toward protecting a single machine.

The firewall you’re building helps to protect both your computer and network. The firewall also provides the network address translation (NAT) function, which allows the computers on your private network to access the Internet. NAT, you may recall, converts the nonroutable source IP addresses (192.168.1.1, for example) into the routable source IP address of your Internet connection.

Tip: Network address translation is also referred to as IP masquerading, or simply masquerading.

The basic configuration of the firewall we describe in Chapter 8 works in the new configuration. The firewall performs these functions:



Block all incoming, outgoing, and forwarded packets: Start by blocking all network traffic by default. This firewall completely protects your private network but also makes it useless! Start with this policy to ensure that the firewall blocks all except the connections you explicitly allow.



Allow all loopback traffic: You must allow all network traffic on the Internet gateway’s internal loopback (lo) interface. The loopback interface is used by the Linux operating system for its own, internal communication. Many internal processes communicate over this virtual network.



Allow all internal NIC traffic: Allowing computers on the private network to communicate with the gateway provides convenience. For example, you may want to administer the gateway via SSH. Take a lenient approach and allow any internal machine to communicate with the gateway; this strategy makes constructing the firewall easier. You may decide to limit internal access if your security needs demand it.



Allow all outgoing traffic from the firewall: Allow all outgoing connections from within the firewall. The firewall needs to perform its own internal processes, such as making DNS queries.



Allow forwarding: A gateway needs to pass traffic from one interface to another. You change the forwarding policy to permit communication from the private network to pass through the firewall to the Internet. The downside is that traffic from the Internet can pass through the firewall to the private network — not a good idea. You fix that problem by adding NAT. It effectively prevents external access through the firewall.

You may want to set up specific forwarding rules to provide more protection to your private network. We believe that using NAT to effectively block externally originated connections is adequate for your needs.



Use NAT for outgoing connections: Create a NAT rule to make all connections originating on the private network appear to be coming from the Internet gateway. All private network machines have their source addresses and port numbers changed to that of the gateway.

The network address translation isn’t necessary if your Internet connection device (telephone, DSL, or cable modem) performs NAT. However, by providing a NAT filtering rule, you ensure that your Internet gateway works with any connection device — whether or not it performs NAT. NAT also prevents external access to your private network.



Allow incoming SSH connections: Secure Shell (SSH) is a protocol for encrypting network connections. SSH provides a reasonably secure system for connecting to your private network from the Internet. We configure the firewall to allow SSH connections into our firewall.



The firewall on the Internet gateway is similar to the firewall we describe in Chapter 8, except that you add IP forwarding and NAT. IP forwarding allows packets from the private network to pass through the firewall and on to the Internet. In this case, NAT makes all Internet-bound traffic appear to be coming from the firewall or gateway and prevents incoming packets from being forwarded into your private network.
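As an added example (not the book's own firewall script), here is a POSIX shell script that emits the iptables commands implementing the functions listed above, together with the masquerading step from the earlier Cancun/Veracruz walkthrough. It assumes the chapter's sample interface names (eth0 internal, eth1 external) and, instead of opening the FORWARD policy and relying on NAT alone, it adds the "specific forwarding rules" the text mentions as optional: only connections that start on the LAN, plus their replies, are forwarded.

```shell
#!/bin/sh
# Added example: iptables rule set for a Veracruz-style Internet gateway.
# Interface names are the chapter's sample values, not fixed requirements.
# gateway_rules INTERNAL_IF EXTERNAL_IF -> prints one command per line,
# so the rule set can be reviewed before it is applied.
gateway_rules() {
    lan="$1"   # NIC on the private network (chapter example: eth0)
    wan="$2"   # NIC on the DSL/cable modem (chapter example: eth1)
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i $lan -j ACCEPT
iptables -A OUTPUT -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
iptables -A INPUT -i $wan -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $wan -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}
# Line by line: turn on forwarding (the sysctl.conf edit makes it permanent);
# flush old rules; default-deny all three chains; allow loopback; allow the
# LAN to reach the gateway; allow the gateway's own outgoing traffic (DNS
# and so on); forward LAN-originated connections and only the replies to
# them; masquerade LAN traffic behind the external address; accept SSH from
# the Internet; accept replies to the gateway's own connections.

# apply_gateway_rules INTERNAL_IF EXTERNAL_IF: run the commands (needs root).
apply_gateway_rules() {
    gateway_rules "$1" "$2" | sh -e
}

# Dry run when invoked as: sh gateway.sh eth0 eth1
if [ $# -eq 2 ]; then gateway_rules "$1" "$2"; fi
```

Run `gateway_rules eth0 eth1` first and read the output; apply it with `apply_gateway_rules eth0 eth1` only while the external cable is still unplugged, as the chapter advises.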
