All files are for educational and/or historic purposes only.
Dial-Up Modem Connection Sharing
by Boris Kurktchiev aka MANOWAR^ <[email protected]>
for BlackSun Research Facility http://blacksun.box.sk
July 31, 2001

A mini HOWTO on a simple way to securely share your dial-up modem connection between Slackware and Windows 9x and Win2k using IPtables and IP Masquerading.

1. Introduction

This is a mini HOWTO that describes an easy and secure way of setting up your Home Connection Sharing using Slackware Linux 7.0, 7.1, and 8.0.

What you need in order for this to work:

- A Network Card
- An Ethernet Hub or a Cross Over Cable
- The 2.4.* kernel version
- And most important, Slackware Linux installed.

If you do not have anything from the above list, then you might have to work out your own way of doing this.

1.1 Copyright

Copyright (c) 2001, Boris Kurktchiev

You can distribute this document under the terms of the GNU General Public License, which you can get at http://www.gnu.org/copyleft/gpl.html.

Information and other contents in this document are to the best of my knowledge. However, I may have made errors, so you should determine whether you want to follow the instructions given in this document. Nobody is responsible for any damage to your computer and any other loss derived from the use of the information contained herein.

THE AUTHOR AND MAINTAINERS ARE NOT RESPONSIBLE FOR ANY DAMAGE INCURRED DUE TO ACTIONS TAKEN BASED ON INFORMATION CONTAINED IN THIS DOCUMENT.

Of course, I am open to all types of suggestions and corrections on the content of this document.

2. Configuring Networking

I am assuming that you have not tried hooking up the two or more PCs, so I am going to start from scratch. So you have your network card plugged in and your modem up and running, but now your mom needs to get on the Internet and she is definitely not a Linux lover. Well, let's start setting up the network so we can keep your mom happy.

2.1 Configuring Slackware

1. Log in as root.
2. In your console run netconfig.
3. Go through the first few windows, where you specify the name of your machine and the host name you want to have.
4. The third window you should see is SETUP IP FOR "your host name".
5. Click on Static IP.
6. You will be prompted with a window; put 192.168.0.1 in it. That is going to be your IP on your home network.
7. Leave the default net mask as 255.255.255.0.
8. When you are asked for a gateway just hit enter. When you are asked if you are going to run a name server click no. After that you should be good to go.
9. You will be prompted for your network card to be detected. Just let the program find the module for your card (if the system has that module compiled).
10. If netconfig tells you that you don't have the module for your network card, then you had better find out what your card name is and compile it into the kernel (if you don't know how to do that, go and read the Kernel-HOWTO at www.linuxdocs.org).

2.2 Configuring Windows

1. Log in (admin privileges are necessary).
2. Right click on network neighborhood.
3. Right click on local connections.
4. Then click on TCP/IP protocol and go to properties (if you don't have the protocol installed, just hit install, go to Protocols, select TCP/IP and click install).
5. There click use static IP: in the IP box put 192.168.0.2, then go to netmask and enter 255.255.255.0, and for the default gateway enter 192.168.0.1.
6. For DNS services, add the IPs your ISP (Internet Service Provider) has provided you with. If you don't know them, connect to the Internet in Windows, go to Start/Run and type winipcfg; a window with at least 2 IPs will be shown. Those two are the two DNS servers provided by your ISP. Put them both in the DNS service at the TCP/IP configuration.
7. Click ok and go back to your Slackware machine.

3. Setting up the connection sharing

Well, here goes the most exciting part of the exercise: setting up the sharing script. Right now I can only tell you how to start the script we are going to create using KPPP. So start up your favorite text editor (I usually use Pico for simple editing) and copy this script:

    #!/bin/sh
    # Make sure packet forwarding is on (harmless if it is already enabled)
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr
    # Flush the existing filter rules
    iptables -F
    # Masquerade everything that leaves through the modem
    iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
    # Drop packets arriving on the modem that claim a private source address
    iptables -A INPUT -i ppp0 --source 192.168.0.0/16 -j DROP
    iptables -A INPUT -i ppp0 --source 10.0.0.0/8 -j DROP
    iptables -A INPUT -i ppp0 --source 172.16.0.0/12 -j DROP
    # Forward traffic from the LAN and the replies that belong to it
    iptables -A FORWARD -i eth0 -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # This rule has no -j target, so it only counts the packets it matches
    iptables -A FORWARD -m limit --limit 5/minute --limit-burst 5

The first iptables line flushes the existing iptables rules. The second sets your ppp0 (your modem) interface to masquerading. The three INPUT lines deny any connection to your ppp0 interface from the three "C" class IP ranges used for home networking. The FORWARD lines are the ones doing the magic: they allow your network card to act as an ISP that serves the 192.168.0.2 PC.

That's it, you are done. Now save and exit, do chmod a+x filename, then do cp filename /usr/bin, and you are all set.

To run this script upon connection using KPPP, go to setup, select the name of the account, go to execute, and in the upon connect space put the name of the file that holds the iptables rules. Then connect to the Internet using KPPP. If you are using PPP, the only way I can figure out right now for you to execute the rules is to do it manually: wait for ppp-on/go to do its job and then execute the file.

Now go to the Windows computer and try connecting to a site. If you did everything right you should be able to surf the net without any problem.

If you want to be able to do dial on demand, go to www.sourceforge.net and do a search for diald. There is a good HOWTO on configuring diald on www.linuxdocs.org.

4. Some Security Additions

Well, everything is cool now and you have your network connection sharing up and running. Here are a few tips on how to make your computer and network a little more secure.

1. Log in as root and go to /etc.
2. pico (or whatever your favorite text editor is) hosts.deny. Now put this line in there:

    ALL: ALL

   This denies any access to any service on your PC. The bad thing is that you have blocked yourself and your network too that way.
3. Now do pico hosts.allow and put this in there on separate lines:

    ALL: 127.0.0.1
    ALL: 192.168.0.

   Now you have granted access to the services to your localhost and your network.

That's it. Now you can go and edit the inetd.conf file and comment out all the services you don't need.

5. Credits

I would like to thank:

- Ghost_Rider for adding the 3 INPUT rules in order to make the script more secure.
- Paul Ramsey <[email protected]> for his Home Networking mini Howto that inspired me to write my mini Howto.
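
Added example (not part of the original HOWTO or the author's code): a small Python check for the anti-spoofing INPUT rules of section 3. It reads an iptables rule script and reports which parts of the private address ranges are not dropped on ppp0. The function names and the two sample rule sets are constructed for illustration, and the parser only understands the options used in this HOWTO.

```python
import ipaddress
import shlex

# RFC 1918 private ranges that should never arrive from the Internet side.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def dropped_sources(script, wan_if="ppp0"):
    """Return the source networks dropped by INPUT rules on the WAN interface."""
    nets = []
    for line in script.splitlines():
        words = shlex.split(line, comments=True)
        if not words or words[0] != "iptables":
            continue
        opts = {}
        for i, w in enumerate(words[:-1]):
            if w in ("-A", "-i", "-j", "-s", "--source"):
                opts["-s" if w == "--source" else w] = words[i + 1]
        if (opts.get("-A") == "INPUT" and opts.get("-i") == wan_if
                and opts.get("-j") == "DROP" and "-s" in opts):
            nets.append(ipaddress.ip_network(opts["-s"], strict=False))
    return nets

def uncovered(script, wan_if="ppp0"):
    """Return the parts of the private ranges that no DROP rule covers."""
    dropped = dropped_sources(script, wan_if)
    gaps = []
    for net in PRIVATE_NETS:
        remaining = [net]
        for d in dropped:
            # Discard pieces inside d, split pieces that contain d, keep the rest.
            remaining = [p for r in remaining if not r.subnet_of(d)
                         for p in (r.address_exclude(d) if d.subnet_of(r) else [r])]
        gaps.extend(remaining)
    return sorted(ipaddress.collapse_addresses(gaps))

# Constructed sample rule sets: one with a narrow 192.168 rule, one with the full /16.
NARROW = """
iptables -A INPUT -i ppp0 --source 192.168.1.0/24 -j DROP
iptables -A INPUT -i ppp0 --source 10.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 --source 172.16.0.0/12 -j DROP
"""
FULL = NARROW.replace("192.168.1.0/24", "192.168.0.0/16")

if __name__ == "__main__":
    print("narrow rule leaves open:", [str(n) for n in uncovered(NARROW)])
    print("full /16 leaves open:  ", [str(n) for n in uncovered(FULL)])
```

With the narrow rule, the first gap reported is 192.168.0.0/24, which is the home network used in section 2, so a packet arriving on the modem could still claim a LAN source address.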