Senior Member with 106 posts. Join Date: May 2003. Location: Philadelphia, PA, USA. Experience: Intermediate.

Using netfilter/iptables

OK, I've finally figured out that I should use netfilter/iptables to use my linux PC as a router (um... right?). The netfilter website says that it is usually included in modern kernels and has a ton of documentation, but I'm having a hard time understanding it; it all seems to fall either on one side (very abstract, with metaphors and generalizations) or the other (chunks of code and commands without context) of the "documentation spectrum." For example, the section "I just want masquerading! Help!" (which is my position exactly). If anyone even sees simply where that stuff should go, it would be very helpful. I know I should probably figure this out myself, but I've just been going in circles with it. Or if you're feeling in a particularly wonderful mood, how would I go about doing the following? I need to set up a linux PC with 3 network cards, one with IP assigned by DHCP which provides/accesses an internet connection and 2 connected to other PCs which need to access the connection. I don't need anything fancy at all, just the most basic system to get all 3 machines using the connection. Thanks in advance for any response!

Distinguished Member with 14,988 posts. Join Date: Apr 2003. Location: 1265 Lombardi Ave. Experience: IIAHYAYCESA,YAADA!

I have some documentation on setting up NAT and IP masquerading, but I have to dig it out.
Keep bugging me until I give it to you. I am not at home right now.

Senior Member with 106 posts. Join Date: May 2003. Location: Philadelphia, PA, USA. Experience: Intermediate.

Ok Squashman. Have I mentioned lately that I love you?
P.S. And I wish I could help with your question (I've never seen one from you before), but I don't use either of those systems.

Senior Member with 1,962 posts. Join Date: Aug 2002. Location: Back East, Way Back East.

Alternatively, you could try a Firewall Distribution.
Most of the firewalls that come with a regular distro are just front-ends for setting up netfilter/iptables.
HTH
lynch

Senior Member with 106 posts. Join Date: May 2003. Location: Philadelphia, PA, USA. Experience: Intermediate.

Oh yeah, thanks! I had considered that a while ago, but it slipped my mind. "Running Linux, a 486 with 16 megs of RAM, worth almost nothing, can outperform a dedicated firewall costing several thousand dollars." Sweet. I'd still like to know how to use netfilter/iptables myself (I had intended to finally get Slackware running), but just the same this sounds perfect; I'll try SmoothWall, I think.
EDIT: Smoothwall site's down right now, apparently... well, hopefully that's just temporary. I'll try back later.
EDIT #2: Well, it's back up and I'm downloading the Smoothwall Express 2.0 ISO now. I know this is a highly specialized distro, but would it be possible to get other linux programs running on top of smoothwall, do you think? Non-GUI of course...
Last edited by Dirk Gently: 11-Jun-2004 12:07 PM.
Senior Member with 1,410 posts.

Quote:
For example, the section I just want masquerading! Help! (which is my position exactly). If anyone even sees simply where that stuff should go, it would be very helpful.
This section actually shows what you would enter on the command line or put in a script (typically in a file such as /etc/rc.d/rc.inet2 or /etc/rc.d/rc.firewall). The commands set up NAT on your Linux system and enable IP forwarding. The comments in the section (i.e., those lines that begin with a '#' character) explain what is going on. You should be able to enter these commands as root at the command line and have IP masquerading take effect. Once you are sure that things are working properly, you can add the commands to an initialization script that runs when Linux is booted, so masquerading will be done automatically each time.
Hope this helps.
__________________ The slowest component still sits at the keyboard.

Senior Member with 106 posts. Join Date: May 2003. Location: Philadelphia, PA, USA. Experience: Intermediate.

Ah! Exactly! I understand now. That helps a lot. See, I was thinking those looked like commands, but the comments confused me (I mean, I'm not about to enter comments into a terminal, now am I?). It's all... well, not quite crystal-clear, but much closer to it! One quick question: in that set of code, could I just change ppp0 to eth0 to get that to work? (Assuming at this point I just have eth0 and eth1)... I've never had anything "ppp" on linux with this connection before, just "eth". Well, either way I'm going to go fiddle around with it now. Thanks again!

Senior Member with 106 posts. Join Date: May 2003. Location: Philadelphia, PA, USA. Experience: Intermediate.

Gah! Smoothwall it is then, I guess, for now. On knoppix I tried using the "ADSL/PPPoE Configuration" program, even though my connection worked fine, because I could only see eth0. After that I could see eth0, eth1, and ppp0. Connection acted the same. What is ppp0, then? PPPoE confuses me. Anyway, the commands didn't seem to do anything; after trying them for eth0 and ppp0 both I got this:
knoppix@ttyp1[knoppix]$ netstat -M
netstat: no support for `ip_masquerade' on this system.
I'm going to burn and run the smoothwall ISO and try that out, finally. I'm probably just screwing something simple up, but that seems like the best path. Thanks again for all your help.

Senior Member with 1,410 posts.

Quote:
One quick question, in that set of code, could I just change ppp0 to eth0 to get that to work? (Assuming at this point i just have eth0 and eth1)...
I wondered about your initial description of your network (i.e., 3 network cards). In general, your local workstations are typically on the same subnet (not always, and certainly not required, but true more often than not), so you need only two network cards: (1) the NIC that interfaces to your external network (WAN, typically your cable/DSL modem) and (2) the NIC that interfaces to your local network. If, in fact, you have two local networks (perhaps a wired and a wireless network that you wish to separate for security reasons), then you would need an additional card to interface to the second local network.
If, in fact, your eth0 interface is the interface to the WAN, then I believe you could (and should) substitute eth0 for ppp0, since it is your eth0 interface that will be doing the mapping from internal IP addresses to a single WAN IP address.
Hope this helps.
__________________ The slowest component still sits at the keyboard.

Senior Member with 106 posts. Join Date: May 2003. Location: Philadelphia, PA, USA. Experience: Intermediate.
11-Jun-2004, 10:27 PM
#10

Well, I tried both and got the same result (nothing). What I meant by 3 cards was that I need to get all 3 PCs online, so the router one needs one card to access the WAN (internet through DSL modem in this case) and 2 other cards to connect to the two other PCs. At this point I don't actually *have* the router one; my connection goes modem > PC1 > PC2, so PC1 has 2 cards. I figured to get all of them up I'd need 3 cards (well, really this means one integrated ethernet port and 2 ISA cards, but anyway) for the router, so:

Code:
modem --- router PC ---- other PC
              |
              `--------- other PC
Perhaps I'm missing something?

Senior Member with 1,410 posts.
12-Jun-2004, 01:24 AM
#11

Quote:
What I meant by 3 cards was that I need to get all 3 PC's online, so the router one needs one card to access the WAN (internet through DSL modem in this case) and 2 other cards to connect to the two other PC's.
I don't think this is quite right (but I may have misunderstood something, as well). You're right that the router needs one NIC to access the WAN (internet via DSL modem), but it should need only one additional card to access all other workstations on your LAN (assuming they are all on the same subnet). That leaves your third card for use in one of the workstations. This also assumes that you are not mixing connection types on your LAN (e.g., wired ethernet and HPNA); if you are mixing connection types, then you will need one NIC for each connection type in your router PC.
Hope this helps.
__________________ The slowest component still sits at the keyboard.

Senior Member with 106 posts. Join Date: May 2003. Location: Philadelphia, PA, USA. Experience: Intermediate.
13-Jun-2004, 06:55 PM
#12

As usual, I'm definitely missing something... How can I use a single card to connect to the other 2? There is nothing involved here but 3 computers, NICs inside them, and network cables (it's all ordinary wired ethernet, by the way).
EDIT: A little bit more clarification: they definitely are all on the same subnet; it is (it will be, that is, hopefully) an extremely simple set-up. And on another note, thanks for sticking with this for this long!

Senior Member with 1,410 posts.
13-Jun-2004, 08:04 PM
#13

OK, it's entirely possible I'm misunderstanding something fundamental (I specialize in spectacular mistakes!), but it seems as though what you want to do is to connect 2 workstations with a third workstation that will be functioning as a router, and all workstations are using the same type of connection and are on the same subnet. So let's back up a little (and my apologies if I've missed the obvious -- just let me know, and we'll go from there ...).
For a moment, let's forget about having a router PC at all; let's just assume that you have a working network. How many cards are in each workstation on the network (again, assuming the configuration given above)? As far as I know, you need only one card in each workstation to communicate with any other workstation on the network (even those on other subnets, with proper routing) -- if this were not true, you would need to add a card to each workstation every time a new workstation was added to the network (which might be great for the hardware vendors, but hardly practical for most of us!).
Your router PC is (almost) no different -- it is a workstation on the local network, and so needs one card to communicate with all other workstations on the local network -- just like any of your other workstations that are not performing routing duties. As you point out (and quite correctly), the router PC also has to communicate with the outside world (i.e., the internet and your modem); this requires an additional card because your router PC must be able to forward outgoing requests from your LAN to the outside world, and to accept incoming data from the outside world and forward it to workstations on your LAN. The outside world is (usually) on another network.
So let's stop there for the moment, just in case I've (already!) missed the obvious. Please feel free to clarify/correct as needed.
Hope this helps.
__________________ The slowest component still sits at the keyboard.

Senior Member with 106 posts. Join Date: May 2003. Location: Philadelphia, PA, USA. Experience: Intermediate.
13-Jun-2004, 08:27 PM
#14

Well, that all makes sense to me, except for one bit. Forgetting the router PC, like you said, there are two workstations. The one has 1 card and is the "end of the line" in any case. The other currently has two cards, one connected to the modem and one connected to the other PC. But assuming I'll have the configuration I want, you're right, those two will both only need one card each. The part I still don't understand is how I could physically connect one computer (the eventual router one) to multiple others through a single card for the "LAN".

Senior Member with 1,962 posts. Join Date: Aug 2002. Location: Back East, Way Back East.
14-Jun-2004, 05:05 AM
#15

A hub or a switch.
HTH
lynch
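The setup this thread converges on (two NICs in the router PC: one to the DSL modem, one to a hub or switch that the other two PCs plug into, with the NAT HOWTO's "I just want masquerading!" commands pointed at the WAN interface rather than ppp0) written out as one script. This is an added example, not code from the thread or from the netfilter documentation. The interface names eth0 (WAN, address from DHCP) and eth1 (LAN) and the LAN subnet 192.168.1.0/24 are assumptions chosen to match the poster's description. It also adds two things the HOWTO's two-line version leaves out and a practitioner would want: a DROP policy on the FORWARD chain, so the router only passes traffic that a LAN host started and the replies to it, and MASQUERADE rather than SNAT, because the WAN address comes from DHCP and can change.

```shell
#!/bin/sh
# Minimal Linux NAT router (netfilter/iptables, 2.4+ kernel).
# Added example; interface names and subnet below are assumptions, not from the thread.
#   eth0 = WAN, address assigned by the DSL modem via DHCP
#   eth1 = LAN, 192.168.1.1/24, the other PCs hang off a hub/switch on this port

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the iptables commands for the given WAN interface, LAN interface and LAN subnet,
# one per line. Building the rule list separately from applying it lets you read what
# will be installed before touching the firewall (and lets it be checked without root).
build_nat_rules() {
  wan="$1"; lan="$2"; net="$3"
  cat <<EOF
iptables -t nat -F
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -i $lan -o $wan -s $net -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -d $net -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -s $net -j MASQUERADE
EOF
}

# Run each generated command as root, then switch on forwarding between interfaces.
# The subshell created by the pipe means "exit 1" only aborts the loop; the function
# returns that status and forwarding is left off, so a half-applied ruleset never routes.
apply_nat_rules() {
  build_nat_rules "$@" | while IFS= read -r cmd; do
    $cmd || { echo "failed: $cmd" >&2; exit 1; }
  done || return 1
  echo 1 > /proc/sys/net/ipv4/ip_forward
}

# What to look at instead of "netstat -M" on a netfilter kernel: the POSTROUTING
# counters climb as LAN hosts use the connection, and ip_forward must read 1.
show_nat_state() {
  iptables -t nat -L POSTROUTING -n -v
  cat /proc/sys/net/ipv4/ip_forward
}

if [ "${1:-}" = "apply" ]; then
  apply_nat_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" && show_nat_state
else
  build_nat_rules "$WAN_IF" "$LAN_IF" "$LAN_NET"
fi
```

Run it with no arguments to print the rules, and as root with `apply` to install them; put the same call in the boot script mentioned above once it works. One caveat on the check used earlier in the thread: `netstat -M` reads /proc/net/ip_masquerade, which only exists on 2.0/2.2 kernels using ipfwadm/ipchains masquerading, so "no support for `ip_masquerade'" is the normal answer on a netfilter (2.4/2.6) kernel and says nothing about whether NAT is working; `show_nat_state` above is the equivalent check. The two LAN PCs still need the router's LAN address (192.168.1.1 here) as their default gateway and a DNS server configured, or they will be able to reach the router but nothing beyond it.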
Tech Support Guy forum thread. Copyright © 1996 - 2009 TechGuy, Inc. Powered by vBulletin.