Sunday, June 15, 2008

Private network with Ubuntu and Cisco router as dhcp server

I share my internet connection at my house and I wanted to set up my own network to connect my laptops with the desktops. Using the wireless was not the best option for transferring large files between systems, so I set up a small network.

The "house" network is 192.168.0.0/24 and connects to the internet; my private network is 192.168.1.0/24. The devices are connected through a 10/100 switch and, except for one PC, the IPs are assigned by a DHCP server (I don't have more than 5 PCs at the moment).

My main pc is an Ubuntu desktop with 2 network cards.
wlan0 - connects to the internet through a wireless router. Uses network 192.168.0.0/24
eth0 - ethernet card to use on my private network. Uses network 192.168.1.0/24

First check your current iptables rules by running iptables -L:

user@pc:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
user@pc:~$

This shows the table is empty. Now to enable internet sharing on the Desktop PC I run the following rules:

$sudo iptables -A FORWARD -i eth0 -o wlan0 -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
$sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$sudo iptables -A POSTROUTING -t nat -j MASQUERADE

rule1 allows the initial packets of new connections coming in on eth0 from the private network (192.168.1.0/24) to be forwarded out wlan0
rule2 allows forwarding of packets belonging to established connections (and those related to connections that were already started)
rule3 does the NAT (masquerading the private addresses behind the PC's own address)

Running iptables -L now shows the following:

user@pc:/home$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.1.0/24 anywhere state NEW
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
user@pc:/home$

This change is only valid until the next reboot, therefore we need to make it permanent. Read the links at the end of this post, but what I did was the following.

a. First save the current configuration to a local file by running:

sudo sh -c "iptables-save > /home//iptables.rules" 

Many posts I read suggest saving the file as /etc/iptables.rules, but in my case the file was not being saved at all. Checking the logs I found "permission denied" messages when the system was trying to save the file, so I used my own home directory, which I guess is not the best option regarding security.

Another note I found was that in those setups the save is done on every shutdown. In my case I did it once and will use the same file for every reboot. If I need to change something I will do it live and save the file again.

b. Second, set up a small script that loads the saved iptables configuration on boot. This can be done by creating a little shell script named iptaload in the /etc/network/if-pre-up.d directory.

user@pc:/etc/network/if-pre-up.d$ ls -l
-rwxr-xr-x 1 root root 65 2009-01-06 20:46 iptaload
user@pc:/etc/network/if-pre-up.d$

The file iptaload reads as follows:

user@pc:/etc/network/if-pre-up.d$ more iptaload
#!/bin/sh
iptables-restore < /home//iptables.rules
exit 0
user@pc:/etc/network/if-pre-up.d$

At this stage your iptables rules are changed and should be restored on every reboot.
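As an added example (not from the original post or the Ubuntu wiki pages linked below), the script below emits the three rules above bound to the post's eth0/wlan0 interfaces with a DROP policy on FORWARD, and adds the sanity check that the iptaload script lacks before it calls iptables-restore; the function names are mine.

```sh
#!/bin/sh
# Added example (not from the original post): the post's three rules bound to
# the post's interfaces (eth0 = private LAN, wlan0 = internet) with a DROP
# policy on FORWARD, plus a fail-safe check for the rules file that the
# if-pre-up.d script restores.  Nothing here touches the kernel until the
# generated text is piped to "sudo sh".

# Emit the forwarding/NAT rules for a LAN interface, a WAN interface and the
# LAN subnet.  With the FORWARD policy left at ACCEPT (as in the post's
# "iptables -L" output) the two ACCEPT rules change nothing, so the policy is
# set to DROP first.  New connections must enter on the LAN side and leave on
# the WAN side, and MASQUERADE is limited to traffic leaving the WAN interface.
gen_rules() {
    lan_if=$1; wan_if=$2; lan_net=$3
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_net -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE
EOF
}

# Return 0 only if $1 looks like a usable iptables-save dump: it exists, is not
# empty (the post's "permission denied" case produced no file at all), is not
# writable by other users, and carries the "*filter" table header and a COMMIT.
rules_file_ok() {
    f=$1
    [ -f "$f" ] || return 1
    [ -s "$f" ] || return 1
    [ -z "$(find "$f" -perm -002 2>/dev/null)" ] || return 1
    grep -q '^\*filter' "$f" && grep -q '^COMMIT$' "$f"
}

# Drop-in replacement for the body of the post's iptaload script: refuse to
# restore (and say so on stderr) instead of silently leaving the table empty.
restore_rules() {
    if ! rules_file_ok "$1"; then
        echo "iptaload: not restoring $1 (missing, empty, world-writable or not an iptables-save dump)" >&2
        return 1
    fi
    iptables-restore < "$1"
}
```

Review the output of gen_rules eth0 wlan0 192.168.1.0/24 and pipe it to sudo sh to apply it; restore_rules /path/to/iptables.rules can replace the single iptables-restore line in iptaload.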

Next, configure the gateway to route between the two interfaces by enabling IP forwarding. First check the current state with:

cat /proc/sys/net/ipv4/ip_forward

It will show either a 0 or a 1 where:

0=disabled
1=enabled

If the value is 0, enable forwarding by running:

sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

Many webpages mention that to make the above change permanent you need to edit /etc/sysctl.conf and add these lines:

net.ipv4.conf.default.forwarding=1
net.ipv4.conf.all.forwarding=1

And run the command:

sudo sysctl -p

That gives the following output:

user@pc:~$ sudo sysctl -p
kernel.printk = 4 4 1 7
kernel.maps_protect = 1
fs.inotify.max_user_watches = 524288
vm.mmap_min_addr = 65536
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
user@pc:~$

You should now see the new forward state with cat /proc/sys/net/ipv4/ip_forward, and the change should persist after a reboot, but sysctl -p didn't work in my case.

Another trick: I edited /etc/rc.local to set the ip_forward value on boot. Some people run this from cron every x minutes; I don't know why so often. The rc.local file looks as follows:

user@pc:/etc$ more rc.local
#!/bin/sh -e

sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
exit 0
user@pc:/etc$

At this stage you should have a PC that forwards packets from eth0 (the private network) to wlan0 (the "public" network). Remember that this PC does not do DHCP or DNS (at least mine doesn't; you can set that up too), so I also set up a DHCP server on an old Cisco 805 router: I set the router's IP to 192.168.1.2 and added the following DHCP server config:

ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.2
!
ip dhcp pool mynetwork
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.0.1
!

Where 192.168.1.1 is the ip of my Ubuntu PC and 192.168.1.2 is the ip assigned to the Cisco router.

Why use the Cisco router? Is it really necessary? No, it is not. I know the Ubuntu desktop could also be the DHCP server and DNS server, or forward the DNS settings of my ISP, but this gives me a reason to start playing with Cisco routers. The next plan is to connect it to a 1700 so that a PC on that end can access the internet through it.

The following links, from which I copied these steps, show the steps mentioned above with more examples and a better explanation:
https://help.ubuntu.com/community/Internet/ConnectionSharing?action=show&redirect=InternetConnectionSharing

and

https://help.ubuntu.com/community/IptablesHowTo
