Re: Sharing a Cable Modem

[Adam C Powell IV <hazelsct@mit.edu>]

Tuomas Kuosmanen wrote:

> On Fri, 2001-09-07 at 18:08, Bastien Nocera wrote:
>
> > > The box will have to do IP Masquerade, this is
> > > ipchains right? I think I can do ipchains.
> > I have that as a script on my iMac to offer masquerading to my laptop.
> >
> > # install ipchains modulemodprobe ipchains
> > # enable IP forwarding
> > /sbin/sysctl -w net/ipv4/ip_forward=1 > /dev/null
> > # Deny all forwarding
> > ipchains -P forward DENY
> > # Forward (masquerade) to eth0 (internet) what comes from 192.168.1.2
> > ipchains -A forward -i eth0 -s 192.168.1.2/32 -j MASQ
>
> This works, or you can simply "apt-get install ipmasq" on the
> masquerading machine.
>
> First setup the networking so that the masq. machine can see outside
> world (the dsl/cable modem) and also the internal network (192.168.1.X
> for example, the hub), and if your masq. box has the internal network ip
> 192.168.1.1 for example, set that as the GATEWAY on the other machines.
Right.  One word of caution: I'd suggest dhcp-client instead of dhcpcd. 
What you do is put something in /etc/network/interfaces like:

auto eth1
iface eth1 inet dhcp

Then this will automatically get a lease on eth1.

If you really want to use dhcpcd (I've heard security trouble rumblings, 
maybe not a good idea), then don't put the above in 
/etc/network/interfaces.  But you'll have to configure the ipmasq 
package to start after network services have been started, which is 
*not* the default, since otherwise dhcpcd might not start until *after* 
ipmasq, which will leave your networking in an inconsistent (read: 
*bad*) state until you fix the config and reboot.  (Restarting ipmasq 
doesn't do it, neither does restarting networking, then dhcpcd, then 
ipmasq, tried lots of different combinations.  Wasted about a month on 
this one earlier this summer!)

> Then apt-get install ipmasq and it should start working. Of course one
> can do it by hand also, but the ipmasq package's scripts seen to have
> the nice effect of also working with dynamic ip addresses etc.
Indeed.  It even auto-detects at boot-time which interface is on the 
internet, and configures appropriately.  A very nice package.

> In fact,
> as I am currently without a broadband connection (aaaargh! :) my
> ipmasquerading stuff works fine with a 33.6bps modem dialup on the same
> machine, I just start ppp instead of configuring eth0, and things work
> fine.
Right, it also auto-detects each time ppp connects/disconnects.  Very cool!

(Why don't other distros do something like this?  Why is this not more 
widely publicized/known?  It makes this task so trivially simple for 
Debian users!)

> Of course you very likely want to tune the firewall for security if you
> are on a broadband connection, but that is another topic. I have a
> separate script for that purpose I run after the ipmasq thingy.
I haven't looked at this in detail, but ipmasq's firewall rules seem 
very conservative, and not too hard to customize.  What additional 
restrictions do you feel need to be added?

> * Yes, I dont claim to be a networking expert, but it works for me, and
> maybe this was useful information for someone else :o)
Me neither. :-)

Zeen,
--

-Adam P.

GPG fingerprint: D54D 1AEE B11C CE9B A02B  C5DD 526F 01E8 564E E4B6

Welcome to the best software in the world today cafe! 
<http://lyre.mit.edu/%7Epowell/The_Best_Stuff_In_The_World_Today_Cafe.ogg>