WelcomeWelcome | FAQFAQ | DownloadsDownloads | WikiWiki

Author Topic: HOWTO: Internet Connection Sharing using TC with iptables, nat, masquerading  (Read 6044 times)

Offline mcewanw

  • Full Member
  • ***
  • Posts: 102
1. The following two command lines set up TC to perform the function of Internet connection sharing on your local area network.
Code: [Select]
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

I have only tested this with a dialup modem using interface ppp0 (as indicated above by -o ppp0). However, I expect the same technique will also work for other interfaces/connection methods instead of ppp dialup. You should just need to change the above ppp0 to the appropriate interface name (such as eth0, wlan0 etc...)

2. Of course, you first have to get the appropriate interface and connection method working. For dialup, for example,  you need to install the tc extension pppd (e.g. pppd.tcel) and pppsetup (which furthermore needs bash to be installed). This brief howto however does not cover the setting up of ppp dialup, but you can find details for how to do so in the following two tc forum threads:


3. Apart from having a suitable interface and connection method already configured and working, you also need to install the following two tc extensions: iptables (e.g. iptables.tcel) and firewall.x.x.x (e.g. firewall.2.6.26.tcem, which provides the necessary NAT modules).

4. Though you can run the given commands in a terminal at any time, you will probably prefer to have the Internet connection sharing running automatically whenever your TC machine is booted. For that to happen you just need to edit the file /opt/bootlocal.sh with your favourite text editor and append the two commands given in step 1 above.

5. You do of course need to set up the other computers on your local network such that their default route is to your TC Internet Connection Sharing computer (for which you could, for example, set up its ethernet interface to use local area network address, or any other unique private local area IP address of your choosing). These connecting machines which are to share the Internet connection also need to be set up such that they know an appropriate DNS server address or addresses (usually those of your Internet Service Provider) and have each of their relevant LAN ethernet connections configured with unique private local area network addresses (such as 192.168.0.x). Such details are however beyond the scope of this simple HowTo.

Offline curaga

  • Administrator
  • Hero Member
  • *****
  • Posts: 10156
Just to say masquerading everything is not recommended practise, and adding say "-i eth0" to the first rule would add a good check for packets.
The only barriers that can stop you are the ones you create yourself.

Offline mcewanw

  • Full Member
  • ***
  • Posts: 102
liberal masquerading - the good, the bad, and the ugly
« Reply #2 on: April 05, 2009, 04:34:24 AM »
Not sure which recommender you are referring to, but anyway, my intention was just to help users get started by giving this quick to set up example of  liberal masquerading. I didn't say it was a secure firewall; and table rules can indeed be added. I have used such a simple setup often though as a quick hack to get my whole family on the net, and it may prove useful to some who would like to use TC but quickly need to share a connection . . .

For those wanting to know more, some good/succinct general info about such techniques is provided at the following site (the attached extract concerns my example of liberal masquerading):


The strict way: iptables -t nat -A POSTROUTING -o ppp0 -j SNAT \ 
                               --to $PPPIP

The liberal way: iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

The liberal form is better for temporary connections:
MASQUERADE automatically chooses address
MASQUERADE forgets old connections when interface goes down
For dial-up, cable modems and ADSL: MASQUERADE wins
. . .

Now that you have it going, if you want to improve the basic scheme in terms of security, look here: http://tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html

« Last Edit: April 05, 2009, 06:06:50 AM by mcewanw »