Monday, March 12, 2007
linux for an entire sunday
For a Linux security expert like my friend Florin, who is handling www.riss.ro, this would have taken 20 minutes ... it took me the entire day. Doh ...! But finally I'm quite proud of myself for not requesting any help and doing it my own way (Google is my friend).
So, here is how the story goes: my wife (as always, women cause all the trouble ...) chose to add a second computer to the house.
All good for me, as I will no longer have to share my computer with her, you say :) Well, yes, that too. But I had to make this second computer share the single IP on my computer, as the provider will not allow two home computers without extra payment. Since I am not going to pay extra for my wife's browsing, I needed to dig into NAT'ing and iptables on my Fedora Core 6 installation.
This is what I did:
- I installed a second network card on my computer and connected it with a crossover cable to the second machine. So I have the eth0 device with the external IP given by the provider, and the eth1 device with 192.168.1.1/24 statically assigned. My wife's computer got 192.168.1.2/24. This was the easiest part :)
- Testing the connection between the two computers: everything works.
- It took me the entire day of googling and reading to finally end up with the following /etc/rc.local file:
# add a static route to the internal host (not sure why it didn't work without it)
/sbin/route add -host 192.168.1.2 dev eth1
# load the NAT module of iptables (module name assumed: iptable_nat is the netfilter NAT table module)
/sbin/modprobe iptable_nat
# tell the system we want to route
echo 1 > /proc/sys/net/ipv4/ip_forward
# mangle with the TTL on eth0. The provider thought that setting TTL=1 would stop me :)
/sbin/iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-set 64
/sbin/iptables -t mangle -A OUTPUT -j TTL --ttl-set 64
# enable masquerading (or NAT) between external eth0 and the internal network
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -d 0/0 -j MASQUERADE
# forward new connections out through eth0, and only replies to them back in
/sbin/iptables -t filter -A FORWARD -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t filter -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# finally, allow DNS queries from internal network
# (these two rules match DNS traffic between this machine and the LAN on eth1;
#  the second computer's own queries to the provider's resolver already pass the FORWARD rules above)
/sbin/iptables -A OUTPUT -p udp -o eth1 --dport 53 --sport 1024:65535 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i eth1 --sport 53 --dport 1024:65535 -j ACCEPT
The above instructions would be better in another file that could be loaded by /etc/rc.local. However, this did the trick; now I can have the computer for myself :)
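As an added example (not the post's own rc.local, and not code from Fedora or the iptables project), here is the same two-interface NAT setup written with default-deny policies, anti-spoofing rules and a dry-run mode, so the rule set can be read before it is loaded. The interface names, the LAN subnet and the iptables path are assumptions that follow the post's layout (eth0 towards the provider, eth1 towards the LAN); `-m state` is used because that is what the post's rules use.

```shell
#!/bin/sh
# Added example, not the post's rc.local: a default-deny stateful NAT router.
# Interface names, LAN subnet and iptables path are assumptions (the post's
# layout: eth0 = provider, eth1 = LAN) and can be overridden via the environment.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
IPT="${IPT:-/sbin/iptables}"

# Print the rule set, one iptables command per line. Generating the commands
# separately from running them lets you read (or diff) what will be loaded.
nat_rules() {
    cat <<EOF
# start from a clean slate
$IPT -F
$IPT -t nat -F
$IPT -X
# default policies: nothing reaches the router or crosses it unless allowed
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
# anti-spoofing: LAN addresses must never arrive on the provider side
$IPT -A INPUT -i $WAN_IF -s $LAN_NET -j DROP
$IPT -A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
# the router itself: loopback, replies to its own traffic, and the LAN
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
# routed traffic: new connections only from the LAN outwards, replies both ways
$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# masquerade the LAN behind the single provider address
$IPT -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Enable forwarding and load the rules; comment and blank lines are skipped,
# and the first failing command stops the load with a message.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward || return 1
    nat_rules | while IFS= read -r cmd; do
        case "$cmd" in '#'*|'') continue ;; esac
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# Count the generated rules containing a fixed string, e.g. rule_count MASQUERADE
rule_count() {
    nat_rules | grep -c -F -- "$1"
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     nat_rules ;;
esac
```

Run it with no arguments to print the rules, or with `apply` (as root) to load them; `rule_count` is a quick check that a given rule is present in the generated set. The main difference from the post's rc.local is the FORWARD policy: there no policy is set, so whether the two FORWARD ACCEPT rules restrict anything depends on what the iptables service left in place before rc.local ran; here nothing crosses the box unless it is a new connection from the LAN or a reply to one, and a packet claiming a LAN source on the provider side is dropped.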
I would also evaluate switching to Ubuntu (Ferdy's article triggered the curiosity); however, I've done some things on my Fedora which would be rather annoying to remember and do again on Ubuntu. Then, what is the fun of Linux if not digging with Google for how to do certain things? If Ubuntu works kind of 'out of the box', I would miss the entire fun of discovering new things :)
For instance, the next challenge on my Fedora is to discover how to configure udev and hal to perform automounting and Gnome linking of an external USB HDD (80 GB) which I've recently been using. Manually mounting works beautifully, but it won't automount. If this worked in Ubuntu, I wouldn't learn about udev and hal, would I?
Disclaimer: The information in this weblog is provided "AS IS" with no warranties whatsoever, and confers no rights to any institution/person/organization. These are my personal thoughts and ideas. When I am inspired by others I give credit; I do not assume others' work and efforts. This site is NOT supported, approved, blessed etc. by Lotus Software and/or IBM Corporation.
This work is licensed under a Creative Commons Attribution 3.0 License.