I'm looking forward to the day I can replace Window$ 98SE with Knoppix/Debian and with that in mind, I have configured my PC dual boot. (Well..... W98SE is an unsupported obsolete OS!).
What I am trying to do is check that I can do 'what I need to' using Knoppix. Here is the first one of the things I'm struggling with:-
I need Knoppix to do the equivalent of ICS. I've read LOTS! on the web and this is what I understand so far.
1). I need to use the Linux feature 'masquerading' - which is built in to the kernel.
2). Knoppix is based on kernel 2.4.x so I need to use 'iptables' (not 'ipchains' used in earlier kernels).
3). I understand that my internet ethernet port is 'eth0' and uses DHCP and is autoconfigured by Knoppix. (and works just fine).
4). My intranet port is 'eth1' - Knoppix tries to configure DHCP and (naturally fails) - I understand that I can use 'ifconfig ethx' to check the ethernet port settings and 'netcardconfig' to change them.
So, I found this and tried it out:-
echo '1' > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
So, it also says that I need to start/stop iptables before making these changes, eg.
service iptables stop
But 'service' is not recognised. .....and when I try and use netcardconfig to set eth1 to 192.168.0.1 and all that good stuff for the intranet, it just comes back 'fail, network down' or similar and it even stops eth0 from working.
Dang, dang, dang! I'm no stranger to the obscure and difficult being a former Nortel DMS switch translations engineer..... but this is hard work!
I also tried without success to get 'linuxconf' 'ipmasq' 'firewall-easy' and 'firestarter' working.....
Cheers, Stuart.....
I just found out that the Debian equivalent of:-
service iptables 'command'
is:
/etc/init.d/iptables 'command'
Anyone know what I'm (still) missing?
Stu.....
ifconfig eth1 192.168.0.1
will change eth1's ip address from the command line. I don't know anything about netcardconfig but using ifconfig directly is tried and true. Typing it as I've specified without further options will set you up for subnet of 255.255.255.0 and broadcast of 192.169.0.255 so you needn't do anything there (unless you need other settings, man ifconfig is helpful).
Hopefully this will help with the ethernet config. As for the iptables setup, to my eyes, what you have should work. Were I not at school I'd test your config right now. To my knowledge, you shouldn't have to start/stop iptables to add your settings... Additionally, you might want to utilize iptables -L to see what's going on with your tables before you're adding your rules. If there are other entries, flush them with
iptables -F INPUT
iptables -F OUTPUT
et cetera.
~Kevin
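A check that the masquerading ruleset from the first post is actually loaded, as an added example that is not part of any post in this thread: it reads `iptables-save` output and reports what is missing. The function names are hypothetical and the sample rulesets are constructed; the interfaces default to the thread's eth0 (internet) and eth1 (intranet).

```shell
# Added example: audit `iptables-save` output for the ICS ruleset in this thread.
# check_ics and the sample_* functions are hypothetical names; samples are constructed.

check_ics() {   # usage: iptables-save | check_ics [wan_if] [lan_if]
    awk -v wan="${1:-eth0}" -v lan="${2:-eth1}" '
        { line = $0 " " }                        # pad so "-o eth0" matches at end of line
        /^\*/ { table = substr($0, 2) }          # "*nat" / "*filter" section headers
        table == "filter" && /^:FORWARD / { policy = $2 }
        table == "nat" && /^-A POSTROUTING / && /-j MASQUERADE/ &&
            index(line, "-o " wan " ") { masq = 1 }
        table == "filter" && /^-A FORWARD / && /-j ACCEPT/ {
            from_wan = index(line, "-i " wan " ") && index(line, "-o " lan " ")
            from_lan = index(line, "-i " lan " ") && index(line, "-o " wan " ")
            stateful = (line ~ /ESTABLISHED/ && line ~ /RELATED/)
            if (from_wan && stateful) replies = 1
            if (from_wan && !stateful) exposed = 1   # unsolicited traffic reaches the LAN
            if (from_lan) outbound = 1
        }
        END {
            if (policy != "DROP") msg[++n] = "FORWARD policy is " (policy ? policy : "unset") ", expected DROP"
            if (!masq)     msg[++n] = "no MASQUERADE rule on " wan
            if (!replies)  msg[++n] = "no ESTABLISHED,RELATED rule " wan " -> " lan
            if (!outbound) msg[++n] = "no ACCEPT rule " lan " -> " wan
            if (exposed)   msg[++n] = "stateless ACCEPT " wan " -> " lan
            for (i = 1; i <= n; i++) print msg[i]
            exit (n > 0)
        }'
}

sample_good() { cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
EOF
}

sample_empty() { printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' 'COMMIT'; }

sample_good  | check_ics && echo "ruleset from the first post: ok"
sample_empty | check_ics || echo "empty tables: incomplete"
```

On a live box, run `iptables-save | check_ics` as root; the rules only take effect if /proc/sys/net/ipv4/ip_forward also reads 1, which this function does not check.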
Your options are:
/etc/init.d/iptables start|restart|reload|force-reload
So an example would be:
/etc/init.d/iptables start
Maybe something like the following will get you started. Of course this just allows ICS- you'll still need to configure a firewall.
echo 1 > /proc/sys/net/ipv4/ip_forward
ipchains -I forward -s 192.168.0.0/24 -d 0/0 -j MASQ
This is THE Linux firewall site. A few more links:
http://tldp.org/HOWTO/Authentication...WTO/setup.html
http://tldp.org/HOWTO/Masquerading-S...O/summary.html
Many thanks, I'll try these suggestions out and let you know how I get on!
Stuart.....
You might want to do an apt-get install firestarter.
Firestarter has a nice internet connection sharing option. It's all gui based. It's just another option you might try.
The key problem I seem to have is this:-
root@ttyp0[knoppix]# ipchains -I forward -s 192.168.0.0/24 -d 0/0 -j MASQ
ipchains: Protocol not available
What does it mean? I checked in Kpackage and it says ipchains is installed.....
[whole transaction:-
root@ttyp0[knoppix]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@ttyp0[knoppix]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:02:8A:66:33:5D
inet addr:81.101.112.140 Bcast:255.255.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:17630 errors:0 dropped:0 overruns:0 frame:0
TX packets:1332 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1116705 (1.0 MiB) TX bytes:84677 (82.6 KiB)
root@ttyp0[knoppix]# ifconfig eth1 192.168.0.1
root@ttyp0[knoppix]# ifconfig eth1
eth1 Link encap:Ethernet HWaddr 00:0A:E6:76:4E:48
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:2052 (2.0 KiB)
Interrupt:11 Base address:0xd000
root@ttyp0[knoppix]# echo 1 > /proc/sys/net/ipv4/ip_forward
root@ttyp0[knoppix]# ipchains -I forward -s 192.168.0.0/24 -d 0/0 -j MASQ
ipchains: Protocol not available
root@ttyp0[knoppix]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@ttyp0[knoppix]#
]
Cheers, Stu.....
Ummm- I deserve a kick in the pants for that one. Like an idiot I posted ipCHAINS not iptables. Old habits are hard to break.
I don't know if it's an option for you or not but I have an old pc that I use for a router and NAT (network address translation) or ICS as they say in wondoworld. I will have another look at ipTABLES and perhaps post something a bit more useful next time.
Sorry- sometimes I am such a moron.
You may want to look at Arno's IPtables-Firewall. The instructions are pretty easy to understand; you should only have to change a couple of lines in the config files and put the files in the right place with proper permissions, and be up and running in no time.
Rickenbacherus wrote:
> Ummm- I deserve a kick in the pants for that one. Like an idiot I posted ipCHAINS not iptables. Old habits are hard to break.
> I don't know if it's an option for you or not but I have an old pc that I use for a router and NAT (network address translation) or ICS as they say in wondoworld. I will have another look at ipTABLES and perhaps post something a bit more useful next time.
I typed it in and didn't notice, the 'problem' is working with the command-line, and the human aspect of not really reading! S'pose this is why the GUI was invented! - your help is appreciated..
Stephen wrote:-
> You may want to look at Arno's IPtables-Firewall. The instructions are pretty easy to understand; you should only have to change a couple of lines in the config files and put the files in the right place with proper permissions, and be up and running in no time.
I'll take a look at this today!
Many thanks, Stu.....
www.stuartkennedy.org.uk