Everyone's got a LAN at work or at home these days. Here's how to use Linux to let every computer on your LAN, including Windows boxes, access the Internet through a single connection.
Remember the dim and distant past, about five years ago, when networking was something only big companies and those hopelessly addicted to computers did? Thanks to plummeting hardware prices, that’s all changed now, and it’s common to find LANs (Local Area Networks) in even the smallest business or home.
There are many advantages to networking your local computers. First, having a LAN allows you to easily share and centralize data — no more swapping disks or sending bulky e-mails when you can just save directly to any disk on any machine in your network. Second, LANs allow everybody in a home or office environment to share peripheral components like printers, scanners, and zip drives. Instead of buying a printer for every computer, for instance, you can buy one excellent printer for all the computers, get higher quality output, and save money.
Finally, using Linux, you can hook up your entire LAN to the Internet through a single connection, save a bundle of money, and still enjoy excellent performance. All you need is at least one computer running Linux (the other machines in your LAN can use just about any OS), a modem, and an Internet service provider. The setup process is surprisingly easy. In this article, we’ll show you how to do it.
Before we dive into the details, it’s worth pointing out a few items. First, we won’t cover setting up a modem under Linux, or the basics of installing a network board, or general networking principles. If you need help in these areas, see the Web Links sidebar on page 54 for some of the almost endless Linux documentation that’s available on various networking issues.
Second, in the interest of simplicity we will ignore issues about security and interaction with other networking software and hardware. Everything discussed here is based on fresh, stock installations of Red Hat Linux 6.1, using supported networking hardware. It’s possible that some of the configuration files and directories will be different on other distributions, or even on earlier versions of Red Hat, but these differences shouldn’t pose great difficulties.
|Figure One: Gateway has the only direct connection to the Internet. Other systems access the net through gateway.|
Figure One is a high-level view of the system we’ll be describing in this article. We’ll refer frequently to the computers by the names in the figure (gateway, client1, etc.), and we’ll also talk about their network addresses (192.168.1.1). If you don’t know what network addresses are, don’t panic, we’ll get to those shortly.
Finally, remember that a little planning can have a big payback. For example, decide up-front which of your systems will be the gateway. Typically, this should be the system that’s already set up with an Internet connection, since it will require the least amount of change. Also, make sure you have all the needed information from your ISP (Internet Service Provider), such as the names of the mail and news servers, and the IP (Internet Protocol) address of the DNS (Domain Name System) server.
In order to connect your LAN to the Internet, you’ll have to know a bit about how networked computers communicate. Every computer on a network has a unique IP address (“IP” stands for Internet Protocol), which consists of four numbers, each one between 0 and 255 (e.g., 127.16.5.132). Computers and other networking hardware use these addresses to route information to the right destination.
Each time it receives a packet of data over the Internet, a computer checks the packet’s IP address label to see whether that computer is the data’s intended recipient. If it is, the computer keeps the data; if it isn’t, it forwards the data in the right direction. When operating as a LAN’s gateway, a computer must recognize and catch data packets addressed to itself and to every other machine on the LAN. It must then forward packets addressed to the various LAN computers to their proper destinations while keeping those packets addressed to itself.
ISPs charge more if they have to allocate more than one IP address to you. Luckily, it’s possible to connect an entire LAN to the Internet through a single IP address. With the type of configuration we’ll show you how to set up, all incoming data is addressed to the gateway and then forwarded to its proper destination within the network. All outgoing data uses the gateway’s return address, thereby fooling outside computers into thinking that all traffic from the LAN is coming from a single computer. This process is called IP masquerading.
To see how IP masquerading works, let’s start with the network shown in Figure One. This network is connected to the Internet through a dial-up PPP (point-to-point protocol) connection by the Linux system gateway that uses IP masquerading. If a user on client1 wants to browse a Web page from webserver, which can be any Web server anywhere on the internet, IP masquerading can make it all work transparently to client1 and webserver.
When client1 opens a TCP connection by transmitting a packet to webserver, the data goes first to gateway. Gateway creates a fictional TCP port number and remembers both it and the real port number associated with client1's data. Gateway then changes the originating information in the data packet so that it appears to have come from this fictional port on gateway itself, then sends the data out into the Internet. When webserver sends data back, it naturally uses the modified addressing information from gateway. When the data arrives at gateway, gateway uses the information it remembered (including the fictional port number it assigned to the data from that local computer) to determine which PC on the LAN should really receive it. Gateway once again patches the address information in the packet, this time fooling the local computer into thinking it contacted webserver directly, and then sends it the data.
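To make that bookkeeping concrete, here is a small Python model of the translation table a masquerading gateway keeps. It is an added example, not code from the article or from the Linux kernel. The addresses used (198.51.100.7 as the ISP-assigned address of gateway's ppp0, 203.0.113.10 as webserver), the starting fictional port of 61000, and the class and function names are all constructed for the demonstration; the is_private check uses the three reserved address blocks from Figure Two.

```python
"""Added example: a model of the translation table behind IP masquerading.
Not from the article or the kernel; addresses, ports and names are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# the three private blocks from Figure Two; traffic from these must be masqueraded
PRIVATE_BLOCKS = [ip_network("10.0.0.0/8"),
                  ip_network("172.16.0.0/12"),
                  ip_network("192.168.0.0/16")]


def is_private(addr):
    """True if addr lies in one of the reserved private blocks."""
    return any(ip_address(addr) in block for block in PRIVATE_BLOCKS)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Masquerader:
    """Rewrites outbound LAN packets to the gateway's address and undoes it for replies."""

    def __init__(self, public_ip, lan, first_port=61000):
        self.public_ip = public_ip      # ISP-assigned address of gateway's ppp0 (constructed)
        self.lan = ip_network(lan)      # the LAN behind gateway, e.g. 192.168.1.0/24
        self.next_port = first_port     # next fictional port to hand out (constructed value)
        self.by_flow = {}               # (proto, src, sport, dst, dport) -> fictional port
        self.by_port = {}               # (proto, fictional port) -> original flow

    def outbound(self, pkt):
        """LAN -> Internet: swap the client's address/port for gateway's and a fictional port."""
        if ip_address(pkt.src) not in self.lan:
            return pkt                  # gateway's own traffic needs no rewriting
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.by_flow.get(flow)
        if port is None:                # first packet of this connection: allocate a port
            port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = port
            self.by_port[(pkt.proto, port)] = flow
        return Packet(pkt.proto, self.public_ip, port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Internet -> LAN: map the fictional port back to the client, or None to drop."""
        flow = self.by_port.get((pkt.proto, pkt.dport))
        if pkt.dst != self.public_ip or flow is None:
            return None                 # nothing on the LAN asked for this: drop it
        proto, src, sport, dst, dport = flow
        if pkt.src != dst or pkt.sport != dport:
            return None                 # reply does not come from the host we contacted
        return Packet(proto, pkt.src, pkt.sport, src, sport)


if __name__ == "__main__":
    gw = Masquerader("198.51.100.7", "192.168.1.0/24")
    out = gw.outbound(Packet("tcp", "192.168.1.2", 1025, "203.0.113.10", 80))
    print("webserver sees:", out)
    back = gw.inbound(Packet("tcp", "203.0.113.10", 80, "198.51.100.7", out.sport))
    print("client1 receives:", back)
```

The two dictionaries are the whole trick: one keyed by the client's real connection so repeat packets reuse the same fictional port, one keyed by the fictional port so replies can be undone. A packet that arrives at the fictional port from a host the client never contacted, or at a port nobody allocated, has no entry and is dropped, which is why machines behind a masquerading gateway are not reachable from the outside by default.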
Basic LAN Setup
|Figure Two: Three blocks of IP addresses are set aside for private networking. These addresses are used for TCP/IP networks that aren’t directly accessible by any host on the Internet. As far as the Internet as a whole is concerned, none of these IP addresses even exists.|
To set up a LAN so that your systems can talk to one another, you can assign each computer an IP address, using one of the values that are reserved for private use. The suggested values are shown in Figure One, with 192.168.1.1 being the gateway, client1 being 192.168.1.2, etc. The classes of IP addresses are shown in Figure Two (pg. 54).
To assign a static IP address to a Red Hat 6.1 system, open an X terminal window and enter the command netcfg. Click on the “Interface” button on the netcfg interface, and you should see an entry for the loopback network device, with the address of 127.0.0.1, as well as one for your Ethernet board, typically called eth0. Click on the entry for eth0, then click on the “Edit” button to display the configuration dialog shown in Figure Three (pg. 54).
|Figure Three: The netcfg tool makes it very easy for you to set the static IP address of your network adapter.|
In this dialog, enter the IP address that you have chosen for the system, enter a netmask of 255.255.255.0, and make sure that the option that allows the interface to start at boot time is selected. You can then deactivate the interface from the netcfg screen and reactivate it to make the address change go into effect.
If the activation step makes netcfg hang, as it invariably does on my systems, you can always cancel the program by clicking on the “close” button on its window with your right mouse button. After you do this, the new address should still be in effect. Now, just repeat these steps for each of your computers using the address you’ve chosen for each.
To make sure that all of your systems can find one another over the network, use the ping command from each one. From the gateway system, enter ping 192.168.1.2, and you should see a series of messages telling you how long each message took to travel to client1, the system whose address you passed on the command line. Make sure that you remember to press ctrl-c to stop pinging, or it will go on forever.
Setting Up Your Gateway
Now it’s time to set up the computer that’s connected to the Internet so that it can also serve as a gateway for the rest of your LAN. The first step is to make sure you have a PPP (Point to Point Protocol) adapter on your gateway system, and that it’s set up properly.
|Figure Four: Creating a PPP adapter for dial-on-demand usage.|
|Figure Five: Adding a DNS server address to a configuration.|
Run netcfg and, this time, go to the “Interfaces” section. Click on the “Add” button and then select the “PPP” option from the dialog, which opens the dialog shown in Figure Four (pg. 56), using the name “ppp0” for the new adapter. Enter the phone number of your ISP, and click the “Configure” button. On the configuration dialog, you want to select the “Communication” button and then configure the “Expect” and “Send” strings to handle the password prompting and responses you need to use to log on to your ISP account. If your ISP uses PAP (Password Authentication Protocol) you can simply enter your account name and password on the “PAP” section of this same dialog box.
Next click on the “Networking” button and make sure the options “Activate interface at boot time,” “Set default route when making connection,” and “Restart PPP when connection fails” are selected. Click “Done” to save your changes. Next, click on the “Routing” button and select the “IPv4” forwarding option. Now click on the “Names” button and enter the IP address of the DNS server you got from your ISP into the lower part of the screen, as shown in Figure Five. This is critical, since it tells your system where it can get name-translation services that let it map human-friendly names, like http://www.linux-mag.com, to the more computer-friendly form of an IP address.
To make PPP work exactly as we’d like, edit the file /etc/ppp/options and add these three lines at the end:
The :10.0.0.1 is a phony address that merely keeps pppd (the PPP daemon program) happy while it’s running until it gets a dynamically assigned IP address from your ISP. demand configures the PPP link to use on-demand dialing, so that it will automatically dial in to your ISP whenever ppp0 needs the connection. idle 60 determines how long, in seconds, the modem will stay connected while the line is idle before disconnecting. Since it takes 30 seconds or longer for most dial-up connections to start, make this delay long enough that it won’t drop your line while you are reading a Web page. Browsing the Web can be slow enough without redials.
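Written out, the three options described above look like this at the end of /etc/ppp/options. This fragment is an added reconstruction based on the description in the text, not a copy of the article's original listing; the values are exactly the ones the text names.

```text
# placeholder remote address, replaced once the ISP assigns a real one
:10.0.0.1
# dial only when ppp0 has traffic to send
demand
# hang up after this many idle seconds
idle 60
```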
To test your system, do the following from a command line:
This will make sure that pppd isn’t running, start it, and then ping IBM. If everything is working properly the ping command should make your modem dial and connect to your ISP, and the output of ping should start appearing. Stop ping with ctrl-c, and your modem should hang up after 60 seconds, or whatever idle value you used in /etc/ppp/options.
Next we add IP masquerading to gateway, by using a text editor to insert the following lines into the file /etc/rc.d/rc.local.
Listing One: Enabling IP Masquerade from a Start-up Script
# remove any existing forwarding rules to be safe
/sbin/ipchains -F forward
# set the default forwarding policy to DENY
/sbin/ipchains -P forward DENY
# stop NetBIOS broadcast packets from causing an autodial
# (these must come before the MASQ rule: ipchains acts on the first rule that matches,
# and the MASQ rule matches every packet from the LAN)
/sbin/ipchains -A forward -j DENY -p tcp -s 0.0.0.0/0 137:139
/sbin/ipchains -A forward -j DENY -p udp -s 0.0.0.0/0 137:139
# turn on IP masquerading for outgoing packets from the LAN
/sbin/ipchains -A forward -j MASQ -s 192.168.1.0/24 -d 0.0.0.0/0
# load some masquerading proxy modules into the kernel
# (no spaces around the "=" in a shell assignment)
MODULES='ftp irc raudio'
for SERVICE in $MODULES; do
    /sbin/modprobe ip_masq_$SERVICE
done
The SERVICE loop in Listing One loads proxy modules, which ensure that certain protocols, like FTP and Quake, which are normally broken by IP masquerading, will still work. You can list the masquerading proxy modules on your system with the command /sbin/modprobe -l | grep ip_masq.
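Because ipchains acts on the first rule that matches, the order of the rules in Listing One matters: if the MASQ rule for 192.168.1.0/24 comes before the two NetBIOS DENY rules, every packet from the LAN is masqueraded before those rules are reached, and they never fire, so a Windows box's name-service traffic would still bring the line up. The following added Python script (not from the article or from ipchains itself) parses the listing's three forward rules with a small, hypothetical first-match evaluator and checks a constructed NetBIOS name query and a constructed Web request from client1 against both orderings, plus one unsolicited packet from outside to show the default DENY policy at work.

```python
"""Added example: first-match evaluation of the ipchains forward rules in Listing One.
Not from the article; parse_rule/matches/verdict are a hypothetical, minimal model."""
import shlex
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")


def parse_rule(line):
    """Parse the subset of 'ipchains -A forward ...' syntax used in Listing One."""
    toks = shlex.split(line)
    rule = {"target": None, "proto": None, "src": ANY, "sports": None, "dst": ANY, "dports": None}
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok == "-j":
            rule["target"] = toks[i + 1]
            i += 2
        elif tok == "-p":
            rule["proto"] = toks[i + 1].lower()
            i += 2
        elif tok in ("-s", "-d"):
            side = "src" if tok == "-s" else "dst"
            rule[side] = ip_network(toks[i + 1], strict=False)
            i += 2
            # an optional port or low:high range may follow the address
            if i < len(toks) and not toks[i].startswith("-"):
                lo, _, hi = toks[i].partition(":")
                rule[side[0] + "ports"] = (int(lo), int(hi or lo))
                i += 1
        else:
            i += 1  # '/sbin/ipchains', '-A', 'forward' carry no match information
    return rule


def matches(rule, pkt):
    """Does this packet (a dict with proto/src/sport/dst/dport) match the rule?"""
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if ip_address(pkt["src"]) not in rule["src"] or ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    for key, port in (("sports", pkt["sport"]), ("dports", pkt["dport"])):
        rng = rule[key]
        if rng is not None and not rng[0] <= port <= rng[1]:
            return False
    return True


def verdict(chain, pkt, policy="DENY"):
    """Target of the first matching rule, else the chain policy (ipchains -P forward DENY)."""
    for line in chain:
        rule = parse_rule(line)
        if matches(rule, pkt):
            return rule["target"]
    return policy


# the three forward rules exactly as they appear in Listing One
MASQ_LAN = "/sbin/ipchains -A forward -j MASQ -s 192.168.1.0/24 -d 0.0.0.0/0"
DENY_NB_TCP = "/sbin/ipchains -A forward -j DENY -p tcp -s 0.0.0.0/0 137:139"
DENY_NB_UDP = "/sbin/ipchains -A forward -j DENY -p udp -s 0.0.0.0/0 137:139"

MASQ_FIRST = [MASQ_LAN, DENY_NB_TCP, DENY_NB_UDP]  # MASQ ahead of the NetBIOS rules
DENY_FIRST = [DENY_NB_TCP, DENY_NB_UDP, MASQ_LAN]  # NetBIOS rules ahead of MASQ

# constructed packets; 203.0.113.10 stands in for any host on the Internet
NETBIOS_QUERY = {"proto": "udp", "src": "192.168.1.2", "sport": 137, "dst": "203.0.113.10", "dport": 137}
WEB_REQUEST = {"proto": "tcp", "src": "192.168.1.2", "sport": 1025, "dst": "203.0.113.10", "dport": 80}
OUTSIDE_PROBE = {"proto": "tcp", "src": "203.0.113.10", "sport": 4444, "dst": "192.168.1.2", "dport": 139}

if __name__ == "__main__":
    for name, chain in (("MASQ first", MASQ_FIRST), ("DENY first", DENY_FIRST)):
        print(name, "NetBIOS ->", verdict(chain, NETBIOS_QUERY),
              " Web ->", verdict(chain, WEB_REQUEST),
              " outside probe ->", verdict(chain, OUTSIDE_PROBE))
```

With MASQ first the NetBIOS query is masqueraded (and would dial the modem); with the DENY rules first it is dropped while the Web request is still masqueraded. The packet from outside matches no rule in either ordering and falls through to the DENY policy set by ipchains -P forward DENY, which is the line in Listing One that keeps the LAN closed to unsolicited traffic.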
Setting up a client system on your LAN so it can access the Internet through your gateway system is very easy — all you have to do is tell each system to use your gateway system as its default gateway, and also provide it with the IP address of the DNS server provided by your ISP.
Run netcfg and enter the DNS server addresses in the bottom box on the “Hosts” screen. Then, click the “Routing” button and enter the IP address of your gateway (192.168.1.1 in our example). You should stop and restart the network interface with the “Deactivate” and “Activate” buttons in netcfg before closing it down.
If your client machine is running Windows, you can configure it to use the same static IP address, net mask, DNS server addresses, and gateway address as we did with the Linux-based client.
There’s no configuration needed for most browsers when they run on a client or the gateway system. This is because the browsers default to using a direct connection to the Internet. You can simply start Netscape Navigator or Communicator and it will find what it thinks is the Internet, which will cause gateway to connect to your ISP, as needed, or use the existing connection, if there is one.
|Figure Six: Use the values provided by your ISP to set the mail-server addresses in your mail client.|
A mail client takes a bit more work, and it’s another area where you have to rely on information from your ISP. For example, when I set up KMail, the mail client that comes with KDE, I had to enter the values shown in Figure Six, including my e-mail address and the name of the SMTP (simple mail transfer protocol) and POP (post office protocol) mail servers, which in this case happen to be the same, but at some ISPs they’re different.
I’ve touched on just the barest details of Linux networking in this article, but you should be able to set up the configuration I’ve described without too much trouble. Try to remember that while networking is probably the most finicky and frustrating part of computer system configuration, you have a lot of resources in the Linux community to rely on, including the HOW-TOs listed in the Web Links sidebar (pg. 54).
|Figure Seven: Configuring the driver module for a second Ethernet adapter using linuxconf.|
If you’re lucky enough to have a cable modem, sharing your one connection over your entire LAN is all the more interesting, since you have far more raw speed to spread around. Luckily, setting it up is even easier than the on-demand dialing. In my case, I have a Time Warner RoadRunner subscription, which works effortlessly with Linux, since it no longer requires an explicit login program. I have my first Ethernet adapter (which is how a cable modem connects to a PC), eth0, configured to use DHCP (dynamic host configuration protocol). When I boot the system it gets an IP address for itself as well as DNS name servers from my ISP.
My system also has a second Ethernet adapter, which is connected to my LAN. To make it work like gateway in our example in the main part of this article, I used netcfg to add a new adapter, eth1, for the second Ethernet board, and basically configured eth1 as we did ppp0 in the main article. The hardest part was remembering to use Red Hat’s linuxconf program, as shown in Figure Seven, to set up the proper driver module for the second adapter.
John Blair is the author of Samba: Integrating Unix and Windows. He can be reached at firstname.lastname@example.org.