Quote:
Originally posted by Tox1cThreat
While were on linux as server, wahts the best way to set up a Kubuntu box as a basic wireless router?
I have 6 people in my dorm suite, adn we want to use wireless in he common room, but we dont want to buy a router, I have a laptop thats running Kubuntu and I want to set it up so we can all share a connection. |
IPtable: You can setup a router or manage your firewall with it. Basically it's a packet filtering engine of the Linux kernel. You can setup a basic 1:1 NAT, assuming you have two network cards, 1 connected to an ISP device like a modem, the 2nd one connected to a switch providing other computers access to the Internet. For NAT to work, IPforward
If you want to turn the box into an access point, well that's just something I haven't seen yet, but you can enable an ad hoc, which is a wireless card connected to another wireless card or device.
Below is an example of setting up IPTable on Fedora Core. You should try searching for a tutorial for Kubuntu, but the same thing done on FC can be appied to your distro.
Sharing an Internet Connection Using NAT
On the Internet there are a lot of scripts available that set up Internet connection sharing using iptables. Each of the scripts boils down to the same few basic iptables commands with minor differences. This section discusses those few statements to explains how a connection can be shared.
There are two ways you can share a single connection to the Internet (one IP address). Both involve setting up NAT to alter addresses in and forward packets. The first allows clients (browsers, mail readers, and so on) on several systems on a LAN to share a single IP address to connect to servers on the Internet. The second allows servers (mail, web, FTP, and so on) on different systems on a LAN to provide their services over a single connection to the Internet. You can use iptables to set up one or both of these configurations. In both cases, you need to set up a system that is a router: It must have two network connections—one connected to the Internet and the other to the LAN.
For optimum security, use a dedicated system as a router. Because data transmission over a connection to the Internet, even a broadband connection, is relatively slow, using an slower, older system as a router does not generally slow down a LAN. This setup gives you some defense against intrusion from the Internet. A workstation on the LAN can also function as a router, but this setup means you have data on a system that is directly connected to the Internet. The following sections discuss the security of each setup.
The examples in this section assume that the device named eth0 connects to the Internet on 10.255.255.255 and that eth1 connects to the LAN on 192.168.0.1. Substitute the devices and IP addresses that your systems use. If you use a modem to connect to the Internet, you need to substitute ppp0 (or another device) for eth0 in the examples.
In order for the examples in this section to work, you must turn on IP forwarding. First, give the following command and make sure everything is working:
# /sbin/sysctl -w net.ipv4.ip_forward=1
Once you know that iptables is working the way you want, change the 0 to a 1 in the following line in /etc/sysctl.conf to make the kernel always perform IP forwarding:
net.ipv4.ip_forward = 0
Connecting Several Clients to a Single Internet Connection
Configuring the kernel of the router system to allow clients on multiple, local systems on the LAN to connect to the Internet requires you to set up IP masquerading, or SNAT (source NAT). IP masquerading translates the source and destination addresses in the headers of network packets that originate on local systems and the packets that remote servers send in response to those packets. These packets are part of connections that originate on a local system. The example in this section does nothing to packets that are part of connections that originate on the remote systems (on the Internet): These packets cannot get past the router system, providing a degree of security.
The point of rewriting the packet headers is to allow systems with different local IP addresses to share a single IP address on the Internet. The router system translates the source or origin address of packets from local systems to that of the Internet connection, so that all packets passing from the router to the Internet appear to come from a single system, 10.255.255.255 in the example. All packets sent in response by remote systems on the Internet to the router system have the address of the Internet connection, 10.255.255.255 in the example, as their destination address. The router system remembers each connection and alters the destination address on each response packet to that of the local, originating system.
The router system is established by four iptables commands, one of which sets up a log of masqueraded connections. The first command puts the first rule in the FORWARD chain of the FILTER (default) table (–A FORWARD):
# iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
To match this rule, a packet must be
1. Received on eth0 (coming in from the Internet): –i eth0.
2. Going to be sent out on eth1 (going out to the LAN): –o eth1.
3. Part of an established connection or a connection that is related to an established connection: --state ESTABLISHED,RELATED.
The kernel accepts (–j ACCEPT) packets that meet these three criteria. Accepted packets pass to the next appropriate chain/table. Packets that are not accepted pass to the next rule in the FORWARD chain. Packets from the Internet that attempt to create a new connection are not accepted by this rule.
The second command puts the second rule in the FORWARD chain of the FILTER table:
# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
To match this rule, a packet must be
1. Received on eth1 (coming in from the LAN): –i eth1.
2. Going to be sent out on eth0 (going out to the Internet): –o eth0.
The kernel accepts packets that meet these two criteria, which means that all packets that originate locally and are going to the Internet are accepted. Accepted packets pass to the next appropriate chain/table. Packets that are not accepted pass to the next rule in the FORWARD chain.
The third command puts the third rule in the FORWARD chain of the FILTER table:
# iptables -A FORWARD -j LOG
This rule has no match criteria so it acts on all packets it processes. This rule's action is to log packets, which means it logs packets from the Internet that attempt to create a new connection.
Packets that get to the end of the FORWARD chain of the FILTER table are done with the rules set up by iptables and are handled by the local tcp stack. Packets from the Internet that attempt to create a new connection on the router system are accepted or returned, depending on whether the service they are trying to connect to is available on the router system.
The fourth command puts the first rule in the POSTROUTING chain of the NAT table. Only packets that are establishing a new connection are passed to the NAT table. Once a connection has been set up for SNAT or MASQUERADE, the headers on all subsequent ESTABLISHED and RELATED packets are altered the same way as the first packet. Packets that are sent in response to these packets automatically have their headers adjusted so that they return to the originating local system.
# iptables -t NAT -A POSTROUTING -o eth0 -j MASQUERADE
To match this rule, a packet must be
1. Establishing a new connection (otherwise it would not have come to the NAT table).
2. Going to be sent out on eth0 (going out to the Internet): –o eth0.
The kernel MASQUERADEs all packets that meet these criteria, which means that all locally originating packets that are establishing new connections have their source address changed to the address that is associated with eth0 (10.255.255.255 in the example).
Following are the four commands together:
# iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# iptables -A FORWARD -j LOG
# iptables -t NAT -A POSTROUTING -o eth0 -j MASQUERADE
You can put these commands in /etc/rc.local or in a script called by this file on the router system to have them executed each time the system boots. Or you can put them in /etc/sysconfig/iptables, leaving off the iptables command at the start of each line. When you put the commands in the iptables file, they are be executed by the iptables init script each time it is called.
To limit the local systems that can connect to the Internet, you can add a –s (source) match criterion to the last command as shown following:
# iptables -t NAT -A POSTROUTING -o eth0 -s 192.168.0.0-192.168.0.32 -j MASQUERADE
In the preceding command, –s 192.168.0.0-192.168.0.32 causes only packets from an IP address in the specified range to be MASQUERADEd.
Connecting Several Servers to a Single Internet Connection
DNAT (destination NAT) can set up rules to allow clients from the Internet to send packets to servers on the LAN. This example sets up an SMTP mail server on 192.168.1.33 and an HTTP (Web) server on 192.168.1.34. Both protocols use TCP; SMTP uses port 25 and HTTP uses port 80, so the rules match TCP packets with destination ports of 25 and 80. The example assumes the mail server does not make outgoing connections and uses another server on the LAN for DNS and mail relaying. Both commands put rules in the PREROUTING chain of the NAT table (–A PREROUTING –t NAT):
# iptables -A PREROUTING -t NAT -p tcp --dport 25 --to-source 192.168.0.33:25 -j DNAT
# iptables -A PREROUTING -t NAT -p tcp --dport 80 --to 192.168.0.34:80 -j DNAT
To match these rules, the packet must use the TCP protocol (–p tcp) and have a destination port of 25 (first rule, --dport 25) or 80 (second rule, --dport 80).
The --to-source is a target specific to the PREROUTING and OUTPUT chains of the NAT table; it alters the destination address and port of matched packets as specified. As with MASQUERADE and SNAT, subsequent packets in the same and related connections are appropriately altered.
The fact that the servers cannot originate connections means that neither server can be exploited to participate in a DDoS attack on systems on the Internet and cannot send private data from the local system back to a malicious user's system.
Summary
The iptables utility is used to set up firewalls that help to prevent unauthorized access to a system or network. An iptables command sets up or maintains in the kernel rules that control the flow of network packets; rules are stored in chains. Each rule has a criteria part and an action part, called a target. When the criteria part matches a network packet, the kernel applies the action from the rule to the packet.
There are three tables that hold chains: Filter, NAT, and Mangle. Filter, the default table, DROPs or ACCEPTs packets based on their content. NAT, the Network Address Translation table, translates the source or destination field of packets. Mangle is used exclusively to alter TOS (Type of Service), TTL (Time To Live), and MARK fields in a packet. The connection tracking machine, handled by the conntrack module, defines rules that match on the state of the connection a packet is part of.
In an emergency you can give the following command to unload all iptables modules from the kernel and set a policy of DROP for all tables.
# /sbin/service iptables panic
</center> 
.
Linear Mode
