Thread: How to share an internet connection in Linux

  1. #1
    Very good friend of the forum Virchanza's Avatar
    Join Date
    Jan 2010
    Posts
    863

    How to share an internet connection in Linux

    This "How To" is a work in progress. People can respond in this thread and we'll work together to find the best solution.
    Unfortunately I've only got access to one PC right now so I can't test any of this stuff out.

    Let's say you have a small wired network of three computers all connected together by means of a hub.

    Code:
            PC1
             |
          [hub]--- PC2
             |
            PC3
    Next you come along with your laptop and your Alfa. You use your Alfa to connect to a wireless network, and you want to share your internet connection with this little network of 3 PC's. On your laptop, your Alfa is wlan0 and your wired Ethernet card is eth0.

    The objective is to hook up your laptop to the hub and to provide the other three computers with Internet access.

    So here goes, there are two ways of sharing the Internet connection:

    1) Simple Layer-2 Ethernet Bridging

    You can create a simple Layer-2 bridge between the interfaces wlan0 and eth0. All this does is share all frames between the two interfaces. For instance, if a broadcast frame is received on wlan0, it will be forwarded on to eth0. It's exactly as if you were to take wlan0 and eth0 and connect them into a hub together so that they can both see each other's frames.
    When one of the wired computers on the LAN sends out a DHCP request, it will be received at eth0 on your laptop and from there it will be forwarded to wlan0, and from there the DHCP request will reach the access point. When the DHCP reply comes back from the access point, it will be received at wlan0 on your laptop and from there it will be forwarded to eth0. So each of the three PC's will get an IP address directly from the access point. It will be exactly as though the three PC's were connected directly to the AP.

    2) Make eth0 act as a router that leads to the network on wlan0

    You make eth0 behave as a NAT-enabled router. eth0 will be part of a private network containing the three PC's. eth0 will have its own DHCP server. When eth0 responds to a DHCP request, it specifies itself as the default gateway, meaning that when the other 3 computers want to access the internet, they treat eth0 as the router.
    When eth0 receives an IP packet that has a destination IP address other than its own, it will perform NAT on the packet and then forward the packet on to wlan0. Later when a reply is received on wlan0, your eth0 NAT-enabled router will perform NAT on the packet and forward it on to the appropriate computer. This, by the way, is how Microsoft Internet Connection Sharing works.

    ---------------------------------

    I find the 2nd choice to be preferable, because if you were to change the wifi network that wlan0 is connected to, then the three LAN PC's don't need to know about it, all they need to do is treat eth0 as their default gateway, there's no need for them to perform a DHCP request all over again.

    --------------------------------

    Now here's the thing. I know exactly how to achieve both of these methods in MS-Windows, but since MS-Windows is gay and I don't use it anymore, I want to be able to achieve both of them at the command line in Linux, hence I started this thread.

    ------------------------------

    The First Method
    So far I've been playing around with creating a Layer-2 Ethernet bridge, and it seems as though it's easier than I could ever have imagined. Here's how you create a bridge between wlan0 and eth0:

    Code:
    sudo brctl addbr vhub        #This creates the virtual hub
    sudo brctl addif vhub eth0   #This connects eth0 to the virtual hub
    sudo brctl addif vhub wlan0  #This connects wlan0 to the virtual hub
    sudo ifconfig vhub up
    By the way I found out how to do this from: https://help.ubuntu.com/community/NetworkConnectionBridge

    If I'm not mistaken that should be it. Now just connect your laptop by Ethernet cable into the physical hub and let the 3 PC's do a DHCP. They'll end up with an internet connection. (Sadly I can't test this out because I've only got one computer at my disposal so if I'm wrong then post here and correct me).

    ------------------

    The second method
    This one will be somewhat more complicated. I haven't done much research on this, but it looks like this is achieved by means of using iptables to do "IP masquerading". Basically you set up iptables so that it will create a virtual NAT-enabled, DHCP-enabled router between eth0 and wlan0.
    If anyone has experience with this and has gotten it working, then feel free to beat me to the punch and post your solution here. Otherwise if nobody replies then I'll have a go at it myself and post what I find later.
    ------------------

    Sorry for posting a half-finished How To but I reckon it's better than nothing because this is a topic I'm really interested in. Plus everyone can contribute to find the best solution.
    Ask questions on the open forums, that way everybody benefits from the solution, and everybody can be corrected when they make mistakes. Don't send me private messages asking questions that should be asked on the open forums, I won't respond. I decline all "Friend Requests".

  2. #2
    Good friend of the forums spawn's Avatar
    Join Date
    Jan 2010
    Posts
    280

    The second method:

    # echo '1' > /proc/sys/net/ipv4/ip_forward

    # iptables -t nat -A POSTROUTING -o wlan0 src <YOURNETWORK> -j MASQUERADE

  3. #3
    Very good friend of the forum Virchanza's Avatar
    Join Date
    Jan 2010
    Posts
    863

    Thanks for the reply Spawn.

    I tried it out just there and iptables rejected the src argument, I think you meant -s instead.

    It accepted the following syntax:

    Code:
    sudo iptables -t nat -A POSTROUTING -o wlan0 -s 10.10.10.0/24 -j MASQUERADE
    I wish I could try this out but I've only got 1 computer at my disposal.

  4. #4
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Quote Originally Posted by Virchanza View Post
    Thanks for the reply Spawn.

    I tried it out just there and iptables rejected the src argument, I think you meant -s instead.

    It accepted the following syntax:

    Code:
    sudo iptables -t nat -A POSTROUTING -o wlan0 -s 10.10.10.0/24 -j MASQUERADE
    I wish I could try this out but I've only got 1 computer at my disposal.
    Assuming syntax and the like, spawn's method works equally as well.

    The cool feature with your original though, the bridging, comes into play especially when we think of MiTM attacks. Traceroute through a Layer-2 bridge does not degrade the hop counter.

    I'll give you a moment to think about that.

    Basically, a properly implemented bridge can firewall, MiTM, log, cache, protect or otherwise interact with a network stream. It can forward or deny ARP requests and the like, and it can do all sorts of neat tricks, all without being seen on the network. Certainly the results can be seen, but not the device causing them.

    Personally I use (among other things) bridged devices to firewall out my DMZ networks silently. A proper bridge does not have management interfaces for the bridge* and thus can not be cracked by an intruder**. It is also useful from other networking points of view (protecting 10.0.0.0/8 from Windows broadcast floods for example) though a lot of these "features" are now protected by VLAN's in this day and age.

    Besides which it's good fun to toy with people who can not figure out why their system is doing stupid things when it can ping the server just fine

    *Generally 3 NIC's - two to bridge, one to manage with - the latter having an IP, the former not
    **Short of things like snort-DoS attacks and the like, as well as one-way-shellcode execution, which is why you should never have a default gateway on a management network.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  5. #5
    Good friend of the forums spawn's Avatar
    Join Date
    Jan 2010
    Posts
    280

    Yes, sorry, my fault ....

    I have written many firewalls with PF.
    I'm forgetting how to write an iptables rule.

    Quote Originally Posted by Virchanza View Post
    I wish I could try this out but I've only got 1 computer at my disposal.
    Why not test it in VMware or similar?

  6. #6
    Member Mr-Protocol's Avatar
    Join Date
    Jan 2010
    Location
    Ohio
    Posts
    142

    I have tried this and I couldn't get it to work as I desired.

    I have a Fonera router I am trying to hook to my ethernet card on my laptop via Crossover Cable. The Fonera's IP is static to 10.11.1.1

    My wireless card is hooked up to my WAP for internet with the ip 192.168.0.100

    Commands I entered:
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -o wlan0 -s 10.11.1.0/24 -j MASQUERADE

    My BT4 laptop can contact both the Fonera and outside world. But people connecting to the Fonera cannot access the internet.

    Any ideas? Do I need to use a normal CAT5/6 cable after I have the iptables in place? (I don't think I do but I could be wrong)

  7. #7
    Very good friend of the forum Virchanza's Avatar
    Join Date
    Jan 2010
    Posts
    863

    Quote Originally Posted by Mr-Protocol View Post
    I have a Fonera router I am trying to hook to my ethernet card on my laptop via Crossover Cable.
    This Fonera device, is it an access point? Are all your friends connected to the Fonera wirelessly?

    What slot of the Fonera are you connected into? Are you connected into a normal LAN slot, or is it some sort of WAN slot that performs NAT? (For the rest of this post I'm gonna assume it's a normal LAN slot)

    The Fonera's IP is static to 10.11.1.1
    OK so does that mean that your friends have IP addresses such as:

    10.11.1.5
    10.11.1.6
    10.11.1.7

    that right?

    My wireless card is hooked up to my WAP for internet with the ip 192.168.0.100

    Commands I entered:
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -o wlan0 -s 10.11.1.0/24 -j MASQUERADE


    My BT4 laptop can contact both the Fonera and outside world. But people connecting to the Fonera cannot access the internet.
    What's your computer's IP address on eth0? I presume it's something like 10.11.1.8?

    What you're trying to do is get all of your friends' computers to treat your computer as the default gateway. You need the IP address of your computer (10.11.1.8) to be in their routing table as the default gateway.

    My guess would be that your Fonera device has a built-in DHCP server. When your friends' computers perform a DHCP request, the Fonera device replies and supplies them with an IP address, and I can bet that it also tells them that the default gateway is 10.11.1.1 (of course, you don't want this, you want them to treat 10.11.1.8 as the default gateway).

    What you want to do is disable the built-in DHCP on the Fonera device.

    From there you want to set up a DHCP server on your own computer. So when your friends make a DHCP request, your own computer replies and tells them that the default gateway is 10.11.1.8.

    I've never actually set up a DHCP server on a Linux machine so I'll let someone who's experienced with it fill you in on that one. For now though, you could try using static IP's. For instance, on your friends' computers, just do:

    Code:
    sudo ifconfig wlan0 10.11.1.5 netmask 255.255.255.0 up  #Set IP
    sudo route add default gateway 10.11.1.8  #Set Default Gateway
    sudo sh -c "echo nameserver 208.67.222.222 > /etc/resolv.conf"  #Set DNS
    Then just open up Firefox on your friend's computer and see if you have a connection.

    Get back to us on this because I hope you get it working. I'd be playing around with this myself right now but I only have one computer

    Any ideas? Do i need to use a normal CAT5/6 cable after i have the iptables in place? (I don't think I do but i could be wrong)
    Cross-over cables are pretty much a thing of the past. All modern equipment will sense that the wrong cable is being used and will automatically adapt to it.
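
The gateway setup described in the post above (and as the second method in the opening post), written out as an added example that is not part of the thread: it adds a DHCP server that hands out the laptop as default gateway and a FORWARD policy so only LAN-originated traffic and its replies are routed. It assumes dnsmasq is installed and that eth0 already holds 10.11.1.8; the DHCP pool and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes LAN_IF already holds GW_IP.
LAN_IF=${LAN_IF:-eth0}            # wired side, towards the shared network
WAN_IF=${WAN_IF:-wlan0}           # wireless side, towards the internet
LAN_NET=${LAN_NET:-10.11.1.0/24}  # subnet from the post
GW_IP=${GW_IP:-10.11.1.8}         # laptop address presumed in the post
POOL_START=${POOL_START:-10.11.1.50}   # constructed DHCP pool
POOL_END=${POOL_END:-10.11.1.150}

# Shape checks so a typo or stray character never reaches a root command.
valid_if() { case $1 in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac; }
valid_ip() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}
valid_cidr() {
    valid_ip "${1%/*}" || return 1
    case ${1#*/} in [0-9]|[12][0-9]|3[0-2]) return 0 ;; *) return 1 ;; esac
}

# Emit the commands in order: routing on, forwarding closed by default,
# LAN -> WAN allowed, only reply traffic allowed back, NAT, then DHCP.
gateway_plan() {
    valid_if "$LAN_IF" && valid_if "$WAN_IF" && valid_cidr "$LAN_NET" &&
        valid_ip "$GW_IP" && valid_ip "$POOL_START" && valid_ip "$POOL_END" ||
        return 1
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
dnsmasq --interface=$LAN_IF --bind-interfaces --dhcp-range=$POOL_START,$POOL_END,12h --dhcp-option=option:router,$GW_IP
EOF
}

# Print the plan by default; execute it only when APPLY=1 (needs root).
run_plan() {
    plan=$(gateway_plan) || { echo "invalid interface or address" >&2; return 1; }
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$plan" | sh -e
    else
        printf '%s\n' "$plan"
    fi
}

run_plan
```

The `iptables -P FORWARD DROP` line changes forwarding for the whole machine, so review the printed plan before setting APPLY=1 on a laptop that also routes for VMs or containers.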

  8. #8
    Member Mr-Protocol's Avatar
    Join Date
    Jan 2010
    Location
    Ohio
    Posts
    142

    The Fonera is a wireless router with 1 ethernet port for internet. I have modified it with OpenWRT firmware and it has DHCP disabled. It gave the connected wifi user an IP of 169.254.x.x
    So my first problem is DHCP needs to be running somewhere.

    When I run a DHCP client on eth0, which is connected by crossover cable to the Fonera, it assigns me an IP of 10.11.1.212, so DHCP is enabled on that "internet" port on the Fonera.

    It's a 6 year old laptop so I'll stick with my crossover cable. Hopefully this fills in the blanks a bit.

    I tried following this guide hxxp://dimitar.me/?p=277
    But some things didn't mesh up well with BT4

  9. #9
    Very good friend of the forum Virchanza's Avatar
    Join Date
    Jan 2010
    Posts
    863

    Quote Originally Posted by Mr-Protocol View Post
    The Fonera is a wireless router with 1 ethernet port for internet. I have modified it with OpenWRT firmware and it has DHCP disabled. It gave the connected wifi user an IP of 169.254.x.x
    So my first problem is DHCP needs to be running somewhere.

    When i DHCP Client the eth0 which is cross over cable to the Fonera. It assigns me an IP 10.11.1.212 so DHCP is enabled on that "internet" port on the Fonera.
    At the beginning I thought that the Ethernet slot on your Fonera was a normal LAN slot that would put you on the same network as all the wireless devices, but that isn't the case. You're actually connecting into a WAN port.

    So you've got two separate networks:
    1) There's the one with all the wireless devices on it
    2) There's the one that comes out of the Ethernet WAN port

    These two networks have a router between them, and the router performs NAT.

    As I see it, you have two options:
    1) You can go into your router settings and see if it's possible to treat that WAN slot as if it was just another LAN slot, meaning that the two networks would be merged.

    If you can't do that, then the next option would be:
    2) Turn DHCP back on for the wireless network (so that they won't get 169.*.*.* addresses). Next, go into the router settings, and go to the WAN settings. In the WAN settings, you want to specify the default gateway as your laptop (i.e. the IP address used by eth0 on your laptop).

    So your networks might be as follows:
    The wireless network: 10.1.1.0/24
    The WAN network that contains eth0: 10.2.2.0/24
    The network that contains wlan0: 192.168.0.0/24

    So when a computer on the wireless network sends a packet to the internet, here's where it will go:

    1) The packet will first reach the LAN side of the access point
    2) The access point will perform NAT on the packet and shoot it out the WAN side
    3) On the WAN side, it will reach eth0 of your laptop
    4) Your laptop will perform NAT on the packet and shoot it out wlan0
    5) Once it's on wlan0 it will reach the access point and get to the Internet. . .

    By the way, what's the model number of your Fonera device?

  10. #10
    Member Mr-Protocol's Avatar
    Join Date
    Jan 2010
    Location
    Ohio
    Posts
    142

    I'll give those suggestions a shot later today.

    La Fonera 2100 is the model. UK has La Fonera+ which has a LAN and WAN port.

    My model is for USA and only has a WAN port to host internet for the WIFI router which the Fonera is.

    Edit: OK, I found this link that shows what I want to do, except instead of running ferret and hamster I want to run SSLStrip.

    http://www.dc425.org/dhcp
