Past Meetings

ICS Internet Connection Sharing

We used iptables rules and Network Address Translation (NAT) to share the connection. We also started a DHCP server and a nameserver. Here are the config files:

The DHCP server: /etc/dhcpd.conf
=============================
option domain-name-servers 192.168.123.1;
option subnet-mask 255.255.255.0;
option routers 192.168.123.1;
subnet 192.168.123.0 netmask 255.255.255.0 {
range 192.168.123.150 192.168.123.250;
}
==============================

The nameserver: /etc/dnsmasq.conf
========================
interface=enp32s0
========================
(Yeah, that's it, just one line...)

Here are the iptables rules that actually do the IP forwarding:
=============================
# Rewrite the source address of packets leaving on the uplink to the uplink's own address
iptables -t nat -A POSTROUTING -o wlp8s0b1 -j MASQUERADE
# Let replies to connections the LAN already opened come back in
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Let the LAN open new connections out through the uplink
iptables -A FORWARD -i enp32s0 -o wlp8s0b1 -j ACCEPT
===========================

Here is ics.sh (the commands that turn on ICS and start the nameserver and DHCP server):
===============================
#!/bin/sh
# Give the LAN interface its address, enable forwarding, add the NAT rules,
# then start the DHCP and DNS servers.
ip addr add 192.168.123.1/24 dev enp32s0
sysctl net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o wlp8s0b1 -j MASQUERADE
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp32s0 -o wlp8s0b1 -j ACCEPT
systemctl start dhcpd4
systemctl start dnsmasq
=================================

Here is kill-ics.sh
================================
#!/bin/sh
# Undo ics.sh in reverse order: stop forwarding and the servers, then delete the rules.
sysctl net.ipv4.ip_forward=0
systemctl stop dnsmasq
systemctl stop dhcpd4
iptables -t nat -D POSTROUTING -o wlp8s0b1 -j MASQUERADE
iptables -D FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -D FORWARD -i enp32s0 -o wlp8s0b1 -j ACCEPT
================================
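Here, as an added example and not the meeting's own script, is a combined version of ics.sh and kill-ics.sh. It uses the same interfaces and subnet as above, but it checks each rule with iptables -C before adding or deleting it, so running it twice does not leave duplicate rules; it sets the FORWARD chain's default policy to DROP so that the two ACCEPT rules are the only paths through the box (the scripts above rely on whatever policy is already set, and the kernel default is ACCEPT, in which case the two FORWARD rules restrict nothing); it removes on the way down the address that was added on the way up; and with DRY_RUN=1 it prints the commands instead of running them, so the rule set can be reviewed without root. The DROP policy and the DRY_RUN knob are my additions, not something on the page.

```shell
#!/bin/sh
# ics-ctl.sh: added example (not the meeting's script). "up" brings ICS up,
# "down" takes it down. Interfaces and subnet are the page's; everything else
# here is an assumption of this example.
set -u

LAN_IF=${LAN_IF:-enp32s0}
WAN_IF=${WAN_IF:-wlp8s0b1}
LAN_ADDR=${LAN_ADDR:-192.168.123.1/24}
DRY_RUN=${DRY_RUN:-}          # set to 1 to print commands instead of running them

run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# add_rule TABLE RULE...: append RULE to TABLE only if it is not already there.
# (In dry-run mode iptables is not available to ask, so the rule is always printed.)
add_rule() {
    table=$1; shift
    if [ -n "$DRY_RUN" ] || ! iptables -t "$table" -C "$@" 2>/dev/null; then
        run iptables -t "$table" -A "$@"
    fi
}

# del_rule TABLE RULE...: delete RULE from TABLE if it is present.
del_rule() {
    table=$1; shift
    if [ -n "$DRY_RUN" ] || iptables -t "$table" -C "$@" 2>/dev/null; then
        run iptables -t "$table" -D "$@"
    fi
}

ics_up() {
    run ip addr add "$LAN_ADDR" dev "$LAN_IF"
    run sysctl -w net.ipv4.ip_forward=1
    # Default-deny forwarding: only the two ACCEPT rules below let traffic through.
    run iptables -P FORWARD DROP
    add_rule nat POSTROUTING -o "$WAN_IF" -j MASQUERADE
    add_rule filter FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    add_rule filter FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    run systemctl start dhcpd4
    run systemctl start dnsmasq
}

ics_down() {
    run sysctl -w net.ipv4.ip_forward=0
    run systemctl stop dnsmasq
    run systemctl stop dhcpd4
    del_rule filter FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    del_rule filter FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    del_rule nat POSTROUTING -o "$WAN_IF" -j MASQUERADE
    # The FORWARD policy is left at DROP: with ip_forward off nothing is routed anyway.
    run ip addr del "$LAN_ADDR" dev "$LAN_IF"
}

case "${1:-}" in
    up)   ics_up ;;
    down) ics_down ;;
    "")   ;;   # no argument: only define the functions, so the file can be sourced
    *)    echo "usage: $0 up|down" >&2; exit 2 ;;
esac
```

Run DRY_RUN=1 sh ics-ctl.sh up first and read the output; once it looks right, run the same command as root without DRY_RUN. The iptables -C check is what makes the script safe to re-run after a failed half-way attempt: without it, every extra run appends another copy of each rule, and the single -D in kill-ics.sh only removes one of them.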

I was asked the question, "Why would I be interested in letting a PC do router functions?", to which I did not give an adequate response. The short answer is that not everyone will be interested; most will probably leave all such things to a router, and that router might have every option they need. But there is always the chance that some of us will find a router lacking in some area and will want to move some, if not all, router functions to a PC, whether that is a small low-power machine such as a Raspberry Pi, an old laptop, or even the desktop PC we use for day-to-day tasks. Everyone's wants and needs vary to one degree or another.

There are router / firewall distributions that make all this a bit easier, such as IPCop, Smoothwall, SME Server, pfSense, IPFire and Endian, just to name a few, but there will always be some of us who prefer the learning experience of a roll-your-own approach. I suppose the main reason someone would want to do this is simply "Because I can!" But there are a few features we may not find fully supported in many off-the-shelf routers, such as policy-based routing, load balancing, traffic shaping / quality of service, multiple uplinks, uplink failover, a demilitarized zone, intrusion detection / intrusion prevention, web, FTP and e-mail antivirus, antispam, and content filtering. It boils down to the rather attractive notion of having a full-featured router / firewall that goes beyond what most routers will do. We may not need all the features listed above, but just one or two may be all it takes to spark this type of venture (and the list is not complete either; I'm sure I left some out).
Just being able to say "I built my own" may be all it takes.

The main interest is the firewall aspect, and not just any old firewall but one that is fully customizable. Building a NAT firewall puts lots of advanced routing features at our disposal.

Let's say we want to redirect port 25 mail traffic to a mail server of our choosing, and to block everyone except our own mail server from sending mail out. Maybe we want to block outside access for a particular IP, perhaps both incoming and outgoing traffic for security purposes, so that it is only able to communicate within the LAN. Maybe we want to block an outside IP, or a range of outside IPs. Maybe we want to block ping requests to one PC or another, or to block incoming ping requests altogether. Maybe we want to redirect a certain port to a non-standard one on some server we may have. Experimenting with and learning iptables and network address translation can be interesting.
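The cases just listed, written out as iptables rules in an added example that is not part of the meeting notes. The interface names and the 192.168.123.0/24 LAN come from the page; the host addresses, the blocked outside range (203.0.113.0/24 is a documentation range, not a real target) and the port numbers are constructed placeholders. The rules go into their own chain, LAN_POLICY, which is hooked at the top of FORWARD so they are evaluated before the ICS rule that lets everything from the LAN out through the uplink; DRY_RUN=1 prints the rules instead of applying them.

```shell
#!/bin/sh
# lan-policy.sh: added example (not the meeting's script). Interfaces are the
# page's; all hosts, ranges and ports below are placeholders for this example.
set -u

LAN_IF=${LAN_IF:-enp32s0}
WAN_IF=${WAN_IF:-wlp8s0b1}
MAIL_HOST=${MAIL_HOST:-192.168.123.10}              # placeholder: internal mail server
QUARANTINE_HOST=${QUARANTINE_HOST:-192.168.123.77}  # placeholder: LAN-only host
NO_PING_HOST=${NO_PING_HOST:-192.168.123.20}        # placeholder: host that must not answer pings
BLOCKED_RANGE=${BLOCKED_RANGE:-203.0.113.0/24}      # placeholder: outside range to drop
SSH_HOST=${SSH_HOST:-192.168.123.30}                # placeholder: target of the port forward
PUBLIC_SSH_PORT=${PUBLIC_SSH_PORT:-2222}            # placeholder: non-standard public port
DRY_RUN=${DRY_RUN:-}

run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Inbound SMTP on the uplink is rewritten (DNAT, in PREROUTING) to the internal
# mail server; the LAN_POLICY rule admits the rewritten connection in FORWARD.
redirect_inbound_smtp() {
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 25 -j DNAT --to-destination "$MAIL_HOST:25"
    run iptables -A LAN_POLICY -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$MAIL_HOST" --dport 25 -m conntrack --ctstate NEW -j ACCEPT
}

# Only the mail server may open outbound SMTP; any other LAN host gets a TCP
# reset, so a compromised desktop cannot send mail straight to the Internet.
# The ACCEPT must come before the REJECT, hence -A for both.
restrict_outbound_smtp() {
    run iptables -A LAN_POLICY -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 25 -s "$MAIL_HOST" -j ACCEPT
    run iptables -A LAN_POLICY -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 25 -j REJECT --reject-with tcp-reset
}

# Keep one host LAN-only: nothing it sends is forwarded and nothing is forwarded
# to it. Traffic between LAN hosts never passes through FORWARD, so that still works.
quarantine_host() {
    run iptables -A LAN_POLICY -s "$QUARANTINE_HOST" -j DROP
    run iptables -A LAN_POLICY -d "$QUARANTINE_HOST" -j DROP
}

# Drop an outside range, both for forwarded traffic and for the router itself.
block_outside_range() {
    run iptables -A LAN_POLICY -i "$WAN_IF" -s "$BLOCKED_RANGE" -j DROP
    run iptables -A INPUT -i "$WAN_IF" -s "$BLOCKED_RANGE" -j DROP
}

# Echo requests: drop those aimed at one LAN host, and those from the uplink
# aimed at the router. Other ICMP types are left alone so path-MTU discovery
# and error reporting keep working.
block_ping() {
    run iptables -A LAN_POLICY -p icmp --icmp-type echo-request -d "$NO_PING_HOST" -j DROP
    run iptables -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request -j DROP
}

# Expose an internal SSH server on a non-standard public port.
forward_ssh() {
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$PUBLIC_SSH_PORT" -j DNAT --to-destination "$SSH_HOST:22"
    run iptables -A LAN_POLICY -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$SSH_HOST" --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

apply_policy() {
    if [ -z "$DRY_RUN" ] && iptables -L LAN_POLICY -n >/dev/null 2>&1; then
        run iptables -F LAN_POLICY            # re-run: empty the chain, keep the hook
    else
        run iptables -N LAN_POLICY
        run iptables -I FORWARD 1 -j LAN_POLICY   # evaluated before the ICS rules
    fi
    redirect_inbound_smtp
    restrict_outbound_smtp
    quarantine_host
    block_outside_range
    block_ping
    forward_ssh
    run iptables -A LAN_POLICY -j RETURN      # anything else falls through to the ICS rules
}

case "${1:-}" in
    apply) apply_policy ;;
    "")    ;;
    *)     echo "usage: $0 apply" >&2; exit 2 ;;
esac
```

Putting the site-specific rules in a separate chain is the design choice worth copying: the ICS rules can be added and removed by ics.sh and kill-ics.sh without disturbing the policy, a re-run only flushes LAN_POLICY, and iptables -L LAN_POLICY -n -v shows the packet counters for exactly the decisions you care about, which is the quickest way to confirm that the outbound-SMTP reject or the quarantine drop is actually matching.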

Building your own router may be just an experiment or a sort of hobby, just for fun, but it may turn out to be useful in one way or another; in other words, it may turn out to have some practical aspects.