
Sharing your Internet connection on Linux
Edmund Ochieng’
April 7, 2010

Abstract
With only one IP address from your Internet Service Provider (ISP)
and multiple PCs, it may appear impossible to share an Internet connection;
a router comes in handy by mapping the public address to multiple internal
addresses used by the PCs. Routers generally aren’t cheap and are often
purchased by big businesses that have the financial muscle. However,
this guide should help a home user or small business turn a Linux box
into an affordable router.

1 Introduction
Several guides on the internet show users how to share an internet connection;
however, many of them make it look like rocket science even to everyday Linux
users. This document will attempt to make the process as easy as it can be.
If it's still difficult to understand, let me know. Perhaps I will be able to do
something about it. Hope you enjoy the guide.

2 Planning your network


Planning is crucial and depends on the number of computers with which you wish
to share the internet connection. It greatly determines the speeds accessible by
each client. For instance, if an entire class C network such as 192.168.1.0 /
255.255.255.0 is used, the internet speed will be divided by 254, the number of
valid hosts. Thus, if the number of IP addresses used is less than 254, then an
operation known as subnetting is necessary to optimize the internet speeds.

3 Doing the job


This section takes us step by step through the configuration process, giving
multiple solutions where applicable.

3.1 Choosing size of the network


The size of the network should be equal to or greater than the number of hosts
to be networked. A slightly larger subnet is preferred to allow for easy expansion
without having to change the network configuration. For this
guide we shall assume we have four PCs that we wish to connect to the
internet, excluding the connected Linux PC. This makes a total of five hosts.

Each network should have two additional addresses for the network address
and broadcast address. Thus we shall add 2 to 5 to make 7 hosts.

$7 \le 2^y$, where $y$ is the number of host bits

$7 \le 2^3 \Rightarrow 7 \le 8$
$8 - 7 = 1$ extra IP address

We can instead take $y = 4$ to increase the number of free slots,

but,
$x + y = 8$
$x = 8 - y$
$x = 4$ network bits

This implies the netmask shall be 255.255.255.240. Taking the first subnet,
our network address shall be 192.168.1.0 and the netmask 255.255.255.240.

Here is how we obtain 240 in our last octet. Since x = 4, the first four bits
of the octet are set, and the last octet of our netmask becomes 240.

bit 1   bit 2   bit 3   bit 4   bit 5   bit 6   bit 7     bit 8
128     192     224     240     248     252     invalid   invalid

Our new subnet will therefore have the following properties:


Network address: 192.168.1.0
Netmask: 255.255.255.240
Broadcast address: 192.168.1.15
Valid hosts: 192.168.1.1 to 192.168.1.14
Gateway: 192.168.1.1 (our Linux box's IP address)

The details of subnetting are beyond the scope of this document. However,
for further reading you may visit the Subnetting tutorial [3] in the references
section.
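
The sizing calculation above, carried through in shell as an added example (not part of the original guide). It works on the full 32-bit address rather than only the last octet, and the function names and the spare-bits argument are hypothetical.

```shell
#!/bin/sh
# Added example: size a subnet the way section 3.1 does.

# ip4_to_int A.B.C.D -> 32-bit integer (subshell keeps IFS change local)
ip4_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# int_to_ip4 N -> dotted quad
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# subnet_plan BASE CLIENT_PCS [SPARE_BITS]
# Needed addresses = client PCs + the Linux gateway + network + broadcast.
subnet_plan() (
    base=$1 pcs=$2 spare=${3:-0}
    need=$(( pcs + 1 + 2 ))
    y=0                                   # y = number of host bits
    while [ $(( 1 << y )) -lt "$need" ]; do y=$(( y + 1 )); done
    y=$(( y + spare ))                    # optional room for growth
    [ "$y" -le 30 ] || { echo "subnet too large" >&2; exit 1; }
    mask=$(( (4294967295 << y) & 4294967295 ))
    net=$(( $(ip4_to_int "$base") & mask ))
    bcast=$(( net + (1 << y) - 1 ))
    first=$(( net + 1 ))
    last=$(( bcast - 1 ))
    echo "network=$(int_to_ip4 $net) prefix=/$(( 32 - y ))" \
         "netmask=$(int_to_ip4 $mask) broadcast=$(int_to_ip4 $bcast)" \
         "hosts=$(int_to_ip4 $first)-$(int_to_ip4 $last)"
)

# The guide's case: four client PCs, one spare host bit (y = 4)
subnet_plan 192.168.1.0 4 1
# The tightest fit (y = 3) leaves a single free address
subnet_plan 192.168.1.0 4
```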

3.2 Configuring DHCP


To reduce the task of assigning network configurations to individual hosts, we
may choose to set up a DHCP server. If anything in the config file is unclear,
kindly refer to “Linux DHCP Server configuration” [4]. Our configuration shall
be as shown below:

[stuart@desert ~]$ cat /etc/dhcpd.conf
ddns-update-style interim;
ignore client-updates;

# The declaration must match the subnet planned in section 3.1
subnet 192.168.1.0 netmask 255.255.255.240 {

    # --- default gateway
    option routers 192.168.1.1;
    option subnet-mask 255.255.255.240;

    option nis-domain "sandstorm.org";
    option domain-name "sandstorm.org";
    option domain-name-servers 192.168.1.1, 212.49.70.xx;

    option time-offset 10800; # East African Time

    # option ntp-servers 192.168.1.1;
    # option netbios-name-servers 192.168.1.1;
    # --- Selects point-to-point node (default is hybrid). Don't change this unless
    # -- you understand Netbios very well
    # option netbios-node-type 2;

    # Dynamic pool, taken from the valid hosts 192.168.1.1 to 192.168.1.14
    range dynamic-bootp 192.168.1.2 192.168.1.10;

    default-lease-time 21600;
    max-lease-time 43200;

    # we want the nameserver to appear at a fixed address
    host ns {
        next-server desert.sandstorm.org;
        hardware ethernet 12:34:56:78:AB:CD;
        fixed-address 207.175.42.254;
    }
}

where 212.49.70.xx is the DNS IP address provided by my ISP.

3.3 Enabling ip forwarding


This can be done in either of the two ways below:

1. Adding a line in /etc/rc.local

Open the file /etc/rc.local as root and append the line below.

echo "1" > /proc/sys/net/ipv4/ip_forward

2. Editing the file sysctl.conf

Log in as root and open the file /etc/sysctl.conf

[root@desert ~]# vi /etc/sysctl.conf

Go to the line shown below, and change the 0 to 1.

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

Finally, restart the network service to activate the new configuration. This
step is applicable for both the solutions above.
[stuart@desert ~]$ /sbin/service network restart

3.4 Configuring the firewall


If you have attempted to access the internet from a client at this point, you
will have noticed that the request times out. To get it working we must
masquerade, which is done in the firewall as shown below:

1. Flush any default rules

[root@desert ~]# iptables -F
[root@desert ~]# iptables -t nat -F
[root@desert ~]# iptables -t mangle -F

2. Delete any additional chains in our tables

[root@desert ~]# iptables -X
[root@desert ~]# iptables -t nat -X
[root@desert ~]# iptables -t mangle -X

3. Add the masquerade rule, save the configuration and restart the firewall

[root@desert ~]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[root@desert ~]# service iptables save
[root@desert ~]# service iptables restart

4. Test configuration

Finally, we can test the configuration to ascertain that our configuration
works using the ping command on a client. Output like that shown below shows
that we are connected to the internet.

[root@desert ~]# ping google.com
PING google.com (64.233.181.147) 56(84) bytes of data.
64 bytes from ni-in-f147.1e100.net (64.233.181.147): icmp_seq=1 ttl=49 time=379 ms
64 bytes from ni-in-f147.1e100.net (64.233.181.147): icmp_seq=2 ttl=49 time=379 ms
64 bytes from ni-in-f147.1e100.net (64.233.181.147): icmp_seq=3 ttl=49 time=368 ms

--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 368.635/376.084/379.839/5.267 ms
[root@desert ~]#

Alas! You learnt a new magic trick. It works!
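
After the flushes in steps 1 and 2 the filter table holds no rules, so what the gateway accepts and forwards is decided only by the chains' default policies. The following added example (not part of the original guide) prints an iptables-restore ruleset that keeps the MASQUERADE rule but forwards only traffic that originates on the LAN plus its replies. The function name, the LAN interface eth1 and the services allowed on INPUT are assumptions.

```shell
#!/bin/sh
# Added example: generate a ruleset for the NAT gateway.
# Arguments: WAN interface, LAN interface, LAN subnet in CIDR form.
# Assumptions: the LAN NIC is eth1 and clients use the gateway for
# DHCP and DNS, as the dhcpd.conf in section 3.2 advertises.
gateway_ruleset() (
    wan=$1 lan=$2 lan_net=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade only packets that really come from the LAN subnet
-A POSTROUTING -s $lan_net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic addressed to the gateway itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -p udp --dport 67 -j ACCEPT
-A INPUT -i $lan -s $lan_net -p udp --dport 53 -j ACCEPT
-A INPUT -i $lan -s $lan_net -p tcp --dport 53 -j ACCEPT
-A INPUT -i $lan -s $lan_net -p icmp --icmp-type echo-request -j ACCEPT
# Routed traffic: LAN to internet, and replies back in
-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
-A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
)

# The guide's network: eth0 faces the ISP, 192.168.1.0/28 is the LAN
gateway_ruleset eth0 eth1 192.168.1.0/28
```

Piping the output to `iptables-restore --test` checks that it parses before it is loaded.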

References
[1] Anonymous, 2nd February 2008, “CentOS / RedHat Linux Internet
Connection sharing.”
http://www.cyberciti.biz/faq/rhel-fedora-linux-internet-connection-sharing-howto/
Accessed Wednesday, April 07 2010 19:47:13 hours.
[2] Phd, 16th January 2008, “How to Masquerade on Linux (Internet connection
sharing).”
http://www.howtoforge.com/internet-connection-sharing-masquerading-on-linux
Accessed Wednesday, April 07 2010 20:04:21 hours.
[3] Becker, Ralph, 25th January 2007, “IP Subnetting Tutorial.”
http://www.ralphb.net/IPSubnet/
Accessed Wednesday, April 07 2010 21:25:45 hours.
[4] Ochieng, Edmund, 3rd March 2010, “Linux DHCP Server configuration.”
http://www.scribd.com/full/27775817?access_key=key-303haxdvitgb29x4ohs
Accessed Wednesday, April 07 2010 21:49:54 hours.

Figure 1: Makmende amerudi
