Saturday, July 10, 2004

1) NAT (Masquerading)
You need NAT in order to use a single computer as a masquerading
gateway and share a single external connection with all the computers on
your LAN. This method simply masks the IP packets coming from your LAN
computers (while they communicate with the Internet) as if they were
generated by the gateway itself. This makes sharing simple but
doesn't provide any kind of authentication or user control. With
Linux you use IPTABLES (or IPCHAINS if you have a kernel older than 2.4).

2) HTTP/S Proxy
A proxy does something similar to NAT (as seen by the user), taking
charge of the HTTP, HTTPS and FTP traffic (what your browser does).
It's totally different at a technical level, because an HTTP proxy
does not translate any packets at all: it simply receives requests
from the clients (the browsers on your LAN), then requests the same
resource from the Internet with completely new packets of its own,
receives the answers from the Internet and sends properly generated
packets back to the local browsers as the answer to the originating
request.
With Linux you will most probably use Squid, which handles
authentication too, and does it in a very flexible way, allowing you
to set limitations based on users, IPs, hours, dates, bandwidth and
so on. It does not provide any kind of connection sharing for
protocols other than HTTP, HTTPS and FTP (passive mode only), i.e. you
cannot use an HTTP proxy for videoconferencing, IRC, online games and
so on (unless the application specifically supports it).

The solution depends on what you really want to provide to the users of
your LAN.
Generally the solution is a mix of the two above, where Squid takes
care of what it can (requesting authentication too) and IPTABLES does
the rest.
Squid also gives you a boost in Internet browsing because it's a
caching proxy server: it stores objects on your local storage in order
to minimize access to the outside.
IPTABLES works at the packet level, is very flexible and will help you
build a firewall too, so you get connection sharing and protection
from outside (and maybe from inside too): you can stop unwanted
Internet traffic, log intrusion attempts, and even redirect traffic
from outside to inside (port address translation) for internal servers
which need to be reachable from outside as well.

The hardware you have is enough for a simple masquerading firewall
(RAM and CPU are enough), but you will need a fast and reliable hard disk
if you want to build a caching proxy server, which would be slowed down
if the hard disk is not fast.
I use Coyote Linux very often for such masquerading firewalls; it
uses IPCHAINS (old kernel) and does not need a hard disk (you will need
some RAM, let's say 16MB, and a floppy; that's it). I had a lot of
problems with Squid when the hard disk is slow or gets corrupted. Squid's
efficiency is not so good if the browsing traffic is very
heterogeneous or the cache is too small (hard disks are very cheap by
the way :-).

The following commands set up a Linux box to act as an Internet gateway:

# Clear every rule and user-defined chain in the filter and nat tables
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
# Masquerade everything leaving through the external interface (ppp0)
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
# Allow packets arriving from the LAN interface (eth0) to be forwarded
iptables --append FORWARD --in-interface eth0 -j ACCEPT
# Turn on IP forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
# Dial the ISP (wvdial section "New PPPDx")
wvdial New PPPDx


Notes:
1) In line 5 (the MASQUERADE rule), the interface ppp0 is the outgoing interface (towards the Internet); it is ppp0 here because this setup is designed for ISDN. For ADSL you would use eth1 instead.

2) In line 6 (the FORWARD rule), eth0 is the interface towards the LAN.
3) Line 7 enables IP forwarding on the Linux box.
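The script above shares the connection but leaves the FORWARD chain wide open (default policy ACCEPT, any source accepted from eth0). As an added example, not part of the original post, the following POSIX shell script builds the "connection sharing plus protection" setup described earlier: a DROP default policy with stateful return traffic, rate-limited logging of what gets dropped, and one port-address-translation rule for an internal web server. The interface names, the LAN prefix 192.168.1.0/24 and the server address 192.168.1.10 are assumptions; override them through the environment. Setting IPT=echo prints the rules instead of applying them, which is how the script can be reviewed before touching a live gateway.

```shell
#!/bin/sh
# Added example: masquerading gateway with a stateful firewall, logging,
# and one DNAT (port address translation) rule. Not the original post's script.
# All addresses and interface names below are assumptions; override via env.
WAN_IF="${WAN_IF:-ppp0}"              # external interface (eth1 for ADSL)
LAN_IF="${LAN_IF:-eth0}"              # interface facing the LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed LAN prefix
WEB_SERVER="${WEB_SERVER:-192.168.1.10}"  # assumed internal web server
IPT="${IPT:-iptables}"                # set IPT=echo to print rules only

build_rules() {
    # Start from a clean slate in both the filter and nat tables.
    $IPT -F
    $IPT -t nat -F
    $IPT -X
    $IPT -t nat -X

    # Default policies: nothing reaches the gateway or crosses it
    # unless a rule below allows it.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Traffic to the gateway itself: loopback, replies, and the LAN side.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT

    # Drop packets the connection tracker cannot classify.
    $IPT -A FORWARD -m state --state INVALID -j DROP
    # LAN -> Internet: only from our own prefix on the LAN interface,
    # so a spoofed source address from inside is not masqueraded.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    # Internet -> LAN: only replies to connections the LAN opened.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Port address translation: expose the internal web server on WAN port 80.
    # DNAT rewrites the destination; the FORWARD rule then has to admit
    # the new connection explicitly, since the default policy is DROP.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER:80"
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_SERVER" --dport 80 \
        -m state --state NEW -j ACCEPT

    # Rate-limited log of everything about to fall through to the DROP policy.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "GW-INPUT-DROP: "
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "GW-FWD-DROP: "

    # Masquerade everything leaving through the WAN interface.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

apply_gateway() {
    build_rules
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Only touch the live system when explicitly asked:
#   sh gateway.sh apply            (as root)
#   IPT=echo sh gateway.sh print   (review the rules first)
case "${1:-}" in
    apply) apply_gateway ;;
    print) IPT=echo; build_rules ;;
esac
```

Run it with IPT=echo first and compare the output with the rule set you expect; the dropped packets show up in the kernel log with the GW-INPUT-DROP and GW-FWD-DROP prefixes, which is where the "log intrusion attempts" part of the earlier paragraph comes from.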