Book Image

Linux Networking Cookbook

By : Agnello Dsouza, Gregory Boyce
5 (1)
Book Image

Linux Networking Cookbook

5 (1)
By: Agnello Dsouza, Gregory Boyce

Overview of this book

Linux can be configured as a networked workstation, a DNS server, a mail server, a firewall, a gateway router, and many other things. These are all part of administration tasks, hence network administration is one of the main tasks of Linux system administration. By knowing how to configure system network interfaces in a reliable and optimal manner, Linux administrators can deploy and configure several network services including file, web, mail, and servers while working in large enterprise environments. Starting with a simple Linux router that passes traffic between two private networks, you will see how to enable NAT on the router in order to allow Internet access from the network, and will also enable DHCP on the network to ease configuration of client systems. You will then move on to configuring your own DNS server on your local network using bind9 and tying it into your DHCP server to allow automatic configuration of local hostnames. You will then future enable your network by setting up IPv6 via tunnel providers. Moving on, we’ll configure Samba to centralize authentication for your network services; we will also configure Linux client to leverage it for authentication, and set up a RADIUS server that uses the directory server for authentication. Toward the end, you will have a network with a number of services running on it, and will implement monitoring in order to detect problems as they occur.
Table of Contents (19 chapters)
Linux Networking Cookbook
About the Author
About the Reviewer

Enabling NAT to the outside

Connecting two local networks is useful, but these days it's more common to want to connect a local network to the Internet. The basic concept works the same, but with the necessary addition of NAT. NAT rewrites your packet headers in order to make them appear as if they come from your router, thus effectively hiding your system's address from the destination.

How to do it…

Create a third NIC (eth2) on server 1 and connect it to your cable modem or ISP's router.

  1. Configure eth2 to receive an IP address via DHCP:

    auto eth2
    iface eth2 inet dhcp
  2. Use iptables to enable NAT on packets heading out through eth2:

    # /sbin/iptables -t nat -A POSTROUTING -o eth2 \
    # /sbin/iptables -A FORWARD -i eth2 -o eth0 -m \
      state --state RELATED,ESTABLISHED -j ACCEPT
    # /sbin/iptables -A FORWARD -i eth0 –o eth2 -j ACCE PT

How it works…

In the last section, we discussed how in order for two systems on different networks to be able to talk to each other, they need to have routes defined which will forward packets to a router that can deliver the packet to the appropriate destination. The same is true on the Internet.

If server 2 attempts to contact an IP address on the Internet, for example Google's nameserver at, your router will pass them onto the destination. Let's give that a try:

# ping -c 2
PING ( 56(84) bytes of data.
--- ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms

No responses were received. So what went wrong here?

You'll recall that I said the IP addresses that we were using were defined by RFC1918 as internal IP address space. Due to this, these IP addresses are not directly usable as Internet hosts. In our example, one of the two following things will happen:

  • Our router will send packets out of the Internet-facing interface, where it will travel across the Internet to our destination, which will respond to the packet. The response will not be able to find its way back to our system due to the un-routed nature of the destination.

  • Our router will send the packets out of its Internet-facing interface, where the next hop will drop the packets due to implementing egress filtering of traffic with invalid source addresses.

Iptables is a command-line tool in Linux for interfacing with the Linux kernel firewall, which is implemented as a part of the netfilter subsystem.

Let's break down the first command line:

  • The -t option specifies the packet matching table to use. In this case, we're going to use the nat table.

  • f-A indicates that the specified rule should be appended to the selected chain, which in this case is POSTROUTING. The POSTROUTING chain is processed after the kernel handles packet routing.

  • -o specifies the output interface. In our example, the eth0 interface contains the internal IP systems and eth2 leads to the Internet.

  • -j specifies what to do if the packet matches the rule. In this case, we're going to masquerade the packet (modify the IP).

Put them together and we have matching packets heading out on eth2; rewrite the source IP address and track it in the NAT table.

The second command is added in the -m command, which matches a packet property, in this case state. For the packets that came in on eth1 (from the Internet), and destined to eth0 (lan), check to see if they are related to or are a part of an established connection. If so, accept the packet and assign it to the FORWARD chain. The FORWARD chain handles any packet that is being passed through your router rather than the packets originating from the system (OUTPUT chain) or packets destined to your system (INPUT chain).

Finally, any packets that come in on eth0 (lan) and are heading out on eth2 (Internet) are just automatically accepted.