NAT and "Connection sharing"

General Layout

One machine has some sort of Internet connection (modem, DSL, whatever; it doesn't matter) and a network interface card (Ethernet, USB, Firewire; it doesn't matter) for the "Local Area Network" (LAN) or "internal network". This machine is known as the "gateway machine" or perhaps "external machine", or even "router". Whatever you call it, it has two network interfaces: the "external" interface facing the Internet, and the "local" or "internal" interface facing the internal network.

One or more other machines are attached to the local network; these are "internal" machines and will not be directly reachable from the outside world of the Internet. This creates a natural firewall-like setup: the internal machines can get out, but the outside world can't get in, because nothing on the Internet can route packets to the internal addresses and a correctly written NAT ruleset only forwards reply traffic back in. All of these machines are typically connected together with a switch or hub.

It is important to think of this very common scenario as two distinct networks, internal and external. Do not think of it as "sharing a connection"; that analogy is strained and hard to explain properly. "Internet Connection Sharing" is Microsoft's marketing name for the feature; the networking term is "Network Address Translation" (NAT). What a home gateway does specifically is source NAT (in Linux terms, "masquerading"): it rewrites the source address of outgoing packets to its own external address and reverses the translation on the replies.

I found some great diagrams, particularly basicnat.gif at megapath.net.

IP Details

The first thing you want to do is make sure the internal network works: all machines on the local network should be able to ping each other (including the gateway machine). The gateway machine should be able to ping the outside world *and* the internal machines.

The internal network should use private addresses reserved by RFC 1918, such as 192.168.X.Y with a subnet mask of 255.255.255.0. If you use these values, make sure all machines have the same X and a different Y (i.e., each machine has a unique IP within 192.168.23.1 through 192.168.23.254; .0 is the network address and .255 is the broadcast address, and neither can be assigned to a machine). The choice of RFC 1918 addresses is significant: these ranges (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) are not routed on the public Internet, so nobody outside can address your internal machines directly, which gives you a somewhat protected and isolated network. Keep in mind that this isolation comes from the missing route, not from any filtering: the gateway still decides what it forwards, so its NAT rules should only let reply traffic back in.
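As an added example (not from the original page), here is a small shell script that checks a planned numbering scheme against the rules above before you start pinging: every address must be a valid RFC 1918 private address (the script accepts all three private ranges, 10/8, 172.16/12 and 192.168/16, not only 192.168.X.Y, and any mask), must be on the gateway's subnet for the given mask, must not be the network or broadcast address, and must be unique. The addresses in the demonstration call at the bottom are made up.

```shell
#!/bin/sh
# Added example, not part of the original page: sanity-check a LAN
# numbering plan (RFC 1918, same subnet as the gateway, usable host part,
# no duplicates). Sample addresses below are constructed for the demo.

# Dotted quad -> 32-bit integer on stdout; exit status 1 if malformed.
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        # reject empty, non-numeric and leading-zero octets ("010" is octal to some shells)
        case "$o" in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 0 if the address lies in 10/8, 172.16/12 or 192.168/16 (RFC 1918), else 1.
is_rfc1918() {
    n=$(ip2int "$1") || return 1
    [ $(( n >> 24 )) -eq 10 ] && return 0      # 10.0.0.0/8
    [ $(( n >> 20 )) -eq 2753 ] && return 0    # 172.16.0.0/12  (172*16 + 1)
    [ $(( n >> 16 )) -eq 49320 ] && return 0   # 192.168.0.0/16 (192*256 + 168)
    return 1
}

# 0 if the two addresses share the network selected by the mask ("same X").
same_subnet() {
    x=$(ip2int "$1") && y=$(ip2int "$2") && m=$(ip2int "$3") || return 2
    [ $(( x & m )) -eq $(( y & m )) ]
}

# 0 if the host part is neither all zeros (network) nor all ones (broadcast).
usable_host() {
    x=$(ip2int "$1") && m=$(ip2int "$2") || return 2
    hostbits=$(( ~m & 4294967295 ))
    h=$(( x & hostbits ))
    [ "$h" -ne 0 ] && [ "$h" -ne "$hostbits" ]
}

# check_lan MASK GATEWAY HOST... : prints one line per problem and returns
# the number of problems found (0 means the plan is sound; capped at 255).
check_lan() {
    mask=$1; gw=$2; shift 2
    problems=0; seen=" "
    for host in "$gw" "$@"; do
        if ! ip2int "$host" >/dev/null; then
            echo "$host: not a valid IPv4 address"; problems=$((problems + 1)); continue
        fi
        is_rfc1918 "$host" || { echo "$host: not an RFC 1918 private address"; problems=$((problems + 1)); }
        same_subnet "$host" "$gw" "$mask" || { echo "$host: not on the gateway's subnet"; problems=$((problems + 1)); }
        usable_host "$host" "$mask" || { echo "$host: network or broadcast address, not usable"; problems=$((problems + 1)); }
        case "$seen" in
            *" $host "*) echo "$host: duplicate address"; problems=$((problems + 1)) ;;
        esac
        seen="$seen$host "
    done
    return "$problems"
}

# Demo with constructed addresses: gateway .1, one good host, one bad one.
check_lan 255.255.255.0 192.168.23.1 192.168.23.10 192.168.23.0 || echo "$? problem(s) found"
```

Run it as `sh check_lan.sh`, or source it and call `check_lan MASK GATEWAY HOST...` with your own list; a non-zero exit status tells you how many entries to fix before moving on to the ping tests.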

The "gateway" or "default route" of the internal machines should be the internal interface of the gateway machine; i.e., if the internal interface of the gateway machine has the IP 192.168.23.1, the gateway setting of all the other internal machines should be 192.168.23.1. The gateway machine's own gateway IP is assigned by your ISP. To check the default route of any Linux machine, run 'netstat -rn'; the line whose Destination is "0.0.0.0" is the default route, and the address in its Gateway column is where everything not matched by a more specific route is sent. In Mandrake, this is set with the "GATEWAY" option in /etc/sysconfig/network; after setting or changing it, run 'service network restart' as root to apply the change. This example shows the gateway of 192.168.0.1 on my home desktop:

[garrick@zorak garrick]$ grep GATEWAY /etc/sysconfig/network
GATEWAY=192.168.0.1
[garrick@zorak garrick]$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.0     0.0.0.0         255.255.255.0   U        40 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U        40 0          0 lo
0.0.0.0         192.168.0.1     0.0.0.0         UG       40 0          0 eth0

The nameserver IP of the internal machines could be that of the gateway machine (but only if you've installed 'bind' on the gateway machine); most commonly it is the public nameserver IPs supplied by your ISP. In this example, I run bind on the gateway machine (note that 'domain' and 'search' are mutually exclusive in resolv.conf; when both appear, the last one wins, so only 'search usc.edu' takes effect in this file):

[garrick@zorak garrick]$ cat /etc/resolv.conf 
domain gs.speculation.org 
nameserver 192.168.0.1
search usc.edu

Unless you've specifically set it up, your machines won't know each other's hostnames, so test by pinging IP addresses. Once pinging by IP works, you can set up proper internal name resolution (which is another topic entirely).

Wrap it up

Once all of the above criteria are met (all of your machines can ping each other, and the gateway machine can ping both internal and external IPs), use your favorite method of applying NAT with iptables. If you have no idea, or have no preference, try the wizard in the Mandrake Control Center (icon on your desktop, or type 'mcc' in a shell). Advanced users can read the iptables documentation and write their own commands; but since that requires detailed knowledge of networking concepts, most people use one of the many "iptables scripts" such as shorewall, IPKungFu, killerwall, or one of the many found at freshmeat or sourceforge. IPKungFu is written by a few freenode/#mandrake regulars. killerwall is written by an EFnet/#mandrake regular.

The Mandrake wizard seems to not work correctly in all cases. If it works for you, great. If it doesn't, forget about it and move on. IPKungFu seems to be much more flexible and reliable overall. Simply download the tarball, unpack it, and read the README. The instructions are simple and clear. The config files are easy with self-documenting comments. You must, at least, edit /etc/ipkungfu/ipkungfu.conf.

killerwall is interesting in that it has an "auto configuration mode" that will probe your machine and automatically guess an appropriate NAT configuration. Like all automated guesses, it isn't correct 100% of the time, but I had a hand in shaping how it guesses, so I feel it does a pretty good job.

Notes

Note, no matter how you set it up, the NAT'ing is done by iptables rules in the kernel. The various firewall/NAT scripts are not daemons; they generate complicated iptables commands based on their configuration, load the rules into the running kernel, and then exit. These rules won't survive a reboot and must be re-applied after every boot (iptables-save and iptables-restore can dump and reload a ruleset, but the scripts described here simply regenerate it). Most scripts clear all existing iptables rules when they start, so if you have multiple iptables scripts (don't forget that Mandrake has some built-in scripts), typically the last one that runs wins. Most scripts come in the form of an initscript designed to run easily at boot-time: "starting" the service sets up the rules, "stopping" the service clears the rules.
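As an added example (not the page's own code, and not taken from the Mandrake wizard, IPKungFu or killerwall), here is the shape of the iptables commands such a script generates, in the initscript form described above: "start" loads the rules and "stop" clears them. It is the kind of ruleset the "write their own commands" option in the previous section leads to. The interface names (eth1 external, eth0 internal) and the LAN 192.168.23.0/24 are assumptions; change them to match your machine. Applying the rules needs root and a kernel with iptables; with DRY_RUN=1 the script prints the commands instead, which is also a handy way to review what any script would do to your machine.

```shell
#!/bin/sh
# Added example, not from the original page or any of the scripts it names:
# a minimal NAT gateway in initscript style ("start" loads, "stop" clears).
# Assumed (not from the page): external eth1, internal eth0, LAN 192.168.23.0/24.
EXT_IF=${EXT_IF:-eth1}
INT_IF=${INT_IF:-eth0}
INT_NET=${INT_NET:-192.168.23.0/24}
DRY_RUN=${DRY_RUN:-0}   # 1 = print the commands instead of running them

# Run (or, in dry-run mode, print) one iptables command.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Kernel IP forwarding on (1) or off (0). Without it nothing is forwarded,
# whatever the FORWARD chain says.
set_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then echo "ip_forward=$1"
    else echo "$1" > /proc/sys/net/ipv4/ip_forward; fi
}

# Remove every rule and user chain in the filter and nat tables and open the
# policies: what "stop" does, and what most scripts do before "start".
flush_rules() {
    for t in filter nat; do
        ipt -t $t -F
        ipt -t $t -X
    done
    for c in INPUT FORWARD OUTPUT; do ipt -P $c ACCEPT; done
}

nat_start() {
    flush_rules
    # Default-deny for traffic into and through the gateway; traffic the
    # gateway itself originates is left open.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP

    # Anti-spoofing: RFC 1918 sources never legitimately arrive from the
    # Internet side. (Skip this if your ISP or modem gives $EXT_IF a
    # private address.) Order matters: these go before any ACCEPT.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        ipt -A INPUT   -i "$EXT_IF" -s "$net" -j DROP
        ipt -A FORWARD -i "$EXT_IF" -s "$net" -j DROP
    done

    # The gateway itself: loopback, anything from the LAN, and replies to
    # connections it opened. Remote admin over $EXT_IF (e.g. ssh) needs an
    # explicit ACCEPT added here.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$INT_IF" -s "$INT_NET" -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Forwarding: LAN out to the Internet, and only reply traffic back in.
    # This is what makes NAT behave like the "natural firewall" the text
    # describes; MASQUERADE alone does not block inbound forwarding.
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The NAT itself: rewrite the source of outbound LAN packets to whatever
    # address $EXT_IF currently has (MASQUERADE rather than SNAT, because a
    # dial-up/DSL address changes).
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j MASQUERADE

    set_forwarding 1
}

# Turn forwarding off first so the LAN is never forwarded without rules.
nat_stop() {
    set_forwarding 0
    flush_rules
}

case "${1:-}" in
    start)   nat_start ;;
    stop)    nat_stop ;;
    restart) nat_stop; nat_start ;;
    "")      ;;   # run without an argument: just define the functions
    *)       echo "usage: $0 start|stop|restart" >&2 ;;
esac
```

Try `DRY_RUN=1 sh natgw.sh start` first and read the output; then run it as root with `start`, and put it in an initscript (or rc.local) so it is re-applied at boot. The state match on the FORWARD chain is what does the real protective work: without it a gateway with ip_forward=1 and a MASQUERADE rule will happily forward anything the outside sends to an internal address it can route to.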

Note, all Linux packet filtering and NAT is handled by iptables (routing itself is the kernel's routing table, managed with 'route' or 'ip route', not with iptables). Most scripts advertised as "firewalls" will support NAT, and vice versa.

Note, setting up DHCP for your internal network has no direct bearing on setting up NAT; it is merely a convenient way of assigning IPs to internal machines. The internal IP of the gateway should *never* be assigned by DHCP: it is the address every client's default route (and often their DNS and DHCP server) points at, so it must be static.


Flames and well-wishes to garrick@speculation.org
All content is © 2002-2004 Garrick Staples,
Registered Linux User #264142.