Friday, January 02, 2009

Sharing an Internet Connection on Mandriva 2009.0

Sadly and frustratingly, the Mandriva Linux wizard intended to set up Internet sharing, drakgw, is broken* and has not been well maintained. Until they fix it, here's how to do it by hand, assuming that ppp0 is your Internet-facing connection and eth0 connects to your local LAN. Thanks in part to mheanre and the folks at TWUUG.

1. Mandriva uses shorewall as the default firewall. It needs to be told which traffic to allow between the LAN zone (loc), the firewall host itself (fw) and the Internet zone (net). Edit the contents of /etc/shorewall/policy to look like this:

loc net ACCEPT
fw loc ACCEPT

fw net ACCEPT
net all DROP info
all all REJECT info
loc $FW ACCEPT -

2. Enable IP forwarding in the kernel (the prerequisite for masquerading):

# echo 1 > /proc/sys/net/ipv4/ip_forward

To make this permanent, add the following to /etc/sysctl.conf:

# sysctl name of /proc/sys/net/ipv4/ip_forward; turns forwarding on for every interface
net.ipv4.ip_forward = 1

3. Tell iptables to use NAT:

# /sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

I found that I needed to add that line to the end of /etc/rc.d/rc.local for it to survive a reboot.

4. Turn on SYN cookies to mitigate SYN-flood denial-of-service attacks (this is optional):

# echo 1 > /proc/sys/net/ipv4/tcp_syncookies

Again, to make it permanent, add the following to /etc/sysctl.conf:

net.ipv4.tcp_syncookies = 1

5. Modify /etc/sysconfig/network-scripts/ifcfg-eth0 as follows:


This makes eth0 use the default gateway that is established for ppp0 when it dials in to the ISP.
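The steps above done by hand, as an added example that is not code from the original post: a small script that applies steps 2 to 4 for the running session, builds the MASQUERADE rule and sysctl lines so they can be reviewed before being added to /etc/rc.d/rc.local and /etc/sysctl.conf, and checks a shorewall policy file from step 1 for two properties the setup depends on (no policy accepts traffic whose source zone is net, and a catch-all "all all REJECT" or DROP entry exists). The variable WAN_IF, its default of ppp0 (the post's Internet-facing interface) and all function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Applies steps 2 to 4 by hand
# and sanity-checks the shorewall policy file from step 1. WAN_IF and the
# function names are this example's own assumptions; ppp0 is the post's default.
set -u

WAN_IF="${WAN_IF:-ppp0}"   # Internet-facing interface (assumed default: ppp0)

# Check a shorewall policy file (columns: SOURCE DEST POLICY [LOG LEVEL]) for
# two properties the post's setup depends on: no policy ACCEPTs traffic whose
# source is the Internet zone "net", and a catch-all "all all REJECT" (or
# DROP) exists so unlisted zone pairs are never silently allowed.
# Returns 0 when both hold, 1 otherwise, with the reason on stderr.
check_policy() {
    file="$1"; catchall=0
    while read -r src dst pol rest || [ -n "$src" ]; do
        case "$src" in ''|\#*) continue ;; esac   # skip blank lines and comments
        if [ "$src" = net ] && [ "$pol" = ACCEPT ]; then
            echo "policy: 'net $dst ACCEPT' lets Internet hosts in by default" >&2
            return 1
        fi
        if [ "$src" = all ] && [ "$dst" = all ]; then
            case "$pol" in REJECT|DROP) catchall=1 ;; esac
        fi
    done < "$file"
    if [ "$catchall" -eq 0 ]; then
        echo "policy: missing catch-all 'all all REJECT' (or DROP) entry" >&2
        return 1
    fi
    return 0
}

# The MASQUERADE rule from step 3, built as a string so it can be reviewed or
# appended to /etc/rc.d/rc.local unchanged. Argument: the Internet-facing interface.
nat_rule() {
    printf '/sbin/iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$1"
}

# The two lines that make steps 2 and 4 permanent in /etc/sysctl.conf.
sysctl_lines() {
    printf 'net.ipv4.ip_forward = 1\nnet.ipv4.tcp_syncookies = 1\n'
}

# Current kernel state, read from the same /proc files the post writes to.
# Prints "ip_forward=<0|1> tcp_syncookies=<0|1>" ("?" if a file is unreadable).
kernel_state() {
    out=""
    for f in ip_forward tcp_syncookies; do
        v=$(cat "/proc/sys/net/ipv4/$f" 2>/dev/null) || v="?"
        out="$out$f=$v "
    done
    printf '%s\n' "${out% }"
}

# Apply steps 2 to 4 for the running session only (must run as root).
# Permanence still comes from sysctl.conf and rc.local as the post describes.
apply() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    eval "$(nat_rule "$WAN_IF")"
}

# Usage: sh share.sh check /etc/shorewall/policy   (verify the policy file)
#        sh share.sh apply                          (enable forwarding + NAT now)
case "${1:-}" in
    check) check_policy "${2:-/etc/shorewall/policy}" && echo "policy OK"; kernel_state ;;
    apply) apply && kernel_state ;;
esac
```

Run "sh share.sh check" before restarting shorewall: the check refuses a file that ACCEPTs from net or lacks the catch-all, which are the two edits most likely to turn a gateway into an open door. The apply mode only changes the live kernel and NAT table; the printed sysctl lines and NAT rule are what goes into the permanent files.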

Now your computer will act as a gateway to the Internet for your LAN if you designate its IP address as the GATEWAY address on the LAN clients. In my case, I use a Linksys router between the laptop that has a port for the EVDO modem and my LAN. There are Linksys-like routers that can use my EVDO modem directly, and that would, of course, be the better setup, but they cost $$$ and I already had a spare Aspire 5315 laptop I picked up at Wal-Mart when they were on sale (I purchased 4 of them for family members).

* It seems that the wizard fails to detect any/all/wrong Ethernet devices for the LAN connection. In my case, it detects the wireless device which I do not want to use, but does not detect the Ethernet device I do want. From posted comments, it may have something to do with the firewall application shorewall interfering with the detection, but in my case, disabling shorewall had no effect nor did blacklisting the wireless device (although that did cause it not to show up among the selections).

