LANdialler

Routing Documentation

To be able to run the LANdialler server you need a Unix box configured to do some sort of Network Address Translation (NAT) or IP Masquerading. You can use any modern Unix system, so long as it can run Python software. I use Linux, so I've included information on that here. You could use any of the BSD variants (e.g. FreeBSD, OpenBSD, NetBSD), Solaris, etc. instead if you prefer.

Linux Documentation

Without the excellent documentation, setting it up would be quite a long and painful process for the uninitiated. First find out which version of the Linux kernel you are running (type uname -r) and then follow the relevant links below.

Example Scripts

These are the scripts that I use to run iptables on a Linux 2.4 kernel. They provide both NAT and a firewall. If you want to re-use these scripts, just drop them in the /etc/ppp/ip-up.d directory to have them run automatically when dialling up. Once you've dialled up you can check that they've run by running iptables -L (add -t nat to list the masquerading rule, which lives in the nat table).

packet-filter-up

These commands are copied almost verbatim out of the HOWTOs mentioned above. If you have configured your kernel so that all the iptables functionality is compiled directly into the kernel (rather than as modules) then you should comment out all the modprobe or insmod commands.
#!/bin/sh
#
# $Id: routing-docs.html,v 1.4 2004/03/14 15:12:42 graham Exp $
#
# Home firewall script, put together from commands in the NAT and
# packet filtering HOWTO documents.
#
# Suitable for dropping into /etc/ppp/ip-up.d if you're running
# Debian, to be automatically run by /usr/bin/pon after dial up.

# Load the NAT module (this pulls in all the others).
modprobe iptable_nat
# insmod ip_conntrack (autoloaded by iptable_nat by the looks of it)
insmod ip_conntrack_ftp

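# Clear all current rules, so we start from a clean slate. A plain -F
# only flushes the filter table, so also delete the user-defined chains
# (otherwise "iptables -N block" fails on the next dial-up) and flush the
# nat table (otherwise a MASQUERADE rule is added on every dial-up).
iptables -F
iptables -X
iptables -t nat -F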

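# Create chain which blocks new connections, except if coming from inside.
# (Newer iptables releases deprecate the "-i ! ppp0" spelling used below
# in favour of "! -i ppp0".)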
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A block -j DROP

# Jump to that chain from INPUT and FORWARD chains.
iptables -A INPUT -j block
iptables -A FORWARD -j block

# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to
# MASQUERADE the connection (-j MASQUERADE).
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
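
The check suggested above (running iptables -L after dialling up) can be made repeatable. The following is an added example, not one of the author's scripts: it reads iptables-save output and confirms that the ruleset packet-filter-up is meant to install is actually present. The names audit_rules and SAMPLE_GOOD are hypothetical, and the sample ruleset is constructed.

```shell
#!/bin/sh
# Added example: audit iptables-save output against the ruleset that
# packet-filter-up installs. On the router, as root:
#   iptables-save | audit_rules

audit_rules() {   # prints one FAIL line per problem, returns the problem count
    rules=$(cat); problems=0
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }
    n() { echo "$rules" | grep -Ec -e "$1" || true; }   # count matching rules

    for chain in INPUT FORWARD; do
        [ "$(n "^-A $chain -j block\$")" -ge 1 ] || fail "$chain does not jump to block"
    done
    # The catch-all DROP must be the last rule of the block chain.
    last=$(echo "$rules" | grep -E -e '^-A block ' | tail -n 1)
    [ "$last" = "-A block -j DROP" ] || fail "block does not end in DROP"
    # Every ACCEPT in block must be limited to reply traffic or to
    # interfaces other than ppp0 (both negation spellings are recognised).
    safe='--state (RELATED,ESTABLISHED|ESTABLISHED,RELATED) |(! -i|-i !) ppp0 '
    open=$(echo "$rules" | grep -E -e '^-A block .*-j ACCEPT$' | grep -Evc -e "$safe" || true)
    [ "$open" -eq 0 ] || fail "$open ACCEPT rule(s) in block admit new traffic from ppp0"
    # Exactly one MASQUERADE rule; more than one means the script ran
    # again on a nat table that had not been flushed.
    masq=$(n '^-A POSTROUTING -o ppp0 -j MASQUERADE$')
    [ "$masq" -eq 1 ] || fail "expected 1 MASQUERADE rule on ppp0, found $masq"
    return "$problems"
}

# Constructed sample: iptables-save output after one clean run of the script.
SAMPLE_GOOD='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:block - [0:0]
-A INPUT -j block
-A FORWARD -j block
-A block -m state --state RELATED,ESTABLISHED -j ACCEPT
-A block ! -i ppp0 -m state --state NEW -j ACCEPT
-A block -j DROP
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT'

printf '%s\n' "$SAMPLE_GOOD" | audit_rules && echo "sample ruleset OK"
```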
      

packet-filter-down

This script cleans up when the dial up connection is closed down. I really ought to make it unload the kernel modules loaded by the packet-filter-up script...
#!/bin/sh
#
# $Id: routing-docs.html,v 1.4 2004/03/14 15:12:42 graham Exp $
#
# Home firewall stop script.
#
# Suitable for dropping into /etc/ppp/ip-down.d if you're running
# Debian, to be automatically run when the connection is closed down
# (e.g. after /usr/bin/poff).

# Turn off IP forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward