A gateway computer provides a local network with access to another network or the Internet. Linux is easily configured for use as a low-cost, dependable gateway. This Daily Drill Down details a step-by-step process for configuring a Linux server for use as a gateway. It will not cover network security or the procedures for installing networking hardware for use with Linux.
What you will need
To set up this gateway, you’ll need a Linux server with IP forwarding enabled in the kernel, a desktop computer running any operating system, three Linux-compatible network interface cards (NICs), and a hub or a crossover cable.
You should consult the hardware compatibility guide on your Linux vendor’s Web site (or check the Linux Hardware Compatibility Site) to confirm that the network interface cards you select are compatible.
There are five steps in configuring a network to work with a Linux gateway:
- Enable IP forwarding in the Linux kernel on the gateway computer.
- Configure the gateway computer.
- Configure IP masquerading on the gateway.
- Configure the host computer(s).
- Test the network.
Step 1: Enabling IP forwarding
The IP forwarding process enables a gateway to send, or forward, IP packets to destination IP addresses on another network. This ability is required whether the destination address is located within the same office building or on a network a continent away.
To configure a Linux server as a gateway, IP forwarding support must be built into the kernel. To determine whether IP forwarding is enabled or not, run the command
If the output is 1, IP forwarding is enabled; if the output is 0, IP forwarding is not enabled. If the output is 0, run the command
echo 1 > /proc/sys/net/ipv4/ip_forward
again. If the answer this time is 0, you’ll need to recompile the kernel with support for IP forwarding. This is accomplished with the following commands:
make menuconfig or make xconfig
You must make two changes to enable IP forwarding:
- Go to the Networking Options menu and select IP: Advanced Router.
- Go to the Filesystems menu and select Support For /proc Filesystems.
After choosing these options, you’ll need to recompile the kernel. Reboot with the new kernel configuration, then run the two commands mentioned earlier to confirm that IP forwarding is enabled and to enable IP forwarding if necessary.
Step 2: Configuring the gateway
An IP address gives a network, a network server, or a network host a unique identity. There are three blocks of reserved IP addresses. These addresses may be used on a private network, but because they are nonroutable addresses, they are invisible to the Internet. The three groups of nonroutable IP addresses are shown in Table A.
For this Daily Drill Down, we’ll be using the network address 10.28.3.0 for the local network and the address 192.168.1.21 for the gateway supplied by the ISP.
This method is quite often the only method available on a Linux server. All that is required is a text editor like pico, emacs, or vi. At least one of these editors will probably be available on any Linux system you’re likely to use. If not, any text editor will suffice. Also note that this method is the best way to learn how Linux networking operates. After using this method, you’ll be aware of the networking-related files and settings that need to be configured. The other methods work fine, but this method provides you with the most insight into how your system works.
The first network interface we’ll configure is the interface that forwards IP packets. To configure this interface using a text editor, the following steps are necessary. (I’ll use the emacs editor for this example, but any text editor will suffice.)
First, create the network configuration file for the gateway computer with the command
Next, enter the following information into this file:
Let’s take a look at the information in this file:
- The NETWORKING=yes line specifies that networking support is required.
- The FORWARD_IPV4 line must be set to yes for the server to function as a gateway.
- The HOSTNAME line specifies the name for this host, which is normally set during Linux installation. The standard syntax for this line is hostname.domainname. The domain name listed must be the same as the domain name listed in the next line.
- The DOMAINNAME line specifies the domain name for this network and is normally set during Linux installation.
- The next two lines specify information necessary to determine the default gateway for this computer. Although this server will function as a gateway, it actually accesses the Internet through another gateway. In this case, that gateway is supplied by the ISP. The GATEWAYDEV line is necessary when more than one network interface is configured on a system. When multiple interfaces are configured, the GATEWAYDEV line always specifies the device that’s connected to the default gateway provided by the ISP.
Save the network file. Ensure that root is the owner, and set the file’s permissions to (rw-r–r–) with the command
chmod 644 /etc/sysconfig/network
Once the /etc/sysconfig/network file is configured, the next step is to create configuration files for each of the network interface cards on the gateway. The first interface card for which we’ll create a configuration file is the interface that forwards packets to the outside world. The first Ethernet interface configured on a Linux system is always eth0.
To configure the first network interface, create the /etc/sysconfig/network-scripts/ifcfg-eth0 file. To do this, run the command
Then enter the following information into this file:
Let’s look at the information in this file:
- The DEVICE= line specifies the name for this interface. Because this is the first interface configured, it is named eth0.
- The IPADDR= line specifies the IP address for the interface.
- The NETMASK= line specifies the subnet mask (netmask) for this network.
- The NETWORK= line specifies the address of this network.
- The BROADCAST= line specifies the broadcast address for this network.
- The ONBOOT= yes line ensures that this interface will be activated when the system is booted.
To configure the second interface (eth1), use a text editor to create the file /etc/sysconfig/network-scripts/ifcfg-eth1 and enter the IP information for this interface. A typical configuration file for eth1 is shown below:
Step 3: Configuring IP masquerading
IP masquerading makes computers outside your network think that all IP packets from your LAN are coming from the same IP address, regardless of which host computer actually sent the information. To configure IP masquerading on your gateway, enter the following lines into the /etc/rc.d/rc.local file:
#remove any existing forwarding rules
/sbin/ipchains -F forward
#set the default forwarding policy to DENY
/sbin/ipchains -P forward DENY
#enable proxy modules in the kernel. This will allow ftp, irc and audio services to run
#with IP masquerading enabled
MODULES= `ftp irc audio’
SERVICE in $MODULES;
Step 4: Configuring the host computer
The host computers are the desktop computers on the network. To configure the host computers, each host needs to know the network address, the local subnet mask, and the gateway device.
Configuring a Linux host
To configure a Linux host, perform these steps. First, using a text editor, create the /etc/sysconfig/network file with the following command:
Then add the following entries to the network file. Use IP information appropriate for your network:
You will notice that the GATEWAY= line in this file is not the same as the one in the network file on the server. This is because the host computer uses the IP address (of device eth0) of the Linux server as a gateway, while eth0 on the Linux server uses the IP address provided by the ISP as its gateway.
Next, create the /etc/sysconfig/network-scripts/ifcfg-eth0 file on the host. This file contains the TCP/IP information that identifies this computer on the network. Remember that this is the first network interface installed on this computer, so it must be named eth0. Use the command
Add the following entries to the ifcfg-eth0 file. (Use IP information appropriate for your network.)
Configuring a nonLinux host
To configure a nonLinux host, use the network configuration tools appropriate to the desktop operating system you’re using.
Step 5: Testing the network
Before we test the network, let’s review the configuration. The gateway computer now has two network interfaces installed, eth0 and eth1. Eth0 is the gateway for your local network, and it is connected to its Internet device. This may be a cable modem, an ADSL jack, or a network connection that connects to another router or gateway. The gateway for this interface is the gateway IP address supplied by your ISP.
The second interface in the gateway computer is connected directly to the local hub, allowing access by the local network. Ipv4 (internetwork protocol version 4) forwarding is enabled in the kernel and is activated. IP masquerading is enabled on the gateway.
Each host (desktop) computer has one interface installed, and each interface is connected directly to the hub. The gateway device for each host is the IP address of eth0 on the gateway computer.
Once you’ve confirmed the configuration, you’re ready to test your network.
To remove all DNS-related issues from the testing, use only IP addresses during the network test.
There are three tests to perform to confirm that your network is working correctly. First, from a host computer, use the ping command to ping another host computer on the network. For example, from host 10.28.3.1, try to ping host 10.28.3.2. If you don’t get a reply to the ping command, check both network configuration files (/etc/sysconfig/network and /etc/sysconfig/network-scripts-eth0). Correct any problems and run the command /sbin/ifconfig eth0 down to deactivate the interface. Then reactivate the interface using the command /etc/sysconfig/network-scripts/ifup eth0. Once you’re able to ping another host computer on the network, try the next test.
Ping the gateway computer from a host on the network. If you don’t get a reply to the ping command, check the gateway computer’s configuration files. Bring the interface down, then reactivate it after you’ve made any changes. When you can ping the gateway from hosts on the network, you’re ready for the last test.
Ping a host on the Internet from a host computer on the local network. If you’re unable to ping a host on the Internet, run the command /sbin/traceroute IP address to determine whether or not IP packets are reaching the gateway. If the traceroute output shows that ping requests are making it to the gateway but are not being forwarded to the Internet, the problem is occurring at the gateway. Now run the cat /proc/sys/net/ipv4 ip_forward command. If the output from this command is 0, IP forwarding is either not activated or is not enabled in the kernel. Follow the steps mentioned earlier to either activate IP forwarding or enable it in the kernel.
At this point, you should have a functional network, with Internet access through a shared Internet connection via a Linux gateway.
In this Daily Drill Down, I discussed the five-step procedure required to configure a Linux server as a gateway and to configure host computers on a local network to use the Linux gateway for shared Internet access through a single connection.
Jim McIntyre has been training users on IT-related subjects since 1988. He began his training career as a sonar operator in the Canadian Navy. After retiring early from the military in 1996, Jim completed the Novell CNE program, the Adult Education program at Saint Francis Xavier University, and the Webmaster Program at Dalhousie University. He also graduated from the Train the Computer Trainer program at Dalhousie, where he now serves as a contract instructor. Jim has extensive technical support experience, and he tries to see technical problems as training opportunities. If Jim had a motto, it would be: “Share what you know; learn what you don’t.” He didn’t come up with that phrase, but he likes it.
The authors and editors have taken care in preparation of the content contained herein but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.