Internet Sharing
Why?
Your ISP gives you a single IP address (the external IP address).
But you can't assign this single address to all your PCs.
How?
Build a private network.
Set up one PC in the network that takes that IP address and forwards traffic for the other PCs so they can reach the Internet.
That PC is the gateway of your network; a home router is basically just a gateway.
Internet Sharing
Build a private network
Your PCs are given IP addresses that belong to a private subnet (e.g. 192.168.1.0/24).
Normally a DHCP server assigns the addresses automatically, but for now assume you set them up manually (using ifconfig).
Internet Sharing
Setup the gateway
First it must forward packets between the private network and the Internet:
# echo 1 > /proc/sys/net/ipv4/ip_forward
(This setting is lost on reboot; to make it permanent set net.ipv4.ip_forward=1 in /etc/sysctl.conf.)
But your PCs are using private IP addresses, which are not routable on the Internet,
so you also need to set up NAT on the gateway.
Internet Sharing
Setup NAT on gateway
What should the NAT do?
Replace the "src addr" of outgoing packets with the external IP address (replies are translated back by the kernel's connection tracking).
iptables helps you do the trick.
In iptables, the table "nat" is for this purpose.
You need to alter the "POSTROUTING" chain.
To list the rules in the "nat" table (-n gives a faster result by skipping DNS lookups):
iptables -t nat -L -n
Other iptables options:
iptables -t nat -F: flush (clear) all rules in the table
iptables -t nat -D POSTROUTING 1: delete the first rule in the POSTROUTING chain
iptables -t nat -R POSTROUTING 2 ...: replace the 2nd rule with a new one
iptables -t nat -I PREROUTING 3 ...: insert a new rule as rule number 3, i.e. before the current 3rd rule (the old 3rd rule becomes the 4th)
Internet Sharing
The slides above are about the gateway; what about the other PCs?
They need to know who will forward packets for them.
This is done by setting the default gateway address (the LAN address of the gateway PC):
route add default gw 192.168.1.1
Internet Sharing
Port forwarding
Say you are hosting a web server on PC A.
You want to open the server to people outside your network.
They contact your server at <external IP address, port 80>.
Your router must decide which PC should receive the packet:
change the dst address of the IP packet and forward the packet to the destination PC.
NAT again!
Port forwarding
Similar to the previous rule, but now we change the dst IP address instead of the src one.
Which chain to modify, PREROUTING or POSTROUTING?
The dst IP address must be modified before the packet is routed (otherwise the routing decision would deliver it to the router itself), so the answer is PREROUTING:
iptables -t nat -A PREROUTING -d 137.189.90.91 ! -s 192.168.1.0/24 -p tcp --dport 2222 -j DNAT --to-destination 192.168.1.78
(The dst port stays 2222 because --to-destination names no port; write 192.168.1.78:80 to deliver to port 80 on PC A. "! -s" is the current negation syntax; the older "-s !" form is deprecated. The translated packet must additionally be accepted by the FORWARD chain of the filter table, see the next slide.)
Packet filtering
There are three chains in the "filter" table: INPUT, OUTPUT and FORWARD.
For traffic that neither originates from nor is destined to the router, modify the FORWARD chain.
Diagram: packets from LAN or WAN -> PREROUTING -> routing decision -> FORWARD -> POSTROUTING -> packets to LAN or WAN.
Packets addressed to the router itself go from the routing decision to INPUT; packets generated by the router pass through OUTPUT before POSTROUTING.
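The gateway procedure of the slides so far (IP forwarding, source NAT in POSTROUTING, the port-forwarding DNAT in PREROUTING, and the FORWARD filtering just described) as one script. This is an added example, not the tutorial's own script: the interface names eth0 (WAN) and eth1 (LAN), the 2222 -> 80 port mapping and the IPT dry-run switch are assumptions, while 137.189.90.91 and 192.168.1.78 are the addresses used on the port-forwarding slide.

```shell
#!/bin/sh
# Added example: gateway setup for the slides above (not the tutorial's own script).
# Assumptions (not on the slides): WAN interface eth0, LAN interface eth1 with
# 192.168.1.1/24, external port 2222 mapped to port 80 on PC A. 137.189.90.91 and
# 192.168.1.78 are the addresses used on the port-forwarding slide.
# Run as root:  sh gateway.sh apply
# Dry run (no root, prints the commands only):  IPT='echo iptables' sh gateway.sh apply
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
EXT_IP="${EXT_IP:-137.189.90.91}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SERVER_IP="${SERVER_IP:-192.168.1.78}"
EXT_PORT="${EXT_PORT:-2222}"
SRV_PORT="${SRV_PORT:-80}"
IPT="${IPT:-iptables}"

enable_forwarding() {
    # Without this the kernel silently drops packets not addressed to the gateway.
    case "$IPT" in
        echo*) echo "echo 1 > /proc/sys/net/ipv4/ip_forward" ;;
        *)     echo 1 > /proc/sys/net/ipv4/ip_forward ;;
    esac
}

setup_snat() {
    # Flush the nat table first so re-running the script does not stack duplicates.
    $IPT -t nat -F
    # Outgoing LAN packets leave with the external address as source. With a fixed
    # external IP, SNAT is exactly the rewrite the slide describes; MASQUERADE is the
    # variant for a dynamic address. Replies are translated back by connection tracking.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$EXT_IP"
}

setup_port_forward() {
    # Rewrite the destination before the routing decision (PREROUTING) so the packet
    # is routed to PC A instead of being delivered to the gateway itself. Matching
    # only packets that arrive on the WAN interface keeps LAN hosts from triggering it.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$EXT_IP" ! -s "$LAN_NET" -p tcp \
        --dport "$EXT_PORT" -j DNAT --to-destination "$SERVER_IP:$SRV_PORT"
}

setup_filter() {
    # Forwarded traffic crosses the FORWARD chain of the filter table, so a DNAT rule
    # opens nothing by itself when FORWARD is default-deny: allow LAN -> WAN, replies
    # to established connections, and the single forwarded service.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$SERVER_IP" -p tcp --dport "$SRV_PORT" -j ACCEPT
}

render_gateway() {
    # Runs every step; with IPT='echo iptables' it returns the commands as text.
    enable_forwarding
    setup_snat
    setup_port_forward
    setup_filter
}

case "${1:-}" in
    apply) render_gateway ;;
esac
```

Each client PC still needs its default route pointed at the gateway's LAN address, as on the earlier slide (route add default gw 192.168.1.1). SNAT with a fixed --to-source is the rewrite the slide describes; on a gateway whose external address changes, replace that rule's target with -j MASQUERADE.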
The desired feature:
Internet sharing is only for authenticated users.
When browsing external pages, non-authenticated users are redirected to the login page.
After a successful login, the users are redirected back to the external page.
There are three problems:
How do you redirect users to the login page?
How do you NOT redirect authenticated users to the login page?
How do you bring users back to the external page?
ERGWAVE-style login system
Problem 1 – Redirection to login page
Like port forwarding, we use DNAT to modify the dst address (and port if needed) of packets from the home PCs.
Add a rule to the PREROUTING chain that rewrites the dst address to the router's IP.
The Apache server on the router then receives the request.
But note that the URL (document path) and the Host header in the HTTP request are left unchanged,
e.g. a request for http://company_a.com/file.txt arrives at 192.168.1.1 as a request for /file.txt
Your Apache server will answer with error 404.
You should set up a different web server to handle this:
Set up a new Apache virtual host (covered in the last tutorial), or
Write a simple web server (sample code released)
Method of redirection: HTTP response 302 (Found, originally "Moved Temporarily"); look up the protocol.
Only plain HTTP (port 80) can be intercepted this way: an HTTPS request DNATed to the router fails the browser's certificate check for the original host, so the user sees an error page instead of the login page.
ERGWAVE-style login system
Problem 2 – Avoid redirection
The IP addresses of authenticated users are known,
so the redirection rule should be bypassed for them.
Insert a rule into the PREROUTING chain before the redirection rule;
rules in a chain are evaluated from top to bottom:
iptables -t nat -I PREROUTING 1 ....
This rule checks whether the source IP address is authenticated; if so, the packet is let through and the remaining rules are ignored.
You may use "-j ACCEPT" (or "-j RETURN", which relies on the default policy of the chain).
Caveat: the access right is tied to an IP address, so any host that later obtains the same address (or spoofs it) inherits the login until the rule is removed; matching on the MAC address as well (-m mac --mac-source) narrows this but does not eliminate it.
ERGWAVE-style login system
Problem 3 - Returning to the external site
The site URL should not be forgotten.
How do you know the URL?
From the GET request line (the path) and the Host header of the HTTP request message.
Read them in your own simple web server, or in PHP, or...
Problem 3 - Returning to the external site
How do you remember it?
Encode it into the URL of the router Web UI (the login page), or
Store it in a cookie (refer to the lecture notes), or
Store it on the router (maintain a mapping between user IP address and external page URL)
Whichever you choose, the remembered URL came from the client, so check that it is an http:// URL before redirecting to it; otherwise the login page becomes an open redirect.
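The three problems worked as one small portal in shell. This is an added example, not the released sample code: the router address 192.168.1.1, the portal port 8080, the /login path, the auth file /var/lib/portal/auth (one "<ip> <unix login time>" line per user) and the IPT dry-run switch are all assumptions. handle_request reads one HTTP request on stdin and writes the 302 on stdout, so it can be launched per connection by an inetd-style tool or tested from a pipe; the password check that precedes complete_login is not on the slides and is left out.

```shell
#!/bin/sh
# Added example of the three pieces of the login system, not the tutorial's released
# sample server. Assumptions (not on the slides): router LAN address 192.168.1.1, the
# portal listening on 192.168.1.1:8080 with its login page at /login, and
# /var/lib/portal/auth as a file with one "<ip> <unix login time>" line per
# authenticated user. IPT='echo iptables' prints rules instead of installing them.
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"
PORTAL_PORT="${PORTAL_PORT:-8080}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
AUTH_DB="${AUTH_DB:-/var/lib/portal/auth}"
IPT="${IPT:-iptables}"

# Problem 1: DNAT every HTTP request from the LAN (except ones for the router itself)
# to the portal. Appended, so it stays below the bypass rules inserted at position 1.
install_redirect_rule() {
    $IPT -t nat -A PREROUTING -s "$LAN_NET" ! -d "$ROUTER_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$ROUTER_IP:$PORTAL_PORT"
}

# Problem 2: an authenticated IP bypasses the redirect. Inserted as rule 1, so it is
# evaluated before the DNAT rule; ACCEPT ends traversal of the nat PREROUTING chain.
grant_access() {   # $1 = client IP
    $IPT -t nat -I PREROUTING 1 -s "$1" -j ACCEPT
    echo "$1 $(date +%s)" >> "$AUTH_DB"
}

# Percent-encode the characters that matter inside a query parameter. Enough for what
# a GET line and Host header carry here; a general encoder covers every non-unreserved byte.
urlencode() {
    printf '%s' "$1" | sed -e 's/%/%25/g' -e 's/:/%3A/g' -e 's|/|%2F|g' -e 's/?/%3F/g' \
        -e 's/&/%26/g' -e 's/=/%3D/g' -e 's/#/%23/g' -e 's/ /%20/g'
}
urldecode() {
    printf '%s' "$1" | sed -e 's/%3A/:/g' -e 's|%2F|/|g' -e 's/%3F/?/g' -e 's/%26/\&/g' \
        -e 's/%3D/=/g' -e 's/%23/#/g' -e 's/%20/ /g' -e 's/%25/%/g'
}

# Problem 1 (the 404 problem) and problem 3: the DNATed request still names the
# original host and path, so rebuild the URL from the GET line and the Host header
# and answer 302 to the login page, carrying that URL in the query string.
handle_request() {   # reads one HTTP request from stdin, writes the response to stdout
    path=/; host=""; cr=$(printf '\r')
    while IFS= read -r line; do
        line=${line%"$cr"}
        [ -z "$line" ] && break           # blank line ends the header block
        case "$line" in
            GET\ *)    path=${line#"GET "}; path=${path%%" "*} ;;
            [Hh]ost:*) host=${line#*:}; host=$(printf '%s' "$host" | tr -d ' ') ;;
        esac
    done
    orig="http://$host$path"
    printf 'HTTP/1.1 302 Found\r\nLocation: http://%s:%s/login?url=%s\r\nContent-Length: 0\r\nConnection: close\r\n\r\n' \
        "$ROUTER_IP" "$PORTAL_PORT" "$(urlencode "$orig")"
}

# After the password check (not covered by the slides): grant access and send the user
# back. Only http:// targets are accepted, so a crafted "url" parameter cannot turn
# the login page into an open redirect; anything else lands on the router's own page.
complete_login() {   # $1 = client IP, $2 = query string of the login request
    raw=${2#*url=}; raw=${raw%%&*}
    url=$(urldecode "$raw")
    case "$url" in
        http://*) ;;
        *) url="http://$ROUTER_IP/" ;;
    esac
    grant_access "$1"
    printf 'HTTP/1.1 302 Found\r\nLocation: %s\r\nContent-Length: 0\r\nConnection: close\r\n\r\n' "$url"
}

case "${1:-}" in
    request)       handle_request ;;
    redirect-rule) install_redirect_rule ;;
esac
```

`sh portal.sh redirect-rule` installs the DNAT rule (as root); `sh portal.sh request` handles one connection when run by a per-connection launcher such as socat or inetd bound to port 8080. A real login handler would call complete_login with the client's address from the socket, never with an address supplied in the request.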
Timeout
Feature:
In "login mode", a user gets the right to access the Internet after logging in.
This access right times out after a specified period;
the user then needs to log in again.
The job of removing the access right from the user is automatic, performed at a certain time.
This can be done by cron.
cron, crontab
cron is a daemon that executes scheduled commands.
crontab is the utility that manipulates cron's schedule.
The schedule is a table; you may edit it with a text editor (try: crontab -e).
Example - adding a task from the command prompt:
# echo "* * * * * date >> /root/beat.txt" | crontab -u root -
This writes the date and time to the file every minute.
Format of a task line:
minute hour day_of_month month day_of_week command
e.g. "30 7 * * 1-5 alarm" means: on every weekday (Monday to Friday), run the alarm command at 7:30.
crontab
The above command replaces the user's whole cron schedule.
To append jobs to a crontab, use "crontab -l" to dump the contents to a file first, append the new job to the file, and reload the crontab with "crontab filename".
Note that cron is for repeating routines; for one-time-only jobs use "at", which is served by the atd daemon:
Start (or restart) atd first: /etc/init.d/atd restart
echo "date > test.txt" | at NOW + 5 minutes
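The timeout job and its installation into cron, as an added example (not from the tutorial). It assumes the authenticated users are recorded in /var/lib/portal/auth as "<ip> <unix login time>" lines and that each has a bypass rule "-s <ip> -j ACCEPT" in the nat PREROUTING chain, as in the login slides; TIMEOUT, the log path and the IPT and CRONTAB dry-run switches are assumptions as well.

```shell
#!/bin/sh
# Added example for the timeout feature, not from the tutorial. Assumptions (not on the
# slides): /var/lib/portal/auth holds one "<ip> <unix login time>" line per user whose
# bypass rule "-s <ip> -j ACCEPT" sits in the nat PREROUTING chain; access expires
# TIMEOUT seconds after login. IPT='echo iptables' prints instead of installing.
AUTH_DB="${AUTH_DB:-/var/lib/portal/auth}"
TIMEOUT="${TIMEOUT:-3600}"
IPT="${IPT:-iptables}"
CRONTAB="${CRONTAB:-crontab}"

# Revoke every login older than TIMEOUT. $1 is "now" as a unix time so the logic can
# be exercised with a fixed clock; the cron job passes $(date +%s).
revoke_expired() {
    now="$1"
    [ -f "$AUTH_DB" ] || return 0
    keep=$(mktemp)
    while read -r ip ts; do
        [ -z "$ip" ] && continue
        if [ $((now - ts)) -ge "$TIMEOUT" ]; then
            # Delete by rule specification, not by number: the numbers shift every
            # time a login inserts a new rule at position 1.
            $IPT -t nat -D PREROUTING -s "$ip" -j ACCEPT
        else
            echo "$ip $ts" >> "$keep"
        fi
    done < "$AUTH_DB"
    mv "$keep" "$AUTH_DB"
}

# Crontab line that runs the revoke step every minute.
cron_line() {   # $1 = installed path of this script
    echo "* * * * * $1 revoke >> /var/log/portal-timeout.log 2>&1"
}

# Merge the job into an existing crontab read from stdin. Feeding only the new line to
# "crontab -" would replace the whole table, the pitfall the slides warn about; any
# previous copy of this job is dropped so re-installing does not duplicate it.
merged_crontab() {   # $1 = installed path of this script
    grep -vF -- "$1" || true
    cron_line "$1"
}

install_cron_job() {   # $1 = installed path of this script
    { $CRONTAB -l 2>/dev/null || true; } | merged_crontab "$1" | $CRONTAB -
}

case "${1:-}" in
    revoke)  revoke_expired "$(date +%s)" ;;
    install) install_cron_job "${2:-$0}" ;;
esac
```

`sh portal-timeout.sh install /usr/local/sbin/portal-timeout.sh` (as root) merges the job into root's crontab; `sh portal-timeout.sh revoke` is what cron then runs every minute. The slides' one-shot alternative also works: at login time, queue `echo "/usr/local/sbin/portal-timeout.sh revoke" | at NOW + 60 minutes` instead of polling.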
Questions?