ICS made easy


homey
06-02-2003, 10:53 AM
My favorite is a quick and easy GUI tool for setting up the masquerading such as http://firestarter.sourceforge.net/

You can edit the iptables or you can use a script to set up Masquerading. This site has a wonderful collection of scripts. http://www.linuxguruz.com/iptables/

1. Setup the local network
eth0 gets an IP address from your ISP.

edit: if you are connected to the Internet by a modem, then you won't need two nics. The modem will probably be called ppp0,
and the nic connected to your other computers may be called eth0.

eth1 gets a static IP address (192.168.0.1) and is connected to the local network.
Your Linux computer acts as the dhcp server for the client computers.
All of the computers are connected through a hub or switch.
The client computers are set to obtain address automatically.

2. Edit the files /etc/dhcpd.conf and /etc/resolv.conf

3. Start the named and dhcpd services

4. Install firestarter and make sure the firestarter service is started.

5. Start the client computer and start surfing. :)

Examples...

/etc/dhcpd.conf

ddns-update-style ad-hoc;
option domain-name "workgroup";
default-lease-time 604800;
max-lease-time 604800;
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.2 192.168.0.50;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.0.255;
    option routers 192.168.0.1;
    option domain-name-servers 192.168.0.1;
}

Note: you can use your ISP's name servers instead of 192.168.0.1. That way, you won't need to start the named service on your computer.


/etc/resolv.conf

; generated by /sbin/dhclient-script
search YOURISP.com

nameserver YOUR ISP IP ADDRESS #1
nameserver YOUR ISP IP ADDRESS #2
nameserver YOUR ISP IP ADDRESS #3
nameserver 127.0.0.1



Check / edit the file /etc/named.conf

// generated by named-bootconf.pl

options {
    directory "/var/named";
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    // query-source address * port 53;
};

//
// a caching only nameserver config
//
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.local";
    allow-update { none; };
};

include "/etc/rndc.key";

elite_syntax
06-02-2003, 11:13 AM
Do you have to have dhcpd installed if you're planning to have internet sharing?

homey
06-02-2003, 02:40 PM
Yep! The Linux box acts as a dhcp server to the client computers.
You don't have to do it this way, but then you would have to put the IP address, subnet, gateway and ISP DNS information into each client computer.

elite_syntax
06-07-2003, 12:45 PM
I had 2 nic cards installed on a dial-up and got the dhcp error. Why is that?

homey
06-07-2003, 02:33 PM
If you are using dialup, the modem acts as the first nic, so you only need to have one nic, which will get a static IP address and is connected to the other computers at a switch/hub.
So the setup would look like this.....
ppp0 has a connection to your ISP
eth0 or eth1 gets a static IP address (192.168.0.1) and is connected to the local network.

My favorite is a quick and easy GUI tool for setting up the masquerading such as http://firestarter.sourceforge.net/

robert0380
06-09-2003, 01:55 AM
Originally posted by elite_syntax
Do you have to have dhcpd installed if you're planning to have internet sharing?


NO!! You do not have to have dhcpd installed. To get around dhcpd, though, you have to do the following:

give the win box a static ip on the same subnet:

i.e. if the Linux box is 192.168.0.1 then the Windows box has to be
192.168.0.XXX (anything other than 1)

you will also have to set the gateway; if the Linux box
has an internal IP of 192.168.0.1... then that is your default gateway

the netmask will be 255.255.255.0

DNS servers:

if you set up the caching DNS server the way he did you can use
192.168.0.1,
but I'd put in the DNS servers of the ISP


dhcp just allows for all that stuff to be configured automatically,

hard coding is the alternate route.

again i say NO DHCP IS NOT NECESSARY...IT'S A LUXURY.

if you have 7,000 hosts (several dorms on a campus) then
that's where you would not want to have everybody trying
to hard code information.

homey
06-13-2003, 10:23 PM
I realize that some people would rather use a "roll your own" approach to Internet Connection Sharing instead of using an automatic GUI tool such as Firestarter.
With that in mind, here are my notes on how I did that....

You should be able to copy the enclosed script which I pieced together from the web. Save it as a text file with no extension. Try it out with the command: sh firewall

This part allows the firewall to survive a reboot. :)

Do this while logged in as root.
Save the firewall script as /etc/sysconfig/firewall.
Important: on the file called firewall, set the permissions to read, write and exec for root, and read and exec for group and others.
Edit the /etc/rc.d/rc.local file with a path to the script /etc/sysconfig/firewall
Run the command: service iptables stop
Type: source /etc/sysconfig/firewall
Type: iptables-save > /etc/sysconfig/iptables
Run the command: service iptables restart

_______________________________________________

#!/bin/sh
#
# The location of the iptables binary file on your system.
IPTABLES="/sbin/iptables"

# The Internet interface. For ADSL or Dialup users, this should be "ppp0".
# For a cable modem connection, this will probably be "eth0".
EXT="eth0"

# The nic connected to your local network (the one holding 192.168.0.1) and the
# local subnet. Dialup users with one nic: that nic is "eth0" and EXT is "ppp0".
LAN="eth1"
LANNET="192.168.0.0/24"

# Out with the old stuff, in all three tables.
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X

# These will setup our policies.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

# Use this for NAT or IP Masquerading.
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPTABLES -t nat -A POSTROUTING -o $EXT -j MASQUERADE

# Port forwarding looks like this. The forwarded packets arrive on $EXT as NEW
# connections, so each DNAT needs a matching FORWARD ACCEPT, and those ACCEPTs
# have to be added here, before the rule below that drops NEW traffic from $EXT.
#$IPTABLES -t nat -A PREROUTING -i $EXT -p tcp --dport 25 -j DNAT --to 192.168.0.50
#$IPTABLES -A FORWARD -i $EXT -p tcp -d 192.168.0.50 --dport 25 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -i $EXT -p tcp --dport 53 -j DNAT --to 192.168.0.50
#$IPTABLES -A FORWARD -i $EXT -p tcp -d 192.168.0.50 --dport 53 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -i $EXT -p udp --dport 53 -j DNAT --to 192.168.0.50
#$IPTABLES -A FORWARD -i $EXT -p udp -d 192.168.0.50 --dport 53 -j ACCEPT
# These redirect a block of ports, in both udp and tcp.
#$IPTABLES -t nat -A PREROUTING -i $EXT -p tcp --dport 2300:2400 -j DNAT --to 192.168.0.50
#$IPTABLES -A FORWARD -i $EXT -p tcp -d 192.168.0.50 --dport 2300:2400 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -i $EXT -p udp --dport 2300:2400 -j DNAT --to 192.168.0.50
#$IPTABLES -A FORWARD -i $EXT -p udp -d 192.168.0.50 --dport 2300:2400 -j ACCEPT

# This rule protects your forwarding rule: nothing from the Internet may open
# a new connection into the local network.
$IPTABLES -A FORWARD -i $EXT -m state --state NEW,INVALID -j DROP

# These rules accept connections from local machines, but only when they really
# arrive on the local nic. A packet on $EXT claiming a 192.168.0.x source
# address is spoofed and gets dropped.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $EXT -s $LANNET -j DROP
$IPTABLES -A INPUT -i $LAN -s $LANNET -j ACCEPT

# DROP bad packets (impossible TCP flag combinations used by port scanners).
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# DROP icmp, but only after letting certain types through
# (echo-reply, destination-unreachable, time-exceeded, rate-limited echo-request).
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j DROP

# To open up port 22 (SSH Access) to various IP's edit the IP's below
# and uncomment the line. To enable SSH access from anywhere,
# uncomment the second line only.
#$IPTABLES -A INPUT -i $EXT -s 200.123.10.2 -d 0/0 -p tcp --dport 22 -j ACCEPT
#$IPTABLES -A INPUT -i $EXT -s 0/0 -d 0/0 -p tcp --dport 22 -j ACCEPT

# If you are running a Web Server, uncomment the next line to open
# up port 80 on your machine.
#$IPTABLES -A INPUT -i $EXT -s 0/0 -d 0/0 -p tcp --dport 80 -j ACCEPT

# Some basic state-matching.
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# DROP port 137 netbios packets silently, i.e. before they reach the logging rule.
$IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j DROP

# Log whatever is left (rate limited), so we don't get silent DROPs.
$IPTABLES -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "firewall INPUT drop: "
$IPTABLES -A INPUT -j DROP
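Added example (not homey's script and not from anyone in the thread): a small sh script that audits an iptables-save dump, i.e. the kind of file the `iptables-save > /etc/sysconfig/iptables` step produces, for the things a reviewer would check in an ICS ruleset: INPUT policy DROP, MASQUERADE bound to the Internet nic, no LAN ACCEPT that is spoofable from the outside, NEW connections from the Internet dropped in FORWARD, and every DNAT port forward backed by a FORWARD ACCEPT placed above that drop. The two rulesets embedded in it are constructed in iptables-save format: the first mirrors the posted script with the port-25 forward uncommented, the second is a corrected version. eth0 as the Internet side, eth1 as the local nic and 192.168.0.50 as the forward target are assumptions.

```shell
#!/bin/sh
# Audit an iptables-save dump of an ICS ruleset for the mistakes a reviewer
# looks for. Added example, not the script from the post: the two dumps
# below are constructed, and nothing here touches the live firewall.
# Assumed layout: eth0 faces the Internet, eth1 is the local nic.

# audit_ruleset EXT LANNET  (dump on stdin; prints one FAIL line per finding)
audit_ruleset() {
    ext="$1"; lan="$2"
    dump=$(cat)

    # 1. INPUT must default to DROP; iptables-save writes ":INPUT DROP [0:0]".
    if ! printf '%s\n' "$dump" | grep -q '^:INPUT DROP'; then
        echo "FAIL: INPUT policy is not DROP"
    fi

    # 2. Masquerading must be bound to the Internet interface only.
    if ! printf '%s\n' "$dump" | grep -q -- "^-A POSTROUTING -o $ext -j MASQUERADE"; then
        echo "FAIL: no MASQUERADE rule bound to -o $ext"
    fi

    # 3. Anti-spoofing: an ACCEPT for the LAN subnet with no -i also admits
    #    packets arriving on $ext with a forged 192.168.0.x source address.
    if printf '%s\n' "$dump" | grep '^-A INPUT ' | grep -- "-s $lan " \
            | grep -- '-j ACCEPT' | grep -qv -- ' -i '; then
        echo "FAIL: ACCEPT for $lan is not bound to an interface (spoofable)"
    fi

    # 4. New connections arriving from the Internet must not be forwarded.
    if ! printf '%s\n' "$dump" | grep '^-A FORWARD ' | grep -- "-i $ext " \
            | grep -- '--state' | grep NEW | grep -q -- '-j DROP'; then
        echo "FAIL: FORWARD does not drop NEW connections coming in on $ext"
    fi

    # 5. Every DNAT port forward needs a FORWARD ACCEPT for its target, placed
    #    above the NEW-drop rule: chains are walked top-down, so an ACCEPT
    #    appended below the DROP never fires and the forward is dead.
    printf '%s\n' "$dump" | awk -v ext="$ext" '
        /^-A FORWARD / && /--state/ && /NEW/ && /-j DROP/ { if (!drop) drop = NR }
        /^-A FORWARD / && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == "-d") { k = $(i + 1); sub(/\/32$/, "", k); if (!(k in acc)) acc[k] = NR }
        }
        /^-A PREROUTING / && /-j DNAT/ {
            for (i = 1; i <= NF; i++) if ($i == "--to-destination") { k = $(i + 1); sub(/:.*/, "", k); dst[NR] = k }
        }
        END {
            for (n in dst) {
                d = dst[n]
                if (!(d in acc) || (drop && acc[d] > drop))
                    print "FAIL: DNAT to " d " has no FORWARD ACCEPT above the NEW-drop rule on " ext
            }
        }'
}

# count_findings RULESET EXT LANNET -> number of FAIL lines
count_findings() {
    printf '%s\n' "$1" | audit_ruleset "$2" "$3" | grep -c '^FAIL' || true
}

# Constructed dump of the posted ruleset with the port-25 forward enabled:
# the LAN ACCEPT has no -i, and the DNAT has no FORWARD ACCEPT at all.
WEAK=$(cat <<'EOF'
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.50
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -s 192.168.0.0/24 -j ACCEPT
-A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
COMMIT
EOF
)

# Constructed dump of a corrected ruleset (same field order iptables-save uses).
FIXED=$(cat <<'EOF'
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.50
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -s 192.168.0.0/24 -i eth0 -j DROP
-A INPUT -s 192.168.0.0/24 -i eth1 -j ACCEPT
-A FORWARD -d 192.168.0.50/32 -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
)

report() {  # report LABEL RULESET
    echo "== $1 =="; printf '%s\n' "$2" | audit_ruleset eth0 192.168.0.0/24
    echo "findings: $(count_findings "$2" eth0 192.168.0.0/24)"
}
report "posted ruleset" "$WEAK"
report "corrected ruleset" "$FIXED"
```

Run it with `sh audit_ics.sh`: the posted ruleset gets two findings (the spoofable LAN ACCEPT and the dead port forward), the corrected one gets none. To check the real box instead of the samples, source the functions and run `iptables-save | audit_ruleset eth0 192.168.0.0/24` with your own interface and subnet. The check is string matching on iptables-save output, so it only understands rules written the way iptables-save writes them; it is a review aid, not a substitute for actually sending a packet through the box.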

elite_syntax
06-15-2003, 11:04 PM
What is ipt?

homey
06-15-2003, 11:51 PM
In this case it is just a name that points to /sbin/iptables.....
IPT="/sbin/iptables"

Edit: I changed that to remove confusion...
IPTABLES="/sbin/iptables"

I also changed the name of the Internet nic from INT to EXT to remove confusion in that area....
EXT="eth0"

elite_syntax
06-16-2003, 12:39 AM
I see now.:)

homey
06-16-2003, 12:42 AM
Have you had any luck getting your ICS going yet?

elite_syntax
06-16-2003, 02:21 PM
Nope, I didn't start yet. I want to put spoofing in my firewall and make sure there are no backdoors around my firewall. :)


I want to do some hacking too. :)