iptables question

Stryker
scripter
Posts: 98
Joined: Thu Jan 23, 2003 8:50 pm

Post by Stryker »

A few friends and I are working on building a small ISP for the city. Before I feel comfortable jumping into it I'd like to feel a little bit more comfortable about what's ahead of me.

So let's say that there's a user who has the IP of 4.2.2.2. The router's IP is 4.2.2.1. All traffic to 4.2.2.2 from the internet would need to be sent through the router, so the router would also have to listen for 4.2.2.2. The gateway's internet connection is on eth0, the users are connected via eth1. So the gateway would need to look and see if the packet is meant for it, or some user, and if it's for the user, route it out to eth1.

What I'm doing now is using a home network to test some of this stuff. I have a gateway that shares the internet with the rest of the house. It's 192.168.0.1 and running Linux with iptables. I've been able to easily redirect all traffic to the public IP address to a single host on the network (192.168.0.2). But instead of 192.168.0.2 having that IP address, I'd like to give it the public IP address. The problem is that if I told the router to direct all traffic for 4.2.2.2 to 4.2.2.2 then it would just deliver it to itself. Is there a rule I can create to send it out of eth1, or will it be necessary to change the routing table? Sorry, I'm not the best at explaining things. Basically I want people to have a public IP address. Any suggestions?

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main »

You can't just assign any addresses and have anything on the internet get to them. You have to own the IP address range that you want to assign.

For instance, say I have a T1 line coming in to my company. I rent that T1 line from a service provider. Let's say I use Sprint. Sprint has large blocks of IP addresses that they can break up into smaller blocks for their customers. Say I rented this T1 line and I said I needed 200 IP addresses; then it would be logical for me to rent a Class C subnet of addresses from them (total of 254 usable addresses). Say that network I am assigned is 4.2.2.0/24 or 4.2.2.0/255.255.255.0. That network means I can assign addresses on 4.2.2.1 through 4.2.2.254.

Sprint has several backbone routers that are responsible for routing traffic between all of the networks they are responsible for and the internet. I have a small router at my company which is at the fringe of the Sprint network. There are routing protocols in all the routers on the sprint network that are responsible for keeping track of what other routers are out there and what networks are assigned to them. They might be using EIGRP or similar (RIP is a very basic routing protocol). They could also use static routes but on large networks that is very difficult to manage, hence the need for routing protocols.

But basically on my small router (a *real* router, not a DSL/Cable modem which is not a true router, one that has the necessary routing protocols), I assign an address to the inside interface of 4.2.2.1 with a netmask of 255.255.255.0 and this will become the gateway for all of my hosts. The routing protocol senses that the network interface on this router is responsible for the 4.2.2.0/24 network and passes that information on to the other routers in the Sprint network. Now all the routers on Sprint's network know how to get packets to and from my IP addresses.

On the Internet backbone routers there are higher level routes that might say all 4.0.0.0/8 traffic goes to the Sprint backbone routers. Likewise they would have routes for every other provider out there.

For home users with Cable/DSL modems they usually only get one IP address. They do not have the real router at their house but it is at the service provider (Charter/SBC/RR/etc). The IP address they get also will have an associated gateway address that points to the provider's fringe routers. Say I run iptables and do IP masquerading so I can have several machines each with their own address. The addresses I assign would be off-net addresses (not routed by internet routers) in the range of 10.0.0.0/8, or 172.16.0.0/16 or 192.168.0.0/16. I point each machine assigned one of these addresses to my iptables machine which translates the off-net address to the on-net address that I was given by my provider.

The only address ever seen outside of my house is the address given by my provider because that is the only one that the routers beyond my house know about. iptables keeps track of which connections to the outside world belong to which machine is connected on the inside and does the IP address translation automatically.

This is a high level description but I can go into much more detail if you like. Basically you have to work with your provider to get a range of addresses to use. This may involve finding a different network provider with a different grade of service. I don't know if this helps but if I am way off track from what you are asking I can go into much more detail on any area of this.


Post by Stryker »

I know that I need to get the IP addresses; the problem is that whenever I've configured iptables it's always worked just like a home router: there's one public IP address that the network shares. Hmm, basically, if I were to have 200 IP addresses, how would I route them to the other machines?


Post by Void Main »

It depends. Are you talking a T1 line? If so you'll need a real router with either an external or built-in CSU/DSU. Probably something in the 1700 range if you go with Cisco. The provider that you go with might have special requirements or provide equipment depending on the type of line you are provisioning.

Also, I may still not understand exactly what you want to do. You need 200 addresses that need to be directly routed on the Internet? Or you just need 200 off-net addresses that need to be able to get out to the Internet but nothing should be able to get directly to them from the internet? If it's the latter then all you would need is that one public address and configure iptables to do IP Masquerading. For instance, here at my house I have several machines that can talk to each other and they can get out to the Internet but I only have one public IP address from my Cable provider. Is this the type of setup you are referring to except with many more machines?

If so I have a machine with 3 interfaces, one with my public IP address from my provider, another configured with an off-net address (172.16.x.x) which is my DMZ interface and then I have the 3rd interface configured with another off-net range (192.168.x.x) that is my inside interface that most of my machines use as their gateway. I have a couple of machines in my DMZ that point to the DMZ interface for their gateway. I used to use just iptables directly but for the last year or two I've been using Shorewall which is really nothing more than an iptables wrapper:

http://www.shorewall.net/

Of course if I still don't have it right then I guess I need a few more details or examples so I can get a good picture of what you have in mind.


Post by Stryker »

Basically I want to make my Linux box a real router. I don't want there to be any private IP addresses. I'd be using a T1, but I don't know much about T1s as I've never had one before. What's a CSU/DSU?


Post by Void Main »

If you are going to run a T1 or Frame Relay circuit then you will need a CSU/DSU which is either built in to a regular router or external to a regular router that connects to a special serial interface on the router (not even close to the type of serial interface you are used to on a PC). They do make T1 cards that have built in CSU/DSU units and some of them have Linux support but I would have to seriously recommend a regular router like a 17xx series Cisco. A T1 line is basically just a special dedicated phone circuit. It is capable of 1.544 Mbps and usually runs anywhere from a few hundred to a thousand dollars a month.

Now, you certainly can run a Linux box between your real router and all of your clients for several possible reasons like transparent proxy or firewall, etc, etc. I'm thinking it might be wise to pick up a book on networking. Let me search around and see if I can find some things online.

EDIT: Here looks like a nice site with some good introductory information that might be useful to you:

http://www.t1-t3-dsl-line.com/

Nice little chart:

http://www.t1-t3-dsl-line.com/solutions.php

Read over everything on that site and digest as much as you can. Where I work we have a couple of full T3 lines for internet access at around $8,000/month each (which is actually a pretty good deal for a full T3). We also have some cross-town fibre and thousands of frame relay and satellite links. All of the frame relay circuits have a Cisco router and a switch at the end of them.

EDIT2: And this page pretty much sums up what I was trying to say about needing a real router with a CSU/DSU:

http://www.t1-t3-dsl-line.com/page/41/


Post by Stryker »

Thanks, that answered a few of my questions. I've got a problem though. I want to use a computer as the gateway so that I can have registered MAC addresses go to the internet, and unregistered MAC addresses be blocked from the internet and go to our sign-up page, and unpaid bills can go to their account management page. I have it all worked out with how to do this with iptables, but how would I have it set up so that the users have to use this machine as their gateway?

edit:
It's going to be a long-distance Wi-Fi network for boats in the bay, and they'll need the special Wi-Fi antennas, which we'll provide, so doing it by MAC address is OK.


Post by Void Main »

It's no problem having your Linux box be the gateway for all of those devices. The only thing I am saying is that you probably aren't going to have much luck having that Linux box being the router on your end of the T1 line (or whatever other type of line you might want). For one, you have to have the CSU/DSU and for another the provider probably wants Cisco IOS with a high end routing protocol (not RIP). That really shouldn't concern you though because there are many other routers between you and the rest of the internet that you have no control over; the only difference is that one of them resides on your property. You can put your Linux box in and use iptables to do what you want. It will reside between your router (Cisco router) and all of your clients. Your Linux box will point to the Cisco router as its gateway and it can have all of your addresses assigned to its outside interface if that is what you want.


Post by Stryker »

That was exactly what I was thinking, but I'm not sure how to configure the Linux machine to allow the clients to have public IP addresses. The closest thing I've done is IP masquerading.


Post by Void Main »

Well, to be honest with you I am still not 100% clear on what your objective is. Maybe it would be best to step back a couple of steps and look at it from a requirements standpoint rather than having something already made up in your mind like running a Linux iptables gateway.

List your requirements as accurately as you can. I guess you want to act a little like a cable or DSL service provider except instead of cable or DSL connections you want to provide wireless connections. Is that pretty much what you are after? Could you describe the wireless equipment a little more? I am familiar with home wireless and with Cisco Aironet wireless with special antennas to communicate over 10 miles at around 4-11Mbps.


Post by Stryker »

Basically, we'll be using standard Wi-Fi equipment for the network, with the exception of home-made antennas for longer distance. We'll be selling internet access to boats in the bay. There are a lot of people that live at the docks, and some who just would like the internet on their yacht (or however you spell it). I would like them to be able to communicate with themselves at an unmetered rate, which I don't think I have control over anyway. They'd be able to each have their own public IP address, so it'd be a real internet connection. If the MAC address is not registered with us, it will redirect them to a page on the gateway (or another computer on the network running Apache) for signing up. If they have not paid their bill I would like them to be redirected to their account management page. I think this can be easily done with a background process and iptables. There will be 1 access point to start out with, with 3 antennas pointing in different directions in the west, none of them going east. I suppose technically I'd need 3 access points at the same place, but I'd like it to appear as one, which isn't a problem because I don't want it to be an actual access point like a home network, but rather a computer with 3 wireless network cards in it (unless I can rig up a weird 3-direction antenna on 1 network card).

And I didn't know you had experience with it, I would've asked before... is it possible to do a 4 mile network on the ground with no good line of sight (like, going through trees and stuff)? Me and a friend wanna network ourselves.

edit:
Did some googling, apparently what I'm looking for is how to do a 1:1 NAT with iptables... I think.
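The gateway described in the two posts above (registered MACs pass, unregistered ones land on the sign-up page, unpaid ones on the billing page), as an added example that is not from the thread or from either poster. It routes the public block straight through, so no 1:1 NAT is needed; it assumes the provider's router sends the public block to this box's eth0 address, and that the sign-up and billing pages are web servers on this box listening on tcp/8080 and tcp/8081 (both hypothetical).

```shell
#!/bin/sh
# Hypothetical gateway script (added here, not from the thread): Linux box
# between the provider's router (eth0) and the wireless clients (eth1) that
# forwards the customers' public addresses unchanged and gates them by MAC.
# Assumptions: the provider routes the public block to this box's eth0 address;
# the sign-up page listens on this box at tcp/8080, the billing page at 8081.
IPT="${IPT:-iptables}"   # set IPT=echo to print the rules instead of applying them
WAN=eth0
LAN=eth1
SIGNUP_PORT=8080
BILLING_PORT=8081

# Constructed customer table: MAC, assigned public address, billing state.
CUSTOMERS='00:11:22:33:44:55 4.2.2.2 paid
00:11:22:33:44:66 4.2.2.3 unpaid'

# One-time setup: forwarding on, default-deny, jumps into the custom chains.
install_hooks() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    $IPT -P FORWARD DROP
    $IPT -N customers
    $IPT -N inbound
    $IPT -t nat -N portal
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j customers   # client -> Internet
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -j inbound     # Internet -> client
    $IPT -t nat -A PREROUTING -i "$LAN" -j portal      # web redirects
    # The portal pages run on this box, so clients must be able to reach them.
    $IPT -A INPUT -i "$LAN" -p tcp -m multiport --dports "$SIGNUP_PORT,$BILLING_PORT" -j ACCEPT
}

# Rebuild the per-customer rules from the table; a background job re-runs
# this whenever the billing database changes.
build_rules() {
    $IPT -F customers
    $IPT -F inbound
    $IPT -t nat -F portal
    echo "$CUSTOMERS" | while read -r mac ip state; do
        case "$state" in
        paid)
            # Paid: pass both directions, but only when the MAC uses its
            # assigned address (stops one customer borrowing another's IP).
            $IPT -A customers -m mac --mac-source "$mac" -s "$ip" -j ACCEPT
            $IPT -A inbound -d "$ip" -j ACCEPT
            $IPT -t nat -A portal -m mac --mac-source "$mac" -s "$ip" -j RETURN
            ;;
        unpaid)
            # Unpaid: HTTP lands on the billing page; all else is dropped below.
            $IPT -t nat -A portal -m mac --mac-source "$mac" -p tcp --dport 80 -j REDIRECT --to-ports "$BILLING_PORT"
            ;;
        esac
    done
    # Unregistered MACs get the sign-up page (plain HTTP only; TLS cannot be
    # redirected this way), and nothing else of theirs is forwarded.
    $IPT -t nat -A portal -p tcp --dport 80 -j REDIRECT --to-ports "$SIGNUP_PORT"
    $IPT -A customers -j DROP
}

if [ "${1:-}" = "apply" ]; then install_hooks; build_rules; fi
```

Run it as `sh gateway.sh apply` on the box, or `IPT=echo sh -c '. ./gateway.sh; build_rules'` to review the generated rules first.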


Post by Void Main »

Actually I think everything you want to do can be done with the wireless devices themselves. I know something very similar to what you want to do is being done in a lot of places. I don't think you would even need a separate Linux box. You would just configure the DHCP on the wireless device to hand out addresses in the public range and have them point to the Cisco Router for their gateway.

In fact at home I have my wireless access point configured to act as a wireless->Ethernet bridge. I don't even use the WAN interface on the wireless unit. The unit has a 5 port switch that is bridged with the WLAN interface. I have one of the ports on the switch plugged into my normal wired LAN and I have a Linux machine that acts as my DHCP/DNS server on that LAN. When my laptop associates with the access point it picks up its IP address from my Linux DHCP server and points to my Linux gateway (which in your case would be the Cisco router). You could do a similar thing except your DHCP server would be configured to hand out addresses in your public range rather than private addresses like I am doing. The access point itself can do the DHCP and it's probably better that it does. If you wanted to be geeky you could even get an access point that runs Linux like the one I run and customize it to do whatever you want (it runs iptables, dhcpd, etc).

I would suggest two other places to post for advice where I also frequent:

http://openwrt.ksilebo.net/forum/
http://www.sveasoft.com/modules/phpBB2/

Of course these mainly deal with the LinkSys unit like I run at home (and a few devices with the same chipsets). These are running Linux. Another great wireless resource:

http://www.seattlewireless.net/

Of course here's a web server running on one of my home access points:

http://voidmain.is-a-geek.net:81/

:) So yes, I think what you want to do is very doable. I would just check around for other people who are doing something similar and see how they are doing it. You could use the MAC filtering built in to the wireless unit to restrict access. This would probably not be the best way to do it though. Having some sort of encryption with individual keys would be the best method (IPSec based would be the most secure). I've done a little war driving and it's quite amazing how insecure most wireless systems are.

EDIT: Forgot to address your 4-mile with no line of sight question. I don't know how you would do that other than get some really tall antennas. We had a 10 mile line of sight (from the top of a 25 story building).

Also, for long distances you are going to need a directional antenna on both ends. How is this going to work on a boat? I certainly won't admit to being a wireless expert (because I am not) so there may be ways I am not aware of. Of course you could strategically place a few access points in the harbor and use regular omnidirectional. You could then have one directional between the harbor and the main office with the router. I don't know what you would do for boats out on the water (not docked) if you were even worried about them. I know they run Satellite receivers on airliners now so they could probably do satellite connections on boats as well which would give them unlimited range. I suspect that would be very expensive though.


Post by Stryker »

Yeah, I know some people that use satellite on boats; I'm trying to provide a cheaper alternative. I figured unless I figure out a better solution, I'd give the customers the locations of the access points and tell them to point the antenna in that direction. I've read that some people have done 5 miles without a line of sight with an amplified antenna, but that's like an extra $500... which is a bit much for personal use.


Post by Void Main »

I work with someone who was working on a wireless solution for neighborhoods. I'll ask him how he was designing his network. I know they were going to run several towers with antennas on them. I think they were doing basically what you want to do.


Post by Void Main »

I talked with my coworker today and they ended up not doing that "neighborhood" solution but the plans they had in place were very much like what we have already been talking about: a wireless->Ethernet bridge. Antennas on towers with around 2-mile range. He didn't have any info on the security plans (ensuring only those authorized can connect).

He also mentioned that he helped install a wireless solution for one of the local casino boats. They had two T1 lines and a dish on the roof of a tall building that pointed down the river. They had an omni on the boat and apparently the boat had constant network access during the short cruises. They used Cisco equipment much like I mentioned I was familiar with. In my case I used a very directional Yagi antenna on both ends.

Another guy I work with also has some experience in this area and he suggested calling this local shop who is really expert in this area. I am sure my area is a long way from where you are and you can probably find local experts to help you out, but I can give you the number of this local place and the name of the person who you need to talk to (he's the owner).

Here are some links you might want to browse over, if for no other reason than to gain a little more understanding:

http://www.cisco.com/en/US/products/hw/wireless/

I suggest if nothing else that you look over the antenna options and specs. There is some really good info there.
