evan_tech -- quickly sharing a net connection

02:17 pm, 8 Jul 07

quickly sharing a net connection

I seem to often (at least often enough to know I've done it more than a few times) need to quickly share a computer's net connection. This time it's because we had to pull the net connection from my desktop because the building was getting repainted; my laptop has wireless but my desktop doesn't. I always just barely remember how to do this each time I need to, so I may as well write it down even though it's relatively simple.

Three steps:

Get the two computers speaking via IP. Pick addresses that aren't already used elsewhere. A fancy way of doing this might be avahi-autoipd, which implements 'IPv4LL, "Dynamic Configuration of IPv4 Link-Local Addresses" (IETF RFC3927)', but that's only in Ubuntu feisty. In any case you need to tell the internet-less machine to route through the gateway one (as well as give it the upstream DNS server address).
Tell the laptop machine to forward packets routed to it:
echo 1 > /proc/sys/net/ipv4/ip_forward
Tell iptables to masquerade (NAT) packets going out the wireless interface:
iptables -t nat -A POSTROUTING -o ath0 -j MASQUERADE

This probably has security problems (I imagine maybe other machines on the wireless could masquerade through the laptop) but it's fine in a private network setting. To undo, echo 0 into the ip forwarding control and clear ("flush") the nat iptable: iptables -t nat -F .

edge_walker

Small tip: since I am never ever logged in as root unless the system is in single user mode, I prefer to use sysctl instead of writing into /proc directly, because that’s straightforward to invoke with sudo:

sudo sysctl -w net.ipv4.ip_forward=1

If you use redirection to write in /proc, the shell executing the command has to run as root, so you need contortions like

sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

which involves quotes, and can hence be a pain.

reply to this

loganb

The link-local addresses generally should not be routable, although I doubt Linux enforces that. The set of routable, private addresses are: 10.0.0.0/8 (10.0.0.0 - 10.255.255.255), 172.16.0.0/12 (172.16.0.0 - 172.31.255.255), and 192.168.0.0/16 (192.168.0.0 - 192.168.255.255).

Also, to be slightly more safe on your masquerade rule you should make sure you only masquerade connections from your internal LAN. You can add a "-i " as in: iptables -t nat -A POSTROUTING -i eth0 -o ath0 -j MASQUERADE

reply to this

mart

I've always loved how easy it is to get stuff like this running in Linux. Just the other day when I was having that problem with VMWare I just did your step 2 here and had an instant router without any further ado.

On the other hand, when I've had to do similar things to the above with Windows Server 2003 boxes at work I've almost wanted to either cry or take a hammer to the server.

reply to this

evan	I thought OS X and Windows have some sort of "connection share" function? I sorta imagined it'd be easier on those platforms (though I'd be I have more control over it on mine...).
reply to this

crackmonkey	OS X does, but I've not used it extensively. I have used Windows (XP) from time to time and it's pretty bad, largely because of the assumptions it makes (inflexible configuration), and the reliability is poor.
reply to this

trs80 [typekey.com]	If some of the clients only support DHCP, simpledhcpd (http://www.joachim-breitner.de/blog/archives/243-Spontanious-DHCP-Server-Done..html) is useful.
reply to this