Setting up a Mandrake Linux PC to share its Internet connection.
Assumes you have tried to use the Mandrake wizard - it
The Mandrake internet connection sharing (ICS) wizard goes a little over
the top for a small network - it installs a nameserver (BIND), a
proxy server (squid) and a DHCP server (dhcpd). Furthermore, it sets up
the firewall to redirect all HTTP requests (your browser asking for a
web page) to the squid proxy server.
None of these servers is really necessary, and they add complexity and
multiple potential failure points to your network (although the setup
is a valid one and simplifies sharing when it works!).
We will however leave them running for now, just in case. When you have
it all working, they can be turned off one by one (to make it easier to
locate any problems) by typing drakxservices as root.
Also consider plugging all your PCs into the router, or a
hub/switch attached to the router, and allowing the router to do ICS and
firewalling if it supports it.
Here, however, we are assuming you wish to use the firewall in Linux, or don't
wish to buy a hub. Firewalling is not discussed here - see the shorewall
Let's try to do it manually!
For the following environments:
Note: Setup is slightly different for a dial-up modem - see ics_modem.html
To set up a Linux 'client' see simple_net_setup.html
Where 'This_PC' is the one we are working on - it has 2 network cards.
One is connected to your internet connection (we will assume eth0) and
the other is
connected to your internal private local area network (LAN) (we will
assume eth1). It will forward all
outbound internet traffic to the internet, receive any replies, and
forward them to the correct PC on your LAN.
First check your cabling - if
you have a dual boot machine, is Windows internet connection sharing
working? Do the cables work on a known good network?
For our purposes:
Network interface cards (NICs)
are called eth0, eth1 etc. in Linux
short for internet
connection sharing - sharing a single internet connection with only 1
public IP address between multiple computers.
is a number
uniquely identify a network interface. Notice network INTERFACE - this
means each device (eg computer) can (and in this case, should) have
more than one IP address
IP address of the device connected to the internet eg. your router, or
PC running internet connection sharing.
The address to use is the one allocated to the interface connected to
your internal network. It will almost certainly be in one of the ranges
in "Note about IP addresses" below. Most likely 192.168.0.1 ,
192.168.1.1 or 10.0.0.1
address is the
address of your internet service providers (ISP) nameserver - used to
look up the corresponding IP address of a human readable address like
is a unique name
your computer - anything you like, for example linux.mylan.home or
zeus.greekgods or kevin but not www.google.com, www.microsoft.com...
Note about IP addresses:
Each interface on your network must have a different IP address. The
usual numbering schemes for private networks are 192.168.x.x or
10.x.x.x . Furthermore, each 'side' of a router (in this case your ICS
machine is acting as a router) must be on a different subnet, so we
will number the LAN side 192.168.3.1. Don't worry if you don't
understand this as yet - just follow the instructions...
The numbering scheme used on eth0 (the internet side of 'This_PC')
should match that of your gateway device
(router,cable modem etc). For example, if your router manual says the
IP address is 192.168.1.1 you will number your computer network
You need to find out what your IP address and default gateway are -
these can be obtained from a working Windows installation if you dual
boot, or your router/cable modem manual as above. You will also need
your nameserver IP address (get it from your ISP).
You will need to be root (administrator) to edit the files here.
To sign on as root - type su in a terminal (console), press enter
followed by your root password
Let's get started then:
- This is the main
config file for the first (internet facing) interface.
It should read : (you can leave out anything on a line after #)
- This is the main
config file for the second (LAN facing) interface.
It should read :
the nameserver address(es) - put the address of your ISP's nameserver
right at the top, e.g.:
You can have multiple nameserver xxx.xxx.xxx.xxx lines - the resolver will try them all in turn if one fails.
The default gateway and your hostname go in /etc/sysconfig/network
GATEWAY=192.168.1.1 # or the IP address of your gateway device - the default gateway
We then need to set up packet
Put the following command at the beginning of /etc/sysctl.conf
Then 'turn off' the redirection
Install iptables - type "urpmi iptables" as root, or use the package
manager in the start menu or mcc
Add the following code to the bottom of
iptables -t nat -D PREROUTING -i eth0 -j loc_dnat
This will delete a rule from your firewall - later, when you understand
more, you can change shorewall and remove this line, but for now we'll
keep it simple.
Then try it all out:
Try pinging your computer's 'internet side' NIC (type "ping 192.168.1.2"
or whatever your
IP address is). If you get errors,
then your NIC is not working - ask for help (see below).
If OK - Try pinging the gateway
If OK - try pinging the LAN side (ping 192.168.3.1)
If OK - Try browsing.
Then try all the above from another PC connected to the LAN - if this
is a Linux box and it doesn't work, see Simple
net set up
If you are still having problems
post the following information in the Mandrakeusers.org networking forum:
Overview of your problem - not just "I can't connect to the internet" -
what have you done/tried so far, what works, what doesn't?
Physical network set up - what plugs in to what
Output of "ifconfig" , "route -n" , "iptables -nvL" and "iptables -nvL
Summary of the results of all pings above.
If you are using DHCP for your external interface, you should comment
out the IPADDR, NETMASK, NETWORK and BROADCAST entries in
/etc/sysconfig/network-scripts/ifcfg-eth0 by placing a # at the
beginning of the line. You should add the following to
your firewall (you could put the rules at the end of
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
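An added check, not part of the original page: the three rules above only protect the LAN if the inbound direction stays limited to ESTABLISHED,RELATED and the FORWARD chain does not default to ACCEPT. The sketch below audits an iptables-save dump for exactly that; audit_ics is a hypothetical helper name, eth0/eth1 follow the page's assumption, and the sample dumps are constructed.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for the forwarding rules above.
# On the gateway, as root:  iptables-save | audit_ics eth0 eth1
# audit_ics is a hypothetical helper; eth0 = internet side, eth1 = LAN side.
audit_ics() {
    wan=$1; lan=$2; rc=0
    rules=$(cat)    # whole dump from stdin
    has() { printf '%s\n' "$rules" | grep -Eq -- "$1"; }
    # Outbound traffic must be masqueraded on the internet-facing NIC.
    has "^-A POSTROUTING .*-o $wan .*-j MASQUERADE" ||
        { echo "MISSING: MASQUERADE on $wan"; rc=1; }
    # LAN hosts must be allowed out.
    has "^-A FORWARD -i $lan -o $wan .*-j ACCEPT" ||
        { echo "MISSING: FORWARD $lan -> $wan ACCEPT"; rc=1; }
    # Only replies to LAN-initiated connections may come back in.
    has "^-A FORWARD -i $wan -o $lan .*--(ct)?state [A-Z,]*ESTABLISHED" ||
        { echo "MISSING: FORWARD $wan -> $lan ESTABLISHED,RELATED"; rc=1; }
    # An ACCEPT from the internet side with no state match exposes the LAN.
    if printf '%s\n' "$rules" |
        grep -E -- "^-A FORWARD -i $wan -o $lan .*-j ACCEPT" |
        grep -Evq -- '--(ct)?state'; then
        echo "EXPOSED: unrestricted FORWARD $wan -> $lan ACCEPT"; rc=1
    fi
    # With a default ACCEPT policy the state rule restricts nothing.
    if has '^:FORWARD ACCEPT'; then
        echo "EXPOSED: FORWARD policy is ACCEPT"; rc=1
    fi
    return $rc
}

# Constructed samples in iptables-save format (not captured from a real host).
SAMPLE_GOOD='*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT'
SAMPLE_BAD='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT'

printf '%s\n' "$SAMPLE_GOOD" | audit_ics eth0 eth1 && echo "good sample: OK"
printf '%s\n' "$SAMPLE_BAD" | audit_ics eth0 eth1 || echo "bad sample: findings above"
```

The function exits non-zero on any finding, so it can be run after each firewall change to catch an edit that drops the state match or the masquerade rule.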
Please pass on your comments,
improvements, mistakes or omissions to me - consider this work in
If you live on the Isle of Wight (UK) and you are still
stuck, give me a call!