This is my personal blog. I also have a professional blog at http://siliconsparrow.com/

26 May 2006

Dead Easy NAT on Debian Sarge

Filed under: Nerd Notes — adam @ 12:29 pm

The problem: The boss wants me to set up a server and two workstations which can plug into various customers’ networks and connect to the internet as a kind of mobile demo of our client/server product. I have one hour to do it. The workstations run Windows XP and the server is Debian 3.1 “Sarge”.

The solution: Make the server a DHCP client and provide NAT functionality. Put the workstations onto a private subnet with static IPs.

So how do you do that? Read on…

DHCP

Fortunately, this is pretty easy in Debian. Just edit /etc/network/interfaces. Here is what I ended up with:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet dhcp

# Our private subnet
auto eth0:1
iface eth0:1 inet static
address 192.168.166.1
netmask 255.255.255.0

eth0 will be our connection to the internet (via DHCP) and eth0:1 is an alias address on the same card which will carry our private subnet. Note that it is an alias, not a second network card: the workstations end up plugged into the same physical network as eth0, just with addresses on 192.168.166.x. If the server has two cards, use eth1 for the private side instead; the rest of the recipe is unchanged apart from that name.

Get these new settings running by typing the following commands. Do it from the local console, not over a telnet or ssh session, because taking eth0 down drops your session and you will be in trouble :). Rebooting would also work.

# ifdown eth0
# ifup eth0
# ifup eth0:1

Next I set the two Windows workstations to IP addresses 192.168.166.5 and 192.168.166.6 and set their gateway and DNS settings to 192.168.166.1. I chose 192.168.166.x as a kind of unusual subnet so there would be little chance of it clashing with any other private subnets the client might have.

I can now use ping from a workstation to 192.168.166.1 to check that it is all working.

DNS

The workstations need to see the internet so they will need DNS. This is not a problem since the default install of BIND is a recursive resolver, i.e. it will look up names on behalf of whoever asks it. All I need to do is install it and it just works (on Sarge the bind package is BIND 8; bind9 is the current one and behaves the same way for this purpose):

# apt-get install bind

And people say Linux is complicated and difficult; I just set up a DNS server with one command! One caveat, though: the stock configuration answers recursive queries from anyone who can reach port 53, so plugged into a customer’s network this box becomes an open resolver for that whole LAN. Restricting recursion to the private subnet (the allow-recursion option in named.conf, listing 192.168.166.0/24 and 127.0.0.1) is a one-line change worth making before the server leaves the office.

NAT

This was the most difficult part. The first thing I needed was for the server to forward traffic from the workstations out to the internet. To do this, edit the file /etc/network/options and change one line thus:

ip_forward=yes

UPDATE – I recently had to do this on Debian Etch. This step is a little different. Instead of editing /etc/network/options, you need to edit /etc/sysctl.conf and uncomment the line which reads net.ipv4.ip_forward = 1, then run sysctl -p to apply it without a reboot. Either way, /proc/sys/net/ipv4/ip_forward should read 1 before you go any further.

Then we need to fiddle with IPTABLES. Once again it is only one line, but it is not a trivial one. Before we do that, make sure the iptables package is installed:

# apt-get install iptables

Now we can type our magical incantation…

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The final stage is to set it up so that IPTABLES line gets run each time the system is booted. I wrote a little script which must be placed in the /etc/network/if-up.d directory. Any script placed here is run by ifupdown each time it brings an interface up (once for lo, once for eth0, once for eth0:1), with the interface name in the IFACE environment variable. I called my script /etc/network/if-up.d/iptables and here it is:

#!/bin/sh

# Set up firewall rules.
# ifupdown runs this for every interface it brings up (lo, eth0, eth0:1),
# naming it in $IFACE; the ruleset only needs loading once, on the uplink.
[ "$IFACE" = "eth0" ] || exit 0
/sbin/iptables-restore /etc/network/iptables.rules

Next make the script executable.

# chmod 755 /etc/network/if-up.d/iptables

and finally, create the configuration file for the script to use. This snapshot holds whatever rules are loaded at that moment, so run it straight after the MASQUERADE command above and before adding anything experimental:

# iptables-save > /etc/network/iptables.rules

Testing and conclusion

Once that is done, it should all be working. I rebooted to make sure it all came up in a working state. After that I yanked the power cord and then started up from cold just to test the kind of abuse it will experience in the field (thank God for journalling filesystems!).

All was done in twenty minutes flat which included time spent Googling for that magical IPTABLES command.

Be warned that I have not set up any kind of firewall here. IPTABLES can do that but it was not required for this job. Be clear about what that means in practice: with forwarding switched on and the FORWARD chain left at its default ACCEPT policy, the server will route anything sent to it, not just traffic from the two workstations, and because eth0:1 is an alias the workstations sit on the same wire as the customer’s LAN, reachable at their 192.168.166.x addresses by any host there that adds a route. That may be fine for a demo box that is only plugged in for an afternoon, but I’ll leave adding rules up to you if you want to do it.
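For anyone who does want the rules, here is one way to do the NAT step above and the missing forwarding policy together. This is an added example, not the post’s own script: it assumes eth0 is the DHCP uplink, 192.168.166.0/24 is the demo subnet, the rules file lives at /etc/network/iptables.rules (the path the if-up.d script above restores), and the kernel has the state match that 2.6 kernels of the Sarge/Etch era ship. Compared with the one-line MASQUERADE it masquerades only packets whose source is the demo subnet, and it drops forwarded traffic except the workstations’ own outbound connections and their replies.

```shell
#!/bin/sh
# Added example (not from the original post): build the NAT ruleset as an
# iptables-restore file and, when asked to, write it out and load it.
# Assumptions: WAN_IF is the DHCP uplink, LAN_NET the demo subnet from the
# post, RULES_FILE the file the if-up.d script restores. Uses "-m state",
# available on the 2.6 kernels Sarge and Etch ship.
set -eu

WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.166.0/24}"
RULES_FILE="${RULES_FILE:-/etc/network/iptables.rules}"

# build_rules WAN_IF LAN_NET
# Print an iptables-restore ruleset on stdout. Two changes from the post's
# one-liner: masquerade only packets *from* LAN_NET (not anything else that
# happens to be routed through this box), and give FORWARD a DROP policy so
# only the demo subnet's outbound connections and their replies are passed.
build_rules() {
    wan="$1"
    lan="$2"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# rewrite the source address only for the demo subnet leaving via the uplink
-A POSTROUTING -s $lan -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies to connections the workstations opened
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# new connections: demo subnet towards the uplink only; nothing is forwarded
# into the demo subnet from outside (the DROP policy handles that)
-A FORWARD -s $lan -o $wan -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# rule_count RULESET CHAIN: number of "-A CHAIN" lines in RULESET, for sanity
# checks (grep -c prints 0 and exits 1 when nothing matches, hence "|| true")
rule_count() {
    printf '%s\n' "$1" | grep -c "^-A $2 " || true
}

# install_rules: write the file the if-up.d script restores, switch forwarding
# on, and load the ruleset now (atomic replace of both tables). Needs root.
install_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "install must be run as root" >&2; return 1; }
    build_rules "$WAN_IF" "$LAN_NET" > "$RULES_FILE"
    echo 1 > /proc/sys/net/ipv4/ip_forward
    /sbin/iptables-restore < "$RULES_FILE"
}

# "install" applies the rules; anything else just prints them for review.
if [ "${1:-}" = "install" ]; then
    install_rules
else
    build_rules "$WAN_IF" "$LAN_NET"
fi
```

Run it with no arguments first and read the ruleset; then run it as root with install, which replaces whatever iptables-save captured earlier. Because the rules are generated from two variables, a server with a second card only needs LAN traffic on eth1 and the same file.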

3 Comments »

  1. Comment by Abbe — 7 May 2008 @ 6:28 pm

    Nice, it worked for me too, thanks!

  2. Comment by john — 20 April 2009 @ 9:32 pm

    very nice guide! worked like a charm :) thanks!

  3. Comment by saif and mudassir — 14 December 2010 @ 3:01 pm

    Thanks!!!!
    It worked for us as well.
    We had spent 2 days working on configuring a router for our LAN in Debian but we failed until we visited this page of yours!
    thanks!
