| Servers & Networking Discuss any Fedora server problems and Networking issues such as dhcp, IP numbers, wlan, modems, etc. |

6th December 2008, 07:57 PM
|
|
Registered User
|
|
Join Date: Apr 2008
Posts: 70

|
|
|
Share a wireless network over a Wired connection
Use case: I possess a laptop with ethernet and wifi. Little brother's XBox-720 has wired but no wireless (wireless is sold separately).
Desire: hook the XBox to a laptop running Fedora, which will log on to a Home Wireless network, and link the XBox to the wireless network. Essentially, the fedora laptop will serve as an expensive wireless router. (It's a cheap leftover Dell laptop, so this isn't a horrible idea).
Can I do this? I know that F10 can share a wired/3G network over a wireless connection, but I want to share a wireless network over a wired connection.
Windows can do it. But can Fedora? (If NetworkManager can't do it but there is a capable Linux tool which can, I am willing to try it. I'm just not sure what I need to set it up).
|

6th December 2008, 08:09 PM
|
|
Registered User
|
|
Join Date: Feb 2006
Posts: 780

|
|
Quote:
Originally Posted by twilightomni
Use case: I possess a laptop with ethernet and wifi. Little brother's XBox-720 has wired but no wireless (wireless is sold separately).
Desire: hook the XBox to a laptop running Fedora, which will log on to a Home Wireless network, and link the XBox to the wireless network. Essentially, the fedora laptop will serve as an expensive wireless router. (It's a cheap leftover Dell laptop, so this isn't a horrible idea).
Can I do this? I know that F10 can share a wired/3G network over a wireless connection, but I want to share a wireless network over a wired connection.
Windows can do it. But can Fedora? (If NetworkManager can't do it but there is a capable Linux tool which can, I am willing to try it. I'm just not sure what I need to set it up).
|
Using the (Microsoft) "sharing" term is distracting you from the solution, at least generating poor results for search queries using such terms.
Seems to me you want the Fedora system to do "routing", in this case forwarding of IP packets.
1. Enable IP forwarding on the Fedora system (how?).
2. Depending on which Fedora release you're using, disable the last firewall FORWARD rule, i.e. "-A FORWARD -j REJECT --reject-with icmp-host-prohibited"
I think that should do it.
David
|

6th December 2008, 08:38 PM
|
|
Registered User
|
|
Join Date: Apr 2008
Posts: 70

|
|
|
I'll need something a bit more specific than that.
IP forwarding what? I can select the eth0 interface under system-config-firewall->IP Forwarding, but what that does, I don't know. There's no further functionality; I can either check an interface to be "forwarded" or not.
Under NetworkManager, I can create a wired connection of type "Link-Local Only". When I do this and connect to the XBox, it fires some AVC Denials (something about Avahi requests being denied) and the XBox-360 itself still hasn't been assigned an IP address.
I would prefer to do this with the graphical tools (system-config-firewall, networkmanager-gui) if possible. Do you have any more information?
Remember, the goal is to locally connect to the XBox (local network between Fedora laptop and Xbox by wired connection) and then share the wireless connection with them.
|

6th December 2008, 09:11 PM
|
 |
Registered User
|
|
Join Date: Apr 2006
Location: Ohio, USA
Posts: 8,302

|
|
Here's a script I've been playing with - still needs some work:
do_forward:
Code:
#!/bin/bash
# Make this host a NAT router: forward traffic from LAN out through WAN and
# serve DHCP/DNS on the LAN side with dnsmasq. Run as root.

# defaults
WAN=eth0
LAN=eth1
LANIP="192.168.133.1"
DHCPRANGE="192.168.133.2,192.168.133.253"

usage() {
    echo "USAGE: $0 [-v][-d] [WAN=$WAN] [LAN=$LAN] [LANIP=$LANIP] [DHCPRANGE=$DHCPRANGE]"
    echo "USAGE: $0 [-v][-d] [WAN=$WAN] [LAN=$LAN] # disable forwarding"
    echo "USAGE: $0 [-v][-l] # print status"
}

list() {
    echo "Forwarding information"
    iptables -L
    echo ""
    iptables -L -t nat
    echo -e "\n/proc/sys/net/ipv4/ip_forward: $(cat /proc/sys/net/ipv4/ip_forward)"
}

listsettings() {
    echo "WAN=$WAN, LAN=$LAN LANIP=$LANIP DHCPRANGE=$DHCPRANGE"
}

# setup forwarding and the dnsmasq service
fwd() {
    # -A appends: a REJECT rule already at the end of FORWARD still matches first
    iptables -A FORWARD -i "$LAN" -j ACCEPT
    iptables -A FORWARD -o "$LAN" -j ACCEPT
    iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    echo 1 > /proc/sys/net/ipv4/ip_forward
    ifconfig "$LAN" "$LANIP/24" up
    # the last option must not end in a backslash, or the echo below
    # is passed to dnsmasq as extra arguments
    /usr/sbin/dnsmasq -C /dev/null \
        --bind-interfaces \
        --listen-address="$LANIP" \
        --dhcp-range="$DHCPRANGE,12h" >/dev/null 2>&1
    echo "to disable: $0 -d WAN=$WAN LAN=$LAN"
}

# remove forwarding and the dnsmasq service
unfwd() {
    # note: this kills every dnsmasq on the host, not only the one started by fwd
    pkill -9 dnsmasq
    ifconfig "$LAN" down
    echo 0 > /proc/sys/net/ipv4/ip_forward
    iptables -D FORWARD -i "$LAN" -j ACCEPT
    iptables -D FORWARD -o "$LAN" -j ACCEPT
    iptables -t nat -D POSTROUTING -o "$WAN" -j MASQUERADE
}

# calculate DHCPRANGE from LANIP
mkrange() {
    PRE=$(echo "$LANIP" | cut -d. -f-3)
    SUF=$(echo "$LANIP" | cut -d. -f4)
    DHCPRANGE="$PRE.$((SUF+1)),$PRE.253"
}

#--------
for arg in "$@"
do
    case "$arg" in
        # plain assignments instead of eval, so an argument is never run as code
        WAN=* )   WAN=${arg#WAN=} ;;
        LAN=* )   LAN=${arg#LAN=} ;;
        LANIP=* ) LANIP=${arg#LANIP=} ;;
        DHCPRANGE=* )
            DHCPRANGE=${arg#DHCPRANGE=}
            DHCPFLAG=true
            ;;
        -d )
            echo "deleting forwarding"
            DISABLE=true
            ;;
        -l )
            LIST=true
            ;;
        -v )
            VERBOSE=true
            ;;
        * )
            usage
            exit 0
            ;;
    esac
done

[ "$DHCPFLAG" ] || mkrange
[ "$VERBOSE" ] && listsettings
if [ "$LIST" ] ; then
    list
    exit 0
fi
if [ ! "$DISABLE" ] ; then
    fwd
else
    unfwd
fi
Do "yum -y install dnsmasq" before trying it.
You probably want something like:
do_forward WAN=wifi0 LAN=eth0
Also note that one of the firewall tools .... "Firewall Builder" I think will set up forwarding too.
system-config-firewall has the features you need.
Last edited by stevea; 6th December 2008 at 09:16 PM.
|
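A stricter variant of the forwarding rules in the script above, as an added example that is not part of stevea's post: the wired side may open connections outward, the wireless side may only send replies back, and the rules are inserted with -I so they sit ahead of the FORWARD REJECT rule mentioned earlier in the thread. The function names and the DRYRUN variable are assumptions of this example.

```shell
# Added example, not from the thread. valid_if, rule_specs, apply_rules and
# DRYRUN are names made up for this illustration.

# Interface names are passed to iptables unquoted below, so restrict them to
# a safe character set and the kernel's 15-character limit.
valid_if() {
    case $1 in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# rule_specs WAN LAN: print one rule per line as "table chain match... target"
rule_specs() {
    valid_if "$1" && valid_if "$2" && [ "$1" != "$2" ] || {
        echo "usage: rule_specs WAN LAN (two different interface names)" >&2
        return 2
    }
    # LAN may open connections outward; WAN may only answer them.
    echo "filter FORWARD -i $2 -o $1 -j ACCEPT"
    echo "filter FORWARD -i $1 -o $2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "nat POSTROUTING -o $1 -j MASQUERADE"
}

# apply_rules OP WAN LAN: OP is -I (insert at the top) or -D (delete).
# With DRYRUN=1 the commands are printed instead of run.
apply_rules() {
    case $1 in
        -I|-D) ;;
        *) echo "OP must be -I or -D" >&2; return 2 ;;
    esac
    op=$1
    specs=$(rule_specs "$2" "$3") || return 2
    printf '%s\n' "$specs" | while read -r table chain rest; do
        if [ "${DRYRUN:-0}" = 1 ]; then
            echo "iptables -t $table $op $chain $rest"
        else
            # $rest is split on purpose; it only holds validated names
            iptables -t "$table" "$op" "$chain" $rest || exit 1
        fi
    done
}
```

Run as root, `apply_rules -I wifi0 eth0` installs the rules and `apply_rules -D wifi0 eth0` removes them; ip_forward and the DHCP service on the wired side still have to be set up as in the script.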

7th December 2008, 02:58 PM
|
|
Registered User
|
|
Join Date: Apr 2008
Posts: 70

|
|
|
So I have found several resources that describe how to set up this IP masquerading stuff. But they are only concerned with the IPTables rules.
Call me picky, but I'm not entirely sure how to apply IPTables rules. I mean, don't get me wrong -- I can run a console "iptables [whatever]" command.
But that doesn't mean they'll work -- I have no clue if system-config-firewall is interfering or changing my iptables settings behind my back, or whether or not NetworkManager should manage my eth0 or not -- and whether that ignores any settings in /etc and in iptables.
In short, I lack an understanding of how Fedora's network components interact. That was why I was hopeful there was an easy way to do this that involved Network Manager and system-config-firewall -- they are the two user-facing places that I can configure these settings and know that at least they're doing something.
It would be wonderful if I could have a setup that let me set the masquerading rules (and I KNOW system-config-firewall has a section for this -- why can't I get the darn feature to work?) _and_ still let Network Manager manage my wireless and do its cool auto-magic voodoo.
My first idea was that I need to adopt the IP Masquerading rules into a sort of iptables script, which I could then add using the Custom Rules feature of system-config-firewall. But then, S-C-F has its own section for Masquerading (I just can't figure out how to use it), so that would be redundant.
And I'm still not sure whether Network Manager should manage the eth0 device or not (you can set this in System-Config-Network).
Any extra advice?
|

7th December 2008, 05:55 PM
|
|
Registered User
|
|
Join Date: Feb 2006
Posts: 780

|
|
Quote:
Originally Posted by twilightomni
So I have found several resources that describe how to set up this IP masquerading stuff.
|
If your Fedora host is connecting to an access point, then the AP is likely doing the masquerading already.
Assuming that;
-You'll have to assign an IP address to your fedora's ethernet interface.
-Assign an IP address to your xbox. Ask the xbox to use fedora's ethernet interface's IP address as its default gateway. (double genitive in previous sentence) I don't own or have ever accessed an xbox and can't tell you if that's in any way possible.
-Rearrange your iptables setup on the fedora host to allow IP forwarding. How you do that is up to you(r paranoia).
David
|

8th December 2008, 12:04 AM
|
 |
Registered User
|
|
Join Date: Apr 2006
Location: Ohio, USA
Posts: 8,302

|
|
|
David B - you've missed the point.
He needs to make his laptop act as a masquerade/forwarding router. The fact he *MAY* have another layer of masquerading router outboard of the router is completely irrelevant. Only a very few protocols like SIP cannot deliver behind two NAT routers but that's a secondary concern.
Twilightomni - you have a valid concern. I would suggest disabling *advanced* firewall features (not blocking) ON THE LAPTOP and only use port blocking. IF you have an outboard router then it should be doing the firewall-ing anyway.
98% of firewall protection is provided by preventing incoming TCP requests on all ports except for a few critical ones (ssh, whatever). NAT or masquerading allows a router to take an incoming request from the LAN-side and change the IP, revise the source port and re-write the checksum and send it on the WAN. If the NAT router receives a reply on the designated port, then it revises and forwards the packet to the LAN-side.
I really wouldn't be concerned about security of setting up your laptop as a NAT router (as the script does). It only causes a re-writing rule for outbound tcp connection requests.
Last edited by stevea; 8th December 2008 at 12:09 AM.
|

8th December 2008, 12:12 AM
|
 |
Registered User
|
|
Join Date: Apr 2006
Location: Ohio, USA
Posts: 8,302

|
|
|
Uhh - iptables is listed as a service - but it can only load rules at boot time. It isn't a real service - it's a one-time startup config program.
NO ONE is changing IP tables behind your back. You can explicitly change w/ iptables command or the various firewall utils.
|

8th December 2008, 08:47 AM
|
|
Registered User
|
|
Join Date: Feb 2006
Posts: 780

|
|
Quote:
Originally Posted by stevea
David B - you've missed the point.
|
Au contraire.
Quote:
Originally Posted by stevea
He needs to make his laptop act as a masquerade/forwarding router. The fact he *MAY* have another layer of masquerading router outboard of the router is completely irrelevant. Only a very few protocols like SIP cannot deliver behind two NAT routers but that's a secondary concern.
|
It's very relevant. The person in question has a hard time understanding what's going on. Masquerading doesn't seem to be required and setting it up would only, needlessly, introduce a misplaced learning curve.
The fedora system is connecting to a wireless node/access point. There's no complaints about the internet, or at least no complaints about the upstream connection not working. So there's already masquerading available, or it's not required.
The person in question is better served focusing on forwarding which IS required, while masquerading setup is NOT required and just makes things more difficult.
Then, there's a (somewhat serious) misconception taking place where this person, and possibly others, are under the impression that they have to setup some kind of "sharing" mechanism. The reason (plausible explanation) for this, is that, according to them, when they want to share an internet connection with several hosts, they have to setup masquerading (or Microsoft's ICS).
So now they want to "share" their wireless connection, so they think they need the equivalent of internet connection sharing, hence masquerading. The language/terminology is fooling them (Peirce where are you!??!?).
Masquerading is (typically) used to share a single IP address amongst multiple hosts. That's what's already taking place, or at least is a non-issue in this case. "Sharing" your wireless connection doesn't require sharing an IP address, unless your wireless interface has been assigned an official IP address and is acting as an internet gateway, which really doesn't seem to be the case/issue here.
Thinking "I got to *share* my wireless connection" has allowed this person to match the word "share" with stuff like "internet connection sharing" and through a (somewhat valid) association between "internet connection sharing" and "masquerading" this person is under the impression that he/she requires "masquerading". It's a false conclusion and stems, as I pointed out initially, from the term "sharing" which is Microsoft terminology, which works well for its marketing purposes, but is neither applicable here, nor is it allowing this person to see what he/she really needs, namely IP forwarding.
Sure, you can setup masquerading, tweak your selinux config and think about trusted platform modules, but that's not getting you closer to "sharing" your wireless connection.
I'd say, focus on the forwarding, that's what is required. Set up an IP address on Fedora's ethernet interface, do likewise on the xbox while making the xbox use Fedora's ethernet interface's IP address as the default gateway and activate IP forwarding on the Fedora host. stevea's script will likely get that done.
David
|

16th November 2009, 04:57 PM
|
|
Registered User
|
|
Join Date: Nov 2007
Posts: 8

|
|
|
Some of the things required:
- Set up a static IP address on the ethernet interface of the laptop
- Setting up a DHCP server to assign an address to the dhcp clients (the Xbox for example)
- Allow IP forwarding (disable the firewall to begin with)
There is a lot of information out there but none of them will probably describe the exact steps. So it will be a steep learning curve for the original poster anyway.
|

16th November 2009, 07:01 PM
|
 |
Registered User
|
|
Join Date: Jul 2009
Location: London,England
Posts: 1,095

|
|
Quote:
Originally Posted by hvdkooij
Some of the things required:
- Set up a static IP address on the ethernet interface of the laptop
- Setting up a DHCP server to assign an address to the dhcp clients (the Xbox for example)
- Allow IP forwarding (disable the firewall to begin with)
There is a lot of information out there but none of them will probably describe the exact steps. So it will be a steep learning curve for the original poster anyway.
|
The exact steps are simple, and do not involve disabling a firewall or setting up a separate dhcp server:
http://forums.fedoraforum.org/showpo...45&postcount=4
|

16th November 2009, 07:53 PM
|
 |
Registered User
|
|
Join Date: Nov 2008
Location: Canada
Posts: 2,050

|
|
|
Nice script stevea. Tks.
If the OP searches the forum, he'll find I walked mccoy through it using fedora's system-config-firewall, dhcpd, and networkmanager back in april or may. You're better off without nm but, if needed, you can use cnetworkmanager to avoid autologin.
|
Current GMT-time: 18:06 (Saturday, 25-05-2013)