IP Masquerading HOWTO
This is a brief description of how to set up an NSLU2 as a router with IP Masquerading (NAT router). You need an NSLU2 and a second Ethernet device (see EthernetAdapter).
It's tested with the official Unslung 5.5 Image and a D-Link DUB-E100 (without any additional flash/disk attached).
1. You need an NSLU2 with an Unslung firmware (see UpSlug2). Enable Telnet (see EnableTelnetThroughTheWebInterface) and log in. Installing an SSH server is probably a good idea (e.g. UseDropBearForRemoteAccess). Don't forget to change the root password (see ChangePasswordsFromTheCommandLine).
2. Make sure you have enough space. If you use a USB stick or USB disk as the root filesystem this should be no problem. Otherwise you can delete some unnecessary stuff.
3. Install the module for your USB Ethernet adapter. In this case:
4. Load the module and configure your card:
insmod ax8817x
ifconfig eth0 192.168.X.X up
5. Now we need iptables and some kernel modules:
ipkg-cl install iptables
ipkg-cl install kernel-module-ip-tables
ipkg-cl install kernel-module-iptable-filter
ipkg-cl install kernel-module-ip-conntrack
ipkg-cl install kernel-module-iptable-nat
6. We also need two additional modules called ipt_MASQUERADE.o and ipt_state.o. They are currently not in the ipkg repository for Unslung, but there are two ways to get them:
ipkg-cl install kernel-module-ipt-masquerade_2.4.22.l2.3r63-r7_nslu2.ipk
ipkg-cl install kernel-module-ipt-state_2.4.22.l2.3r63-r7_nslu2.ipk
7. Now we can set up an iptables script. I named it
The LAN device is the built-in Intel Ethernet card (ixp0). The outbound device is the USB Ethernet card (eth0).
#! /bin/sh

# Load all modules
insmod ip_tables
insmod iptable_filter
insmod ip_conntrack
insmod iptable_nat
insmod ipt_state
insmod ipt_MASQUERADE

# Interfaces
LAN=ixp0
WLAN=eth0

# Set IP-Forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

# Clear all chains
iptables -F
iptables -F -t nat

# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out the outside interface
# (-o $WLAN) which says to masquerade the connection
# (-j MASQUERADE)
iptables -t nat -A POSTROUTING -o $WLAN -j MASQUERADE

# Create chain which blocks new connections, except if coming from inside.
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! $WLAN -j ACCEPT
# Logging is turned off
#iptables -A block -j LOG --log-ip-options
iptables -A block -j DROP

# Jump to that chain from INPUT and FORWARD chains.
iptables -A INPUT -j block
iptables -A FORWARD -j block
Add the following line to the end of the script to fix MTU issues (thanks to ShadowJK from #nslu2-general for figuring this out for me). Also see http://ramblingfoo.blogspot.com/2007/11/lesson-relearned-when-linux-networking.html
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
In addition, you will need to install the kernel-module-ipt-tcpmss or kernel-module-xt-tcpmss package and load the module for this to work.
I was having weird NAT problems: I could ping and access www.google.com, and I could ping www.yahoo.com, but when I tried to access www.yahoo.com in a browser it would just hang waiting for a response. The above rule fixed it.
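The script above has no error handling, so if one of the modules (ipt_state, ipt_MASQUERADE, the TCPMSS module) fails to load, the rule that needs it is silently skipped. The following check is an added example, not part of this HOWTO: it reads iptables-save output and reports which of the expected rules (masquerade, the block chain, the MSS clamp) are actually present. Interface names are assumptions copied from the script (LAN=ixp0, WLAN=eth0), and the sample dump is constructed in iptables-save layout.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: audit iptables-save output for the
# rules the masquerading script is expected to leave in the kernel, so a module
# that failed to load (and silently dropped its rule) is noticed.
# Interface names are assumptions copied from the script (LAN=ixp0, WLAN=eth0).
WLAN=eth0
LAN=ixp0

# check DESCRIPTION PATTERN...: pass when one line of $dump matches every pattern
check() {
    desc=$1; shift; hits=$dump
    for pat in "$@"; do
        hits=$(printf '%s\n' "$hits" | grep -e "$pat" || true)
    done
    if [ -n "$hits" ]; then echo "ok:      $desc"; else echo "MISSING: $desc"; rc=1; fi
}

# check_rules: reads iptables-save output on stdin, prints one line per expected
# rule and returns 0 only when all of them are present.
check_rules() {
    dump=$(cat); rc=0
    check "masquerade traffic leaving $WLAN" "^-A POSTROUTING " "-o $WLAN " "-j MASQUERADE"
    check "replies to existing connections accepted" "^-A block " "--state RELATED,ESTABLISHED" "-j ACCEPT"
    check "new connections accepted only when not from $WLAN" "^-A block " "! -i $WLAN " "--state NEW" "-j ACCEPT"
    check "anything else dropped" "^-A block -j DROP"
    check "INPUT hooked to block" "^-A INPUT -j block"
    check "FORWARD hooked to block" "^-A FORWARD -j block"
    check "TCP MSS clamped to path MTU" "^-A FORWARD " "--tcp-flags SYN,RST SYN" "--clamp-mss-to-pmtu"
    return $rc
}

# Constructed sample in iptables-save layout, as the script plus the MSS rule would leave it.
SAMPLE_DUMP='*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*mangle
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*filter
:block - [0:0]
-A INPUT -j block
-A FORWARD -j block
-A block -m state --state RELATED,ESTABLISHED -j ACCEPT
-A block ! -i eth0 -m state --state NEW -j ACCEPT
-A block -j DROP
COMMIT'

# On the router itself run: iptables-save | check_rules
printf '%s\n' "$SAMPLE_DUMP" | check_rules
```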
Make Startup Scripts
This section will be added later