Difference between revisions of "Internet sharing"

From ArchWiki
Latest revision as of 20:47, 13 June 2016

This article explains how to share the internet connection from one machine to other(s).

Requirements

The machine acting as server needs an additional network device. That device requires a functional data link layer to the machine(s) that are going to receive internet access:

  • To share internet with several machines, a switch can provide the data link.
  • A wireless device can share access with several machines as well; see Software access point first for this case.
  • If you are sharing with only one machine, a crossover cable is sufficient. If one of the two computers' ethernet cards has MDI-X capability, a crossover cable is not necessary and a regular ethernet cable can be used. Running ethtool interface | grep MDI as root shows whether the card supports it.

Configuration

This section assumes that the network device connected to the client computer(s) is named net0 and the network device connected to the internet is named internet0.

Tip: You can rename your devices to this scheme using Udev#Setting static device names.

All configuration is done on the server computer, except for the final step, Assigning IP addresses to the client PC(s).

Static IP address

On the server computer, assign a static IPv4 address to the interface connected to the other machines. Its /24 subnet (the first three bytes of the address) must not overlap with the subnet of any other interface on the server, in particular the one on internet0, otherwise the kernel cannot route between the two.

# ip link set up dev net0
# ip addr add 192.168.123.100/24 dev net0 # arbitrary address

To have the static IP assigned at boot, you can use netctl.

Enable packet forwarding

Check the current packet forwarding settings:

# sysctl -a | grep forward

You will note that options exist for controlling forwarding per default, per interface, as well as separate options for IPv4/IPv6 per interface.

Enter this command to temporarily enable packet forwarding at runtime:

# sysctl net.ipv4.ip_forward=1
Tip: To enable packet forwarding selectively, use sysctl net.ipv4.conf.interface_name.forwarding=1 instead. The kernel decides per ingress interface, so enable it on every interface that receives packets which must be forwarded: net0 for the clients' traffic and internet0 for the replies coming back.
Warning: If the system uses systemd-networkd to control the network interfaces, a per-interface setting for IPv4 is not possible: systemd propagates any configured forwarding into a global (all interfaces) setting for IPv4. The advised work-around is to use a firewall to forbid forwarding again on selected interfaces. See the systemd.network(5) manual page for more information. The IPForward=kernel semantics introduced in systemd 220/221 to honour the kernel settings no longer apply.[1] [2]

Edit /etc/sysctl.d/30-ipforward.conf to make the previous change persistent after a reboot for all interfaces:

/etc/sysctl.d/30-ipforward.conf
net.ipv4.ip_forward=1
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1

Afterwards it is advisable to double-check that forwarding is enabled as required after a reboot. Keep in mind that enabling forwarding globally turns every interface into a router interface; the firewall rules in the next section are what restrict which traffic is actually forwarded. If you enable IPv6 forwarding as above, an equivalent ip6tables FORWARD policy is needed as well, because the IPv4 NAT rules below do not cover IPv6.
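The check above can be scripted. The following is an added example, not part of the ArchWiki page: it parses the output of sysctl -a and reports every interface on which the kernel will forward packets, then compares that against the interfaces you meant to route (net0 and internet0 here). The interface names and the SAMPLE_SYSCTL text are constructed for the example; on a real router pipe sysctl -a into audit_forwarding instead.

```shell
#!/bin/sh
# Added example, not part of the ArchWiki page: report which interfaces the
# kernel will actually forward packets for, parsed from `sysctl -a` output.
# Interface names (net0, internet0, wlan0) and SAMPLE_SYSCTL are constructed
# for this example; on a real router run:  sysctl -a | audit_forwarding net0 internet0

# forwarding_report: read `sysctl -a` lines on stdin, print "ipv4 <if>" or
# "ipv6 <if>" for every interface whose forwarding knob is 1. The knob
# net.ipv4.ip_forward is the same switch as net.ipv4.conf.all.forwarding,
# so it is folded into the "ipv4 all" entry.
forwarding_report() {
    awk '
        # e.g. "net.ipv4.conf.net0.forwarding = 1": $1 is the key, $NF the value
        $1 ~ /^net\.ipv[46]\.conf\..+\.forwarding$/ && $NF == 1 {
            fam = substr($1, 5, 4)                 # "ipv4" or "ipv6"
            ifc = $1
            sub(/^net\.ipv[46]\.conf\./, "", ifc)  # strip the prefix ...
            sub(/\.forwarding$/, "", ifc)          # ... and the suffix
            print fam, ifc
        }
        $1 == "net.ipv4.ip_forward" && $NF == 1 { print "ipv4 all" }
    ' | sort -u
}

# audit_forwarding IFACE...: exit 0 when IPv4 forwarding is on for every listed
# interface and no other interface (all/default/lo excluded) forwards at all;
# otherwise print what is wrong on stderr and exit 1. Because ip_forward=1
# switches the flag on for every interface, an unexpected entry usually means
# a wireless card or another uplink is routing traffic that only the firewall
# (if any) is holding back.
audit_forwarding() {
    report=$(forwarding_report)
    rc=0
    unexpected=$(printf '%s\n' "$report" | while read -r fam ifc; do
        [ -n "$ifc" ] || continue
        case " all default lo $* " in
            *" $ifc "*) ;;
            *) printf '%s %s\n' "$fam" "$ifc" ;;
        esac
    done)
    if [ -n "$unexpected" ]; then
        printf 'unexpected forwarding enabled: %s\n' "$unexpected" >&2
        rc=1
    fi
    for ifc in "$@"; do
        if ! printf '%s\n' "$report" | grep -qx "ipv4 $ifc"; then
            printf 'ipv4 forwarding missing on %s\n' "$ifc" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of `sysctl -a` output: ip_forward=1 has switched every
# IPv4 interface on, including a wireless card that was never meant to route.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.net0.forwarding = 1
net.ipv4.conf.internet0.forwarding = 1
net.ipv4.conf.wlan0.forwarding = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.net0.forwarding = 0
net.ipv6.conf.internet0.forwarding = 0
net.ipv6.conf.wlan0.forwarding = 0'

# Stand-alone demo on the sample:  sh thisfile.sh demo
# (flags wlan0 as forwarding unexpectedly and exits 1)
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_SYSCTL" | audit_forwarding net0 internet0
fi
```

On the sample the audit fails because wlan0 forwards too; that is exactly the situation the FORWARD rules in the next section have to handle, since the sysctl alone cannot express "route between net0 and internet0 only" once systemd-networkd or ip_forward has made the setting global.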

Enable NAT

Install the package iptables from the official repositories. Use iptables to enable NAT:

# iptables -t nat -A POSTROUTING -o internet0 -j MASQUERADE
# iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i net0 -o internet0 -j ACCEPT
Note: Of course, this also works with a mobile broadband connection (usually called ppp0 on the routing PC).

Read the iptables article for more information (especially saving the rules and applying them automatically on boot). Simple stateful firewall is also an excellent guide to iptables. Note that the built-in policy of the FORWARD chain is ACCEPT, in which case the two FORWARD rules above do not restrict anything and every interface with forwarding enabled is routed: set the policy of the FORWARD chain to DROP so that only the clients' traffic towards internet0 and the replies to it are forwarded.

Assigning IP addresses to the client PC(s)

If you are planning to regularly have several machines using the internet shared by this machine, then it is a good idea to install a DHCP server, such as dhcpd or dnsmasq. Then configure a DHCP client (e.g. dhcpcd) on every client PC.

Note: This is not an iptables guide. Inserting rules with iptables -I places them at the top of the chain, ahead of other rules that may be important; if you need to script an ON/OFF switch for this, use a custom chain with a jump placed carefully in the INPUT chain.

Incoming connections to UDP port 67 have to be allowed for the DHCP server. It is also necessary to allow incoming connections to UDP/TCP port 53 for DNS requests.

# iptables -I INPUT -p udp --dport 67 -i net0 -j ACCEPT
# iptables -I INPUT -p udp --dport 53 -s 192.168.123.0/24 -j ACCEPT
# iptables -I INPUT -p tcp --dport 53 -s 192.168.123.0/24 -j ACCEPT
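The NAT rules from Enable NAT and the DHCP/DNS rules just above are easier to keep correct as one rule set loaded with iptables-restore than as a series of iptables -A / -I commands. The following is an added example, not part of the ArchWiki page: it generates the complete IPv4 rule set for this setup, with the FORWARD policy set to DROP (the page's rules on their own leave it at ACCEPT), the client rules scoped to net0 through the custom chains the note above recommends, and a source-address match on the forwarded traffic so that clients cannot forward spoofed sources. The chain names SHARE_IN and SHARE_FWD and the gen_share_rules6 IPv6 counterpart are assumptions of this example; interface names and the subnet are passed as arguments.

```shell
#!/bin/sh
# Added example, not part of the ArchWiki page: emit an iptables-restore(8)
# rule set for sharing internet0 to clients on LAN_IF / LAN_SUBNET.
# Chain names SHARE_IN / SHARE_FWD are invented for this example.
#
# gen_share_rules INTERNET_IF LAN_IF LAN_SUBNET
#   gen_share_rules internet0 net0 192.168.123.0/24                     # print
#   gen_share_rules internet0 net0 192.168.123.0/24 | iptables-restore  # apply, as root
gen_share_rules() {
    inet_if=$1
    lan_if=$2
    lan_net=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rewrite the source address of everything leaving through the uplink.
-A POSTROUTING -o ${inet_if} -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
# Default-deny FORWARD: with the stock ACCEPT policy the two ACCEPT rules
# below would change nothing and every interface would be routed.
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SHARE_IN - [0:0]
:SHARE_FWD - [0:0]
# Single jumps: deleting them (or flushing the custom chains) switches
# sharing off without touching the rest of the rule set.
-A INPUT -i ${lan_if} -j SHARE_IN
-A FORWARD -j SHARE_FWD
# DHCP: the client's DISCOVER comes from 0.0.0.0, so only the interface
# (already matched by the jump above) can be used to scope it.
-A SHARE_IN -p udp --dport 67 -j ACCEPT
# DNS, only from addresses inside the shared subnet.
-A SHARE_IN -p udp -s ${lan_net} --dport 53 -j ACCEPT
-A SHARE_IN -p tcp -s ${lan_net} --dport 53 -j ACCEPT
# Replies to connections the clients opened, then new client -> uplink
# traffic; the -s match stops clients from forwarding spoofed sources.
-A SHARE_FWD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A SHARE_FWD -i ${lan_if} -o ${inet_if} -s ${lan_net} -j ACCEPT
# Everything else (new uplink -> LAN connections, LAN -> LAN via the
# router, traffic from any third interface) falls through to DROP.
COMMIT
EOF
}

# IPv6 counterpart for ip6tables-restore: there is no NAT here, the point is
# only to refuse to route IPv6 between interfaces if IPv6 forwarding was
# enabled in sysctl without IPv6 being set up for the clients deliberately.
gen_share_rules6() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Stand-alone use:  sh thisfile.sh internet0 net0 192.168.123.0/24 | iptables-restore
if [ "$#" -ge 3 ]; then
    gen_share_rules "$1" "$2" "$3"
fi
```

Loading the output with iptables-restore replaces the whole nat and filter tables, so run it on a machine whose other rules you have already merged into the heredoc (or use iptables-restore -n to append instead of replace); the iptables article covers how to have the result applied at boot.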

If you are not planning to use this setup regularly, you can manually add an IP to each client instead.

Manually adding an IP

Instead of using DHCP, on each client PC, add an IP address and the default route:

# ip addr add 192.168.123.201/24 dev eth0  # arbitrary address, must be in the same /24 as the server address above
# ip link set up dev eth0
# ip route add default via 192.168.123.100 dev eth0   # the server address from the beginning

Configure a DNS server for each client, see resolv.conf for details.

That's it. The client PC should now have Internet.

Troubleshooting

If you are able to connect the two PCs but cannot send data (for example, if the client PC makes a DHCP request to the server PC, the server PC receives the request and offers an IP to the client, but the client does not accept it, timing out instead), check that you do not have other Iptables rules interfering.

See also

  • Xyne's guide and scripts for launching a subnet with DHCP and DNS: http://xyne.archlinux.ca/notes/network/dhcp_with_dns.html
  • NetworkManager can be configured for internet sharing if used.