Questions and answers
Question: Suse 9 Route problem
Question
From: int21h (pc_lamer__at__abv< dot >bg) Date: 09/03/2004
My problem is the following... (now the more experienced users will
clutch their heads) :))

First let me say what I know... NOTHING!
I have had SuSE 9 for about 24 hours. I installed it because I got fed
up with reinstalling WinXP every few days.

So, to the problem...
The Internet comes in over the LAN. My computer has 2 LAN cards and
passes the connection on to 2 more computers (an internal network with
a switch). Or at least that is how it was while I had WinXP. Now,
however, I don't have the slightest idea how to set up SuSE to route.

Please don't give me ideas like "use such-and-such", because I neither
know how to find that such-and-such nor will I know how to use it.
If someone can tell me (and has the time to write it out) step by step
how to do it, I will be very grateful. And I'll buy a round, of course.
Well, a bit hard if you are not from Sofia. :)

I don't know about you, when you were starting with Linux, but I have
the feeling that I am turning from a specialist (programmer) into a
complete layman. Everything I knew is no longer of any use. It's as if
I am only now starting out. Maybe if I didn't realise how much I don't
know, I wouldn't be scared.

I don't know. Simply, if someone can help, let them do so. I will be
grateful.
My mail is pc_lamer@abv.bg if it is more convenient for you to help me
there.

Thanks in advance.



Answer #1
From: cynep (cynep__at__linuxmail__dot__org) Date: 09/03/2004
int21h, there was no need for so much explanation that you are new to
the Linux community; you should have given a bit more information about
how exactly your network is set up, with 1 real IP, or ... .
But I will now write how I think it should be done, in my opinion.

1. I assume both your LAN cards are recognised by SuSE 9. (ifconfig)

2. Now you first have to put the necessary IP addresses on your cards.
(ifconfig eth0 XXX.XXX.XXX.XX netmask 255.255.255.XXX). It is done the
same way for eth1.

3. You have to add a gateway (route add default gw XXX.XXX.XXX.XX eth0)

4. You also need to add a DNS server; you can do that in
/etc/resolv.conf .. on my machine this file looks like this:

 search localdomain
 nameserver XXX.XXX.X.X

5. The next step is a bit more complicated!!! iptables, this is the
actual routing. I don't know how it is on SuSE, but I think there should
be a file /etc/rc.local ... it is best to add there the following lines
that I will write for you now! Because after a restart these rules will
be read from there.

I assume your internal network is C-class, i.e. 192.168.0.0/24,
and it will need to be masqueraded behind the real IP.

So you add the following line:

 iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -j MASQUERADE


That is what you need, in my opinion!

Good luck ;)


Answer #2
From: Diado Mets Date: 09/03/2004
If you want to learn, dig into the documentation:

http://en.tldp.org/HOWTO/IP-Masquerade-HOWTO/
http://lartc.org/howto/

If you want the quicker procedure, use YaST to configure the network;
you should have it as an icon somewhere under System Tools.

I am not a fan of SuSE, so I leave it to Niki to comment in
detail :)



Answer #3
From: int21h (pc_lamer__at__abv__dot__bg) Date: 09/03/2004
Thanks a lot, I will try it and in any case I will post the result.

Not in time, but I will still give some info about the networks.
My external network is a normal local network of an average ISP. I have
an IP (192.168.0.67), mask (ff.ff.ff.0), DNS and GW (192.168.0.1).

The internal network (to which I want to pass the Internet) I have made
with IPs (192.168.1.x). My card has 192.168.1.1 and I am the GW for the
others, which are respectively 192.168.1.2 and 192.168.1.3.
For DNS I have again given them my IP on the internal network.

A bit more about the external one. All of us users have IPs of the type
192.168.0.x and go out to the net with one external IP, which has
nothing to do with 192.168.0.x.
If it matters, it was something like 82.70.64.190 (but I am not sure).



Answer #4
From: int21h (pc_lamer __@__ abv[ dot ]bg) Date: 09/03/2004
I did all of that, but there is still no Internet on the other
computers. When I ping a computer on the internal network, it replies.
A ping from a computer on the internal network to the Linux computer
also gets a reply. But there is no Internet.
ip forwarding is activated
I also did the thing with iptables
only the Internet is missing :))

Could I be missing something?! Some stupid thing, probably.
Just to say that the LAN card through which my Internet comes is eth0,
and the one to the internal network is eth1.

(Sorry for the Latin-letter Bulgarian, but I am writing this from Linux
and I don't yet know how to set up Cyrillic, and the green button
labelled PHO when writing a reply does nothing.)


Answer #5
From: Diado Mets Date: 09/03/2004
echo "1" > /proc/sys/net/ipv4/ip_forward
Did you run this?

For DNS on the internal machines, set the provider's DNS, not your own
machine's, on which most likely no DNS server is running.



Answer #6
From: Bozhidar (php_maniac< at >yahoo[ dot ]com) Date: 09/04/2004
Try this script. Put it in a file "rc.firewall-2.4", then put the file
in /etc/rc.d/ or wherever the equivalent of rc.local for SuSE is
located; after that run chmod 755 rc.firewall-2.4 to make it
executable. Open the file rc.local (or whichever file plays that role
on SuSE) and write in the path to the file (/etc/rc.d/rc.firewall-2.4).
Look through the script and adjust it for your system if necessary;
everything is well documented, but I advise you to also read the guides
mentioned in the others' answers; without them you will not get an idea
of what you are doing.

#!/bin/sh
#
# rc.firewall-2.4
FWVER=0.74
#
#               Initial SIMPLE IP Masquerade test for 2.4.x kernels
#               using IPTABLES.
#
#               Once IP Masquerading has been tested, with this simple
#               ruleset, it is highly recommended to use a stronger
#               IPTABLES ruleset either given later in this HOWTO or
#               from another reputable resource.
#
#
#
# Log:
#       0.74 - the ruleset now uses modprobe vs. insmod
#       0.73 - REJECT is not a legal policy yet; back to DROP
#       0.72 - Changed the default block behavior to REJECT not DROP
#       0.71 - Added clarification that PPPoE users need to use
#              "ppp0" instead of "eth0" for their external interface
#       0.70 - Added commented option for IRC nat module
#            - Added additional use of environment variables
#            - Added additional formatting
#       0.63 - Added support for the IRC IPTABLES module
#       0.62 - Fixed a typo on the MASQ enable line that used eth0
#              instead of $EXTIF
#       0.61 - Changed the firewall to use variables for the internal
#              and external interfaces.
#       0.60 - 0.50 had a mistake where the ruleset had a rule to DROP
#              all forwarded packets but it didn't have a rule to ACCEPT
#              any packets to be forwarded either
#            - Load the ip_nat_ftp and ip_conntrack_ftp modules by default
#       0.50 - Initial draft
#

echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"


# The location of the iptables and kernel module programs
#
#   If your Linux distribution came with a copy of iptables,
#   most likely all the programs will be located in /sbin.  If
#   you manually compiled iptables, the default location will
#   be in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
IPTABLES=/sbin/iptables
#IPTABLES=/usr/local/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe


#Setting the EXTERNAL and INTERNAL interfaces for the network
#
#  Each IP Masquerade network needs to have at least one
#  external and one internal network.  The external network
#  is where the natting will occur and the internal network
#  should preferably be addressed with a RFC1918 private address
#  scheme.
#
#  For this example, "eth0" is external and "eth1" is internal"
#
#
#  NOTE:  If this doesn't EXACTLY fit your configuration, you must
#         change the EXTIF or INTIF variables above. For example:
#
#            If you are a PPPoE or analog modem user:
#
#               EXTIF="ppp0" 
#
#
EXTIF="eth0"
INTIF="eth2"
echo "   External Interface:  $EXTIF"
echo "   Internal Interface:  $INTIF"


#======================================================================
#== No editing beyond this line is required for initial MASQ testing ==


echo -en "   loading modules: "

# Need to verify that all modules have all required dependencies
#
echo "  - Verifying that all kernel modules are ok"
$DEPMOD -a

# With the new IPTABLES code, the core MASQ functionality is now either
# modular or compiled into the kernel.  This HOWTO shows ALL IPTABLES
# options as MODULES.  If your kernel is compiled correctly, there is
# NO need to load the kernel modules manually.
#
#  NOTE: The following items are listed ONLY for informational reasons.
#        There is no reason to manual load these modules unless your
#        kernel is either mis-configured or you intentionally disabled
#        the kernel module autoloader.
#

# Upon the commands of starting up IP Masq on the server, the
# following kernel modules will be automatically loaded:
#
# NOTE:  Only load the IP MASQ modules you need.  All current IP MASQ
#        modules are shown below but are commented out from loading.
# ===============================================================

echo "----------------------------------------------------------------------"

#Load the main body of the IPTABLES module - "iptable"
#  - Loaded automatically when the "iptables" command is invoked
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_tables, "
$MODPROBE ip_tables


#Load the IPTABLES filtering module - "iptable_filter"
#  - Loaded automatically when filter policies are activated


#Load the stateful connection tracking framework - "ip_conntrack"
#
# The conntrack  module in itself does nothing without other specific
# conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
# module
#
#  - This module is loaded automatically when MASQ functionality is
#    enabled
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_conntrack, "
$MODPROBE ip_conntrack


#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_ftp, "
$MODPROBE ip_conntrack_ftp


#Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_irc, "
$MODPROBE ip_conntrack_irc


#Load the general IPTABLES NAT code - "iptable_nat"
#  - Loaded automatically when MASQ functionality is turned on
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "iptable_nat, "
$MODPROBE iptable_nat


#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_nat_ftp, "
$MODPROBE ip_nat_ftp


#Loads the IRC NAT functionality into the core IPTABLES code
# Require to support NAT of IRC DCC requests
#
# Disabled by default -- remove the "#" on the next line to activate
#
#echo -e "ip_nat_irc"
#$MODPROBE ip_nat_irc

echo "----------------------------------------------------------------------"

# Just to be complete, here is a list of the remaining kernel modules
# and their function.  Please note that several modules should be only
# loaded by the correct master kernel module for proper operation.
# --------------------------------------------------------------------
#
#    ipt_mark       - this target marks a given packet for future action.
#                     This automatically loads the ipt_MARK module
#
#    ipt_tcpmss     - this target allows to manipulate the TCP MSS
#                     option for braindead remote firewalls.
#                     This automatically loads the ipt_TCPMSS module
#
#    ipt_limit      - this target allows for packets to be limited to
#                     to many hits per sec/min/hr
#
#    ipt_multiport  - this match allows for targets within a range
#                     of port numbers vs. listing each port individually
#
#    ipt_state      - this match allows to catch packets with various
#                     IP and TCP flags set/unset
#
#    ipt_unclean    - this match allows to catch packets that have invalid
#                     IP/TCP flags set
#
#    iptable_filter - this module allows for packets to be DROPped,
#                     REJECTed, or LOGged.  This module automatically
#                     loads the following modules:
#
#                     ipt_LOG - this target allows for packets to be
#                               logged
#
#                     ipt_REJECT - this target DROPs the packet and returns
#                                  a configurable ICMP packet back to the
#                                  sender.
#
#    iptable_mangle - this target allows for packets to be manipulated
#                     for things like the TCPMSS option, etc.

echo -e "   Done loading modules.\n"



#CRITICAL:  Enable IP forwarding since it is disabled by default since
#
#           Redhat Users:  you may try changing the options in
#                          /etc/sysconfig/network from:
#
#                       FORWARD_IPV4=false
#                             to
#                       FORWARD_IPV4=true
#
echo "   Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward


# Dynamic IP users:
#
#   If you get your IP address dynamically from SLIP, PPP, or DHCP,
#   enable this following option.  This enables dynamic-address hacking
#   which makes the life with Diald and similar programs much easier.
#
echo "   Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr


# Enable simple IP forwarding and Masquerading
#
#  NOTE:  In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
#
#  NOTE #2:  The following is an example for an internal LAN address in the
#            192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask
#            connecting to the Internet on external interface "eth0".  This
#            example will MASQ internal traffic out to the Internet but not
#            allow non-initiated traffic into your internal network.
#
#
#         ** Please change the above network numbers, subnet mask, and your
#         *** Internet connection interface name to match your setup
#         


#Clearing any previous configuration
#
#  Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
#    The default for FORWARD is DROP (REJECT is not a valid policy)
#
echo "   Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo "   FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo -e "\nrc.firewall-2.4 v$FWVER done.\n"
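

An added example, not part of any post in this thread: a POSIX shell check of whether a MASQUERADE rule in an iptables-save style dump actually covers a forwarded host. It contrasts the source-matched rule from answer #1 (192.168.0.0/24, which is the external LAN according to answer #3) with the interface-matched rule from the script in answer #6, for the internal host 192.168.1.2 leaving through eth0. The function names and both rule dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example; the dumps below are constructed from the thread's addresses.

# Dotted quad -> integer. The subshell body keeps the IFS change local.
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr IP NET[/BITS]: succeeds when IP lies inside the network.
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32        # bare address, no prefix length
    mask=$(( (4294967295 << (32 - $bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & $mask )) -eq $(( $(ip_to_int "$net") & $mask )) ]
}

# masq_covers DUMP HOST_IP OUT_IF: succeeds when a POSTROUTING MASQUERADE rule
# in the iptables-save text matches HOST_IP leaving through OUT_IF.
# Only -s and -o are interpreted; negated ("!") matches are not handled.
masq_covers() {
    dump=$1; host=$2; out=$3
    while read -r rule; do
        case $rule in
            "-A POSTROUTING "*"-j MASQUERADE"*) ;;
            *) continue ;;
        esac
        src=0.0.0.0/0; oif=$out          # an absent match means "any"
        set -- $rule
        while [ $# -gt 1 ]; do
            case $1 in -s) src=$2 ;; -o) oif=$2 ;; esac
            shift
        done
        [ "$oif" = "$out" ] && in_cidr "$host" "$src" && return 0
    done <<EOF
$dump
EOF
    return 1
}

# Constructed excerpts: the rule from answer #1, then the script's rule.
DUMP_ANSWER1='-A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE'
DUMP_ANSWER6='-A POSTROUTING -o eth0 -j MASQUERADE'

for d in "$DUMP_ANSWER1" "$DUMP_ANSWER6"; do
    if masq_covers "$d" 192.168.1.2 eth0; then echo "covered:     $d"
    else echo "NOT covered: $d"; fi
done
```

On a live gateway the first argument would be the output of `iptables-save -t nat`; a host that is forwarded but not covered leaves the external interface with its private source address, so replies never find their way back.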


