Setup all the clients on the internal network to point to the Linux
internal IP address as their gateway.
(In windows right-click network neighbourhood->properties->gateway
then change it to the Linux gateway internal ip.)
Setup all the clients to use your ISP's HTTP proxy if they have one,
use a transparent proxy (WARNING - I've heard reports of transparent
proxying to be very slow on very big networks), or run squid on your
new linux gateway. (This is optional, but preferrable for large networks)
Now you should start securing it! First turn off forwarding in general:
"iptables -P FORWARD DROP", and then learn how to use
iptables and /etc/hosts.allow and
/etc/hosts.deny to secure your system. WARNING
- Don't try this mentioned iptables rule until you have the masquerading
working. You have to explicitely allow every packet through that you want
if you are going to set the last rule to be DENY.
(Undo with "iptables -P FORWARD ACCEPT")
Allow through any services you do want the internet to see.
For an example, to allow access to your web server do:
$>iptables -A INPUT --protocol tcp --dport 80 -j ACCEPT$>iptables -A INPUT --protocol tcp --dport 443 -j ACCEPT
To allow ident (For connecting to irc etc) do
$>iptables -A INPUT --protocol tcp --dport 113 -j ACCEPT
To test it:
Try connecting from a client to the web using an IP. Google's IP is
216.239.33.100 (well that's one of them) and you should be able to get a
reply from that. e.g. "ping 216.239.33.100"
"lynx 216.239.33.100".
Try a full out connection by name. e.g. "ping google.com"
"lynx google.com" or from Internet Explorer / netscape.
Where eth0 is the external Internet card, and 123.12.23.43 is the external
ip of that machine.