6.2. Connecting to the Internet

If your GNU/Linux host is part of a local network, then no further work is required. If it is connected to the Internet directly through a modem, then you will have to configure the firewall both to perform address translation and to accept the iPAQ connection.

Firewall setup is very site-dependent. As a guideline, I provide the following /etc/sysconfig/iptables script, which works on the RedHat distribution (it can be adapted to other distributions too):

# iptables config file used by /etc/init.d/iptables
# Authors: Benoit PAPILLAULT & Philippe LUCAS
# Creation: 11/07/2002
# Modified by Michel STEMPIN for USB network

# default policies are not reset before the lines in this file are executed
# by default a packet goes either to the INPUT chain or to the FORWARD chain
#
*filter
# INPUT chain
-P INPUT	DROP
-A INPUT	-i lo -j ACCEPT
-A INPUT	-i usb0 -j ACCEPT
-A INPUT	-m state --state ESTABLISHED,RELATED -j ACCEPT
#
# list of ports that are allowed by default
-A INPUT	-p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT	-p tcp -m tcp --dport 80 -j ACCEPT
#
# send all other packets to syslog
-A INPUT	-j LOG --log-prefix "FIREWALL "
#
# FORWARD chain
-P FORWARD	DROP
-A FORWARD	-i usb0 -j ACCEPT
-A FORWARD	-m state --state ESTABLISHED,RELATED -j ACCEPT
#
# OUTPUT chain
-P OUTPUT	ACCEPT
COMMIT
#
*nat
# PREROUTING chain
-P PREROUTING	ACCEPT
#
# POSTROUTING chain
-P POSTROUTING	ACCEPT
-A POSTROUTING	-o lo -j ACCEPT
-A POSTROUTING	-o usb0 -j ACCEPT
# the SNAT line will be added by the right pppd
# (the one connected to the Internet)
# (newer iptables releases write this negation as "! -d" instead of "-d !")
-A POSTROUTING	-s 192.168.1.0/24 -d ! 192.168.1.0/24 -j MASQUERADE
#
# OUTPUT chain
-P OUTPUT	ACCEPT
COMMIT

You may have to adapt this simple script to your needs, since a firewall configuration is built from rule chains that are processed in order. The general idea is to allow traffic between the iPAQ and the GNU/Linux host, and to forward traffic from the iPAQ to the external world while translating its source address so that it appears to come from the host. For more information, I suggest you read the Firewall and Proxy Server HOWTO and the Linux IP Masquerade HOWTO.

Warning

This firewall configuration is very basic and does not provide a bulletproof (although reasonable) setup for your machine. You should really consider writing your own, based on your particular needs.

On the RedHat distribution, you will need to restart the firewall by typing:

# service iptables restart

For other distributions, this is probably something close to:

# /etc/rc.d/init.d/iptables restart

When everything is fine, you should be able to "ping" the iPAQ from the GNU/Linux host, and the other way around. On the GNU/Linux host (press Ctrl-C to stop):

bash# ping 192.168.1.101
PING 192.168.1.101 (192.168.1.101) from 192.168.1.100 : 56(84) bytes of data.
64 bytes from 192.168.1.101: icmp_seq=0 ttl=255 time=2.187 msec
64 bytes from 192.168.1.101: icmp_seq=1 ttl=255 time=1.422 msec
64 bytes from 192.168.1.101: icmp_seq=2 ttl=255 time=1.236 msec
64 bytes from 192.168.1.101: icmp_seq=3 ttl=255 time=1.050 msec

--- 192.168.1.101 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/mdev = 1.050/1.473/2.187/0.434 ms

On the iPAQ:

# ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100): 56 data bytes
64 bytes from 192.168.1.100: icmp_seq=0 ttl=255 time=1.6 ms
64 bytes from 192.168.1.100: icmp_seq=1 ttl=255 time=0.8 ms
64 bytes from 192.168.1.100: icmp_seq=2 ttl=255 time=1.5 ms

--- 192.168.1.100 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.8/1.3/1.6 ms

One last thing to do is to declare your DNS (Domain Name Servers) on the iPAQ. The best way is probably to copy or mimic the /etc/resolv.conf file from your GNU/Linux host machine. I suggest entering them on the iPAQ with:

# echo "nameserver first_name_server" >> /etc/resolv.conf
# echo "nameserver second_name_server" >> /etc/resolv.conf

You should now be able to "ping" by its name any machine on the Internet that you know is responding to such requests.

If you are able to "ping" the GNU/Linux host, but not the rest of the world, this may be due to the ip_forward mechanism not being enabled. Try re-inserting the iPAQ or re-launching the ipaqnet script.
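The three conditions the forwarding path above depends on (ip_forward switched on, the FORWARD chain accepting usb0, and the POSTROUTING MASQUERADE rule) can be checked mechanically when the iPAQ reaches the host but nothing beyond it. The following script is an added example, not part of this HOWTO, and assumes the addressing used above: usb0 is the iPAQ link and 192.168.1.0/24 the USB subnet. It inspects a sysctl value and an iptables-save dump passed in as strings, so it runs offline on the constructed sample below and on the real host with --live (as root).

```shell
#!/bin/sh
# Added check for the usb0/iPAQ NAT path described in this section (not part of the HOWTO).
# Assumes the HOWTO's addressing: usb0 is the iPAQ link, 192.168.1.0/24 the USB subnet.
IPAQ_IF="usb0"
LAN_RE='192\.168\.1\.0/24'   # regex form of the subnet used in the iptables script

# ip_forward_enabled VALUE: true when the sysctl value (the contents of
# /proc/sys/net/ipv4/ip_forward) is "1"
ip_forward_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# has_masquerade DUMP: true when an iptables-save dump contains the
# POSTROUTING MASQUERADE rule for the USB subnet
has_masquerade() {
    printf '%s\n' "$1" | grep -q "^-A POSTROUTING -s $LAN_RE .*-j MASQUERADE"
}

# has_forward_accept DUMP: true when packets arriving on usb0 may be forwarded
has_forward_accept() {
    printf '%s\n' "$1" | grep -q "^-A FORWARD -i $IPAQ_IF -j ACCEPT"
}

# check_nat_path IPFWD DUMP: reports each condition; returns 0 only if all hold.
check_nat_path() {
    _rc=0
    if ip_forward_enabled "$1"; then echo "ok:   ip_forward=1"
    else echo "FAIL: ip_forward=0 (echo 1 > /proc/sys/net/ipv4/ip_forward)"; _rc=1; fi
    if has_forward_accept "$2"; then echo "ok:   FORWARD accepts $IPAQ_IF"
    else echo "FAIL: no '-A FORWARD -i $IPAQ_IF -j ACCEPT' rule"; _rc=1; fi
    if has_masquerade "$2"; then echo "ok:   POSTROUTING masquerades the USB subnet"
    else echo "FAIL: no MASQUERADE rule for the USB subnet"; _rc=1; fi
    return $_rc
}

# Constructed sample dump: forwarding rule present, NAT rule missing.
SAMPLE_DUMP='*filter
-A FORWARD -i usb0 -j ACCEPT
COMMIT'

if [ "${1:-}" = "--live" ]; then      # real host: needs root for iptables-save
    check_nat_path "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables-save)"
    exit $?
fi
check_nat_path "1" "$SAMPLE_DUMP" || echo "(sample dump is incomplete, as expected)"
```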