Routing Between Private Network And Broadband, Trying to set up a router
Loki
post Sep 1 2003, 10:22 AM
Post #1



Group: Members
Posts: 1
Joined: 1-September 03
Member No.: 1,362



My goal is to set up a router on a Linux box (Red Hat 8.0) between my connection to my university's ethernet (on eth0) and a private network consisting of the Linux box and a Windows XP box (on eth1). So far I've been attempting to use the Linux box as a DHCP server on the private subnet 192.168.1.0, with mixed results. Here's what I've gotten:

/sbin/ifconfig

eth0 Link encap:Ethernet HWaddr 00:80:C6:EA:47:44
inet addr:<four octets> Bcast:<four octets> Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:848338 errors:0 dropped:0 overruns:0 frame:0
TX packets:65357 errors:0 dropped:0 overruns:0 carrier:0
collisions:5831 txqueuelen:100
RX bytes:103295200 (98.5 Mb) TX bytes:9626692 (9.1 Mb)
Interrupt:11 Base address:0xa000

eth1 Link encap:Ethernet HWaddr 00:02:B3:B5:87:A9
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:42155 errors:0 dropped:0 overruns:19710 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:3252930 (3.1 Mb)
Interrupt:10 Base address:0xc000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:2804 errors:0 dropped:0 overruns:0 frame:0
TX packets:2804 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:685983 (669.9 Kb) TX bytes:685983 (669.9 Kb)

I don't know for sure, but I'm guessing that it should say "BROADCAST RUNNING" on eth1.

/etc/dhcp.conf

ddns-update-style ad-hoc;

group {

default-lease-time 600;
max-lease-time 7200;

subnet 192.168.1.0 netmask 255.255.255.0 {
option routers 192.168.1.1;
option subnet-mask 255.255.255.0;

option domain-name "example.com";
option domain-name-servers 192.168.1.1;

option time-offset -18000; # Eastern Standard Time

range 192.168.1.2 192.168.1.10;
}

# host achilles {
# hardware ethernet 00:E0:18:8C:0C:B4;
# fixed-address 192.168.1.2;
#}
}

As a newbie, that's about as far as I got.

Profuse thanks for any help.
hughesjr
post Sep 1 2003, 04:12 PM
Post #2



Group: Admin
Posts: 3,433
Joined: 25-July 03
From: Corpus Christi, TX, USA
Member No.: 1,151



I think you first need to check the file /etc/sysconfig/networking/devices/

I think it needs to say this:

DEVICE=eth1
BOOTPROTO=static
BROADCAST=192.168.1.255
IPADDR=192.168.1.1
NETMASK=255.255.255.0
NETWORK=192.168.1.0
ONBOOT=yes

----------------------------------------------
Next, edit your dhcp.conf...

Put this at the top of the file instead of ddns-update-style ad-hoc:

ddns-update-style interim;

Change the option domain-name "example.com"; to option domain-name "home.local"; ... or else you won't be able to go to the real example.com....

If you have set up your Linux box as a DNS server (with bind installed and running) then you can use option domain-name-servers 192.168.1.1; .... if you have not set up Bind, then use the DNS servers recommended by your ISP / college IT department...you can probably get the info from your current /etc/resolv.conf file.

Then issue the command:
touch /var/lib/dhcp/dhcpd.leases

Since you only have 1 subnet, you can get rid of the group option ... and make sure not to forward DHCP requests between cards: option ip-forwarding off;

HERE and HERE are 2 great resources...


----------------------------------------------
Next you need to turn on IP Forwarding between network cards:

edit the file /etc/sysctl.conf

you should see something like this:

# Disables packet forwarding
net.ipv4.ip_forward=1
# Enables source route verification
net.ipv4.conf.default.rp_filter = 1
# Disables the magic-sysrq key
kernel.sysrq = 0


If it is net.ipv4.ip_forward = 0
change it to net.ipv4.ip_forward = 1
----------------------------------------------------------
Now you need to set up IP Masquerade/NAT with iptables so you can route the info out of eth1 to eth0 and the internet:

This /etc/sysconfig/iptables file should do the trick:

*nat
:PREROUTING ACCEPT [1842551:488351110]
:POSTROUTING ACCEPT [30328:3118918]
:OUTPUT ACCEPT [0:0]
# Do IP Masquerade for the 192.168.1.0 network (eth1) as it leaves via eth0
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:REJECT-PKT - [0:0]
:SYN-FLOOD - [0:0]


######################################################################
# Allow all loopback interface traffic
-A INPUT -i lo -j ACCEPT

##############################################
# Use this to accept all traffic from eth1 ...
-A INPUT -i eth1 -j ACCEPT
##############################################

# Block Syn Flood attacks
-A INPUT -p tcp -m tcp --syn -j SYN-FLOOD

# Ensure that TCP connections start with syn packets
-A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP

# Allow session continuation traffic
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow ICMP ping requests
-A INPUT -p icmp -m icmp --icmp-type ping -j ACCEPT

# Allow selected TCP/IP and/or UDP services
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT



# Block all other TCP/IP and UDP traffic
-A INPUT -j REJECT-PKT

######################################################################
# Syn flood filtering chain
-A SYN-FLOOD -m limit --limit 1/s --limit-burst 4 -j RETURN
-A SYN-FLOOD -j DROP

######################################################################
# Chain used to reject all other TCP/IP, UDP and ICMP/PING packets
-A REJECT-PKT -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A REJECT-PKT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
-A REJECT-PKT -p icmp -m icmp --icmp-type ping -j REJECT --reject-with icmp-host-unreachable

COMMIT


In the above iptables, the only things allowed into the firewall are port 22, and sessions initiated from the inside, and ping.

If you want to allow other things in, then add them under the -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT line....


--------------------
Johnny Hughes
hughesjr@linuxhelp.net
Enterprise Alternatives: CentOS, WhiteBoxEL
Favorite Workstation Distros (in order): CentOS, Gentoo, Debian Sarge, Ubuntu, Mandrake, FedoraCore, Slackware, SUSE
Favorite Server Distros (in order): CentOS, WhiteBoxEL, Debian Sarge, Slackware, Mandrake, FedoraCore, Gentoo, SUSE
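The reply above walks through three files that must agree with each other for the box to route: sysctl.conf (forwarding on), dhcpd.conf (pool and gateway inside the LAN subnet) and the iptables nat table (MASQUERADE on the upstream interface, for the LAN subnet). The script below is an added example, not code from either poster, that audits those three files offline and reports the inconsistencies that most often leave a router silently dead. The sample file contents are constructed for the example (they mirror the thread's layout and deliberately contain forwarding off and a MASQUERADE rule on the wrong interface); the interface names `eth1` (LAN) and `eth0` (upstream) follow the thread. Assumed: the iptables file is in iptables-save/restore format and dhcpd.conf uses `subnet ... netmask ... { ... }` blocks.

```python
"""Audit a small Linux NAT router's configuration for common mistakes.
Added example (not the thread's own files or code)."""
import ipaddress
import re
import shlex

# Constructed sample inputs (not the posters' real files).
SYSCTL_CONF = """# Controls IP packet forwarding
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
"""

DHCPD_CONF = """ddns-update-style interim;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.1.0 netmask 255.255.255.0 {
  option routers 192.168.1.1;
  option subnet-mask 255.255.255.0;
  range 192.168.1.2 192.168.1.10;
}
"""

IPTABLES_RULES = """*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
"""


def sysctl_forwarding(text):
    """Return the configured net.ipv4.ip_forward value, or None if absent."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"net\.ipv4\.ip_forward\s*=\s*(\d+)", line)
        if m:
            return int(m.group(1))
    return None


def parse_dhcpd_subnets(text):
    """Collect network, 'option routers' and 'range' from each subnet block."""
    subnets = []
    for m in re.finditer(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", text, re.S):
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=True)
        body = m.group(3)
        routers = re.search(r"option\s+routers\s+([\d.]+)", body)
        rng = re.search(r"range\s+([\d.]+)\s+([\d.]+)", body)
        subnets.append({
            "network": net,
            "routers": ipaddress.ip_address(routers.group(1)) if routers else None,
            "range": (ipaddress.ip_address(rng.group(1)),
                      ipaddress.ip_address(rng.group(2))) if rng else None,
        })
    return subnets


def parse_masquerade_rules(text):
    """Return (source_network, out_interface) for every MASQUERADE rule in *nat."""
    rules, table = [], None
    for line in text.splitlines():
        if line.startswith("*"):                       # table header, e.g. *nat
            table = line[1:].strip()
            continue
        if table != "nat" or not line.startswith("-A"):
            continue
        argv = shlex.split(line)
        if "MASQUERADE" not in argv:
            continue
        src = out = None
        for i, tok in enumerate(argv):
            if tok == "-s":
                src = ipaddress.ip_network(argv[i + 1], strict=False)
            if tok == "-o":
                out = argv[i + 1]
        rules.append((src, out))
    return rules


def audit_router(sysctl_text, dhcpd_text, iptables_text, lan_if, wan_if):
    """Return human-readable findings; an empty list means the three files agree."""
    findings = []
    fwd = sysctl_forwarding(sysctl_text)
    if fwd != 1:
        findings.append(f"sysctl: net.ipv4.ip_forward is {fwd}; must be 1 to route "
                        f"between {lan_if} and {wan_if}")
    subnets = parse_dhcpd_subnets(dhcpd_text)
    if not subnets:
        findings.append("dhcpd: no subnet block found (check the braces)")
    for s in subnets:
        net = s["network"]
        if s["routers"] is None or s["routers"] not in net:
            findings.append(f"dhcpd: option routers {s['routers']} is not inside {net}")
        if s["range"] is None or not all(a in net for a in s["range"]):
            findings.append(f"dhcpd: range {s['range']} is not inside {net}")
    masq = parse_masquerade_rules(iptables_text)
    if not masq:
        findings.append("iptables: no MASQUERADE rule in the nat table")
    for src, out in masq:
        if out != wan_if:   # masquerading must happen on the upstream side
            findings.append(f"iptables: MASQUERADE rule leaves via {out}; it must use "
                            f"the upstream interface {wan_if} (-o {wan_if})")
        if src is not None and not any(src == s["network"] for s in subnets):
            findings.append(f"iptables: MASQUERADE source {src} matches no DHCP subnet")
    return findings


if __name__ == "__main__":
    for f in audit_router(SYSCTL_CONF, DHCPD_CONF, IPTABLES_RULES, "eth1", "eth0"):
        print("FINDING:", f)
```

Run against the constructed inputs it reports two findings (forwarding off, MASQUERADE on eth1 instead of eth0); with those two lines corrected it reports none. To audit a real box, read `/etc/sysctl.conf`, `/etc/dhcpd.conf` and `/etc/sysconfig/iptables` into the three text arguments instead of the constants.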