unomateo

asked on

basic linux firewall configuration

I have a Red Hat 6.1 computer with 2 network cards in it. I have a cable modem with a static IP. My normal configuration for internet access is IP: 24.5.216.13, DG: 24.5.216.1. So on the computer with the firewall I set the first card with that IP, then on the second card (eth1) I am using 192.168.1.1.
From the firewall computer I can ping the internet and my computer with the 192.168 IP number (192.168.1.2 / Win 98 machine).
From the Win98 machine I can ping the 192.168.1.1 IP and I can ping the 24.5.216.13 IP for eth0, but I can't ping 24.5.216.1 (default gateway).

  24.5.216.13             192.168.1.1
                  \                /
Internet_ _ \|firewall|/_ _ _ Win98
             
Does that help?
I have IP_forwarding turned on (1)
I think the problem lies in the default gateway setting for the win98 machine? Do I tell it 24.5.216.13 or 192.168.1.1?
or do I use the default gateway from my ISP 24.5.216.1?

Thanks Matt          

mzehner

You set your default gateway on the windows machine to 192.168.1.1.  You also need to make sure your routing tables in the Linux computer are set up properly.
route add -net 24.5.216.0 netmask 255.255.255.0 gw 24.5.216.13 dev eth0
route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1 dev eth1
Also make sure your default gateway for the Linux box is 24.5.216.1. You can easily set this up with "netconfig" or "linuxconf".

You can set all this up in "linuxconf" or "netconfig" but you may want to enter them manually using the route command above until you are sure you have it correct.  You may use the "route" command to see the current contents of your routing tables.

Also, when you have it working right, configure it using netconfig or linuxconf, or add the following to your "/etc/sysconfig/static-routes" file:
eth0 net 24.5.216.0 netmask 255.255.255.0 gateway 24.5.216.13
eth1 net 192.168.1.0 netmask 255.255.255.0 gateway 192.168.1.1

My answer assumes your netmask on both networks is 255.255.255.0. Also, you may want to consider using ipchains to set up some packet filtering firewall rules to increase your security. Also, have you considered using IP masquerading?
If you only have a single static IP you have to use IP Masquerade on the Linux box; IP forwarding won't work. Take a look at the IP Masquerade HOWTO for an explanation of why you need it, what it does, and how to do it (http://www.redhat.com/mirrors/LDP/HOWTO/IP-Masquerade-HOWTO.html).

You don't need to futz with the routing tables. They are already correct for Internet access, and the 192.168.1.0/24 network is in the routing table already simply because any locally attached network is automatically reachable. However, mzehner is correct in that the default gateway for any hosts on the inside network is the IP of the inside NIC of the Linux box (192.168.1.1).
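The point the replies above make about the Win98 default gateway comes down to one check: a host can only use a gateway that sits on its own subnet, because it has to ARP for it directly. The following script is an added example and not part of the thread; it takes the addresses from the question, assumes /24 masks on both networks (as mzehner's answer does), and reports which of the three candidate gateways the Win98 box at 192.168.1.2 could actually reach.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a candidate default
# gateway is on the same link as the host. Addresses are the ones from the
# question; the 255.255.255.0 masks are an assumption.

# Convert a dotted-quad IPv4 address to an integer.
ip2int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# gateway_on_link HOST_IP NETMASK GATEWAY
# Exit 0 if the gateway shares the host's subnet (the host can ARP for it
# and use it as a next hop), 1 otherwise.
gateway_on_link() {
    h=$(ip2int "$1")
    m=$(ip2int "$2")
    g=$(ip2int "$3")
    [ $(( h & m )) -eq $(( g & m )) ]
}

# pick_gateway HOST_IP NETMASK GATEWAY...
# Print a verdict for each candidate gateway the question considers.
pick_gateway() {
    host=$1
    mask=$2
    shift 2
    for gw in "$@"; do
        if gateway_on_link "$host" "$mask" "$gw"; then
            echo "$gw: on-link, usable as default gateway for $host"
        else
            echo "$gw: not on-link, $host cannot ARP for it"
        fi
    done
}

# The Win98 box and the three gateways discussed in the thread.
pick_gateway 192.168.1.2 255.255.255.0 192.168.1.1 24.5.216.13 24.5.216.1
```

Only 192.168.1.1 comes out as on-link; 24.5.216.13 and the ISP gateway 24.5.216.1 live on the other side of the Linux box, which is why the Linux box itself (with eth0 on 24.5.216.0/24) can use 24.5.216.1 as its default gateway while the Win98 machine cannot.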

ASKER

One question about the connection to my hub.
Before, when the cable modem went straight to my hub, the uplink light was lit.
Now when I go through the firewall computer it isn't (cable to the firewall, then out the ethernet card with 192.168, then to the hub).
Is this a problem also?
Maybe, maybe not. Since I don't know what hub you've got, I don't know if it has an "Uplink port". Such a port has built-in cross-over wiring and is used to connect the hub to another hub or router. Other equipment shouldn't be connected to the "Uplink port" as you'd have to use a cross-over cable to do so. It seems to me that I've seen a smart hub that could automatically sense whether it needed to use a cross-over configuration for either the first or last port, and would light the "Uplink" light if it did so. Check the docs for your hub and see what it's supposed to do.
Considering the gateway for the real Internet network should be seen to get access through, you should tell them about IP address 192.168.1.1. That's the only IP they can see on that machine. Actually if they could see the real IP addresses a gateway wouldn't be needed. :)
"Before, when the cable modem went straight to my hub, the uplink light was lit.
Now when I go through the firewall computer it isn't." That means the modem uses a crossover port, so that the user can use a straight cable to connect directly to an ethernet device; you must use a crossover cable to connect it to a hub.
ASKER CERTIFIED SOLUTION
j2

This solution is only available to members.
Also, "I have IP_forwarding turned on (1)": that isn't enough, that just enables it. You also must give it "rules" with ipchains for it to work. If you do not have ipchains installed, it is available on your RH CD, or from www.rustcorp.com
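Two of the replies above (the one pointing at the IP Masquerade HOWTO and j2's note that enabling ip_forward is not enough by itself) both come down to an ipchains ruleset that masquerades the inside network behind the single static address. The script below is an added example, not from the thread, the HOWTO or Red Hat. It uses the interface names and addresses from the question; the policy choices (deny forwarding by default, drop inbound TCP connection attempts on eth0, log spoofed private sources) are assumptions for a single-host home firewall. By default it only prints the commands it would run, so it can be reviewed anywhere; run it as root with APPLY=1 on the Red Hat 6.x box to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): minimal ipchains masquerading
# firewall for the two-NIC layout in the question. Interface names and
# addresses come from the question; the filtering policy is an assumption.
# Prints commands by default; APPLY=1 executes them (2.2 kernel, as root).

EXT_IF=eth0
INT_IF=eth1
INT_NET=192.168.1.0/24

# run CMD...: execute the command when APPLY=1, otherwise print it.
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

firewall_rules() {
    # Masquerading helper for FTP, which embeds addresses in the payload.
    run modprobe ip_masq_ftp

    # Start from a clean slate: flush rules, set default policies.
    # Forwarding is denied unless a rule below explicitly allows it.
    run ipchains -F
    run ipchains -P input ACCEPT
    run ipchains -P output ACCEPT
    run ipchains -P forward DENY

    # Anti-spoofing: packets claiming a private source address must never
    # arrive on the outside interface. Log them (-l) so they show in syslog.
    run ipchains -A input -i "$EXT_IF" -s "$INT_NET" -j DENY -l
    run ipchains -A input -i "$EXT_IF" -s 10.0.0.0/8 -j DENY -l
    run ipchains -A input -i "$EXT_IF" -s 172.16.0.0/12 -j DENY -l
    run ipchains -A input -i "$EXT_IF" -s 127.0.0.0/8 -j DENY -l

    # Drop unsolicited TCP connection attempts (SYN only, -y) from the
    # Internet. Replies to connections opened from inside are unaffected.
    run ipchains -A input -i "$EXT_IF" -p tcp -y -j DENY -l

    # Forward and masquerade traffic from the inside network going out via
    # eth0. On the forward chain -i is the outgoing interface. Everything
    # else hits the DENY policy, so only the inside network can use the box.
    run ipchains -A forward -i "$EXT_IF" -s "$INT_NET" -j MASQ

    # Enable forwarding last, so no packet is routed before rules exist.
    run sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

firewall_rules
```

The masquerade rule is what makes the Win98 box's packets leave with source 24.5.216.13 instead of 192.168.1.2, so the ISP never has to route a private address back; with only ip_forward set, replies to 192.168.1.2 would be dropped upstream. Because the input policy stays ACCEPT, UDP and ICMP from the Internet still reach the Linux box itself; tighten that (per-service ACCEPT rules, then a DENY policy) once the basic setup works.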