Solved

basic linux firewall configuration

Posted on 2000-03-19
Last Modified: 2010-04-20
I have a Red Hat 6.1 computer with 2 network cards in it. I have a cable modem with a static IP. My normal configuration for internet access is IP: 24.5.216.13, DG: 24.5.216.1. So on the computer with the firewall I set the first card with that IP, then on the second card (eth1) I am using 192.168.1.1.
From the firewall computer I can ping the internet and my computer with the 192.168 IP number (192.168.1.2 / Win 98 machine).
From the Win98 machine I can ping the 192.168.1.1 IP and I can ping the 24.5.216.13 IP for eth0, but I can't ping 24.5.216.1 (default gateway).

  24.5.216.13             192.168.1.1
                  \                /
Internet_ _ \|firewall|/_ _ _ Win98

Does that help?
I have IP_forwarding turned on (1).
I think the problem lies in the default gateway setting for the Win98 machine. Do I tell it 24.5.216.13 or 192.168.1.1?
Or do I use the default gateway from my ISP, 24.5.216.1?

Thanks, Matt

Question by: unomateo

Expert Comment by: mzehner (LVL 2), ID: 2634724
You set your default gateway on the windows machine to 192.168.1.1.  You also need to make sure your routing tables in the Linux computer are set up properly.
route add -net 24.5.216.0 netmask 255.255.255.0 gw 24.5.216.13 dev eth0
route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1 dev eth1
Also make sure your default gateway for the Linux box is 24.5.216.1.  You can easily set this up with "netconfig" or "linuxconf".

You can set all this up in "linuxconf" or "netconfig" but you may want to enter them manually using the route command above until you are sure you have it correct.  You may use the "route" command to see the current contents of your routing tables.

Also, when you have it working right, configure it using netconfig or linuxconf, or add the following to your "/etc/sysconfig/static-routes" file:
eth0 net 24.5.216.0 netmask 255.255.255.0 gateway 24.5.216.13
eth1 net 192.168.1.0 netmask 255.255.255.0 gateway 192.168.1.1

My answer assumes your netmask on both networks is 255.255.255.0.  Also you may want to consider using ipchains to set up some packet filtering firewall rules to increase your security.  Also, have you considered using IP masquerading?

Expert Comment by: jlevie (LVL 40), ID: 2634819
If you only have a single static IP you have to use IP Masquerade on the Linux box, IP forwarding won't work. Take a look at the IP Masquerade howto for an explanation of why you need it, what it does, and how to do it (http://www.redhat.com/mirrors/LDP/HOWTO/IP-Masquerade-HOWTO.html).

You don't need to futz with the routing tables. They are already correct for Internet access, and the 192.168.1.0/24 network is in the routing table already simply because any locally attached network is automatically reachable. However, mzehner is correct in that the default gateway for any hosts on the inside network is the IP of the inside NIC of the Linux box (192.168.1.1).
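
An added example (not code from this thread) that models the routing point made in the question and in the two answers above: a gateway has to sit on a directly connected subnet, which is why the Win98 host can only use 192.168.1.1, and why the Linux box reaches 192.168.1.2 directly while everything else goes via 24.5.216.1. The addresses come from the question; the interface names, the /24 masks and the outside address 198.51.100.7 are assumptions.

```python
# Added example, not code from the thread: a minimal longest-prefix-match
# routing table that models why the Win98 box must use 192.168.1.1 as its
# default gateway and why 24.5.216.13 or 24.5.216.1 cannot serve as one.
# Addresses are the ones from the question; interface names and the /24
# masks are assumptions (mzehner's answer assumes /24 as well).
from ipaddress import ip_address, ip_network


class RoutingTable:
    """Kernel-style routing table: connected routes carry no gateway."""

    def __init__(self):
        self.routes = []  # (network, gateway-or-None, interface)

    def add_connected(self, addr_with_prefix, iface):
        # When an interface is configured its subnet becomes reachable
        # directly; this is why jlevie says 192.168.1.0/24 is already there.
        net = ip_network(addr_with_prefix, strict=False)
        self.routes.append((net, None, iface))

    def add_route(self, dst, gateway):
        # A gateway must be on-link, i.e. inside a directly connected
        # subnet; otherwise the host has no way to hand packets to it.
        gw = ip_address(gateway)
        for net, hop, iface in self.routes:
            if hop is None and gw in net:
                self.routes.append((ip_network(dst), gw, iface))
                return
        raise ValueError(f"gateway {gw} is not on a directly connected network")

    def lookup(self, dst):
        """Return (network, gateway-or-None, iface) with the longest prefix."""
        dst = ip_address(dst)
        best = None
        for net, gw, iface in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, iface)
        return best


def win98_accepts_gateway(candidate):
    """True if the Win98 host (192.168.1.2/24, one NIC) can use 'candidate'."""
    rt = RoutingTable()
    rt.add_connected("192.168.1.2/24", "nic0")
    try:
        rt.add_route("0.0.0.0/0", candidate)
    except ValueError:
        return False
    return True


def firewall_next_hop(dst):
    """Next hop the Linux box picks for dst: (gateway or None, interface)."""
    rt = RoutingTable()
    rt.add_connected("24.5.216.13/24", "eth0")
    rt.add_connected("192.168.1.1/24", "eth1")
    rt.add_route("0.0.0.0/0", "24.5.216.1")   # the ISP's default gateway
    net, gw, iface = rt.lookup(dst)
    return (None if gw is None else str(gw), iface)


if __name__ == "__main__":
    for gw in ("192.168.1.1", "24.5.216.13", "24.5.216.1"):
        print(gw, "usable as Win98 default gateway:", win98_accepts_gateway(gw))
    print("firewall -> 192.168.1.2:", firewall_next_hop("192.168.1.2"))
    print("firewall -> 198.51.100.7:", firewall_next_hop("198.51.100.7"))
```

The model only answers the "which gateway" question. It does not explain why a ping from 192.168.1.2 to 24.5.216.1 still fails once the gateway is right: the echo request gets forwarded, but the reply is addressed to a private 192.168.1.x source, which is the masquerading problem jlevie raises.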

Author Comment by: unomateo, ID: 2634845
One question about the connection to my hub.
Before, when the cable modem went straight to my hub, the uplink light was lit.
Now when I go through the firewall computer it isn't (cable to the firewall, then out the ethernet card with 192.168, then to the hub).
Is this a problem also?

Expert Comment by: jlevie (LVL 40), ID: 2634899
Maybe, maybe not. Since I don't know what hub you've got, I don't know if it has an "Uplink port". Such a port has built-in cross-over wiring and is used to connect the hub to another hub or router. Other equipment shouldn't be connected to the "Uplink port" as you'd have to use a cross-over cable to do so. It seems to me that I've seen a smart hub that could automatically sense whether it needed to use a cross-over configuration for either the first or last port, and would light the "Uplink" light if it did so. Check the docs for your hub and see what it's supposed to do.

Expert Comment by: EatEmAndSmile (LVL 2), ID: 2635593
Considering the gateway for the real Internet network should be seen to get access through, you should tell them about IP address 192.168.1.1. That's the only IP they can see on that machine. Actually if they could see the real IP addresses a gateway wouldn't be needed. :)

Expert Comment by: j2 (LVL 12), ID: 2635875
"Before when the cable modem went straight to my hub the uplink light was lit?
now when I go thru the firewall computer it isn't," That means the modem uses a crossover port, so that the user can use a straight cable to connect directly to an ethernet device; you must use a crossover cable to connect it to a hub.

Accepted Solution by: j2 (LVL 12, earned 100 total points), ID: 2635887
What I would do is to simply download "pmfirewall" (www.pointman.org), untar it, run the install script and just answer the questions (remember to say "yes" to 'Should this computer masquerade for other systems?') and you will be all set, plus you now have a decent firewall.

Also my "Monday, March 20 2000 - 01:18PM CET " comment should have been

"via a hub, you must use a crossover cable to connect it directly to a computer."

Or if you don't need a firewall, just do this on the Linux box:

echo 1 > /proc/sys/net/ipv4/ip_forward
ipchains -A forward -s 192.168.1.0/24 -b -j MASQ

then set the clients to use 192.168.1.1 as their default gw, and set them to use the DNS of your ISP.
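
An added example (not code from this thread, not part of pmfirewall) that models what the two lines above do on the Linux box: the MASQ rule rewrites the source address and port of packets from 192.168.1.0/24 to 24.5.216.13 on the way out and undoes the rewrite for matching replies on the way in, which is why a single static IP works with masquerading but not with forwarding alone (jlevie's point). The outside hosts 198.51.100.7 and 203.0.113.9, the port range starting at 61000, the packet layout and the simplified "ISP never routes 192.168.x.x back" rule are assumptions for the example; 24.5.216.13 and 192.168.1.0/24 come from the question.

```python
# Added example, not code from the thread: a toy model of what
# "ipchains -A forward -s 192.168.1.0/24 -b -j MASQ" does on the Linux box,
# and why IP forwarding alone cannot work with a single public address.
# The outside hosts, the port range and the packet layout are assumptions;
# 24.5.216.13 and 192.168.1.0/24 come from the question.
from ipaddress import ip_address, ip_network

PUBLIC_IP = ip_address("24.5.216.13")       # eth0 address from the question
INSIDE_NET = ip_network("192.168.1.0/24")   # eth1 side, the "-s" match


def internet_can_deliver(dst):
    # Assumption (simplified ISP router): only globally routable space has
    # a return route; 192.168.0.0/16 is private and is never routed back.
    return ip_address(dst) not in ip_network("192.168.0.0/16")


class Masquerader:
    """Many inside hosts share PUBLIC_IP; the box rewrites source address and
    port on the way out and undoes it for matching replies on the way in."""

    def __init__(self, public_ip, inside_net, first_port=61000):
        self.public_ip, self.inside_net = public_ip, inside_net
        self.next_port = first_port
        self.by_port = {}   # public port -> (in_ip, in_port, peer_ip, peer_port)
        self.by_flow = {}   # (in_ip, in_port, peer_ip, peer_port) -> public port

    def outbound(self, pkt):
        """Rewrite a packet leaving eth0; None means 'not masqueraded'."""
        src = ip_address(pkt["src"])
        if src not in self.inside_net:      # only 192.168.1.0/24 is rewritten
            return None
        flow = (src, pkt["sport"], ip_address(pkt["dst"]), pkt["dport"])
        port = self.by_flow.get(flow)
        if port is None:                    # new flow: allocate a public port
            port, self.next_port = self.next_port, self.next_port + 1
            self.by_flow[flow] = port
            self.by_port[port] = flow
        return dict(pkt, src=str(self.public_ip), sport=port)

    def inbound(self, pkt):
        """Map a packet arriving on eth0 back to the inside host, or drop it."""
        if ip_address(pkt["dst"]) != self.public_ip:
            return None
        flow = self.by_port.get(pkt["dport"])
        if flow is None:                    # no inside host opened this: drop
            return None
        in_ip, in_port, peer_ip, peer_port = flow
        if (ip_address(pkt["src"]), pkt["sport"]) != (peer_ip, peer_port):
            return None                     # reply from the wrong peer: drop
        return dict(pkt, dst=str(in_ip), dport=in_port)


def round_trip(use_masq):
    """Win98 sends to an outside host; return which inside host gets the
    reply, or None if it is lost. Packets are constructed for the example."""
    masq = Masquerader(PUBLIC_IP, INSIDE_NET)
    pkt = {"src": "192.168.1.2", "sport": 1025, "dst": "198.51.100.7", "dport": 80}
    wire = masq.outbound(pkt) if use_masq else pkt   # forwarding leaves it as is
    reply = {"src": wire["dst"], "sport": wire["dport"],
             "dst": wire["src"], "dport": wire["sport"]}
    if not internet_can_deliver(reply["dst"]):
        return None                          # reply to 192.168.1.2 never arrives
    if use_masq:
        reply = masq.inbound(reply)
    return reply["dst"] if reply else None


def unsolicited_probe_passes():
    """Does a packet from outside reach the inside without an open flow?"""
    masq = Masquerader(PUBLIC_IP, INSIDE_NET)
    probe = {"src": "203.0.113.9", "sport": 4444, "dst": str(PUBLIC_IP), "dport": 61000}
    return masq.inbound(probe) is not None


def spoofed_source_masqueraded():
    """Is a packet with a source outside 192.168.1.0/24 rewritten?"""
    masq = Masquerader(PUBLIC_IP, INSIDE_NET)
    pkt = {"src": "10.0.0.5", "sport": 1025, "dst": "198.51.100.7", "dport": 80}
    return masq.outbound(pkt) is not None


if __name__ == "__main__":
    print("forwarding only, reply reaches:", round_trip(False))
    print("with MASQ, reply reaches:", round_trip(True))
    print("unsolicited inbound passes:", unsolicited_probe_passes())
    print("non-192.168.1.x source masqueraded:", spoofed_source_masqueraded())
```

Two things the model makes visible that the one-line rule does not: a packet from outside that matches no open flow is dropped, so masquerading hides the inside hosts as a side effect, and the "-s 192.168.1.0/24" match means traffic with any other source is left alone rather than rewritten. The rule alone sets no chain policies, so anything else still passes through the forward chain; that is the part mzehner's ipchains suggestion and pmfirewall add.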

Expert Comment by: j2 (LVL 12), ID: 2635891
Also, "I have IP_forwarding turned on (1)": that isn't enough, that just enables it; you also must give it "rules" with ipchains to work. If you do not have ipchains installed, it is available on your RH CD, or from www.rustcorp.com