basic linux firewall configuration

I have a redhat 6.1 computer with 2 network cards in it. I have a cable modem with a static ip. my normal configuration for internet access is IP:24.5.216.13 DG:24.5.216.1 . So on the computer with the firewall I set the first card with that IP, then on the second card (eth1) I am using 192.168.1.1 .
From the firewall computer I can ping the internet and my computer with the 192.168 IP number (192.168.1.2 /WIN 98 machine).
From the win98 machine I can ping the 192.168.1.1 ip and I can ping the 24.5.216.13 ip for eth0, but I can't ping 24.5.216.1 (Default gateway).

  24.5.216.13             192.168.1.1
                  \                /
Internet_ _ \|firewall|/_ _ _ Win98
             
Does that help?
I have IP_forwarding turned on (1)
I think the problem lies in the default gateway setting for the win98 machine? Do I tell it 24.5.216.13 or 192.168.1.1?
or do I use the default gateway from my ISP 24.5.216.1?

Thanks Matt

Asked by: unomateo
mzehner commented:
You set your default gateway on the windows machine to 192.168.1.1.  You also need to make sure your routing tables in the Linux computer are set up properly.
route add -net 24.5.216.0 netmask 255.255.255.0 gw 24.5.216.13 dev eth0
route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1 dev eth1
Also make sure your default gateway for the linux box is 24.2.216.1.  You can easily set this up with "netconfig" or "linuxconf".

You can set all this up in "linuxconf" or "netconfig" but you may want to enter them manually using the route command above until you are sure you have it correct.  You may use the "route" command to see the current contents of your routing tables.

Also when you have it working right configure it using netconfig or linuxconf or add the following to your "/etc/sysconfig/static-routes" file:
eth0 net 24.5.216.0 netmask 255.255.255.0 gateway 24.5.216.13
eth1 net 192.168.1.0 netmask 255.255.255.0 gateway 192.168.1.1

My answer assumes your netmask on both networks is 255.255.255.0.  Also you may want to consider using ipchains to set up some packet filtering firewall rules to increase your security.  Also have you considered using IP masquerading?

jlevie commented:
If you only have a single static IP you have to use IP Masquerade on the Linux box, IP forwarding won't work. Take a look at the IP Masquerade howto for an explanation of why you need it, what it does, and how to do it (http://www.redhat.com/mirrors/LDP/HOWTO/IP-Masquerade-HOWTO.html).

You don't need to futz with the routing tables. They are already correct for Internet access, and the 192.168.1.0/24 network is in the routing table already simply because any locally attached network is automatically reachable. However, mzehner is correct in that the default gateway for any hosts on the inside network is the IP of the inside NIC of the linux box (192.168.1.1).

unomateo (author) commented:
one question about the connection to my hub?
Before when the cable modem went straight to my hub the uplink light was lit?
now when I go thru the firewall computer it isn't, (cable to the firewall then out the ethernet card with 192.168. then to the hub)
is this a problem also?

jlevie commented:
Maybe, maybe not. Since I don't know what hub you've got, I don't know if it has an "Uplink port". Such a port has a built in cross-over wiring and is used to connect the hub to another hub or router. Other equipment shouldn't be connected to the "Uplink port" as you'd have to use a cross-over cable to do so. It seems to me that I've seen a smart hub that could automatically sense whether it needed to use a cross-over configuration for either the first or last port, and would light the "Uplink" light if it did so. Check the docs for your hub and see what it's supposed to do.

EatEmAndSmile commented:
Considering the gateway for the real Internet network should be seen to get access through, you should tell them about IP address 192.168.1.1. That's the only IP they can see on that machine. Actually if they could see the real IP addresses a gateway wouldn't be needed. :)

j2 commented:
"Before when the cable modem went straight to my hub the uplink light was lit?
now when I go thru the firewall computer it isn't," That means the modem uses a crossover port, so that the user can use a straight cable to connect directly to an ethernet device; you must use a crossover cable to connect it to a hub.

j2 commented:
What i would do is to simply download "pmfirewall" (www.pointman.org) download it, untar it, run the install script and just answer the questions (remember to say "yes" to 'Should this computer masquerade for other systems?') And you will be all set plus you now have a decent firewall.

Also my "Monday, March 20 2000 - 01:18PM CET " comment should have been

"via a hub, you must use a crossover cable to connect it directly to a computer."

Or if you don't need a firewall just do this on the linux

echo 1 > /proc/sys/net/ipv4/ip_forward
ipchains -A forward -s 192.168.1.0/24 -b -j MASQ

then set the clients to use 192.168.1.1 as their default gw, and set them to use the DNS of your ISP.

j2 commented:
also "I have IP_forwarding turned on (1)" That isn't enough, that just enables it, you also must give it "rules" with ipchains to work. If you do not have ipchains installed, it is available on your RH CD, or from www.rustcorp.com
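j2's two lines above, expanded into a small ipchains script as an added example (not from any of the posters) for the addressing used in this thread. It assumes Red Hat 6.x with ipchains, eth0 on the cable modem and eth1 on the 192.168.1.0/24 LAN, and adds what the bare MASQ line lacks: a default-deny forward policy and a logged anti-spoofing rule, so only LAN traffic gets forwarded and nobody on the cable side can source packets from your private range.

```shell
#!/bin/sh
# Added example, not from the thread: minimal ipchains masquerading firewall.
# Assumes: Red Hat 6.x, ipchains installed, run as root ("./masq.sh start").
EXT_IF=eth0                      # card with the public IP (24.5.216.13)
INT_NET=192.168.1.0/24           # LAN behind eth1 (192.168.1.1)
IPCHAINS=${IPCHAINS:-ipchains}   # set IPCHAINS=echo to print rules instead
PROC_IPFWD=${PROC_IPFWD:-/proc/sys/net/ipv4/ip_forward}

enable_forwarding() {
    # The "1" only turns forwarding on; it does nothing useful without rules.
    echo 1 > "$PROC_IPFWD"
}

apply_rules() {
    $IPCHAINS -F                               # start from empty chains
    $IPCHAINS -P forward DENY                  # forward nothing unless allowed
    # Anti-spoofing: LAN addresses must never arrive on the cable-modem side.
    # -l logs the hit so you can see it in /var/log/messages.
    $IPCHAINS -A input -i "$EXT_IF" -s "$INT_NET" -j DENY -l
    # Masquerade only LAN traffic that is leaving via the external interface
    # (-i on the forward chain is the outgoing interface in ipchains).
    $IPCHAINS -A forward -i "$EXT_IF" -s "$INT_NET" -j MASQ
}

case "${1:-}" in
    start) enable_forwarding; apply_rules ;;
esac
```

Clients still get 192.168.1.1 as their default gateway and the ISP's DNS, exactly as j2 says; the script only changes what the Linux box does with the packets.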