barthalamu
Networking with RH Linux 6.1

I have a multihomed Red Hat 6.1 system.  I am trying to have it function as a gateway to my Win98 PCs.  Linux is connected to my router, and it can get to the internet just fine with its default gateway being my router.  The problem I am having is that I cannot get any of my PCs to go through the Linux box and out to the net.  I am using IP forwarding and have real IP addresses for all PCs (not using NAT).  I have my PCs' gateways set to the second card in the Linux machine (eth1).  My goal is to have one card be my internal card and the other external, and to put up a firewall so that my PCs can get to and go through Linux to the net, but nothing can get past the external card from the internet.

I have no idea what I am doing [wrong].  Do I need to set up any static routes to accomplish this?  I have 32 static IPs and my netmask is .224.

Please let me know if you need any more info.
Cook

While "using" IP forwarding, did you also enable it (default off in kernel 2.2.x)?  You can do this by: echo "1" > /proc/sys/net/ipv4/ip_forward
You could add this line to /etc/rc.d/rc.local.  BTW, can you ping eth0 and eth1?

kiffney

You should probably also post the output of '/sbin/ifconfig' and 'route -n' and 'cat /proc/sys/net/ipv4/ip_forward' so we can help.  Also, you should tell whether eth1 is connected to the internet router and eth0 is connected to your local network, etc.  If eth0 is connected to your local network, then ITS IP address is your PCs' gateway, not eth1, for example.  It's hard to do this unless you give an example of how your network is laid out, what IP numbers and netmasks you are using, what the Linux box can and cannot ping, etc.

jlevie

I suspect that you may be trying to use the same network on both sides of your router and that won't work.  You can only route between networks, so the inside and outside interfaces must be on different networks.  If you only have one netblock of 32 addresses, that must be used on the outside NIC.  The inside NIC and your local machines will have to be on a different network.

What you need is NAT, which Linux can't do (it can do NPAT, aka PAT), in order to use all the IPs in your netblock.  The BSD variants (FreeBSD, OpenBSD) as well as Solaris & HP-UX can do this with ipfilter (see http://cheops.anu.edu.au/~avalon/ip-filter.html).  NAT allows you to use a private network on the inside and a pool of public IPs (your netblock of 32) with inside clients having static or dynamic translations between the private & public IPs.

Like jlevie said, you need separate networks to route.  Once you get the routing going you can set up a firewall using PM Firewall - http://www.pointman.org/PMFirewall/

Unless I missed something about it, I don't think that pmfirewall can do NAT.  Accordingly he'd only be able to use one of the IPs in his netblock.

You're right, pmfirewall doesn't do NAT.  It just makes it really easy to set up a firewall using ipchains.  I agreed with you about needing two networks for routing.  He could use private IPs internally, or he should be able to subnet his block of 32 IPs...
barthalamu (ASKER)

Here are the outputs of what kiffney suggested that I post:

(Replaced first two parts of the IP address with *'s)

ifconfig:

eth0      Link encap:Ethernet  HWaddr 00:C0:CA:12:C0:D8
          inet addr:*.*.96.209  Bcast:*.*.96.223  Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:574678 errors:0 dropped:0 overruns:0 frame:0
          TX packets:458210 errors:0 dropped:0 overruns:0 carrier:0
          collisions:8 txqueuelen:100
          Interrupt:10 Base address:0xe800

eth1      Link encap:Ethernet  HWaddr 00:E0:29:5B:2A:91
          inet addr:*.*.96.194  Bcast:*.*.96.223  Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:69081 errors:1 dropped:0 overruns:0 frame:0
          TX packets:490 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:5 Base address:0xec00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:23332 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23332 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

route -n:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
*.*.96.209   0.0.0.0         255.255.255.255 UH    0      0        0 eth0
*.*.96.194   0.0.0.0         255.255.255.255 UH    0      0        0 eth1
*.*.96.192   0.0.0.0         255.255.255.224 U     0      0        0 eth0
*.*.96.192   0.0.0.0         255.255.255.224 U     0      0        0 eth1
127.0.0.0    0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0      *.*.96.193      0.0.0.0         UG    0      0        0 eth0

Yes - IP forwarding is turned on.
Yes - Can ping eth0 and eth1.
eth0 is connected to the internal network.
eth1 is connected to the router.

jlevie is right, I am trying to use my same block of 32 IP addresses for internal and external.  Should I subnet my network smaller to do what I am trying?  I cannot use NAT because of issues out of my control.

Thanks for the help.
By the way, it seems that when I ping, or telnet or do whatever, the traffic only seems to pass through eth0.  Not sure why, just because it's the first card and it is in the same network?
jlevie

Yep, I suspected that you were trying to use the same netblock on the inside and the outside NICs.  The routing table tells the tale in these two lines:

*.*.96.192   0.0.0.0         255.255.255.224 U     0      0        0 eth0
*.*.96.192   0.0.0.0         255.255.255.224 U     0      0        0 eth1

If you look at that, you'll see that the exact same network is shown for both eth0 & eth1.  Consequently, the routing engine in the kernel can't really figure out which NIC to use for an IP in that network.  For lack of any better clue it simply sends it out the first (eth0) interface and hopes for the best.

And no, you can't "cheat" and split the netblock of 32 and use half on the inside and half on the outside.  Well, at least not without getting the provider to do some re-configuration of the router.  If the outside NIC and the router aren't using the same netmask they won't talk to each other.
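The diagnosis above, and the "post your route -n" request earlier in the thread, can be checked mechanically. The script below is an added example, not code from the thread or from any of its posters: it parses a `route -n` dump, flags a directly connected network that two interfaces both claim, shows which interface the default route leaves by, and works out the two /28 halves of the /27 (router side becomes the outside network, the other half the inside). The asker masked the first two octets, so the documentation prefix 192.0.2 stands in for them (an assumption); the last octets, masks and interface names are as posted.

```python
"""Diagnose the 'same /27 on both NICs' problem from a `route -n` dump and work
out the two-/28 split the thread converges on.

Added example, not code from the thread. The asker masked the first two octets
of his addresses, so the documentation prefix 192.0.2.0/24 is used in their
place (assumption); last octets, masks and interfaces are as posted.
"""
import ipaddress
from collections import defaultdict

# Constructed `route -n` output mirroring the asker's post (192.0.2 = assumed prefix).
ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.0.2.209     0.0.0.0         255.255.255.255 UH    0      0        0 eth0
192.0.2.194     0.0.0.0         255.255.255.255 UH    0      0        0 eth1
192.0.2.192     0.0.0.0         255.255.255.224 U     0      0        0 eth0
192.0.2.192     0.0.0.0         255.255.255.224 U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.0.2.193     0.0.0.0         UG    0      0        0 eth0
"""


def parse_routes(text):
    """Parse `route -n` output into dicts holding network, gateway, flags and iface."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "Destination":
            continue  # title line or column header
        dest, gw, mask, flags, _metric, _ref, _use, iface = fields
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append({"net": net, "gw": gw, "flags": flags, "iface": iface})
    return routes


def duplicated_networks(routes):
    """Directly connected networks (no G or H flag, not loopback) claimed by more
    than one interface. The kernel reaches such a network through only one of
    them, so the other NIC never carries that traffic."""
    claims = defaultdict(list)
    for r in routes:
        if "G" in r["flags"] or "H" in r["flags"] or r["iface"] == "lo":
            continue
        claims[r["net"]].append(r["iface"])
    return {net: ifs for net, ifs in claims.items() if len(ifs) > 1}


def default_route_iface(routes):
    """Interface the default route leaves by; with duplicate connected routes the
    gateway resolves to whichever entry came first (eth0 in the asker's table)."""
    for r in routes:
        if r["net"].prefixlen == 0 and "G" in r["flags"]:
            return r["iface"]
    return None


def plan_split(block, router, outside_nic, inside_nic):
    """Halve `block` (the /27) into two /28s: the half containing the router is
    the outside network, the other half the inside one. Reports whether the
    existing NIC addresses already sit on the correct sides."""
    block = ipaddress.ip_network(block)
    router, outside_nic, inside_nic = map(
        ipaddress.ip_address, (router, outside_nic, inside_nic))
    halves = list(block.subnets(prefixlen_diff=1))
    outside = next(h for h in halves if router in h)
    inside = next(h for h in halves if router not in h)
    problems = []
    if outside_nic not in outside:
        problems.append(f"outside NIC {outside_nic} is not in {outside}")
    if inside_nic not in inside:
        problems.append(f"inside NIC {inside_nic} is not in {inside}")
    return {
        "outside": outside,
        "inside": inside,
        # new mask for both NICs and, per jlevie's caveat, for the ISP router too
        "netmask": str(outside.netmask),
        "usable_hosts_per_side": outside.num_addresses - 2,
        "ok": not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    routes = parse_routes(ROUTE_N)
    for net, ifs in duplicated_networks(routes).items():
        print(f"{net} is claimed by {', '.join(ifs)}: only one of them is used")
    print("default route leaves via", default_route_iface(routes))
    plan = plan_split("192.0.2.192/27", router="192.0.2.193",
                      outside_nic="192.0.2.194", inside_nic="192.0.2.209")
    print(f"outside {plan['outside']} (router side), inside {plan['inside']}, "
          f"netmask {plan['netmask']}, ok={plan['ok']}")
```

On the asker's numbers the split comes out clean: the router (.193) and eth1 (.194) land in .192/28 and eth0 (.209) lands in .208/28, so only the netmasks need to change to 255.255.255.240, each side keeping 14 usable hosts. That still leaves jlevie's caveat in force: the router's LAN interface must be reconfigured to the /28 mask by the provider, otherwise it will keep treating the whole /27 as directly connected and never send the inside /28 to eth1.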
barthalamu (ASKER)

jlevie, thank you for your help.  It seems like you are exactly right... please propose an answer instead of just a comment so that I can give you your points.

I can change the settings on my side of the router to reflect the smaller subnet, but I am not sure if it will affect anything on my ISP's side of my router.  Any ideas?  If not, can you think of anything else I could do to be able to make this work with my current block of IPs, besides NAT?  Thanks.
ASKER CERTIFIED SOLUTION
jlevie
(solution text not included on this page; members-only)
Thanks for the help, but as you indicated, jlevie was the first to come up with this solution.
Thanks, I will play around with my router.