Networking with RH Linux 6.1

I have a multihomed Red Hat 6.1 system.  I am trying to have it function as a gateway to my Win98 PCs.  Linux is connected to my router, and it can get to the internet just fine with its default gateway being my router.  The problem I am having is that I cannot get any of my PCs to go through the Linux box and out to the net.  I am using IP forwarding and have real IP addresses for all PCs.  (Not using NAT)  I have my PCs' gateways set to the second card in the Linux machine (eth1).  My goal is to have one card be my internal card and the other external, and to put up a firewall so that my PCs can get to and go through Linux to the net, but nothing can get past the external card from the internet.

I have no idea what I am doing [wrong].  Do I need to set up any static routes to accomplish this?  I have 32 static IPs and my netmask is .224.

Please let me know if you need any more info.
jlevie Commented:
If the router can be changed, then that is going to be the only solution other than NAT if you are going to run an internal firewall box. I think that such a change probably wouldn't affect anything up-stream of the router, but you should certainly coordinate any change like that with your ISP. Of course that will reduce your usable IP's (for inside of the firewall to 14).

There may be other possible solutions. If your router is a Cisco, you can achieve almost all of the functionality and protection of a firewall with "extended access lists" applied to the outside interface of the router. Other brands may have similar capabilities. The protection that access lists provide isn't quite as good as a true firewall, but it's probably good enough for most networks (especially if the interior systems are configured w/security in mind).

Also there are "personal firewalls" that can be installed on each Windows client to protect just that client. This isn't as good a solution as access lists on the router, as you must open holes in each of the personal firewalls to/from your other local systems in order to be able to communicate among your local machines.

Before I can propose an answer you'll need to reject the existing proposed answer (it has the question locked). Once that's done I can propose an answer or you can simply accept a comment as the answer.
While "using" IP forwarding, did you also enable it (default off in kernel 2.2.x)? You can do this by: echo "1" > /proc/sys/net/ipv4/ip_forward
You could add this line to /etc/rc.d/rc.local.
BTW, can you ping eth0 and eth1?
You should probably also post the output of '/sbin/ifconfig' and 'route -n' and 'cat /proc/sys/net/ipv4/ip_forwarding' so we can help.  Also, you should tell whether eth1 is connected to the internet router and eth0 is connected to your local network, etc.  If eth0 is connected to your local network, then ITS IP address is your PCs' gateway, not eth1, for example.  It's hard to do this unless you give an example of how your network is laid out, what IP numbers and netmasks you are using, what the Linux box can and cannot ping, etc.
I suspect that you may be trying to use the same network on both sides of your router and that won't work. You can only route between networks, so the inside and outside interfaces must be on different networks. If you only have one netblock of 32 addresses that must be used on the outside NIC. The inside NIC and your local machines will have to be on a different network.

What you need is NAT, which Linux can't do (it can do NPAT, aka PAT), in order to use all the IP's in your netblock. The BSD variants (FreeBSD, OpenBSD) as well as Solaris & HP-UX can do this with ipfilter (see NAT allows you to use a private network on the inside and a pool of public IP's (your netblock of 32) with inside clients having static or dynamic translations between the private & public IP's.
Like jlevie said, you need separate networks to route. Once you get the routing going you can setup a firewall using PM Firewall -
Unless I missed something about it, I don't think that pmfirewall can do NAT. Accordingly he'd only be able to use one of the IP's in his netblock.
You're right, pmfirewall doesn't do NAT. It just makes it really easy to setup a firewall using ipchains. I agreed with you about needing two networks for routing. He could use private IPs internally, or he should be able to subnet his block of 32 IPs...
barthalamuAuthor Commented:
Here are the outputs of what kiffney suggested that I post:

(Replaced first two parts of ip address with *'s)


eth0      Link encap:Ethernet  HWaddr 00:C0:CA:12:C0:D8
          inet addr:*.*.96.209  Bcast:*.*.96.223  Mask:
          RX packets:574678 errors:0 dropped:0 overruns:0 frame:0
          TX packets:458210 errors:0 dropped:0 overruns:0 carrier:0
          collisions:8 txqueuelen:100
          Interrupt:10 Base address:0xe800

eth1      Link encap:Ethernet  HWaddr 00:E0:29:5B:2A:91
          inet addr:*.*.96.194  Bcast:*.*.96.223  Mask:
          RX packets:69081 errors:1 dropped:0 overruns:0 frame:0
          TX packets:490 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:5 Base address:0xec00

lo        Link encap:Local Loopback
          inet addr:  Mask:
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:23332 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23332 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

route -n:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
*.*.96.209 UH    0      0        0 eth0
*.*.96.194 UH    0      0        0 eth1
*.*.96.192 U     0      0        0 eth0
*.*.96.192 U     0      0        0 eth1
           U     0      0        0 lo
*.*.96.193 UG    0      0        0 eth0

Yes - IP forwarding is turned on.
Yes - Can ping eth0 and eth1.
eth0 is connected to the internal network.
eth1 is connected to the router.

jlevie is right, I am trying to use my same block of 32 IP addresses for internal and external.  Should I subnet my network smaller to do what I am trying?  I cannot use NAT because of issues out of my control.

Thanks for the help.
barthalamuAuthor Commented:
By the way, it seems that when I ping, or telnet, or do whatever, the traffic only seems to pass through eth0.  Not sure why, just because it's the first card and it is in the same network?
Yep, I suspected that you were trying to use the same netblock on the inside and the outside NIC's. The routing table tells the tale in these two lines:

*.*.96.192 U     0      0        0 eth0
*.*.96.192 U     0      0        0 eth1

If you look at that, you'll see that the exact same network is shown for both eth0 & eth1. Consequently, the routing engine in the kernel can't really figure out which NIC to use for an IP in that network. For lack of any better clue it simply sends it out the first (eth0) interface and hopes for the best.

And no you can't "cheat" and split the netblock of 32 and use half on the inside and half on the outside. Well at least not without getting the provider to do some re-configuration of the router. If the outside NIC and the router aren't using the same netmask they won't talk to each other.
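As an added illustration of jlevie's diagnosis (this is not code from the thread), a small Python check that parses `route -n` output, flags any network that is configured on more than one NIC, and shows how the /27 (netmask .224) would split into two equal halves. The sample routing table is constructed from the 192.0.2.0 documentation range, not the poster's real netblock.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `route -n` output reproducing the thread's situation:
# the same /27 (netmask .224) appears on both eth0 and eth1. Addresses are
# from the documentation range, not the poster's real netblock.
ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.0.2.209     0.0.0.0         255.255.255.255 UH    0      0        0 eth0
192.0.2.194     0.0.0.0         255.255.255.255 UH    0      0        0 eth1
192.0.2.192     0.0.0.0         255.255.255.224 U     0      0        0 eth0
192.0.2.192     0.0.0.0         255.255.255.224 U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.0.2.193     0.0.0.0         UG    0      0        0 eth0
"""

def parse_routes(text):
    """Return (network, iface) pairs for the directly connected network routes,
    skipping host routes (H flag) and gateway/default routes (G flag)."""
    routes = []
    for line in text.splitlines()[2:]:           # skip the two header lines
        dest, _gw, mask, flags, _metric, _ref, _use, iface = line.split()
        if 'G' in flags or 'H' in flags:
            continue
        routes.append((ipaddress.ip_network(f"{dest}/{mask}"), iface))
    return routes

def find_shared_networks(routes):
    """Map each network reachable via more than one NIC to the list of NICs.
    This is the condition jlevie diagnosed: the kernel cannot pick a NIC and
    just uses the first one listed."""
    by_net = defaultdict(list)
    for net, iface in routes:
        by_net[net].append(iface)
    return {net: ifaces for net, ifaces in by_net.items() if len(ifaces) > 1}

def split_for_two_sides(net):
    """Split the block into two equal halves (outside and inside) and report
    the usable host count per half (14 for each half of a /27, as jlevie notes)."""
    halves = list(net.subnets(prefixlen_diff=1))
    return [(str(h), h.num_addresses - 2) for h in halves]

if __name__ == "__main__":
    shared = find_shared_networks(parse_routes(ROUTE_N))
    for net, ifaces in shared.items():
        print(f"{net} is configured on {', '.join(ifaces)}: routing is ambiguous")
        for block, usable in split_for_two_sides(net):
            print(f"  candidate subnet {block}: {usable} usable hosts")
```

Run it against your own `route -n` output by replacing ROUTE_N; the split only helps if the router side is reconfigured to the same smaller netmask, as jlevie points out.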
barthalamuAuthor Commented:
jlevie, thank you for your help.  It seems like you are exactly right...please propose an answer instead of just a comment so that I can give you your points.

I can change the settings on my side of the router to reflect the smaller subnet, but I am not sure if it will affect anything on my ISP's side of my router.  Any ideas?  If not, can you think of anything else I could do to be able to make this work with my current block of IP's, besides NAT?  Thanks.
barthalamuAuthor Commented:
Thanks for the help, but as you indicated, jlevie was the first to come up with this solution.
barthalamuAuthor Commented:
Thanks, I will play around with my router.