Solved

Networking with RH Linux 6.1

Posted on 2000-05-12
Last Modified: 2013-12-06
I have a multihomed Red Hat 6.1 system.  I am trying to have it function as a gateway to my Win98 PCs.  Linux is connected to my router, and it can get to the internet just fine with its default gateway being my router.  The problem I am having is that I cannot get any of my PCs to go through the Linux box and out to the net.  I am using IP forwarding and have real IP addresses for all PCs.  (Not using NAT.)  I have my PCs' gateways set to the second card in the Linux machine (eth1).  My goal is to have one card be my internal card and the other external, and to put up a firewall so that my PCs can get to and go through Linux to the net, but nothing can get past the external card from the internet.

I have no idea what I am doing [wrong].  Do I need to set up any static routes to accomplish this?  I have 32 static IPs and my netmask is .224.

Please let me know if you need any more info.
Question by:barthalamu
13 Comments
 
LVL 1

Expert Comment

by:Cook
ID: 2806454
While "using" IP forwarding, did you also enable it (default off in kernel 2.2.x)? You can do this by: echo "1" > /proc/sys/net/ipv4/ip_forward
You could add this line to /etc/rc.d/rc.local. BTW, can you ping eth0 and eth1?
 
LVL 4

Expert Comment

by:kiffney
ID: 2806808
You should probably also post the output of '/sbin/ifconfig' and 'route -n' and 'cat /proc/sys/net/ipv4/ip_forwarding' so we can help.  Also, you should tell whether eth1 is connected to the internet router and eth0 is connected to your local network, etc.  If eth0 is connected to your local network, then ITS IP address is your PCs' gateway, not eth1, for example.  It's hard to do this unless you give an example of how your network is laid out, what IP numbers and netmasks you are using, what the Linux box can and cannot ping, etc.
 
LVL 40

Expert Comment

by:jlevie
ID: 2806909
I suspect that you may be trying to use the same network on both sides of your router and that won't work. You can only route between networks, so the inside and outside interfaces must be on different networks. If you only have one netblock of 32 addresses that must be used on the outside NIC. The inside NIC and your local machines will have to be on a different network.

What you need is NAT, which Linux can't do (it can do NPAT, aka PAT), in order to use all the IPs in your netblock. The BSD variants (FreeBSD, OpenBSD) as well as Solaris & HP-UX can do this with ipfilter (see http://cheops.anu.edu.au/~avalon/ip-filter.html). NAT allows you to use a private network on the inside and a pool of public IPs (your netblock of 32) with inside clients having static or dynamic translations between the private & public IPs.
 

Expert Comment

by:twilleat
ID: 2807913
Like jlevie said, you need separate networks to route. Once you get the routing going you can set up a firewall using PM Firewall - http://www.pointman.org/PMFirewall/
 
LVL 40

Expert Comment

by:jlevie
ID: 2808354
Unless I missed something about it, I don't think that pmfirewall can do NAT. Accordingly he'd only be able to use one of the IPs in his netblock.
 

Expert Comment

by:twilleat
ID: 2809045
You're right, pmfirewall doesn't do NAT. It just makes it really easy to set up a firewall using ipchains. I agreed with you about needing two networks for routing. He could use private IPs internally, or he should be able to subnet his block of 32 IPs...
 

Author Comment

by:barthalamu
ID: 2809051
Here are the outputs of what kiffney suggested that I post:

(Replaced the first two parts of the IP addresses with *'s)

ifconfig:

eth0      Link encap:Ethernet  HWaddr 00:C0:CA:12:C0:D8
          inet addr:*.*.96.209  Bcast:*.*.96.223  Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:574678 errors:0 dropped:0 overruns:0 frame:0
          TX packets:458210 errors:0 dropped:0 overruns:0 carrier:0
          collisions:8 txqueuelen:100
          Interrupt:10 Base address:0xe800

eth1      Link encap:Ethernet  HWaddr 00:E0:29:5B:2A:91
          inet addr:*.*.96.194  Bcast:*.*.96.223  Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:69081 errors:1 dropped:0 overruns:0 frame:0
          TX packets:490 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:5 Base address:0xec00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:23332 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23332 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

route -n:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
*.*.96.209   0.0.0.0         255.255.255.255 UH    0      0        0 eth0
*.*.96.194   0.0.0.0         255.255.255.255 UH    0      0        0 eth1
*.*.96.192   0.0.0.0         255.255.255.224 U     0      0        0 eth0
*.*.96.192   0.0.0.0         255.255.255.224 U     0      0        0 eth1
127.0.0.0    0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0      *.*.96.193      0.0.0.0         UG    0      0        0 eth0

Yes - IP forwarding is turned on.
Yes - Can ping eth0 and eth1.
eth0 is connected to the internal network.
eth1 is connected to the router.

jlevie is right, I am trying to use my same block of 32 IP addresses for internal and external.  Should I subnet my network smaller to do what I am trying?  I cannot use NAT because of issues out of my control.

Thanks for the help.
 

Author Comment

by:barthalamu
ID: 2809057
By the way, it seems that when I ping, or telnet, or do whatever, the traffic only seems to pass through eth0.  Not sure why; just because it's the first card and it is in the same network?
 
LVL 40

Expert Comment

by:jlevie
ID: 2809278
Yep, I suspected that you were trying to use the same netblock on the inside and the outside NICs. The routing table tells the tale in these two lines:

*.*.96.192   0.0.0.0         255.255.255.224 U     0      0        0 eth0
*.*.96.192   0.0.0.0         255.255.255.224 U     0      0        0 eth1

If you look at that, you'll see that the exact same network is shown for both eth0 & eth1. Consequently, the routing engine in the kernel can't really figure out which NIC to use for an IP in that network. For lack of any better clue it simply sends it out the first (eth0) interface and hopes for the best.

And no you can't "cheat" and split the netblock of 32 and use half on the inside and half on the outside. Well at least not without getting the provider to do some re-configuration of the router. If the outside NIC and the router aren't using the same netmask they won't talk to each other.
 

Author Comment

by:barthalamu
ID: 2809432
jlevie, thank you for your help.  It seems like you are exactly right... please propose an answer instead of just a comment so that I can give you your points.

I can change the settings on my side of the router to reflect the smaller subnet, but I am not sure if it will affect anything on my ISP's side of my router.  Any ideas?  If not, can you think of anything else I could do to be able to make this work with my current block of IPs, besides NAT?  Thanks.
 
LVL 40

Accepted Solution

by:jlevie (earned 305 total points)
ID: 2810551
If the router can be changed, then that is going to be the only solution other than NAT if you are going to run an internal firewall box. I think that such a change probably wouldn't affect anything upstream of the router, but you should certainly coordinate any change like that with your ISP. Of course that will reduce your usable IPs (for inside of the firewall to 14).

There may be other possible solutions. If your router is a Cisco, you can achieve almost all of the functionality and protection of a firewall with "extended access lists" applied to the outside interface of the router. Other brands may have similar capabilities. The protection that access lists provide isn't quite as good as a true firewall, but it's probably good enough for most networks (especially if the interior systems are configured w/ security in mind).

Also there are "personal firewalls" that can be installed on each Windows client to protect just that client. This isn't as good of a solution as access lists on the router, as you must open holes in each of the personal firewalls to/from your other local systems in order to be able to communicate among your local machines.

Before I can propose an answer you'll need to reject the existing proposed answer (it has the question locked). Once that's done I can propose an answer or you can simply accept a comment as the answer.
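The two problems jlevie points out in the thread (both NICs on one /27 giving the kernel two identical routes, and the /27 split leaving 14 usable hosts per side) can be checked mechanically. The following is an added example, not code from the thread; the 192.0.2.x addresses are constructed stand-ins for the poster's masked *.*.96.x values, and the masks are the ones shown in the ifconfig output.

```python
import ipaddress

# Constructed stand-ins for the poster's layout: both NICs on the same /27.
# (*.*.96.x in the thread is replaced by 192.0.2.x, a documentation range.)
INTERFACES = {
    "eth0": ("192.0.2.209", "255.255.255.224"),  # inside NIC
    "eth1": ("192.0.2.194", "255.255.255.224"),  # outside NIC, toward the router
}

# Same addresses after re-subnetting the /27 into two /28s (requires the
# router's side to be changed to match, as jlevie notes).
FIXED_INTERFACES = {
    "eth0": ("192.0.2.209", "255.255.255.240"),  # 192.0.2.208/28, inside
    "eth1": ("192.0.2.194", "255.255.255.240"),  # 192.0.2.192/28, outside (router at .193)
}


def interface_networks(interfaces):
    """Map each interface name to the connected network its address/mask implies."""
    return {
        name: ipaddress.ip_interface(f"{addr}/{mask}").network
        for name, (addr, mask) in interfaces.items()
    }


def overlapping_interfaces(interfaces):
    """Return interface pairs whose connected networks overlap.

    Two NICs on one network produce two equal 'U' routes for the same
    destination (the two *.*.96.192 lines in the poster's route -n output),
    so the kernel cannot tell which NIC a packet for that network belongs on.
    """
    nets = interface_networks(interfaces)
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def split_netblock(network, new_prefix=28):
    """Split a netblock into subnets and report usable hosts in each.

    Network and broadcast addresses are excluded; one usable address per
    side is still consumed by the gateway (the Linux NIC or the router).
    """
    net = ipaddress.ip_network(network)
    return [(str(sub), sub.num_addresses - 2) for sub in net.subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    print("overlapping (as posted):", overlapping_interfaces(INTERFACES))
    print("overlapping (after split):", overlapping_interfaces(FIXED_INTERFACES))
    print("split of the /27:", split_netblock("192.0.2.192/27"))
```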
 

Author Comment

by:barthalamu
ID: 2811211
Thanks for the help, but as you indicated, jlevie was the first to come up with this solution.
 

Author Comment

by:barthalamu
ID: 2811216
Thanks, I will play around with my router.