Networking with RH Linux 6.1

Posted on 2000-05-12
Medium Priority
Last Modified: 2013-12-06
I have a multihomed Red Hat 6.1 system.  I am trying to have it function as a gateway to my Win98 PCs.  Linux is connected to my router, and it can get to the internet just fine with its default gateway being my router.  The problem I am having is that I cannot get any of my PCs to go through the Linux box and out to the net.  I am using IP forwarding and have real IP addresses for all PCs.  (Not using NAT)  I have my PCs' gateways set to the second card in the Linux machine (eth1).  My goal is to have one card be my internal card and the other external, and to put up a firewall so that my PCs can get to and go through Linux to the net, but nothing can get past the external card from the internet.

I have no idea what I am doing [wrong].  Do I need to set up any static routes to accomplish this?  I have 32 static IPs and my netmask is .224.

Please let me know if you need any more info.
Question by: barthalamu
Expert Comment

ID: 2806454
While "using" IP forwarding, did you also enable it (default off in kernel 2.2.x)? You can do this by: echo "1" > /proc/sys/net/ipv4/ip_forward
You could add this line to /etc/rc.d/rc.local. BTW, can you ping eth0 and eth1?

Expert Comment

ID: 2806808
You should probably also post the output of '/sbin/ifconfig' and 'route -n' and 'cat /proc/sys/net/ipv4/ip_forwarding' so we can help.  Also, you should tell whether eth1 is connected to the internet router and eth0 is connected to your local network, etc.  If eth0 is connected to your local network, then ITS ip address is your pc's gateway, not eth1, for example.  It's hard to do this unless you give an example of how your network is laid out, what ip numbers and netmasks you are using, what the linux box can and cannot ping, etc.

Expert Comment

ID: 2806909
I suspect that you may be trying to use the same network on both sides of your router and that won't work. You can only route between networks, so the inside and outside interfaces must be on different networks. If you only have one netblock of 32 addresses that must be used on the outside NIC. The inside NIC and your local machines will have to be on a different network.

What you need is NAT, which Linux can't do (it can do NPAT, aka PAT), in order to use all the IP's in your netblock. The BSD variants (FreeBSD, OpenBSD) as well as Solaris & HP-UX can do this with ipfilter (see http://cheops.anu.edu.au/~avalon/ip-filter.html). NAT allows you to use a private network on the inside and a pool of public IP's (your netblock of 32) with inside clients having static or dynamic translations between the private & public IP's.
Expert Comment

ID: 2807913
Like jlevie said, you need separate networks to route. Once you get the routing going you can setup a firewall using PM Firewall - http://www.pointman.org/PMFirewall/

Expert Comment

ID: 2808354
Unless I missed something about it, I don't think that pmfirewall can do NAT. Accordingly he'd only be able to use one of the IP's in his netblock.

Expert Comment

ID: 2809045
You're right, pmfirewall doesn't do NAT. It just makes it really easy to set up a firewall using ipchains. I agreed with you about needing two networks for routing. He could use private IPs internally, or he should be able to subnet his block of 32 IPs...

Author Comment

ID: 2809051
Here are the outputs of what kiffney suggested that I post:

(Replaced first two parts of ip address with *'s)


eth0      Link encap:Ethernet  HWaddr 00:C0:CA:12:C0:D8
          inet addr:*.*.96.209  Bcast:*.*.96.223  Mask:
          RX packets:574678 errors:0 dropped:0 overruns:0 frame:0
          TX packets:458210 errors:0 dropped:0 overruns:0 carrier:0
          collisions:8 txqueuelen:100
          Interrupt:10 Base address:0xe800

eth1      Link encap:Ethernet  HWaddr 00:E0:29:5B:2A:91
          inet addr:*.*.96.194  Bcast:*.*.96.223  Mask:
          RX packets:69081 errors:1 dropped:0 overruns:0 frame:0
          TX packets:490 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:5 Base address:0xec00

lo        Link encap:Local Loopback
          inet addr:  Mask:
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:23332 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23332 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

route -n:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
*.*.96.209                                      UH    0      0        0 eth0
*.*.96.194                                      UH    0      0        0 eth1
*.*.96.192                                      U     0      0        0 eth0
*.*.96.192                                      U     0      0        0 eth1
                                                U     0      0        0 lo
                *.*.96.193                      UG    0      0        0 eth0

Yes-IP Forwarding is turned on.
Yes-Can ping eth0 and eth1
eth0 is connected to internal network
eth1 is connected to router

jlevie is right, I am trying to use my same block of 32 ip addresses for internal and external.  Should I subnet my network smaller to do what I am trying?  I cannot use nat because of issues out of my control.

Thanks for the help.

Author Comment

ID: 2809057
By the way, it seems that when I ping, or telnet, or do whatever, the traffic only seems to pass through eth0.  Not sure why; just because it's the first card and it is in the same network?

Expert Comment

ID: 2809278
Yep, I suspected that you were trying to use the same netblock on the inside and the outside NICs. The routing table tells the tale in these two lines:

*.*.96.192 U     0      0        0 eth0
*.*.96.192 U     0      0        0 eth1

If you look at that, you'll see that the exact same network is shown for both eth0 & eth1. Consequently, the routing engine in the kernel can't really figure out which NIC to use for an IP in that network. For lack of any better clue it simply sends it out the first (eth0) interface and hopes for the best.

And no you can't "cheat" and split the netblock of 32 and use half on the inside and half on the outside. Well at least not without getting the provider to do some re-configuration of the router. If the outside NIC and the router aren't using the same netmask they won't talk to each other.
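The symptom jlevie reads from the routing table (one directly connected network listed on two interfaces) and the forwarding check from the first comment can both be automated. The script below is an added example, not code from the thread or from Red Hat; its routing tables are constructed, with 192.0.2.192/27 standing in for the poster's starred-out netblock, and the second table shows what the same host looks like once the block has been split into two /28 halves with the router on the eth1 side.

```shell
#!/bin/sh
# Added example: spot a network that is routed out of more than one interface,
# and confirm kernel forwarding is on. Both sample tables are constructed;
# 192.0.2.192/27 is a stand-in for the starred-out block in the thread.

# `route -n` as the poster's box shows it: the /27 appears on eth0 AND eth1.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.0.2.209     0.0.0.0         255.255.255.255 UH    0      0        0 eth0
192.0.2.194     0.0.0.0         255.255.255.255 UH    0      0        0 eth1
192.0.2.192     0.0.0.0         255.255.255.224 U     0      0        0 eth0
192.0.2.192     0.0.0.0         255.255.255.224 U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.0.2.193     0.0.0.0         UG    0      0        0 eth0'

# The same host after re-subnetting: outside /28 on eth1, inside /28 on eth0,
# default route now correctly via the router on eth1.
FIXED_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.0.2.192     0.0.0.0         255.255.255.240 U     0      0        0 eth1
192.0.2.208     0.0.0.0         255.255.255.240 U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.0.2.193     0.0.0.0         UG    0      0        0 eth1'

# Read `route -n` output on stdin. For every directly connected network
# (gateway 0.0.0.0, no H flag) seen on more than one interface, print
# "network/genmask iface1,iface2". Exit 1 if any overlap exists, else 0.
overlapping_routes() {
    awk '
        NR > 2 && $2 == "0.0.0.0" && $4 !~ /H/ {
            key = $1 "/" $3
            if (key in ifaces) ifaces[key] = ifaces[key] "," $8
            else ifaces[key] = $8
        }
        END {
            for (k in ifaces)
                if (index(ifaces[k], ",")) { print k, ifaces[k]; found = 1 }
            exit found ? 1 : 0
        }'
}

# True if the sysctl file ($1, default /proc/sys/net/ipv4/ip_forward) reads 1.
# The path argument lets the check run against a copied file, offline.
ip_forward_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Demo on the sample table; on a live host pipe `route -n` in instead.
if printf '%s\n' "$SAMPLE_ROUTES" | overlapping_routes; then
    echo "no network is routed out of two interfaces"
else
    echo "same network on two interfaces: the kernel just picks the first match"
fi
printf '%s\n' "$FIXED_ROUTES" | overlapping_routes && echo "re-subnetted table is clean"
ip_forward_enabled && echo "ip_forward=1" || echo "ip_forward is off (or /proc unavailable)"
```

On a real host replace the sample with `/sbin/route -n | overlapping_routes`; any line it prints is a network the kernel cannot route unambiguously, which is exactly why the poster saw all traffic leave through eth0.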

Author Comment

ID: 2809432
jlevie, thank you for your help.  It seems like you are exactly right...please propose an answer instead of just a comment so that I can give you your points.

I can change the settings on my side of the router to reflect the smaller subnet, but I am not sure if it will affect anything on my ISP's side of my router.  Any ideas?  If not, can you think of anything else I could do to be able to make this work with my current block of IPs, besides NAT?  Thanks.

Accepted Solution

jlevie earned 1220 total points
ID: 2810551
If the router can be changed, then that is going to be the only solution other than NAT if you are going to run an internal firewall box. I think that such a change probably wouldn't affect anything up-stream of the router, but you should certainly coordinate any change like that with your ISP. Of course that will reduce your usable IP's (for inside of the firewall to 14).

There may be other possible solutions. If your router is a Cisco, you can achieve almost all of the functionality and protection of a firewall with "extended access lists" applied to the outside interface of the router. Other brands may have similar capabilities. The protection that access lists provide isn't quite as good as a true firewall, but it's probably good enough for most networks (especially if the interior systems are configured w/security in mind).

Also there are "personal firewalls" that can be installed on each windows client to protect just that client. This isn't as good of a solution as access lists on the router as you must open holes in each of the personal firewalls to/from your other local systems in order to be able to communicate among your local machines.

Before I can propose an answer you'll need to reject the existing proposed answer (it has the question locked). Once that's done I can propose an answer or you can simply accept a comment as the answer.
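The accepted answer's numbers (a /27 of 32 addresses split into two halves, 14 usable inside) and its condition that the router itself must change can be worked through in a few lines of shell. This is an added example, not from the thread: 192.0.2.192/27 is a constructed stand-in for the poster's block, and the `on_link` check encodes the assumption behind "the router must be reconfigured": as long as the router still treats the whole /27 as directly attached, it will ARP for inside hosts on its own interface instead of handing their traffic to the firewall's outside address, so the inside half is unreachable from the internet until the router's mask (or a route for the inside /28) is changed.

```shell
#!/bin/sh
# Added example: split a /27 into two /28s and show what each half leaves for
# hosts, plus a check of whether the router would still see an inside host as
# directly attached. Addresses are constructed stand-ins for the thread's block.

# Dotted quad -> 32-bit integer (positional parameters are local to a function).
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length -> netmask as integer, e.g. 28 -> 0xFFFFFFF0 (255.255.255.240).
prefix_to_mask() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# Print "network/prefix hosts=first-last broadcast=B usable=N" for one subnet.
subnet_info() {
    net=$(ip_to_int "$1"); mask=$(prefix_to_mask "$2")
    base=$(( net & mask ))
    bcast=$(( base | (~mask & 0xFFFFFFFF) ))
    echo "$(int_to_ip "$base")/$2 hosts=$(int_to_ip $(( base + 1 )))-$(int_to_ip $(( bcast - 1 ))) broadcast=$(int_to_ip "$bcast") usable=$(( bcast - base - 1 ))"
}

# Split network/prefix into its two halves (prefix + 1), one line each.
split_block() {
    half=$(( 1 << (32 - $2 - 1) ))
    start=$(( $(ip_to_int "$1") & $(prefix_to_mask "$2") ))
    lo_net=$(int_to_ip "$start"); hi_net=$(int_to_ip $(( start + half )))
    subnet_info "$lo_net" $(( $2 + 1 ))
    subnet_info "$hi_net" $(( $2 + 1 ))
}

# True if host $3 lies inside the directly connected network $1/$2 as seen by
# the router. With the old /27 the router thinks every inside PC is on its own
# wire; with a /28 it has to route to them through the firewall.
on_link() {
    m=$(prefix_to_mask "$2")
    [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "$3") & m )) ]
}

# Demo: the two halves, then the router's view of an inside host (.209)
# before and after its mask changes from /27 to /28.
split_block 192.0.2.192 27
on_link 192.0.2.193 27 192.0.2.209 && echo "router /27: .209 looks directly attached, firewall bypassed"
on_link 192.0.2.193 28 192.0.2.209 || echo "router /28: .209 is off-link, traffic must go via the firewall"
```

The lower half (192.0.2.192/28, router at .193, firewall outside at .194) stays on the ISP side; the upper half (192.0.2.208/28, firewall inside at .209) is the internal network, and the script's `usable=14` on each line is the figure the accepted answer quotes.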

Author Comment

ID: 2811211
Thanks for the help, but as you indicated, jlevie was the first to come up with this solution.

Author Comment

ID: 2811216
Thanks, I will play around with my router.
