Networking with RH Linux 6.1

Posted on 2000-05-12
Last Modified: 2013-12-06
I have a multihomed Red Hat 6.1 system. I am trying to have it function as a gateway to my Win98 PCs. Linux is connected to my router, and it can get to the internet just fine with its default gateway being my router. The problem I am having is that I cannot get any of my PCs to go through the Linux box and out to the net. I am using IP forwarding and have real IP addresses for all PCs. (Not using NAT.) I have my PCs' gateways set to the second card in the Linux machine (eth1). My goal is to have one card be my internal card and the other external, and to put up a firewall so that my PCs can get to and go through Linux to the net, but nothing can get past the external card from the internet.

I have no idea what I am doing [wrong]. Do I need to set up any static routes to accomplish this? I have 32 static IPs and my netmask is .224.

Please let me know if you need any more info.
Question by: barthalamu

Expert Comment

ID: 2806454
While "using" IP forwarding, did you also enable it (default off in kernel 2.2.x)? You can do this by: echo "1" > /proc/sys/net/ipv4/ip_forward
You could add this line to /etc/rc.d/rc.local. BTW, can you ping eth0 and eth1?

Expert Comment

ID: 2806808
You should probably also post the output of '/sbin/ifconfig' and 'route -n' and 'cat /proc/sys/net/ipv4/ip_forwarding' so we can help. Also, you should tell whether eth1 is connected to the internet router and eth0 is connected to your local network, etc. If eth0 is connected to your local network, then ITS IP address is your PCs' gateway, not eth1, for example. It's hard to do this unless you give an example of how your network is laid out, what IP numbers and netmasks you are using, what the Linux box can and cannot ping, etc.

Expert Comment

ID: 2806909
I suspect that you may be trying to use the same network on both sides of your router and that won't work. You can only route between networks, so the inside and outside interfaces must be on different networks. If you only have one netblock of 32 addresses that must be used on the outside NIC. The inside NIC and your local machines will have to be on a different network.

What you need is NAT, which Linux can't do (it can do NPAT, aka PAT), in order to use all the IPs in your netblock. The BSD variants (FreeBSD, OpenBSD) as well as Solaris & HP-UX can do this with ipfilter (see NAT allows you to use a private network on the inside and a pool of public IPs (your netblock of 32) with inside clients having static or dynamic translations between the private & public IPs.

Expert Comment

ID: 2807913
Like jlevie said, you need separate networks to route. Once you get the routing going you can set up a firewall using PM Firewall -

Expert Comment

ID: 2808354
Unless I missed something about it, I don't think that pmfirewall can do NAT. Accordingly he'd only be able to use one of the IPs in his netblock.

Expert Comment

ID: 2809045
You're right, pmfirewall doesn't do NAT. It just makes it really easy to set up a firewall using ipchains. I agreed with you about needing two networks for routing. He could use private IPs internally, or he should be able to subnet his block of 32 IPs...


Author Comment

ID: 2809051
Here are the outputs of what kiffney suggested that I post:

(Replaced first two parts of ip address with *'s)


eth0      Link encap:Ethernet  HWaddr 00:C0:CA:12:C0:D8
          inet addr:*.*.96.209  Bcast:*.*.96.223  Mask:
          RX packets:574678 errors:0 dropped:0 overruns:0 frame:0
          TX packets:458210 errors:0 dropped:0 overruns:0 carrier:0
          collisions:8 txqueuelen:100
          Interrupt:10 Base address:0xe800

eth1      Link encap:Ethernet  HWaddr 00:E0:29:5B:2A:91
          inet addr:*.*.96.194  Bcast:*.*.96.223  Mask:
          RX packets:69081 errors:1 dropped:0 overruns:0 frame:0
          TX packets:490 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:5 Base address:0xec00

lo        Link encap:Local Loopback
          inet addr:  Mask:
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:23332 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23332 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

route -n:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
*.*.96.209 UH    0      0        0 eth0
*.*.96.194 UH    0      0        0 eth1
*.*.96.192 U     0      0        0 eth0
*.*.96.192 U     0      0        0 eth1
                U     0      0        0 lo
*.*.96.193         UG    0      0        0 eth0

Yes-IP Forwarding is turned on.
Yes-Can ping eth0 and eth1
eth0 is connected to internal network
eth1 is connected to router

jlevie is right, I am trying to use my same block of 32 IP addresses for internal and external. Should I subnet my network smaller to do what I am trying? I cannot use NAT because of issues out of my control.

Thanks for the help.

Author Comment

ID: 2809057
By the way, it seems that when I ping, or telnet, or do whatever, the traffic only seems to pass through eth0. Not sure why, just because it's the first card and it is in the same network?

Expert Comment

ID: 2809278
Yep, I suspected that you were trying to use the same netblock on the inside and the outside NICs. The routing table tells the tale in these two lines:

*.*.96.192 U     0      0        0 eth0
*.*.96.192 U     0      0        0 eth1

If you look at that, you'll see that the exact same network is shown for both eth0 & eth1. Consequently, the routing engine in the kernel can't really figure out which NIC to use for an IP in that network. For lack of any better clue it simply sends it out the first (eth0) interface and hopes for the best.

And no you can't "cheat" and split the netblock of 32 and use half on the inside and half on the outside. Well at least not without getting the provider to do some re-configuration of the router. If the outside NIC and the router aren't using the same netmask they won't talk to each other.

Author Comment

ID: 2809432
jlevie, thank you for your help.  It seems like you are exactly right...please propose an answer instead of just a comment so that I can give you your points.

I can change the settings on my side of the router to reflect the smaller subnet, but I am not sure if it will affect anything on my ISP's side of my router. Any ideas? If not, can you think of anything else I could do to be able to make this work with my current block of IPs, besides NAT? Thanks.

Accepted Solution

jlevie earned 305 total points
ID: 2810551
If the router can be changed, then that is going to be the only solution other than NAT if you are going to run an internal firewall box. I think that such a change probably wouldn't affect anything up-stream of the router, but you should certainly coordinate any change like that with your ISP. Of course that will reduce your usable IPs (for inside of the firewall to 14).

There may be other possible solutions. If your router is a Cisco, you can achieve almost all of the functionality and protection of a firewall with "extended access lists" applied to the outside interface of the router. Other brands may have similar capabilities. The protection that access lists provide isn't quite as good as a true firewall, but it's probably good enough for most networks (especially if the interior systems are configured w/security in mind).

Also there are "personal firewalls" that can be installed on each Windows client to protect just that client. This isn't as good a solution as access lists on the router, as you must open holes in each of the personal firewalls to/from your other local systems in order to be able to communicate among your local machines.

Before I can propose an answer you'll need to reject the existing proposed answer (it has the question locked). Once that's done I can propose an answer or you can simply accept a comment as the answer.
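
The routing ambiguity jlevie reads out of the two "*.*.96.192" lines, and the /27-to-/28 split with 14 usable hosts per half from the accepted answer, worked through as an added example (not code from the thread). It assumes a constructed stand-in block, 203.0.113.192/27, for the poster's scrubbed addresses, with the router at .193 as in the route table.

```python
import ipaddress

# Constructed stand-in for the scrubbed "*.*.96.x" block of 32 with mask .224 (/27).
# The router sits at .193, matching the UG (default) line in the poster's route -n.
ROUTER = ipaddress.ip_address("203.0.113.193")

def connected_routes(interfaces):
    """Derive the 'U' (directly connected) lines of `route -n` from each
    interface's address/mask, which the kernel adds when the NIC is configured."""
    return [(ipaddress.ip_interface(addr).network, name)
            for name, addr in interfaces.items()]

def ambiguous_networks(interfaces):
    """Networks that are directly connected on more than one NIC.  For these the
    kernel matches the first entry (eth0 in the thread); the other NIC is idle."""
    by_net = {}
    for net, name in connected_routes(interfaces):
        by_net.setdefault(net, []).append(name)
    return {str(net): names for net, names in by_net.items() if len(names) > 1}

def gateway_on_link(interfaces, outside, gateway=ROUTER):
    """A default route is only usable if the router's address lies inside the
    outside NIC's own subnet, the netmask point jlevie raises."""
    return gateway in ipaddress.ip_interface(interfaces[outside]).network

def split_block(block, new_prefix=28):
    """Subnet the /27 into /28s and count usable hosts (network and broadcast
    addresses removed): 14 per half, as the accepted answer states."""
    return [(str(s), s.num_addresses - 2)
            for s in ipaddress.ip_network(block).subnets(new_prefix=new_prefix)]

# The poster's layout: both NICs carry the same /27.
BROKEN = {"eth0": "203.0.113.209/27", "eth1": "203.0.113.194/27"}
# After the split: outside (eth1 + router) on .192/28, inside (eth0 + PCs) on .208/28.
FIXED = {"eth0": "203.0.113.209/28", "eth1": "203.0.113.194/28"}

if __name__ == "__main__":
    print("broken:", ambiguous_networks(BROKEN))  # {'203.0.113.192/27': ['eth0', 'eth1']}
    print("fixed: ", ambiguous_networks(FIXED))   # {}
    print("router reachable from eth1:", gateway_on_link(FIXED, "eth1"))  # True
    print("halves:", split_block("203.0.113.192/27"))  # 14 usable hosts each
```

The router must be reconfigured to the same /28 as eth1 for the split to hold; otherwise it will ARP for inside hosts directly instead of forwarding through the Linux box.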

Author Comment

ID: 2811211
Thanks for the help, but as you indicated, jlevie was the first to come up with this solution.

Author Comment

ID: 2811216
Thanks, I will play around with my router.
