
Linux as Router

visualminder asked (Medium Priority, 780 Views, Last Modified: 2010-03-18)
Hi,

I'm going to set up a Linux computer as a router for my local network. There are two network cards installed in this Linux computer: eth0 and eth1. I use DSL via PPP to reach the internet. I want to configure eth0 for the internal network and eth1 for the "outworld". I've followed the instructions in the "HOWTO". By now I can connect to the internet from the Linux computer and I can also access the Linux computer from my Windows computer in the same local network. But I cannot access the internet from my Windows computer. Ping does not work either. IP forwarding and masquerading are active. I think it is a problem with routing.

eth0: 192.168.10.10
eth1: 192.168.10.20

In my /etc/route.conf:
192.168.10.0            0.0.0.0                 255.255.255.0           eth0

In windows clients:
Gateway: 192.168.10.10

route -n
WITH connection:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
217.5.98.17     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         217.5.98.17     0.0.0.0         UG    0      0        0 ppp0

route -n WITHOUT connection
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1

I just can't understand why eth1 appears instead of eth0.

Can someone tell me, what I should do?

Thanks

Visu

Carlos Cabañas (ESPECIALISTA DE IT STG LAB)

Commented:
You must not configure any route; rather, you must configure your ppp as the default route. I have a pptp connection and I use pptp 10.0.0.1 --defaultroute as the pptp connect command.
Next enable forwarding with "echo 1 > /proc/sys/net/ipv4/ip_forward". Then you must configure on the clients a default gateway that matches the card that is connected to your local net (eth0).-

Regards.-

Author

Commented:
I think IP forwarding and the standard gateway are active. But it still doesn't work.

Visu

Carlos Cabañas (ESPECIALISTA DE IT STG LAB)

Commented:
DISABLE the standard route; you must not configure any route on your PC. With forwarding and the ppp0 interface you get a default route outside your LAN.-

Author

Commented:
I've already disabled the standard route on my Linux machine.
In my /etc/route.conf there is only one line:
192.168.10.0            0.0.0.0                 255.255.255.0           eth0
Carlos Cabañas (ESPECIALISTA DE IT STG LAB)

Commented:
Comment out that line and try again. It should work.

Author

Commented:
It does not seem to work. I can't even access my other local network computer anymore.
CERTIFIED EXPERT

Commented:
echo "1" > /proc/sys/net/ipv4/ip_forward

BTW, what are your 2 interfaces for, when they both belong to the same subnet?
> eth0: 192.168.10.10
> eth1: 192.168.10.20

Author

Commented:
IP forwarding is active:
cat /proc/sys/net/ipv4/ip_forward
1

The Linux Distribution: SUSE Linux 7.2 Kernel 2.4.?
I'm using SUSEFirewall to configure the masquerading.
e.g.
/etc/rc.config:
START_FW=yes

/etc/rc.config.d/firewall.rc.config:
FW_DEV_WORLD:ppp0
FW_DEV_INT:eth0
FW_ROUTE:yes
FW_MASQUERADE:yes
...

I use pppoe
I want eth0 for the internal network and eth1 for DSL connection with internet (ppp0).
I'm not sure whether both IPs should belong to the same subnet. I've seen the configuration of a colleague that works. His 2 NIC addresses are in the same subnet.
Do you think they should be in separate subnets?

Visu
CERTIFIED EXPERT

Commented:
If both NICs are in the same subnet, it's useless, somehow.
Also, if they are in the same subnet, you cannot use the firewall (iptables).
Check whether your configuration works without the firewall.
If so, enable firewall again and please post results of
     iptables -n -L
     iptables -n -L -t nat
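
Why two NICs on one subnet misbehave can be seen by replaying the kernel's route lookup over the two tables the author posted. The following is an added example (Python, not code from the thread or from SuSE): the route tables are constructed copies of the `route -n` output above (same-subnet case, then the split-subnet case posted later), 198.51.100.7 is a documentation-range stand-in for an internet host, and the function names are my own.

```python
import ipaddress

# Added example, not code from the thread. The two tables below are constructed
# copies of the author's `route -n` postings (same-subnet case, then the later
# split-subnet case), used to show which interface the kernel picks.
ROUTES_SAME_SUBNET = """\
217.5.98.17     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         217.5.98.17     0.0.0.0         UG    0      0        0 ppp0
"""

ROUTES_SPLIT_SUBNETS = """\
217.5.98.17     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.20.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         217.5.98.17     0.0.0.0         UG    0      0        0 ppp0
"""


def parse_route_table(text):
    """Parse `route -n` rows into (network, gateway-or-None, iface) tuples."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 8 or cols[0] in ("Kernel", "Destination"):
            continue  # skip the two header lines if they are present
        dest, gateway, mask, iface = cols[0], cols[1], cols[2], cols[7]
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((network, None if gateway == "0.0.0.0" else gateway, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match as the kernel does it: returns (iface, gateway)."""
    dst = ipaddress.IPv4Address(dst)
    best = None
    for network, gateway, iface in routes:
        if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway, iface)
    return None if best is None else (best[2], best[1])


def overlapping_interfaces(addrs):
    """addrs maps iface -> 'a.b.c.d/len'; returns pairs whose networks overlap.

    Two NICs on one subnet give the kernel a single connected route for that
    subnet, so replies to LAN clients can leave via the wrong card.
    """
    nets = {iface: ipaddress.IPv4Interface(a).network for iface, a in addrs.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


if __name__ == "__main__":
    same = parse_route_table(ROUTES_SAME_SUBNET)
    split = parse_route_table(ROUTES_SPLIT_SUBNETS)
    # A reply to LAN client 192.168.10.50 leaves via eth1 (the DSL-side card)
    # with the same-subnet table, but via eth0 once the subnets are separated.
    print("same subnet :", lookup(same, "192.168.10.50"))
    print("split subnet:", lookup(split, "192.168.10.50"))
    print("internet    :", lookup(split, "198.51.100.7"))
    print("overlap     :", overlapping_interfaces({"eth0": "192.168.10.10/24",
                                                   "eth1": "192.168.10.20/24"}))
```

With the same-subnet table a packet for 192.168.10.50 is sent out eth1, which is the card wired towards the DSL modem, so the Windows clients behind eth0 never see the replies; with the split table the same lookup picks eth0 and only the default route goes to ppp0.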

Author

Commented:
Without the firewall I can connect to the internet from my Linux router machine. Because there is no masquerading, I cannot connect from the other machines in the local network to the internet.
It seems that I have no iptables on my SUSE Linux 7.2. I only have ipchains.

ipchains -L
Chain input (policy DENY):
target     prot opt     source                     destination                ports
ACCEPT     all  ------  anywhere                   anywhere                   n/a
DENY       all  ----l-  pD9E1C915.dip.t-dialin.net anywhere                   n/a
DENY       all  ----l-  192.168.10.0/24            anywhere                   n/a
DENY       all  ----l-  linux.local                anywhere                   n/a
DENY       all  ----l-  pD9E1C915.dip.t-dialin.net anywhere                   n/a
DENY       all  ----l-  loopback/8                 anywhere                   n/a
DENY       all  ----l-  anywhere                   loopback/8                 n/a
ACCEPT     all  ------  anywhere                   anywhere                   n/a
ACCEPT     icmp ----l-  pD9E1C915.dip.t-dialin.net anywhere                   source-quench
ACCEPT     icmp ----l-  anywhere                   pD9E1C915.dip.t-dialin.net echo-request
ACCEPT     icmp ------  anywhere                   pD9E1C915.dip.t-dialin.net echo-reply
ACCEPT     icmp ------  anywhere                   pD9E1C915.dip.t-dialin.net destination-unreachable
ACCEPT     icmp ------  anywhere                   pD9E1C915.dip.t-dialin.net time-exceeded
ACCEPT     icmp ------  anywhere                   pD9E1C915.dip.t-dialin.net parameter-problem
ACCEPT     icmp ------  anywhere                   linux.local                echo-reply
ACCEPT     icmp ------  anywhere                   linux.local                destination-unreachable
ACCEPT     icmp ------  anywhere                   linux.local                time-exceeded
ACCEPT     icmp ------  anywhere                   linux.local                parameter-problem
ACCEPT     icmp ----l-  anywhere                   linux.local                source-quench
ACCEPT     icmp ------  anywhere                   linux.local                echo-request
REJECT     tcp  -y----  anywhere                   anywhere                   any ->   ident
DENY       tcp  -y--l-  anywhere                   pD9E1C915.dip.t-dialin.net any ->   telnet
DENY       tcp  ------  anywhere                   pD9E1C915.dip.t-dialin.net any ->   telnet
DENY       tcp  -y--l-  anywhere                   pD9E1C915.dip.t-dialin.net any ->   time
DENY       tcp  ------  anywhere                   pD9E1C915.dip.t-dialin.net any ->   time
DENY       tcp  -y--l-  anywhere                   pD9E1C915.dip.t-dialin.net any ->   finger
DENY       tcp  ------  anywhere                   pD9E1C915.dip.t-dialin.net any ->   finger
DENY       tcp  -y--l-  anywhere                   pD9E1C915.dip.t-dialin.net any ->   http
DENY       tcp  ------  anywhere                   pD9E1C915.dip.t-dialin.net any ->   http
DENY       tcp  -y--l-  anywhere                   pD9E1C915.dip.t-dialin.net any ->   sunrpc
DENY       tcp  ------  anywhere                   pD9E1C915.dip.t-dialin.net any ->   sunrpc
DENY       tcp  -y--l-  anywhere                   pD9E1C915.dip.t-dialin.net any ->   netbios-ssn
DENY       tcp  ------  anywhere                   pD9E1C915.dip.t-dialin.net any ->   netbios-ssn
DENY       tcp  -y--l-  anywhere                   pD9E1C915.dip.t-dialin.net any ->   login
DENY       tcp  ------  anywhere                   pD9E1C915.dip.t-dialin.net any ->   login
DENY       tcp  -y--l-  anywhere                   pD9E1C915.dip.t-dialin.net any ->   printer
DENY       tcp  ------  anywhere                   pD9E1C915.dip.t-dialin.net any ->   printer
DENY       tcp  -y--l-  anywhere                   pD9E1C915.dip.t-dialin.net any ->   904
DENY       tcp  ------  anywhere                   pD9E1C915.dip.t-dialin.net any ->   904
DENY       tcp  -y--l-  anywhere                   pD9E1C915.dip.t-dialin.net any ->   1024
DENY       tcp  ------  anywhere                   pD9E1C915.dip.t-dialin.net any ->   1024
DENY       tcp  -y--l-  anywhere                   pD9E1C915.dip.t-dialin.net any ->   blackjack
DENY       tcp  ------  anywhere                   pD9E1C915.dip.t-dialin.net any ->   blackjack
DENY       tcp  -y--l-  anywhere                   pD9E1C915.dip.t-dialin.net any ->   6000
DENY       tcp  ------  anywhere                   pD9E1C915.dip.t-dialin.net any ->   6000
DENY       tcp  -y--l-  anywhere                   pD9E1C915.dip.t-dialin.net any ->   isdnlog
DENY       tcp  ------  anywhere                   pD9E1C915.dip.t-dialin.net any ->   isdnlog
ACCEPT     tcp  -y--l-  anywhere                   pD9E1C915.dip.t-dialin.net any ->   1024:65535
ACCEPT     tcp  ------  anywhere                   pD9E1C915.dip.t-dialin.net any ->   1024:65535
ACCEPT     tcp  !y----  anywhere                   linux.local                any ->   ipcserver:65535
ACCEPT     tcp  !y----  anywhere                   pD9E1C915.dip.t-dialin.net any ->   ipcserver:65535
ACCEPT     tcp  !y----  anywhere                   linux.local                any ->   ftp-data
ACCEPT     tcp  !y----  anywhere                   pD9E1C915.dip.t-dialin.net any ->   ftp-data
ACCEPT     udp  ------  anywhere                   anywhere                   any ->   61000:65095
DENY       udp  ----l-  anywhere                   pD9E1C915.dip.t-dialin.net any ->   time
DENY       udp  ----l-  anywhere                   pD9E1C915.dip.t-dialin.net any ->   sunrpc
DENY       udp  ----l-  anywhere                   pD9E1C915.dip.t-dialin.net any ->   netbios-ns
.....
ACCEPT     tcp  ------  anywhere                   anywhere                   ssh ->   any
ACCEPT     tcp  ------  anywhere                   anywhere                   any ->   ssh
ACCEPT     tcp  ------  anywhere                   anywhere                   ftp-data ->   any
ACCEPT     tcp  ------  anywhere                   anywhere                   http ->   any
ACCEPT     tcp  ------  anywhere                   anywhere                   http ->   any
ACCEPT     tcp  ------  anywhere                   anywhere                   any ->   http
ACCEPT     udp  ------  anywhere                   anywhere                   domain ->   any
ACCEPT     udp  ------  anywhere                   anywhere                   any ->   domain
ACCEPT     udp  ------  anywhere                   anywhere                   any ->   snmp
ACCEPT     udp  ------  anywhere                   anywhere                   any ->   snmptrap
ACCEPT     udp  ------  anywhere                   anywhere                   any ->   syslog

Chain fw_masq (0 references):
target     prot opt     source                     destination                ports
MASQ       all  ------  anywhere                   anywhere
CERTIFIED EXPERT

Commented:
Looks like your posting from "ipchains -L" is incomplete or damaged: I'm missing the output and the forward chains.
Also:
> ipchains -L
> Chain input (policy DENY):
> target     prot opt     source     destination     ports
> ACCEPT     all  ------  anywhere   anywhere        n/a
As you see the general policy is DENY, then the first rule is to ACCEPT anything from anywhere to anywhere. This means that all following rules in this chain are never consulted, 'cause the first one always matches.
Probably this might be ok; please try again with
     ipchains -L -n -v
Important is the value in the ifname column.

Did you make changes to the SuSEfirewall script?

For testing I suggest not using this script but setting up
a minimal firewall, like:

   ipchains -P input DENY
   ipchains -A input ! -i ppp0 -j ACCEPT
   ipchains -A forward -i ppp0 -j MASQ

then you might add more rules to protect your network, but keep in mind that the sequence is important: if a rule matches, ipchains will not check the following rules. To see the rule numbers use:  ipchains -L -n --line-numbers

Commented:
Look at your route table again: where is eth0??
Is it even configured? It better be if you have your
other systems configured to look at it.
Try this:
remove eth0
set internal systems to look at eth1
clear all ipchains and set defaults to accept
ipchains -A forward -i ppp0 -j MASQ
check your route -n


Kernel IP routing table
Destination Gateway  Genmask  Flags Metric Ref    Use Iface
217.5.98.17  0.0.0.0  f.f.f.f  UH    0      0        0 ppp0
192.168.10.0 0.0.0.0  f.f.f.f  U     0      0        0 eth1
0.0.0.0    217.5.98.17 0.0.0.0 UG    0      0        0 ppp0

This should work as long as the other boxes point to eth1.
You have no need for eth0 if you use ppp0.


Author

Commented:
To Jscart,

I'm not quite sure what you mean. Why should I remove eth0?
I do need 2 NICs to run the thing. eth0 for internal network and eth1 for ppp0.

To ahoffmann,

Someone told me that the 2 NICs should not be in the same subnet. So I changed the IP of eth1 to 192.168.20.10 255.255.255.0. The IP of eth0 stays unchanged: 192.168.10.10 255.255.255.0.
I've also run the following commands, although I don't understand them:

ipchains -F forward
ipchains -A forward -s 192.168.10.0/24 -d 0.0.0.0/0 -j MASQ

It works then. But I cannot access some websites like www.yahoo.de from the Windows machines, and the internet speed from the Windows machines is very slow. On the Linux router the internet speed is very quick.

I think I should learn more details about Linux networking.

Can you tell me what ipchains means? Do you know any intuitive online tutorials about ipchains and masquerading?
And how do I accelerate the internet speed and enable access to www.yahoo.de?

The result of ipchains -L -n -v:

Chain input (policy DENY: 3 packets, 284 bytes):
-------------------------------------------------
pkts bytes target     prot opt    tosa tosx  ifname     source   destination   ports

279 60501 ACCEPT     all  ------  0xFF 0x00  lo             0.0.0.0/0  0.0.0.0/0    n/a

0   0      DENY       all  ----l- 0xFF 0x00  eth0           217.82.45.127  0.0.0.0/0             n/a

0   0      DENY       all  ----l- 0xFF 0x00  ppp0           192.168.10.0/24      0.0.0.0/0       n/a
.....


Chain forward (policy DENY: 0 packets, 0 bytes):  
------------------------------------------------
29547 3132K MASQ   all  ------ 0xFF 0x00  *                 192.168.10.0/24      0.0.0.0/0             n/a

0     0 MASQ       all  ------ 0xFF 0x00  ppp0              0.0.0.0/0            0.0.0.0/0             n/a

.............

Chain output (policy ACCEPT: 105287 packets, 79797766 bytes):
----------------------------------------------------

279 60501 ACCEPT     all  ------ 0xFF 0x00  lo               0.0.0.0/0            0.0.0.0/0             n/a

0    0 ACCEPT     icmp ------ 0xFF 0x00  *                 217.82.45.127        0.0.0.0/0             3 ->   4

........


route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
217.5.98.17     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.20.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         217.5.98.17     0.0.0.0         UG    0      0        0 ppp0

CERTIFIED EXPERT
Commented:
> But I cannot access some websites like www.yahoo.de from windows machines and the Internetspeed from the windows Machines is very slow.

The reason is that windoze has a wrong DNS server.
Simple check in a cmd.exe with:  ipconfig /all
The "DNS Server" entry seems to be wrong; it must be the same IP as the "nameserver" line in Linux's /etc/resolv.conf.

A more reliable solution might be to set up a DNS server on your Linux box and point windoze to this server's IP.
This will be a hard job, not recommended for beginners.
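
To make the check above mechanical, here is an added example (Python, not code from the thread) that compares the nameserver lines of the router's /etc/resolv.conf with the "DNS Servers" field of a client's `ipconfig /all` output. Both inputs are constructed: the 203.0.113.x addresses are documentation-range stand-ins for the ISP's real nameservers, and the function names are my own.

```python
import re

# Added example, not from the thread. Both inputs are constructed; the
# nameserver addresses are documentation-range placeholders, not the ISP's.
RESOLV_CONF = """\
# /etc/resolv.conf on the Linux router
search local
nameserver 203.0.113.53
nameserver 203.0.113.54
"""

# A client whose "DNS Servers" points at the router itself, which runs no DNS.
IPCONFIG_ALL_BROKEN = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.10.50
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.10.10
        DNS Servers . . . . . . . . . . . : 192.168.10.10
"""

# The same client after copying the router's nameserver lines (second server
# appears on an indented continuation line, as ipconfig prints it).
IPCONFIG_ALL_FIXED = IPCONFIG_ALL_BROKEN.replace(
    "DNS Servers . . . . . . . . . . . : 192.168.10.10",
    "DNS Servers . . . . . . . . . . . : 203.0.113.53\n"
    "                                    203.0.113.54")


def resolv_nameservers(text):
    """Addresses from the nameserver lines of a resolv.conf."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, re.MULTILINE)


def ipconfig_field(text, label):
    """Values of one `ipconfig /all` field, including indented continuation lines."""
    values, collecting = [], False
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*?)[ .]*:\s*(\S*)", line)
        if m:
            collecting = m.group(1).strip() == label
            if collecting and m.group(2):
                values.append(m.group(2))
        elif collecting and line.strip():
            values.append(line.strip())  # second and later DNS servers
        else:
            collecting = False
    return values


def client_dns_audit(resolv_text, ipconfig_text):
    """Compare the client's DNS servers with the router's resolv.conf."""
    router = set(resolv_nameservers(resolv_text))
    client = set(ipconfig_field(ipconfig_text, "DNS Servers"))
    gateway = set(ipconfig_field(ipconfig_text, "Default Gateway"))
    return {
        "router_nameservers": sorted(router),
        "client_dns": sorted(client),
        "dns_is_gateway": bool(client & gateway),  # router runs no DNS here
        "ok": bool(client) and client <= router,
    }


if __name__ == "__main__":
    print(client_dns_audit(RESOLV_CONF, IPCONFIG_ALL_BROKEN))
    print(client_dns_audit(RESOLV_CONF, IPCONFIG_ALL_FIXED))
```

A client whose DNS entry is the gateway address fails the audit because the router in this thread runs no nameserver; once the client lists the same addresses as the router's resolv.conf the audit passes, which matches the symptom described above (pages that need a lookup fail or are slow while the router itself is fast).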
Commented:
Ipchains runs the firewall rules. Linuxdoc.org has a good how-to. Well, now eth0 is in the table; before, it looked like it was never configured.

Commented:
I'd try this:
As eth1 connects to the DSL box via PPP over Ethernet, it seems like some kind of VPN. I think it's clearer then to use e.g. a class A network on your LAN.

So change eth0 to 10.0.0.1 netmask 255.0.0.0. Your clients must also have a 10.x.y.z address, netmask 255.0.0.0, and the internal IP of the router as default gateway (10.0.0.1).

Flush all ipchains-rules:
ipchains -F

IP-forwarding must run, e.g.:
echo 1 > /proc/sys/net/ipv4/ip_forward

Deny undesired forwarding:

ipchains -P forward DENY

Allow internal network to be masqueraded:

ipchains -A forward -s 10.0.0.0/8 -j MASQ

Check your /etc/resolv.conf; it should at least contain a line like:
nameserver  ip_nameserver_your_isp

Your clients should use the same DNS address(es) if you don't have an internal DNS server.

Cheers.
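
The first-match behaviour ahoffmann describes (rule 1 "ACCEPT all anywhere anywhere" hides every later rule in the posted input chain) and the two minimal rule sets in this thread (ahoffmann's `! -i ppp0` accept plus `-i ppp0 -j MASQ`, and Cook's forward DENY policy plus `-s 10.0.0.0/8 -j MASQ`) can be checked offline with a small model of ipchains evaluation. This is an added example (Python), not code from the thread; the rule excerpt, packet addresses and helper names are constructed, and 198.51.100.9 is a documentation-range stand-in for an outside host.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example, not code from the thread. Models ipchains' first-match
# evaluation: the first rule that matches decides, otherwise the chain policy.


@dataclass(frozen=True)
class Packet:
    iface: str                  # input chain: arrival interface; forward chain: outgoing interface
    src: str
    dst: str
    proto: str = "all"          # "tcp", "udp", "icmp" or "all"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    target: str                     # ACCEPT, DENY, REJECT or MASQ
    proto: str = "all"              # -p
    src: str = "0.0.0.0/0"          # -s
    dst: str = "0.0.0.0/0"          # -d
    iface: Optional[str] = None     # -i
    iface_negated: bool = False     # ! -i
    dport: Optional[int] = None     # destination port

    def matches(self, pkt):
        if self.proto != "all" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.iface is not None and (pkt.iface == self.iface) == self.iface_negated:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True

    def subsumes(self, other):
        """True when every packet `other` could match is already matched here."""
        return ((self.proto == "all" or self.proto == other.proto)
                and ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and (self.iface is None
                     or (self.iface == other.iface and self.iface_negated == other.iface_negated))
                and (self.dport is None or self.dport == other.dport))


def evaluate(chain, policy, pkt):
    """Return (target, rule number) of the first match, or (policy, None)."""
    for number, rule in enumerate(chain, start=1):
        if rule.matches(pkt):
            return rule.target, number
    return policy, None


def shadowed_rules(chain):
    """1-based numbers of rules that can never fire because an earlier rule subsumes them."""
    return [n for n, rule in enumerate(chain, start=1)
            if any(earlier.subsumes(rule) for earlier in chain[:n - 1])]


# Constructed excerpt of the author's posted input chain: policy DENY, then
# "ACCEPT all anywhere anywhere" in front of the telnet/finger DENYs.
ROUTER_WAN = "217.82.45.127"        # the public address in the author's -v listing
POSTED_INPUT = [
    Rule("ACCEPT"),
    Rule("DENY", proto="tcp", dst=ROUTER_WAN, dport=23),
    Rule("DENY", proto="tcp", dst=ROUTER_WAN, dport=79),
]

# ahoffmann's minimal set: accept input only if it did not arrive on ppp0;
# masquerade whatever is forwarded out of ppp0 (forward policy stays ACCEPT).
MINIMAL_INPUT = [Rule("ACCEPT", iface="ppp0", iface_negated=True)]
MINIMAL_FORWARD = [Rule("MASQ", iface="ppp0")]

# Cook's variant: forward policy DENY, masquerade only the internal 10/8.
COOK_FORWARD = [Rule("MASQ", src="10.0.0.0/8")]

if __name__ == "__main__":
    telnet_from_wan = Packet("ppp0", "198.51.100.9", ROUTER_WAN, "tcp", 23)  # constructed
    print(evaluate(POSTED_INPUT, "DENY", telnet_from_wan))   # ('ACCEPT', 1): rule 2 never consulted
    print(shadowed_rules(POSTED_INPUT))                       # [2, 3]
    print(evaluate(MINIMAL_INPUT, "DENY", telnet_from_wan))   # ('DENY', None)
    print(evaluate(COOK_FORWARD, "DENY", Packet("ppp0", "192.168.10.5", "198.51.100.9")))
```

Running `shadowed_rules` over a chain is the offline equivalent of reading `ipchains -L -n --line-numbers` top to bottom: any rule it reports is dead, which is exactly the state of the posted input chain. The model also shows the difference between the two minimal forward chains: with `-i ppp0 -j MASQ` and an ACCEPT policy everything leaving ppp0 is masqueraded, while Cook's DENY policy with `-s 10.0.0.0/8` forwards nothing from a source outside the internal network.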
CERTIFIED EXPERT

Commented:
Cook - it's not really a VPN, it's called PPPoE (PPP over ethernet) and it's used by most DSL providers out there.  Not to get on your case, but I'm really surprised you are commenting on this if you didn't know that.  I guess you could argue that it is in a sense a Virtual _Public_ Network, but I would reject that argument.

Also, there is no reason for him to go renumbering/changing IPs - a class B from 1918 space and a class A from 1918 space all boil down to pretty much the same thing, unless his internal network is bigger than MIT's (which, somehow I doubt is the case).  Any particular reason you think a class A works better here than a class B for his internal net?

ahoffman gets my vote for points here.

-Jon

Commented:
I have one connection like that working, so let me give the hints I used.

First, the NIC to the internet should have no given IP.
In your question you said that you don't understand why eth1 appears instead of eth0. That's because you, in fact, should not configure eth1 or eth0. Since, I guess, you are using two cards of the same brand and they are controlled by the same module, you configure the module to see two cards; in /etc/modules.conf you should see:

alias eth0 ne   # supposing your module is ne
options ne irq=9,10 io=0x300,0x340

irq 9 and io 0x300 go to eth0, irq 10 and io 0x340 go to eth1; the eth1 name does not need to appear.
So regardless of distribution, that's what you should see.
I suggest that you use eth0 for the LAN and eth1 for the internet; it will be easier in linuxconf giving an IP address just to the first card, I don't know about yast.

Now do your NFS and pppoe installation again like you did, with the cards in different positions.
After NFS is working (that's a piece of cake), and pppoe working (the rest of the cake), you should configure the firewall with ipchains.
I got my pppoe from www.roaringpenguim.com/pppoe; you should get the latest update. After installing the package and running adsl-setup and choosing masquerading, the script /etc/ppp/firewall.masq will be installed, but for me it didn't work: I had to modify a line that was
ipchains -A forward -j MASQ
to
ipchains -A forward -i ppp0 -j MASQ

and add the line:

echo 1 > /proc/sys/net/ipv4/ip_dynaddr

On the gateway you should see:

ifconfig should show both cards, but eth1 with no IP addr.

route should show two ppp0 entries; one is the default or 0.0.0.0.

On the Windows machine you should program the gw as 192.168.10.10, and in my case I used static DNS and gave Win its address. It was very easy, stay calm, you are only misconfiguring.

Commented:
Captain,

Regarding the naming you may have a point. Furthermore: of course it doesn't matter whether you use a class A, B or C network from a masquerading point of view; however, I think it's just clearer to have 10.x.y.z and 192.168.y.z on a dual-homed router than 192.168.10.x and 192.168.20.x.

Apart from this: following the suggested solution should work in general.

btw, I've set up several Linux-based DSL routers in Belgium and The Netherlands (PPTP as well as PPPoE) and they seem to do their job well.

I just hope visualminder gets things to work, right!?

Commented:
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:
Split between ahoffman & jscart.
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

troopern
EE Cleanup Volunteer
