Router Setup

p400
I'm trying to set up a router using Red Hat 8.0 in graphics mode (KDE). There are 2 NICs in it: eth0 is going to the cable modem and is set to automatically obtain an IP address;
eth1 would go to the hub, which will then go to my desktop and my laptop. This is my first time using Linux, so I need a lot of help with good explanations.

under the network configuration panel for eth1 I've got it on static ip
Address = 192.168.1.1
Subnet Mask = 255.255.255.0
Gateway = 192.168.1.1

I'm running XP on the other computers; they're set to static IP:
Address = for laptop: 192.168.1.100; for desktop: 192.168.1.101
Subnet Mask = 255.255.255.0
Gateway = 192.168.1.1

I am able to ping 192.168.1.1 from the XP computers, but I can't do anything online with them. The Linux computer can go online, so I need some help to get the XP computers to access the Internet.
Top Expert 2005
Commented:
Personally I've not been all that impressed with GUI IPtables firewall management tools. It's easy enough to create a very good firewall without a GUI tool, and once set up it isn't something that you fiddle with all the time.

Below you'll find a set of firewall rules that should do a good job for you. I've pre-configured the rule set for your configuration, so all you need to do to set it up is:

1) Save what's below to a file named iptables-init in root's home dir.

2) Edit /etc/sysctl.conf to define:
     net.ipv4.ip_forward = 1

3) Reboot, or execute the command:
     echo 1 > /proc/sys/net/ipv4/ip_forward

4) Make the iptables-init file executable with:
     chmod +x iptables-init

5) Set up the firewall with:
     ./iptables-init
     service iptables save

On subsequent boots the firewall will be automatically started. There are lots of comments in the file illustrating some of the other things that are commonly done.

#!/bin/sh
#
# For a system to function as a firewall the kernel has to be told to forward
# packets between interfaces, i.e., it needs to be a router. Since you'll save the
# running config with 'iptables-save' for RedHat to reinstate at the next boot,
# IP forwarding must be enabled by something other than this script for production use.
# That's best done by editing /etc/sysctl.conf and setting:
#
# net.ipv4.ip_forward = 1
#
# Since that file will only be read at boot, you can uncomment the following
# line to enable forwarding on the fly for initial testing. Just remember that
# the saved iptables data won't include the command.
#
#echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Once the rule sets are to your liking you can easily arrange to have them
# installed at boot on a Redhat box (7.1 or later). Save the rules with:
#
# service iptables save
#
# which saves the running ruleset to /etc/sysconfig/iptables. When /etc/init.d/iptables
# executes it will see the file and restore the rules. I find it easier to modify this file
# and run it (make sure it is executable with 'chmod +x iptables-init') to change the
# rulesets, rather than modifying the running rules. That way I have a readable record
# of the firewall configuration.
#
# Set an absolute path to IPTABLES and define the interfaces.
# OUTSIDE is the outside or untrusted interface that connects to the Internet
# and INSIDE is, well that ought to be obvious.
#
IPTABLES="/sbin/iptables"
OUTSIDE=eth0
INSIDE=eth1
#
# Clear out any existing firewall rules, and any chains that might have
# been created. Then set the default policies.
#
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
#
# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as to not to swamp the
# firewall in a DOS scenario.
#
# silent       - Just drop the packet
# tcpflags     - Log packets with bad flags, most likely an attack
# firewalled   - Log packets that we refuse, possibly from an attack
#
$IPTABLES -N silent
$IPTABLES -A silent -j DROP

$IPTABLES -N tcpflags
$IPTABLES -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
$IPTABLES -A tcpflags -j DROP

$IPTABLES -N firewalled
$IPTABLES -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$IPTABLES -A firewalled -j DROP
#
# Use NPAT (masquerading) if you have a dynamic IP. Otherwise comment out the
# following line and use the Source NAT below.
#
$IPTABLES -t nat -A POSTROUTING -o $OUTSIDE -j MASQUERADE
#
# Use Source NAT to do the NPAT if you have a static IP or netblock.
# Remember to change the IP to be that of your OUTSIDE NIC.
#
#$IPTABLES -t nat -A POSTROUTING -o $OUTSIDE -j SNAT --to 1.2.3.4
#
# Examples of Port forwarding.
#
# The first forwards HTTP traffic to 10.0.0.10
# The second forwards SSH to 10.0.0.10
# The third forwards a block of tcp and udp ports (2300-2400) to 10.0.0.10
#
# Remember that if you intend to forward something that you'll also
# have to add a rule to permit the inbound traffic.
#
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 80 -j DNAT --to 10.0.0.10
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 22 -j DNAT --to 10.0.0.10
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 2300:2400 -j DNAT --to 10.0.0.10
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p udp --dport 2300:2400 -j DNAT --to 10.0.0.10
#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
#
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# Allow selected ICMP types and drop the rest.
#
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j firewalled
#
# The loopback interface is inherently trustworthy. Don't disable it or
# a number of things on the firewall will break.
#
$IPTABLES -A INPUT -i lo -j ACCEPT
#
# Uncomment the following if the inside machines are trustworthy and
# there are services on the firewall, like DNS, web, etc., that they need to access.
# And remember to change the IP to be that of the INSIDE interface of the firewall.
#
#$IPTABLES -A INPUT -i $INSIDE -d 192.168.1.1 -j ACCEPT
#
# If you are running a DHCP server on the firewall uncomment the next line.
#
#$IPTABLES -A INPUT -i $INSIDE -d 255.255.255.255 -j ACCEPT
#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
#
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# Silently drop any SMB (NetBIOS name service) traffic. We've slipped the surly bonds of windows
# and are dancing on the silvery wings of Linux, so block that windows trash.
#
$IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j silent
#
# If you want to be able to connect via SSH from the Internet
# uncomment the next line.
#
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 22 -j ACCEPT
#
# Examples of allowing inbound for the port forwarding examples above.
#
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 2300:2400 -j ACCEPT
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 2300:2400 -j ACCEPT
#
# Anything that hasn't already matched gets logged and then dropped.
#
$IPTABLES -A INPUT -j firewalled
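jlevie's script leaves the FORWARD policy at ACCEPT, so the rules above only protect the firewall box itself; anything the kernel routes between eth0 and eth1 is passed. The following is an added example, not part of the original script, that restricts forwarding to connections the inside LAN opens outward and their tracked replies. It reuses the script's variable names and the 192.168.1.0/24 block from the question; setting IPTABLES=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not part of jlevie's iptables-init: a stateful FORWARD chain.
# Variable names match the script; the LAN block is the one from the question.
# Setting IPTABLES=echo prints the rules instead of loading them (dry run).
IPTABLES="${IPTABLES:-/sbin/iptables}"
OUTSIDE="${OUTSIDE:-eth0}"
INSIDE="${INSIDE:-eth1}"
LAN="${LAN:-192.168.1.0/24}"

forward_rules() {
    $IPTABLES -F FORWARD
    $IPTABLES -P FORWARD DROP
    # Packets belonging to connections conntrack already knows, either way.
    $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # New connections only from the LAN, entering on INSIDE and leaving on
    # OUTSIDE, which is exactly the traffic MASQUERADE then rewrites.
    $IPTABLES -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -s "$LAN" \
        -m state --state NEW -j ACCEPT
    # Everything else routed through the box (unsolicited traffic from the
    # outside bound for the LAN, or an inside host using a foreign source
    # address) is logged at a limited rate and dropped, like 'firewalled'.
    $IPTABLES -A FORWARD -m limit --limit 15/minute -j LOG --log-prefix Forwarded:
    $IPTABLES -A FORWARD -j DROP
}

# preview_forward_rules: print the iptables invocations without loading them.
preview_forward_rules() {
    ( IPTABLES=echo; forward_rules )
}

# count_forward_accepts: number of ACCEPT rules the chain will contain; a
# quick sanity check that nothing has been accidentally opened up.
count_forward_accepts() {
    preview_forward_rules | grep -c -- '-j ACCEPT'
}

case "${1:-}" in
    apply)   forward_rules ;;          # run as root after ./iptables-init
    preview) preview_forward_rules ;;
esac
```

Run it after ./iptables-init and before 'service iptables save' so the saved rule set includes it. If you also use the DNAT port-forwarding examples from the script, each forwarded port now needs its own FORWARD ACCEPT rule, since the chain no longer defaults to ACCEPT.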


Commented:
First make sure that your Windows machine has the DNS numbers. You'll need to manually add these to each of your Windows machines. You can get them from the GUI network config program.

You may want to check out GIPtables for a router. They have an "easy" to configure router script. I think it's www.giptables.com

Another cool program that may help is Ethereal.

<--zippyjr-->
jlevie, I have seen your good starter script several times now. How about posting it as a PAQ in the Security TA?
It then can simply be referenced, saving some bandwidth and typing (for you :)

p400, the NAT/masquerading in jlevie's script is what you need (and don't forget to enable the ip_forward stuff above).

Top Expert 2005

Commented:
I keep meaning to make a web page for it, but somehow I always find other things of higher priority... Maybe over Christmas break.

Author

Commented:
I've set up the firewall stuff from you, jlevie, but I still can't access the Internet from my Windows computer. I can ping the Windows computer from the Linux one and I can ping the Linux one from the Windows computer, but it won't let it go out to the net. The Linux computer still has no problem with the Internet. Are there any other checks I can do to find the problem? If you need any more info, ask and I'll answer you back the best I can.
Top Expert 2005

Commented:
Using that firewall init script I know that the Linux box will NAT your inside traffic to the Internet, providing that IPtables is running and that 'cat /proc/sys/net/ipv4/ip_forward' returns 1. So the problem is probably in the configuration of the Windows box.

Make sure that the default gateway on your Windows box points to the inside interface of your Linux system (192.168.1.1) and that you've defined the same DNS server IP(s) as found in /etc/resolv.conf on the Linux system.

Checks that you can make from the Windows boxes include a ping of the Linux system by IP and pings of things on the Internet by IP. If the pings work by IP and not by name, then you know that it is a DNS problem.
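The two Linux-side conditions named above (ip_forward set to 1 and a MASQUERADE rule in the nat table) as a small check script. This is an added example, not something posted in the thread; each check takes a file so it can run against saved command output as well as the live system, and the sample data in demo is constructed, not captured from p400's box.

```shell
#!/bin/sh
# Added example, not from the thread: jlevie's two Linux-side checks as
# shell functions, plus a diagnose wrapper and a demo on constructed input.

# forwarding_enabled FILE: true when FILE (normally
# /proc/sys/net/ipv4/ip_forward) holds exactly "1". Note it is read with
# cat; 'echo /proc/sys/net/ipv4/ip_forward' would only print the path.
forwarding_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# nat_masquerades FILE: true when FILE, the saved output of
# 'iptables -t nat -L POSTROUTING -n', has a MASQUERADE target.
nat_masquerades() {
    grep -q '^MASQUERADE' "$1" 2>/dev/null
}

# diagnose FWD_FILE NAT_FILE: print a hint for each failed check, then
# "ok" or "fail" on the last line.
diagnose() {
    status=ok
    if ! forwarding_enabled "$1"; then
        echo "ip_forward is not 1: set net.ipv4.ip_forward = 1 in /etc/sysctl.conf"
        status=fail
    fi
    if ! nat_masquerades "$2"; then
        echo "no MASQUERADE rule in nat POSTROUTING: rerun ./iptables-init"
        status=fail
    fi
    echo "$status"
}

# demo: run diagnose over constructed sample files (not output captured in
# the thread) so the checks can be tried on a machine without iptables.
demo() {
    fwd=$(mktemp) nat=$(mktemp)
    printf '1\n' > "$fwd"
    printf 'Chain POSTROUTING (policy ACCEPT)\n' > "$nat"
    printf 'target     prot opt source               destination\n' >> "$nat"
    printf 'MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0\n' >> "$nat"
    diagnose "$fwd" "$nat"
    rm -f "$fwd" "$nat"
}

# 'live' mode checks the running system (needs root for iptables).
if [ "${1:-}" = "live" ]; then
    nat=$(mktemp); /sbin/iptables -t nat -L POSTROUTING -n > "$nat"
    diagnose /proc/sys/net/ipv4/ip_forward "$nat"; rm -f "$nat"
fi
```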

Author

Commented:
I checked it out for the Windows box:
IP 192.168.1.100
Subnet mask 255.255.255.0
Default gateway is 192.168.1.1
I don't know what DNS numbers to put in for Windows.

This is the Linux box:
eth0: automatically assigned IP by DHCP

eth1:
Statically set IP address
Address 192.168.1.1
Subnet mask 255.255.255.0
Default gateway 192.168.1.1
On the DNS tab in network config it shows 3 DNS:
primary, secondary, and tertiary.
Should these be used in the Windows box?
They are also in /etc/resolv.conf. I'm guessing they are for eth0 and that it automatically gets them from the cable modem, but I'm not sure; I did not put them in.
I tried to put them in the Windows box but still nothing. I can't ping an IP or an address (www.yahoo.com); I get "request timed out" from the Windows box. Is there maybe something I need to turn on in the script that you gave, or somewhere else on the Linux box?
Sorry for all the trouble, but I've never used Linux and am trying my best.

Author

Commented:
Also, I'm not sure if it matters, but I'm running the Windows computers through a Linksys EtherFast 10/100 5-port workgroup switch.
Top Expert 2005

Commented:
Okay...

Show me what:

cat /proc/sys/net/ipv4/ip_forward

returns and what:

/usr/sbin/iptables -L
/usr/sbin/iptables -L -t nat

returns.

Commented:
This may be a problem with how you set up your firewall.

jlevie makes a good point to check that the firewall rules have started and that ip_forwarding is turned on.


You also need to take care of the DNS issues. Try this:

Look at the file /etc/resolv.conf on your Linux machine once you have it connected to your ISP. This file will have your nameservers' IP addresses:
nameserver xx.xx.xx.xxx
nameserver xx.xx.xx.xxx
nameserver xx.xx.xx.xxx

These numbers will be your ISP's name servers 1, 2 and 3.
Write them down and go to your Windows machine's TCP/IP settings. Just below your static IP address you can choose the option "Use the following DNS server addresses":
nameserver 1 is your preferred DNS server and nameserver 2 is your alternate DNS server. You can also use the Advanced button to add additional DNS numbers (nameserver 3).

<--zippyjr-->

Author

Commented:
OK, I've got it working. I started over, reinstalled, set up everything just like you said, and set up the DNS like zippyjr said, and it is now working. Thank you all for the great help.
