dinambi
asked on
REDHAT 7.3 NAT
Short description of my network:
REDHAT 7.3 LINUX SERVER ---- eth0 ----IP: 192.168.1.1
NETMASK: 255.255.255.0
GATEWAY: 192.168.15.1
eth1-----CABLE MODEM CONNECTION
IP: DHCP
workstation1
IP: 192.168.1.3
NETMASK: 255.255.255.0
GATEWAY: 192.168.1.1
workstation2
IP: 192.168.1.4
NETMASK: 255.255.255.0
GATEWAY: 192.168.1.1
I have configured squid in this network and I am able to connect to the internet, but I want to configure the mail given by the internet provider on the workstations. I can view mail on the server machine. Please help me by providing a solution for configuring mail on the workstations.
ASKER
[root@hksrv root]# cat /proc/sys/net/ipv4/ip_forward
1
[root@hksrv root]# iptables -L -n -v
Chain INPUT (policy ACCEPT 236K packets, 508M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 66 packets, 5496 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 236K packets, 619M bytes)
pkts bytes target prot opt in out source destination
[root@hksrv root]# nslookup www.google.com
Note: nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead. Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
Server: 202.88.231.2
Address: 202.88.231.2#53
Non-authoritative answer:
www.google.com canonical name = www.google.akadns.net.
Name: www.google.akadns.net
Address: 66.102.7.99
Name: www.google.akadns.net
Address: 66.102.7.104
The nslookup should have been done on the workstations. But it would not have worked :-)
You'd need to do a real firewall config, thus reading a lot :-), or installing fwbuilder (www.fwbuilder.org), which will allow you to build clean rules.
I suggest you try the following :
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
But, be careful. Even if it might work, it's no protection at all.
ASKER
I tried the procedures you said. That doesn't work.
I am able to ping the DNS server configured by the internet service provider (202.88.231.2) from the server machine, but I can't ping it from the workstations. If NAT is configured, can I ping the DNS server from the workstations? I am not an experienced guy, so please help me to configure this. I don't know how this problem can be solved, and, if NAT is configured, whether I can access the mail provided by the internet provider on the workstations. Please help me.
ASKER
These are my configurations in the server machine
[root@hksrv root]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:07:E9:93:3F:58
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1466399 errors:0 dropped:0 overruns:0 frame:0
TX packets:1493175 errors:0 dropped:0 overruns:4 carrier:6
collisions:605630 txqueuelen:100
RX bytes:1451569443 (1384.3 Mb) TX bytes:1577988855 (1504.8 Mb)
Interrupt:11 Base address:0x6000
[root@hksrv root]# ifconfig eth1
eth1 Link encap:Ethernet HWaddr 00:07:E9:93:3F:59
inet addr:202.88.242.155 Bcast:255.255.255.255 Mask:255.255.254.0
UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
RX packets:219925 errors:0 dropped:0 overruns:0 frame:0
TX packets:98275 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:90394025 (86.2 Mb) TX bytes:13256910 (12.6 Mb)
Interrupt:11 Base address:0xb000
[root@hksrv root]# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME='hksrv.hkekm.com'
#GATEWAY=192.168.1.1
GATEWAYDEV=eth1
NISDOMAIN=hkekm.com
[root@hksrv root]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE='eth0'
ONBOOT='yes'
BOOTPROTO='none'
TYPE='Ethernet'
USERCTL='no'
IPADDR='192.168.1.1'
NETMASK='255.255.255.0'
NETWORK='192.168.1.0'
BROADCAST='192.168.1.255'
#GATEWAY='192.168.1.1'
GATEWAYDEV='eth1'
[root@hksrv root]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE='eth1'
BOOTPROTO='dhcp'
ONBOOT='yes'
TYPE='Ethernet'
USERCTL='no'
[root@hksrv root]# cat /etc/resolv.conf
nameserver 202.88.231.2
nameserver 202.88.231.10
[root@hksrv root]# netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.1.0 hksrv.hkekm.com 255.255.255.0 UG 40 0 0 eth0
192.168.1.0 * 255.255.255.0 U 40 0 0 eth0
202.88.242.0 * 255.255.254.0 U 40 0 0 eth1
127.0.0.0 * 255.0.0.0 U 40 0 0 lo
default 202.88.242.1 0.0.0.0 UG 40 0 0 eth1
[root@hksrv root]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
192.168.1.1 hksrv.hkekm.com hksrv localhost
192.168.1.3 hk3.hkekm.com hk3
192.168.1.4 hk4.hkekm.com hk4
192.168.1.5 hk5.hkekm.com hk5
192.168.1.6 hk6.hkekm.com hk6
192.168.1.7 hk7.hkekm.com hk7
192.168.1.8 hk8.hkekm.com hk8
192.168.1.9 hk9.hkekm.com hk9
192.168.1.10 hk10.hkekm.com hk10
192.168.1.11 hk11.hkekm.com hk11
192.168.1.12 hk12.hkekm.com hk12
Please help me; these are the main configuration files on my server machine.
ASKER
IPTABLES FILE
[root@hksrv root]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.2.5 on Fri Apr 2 13:09:32 2004
*filter
:INPUT ACCEPT [21248:9165310]
:FORWARD ACCEPT [64:5376]
:OUTPUT ACCEPT [21236:8429535]
COMMIT
# Completed on Fri Apr 2 13:09:32 2004
# Generated by iptables-save v1.2.5 on Fri Apr 2 13:09:32 2004
*nat
:PREROUTING ACCEPT [1811:102733]
:POSTROUTING ACCEPT [243:15255]
:OUTPUT ACCEPT [240:15003]
[0:0] -A POSTROUTING -p tcp -m tcp --dport 25 -j MASQUERADE
[0:0] -A POSTROUTING -p tcp -m tcp --dport 110 -j MASQUERADE
COMMIT
# Completed on Fri Apr 2 13:09:32 2004
I am using iptables for the first time. Please specify how to delete the old rules and insert new ones to configure iptables.
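An added example, not part of the thread: the file posted above masquerades only TCP port 25 and 110, so an ICMP echo or a UDP port 53 query from a workstation leaves eth1 with its private 192.168.1.x source address and never gets an answer, which is exactly the "can ping the DNS server from the server but not from the workstations" symptom. The shell script below reads an iptables-save style file (the sample inside it is re-typed from the posted file and labelled as constructed) and reports whether the nat POSTROUTING chain NATs every protocol, only some ports, or nothing at all. It runs offline and never touches the live firewall.

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables-save dump and
# report whether LAN traffic will really be source-NATed on the way out.
# SAMPLE_RULES is constructed to mirror the posted /etc/sysconfig/iptables.

SAMPLE_RULES='*filter
:INPUT ACCEPT [21248:9165310]
:FORWARD ACCEPT [64:5376]
:OUTPUT ACCEPT [21236:8429535]
COMMIT
*nat
:PREROUTING ACCEPT [1811:102733]
:POSTROUTING ACCEPT [243:15255]
:OUTPUT ACCEPT [240:15003]
[0:0] -A POSTROUTING -p tcp -m tcp --dport 25 -j MASQUERADE
[0:0] -A POSTROUTING -p tcp -m tcp --dport 110 -j MASQUERADE
COMMIT'

# nat_postrouting_rules FILE: print the POSTROUTING rules of the *nat table,
# stripping the optional "[pkts:bytes]" counter prefix that the Red Hat
# file (iptables-save -c) carries in front of each rule.
nat_postrouting_rules() {
    awk '/^\*/ { table = substr($0, 2); next }
         table == "nat" {
             sub(/^\[[0-9]+:[0-9]+\] /, "")
             if ($0 ~ /^-A POSTROUTING /) print
         }' "$1"
}

# general_snat_rules FILE: print the POSTROUTING rules that NAT every
# protocol, i.e. a MASQUERADE/SNAT target with no -p, --dport or --sport
# restriction. Only such a rule also covers ICMP echo and UDP port 53,
# which the workstations need before a ping or a DNS lookup can succeed.
general_snat_rules() {
    nat_postrouting_rules "$1" \
        | grep -E -- '-j (MASQUERADE|SNAT)' \
        | grep -Ev -- '(^| )(-p|--dport|--sport) ' || true
}

# classify_nat FILE: prints "no-nat", "port-limited" or "ok"
classify_nat() {
    snat=$(nat_postrouting_rules "$1" | grep -E -- '-j (MASQUERADE|SNAT)' || true)
    if [ -z "$snat" ]; then
        echo no-nat
    elif [ -n "$(general_snat_rules "$1")" ]; then
        echo ok
    else
        echo port-limited
    fi
}

# Stand-alone run against the constructed sample.
tmpfile=$(mktemp)
printf '%s\n' "$SAMPLE_RULES" > "$tmpfile"
echo "nat POSTROUTING verdict for the posted file: $(classify_nat "$tmpfile")"  # -> port-limited
rm -f "$tmpfile"
```

On the gateway itself the same check is `iptables-save -c > /tmp/rules && sh audit.sh` with `classify_nat /tmp/rules`; a verdict of "port-limited" means pings and DNS from the LAN are leaving un-NATed even though mail might work.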
Sorry. I had a typo in my commands.
Please, try the following :
iptables -F OUTPUT
iptables -F INPUT
iptables -F FORWARD
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
This should work.
If it does, then, you should change your /etc/sysconfig/iptables accordingly.
ASKER
I had done all the settings as you said, but this too didn't work.
One stupid question :
What's in /proc/sys/net/ipv4/ip_forward ?
cat /proc/sys/net/ipv4/ip_forward
If there's a "0" there, it can not work. Do :
echo 1 > /proc/sys/net/ipv4/ip_forward
ASKER
At last I got it correct. I got the answer from linuxforum.com.
This is how I had done it.
This is a how-to about sharing the internet via a linux box to the rest of your internal network.
In Windows this is known as ICS (Internet Connection Sharing).
In linux it is called NAT (Network Address Translation).
1. On the linux box (that is directly connected to the internet, and is supposed to do the internet sharing), start a terminal. Run the command su and then type the root password to become root.
2. Open the file /etc/rc.d/rc.local in your favorite text editor and add this on a new line at the bottom
/etc/rc.d/rc.ipmasq and save the file.
3. Then, create a new file called rc.ipmasq in the /etc/rc.d/ directory and open this file in a text editor and add these lines
#!/bin/sh
IPTABLES=/sbin/iptables
#All The lines below are NAT routing
# flush any old rules
$IPTABLES -F -t nat
# turn on NAT (IP masquerading for outgoing packets)
$IPTABLES -A POSTROUTING -t nat -o eth0 -j MASQUERADE
# enable IP forwarding (of incoming packets)
echo 1 > /proc/sys/net/ipv4/ip_forward
Save this file.
This script assumes that eth0 is the ethernet adaptor connected to the internet (say, through a DSL/cable modem). Change it depending on your configuration (eth1, eth2 and so on). If the connection to the internet is not through an ethernet device (as in the case of an ordinary dialup or USB modem), you have to use ppp0 (or ppp1, ppp2 and so on).
The network connections to the internet and intranet should already be up (how to do that is outside the scope of this document).
4. Make this script file executable by running chmod 755 /etc/rc.d/rc.ipmasq
5. Then run the command /etc/rc.d/rc.ipmasq to enable the internet sharing.
6. Now you can stop being root by running exit
The above script will work after the following have been already done:
Set up the network on all the computers in the LAN. Make sure every computer can be reached from another computer by "ping".
On each client computer, set the gateway to the internal IP address of the linux computer that is connected directly to the internet. Under DNS put in the primary and/or secondary DNS IP addresses of your ISP (Internet Service Provider).
Now you should be able to browse the internet from the other computers on your internal network.
It is strongly recommended that you also use a firewall on the linux gateway. The above script will work with the firewall script without any changes being required.
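As an added example that is not the linuxforum.com how-to, the expert's rules earlier in the thread, or anything the asker ran: an rc.ipmasq for this thread's topology that does the masquerading of the how-to and also supplies the filtering the expert warned was missing ("it's no protection at all"). The interface roles (eth0 = LAN 192.168.1.0/24, eth1 = DHCP cable modem), the choice of MASQUERADE rather than SNAT because eth1's address comes from DHCP, and the use of `sysctl -w` instead of an echo into /proc are assumptions taken from the posted configs, and all three interface settings are overridable through the environment. With DRY_RUN=1, the default, the script prints the commands instead of running them so the ruleset can be reviewed on any machine.

```shell
#!/bin/sh
# Added example (not the how-to above): NAT gateway with a real ruleset for
# LAN eth0 (192.168.1.0/24) behind a DHCP cable modem on eth1. Assumptions
# from the thread's configs; override LAN_IF/WAN_IF/LAN_NET as needed.
# DRY_RUN=1 prints every command; DRY_RUN=0 (as root) applies them.

LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
DRY_RUN=${DRY_RUN:-1}

# run CMD...: echo in dry-run mode, execute otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

ipt() { run /sbin/iptables "$@"; }

# apply_ruleset: emit (or apply) the complete filter + nat configuration.
apply_ruleset() {
    # Clean slate in both tables; the earlier "iptables -F" only touched filter.
    ipt -F
    ipt -X
    ipt -t nat -F
    ipt -t nat -X

    # Default deny for traffic to the gateway and through it.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # The gateway itself: loopback, replies to its own connections, the LAN
    # (squid, ssh, NIS), and DHCP lease traffic from the ISP on eth1.
    # Nothing else unsolicited from the cable-modem side.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A INPUT -i "$WAN_IF" -p udp --sport 67 --dport 68 -j ACCEPT

    # Through the gateway: LAN -> WAN in full, WAN -> LAN only for the return
    # half of those flows. A packet arriving on eth1 that claims a
    # 192.168.1.x source matches neither rule and falls to the DROP policy.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Source NAT for everything the LAN sends out eth1: ICMP, UDP 53, TCP 25
    # and 110 alike, not just the two mail ports. MASQUERADE rather than
    # SNAT because eth1's address is DHCP-assigned and may change.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Nothing is routed between the two interfaces until this is 1.
    run /sbin/sysctl -w net.ipv4.ip_forward=1
}

apply_ruleset
```

Review with `sh rc.ipmasq`, apply with `DRY_RUN=0 sh rc.ipmasq` as root, then `/sbin/service iptables save` writes the running rules into /etc/sysconfig/iptables in the same format shown earlier in the thread, and `net.ipv4.ip_forward = 1` in /etc/sysctl.conf keeps forwarding enabled across reboots without relying on rc.local.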
ASKER CERTIFIED SOLUTION
If not, then, your gateway is not routing or is not NAT-ing.
From one of the workstations, try :
1) ping 216.239.59.104
If it does not work, then your NAT is not working.
Please, send the output of the following commands :
cat /proc/sys/net/ipv4/ip_forward
iptables -L -n -v
2) If it works, then, try :
nslookup www.google.com
If it does not work, then your workstations' DNS is not correctly set.
Check your network config
Please, check all this already, and we can take it from here.