Solved

REDHAT 7.3 NAT

Posted on 2004-04-03
12
445 Views
Last Modified: 2010-03-17
Short descripton of my network:

REDHAT 7.3 LINUX SERVER ---- eth0 ----IP: 192.168.1.1
                                        NETMASK: 255.255.255.0
                                        GATEWAY: 192.168.15.1

                                               eth1-----CABLE MODEM CONNECTION
                                                          IP: DHCP

workstation1
IP:            192.168.1.3
NETMASK: 255.255.255.0
GATEWAY: 192.168.1.1

workstation2
IP:             192.168.1.4
NETMASK:  255.255.255.0
GATEWAY: 192.168.1.1

I had configured squid in this network and i am able to connect to internet ,but i want to configure the mail given by the internet provider in the workstations.I can view mails in the server machine .Please help me by providing a solution for configuring mails in the workstations.
0
Comment
Question by:dinambi
  • 6
  • 4
12 Comments
 
LVL 9

Expert Comment

by:Alf666
Comment Utility
Can your workstation get to the net in any other way than through squid ?

If not, then, your gateway is not routing or is not NAT-ing.

From one of the workstations, try :

1) ping 216.239.59.104

If it does not work, then your NAT is not working.

Please, send the output of the following commands :

cat /proc/sys/net/ipv4/ip_forward

iptables -L -n -v

2) If it works, then, try :

nslookup www.google.com

If it does not work, then your workstations DNS is not correctly set.
Check your network config

Please, check all this already, and we can take it from here.
0
 

Author Comment

by:dinambi
Comment Utility
[root@hksrv root]# cat /proc/sys/net/ipv4/ip_forward
1                                                                              

[root@hksrv root]# iptables -L -n -v
Chain INPUT (policy ACCEPT 236K packets, 508M bytes)
 pkts bytes target     prot opt in     out     source               destination


Chain FORWARD (policy ACCEPT 66 packets, 5496 bytes)
 pkts bytes target     prot opt in     out     source               destination


Chain OUTPUT (policy ACCEPT 236K packets, 619M bytes)
 pkts bytes target     prot opt in     out     source               destination


[root@hksrv root]# nslookup www.google.com
Note:  nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead.  Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
Server:         202.88.231.2
Address:        202.88.231.2#53

Non-authoritative answer:
www.google.com  canonical name = www.google.akadns.net.
Name:   www.google.akadns.net
Address: 66.102.7.99
Name:   www.google.akadns.net
Address: 66.102.7.104                                                          
0
 
LVL 9

Expert Comment

by:Alf666
Comment Utility
The nslookup should have been done on the workstations. But it would not have worked :-)

You'd need to do a real firewall config, thus reading a lot :-), or installing fwbuilder (www.fwbuilder.org), which will allow you to build clean rules.

I suggest you try the following :

iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT

But, be careful. Even if it might work, it's no protection at all.

0
 

Author Comment

by:dinambi
Comment Utility
I  tried the procedures u said.That doesnt work
I am able to ping the DNS server configured by the internet service provider (202.88.231.2) from the server machine.But i cant ping it from workstations.If NAT is configured whether i can ping DNS server from workstations.I am not an experienced guy so please help me to configure this condition.I dont know how this problem can be solved and if the NAT is configured whether i can access the mail provided by the internet provider in the workstations.Please help me.
0
 

Author Comment

by:dinambi
Comment Utility
These are my configurations in the server machine

[root@hksrv root]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:07:E9:93:3F:58
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1466399 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1493175 errors:0 dropped:0 overruns:4 carrier:6
          collisions:605630 txqueuelen:100
          RX bytes:1451569443 (1384.3 Mb)  TX bytes:1577988855 (1504.8 Mb)
          Interrupt:11 Base address:0x6000

[root@hksrv root]# ifconfig eth1
eth1      Link encap:Ethernet  HWaddr 00:07:E9:93:3F:59
          inet addr:202.88.242.155  Bcast:255.255.255.255  Mask:255.255.254.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:219925 errors:0 dropped:0 overruns:0 frame:0
          TX packets:98275 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:90394025 (86.2 Mb)  TX bytes:13256910 (12.6 Mb)
          Interrupt:11 Base address:0xb000


[root@hksrv root]# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME='hksrv.hkekm.com'
#GATEWAY=192.168.1.1
GATEWAYDEV=eth1
NISDOMAIN=hkekm.com

root@hksrv root]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE='eth0'
ONBOOT='yes'
BOOTPROTO='none'
TYPE='Ethernet'
USERCTL='no'
IPADDR='192.168.1.1'
NETMASK='255.255.255.0'
NETWORK='192.168.1.0'
BROADCAST='192.168.1.255'
#GATEWAY='192.168.1.1'
GATEWAYDEV='eth1'

[root@hksrv root]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE='eth1'
BOOTPROTO='dhcp'
ONBOOT='yes'
TYPE='Ethernet'
USERCTL='no'

[root@hksrv root]# cat /etc/resolv.conf
nameserver 202.88.231.2
nameserver 202.88.231.10

[root@hksrv root]# netstat -r
Kernel IP routing table
Destination     Gateway                       Genmask              Flags   MSS   Window   irtt      Iface
192.168.1.0     hksrv.hkekm.com      255.255.255.0     UG       40        0              0         eth0
192.168.1.0     *                                    255.255.255.0     U         40         0              0         eth0
202.88.242.0   *                                    255.255.254.0     U         40         0              0         eth1
127.0.0.0          *                                    255.0.0.0               U        40         0              0          lo
default               202.88.242.1              0.0.0.0                   UG      40         0             0          eth1


[root@hksrv root]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
192.168.1.1     hksrv.hkekm.com hksrv   localhost
192.168.1.3     hk3.hkekm.com   hk3
192.168.1.4     hk4.hkekm.com   hk4
192.168.1.5     hk5.hkekm.com   hk5
192.168.1.6     hk6.hkekm.com   hk6
192.168.1.7     hk7.hkekm.com   hk7
192.168.1.8     hk8.hkekm.com   hk8
192.168.1.9     hk9.hkekm.com   hk9
192.168.1.10    hk10.hkekm.com  hk10
192.168.1.11    hk11.hkekm.com  hk11
192.168.1.12    hk12.hkekm.com  hk12

Please help me these are the main configuration files in my server machine.


0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 

Author Comment

by:dinambi
Comment Utility
IPTABLES FILE

[root@hksrv root]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.2.5 on Fri Apr  2 13:09:32 2004
*filter
:INPUT ACCEPT [21248:9165310]
:FORWARD ACCEPT [64:5376]
:OUTPUT ACCEPT [21236:8429535]
COMMIT
# Completed on Fri Apr  2 13:09:32 2004
# Generated by iptables-save v1.2.5 on Fri Apr  2 13:09:32 2004
*nat
:PREROUTING ACCEPT [1811:102733]
:POSTROUTING ACCEPT [243:15255]
:OUTPUT ACCEPT [240:15003]
[0:0] -A POSTROUTING -p tcp -m tcp --dport 25 -j MASQUERADE
[0:0] -A POSTROUTING -p tcp -m tcp --dport 110 -j MASQUERADE
COMMIT
# Completed on Fri Apr  2 13:09:32 2004

I am using the iptables for the first time.Please specify how to delete the old rules and insert new one to configure iptables.
0
 
LVL 9

Expert Comment

by:Alf666
Comment Utility
Sorry. I had a typo in my commands.

Please, try the following :

iptables -F OUTPUT
iptables -F INPUT
iptables -F FORWARD
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT

This should work.

If it does, then, you should change your /etc/sysconfig/iptables accordingly.
0
 

Author Comment

by:dinambi
Comment Utility
i had done all the settings accordingly u said,but this too didnt work
0
 
LVL 9

Expert Comment

by:Alf666
Comment Utility
One stupid question :

What's in /proc/sys/net/ipv4/ip_forward ?

cat /proc/sys/net/ipv4/ip_forward

If there's a "0" there, it can not work. Do :

echo 1 > /proc/sys/net/ipv4/ip_forward
0
 

Author Comment

by:dinambi
Comment Utility
AT LAST I GOT IT CORRECT.I GOT THE ANSWER FROM linuxforum.com
This is how i had done.

This is a how-to about sharing the internet via a linux box to the rest of your internal network.

In windows this is know as ICS (Internet Connection Sharing).
In linux it is called NAT (Network Address Translation).

1. On the linux box (that is directly connected to the internet, and is supposed to do the internet sharing), start a terminal. Run the command su and then type the root password to become root.

2. Open the file /etc/rc.d/rc.local in your favorite text editor and add this on a new line at the bottom
/etc/rc.d/rc.ipmasq and save the file.

3. Then, create a new file called rc.ipmasq in the /etc/rc.d/ directory and open this file in a text editor and add these lines

#!/bin/sh

IPTABLES=/sbin/iptables

#All The lines below are NAT routing

# flush any old rules
$IPTABLES -F -t nat

# turn on NAT (IP masquerading for outgoing packets)
$IPTABLES -A POSTROUTING -t nat -o eth0 -j MASQUERADE

# enable IP forwarding (of incoming packets)
echo 1 > /proc/sys/net/ipv4/ip_forward



Save this file.

This script assumes that eth0 is the ethernet adaptor connected to the internet (say, thru a DSL/cable modem). Change it depending on your configuration (eth1, eth2 and so on). If the connection to the internet is not thru an ethernet device (as in the case of ordinary dialup or USB modem), you have to use ppp0 (or ppp1, ppp2 and so on).
The network connections to the internet and intranet should already be up (how to do that is outside the scope of this document).

4. Make this script file executable by running chmod 755 /etc/rc.d/rc.ipmasq

5. Then run the command /etc/rc.d/rc.ipmasq to enable the internet sharing.

6. Now you can stop being root by running exit

The above script will work after the following have been already done:

Set up the network on all the computers in the LAN. Make sure every computer can be reached from another computer by "ping".
On each client computer, set the gateway to the internal IP address of the linux computer that is connected directly to the internet. Under DNS put in the primary and/or secondary DNS IP addresses of your ISP (Internet Service Provider).

Now you should be able to browse the internet from the other computers on your internal network.

It is strongly recommended that you also use a firewall on the linux gateway. This above script will work with the firewall script without any changes being required.
0
 
LVL 1

Accepted Solution

by:
DarthMod earned 0 total points
Comment Utility
PAQed with points (250) refunded

DarthMod
Community Support Moderator
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now