Fedora Core 1, 2 NIC config question

I am trying to configure a network inside our current network for a new division with high security, which means that I would like to run 2 NICs, one for the client DHCP and the other for the firewall.

I have eth0 configured for DHCP to pull from my existing network, and it is pulling 192.168.0.68 with a gateway of 192.168.0.1 to the internet. eth1 is configured with an IP of 192.168.1.2. I have copied my dhcpd.conf below. I can get to my other network with no problem from the server, but from a DHCP client on eth1 I cannot browse or get to my other network. I know that I also need an iptables command to get me through the firewall of eth0 and believe that is the issue, but I have been unsuccessful in finding the solution.

I am also lacking in DNS experience and tried to research the proper config for the DNS setting for this box, but could not get that corrected. I have configured the host name for eth1 as local.home.org with a primary DNS of my internet gateway, 192.168.0.1. Any help on this issue would be great.

dhcpd.conf

ddns-update-style interim;
ignore client-updates;

subnet 192.168.1.0 netmask 255.255.255.0 {

DHCPD_INTERFACE="eth1";
# --- default gateway
        option routers                  192.168.1.2;
        option subnet-mask              255.255.255.0;

        option nis-domain               "local.home.org";
        option domain-name              "local.home.org";
        option domain-name-servers      192.168.1.1;

        option time-offset              -18000; # Eastern Standard Time
#       option ntp-servers              192.168.1.1;
#       option netbios-name-servers     192.168.1.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
#       option netbios-node-type 2;

        range dynamic-bootp 192.168.1.240 192.168.1.250;
        default-lease-time 21600;
        max-lease-time 43200;

        # we want the nameserver to appear at a fixed address
        host ns {
                next-server marvin.redhat.com;
                hardware ethernet 12:34:56:78:AB:CD;
                fixed-address 207.175.42.254;
        }

I am also getting an error when starting and stopping dhcpd, but I am able to pull IPs from clients, which is confusing in itself.

dhcpd start results

[root@local etc]# dhcpd start
Internet Software Consortium DHCP Server V3.0pl2
Copyright 1995-2003 Internet Software Consortium.
All rights reserved.
For info, please visit http://www.isc.org/products/DHCP
Wrote 0 deleted host decls to leases file.
Wrote 0 new dynamic host decls to leases file.
Wrote 9 leases to leases file.

No subnet declaration for start (0.0.0.0).
** Ignoring requests on start.  If this is not what
   you want, please write a subnet declaration
   in your dhcpd.conf file for the network segment
   to which interface start is attached. **


Not configured to listen on any interfaces!

If you did not get this software from ftp.isc.org, please
get the latest from ftp.isc.org and install that before
requesting help.

If you did get this software from ftp.isc.org and have not
yet read the README, please read it before requesting help.
If you intend to request help from the dhcp-server@isc.org
mailing list, please read the section on the README about
submitting bug reports and requests for help.

Please do not under any circumstances send requests for
help directly to the authors of this software - please
send them to the appropriate mailing list as described in
the README file.

exiting.

thanks for any and all help in advance


               
nashsupport Asked:
jlevie Commented:
Your problem now is that you are executing 'dhcpd start' and you should be executing '/sbin/service dhcpd start'
 
pablouruguay Commented:
 
nashsupport (Author) Commented:
Thanks for the response. I tried "You can do this by setting net.ipv4.ip_forward = 1 (instead of = 0) in your /etc/sysctl.conf file and reboot." and that really did not do anything at all, so I changed my dhcpd.conf to the following, but I still get the above error message when starting dhcpd:

ddns-update-style interim;
ignore client-updates;

subnet 192.168.1.0 netmask 255.255.255.0 {

DHCPD_INTERFACE="eth1";
# --- default gateway
        option routers                  192.168.1.2;
        option subnet-mask              255.255.255.0;

        option nis-domain               "local.home.org";
        option domain-name              "local.home.org";
        option domain-name-servers      192.168.0.1;

        option time-offset              -18000; # Eastern Standard Time
#       option ntp-servers              192.168.0.1;
#       option netbios-name-servers     192.168.0.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
#       option netbios-node-type 2;

        range dynamic-bootp 192.168.1.240 192.168.1.250;
        default-lease-time 21600;

I just do not see the correct resolution to my dhcpd.conf regarding correct ip configuration to resolve the start error and access to my gateway. Any and all help would be appreciated.

 
nashsupport (Author) Commented:
I am also wondering where I need to assign eth1 to dhcpd. I found a line "DHCPD_INTERFACE="eth1";" that I tried in my dhcpd.conf, but it did not seem to help.

I have not found a definitive solution in any help docs that explains top to bottom how to configure 2 NICs with one running dhcpd.

thanks
 
pablouruguay Commented:
In your last post you lost the final }. You have it in the file, no? I have this config and it works fine:

subnet 192.168.1.0 netmask 255.255.255.0 {
        option routers 192.168.1.2;
        option subnet-mask 255.255.255.0;
        option domain-name "lacnic.net.uy";
        option domain-name-servers 192.168.1.1;
        option time-offset -03000;
        default-lease-time 600;
        max-lease-time 7200;
        range 192.168.1.3 192.168.1.195;
        allow unknown-clients;
        authoritative;
        }


 
pablouruguay Commented:
Hey, one question: does your eth1 have a static IP, no? If not, this is the problem, and you need to add one:

ifconfig eth1 192.168.1.1 netmask 255.255.255.0

and restart DHCP
 
nashsupport (Author) Commented:
Here is my ifconfig; I have IPs for both adapters. I actually tried the } in my dhcpd.conf and still get the error, so I have pasted all the info here. Thanks.

[root@local etc]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:01:02:84:8D:8B
          inet addr:192.168.0.68  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6506 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5030 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:712551 (695.8 Kb)  TX bytes:480681 (469.4 Kb)
          Interrupt:10 Base address:0xec00

eth1      Link encap:Ethernet  HWaddr 00:00:21:01:8E:2A
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:101 errors:0 dropped:0 overruns:0 frame:0
          TX packets:67 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:23582 (23.0 Kb)  TX bytes:10132 (9.8 Kb)
          Interrupt:11 Base address:0xae00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2240 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2240 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1772704 (1.6 Mb)  TX bytes:1772704 (1.6 Mb)

ddns-update-style interim;
ignore client-updates;

subnet 192.168.1.0 netmask 255.255.255.0 {

# --- default gateway
        option routers                  192.168.1.2;
        option subnet-mask              255.255.255.0;

        option nis-domain               "local.home.org";
        option domain-name              "local.home.org";
        option domain-name-servers      192.168.0.1;

        option time-offset              -18000; # Eastern Standard Time
#       option ntp-servers              192.168.0.1;
#       option netbios-name-servers     192.168.0.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
#       option netbios-node-type 2;

        range dynamic-bootp 192.168.1.240 192.168.1.250;
        default-lease-time 21600;
        max-lease-time 43200;
}
        # we want the nameserver to appear at a fixed address
        host ns {
                next-server marvin.redhat.com;
                hardware ethernet 12:34:56:78:AB:CD;
                fixed-address 207.175.42.254;
        }

thanks for your help
 
pablouruguay Commented:
Ahhhhhh .... configure the DHCP mask to 255.255.0.0.

You have the router in 192.168.1

and the entire net in 192.168.0.

With the mask 255.255.255.0 it is not possible to communicate between them. You need a mask of 255.255.0.0, or revise the router address.
 
pablouruguay Commented:
... the best solution is to change the network card IP.

You have 192.168.0.68 and need 192.168.1.68.
 
nashsupport (Author) Commented:
Progress: when I run "dhcpd eth1" I can pull an IP from the specified range from my server, but when I try the "dhcpd start" command it errors out, so the issue is my eth1 designation in my dhcpd.conf. I still cannot ping my original box at 192.168.0.1 and will try an ipchains command.

 
pablouruguay Commented:
Nooo, forget the last comment.... only expand your mask.
 
pablouruguay Commented:
You have 2 nets here. If you expand your mask in the DHCP config and on the interfaces to 255.255.0.0 they can communicate with each other, but if you keep this with 255.255.255.0 you need iptables and router commands to do that.
 
nashsupport (Author) Commented:
Still getting errors. I have tried numerous things, so here is some info.

[root@local etc]# dhcpd start
Internet Software Consortium DHCP Server V3.0pl2
Copyright 1995-2003 Internet Software Consortium.
All rights reserved.
For info, please visit http://www.isc.org/products/DHCP
/etc/dhcpd.conf line 4: subnet 192.168.1.0: bad subnet number/mask combination.
subnet 192.168.1.0 netmask 255.255.0.0
                                     ^
dhcpd.conf

ddns-update-style interim;
ignore client-updates;

subnet 192.168.1.0 netmask 255.255.0.0 {

# --- default gateway
        option routers                  192.168.1.2;
        option subnet-mask              255.255.0.0;

        option nis-domain               "local.home.org";
        option domain-name              "local.home.org";
        option domain-name-servers      192.168.1.1;

        option time-offset              -18000; # Eastern Standard Time
#       option ntp-servers              192.168.0.1;
#       option netbios-name-servers     192.168.0.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
#       option netbios-node-type 2;

        range dynamic-bootp 192.168.1.240 192.168.1.250;
        default-lease-time 21600;
        max-lease-time 43200;
}
        # we want the nameserver to appear at a fixed address
        host ns {
                next-server marvin.redhat.com;
                hardware ethernet 12:34:56:78:AB:CD;
                fixed-address 207.175.42.254;
        }
 
pablouruguay Commented:
And did you change the 192.168.1.x on your network card to mask 255.255.0.0 ???
 
jlevie Commented:
The dhcp problem is that there are two interfaces in the machine and you are only specifying a subnet range for one.  Edit /etc/sysconfig/dhcpd and set "DHCPDARGS=eth1". That will start the daemon as if you'd executed 'dhcpd eth1' and restrict it to the interface that you have defined a subnet for.

Oh yeah, change "subnet 192.168.1.0 netmask 255.255.0.0" back to "subnet 192.168.1.0 netmask 255.255.255.0". The daemon is smart enough to realize that, since eth0 is in the 192.168.0.0/24 network, it is a logical impossibility to have eth1 supplying addresses that would overlap.

And finally, the "host ns" declaration is specifying an address that doesn't lie within the subnet that you are telling dhcpd to use, so you can't do that.
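The two dhcpd checks jlevie points at (whether the subnet number matches its mask, and whether the "host ns" address lies inside the served subnet), reimplemented in POSIX sh as an added example that is not from the thread; the function names are my own, and the values fed to them come from the dhcpd.conf pasted above.

```shell
#!/bin/sh
# Added example: the sanity checks behind "bad subnet number/mask combination"
# and the out-of-subnet "host ns" fixed-address, applied to this thread's values.

# Convert a dotted-quad address to a 32-bit integer.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# subnet_ok NET MASK: succeeds when NET is the network address under MASK.
# 192.168.1.0 under 255.255.0.0 is not (that network is 192.168.0.0), which is
# exactly what dhcpd rejected.
subnet_ok() {
    net=$(ip_to_int "$1"); mask=$(ip_to_int "$2")
    [ $(( net & mask )) -eq "$net" ]
}

# in_subnet ADDR NET MASK: succeeds when ADDR lies inside NET/MASK.
in_subnet() {
    addr=$(ip_to_int "$1"); net=$(ip_to_int "$2"); mask=$(ip_to_int "$3")
    [ $(( addr & mask )) -eq "$net" ]
}

# range_ok FIRST LAST NET MASK: succeeds when "range FIRST LAST" fits in NET/MASK
# and is not reversed.
range_ok() {
    in_subnet "$1" "$3" "$4" && in_subnet "$2" "$3" "$4" &&
        [ "$(ip_to_int "$1")" -le "$(ip_to_int "$2")" ]
}

# Print PASS/FAIL for a check; always succeeds, so it is safe under set -e.
report() {
    label=$1; shift
    if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; fi
}

# Values taken from the dhcpd.conf versions pasted in this thread.
report "subnet 192.168.1.0 netmask 255.255.255.0" subnet_ok 192.168.1.0 255.255.255.0
report "subnet 192.168.1.0 netmask 255.255.0.0"   subnet_ok 192.168.1.0 255.255.0.0
report "range 192.168.1.240 192.168.1.250"        range_ok 192.168.1.240 192.168.1.250 192.168.1.0 255.255.255.0
report "host ns fixed-address 207.175.42.254"      in_subnet 207.175.42.254 192.168.1.0 255.255.255.0
report "host ns fixed-address 192.168.0.1"         in_subnet 192.168.0.1 192.168.1.0 255.255.255.0
```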
 
pablouruguay Commented:
jlevie you always  surprise me!!!!
 
jlevie Commented:
In a good way I hope?
 
nashsupport (Author) Commented:
The "host ns": are you referring to a name server IP or a name??
 
nashsupport (Author) Commented:
I found it, sorry. I will try all this and let you know.

thanks so much
 
nashsupport (Author) Commented:
Update: I changed the subnets back to 255.255.255.0 and added the DHCPDARGS=eth1 line to /etc/sysconfig/dhcpd. I am still getting the original error. I have tried numerous things and have had no luck. I have included my NIC configs and dhcpd.conf. Thanks for all the help.
___________________________________________________
[root@local etc]# dhcpd start
Internet Software Consortium DHCP Server V3.0pl2
Copyright 1995-2003 Internet Software Consortium.
All rights reserved.
For info, please visit http://www.isc.org/products/DHCP
Wrote 0 deleted host decls to leases file.
Wrote 0 new dynamic host decls to leases file.
Wrote 1 leases to leases file.

No subnet declaration for start (0.0.0.0).
** Ignoring requests on start.  If this is not what
   you want, please write a subnet declaration
   in your dhcpd.conf file for the network segment
   to which interface start is attached. **


Not configured to listen on any interfaces!

If you did not get this software from ftp.isc.org, please
get the latest from ftp.isc.org and install that before
requesting help.

If you did get this software from ftp.isc.org and have not
yet read the README, please read it before requesting help.
If you intend to request help from the dhcp-server@isc.org
mailing list, please read the section on the README about
submitting bug reports and requests for help.

Please do not under any circumstances send requests for
help directly to the authors of this software - please
send them to the appropriate mailing list as described in
the README file.

exiting.
_______________________________________________________
[root@local etc]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:01:02:84:8D:8B
          inet addr:192.168.0.68  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:38548 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22267 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4240826 (4.0 Mb)  TX bytes:2107055 (2.0 Mb)
          Interrupt:10 Base address:0xec00

eth1      Link encap:Ethernet  HWaddr 00:00:21:01:8E:2A
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:440 errors:0 dropped:0 overruns:0 frame:0
          TX packets:446 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:63180 (61.6 Kb)  TX bytes:63591 (62.1 Kb)
          Interrupt:11 Base address:0xae00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2377 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2377 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1784186 (1.7 Mb)  TX bytes:1784186 (1.7 Mb)
______________________________________________________
ddns-update-style interim;
ignore client-updates;

subnet 192.168.1.0 netmask 255.255.255.0 {

# --- default gateway
        option routers                  192.168.1.2;
        option subnet-mask              255.255.255.0;

        option nis-domain               "local.home.org";
        option domain-name              "local.home.org";
        option domain-name-servers      192.168.1.2;

        option time-offset              -18000; # Eastern Standard Time
#       option ntp-servers              192.168.0.1;
#       option netbios-name-servers     192.168.0.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
#       option netbios-node-type 2;

        range dynamic-bootp 192.168.1.240 192.168.1.250;
        default-lease-time 21600;
        max-lease-time 43200;
}
        # we want the nameserver to appear at a fixed address
        host ns {
                next-server mail.wirtgenamerica.com;
                hardware ethernet 00:50:8B:9A:EF:63;
                fixed-address 192.168.0.1;


 
nashsupport (Author) Commented:
That worked, it started perfectly. I have looked at numerous articles today and never once saw that command, /sbin/service dhcpd start; what is the reason for that, if you have a second? Also, now when I run pgrep dhcp I get a response of 3592, which I believe is the correct response.

Also, my last question, I promise: I can reach the outside, so my eth0 is working fine, and my eth1 is giving out IPs now. Why can't I ping my original server at 192.168.0.1 or browse from a workstation?

thanks for all your help
 
jlevie Commented:
Any Linux or Unix system has to have a method of starting services at boot time. In the case of Fedora, RedHat, and others this is done with a SysV style init system. For each service not managed by inet/xinetd there's a control script in /etc/rc.d/init.d (/etc/init.d is a symlink to there). Services can be enabled/disabled for boot time start up (and at what run level(s)) with 'chkconfig service-name on|off'. And, you can manipulate a service directly with '/etc/init.d/service-name start|stop|restart|status' or using a shortcut, '/sbin/service service-name start|stop|restart|status'. This is one reason why you hear about folks having Unix/Linux servers running for a year or more. In most cases you can start/stop/restart services at any time rather than just at boot time like most Windows services.

One can directly manipulate the service by directly executing the daemon. An example of that would be to execute '/usr/sbin/dhcpd eth1', which is what the init script will wind up doing in this case. The advantage of using the init script over direct execution is that the init script will take care not to try to run more than one copy, will allow for checking status, and has provisions for shutdown of the service. Some init scripts do a lot more, e.g. look at /etc/init.d/network.

Now that you have dhcpd running okay you'll want to execute 'chkconfig dhcpd on' so that the service will auto start at boot.

Now on to the next part of the problem.

You state in the question that you want "to configure a network inside our current network for a new division with high security". To me that means that you are going to use the Linux box to firewall the 192.168.1.0/24 from the rest of your network. And that implies that you'll need an iptables rule set to protect the inner network. If I assume that you want full protection and the "high security" network will be purely consumers of simple services (e.g., web, mail, etc.) outside of the firewall (no file sharing), you'd want a firewall rule set very similar to what one would use for Internet access. There's an example of my usual firewall at http://www.entrophy-free.net/tools/iptables-gw which should be usable with a few edits.

When isolating a network like this you have to consider whether you will NAT the private (192.168.1.0/24) addresses or route them. Routing connections from the private network means that systems on the outside network have to know how to route data back. This might mean configuring a static route on a gateway router on the outer network, which will issue redirects to the outside IP of your Linux box, or configuring a static route on each machine in the outer network. NAT'ing the private IPs onto the outside IP of the Linux box has the advantage of not needing that route. All traffic from a machine on the private network then looks like it comes from 192.168.0.68, and nodes on the outer network already know how to reach that IP.

In addition to NAT'ing all of the private IPs onto 192.168.0.68 one can set up static NAT translations. As in the first case, connections from IPs on the private network will appear to come from an IP in 192.168.0.0/24, so no additional routing info is needed to get data back to the machine on the private network.

At this point your failure to be able to ping 192.168.0.1 could be due to your not having enabled IP forwarding in the kernel (it defaults to off) and to the server at 192.168.0.1 not knowing how to route data back to the hidden IP.

Does that help?
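The NAT choice jlevie describes, carried into a concrete rule set as an added example (this is neither jlevie's iptables-gw script nor code from the thread). It assumes the interface names and addresses from the ifconfig output above, uses the 2.4-era "-m state" match, and covers only forwarding and NAT; the box's own INPUT chain is not handled here.

```shell
#!/bin/sh
# Added example: NAT and forwarding rules for the two-NIC gateway in this thread.
# eth0 faces the outer network (192.168.0.68/24), eth1 the "high security"
# network 192.168.1.0/24 that dhcpd serves. Assumed layout, not from the thread.
OUT_IF=eth0                 # outer network, this box is 192.168.0.68
IN_IF=eth1                  # inner network, this box is 192.168.1.2
IN_NET=192.168.1.0/24

# Emit the commands instead of running them, so the rule set can be reviewed
# with "sh fw.sh" and only then applied as root with "sh fw.sh apply".
gen_rules() {
    cat <<EOF
# forwarding is off by default; set net.ipv4.ip_forward = 1 in /etc/sysctl.conf to keep it across reboots
sysctl -w net.ipv4.ip_forward=1
# start from a closed FORWARD chain: nothing crosses the box unless a rule allows it
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F POSTROUTING
# replies to connections the inner clients opened (web, mail, DNS on 192.168.0.1)
iptables -A FORWARD -i $OUT_IF -o $IN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# inner clients may open new connections outward; the -s match also drops spoofed sources arriving on eth1
iptables -A FORWARD -i $IN_IF -o $OUT_IF -s $IN_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# no rule accepts NEW from eth0 to eth1, so the outer network cannot initiate to inner hosts
# masquerade: inner traffic leaves as 192.168.0.68, so 192.168.0.1 needs no route back
iptables -t nat -A POSTROUTING -s $IN_NET -o $OUT_IF -j MASQUERADE
EOF
}

# Number of rules appended (the -A lines): a quick review check.
count_rules() { gen_rules | grep -c '^iptables.* -A '; }

# Feed the generated commands to a shell that stops at the first failure.
apply_rules() { gen_rules | sh -e; }

case "${1:-show}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```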