Fedora Core 1, 2 NIC config question

Posted on 2004-09-09
Last Modified: 2008-01-09
I am trying to configure a network inside our current network for a new division with high security, which means that I would like to run 2 NICs, one for the client DHCP and the other for the firewall.

I have eth0 configured for DHCP to pull from my existing network, and it is pulling 192.168.0.68 with a gw of 192.168.0.1 to the internet. eth1 is configured with an IP of 192.168.1.2. I have copied my dhcpd.conf below. I can get to my other network with no problem from the server, but from a DHCP client on eth1 I cannot browse or get to my other network. I know that I need an iptables command also to get me through the firewall of eth0 and believe that is the issue, but have been unsuccessful in finding the solution.

I am also lacking DNS experience and tried to research the proper config for my DNS setting for this box, but could not get that corrected. I have configured the host name for eth1 to local.home.org with a primary DNS of my internet gw 192.168.0.1. Any help on this issue would be great.

dhcpd.conf

ddns-update-style interim;
ignore client-updates;

subnet 192.168.1.0 netmask 255.255.255.0 {

DHCPD_INTERFACE="eth1";
# --- default gateway
        option routers                  192.168.1.2;
        option subnet-mask              255.255.255.0;

        option nis-domain               "local.home.org";
        option domain-name              "local.home.org";
        option domain-name-servers      192.168.1.1;

        option time-offset              -18000; # Eastern Standard Time
#       option ntp-servers              192.168.1.1;
#       option netbios-name-servers     192.168.1.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
#       option netbios-node-type 2;

        range dynamic-bootp 192.168.1.240 192.168.1.250;
        default-lease-time 21600;
        max-lease-time 43200;

        # we want the nameserver to appear at a fixed address
        host ns {
                next-server marvin.redhat.com;
                hardware ethernet 12:34:56:78:AB:CD;
                fixed-address 207.175.42.254;
        }
"dhcpd.conf" 32L, 884C

I am also getting an error when starting and stopping dhcpd, but I am able to pull an IP from clients, which is confusing in itself.

dhcpd start results

[root@local etc]# dhcpd start
Internet Software Consortium DHCP Server V3.0pl2
Copyright 1995-2003 Internet Software Consortium.
All rights reserved.
For info, please visit http://www.isc.org/products/DHCP
Wrote 0 deleted host decls to leases file.
Wrote 0 new dynamic host decls to leases file.
Wrote 9 leases to leases file.

No subnet declaration for start (0.0.0.0).
** Ignoring requests on start.  If this is not what
   you want, please write a subnet declaration
   in your dhcpd.conf file for the network segment
   to which interface start is attached. **


Not configured to listen on any interfaces!

If you did not get this software from ftp.isc.org, please
get the latest from ftp.isc.org and install that before
requesting help.

If you did get this software from ftp.isc.org and have not
yet read the README, please read it before requesting help.
If you intend to request help from the dhcp-server@isc.org
mailing list, please read the section on the README about
submitting bug reports and requests for help.

Please do not under any circumstances send requests for
help directly to the authors of this software - please
send them to the appropriate mailing list as described in
the README file.

exiting.

thanks for any and all help in advance


               
Question by:nashsupport
Expert Comment

by:pablouruguay
ID: 12015986

Author Comment

by:nashsupport
ID: 12016906
Thanks for the response. I tried "You can do this by setting net.ipv4.ip_forward = 1 (instead of = 0) in your /etc/sysctl.conf file and reboot." and that really did not do anything at all, so I changed my dhcpd.conf to the following, but I still get the above error message when starting dhcpd:

ddns-update-style interim;
ignore client-updates;

subnet 192.168.1.0 netmask 255.255.255.0 {

DHCPD_INTERFACE="eth1";
# --- default gateway
        option routers                  192.168.1.2;
        option subnet-mask              255.255.255.0;

        option nis-domain               "local.home.org";
        option domain-name              "local.home.org";
        option domain-name-servers      192.168.0.1;

        option time-offset              -18000; # Eastern Standard Time
#       option ntp-servers              192.168.0.1;
#       option netbios-name-servers     192.168.0.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
#       option netbios-node-type 2;

        range dynamic-bootp 192.168.1.240 192.168.1.250;
        default-lease-time 21600;
"dhcpd.conf" 32L, 884C

I just do not see the correct resolution to my dhcpd.conf regarding correct ip configuration to resolve the start error and access to my gateway. Any and all help would be appreciated.


Author Comment

by:nashsupport
ID: 12017042
I am also wondering where I need to assign eth1 to the dhcpd. I found a line "DHCPD_INTERFACE="eth1";" that I tried in my dhcpd.conf, but it did not seem to help.

I have not found a definitive solution in any help docs that explains, top to bottom, how to configure 2 NICs with one running dhcpd.

thanks
Assisted Solution

by:pablouruguay
pablouruguay earned 100 total points
ID: 12017183
In your last post you lost the final }. You have it in the file, no? I have this config and it works fine:

subnet 192.168.1.0 netmask 255.255.255.0 {
        option routers 192.168.1.2;
        option subnet-mask 255.255.255.0;
        option domain-name "lacnic.net.uy";
        option domain-name-servers 192.168.1.1;
        option time-offset -03000;
        default-lease-time 600;
        max-lease-time 7200;
        range 192.168.1.3 192.168.1.195;
        allow unknown-clients;
        authoritative;
        }


Expert Comment

by:pablouruguay
ID: 12017261
Hey, one question: does your eth1 have a static IP? If not, this is the problem, and you need to add one:

ifconfig eth1 192.168.1.1 netmask 255.255.255.0

and restart DHCP

Author Comment

by:nashsupport
ID: 12017471
Here is my ifconfig; I have IPs for both adapters. I actually tried the } on my dhcpd and still get the error, so I have pasted all the info here. Thanks.

[root@local etc]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:01:02:84:8D:8B
          inet addr:192.168.0.68  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6506 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5030 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:712551 (695.8 Kb)  TX bytes:480681 (469.4 Kb)
          Interrupt:10 Base address:0xec00

eth1      Link encap:Ethernet  HWaddr 00:00:21:01:8E:2A
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:101 errors:0 dropped:0 overruns:0 frame:0
          TX packets:67 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:23582 (23.0 Kb)  TX bytes:10132 (9.8 Kb)
          Interrupt:11 Base address:0xae00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2240 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2240 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1772704 (1.6 Mb)  TX bytes:1772704 (1.6 Mb)

ddns-update-style interim;
ignore client-updates;

subnet 192.168.1.0 netmask 255.255.255.0 {

# --- default gateway
        option routers                  192.168.1.2;
        option subnet-mask              255.255.255.0;

        option nis-domain               "local.home.org";
        option domain-name              "local.home.org";
        option domain-name-servers      192.168.0.1;

        option time-offset              -18000; # Eastern Standard Time
#       option ntp-servers              192.168.0.1;
#       option netbios-name-servers     192.168.0.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
#       option netbios-node-type 2;

        range dynamic-bootp 192.168.1.240 192.168.1.250;
        default-lease-time 21600;
        max-lease-time 43200;
}
        # we want the nameserver to appear at a fixed address
        host ns {
                next-server marvin.redhat.com;
                hardware ethernet 12:34:56:78:AB:CD;
                fixed-address 207.175.42.254;
        }

thanks for your help
Expert Comment

by:pablouruguay
ID: 12017626
Ahhhhhh.... configure the DHCP mask to 255.255.0.0.

You have the router in 192.168.1

and the entire net in 192.168.0.

With the mask 255.255.255.0 it is not possible to communicate between them. You need a mask of 255.255.0.0 or revise the router address.
Expert Comment

by:pablouruguay
ID: 12017640
... Best solution: change the network card IP.

You have 192.168.0.68 and need 192.168.1.68.

Author Comment

by:nashsupport
ID: 12017671
Progress: when I run "dhcpd eth1" I can pull an IP from the specified range from my server, but when I try the "dhcpd start" command it errors out, so the issue is my eth1 designation in my dhcpd.conf. I still cannot ping my original box at 192.168.0.1 and will try an ipchains command.

Expert Comment

by:pablouruguay
ID: 12017682
Nooo, forget the last comment.... only expand your mask.
Expert Comment

by:pablouruguay
ID: 12017699
You have 2 nets here. If you expand your mask in the DHCP and in the interfaces to 255.255.0.0, you can communicate between them, but if you keep this with 255.255.255.0 you need iptables and router commands to do that.

Author Comment

by:nashsupport
ID: 12018722
Still getting errors, I have tried numerous things so here is some info.

[root@local etc]# dhcpd start
Internet Software Consortium DHCP Server V3.0pl2
Copyright 1995-2003 Internet Software Consortium.
All rights reserved.
For info, please visit http://www.isc.org/products/DHCP
/etc/dhcpd.conf line 4: subnet 192.168.1.0: bad subnet number/mask combination.
subnet 192.168.1.0 netmask 255.255.0.0
                                     ^
dhcp.conf

ddns-update-style interim;
ignore client-updates;

subnet 192.168.1.0 netmask 255.255.0.0 {

# --- default gateway
        option routers                  192.168.1.2;
        option subnet-mask              255.255.0.0;

        option nis-domain               "local.home.org";
        option domain-name              "local.home.org";
        option domain-name-servers      192.168.1.1;

        option time-offset              -18000; # Eastern Standard Time
#       option ntp-servers              192.168.0.1;
#       option netbios-name-servers     192.168.0.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
#       option netbios-node-type 2;

        range dynamic-bootp 192.168.1.240 192.168.1.250;
        default-lease-time 21600;
        max-lease-time 43200;
}
        # we want the nameserver to appear at a fixed address
        host ns {
                next-server marvin.redhat.com;
                hardware ethernet 12:34:56:78:AB:CD;
                fixed-address 207.175.42.254;
        }
Expert Comment

by:pablouruguay
ID: 12018902
And did you change your network card's 192.168.1.x to mask 255.255.0.0???
Expert Comment

by:jlevie
ID: 12018979
The dhcp problem is that there are two interfaces in the machine and you are only specifying a subnet range for one.  Edit /etc/sysconfig/dhcpd and set "DHCPDARGS=eth1". That will start the daemon as if you'd executed 'dhcpd eth1' and restrict it to the interface that you have defined a subnet for.

Oh yeah, change "subnet 192.168.1.0 netmask 255.255.0.0" back to "subnet 192.168.1.0 netmask 255.255.255.0". The daemon is smart enough to realize that since eth0 is in the 192.168.0.0/24 network that it is a logical impossibility to have eth1 supplying addresses that would overlap.

And finally, the "host ns" declaration is specifying an address that doesn't lie within the subnet that you are telling dhcpd to use, so you can't do that.
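As an added illustration (not code from the thread or from ISC dhcpd), the POSIX sh functions below reproduce the checks behind the errors discussed here: the "bad subnet number/mask combination" from 192.168.1.0 with 255.255.0.0, a fixed-address outside the declared subnet, and the closing brace that went missing from the first posted config. The scope values used are the ones from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce in POSIX sh the checks that
# dhcpd applied to the configs posted above.
#   - "bad subnet number/mask combination": 192.168.1.0 with 255.255.0.0
#     has host bits set in the network number
#   - the "host ns" fixed-address 207.175.42.254 is outside 192.168.1.0/24
#   - the router and the dynamic range must lie inside the declared subnet
#   - the first posted config lost the closing '}' of its subnet block

# Dotted quad -> 32-bit integer, using only $(( )) arithmetic.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || { echo "ip2int: malformed address" >&2; return 1; }
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# "ok" when network AND mask == network (a valid subnet declaration), else "bad".
check_subnet() {   # $1 network, $2 netmask
    net=$(ip2int "$1") || return 1
    mask=$(ip2int "$2") || return 1
    if [ $(( net & mask )) -eq "$net" ]; then echo ok; else echo bad; fi
}

# "ok" when address $3 falls inside network $1 / netmask $2, else "bad".
in_subnet() {
    net=$(ip2int "$1") || return 1
    mask=$(ip2int "$2") || return 1
    addr=$(ip2int "$3") || return 1
    if [ $(( addr & mask )) -eq $(( net & mask )) ]; then echo ok; else echo bad; fi
}

# "ok" when a dhcpd.conf has as many '}' as '{', else "bad".
brace_balance() {   # $1 path to dhcpd.conf
    opens=$(( $(tr -cd '{' < "$1" | wc -c) ))
    closes=$(( $(tr -cd '}' < "$1" | wc -c) ))
    if [ "$opens" -eq "$closes" ]; then echo ok; else echo bad; fi
}

# Validate one subnet scope the way dhcpd does before it will serve it:
# $1 network, $2 netmask, then every address that must lie inside it
# (routers, range start, range end, fixed-address values of host blocks).
# Prints one line per problem and returns non-zero if any was found.
check_scope() {
    s_net=$1; s_mask=$2; shift 2
    rc=0
    if [ "$(check_subnet "$s_net" "$s_mask")" != ok ]; then
        echo "subnet $s_net: bad subnet number/mask combination"; rc=1
    fi
    for a in "$@"; do
        if [ "$(in_subnet "$s_net" "$s_mask" "$a")" != ok ]; then
            echo "$a does not lie within $s_net/$s_mask"; rc=1
        fi
    done
    return $rc
}

# Worked case from the last dhcpd.conf posted in this thread: the host "ns"
# fixed-address 192.168.0.1 is still outside the only declared subnet.
if check_scope 192.168.1.0 255.255.255.0 192.168.1.2 192.168.1.240 192.168.1.250 192.168.0.1; then
    echo "scope OK"
fi
```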
Expert Comment

by:pablouruguay
ID: 12019011
jlevie you always  surprise me!!!!
Expert Comment

by:jlevie
ID: 12019222
In a good way I hope?

Author Comment

by:nashsupport
ID: 12019530
The "host ns": are you referring to a name server IP or name??

Author Comment

by:nashsupport
ID: 12019546
I found it sorry, I will try all this and let you know.

thanks so much

Author Comment

by:nashsupport
ID: 12021437
Update: I changed the subnets back to 255.255.255.0 and added the DHCPDARGS=eth1 line to /etc/sysconfig/dhcpd. I am still getting the original error. I have tried numerous things and have no luck. I have included my NIC configs and dhcpd.conf. Thanks for all the help.
___________________________________________________
[root@local etc]# dhcpd start
Internet Software Consortium DHCP Server V3.0pl2
Copyright 1995-2003 Internet Software Consortium.
All rights reserved.
For info, please visit http://www.isc.org/products/DHCP
Wrote 0 deleted host decls to leases file.
Wrote 0 new dynamic host decls to leases file.
Wrote 1 leases to leases file.

No subnet declaration for start (0.0.0.0).
** Ignoring requests on start.  If this is not what
   you want, please write a subnet declaration
   in your dhcpd.conf file for the network segment
   to which interface start is attached. **


Not configured to listen on any interfaces!

If you did not get this software from ftp.isc.org, please
get the latest from ftp.isc.org and install that before
requesting help.

If you did get this software from ftp.isc.org and have not
yet read the README, please read it before requesting help.
If you intend to request help from the dhcp-server@isc.org
mailing list, please read the section on the README about
submitting bug reports and requests for help.

Please do not under any circumstances send requests for
help directly to the authors of this software - please
send them to the appropriate mailing list as described in
the README file.

exiting.
_______________________________________________________
[root@local etc]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:01:02:84:8D:8B
          inet addr:192.168.0.68  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:38548 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22267 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4240826 (4.0 Mb)  TX bytes:2107055 (2.0 Mb)
          Interrupt:10 Base address:0xec00

eth1      Link encap:Ethernet  HWaddr 00:00:21:01:8E:2A
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:440 errors:0 dropped:0 overruns:0 frame:0
          TX packets:446 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:63180 (61.6 Kb)  TX bytes:63591 (62.1 Kb)
          Interrupt:11 Base address:0xae00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2377 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2377 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1784186 (1.7 Mb)  TX bytes:1784186 (1.7 Mb)
______________________________________________________
ddns-update-style interim;
ignore client-updates;

subnet 192.168.1.0 netmask 255.255.255.0 {

# --- default gateway
        option routers                  192.168.1.2;
        option subnet-mask              255.255.255.0;

        option nis-domain               "local.home.org";
        option domain-name              "local.home.org";
        option domain-name-servers      192.168.1.2;

        option time-offset              -18000; # Eastern Standard Time
#       option ntp-servers              192.168.0.1;
#       option netbios-name-servers     192.168.0.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
#       option netbios-node-type 2;

        range dynamic-bootp 192.168.1.240 192.168.1.250;
        default-lease-time 21600;
        max-lease-time 43200;
}
        # we want the nameserver to appear at a fixed address
        host ns {
                next-server mail.wirtgenamerica.com;
                hardware ethernet 00:50:8B:9A:EF:63;
                fixed-address 192.168.0.1;


Accepted Solution

by:jlevie
jlevie earned 150 total points
ID: 12021746
Your problem now is that you are executing 'dhcpd start' and you should be executing '/sbin/service dhcpd start'.

Author Comment

by:nashsupport
ID: 12022754
That worked, it started perfectly. I have looked at numerous articles today and never once saw that command, /sbin/service dhcpd start; what is the reason for that, if you have a second? Also, now when I run pgrep dhcp I get a response of 3592, which is the correct response I believe.

Also, my last question, I promise: I can reach the outside so my eth0 is working fine, and my eth1 is giving out IPs now, so why can't I ping my original server at 192.168.0.1 or browse from a workstation?

thanks for all your help
Expert Comment

by:jlevie
ID: 12022975
Any Linux or Unix system has to have a method of starting services at boot time. In the case of Fedora, RedHat, and others this is done with a SysV style init system. For each service not managed by inet/xinetd there's a control script in /etc/rc.d/init.d (/etc/init.d is a symlink to there). Services can be enabled/disabled for boot time start up (and at what run level(s)) with 'chkconfig service-name on|off'. And, you can manipulate a service directly with '/etc/init.d/service-name start|stop|restart|status' or using a shortcut, '/sbin/service service-name start|stop|restart|status'. This is one reason why you hear about folks having Unix/Linux servers running for a year or more. In most cases you can start/stop/restart services at any time rather than just at boot time like most Windows services.

One can directly manipulate the service by directly executing the daemon. An example of that would be to execute '/usr/sbin/dhcpd eth1', which is what the init script will wind up doing in this case. The advantage to using the init script over direct execution is that the init script will take care not to try to run more than one copy, that it will allow for checking status, and that it has provisions for shutdown of the service. Some init scripts do a lot more, e.g. look at /etc/init.d/network.

Now that you have dhcpd running okay you'll want to execute 'chkconfig dhcpd on' so that the service will auto start at boot.

Now on to the next part of the problem.

You state in the question that you want "to configure a network inside our current network for a new division with high security". To me that means that you are going to use the Linux box to firewall the 192.168.1.0/24 from the rest of your network. And that implies that you'll need an iptables rule set to protect the inner network. If I assume that you want full protection and the "high security" network will be purely consumers of simple services (e.g., web, mail, etc.) outside of the firewall (no file sharing), you'd want a firewall rule set very similar to what one would use for Internet access. There's an example of my usual firewall at http://www.entrophy-free.net/tools/iptables-gw which should be usable with a few edits.

When isolating a network like this you have to consider whether you will NAT the private (192.168.1.0/24) addresses or route them. Routing connections from the private network means that systems on the outside network have to know how to route data back. This might mean configuring a static route on a gateway router on the outer network, which will issue re-directs to the outside IP of your Linux box, or configuring a static route on each machine in the outer network. NAT'ing the private IP's onto the outside IP of the Linux box has the advantage of not needing that route. All traffic from a machine on the private network then looks like it comes from 192.168.0.68, and nodes on the outer network already know how to reach that IP.

In addition to NAT'ing all of the private IP's onto 192.168.0.68 one can set up static NAT translations. As in the first case, connections from IP's on the private network will appear to come from an IP in 192.168.0.0/24, so no additional routing info is needed to get data back to the machine on the private network.

At this point your failure to be able to ping 192.168.0.1 could be due to your not having enabled IP forwarding in the kernel (it defaults to off) and that the server at 192.168.0.1 doesn't know how to route data back to the hidden IP.

Does that help?
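As an added example, not jlevie's iptables-gw script or anything posted in the thread, here is the NAT'ing variant he describes as a reviewable shell script for the interfaces posted above (eth0 = 192.168.0.68 outside, eth1 = 192.168.1.0/24 inside); the default-deny policy and the ssh-from-inside rule are assumptions, and it also switches on the kernel forwarding he mentions.

```shell
#!/bin/sh
# Added example (not the thread's own or jlevie's script): a NAT'ing firewall
# for the two-NIC box above. Interface names and addresses are the ones
# posted in the thread; default-deny, "inside may initiate, outside may not"
# and ssh-from-inside-only are assumptions about what "high security" means.
OUT_IF=${OUT_IF:-eth0}              # 192.168.0.68, itself a DHCP client, gw 192.168.0.1
IN_IF=${IN_IF:-eth1}                # 192.168.1.2, runs dhcpd for the inner network
IN_NET=${IN_NET:-192.168.1.0/24}

# Emit the commands instead of running them, so the set can be read (and
# tested) before it touches a live firewall. '#' lines pass through as
# comments when the output is fed to sh.
gen_gateway_rules() {
    cat <<EOF
# forwarding is off by default; without it nothing crosses $IN_IF -> $OUT_IF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
# default deny for traffic to the box and through the box
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# keep the box's own DHCP client on $OUT_IF working (server 67 -> client 68)
iptables -A INPUT -i $OUT_IF -p udp --sport 67 --dport 68 -j ACCEPT
# inner clients must reach dhcpd on $IN_IF; management only from inside (assumption)
iptables -A INPUT -i $IN_IF -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $IN_IF -s $IN_NET -p tcp --dport 22 -j ACCEPT
# inner network may open connections outward (ping to 192.168.0.1 included);
# only replies to those connections come back in
iptables -A FORWARD -i $IN_IF -o $OUT_IF -s $IN_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $OUT_IF -o $IN_IF -d $IN_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
# hide 192.168.1.x behind the address of $OUT_IF, so 192.168.0.x needs no route back
iptables -t nat -A POSTROUTING -o $OUT_IF -s $IN_NET -j MASQUERADE
EOF
}

# Number of iptables commands in the set (a quick sanity check).
rule_count() { gen_gateway_rules | grep -c '^iptables'; }

# Install the set. Root only; applying half of a default-deny set can lock
# an administrator out, so the generated text is run with sh -e as one unit.
apply_gateway_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_gateway_rules: must be root" >&2
        return 1
    fi
    gen_gateway_rules | sh -e
}

# A plain run prints the rule set for review; --apply installs it.
if [ "${1:-}" = "--apply" ]; then apply_gateway_rules; else gen_gateway_rules; fi
```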