RH Linux with 2 NICs

Posted on 2004-09-21
Last Modified: 2010-03-18
Hi All,

I have the following problem: I have a RH9.1 Linux box with 2 network cards installed. Both are configured and working correctly. The box obviously has 2 IP addresses: one 10.x.x.x address and one which falls in a range of 30 assigned to me by my ISP. The box acts as a router for the subnet allocated to me by the ISP. The box is in my DMZ. The default route on the box is a 10.x.x.x address. I have no routing issues and all routing from the internet and from my inside LAN is working fine.

The problem is this. The box is an SMTP relay so that my Exchange box does not have to be directly exposed to the net. When my box is connecting to the net it is presenting itself as 10.x.x.x instead of the 196.x.x.x address allocated by my ISP.

How can I make the box connect with the 196.x.x.x address? Currently I get connection refused errors when I try and connect to anything on the net because the box is presenting itself as 10.x.x.x, which is not routable over the internet. I'm guessing something like MASQ but I'm not sure. Any pointers as to what I can do about this are most welcome, as my points allocation will reflect.

Thanks in advance

Question by:jnbkze

Expert Comment

ID: 12116305
> The default route on the box is the a 10.x.x.x address

Which would be wrong since the default route for this system should be your ISP's router's IP. With it set to the IP it is now the box will try to use the private network (10.x.x.x) and thus a private IP to reach the Internet. By setting the default route correctly it will use an outside IP.

Author Comment

ID: 12116571
Hi Jlevie,

This is a rough idea of what the connections between my box and my ISP look like

linux box -> DMZ NIC on FW -> External NIC on FW -> My Internet Router -> ISP Router

The DMZ NIC has the 10.x.x.x address
The second NIC on my linux host is 196.x.x.x and the Linux host is acting as a router for the 196.x.x.x subnet allocated to me.

I don't see how I could set up my ISP-assigned IP as the default gateway. I don't see how that could work without using my DMZ NIC as the default route, and therefore how could I use the 196.x.x.x IP for the default gateway? Wouldn't I need to have a virtual NIC on the DMZ interface in the same subnet as the range allocated by the ISP?

    My Router          196.A.B.X
    FW External NIC    196.A.B.X
    FW DMZ NIC         10.x.x.x
    Linux Host NIC1    10.x.x.x
    Linux Host NIC2    196.A.C.X

Hopefully this gives a slightly better picture.



Accepted Solution

jlevie earned 500 total points
ID: 12117003
Okay... You neither need nor want to have the second NIC in the Linux box with the 196.A.C.x IPs on it. The firewall will need to be configured to statically NAT the 10.x.x.x IP(s) of the Linux box to the outside IP in the 196.x.x.x block. The only reason to have two NICs in the Linux box would be if your topology looked like:

                        /          \
      (196.A.B.C/27)   /            \   (196.A.B.D/?)
                      /              \
                  Linux           Firewall
                    |                 |
                    |_________________| (10.x.x.x)

Expert Comment

ID: 12119935
Hi :-)

How would you describe "presenting itself"?
Do you mean the SMTP header you see when you telnet port 25?

In order to make your SMTP relay connect to the Internet, you will need to translate its address, just as you would do with any client workstation.

NAT is defined on the firewall. For that purpose, the DMZ works exactly the same way your LAN connects. You have to tell your firewall to translate outgoing connections from 10.x.x.x to an address you will pick (196.A.B.D). On Linux, this is called SNAT.

Depending on your firewall type, another NAT needs to be defined which forwards SMTP connections from your legal SMTP ip address to your DMZ server. On Linux, this is called DNAT.

In addition to that, you have to open some access controls to your DMZ relay host like so:
1. Allow connection from all addresses to the DMZ host on port 25/tcp
2. Allow the DMZ host to connect to the Internet on port 25/tcp and 53/udp (DNS lookups, very important if you resolve using a DNS server your ISP provides).
3. Allow the DMZ host to connect to the internal mail server on port 25/tcp.

If your firewall is/were a Linux host, the commands should be:
# NAT: inbound DNAT belongs in PREROUTING (before the routing decision),
# outbound SNAT in POSTROUTING (after it)
iptables -t nat -A PREROUTING -d 196.A.B.D -p tcp --dport 25 -j DNAT --to-destination 10.x.x.x
iptables -t nat -A POSTROUTING -s 10.x.x.x -j SNAT --to-source 196.A.B.D

# Access Controls
# Replies to connections accepted below; INVALID packets are never accepted
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Relay -> Internet and internal mail server on 25/tcp
iptables -A FORWARD -s 10.x.x.x -p tcp --dport 25 -m state --state NEW -j ACCEPT
# Relay -> DNS
iptables -A FORWARD -s 10.x.x.x -p udp --dport 53 -m state --state NEW -j ACCEPT
# Internet -> relay on 25/tcp (destination already rewritten by the DNAT rule)
iptables -A FORWARD -d 10.x.x.x -p tcp --dport 25 -m state --state NEW -j ACCEPT

Replace 10.x.x.x with the actual internal address of your relay host.
Replace 196.A.B.D with your legal SMTP IP address.

Note: The access controls may not fit to your requirements. Do not accept these blindly. They may also not work (e.g. if you do not use states in your fw). Open the access controls as you see fit and check if they allow proper communications.
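The accepted answer and the comment above both come down to the same thing: the relay keeps its single DMZ NIC and its default route through the firewall's DMZ address, and the firewall does static NAT between the relay's 10.x.x.x address and one public address from the ISP block. The script below is an added example written for this page, not code from either poster. It puts the whole ruleset together in the order iptables evaluates it: DNAT in PREROUTING, SNAT in POSTROUTING, a default-deny FORWARD policy, a drop (not an accept) for INVALID state, and only the three flows the relay needs. Interface names and all addresses (eth0/eth1, 10.0.0.25, 198.51.100.25 standing in for 196.A.B.D, 10.1.0.10 for the internal mail server) are assumptions and can be overridden in the environment; with IPT=echo the script prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): a complete Linux-firewall ruleset for a
# DMZ SMTP relay that must appear on the Internet with a public address.
# Interface names and addresses are assumptions; override them in the
# environment. IPT=echo prints the rules instead of applying them.
: "${IPT:=iptables}"
: "${WAN_IF:=eth0}"                   # assumed: firewall interface towards the ISP
: "${DMZ_IF:=eth1}"                   # assumed: firewall interface towards the DMZ
: "${RELAY_IP:=10.0.0.25}"            # assumed: relay's DMZ address (10.x.x.x in the thread)
: "${SMTP_PUBLIC_IP:=198.51.100.25}"  # assumed: public address for the relay (196.A.B.D in the thread)
: "${MAIL_INT_IP:=10.1.0.10}"         # assumed: internal Exchange server

apply_rules() {
    # Default deny for forwarded traffic; start from empty chains.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -t nat -F PREROUTING
    $IPT -t nat -F POSTROUTING

    # Anti-spoofing: packets claiming the relay's DMZ address never arrive from the WAN.
    $IPT -A FORWARD -i "$WAN_IF" -s "$RELAY_IP" -j DROP

    # Static NAT. Inbound SMTP to the public address is rewritten to the relay
    # before the routing decision (PREROUTING); everything the relay sends out
    # leaves with the public source address after it (POSTROUTING).
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$SMTP_PUBLIC_IP" -p tcp --dport 25 \
        -j DNAT --to-destination "$RELAY_IP"
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$RELAY_IP" \
        -j SNAT --to-source "$SMTP_PUBLIC_IP"

    # Replies to accepted connections; INVALID is dropped, never accepted.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state INVALID -j DROP

    # 1. Internet -> relay on 25/tcp. FORWARD sees the packet after DNAT, so it
    #    matches on the relay's DMZ address, not the public one.
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$RELAY_IP" -p tcp --dport 25 \
        -m state --state NEW -j ACCEPT
    # 2. Relay -> Internet on 25/tcp and 53 (DNS also uses tcp for large answers).
    $IPT -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$RELAY_IP" -p tcp --dport 25 \
        -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$RELAY_IP" -p udp --dport 53 \
        -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$RELAY_IP" -p tcp --dport 53 \
        -m state --state NEW -j ACCEPT
    # 3. Relay -> internal mail server on 25/tcp only; a compromised relay gets
    #    no other path into the LAN because the FORWARD policy is DROP.
    $IPT -A FORWARD -i "$DMZ_IF" -s "$RELAY_IP" -d "$MAIL_INT_IP" -p tcp --dport 25 \
        -m state --state NEW -j ACCEPT
}

# Dry-run sanity check on the generated rules: returns 0 when the NAT rules sit
# in the right chains and nothing accepts INVALID state.
check_rules() {
    out=$(IPT=echo; apply_rules)
    echo "$out" | grep -q -- '-t nat -A PREROUTING .* -j DNAT'  || return 1
    echo "$out" | grep -q -- '-t nat -A POSTROUTING .* -j SNAT' || return 1
    if echo "$out" | grep -- '-A POSTROUTING' | grep -q DNAT; then return 1; fi
    if echo "$out" | grep -- INVALID | grep -q ACCEPT; then return 1; fi
    return 0
}

case "${1:-}" in
    apply) apply_rules ;;                                      # run as root on the firewall
    check) check_rules && echo "rule set passes sanity checks" ;;
    *)     (IPT=echo; apply_rules) ;;                          # default: print the rules
esac
```

After applying, `iptables -t nat -L -n -v` shows the packet counters on the DNAT and SNAT rules climbing as mail flows, and `tcpdump -ni eth0 port 25` on the firewall's WAN side should show only the public address as source for connections the relay opens; if 10.x.x.x still appears there, the SNAT rule is not matching (wrong interface or source address).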

