Solved

RH Linux with 2 NICs

Posted on 2004-09-21
Last Modified: 2010-03-18
Hi All,

I have the following problem: I have a RH9.1 linux box with 2 network cards installed. Both are configured and working correctly. The box obviously has 2 IP addresses: a 10.x.x.x address and one which falls in a range of 30 assigned to me by my ISP. The box acts as a router for the subnet allocated to me by the ISP. The box is in my DMZ. The default route on the box is a 10.x.x.x address. I have no routing issues and all routing from the internet and from my inside LAN is working fine.

The problem is this. The box is an SMTP relay so that my Exchange box does not have to be directly exposed to the net. When my box is connecting to the net it is presenting itself as 10.x.x.x instead of the 196.x.x.x address allocated by my ISP.

How can I make the box connect with the 196.x.x.x address? Currently, I get connection refused errors when I try and connect to anything on the net because the box is presenting itself as 10.x.x.x, which is not routable over the internet. I'm guessing something like MASQ but I'm not sure. Any pointers as to what I can do about this are most welcome, as my points allocation will reflect

Thanks in advance

jnbkze
Question by:jnbkze
LVL 40

Expert Comment

by:jlevie
ID: 12116305
> The default route on the box is the a 10.x.x.x address

Which would be wrong since the default route for this system should be your ISP's router's IP. With it set to the IP it is now the box will try to use the private network (10.x.x.x) and thus a private IP to reach the Internet. By setting the default route correctly it will use an outside IP.
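Why the host "presents itself" as 10.x.x.x follows from how Linux picks a source address: an unbound socket takes the preferred source of the route that wins the lookup, and with the default route on the DMZ NIC that is the 10.x.x.x address. The following is an added illustration, not code from the thread; the routing tables, interface names and addresses (10.0.0.0/24 for the DMZ, 203.0.113.32/27 standing in for the ISP's /27, 203.0.113.62 as a hypothetical upstream gateway) are constructed placeholders.

```python
import ipaddress

# Constructed routing table modelled on the poster's host: NIC1 on the DMZ
# (10.x.x.x) and NIC2 on the ISP-assigned /27. Addresses are placeholders,
# not the poster's. Tuples: (prefix, gateway, interface, preferred source).
ROUTES = [
    ("10.0.0.0/24",     None,       "eth0", "10.0.0.5"),
    ("203.0.113.32/27", None,       "eth1", "203.0.113.33"),
    ("0.0.0.0/0",       "10.0.0.1", "eth0", "10.0.0.5"),  # default via the DMZ NIC
]

# Same host with the default route moved to a (hypothetical) router on the
# public subnet, which is the change jlevie is describing.
FIXED_ROUTES = ROUTES[:2] + [("0.0.0.0/0", "203.0.113.62", "eth1", "203.0.113.33")]


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does: the most specific matching
    route wins, so 0.0.0.0/0 only catches what nothing else matched."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway, dev, src in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, dev, src)
    return best


def source_for(routes, dst):
    """Source address an unbound socket gets when connecting to dst: the
    preferred source of the selected route, normally the address of the
    outgoing interface (overridable with 'src' on 'ip route')."""
    route = lookup(routes, dst)
    return route[3] if route else None


if __name__ == "__main__":
    internet_host = "198.51.100.25"  # constructed remote SMTP server
    print("default via DMZ NIC ->", source_for(ROUTES, internet_host))        # 10.0.0.5
    print("default via ISP NIC ->", source_for(FIXED_ROUTES, internet_host))  # 203.0.113.33
    print("to own /27 subnet   ->", source_for(ROUTES, "203.0.113.40"))       # 203.0.113.33
```

Only traffic to the ISP-assigned subnet itself leaves with the 196.x.x.x-style address in the first table; everything bound for the wider internet hits the default route and is sourced from the DMZ NIC.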
LVL 3

Author Comment

by:jnbkze
ID: 12116571
Hi Jlevie,

This is a rough idea of what the connections between my box and my ISP look like:

linux box -> DMZ NIC on FW -> External NIC on FW -> My Internet Router -> ISP Router

The DMZ NIC has the 10.x.x.x address
The second NIC on my linux host is 196.x.x.x and the Linux host is acting as a router for the 196.x.x.x subnet allocated to me.

I don't see how I could set up my ISP assigned IP as the default gateway. I don't see how that could work without using my DMZ NIC as the default route, and therefore how could I use the 196.x.x.x IP for the default gateway? Wouldn't I need to have a virtual NIC on the DMZ interface in the same subnet as the range allocated by the ISP?



                    -----------------------------
                              internet
                    -----------------------------
                                 |
                        My Router 196.A.B.X
                                 |
                      FW External NIC 196.A.B.X
                                 |
                        FW DMZ NIC 10.x.x.x
                                 |
                      Linux Host NIC1 10.x.x.x
                                 |
                      Linux Host NIC2 196.A.C.X

Hopefully this gives a slightly better picture.


jnbkze

LVL 40

Accepted Solution

by:
jlevie earned 500 total points
ID: 12117003
Okay... You neither need nor want to have the second NIC in the Linux box with the 196.A.C.x IPs on it. The firewall will need to be configured to statically NAT the 10.x.x.x IP(s) of the Linux box to the outside IP in the 196.x.x.x block. The only reason to have two NICs in the Linux box would be if your topology looked like:

                             Router
                            /      \
            (196.A.B.C/27) /        \ (196.A.B.D/?)
                          /          \
                      Linux        Firewall
                        |              |
                        |______________| (10.x.x.x)
                                       |
LVL 9

Expert Comment

by:e-tsik
ID: 12119935
Hi :-)

How would you describe "presenting itself"?
Do you mean the SMTP header you see when you telnet port 25?

In order to make your SMTP relay connect to the Internet, you will need to translate its address, just as you would do with any client workstation.

NAT is defined on the firewall. For that purpose, the DMZ works exactly the same way your LAN connects. You have to tell your firewall to translate outgoing connections from 10.x.x.x to an address you will pick (192.A.B.D..). On Linux, this is called SNAT.

Depending on your firewall type, another NAT needs to be defined which forwards SMTP connections from your legal SMTP IP address to your DMZ server. On Linux, this is called DNAT.

In addition to that, you have to open some access controls to your DMZ relay host like so:
1. Allow connection from all addresses to the DMZ host on port 25/tcp
2. Allow the DMZ host to connect to the Internet on port 25/tcp and 53/udp (DNS lookups, very important if you resolve using a DNS server your ISP provides).
3. Allow the DMZ host to connect to the internal mail server on port 25/tcp.

If your firewall is/were a Linux host, the commands should be:
# NAT
# Outbound: rewrite the relay's private source address to the public SMTP address
iptables -t nat -A POSTROUTING -s 10.20.30.40 -j SNAT --to-source 196.A.B.D
# Inbound: DNAT belongs in PREROUTING and must point at the relay's internal
# address, otherwise SMTP arriving at the public address never reaches the DMZ host
iptables -t nat -A PREROUTING -d 196.A.B.D -p tcp --dport 25 -j DNAT --to-destination 10.20.30.40

# Access Controls
# Let replies to already-accepted flows through in both directions
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Match only NEW connections below; INVALID packets should never be accepted
iptables -A FORWARD -s 10.20.30.40 -p tcp --dport 25 -m state --state NEW -j ACCEPT
iptables -A FORWARD -s 10.20.30.40 -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A FORWARD -d 10.20.30.40 -p tcp --dport 25 -m state --state NEW -j ACCEPT

Replace 10.20.30.40 with the actual internal address of your relay host.
Replace 196.A.B.D with your legal SMTP IP address.

Note: The access controls may not fit your requirements. Do not accept these blindly. They may also not work (e.g. if you do not use states in your fw). Open the access controls as you see fit and check if they allow proper communications.

Enjoy!
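To see how the SNAT, DNAT and the three access controls above fit together, here is an added model of the firewall's packet path (not code from the thread): PREROUTING DNAT, then the FORWARD filter for NEW flows, then POSTROUTING SNAT, with a connection-tracking table that translates reply packets back the way the ESTABLISHED rule does. The relay address 10.20.30.40 is the post's placeholder and 203.0.113.5 is a constructed stand-in for the legal SMTP IP (196.A.B.D).

```python
from dataclasses import dataclass

# Constructed addresses standing in for the post's placeholders.
RELAY_PRIVATE = "10.20.30.40"  # DMZ relay host (the post's 10.20.30.40)
SMTP_PUBLIC = "203.0.113.5"    # the legal SMTP IP (the post's 196.A.B.D)
CONNTRACK = {}                 # reply 5-tuple -> packet after reverse translation

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

def firewall(pkt, conntrack=CONNTRACK):
    """Return (verdict, packet as it leaves the firewall).
    NEW flows go PREROUTING DNAT -> FORWARD filter -> POSTROUTING SNAT; replies to
    tracked flows are translated back and accepted with no rule of their own."""
    key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
    if key in conntrack:                      # ESTABLISHED: undo the NAT and pass
        return "ACCEPT", conntrack[key]
    src, dst = pkt.src, pkt.dst
    if pkt.proto == "tcp" and dst == SMTP_PUBLIC and pkt.dport == 25:
        dst = RELAY_PRIVATE                   # PREROUTING: DNAT public SMTP to the relay
    allowed = (                               # FORWARD: the three access controls
        (src == RELAY_PRIVATE and pkt.proto == "tcp" and pkt.dport == 25)
        or (src == RELAY_PRIVATE and pkt.proto == "udp" and pkt.dport == 53)
        or (dst == RELAY_PRIVATE and pkt.proto == "tcp" and pkt.dport == 25)
    )
    if not allowed:
        return "DROP", None
    if src == RELAY_PRIVATE:
        src = SMTP_PUBLIC                     # POSTROUTING: SNAT the relay's private source
    out = Pkt(src, pkt.sport, dst, pkt.dport, pkt.proto)
    # Remember the reply direction of the translated flow and how to map it back.
    conntrack[(pkt.proto, out.dst, out.dport, out.src, out.sport)] = Pkt(
        pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
    return "ACCEPT", out

if __name__ == "__main__":
    # Inbound mail from a constructed internet MTA, then the relay's reply
    print(firewall(Pkt("198.51.100.25", 40000, SMTP_PUBLIC, 25)))
    print(firewall(Pkt(RELAY_PRIVATE, 25, "198.51.100.25", 40000)))
    # The relay delivering outbound mail, and an SSH attempt no rule allows
    print(firewall(Pkt(RELAY_PRIVATE, 51000, "198.51.100.80", 25)))
    print(firewall(Pkt("198.51.100.25", 40001, SMTP_PUBLIC, 22)))
```

Note that the model, like the rules, SNATs everything the relay sends, including mail to the internal server, which is why the access controls are worth checking against your own topology as the post says.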
