?
Solved

RH Linux with 2 NICs

Posted on 2004-09-21
4
Medium Priority
?
263 Views
Last Modified: 2010-03-18
Hi All,

I have the following problem: I have a RH9.1 linux box with 2 network cards installed. Both are configured and working correctly. The box obviously have 2 IP addresses and 10.x.x.x address and one which falls in a range of 30 assigend to me by my ISP. The box acts as a router for the subnet allocated to me by the ISP. The box is in my DMZ. The default route on the box is the a 10.x.x.x address. I have no routing issues and all routing from the internet and from my inside LAN is working fine.

The problem is this. The box is a SMTP relay so that my exchange box does not have to be directly exposed to the net. When my box is connecting to the net it is presenting it's self as 10.x.x.x instead of the 196.x.x.x address allocated by my ISP.

How can I make the box connect with the 196.x.x.x address, because currently, I get connection refused errors when I try and connect to anything on the net because the box is presenting it's self as 10.x.x.x which is not routable over the internet. I'm guessing something like MASQ but I'm not sure. Any pointers as to what I can do about this are most well come, as my points allocation will reflect

Thanks in advance

jnbkze
0
Comment
Question by:jnbkze
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 12116305
> The default route on the box is the a 10.x.x.x address

Which would be wrong since the default route for this system should be your ISP's router's IP. With it set to the IP it is now the box will try to use the private network (10.x.x.x) and thus a private IP to reach the Internet. By setting the default route correctly it will use an outside IP.
0
 
LVL 3

Author Comment

by:jnbkze
ID: 12116571
Hi Jlevie,

This is a rough idea of what the connections between my box and my ISP look like

linux box -> DMZ NIC on FW -> External NIC on FW -> My Internet Router -> ISP Router

The DMZ NIC has the 10.x.x.x address
The second NIC on my linux host is 196.x.x.x and the Linux host is acting as a router for the 196.x.x.x subnet allocated to me.

I don't see how I could set up my ISP assigned IP as the default gateway. I don't see how that could work without using my DMZ NIC as the default route and therefore How could I use the 196.x.x.x IP for the default gateway. Wouldn't I need to have a virtual nic on the DMZ interface in the same subnet as the range allocated by the ISP?



                               -----------------------------
                                        internet
                                -----------------------------
                                             |
                                        My Router 196.A.B.X
                                             |
                                       FW External NIC 196.A.B.X
                                             |
                                       FW DMZ NIC 10.x.x.x
                                             |
                                       Linux Host NIC1 10.x.x.x
                                             |
                                       Linux Host NIC2 196.A.C.X

Hopefully this gives a slightly better picture.


jnbkze

0
 
LVL 40

Accepted Solution

by:
jlevie earned 1500 total points
ID: 12117003
Okay... You neither need nor want to have the second NIC in the Linux box with the 196.A.C.x IP's on it. The firewall will need to be configured to statically NAT the 10.x.x.x IP(s) of the Linux box to the outside IP in the 196.x.x.x block. The only reason to have two NIC's in the Linux box would be if your topology looked like:

                                        Router
                                        /         \
         (196.A.B.C/27))/             \ (196.A.B.D/?)
                                    /                 \
                             Linux          Firewall
                                  |                       |
                                  |__________| (10.x.x.x)
                                                          |
0
 
LVL 9

Expert Comment

by:e-tsik
ID: 12119935
Hi :-)

How would you describe "presenting itself"?
Do you mean the SMTP header you see when you telnet port 25?

In order to make your SMTP relay connect to the Internet, would will need to translate its address, just as you would do with any client workstation.

NAT is defined on the firewall. For that purpose, the DMZ works exactly the same way your LAN connects. You have to tell your firewall to translate outgoing connection from 10.x.x.x to an address you will pick (192.A.B.D..). On Linux, this is called SNAT.

Depending on your firewall type, another NAT needs to be defined which forwards SMTP connections from your legal SMTP ip address to your DMZ server. On Linux, this is called DNAT.

In addition to that, you have to open some access controls to your DMZ relay host like so:
1. Allow connection from all addresses to the DMZ host on port 25/tcp
2. Allow the DMZ host to connect to the Internet on port 25/tcp and 53/udp(dns lookups, very important if you resolve using a DNS server your ISP provides).
3. Allow the DMZ host to connect to the internal mail server on port 25/tcp.

If your firewall is/were a Linux host, the commands should be:
# NAT
iptables -t nat -A POSTROUTING -s 10.20.30.40  -j SNAT --to-source 196.A.B.D
iptables -t nat -A POSTROUTING -d 196.A.B.D  -j DNAT --to-destination 196.A.B.D

# Access Controls
iptables -A FORWARD -s 10.20.30.40 -p tcp --dport 25 -m state --state NEW,INVALID -j ACCEPT
iptables -A FORWARD -s 10.20.30.40 -p udp --dport 53 -m state --state NEW,INVALID -j ACCEPT
iptables -A FORWARD -d 10.20.30.40 -p tcp --dport 25 -m state --state NEW,INVALID -j ACCEPT

Replace 10.20.30.40 with the actual internal address of your relay host.
Replace 196.A.B.D with your legal SMTP ip address.

Note: The access controls may not fit to your requirements. Do not accept these blindly. They may also not work (e.g. if you do not use states in your fw). Open the access controls as you see fit and check if they allow proper communications.

Enjoy!
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Ready to improve network connectivity? Watch this webinar to learn how SD-WANs and a one-click instant connect tool can boost provisions, deployment, and management of your cloud connection.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question