Solved

How to configure small linux/windows network with one linux box as a router.

Posted on 2006-03-26
275 Views
Last Modified: 2010-03-18
I administer 7 computers - 2 Linux and 5 Windows - inside a network of about 25 computers (I don't manage the others) connected to a HW router (which I also don't administer). My question is what is the best free (no more purchases) Linux way to provide access to each other and to the internet for those I do manage and separation from the computers I don't manage? Should I make one of my Linux boxes a second router before the HW router? If so, how do I set up the routing tables? Right now, all 25 machines are configured through DHCP provided by the HW router, but I can give static addresses to my 7 if that's the way to go.

Thanks
0
Question by:parkhensley
15 Comments
 
LVL 3

Expert Comment

by:leisner
ID: 16296747
Do you use NAT? is the router a router or a firewall?
Do you run dynamic DNS?
I'm not sure which distro of linux to use -- I use redhat//fedora -- I wouldn't get something
bleeding edge.

If you make one of the linux machines a  router, you have a single point of failure when something goes wrong -- not sure you gain anything and you may make headaches for yourself....

The routing tables really are no problem -- you just specify a "gateway" (the router) -- if your DHCP is set up right, it should be automatic...

0
 

Author Comment

by:parkhensley
ID: 16296797
I should have said that the hw router provides NAT and limited firewall capability. I have several distros currently under evaluation.  

The default configuration of just using the hw router as the only solution works, but when I do netstat -a, I am always finding uninvited connections ESTABLISHED or LISTENING on various ports and this bothers me because I have quite a bit of confidential material on several of the machines (and they all need internet access) and so I wanted an extra layer of protection.
0
 
LVL 3

Expert Comment

by:leisner
ID: 16297913
Maybe treat the confidential information on specific machines with a higher amount of security
on these machines...

Putting another firewall/router in there may cause other problems -- you have to evaluate if it's worth it.

Lots of ways to go....

0
 
LVL 3

Assisted Solution

by:kiitii
kiitii earned 1200 total points
ID: 16298007
Perhaps, you can try http://www.smoothwall.org
It's a Firewall oriented Linux distro. (warning, it will wipe off all your harddisk data during the installation)

Put it this way.

Separate them into a few zones.

Internet zone.
DMZ zone.
LAN zone.

So meaning, you will need 3 network cards for this smoothwall.
And configure them into these 3 zones.

I suggest you:-

1. Connect the internet zone network card to your HW router/firewall.
2. Connect DMZ zone network card to your LINUX based computers. (configure every box with fixed ip address)
3. Connect LAN zone network card to your WINDOWS based computer.
And configure DHCP for this card

Hope this helps.
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 16302584
mmhh...

I think you need first to shape a more secure layout.
I would do this:

 internet --- hw router ----(all other computers you do not manage, along with one of your linux computers) --- (a sub-lan of your managed computers)

note that you need an extra ethernet card for the linux computer you choose to be the firewall/gateway of your managed computers, along with a switch/hub for them to connect.

If you do this way, all other computers you do not administer will not be able to connect to the protected computers (they will be behind a linux firewall)

you shall then configure a firewall for your linux computer, along with dhcp server for internal computers.

if you do that, you'll be set for a double firewall layout which is far more secure than what you have right now, while being easy to administer.

hope this and the previous post of kiitii can drive you on the lane to what you want to do.
there are lots of firewall scripts (all of them manage the internal linux firewall, named NETFILTER) and smoothwall is a good one as I have read. I tend to use my own written scripts, however.

Regards
0
 

Author Comment

by:parkhensley
ID: 16307438
I have 2 ethernet cards in the linux computer that I would make the gateway for my managed computers. Let me get what kiitii and Redimido are saying.

I connect my linux gateway box into the hw router for the main network through one of the cards and a hub for my other computers to connect to through the second card. I set static ips on the 2 cards in my machine and configure the second card to provide addresses for the rest of my managed computers through dhcp.

If the hw router gives the larger networked machines addresses in the 192.168.0.100-199 range, then I could give the addresses 192.168.0.201 and 192.168.0.202 to eth0 and eth1 in the linux router respectively.

I would really like some help on the what the routing table should look like and the commands to create it.

Something like
0.0.0.0 192.168.0.1 255.255.255.0

Thanks
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 16307638
parkhensley:

Everything is fine until the network address space.

You cannot have the same subnet on both sides of your gateway: it simply would not route anything!

You must choose a different range, say 192.168.1.0 255.255.255.0, like this:

(internet hw router) ------ 192.168.0.X (your linux machine) 192.168.1.1 ---(your managed computers)

These computers would have a 192.168.1.X ip address, with netmask 255.255.255.0 and 192.168.1.1 as their gateway.

If the Internet hardware appliance can handle some routes, add a route to your managed network in it so the other computers know how to reach the other range. something like

192.168.1.0/24 via gateway 192.168.0.X (external ip of your linux gateway)

and of course enable iptables to filter what you do not want to pass across the linux gateway.
0
 

Author Comment

by:parkhensley
ID: 16307700
I didn't mean the above to be complete. That line above should have been
"0.0.0.0 192.168.0.202 255.255.255.0" where 192.168.0.202 is the address of the card that the dhcp server service is bound to on the linux router

Just to get the routing part down I was trying to set the machines up as described above and then set the routing table on the first client and the dhcp server.

192.168.0.0     192.168.0.202     255.255.255.0 #on eth1 the dhcp server
192.168.0.202  192.168.0.1        255.255.255.0
192.168.0.201   192.168.0.1       255.255.255.0
#192.168.0.1 is the hw router and default gateway to the internet for the whole network

I can ping the hw router default gw from the linux machine, but I can't ping anything on the internet and I can't ping the linux router from the other linux box.

Obviously I need some help on the routing table. The firewall part can come after that.

Thanks
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 16307865
again

you cannot have the same subnet on both sides of your linux box. to have routing, you need different subnets and a defined "gateway" that connects both.

so, if eth0 connects to the normal LAN, where your linux box connects to the hardware router, with ip address 192.168.0.202 /24; then on the other card, eth1, you should have any other network but 192.168.0.0/24, since that one is already used. I proposed you to use 192.168.1.0/24, but you can easily use 192.168.100.0/24. like here:

(internet hw router) ------ 192.168.0.202 (your linux machine) 192.168.100.1 ---(your managed computers)

you need to configure dhcp for the eth0 interface and serve 192.168.100.2-254 with 255.255.255.0 for your managed computers, making your own machine the gateway: 192.168.100.1

now, in order to tell the hardware router how to locate the 192.168.100.0/24 network, you should tell it the gateway for that network is 192.168.0.202 (your ip address on the unsafe non-managed-by-you side)

Is it more clear now?
0
 

Author Comment

by:parkhensley
ID: 16317230
Sorry to be a dunce, but I'm still not getting it to work. First, I set a static route in the hw router of: Destination=192.168.100.0/24 (eth1) Subnet Mask=255.255.255.0 and Gateway=192.168.0.201 (eth0). Next I set the ip of eth0 to 192.168.0.201 (external network) and of eth1 to 192.168.100.201 (internal network) both with a subnet mask of 255.255.255.0 and gateway of 192.168.100.201 (the eth1 interface). Now, for the DHCP server service you seemed to say that it should bind to eth0. However, when I try that in SuSE's YaST2 DHCP Server tool, it doesn't allow me to set the client range to that of my managed network (192.168.100.*), but only allows 192.168.0.*. So, it seems that I have to bind it to eth1.

I'll keep raising the points as long as I'm not getting it.

Thanks
0
 
LVL 3

Expert Comment

by:kiitii
ID: 16320548
Please refer to the diagram i was mentioning about.
http://www.2meow.com/EE-diagram.png

Feel free to ask me if you are not sure.

Kiitii
0
 

Author Comment

by:parkhensley
ID: 16321978
It's a broken link.
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 16324271
hello

You need to understand this:

no computer can see an IP Address that's not in its address space!

so, you cannot make Gateway=192.168.0.201 on 192.168.100.0/24 subnet!

this is why we need gateways. they are one box on our network address space that knows how to forward back and forth packets for another subnet. if it happens to be the internet, that subnet is 0.0.0.0/0 =)

so, please refer to my diagram:

(internet hw router) ------ 192.168.0.202 (your linux machine) 192.168.100.1 ---(your managed computers)

here, the (internet hw router) should create a route to the network 192.168.100.0/24, VIA 192.168.0.202 (192.168.0.202 IS the gateway to the subnet 192.168.100.0/24, in the hardware router's point of view)

for the internal, managed-by-you computers, they should have default gateway to be 192.168.100.1 (your linux-gateway ip on that subnet)

got it?

please review carefully what we are trying to explain to you. I sense you are almost there.

Regards
0
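The following is an added example, not code from this thread or from any of its posters. It models the layout the experts describe (one subnet on each side of the Linux box, a static route on the hw router pointing at the Linux box's 192.168.0.202 address, managed clients with 192.168.100.1 as default gateway, and a FORWARD policy that lets only replies come back in from the shared LAN) as a small longest-prefix-match routing simulation, and reproduces the two mistakes discussed above: a gateway address outside the client's subnet, and the same /24 on both network cards. All addresses are constructed for illustration; the 203.0.113.0/24 and 198.51.100.0/24 ranges stand in for the ISP link and an internet host. Nothing here touches a live system; it is only a way to check a planned address layout before typing it into YaST or a firewall script.

```python
# Added example: a minimal longest-prefix-match model of the routing and
# forwarding rules discussed in this thread. All addresses are constructed
# (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts).
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    ifaces: dict                                 # interface name -> IPv4Interface
    routes: list = field(default_factory=list)   # (network, next hop, out device)

    def add_route(self, dest, via, dev):
        """Add a static route. Like the Linux kernel, refuse a next hop that is
        not on a directly connected subnet ('Nexthop has invalid gateway')."""
        via = ipaddress.ip_address(via)
        if not any(via in a.network for a in self.ifaces.values()):
            raise ValueError(f"{self.name}: gateway {via} is not on any connected subnet")
        self.routes.append((ipaddress.ip_network(dest), via, dev))

    def owns(self, dst):
        return any(a.ip == dst for a in self.ifaces.values())

    def lookup(self, dst):
        """Return (next_hop, out_dev) by longest-prefix match. Connected subnets
        are implicit routes whose next hop is the destination itself."""
        dst = ipaddress.ip_address(dst)
        candidates = [(a.network, None, dev) for dev, a in self.ifaces.items()] + self.routes
        best = None
        for net, via, dev in candidates:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via, dev)
        if best is None:
            raise LookupError(f"{self.name}: no route to {dst}")
        net, via, dev = best
        return (via if via is not None else dst), dev


def build_lab():
    """The layout from the accepted advice: a different subnet on each side of the Linux box."""
    hw = Host("hw-router", {"lan": ipaddress.ip_interface("192.168.0.1/24"),
                            "wan": ipaddress.ip_interface("203.0.113.2/30")})
    hw.add_route("0.0.0.0/0", "203.0.113.1", "wan")           # constructed upstream ISP hop
    hw.add_route("192.168.100.0/24", "192.168.0.202", "lan")  # static route to the managed subnet

    gw = Host("linux-gw", {"eth0": ipaddress.ip_interface("192.168.0.202/24"),
                           "eth1": ipaddress.ip_interface("192.168.100.1/24")})
    gw.add_route("0.0.0.0/0", "192.168.0.1", "eth0")

    managed = Host("managed-pc", {"eth0": ipaddress.ip_interface("192.168.100.10/24")})
    managed.add_route("0.0.0.0/0", "192.168.100.1", "eth0")   # what DHCP on eth1 would hand out

    other = Host("other-pc", {"eth0": ipaddress.ip_interface("192.168.0.150/24")})
    other.add_route("0.0.0.0/0", "192.168.0.1", "eth0")       # an unmanaged machine on the shared LAN
    return {h.name: h for h in (hw, gw, managed, other)}


def trace(hosts, src, dst, max_hops=8):
    """Follow next hops from src toward dst; returns the hosts traversed, ending
    in 'upstream' when the packet leaves the hw router's WAN port."""
    dst = ipaddress.ip_address(dst)
    by_ip = {a.ip: h for h in hosts.values() for a in h.ifaces.values()}
    path, cur = [], hosts[src]
    for _ in range(max_hops):
        path.append(cur.name)
        if cur.owns(dst):
            return path
        nh, _dev = cur.lookup(dst)
        if nh not in by_ip:
            return path + ["upstream"]
        cur = by_ip[nh]
    raise RuntimeError("routing loop")


def gateway_forwards(in_dev, out_dev, conntrack_state):
    """The FORWARD policy the thread asks for, as a predicate: the managed side may
    open connections outward; from the shared LAN only replies to those
    connections (conntrack ESTABLISHED) come back in; everything else is dropped."""
    if in_dev == "eth1" and out_dev == "eth0":
        return True
    if in_dev == "eth0" and out_dev == "eth1":
        return conntrack_state == "ESTABLISHED"
    return False


def why_it_failed():
    """Reproduce the two mistakes from the thread and return what the model reports."""
    report = []
    # 1. Gateway=192.168.0.201 handed to a client that lives in 192.168.100.0/24.
    pc = Host("pc", {"eth0": ipaddress.ip_interface("192.168.100.10/24")})
    try:
        pc.add_route("0.0.0.0/0", "192.168.0.201", "eth0")
    except ValueError as e:
        report.append(str(e))
    # 2. The same /24 on both cards: every 192.168.0.x lookup matches the first
    #    card, so the second card never forwards anything.
    box = Host("box", {"eth0": ipaddress.ip_interface("192.168.0.201/24"),
                       "eth1": ipaddress.ip_interface("192.168.0.202/24")})
    devs = {box.lookup(f"192.168.0.{i}")[1] for i in (50, 100, 250)}
    report.append(f"same subnet on both cards: only {sorted(devs)} ever selected")
    return report


if __name__ == "__main__":
    lab = build_lab()
    print(trace(lab, "managed-pc", "198.51.100.7"))   # managed -> linux-gw -> hw-router -> upstream
    print(trace(lab, "other-pc", "192.168.100.10"))   # other -> hw-router -> linux-gw -> managed
    print(gateway_forwards("eth0", "eth1", "NEW"))    # False: the shared LAN cannot open connections in
    for line in why_it_failed():
        print(line)
```

The `add_route` check is the point Gabriel Orozco keeps repeating: a next hop must be on a directly connected subnet, so a 192.168.100.x client cannot use 192.168.0.201 as its gateway. `trace` shows why the hw router needs its static route: without the `192.168.100.0/24 via 192.168.0.202` entry, return traffic from the unmanaged side would fall through to its default route and leave for the internet instead of reaching the Linux box. `gateway_forwards` is the shape of the iptables FORWARD rules (accept `-i eth1 -o eth0`, accept `-i eth0 -o eth1` only with `--ctstate ESTABLISHED,RELATED`, drop the rest) that gives the managed machines the second layer the question asked for.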
 
LVL 3

Accepted Solution

by:
kiitii earned 1200 total points
ID: 16330103
Sorry for the broken link.

Try this
http://meow.homeip.net/EE-diagram.png
0
 

Author Comment

by:parkhensley
ID: 16346119
Sorry to take so long to reply, but I have a data recovery disaster going on on one of my servers. I will get back to this Sunday or Monday.

Thanks
0
