How to configure a small Linux/Windows network with one Linux box as a router.

I administer 7 computers - 2 Linux and 5 Windows - inside a network of about 25 computers (I don't manage the others) connected to a HW router (which I also don't administer). My question is what is the best free (no more purchases) Linux way to provide access to each other and to the internet for those I do manage and separation from the computers I don't manage? Should I make one of my Linux boxes a second router before the HW router? If so, how do I set up the routing tables? Right now, all 25 machines are configured through DHCP provided by the HW router, but I can give static addresses to my 7 if that's the way to go.

Thanks
parkhensley asked:

leisner commented:
Do you use NAT? Is the router a router or a firewall?
Do you run dynamic DNS?
I'm not sure which distro of Linux to use -- I use Red Hat/Fedora -- I wouldn't get something bleeding edge.

If you make one of the linux machines a  router, you have a single point of failure when something goes wrong -- not sure you gain anything and you may make headaches for yourself....

The routing tables really are no problem -- you just specify a "gateway" (the router) -- if your DHCP is set up right, it should be automatic...

parkhensley (Author) commented:
I should have said that the HW router provides NAT and limited firewall capability. I have several distros currently under evaluation.

The default configuration of just using the hw router as the only solution works, but when I do netstat -a, I am always finding uninvited connections ESTABLISHED or LISTENING on various ports and this bothers me because I have quite a bit of confidential material on several of the machines (and they all need internet access) and so I wanted an extra layer of protection.
leisner commented:
Maybe treat the confidential information on specific machines with a higher amount of security on these machines...

Putting another firewall/router in there may cause other problems -- you have to evaluate if it's worth it.

Lots of ways to go....

kiitii commented:
Perhaps you can try http://www.smoothwall.org
It's a firewall-oriented Linux distro. (Warning: it will wipe all your hard disk data during the installation.)

Put it this way.

Separate them into a few zones.

Internet zone.
DMZ zone.
LAN zone.

So that means you will need 3 network cards for this Smoothwall box,
and configure them into these 3 zones.

I suggest you:

1. Connect the internet zone network card to your HW router/firewall.
2. Connect the DMZ zone network card to your Linux-based computers (configure every box with a fixed IP address).
3. Connect the LAN zone network card to your Windows-based computers,
and configure DHCP for this card.

Hope this helps.
Gabriel Orozco (Solution Architect) commented:
mmhh...

I think you need first to shape a more secure layout.
I would do this:

 internet --- hw router ----(all other computers you do not manage, along with one of your linux computers) --- (a sub-lan of your managed computers)

note that you need an extra ethernet card for the linux computer you choose to be the firewall/gateway of your managed computers, along with a switch/hub for them to connect.

If you do this way, all other computers you do not administer will not be able to connect to the protected computers (they will be behind a linux firewall)

you shall then configure a firewall for your linux computer, along with dhcp server for internal computers.

if you do that, you'll be set for a double firewall layout which is far more secure than what you have right now, while being easy to administer.

hope this and the previous post from kiitii can put you on the lane to what you want to do.
there are lots of firewall scripts (all of them manage the internal Linux firewall, named NETFILTER) and smoothwall is a good one, as I have read. I tend to use my own written scripts, however.

Regards
parkhensley (Author) commented:
I have 2 ethernet cards in the linux computer that I would make the gateway for my managed computers. Let me get what kiitii and Redimido are saying.

I connect my Linux gateway box into the HW router for the main network through one of the cards, and a hub for my other computers to connect to through the second card. I set static IPs on the 2 cards in my machine and configure the second card to provide addresses for the rest of my managed computers through DHCP.

If the hw router gives the larger networked machines addresses in the 192.168.0.100-199 range, then I could give the addresses 192.168.0.201 and 192.168.0.202 to eth0 and eth1 in the linux router respectively.

I would really like some help on the what the routing table should look like and the commands to create it.

Something like
0.0.0.0 192.168.0.1 255.255.255.0

Thanks
Gabriel Orozco (Solution Architect) commented:
parkhensley:

Everything is fine until the network address space.

You cannot have the same subnet on both sides of your gateway: it simply would not route anything!

You must choose a different range, say 192.168.1.0 255.255.255.0, like this:

(internet hw router) ------ 192.168.0.X (your linux machine) 192.168.1.1 ---(your managed computers)

These computers would have a 192.168.1.X ip address, with netmask 255.255.255.0 and 192.168.1.1 as their gateway.

If the Internet hardware appliance can handle some routes, add a route to your managed network in it so the other computers know how to reach the other range. Something like

192.168.1.0/24 via gateway 192.168.0.X (external ip of your linux gateway)

and of course enable iptables to filter what you do not want to pass across the linux gateway.
parkhensley (Author) commented:
I didn't mean the above to be complete. That line above should have been
"0.0.0.0 192.168.0.202 255.255.255.0" where 192.168.0.202 is the address of the card that the dhcp server service is bound to on the linux router

Just to get the routing part down I was trying to set the machines up as described above and then set the routing table on the first client and the dhcp server.

192.168.0.0     192.168.0.202   255.255.255.0   # on eth1, the DHCP server
192.168.0.202   192.168.0.1     255.255.255.0
192.168.0.201   192.168.0.1     255.255.255.0
# 192.168.0.1 is the HW router and default gateway to the internet for the whole network

I can ping the hw router default gw from the linux machine, but I can't ping anything on the internet and I can't ping the linux router from the other linux box.

Obviously I need some help on the routing table. The firewall part can come after that.

Thanks
Gabriel Orozco (Solution Architect) commented:
Again

you cannot have the same subnet on both sides of your linux box. to have routing, you need different subnets and a defined "gateway" that connects both.

so, if eth0 connects to the normal LAN, where your linux box connects to the hardware router, with ip address 192.168.0.202 /24; then on the other card, eth1, you should have any other network but 192.168.0.0/24, since that one is already used. I proposed you to use 192.168.1.0/24, but you can easily use 192.168.100.0/24. like here:

(internet hw router) ------ 192.168.0.202 (your linux machine) 192.168.100.1 ---(your managed computers)

you need to configure dhcp for the eth0 interface and serve 192.168.100.2-254 with 255.255.255.0 for your managed computers, making your own machine the gateway: 192.168.100.1

now, in order to tell the hardware router how to locate the 192.168.100.0/24 network, you should tell it the gateway for that network is 192.168.0.202 (your ip address on the unsafe, non-managed-by-you side)

Is it more clear now?
parkhensley (Author) commented:
Sorry to be a dunce, but I'm still not getting it to work. First, I set a static route in the HW router of: Destination=192.168.100.0/24 (eth1), Subnet Mask=255.255.255.0 and Gateway=192.168.0.201 (eth0). Next I set the IP of eth0 to 192.168.0.201 (external network) and of eth1 to 192.168.100.201 (internal network), both with a subnet mask of 255.255.255.0 and a gateway of 192.168.100.201 (the eth1 interface). Now, for the DHCP server service you seemed to say that it should bind to eth0. However, when I try that in SuSE's YaST2 DHCP Server tool, it doesn't allow me to set the client range to that of my managed network (192.168.100.*), but only allows 192.168.0.*. So, it seems that I have to bind it to eth1.

I'll keep raising the points as long as I'm not getting it.

Thanks
kiitii commented:
Please refer to the diagram I was mentioning.
http://www.2meow.com/EE-diagram.png

Feel free to ask me if you are not sure.

Kiitii
parkhensley (Author) commented:
It's a broken link.
Gabriel Orozco (Solution Architect) commented:
hello

You need to understand this:

no computer can see an IP address that's not in its address space!

so, you cannot make Gateway=192.168.0.201 on 192.168.100.0/24 subnet!

this is why we need gateways. they are one box on our network address space that knows how to forward packets back and forth for another subnet. if it happens to be the internet, that subnet is 0.0.0.0/0 =)

so, please refer to my diagram:

(internet hw router) ------ 192.168.0.202 (your linux machine) 192.168.100.1 ---(your managed computers)

here, the (internet hw router) should create a route to the network 192.168.100.0/24, VIA 192.168.0.202 (192.168.0.202 IS the gateway to the subnet 192.168.100.0/24, in the hardware router's point of view)

for the internal, managed-by-you computers, they should have default gateway to be 192.168.100.1 (your linux-gateway ip on that subnet)

got it?

please review carefully what we are trying to explain to you. I sense you are almost there.

Regards
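An added example, not from this thread: a small Python model of the next-hop decision described in the two replies above, using the thread's own addresses (192.168.0.1 for the HW router, 192.168.0.202 and 192.168.100.1 for the Linux gateway). The upstream side 203.0.113.0/24, the managed client 192.168.100.50 and the unmanaged PC 192.168.0.150 are constructed for the example. It traces the default-route chain out to the internet, shows why the HW router needs the static route back to 192.168.100.0/24, and rejects a gateway that is not on the host's own subnet (192.168.0.201 configured on a 192.168.100.x host).

```python
import ipaddress as ipa
def make_host(addrs, routes=()):
    """addrs: 'ip/prefix' per interface; routes: ('net/prefix', gateway) pairs."""
    ifaces = [ipa.ip_interface(a) for a in addrs]
    table = [(i.network, None) for i in ifaces]   # directly connected subnets
    for net, gw in routes:
        net, gw = ipa.ip_network(net), ipa.ip_address(gw)
        # A gateway is only usable if it sits on one of this host's own subnets.
        if not any(gw in i.network for i in ifaces):
            raise ValueError(f"gateway {gw} is not on a local subnet of {addrs}")
        table.append((net, gw))
    return table

def next_hop(table, dst):
    """Longest-prefix match: gateway IP, the destination itself if connected, else None."""
    dst = ipa.ip_address(dst)
    hits = [(net, gw) for net, gw in table if dst in net]
    if not hits:
        return None
    net, gw = max(hits, key=lambda r: r[0].prefixlen)
    return gw if gw is not None else dst

def trace(hosts, src, dst):
    """Follow a packet hop by hop through the modelled hosts (keyed by IP string)."""
    path, cur = [src], src
    while cur in hosts and cur != dst:
        hop = next_hop(hosts[cur], dst)
        if hop is None:
            return path + ["unroutable"]
        cur = str(hop)
        path.append(cur)
    return path

# Constructed topology from the thread; 203.0.113.0/24 stands in for the ISP side.
HW_ROUTER = make_host(["192.168.0.1/24", "203.0.113.2/24"],
                      [("0.0.0.0/0", "203.0.113.1"),
                       ("192.168.100.0/24", "192.168.0.202")])  # the static route
LINUX_GW = make_host(["192.168.0.202/24", "192.168.100.1/24"],
                     [("0.0.0.0/0", "192.168.0.1")])
MANAGED = make_host(["192.168.100.50/24"], [("0.0.0.0/0", "192.168.100.1")])
OTHER_PC = make_host(["192.168.0.150/24"], [("0.0.0.0/0", "192.168.0.1")])
HOSTS = {"192.168.0.1": HW_ROUTER, "203.0.113.2": HW_ROUTER, "192.168.0.202": LINUX_GW,
         "192.168.100.1": LINUX_GW, "192.168.100.50": MANAGED, "192.168.0.150": OTHER_PC}

def bad_client():
    # The thread's failing config: a 192.168.100.x host given a 192.168.0.x gateway.
    try:
        make_host(["192.168.100.201/24"], [("0.0.0.0/0", "192.168.0.201")])
    except ValueError as e:
        return str(e)
```

Remove the static route from HW_ROUTER and trace(HOSTS, "192.168.0.150", "192.168.100.50") ends at the ISP hop instead of the managed client, which is exactly the "other computers cannot reach the other range" case the reply warns about.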
kiitii commented:
Sorry for the broken link.

Try this
http://meow.homeip.net/EE-diagram.png

parkhensley (Author) commented:
Sorry to take so long to reply, but I have a data recovery disaster going on on one of my servers. I will get back to this Sunday or Monday.

Thanks