
How to configure a small Linux/Windows network with one Linux box as a router.

Asked by parkhensley (Medium Priority). Last Modified: 2010-03-18
I administer 7 computers - 2 Linux and 5 Windows - inside a network of about 25 computers (I don't manage the others) connected to a HW router (which I also don't administer). My question is what is the best free (no more purchases) Linux way to provide access to each other and to the internet for those I do manage and separation from the computers I don't manage? Should I make one of my Linux boxes a second router before the HW router? If so, how do I set up the routing tables? Right now, all 25 machines are configured through DHCP provided by the HW router, but I can give static addresses to my 7 if that's the way to go.

Thanks

Commented:
Do you use NAT? Is the router a router or a firewall?
Do you run dynamic DNS?
I'm not sure which distro of Linux to use -- I use Red Hat/Fedora -- I wouldn't get something bleeding edge.

If you make one of the Linux machines a router, you have a single point of failure when something goes wrong -- not sure you gain anything, and you may make headaches for yourself....

The routing tables really are no problem -- you just specify a "gateway" (the router) -- if your DHCP is set up right, it should be automatic...

Author

Commented:
I should have said that the hw router provides NAT and limited firewall capability. I have several distros currently under evaluation.  

The default configuration of just using the hw router as the only solution works, but when I do netstat -a, I am always finding uninvited connections ESTABLISHED or LISTENING on various ports and this bothers me because I have quite a bit of confidential material on several of the machines (and they all need internet access) and so I wanted an extra layer of protection.

Commented:
Maybe treat the confidential information on specific machines with a higher amount of security on those machines...

Putting another firewall/router in there may cause other problems -- you have to evaluate if its worth it.

Lots of ways to go....

Commented:
Perhaps, you can try http://www.smoothwall.org
It's a firewall-oriented Linux distro. (Warning: it will wipe all the data on your hard disk during the installation.)

Put it this way.

Separate them into a few zones.

Internet zone.
DMZ zone.
LAN zone.

So this means you will need 3 network cards for this Smoothwall box,
and configure them into these 3 zones.

I suggest you:-

1. Connect the Internet zone network card to your HW router/firewall.
2. Connect the DMZ zone network card to your Linux-based computers. (Configure every box with a fixed IP address.)
3. Connect the LAN zone network card to your Windows-based computers,
and configure DHCP for this card.

Hope this helps.

Gabriel Orozco (Solution Architect)

Commented:
mmhh...

I think you first need to shape a more secure layout.
I would do this:

 internet --- hw router ----(all other computers you do not manage, along with one of your linux computers) --- (a sub-lan of your managed computers)

Note that you need an extra Ethernet card for the Linux computer you choose to be the firewall/gateway of your managed computers, along with a switch/hub for them to connect to.

If you do this way, all other computers you do not administer will not be able to connect to the protected computers (they will be behind a linux firewall)

You should then configure a firewall on your Linux computer, along with a DHCP server for the internal computers.

If you do that, you'll be set for a double-firewall layout, which is far more secure than what you have right now, while being easy to administer.

Hope this and the previous post by kiitii can drive you down the lane to what you want to do.
There are lots of firewall scripts (all of them manage the internal Linux firewall, named NETFILTER), and Smoothwall is a good one, as I have read. I tend to use my own written scripts, however.

Regards

Author

Commented:
I have 2 Ethernet cards in the Linux computer that I would make the gateway for my managed computers. Let me get what kiitii and Redimido are saying.

I connect my Linux gateway box into the HW router for the main network through one of the cards, and a hub for my other computers to connect through the second card. I set static IPs on the 2 cards in my machine and configure the second card to provide addresses for the rest of my managed computers through DHCP.

If the hw router gives the larger networked machines addresses in the 192.168.0.100-199 range, then I could give the addresses 192.168.0.201 and 192.168.0.202 to eth0 and eth1 in the linux router respectively.

I would really like some help on the what the routing table should look like and the commands to create it.

Something like
0.0.0.0 192.168.0.1 255.255.255.0

Thanks
Gabriel Orozco (Solution Architect)

Commented:
parkhensley:

Everything is fine until the network address space.

You cannot have the same subnet on both sides of your gateway: it simply would not route anything!

You must choose a different range, say 192.168.1.0 255.255.255.0, like this:

(internet hw router) ------ 192.168.0.X (your linux machine) 192.168.1.1 ---(your managed computers)

These computers would have a 192.168.1.X ip address, with netmask 255.255.255.0 and 192.168.1.1 as their gateway.

If the Internet hardware appliance can handle some routes, add a route to your managed network in it so the other computers know how to reach the other range. something like

192.168.1.0/24 via gateway 192.168.0.X (external ip of your linux gateway)

and of course enable iptables to filter what you do not want to pass across the linux gateway.

Author

Commented:
I didn't mean the above to be complete. That line above should have been
"0.0.0.0 192.168.0.202 255.255.255.0" where 192.168.0.202 is the address of the card that the dhcp server service is bound to on the linux router

Just to get the routing part down I was trying to set the machines up as described above and then set the routing table on the first client and the dhcp server.

192.168.0.0     192.168.0.202     255.255.255.0 #on eth1 the dhcp server
192.168.0.202  192.168.0.1        255.255.255.0
192.168.0.201   192.168.0.1       255.255.255.0
#192.168.0.1 is the hw router and default gateway to the internet for the whole network

I can ping the hw router default gw from the linux machine, but I can't ping anything on the internet and I can't ping the linux router from the other linux box.

Obviously I need some help on the routing table. The firewall part can come after that.

Thanks
Gabriel Orozco (Solution Architect)

Commented:
again

you cannot have the same subnet on both sides of your linux box. to have routing, you need different subnets and a defined "gateway" that connects both.

so, if eth0 connects to the normal LAN, where your linux box connects to the hardware router, with ip address 192.168.0.202 /24; then on the other card, eth1, you should have any other network but 192.168.0.0/24, since that one is already used. I proposed you to use 192.168.1.0/24, but you can easily use 192.168.100.0/24. like here:

(internet hw router) ------ 192.168.0.202 (your linux machine) 192.168.100.1 ---(your managed computers)

you need to configure DHCP for the eth0 interface and serve 192.168.100.2-254 with 255.255.255.0 to your managed computers, making your own machine the gateway: 192.168.100.1

now, in order to tell the hardware router how to locate the 192.168.100.0/24 network, you should tell it the gateway for that network is 192.168.0.202 (your IP address on the unsafe, not-managed-by-you side)

Is it more clear now?

Author

Commented:
Sorry to be a dunce, but I'm still not getting it to work. First, I set a static route in the HW router of: Destination=192.168.100.0/24 (eth1), Subnet Mask=255.255.255.0 and Gateway=192.168.0.201 (eth0). Next I set the IP of eth0 to 192.168.0.201 (external network) and of eth1 to 192.168.100.201 (internal network), both with a subnet mask of 255.255.255.0 and gateway of 192.168.100.201 (the eth1 interface). Now, for the DHCP server service you seemed to say that it should bind to eth0. However, when I try that in SuSE's YaST2 DHCP Server tool, it doesn't allow me to set the client range to that of my managed network (192.168.100.*), but only allows 192.168.0.*. So, it seems that I have to bind it to eth1.

I'll keep raising the points as long as I'm not getting it.

Thanks

Commented:
Please refer to the diagram I was mentioning.
http://www.2meow.com/EE-diagram.png

Feel free to ask me if you are not sure.

Kiitii

Author

Commented:
It's a broken link.
Gabriel Orozco (Solution Architect)

Commented:
hello

You need to understand this:

no computer can see an IP address that's not in its address space!

so, you cannot make Gateway=192.168.0.201 on 192.168.100.0/24 subnet!

this is why we need gateways. They are one box in our network address space that knows how to forward packets back and forth for another subnet. If it happens to be the Internet, that subnet is 0.0.0.0/0 =)

so, please refer to my diagram:

(internet hw router) ------ 192.168.0.202 (your linux machine) 192.168.100.1 ---(your managed computers)

here, the (internet hw router) should create a route to the network 192.168.100.0/24, VIA 192.168.0.202 (192.168.0.202 IS the gateway to the subnet 192.168.100.0/24, in the hardware router's point of view)

for the internal, managed-by-you computers, they should have default gateway to be 192.168.100.1 (your linux-gateway ip on that subnet)

got it?

please review carefully what we are trying to explain to you. I sense you are almost there.

Regards
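
As an added example (not posted by any participant in the thread), the two-subnet layout Redimido describes here and in his earlier post, with the rule "a host can only use a gateway inside its own subnet" written as a check. The interface names eth0/eth1, the addresses 192.168.0.202 and 192.168.100.1, the hardware router at 192.168.0.1 and the ISC dhcpd subnet stanza are taken from the thread's own examples; the iptables rules and the MASQUERADE fallback for an appliance that cannot hold a static route are assumptions about how a practitioner would complete the setup, not anything the posters wrote.

```python
# Added example: sanity-check the two-subnet Linux gateway layout from the
# thread and render the commands that implement it. Interface names,
# addresses and the dhcpd/iptables details are assumptions, not the
# poster's real configuration.
import ipaddress
from dataclasses import dataclass


@dataclass
class Gateway:
    wan_if: str            # card facing the hardware router
    wan_addr: str          # e.g. "192.168.0.202/24"
    hw_router: str         # default gateway of the Linux box itself
    lan_if: str            # card facing the managed computers
    lan_addr: str          # e.g. "192.168.100.1/24"
    dhcp_first: str
    dhcp_last: str
    hw_router_has_route: bool = True   # can the appliance hold a static route?


def host_can_use_gateway(host_cidr: str, gateway_ip: str) -> bool:
    """A host can only hand packets to a gateway that sits in its own subnet."""
    return ipaddress.ip_address(gateway_ip) in ipaddress.ip_interface(host_cidr).network


def check(gw: Gateway) -> list:
    """Return the reasons the layout cannot route; an empty list means it can."""
    wan = ipaddress.ip_interface(gw.wan_addr)
    lan = ipaddress.ip_interface(gw.lan_addr)
    problems = []
    if wan.network.overlaps(lan.network):
        problems.append(f"{lan.network} overlaps {wan.network}: both sides of the box "
                        "share a subnet, so nothing gets routed")
    if not host_can_use_gateway(gw.wan_addr, gw.hw_router):
        problems.append(f"hardware router {gw.hw_router} is not inside {wan.network}")
    first, last = ipaddress.ip_address(gw.dhcp_first), ipaddress.ip_address(gw.dhcp_last)
    if first > last or first not in lan.network or last not in lan.network:
        problems.append(f"DHCP range {first}-{last} must lie inside {lan.network}")
    elif first <= lan.ip <= last:
        problems.append(f"DHCP range hands out the gateway's own address {lan.ip}")
    return problems


def render(gw: Gateway) -> dict:
    """Shell commands for the Linux box, the dhcpd subnet stanza, and the static
    route the hardware router needs (or NAT on the box if it cannot take one)."""
    problems = check(gw)
    if problems:
        raise ValueError("; ".join(problems))
    wan = ipaddress.ip_interface(gw.wan_addr)
    lan = ipaddress.ip_interface(gw.lan_addr)
    shell = [
        "sysctl -w net.ipv4.ip_forward=1",
        f"ip addr add {wan} dev {gw.wan_if}",
        f"ip addr add {lan} dev {gw.lan_if}",
        f"ip route add default via {gw.hw_router} dev {gw.wan_if}",
        # Default-deny forwarding: managed side may initiate, only replies come back.
        "iptables -P FORWARD DROP",
        f"iptables -A FORWARD -i {gw.lan_if} -o {gw.wan_if} -s {lan.network} -j ACCEPT",
        f"iptables -A FORWARD -i {gw.wan_if} -o {gw.lan_if} -d {lan.network} "
        "-m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    hw_route = f"{lan.network} via {wan.ip}"   # what to enter on the appliance
    if not gw.hw_router_has_route:
        # Appliance cannot learn the inner subnet: hide it behind the WAN address.
        shell.append(f"iptables -t nat -A POSTROUTING -o {gw.wan_if} "
                     f"-s {lan.network} -j MASQUERADE")
        hw_route = None
    dhcpd = (
        f"subnet {lan.network.network_address} netmask {lan.network.netmask} {{\n"
        f"  range {gw.dhcp_first} {gw.dhcp_last};\n"
        f"  option routers {lan.ip};\n"
        "}"
    )
    return {"shell": shell, "dhcpd": dhcpd, "hw_router_route": hw_route}


# The thread's working layout, and the same-subnet attempt it corrects.
GOOD = Gateway("eth0", "192.168.0.202/24", "192.168.0.1",
               "eth1", "192.168.100.1/24", "192.168.100.2", "192.168.100.254")
SAME_SUBNET = Gateway("eth0", "192.168.0.201/24", "192.168.0.1",
                      "eth1", "192.168.0.202/24", "192.168.0.100", "192.168.0.199")

if __name__ == "__main__":
    out = render(GOOD)
    print("\n".join(out["shell"]))
    print(out["dhcpd"])
    print("static route for the HW router:", out["hw_router_route"])
    print("same-subnet layout:", check(SAME_SUBNET))
    # A 192.168.100.x host pointed at 192.168.0.201 as its gateway cannot reach it.
    print(host_can_use_gateway("192.168.100.50/24", "192.168.0.201"))
```

Running it prints the commands for the Linux box, the dhcpd stanza to bind to the inner card, and the one route the appliance must carry; the default-deny FORWARD chain is the "extra layer" the question asks for, since nothing on the unmanaged side can open a connection into the inner subnet. If the appliance cannot take a static route, set hw_router_has_route=False and the inner subnet is masqueraded behind 192.168.0.202 instead.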
Commented:
Sorry for the broken link.

Try this
http://meow.homeip.net/EE-diagram.png

Author

Commented:
Sorry to take so long to reply, but I have a data recovery disaster going on on one of my servers. I will get back to this Sunday or Monday.

Thanks