How to configure small linux/windows network with one linux box as a router.

I administer 7 computers - 2 Linux and 5 Windows - inside a network of about 25 computers (I don't manage the others) connected to a HW router (which I also don't administer). My question is what is the best free (no more purchases) Linux way to provide access to each other and to the internet for those I do manage and separation from the computers I don't manage? Should I make one of my Linux boxes a second router before the HW router? If so, how do I set up the routing tables? Right now, all 25 machines are configured through DHCP provided by the HW router, but I can give static addresses to my 7 if that's the way to go.

Thanks
parkhensley Asked:
kiitii Commented:
Sorry for the broken link.

Try this
http://meow.homeip.net/EE-diagram.png
0
 
leisner Commented:
Do you use NAT? Is the router a router or a firewall?
Do you run dynamic DNS?
I'm not sure which distro of Linux to use -- I use Red Hat/Fedora -- I wouldn't get something bleeding edge.

If you make one of the Linux machines a router, you have a single point of failure when something goes wrong -- not sure you gain anything and you may make headaches for yourself....

The routing tables really are no problem -- you just specify a "gateway" (the router) -- if your DHCP is set up right, it should be automatic...

0
 
parkhensley Author Commented:
I should have said that the HW router provides NAT and limited firewall capability. I have several distros currently under evaluation.

The default configuration of just using the hw router as the only solution works, but when I do netstat -a, I am always finding uninvited connections ESTABLISHED or LISTENING on various ports and this bothers me because I have quite a bit of confidential material on several of the machines (and they all need internet access) and so I wanted an extra layer of protection.
0
 
leisner Commented:
Maybe treat the confidential information on specific machines with a higher amount of security on these machines...

Putting another firewall/router in there may cause other problems -- you have to evaluate if it's worth it.

Lots of ways to go....

0
 
kiitii Commented:
Perhaps, you can try http://www.smoothwall.org
It's a firewall-oriented Linux distro. (Warning: it will wipe all your hard disk data during the installation.)

Put it this way.

Separate them into a few zones.

Internet zone.
DMZ zone.
LAN zone.

So meaning, you will need 3 network cards for this Smoothwall,
and configure them into these 3 zones.

I suggest you:

1. Connect the internet zone network card to your HW router/firewall.
2. Connect the DMZ zone network card to your Linux-based computers. (Configure every box with a fixed IP address.)
3. Connect the LAN zone network card to your Windows-based computers,
and configure DHCP for this card.

Hope this helps.
0
 
Gabriel Orozco (Solution Architect) Commented:
mmhh...

I think you need first to shape a more secure layout.
I would do this:

 internet --- hw router ----(all other computers you do not manage, along with one of your linux computers) --- (a sub-lan of your managed computers)

Note that you need an extra Ethernet card for the Linux computer you choose to be the firewall/gateway of your managed computers, along with a switch/hub for them to connect to.

If you do it this way, all other computers you do not administer will not be able to connect to the protected computers (they will be behind a Linux firewall).

You shall then configure a firewall for your Linux computer, along with a DHCP server for the internal computers.

If you do that, you'll be set for a double-firewall layout which is far more secure than what you have right now, while being easy to administer.

Hope this and the previous post of kiitii can drive you on the lane to what you want to do.
There are lots of firewall scripts (all of them manage the internal Linux firewall, named NETFILTER) and Smoothwall is a good one, as I have read. I tend to use my own written scripts, however.

Regards
0
 
parkhensley Author Commented:
I have 2 Ethernet cards in the Linux computer that I would make the gateway for my managed computers. Let me get what kiitii and Redimido are saying.

I connect my Linux gateway box into the HW router for the main network through one of the cards, and a hub for my other computers to connect to through the second card. I set static IPs on the 2 cards in my machine and configure the second card to provide addresses for the rest of my managed computers through DHCP.

If the hw router gives the larger networked machines addresses in the 192.168.0.100-199 range, then I could give the addresses 192.168.0.201 and 192.168.0.202 to eth0 and eth1 in the linux router respectively.

I would really like some help on what the routing table should look like and the commands to create it.

Something like
0.0.0.0 192.168.0.1 255.255.255.0

Thanks
0
 
Gabriel Orozco (Solution Architect) Commented:
parkhensley:

Everything is fine until the network address space.

You cannot have the same subnet on both sides of your gateway: it simply would not route anything!

You must choose a different range, say 192.168.1.0 255.255.255.0, like this:

(internet hw router) ------ 192.168.0.X (your linux machine) 192.168.1.1 ---(your managed computers)

These computers would have a 192.168.1.X ip address, with netmask 255.255.255.0 and 192.168.1.1 as their gateway.

If the Internet hardware appliance can handle some routes, add a route to your managed network in it so the other computers know how to reach the other range. Something like

192.168.1.0/24 via gateway 192.168.0.X (external ip of your linux gateway)

And of course enable iptables to filter what you do not want to pass across the Linux gateway.
0
 
parkhensley Author Commented:
I didn't mean the above to be complete. That line above should have been
"0.0.0.0 192.168.0.202 255.255.255.0" where 192.168.0.202 is the address of the card that the DHCP server service is bound to on the Linux router.

Just to get the routing part down I was trying to set the machines up as described above and then set the routing table on the first client and the dhcp server.

192.168.0.0     192.168.0.202     255.255.255.0 #on eth1 the dhcp server
192.168.0.202  192.168.0.1        255.255.255.0
192.168.0.201   192.168.0.1       255.255.255.0
#192.168.0.1 is the hw router and default gateway to the internet for the whole network

I can ping the HW router default gw from the Linux machine, but I can't ping anything on the internet and I can't ping the Linux router from the other Linux box.

Obviously I need some help on the routing table. The firewall part can come after that.

Thanks
0
 
Gabriel Orozco (Solution Architect) Commented:
Again:

You cannot have the same subnet on both sides of your Linux box. To have routing, you need different subnets and a defined "gateway" that connects both.

So, if eth0 connects to the normal LAN, where your Linux box connects to the hardware router, with IP address 192.168.0.202/24, then on the other card, eth1, you should have any other network but 192.168.0.0/24, since that one is already used. I proposed you use 192.168.1.0/24, but you can easily use 192.168.100.0/24, like here:

(internet hw router) ------ 192.168.0.202 (your linux machine) 192.168.100.1 ---(your managed computers)

You need to configure DHCP for the eth0 interface and serve 192.168.100.2-254 with 255.255.255.0 for your managed computers, making your own machine the gateway: 192.168.100.1

Now, in order to tell the hardware router how to locate the 192.168.100.0/24 network, you should tell it the gateway for that network is 192.168.0.202 (your IP address on the unsafe, non-managed-by-you side).

Is it more clear now?
0
 
parkhensley Author Commented:
Sorry to be a dunce, but I'm still not getting it to work. First, I set a static route in the HW router of: Destination=192.168.100.0/24 (eth1) Subnet Mask=255.255.255.0 and Gateway=192.168.0.201 (eth0). Next I set the IP of eth0 to 192.168.0.201 (external network) and of eth1 to 192.168.100.201 (internal network), both with a subnet mask of 255.255.255.0 and gateway of 192.168.100.201 (the eth1 interface). Now, for the DHCP server service you seemed to say that it should bind to eth0. However, when I try that in SuSE's YaST2 DHCP Server tool, it doesn't allow me to set the client range to that of my managed network (192.168.100.*), but only allows 192.168.0.*. So, it seems that I have to bind it to eth1.

I'll keep raising the points as long as I'm not getting it.

Thanks
0
 
kiitii Commented:
Please refer to the diagram I was mentioning.
http://www.2meow.com/EE-diagram.png

Feel free to ask me if you are not sure.

Kiitii
0
 
parkhensley Author Commented:
It's a broken link.
0
 
Gabriel Orozco (Solution Architect) Commented:
Hello,

You need to understand this:

No computer can see an IP address that's not in its address space!

So, you cannot make Gateway=192.168.0.201 on the 192.168.100.0/24 subnet!

This is why we need gateways. They are one box in our network address space that knows how to forward packets back and forth for another subnet. If it happens to be the internet, that subnet is 0.0.0.0/0 =)

So, please refer to my diagram:

(internet hw router) ------ 192.168.0.202 (your linux machine) 192.168.100.1 ---(your managed computers)

Here, the (internet hw router) should create a route to the network 192.168.100.0/24 VIA 192.168.0.202 (192.168.0.202 IS the gateway to the subnet 192.168.100.0/24, from the hardware router's point of view).

For the internal, managed-by-you computers, they should have the default gateway be 192.168.100.1 (your Linux gateway's IP on that subnet).

Got it?

Please review carefully what we are trying to explain to you. I sense you are almost there.

Regards
0
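To make the routing rule from Gabriel's posts concrete, here is an added example (not code from any poster) that models the route tables with Python's ipaddress module: it does longest-prefix lookup, rejects a next hop that is not on a local subnet (the asker's Gateway=192.168.0.201 on the 192.168.100.0/24 side), and rejects two interfaces in the same subnet (the earlier 192.168.0.201/192.168.0.202 attempt). The addresses are the values proposed in the thread; the interface names and tuple layout are my own assumptions.

```python
import ipaddress

# Constructed model of the layout Gabriel describes (assumed values, not a config from the page):
# linux box eth0 192.168.0.202/24 toward the hw router 192.168.0.1, eth1 192.168.100.1/24 toward managed PCs.
LINUX_GW = {"eth0": "192.168.0.202/24", "eth1": "192.168.100.1/24"}
HW_ROUTER_IP = "192.168.0.1"

def on_link_iface(ifaces, addr):
    """Name of the interface whose subnet contains addr, or None if no local subnet does."""
    a = ipaddress.ip_address(addr)
    for name, cidr in ifaces.items():
        if a in ipaddress.ip_interface(cidr).network:
            return name
    return None

def add_route(routes, ifaces, dest, via):
    """Append a route; the next hop must lie inside one of this box's own subnets."""
    iface = on_link_iface(ifaces, via)
    if iface is None:
        raise ValueError(f"gateway {via} is not in any local subnet")
    routes.append((ipaddress.ip_network(dest), ipaddress.ip_address(via), iface))

def build_routes(ifaces, default_gw):
    """Connected routes plus a default route; rejects the two mistakes from the thread."""
    nets = [ipaddress.ip_interface(c).network for c in ifaces.values()]
    if len(set(nets)) != len(nets):
        raise ValueError("same subnet on both interfaces: nothing would route")
    routes = [(net, None, name) for name, net in zip(ifaces, nets)]
    add_route(routes, ifaces, "0.0.0.0/0", default_gw)
    return routes

def lookup(routes, dst):
    """Longest-prefix match; returns (next_hop, iface), next_hop None meaning directly connected."""
    d = ipaddress.ip_address(dst)
    matches = [r for r in routes if d in r[0]]
    if not matches:
        raise LookupError(f"no route to {dst}")
    net, via, iface = max(matches, key=lambda r: r[0].prefixlen)
    return via, iface

if __name__ == "__main__":
    table = build_routes(LINUX_GW, HW_ROUTER_IP)
    print(lookup(table, "8.8.8.8"))         # (IPv4Address('192.168.0.1'), 'eth0')
    print(lookup(table, "192.168.100.57"))  # (None, 'eth1')
```

The same functions model the hardware router: give it a static route for 192.168.100.0/24 via 192.168.0.202 with add_route, and lookups for managed addresses resolve to the Linux box's external interface.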
 
parkhensley Author Commented:
Sorry to take so long to reply, but I have a data recovery disaster going on on one of my servers. I will get back to this Sunday or Monday.

Thanks
0