Setup CentOS 5.5 as Linux gateway

I am a linux newbie, so please bear with me.

Trying to set up a linux gateway. I have installed CentOS 5.6 and that's ok.
The PC has 2 network adaptors
eth0 connects to the WAN and eth1 connects to LAN
eth1 is static - 192.168.1.1

I can access the web on the linux machine.

I have set up dhcp on the linux machine:
yum -y install dhcp
I have also changed this file : /etc/sysconfig/dhcpd   and set the following:
DHCPDARGS=eth1

I have then typed the following commands:
#echo 1 > /proc/sys/net/ipv4/ip_forward

# /sbin/iptables -P FORWARD ACCEPT
# /sbin/iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE
# service iptables save

# chkconfig dhcpd on
# service network restart
# service dhcpd restart

Machines on the LAN are now getting the IP addresses correctly.
If I try to ping the internet, I can only ping IP addresses NOT domain names
On the LAN machines, the DNS assigned by the DHCP server is 208.67.222.222  (OpenDNS)
On the LAN machine if I set the DNS manually, I still cannot ping domain names, but I can ping IP addresses on the web.

If I restart the Linux machine, I cannot ping anything, unless I retype the following command:
#echo 1 > /proc/sys/net/ipv4/ip_forward

Then I can ping IP addresses.

Can anyone help me sort this out, so that I can access domain names?

thanks

Asked by satshah
svgmuc commented:
Edit /etc/sysctl.conf

Edit the “net.ipv4.ip_forward” line and set it to 1

erinv commented:
You can check out how to set your box up as a DNS server, or just add any DNS server in your resolv.conf file.

farzanj commented:
If I restart the Linux machine, I cannot ping anything, unless I retype the following command:
#echo 1 > /proc/sys/net/ipv4/ip_forward


Edit /etc/sysctl.conf to include the line
net.ipv4.ip_forward=1

This would make it prevail after the reboot.

Have you set the route correctly on the LAN machines?

Do
route -n
Your default route should be your gateway machine.

Are the IP addresses for each of the LAN machines static also?
So you must set the DNS and route on each one of them.

satshah (author) commented:
svgmuc & farzanj - thanks, the sysctl.conf change works so I can still ping out after the linux machine reboots.

But I still cannot ping out to domain names from the LAN machines, only to IP.

e.g. on the LAN machine, ping 4.2.2.1 responds OK, but ping yahoo.com does not respond at all.
Obviously I cannot use a web browser to access websites from the LAN machine.

The linux gateway machine is OK accessing websites.

farzanj commented:
The LAN machines have a DNS issue.

Check their /etc/resolv.conf files. What is the

server <ADDRESS>

they have?

svgmuc commented:
Does your DHCP server communicate a DNS server address to the clients? You may need to configure that in the DHCP config.

satshah (author) commented:
The LAN machines are Windows XP.

They are set to obtain IP and DNS automatically. They get the IP and DNS correctly.

This is what my dhcpd.conf file looks like:

#
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.sample  

#
ddns-update-style interim;
ignore client-updates;
authoritative;

subnet 192.168.1.0 netmask 255.255.255.0 {

# --- default gateway
      option routers                  192.168.1.1;
      option subnet-mask            255.255.255.0;

      option nis-domain            "zzzcols.com";
      option domain-name            "zzzcols.com";
      option domain-name-servers      208.67.222.222;

      option time-offset            -18000;      # Eastern Standard Time
#      option ntp-servers            192.168.1.1;
#      option netbios-name-servers      192.168.1.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
#      option netbios-node-type 2;

      range dynamic-bootp 192.168.1.128 192.168.1.254;
      default-lease-time 21600;
      max-lease-time 43200;

      # we want the nameserver to appear at a fixed address
      host ns {
            next-server marvin.redhat.com;
            hardware ethernet 12:34:56:78:AB:CD;
            fixed-address 207.175.42.254;
      }
}

I just worked with the default dhcpd.conf file. Is there something wrong in the file?

svgmuc commented:
Check /etc/resolv.conf on the clients... if it has no server statement, the DHCP server doesn't communicate it.

You might try putting the address in curly brackets.

option domain-name-servers {208.67.222.222;}

farzanj commented:
Ok. So it doesn't appear to be a DHCP issue since your clients are Windows AND they are getting valid addresses.

Somehow you are blocking the DNS port. It is not passing through your gateway server. You may need an entry in your iptables.

Something like
iptables -A FORWARD -i eth1 -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -d 192.168.1.0/24 -j ACCEPT

satshah (author) commented:
svgmuc - The client PCs are Windows XP, so they do not have resolv.conf in them.

On the linux gateway, the resolv.conf looks like this:

; generated by /sbin/dhclient-script
nameserver 87.194.255.154
nameserver 208.67.222.222
search localdomain


farzanj commented:
In your dhcp file, you have option for only one nameserver.  Please include both.

svgmuc commented:
Sorry, I missed that line about XP.

I'd follow farzanj's approach next.
Maybe you can run tcpdump on the gateway to figure out where the packets are not passing through.

satshah (author) commented:
farzanj - I did the iptables entry but still no luck

This is what my iptables file in /etc/sysconfig looks like:
# Generated by iptables-save v1.3.5 on Tue Apr 19 15:01:33 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2738:2184002]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A FORWARD -s 192.168.2.0/255.255.255.0 -i eth1 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Apr 19 15:01:33 2011
# Generated by iptables-save v1.3.5 on Tue Apr 19 15:01:33 2011
*nat
:PREROUTING ACCEPT [1094:118217]
:POSTROUTING ACCEPT [147:10557]
:OUTPUT ACCEPT [316:22154]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Apr 19 15:01:33 2011

satshah (author) commented:
Farzanj - the problem was with the firewall - when I posted the iptables file I saw the FIREWALL entries.
so I disabled the firewall in System / Administration, and I can now ping domain names.

thank you.

farzanj commented:
Did it work?

What I see is that you are doing PREROUTING for port 80 but NOT port 53 (DNS).
Could you also add a rule for port 53? That may work.

satshah (author) commented:
Farzanj - It does work

farzanj commented:
Great.  Good to know.  Thanks.
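The thread ends with the firewall switched off, which also removes every protection the gateway had on its WAN side. The posted /etc/sysconfig/iptables shows the actual fault: `-A FORWARD -j RH-Firewall-1-INPUT` pushes forwarded LAN traffic through the host's own input chain, which accepts all ICMP (so pings to IP addresses work), has no rule for port 53, and ends in REJECT (so DNS queries die). The two ACCEPT rules appended after that jump are never reached, and they name 192.168.2.0/24 although the LAN is 192.168.1.0/24; the PREROUTING REDIRECT from port 80 to port 80 does nothing. The script below is an added example, written for this editing pass and not code from satshah, farzanj or svgmuc. It persists net.ipv4.ip_forward in sysctl.conf as the answers advise, emits a replacement ruleset in which forwarded traffic has its own chain with a default REJECT so the firewall can stay on, and audits any iptables-save dump for the three defects above. Interface names and the LAN range follow the question; the chain name LAN-FORWARD, the function names and the trimmed copy of the posted ruleset embedded for the demonstration are my own choices.

```shell
#!/bin/bash
# Added example for this thread, not code from any of the posts. Assumes the
# question's topology (eth0 = WAN, eth1 = LAN, LAN 192.168.1.0/24); the chain
# name LAN-FORWARD and the function names are my own.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# Persist forwarding across reboots: set net.ipv4.ip_forward = 1 in a sysctl.conf
# (default /etc/sysctl.conf), replacing the stock "= 0" line. Then `sysctl -p`.
persist_ip_forward() {
    local conf=${1:-/etc/sysctl.conf}
    if grep -q '^net\.ipv4\.ip_forward' "$conf" 2>/dev/null; then
        sed -i 's/^net\.ipv4\.ip_forward.*/net.ipv4.ip_forward = 1/' "$conf"
    else
        echo 'net.ipv4.ip_forward = 1' >> "$conf"
    fi
    grep -q '^net\.ipv4\.ip_forward = 1$' "$conf"
}

# Ruleset in iptables-restore format. Forwarded traffic is judged by its own
# chain (default REJECT), never by the host's INPUT chain, so the firewall stays
# on while everything the LAN initiates (DNS included) passes and the WAN side
# reaches nothing but ICMP. Install: gateway_rules > /etc/sysconfig/iptables
gateway_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:LAN-FORWARD - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# DHCP requests come from 0.0.0.0, so no -s filter on this one
-A INPUT -i $LAN_IF -p udp --dport 67 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j LAN-FORWARD
-A LAN-FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A LAN-FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
-A LAN-FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# The /etc/sysconfig/iptables posted in the thread, trimmed to the lines that matter.
posted_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A FORWARD -s 192.168.2.0/255.255.255.0 -i eth1 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Read an iptables-save dump on stdin; print one line per defect that lets ICMP
# through yet kills forwarded DNS. A clean ruleset prints nothing.
audit_forward_chain() {
    local lan_net=$1 dump target src
    dump=$(cat)
    # 1. FORWARD jumps into the chain INPUT uses, so forwarded packets face host
    #    rules: ICMP accepted, no port 53 rule, REJECT at the end.
    target=$(printf '%s\n' "$dump" | awk '$1=="-A" && $2=="FORWARD" && $3=="-j" && $4!~/^(ACCEPT|DROP|REJECT)$/ {print $4; exit}')
    if [ -n "$target" ] && printf '%s\n' "$dump" | grep -q -- "^-A INPUT -j $target\$"; then
        echo "forward-shares-input-chain:$target"
    fi
    # 2. FORWARD ACCEPT rules for a source network that is not the LAN.
    for src in $(printf '%s\n' "$dump" | awk '$1=="-A" && $2=="FORWARD" && /-j ACCEPT/ {for(i=3;i<NF;i++) if($i=="-s") print $(i+1)}' | sort -u); do
        [ "${src%%/*}" = "${lan_net%%/*}" ] || echo "wrong-subnet:$src"
    done
    # 3. REDIRECT to the very port it matched: a no-op.
    printf '%s\n' "$dump" | awk '/-j REDIRECT/ {d=t=""; for(i=1;i<=NF;i++){if($i=="--dport")d=$(i+1); if($i=="--to-ports")t=$(i+1)}; if(d!="" && d==t) print "redirect-noop:" d}'
}

# Audit the posted ruleset (three findings expected), then the corrected one.
posted_ruleset | audit_forward_chain "$LAN_NET"
gateway_rules | audit_forward_chain "$LAN_NET"
```

On the gateway, as root, `gateway_rules > /etc/sysconfig/iptables && service iptables restart` installs the ruleset and `persist_ip_forward && sysctl -p` makes forwarding permanent. The audit runs against live state with `iptables-save | audit_forward_chain 192.168.1.0/24`. Note that SSH to the gateway is then reachable from the LAN only; open it on the WAN side deliberately if remote administration is required.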