Home > Archive > Red Hat Networking > January 2004 > I succeeded in setting up a RH9 box as router
I succeeded in setting up a RH9 box as router
I have an ADSL modem (Alcatel speedtouch)
and an internal net (192.168.0.0/24)
I succeeded in setting up an RH9 system for doing the routing (and
later some other server work and a firewall).
Here are three relevant files, to set up the two NICs and the routing
table.
At last, I succeeded in setting up the routing RH9 box.
Here are the two /etc/sysconfig/network-scripts/ifcfg-ethx files:
NAME=alcatel
DEVICE=eth0
BOOTPROTO=none
BROADCAST=10.255.255.255
IPADDR=10.0.0.150
NETMASK=255.0.0.0
NETWORK=10.0.0.0
ONBOOT=yes
HWADDR=00:61:B0:C3:CC:BF
USERCTL=no
PEERDNS=no
TYPE=Ethernet
and:
NAME=lima
DEVICE=eth1
BOOTPROTO=none
BROADCAST=192.168.0.255
IPADDR=192.168.0.1
NETMASK=255.255.255.0
NETWORK=192.168.0.0
ONBOOT=yes
HWADDR=00:61:B0:B5:6E:4B
USERCTL=no
PEERDNS=no
TYPE=Ethernet
and this is the /etc/sysconfig/network file:
NETWORKING=yes
HOSTNAME=lima
NOZEROCONF=yes
GATEWAY=10.0.0.138
and /proc/sys/net/ipv4/ip_forward must be set to 1, of course:
echo "1" > /proc/sys/net/ipv4/ip_forward
and set masquerading:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Have a look in /etc/sysctl.conf too...
The NOZEROCONF is useful to take out of the routing table the often
unnecessary weird Microsoft APIPA net.
Setting up another RH9 box with KDE, and configuring it that way,
showed a lot of details in the ifcfg-ethx files.
Next step is setting up the Netfilter stuff.
Hope this will be of some help to others. It was not easy to find this
out.
I learned a lot in the process.
Erik
Troy Piggins 2004-01-23, 7:48 pm
* ik <> <> [Mon, 8 Dec 2003 07:47 am] :
quote:
> I have a ADSL modem (Alcatel speedtouch)
> and an internal net (192.168.0.0/24)
> I succeeded in setting up a RH9 system, for doing the routing (and
> later some other server work and firewall.
>
> here are three relevant files, to set up the two NICs and the router
> table.
>
> At last, I succeeded in setting up the routing RH9 box.
>
> here are the two /etc/sysconfig/network-scripts/ifcfg-ethx files:
>
> NAME=alcatel
> DEVICE=eth0
> BOOTPROTO=none
> BROADCAST=10.255.255.255
> IPADDR=10.0.0.150
> NETMASK=255.0.0.0
> NETWORK=10.0.0.0
> ONBOOT=yes
> HWADDR=00:61:B0:C3:CC:BF
> USERCTL=no
> PEERDNS=no
> TYPE=Ethernet
>
> and:
>
> NAME=lima
> DEVICE=eth1
> BOOTPROTO=none
> BROADCAST=192.168.0.255
> IPADDR=192.168.0.1
> NETMASK=255.255.255.0
> NETWORK=192.168.0.0
> ONBOOT=yes
> HWADDR=00:61:B0:B5:6E:4B
> USERCTL=no
> PEERDNS=no
> TYPE=Ethernet
>
> and this is the /etc/sysconfig/network file:
>
> NETWORKING=yes
> HOSTNAME=lima
> NOZEROCONF=yes
> GATEWAY=10.0.0.138
<snip>
Thanks for the post. I have had a RH9 box acting as gateway/firewall for
some time. Runs fine, and if you want a copy of my iptables filters, let
me know. I have some questions for you..
The external NIC is a DHCP client with IP address given by ISP. Here is my
/etc/sysconfig/network-scripts/ifcfg-eth0 :
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
My internal NIC has a static IP address of 192.168.0.1 -
/etc/sysconfig/network-scripts/ifcfg-eth1 :
DEVICE=eth1
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.0.1
NETMASK=255.255.255.0
Questions :
- are the NAME values you used useful for anything, or are they just so you
know which one is external or internal?
- when my dhcp lease renews, and I get a new IP address for the external
NIC, I also get a new hostname like c-210-49-xxx-xxx (the IP address is
part of the hostname). I want to be able to accept all the dhcp
information *except* this hostname. I have tried reading the dhclient,
dhclient.conf man pages but no luck. My /etc/dhclient.conf :
option hostname = armadillo
did nothing :-(
Was wondering if the HOSTNAME=lima in /etc/sysconfig/network would work in
this instance - and remember that when lease renews.
I have more things to sort out like DNS etc, but these questions will keep
me happy for now.
--
T R O Y P I G G I N S
e : troy@piggo.com
On Tue, 16 Dec 2003 22:41:55 +1000, the right honourable Troy Piggins
<troy@piggo.com> wrote:
quote:
>* ik <> <> [Mon, 8 Dec 2003 07:47 am] :
>
><snip>
>
>Thanks for the post. I have had a RH9 box acting as gateway/firewall for
>some time. Runs fine, and if you want a copy of my iptables filters, let
>me know. I have some questions for you..
>The external NIC is DHCP client with IP address given by ISP. Here is my
>/etc/sysconfig/network-scripts/ifcfg-eth0 :
>
>DEVICE=eth0
>BOOTPROTO=dhcp
>ONBOOT=yes
>
>My internal NIC is static IP address of 192.168.0.1 -
>/etc/sysconfig/network-scripts/ifcfg-eth1 :
>
>DEVICE=eth1
>ONBOOT=yes
>BOOTPROTO=static
>IPADDR=192.168.0.1
>NETMASK=255.255.255.0
>
>Questions :
>- are the NAME values you used useful for anything, or are they just so you
>know which one is external or internal?
I have not encountered a situation yet, where they are useful.
The important naming goes into /etc/hosts.
quote:
>- when my dhcp lease renews, and I get a new IP address for the external
>NIC, I also get a new hostname like c-210-49-xxx-xxx (the IP address is
>part of the hostname). I want to be able to accept all the dhcp
>information *except* this hostname. I have tried reading the dhclient,
>dhclient.conf man pages but no luck. My /etc/dhclient.conf :
>
>option hostname = armadillo
>
>did nothing :-(
As your DHCP server is owned by your ISP, THEY give out addresses. You
just have to swallow these. My guess is, they do the DNS too, for your
external net. So they give the corresponding hostname too.
I encountered a silly name like the one you mention too:
before I had an adsl line with fixed IP address:
speedtouch09801509854@planet.nl or something like that blabla.
I have a fixed IP address with my own domain name.
When they give you a new lease (and number) the DNS-entries at your
ISP will be updated too. What they *use* the silly name for, I dunno.
I am not acquainted with your situation because I have a modem/router
in between my linux box and the adsl line. It has address 10.0.0.138
on my side. I don't do DHCP on the 10-net or on the 192-net for
security reasons. And I don't care about what happens on the out-side
of the modem.
quote:
>
>Was wondering if the HOSTNAME=lima in /etc/sysconfig/network would work in
>this instance - and remember that when lease renews.
I think you are stuck with the hostname they give you, as far as the
outside goes. What happens on the inside net is another matter.
Is the name really important for you?
quote:
>
>I have more things to sort out like DNS etc, but these questions will keep
>me happy for now.
for iptables, I'm studying Bob Toxen's book on Linux security. It has
an iptables script, which I am trying out now.
I would like to have a look at your script too. So if you like, send
it over to: et57 at hot mail dot com
greetings,
Erik
Micah Clarke 2004-01-23, 7:48 pm
Hi,
I've got to the stage where I can ping an external IP number from anywhere
on my internal network. However, I can't ping an address: if I try and ping
www.yahoo.com I get an error. Do I have to configure a DNS server on my
linux box to get around this? Obviously, none of the Windows apps (web
browser, IM, etc) work with just IP numbers. I've tried specifying my ISP's
DNS addresses on the Windows clients but this doesn't help.
Thanks for any help,
Micah
<Erik> wrote in message news:r12utvgufbgr58b8h68hfaqp85vtmbf3m3@4ax.com...
quote:
> On Tue, 16 Dec 2003 22:41:55 +1000, the right honourable Troy Piggins
> <troy@piggo.com> wrote:
>
>
> I have not encountered a situation yet, where they are useful.
> The important naming goes into /etc/hosts.
>
>
> as your DHCP server is owned by your ISP, THEY give out addresses. You
> just have to swallow these. My guess is, they do the DNS too, for your
> external net. So they give the corresponding hostname too.
> I encountered a silly name like the one you mention too:
> before I had an adsl line with fixed IP address:
>
>
> speedtouch09801509854@planet.nl or something like that blabla.
> I have a fixed IP address with my own domain name.
> When they give you a new lease (and number) the DNS-entries at your
> ISP will be updated too. What they *use* the silly name for, I dunno.
>
> I am not acquainted with your situation because I have a modem/router
> in between my linux box and the adsl line. it has address 10.0.0.138
> on my side. I don't do DHCP on the 10-net or on the 192-net for
> security reasons. And I don't care about what happens on the out-side
> of the modem.
>
>
>
> I think you are stuck with the hostname they give you, as far as the
> outside goes. What happens on the inside net is another matter.
>
> Is the name really important for you ?
>
>
> for iptables, I'm studying Bob Toxen's book on Linux security. It has
> an iptables script, which I am trying out now.
> I would like to have a look at your script too. so if you like, send
> it over to: et57 at hot mail dot com
>
>
> greetings,
> Erik
Alexander Dalloz 2004-01-23, 7:48 pm
On Fri, 19 Dec 2003 23:35:34 +0000 Micah Clarke wrote:
quote:
> Hi,
>
> I've got to the stage where I can ping an external IP number from anywhere
> on my internal network. However, I can't ping an address: if I try and ping
> www.yahoo.com I get an error. Do I have to configure a DNS server on my
> linux box to get around this? Obviously, none of the Windows apps (web
> browser, IM, etc) work with just IP numbers. I've tried specifying my ISPs
> DNS addresses on the Windows clients but this doesn't help.
>
> Thanks for any help,
> Micah
It is enough if you define valid DNS server entries on the Windows
machines. But be sure port 53 both on UDP and TCP is not blocked by the
Linux box.
Alexander
--
Alexander Dalloz | Enger, Germany
PGP key valid: made 13.07.1999
PGP fingerprint: 2307 88FD 2D41 038E 7416 14CD E197 6E88 ED69 5653
On Fri, 19 Dec 2003 23:35:34 -0000, the right honourable "Micah
Clarke" <micahclarke@conandoyle.net> wrote:
quote:
>Hi,
>
>I've got to the stage where I can ping an external IP number from anywhere
>on my internal network. However, I can't ping an address: if I try and ping
>www.yahoo.com I get an error. Do I have to configure a DNS server on my
>linux box to get around this? Obviously, none of the Windows apps (web
>browser, IM, etc) work with just IP numbers. I've tried specifying my ISPs
>DNS addresses on the Windows clients but this doesn't help.
>
>Thanks for any help,
>Micah
No.
The DNS server is out on the internet. At least, the DNS server that
translates external names like yahoo's into an IP address and vice versa.
So your internal network has to know where these servers are.
Each machine on the internal net has a setting somewhere where you can
define this server.
You define two of them: a primary and, yes, a secondary DNS server
that takes care of things if the primary gives trouble.
Of course, these external DNS servers do not know anything about the
addressing and naming on your internal net. The IP addresses there are
probably of the not-routable kind like 192.168.x.x or 10.x.x.x.
With these addresses, you can't go out on the internet (that is what
NAT is all about).
Remember: they would have you pay dearly to keep the knowledge about
your internal net on their DNS servers. And you didn't. Pay, I mean
:-)
If you would like to have DNS for the internal net, you indeed have to
set up a DNS server on one of the internal machines.
This server would then translate 192.168.1.23 to, let's say
micah.clarke.loc, vice versa.
You then set the DNS server of the internal machines to the internal
DNS server instead of to the external ones.
I'm not sure, but I think you could then "connect" this internal DNS
server with the outside ones, so that if yahoo had to be converted to
an IP-address, the internal server defers the request to the external
server. I don't do internal DNS (yet) so consult the DNS manual of
your internal DNS server program for this.
Also, read Alexander's reply. He knows a lot more than I do. And yes,
it seems you stop UDP traffic on the Linux box.
You have to allow other protocols like UDP through the firewall,
because DNS works with UDP.
Obviously, you already allowed ICMP through.
Also be sure to set up a decent firewall on the linux box.
I'm working on Bob Toxen's book "Real World Linux Security". It has a
wealth of info on hardening the linux box.
have fun besides all the frustrations :-)
Erik
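As an added example (not a script from the thread or from Bob Toxen's book), here is a small shell script that ties together Erik's two commands from the first post (ip_forward and the MASQUERADE rule) with Alexander's point that both UDP and TCP port 53 must get through the Linux box: a FORWARD chain that defaults to DROP and admits only replies, DNS, web and ICMP from the internal net. The interface names and 192.168.0.0/24 are the ones posted; the allowed ports, the rate-limited LOG rule and the IPT=echo dry-run switch are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Forwarding policy for the two-NIC
# RH9 router described above. Run as root; set IPT=echo to print the rules
# instead of applying them (assumed dry-run switch, not an iptables feature).
IPT="${IPT:-iptables}"
WAN=eth0                 # towards the Alcatel modem (10.0.0.138 side)
LAN=eth1                 # internal net
LAN_NET=192.168.0.0/24

enable_forwarding() {
    # Same effect as: echo "1" > /proc/sys/net/ipv4/ip_forward
    # Put net.ipv4.ip_forward = 1 in /etc/sysctl.conf to keep it across reboots.
    sysctl -w net.ipv4.ip_forward=1
}

forward_rules() {
    # Nothing crosses between the two NICs unless a rule below allows it.
    $IPT -P FORWARD DROP
    # Replies to connections the LAN opened may come back in.
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DNS from the LAN: UDP *and* TCP 53, otherwise name lookups fail while ping by IP works.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p tcp --dport 53 -j ACCEPT
    # Web and ping from the LAN (assumed set of allowed services).
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p tcp -m multiport --dports 80,443 -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p icmp -j ACCEPT
    # Everything else is logged (rate limited) and then dropped by the chain policy.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    # Hide the whole LAN behind the router's outside address (the thread's MASQUERADE line,
    # restricted to packets that really come from the internal net).
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# Uncomment to apply for real:
# enable_forwarding
# forward_rules
```

The INPUT chain (what the router itself accepts) is a separate matter and is left to the full firewall script discussed above.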