LinuxQuestions.org
Old 09-29-2011, 02:09 PM   #1
dave247
Member
 
Registered: May 2004
Posts: 206

Rep: Reputation: 30
Having trouble configuring my Linux gateway


I am trying to configure a Linux gateway with Debian 5. Here is my system info:

eth0 - connected to the internet and configured as a DHCP client (actually, right now it's connected to my Linksys router on the 192.168 network).
eth1 - used for my DHCP server on my LAN, with a static IP of 150.50.0.1

So far I have DHCP working and it's issuing addresses to my systems connected to eth1 through my switch.

Now I am at the point where I want to forward traffic to and from eth0 and eth1, mainly so I can allow internet access to devices on the 150.50 network.

My overall goal here is to replace my router with this Linux gateway system and play with packet filtering and firewall configuration, etc.

I followed a guide on setting up a gateway but I'm not sure it's correct, and I tried to adjust it for my system. However, I execute the script and it doesn't seem like it is working. I am unable to access the internet from my computer on the 150.50 network.

I was wondering if I am missing anything or have something wrong with my script. This is the first time I've actually done this though I've been thinking about it for a long time. I am also still learning how iptables works.

Thanks for any help!
Here is my iptables script:
Code:
#!/bin/sh
PATH=/usr/sbin:/sbin:/bin:/usr/bin
# Internet: eth0  --  LAN: eth1

# Delete all existing rules in the filter, nat and mangle tables,
# then remove any user-defined chains
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections and those not coming from outside
# (the "!" goes before -i; "-i ! eth0" is the deprecated spelling):
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
# Let replies to LAN-initiated connections be forwarded back to the LAN:
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side:
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# Masquerade: rewrite the source address of packets leaving via eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Don't forward new connections from the outside to the inside:
iptables -A FORWARD -i eth0 -o eth1 -j REJECT

# Enable routing in the kernel:
echo 1 > /proc/sys/net/ipv4/ip_forward

Last edited by dave247; 09-29-2011 at 02:11 PM.
 
Old 09-30-2011, 12:06 AM   #2
goossen
Member
 
Registered: May 2006
Location: Bayern, Germany
Distribution: Many
Posts: 224

Rep: Reputation: 41
Some details to consider:

1- The network 150.50.X is part of the internet and should not be used for private networks.
See http://en.wikipedia.org/wiki/Private_network for more info.
2- The "states" are part of the TCP protocol only; much internet traffic is not TCP, e.g. DNS.

My recommendation is to first get the internet working and then start to experiment with firewall rules.
 
Old 09-30-2011, 01:02 AM   #3
dave247
Member
 
Registered: May 2004
Posts: 206

Original Poster
Rep: Reputation: 30
1. I thought about that, but technically it doesn't matter since I am going to be using NAT.

2. I'm actually not worried about the firewall yet; I am mainly trying to get the internet working, which is what I am having trouble with. I am trying to configure NAT with iptables and I can't get that working.


Quote:
Originally Posted by goossen View Post
Some details to consider:

1- The network 150.50.X is part of the internet and should not be used for private networks.
See http://en.wikipedia.org/wiki/Private_network for more info.
2- The "states" are part of the TCP protocol only; much internet traffic is not TCP, e.g. DNS.

My recommendation is to first get the internet working and then start to experiment with firewall rules.
 
Old 09-30-2011, 07:22 AM   #4
goossen
Member
 
Registered: May 2006
Location: Bayern, Germany
Distribution: Many
Posts: 224

Rep: Reputation: 41
For internet routing you only need the masquerade rule and to set ip_forward to 1.

Or you can use
Code:
iptables -A POSTROUTING -t nat -s {LAN_NET} -o eth0 -j SNAT --to-source {INET_IP}
instead.

--

The fact that you are using NAT doesn't allow you to use an internet IP for your internal network. Let's say you have the following IPs on your LAN:

HOST-A: 150.50.0.10
HOST-B: 150.50.0.12

So if you send a packet from HOST-A to HOST-B it will not go through your gateway but through your LAN switch; that's OK.
But what if you want to visit www.sample-website.com, which resolves to 150.50.0.12? The packet will go to HOST-B on your LAN; that's not OK.
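The minimal gateway from posts #1 and #4 (forwarding on, one masquerade rule, plus the conntrack rule for return traffic), written as an added example that is not the thread's own script. It emits the iptables commands as text so they can be reviewed before being run as root, and it adds two things a practitioner would want: a default-deny FORWARD policy with a source-address restriction on LAN traffic (so a host on the LAN cannot send packets with a forged source through the gateway), and an offline-checkable test for the kernel ip_forward switch. Interface names are assumed, and 10.0.0.0/24 is a constructed RFC 1918 subnet standing in for the 150.50.0.0 range used in the thread. The ESTABLISHED,RELATED rule also matches UDP replies such as DNS answers, because the kernel's connection tracking keeps state for UDP as well as TCP.

```shell
#!/bin/sh
# Added example, not the thread's script: builds a minimal NAT gateway
# ruleset as text. Review it, then run it as root with:
#   gen_gateway_rules eth0 eth1 10.0.0.0/24 | sh
# Interface names and the LAN subnet are assumed; 10.0.0.0/24 is a
# constructed RFC 1918 example.

# gen_gateway_rules WAN_IF LAN_IF LAN_NET  -> prints the commands to stdout
gen_gateway_rules() {
    wan_if="$1"; lan_if="$2"; lan_net="$3"
    cat <<EOF
# turn on routing in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
# start from an empty ruleset
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# default-deny forwarding: anything not matched below is dropped
iptables -P FORWARD DROP
# replies to connections opened from the LAN; conntrack covers UDP (DNS) as well as TCP
iptables -A FORWARD -i $wan_if -o $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
# new connections out of the LAN, but only with a source address inside the LAN subnet
iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
# rewrite the source of outbound packets to the WAN address (MASQUERADE suits a DHCP WAN)
iptables -t nat -A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE
EOF
}

# ip_forward_enabled [FILE] -> succeeds if the kernel forwarding switch reads 1.
# FILE defaults to the real sysctl node; a path is accepted so the check can
# be exercised against a plain file without root.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# usage: print the ruleset for review
gen_gateway_rules eth0 eth1 10.0.0.0/24
```

With the FORWARD policy at DROP, the trailing REJECT rule from the original script is no longer needed, and the `-s` match on the LAN-to-WAN rule means only addresses the gateway actually handed out can be NATed. Running `ip_forward_enabled || echo "forwarding is off"` on the gateway reproduces the one check that turned out to matter later in this thread.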
 
Old 09-30-2011, 10:54 AM   #5
dave247
Member
 
Registered: May 2004
Posts: 206

Original Poster
Rep: Reputation: 30
Alright... looks like it was working the whole time. The ONLY thing I needed was to turn on ip_forwarding in the kernel (which I had done all along).

My "problem" was that I had not set up DNS on my Linux system; that is why I could not go to "google.com" on my client machines. However, I could successfully ping Google's IP address.

Now I need to figure out the best way to forward DNS requests...

Last edited by dave247; 09-30-2011 at 01:54 PM.
 
Old 09-30-2011, 03:55 PM   #6
dave247
Member
 
Registered: May 2004
Posts: 206

Original Poster
Rep: Reputation: 30
I hate to be a pain in the butt....

What is the right/best way to get DNS working on the internal NIC?

I have been looking all over the internet, reading man pages and messing with config files. I am not sure if I need to install bind9 or just edit something with my /etc/interfaces file, or resolv.conf, or change /etc/dhcp3/dhcpd.conf file or if I just need to forward DNS requests with iptables. I understand the basics of DNS but I just can't figure out how to get it working.

Last edited by dave247; 09-30-2011 at 03:57 PM.
 
Old 10-03-2011, 09:57 AM   #7
fukawi1
Member
 
Registered: Apr 2009
Location: Melbourne
Distribution: Fedora & CentOS
Posts: 854

Rep: Reputation: 193
Quote:
Originally Posted by dave247 View Post
I hate to be a pain in the butt....
What is the right/best way to get DNS working on the internal NIC?
Do you mean the internal network, i.e. eth1?

You probably need to tell dhcpd.conf something along the lines of

option domain-name-servers x.x.x.x;

which will tell DHCP to push the nameserver address as it hands out IP addresses to clients on the LAN.

To find x.x.x.x (tehehe): cat /etc/resolv.conf
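The suggestion above, carried through as an added example (not from the thread): read the resolver the gateway itself uses out of resolv.conf text and emit a dhcpd.conf subnet declaration that pushes it to LAN clients with option domain-name-servers. The subnet, range and router values are assumed for illustration, and SAMPLE_RESOLV_CONF is a constructed sample rather than a real file. One edge case is handled: if the gateway's resolv.conf lists 127.0.0.1 (a local caching resolver), that address must not be handed to clients, since on a client it would point at the client itself.

```shell
#!/bin/sh
# Added example, not from the thread: derive the upstream resolver from
# resolv.conf text and generate the dhcpd.conf subnet block that hands it
# out. Subnet values are assumed; SAMPLE_RESOLV_CONF is constructed.

SAMPLE_RESOLV_CONF='# constructed sample of what the WAN-side DHCP client wrote
search lan.example
nameserver 127.0.0.1
nameserver 192.168.1.1
nameserver 192.168.1.2'

# first_nameserver: read resolv.conf text on stdin and print the first
# usable "nameserver" address. Loopback entries are skipped because a
# 127.x.x.x address is only meaningful on the gateway itself.
first_nameserver() {
    awk '$1 == "nameserver" && $2 !~ /^127\./ { print $2; exit }'
}

# gen_dhcpd_subnet NET NETMASK ROUTER RANGE_START RANGE_END DNS
# prints an ISC dhcpd subnet declaration that pushes the gateway as the
# default router and DNS as the resolver to every lease in the range
gen_dhcpd_subnet() {
    cat <<EOF
subnet $1 netmask $2 {
    range $4 $5;
    option routers $3;
    option domain-name-servers $6;
}
EOF
}

# usage: derive the resolver from the sample and print the declaration
dns=$(printf '%s\n' "$SAMPLE_RESOLV_CONF" | first_nameserver)
gen_dhcpd_subnet 10.0.0.0 255.255.255.0 10.0.0.1 10.0.0.100 10.0.0.200 "$dns"
```

On the real gateway the first function would be fed with `first_nameserver < /etc/resolv.conf`, the output pasted into /etc/dhcp3/dhcpd.conf, and the DHCP server restarted (dhcp3-server on Debian 5) before clients renew their leases. No extra iptables rule is needed for DNS: a client's query to the pushed resolver leaves via the same FORWARD and MASQUERADE rules as any other outbound traffic, and the answer comes back through the ESTABLISHED,RELATED rule.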
 