LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 03-11-2006, 02:09 AM   #1
RottenMutt
Member
 
Registered: Jul 2003
Location: dfw
Distribution: Latest Fedora Release
Posts: 186

Rep: Reputation: 30
help: trying to setup firewall router w/ FC4


Having some difficulty understanding just how to properly configure dhcp and Internet Connection Sharing on my FC4 box. I've RTFM, I've read the Readme yet i still can't get it working.
I have followed some guides, used dome tools:
http://fedoranews.org/blog/?p=666
http://tldp.org/HOWTO/IP-Masquerade-...-examples.html
http://www.subnetmask.info/
I can now get a ip address on my laptop, winxp home, and ping it from the linux. i can http://64.233.187.99 and bring up google, but not with their domain name.
It looks like the domain name resolution isn't working, getting closer

dhcp starts, i can ping the other computer.
PHP Code:
[root@firewall ~]# bash -x /etc/rc.d/init.d/dhcpd start
+ . /etc/rc.d/init.d/functions
++ TEXTDOMAIN=initscripts
++ umask 022
++ PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin
++ export PATH
++ '[' -'' ']'
++ COLUMNS=80
++ '[' -'' ']'
+++ /sbin/consoletype
++ CONSOLETYPE=pty
++ '[' -/etc/sysconfig/i18n --'' ']'
++ . /etc/sysconfig/i18n
+++ LANG=en_US.UTF-8
+++ SYSFONT=latarcyrheb-sun16
+++ SUPPORTED=en_US.UTF-8:en_US:en
++ '[' pty '!=' pty ']'
++ '[' -'' ']'
++ export LANG
++ '[' -'' ']'
++ '[' -/etc/sysconfig/init ']'
++ . /etc/sysconfig/init
+++ BOOTUP=color
+++ GRAPHICAL=yes
+++ RES_COL=60
+++ MOVE_TO_COL='echo -en \033[60G'
+++ SETCOLOR_SUCCESS='echo -en \033[0;32m'
+++ SETCOLOR_FAILURE='echo -en \033[0;31m'
+++ SETCOLOR_WARNING='echo -en \033[0;33m'
+++ SETCOLOR_NORMAL='echo -en \033[0;39m'
+++ LOGLEVEL=3
+++ PROMPT=yes
++ '[' pty serial ']'
++ '[' color '!=' verbose ']'
++ INITLOG_ARGS=-q
+ . /etc/sysconfig/network
++ NETWORKING=yes
++ HOSTNAME=firewall.irkshouse.org
+ . /etc/sysconfig/dhcpd
++ DHCPDARGS=eth0
'[' yes no ']'
'[' -/usr/sbin/dhcpd ']'
CF=/etc/dhcpd.conf
+ [[ eth0 = *-cf* ]]
'[' -/etc/dhcpd.conf ']'
'[' '!' -/var/lib/dhcp/dhcpd.leases ']'
RETVAL=0
prog=dhcpd
+ case "$1" in
start
+ echo -'Starting dhcpd: '
Starting dhcpd: + daemon /usr/sbin/dhcpd eth0
RETVAL=0                                                 [  OK  ]
+ echo

'[' -eq 0 ']'
touch /var/lock/subsys/dhcpd
'[' -/usr/bin/logger ']'
+ /usr/bin/logger -t dhcpd 'dhcpd startup succeeded'
+ return 0
+ exit 
PHP Code:
[root@firewall ~]# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:01:80:62:7A:5A
          inet addr
:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr
fe80::201:80ff:fe62:7a5a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU
:1500  Metric:1
          RX packets
:282 errors:0 dropped:0 overruns:0 frame:0
          TX packets
:193 errors:0 dropped:0 overruns:0 carrier:0
          collisions
:0 txqueuelen:1000
          RX bytes
:46641 (45.5 KiB)  TX bytes:24248 (23.6 KiB)
          
Interrupt:193 Base address:0xc000

eth1      Link encap
:Ethernet  HWaddr 00:50:BA:B2:BF:72
          inet addr
:66.182.204.127  Bcast:66.182.207.255  Mask:255.255.240.0
          inet6 addr
fe80::250:baff:feb2:bf72/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU
:1500  Metric:1
          RX packets
:82643 errors:0 dropped:0 overruns:0 frame:0
          TX packets
:3527 errors:0 dropped:0 overruns:0 carrier:0
          collisions
:0 txqueuelen:1000
          RX bytes
:8109250 (7.7 MiB)  TX bytes:555517 (542.4 KiB)
          
Interrupt:169 Base address:0xe000

lo        Link encap
:Local Loopback
          inet addr
:127.0.0.1  Mask:255.0.0.0
          inet6 addr
: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU
:16436  Metric:1
          RX packets
:1906 errors:0 dropped:0 overruns:0 frame:0
          TX packets
:1906 errors:0 dropped:0 overruns:0 carrier:0
          collisions
:0 txqueuelen:0
          RX bytes
:2465540 (2.3 MiB)  TX bytes:2465540 (2.3 MiB)

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU
:1480  Metric:1
          RX packets
:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets
:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions
:0 txqueuelen:0
          RX bytes
:(0.0 b)  TX bytes:(0.0 b
PHP Code:
[root@firewall ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BROADCAST
=192.168.1.255
HWADDR
=00:01:80:62:7A:5A
IPADDR
=192.168.1.1
NETMASK
=255.255.255.0
NETWORK
=192.168.1.0
ONBOOT
=yes
TYPE
=Ethernet
BOOTPROTO
=none
USERCTL
=no
PEERDNS
=yes
IPV6INIT
=no 
PHP Code:
[root@firewall ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
BOOTPROTO
=dhcp
HWADDR
=00:50:BA:B2:BF:72
ONBOOT
=yes
TYPE
=Ethernet
DHCP_HOSTNAME
=firewall.irkshouse.org 
PHP Code:
[root@firewall ~]# cat /etc/dhcpd.conf
#   If more than one network interface is attached to the system, but the DHCP
#   server should only be started on one of the interfaces, configure the DHCP
#   server to start only on that device.
#   See DHCPDARGS= in /etc/sysconfig/dhcpd
#ddns-update-style ad-hoc;
ddns-update-style interim;
#ignore client-updates;
subnet 192.168.1.0 netmask 255.255.255.0 {
        
option routers                  192.168.1.1;
        
option subnet-mask              255.255.255.0;
#       option nis-domain               "irkshouse.org";
#       option domain-name              "irkshouse.org";
        
option domain-name-servers      192.168.1.1;
#       option broadcast-address        192.168.1.255;
#       option ip-forwarding            on;
        
option time-offset              -6;     # Central Standard Time
#       option ntp-servers              192.168.1.1;
#       option netbios-name-servers     192.168.1.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
#     you understand Netbios very well
#       option netbios-node-type 2;
#       range dynamic-bootp 192.168.1.100 192.168.1.254;
        
range 192.168.1.100 192.168.1.254;
        default-
lease-time 21600;
        
max-lease-time 43200;

PHP Code:
[root@firewall ~]# cat /etc/sysconfig/dhcpd
# Command line options here
DHCPDARGS=eth0 
I have also tried this script to enable Internet Sharing, but it didn't work.
PHP Code:
[root@firewall ~]# cat /etc/rc.d/rc.firewall-iptables
#!/bin/sh
#
# rc.firewall-iptables
FWVER=0.76
#
#               Initial SIMPLE IP Masquerade test for 2.6 / 2.4 kernels
#               using IPTABLES.
#
#               Once IP Masquerading has been tested, with this simple
#               ruleset, it is highly recommended to use a stronger
#               IPTABLES ruleset either given later in this HOWTO or
#               from another reputable resource.
#
#
#
# Log:
#       0.76 - Added comments on why the default policy is ACCEPT
#       0.75 - Added more kernel modules to the comments section
#       0.74 - the ruleset now uses modprobe vs. insmod
#       0.73 - REJECT is not a legal policy yet; back to DROP
#       0.72 - Changed the default block behavior to REJECT not DROP
#       0.71 - Added clarification that PPPoE users need to use
#              "ppp0" instead of "eth0" for their external interface
#       0.70 - Added commented option for IRC nat module
#            - Added additional use of environment variables
#            - Added additional formatting
#       0.63 - Added support for the IRC IPTABLES module
#       0.62 - Fixed a typo on the MASQ enable line that used eth0
#              instead of $EXTIF
#       0.61 - Changed the firewall to use variables for the internal
#              and external interfaces.
#       0.60 - 0.50 had a mistake where the ruleset had a rule to DROP
#              all forwarded packets but it didn't have a rule to ACCEPT
#              any packets to be forwarded either
#            - Load the ip_nat_ftp and ip_conntrack_ftp modules by default
#       0.50 - Initial draft
#

echo -"\n\nLoading simple rc.firewall-iptables version $FWVER..\n"


# The location of the iptables and kernel module programs
#
#   If your Linux distribution came with a copy of iptables,
#   most likely all the programs will be located in /sbin.  If
#   you manually compiled iptables, the default location will
#   be in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
IPTABLES=/sbin/iptables
#IPTABLES=/usr/local/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE
=/sbin/modprobe


#Setting the EXTERNAL and INTERNAL interfaces for the network
#
#  Each IP Masquerade network needs to have at least one
#  external and one internal network.  The external network
#  is where the natting will occur and the internal network
#  should preferably be addressed with a RFC1918 private address
#  scheme.
#
#  For this example, "eth0" is external and "eth1" is internal"
#
#
#  NOTE:  If this doesnt EXACTLY fit your configuration, you must
#         change the EXTIF or INTIF variables above. For example:
#
#            If you are a PPPoE or analog modem user:
#
#               EXTIF="ppp0"
#
#
#  IRK'S NOTES: ETH0 IS GREEN (INTIF), ETH1 IS RED (EXTIF); THEREFORE,
#             THE ADDAPTERS MUST BE SWITCHED
EXTIF="eth1"
INTIF="eth0"
echo "   External Interface:  $EXTIF"
echo "   Internal Interface:  $INTIF"


#======================================================================
#== No editing beyond this line is required for initial MASQ testing ==


echo -en "   loading modules: "

# Need to verify that all modules have all required dependencies
#
echo "  - Verifying that all kernel modules are ok"
$DEPMOD -a

# With the new IPTABLES code, the core MASQ functionality is now either
# modular or compiled into the kernel.  This HOWTO shows ALL IPTABLES
# options as MODULES.  If your kernel is compiled correctly, there is
# NO need to load the kernel modules manually.
#
#  NOTE: The following items are listed ONLY for informational reasons.
#        There is no reason to manual load these modules unless your
#        kernel is either mis-configured or you intentionally disabled
#        the kernel module autoloader.
#

# Upon the commands of starting up IP Masq on the server, the
# following kernel modules will be automatically loaded:
#
# NOTE:  Only load the IP MASQ modules you need.  All current IP MASQ
#        modules are shown below but are commented out from loading.
# ===============================================================

echo "----------------------------------------------------------------------"

#Load the main body of the IPTABLES module - "iptable"
#  - Loaded automatically when the "iptables" command is invoked
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_tables, "
$MODPROBE ip_tables


#Load the IPTABLES filtering module - "iptable_filter"
#  - Loaded automatically when filter policies are activated


#Load the stateful connection tracking framework - "ip_conntrack"
#
# The conntrack  module in itself does nothing without other specific
# conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
# module
#
#  - This module is loaded automatically when MASQ functionality is
#    enabled
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_conntrack, "
$MODPROBE ip_conntrack


#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_ftp, "
$MODPROBE ip_conntrack_ftp


#Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_irc, "
$MODPROBE ip_conntrack_irc


#Load the general IPTABLES NAT code - "iptable_nat"
#  - Loaded automatically when MASQ functionality is turned on
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "iptable_nat, "
$MODPROBE iptable_nat


#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_nat_ftp, "
$MODPROBE ip_nat_ftp


#Loads the IRC NAT functionality into the core IPTABLES code
# Required to support NAT of IRC DCC requests
#
# Disabled by default -- remove the "#" on the next line to activate
#
#echo -e "ip_nat_irc"
#$MODPROBE ip_nat_irc

echo "----------------------------------------------------------------------"

# Just to be complete, here is a partial list of some of the other
# IPTABLES kernel modules and their function.  Please note that most
# of these modules (the ipt ones) are automatically loaded by the
# master kernel module for proper operation and don't need to be
# manually loaded.
# --------------------------------------------------------------------
#
#    ip_nat_snmp_basic - this module allows for proper NATing of some
#                        SNMP traffic
#
#    iptable_mangle    - this target allows for packets to be
#                        manipulated for things like the TCPMSS
#                        option, etc.
#
# --
#
#    ipt_mark       - this target marks a given packet for future action.
#                     This automatically loads the ipt_MARK module
#
#    ipt_tcpmss     - this target allows to manipulate the TCP MSS
#                     option for braindead remote firewalls.
#                     This automatically loads the ipt_TCPMSS module
#
#    ipt_limit      - this target allows for packets to be limited to
#                     to many hits per sec/min/hr
#
#    ipt_multiport  - this match allows for targets within a range
#                     of port numbers vs. listing each port individually
#
#    ipt_state      - this match allows to catch packets with various
#                     IP and TCP flags set/unset
#
#    ipt_unclean    - this match allows to catch packets that have invalid
#                     IP/TCP flags set
#
#    iptable_filter - this module allows for packets to be DROPped,
#                     REJECTed, or LOGged.  This module automatically
#                     loads the following modules:
#
#                     ipt_LOG - this target allows for packets to be
#                               logged
#
#                     ipt_REJECT - this target DROPs the packet and returns
#                                  a configurable ICMP packet back to the
#                                  sender.
#

echo -"   Done loading modules.\n"



#CRITICAL:  Enable IP forwarding since it is disabled by default since
#
#           Redhat Users:  you may try changing the options in
#                          /etc/sysconfig/network from:
#
#                       FORWARD_IPV4=false
#                             to
#                       FORWARD_IPV4=true
#
echo "   Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward


# Dynamic IP users:
#
#   If you get your IP address dynamically from SLIP, PPP, or DHCP,
#   enable this following option.  This enables dynamic-address hacking
#   which makes the life with Diald and similar programs much easier.
#
echo "   Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr


# Enable simple IP forwarding and Masquerading
#
#  NOTE:  In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
#
#  NOTE #2:  The following is an example for an internal LAN address in the
#            192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask
#            connecting to the Internet on external interface "eth0".  This
#            example will MASQ internal traffic out to the Internet but not
#            allow non-initiated traffic into your internal network.
#
#
#         ** Please change the above network numbers, subnet mask, and your
#         *** Internet connection interface name to match your setup
#


#Clearing any previous configuration
#
#  Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
#    The default for FORWARD is DROP (REJECT is not a valid policy)
#
#   Isn't ACCEPT insecure?  To some degree, YES, but this is our testing
#   phase.  Once we know that IPMASQ is working well, I recommend you run
#   the rc.firewall-*-stronger rulesets which set the defaults to DROP but
#   also include the critical additional rulesets to still let you connect to
#   the IPMASQ server, etc.
#
echo "   Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES 
-F INPUT
$IPTABLES 
-P OUTPUT ACCEPT
$IPTABLES 
-F OUTPUT
$IPTABLES 
-P FORWARD DROP
$IPTABLES 
-F FORWARD
$IPTABLES 
-t nat -F

echo "   FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES 
-A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES 
-A FORWARD -j LOG

echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo -"\nrc.firewall-iptables v$FWVER done.\n" 
PHP Code:
[root@firewall ~]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       firewall.irkshouse.org  firewall        localhost.localdomain  localhost 

Last edited by RottenMutt; 03-11-2006 at 02:30 AM.
 
Old 03-11-2006, 01:43 PM   #2
RottenMutt
Member
 
Registered: Jul 2003
Location: dfw
Distribution: Latest Fedora Release
Posts: 186

Original Poster
Rep: Reputation: 30
Can anyone help, i'm so close to getting it to work
 
Old 03-11-2006, 03:37 PM   #3
fataldata
Member
 
Registered: Jun 2002
Location: Breckenridge, Colorado
Distribution: Ubuntu Hardy 8.04
Posts: 101

Rep: Reputation: 15
Well you have the "option domain-name-servers 192.168.1.1;" Line in your dhcpd.conf file. This is pointing back at your machines eth0 interface, are you running a DNS server on that machine? If not simply replace this entry with your DNS servers as provided by your ISP.
 
Old 03-11-2006, 08:39 PM   #4
RottenMutt
Member
 
Registered: Jul 2003
Location: dfw
Distribution: Latest Fedora Release
Posts: 186

Original Poster
Rep: Reputation: 30
my ip address is dynamic and the dhcp client on my red nic automaticly detects the DNS. so how do i automaticly pass this to my green interface/nic which is also a dhcp server?
 
Old 03-13-2006, 01:32 PM   #5
fataldata
Member
 
Registered: Jun 2002
Location: Breckenridge, Colorado
Distribution: Ubuntu Hardy 8.04
Posts: 101

Rep: Reputation: 15
Sounds like that would involve some scripting to read the server info into a variable and then reference that variable in the dhcpd.conf file. But this is not my strong suit and you would need a more knowledgeable person than myself.
I would just hard code the DNS server info into the dhcpd.conf file. DNS servers rarely change and in any case I use atleast one external dns server (i.e. not from my isp) so that my www works even when my ISP's dns goes down. This has happened a few times.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
FC4 - firewall, router, NAS RottenMutt Fedora 0 03-09-2006 12:22 PM
Which gateway in router-firewall setup? hussar Linux - Networking 4 12-11-2005 11:11 AM
router and firewall setup jibskg Linux - Networking 1 08-23-2004 09:01 AM
router/firewall setup please help?! basatum Mandriva 1 09-20-2003 03:53 PM
Trying to setup a firewall router using iptables pmoss Linux - Networking 3 03-20-2002 12:15 AM


All times are GMT -5. The time now is 04:05 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration