LinuxQuestions.org
Linux - Networking > nat, multiple NICs (https://www.linuxquestions.org/questions/linux-networking-3/nat-multiple-nics-157167/)

the_y_man 03-13-2004 01:11 PM

nat, multiple NICs
 
I'm trying to set up a NAT router on Slackware 9.1, kernel 2.6.4, no X.

My setup is like this:
eth0 ---> cable internet
eth1 ---> my computer connects to the router through this device; dhcpd sends
out an IP to whoever connects on this device (eth1="192.168.1.1 broadcast 192.168.1.255 netmask 255.255.255.0")

eth2 ---> my other computer connects to the router through this device; dhcpd sends
out an IP to whoever connects on this device (eth2="192.168.1.2 broadcast 192.168.1.255 netmask 255.255.255.0")

my dhcpd.conf file looks like this:

Code:

ddns-updates on;
ddns-update-style ad-hoc;

default-lease-time 1200;
max-lease-time 9200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.1;
option domain-name-servers 192.168.1.1;
option domain-name "the.name.of.my.domaine";

subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.2 192.168.1.100;
}


# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;


I activate dhcpd:
dhcpd eth1 eth2

both clients get an IP

and my NAT script looks like this:

Code:

#!/bin/bash

export IPTABLES=iptables
EXTIF="eth1"
INTIF="eth0"

echo "  Enabling ip_forward, and ip_dynaddr.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo "  clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo "  FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo "  Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

The client connected to eth1 can surf the web, but the client connected to eth2 cannot. The two clients cannot ping each other either.

Can anybody help? How can I get NAT working for the client connected to eth2?

tuxguy 03-13-2004 02:47 PM

In your dhcpd.conf file, why not have it assign IPs to the eths that are in your server via their MAC address, like below (one host declaration per MAC address, since a host block carries a single hardware address):

host your.host.name.eth1 {
  #eth1
  hardware ethernet 00:50:BA:C6:3B:C4;
  fixed-address 192.168.1.1;
}
host your.host.name.eth2 {
  #eth2
  hardware ethernet 00:20:BA:C2:4A:F1;
  fixed-address 192.168.1.2;
}
make sure to change the range in the subnet 192.168.1.0 to read

range 192.168.1.3 192.168.1.100;


now for your iptables...

EXTIF="eth1"
INTIF="eth0"


should be
EXTIF="eth1 eth2"
INTIF="eth0"

the_y_man 03-13-2004 03:49 PM

I fixed my dhcpd.conf file,

but the modification to the NAT script didn't work; it returned a bunch of syntax errors.

tuxguy 03-13-2004 05:49 PM

Have you ever thought of using Arno's firewall script? It has iptables and NAT, port forwarding, etc. for everything, is very easy to set up, and supports more than 2 NICs.

http://rocky.molphys.leidenuniv.nl/

if you need help trying to setup that firewall up, drop me a line...

the_y_man 03-13-2004 10:48 PM

It's still not working :-( I'm disappointed with Linux... Windows ICS is sooo much easier to set up, but I don't have the resources for that.

carboncopy 03-14-2004 03:07 AM

Quote:

Originally posted by the_y_man
It's still not working :-( I'm disappointed with Linux... Windows ICS is sooo much easier to set up, but I don't have the resources for that.
Windows is easier to set up, easier to crack, easier to get infected with viruses, etc. :)

spurious 03-14-2004 10:08 AM

the_y_man, your iptables script only routes for eth1; you don't have any routing rules for eth2. I think that tuxguy's suggestion of assigning EXTIF="eth1 eth2" is giving you the syntax error.

Also, more importantly, you've reversed EXTIF and INTIF. eth0 is your interface to the external world, and eth1/eth2 face your internal LAN. Not that the variable names make much difference, but your script has the following errors:

$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
-- if INTIF is eth0 and EXTIF is eth1, then you're basically accepting ALL traffic from the internet into your LAN. This kind of negates your firewall. It's probably why you can browse from the eth1-connected box even though the following rule is incorrect:

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
-- again, the masquerading rule should be applied on the external interface, namely eth0 in your case. However, since you assigned eth1 to EXTIF, the masquerading isn't functional.

My slackbox is also routing for two computers, eth1 and eth2. This is what I have:
Code:

IPTABLES='/usr/sbin/iptables'
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

# flush rules and delete chains
$IPTABLES -F
$IPTABLES -X

# enable masquerading to allow LAN internet access
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# forward LAN traffic from eth1 to Internet interface eth0
$IPTABLES -A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED -j ACCEPT

# forward LAN traffic from eth2 to Internet interface eth0
$IPTABLES -A FORWARD -i eth2 -o eth0 -m state --state NEW,ESTABLISHED -j ACCEPT

echo -e "      - Allowing access to the SSH server"
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT

echo -e "      - Allowing access to the HTTP server"
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT

# block out all other Internet access on eth0
$IPTABLES -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

I didn't bother assigning eth0/eth1/eth2 to variables; of course, you can, however. Test your firewall with nmap (but be careful with this tool, since you might accidentally scan your ISP which would get you into lots of trouble), or go to a website like www.dshield.org or grc.com.

BTW, although Linux, and iptables in particular, requires more reading and research, I find that once learned, Linux is much simpler and more elegant than Windows. I started my home network with Windows98 Internet Connection Sharing. Since Windows ICS was very poorly documented, I did everything by trial-and-error. And I had to remove and reinstall and reboot ICS many times (and there is only one magic way to do it properly too). Then the ICS server crashed about once per week. I never figured out how to serve more than one workstation from ICS either; I suspect you have to purchase a multi-node licence for ICS.

I switched my ICS server to Linux (Red Hat at first) with the goal of using it to do the internet firewall/gateway thing. Yes, iptables was very difficult at first, and I scoured google for all tutorials and references. I found some sample iptables scripts here on linuxquestions.org to get me started. Now, I can't think of doing it any other way.

Also, there are alternatives to editing the iptables script directly. You could try using guarddog, which is a utility for iptables configuration.
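The direction mistake spurious describes (accepting new flows with -i on the WAN side and masquerading on a LAN side) is easy to make when the rules are typed one `iptables -A` at a time. The script below is an added example, not code from this thread or from any poster: it generates a complete ruleset in iptables-restore format for the layout under discussion (eth0 = WAN, eth1 and eth2 = LANs), so the whole thing can be read and diffed before it is loaded, and loaded atomically. The interface names and subnets are assumptions; eth2 is placed on its own 192.168.2.0/24 so the two LANs are distinguishable, and it opens no admin ports (ssh, http) on the router at all.

```shell
#!/bin/sh
# Added example, not code from the thread: build a complete iptables-restore
# ruleset for a router with one WAN NIC and two LAN NICs. The interface names
# and subnets are assumptions matching the thread's layout, with eth2 moved
# to its own /24 so the two LANs can be told apart.
EXT=eth0
LAN1=eth1; LAN1_NET=192.168.1.0/24
LAN2=eth2; LAN2_NET=192.168.2.0/24

# nat_rules only prints the ruleset, so it can be reviewed or diffed against
# `iptables-save` output before anything is loaded.
nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# SNAT is keyed on the OUTGOING interface: one rule on $EXT covers both LANs.
-A POSTROUTING -o $EXT -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Services the router offers to its LANs (DHCP, DNS); nothing is opened on $EXT.
-A INPUT -i $LAN1 -p udp --dport 67 -j ACCEPT
-A INPUT -i $LAN2 -p udp --dport 67 -j ACCEPT
-A INPUT -i $LAN1 -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN2 -p udp --dport 53 -j ACCEPT
# Anti-spoofing: a packet entering on a LAN NIC must carry that LAN's source.
-A FORWARD -i $LAN1 ! -s $LAN1_NET -j DROP
-A FORWARD -i $LAN2 ! -s $LAN2_NET -j DROP
# Return traffic for flows the LANs opened, on any interface pair.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# New flows: each LAN out to the WAN (-i LAN, -o WAN, never the reverse),
# plus both directions between the two LANs.
-A FORWARD -i $LAN1 -o $EXT -j ACCEPT
-A FORWARD -i $LAN2 -o $EXT -j ACCEPT
-A FORWARD -i $LAN1 -o $LAN2 -j ACCEPT
-A FORWARD -i $LAN2 -o $LAN1 -j ACCEPT
# Anything else, notably unsolicited inbound from $EXT, is logged (rate
# limited) and then falls through to the DROP policy.
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

case "${1:-}" in
    --apply)
        # iptables-restore loads the whole set atomically: a typo loads nothing
        # instead of leaving a half-built (and possibly wide-open) firewall.
        echo 1 > /proc/sys/net/ipv4/ip_forward
        nat_rules | iptables-restore
        ;;
    *)
        nat_rules
        ;;
esac
```

Run it with no arguments to print the ruleset; run `./nat-rules.sh --apply` as root to load it. Once loaded, `iptables -L FORWARD -v -n` shows per-rule packet counters, which is the quickest way to see which of the two LAN rules a client's traffic is actually hitting (or whether it is landing on the LOG rule instead).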

peter_robb 03-14-2004 11:34 AM

Quote:

My setup is like this:
eth0 ---> cable internet
eth1 ---> my computer connects to the router through this device; dhcpd sends
out an IP to whoever connects on this device (eth1="192.168.1.1 broadcast 192.168.1.255 netmask 255.255.255.0")

eth2 ---> my other computer connects to the router through this device; dhcpd sends
out an IP to whoever connects on this device (eth2="192.168.1.2 broadcast 192.168.1.255 netmask 255.255.255.0")
and..
Quote:

#!/bin/bash

export IPTABLES=iptables
EXTIF="eth1"
INTIF="eth0"
and..
Quote:

echo " FWD: Allow all connections OUT and only existing and related ones IN"

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
Looks like you want to use eth0 as external, and eth1 & eth2 as internal, but
your iptables rules read differently..

Try
Code:

$IPTABLES -A FORWARD -i eth1 -o eth0 -j ACCEPT
$IPTABLES -A FORWARD -i eth2 -o eth0 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

You must have different subnets on eth1 & eth2
If eth1 is 192.168.1.x then eth2 needs to be different, eg 192.168.2.x
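peter_robb's point about separate subnets also reaches into dhcpd.conf. dhcpd serves a subnet declaration on whichever interface has an address inside that subnet, so with eth1 and eth2 both inside 192.168.1.0/24 the one declaration in the original post is served on both NICs, the router itself has two addresses in the same /24 (and eth2's 192.168.1.2 sits inside the pool, which starts at .2), and the kernel has only one route for that /24. The configuration below is an added example, not the poster's file: it assumes eth1 = 192.168.1.1/24 and eth2 = 192.168.2.1/24, keeps the original lease times and domain name, and disables dynamic DNS updates on the assumption that they are not needed.

```conf
# Added example, not from the thread: dhcpd.conf for a router whose two LAN
# NICs sit on different subnets (assumed: eth1 = 192.168.1.1/24, eth2 = 192.168.2.1/24).
# dhcpd serves each subnet declaration only on the NIC whose address falls in it.
ddns-update-style none;
default-lease-time 1200;
max-lease-time 9200;
authoritative;

# Options common to both LANs
option domain-name "the.name.of.my.domaine";

# Served on eth1 (192.168.1.1)
subnet 192.168.1.0 netmask 255.255.255.0 {
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1;
  option broadcast-address 192.168.1.255;
  # .1 is the router itself; keep the pool clear of it
  range 192.168.1.10 192.168.1.100;
}

# Served on eth2 (192.168.2.1)
subnet 192.168.2.0 netmask 255.255.255.0 {
  option routers 192.168.2.1;
  option domain-name-servers 192.168.2.1;
  option broadcast-address 192.168.2.255;
  range 192.168.2.10 192.168.2.100;
}
```

Start it as in the original post (`dhcpd eth1 eth2`). The `routers` and `domain-name-servers` options move out of the global section and into each subnet block because the correct gateway differs per LAN; a client on eth2 told to use 192.168.1.1 as its router has no route to it. With the NICs renumbered this way, the interface name in a FORWARD rule and the subnet in the anti-spoofing check agree, so `iptables -L FORWARD -v -n` counters tell you unambiguously which LAN a dropped packet came from.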


All times are GMT -5.