LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 03-13-2004, 02:11 PM   #1
the_y_man
LQ Newbie
 
Registered: Jan 2003
Posts: 13

Rep: Reputation: 0
nat, multiple NICs


I'm trying to set up NAT router on slackware 9.1 kernel 2.6.4, no X.

my setup is like this
eth0--->cable internet
eth1 ---> my computer connect to the router through this device, dhcpd send
out an IP to whoever connects on this device (eth1="192.168.1.1 broadcast 192.168.1.255 netmask 255.255.255.0")

eth2 ---> my other computer connect to the router through this device, dhcpd send
out an IP to whoever connects on this device (eth2="192.168.1.2 broadcast 192.168.1.255 netmask 255.255.255.0")

my dhcpd.conf file looks like this:

Code:
ddns-updates on;
ddns-update-style ad-hoc;

default-lease-time 1200;
max-lease-time 9200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.1;
option domain-name-servers 192.168.1.1;
option domain-name "the.name.of.my.domaine";

subnet 192.168.1.0 netmask 255.255.255.0 {
   range 192.168.1.2 192.168.1.100;
}


# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

I activate dhcpd:
dhcpd eth1 eth2

both clients get an IP

and my nat script looks like this:

Code:
#!/bin/bash

export IPTABLES=iptables
EXTIF="eth1"
INTIF="eth0"

echo "   Enabling ip_forward, and ip_dynaddr.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo "   clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo "   FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
the client connected to eth1 can surf the web but the client connected to eth2 cannot...both clients cannot ping each other either.

can anybody help? how can i get nat working for the client connected to eth2?
 
Old 03-13-2004, 03:47 PM   #2
tuxguy
Member
 
Registered: Mar 2004
Location: North Bay, Ontario - CANADA
Distribution: Debian
Posts: 77

Rep: Reputation: 15
in your dhcpd.conf file... why not have it assign the the eth's that are in your server IP's via their MAC address - below

host your.host.name {
#eth1
hardware ethernet 00:50:BA:C6:3B:C4;
fixed-address 192.168.1.1;
#eth2
hardware ethernet 00:20:BA:C2:4A:F1;
fixed-address 192.168.1.2;
}
make sure to change the range in the subnet 192.168.1.0 to read

range 192.168.1.3 192.168.1.100;


now for your iptables...

EXTIF="eth1"
INTIF="eth0"


should be
EXTIF="eth1 eth2"
INTIF="eth0"
 
Old 03-13-2004, 04:49 PM   #3
the_y_man
LQ Newbie
 
Registered: Jan 2003
Posts: 13

Original Poster
Rep: Reputation: 0
i fixed my dhcpd.conf file

but the modification to the nat script didnt work, it returned a bunch of syntax errors
 
Old 03-13-2004, 06:49 PM   #4
tuxguy
Member
 
Registered: Mar 2004
Location: North Bay, Ontario - CANADA
Distribution: Debian
Posts: 77

Rep: Reputation: 15
have you ever thought of using arno's firewall script? it has iptables and NAT, port forwarding etc for everything... very easy to setup... and supports more than 2 NIC's...

http://rocky.molphys.leidenuniv.nl/

if you need help trying to setup that firewall up, drop me a line...
 
Old 03-13-2004, 11:48 PM   #5
the_y_man
LQ Newbie
 
Registered: Jan 2003
Posts: 13

Original Poster
Rep: Reputation: 0
Unhappy

It's still not working :-( i'm disappointed with linux...windows ICS is sooo much easier to set up, but i don't have the resources for that
 
Old 03-14-2004, 04:07 AM   #6
carboncopy
Senior Member
 
Registered: Jan 2003
Location: Malaysia
Distribution: Fedora Core, Slackware, Mac OS X, Debian, OpenSUSE
Posts: 1,210
Blog Entries: 4

Rep: Reputation: 45
Quote:
Originally posted by the_y_man
It's still not working :-( i'm disappointed with linux...windows ICS is sooo much easier to set up, but i don't have the resources for that
Windows is easier to set up, easier to crack, easier to get infected with viruses, etc.
 
Old 03-14-2004, 11:08 AM   #7
spurious
Member
 
Registered: Apr 2003
Location: Vancouver, BC
Distribution: Slackware, Ubuntu
Posts: 558

Rep: Reputation: 31
the_y_man, your iptables script only routes for eth1; you don't have any routing rules for eth2. I think that tuxguy's suggestion of assigning EXTIF="eth1 eth2" is giving you the syntax error.

Also, more importantly, you've reversed EXTIF and INTIF. eth0 is your interface to the external world, and eth1/eth2 face your internal LAN. Not that the variable names make much difference, but your script has the following errors:

$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
-- if INTIF is eth0 and EXTIF is eth1, then you're basically accepting ALL traffic from the internet into your LAN. This kind of negates your firewall. It's probably why you can browse from the eth1-connected box even though the following rule is incorrect:

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
-- again, the masquerading rule should be applied on the external interface, namely eth0 in your case. However, since you assigned eth1 to EXTIF, the masquerading isn't functional.

My slackbox is also routing for two computers, eth1 and eth2. This is what I have:
Code:
IPTABLES='/usr/sbin/iptables'
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

# flush rules and delete chains
$IPTABLES -F
$IPTABLES -X

# enable masquerading to allow LAN internet access
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# forward LAN traffic from eth1 to Internet interface eth0
$IPTABLES -A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED -j ACCEPT

# forward LAN traffic from eth2 to Internet interace eth0
$IPTABLES -A FORWARD -i eth2 -o eth0 -m state --state NEW,ESTABLISHED -j ACCEPT

echo -e "       - Allowing access to the SSH server"
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT

echo -e "       - Allowing access to the HTTP server"
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT

# block out all other Internet access on eth0
$IPTABLES -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
I didn't bother assigning eth0/eth1/eth2 to variables; of course, you can, however. Test your firewall with nmap (but be careful with this tool, since you might accidentally scan your ISP which would get you into lots of trouble), or go to a website like www.dshield.org or grc.com.

BTW, although Linux, and iptables in particular, requires more reading and research, I find that once learned, Linux is much simpler and more elegant than Windows. I started my home network with Windows98 Internet Connection Sharing. Since Windows ICS was very poorly documented, I did everything by trial-and-error. And I had to remove and reinstall and reboot ICS many times (and there is only one magic way to do it properly too). Then the ICS server crashed about once per week. I never figured out how to serve more than one workstation from ICS either; I suspect you have to purchase a multi-node licence for ICS.

I switched my ICS server to Linux (Red Hat at first) with the goal of using it to do the internet firewall/gateway thing. Yes, iptables was very difficult at first, and I scoured google for all tutorials and references. I found some sample iptables scripts here on linuxquestions.org to get me started. Now, I can't think of doing it any other way.

Also, there are alternatives to editing the iptables script directly. You could try using guarddog, which is a utility for iptables configuration.
 
Old 03-14-2004, 12:34 PM   #8
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
Quote:
my setup is like this
eth0--->cable internet
eth1 ---> my computer connect to the router through this device, dhcpd send
out an IP to whoever connects on this device (eth1="192.168.1.1 broadcast 192.168.1.255 netmask 255.255.255.0")

eth2 ---> my other computer connect to the router through this device, dhcpd send
out an IP to whoever connects on this device (eth2="192.168.1.2 broadcast 192.168.1.255 netmask 255.255.255.0")
and..
Quote:
#!/bin/bash

export IPTABLES=iptables
EXTIF="eth1"
INTIF="eth0"
and..
Quote:
echo " FWD: Allow all connections OUT and only existing and related ones IN"

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
Looks like you want to use eth0 as external, and eth1 & eth2 as internal, but
your iptables rules read differently..

Try
Code:
$IPTABLES -A FORWARD -i eth1 -o eth0 -j ACCEPT
$IPTABLES -A FORWARD -i eth2 -o eth0 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
You must have different subnets on eth1 & eth2
If eth1 is 192.168.1.x then eth2 needs to be different, eg 192.168.2.x

Last edited by peter_robb; 03-14-2004 at 12:36 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Intel D845GLLY + Multiple Intel Pro 100 NICs + kernel 2.6.x = NICs don't work egable Linux - Hardware 0 02-04-2005 03:30 PM
Multiple NICS in Solaris 8 triley Solaris / OpenSolaris 8 01-06-2005 12:12 PM
Iptables firewall with 4 NICs and nat jod Linux - Security 7 08-06-2003 06:14 AM
router/firewall/nat/dhcp with 5 NICs? nicedreams Linux - Networking 13 06-21-2003 03:26 PM
multiple NICs paulonline2501 Linux - Hardware 2 07-23-2002 06:58 PM


All times are GMT -5. The time now is 12:43 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration