Hi,

I'd like to achieve the following type of setup:

ISP(ADSL router)----eth0[GatewayBox]eth1----[Switch]

...[Switch]
/|\
[PC1] [PC2] [PC3]

*) ISP doesn't give be static-IP, but only dynamic-IP.

I've 4 Linux boxes here.
1) GatewayBox (running CentOS4.6),
eth0: gets DHCP IP from ISP
eth1: IP=192.168.10.1 (statically configured)
2) PC1 [running CentOS4.6], IP=192.168.10.11
3) PC2 [running CentOS4.4], IP=192.168.10.12
4) PC3 [running CentOS4.6], IP=192.168.10.13

I want to achieve the following:
a) Enable DynamicDNS (dynDNS based) for the GatewayBox, s.t. I can reach it from anywhere in the internet.
b) Use "ssh" to get to PC1,PC2,PC3 via GatewayBox from anywhere in the internet.
c) Reach external HTTP/HTTPS site from PC1,PC2,PC3 -- however, this is only desirable, not a must have. Must-have are (a) & (b).

I guess, I need to setup a Gateway with port-forwarding, using "iptables", however, dunno how to proceed ! The Netfilter and "iptables" documentation seems a bit daunting, and most examples are for "Firewall" type application only.

Since, my ADSL router itself has an inbuilt Firewall, so I don't need to enable Firewall feature on the GatewayBox.

Need help/advice in achieving the above.

thanks & regards,
bani

PS> Actually, I also want to replicate the exact same setup also inside a corporate setup, s.t. the ISP-router is to be replaced by a DHCP based connection on corporate LAN... and it's already secure.

Here is a link to a HOWTO on using netfilter to create a gateway:

http://www.yolinux.com/TUTORIALS/Lin...rkGateway.html

Thanks for the link, David.

I did go through that link, but the part where I got stuck was, how do I do the gateway config, if eth0 doesn't have a static IP, but only one given by DHCP !

Anytime.
I reckon you need a bit of scripting to parse the IP address out of the result of "ifconfig eth0" and use it to re-create your iptables definitions.

This will strip out the IP address of eth0:

Code:

ifconfig eth0 | grep "inet addr" | cut -d ':' -f 2 | cut -d ' ' -f 1

You could use it in your ipchains setup like this:

Code:

#!/bin/sh
GATEWAY=$(ifconfig eth0 | grep "inet addr" | cut -d ':' -f 2 | cut -d ' ' -f 1)
ipchains -F forward                                - Flush rules
ipchains -P forward DENY                           - Default set to deny packet forwarding
ipchains -A forward -s $GATEWAY/24 -j MASQ     - Use IP address of gateway for private network
ipchains -A forward -i eth1 -j MASQ                - Sets up external internet connection
echo 1 > /proc/sys/net/ipv4/ip_forward

This assumes you need to use ipchains. If you can use iptables, it is a non-issue.

Thanks again, David. This is really helpful information.

My ISP uses a 12 hours DHCP lease refresh. While most of the time, I've seen that the lease extends, but sometimes, I've seen that the IP-address also changes for the new lease. I believe, the above snippet put in a script will then have to be wrapped into some kind of a cronjob run, periodically, checking change in IP-address as well, right ?

If so, this solution is fine, i.e. better than no solution, but I was hoping to find something which is a bit more seamless.

I use iptables, but I think I'd be able to convert it.

regards,
Banibrata

Maybe you could use the (already numerous and complicated) dhcp-options?

man dhcp-options

Thanks for the tip, shall check it out.

Once I get a cron job set up, they appear seamless to me. I usually put some logging in the script that gets run so I can verify that the cron job ran at the scheduled time. Once I know it is working, I usually forget all about it.

I used a cron job to keep the wireless USB adapter connected to my MythTV box up and running by pinging the gateway once per minute. It ran for months without any problems. Then my wife switched to DirecTV and a DVR. Now the MythTV box is mothballed. MythTV got the last laugh, though: My wife says the DVR is harder to use and it definitely doesn't store as many "Murder, She Wrote" episodes.

I did check out 'dhcp-options' and _boy_ are they many ! While it might have the more elegant solution, however - for the moment, I'd stick with the much more "quick yet functional" solution you proposed David.

Thanks to all who reponded on this thread.

cheers,
Banibrata