LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices



Reply
 
Search this Thread
Old 07-19-2004, 07:40 AM   #1
thegeekster
Member
 
Registered: Dec 2003
Location: USA (Pacific coast)
Distribution: Vector 5.8-SOHO, FreeBSD 6.2
Posts: 513

Rep: Reputation: 33
Project questions -> old pc as a gateway/proxy server for home


Okay, I have an old pc I want to use for a gateway, which will only be connected to one other machine..........Currently , I have a Comcast cable connection (with 3 Mbit cap on downloads, can't remember what the upload cap is) and what I'm looking to do is:

1) Run home HTTP and private FTP servers, no mail server, but maybe bittorrent later on............
2) Limit or throttle bandwidth for those downloading from my servers, mostly for binaries (pix, executable, archive files, etc)
3) Allow me unlimited access to the internet through the gateway
4) Able to use my main pc for storing the files for my ftp server

Hardware:
> '95 Compaq Presario 7180 desktop
> Pentium 100 CPU (i586)
> 64 MB EDO RAM
> 2 3COM NICs - 3C509B-TPC and 3C509B-TPO
> Seagate 4.2 G hard drive
> Seagate 1.2 G hard drive (original drive)
> Samsung 52x CDROM
> Compaq 14" monitor (original monitor)
> Comcast cable modem (Terayon TJ-715)
> one crossover cable with the RJ45 connections
(NOTE: The Compaq uses an old Phoenix BIOS which has the 8 G limitation on hard drives.)

I will be installing Slackware using the latest 2.4 kernel, minimum install without GUI........maybe even removing stuff from the minimum install not needed.......with gShield to configure the firewall cause I'm used to it and is suitable for my needs (don't know enough about iptables yet to make my own firewall script)..........I currently have Apache for my HTTP server (currently using 1.3.29, but will upgrade to the latest 1.3 version), and Pure-FTP for my ftp server......I also have Webmin installed on my main machine which I plan on using to administer the gateway machine

Now, what I was wondering is should I go with Squid for the proxy server............I mostly want it for bandwidth control, not necessarily for the caching since I will only have one machine to serve, but I probably will use some caching..........Or is there a better alternative (TIS, SOCKS...?)........

Also, what would be the best way to handle the servers..............keep them on my main machine or move them over to the old one........

For the web server, I'm going to be creating a personal site called "The Slack Corner" (Yes, another Slack site.... ) which will deal with Slackware, Linux, Open Source, Bash scripting, Slackware packages, and such........I've already got the domain name from DynDNS.org (slackcorner.homelinux.net), from their free Dynamic DNS service.......

And what I would like to do is to use the gateway machine for serving the web content, but store the packages and other binaries on my main machine where I have more room, since I can't use today's modern hard drives on the old machine (nothing over 8 G).........So I'm looking for some advice on the best approach for doing that............I currently use ReiserFS for my partitions.....

So the bottom line is to use the old machine for the servers, and use my main machine for a desktop, but also use dedicated partitions on my main machine for use by the servers on the old machine...........and control the bandwidth for inbound traffic on large files, but allow me unlimited internet access for browsing downloads, or as much as possible without interfering with those who may be downloading from me.............Hope I'm making myself clear...

This is mainly an exercise in network administration for me, a hands on approach, but I love to share, so my web site is also for the benefit of others, not just myself.......Any advice, problems I may encounter, pat on the back, etc., will be very much appreciated...........


Last edited by thegeekster; 07-19-2004 at 07:43 AM.
 
Old 07-19-2004, 11:28 AM   #2
maxut
Senior Member
 
Registered: May 2003
Location: istanbul
Distribution: debian - redhat - others
Posts: 1,188

Rep: Reputation: 50
what we can say about a pentium 100 :-)
http://www.szabilinux.hu/bandwidth/
 
Old 07-19-2004, 12:15 PM   #3
Bill Gates 666
Member
 
Registered: Dec 2003
Location: Cambridge
Distribution: Arch
Posts: 68

Rep: Reputation: 22
Hi

Firewalling, bandwidth shapping, etc. are all good on a P100.

I use Squid myself with SquidGuard - which is useful for blocking adverts in webpages!! I don't see much speed up from Squid (I'm running MDK 9.2 on an Athlon 2000+ at run level 3 i.e. no X-windows)... but I am sure it helps a bit (e.g. caching images, etc.)!! I would switch to the 2.6.xx kernel but I have problem with the PCI ADSL modem I have (which has no updated drivers)... If you can I would try and use the 2.6.xxx kernels 'cause its like NxO!!

If you want bandwidth control you should qdiscs and iptables which are both part of the 2.4.xxx and 2.6.xxx kernels. They work very efficiently on any old hardware. :-) By all means use throttling if its built into a server!!

Your real problem is HD space on the P100 machine for serving images, tec. If you want to get more space than the current HD 5Gbyte(~) capacity..have you considered a 10-20Gbyte external Firewire 400 drive which would get round the IDE size limitation in BIOS? They are coming down in price all the time and work very well (!!) with Linux... If you can get a cheap FW card that works with your motherboard BIOS of course...

I would use a much lighter webserver (like Turbo HTTPD) on the P100 machine:
http://www.acme.com/software/thttpd/benchmarks.html
Quoting: "Don't get too excited over the performance figures. Most of these servers have enough oomph to keep a T1 saturated, running on a lowly 100MHz Pentium or maybe even a 486. Very very few web applications need more power than that. So, the fact that Apache is not that fast shouldn't be of concern to most people"
You might have a problem with your P100 small memory size and Appache. Turbo HTTPD has a much smaller memory footprint.
It has throttling, etc. which you said you needed.

I have both webservers running on my Linux box (Appache and Thttpd). THTTPD appears to be quite easy to setup.

Hope that helps a bit. I am complete newbie so take my advice with a pinch of salt!!

_______________________
Bill Gates #666 (aka Robert)
 
Old 07-19-2004, 03:52 PM   #4
thegeekster
Member
 
Registered: Dec 2003
Location: USA (Pacific coast)
Distribution: Vector 5.8-SOHO, FreeBSD 6.2
Posts: 513

Original Poster
Rep: Reputation: 33
maxut:
Thanx for the URL................I've bookmarked several Linux HOWTOs already for this project, but didn't see that one........


Bill Gates 666:
Quote:
I use Squid myself with SquidGuard - which is useful for blocking adverts in webpages!! I don't see much speed up from Squid (I'm running MDK 9.2 on an Athlon 2000+ at run level 3 i.e. no X-windows)... but I am sure it helps a bit (e.g. caching images, etc.)!! I would switch to the 2.6.xx kernel but I have problem with the PCI ADSL modem I have (which has no updated drivers)... If you can I would try and use the 2.6.xxx kernels 'cause its like NxO!!
What is SquidGuard exactly..........about all I know is it's an addon for Squid....

I think I will start with the 2.4 kernel 'cause I'm already familiar with it and haven't used the later kernel yet. Maybe I'll run the 2.6 kernel later, after I get something setup and running decently.......

Quote:
If you want bandwidth control you should qdiscs and iptables which are both part of the 2.4.xxx and 2.6.xxx kernels. They work very efficiently on any old hardware. :-) By all means use throttling if its built into a server!!
I was planning on using iptables, and use gShield to configure it with, as I mentioned above.........However, I'm not familiar with qdiscs yet.........................I know I have quite a bit of reading to do, but what would be the best way to handle qdiscs?..........

Quote:
Your real problem is HD space on the P100 machine for serving images, tec. If you want to get more space than the current HD 5Gbyte(~) capacity..have you considered a 10-20Gbyte external Firewire 400 drive which would get round the IDE size limitation in BIOS? They are coming down in price all the time and work very well (!!) with Linux... If you can get a cheap FW card that works with your motherboard BIOS of course...
I know about the drive size limitation I have, which is why I'm looking for a way to efficiently utilize the existing partitions on my main machine which can be served from the old one...............Or would I be better off to keep the Apache and Pure-FTP servers on my main machine and just do a port forwarding? I would like to move as much of the servers I can to the old machine, which will help to ease the amount of processes running on my main machine for desktop use, but if it's better to keep the HTTP and FTP severs on the desktop machine, then so be it............Also, I do have an old SCSI card I can drop in, if that would help, but I don't have any SCSI drives...........

I'm not looking to spend any more money than is necessary, being on a tight budget, and want to make use of what I already have lying around..............Which is what this project is about - putting to good use OLD hardware I already have, besides learning about Linux networking.......

Quote:
I would use a much lighter webserver (like Turbo HTTPD) on the P100 machine:
http://www.acme.com/software/thttpd/benchmarks.html
Quoting: "Don't get too excited over the performance figures. Most of these servers have enough oomph to keep a T1 saturated, running on a lowly 100MHz Pentium or maybe even a 486. Very very few web applications need more power than that. So, the fact that Apache is not that fast shouldn't be of concern to most people"
You might have a problem with your P100 small memory size and Appache. Turbo HTTPD has a much smaller memory footprint.
It has throttling, etc. which you said you needed.
I'll look into that thttpd.........but as you have in your quotes, Apache should be enough to do the job........................I'll be compiling all the software I will need, which is not a problem for me (I am well-versed compiling stuff for Slackware), so I can tweak the compiling especially for the i586 CPU.........

As for the P100 memory, it has a bigger L2 cache than my main computer which is running an Athlon AMD 900 (K7) CPU...........It's the RAM which may be a bit of a concern, but the process forking under Apache can be controlled somewhat which should help with the memory footprint............

Apache also has a couple of third-party mods for throttling - mod_bandwidth and mod_throttling - which can be easily added............But I will look into thttpd, tho'........


Thanx for the replies so far...................Anyone else, please feel free to step in if you have any tips, something to add, or if there's something else I'm overlooking..........
 
Old 07-19-2004, 05:47 PM   #5
Bill Gates 666
Member
 
Registered: Dec 2003
Location: Cambridge
Distribution: Arch
Posts: 68

Rep: Reputation: 22
Hi mate,

Uhhm. By P100 memory I meant the memory size on that machine. I would of said processor cache otherwise. With 64mbytes I think Appache is out of the window... thttpd might fit in. Like you say the best solution is to port forward to other machine. Keep your current disc setup. Run squid on your faster desktop as well (it benefits from extra CPU). You need memory and HD space for it. YOU WANT STUFF TO BE CACHED IN THE RAM - 64 MBYTES WON'T CUT IT!! (You prob. need 512 mbytes++ for this).

I recommended the 2.6.xxx kernel for your P100 machine. However if you do run lots of servers on your desktop you MUST run the 2.6.xxx kernel on it!! An AMD Athlon 900 ain't gonna beat any processor speed records. Hell I built my router up with Athlon 2000+!! - the price differential on buying a new Athlon at the cheaper end is very small :-) But I run Squid, Appache and a mail server on it so I do occasionally need the extra CPU power.

The response time for starting applications in X on a 2.6.xxx-based Linux/GNU system has to be seen to be believed!! I tried it out a few months ago and was amazed... You wouldn't notice much slow down or lack of responsiveness with the background servers using it. The new kernel makes Windows XP Pro look like it is standing still!!

However I can't use the new kernel on my Linux box because its such a radical rewrite... Even on uniprocessor (non-hyperthreading) systems all hardware driver modules have to be re-enterant as the kernel is no premptive (i.e. it can be interrupted by high priority interrupts - like HD transfers). My PCI Conexant ADSL modem Linux driver is no longer maintained by the company. Its very reliable though I find (I quite often max out my 2mbit line through it)...

SquidGuard just allows you to redirect URLs based on domain names, partial URLs, or regular expressions to your own content. I just use SquidGuard to display a blocked advert message for certain images I detect as adverts mainly through regular expression matching on:
.../ad[vert][s]/...
sort of thing. Works pretty well. You can also block flash movies, etc. I find it very handy for reading webpages without getting distracted by crap :-)
You can google to get URL (its just something like www.squidguard.org).

Check out the Linux Advanced Routing website:

http://lartc.org/

for details of iptables and qdiscs. The site also has sample shell scripts to help you get started. Its really good!!
The mailing list is helpful as well. I use a simple HTB (Heriachical Token Bucket filter) qdisc tree to bandwidth shape uploads on my ADSL modem interface. Its great for Windblows (pphlewww... :-) 'file sharing' clients like Direct Connect which saturate your upload and would unchecked basically grind your DSL/cable link to a trickle!! I just wrote a shell script which I call from within Shorewall (a firewall based on simple scripts, config files and iptables) which just basically sets up the HTB tree. HTB is preferable to CTB (which you will also see) as its easier to setup.

Both qdiscs and iptables are setup with simple shell commands but they alter the settings for modules compiled as part of the kernel. So basically they are really efficient and run in the background as part of the Linux kernel and don't steal many CPU cycles.

Sorry for all the wauffle!!

___________
Bill Gate #666
 
Old 07-20-2004, 05:58 PM   #6
thegeekster
Member
 
Registered: Dec 2003
Location: USA (Pacific coast)
Distribution: Vector 5.8-SOHO, FreeBSD 6.2
Posts: 513

Original Poster
Rep: Reputation: 33
Okay, after looking around some more it looks like I'll have to keep the HTTP server on my main machine, but maybe using a hybrid setup with Apache/thttpd/lingerd.......I was planning on using PHP, which thttp isn't really designed for (tho' it can be patched for it), but after looking around, I find that a few high-traffic sites use Apache/thttpd, where Apache serves the dynamic content and thttpd serves the static content (such as images and other such files).........

Then I came across lingerd which basically does the lingering and closes the connection started by the web server..............This allows Apache or thttpd to reduce their CPU and RAM usage by allowing them to start the connection then move on to start another one instead of waiting around for a second or two, which is apparently the main bottleneck for Apache (this waiting around to close the connection)......

How it works is you turn off all KeepAlive in the main webserver so it can move on and handle a lot more traffic with less CPU and RAM usage, while lingerd takes over and closes the connection.......Here's part of the README.txt from lingerd:
Quote:
ARE THERE ANY ALTERNATIVES TO LINGERD?

Yes. The "classical" solution to the lingering_close problem, and more
generally, to the problem of having a big Apache/mod_{perl,php} process
spoonfeed data to a slow client on a congested link, is to run a
front-end proxy server. This can be done with of squid, or with a
light-weight Apache configured with mod_proxy and without any scripting.

Lingerd has a number of advantages, and also some disadvantages,
compared to this approach.

Advantages:

- lingerd is easier to set up: no URL rewriting, no multiple webservers,
no reverse rewriting rules.

- lingerd only takes control when Apache is done with the connection, so
there is no extra latency for the client.

- lingerd is easier on system resources: the sent data doesn't get
copied around any extra times between userspace and kernel memory,
the way it does with a proxy. lingerd itself takes very few
resources of its own.

Disadvantages:

- a proxy front-end can double as a cache, as a load balancer and as
a light-weight image server, which lingerd obviously can't.

for an image server, I recommend using a standalone copy of
thttpd (http://www.acme.com/software/thttpd/) or boa
(http://www.boa.org).

for load balancing, this is better done at the IP level, with a
package like Piranha
(http://people.redhat.com/kbarrett/HA/index.html)

- both approaches can still stall the heavy Apache process if the data
to send doesn't fit in the buffers. with lingerd, the maximum data
size that can be handled without slowing Apache down is the kernel's
maximum write() buffer for tcp/ip sockets. since a front-end proxy
goes through two network sockets and a userspace buffer, the maximum
data size that it can handle without blocking is twice the kernel's
tcp/ip write buffer size plus the size of the userspace buffer
(usually 8k or so). see `TUNING HINTS' below on how to increase
the tcp/ip write buffer size with lingerd.

- lingerd is less portable. it should run on any modern Unix, but it
would probably be hard to port to non-POSIX systems. but feel free
to prove me wrong.
So I'll be playing around with with this, setting up the gateway on the old machine with Squid, and see what servers I can put on it along with Squid, and what needs to remain on my main machine................at the very least, I can relieve some of the load from Apache on my main machine with lingerd, which in turn will help since it will also be running an X gui (KDE)........

This will take a bit of time because I will be compiling some of these packages for the old machine optimized for the i586 CPU, but I will check back periodically with some updates (and probably more questions) on my progress................In the meantime, if anyone has anything to add, feel free to step in and post your worth.......


PS: I've already tuned the TCP stack with parameters I found here >> Enabling High Performance Data Transfers, and increased the default read and send windows to 131072 (128K) as well from the original of around 101376 (99K).............These I put in rc.inet2, just before it starts the inetd superserver, like so:
Code:
# Tune the TCP stack
# Values taken from "Enabling High Perfomance Data Transfers
# (http://www.psc.edu/networking/perf_tune.html#Linux)
  echo "Tuning the TCP stack..."
  # Turns on the TCP timestamps, window scaling, and SACK...
  echo 1                     > /proc/sys/net/ipv4/tcp_timestamps
  echo 1                     > /proc/sys/net/ipv4/tcp_window_scaling
  echo 1                     > /proc/sys/net/ipv4/tcp_sack
  # Reasonable values for the default and max receive/send windows and receive/send buffers...
  echo 131072                > /proc/sys/net/core/wmem_default  # default send window
  echo 8388608               > /proc/sys/net/core/wmem_max      # maximum send window
  echo 131072                > /proc/sys/net/core/rmem_default  # default receive window
  echo 8388608               > /proc/sys/net/core/rmem_max      # maximum receive window
  echo "4096 87380 4194304"  > /proc/sys/net/ipv4/tcp_rmem      # memory reserved for TCP rcv buffers
  echo "4096 65536 4194304"  > /proc/sys/net/ipv4/tcp_wmem      # memory reserved for TCP snd buffers
 
Old 07-20-2004, 11:44 PM   #7
thegeekster
Member
 
Registered: Dec 2003
Location: USA (Pacific coast)
Distribution: Vector 5.8-SOHO, FreeBSD 6.2
Posts: 513

Original Poster
Rep: Reputation: 33
I came across another site for tweaking the TCP stack using sysctl (TCP Tuning Guide) and I must say, using their settings has improved my RTT (ping times) dramatically, as well as being much more consistent.................I don't have sysctl installed (Note: I guess it's installed, but I've never used it) so I converted the settings to the method I used above by echo'ing to the appropriate files in the /proc/sys/net directories and subdirectories.................There's a couple of extra tweaks I didn't have before, but it was the changes in the TCP buffer sizes that made the difference........................My ping times were somewhat erratic, ranging from 200ms all the way up to 900ms (but generally around the 300-400 range), and now I'm getting a range of 60-70ms or 70-80ms, depending on the site I'm pinging..........

Here's the new settings I'm using (changes in bold):
Code:
# Tune the TCP stack
# Values taken from "Enabling High Perfomance Data Transfers
# (http://www.psc.edu/networking/perf_tune.html#Linux):
echo "Tuning the TCP stack..."
# Flush the cache in the routing table to allow dynamic resizing for retransmits:
echo 1                     > /proc/sys/net/ipv4/route/flush
# Turns on the TCP timestamps, window scaling, and SACK:
echo 1                     > /proc/sys/net/ipv4/tcp_timestamps
echo 1                     > /proc/sys/net/ipv4/tcp_window_scaling
echo 1                     > /proc/sys/net/ipv4/tcp_sack
# Reasonable values for the default and max receive/send windows and receive/send buffers:
echo 65536                 > /proc/sys/net/core/wmem_default  # default send window
echo 8388608               > /proc/sys/net/core/wmem_max      # maximum send window
echo 87380                 > /proc/sys/net/core/rmem_default  # default receive window
echo 8388608               > /proc/sys/net/core/rmem_max      # maximum receive window
# Linux auto-tuning for snd/rcv buffers ("min default max"):
echo "4096 87380 8388608"  > /proc/sys/net/ipv4/tcp_rmem      # memory reserved for TCP rcv buffers
echo "4096 65536 8388608"  > /proc/sys/net/ipv4/tcp_wmem      # memory reserved for TCP snd buffers
echo "4096 4096 4096"      > /proc/sys/net/ipv4/tcp_mem       # Number of pages, not bytes
# Increase bandwidth for receive host:
echo 2500                  > /proc/sys/net/core/netdev_max_backlog  # Default is 300
Thought I'd share this for anyone who may be interested............

Last edited by thegeekster; 07-21-2004 at 01:24 AM.
 
Old 07-21-2004, 11:24 AM   #8
Bill Gates 666
Member
 
Registered: Dec 2003
Location: Cambridge
Distribution: Arch
Posts: 68

Rep: Reputation: 22
Hi

Thanks for that info. Thats very interesting I will investigate further when the TCP Tuning Guide http://www-didc.lbl.gov/TCP-tuning/buffers.html link is back up (did you save any of the pages from this site BTW)!!

So you are telling your box to negotiate from 65Kbyte windows up to 8mbyte windows for good connections. My current values are about 65Kbyte to 128Kbyte max (the defaults).

But I don't see how any of this tinkering would affect ping times?? Basically you are affecting TCP stack parameters which increase throughput not latency. I.e. for a ony-way TCP stream less reverse stream ACKs are needed for high window values. This wouldn't affect ping times as they use the ICMP protocol (i.e. not TCP).

If you are testing your setup by saturating your link upstream and/or downstream and then pinging you would be better of with QOS bandwidth shapping qdiscs. The idea is to rate limit uploads to below link saturation capacity to avoid large queues of upstream packs building up at your ISP. This dramatically increases latency for the connection. My quoted upstream is 256kbit/s, my maximum actual upstream is about 240kbit/s but I rate limit my upload to only 180kbit/s.

It depends what kind of broadband connection you have. If its DSL then this technique is essential to improve latency (DSL upstream is always heavily buffered). Because downstream is dependent on the latency of the upstream TCP ACK packets you also improve downstream throughput.

I am concerned about you altering the /proc/sys/net/ipv4/tcp_mem setting!! These 3 settings are determined by Linux at boot by the amount of
available RAM. You are talking about allocating 16mbytes of RAM permanently for TCP buffering. This can't be paged and MUST ALLOCATED IN RAM.
If you are doing this on the P100 machine with 64mbytes of RAM you could break it if you try to run much else on it. My Linux box with 512mbytes of RAM defaults to this setting (i.e. 4096 x 4Kbyte pages)!!


Hope you find this info useful!!

____________
Bill Gates #666
 
Old 07-23-2004, 03:44 PM   #9
thegeekster
Member
 
Registered: Dec 2003
Location: USA (Pacific coast)
Distribution: Vector 5.8-SOHO, FreeBSD 6.2
Posts: 513

Original Poster
Rep: Reputation: 33
FYI - The tweaks I posted above are what I've set on my main machine, not the old one.............

It seems this might take longer than I planned..................I'm having trouble with the NICs................I finally got Slack to recognize and assign the IRQs for them at boot time, but dhcpcd isn't working like it should.............When it sends the DHCPC_BROADCAST request, it times out...............ifconfig doesn't list either of them, only the loopback device (lo).......and 'cat /proc/interrupts' doesn't show the assigned IRQs (IRQ 5 and IRQ 10)...................How I got them to be initially recognized by the kernel is by putting these lines in /etc/modules.conf:
Code:
alias eth0 3c509
alias eth1 3c509
Also, for some reason the kernel wants to use the SCSI driver for the CDROM, even though it's an IDE device and not a burner............and the kernel wants to load the USB drivers, but there is no USB ports at all, even when passing the 'nousb' option to the kernel at boot time it still loads the driver............Also, the agpgart driver wants to load, but there is no AGP bus, the video is an onboard S3 Trio chip (VGA compatible controller: S3 Inc. 86c764/765 [Trio32/64/64V+]).............

I think I'll need to disable hotplugging altogether for this old machine.................I've been roaming the 'Net, but if anyone has any suggestions, I'm all ears.......


PS: For those unfamiliar with the 3C509 network cards, they're ISA cards.........

Last edited by thegeekster; 07-23-2004 at 03:49 PM.
 
Old 07-27-2004, 01:18 AM   #10
thegeekster
Member
 
Registered: Dec 2003
Location: USA (Pacific coast)
Distribution: Vector 5.8-SOHO, FreeBSD 6.2
Posts: 513

Original Poster
Rep: Reputation: 33
Okay................I was able to solve the problem with connecting to the Internet, which I've outlined in this thread, http://www.linuxquestions.org/questi...22#post1071422 ..........

Now I have to solve the problem of getting the "LAN" part to work (that is, getting them to talk to each other).................I've tried setting up the network using the subnet of 192.168.1.0/255.255.255.0, but neither machine can ping each other (and I haven't blocked ICMP echo requests in the firewall).........The server is using the the LAN address of 192.168.1.254 as a router address on the eth1 card, and my desktop is using 192.168.1.10 for it's ip address............I know the cable is okay, because I was able to setup the DHCPD daemon (usr/sbin/dhcpcd eth1) in the server and my desktop machine is able to get the correct settings................Which means I'm missing something else.................I've placed the line "ALL: ALL" in /etc/hosts.deny on the server, and put the line "ALL: 127.0.0.1, 192.168.1." in /etc/hosts.allow, which should allow the whole subnet access to the server...........I've also enabled port forwarding (echo 1 > /proc/sys/net/ipv4/ip_forward), recompiled the kernel to support masquerading and nat................I've been reading all the howtos I can get my hands on, but something is missing.........I cannot access the Internet from my desktop machine when connected to the server, and neither one can ping each other...............

If anyone can offer some tips, add something else, please, please step in.........
 
Old 07-27-2004, 04:37 AM   #11
Bill Gates 666
Member
 
Registered: Dec 2003
Location: Cambridge
Distribution: Arch
Posts: 68

Rep: Reputation: 22
Hi again,

Glad you got that ISA sorted out :-)

I am bit confused about your setup now!! You have eth1 (an ISA card) on your router hooked up to your desktop and manually (??) setup with LAN IPs (i.e. your not running a DHCP server on the router).

The /etc/hosts.allow & /etc/hosts.deny are only used for the INETD superserver on my distro (ie a server which listens on behalf of other networking programs to save memory).

So you can't ping each other over the 192.168.1.x LAN eh?!! Whats the output of:

#ip route
#ifconfig

on both machines (as root)? (or the depreciated <route> command if you're using an older kernel)

What Firewall are you using? Perhaps you could post the config file (if its not too long) here... Even if its just iptables commands in a shell script perhaps you can post that? Which machines are running firewalls (ie. both or just the router)??

Can you ping out to the internet from your router?

Basically you just need to systematically eliminate problems. Should be easy to sort out (unlike that nasty ISA card problem)
____________
Bill Gates #666
 
Old 07-27-2004, 04:14 PM   #12
thegeekster
Member
 
Registered: Dec 2003
Location: USA (Pacific coast)
Distribution: Vector 5.8-SOHO, FreeBSD 6.2
Posts: 513

Original Poster
Rep: Reputation: 33
Quote:
Originally posted by Bill Gates 666
Hi again,

Glad you got that ISA sorted out :-)

I am bit confused about your setup now!! You have eth1 (an ISA card) on your router hooked up to your desktop and manually (??) setup with LAN IPs (i.e. your not running a DHCP server on the router)....
Hi, Bill

Yes, eth0 is an external connection and eth1 is an internal LAN connection, and I'm trying to manually set up the LAN part.................I did successfully set up DHCP on the gateway router (which I'll be referring to as the gateway machine from here on) with the command '/usr/sbin/dhcpd eth1' and the desktop machine was able to successfully obtain the correct ip address using 'dhcpcd; command (not to be confused with 'dhcpd' server daemon), leading me to believe the cable itself isn't the problem (yet they still couldn't ping each other, while I can browse the net with the gateway machine using a text browser)............But I want to set the LAN up without using the DHCPD daemon on the gateway router to conserve resources as much as possible.........

Either way, I can ping the outside world from the dual-homed gateway machine, but I can't ping the other machine on the internal LAN side, nor connect to the outside from my desktop machine through the gateway machine...........Right at this moment I took the gateway machine offline and hooked the desktop directly to the cable modem so I can research some more (it was getting a bit tedious surfing the 'Net with a text browser since the gateway machine doesn't have X installed, and I'm a bit spoiled with GUI browsers )............I'll hook everything back up and post the output of the route and ifconfig commands, but I did check them out and everything seemed to be in order when I had the gateway machine online.......

For the firewall, I'm using gShield on both machines, which uses a config file to set the rules.................I've enabled NAT for the LAN which is comfirmed with the message, "[gShield] 192.168.1.0/24 authorized for NAT", when I start gShield...............I also thought there was a problem with the firewall, so I disabled the firewall on both machines, which flushes the rulesets when using the 'stop' command on gShield's startup script, and still couldn't ping each machine on the LAN...........

Being new to Linux networking, it's probably something very simple which I've overlooked............Anyway, I'll be back a little later to post the outputs after putting the gateway machine back online, which means I'll be posting from the text browser until I can get this sorted out.........I'm still a little foggy on the whole IP address / Netmask / Subnet Mask / Gateway terms and concepts, which is probably part of my dilemma, ie., not definig the LAN correctly in the various config files, so I'm doing some more homework to get these terms and concepts firmly in mind...................
 
Old 07-27-2004, 05:28 PM   #13
Bill Gates 666
Member
 
Registered: Dec 2003
Location: Cambridge
Distribution: Arch
Posts: 68

Rep: Reputation: 22
Hi

It is a bit difficult to help someone using a different distro. I know Slack streamlines the startup scripts a lot versus Mandrake which I use. Having said that I am considering putting Slack on my Linux box as I am running minimal install anyway... Probably do away with a lot of SysV5 startups and run stuff under Dr D. J. Bernstein's Daemon Tools packages. Would be a lot faster, more reliable and streamlined. As the box is overpowered for what it does I probably won't touch it in the near future

This is my config. file for my LAN facing ethernet interface (ifcfg-eth0 - /etc/sysconfig/network-scripts):
DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.0.1
NETMASK=255.255.255.0
NETWORK=192.168.0.0
BROADCAST=192.168.0.255
ONBOOT=yes
MII_NOT_SUPPORTED=yes

I guess you have found the equivalent network card startup file for Slack (presuming it has a similar arrangment) if you have got access to the cable modem?? Or have you accidently assigned the ethernet cards to be DHCP clients without running a DHCP server on the LAN. That might mess things up!!

My Linux box has a DHCP server running which assigns static IP addresses based on the MAC address of the client machine (all Winblows boxes). I need DHCP assigned static addresses to allow port forwarding (for the usual not strictly legal reasons :-).

Here is my /etc/dhcpd.conf file (with a bit of * privacy added in ). It used by the DHCPD server which runs off a standard SysV5 script in Mandrake. Surprising easy to setup
___________________________________________________________________
ddns-update-style none;

default-lease-time 100000;
max-lease-time 200000;
option subnet-mask 255.255.255.0;
option routers 192.168.0.1;

option domain-name-servers 192.168.0.1;
boot-unknown-clients false;


subnet 192.168.0.0 netmask 255.255.255.0 {

group {
use-host-decl-names true;

host robs-printer {
hardware ethernet **:**:**:**:**:**;
fixed-address 192.168.0.*;
}

host robs-laptop {
hardware ethernet **:**:**:**:**:**;
fixed-address 192.168.0.*;
}

host robs-desktop-01 {
hardware ethernet **:**:**:**:**:**;
fixed-address 192.168.0.*;
}

host daves-desktop-01 {
hardware ethernet **:**:**:**:**:**;
fixed-address 192.168.0.*;
}

host daves-desktop-02 {
hardware ethernet **:**:**:**:**:**;
fixed-address 192.168.0.*;
}
}

}
___________________________________________________________________

When you stop Shorewall (the firewall I use - which is based on shell scripts which use Iptables) it goes into a kind of emergency lock down mode which stops a lot of network accesses (unless overridden in the config. files). Does gShield do something similar?? (A bit of a long short I'm afraid)...

____________
Bill Gates #666
 
Old 07-28-2004, 09:51 AM   #14
thegeekster
Member
 
Registered: Dec 2003
Location: USA (Pacific coast)
Distribution: Vector 5.8-SOHO, FreeBSD 6.2
Posts: 513

Original Poster
Rep: Reputation: 33
Hooray...................Finally got it working..............Both machines can ping each other and I can surf the 'Net from my desktop through the gateway machine............

Turns out I overlooked two items.......................In the desktop machine, I forgot to add the appropriate nameserver entry in /etc/resolv.conf, and for the gateway machine I needed to start bind (by making bind's startup script, /etc/rc.d/rc.bind, executable) so my desktop machine can use the gateway machine to resolve hostnames on the internet.........

I'm also able to use full-duplex mode with both ISA cards on the gateway machine wihtout any apparent collisions or loss of speed (The NIC in my desktop machine is a newer PCI card which probably has an auto-detection feature for the mode)............

Quote:
...I guess you have found the equivalent network card startup file for Slack (presuming it has a similar arrangment)...
Yes, in Slackware, all startup scripts reside in a single directory, /etc/rc.d.............The script which checks for the ethernet cards is called /etc/rc.d/rc.inet1, which has a config file located in the same directory, called /etc/rc.d/rc.inet1.conf.........This config file actually uses array variables used by the rc.inet1 startup script, although it doesn't have a whole lot of variables to use for each interface, only aks for the ip address and netmask and the default gateway ip........or if you are using DHCP, instead.............I guess it doesn't really need a lot of variables defined because the rc.inet1 startup script does some extensive probing and checking to get the rest of the needed info to start the cards............(I forgot to define the default gateway variable at the bottom of the config file for my desktop machine which was part of the problem I was having)...........

I did try the DHCPD server daemon, too, but felt it was unnecessary since I only have one machine being served on the LAN...................If I had several Windows boxes then I could see running the DHCPD daemon on the gateway to simplify things.........It did work, tho'. The desktop machine was assigned the correct settings, but I just couldn't get the machines to ping each other on the LAN (until now)..........This is the config I had for the DHCPD daemon in /etc/dhcpd.conf:
Code:
option subnet-mask 255.255.255.0;
option domain-name-servers 192.168.1.1;
ddns-update-style ad-hoc;

subnet 192.168.1.0 netmask 255.255.255.0 {
	host home {
		default-lease-time 2419200;
		max-lease-time 2678400;
		hardware ethernet nn:nn:nn:nn:nn:nn;
		fixed-address 192.168.1.10;
	}
}
As for the firewall, gShield doesn't lock things down when you stop it, it merely flushes the iptables modules........

Now that the work is out of the way, it's time to play and experiment with different configurations, to see what I can get away with and what my limitations are..........


PS: Hey, Bill..........If you need some help with setting up Slackware, I've gotten very familiar with the inner working of Slack, so if you need help, just holler.............

Last edited by thegeekster; 07-28-2004 at 09:52 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Gateway Colorbook Project joney_bravo Linux - Laptop and Netbook 4 07-31-2005 12:27 AM
Proxy or Gateway xowl Linux - Networking 1 02-05-2005 10:44 AM
Squid Gateway / Proxy Server TheRealDeal Linux - Networking 4 12-09-2004 07:20 AM
Fedora Core 2: Personal, home-based email server issues and questions nmsatyagrahi Linux - Networking 1 07-01-2004 01:46 PM
proxy server thru nat gateway. tanmay_79 Linux - General 1 09-10-2001 08:45 AM


All times are GMT -5. The time now is 10:47 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration