I have Red Hat 9 and the computer has eth0 and eth1. Eth0 is the internet and eth1 is the lan and I want to route the internet to my lan. How would i do that?

Maiios

im in a good mood so rather than tell u to do a search, i'll give u a howto.

im going to assume your internet connection on eth0 works so im skipping all that:



Step 1. Stetting up eth1

a) Give eth1 and ip address, netmask and bcast address:


Step 2. Setting up IP routing



a) turn on IP forwarding

1. turn it on now

2. set it to always be on when u reboot

edit the file /etc/sysctl.conf
change the line that says

#net.ipv4.ip_forward = 0
to
net.ipv4.ip_forward = 1


b) add entry in routing table
route add -net 10.10.10.0 netmask 255.255.255.0 eth1

(this may be optional but it would come in handy if u added more NICs and networks
to your box).


Step 3. Setting up NATing (iptables and such)

i wont go deep into iptables here but you will want to learn them (ASAP!!!)

you should maybe make a script so what i'll do is make this next section
copy and pastable as a script and then i'll tell u what to do with it.

1. put this in a file called something like rc.firewall
2. edit any IP addresses and such
3. save the file and put it in /etc
4. open up the file /etc/rc.local and add the line:

sh /etc/rc.firewall

5. go ahead and run the script to get the rules going without having to reboot:

sh /etc/rc.firewall



Step 4. Setting up the Windows box (assuming win2k/XP if 98/ME let me know)

1. get to the control panel

in win 2k : Start->Settings->Control Panel
xp : Start->Control Panel (could be different if u have a classic menu setup)

in control panel look for network connections
(in xp u might have to click Network and Internet Connections -> Network Connections)

u should see an icon called Local Area Connection (or something similar).

RIGHT mouse click on it and click Properties at the bottom of the menu

in the scroll list in the middle, scroll down to Internet Protocol- TCP/IP and click on it to highlight it

Click the Properties button located below the scroll box (it becomes enabled when u highlight TCP/IP)

A box opens up:

for IP Address: 10.10.10.2 (2 can be anythign from 2-254, 0 is illegal and .1 is the router)

Netmask 255.255.255.0
Gateway: 10.10.10.1


DNS: you will have to get these from your ISP, one that works tho is 4.2.2.2 but u should really get these from your ISP and hard code those values here.


Close the the properties, close the Network Config box (close everything).

oh, make sure u have connected the linux box to the winbox via a CROSSOVER cable.

test out the connection and it should work.

if u have problems, click on start->run and type cmd
press enter and u will get a command prompt

c:\> ping 10.10.10.1 see if u get replies back

in linux:

#ping 10.10.10.2 (or whatever u set for the windows IP) see if u get replies back



let me know if something goes wrong.


also, there may be typos in this HOWTO so let me know if anythign goes wrong and my iptables rules really arent the best but i think it should be enough to get you going.

you could always try changing the default FORWARD policy to ACCEPT if u can ping but cant get an internet connection.

another thing,

there is a netconfig script somewhere in red hat that will save the eth1 setting even after reboot, i forgot what the file was tho so if u reboot, u might have to do the ifconfig part over until u fix the file.

Thank you so much! That was really helpful... and a great crash course in learning Linux (incase you couldn't tell... I am a windows native *sniffle*)

I've followed step by step what you wrote.

My need is to have a linux machine with 2 network cards that acts as a router between my lan and the ADSL router.

Your howto seems to be written to face my exact problems.

By the way, even with no drop rules at all, it seems not to work.
The ip_forward flag is set up correctly to 1.
ETH0=192.168.100.11
ETH1=192.168.127.11(my local network is 192.168.127.0/24)
default gateway on the linux router ---> 192.168. 100.1 ( ADSL router)

The default gateway on the lan client is set to 192.168.127.11, and the ip address dynamicallyassigned via a dhcp deamon as 192.168.127.40.
The linux machine is able to navigate into the internet, to ping both the ADSL router and the lan client.
The lan client sees both the ethernet cards into the linux machine(192.168.100.11,192.168.127.11, but is not able to see the other machines attached to eth0, like the ADSL router).

Surely my problem will be related to something really trivial, but after having read a lot of posts, a lot of howto(like the gateway howto, the adv routing howto), I'm not able to see anything at all.

Have you any idea regarding what can I search for to solve my problem?
I have actually set the dns address of a dns server on the internet, but I don't think it is relevant if I type manually ip address... dns is for name resolution, isn't it?

This is the result of a ping to the ADSL router from the host 192.168.127.40, but I'm not really able to fully understand the meaning of the results...

[root@proxy01 netfilter]# tcpdump -i eth0
tcpdump: listening on eth0
23:08:02.004796 192.168.100.1.router > 192.168.100.255.router: RIPv2-resp [items 1]: {0.0.0.0}(2) [ttl 1]
23:08:02.016256 192.168.100.11.32768 > ns4.tin.it.domain: 2223+ PTR? 1.100.168.192.in-addr.arpa. (44) (DF)
23:08:02.099813 arp who-has 192.168.100.11 tell 192.168.100.1
23:08:02.099856 arp reply 192.168.100.11 is-at 0:3:6d:f1:33:3
23:08:02.100382 ns4.tin.it.domain > 192.168.100.11.32768: 2223 NXDomain* 0/1/0 (104)
23:08:02.101790 192.168.100.11.32768 > ns4.tin.it.domain: 2224+ PTR? 112.112.216.212.in-addr.arpa. (46) (DF)
23:08:02.187739 ns4.tin.it.domain > 192.168.100.11.32768: 2224 1/3/4 (209)
23:08:02.188178 192.168.100.11.32768 > ns4.tin.it.domain: 2225+ PTR? 11.100.168.192.in-addr.arpa. (45) (DF)
23:08:02.269624 ns4.tin.it.domain > 192.168.100.11.32768: 2225 NXDomain* 0/1/0 (105)
23:08:07.094547 arp who-has 192.168.100.1 tell 192.168.100.11
23:08:07.095108 arp reply 192.168.100.1 is-at 0:a0:c5:5d:1e:9f

Thanks Robert, im also in the same scenario having trouble. None of the other guides i found said anything about the iptables setup.

I'll try this when i get home, cheers

Fedora doesnt like the script i guess... iptables is in the sbin dir though

[root@localhost sbin]# sh /etc/rc.firewall
/etc/rc.firewall: line 3: =/sbin/iptables: No such file or directory
/etc/rc.firewall: line 5: =eth0: command not found
/etc/rc.firewall: line 6: =eth1: command not found
/etc/rc.firewall: line 7: =192.168.1.1: command not found
/etc/rc.firewall: line 10: =192.168.1.0/24: No such file or directory
/etc/rc.firewall: line 13: -F: command not found
/etc/rc.firewall: line 14: -F: command not found
/etc/rc.firewall: line 15: -t: command not found
/etc/rc.firewall: line 18: -P: command not found
/etc/rc.firewall: line 19: -P: command not found
/etc/rc.firewall: line 20: -P: command not found
/etc/rc.firewall: line 24: -A: command not found
/etc/rc.firewall: line 25: -A: command not found
/etc/rc.firewall: line 28: -A: command not found
/etc/rc.firewall: line 29: -A: command not found
/etc/rc.firewall: line 33: -A: command not found

On line #3 make sure this is where your iptables is. If your not sure do
find / |grep iptables

Basically the error is that it cannot find iptables where you are telling it to look.

It's there alright.. iptables v1.2.8

How frustrating

F1uX,

I have exactly the same configuration as you describe above and it works fine for me.

Firstly my ADSL router does all the firewall and NATing stuff so I do not have any iptables rules what so ever on my PC with the dual network cards other than to say they are all set to accept. I have simply turned on the ip_forward flag.

This is what I get with the iptables command:

root@rocky:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

This is my routing table on my dual network card PC (edited to suit your configuration). Note that my gateway is set to my ADSL router as this is where I want all packets not bound for my networks 192.168.100.0/24 or 192.168.127.0/24 to go (ie: the Internet):

root@rocky:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.127.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.100.1 0.0.0.0 UG 0 0 0 eth0

Secondly you say that your lan client sees both the ethernet cards in your linux machine but not the other things attached to eth0 such as your ADSL router. My suggestion is that your lan client can see your router but the router does not know where to reply to. In reality it's probably trying to route the network packets bound for 192.168.100.0/24 off onto Internet because they don't match your local network of 192.168.127.0/24.

What I have done is set up a static route on my router to ensure that traffic bound for 192.168.100.0/24 is sent to the PC with dual network cards that being 192.168.100.11.

When you now ping for 192.168.100.1 (my router) it it will figure out where to reply by using the static route in the routing table (ie: it will reply to 192.168.100.11 which will in turn forward the packets onto 192.168.127.11 and then onto my lan client).

All other machines on the network need their gateway pointing to your dual network card PC.

Hope this helps,

Paul.

i am new to linux as well and searched and searched for the right iptables setup to get my rh9 box to work right as a router between my broadband (cable modem) connection and the lan side... if you have your linux box set up as a dhcp server, fine...if not, assign the network card in the linux box that is being used for the lan side a static ip address (you will already have this done anyways if you have the dhcp server portion set up and running properly anyways)... if no dhcp server daemon is running, set all other client machines w/ a staic ip, subnet & dns server info...from there, enter the following lines for iptables.... this worked flawlessly for me.... (below was copied from another website) :-->

As root, run the following commands after you replace YOUR.IP.ADDRESS.HERE with the IP number your ISP supplied.

modprobe ipt_MASQUERADE
iptables -F; iptables -t nat -F
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to YOUR.IP.ADDRESS.HERE
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
iptables -P INPUT DROP
iptables -A FORWARD -i eth0 -o eth0 -j REJECT

These commands are taken from the HOWTO link above. These settings worked for me with a static IP address from my ISP. If you have a dynamically assigned IP address from your ISP, substitute the appropriate lines from the link. Lisa reports that because her IP address was dynamic, she substituted

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
for
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to YOUR.IP.ADDRESS.H

<---:

be sure to pay attention to the part about if your ip address from your isp is either static or dynamically assigned....

you can add the cmds above into your rc.local file to run everytime when your linux machine boots up...

i am pretty sure that the iptables cmds above provide no security whatsoever besides blocking ftp... tweak as you see fit... hope this helps!!

Hey maze_fire,
I tried your code snipet and it froze my box. I double checked it for errors and there were none. Is there something else that I have to do other than put that code into the local file?

is there a particular line that it froze up on after you entered it?

I added it to a file and ran it all. No error popped up. I am not sure.