LinuxQuestions.org (/questions/)
-   Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/)
-   -   Small Linux Router/firewall behind D-Link Hardware router (https://www.linuxquestions.org/questions/linux-networking-3/small-linux-router-firewall-behind-d-link-hardware-router-170149/)

dleidlein 04-14-2004 03:01 PM

Small Linux Router/firewall behind D-Link Hardware router
 
Hello folks, did a search on the forums but was unable to come up with the answer (not to rule out I didn't try enough search terms). It's a pretty quick one though.

A friend of mine is giving me his old Macintosh (still don't know what year or "version". I know NOTHING about mac) and an old PC. I'm hoping the PC is at least a 386 or better.

Here's the scenario I'm trying to create and I THINK it would work.

We have a cable connection, DHCP IP from Road Runner. My parents have a couple computers so they will probably be using the D-link hardware router to get their IPs. (Unless I can convince them otherwise :D )
I currently get my IP from the router as well. What I want to do is set up the PC as a www/ftp server (Yes, I want three computers in my room), the mac box as a router / firewall, and my main "power" computer as my desktop use machine.
So, first question is, if I can put linux on the mac, I should be able to make it a router, right? Bigger question, is it feasible to have a router behind a router? The reason I ask is the mac box won't necessarily be getting a "public" ip. It gets a 192.168.0.* from the D-link router, and my machines PAST that will also need private internal addresses (right?).
I know the internet is basically a bunch of routers so I ASSUME it will work.
2. will that slow my connection down? Not worried too much about the web/ftp server because this is all just a learning process (I want to get some certifications and also be able to walk into job interviews and say, here's my website, check it out), but I play games (mostly Counter-strike) from my computer so ping from there IS an issue.
3. A DMZ is basically a non-firewalled area? What security concerns will I have if I put my mac box on a DMZ? I'll only have ports 80, 21, and 22 (ssh) open, and only apache, ftp, and sshd running. Eventually I'll add qmail or some other mail server (What is everyone's preference here and why?)

geez that's long, sorry! I try not to post too often and when I do, it's only to show how much of a :newbie: I am. :D

Mara 04-14-2004 04:32 PM

Re: Small Linux Router/firewall behind D-Link Hardware router
 
Quote:

Originally posted by dleidlein

So, first question is, if I can put linux on the mac, I should be able to make it a router, right? Bigger question, is it feasible to have a router behind a router? The reason I ask is the mac box won't necessarily be getting a "public" ip. It gets a 192.168.0.* from the D-link router, and my machines PAST that will also need private internal addresses (right?).

You can do it. The best way will probably be to give the machines 'in' private addresses from a different subnet than the 'main' network (192.168.1.x for example). And you'll probably need NAT (masquerading, in fact) to map your local addresses to the one used by the NIC connected to the hardware router. Or maybe you'll be able to configure the router to map both subnets.
Quote:

2. will that slow my connection down? Not worried too much about the web/ftp server because this is all just a learning process (I want to get some certifications and also be able to walk into job interviews and say, here's my website, check it out), but I play games (mostly Counter-strike) from my computer so ping from there IS an issue.
You shouldn't notice any performance loss.
Quote:

3. A DMZ is basically a non-firewalled area? What security concerns will I have if I put my mac box on a DMZ? I'll only have ports 80, 21, and 22(ssh) open, and only apache, ftp, and sshd running.
In your network there's not much need for a DMZ. You should simply install firewalls on all machines and update them regularly. :)
Quote:

Eventually I'll add qmail or some other mail server (What is everyone's preference here and why?)
I use qmail for most installs and like it. Just installed postfix on a new server (to try something different) and I must say it's also nice and probably easier to install than qmail. So I'll recommend postfix as your first installation, then you can play with qmail :)

dleidlein 04-14-2004 04:52 PM

Thanks so much for the reply

Quote:

In your network there's not much need to DMZ. You should simply install firewalls on all machines and update them regularly.
The reason I ask this is I saw a quote somewhere saying that your firewall should have nothing else running on it.....And on win machines, firewall software seems to hog up resources. I know there's never 100% security but is the difference between having my router block all traffic except ports ** forwarded to the web server, and having that PLUS a firewall on each computer going to do anything? How "intensive" is IPTABLES? as in CPU/memory utilization.

Quote:

The best way will probably be to give the machines 'in' private addresses from a different subnet than the 'main' network (192.168.1.x for example).
Sorry, need a little clarification. Do you mean assign my desktop and the web server a 192.168.1.* address? Then have the linux router (which will have a "public" ip of 192.168.0.102) forward all traffic destined for 192.168.0.102 to 192.168.1.*? And I'm sure it's possible, but how would I have IPTABLES forward those ports I mentioned to a SPECIFIC IP? I think I want all RELATED,ESTABLISHED (so no inbound connections allowed) for my desktop (for gaming, no serving) and the same for the server, also forwarding ports 21, 22, 25, 80, and 110 to the server.

Mara 04-14-2004 05:08 PM

Quote:

Originally posted by dleidlein

The reason I ask this is I saw a quote somewhere saying that your firewall should have nothing else running on it.....And on win machines, firewall software seems to hog up resources. I know there's never 100% security but is the difference between having my router block all traffic except ports ** forwarded to the web server, and having that PLUS a firewall on each computer going to do anything? How "intensive" is IPTABLES? as in CPU/memory utilization.

If you're firewalling 1Gbit Ethernet or you have very high traffic, you probably need quite a powerful machine, but for a normal network a 486 would not have much to do.

Quote:

Sorry, need a little clarification. Do you mean assign my desktop and the web server a 192.168.1.* address?
Yes, also to one NIC on the Mac machine.
Quote:

Then have the linux router (which will have a "public" ip of 192.168.0.102) forward all traffic destined for 192.168.0.102 to 192.168.1.*? And I'm sure it's possible, but how would I have IPTABLES forward those ports I mentioned to a SPECIFIC IP? I think I want all RELATED,ESTABLISHED (so no inbound connections allowed) for my desktop (for gaming, no serving) and the same for the server, also forwarding ports 21, 22, 25, 80, and 110 to the server.
Exactly. You can forward ports to machines.

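The ruleset the two posts above describe (a second subnet behind the Linux box, masquerading out through the NIC that faces the D-Link, only RELATED,ESTABLISHED back in for the desktop, and a fixed list of ports forwarded to one server), written out as an added example. This is not code from the thread; it assumes eth0 faces the D-Link as 192.168.0.102, eth1 is the inner NIC on 192.168.1.1/24, and the web/ftp server sits at 192.168.1.10. The functions print the iptables commands so the ruleset can be reviewed on any machine; `--apply` as root loads it.

```sh
#!/bin/sh
# Added example (not from the thread): iptables ruleset for a Linux box acting
# as a second router behind the D-Link.
# Assumptions: eth0 = NIC facing the D-Link (192.168.0.102),
#              eth1 = NIC facing the inner LAN (192.168.1.1/24),
#              inner web/ftp server = 192.168.1.10 (hypothetical address).
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24
SERVER=192.168.1.10
SERVER_PORTS="21 22 25 80 110"

# Print the rules instead of running them so they can be reviewed first.
router_rules() {
    echo "iptables -F; iptables -t nat -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    # Loopback, and replies to anything a machine on the inside started.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # ssh to the router itself: from the inner LAN only.
    echo "iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT"
    # Desktop and server may go out; only replies come back unless a DNAT below says otherwise.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -j ACCEPT"
    # Published ports: arrive on 192.168.0.102, land on the server, nothing else gets in.
    for p in $SERVER_PORTS; do
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $p -j DNAT --to-destination $SERVER:$p"
        echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $SERVER -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # FTP data connections are RELATED to the port-21 control connection only with the helper loaded.
    echo "modprobe nf_nat_ftp"
    # Masquerade: inner addresses leave with the router's 192.168.0.102 address.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE"
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

# Sanity check for review: how many TCP ports end up forwarded to the server.
forwarded_port_count() {
    router_rules | grep -c 'DNAT --to-destination'
}

case "$1" in
    --apply) [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
             router_rules | sh -e ;;
    *)       router_rules ;;
esac
```

Because port 22 from the D-Link side is forwarded to the server, the router's own sshd is reachable only from the inner LAN; the D-Link still has to forward (or DMZ) the same five ports to 192.168.0.102, otherwise nothing from the internet reaches this box at all.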
dleidlein 04-14-2004 05:15 PM

Quote:

Yes, also to one NIC on the Mac machine.
Ah, good call. The internal NIC (going to the other machines) if I remember correctly.

AC97Conquerer 04-28-2006 12:00 AM

Well, I have the SOLUTION!

Here's the situation:
1) I can browse the internet just fine.
2) I can access my website with http://localhost or http://127.0.0.1
3) I cannot access my website from my real IP address http://69.?.?.?
4) I'm using Linux (Debian)
5) This is what my network setup looks like:
INTERNET
|
|
DSL Modem (192.168.1.1)
|
|
DI-604 D-Link Router (192.168.0.1) (It grabs the IP address 192.168.1.7 from the DSL Modem)
|
|
My SERVER

I had to enable freakin' DMZ through http://192.168.0.1/
Which is totally stupid because there goes the freakin' router's firewall.

If you really want to break this silly problem, use `traceroute`, and then email me.

So this is what /etc/network/interfaces looked like:
Code:

# eth0 takes its address from the D-Link's DHCP; "auto" brings it up at boot
auto eth0
iface eth0 inet dhcp
I made the D-Link router use dynamic DHCP IP creation.

This is what `traceroute www.google.com` says:
Code:

#: traceroute www.google.com
traceroute: Warning: www.google.com has multiple addresses; using 64.233.161.99
traceroute to www.l.google.com (64.233.161.99), 30 hops max, 40 byte packets
 1  192.168.0.1 (192.168.0.1)  0.237 ms  0.222 ms  0.182 ms
 2  192.168.1.1 (192.168.1.1)  0.920 ms  0.803 ms  0.802 ms
 3  vancwacobr2.vancwacoro1.centurytel.net (69.29.185.10)  20.015 ms  19.353 ms  19.774 ms
 4  vancwacoro2.vancwacoro1.centurytel.net (64.91.105.1)  20.077 ms  21.920 ms  22.464 ms
 5  so-0-0-2.ar2.DEN2.gblx.net (208.48.23.217)  92.548 ms  94.620 ms  102.333 ms
 6  so1-2-1-2488M.scr2.SFO1.gblx.net (67.17.92.242)  137.703 ms  137.355 ms  137.203 ms
 7  po3-0.palcr1.PaloAlto.opentransit.net (193.251.150.173)  147.612 ms  152.019 ms  144.914 ms

blah
blah
blah

As you can see above, it's going through my Router first (makes sense), and then through my DSL modem, then to the internet.

Also, in the Router's configuration, check that you have the Virtual Server port 80 being sent to the appropriate computer (which doesn't really matter probably because ya got freakin' DMZ....).

If you are still having issues and you want to stop by my house, we can talk it over a cup of coffee, hollaway@gmail.com
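Once a box is in the D-Link's DMZ, every unsolicited inbound connection the router receives is handed to it, which is what the post above means by "there goes the router's firewall". The added example below (not from the post) is the host firewall a DMZ'd Debian server would run to get that filtering back on the box itself, following Mara's earlier advice to put a firewall on every machine. It assumes the LAN is 192.168.0.0/24, ssh is wanted from the LAN only, and only the web server on port 80 is meant to be reachable from the internet.

```sh
#!/bin/sh
# Added example (not from the thread): host firewall for a server placed in a
# router's DMZ. Assumptions: LAN = 192.168.0.0/24, ssh from the LAN only,
# port 80 published to the world.
LAN_NET=192.168.0.0/24
PUBLIC_TCP="80"

# Print the rules so they can be reviewed; pipe into "sh -e" as root to load them.
host_rules() {
    echo "iptables -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"        # a server never forwards
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP"
    echo "iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT"
    # ssh: only from the LAN, never from whatever the DMZ forwards in.
    echo "iptables -A INPUT -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    for p in $PUBLIC_TCP; do
        echo "iptables -A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited log of what the DMZ delivered that we did not ask for, so the
    # router's missing filter is at least visible in syslog before the DROP policy hits.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'DMZ-DROP: '"
}

# Review check: TCP ports that accept NEW connections with no source restriction.
world_open_ports() {
    host_rules | grep -- '--ctstate NEW' | grep -v -- '-s ' \
        | sed -n 's/.*--dport \([0-9]*\).*/\1/p' | xargs
}
```

Run `world_open_ports` after every edit to the list; if it ever prints more than the services you intend to publish, the DMZ is exposing them.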

Black81 04-30-2007 05:12 AM

Hello.
Well, I gave up on all the howtos/guides/thingys out there... I know it should be a simple thing but I cannot get it right...
Well, first, I was having a web/ftp/ssh/smtp/imap server in one place where I got a static IP address directly to the internet. Because of changing locations, now I've got a dynamic IP address and, over all, I'm behind a D-Link DI-724P+ wireless router (the server is wired).
Well, I've configured my router to:
1st) used DDNS to set my router address up on No-IP (it did change the address and I can ping my router from the internet)
2nd) I put a DMZ (I guess; I'm not really sure since it does nothing, I couldn't see any differences at all) by selecting DMZ on my firewall and specifying the internal IP address of my web/ftp... server.
3rd) from there I tried putting a virtual host, using my internal IP address and the ports for web/ftp/ssh/smtp/imap services to be redirected to the web/ftp/ssh... server, but no luck, still got a timeout on any service.
4th) checked that there wasn't any firewall blocking those ports... none found.
5th) installed the No-IP DUC for Linux on the server, and deselected DDNS... nothing...
6th) tried another router, to check if that was the problem... same thing...
7th) I checked that the services were running... Localhost -> OK!... LAN -> OK!... Ping from router -> OK!... from outside router -> Fail! My common sense says that the problem is the router not redirecting the services to the designated address or so. If there is any kind man around that could give me a fool-proof guide to install this server behind the router and visible from outside, please let me know; I've got many sites hosted on this "host" and every day that passes is worse. Please help.
Thanks.
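Both of the last two posts end up at the same question: how many NAT boxes sit between the server and the internet, because each one needs its own port forward (or DMZ entry) before "from outside -> Fail!" turns into OK. AC97Conquerer's traceroute shows the answer directly: two private hops (192.168.0.1, then 192.168.1.1) means two devices translating addresses. The added example below (not from either post) reads traceroute output and counts the leading RFC 1918 hops; the sample trace is constructed to look like that one, with the public hops replaced by documentation addresses.

```sh
#!/bin/sh
# Added example (not from the thread): count NAT layers from traceroute output.
# Every hop with an RFC 1918 address before the first public hop is a router
# that must forward the published ports itself.

# True if the dotted quad in $1 is in 10/8, 172.16/12 or 192.168/16.
is_private() {
    case "$1" in
        10.*) return 0 ;;
        192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads traceroute text on stdin; prints the number of leading private hops.
# Stops at the first public hop or at a hop that did not answer ("* * *").
nat_layers() {
    n=0
    while read -r hop host addr rest; do
        case "$hop" in ''|*[!0-9]*) continue ;; esac   # skip header and chatter lines
        ip=${addr#\(}; ip=${ip%\)}                     # "(192.168.0.1)" -> "192.168.0.1"
        if is_private "$ip"; then n=$((n + 1)); else break; fi
    done
    echo "$n"
}

# Constructed sample in the shape of AC97Conquerer's trace: router, DSL modem, then the ISP.
SAMPLE_TRACE='traceroute to example.invalid (203.0.113.5), 30 hops max, 40 byte packets
 1  192.168.0.1 (192.168.0.1)  0.237 ms  0.222 ms  0.182 ms
 2  192.168.1.1 (192.168.1.1)  0.920 ms  0.803 ms  0.802 ms
 3  gw.isp.example (198.51.100.1)  20.015 ms  19.353 ms  19.774 ms
 4  core.isp.example (203.0.113.1)  92.548 ms  94.620 ms  102.333 ms'

# Number of NAT layers in the constructed sample (2: the D-Link and the modem).
sample_layers() {
    printf '%s\n' "$SAMPLE_TRACE" | nat_layers
}
```

On a real box run `traceroute -n www.google.com | nat_layers`; a result of 2 says the DSL modem is also translating, so forwarding on the D-Link alone cannot make the server visible. A result of 1 with "from outside" still failing points at the single router's forwarding table, which is where Black81's symptoms sit.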