Small Linux Router/firewall behind D-Link Hardware router
Hello folks, did a search on the forums but was unable to come up with the answer (not to rule out I didn't try enough search terms). It's a pretty quick one though.
A friend of mine is giving me his old Macintosh (still don't know what year or "version". I know NOTHING about mac) and an old PC. I'm hoping the PC is at least a 386 or better.
Here's the scenario I'm trying to create and I THINK it would work.
We have a cable connection, DHCP IP from Road Runner. My parents have a couple of computers so they will probably be using the D-Link hardware router to get their IPs. (Unless I can convince them otherwise.)
I currently get my IP from the router as well. What I want to do is set up the PC as a www/ftp server (yes, I want three computers in my room), the Mac box as a router/firewall, and my main "power" computer as my desktop use machine.
So, first question is, if I can put Linux on the Mac, I should be able to make it a router, right? Bigger question, is it feasible to have a router behind a router? The reason I ask is the Mac box won't necessarily be getting a "public" IP. It gets a 192.168.0.* from the D-Link router, and my machines PAST that will also need private internal addresses (right?).
I know the internet is basically a bunch of routers so I ASSUME it will work.
2. will that slow my connection down? Not worried too much about the web/ftp server because this is all just a learning process (I want to get some certifications and also be able to walk into job interviews and say, here's my website, check it out), but I play games (mostly Counter-strike) from my computer so ping from there IS an issue.
3. A DMZ is basically a non-firewalled area? What security concerns will I have if I put my Mac box on a DMZ? I'll only have ports 80, 21, and 22 (ssh) open, and only apache, ftp, and sshd running. Eventually I'll add qmail or some other mail server (what is everyone's preference here and why?).
geez that's long, sorry! I try not to post too often and when I do, it's only to show how much of a I am.
Re: Small Linux Router/firewall behind D-Link Hardware router
Quote:
Originally posted by dleidlein
So, first question is, if I can put Linux on the Mac, I should be able to make it a router, right? Bigger question, is it feasible to have a router behind a router? The reason I ask is the Mac box won't necessarily be getting a "public" IP. It gets a 192.168.0.* from the D-Link router, and my machines PAST that will also need private internal addresses (right?).
You can do it. The best way will probably be to give the machines 'in' private addresses from a different subnet than the 'main' network (192.168.1.x for example). And you'll probably need NAT (masquerading, in fact) to map your local addresses to the one used by the NIC connected to the hardware router. Or maybe you'll be able to configure the router to map both subnets..
Quote:
2. will that slow my connection down? Not worried too much about the web/ftp server because this is all just a learning process (I want to get some certifications and also be able to walk into job interviews and say, here's my website, check it out), but I play games (mostly Counter-strike) from my computer so ping from there IS an issue.
You shouldn't notice any performance loss.
Quote:
3. A DMZ is basically a non-firewalled area? What security concerns will I have if I put my mac box on a DMZ? I'll only have ports 80, 21, and 22(ssh) open, and only apache, ftp, and sshd running.
In your network there's not much need to DMZ. You should simply install firewalls on all machines and update them regularly.
Quote:
Eventually I'll add qmail or some other mail server (what is everyone's preference here and why?).
I use qmail for most installs and like it. Just installed postfix on a new server (to try something different) and I must say it's also nice and probably easier to install than qmail. So I'll recommend postfix as your first installation, then you can play with qmail.
Quote:
In your network there's not much need to DMZ. You should simply install firewalls on all machines and update them regularly.
The reason I ask this is I saw a quote somewhere saying that your firewall should have nothing else running on it.....And on win machines, firewall software seems to hog up resources. I know there's never 100% security but is the difference between having my router block all traffic except ports ** forwarded to the web server, and having that PLUS a firewall on each computer going to do anything? How "intensive" is IPTABLES? as in CPU/memory utilization.
Quote:
The best way will b eprobably to give the machines 'in' private addresses from different subnet than the 'main' network (192.168.1.x for example).
Sorry, need a little clarification. Do you mean assign my desktop and the web server a 192.168.1.* address? Then have the Linux router (which will have a "public" IP of 192.168.0.102) forward all traffic destined for 192.168.0.102 to 192.168.1.*? And I'm sure it's possible, but how would I have IPTABLES forward those ports I mentioned to a SPECIFIC IP? I think I want all RELATED,ESTABLISHED (so no inbound connections allowed) for my desktop (for gaming, no serving) and the same for the server, also forwarding ports 21, 22, 25, 80, and 110 to the server.
Quote:
Originally posted by dleidlein
The reason I ask this is I saw a quote somewhere saying that your firewall should have nothing else running on it.....And on win machines, firewall software seems to hog up resources. I know there's never 100% security but is the difference between having my router block all traffic except ports ** forwarded to the web server, and having that PLUS a firewall on each computer going to do anything? How "intensive" is IPTABLES? as in CPU/memory utilization.
If you're firewalling 1Gbit Ethernet or you have very high traffic, you probably need quite a powerful machine, but for a normal network a 486 would not have much to do..
Quote:
Sorry, need a little clarification. Do you mean assign my desktop and the web server a 192.168.1.* address?
Yes, also to one NIC on the Mac machine.
Quote:
Then have the Linux router (which will have a "public" IP of 192.168.0.102) forward all traffic destined for 192.168.0.102 to 192.168.1.*? And I'm sure it's possible, but how would I have IPTABLES forward those ports I mentioned to a SPECIFIC IP? I think I want all RELATED,ESTABLISHED (so no inbound connections allowed) for my desktop (for gaming, no serving) and the same for the server, also forwarding ports 21, 22, 25, 80, and 110 to the server.
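The masquerading and per-port forwarding asked about in the two posts above, together with the "firewall on the router itself" question, as an added example; this is not code from anyone in the thread. It assumes the layout the thread sketches: on the Mac router, eth0 holds 192.168.0.102 towards the D-Link and eth1 holds the 192.168.1.x side, and the web/ftp/mail server sits at 192.168.1.10 (a constructed address). The interface names and the server address are assumptions and can be overridden through the environment. The script emits an iptables-restore ruleset instead of calling iptables directly, so the rules can be read and checked before anything is loaded.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout:
#   eth0 = 192.168.0.102 towards the D-Link (the router's "public" side)
#   eth1 = 192.168.1.1 towards the inner LAN
#   192.168.1.10 = the www/ftp/mail server (constructed address)
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SERVER="${SERVER:-192.168.1.10}"
# Ports the thread wants handed to the server: ftp, ssh, smtp, http, pop3
FWD_PORTS="${FWD_PORTS:-21 22 25 80 110}"

# Emit a complete ruleset in iptables-restore format.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Everything leaving towards the D-Link appears to come from $WAN_IF's address
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
    # Rewrite the destination of the chosen ports so they reach the server
    for p in $FWD_PORTS; do
        echo "-A PREROUTING -i $WAN_IF -p tcp --dport $p -j DNAT --to-destination $SERVER:$p"
    done
    cat <<EOF
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The router itself: answer only what it started, plus ssh from the inner LAN
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
# Forwarded traffic: inner hosts may go out, replies come back; nothing else
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
EOF
    # New inbound connections are allowed only to the server and only on the forwarded ports
    for p in $FWD_PORTS; do
        echo "-A FORWARD -i $WAN_IF -o $LAN_IF -d $SERVER -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# Sanity check: one DNAT rule per forwarded port.
count_dnat() {
    gen_rules | grep -c -- '-j DNAT'
}

# Usage, as root on the router:
#   sysctl -w net.ipv4.ip_forward=1
#   sh nat-rules.sh | iptables-restore
gen_rules
```

The D-Link still has to hand ports 21, 22, 25, 80 and 110 (or the whole DMZ) to 192.168.0.102, or nothing ever reaches the PREROUTING rule. With the FORWARD policy at DROP and only the state rule for the desktop, the desktop gets exactly the RELATED,ESTABLISHED-only behaviour asked for, while the server accepts new connections on the listed ports alone.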
Here's the situation:
1) I can browse the internet just fine.
2) I can access my website with http://localhost or http://127.0.0.1
3) I cannot access my website from my real IP address http://69.?.?.?
4) I'm using Linux (Debian)
5) This is what my network setup looks like:
INTERNET
|
|
DSL Modem (192.168.1.1)
|
|
DI-604 D-Link Router (192.168.0.1) (It grabs the IP address 192.168.1.7 from the DSL Modem)
|
|
My SERVER
I had to enable freakin' DMZ through http://192.168.0.1/
Which is totally stupid because there goes the freakin' router's firewall.
If you really want to break this silly problem, use `traceroute`, and then email me.
So this is what [/etc/network/interfaces] looked like:
Code:
iface eth0 inet dhcp
I made the D-Link router use dynamic DHCP IP creation.
This is what `traceroute www.google.com` says:
Code:
#: traceroute www.google.com
traceroute: Warning: www.google.com has multiple addresses; using 64.233.161.99
traceroute to www.l.google.com (64.233.161.99), 30 hops max, 40 byte packets
1 192.168.0.1 (192.168.0.1) 0.237 ms 0.222 ms 0.182 ms
2 192.168.1.1 (192.168.1.1) 0.920 ms 0.803 ms 0.802 ms
3 vancwacobr2.vancwacoro1.centurytel.net (69.29.185.10) 20.015 ms 19.353 ms 19.774 ms
4 vancwacoro2.vancwacoro1.centurytel.net (64.91.105.1) 20.077 ms 21.920 ms 22.464 ms
5 so-0-0-2.ar2.DEN2.gblx.net (208.48.23.217) 92.548 ms 94.620 ms 102.333 ms
6 so1-2-1-2488M.scr2.SFO1.gblx.net (67.17.92.242) 137.703 ms 137.355 ms 137.203 ms
7 po3-0.palcr1.PaloAlto.opentransit.net (193.251.150.173) 147.612 ms 152.019 ms 144.914 ms
blah
blah
blah
As you can see above, it's going through my Router first (makes sense), and then through my DSL modem, then to the internet.
Also check on the Router's configuration that you have the Virtual Server port 80 being sent to the appropriate computer (which doesn't really matter probably because ya got freakin' DMZ....).
If you are still having issues and you want to stop by my house, we can talk it over a cup of coffee, hollaway@gmail.com
Hello.
Well, I gave up on all the howtos/guides/thingys out there... I know it should be a simple thing but I cannot get it right...
Well, first, I was having a web/ftp/ssh/smtp/imap server in one place where I got a static IP address directly to the internet. Because of changing locations, now I've got a dynamic IP address and, over all, am behind a D-Link dl-724p+ wireless router (the server is wired).
Well, I've configured my router to:
1st) used the DDNS to set my router address up on no-ip (it did change the address and I can ping my router from the internet)
2nd) I put a DMZ (I guess; I'm not really sure since it does nothing, I couldn't see any differences at all) by selecting DMZ on my firewall and specifying the internal IP address of my web/ftp... server.
3rd) from there I tried putting a virtual host, using my internal IP address, and the ports for web/ftp/ssh/smtp/imap services to be redirected to the web/ftp/ssh... server, but no luck, still got a timeout on any service.
4th) checked that there wasn't any firewall blocking those ports... none found.
5th) installed the no-ip DUC for Linux on the server, and deselected the DDNS... nothing...
6th) tried another router, to check if that was the problem... same thing...
7th) I checked that the services were running... Localhost -> OK!... LAN -> OK!... Ping from router -> OK!... from outside router -> Fail! My common sense says that the problem is the router not redirecting the services to the designated address or so. If there is any kind man around who could give me a fool-proof guide to install this server behind the router and visible from outside, please let me know; I've got many sites hosted on this "host" and every day that passes is worse. Please help.
Thanks.