LinuxQuestions.org
Old 09-23-2003, 11:51 PM   #1
tnine9
Member
 
Registered: Jan 2003
Posts: 39

Rep: Reputation: 15
Using RedHat 8.x with PPPoE as a router/firewall


OK, I have a server/workstation with 2 Ethernet cards in it, both work fine and are recognized by redhat (linksys). The hardware is Dual Xeons, 750 Mb ram, 100 Gb disk space.

Here is a diagram of my physical wiring

---->SBC DSL(pppoe) --- > eth1 -----> eth0-------->switch ---> windows clients

NOTE: eth0 has no configuration and is part of ppp0.

I have downloaded and installed the latest stable rpm of rp-pppoe 3.5.2. This works like a champ, I can connect to the net, and I have no problems browsing the web, pinging etc. from the server. However, if I configure eth0 with the following settings:

IP 192.168.0.1
SubNet 255.255.255.0

as soon as I bring eth0 up ("ifup eth0") I lose all connectivity until I completely remove eth0 from my system and do a "network restart". I would like to use my server as a firewall and a router for all of my internal home machines. I'm not very savvy with NAT /ipchains/iptables so some help would be great.

Thanks,
Todd

P.S. I have tried using firestarter as a tool for newbies, the concept is great however I still can't route my traffic from eth0 to ppp0.
 
Old 09-24-2003, 01:21 AM   #2
born4linux
Senior Member
 
Registered: Sep 2002
Location: Philippines
Distribution: Slackware, RHEL&variants, AIX, SuSE
Posts: 1,127

Rep: Reputation: 49
this one is a good start:

http://www.yolinux.com/TUTORIALS/Lin...rkGateway.html
 
Old 09-29-2003, 06:23 PM   #3
tnine9
Member
 
Registered: Jan 2003
Posts: 39

Original Poster
Rep: Reputation: 15
No Dice

Sorry about the delayed response, I had 2 CS tests last week and I just haven't had the time to set things up.

OK, I would like to make a revision to the first diagram; it should be:

---->SBC DSL(pppoe) --- > eth0 -----> eth1-------->switch ---> windows clients


Now, I went to
http://www.yolinux.com/TUTORIALS/Lin...rkGateway.html where I followed the tutorial for iptables. I set up iptables with the following script

iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

# Set up IP FORWARDing and Masquerading
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward


Now I can get online from the RH8 system via PPPoE, and with eth1 up. However, I still cannot connect to the public net with my Windows client computers. I turned on debugging for iptables and this is what was written.

thornine kernel: INPUT_DROP: IN=eth1 OUT= MAC=00:04:5a:7b:a4:fe:00:04:76:37:14:be:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=9247 DF PROTO=TCP SPT=4538 DPT=20 WINDOW=64240 RES=0x00 ACK URGP=0

Sep 29 18:26:26 thornine kernel: OUTPUT_DROP: IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.2 LEN=1039 TOS=0x08 PREC=0x00 TTL=64 ID=10829 DF PROTO=TCP SPT=20 DPT=4538 WINDOW=5840 RES=0x00 ACK PSH URGP=0

Sep 29 18:26:26 thornine kernel: INPUT_DROP: IN=eth1 OUT= MAC=00:04:5a:7b:a4:fe:00:04:76:37:14:be:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=9248 DF PROTO=TCP SPT=4538 DPT=20 WINDOW=64240 RES=0x00 ACK URGP=0


It seems to me that the packets are simply being dropped, I have no idea how to fix this. Can anyone give me a hand?
 
Old 09-29-2003, 07:06 PM   #4
bentz
Member
 
Registered: Mar 2003
Distribution: Fedora, Mac OSX
Posts: 362

Rep: Reputation: 30
These logs are showing an FTP session from (I can only guess) your Windows machine to the Linux machine.

If what you are concerned with is Internet access, try to simply browse the web from the Windows machine and see if that works.

Make sure that the TCP/IP configuration points to the IP of the Linux machine as the Default Gateway.
 
Old 09-29-2003, 07:07 PM   #5
yocompia
Member
 
Registered: Apr 2003
Location: Chicago, IL
Distribution: openbsd 3.6, slackware 10.0
Posts: 244

Rep: Reputation: 30
you might want to post your "#ifconfig -a" output. it seems like everything is set up correctly, but i had a problem like this when i set up my wireless stuff. it ended up being really retarded (didn't have a default gateway set correctly) and i think it's probably the same for you.

my current suspect is the broadcast on the card that interfaces with the windows computers (eth1).

just to give you some forwarding rules that work to compare with:

$IPTABLES -A FORWARD -i ppp0 -o wlan0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i wlan0 -o ppp0 -m state ! --state INVALID -m mac --mac-source 00:09:5b:6c:53:8b -j ACCEPT

in your case, you might not need the MAC matching and the replacements (ppp0-->eth0) and (wlan0-->eth1) should give you rules you can use for your setup.

also note that --append = -A and --in-interface = -i is a bit more succinct.

HTH,
y-p
 
Old 09-30-2003, 10:02 PM   #6
tnine9
Member
 
Registered: Jan 2003
Posts: 39

Original Poster
Rep: Reputation: 15
Still No Dice

Here is what I have accomplished thus far.

I tried the new iptables commands with this script.

iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -A FORWARD -i ppp0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i wlan0 -o ppp0 -m state ! --state INVALID -j ACCEPT


I still couldn't get any info through. Here is what was logged.

Sep 30 22:02:36 thornine kernel: INPUT_DROP: IN=eth1 OUT= MAC=00:04:5a:7b:a4:fe:00:04:76:37:14:be:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=15854 PROTO=UDP SPT=3831 DPT=53 LEN=40

Sep 30 22:02:37 thornine kernel: INPUT_DROP: IN=eth1 OUT= MAC=00:04:5a:7b:a4:fe:00:04:76:37:14:be:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=15855 PROTO=UDP SPT=3831 DPT=53 LEN=40

Sep 30 22:02:37 thornine kernel: OUTPUT_DROP: IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.2 LEN=88 TOS=0x00 PREC=0xC0 TTL=64 ID=54854 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.0.2 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=15855 PROTO=UDP SPT=3831 DPT=53 LEN=40 ]

Sep 30 22:02:37 thornine kernel: INPUT_DROP: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:76:37:14:be:08:00 SRC=192.168.0.2 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=15856 PROTO=UDP SPT=137 DPT=137 LEN=58

Sep 30 22:02:37 thornine kernel: INPUT_DROP: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:76:37:14:be:08:00 SRC=192.168.0.2 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=15857 PROTO=UDP SPT=137 DPT=137 LEN=58

Sep 30 22:02:38 thornine kernel: INPUT_DROP: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:76:37:14:be:08:00 SRC=192.168.0.2 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=15858 PROTO=UDP SPT=137 DPT=137 LEN=58


This is what I get from "ifconfig -a"

eth0 Link encap:Ethernet HWaddr 00:04:5A:82:E1:6E
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3206 errors:0 dropped:0 overruns:0 frame:0
TX packets:3471 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:935813 (913.8 Kb) TX bytes:327493 (319.8 Kb)
Interrupt:18 Base address:0xe000

eth1 Link encap:Ethernet HWaddr 00:04:5A:7B:A4:FE
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:852 errors:0 dropped:0 overruns:0 frame:0
TX packets:780 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:66110 (64.5 Kb) TX bytes:663879 (648.3 Kb)
Interrupt:19 Base address:0x400

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:10 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:700 (700.0 b) TX bytes:700 (700.0 b)

ppp0 Link encap:Point-to-Point Protocol
inet addr:65.42.230.185 P-t-P:65.42.231.254 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:4 errors:0 dropped:0 overruns:0 frame:0
TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:102 (102.0 b) TX bytes:94 (94.0 b)


My windows client computer is configured as follows

IP : 192.168.0.2
Subnet 255.255.255.0
GateWay 192.168.0.1

Primary DNS 192.168.0.1

Thanks,
Todd
 
Old 10-01-2003, 12:19 PM   #7
yocompia
Member
 
Registered: Apr 2003
Location: Chicago, IL
Distribution: openbsd 3.6, slackware 10.0
Posts: 244

Rep: Reputation: 30
here are a few things you can change:

NOTE: external quotes denote commands and phrases in files, so remove them before inserting into files

0) you may want to write "/sbin/iptables" in place of "iptables", as i'm not certain invoking an executable without a path works in an iptables script; check that the rules are there by looking at the output of "iptables -L" from the command line

1) make sure you have a line in your firewall like "echo "1" > /proc/sys/net/ipv4/ip_forward" to setup IP forwarding

2) set the DNS for the remote computers to that of your ISP

3) change the rule you transcribed (incorrectly) from

iptables -A FORWARD -i wlan0 -o ppp0 -m state ! --state INVALID -j ACCEPT

to

iptables -A FORWARD -i eth1 -o ppp0 -m state ! --state INVALID -j ACCEPT

4) i'd also add a masquerading line for the outgoing packets:

/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

5) once things are working (or even before that), you may want to setup basic tables and policies to protect you from the internet, so add these to your script:

/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP

/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT

/sbin/iptables -A OUTPUT -o ppp0 -m state ! --state INVALID -j ACCEPT

try all these things out, and let me know how it goes.

gl
 
Old 10-01-2003, 02:10 PM   #8
tnine9
Member
 
Registered: Jan 2003
Posts: 39

Original Poster
Rep: Reputation: 15
Routing problems still

OK
here is the entire script I execute called routerSetup.sh
<File>

/sbin/iptables --flush
/sbin/iptables --table nat --flush
/sbin/iptables --delete-chain
/sbin/iptables --table nat --delete-chain
/sbin/iptables -A FORWARD -i ppp0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o ppp0 -m state ! --state INVALID -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP

/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT

/sbin/iptables -A OUTPUT -o ppp0 -m state ! --state INVALID -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

</File>

Here is what I receive from "iptables -L"
<Output>

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED

</Output>


As far as assigning the DNS to my windows clients, I can't do it. The ppp0(DSL modem to eth0) uses PPPoE, so my DNS server IP is assigned to me dynamically.

I also can no longer ping my windows client 192.168.0.2, nor can I ping my router from my windows box. However, I can ping the Internet from my router. Here is that output

<Ping internet>
PING www.google.akadns.net (216.239.39.99) from 65.42.228.59 : 56(84) bytes of data.
64 bytes from 216.239.39.99: icmp_seq=1 ttl=49 time=44.3 ms
64 bytes from 216.239.39.99: icmp_seq=2 ttl=49 time=45.2 ms
</Ping>

<Ping client>
PING 192.168.0.2 (192.168.0.2) from 192.168.0.1 : 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
</Ping>


Thanks for all the help thus far, I really appreciate it.

Todd
 
Old 10-01-2003, 04:38 PM   #9
hakcenter
Member
 
Registered: Apr 2003
Location: Not to far from the computer screen
Distribution: RedHat 9.0
Posts: 324

Rep: Reputation: 30
/sbin/iptables -A INPUT -i lo -j ACCEPT

just after that add

/sbin/iptables -A INPUT -i eth1 -j ACCEPT

I have a good link in my Sig if you want to read it a bit.
 
Old 10-01-2003, 05:27 PM   #10
yocompia
Member
 
Registered: Apr 2003
Location: Chicago, IL
Distribution: openbsd 3.6, slackware 10.0
Posts: 244

Rep: Reputation: 30
i think you should have the quotes around the 1 for line listed below:

echo "1" > /proc/sys/net/ipv4/ip_forward

apologies if this confusion arose based on my NOTE.

what hak has written above is a good idea, because i didn't allow for incoming signals on eth1, so add that rule too. i don't do this, as i prefer that clients behind the firewall cannot ping or access the firewall.

oh, and to allow pinging of the network, add this rule (same idea as for ppp0)

/sbin/iptables -A OUTPUT -o eth1 -m state ! --state INVALID -j ACCEPT

we're getting closer, i can smell it. just a bit more work...
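To see why the client's DNS queries were logged as INPUT_DROP before hakcenter's "-i eth1 -j ACCEPT" rule and would be accepted after it, here is an added Python example (not code from the thread) that parses netfilter LOG lines in the format shown above and replays them through a simplified model of the INPUT chain; the sample lines are constructed in the thread's format, and the rule model assumes first-match-wins with the chain policy as fallback, which is how iptables chains behave:

```python
import re

# Constructed sample lines in the netfilter LOG format the thread shows
# (hostname, MACs and RFC 1918 addresses copied from the thread's own logs).
SAMPLE_LOG = [
    "Sep 30 22:02:36 thornine kernel: INPUT_DROP: IN=eth1 OUT= MAC=00:04:5a:7b:a4:fe:00:04:76:37:14:be:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=15854 PROTO=UDP SPT=3831 DPT=53 LEN=40",
    "Sep 30 22:02:37 thornine kernel: OUTPUT_DROP: IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.2 LEN=88 TOS=0x00 PREC=0xC0 TTL=64 ID=54854 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.0.2 DST=192.168.0.1 LEN=60 PROTO=UDP SPT=3831 DPT=53 LEN=40 ]",
    "Sep 30 22:02:37 thornine kernel: INPUT_DROP: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:76:37:14:be:08:00 SRC=192.168.0.2 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=15856 PROTO=UDP SPT=137 DPT=137 LEN=58",
]

HEADER = re.compile(r"kernel: (\w+): (.*)$")
FIELD = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line):
    """Return the LOG prefix and key=value fields of one netfilter LOG line, or None."""
    m = HEADER.search(line)
    if not m:
        return None
    prefix, rest = m.groups()
    rest = rest.split("[", 1)[0]          # ICMP errors embed the original packet in [...]
    fields = {"PREFIX": prefix}
    for key, val in FIELD.findall(rest):
        fields.setdefault(key, val)       # first occurrence wins (LEN appears twice)
    return fields

# A rule is (input interface or None for any, set of conntrack states or None, target).
# INPUT_BEFORE models post #8's INPUT chain; INPUT_AFTER adds hakcenter's eth1 rule.
INPUT_BEFORE = [("lo", None, "ACCEPT"), ("ppp0", {"RELATED", "ESTABLISHED"}, "ACCEPT")]
INPUT_AFTER = INPUT_BEFORE[:1] + [("eth1", None, "ACCEPT")] + INPUT_BEFORE[1:]

def chain_verdict(rules, policy, in_iface, state):
    """Walk a chain the way the kernel does: first matching rule wins, else the policy."""
    for iface, states, target in rules:
        if iface is not None and iface != in_iface:
            continue
        if states is not None and state not in states:
            continue
        return target
    return policy

def replay_input_drops(lines, rules, policy="DROP"):
    """For each logged INPUT_DROP, report what the given INPUT chain would do with it.
    A client's DNS query or NetBIOS broadcast is unsolicited, so its conntrack state is NEW."""
    verdicts = []
    for line in lines:
        f = parse_log_line(line)
        if f and f["PREFIX"] == "INPUT_DROP":
            key = f"{f['PROTO']} {f['SRC']}->{f['DST']}:{f.get('DPT', '-')}"
            verdicts.append((key, chain_verdict(rules, policy, f["IN"], "NEW")))
    return verdicts

if __name__ == "__main__":
    for rules, label in ((INPUT_BEFORE, "before"), (INPUT_AFTER, "after eth1 rule")):
        print(label, replay_input_drops(SAMPLE_LOG, rules))
```

The OUTPUT_DROP line is the router's own ICMP port-unreachable reply being blocked by the OUTPUT policy, which is the separate problem the "-o eth1" OUTPUT rule above fixes.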
 
Old 10-02-2003, 02:58 PM   #11
tnine9
Member
 
Registered: Jan 2003
Posts: 39

Original Poster
Rep: Reputation: 15
Hell Yeah!

Thanks for all the help, it is finally working! Now I just have to re-arrange all the cables and clean up the office.

Thanks!
Todd
 
Old 10-03-2003, 01:14 AM   #12
yocompia
Member
 
Registered: Apr 2003
Location: Chicago, IL
Distribution: openbsd 3.6, slackware 10.0
Posts: 244

Rep: Reputation: 30
righteous. have fun.
 
Old 07-31-2005, 01:27 PM   #13
chris_wn
LQ Newbie
 
Registered: Jul 2005
Posts: 1

Rep: Reputation: 0
THX!

This documentation helped me out too!!!!!

Many THANX on that!!!!

Shalom,
chris
 