Yikes! No one can get Internet thru Linux gateway/router/firewall/DHCP
I have an IBM eServer running Linux Mandrake Multi-Network-Firewall (Kernel 2.4.18). The server has two Broadcom NetXtreme Gigabit Ethernet cards, both of which are configured properly (I believe).
eth0 is connected to an ADSL modem, so it doesn't come up at boot, uses a DHCP IP address, and a PPP0 interface.
eth1 is static IP with 192.168.1.1/255.255.255.0 and is connected to an Ethernet switch where the Windows XP LAN is.
The idea is that the Windows XP LAN will connect to the Internet through the server. The server should act as a firewall, Internet content filter, DHCP server, and possibly a Web proxy too. And a router and gateway.
I believe I have configured eth0/adsl properly because the connection is started at boot (adsl-start) and adsl-status indicates the connection is up. From eth0, I can ping Internet addresses like www.sympatico.ca and www.google.ca.
From eth1 I can ping my LAN (example, 192.168.1.113). But it seems like eth1 and eth0 cannot talk to each other. For instance, no one on the LAN can access the Internet, even to ping it (host unknown), and if I ping eth0's IP address from eth1, I get "destination host unreachable".
I am quite new to all this, but I have tried to set up IP MASQ from a HOWTO I found on the Internet; also I tried to set up routing from a HOWTO as well. Even used "route add default PPP0" and still, can't connect.
I must be missing something, but what! I have been working on this for a week now, please help!!!
I'm rather new too, but maybe I can help you since I have the same configuration here. All I know was self-taught, so better double check.
If your firewall is based on ipchains, check what your actual IP rules are like with:
to list your rules:
ipchains -L input
ipchains -L output
ipchains -L forward
Input: what comes from the internet
output : what comes from your network
forward: goes from one board to the other, eth0 to 1
also check on /etc/rc.d/rc.firewall
to check what ports you actually have open on your firewall do
netstat -a [-n -p -A inet]
If for some reason you need to clear all the rules, to start building new ones and use the Internet right away (very careful: without security),
open your predetermined rule,
ipchains -P output ACCEPT
and program your machines to have a gateway to your firewall's internal eth ip address.
When you have people accessing the web, start creating rules with ipchains to build up security. (buy a good book like Firewalls Linux /Prentice Hall)
If your approach is to start with security, START HERE: check that your default rule is DENY, and start building rules to activate each service you want (web, smtp...).
NEVER call these ipchains commands from a shell, and not from a remote machine; use a file, you might lose contact.
Thanks for the reply
Thanks Manrique, my Linux uses iptables instead, but I think the commands are the same. I made a backup copy of my iptables file, and just deleted it, and stopped the firewall program completely (shorewall). Next I made an iptables file with everything set to ACCEPT. Still, cannot connect. (This was last week). Then last night I set up some MASQUERADE rules, because of only having one public IP address, I thought that's why the LAN machines cannot connect. Still no go.
I did not have a /etc/rc.d/rc.firewall file, but last night I copied one from an Internet HOWTO and edited it for my machine.
Finally, I set up routing using the route command.
EDIT: Oh, I forgot to mention: since the server isn't working, during work hours we use our old hardware router that is also a gateway/DHCP. This hardware router uses 192.168.1.1 for the LAN, which is the same as the card on the server. So all the machines on the LAN are already programmed to look to that IP for DHCP and Internet services.
Again, thanks for your help, do you have any more suggestions of what I can try?
Are you sure the DHCP daemon is up and running in your linux to give the IP's to your windows machines?
Yes. When I reboot my Windows computer (well, the test one) it does indeed seem to get an IP address. winipcfg shows that the lease was obtained at the time I rebooted. And on the server the DHCP log shows that the matching IP address is being used. So, I'm sure that yes, the DHCP server is working.
I forgot to mention, I have followed the steps that others have posted about routing.
1. Eth1 is properly configured with 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255
2. IP forwarding is turned on
"cat /proc/sys/net/ipv4/ip_forward" returns 1
3. added entry in routing table
route add -net 192.168.1.0 netmask 255.255.255.0 eth1
route add default ppp0
4. set up iptables from a script I found on the Internet HOWTO that includes the line (something like)
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
So following the helpful steps that the experts have given to the other users, hasn't worked for me so far. What did I overlook? The Windows machines use 192.168.1.1 as a gateway/DHCP.
Does your iptables FILTER table have a FORWARD chain which ACCEPTs traffic?
Here is an example of mine.
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Here's the contents of the IPTABLES that I'm using for now:
quote from 1st post
"eth0 is connected to a ADSL modem, so it doesn't come up at boot, uses DHCP IP address, and PPP0 interface."
If your gateway to the internet is through eth0 connected to your adsl modem shouldn't you use eth0 as your default route? I have a dsl connection and my default route for traffic traversing my firewall is the interface attached to the DSL Modem. Below you can see my route table.
[09:09:28][root@host:dir ]$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 * 255.255.255.0 U 0 0 0 eth1
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth1
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
I'd like to give some help and I guess it might be useful.
According to the message you posted, you say that your server is configured correctly.
So if you are sure about your route IP, or unsure, do this:
login as root and on the command line type:
# route [ret]
I am sure with this command you will be able to see something like this:
Destination GATEWAY GenMask Flags Metric Ref Use Iface
Default 192.***.**.* 255.***.***.* UG 0 0 0 eth0
If you aren't connecting to the Internet with this gateway, then try another one by issuing the following command as root:
# route add default gw 192.***.***.***.* [replace stars with your gateway IP numbers]
And remember you can't use two different gateways at the same time; instead one should be deleted or disabled before you switch to another, by issuing this command as root:
# route del default gw 192.***.***.***.* [replace stars with your gateway IP numbers]
From here try to ping your gateway; if it is OK, then try pinging your DNS if you have one. If not sure where your DNS resides, just issue this command and you will see it or add it there:
# vi /etc/resolv.conf [ret]
If everything is alright then try pinging e.g. www.google.com, and if everything is OK then you are ready to go on the Internet. In case things are not working out but you are able to ping all the hosts, then you seem to be behind a proxy and you need to specify it in your favourite web browser; if you are using Mozilla then go to
edit --->Preferences--->Advanced---->Proxies----->Select Manual Proxy Configuration.
Dear, try your luck and see if it works, and if it doesn't then you need to consult your Network Administrator; otherwise you might need to go to a Cyber Cafe to surf the net.
Here's a possible problem I see here.
Also, it seems odd to be using ppp0, but if you can ping from your firewall out to the internet, the routing must be working right. Maybe the NAT table needs to be pointed at eth0 instead? That's a complete guess though.
Hope that first bit helps at least
Nice catch Dewar I totally missed that one, but I think you're right about the -s/-d issue in the FORWARD table.
Hey Avatar, I don't know if you got this resolved yet, but here is my firewall startup script, in case it helps you. I see a few discrepancies between ours. This is verbatim so it reflects my small network.
Also, the NAT table is correct to use PPP0. At least for me :)
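The replies above converge on three checks: the default route must name the ADSL interface (ppp0, not the eth0 underneath it), the FORWARD chain must accept the LAN subnet, and MASQUERADE must sit on that same default-route interface. The script below is an added example, not a script from the thread or from any poster; it assumes the original poster's layout (LAN 192.168.1.0/24 on eth1, PPPoE on ppp0) and uses a constructed "route -n" sample when no route command is available.

```shell
#!/bin/sh
# Added example (not from the thread): find the default-route interface, then
# print the minimal forward/MASQUERADE rules for it. Assumes LAN on eth1
# (192.168.1.0/24) and PPPoE on ppp0, as in the first post.
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
# Print the interface carrying the default route, given "route [-n]" text on stdin.
default_iface() {
  awk '$1 == "0.0.0.0" || $1 == "default" { print $NF; exit }'
}
# Emit the rules as text instead of applying them, so they can be saved to a
# file, read over, and run from the console rather than a remote shell.
gateway_rules() {
  wan_if="$1"
  cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F POSTROUTING
# PPPoE links carry a 1492-byte MTU; clamp MSS so large transfers do not stall
iptables -A FORWARD -o $wan_if -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# only the LAN subnet may open connections outward; replies return via state
iptables -A FORWARD -i $LAN_IF -o $wan_if -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $wan_if -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# NAT on the interface the default route uses, not on the eth0 beneath ppp0
iptables -t nat -A POSTROUTING -s $LAN_NET -o $wan_if -j MASQUERADE
EOF
}
# Constructed "route -n" sample for the poster's box (not real output).
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0'
main() {
  if command -v route >/dev/null 2>&1; then
    wan_if="$(route -n 2>/dev/null | default_iface)"
  else
    wan_if="$(printf '%s\n' "$SAMPLE_ROUTES" | default_iface)"
  fi
  if [ -z "$wan_if" ]; then
    echo "# no default route found: fix routing before NAT; showing ppp0 rules" >&2
    wan_if=ppp0
  fi
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ] ||
    echo "# warning: /proc/sys/net/ipv4/ip_forward is not 1" >&2
  gateway_rules "$wan_if"
}
main "$@"
```

Save the printed rules to a file, check them against the three points above, and run that file at the console.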
psyche, dewar, benji, fatal: Thank you all for your assistance. My problem is resolved now. It is the selfless community of Linux users that makes up the greatest amount of my satisfaction with this operating system; I always know that if something doesn't work... someone will help me fix it!! :D