LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 08-08-2011, 11:26 AM   #1
shaileshjkumar
LQ Newbie
 
Registered: Aug 2011
Posts: 3

Rep: Reputation: Disabled
Linux as a router between 2 local networks to ISPs.


Following is my setup:
Server: Ubuntu 11.04 with three NICs.
NIC 1- eth0 - 192.168.x.x
NIC 2- eth1 - 172.196.x.x
NIC 3- eth2 - 10.20.30.x

eth0 and eth1 are my Local LAN and eth2 is WAN the IP given to me by the ISP (Internet)

I configured the server using IPTABLES for getting the Router/Firewall features and also DNS.

Question:

1) There are few servers in my eth1 network which needs to serve few applications and windows shares to eth0, so since itís the Windows network and servers there are WINS and NETBIOS naming resolution in the eth1 network. I have configured the Ubuntu as a DNS server too but the server's name in eth1 are not getting resolved to the eth0 network. How to fix this?

2) How to configure my IPTABLES to detect the destination IPs coming from source eth0 to redirect to eth1 (if any packets for eth1) or to eth2 (if any packets to internet)? Also, no traffic from eth1 to eth0 is to be allowed. e.g. one of my system in 192 network should be able to connect and work with 172 network but none from 172 network should be able to connect to 192 network and also the 172 network system should not go to internet.

I googled and found lot of information in IPTABLES but nowhere mentioned for two different networks having service to each other and also going to the internet.

Also, no information I found for Linux DNS serving the WINS/NETBIOS naming resolution.

Thank you in advance for help.

Cheers.

Shailesh
 
Old 08-10-2011, 12:18 PM   #2
janhe
Member
 
Registered: Jul 2007
Location: Belgium
Distribution: slackware64 13.1, slackware 13.1
Posts: 369

Rep: Reputation: 49
Quote:
Originally Posted by shaileshjkumar View Post
Following is my setup:
Server: Ubuntu 11.04 with three NICs.
NIC 1- eth0 - 192.168.x.x
NIC 2- eth1 - 172.16.x.x
NIC 3- eth2 - 10.20.30.x

eth0 and eth1 are my Local LAN and eth2 is WAN the IP given to me by the ISP (Internet)

I configured the server using IPTABLES for getting the Router/Firewall features and also DNS.
The 196 bothered me. So:
eth0 -> client computers, internet access, access to servers
eth1 -> servers, no internet access, no direct access to clients
eth2 -> internet, no direct access to clients, no access to servers
Quote:
Originally Posted by shaileshjkumar View Post
Question:

1) There are few servers in my eth1 network which needs to serve few applications and windows shares to eth0, so since itís the Windows network and servers there are WINS and NETBIOS naming resolution in the eth1 network. I have configured the Ubuntu as a DNS server too but the server's name in eth1 are not getting resolved to the eth0 network. How to fix this?
There are 2 ways to fix this, if I understand the problem correctly.
1. Put an entry for each server in the DNS configuration on the Ubuntu box, forget WINS & NETBIOS NS
2. Put the IP of the WINS server in the configuration of the client PCs
This can be done with DHCP configuration if the Ubuntu box also is the DHCP server.

The things below only apply if the IP on eth2 (internet) is actually a public IP, and not in the range 10.x.x.x .
If it is a private IP, then things are different. Tell me if it is a private IP, and I'll give you the way to set that up.
Quote:
Originally Posted by shaileshjkumar View Post
2) How to configure my IPTABLES to detect the destination IPs coming from source eth0 to redirect to eth1 (if any packets for eth1) or to eth2 (if any packets to internet)?
Just act as if eth1 isn't there. Since both eth0 and eth1 have private IPs, there's no need for iptables to interfere. Routing between eth0 and eth1 should work automatically when routing between eth0 and eth2 is set up.
Quote:
Originally Posted by shaileshjkumar View Post
Also, no traffic from eth1 to eth0 is to be allowed. e.g. one of my system in 192 network should be able to connect and work with 172 network but none from 172 network should be able to connect to 192 network and also the 172 network system should not go to internet.
There are a few rules needed to make this happen. They should all be inserted in the forward chain.
Set the default policy on the forward chain to drop.
Add a rule to accept related and established packets.
Add a rule to accept packets from eth0.
Quote:
Originally Posted by shaileshjkumar View Post
I googled and found lot of information in IPTABLES but nowhere mentioned for two different networks having service to each other and also going to the internet.

Also, no information I found for Linux DNS serving the WINS/NETBIOS naming resolution.

Thank you in advance for help.

Cheers.

Shailesh
I hope this info, together with what you googled, can get you on your way.
Don't forget to configure firewall rules for your Ubuntu box itself. The iptables forward chain doesn't look at packets that are meant for your Ubuntu box.
If you need more information, post a link to a tutorial you plan to use as a base, so I can reference that for giving you more detailed instructions.
 
Old 08-15-2011, 12:49 PM   #3
shaileshjkumar
LQ Newbie
 
Registered: Aug 2011
Posts: 3

Original Poster
Rep: Reputation: Disabled
Linux as a router between 2 local networks to ISPs

Quote:
Originally Posted by janhe View Post
The 196 bothered me. So:
eth0 -> client computers, internet access, access to servers
eth1 -> servers, no internet access, no direct access to clients
eth2 -> internet, no direct access to clients, no access to servers
Yes the network is, exactly the way you mentioned.

Quote:
Originally Posted by janhe View Post
There are 2 ways to fix this, if I understand the problem correctly.
1. Put an entry for each server in the DNS configuration on the Ubuntu box, forget WINS & NETBIOS NS
2. Put the IP of the WINS server in the configuration of the client PCs
This can be done with DHCP configuration if the Ubuntu box also is the DHCP server.
I installed BIND, so please direct me where to add the entries. I did add to the host file though, but that did not make any difference.
I cannot configure the box as a DHCP as there is a DHCP integrated ADS of Windows environment. This box is just the Gateway and the DNS assigned by the ADS/DHCP to the clients. I configured the WINS assignment of this box's IP to the clients also.

Quote:
Originally Posted by janhe View Post
The things below only apply if the IP on eth2 (internet) is actually a public IP, and not in the range 10.x.x.x .
If it is a private IP, then things are different. Tell me if it is a private IP, and I'll give you the way to set that up.

Just act as if eth1 isn't there. Since both eth0 and eth1 have private IPs, there's no need for iptables to interfere. Routing between eth0 and eth1 should work automatically when routing between eth0 and eth2 is set up.

There are a few rules needed to make this happen. They should all be inserted in the forward chain.
Set the default policy on the forward chain to drop.
Add a rule to accept related and established packets.
Add a rule to accept packets from eth0.

I hope this info, together with what you googled, can get you on your way.
Don't forget to configure firewall rules for your Ubuntu box itself. The iptables forward chain doesn't look at packets that are meant for your Ubuntu box.
If you need more information, post a link to a tutorial you plan to use as a base, so I can reference that for giving you more detailed instructions.
1) eth2 is not a public IP to the internet, its a private IP provided by the ISP from its network to the internet.
2) I put in the rules like the following:

INTIF="eth0"
INTIF2="eth1"
EXTIF="eth2"
*nat
-A POSTROUTING -o "$INTIF2" -d 172.0.0.0/8 -j MASQUERADE
-A POSTROUTING -o "$EXTIF" -j MASQUERADE
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i "$INTIF" -o "$INTIF2" -j ACCEPT
-A FORWARD -i "$INTIF2" -o "$INTIF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
-A FORWARD -i "$EXTIF" -o "$INTIF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

It was fairly simple and its working as expected. Only the DNS part is not working. e.g. the local server names with just the windows name and not the full domain name cannot be pinged. But if I do a manual entry of the same in the host file of the clients it works, now changing host file for so many clients is not possible, so I was thinking any way to fix it on the box itself.

Thanks in advance..

Shailesh
 
Old 08-16-2011, 03:36 AM   #4
janhe
Member
 
Registered: Jul 2007
Location: Belgium
Distribution: slackware64 13.1, slackware 13.1
Posts: 369

Rep: Reputation: 49
When you post configuration files, logs, program output etc., please put it between [CODE][/CODE] tags. (use the # button above the textbox where you type the reply)

Quote:
Originally Posted by shaileshjkumar View Post
I installed BIND, so please direct me where to add the entries. I did add to the host file though, but that did not make any difference.
The entries will have to be added to the appropriate zone file of BIND.
Quote:
Originally Posted by shaileshjkumar View Post
I cannot configure the box as a DHCP as there is a DHCP integrated ADS of Windows environment. This box is just the Gateway and the DNS assigned by the ADS/DHCP to the clients. I configured the WINS assignment of this box's IP to the clients also.
Do you have a WINS server or not? If you haven't set up a WINS server, I'd suggest forgetting about WINS, and using DNS, also because you are running AD.
Quote:
Originally Posted by shaileshjkumar View Post
1) eth2 is not a public IP to the internet, its a private IP provided by the ISP from its network to the internet.
Doesn't your ISP give you a public IP address? You have my sympathy.
Quote:
Originally Posted by shaileshjkumar View Post
2) I put in the rules like the following:
Code:
INTIF="eth0"
INTIF2="eth1"
EXTIF="eth2"
*nat
-A POSTROUTING -o "$INTIF2" -d 172.0.0.0/8 -j MASQUERADE
Why have you added this rule? What is it supposed to do?
The rest of your firewall seems OK. Remember to set up rules for protecting the Ubuntu box itself. Certainly if it is directly reachable from the internet.
Quote:
Originally Posted by shaileshjkumar View Post
It was fairly simple and its working as expected. Only the DNS part is not working. e.g. the local server names with just the windows name and not the full domain name cannot be pinged.
So, if you use the full domain name, then the name does resolve?
Are the servers by any chance also part of the domain?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
how to share bandwidth of two ISPs for local client with Linux server golden_boy615 Linux - Networking 4 06-29-2011 12:23 AM
openSuse 10.2 as a router with 2 ISPs jebaird SUSE / openSUSE 4 11-21-2007 04:51 PM
linux box as a router between two networks LinuxLover Linux - Server 1 08-04-2007 01:25 AM
2 networks and 2 internet connections on linux router seer_tenedos Linux - Networking 6 03-27-2005 07:24 AM
howto relay ISPs dhcp ip's though linux router to LAN deice Linux - Networking 0 09-20-2004 11:40 AM


All times are GMT -5. The time now is 07:48 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration