LinuxQuestions.org


Fredstar 04-15-2006 03:18 AM

Networking with iptables / nat / ipmasq
 
Hello everyone!!

Been a long night and I'm about to head off to bed as the sun starts to rise =D

I'm in the process of trying to build an FC5 firewall/router with the following diagram.


-----------
| Internet|
-----------
     |
     | (eth0)
-----------
|FC 5 box |
-----------
     | (eth1)
     |
 ---------
 |5-port |
 |Switch |
 ---------
     | (box A / Box b)
-------------------------
|                       |
-------------     -------------
|192.168.0.2 |     |192.168.0.3 |
-------------     -------------

My problems; well, first the rest of the information:
eth0
IP: 24.22.230.33
GATEWAY: 34.30.230.34
SUBNET: 255.255.255.248

eth1
IP: 192.168.0.1
GATEWAY: 192.168.0.1
SUBNET: 255.255.255.0

COMP A / COMP B
IP: 192.168.0.2 / 192.168.0.3
GATEWAY: 192.168.0.1
SUBNET: 255.255.255.0

===========
OK
===========

Now with the current setup I can ping my box 192.168.0.1 without any problems from computer A and B. However, I can't use the internet any longer on any machine. Then if I disable eth1 I can once again use the internet from the FC5 router/firewall box. I'm new at this so I could be really out there since I'm taking shots in the dark. I have read a lot of online stuff and am still having problems.

I took down iptables to try and see if that helped, but it didn't.
Any help appreciated!!
Thanks

jschiwal 04-15-2006 05:36 AM

Is the FC5 eth0 card configured to use DHCP, or did you configure it manually? Check your route table and the value of the default gateway. Also check that you have the correct nameserver IP addresses in resolv.conf.

Do you have masquerading set up to share the internet connection?

cs-cam 04-15-2006 08:58 AM

I struggled with this a while ago but ended up bailing on the do-it-yourself idea and used Endian Firewall. It's a distro that is set up to do this and is therefore considerably easier for someone not very strong in the networking department (me!) to use. Endian is based off IPcop and has a much smaller community so if you did choose to go this route, I'd probably suggest looking at IPcop as it'll be easier to find help :)

Fredstar 04-15-2006 04:58 PM

Quote:

Originally Posted by jschiwal
Is the FC5 eth0 card configured to use DHCP, or did you configure it manually? Check your route table and the value of the default gateway. Also check that you have the correct nameserver IP addresses in resolv.conf.

Do you have masquerading set up to share the internet connection?

eth0 is configured manually.

The route is something I have not even messed with yet, but at the moment I am reading around on it. Also, resolv.conf is working. The internet only goes down when I bring up the LAN card for the network.

cs-cam, thanks for the heads up, and when I get some free time I'll look around at it. However, for now I think I'm going to stick with FC5.

Thanks to both
:newbie: <-- me and networking

jschiwal 04-15-2006 08:11 PM

If you have two NIC interfaces, a default gateway is needed so that the host (FC5) knows which interface to send outbound traffic out of. I'm not familiar with the FC5 GUI configuration programs, but I bet that there is one where you can set up your interfaces. Setting the default gateway in one of the interfaces usually ends up setting the default gateway for the machine, by adjusting the route. The traditional configuration file for routes may have moved to /etc/sysconfig/network/, and it may be a target file rather than a configuration. Please read through the networking section of FC5 for all the gory details.

Also, I don't believe you mentioned whether you want to allow hosts A & B access to the internet. If that is the case, and you want to share a single internet IP address, then you will need to configure NAT routing (a.k.a. masquerading). There is another type of NAT routing where you might have 3 internet IP addresses for example, and the routing provides one-to-one mapping between the internet IP address and 3 of the local IP addresses.

If the FC5 host is not your workstation, but a dedicated gateway/firewall, then you can make it a hardened host, with almost nothing installed, to lessen the number of avenues a hacker can try to attack. This entails removing X Windows, KDE/GNOME and any window manager, most applications and even the compiler suite. Picking up a book on hardening Linux might be a good idea, and since so little would be installed, re-installing from scratch could even be quicker.
When it comes to security, in a sense, less is more. (Less as in installed software, not less security.)
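jschiwal's post lays out the three pieces a two-NIC gateway needs: a default route, packet forwarding, and NAT (masquerading, or the one-to-one kind). The script below is an added example, not code from the thread or any of its posters, that puts those pieces together with iptables for the eth0/eth1 layout in Fredstar's diagram; it assumes the eth0 gateway address given in the first post, and the one-to-one NAT function takes placeholder addresses.

```shell
#!/bin/sh
# Added example for the thread's layout: eth0 faces the Internet, eth1 the
# 192.168.0.0/24 LAN. The default gateway is the one from the first post.
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.0.0/24
WAN_GW=34.30.230.34

# DRY_RUN=1 (default) prints each command so the rule set can be reviewed;
# DRY_RUN=0 executes it (needs root).
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

nat_gateway_rules() {
  # With two NICs the kernel needs a default route to know where
  # "everything not on the LAN" should leave.
  run ip route replace default via "$WAN_GW" dev "$WAN_IF"
  # Forwarding is off by default: the box would answer pings on eth1
  # but pass nothing between the two cards.
  run sysctl -w net.ipv4.ip_forward=1
  # Start from a clean, default-deny FORWARD chain.
  run iptables -P FORWARD DROP
  run iptables -F FORWARD
  run iptables -t nat -F POSTROUTING
  # LAN hosts may go out; only replies to their own connections come back in.
  run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
  run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Many-to-one NAT (masquerading): LAN source addresses become eth0's address.
  run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# One-to-one NAT, the other type jschiwal mentions: a spare public address is
# mapped to a single LAN host. Both arguments are placeholders.
one_to_one_nat() {
  public_ip=$1; lan_host=$2
  run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$public_ip" -j DNAT --to-destination "$lan_host"
  run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$lan_host" -j SNAT --to-source "$public_ip"
  run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$lan_host" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Number of iptables commands the masquerading setup emits (dry-run self-check).
rule_count() { ( DRY_RUN=1; nat_gateway_rules ) | grep -c '^iptables'; }

nat_gateway_rules
```

Run it as-is to review the commands; `DRY_RUN=0 sh gateway.sh` as root applies them.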

Fredstar 04-15-2006 08:25 PM

It works =D

Well, I had a real issue with doing it with FC5. The default and basic installation seemed bloated to me. I shopped around and decided to try my luck with another.

Yes, I wanted outbound traffic for my network A and B. I ended up performing this with a BSD/PF firewall since I found an extremely well documented walkthrough that helped me fill in the holes. There were a lot of things I was doing wrong because I just didn't know. Now that I know, I'm going to give it a run on a distro.

On further research I found that I could do the same configurations since iptables is a child/branch off the old PF firewall on BSD.

It was a fun and great learning experience and I thank everyone for the help.

To the above:
For the firewall/router I didn't install a GUI or any X11 packages. The computer isn't the most souped-up piece of equipment and I wouldn't want to bog it down. All I have is the core operating system installed.
