LinuxQuestions.org
Old 04-15-2006, 04:18 AM   #1
Fredstar
Member
 
Registered: Jul 2004
Location: Rochester, NY
Distribution: Fedora9::FreeBSD7.1
Posts: 296

Rep: Reputation: 30
Networking with iptables / nat / ipmasq


Hello everyone!!

Been a long night and I'm about to head off to bed as the sun starts to rise =D

I'm in the process of trying to build an FC5 firewall / router with the following diagram.


          -----------
          | Internet|
          -----------
               |
               | (eth0)
          -----------
          | FC 5 box|
          -----------
               | (eth1)
               |
          -----------
          | 5-port  |
          | Switch  |
          -----------
               | (box A / box B)
       -----------------------
       |                     |
 -------------         -------------
 |192.168.0.2|         |192.168.0.3|
 -------------         -------------

My problems, well, first the rest of the information:
eth0
IP: 24.22.230.33
GATEWAY: 34.30.230.34
SUBNET: 255.255.255.248

eth1
IP: 192.168.0.1
GATEWAY: 192.168.0.1
SUBNET: 255.255.255.0

COMP A / COMP B
IP: 192.168.0.2 / 192.168.0.3
GATEWAY: 192.168.0.1
SUBNET: 255.255.255.0

===========
OK
===========

Now with the current setup I can ping my box 192.168.0.1 without any problems from computer A and B. However, I can't use the internet any longer on any machine. Then if I disable eth1 I can once again use the internet from the FC5/router/firewall box. I'm new at this so I could be really out there since I'm taking shots in the dark. I have read a lot of online stuff and am still having problems.

I took down iptables to try and see if that helped but it didn't.
Any help appreciated!!
thanks

Last edited by Fredstar; 04-15-2006 at 04:20 AM. Reason: Sorry about the diagram really came out looking like hell
 
Old 04-15-2006, 06:36 AM   #2
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 670
Is the FC5 eth0 card configured to use DHCP, or did you configure it manually? Check your route table and the value of the default gateway. Also check that you have the correct nameserver IP addresses in resolv.conf.

Do you have masquerading set up to share the internet connection?
 
Old 04-15-2006, 09:58 AM   #3
cs-cam
Senior Member
 
Registered: May 2004
Location: Australia
Distribution: Gentoo
Posts: 3,544
Blog Entries: 4

Rep: Reputation: 57
I struggled with this a while ago but ended up bailing on the do-it-yourself idea and used Endian Firewall. It's a distro that is set up to do this and is therefore considerably easier for someone not very strong in the networking department (me!) to use. Endian is based off IPcop and has a much smaller community, so if you did choose to go this route, I'd probably suggest looking at IPcop as it'll be easier to find help.
 
Old 04-15-2006, 05:58 PM   #4
Fredstar
Member
 
Registered: Jul 2004
Location: Rochester, NY
Distribution: Fedora9::FreeBSD7.1
Posts: 296

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by jschiwal
Is the FC5 eth0 card configured to use DHCP, or did you configure it manually? Check your route table and the value of the default gateway. Also check that you have the correct nameserver IP addresses in resolv.conf.

Do you have masquerading set up to share the internet connection?
eth0 is configured manually.

The route is something I have not even messed with yet, but at the moment I am reading around on it. Also the resolv.conf is working. The internet only goes down when I bring up the LAN card for the network.

cs-cam, thanks for the heads up, and when I get some free time I'll look around at it. However, for now I think I'm going to stick with FC5.

Thanks to both
<-- me and networking
 
Old 04-15-2006, 09:11 PM   #5
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 670
If you have two NIC interfaces, a default gateway is needed so that the host (FC5) knows on which interface to send outbound traffic. I'm not familiar with the FC5 GUI configuration programs, but I bet that there is one where you can set up your interfaces. Setting the default gateway in one of the interfaces usually ends up setting the default gateway for the machine, by adjusting the route. The traditional configuration file for routes may have moved to /etc/sysconfig/network/, and it may be a target file rather than a configuration. Please read through the networking section of FC5 for all the gory details.

Also, I don't believe you mentioned whether you want to allow hosts A & B access to the internet. If that is the case, and you want to share a single internet IP address, then you will need to configure NAT routing (a.k.a. masquerading). There is another type of NAT routing where you might have 3 internet IP addresses, for example, and the routing provides a one-to-one mapping between the internet IP addresses and 3 of the local IP addresses.

If the FC5 host is not your workstation, but a dedicated gateway/firewall, then you can make it a hardened host, with almost nothing installed, to lessen the number of avenues a hacker can try to attack. This entails removing X Windows, KDE/GNOME and any window manager, most applications and even the compiler suite. Picking up a book on hardening Linux might be a good idea, and since so little would be installed, re-installing from scratch could even be quicker.
When it comes to security, in a sense, less is more. (Less as in installed software, not less security.)
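A worked example of the two things jschiwal raises, checking that the box actually has a usable default gateway and setting up NAT masquerading with iptables, added here as an illustration; it is not code from any poster in the thread. The interface names (eth0 on the WAN side, eth1 on the LAN side) and the 192.168.0.0/24 LAN network are taken from the diagram in post #1; the rule set itself and the helper names are my own construction. By default the script only prints the commands it would run, so they can be reviewed before anything touches the live box.

```shell
#!/bin/sh
# Added example: minimal iptables NAT/masquerading for a two-NIC gateway laid
# out as in the thread. Interface names and the LAN network are assumptions
# taken from the diagram in post #1; adjust them before use.
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.0.0/24

# ---- helpers for the "check your default gateway" step ---------------------

ip_to_int() {
    # Convert a dotted-quad IPv4 address to a 32-bit integer (pure POSIX sh).
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

same_subnet() {
    # Exit 0 when addresses $1 and $2 are in the same network under netmask $3.
    # A default gateway that fails this check against the WAN address is not
    # directly reachable, so the kernel will refuse to install the route.
    a_int=$(ip_to_int "$1"); b_int=$(ip_to_int "$2"); m_int=$(ip_to_int "$3")
    [ $(( a_int & m_int )) -eq $(( b_int & m_int )) ]
}

default_gateway() {
    # Print the current default gateway from the kernel route table, or
    # nothing when there is no default route (the symptom described in post #1).
    ip -4 route show default 2>/dev/null | awk '{print $3; exit}'
}

# ---- rule generation -------------------------------------------------------

gen_rules() {
    # Print the commands that share WAN interface $1 with the $3 network
    # reached through LAN interface $2. Printing instead of executing keeps
    # the rule set reviewable; apply_rules pipes the output into sh.
    wan=$1; lan=$2; net=$3
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -o $wan -s $net -j MASQUERADE
iptables -A FORWARD -i $lan -o $wan -s $net -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -d $net -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $wan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $wan -m state --state NEW -j DROP
EOF
}

apply_rules() {
    # Refuse to run without a default route: masquerading cannot help if the
    # gateway itself has nowhere to send outbound packets.
    gw=$(default_gateway)
    if [ -z "$gw" ]; then
        echo "no default route: fix the WAN gateway first (see 'ip route')" >&2
        return 1
    fi
    gen_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" | sh -e
}

# Dry run by default; run "APPLY=1 sh gateway.sh" as root to execute the rules.
if [ "${APPLY:-0}" = 1 ]; then
    apply_rules
else
    gen_rules "$WAN_IF" "$LAN_IF" "$LAN_NET"
fi
```

The FORWARD chain only lets new connections originate from the LAN and only lets replies come back in, and new inbound connections on the WAN side are dropped, which is the minimum a shared gateway should do. The INPUT rules are scoped to the WAN interface, so administration from the LAN is unaffected. `same_subnet` is there to be run by hand against the WAN address, gateway and netmask before applying anything, since a gateway outside the interface's own subnet is one of the more common reasons a default route never gets installed.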
 
Old 04-15-2006, 09:25 PM   #6
Fredstar
Member
 
Registered: Jul 2004
Location: Rochester, NY
Distribution: Fedora9::FreeBSD7.1
Posts: 296

Original Poster
Rep: Reputation: 30
It works =D

Well, I had a real issue with doing it with FC5. The default and basic installation seemed bloated to me. I shopped around and decided to try my luck with another.

Yes, I wanted to allow outbound traffic for my network A and B. I ended up performing this with a BSD/PF firewall since I found an extremely well documented walkthrough that helped me fill in the holes. There were a lot of things I was doing wrong because I just didn't know. Now that I know, I'm going to give it a run on a distro.

On further research I found that I could do the same configurations since iptables is a child / branch off the old PF firewall on BSD.

It was a fun and great learning experience and I thank everyone for the help.

To the above:
For the firewall/router I didn't install a GUI or any X11 packages. The computer isn't the most souped-up piece of equipment and I wouldn't want to bog it down. All I have is the core operating system installed.
 
All times are GMT -5.