DISCUSSION: Linux Router

hakcenter · 06-03-2004, 12:15 PM

This thread is to discuss the article titled: Linux Router

jcluney · 06-09-2004, 03:29 PM

have a router set up and usind slackware 9.1 eth0 is working fine but i am getting this error on boot up Jun 9 17:15:24 roadrunner kernel: eth1: link down what could be the problem the output of ifconfig is

his is the output of ifconfig

eth0 Link encap:Ethernet HWaddr 00:0A:xx:CD:xx:AD
inet addr:205.xxx.160.xx Bcast:205.251.xx.255 Mask:255.255.252.0 UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1 RX packets:9757 errors:0 dropped:0 overruns:0 frame:0
TX packets:1961 errors:0 dropped:0 overruns:0 carrier:0
collisions:73 txqueuelen:1000
RX bytes:1538741 (1.4 Mb) TX bytes:281166 (274.5 Kb)
Interrupt:11 Base address:0xd800

eth1 Link encap:Ethernet HWaddr 00:40:xx:8A:xx:F1
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0 UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:63 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:10122 (9.8 Kb)
Interrupt:10 Base address:0xcf00

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:6 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:252 (252.0 b) TX bytes:252 (252.0 b)
could some one pleas help me

AdamZappal · 03-14-2005, 02:27 AM

in this article he mentions, if we cant ping the machine on the LAN then we have to read another article before proceeding?!! well... what article?

maxque · 04-23-2005, 02:12 PM

Quote:

Originally posted by AdamZappal
in this article he mentions, if we cant ping the machine on the
LAN then we have to read another article before proceeding?!!
well... what article?

What is the output from sudo iptables -L ?

If iptables is loaded you will have at least three chains, INPUT, OUTPUT and FORWARD. iptables is installed and loaded. Then try iptables -v -L INPUT , from that if your rules are there you should see some indication of them. Then do the same for the FORWARD chain.

The next thing to check is that your own dhcp server is running and assigning addresses. I have already written my own dhcp.conf file and assigned hardware-ethernet ip addresses specifically to each machine on my network.

This article is pretty sparse, I think they're leaving it up to us to fill in the missing pieces. The other thing I didn't see mentioned was the version of IPtables or the kernel version. There are some changes from the 2.4 to the 2.6 kernel and I'm not sure how this is affecting things either.

I am in the middle of doing just this in hopes of retiring my linksys router and making way for a web server on the other connection I have from my ISP.

cheers,
maxque

maxque · 04-23-2005, 03:36 PM

OK, Since I am doing this for real at the moment, I'll post things here in hopes that I'll get some help as I go along and maybe help others to.

IPTABLES are a list of rules which exist in your computer's memory. They can be added and changed on the fly so it makes them very flexible. You can enter the barebones commands from your terminal and they will stay there until you reboot the computer. In real life, a set of rules like this evolve over time and are tweaked and adjusted to meet the current circumstances.

This isn't a very good way of preserving them for next time you boot. The rules can be put into the form of a shell script which you can run by hand as you work on them or set to run when you boot the server, and BEFORE anything else is loaded. Here is the barebones rules in the form of a very simple shell script:

Code:

#!/bin/sh
# First let linux know this is a shell script and how to execute it
# Next, just in case there are any rules sitting in memory we flush everything
/sbin/iptables -F
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -A FORWARD -m state --state INVALID -j DROP
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP

# Lets know specifically where we intersect  with the Internet
# specifically allow data from our own static IP 
/sbin/iptables -A INPUT -s 216.xxx.xxx.xxx  -j ACCEPT  #for everything
# or you if you don't have a static ip, do it by interface
/sbin/iptables -A INPUT -i eth0 -j ACCEPT

# Since this a router, it might be nice to know which one
/sbin/iptables -A FORWARD -i eth1 -o eth0
/sbin/iptables -A FORWARD -i eth0 -o eth1

/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP

/sbin/iptables -A INPUT -i eth1 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

I'll have to figure out the mechanics of the NAT portion as I go. but this is more information. Someone else post here to, I'm right playing this by ear now!

maxque

michaelsanford · 06-06-2005, 04:04 PM

I just wanted to mention something about the subnetting in dhcpd.conf

Code:

ddns-update-style ad-hoc;
option domain-name-servers x.x.x.x;
option routers x.x.x.x;
subnet 10.0.0.0 netmask 255.0.0.0 {
    range 10.0.0.0 10.0.0.100;
}

This would probably be better like this:

Code:

ddns-update-style ad-hoc;
option domain-name-servers x.x.x.x;
option routers x.x.x.x;
subnet 10.0.0.0 netmask 255.255.255.0 {
    range 10.0.0.2 10.0.0.100;
}

That way the subnet matches the range of network addresses allowed (since you originally had a subnet mask allowing 10.0.0.1 to 10.254.254.254 but were only addressing 10.0.0.1 to 10.0.0.100). Also you shouldn't really bound a range with 10.0.0.0 (or with any address with a zero-byte fourth octet) because that's a reserved address, and make sure that your router (which I assume has a dhcpd-side interface of 10.0.0.1 ?) doesn't pass out an IP address that's the same as the interface.

It won't actually pass out an address that's already in use and it won't pass out a network address (10.0.0.0) to a client host, this is just tying up loose ends so to speak.

Also, for those of us who don't have /etc/sysctl.conf (like Slackware) you can use this to enable Iipv4_forwarding. You can put this in a startup script to make the change permanent across reboots:

Code:

/bin/echo "1" > /proc/sys/net/ipv4/ip_forward

Just my 0,02 $, still a good guide!

jp_durai · 10-17-2005, 01:04 AM

in this article he mentions, if we cant ping the machine on the LAN then we have to read another article before proceeding?!! well... what article?

jp_durai · 11-04-2005, 06:53 AM

I have installed fedora 4 with two ethernet cards for making a router and configured.If i ping a pc connected with eth0, it replies. but pinging pcs connected with eth1 replies unreachable destination. what may be the problem .If any body knows pls reply.

srnerkar1 · 11-12-2005, 01:24 AM

good afternoon everybody,
I have certain questions in my mind about the router. I am using squid server with that i am able to access internet . That squid server is having 2 NIC connected to local and outside network but problem occures when i want to upload data from the local systems in LAN to my private web site through SQUID server it wont allow me to do so
So sir, can that problem be sovled by setting that squid server as a LINUX ROUTER.......................
Please suggest any solution if any rather than this..........

Avatar · 03-12-2007, 08:44 AM

Has this article been removed? I only see the first paragraph then it cuts off.

Davschm · 03-19-2007, 08:06 PM

Same, i cant read this artical.

UhhMaybe · 05-03-2007, 11:50 PM

maxque the differences between the two kernels are as big as what YOU need within the kernel's. They are configurable. They are Sometimes interchangeable. Not Always. The IPChains software is not the same as IPTables. See http://www.wiki.com/ and http://tldp.org/HOWTO/HOWTO-INDEX/howtos.html