LinuxQuestions.org
Old 09-06-2003, 12:02 AM   #1
kleptophobiac
Member
 
Registered: Jun 2003
Distribution: Arch
Posts: 315

Rep: Reputation: 30
Making a slackware 9.0 2.4.22 router


How would I go about doing this? I will be using 2 3Com 3C509B cards and a 3Com 3C905-TX card.

I want to have control over what ports are open to where, and run some simple servers on the box. I've used ipfw under FreeBSD before, but I sort of don't know what I'm doing now.

Specs:
2.4.22
Slackware 9.0
3C509B - to cable modem
3C509B - to wireless
3C905-TX - to wired lan
Celeron 400
256MB PC133
 
Old 09-06-2003, 01:05 AM   #2
jalal
Member
 
Registered: Aug 2003
Location: .bh
Distribution: Gentoo
Posts: 188

Rep: Reputation: 30
You can start by using IPTables, which is similar to ipfw.

http://www.iptables.org/
 
Old 09-06-2003, 08:42 PM   #3
eric.r.turner
Member
 
Registered: Aug 2003
Location: Planet Earth
Distribution: Linux Mint
Posts: 216

Rep: Reputation: 31
I have exactly what you're looking for already set up!

First you need to make sure the drivers for your cards are either compiled in to your kernel, or loaded at runtime via /etc/rc.d/rc.modules. Try uncommenting the line that says "/sbin/modprobe 3C509" to see if that driver works for your cards.

Next you need to figure out which interfaces are associated with eth0, eth1, and eth2 (or wlan0 if you have a wireless card in the computer.) Then edit /etc/rc.d/rc.inet1 to configure the settings for each of these interfaces. I like to create separate rc scripts (e.g. /etc/rc.d/rc.eth0) for each interface, then call those scripts from /etc/rc.d/rc.inet1. I basically just pull the interface-specific code from rc.inet1 and put it in rc.eth0. Anyway, you need to configure the settings on each interface. My eth1 interface is automatically configured via DHCP by my ISP (including the default gateway) so in /etc/rc.d/rc.eth1 I set USE_DHCP=yes. Here's an example of my /etc/rc.d/rc.eth0 and my /etc/rc.d/rc.inet1:

Code:
#! /bin/sh
# /etc/rc.d/rc.eth0

INTERFACE="eth0"

IPADDR="192.168.0.1"
NETMASK="255.255.255.0"
USE_DHCP=no
#DHCP_HOSTNAME="CCHOSTNUM-A"

if [ "$USE_DHCP" = "yes" ]; then
  echo "Attempting to configure $INTERFACE by contacting a DHCP server..."
  # Add the -h option to the DHCP hostname:
  if [ ! "$DHCP_HOSTNAME" = "" ]; then
    DHCP_HOSTNAME="-h $DHCP_HOSTNAME"
  fi
  rm -f /etc/dhcpc/dhcpcd-$INTERFACE.pid
  /sbin/dhcpcd -t 10 ${DHCP_HOSTNAME} -d ${INTERFACE}
elif [ ! "$IPADDR" = "127.0.0.1" -a ! "$IPADDR" = "" ]; then # set up IP statically:
  # Determine broadcast and network addresses from the IP address and netmask:
  BROADCAST=`/bin/ipmask $NETMASK $IPADDR | cut -f 1 -d ' '`
  NETWORK=`/bin/ipmask $NETMASK $IPADDR | cut -f 2 -d ' '`
  # Set up the ethernet card:
  echo "Configuring ${INTERFACE}:"
  echo "ifconfig ${INTERFACE} ${IPADDR} broadcast ${BROADCAST} netmask ${NETMASK}"
  /sbin/ifconfig ${INTERFACE} ${IPADDR} broadcast ${BROADCAST} netmask ${NETMASK}
  # If that didn't succeed, give the system administrator some hints:
  if [ ! $? = 0 ]; then
    echo "Your ${INTERFACE} card was not initialized properly.  Here are some reasons why this"
    echo "may have happened, and the solutions:"
    echo "1. Your kernel does not contain support for your card.  Including all the"
    echo "   network drivers in a Linux kernel can make it too large to even boot, and"
    echo "   sometimes including extra drivers can cause system hangs.  To support your"
    echo "   ethernet, either edit /etc/rc.d/rc.modules to load the support at boot time,"
    echo "   or compile and install a kernel that contains support."
    echo "2. You don't have an ethernet card, in which case you should run netconfig"
    echo "   and configure your machine for loopback. (Unless you don't mind seeing this"
    echo "   error...)"
  fi
fi

Code:
#! /bin/sh
# /etc/rc.d/rc.inet1
# This script starts up the base networking system.
#
# Version:
# @(#)/etc/rc.d/rc.inet1 8.1 Tue May 28 15:27:39 PDT 2002 (pjv)

# Edit the next line to point to your gateway:
GATEWAY="" # REPLACE with YOUR gateway!

# Set up the loopback interface:
/sbin/ifconfig lo 127.0.0.1
/sbin/route add -net 127.0.0.0 netmask 255.0.0.0 lo

# Set up the interfaces
if [ -x /etc/rc.d/rc.eth0 ]; then
   /etc/rc.d/rc.eth0
fi

if [ -x /etc/rc.d/rc.eth1 ]; then
   /etc/rc.d/rc.eth1
fi

if [ -x /etc/rc.d/rc.eth2 ]; then
   /etc/rc.d/rc.eth2
fi

if [ -x /etc/rc.d/rc.wlan0 ]; then
   /etc/rc.d/rc.wlan0
fi

# Set up the gateway:
if [ ! "$GATEWAY" = "127.0.0.1" -a ! "$GATEWAY" = "" ]; then
  /sbin/route add default gw ${GATEWAY} metric 1
fi

# End of /etc/rc.d/rc.inet1

Finally, you need to use iptables to do firewalling/NAT/Masquerading. On my server I have three interfaces: eth1 goes to my cable modem, eth0 goes to my internal wired network (192.168.0.0/24), and wlan0 goes to my wireless PCI card (192.168.1.0/24). My server acts as an access point for wireless clients. The only ports I allow access to from the Internet are 25 (smtp email server) and 22 (ssh). Here's my /etc/rc.d/rc.firewall script that I call from /etc/rc.d/rc.local:

Code:
#!/bin/sh
# /etc/rc.d/rc.firewall

###############################################################################
#
# Author: Eric R. Turner <eric.r.turner(at)bitbreather(dot)com>
#
# The syntax of iptables is basically:
#
#    iptables [-t table] -ACDI CHAIN rule-specification -j TARGET [options]
#
# There are three built-in tables that each have some built-in chains:
#
#    filter - Basic packet-filter table with INPUT, FORWARD, and OUTPUT chains.
#             Only one of the chains will be traversed. (This is the default
#             table.)
#    nat    - Network address translation table with PREROUTING, POSTROUTING,
#             and OUTPUT chains. PREROUTING accepts the DNAT target. Other
#             chains accept the SNAT target.
#    mangle - Table used to change info other than the IP address in the
#             header. For example, it can change the type of service (TOS)
#             or time-to-live (TTL) information.
#
###############################################################################

   IPT=/usr/sbin/iptables

# Use a trusted PATH

   PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin:/usr/local/bin
   export PATH

# Disable IP forwarding until the rules are in place.

   echo 0 > /proc/sys/net/ipv4/ip_forward

# Install the necessary kernel modules.

   /sbin/modprobe ip_tables
   /sbin/modprobe ip_nat_ftp
   /sbin/modprobe ip_conntrack_ftp

# Flush the tables and delete the non-builtin chains
# to ensure that we are starting from scratch.

   for i in filter nat mangle
   do
      $IPT --table $i --flush
      $IPT --table $i --delete-chain
   done

# Set up a user-defined chain called "tcprules" in the filter table that 
# prevents anyone from connecting to local computers from the outside, but 
# allows local computers to establish connections to the outside. We'll 
# specify that the INPUT and FORWARD chains use the rules defined in our 
# "tcprules" chain after we've established those rules.

   $IPT --table filter --new-chain tcprules

   # Accept traffic (and related traffic on different ports) coming in on
   # any interface if the traffic has been seen before in both directions.

   $IPT --table filter \
        --append tcprules \
        --match state \
        --state ESTABLISHED,RELATED \
        --jump ACCEPT

   # Accept new TCP traffic coming in on any interface
   # for the email server.

   $IPT --table filter \
        --append tcprules \
        --protocol tcp \
        --destination-port 25 \
        --match state \
        --state NEW \
        --jump ACCEPT

   # Accept new SSH traffic coming in on any interface.

   $IPT --table filter \
        --append tcprules \
        --protocol tcp \
        --destination-port 22 \
        --match state \
        --state NEW \
        --jump ACCEPT

   # Accept new traffic coming in on any interface except eth1 (the
   # Internet interface).

   $IPT --table filter \
        --append tcprules \
        --in-interface ! eth1 \
        --match state \
        --state NEW \
        --jump ACCEPT

   # The catch-all rule: drop new or invalid traffic coming in on any
   # network interface.

   $IPT --table filter \
        --append tcprules \
        --match state \
        --state NEW,INVALID \
        --jump DROP

   # Use the rules defined in the "tcprules" chain for the INPUT and
   # FORWARD chains.

   $IPT --table filter \
        --append INPUT \
        --jump tcprules

   $IPT --table filter \
        --append FORWARD \
        --jump tcprules

   # Make sure the default policy for the filter table's INPUT and 
   # FORWARD chains is DROP rather than ACCEPT, in case we misconfigure 
   # the firewall.

   $IPT --table filter \
        --policy INPUT DROP

   $IPT --table filter \
        --policy FORWARD DROP

   
# Add masquerading to the POSTROUTING chain in the nat table.

   $IPT --table nat \
        --append POSTROUTING \
        --out-interface eth1 \
        --source 192.168.0.0/24 \
        --destination 0/0 \
        --jump MASQUERADE

   $IPT --table nat \
        --append POSTROUTING \
        --out-interface eth1 \
        --source 192.168.1.0/24 \
        --destination 0/0 \
        --jump MASQUERADE
        
# Enable IP forwarding

   echo 1 > /proc/sys/net/ipv4/ip_forward

Last edited by eric.r.turner; 09-06-2003 at 08:53 PM.
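
An added check, not part of eric.r.turner's post: the script below audits `iptables-save` text for the properties the posted rc.firewall is meant to guarantee (DROP policies on INPUT and FORWARD, both chains jumping to tcprules, and only ports 22 and 25 open to every interface). The rule text is a hand-constructed sample, and `policy_of`, `exposed_ports` and `audit` are hypothetical helper names.

```shell
# Constructed sample: plausible `iptables-save` text for the filter table after
# the rc.firewall above has run (written by hand, not captured from a host).
GOOD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:tcprules - [0:0]
-A INPUT -j tcprules
-A FORWARD -j tcprules
-A tcprules -m state --state RELATED,ESTABLISHED -j ACCEPT
-A tcprules -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
-A tcprules -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A tcprules ! -i eth1 -m state --state NEW -j ACCEPT
-A tcprules -m state --state INVALID,NEW -j DROP
COMMIT'
# Constructed drift: FORWARD policy loosened and port 25 swapped for 3306.
BAD_RULES=$(printf '%s\n' "$GOOD_RULES" |
  sed -e 's/^:FORWARD DROP/:FORWARD ACCEPT/' -e 's/--dport 25 /--dport 3306 /')

# policy_of CHAIN: default policy of a built-in chain, read from stdin.
policy_of() { awk -v c=":$1" '$1 == c { print $2 }'; }

# exposed_ports: ports accepted for NEW connections with no interface match,
# i.e. reachable from eth1 (the Internet side) as well as the LANs.
exposed_ports() {
  awk '/^-A tcprules / && /--state NEW/ && /-j ACCEPT/ && !/ -i / {
         for (i = 1; i < NF; i++) if ($i == "--dport") print $(i + 1)
       }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# audit RULES EXPECTED_PORTS: print findings; exit status = number of findings.
audit() {
  rules=$1; expected=$2; findings=0
  for chain in INPUT FORWARD; do
    p=$(printf '%s\n' "$rules" | policy_of "$chain")
    [ "$p" = "DROP" ] || { echo "FINDING: $chain policy is $p, not DROP"
                           findings=$((findings + 1)); }
    printf '%s\n' "$rules" | grep -q "^-A $chain -j tcprules\$" ||
      { echo "FINDING: $chain does not jump to tcprules"
        findings=$((findings + 1)); }
  done
  ports=$(printf '%s\n' "$rules" | exposed_ports)
  [ "$ports" = "$expected" ] ||
    { echo "FINDING: exposed ports are '$ports', expected '$expected'"
      findings=$((findings + 1)); }
  return "$findings"
}
audit "$GOOD_RULES" "22 25" && echo "OK: matches the posted rule set"
audit "$BAD_RULES" "22 25" || echo "$? finding(s) in the modified rule set"
```

On the router itself, the output of `iptables-save -t filter` can be passed as the first argument to `audit` in place of the sample text.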
 
Old 09-07-2003, 09:54 PM   #4
vrillusions
Member
 
Registered: Feb 2003
Location: Ohio, USA
Distribution: Ubuntu, Debian, CentOS
Posts: 99

Rep: Reputation: 25
Although slightly OT, another option for a Linux firewall app is getting smoothwall @ http://www.smoothwall.org/ if you're like me and too lazy to set up my own.
 
  

