I have set up a Debian 3.1 box with a very clean install, nothing unnecessary running. I installed off the internet, everything is up to date and it was running fine. Note the WAS, now here's my problem:
The box is a router for my wireless highspeed:
--Internet--
|
|
--Isp private network--
|
|
--My radio--
|
|
--Debian box--
|
|---------------Wireless laptop(s)
--Wired boxes (windows)--
That's the network diagram. I do not have any control of the Radio, I simply set the router's external interface to a certain IP the radio is configured to accept and I can access the internet.
The router (debian box) is set up as follows:
I have 3 interfaces
eth0 -- to wireless radio provided by ISP (mounted in a tree) -- 192.168.5.23 fixed IP
eth1 -- internal wired network -- 192.168.0.254 -- to a 4 port hub
eth2 -- internal wireless network -- 192.168.1.254 -- zd1211 USB dongle.
/etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
    address 192.168.5.23
    netmask 255.255.255.0
    network 192.168.5.0
    broadcast 192.168.5.255
    gateway 192.168.5.254
    # dns-* options are implemented by the resolvconf package, if installed
    dns-nameservers 204.50.96.7
    dns-search box

auto eth1
iface eth1 inet static
    address 192.168.0.254
    netmask 255.255.255.0
    network 192.168.0.0
    broadcast 192.168.0.255

auto eth2
iface eth2 inet static
    address 192.168.1.254
    netmask 255.255.255.0
    broadcast 192.168.1.255
    up iwconfig eth2 essid boink mode Master channel 10
I am running this script for NAT/Firewall. I obtained it from the aboutdebian.com firewall tutorial and modified it to add the second wireless interface. I added the proper rules (I think).
START SCRIPT
--------------------------
#!/bin/sh
# IPTABLES FIREWALL script for the Linux 2.4 kernel.
# This script is a derivitive of the script presented in
# the IP Masquerade HOWTO page at:
# http://www.tldp.org/HOWTO/IP-Masquer...-examples.html
# It was simplified to coincide with the configuration of
# the sample system presented in the Guides section of
# www.aboutdebian.com
#
# This script is presented as an example for testing ONLY
# and should not be used on a production firewall server.
#
# PLEASE SET THE USER VARIABLES
# IN SECTIONS A AND B OR C
echo -e "\n\nSETTING UP IPTABLES FIREWALL..."
# === SECTION A
# ----------- FOR EVERYONE
# SET THE INTERFACE DESIGNATION AND ADDRESS AND NETWORK ADDRESS
# FOR THE NIC CONNECTED TO YOUR _INTERNAL_ NETWORK
# The default value below is for "eth0". This value
# could also be "eth1" if you have TWO NICs in your system.
# You can use the ifconfig command to list the interfaces
# on your system. The internal interface will likely have
# have an address that is in one of the private IP address
# ranges.
# Note that this is an interface DESIGNATION - not
# the IP address of the interface.
# Enter the designation for the Internal Interface's
INTIF="eth1"
# Enter the NETWORK address the Internal Interface is on
INTNET="192.168.0.0/24"
# Enter the IP address of the Internal Interface
INTIP="192.168.0.254/24"
# Enter the designation for the Internal Interface's
INTIF2="eth2"
# Enter the NETWORK address the Internal Interface is on
INTNET2="192.168.1.0/24"
# Enter the IP address of the Internal Interface
INTIP2="192.168.1.254/24"
# SET THE INTERFACE DESIGNATION FOR YOUR "EXTERNAL" (INTERNET) CONNECTION
# The default value below is "ppp0" which is appropriate
# for a MODEM connection.
# If you have two NICs in your system change this value
# to "eth0" or "eth1" (whichever is opposite of the value
# set for INTIF above). This would be the NIC connected
# to your cable or DSL modem (WITHOUT a cable/DSL router).
# Note that this is an interface DESIGNATION - not
# the IP address of the interface.
# Enter the external interface's designation for the
# EXTIF variable:
EXTIF="eth0"
# ! ! ! ! ! Use ONLY Section B *OR* Section C depending on
# ! ! ! ! the type of Internet connection you have.
# ! ! ! ! ! Uncomment ONLY ONE of the EXTIP statements.
# === SECTION B
# ----------- FOR THOSE WITH STATIC PUBLIC IP ADDRESSES
# SET YOUR EXTERNAL IP ADDRESS
# If you specified a NIC (i.e. "eth0" or "eth1" for
# the external interface (EXTIF) variable above,
# AND if that external NIC is configured with a
# static, public IP address (assigned by your ISP),
# UNCOMMENT the following EXTIP line and enter the
# IP address for the EXTIP variable:
EXTIP="192.168.5.23"
# === SECTION C
# ---------- DIAL-UP MODEM, AND RESIDENTIAL CABLE-MODEM/DSL (Dynamic IP) USERS
# SET YOUR EXTERNAL INTERFACE FOR DYNAMIC IP ADDRESSING
# If you get your IP address dynamically from SLIP, PPP,
# BOOTP, or DHCP, UNCOMMENT the command below.
# (No values have to be entered.)
# Note that if you are uncommenting these lines then
# the EXTIP line in Section B must be commented out.
#EXTIP="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
# -------- No more variable setting beyond this point --------
echo "Loading required stateful/NAT kernel modules..."
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
echo " Enabling IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo " External interface: $EXTIF"
echo " External interface ($EXTIF) IP address is: $EXTIP"
echo " Internal interface ($INTIF) IP address is: $INTIP"
echo " Wireless interface ($INTIF2) IP address is: $INTIP2"
echo " Loading firewall server rules..."
UNIVERSE="0.0.0.0/0"
# Clear any existing rules and setting default policy to DROP
iptables -P INPUT DROP
iptables -F INPUT
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -F -t nat
# Flush the user chain.. if it exists
if [ "`iptables -L | grep drop-and-log-it`" ]; then
iptables -F drop-and-log-it
fi
# Delete all User-specified chains
iptables -X
# Reset all IPTABLES counters
iptables -Z
# Creating a DROP chain
iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-level info
iptables -A drop-and-log-it -j REJECT
echo -e " - Loading INPUT rulesets"
#######################################################################
# INPUT: Incoming traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#
# loopback interfaces are valid.
iptables -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# local interface, local machines, going anywhere is valid -- same for eth2
iptables -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
iptables -A INPUT -i $INTIF2 -s $INTNET2 -d $UNIVERSE -j ACCEPT
iptables -A INPUT -i $INTIF -s $INTNET2 -d $UNIVERSE -j ACCEPT
iptables -A INPUT -i $INTIF2 -s $INTNET -d $UNIVERSE -j ACCEPT
#???
#iptables -A INPUT -i $INTIF2 -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# remote interface, claiming to be local machines, IP spoofing, get lost
iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
iptables -A INPUT -i $EXTIF -s $INTNET2 -d $UNIVERSE -j drop-and-log-it
# remote interface, any source, going to permanent PPP address is valid
# NOTE: this accepts every packet arriving on $EXTIF that is addressed to the
# router itself, in any state; the ESTABLISHED,RELATED rule below can
# therefore never match anything this rule has not already accepted.
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT
# Allow any related traffic coming back to the MASQ server in
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
# OPTIONAL: Uncomment the following two commands if plan on running
# an Apache Web site on the firewall server itself
#
#echo -e " - Allowing EXTERNAL access to the WWW server"
#iptables -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
# Catch all rule, all other incoming is denied and logged.
iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo -e " - Loading OUTPUT rulesets"
#######################################################################
# OUTPUT: Outgoing traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#
# loopback interface is valid.
iptables -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# local interfaces, any source going to local net is valid
iptables -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
iptables -A OUTPUT -o $INTIF2 -s $EXTIP -d $INTNET2 -j ACCEPT
# local interface, any source going to local net is valid
iptables -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
iptables -A OUTPUT -o $INTIF2 -s $INTIP2 -d $INTNET2 -j ACCEPT
# outgoing to local net on remote interface, stuffed routing, deny
iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET2 -j drop-and-log-it
# anything else outgoing on remote interface is valid
iptables -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
# Catch all rule, all other outgoing is denied and logged.
iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo -e " - Loading FORWARD rulesets"
#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
# Allow all connections OUT and only existing/related IN
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
iptables -A FORWARD -i $EXTIF -o $INTIF2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF2 -o $EXTIF -j ACCEPT
iptables -A FORWARD -i $INTIF -o $INTIF2 -j ACCEPT
iptables -A FORWARD -i $INTIF2 -o $INTIF -j ACCEPT
# Catch all rule, all other forwarding is denied and logged.
iptables -A FORWARD -j drop-and-log-it
# Enable SNAT (MASQUERADE) functionality on $EXTIF
iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
echo -e " Firewall server rule loading complete\n\n"
--END SCRIPT--
I have dhcp3-server installed and configured properly. I can acquire an IP address perfectly fine on the wired interface.
/etc/dhcp3/dhcpd.conf
#
# Sample configuration file for ISC dhcpd for Debian
#
# $Id: dhcpd.conf,v 1.1.1.1 2002/05/21 00:07:44 peloy Exp $
#

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;

# option definitions common to all supported networks...
option domain-name "box.box";
option domain-name-servers 204.50.96.7, 204.50.96.8;

default-lease-time 600;
max-lease-time 7200;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
#subnet 10.152.187.0 netmask 255.255.255.0 {
#}

# This is a very basic subnet declaration.
#subnet 192.168.0.0 netmask 255.255.255.0 {
#  range 192.168.0.10 192.168.0.250;
#  option routers box;
#}

# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.
#subnet 10.254.239.32 netmask 255.255.255.224 {
#  range dynamic-bootp 10.254.239.40 10.254.239.60;
#  option broadcast-address 10.254.239.31;
#  option routers rtr-239-32-1.example.org;
#}

# A slightly different configuration for an internal subnet.
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.10 192.168.1.250;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.254;
  option broadcast-address 192.168.1.255;
  default-lease-time 600;
  max-lease-time 7200;
}

subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.10 192.168.0.250;
  option subnet-mask 255.255.255.0;
  option routers 192.168.0.254;
  option broadcast-address 192.168.0.255;
  default-lease-time 600;
  max-lease-time 7200;
}
Ok so I have had no problems surfing the web with the wired clients, desktop PCs. Then I decided I would like to have wireless access with my laptop. I had a ZyDas chipset (zd1211) USB dongle for 802.11b wireless and installed and acquired the proper drivers and it is working fine in the router.
I can put it into master mode and associate with it on a Windows laptop. Here's the problem: I can't get an IP address over DHCP on the wireless interface. I can put a static IP in (192.168.1.56) and then I can browse to the webserver running on the router (apache). But I CANNOT browse the net.
I was also wondering if there is a better way to implement the 2 internal interfaces (wired and wireless). I tried using a bridge (brctl) but that seemed to make everything stop working (I suppose because the bridge has no IP, therefore the 2 interfaces become inaccessible?). What I suppose I could do is get another NIC, plug it into the hub, and bridge it to the wireless interface, but that seems kind of redundant.
Please shed some light on this matter for me, I am truly stumped.
Thanks a lot,
kcbanner
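As an added illustration (not code from the post or from the aboutdebian script), here is a small first-match evaluator over the INPUT and FORWARD chains of the firewall above, using the interface names and networks from the post. It shows that a DHCPDISCOVER (source 0.0.0.0, destination 255.255.255.255) lands on the drop-and-log-it catch-all on eth1 and eth2 alike, so the rule set treats the two inner interfaces identically and the wired/wireless difference has to come from elsewhere (ISC dhcpd reads and answers DHCP through raw packet sockets, so it still sees the broadcast; the REJECT only produces a LOG line). It also shows the forward path for the statically addressed laptop, and that the accept-all rule to EXTIP admits any new connection from the radio side. The outside addresses 203.0.113.10 and 198.51.100.1 are constructed test values.

```python
import ipaddress

# Interface and address values as posted in the firewall script.
EXTIF, INTIF, INTIF2 = "eth0", "eth1", "eth2"
EXTIP, INTNET, INTNET2, ANY = "192.168.5.23/32", "192.168.0.0/24", "192.168.1.0/24", "0.0.0.0/0"

# Rules in posted order: (in_if, out_if, src, dst, target, matches_new). None means no -i/-o
# match; matches_new=False models "-m state --state ESTABLISHED,RELATED". The INPUT state
# rule is left out because the accept-all rule to EXTIP just before it already matches.
RULES = {
    "INPUT": [
        ("lo", None, ANY, ANY, "ACCEPT", True),
        (INTIF, None, INTNET, ANY, "ACCEPT", True),
        (INTIF2, None, INTNET2, ANY, "ACCEPT", True),
        (INTIF, None, INTNET2, ANY, "ACCEPT", True),
        (INTIF2, None, INTNET, ANY, "ACCEPT", True),
        (EXTIF, None, INTNET, ANY, "drop-and-log-it", True),
        (EXTIF, None, INTNET2, ANY, "drop-and-log-it", True),
        (EXTIF, None, ANY, EXTIP, "ACCEPT", True),
        (None, None, ANY, ANY, "drop-and-log-it", True),
    ],
    "FORWARD": [
        (EXTIF, INTIF, ANY, ANY, "ACCEPT", False),
        (INTIF, EXTIF, ANY, ANY, "ACCEPT", True),
        (EXTIF, INTIF2, ANY, ANY, "ACCEPT", False),
        (INTIF2, EXTIF, ANY, ANY, "ACCEPT", True),
        (INTIF, INTIF2, ANY, ANY, "ACCEPT", True),
        (INTIF2, INTIF, ANY, ANY, "ACCEPT", True),
        (None, None, ANY, ANY, "drop-and-log-it", True),
    ],
}

def verdict(chain, in_if, out_if, src, dst, new=True):
    """Walk one chain first-match, as netfilter does, and return the target hit."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r_in, r_out, r_src, r_dst, target, matches_new in RULES[chain]:
        if r_in is not None and r_in != in_if:
            continue
        if r_out is not None and r_out != out_if:
            continue
        if s not in ipaddress.ip_network(r_src) or d not in ipaddress.ip_network(r_dst):
            continue
        if new and not matches_new:
            continue
        return target
    return "DROP"  # chain policy set by "iptables -P <chain> DROP"

if __name__ == "__main__":
    print(verdict("INPUT", INTIF2, None, "0.0.0.0", "255.255.255.255"))       # drop-and-log-it
    print(verdict("FORWARD", INTIF2, EXTIF, "192.168.1.56", "203.0.113.10"))  # ACCEPT
```

Every packet that ends in drop-and-log-it is written to the kernel log by the LOG rule, so the syslog on the router is where to confirm which rule a failing client is actually hitting.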