DebianThis forum is for the discussion of Debian Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I have set up a Debian 3.1 box with a very clean install, nothing unnesecary running. I installed off the internet, everything is up to date and it was running fine. Note the WAS, now heres my problem:
Thats the network diagram. I do not have any control of the Radio, I simply set the routers external interface to a certain IP the radio is configured to accept and I can access the internet.
The router (debian box) is set up as follows:
I have 3 interfaces
eth0 -- to wireless radio provided by ISP (mounted in a tree) -- 192.168.5.23 fixed ip
eth1 -- internal wired network -- 192.168.0.254 -- to a 4 port hub
eth2 -- internal wirless network -- 192.168.1.254 -- zd1211 Usb Dongle.
/etc/network/interfaces
Quote:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.5.23
netmask 255.255.255.0
network 192.168.5.0
broadcast 192.168.5.255
gateway 192.168.5.254
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 204.50.96.7
dns-search box
I am running this script for NAT/Firewall. I obatined it from the aboutdebian.com firewall tutorial and modified it to add the second wireless interface. I added the proper rules (i think).
START SCRIPT
--------------------------
Quote:
#!/bin/sh
# IPTABLES FIREWALL script for the Linux 2.4 kernel.
# This script is a derivitive of the script presented in
# the IP Masquerade HOWTO page at:
# http://www.tldp.org/HOWTO/IP-Masquer...-examples.html
# It was simplified to coincide with the configuration of
# the sample system presented in the Guides section of
# www.aboutdebian.com
#
# This script is presented as an example for testing ONLY
# and should not be used on a production firewall server.
#
# PLEASE SET THE USER VARIABLES
# IN SECTIONS A AND B OR C
echo -e "\n\nSETTING UP IPTABLES FIREWALL..."
# === SECTION A
# ----------- FOR EVERYONE
# SET THE INTERFACE DESIGNATION AND ADDRESS AND NETWORK ADDRESS
# FOR THE NIC CONNECTED TO YOUR _INTERNAL_ NETWORK
# The default value below is for "eth0". This value
# could also be "eth1" if you have TWO NICs in your system.
# You can use the ifconfig command to list the interfaces
# on your system. The internal interface will likely have
# have an address that is in one of the private IP address
# ranges.
# Note that this is an interface DESIGNATION - not
# the IP address of the interface.
# Enter the designation for the Internal Interface's
INTIF="eth1"
# Enter the NETWORK address the Internal Interface is on
INTNET="192.168.0.0/24"
# Enter the IP address of the Internal Interface
INTIP="192.168.0.254/24"
# Enter the designation for the Internal Interface's
INTIF2="eth2"
# Enter the NETWORK address the Internal Interface is on
INTNET2="192.168.1.0/24"
# Enter the IP address of the Internal Interface
INTIP2="192.168.1.254/24"
# SET THE INTERFACE DESIGNATION FOR YOUR "EXTERNAL" (INTERNET) CONNECTION
# The default value below is "ppp0" which is appropriate
# for a MODEM connection.
# If you have two NICs in your system change this value
# to "eth0" or "eth1" (whichever is opposite of the value
# set for INTIF above). This would be the NIC connected
# to your cable or DSL modem (WITHOUT a cable/DSL router).
# Note that this is an interface DESIGNATION - not
# the IP address of the interface.
# Enter the external interface's designation for the
# EXTIF variable:
EXTIF="eth0"
# ! ! ! ! ! Use ONLY Section B *OR* Section C depending on
# ! ! ! ! the type of Internet connection you have.
# ! ! ! ! ! Uncomment ONLY ONE of the EXTIP statements.
# === SECTION B
# ----------- FOR THOSE WITH STATIC PUBLIC IP ADDRESSES
# SET YOUR EXTERNAL IP ADDRESS
# If you specified a NIC (i.e. "eth0" or "eth1" for
# the external interface (EXTIF) variable above,
# AND if that external NIC is configured with a
# static, public IP address (assigned by your ISP),
# UNCOMMENT the following EXTIP line and enter the
# IP address for the EXTIP variable:
EXTIP="192.168.5.23"
# === SECTION C
# ---------- DIAL-UP MODEM, AND RESIDENTIAL CABLE-MODEM/DSL (Dynamic IP) USERS
# SET YOUR EXTERNAL INTERFACE FOR DYNAMIC IP ADDRESSING
# If you get your IP address dynamically from SLIP, PPP,
# BOOTP, or DHCP, UNCOMMENT the command below.
# (No values have to be entered.)
# Note that if you are uncommenting these lines then
# the EXTIP line in Section B must be commented out.
echo " External interface: $EXTIF"
echo " External interface ($EXTIF) IP address is: $EXTIP"
echo " Internal interface ($INTIF) IP address is: $INTIP"
echo " Wireless interface ($INTIF2) IP address is: $INTIP2"
echo " Loading firewall server rules..."
UNIVERSE="0.0.0.0/0"
# Clear any existing rules and setting default policy to DROP
iptables -P INPUT DROP
iptables -F INPUT
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -F -t nat
# Flush the user chain.. if it exists
if [ "`iptables -L | grep drop-and-log-it`" ]; then
iptables -F drop-and-log-it
fi
# Delete all User-specified chains
iptables -X
# Reset all IPTABLES counters
iptables -Z
# Creating a DROP chain
iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-level info
iptables -A drop-and-log-it -j REJECT
echo -e " - Loading INPUT rulesets"
#######################################################################
# INPUT: Incoming traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#
# loopback interfaces are valid.
iptables -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# local interface, local machines, going anywhere is valid -- same for eth2
iptables -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
iptables -A INPUT -i $INTIF2 -s $INTNET2 -d $UNIVERSE -j ACCEPT
iptables -A INPUT -i $INTIF -s $INTNET2 -d $UNIVERSE -j ACCEPT
iptables -A INPUT -i $INTIF2 -s $INTNET -d $UNIVERSE -j ACCEPT
# remote interface, claiming to be local machines, IP spoofing, get lost
iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
iptables -A INPUT -i $EXTIF -s $INTNET2 -d $UNIVERSE -j drop-and-log-it
# remote interface, any source, going to permanent PPP address is valid
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT
# Allow any related traffic coming back to the MASQ server in
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
# OPTIONAL: Uncomment the following two commands if plan on running
# an Apache Web site on the firewall server itself
#
#echo -e " - Allowing EXTERNAL access to the WWW server"
#iptables -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
# Catch all rule, all other incoming is denied and logged.
iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo -e " - Loading OUTPUT rulesets"
#######################################################################
# OUTPUT: Outgoing traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#
# loopback interface is valid.
iptables -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# local interfaces, any source going to local net is valid
iptables -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
iptables -A OUTPUT -o $INTIF2 -s $EXTIP -d $INTNET2 -j ACCEPT
# local interface, any source going to local net is valid
iptables -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
iptables -A OUTPUT -o $INTIF2 -s $INTIP2 -d $INTNET2 -j ACCEPT
# outgoing to local net on remote interface, stuffed routing, deny
iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET2 -j drop-and-log-it
# anything else outgoing on remote interface is valid
iptables -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
# Catch all rule, all other outgoing is denied and logged.
iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo -e " - Loading FORWARD rulesets"
#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
# Allow all connections OUT and only existing/related IN
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
iptables -A FORWARD -i $EXTIF -o $INTIF2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF2 -o $EXTIF -j ACCEPT
iptables -A FORWARD -i $INTIF -o $INTIF2 -j ACCEPT
iptables -A FORWARD -i $INTIF2 -o $INTIF -j ACCEPT
# Catch all rule, all other forwarding is denied and logged.
iptables -A FORWARD -j drop-and-log-it
# Enable SNAT (MASQUERADE) functionality on $EXTIF
iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
echo -e " Firewall server rule loading complete\n\n"
--END SCRIPT--
I have dhcp3-server installed and configured properly. I can aquire IP address perfectly fine on the wired interface.
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;
# option definitions common to all supported networks...
option domain-name "box.box";
option domain-name-servers 204.50.96.7, 204.50.96.8;
default-lease-time 600;
max-lease-time 7200;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
Ok so I have had no problems surfing the web with the wired clients, desktop PCs. Then I decided I would like to have wireless access with my laptop. I had a ZyDas chipset (zd1211) usb dongle for 802.11b wireless and installed and aquired the proper drivers and it is working fine in the router.
I can put it into master mode and associate with it on a windows laptop. Heres the problem: I cant get an IP address over DHCP on the wireless interface. I can put a static IP in (192.168.1.56) and then I can browse to the webserver running on the router (apache). But i CANNOT browse the net.
I was also wondering if there is a better way to implement the 2 internal interfaces (wired and wireless). I tried using a bridge (brctl) but that seemed to make everything stop working (i suppose because the bridge has no IP, therefore the 2 interfaces become unaccesible?). What I suppose I could do is get another NIC, plug it into the hub, and bridge it to the wireless interface, but that seems kind of redundant.
Please shed some light on this matter for me, I am truly stumped
I am assuming here that the 4-port hub (not a switch?) includes the DSL modem and a nat-router ... this will be the gateway then?
You seem to be using a usb dongle with a 2.4 kernel (is this true?). 2.4 is tricky with USB. This support is vastly improved in 2.6 and available in the stable tree.
You can browse the local network, but not with dhcp? You cannot access the internet though you can browse to the gateway?
Looks like a nameserver problem ... check the laptop knows where to look for a dhcp server ... and otherwise for the nameserver. You also should look at your dhcp log on the deb. box to see what happens when your laptop sends it's dhcpinq
You may want to inclose the two subnets in a shared network declaration?
But I have a funny feeing about the way you've set up the subnets - did you do it like this for a reason or did you just copy the example?
However - have you tried without the firewall?
I'm not sure with this quick look, but it appears to me you have allowed forwarding between the two networks, but not network2 (WLAN) to the internet. So it may just be the firewall - you are logging all dropped packets so you can check if the firewall is dropping internet outgoing from your laptop. (Trying a bit without the firewall will clear this up right away.)
I think how this would normally be done is to use the debain box to do IP forwarding between the networks and do dhcp on the wired lan only. As the simplest option.
ISP Radio
|
|
192.168.5.*
|
|
eth0
Debian Box -- eth2 The USB dongle.
eth1
|
|
HUB - 4 port to all wired clients.
But since my last post I have scrapped the first firewall script, and used Bastille to make a newer one I believe is more secure. I have been trying to recompile my 2.4 kernel with support for the USB Orinoco client, and then use hermes AP. Every time i recompile the kernel, I get a
kernel panic: VFS: error reading 16:03 (hdc3)
Or it doesn't boot properly, giving some other error that flies by way too fast
I dont think its the firewall, exact same one on both interfaces.
I thought it might have been the zd1211 chipset not supporting something along the way, so I got a new driver. It works the same, I can connect with windows clients, only after a static IP/DNS.
The new driver spams "before wait 2" to the console like 10 times a second, my logs are filled
I cannot connect with linux clients for some reason
Im starting to think I will make a fresh install with 2.6 with Orinoco support and use that (USB). I have a gentoo CD here somewhere I could try, but I would prefer to stick with debian.
I dont think its the firewall, exact same one on both interfaces.
I thought it might have been the zd1211 chipset not supporting something along the way, so I got a new driver. It works the same, I can connect with windows clients, only after a static IP/DNS.
The new driver spams "before wait 2" to the console like 10 times a second, my logs are filled
I cannot connect with linux clients for some reason
Im starting to think I will make a fresh install with 2.6 with Orinoco support and use that (USB). I have a gentoo CD here somewhere I could try, but I would prefer to stick with debian.
This is taking WAY to long
Thanks,
kcbanner
if you want to reinstall with debian you can use the boot prompt "expert26" and it should load a 2.6 kernel which you can then update. I use an ancient testing sarge netinst CD still that allows me to do that, and i love it, but yeah the kernel 2.6 does greatly improve USB support and such, you can also use udev now. You could also just use your current installation and compile a 2.6.8 kernel or something like that and just install it and see how things work out.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
