LinuxQuestions.org
Linux - Enterprise This forum is for all items relating to using Linux in the Enterprise.

Old 03-18-2010, 04:16 AM   #1
mid_nightslover
LQ Newbie
 
Registered: Aug 2005
Location: india
Posts: 7

Rep: Reputation: 0
Configuring DHCP and Internet sharing on RHEL5, still not working.


I am having a problem configuring my system to work as a DHCP server as well as share the internet connection.

The DHCP server configuration is working fine, but I am having a problem with the internet sharing.

dhcp.conf
Code:
subnet 192.168.1.0 255.255.255.0 {
options routers 1921.68.1.1;
options subnet-mask 255.255.255.0;

options nis-domain "domain.org"
options domain-name-servers xxx.xx.xx.xx, xx.x.xxx.x;

options time-offset -18000;
range 1921.168.1.2 192.168.1.110
default-lease-time 21200
max-lease-time 43600
}

I have two LAN cards:
(Internet) eth0 172.29.14.205/16
(Local) eth1 192.168.1.1/24

I have enabled IP forwarding:
#echo 1 > /proc/sys/net/ipv4/ip_forward

and enabled iptables NAT:

#iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
#iptables -A FORWARD -j LOG

#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

My internet connection is working on the server.
I can ping the other DHCP clients.
They can ping the server (local eth1),
but they can't browse the internet.

Did I miss anything? Please help.
 
Old 03-18-2010, 04:44 AM   #2
OdinnBurkni
Member
 
Registered: Feb 2007
Location: Iceland
Distribution: Fedora 14, CentOS, FreeNAS
Posts: 127

Rep: Reputation: 20
Missed anything?

Not sure you missed anything, but you did this ipforward. I usually do it by going to /etc/sysctl.conf, and it should look something like this (taken from CentOS 5.4):
Code:
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Controls the maximum size of a message, in bytes
kernel.msgmnb = 65536

# Controls the default maxmimum size of a mesage queue
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 4294967295

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 268435456
I hope the # sign isn't in your script; it's there to comment out a line.
Quote:
#iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
#iptables -A FORWARD -j LOG

#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Try changing to
Code:
iptables -t nat -A POSTROUTING -o lo      -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s eth1  -j ACCEPT
or
Code:
iptables -t nat -A POSTROUTING -o lo      -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s eth1  -j MASQUERADE
This might not work; I'm taking it from a script I use instead of the original iptables.

Last edited by OdinnBurkni; 03-18-2010 at 04:46 AM.
 
Old 03-18-2010, 06:24 AM   #3
never say never
Member
 
Registered: Sep 2009
Location: Indiana, USA
Distribution: SLES, SLED, OpenSuse, CentOS, ubuntu 10.10, OpenBSD, FreeBSD
Posts: 195

Rep: Reputation: 37
Can your system reach the internet?

Quote:
options routers 1921.68.1.1;
Should be
Code:
options routers 192.168.1.1;
Quote:
range 1921.168.1.2 192.168.1.110
Should be
Code:
range 192.168.1.2 192.168.1.110
Neither of those addresses was valid. Restart your DHCP server.

On each client machine, reset the NIC to acquire new DHCP info.

On a DHCP client machine, check to make sure that the default gateway is listed as (apparently) "192.168.1.1".

On Windows this can be checked by typing "route print" at a prompt; on Linux, "route".

Next try "ping google.com"; if that works, all should be good.

If it fails, try "ping 64.233.169.103" (this is a Google server).
If this works, you have connectivity but DNS is not working.
If that fails, try "ping <eth0 of your system>" to see if they can reach the gateway.

If you still have problems report back with the results from above.

Last edited by never say never; 03-18-2010 at 12:18 PM. Reason: typos
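The two address typos caught above are the kind dhcpd reports only as a terse parse error, if at all. The following Python lint, an added example that is not from the thread or from the ISC dhcpd project, checks one dhcpd.conf subnet block for exactly these slips: octets out of range, a router or range outside the declared subnet, a missing "netmask" keyword, statements without their terminating ";", and "options" where the keyword is "option". POSTED_BLOCK reproduces the block from post #1; CORRECTED_BLOCK is the later corrected block with made-up DNS addresses in place of the poster's placeholders. The statement set it understands and the lease-time sanity check are my own choices.

```python
import ipaddress
import re

# Constructed sample: the subnet block as first posted in #1, typos included
# (the DNS placeholders are the poster's own 'xxx' values).
POSTED_BLOCK = """\
subnet 192.168.1.0 255.255.255.0 {
options routers 1921.68.1.1;
options subnet-mask 255.255.255.0;
options nis-domain "domain.org"
options domain-name-servers xxx.xx.xx.xx, xx.x.xxx.x;
options time-offset -18000;
range 1921.168.1.2 192.168.1.110
default-lease-time 21200
max-lease-time 43600
}
"""
# Constructed sample: the corrected block from #5, with made-up DNS addresses.
CORRECTED_BLOCK = """\
subnet 192.168.1.0 netmask 255.255.255.0 {
# --- default gateway
\toption routers\t\t\t192.168.1.1;
\toption subnet-mask\t\t255.255.255.0;
\toption domain-name-servers\t10.0.0.53, 10.0.0.54;
\toption time-offset\t\t-18000;\t# Eastern Standard Time
#\toption ntp-servers\t\t192.168.1.1;
\trange  192.168.1.2 192.168.1.110;
\tdefault-lease-time 21600;
\tmax-lease-time 43200;
}
"""

def _ip(text, n, what, findings):
    """Parse one IPv4 address, recording a finding instead of raising."""
    try:
        return ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        findings.append(f"line {n}: {what} '{text}' is not a valid IPv4 address")
        return None

def lint_subnet(text):
    """Return a list of findings for one dhcpd.conf subnet block; [] means clean."""
    findings, net, seen = [], None, {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()            # drop comments and indent
        if not line or line == "}":
            continue
        if line.startswith("subnet "):
            m = re.match(r"subnet\s+(\S+)\s+(?:(netmask)\s+)?(\S+)\s*\{", line)
            if not m:
                findings.append(f"line {n}: cannot parse subnet declaration")
                continue
            if not m.group(2):
                findings.append(f"line {n}: subnet declaration is missing the 'netmask' keyword")
            try:
                net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(3)}")
            except ValueError as exc:
                findings.append(f"line {n}: bad subnet/netmask: {exc}")
            continue
        if not line.endswith(";"):
            findings.append(f"line {n}: statement is missing its terminating ';'")
        words = line.rstrip(";").split()
        if words[0] == "options":                      # common slip; dhcpd rejects it
            findings.append(f"line {n}: unknown statement 'options' (the keyword is 'option')")
            words[0] = "option"
        key, args = (words[1], words[2:]) if words[0] == "option" else (words[0], words[1:])
        seen[key] = (n, " ".join(args))                # last occurrence wins
    if net is None:
        return findings + ["no usable subnet declaration found"]
    if "routers" in seen:
        n, args = seen["routers"]
        router = _ip(args.split(",")[0].strip(), n, "router", findings)
        if router and router not in net:
            findings.append(f"line {n}: router {router} is outside {net}")
    if "subnet-mask" in seen and seen["subnet-mask"][1] != str(net.netmask):
        findings.append(f"line {seen['subnet-mask'][0]}: subnet-mask does not match {net.netmask}")
    if "domain-name-servers" in seen:
        n, args = seen["domain-name-servers"]
        for addr in args.split(","):
            _ip(addr.strip(), n, "DNS server", findings)
    if "range" in seen:
        n, parts = seen["range"][0], seen["range"][1].split()
        lo = _ip(parts[0], n, "range start", findings)
        hi = _ip(parts[-1], n, "range end", findings) if len(parts) > 1 else lo
        for addr in (lo, hi):
            if addr and addr not in net:
                findings.append(f"line {n}: range address {addr} is outside {net}")
    if "default-lease-time" in seen and "max-lease-time" in seen:
        if int(seen["default-lease-time"][1]) > int(seen["max-lease-time"][1]):
            findings.append("default-lease-time exceeds max-lease-time")
    return findings

if __name__ == "__main__":
    for name, block in (("posted", POSTED_BLOCK), ("corrected", CORRECTED_BLOCK)):
        print(f"{name}: {lint_subnet(block) or ['clean']}")
```

Run it as a file and it prints the findings for both blocks; the posted block yields the two bad addresses plus the missing netmask keyword, five "options" statements and four missing semicolons, while the corrected block comes back clean. Running this before "service dhcpd restart" is cheaper than waiting for clients to get a bogus router.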
 
Old 03-19-2010, 04:21 AM   #4
OdinnBurkni
Member
 
Registered: Feb 2007
Location: Iceland
Distribution: Fedora 14, CentOS, FreeNAS
Posts: 127

Rep: Reputation: 20
Wow... how blind am I...

never say never... you're great... I missed that part; I was too focused on the sysctl.conf thing. Of course he will not get anything if the IP is as it seems.
mid_nightslover, please let us know how this goes...
 
Old 03-20-2010, 01:24 AM   #5
mid_nightslover
LQ Newbie
 
Registered: Aug 2005
Location: india
Posts: 7

Original Poster
Rep: Reputation: 0
Thanks guys for the help,

I am sorry for the typos in the numbers; to make up for that, I am going to post the complete files.


/etc/dhcpd.conf
Code:
ddns-update-style interim;
ignore client-updates;

subnet 192.168.1.0 netmask 255.255.255.0 {

# --- default gateway
	option routers			192.168.1.1;
	option subnet-mask		255.255.255.0;

	option nis-domain		"domain.org";
	option domain-name		"domain.org";
	option domain-name-servers	x.x.x.x, x.x.x.x;

	option time-offset		-18000;	# Eastern Standard Time
#	option ntp-servers		192.168.1.1;
#	option netbios-name-servers	192.168.1.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
#	option netbios-node-type 2;

	range  192.168.1.2 192.168.1.110;
	default-lease-time 21600;
	max-lease-time 43200;
}
/etc/sysctl.conf
Code:
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Controls the maximum size of a message, in bytes
kernel.msgmnb = 65536

# Controls the default maxmimum size of a mesage queue
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 4294967295

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 268435456
I have the following commands for NAT:
Code:
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -j LOG

iptables -t nat -A POSTROUTING -o lo      -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0  -j MASQUERADE
In the last command I tried to include -s eth1, but it gave an error as it needs an IP/host, so I removed it.

This is how my iptables file looks after issuing iptables-save:

/etc/sysconfig/iptables

Code:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
This is the netstat -rn output:

Code:
[root@DHCP opt]# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
172.29.0.0      0.0.0.0         255.255.0.0     U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         172.29.13.84    0.0.0.0         UG        0 0          0 eth0


The internet works on the server.
On the client side I can ping the gateway 192.168.1.1 OK.
I can ping 172.29.14.205 OK,
but I can't ping google.com or 64.233.181.103 (which is a Google IP).
My guess is that something in iptables is blocking the packets from going outside to the internet.

Last edited by mid_nightslover; 03-20-2010 at 01:42 AM.
 
Old 03-21-2010, 01:20 AM   #6
mid_nightslover
LQ Newbie
 
Registered: Aug 2005
Location: india
Posts: 7

Original Poster
Rep: Reputation: 0
Finally it's working...

I think the problem was with the iptables default rules; as soon as I cleared them, everything worked.

Code:
echo "Clearing old firewall rules..."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT

echo "setting up the rules...."
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
service iptables save
service iptables restart
Now the DHCP and internet sharing are working, and I can access the internet on the client side.

Except I had a problem with dhcpd failing at start-up after the reboot.
I found out that the local NIC is down, though it has ONBOOT=yes; it also doesn't have a gateway.
Both of the NICs have ONBOOT=yes, but still only the internet NIC is activated on boot.

I am sure there is a way to get both them up during startup.
I fixed it by editing the /etc/rc3.d/S99local
Code:
ifup eth1
service network restart
service dhcpd restart
This is a temporary solution; I need a better way to fix this.
Any suggestions, guys?

Thanks in advance.
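Two things in the /etc/sysconfig/iptables shown in #5 explain why flushing it in #6 helped. First, "-A FORWARD -j RH-Firewall-1-INPUT" sends every forwarded packet through the host's own input allowlist, which accepts ICMP and a handful of TCP ports and rejects everything else, so a client's DNS query to port 53 would be rejected at the gateway while ping and HTTP would pass, which matches "ping 64.233.181.103 fails by name but the gateway is reachable" only partly and is worth checking rather than guessing. Second, the saved file has no *nat table at all, so the MASQUERADE rule added by hand does not survive the "service iptables restart" that reloads it. The script in #6 fixes both by flushing everything and setting the INPUT policy to ACCEPT, which also removes the host's own filtering; the narrower fix is to keep the RH-Firewall-1-INPUT chain for INPUT, put the explicit eth1-to-eth0 FORWARD rules from #1 ahead of the jump, and save so the nat table is written. The following Python simulator, an added example that is not from the thread or from any project, parses an iptables-save dump and traces a LAN client's packet through FORWARD the way the kernel does (first terminating match wins, user chains fall through), then checks for a MASQUERADE rule. SAVED_RULESET is abridged from the posted file; NAT_TABLE, client_packet() and the addresses in it are constructed. Match options the simulator does not know are treated as matching, so it is a reading aid, not a replacement for iptables itself.

```python
import ipaddress
import shlex

# Constructed sample, abridged from the /etc/sysconfig/iptables posted in #5
# (RHEL5 default from system-config-securitylevel); note there is no *nat table.
SAVED_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# Constructed: the nat table 'service iptables save' writes once MASQUERADE is loaded.
NAT_TABLE = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

def parse_rule(toks):
    """['-p','tcp','-m','tcp','--dport','80','-j','ACCEPT'] -> {'-p':'tcp', ...}."""
    rule, i = {}, 0
    while i < len(toks):
        if toks[i] != "-m":                    # '-m X' only loads a match module
            rule[toks[i]] = toks[i + 1]
        i += 2
    return rule

def parse_save(text):
    """iptables-save text -> {table: {'policy': {chain: p}, 'rules': {chain: [...]}}}."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": {}})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
            table["rules"].setdefault(chain, [])
        elif line.startswith("-A "):
            toks = shlex.split(line)
            table["rules"].setdefault(toks[1], []).append(parse_rule(toks[2:]))
    return tables

def matches(rule, pkt):
    """Evaluate the match criteria this simulator knows; unknown ones are ignored."""
    checks = {"-i": lambda v: v == pkt["in"], "-o": lambda v: v == pkt["out"],
              "-p": lambda v: v == pkt["proto"],
              "-s": lambda v: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(v, strict=False),
              "--dport": lambda v: pkt["dport"] == int(v),
              "--state": lambda v: pkt["state"] in v.split(",")}
    return all(checks[k](v) for k, v in rule.items() if k in checks)

def walk(table, chain, pkt):
    """First terminating match wins; a user chain is entered and may fall through."""
    for rule in table["rules"].get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule.get("-j")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            return None
        if target in table["rules"]:           # jump into a user-defined chain
            v = walk(table, target, pkt)
            if v is not None:
                return v
    return None                                # LOG and friends never terminate

def verdict(table, chain, pkt):
    """Verdict for a packet entering a built-in chain, else that chain's policy."""
    return walk(table, chain, pkt) or table["policy"].get(chain, "ACCEPT")

def client_packet(proto, dport=None, state="NEW"):
    """Constructed: a LAN host behind eth1 opening a flow toward the internet."""
    return {"in": "eth1", "out": "eth0", "proto": proto, "dport": dport,
            "src": "192.168.1.50", "state": state}

def has_masquerade(tables, out_iface):
    """True if the saved nat table re-sources traffic leaving out_iface."""
    return any(r.get("-j") == "MASQUERADE" and r.get("-o", out_iface) == out_iface
               for r in tables.get("nat", {"rules": {}})["rules"].get("POSTROUTING", []))

def report(text):
    """Verdicts for a few client flows plus the nat check, one string per line."""
    tables, lines = parse_save(text), []
    for proto, port in [("icmp", None), ("udp", 53), ("tcp", 80), ("tcp", 25)]:
        v = verdict(tables["filter"], "FORWARD", client_packet(proto, port))
        lines.append(f"FORWARD eth1->eth0 {proto}{'/%d' % port if port else ''}: {v}")
    lines.append(f"MASQUERADE out eth0 in saved nat table: {has_masquerade(tables, 'eth0')}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAVED_RULESET)))
```

Feed it the real file with report(open("/etc/sysconfig/iptables").read()) on the gateway: ICMP and TCP/80 come back ACCEPT, UDP/53 and TCP/25 come back REJECT, and the nat check is False until the table has been saved. That is the evidence to collect before deciding between "flush everything" and "add the FORWARD rules and save".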
 
  

