Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
11-19-2005, 09:20 AM | #1
LQ Newbie | Registered: Sep 2003 | Location: NY | Distribution: Ubuntu | Posts: 14
Building a router...
Hello everyone,
I am trying to build a Linux box that assigns IP addresses on interfaces eth1 and eth0 and is then able to route traffic between them and to the internet (eth2). I have DHCP set up and working, but I can't figure out how to get my box to forward requests from eth0 and eth1 to the internet. I can get internet from eth2; what I am pretty sure I need to do is configure port forwarding in some way. I need to get DNS to work as well. Here's my information...
Currently assigned IP addresses/setup...
Internet
|
D-Link Router= 192.168.0.1 --- Other PC's
|
Switch --- Other PC's
|
Linux PC
eth2= 192.168.0.102
eth1= 192.168.2.1 --- PC 192.168.2.99
eth0= 192.168.1.1 --- PC 192.168.1.99
Here is my new dhcp.conf...
Code:
##########################################################
#
# DHCP CLIENT CONFIGURATION SETTINGS
#
# use ad-hoc style name server updating procedures
ddns-update-style ad-hoc;
option domain-name "jasons-dhcp-server.com";
#assign the remote dhcp server hostname/ip addresses
option domain-name-servers 192.168.1.1, 192.168.2.1;
##########################################################
#
# DHCP SERVER CONFIGURATION SETTINGS
#
# assign the default lease time (seconds)
default-lease-time 600000000;
# assign the max lease time (seconds)
max-lease-time 720000000;
# eth0 subnet configuration
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.2 192.168.1.99;
option routers 192.168.1.1;
option broadcast-address 192.168.1.1;
}
# eth1 subnet configuration
subnet 192.168.2.0 netmask 255.255.255.0 {
range 192.168.2.2 192.168.2.99;
option routers 192.168.2.1;
option broadcast-address 192.168.2.1;
}
Of the dhcp3-server file...
Code:
# Defaults for dhcp initscript
# sourced by /etc/init.d/dhcp
# installed at /etc/default/dhcp3-server by the maintainer scripts
#
# This is a POSIX shell fragment
#
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACES="eth0 eth1"
Now, after some playing around dhcp works! However, that's only half the battle. I want the connecting PCs to be able to access the internet. After troubleshooting a bit I have found that when pinging 192.168.0.1 I can only get as far as eth2 (192.168.0.102).
I have tried enabling IP forwarding and proxy ARP on all the interfaces and adding routes, but to no avail.
Here are what my routes are currently...
Code:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 * 255.255.255.0 U 0 0 0 eth1
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
192.168.0.0 * 255.255.255.0 U 0 0 0 eth2
default 192.168.0.1 0.0.0.0 UG 0 0 0 eth2
I am very grateful for your help. 
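The dhcpd.conf above gives each subnet a broadcast-address equal to the router's own address (192.168.1.1 and 192.168.2.1) rather than the subnet's directed broadcast. The following check is an added example, not the poster's file or any code from this thread: it computes the broadcast address from the network and netmask of each subnet block and flags blocks whose option disagrees. The sample configuration embedded in it is constructed to mirror the posted one, with the second block already carrying the correct value, so the check shows both outcomes. It assumes the one-statement-per-line layout used in the post.

```shell
#!/bin/sh
# Added example, not the poster's file: sanity-check the broadcast-address
# option in ISC dhcpd subnet blocks. Assumes the one-line-per-statement
# layout used in the thread ("subnet A netmask M {", "option broadcast-address B;").

# ip_to_int 192.168.1.0 -> 3232235776
ip_to_int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 3232236031 -> 192.168.1.255
int_to_ip() {
    n=$1
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# broadcast_for NETWORK NETMASK -> directed broadcast of that subnet:
# the network address with every host bit set to 1.
broadcast_for() {
    n_int=$(ip_to_int "$1")
    m_int=$(ip_to_int "$2")
    int_to_ip $(( n_int | (m_int ^ 4294967295) ))
}

# check_dhcpd_conf FILE: prints one line per subnet block, "OK <net>" or
# "MISMATCH <net> has <b> expected <bcast>"; exit status 1 if any block is wrong.
check_dhcpd_conf() {
    file=$1
    rc=0
    sn= sm=
    while IFS= read -r line; do
        case "$line" in
            *subnet*netmask*)
                set -- $line            # words: subnet A netmask M {
                sn=$2; sm=$4 ;;
            *broadcast-address*)
                set -- $line            # words: option broadcast-address B;
                have=${3%;}
                want=$(broadcast_for "$sn" "$sm")
                if [ "$have" = "$want" ]; then
                    echo "OK $sn"
                else
                    echo "MISMATCH $sn has $have expected $want"
                    rc=1
                fi ;;
        esac
    done < "$file"
    return $rc
}

# Constructed sample: the first block repeats the posted mistake (broadcast set
# to the router's own address), the second carries the correct value.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.2 192.168.1.99;
    option routers 192.168.1.1;
    option broadcast-address 192.168.1.1;
}
subnet 192.168.2.0 netmask 255.255.255.0 {
    range 192.168.2.2 192.168.2.99;
    option routers 192.168.2.1;
    option broadcast-address 192.168.2.255;
}
EOF

check_dhcpd_conf "$SAMPLE_CONF" || echo "fix the MISMATCH lines before restarting dhcpd"
```

Run it against a real file with `check_dhcpd_conf /etc/dhcp3/dhcpd.conf`; a broadcast address that is really a host address means clients will unicast their broadcasts at the router, which is quiet misbehaviour rather than a hard error, so dhcpd will not complain on its own.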
11-19-2005, 09:44 AM | #2
Member | Registered: Feb 2005 | Distribution: Debian FC4 LFS Slackware | Posts: 174
A look at your host.conf, resolv.conf, hosts.allow, and hosts.deny might be helpful.
nz
11-19-2005, 10:09 AM | #3
LQ Newbie (Original Poster) | Registered: Sep 2003 | Location: NY | Distribution: Ubuntu | Posts: 14
Of course....
host.conf
Code:
order hosts,bind
multi on
resolv.conf
Code:
search rochester.rr.com
nameserver 192.168.0.1
hosts.allow, not anything really...
Code:
# /etc/hosts.allow: list of hosts that are allowed to access the system.
# See the manual pages hosts_access(5), hosts_options(5)
# and /usr/doc/netbase/portmapper.txt.gz
#
# Example: ALL: LOCAL @some_netgroup
# ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "portmap" for the
# daemon name. Remember that you can only use the keyword "ALL" and IP
# addresses (NOT host or domain names) for the portmapper, as well as for
# rpc.mountd (the NFS mount daemon). See portmap(8), rpc.mountd(8) and
# /usr/share/doc/portmap/portmapper.txt.gz for further information.
#
hosts.deny, not much again
Code:
# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
# See the manual pages hosts_access(5), hosts_options(5)
# and /usr/doc/netbase/portmapper.txt.gz
#
# Example: ALL: some.host.name, .some.domain
# ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# If you're going to protect the portmapper use the name "portmap" for the
# daemon name. Remember that you can only use the keyword "ALL" and IP
# addresses (NOT host or domain names) for the portmapper. See portmap(8)
# and /usr/doc/portmap/portmapper.txt.gz for further information.
#
# The PARANOID wildcard matches any host whose name does not match its
# address.
# You may wish to enable this to ensure any programs that don't
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# ALL: PARANOID
Hope that helps.
Last edited by THE RADICAL; 11-19-2005 at 05:45 PM.
11-19-2005, 05:45 PM | #4
LQ Newbie (Original Poster) | Registered: Sep 2003 | Location: NY | Distribution: Ubuntu | Posts: 14
Update: After some more troubleshooting, I have determined that when I ping the main router (192.168.0.1) the packet is forwarded by eth2 onto 192.168.0.1, it's just that when 192.168.0.1 responds to the request the packet goes to 192.168.0.102 (eth2), and then gets dropped.
So my question is, how do I get incoming requests to direct themselves to the actual sender, instead of the exiting interface (eth2)?
That seems to be my hitch for now, please help!
11-19-2005, 09:29 PM | #5
Member | Registered: Feb 2005 | Distribution: Debian FC4 LFS Slackware | Posts: 174
11-20-2005, 10:35 AM | #6
LQ Newbie (Original Poster) | Registered: Sep 2003 | Location: NY | Distribution: Ubuntu | Posts: 14
I'm not sure,
I've checked my addressing scheme, netmasks and gateways, and from my understanding I believe those settings are OK. I really think that the problem lies with eth2 for some reason not knowing what to do with incoming packets on the internal LAN.
For possible solutions I was thinking about adding a route or some iptables script? Unfortunately I am relatively new at doing both. I remember using an iptables script from http://www.aboutdebian.com/proxy.htm that actually worked for one of the interfaces (eth0 or eth1) but would not work for them simultaneously.
Is there a script or a route I can add to help eth2 understand where to send incoming requests from PCs behind this router?
-Cheers
11-20-2005, 09:51 PM | #7
Member | Registered: Feb 2005 | Distribution: Debian FC4 LFS Slackware | Posts: 174
See 'man traceroute', specifically the -s option, as in:
Code:
traceroute -s 192.168.0.102 192.168.0.1
traceroute -s 192.168.0.102 192.168.2.99
You get the idea. I think you will get a 'timeout' or 'network unreachable' on one of these.
My personal preference is static routes initially until I get a feel for what the topology is going to be. I then implement DHCP with this information. Sure, it's more typing but I get a better feel for where the packets are going. But, my networks are small, less than 20 nodes. I am not a professional network engineer, yet, so complicated Visio or Dia network maps are not in my toolbox either.
Is this a mixed *nix/Windows network? How do the machines directly off the D-Link router perform? Exactly how many nodes (machines) are on this network?
nz
EDIT: Saw this below your thread: http://www.linuxquestions.org/questi...hreadid=384888
Last edited by nonzero; 11-20-2005 at 09:57 PM.
11-21-2005, 11:45 AM | #8
LQ Newbie (Original Poster) | Registered: Sep 2003 | Location: NY | Distribution: Ubuntu | Posts: 14
I get a timeout on the following (as expected)
traceroute -s 192.168.1.1 192.168.0.1
traceroute -s 192.168.2.1 192.168.0.1
I was thinking that static routes would be a solution as well; however, my D-Link doesn't support it. I think my only option is to use NAT. I have never worked with NAT though, but I need to somehow mask requests coming from behind my Linux box with the outgoing IP 192.168.0.102, so that my router knows what to do with them. Then when they come back to the Linux box, eth2 takes off the mask and moves them along.
Any idea on how to do this?
Here's the breakdown of my network...
D-Link ------ PC1 (DHCP) WinXP
|
|
Switch ------- PC2 (DHCP) WinXP
|
|
|
Linux Router (Ubuntu)
|
L eth2 192.168.0.102
L eth1 192.168.2.1 ---------- PC (DHCP) Win98
L eth0 192.168.2.1 ----------- PC (DHCP) WinXP
You're probably asking yourself, why doesn't he link up to the D-Link or the switch, instead of going through all that? Answer is 'cause I want to learn hehe.
Cheers
Last edited by THE RADICAL; 11-21-2005 at 11:47 AM.
11-21-2005, 04:35 PM | #9
Senior Member | Registered: Jan 2003 | Location: Portland, OR USA | Distribution: Slackware, SLAX, Gentoo, RH/Fedora | Posts: 1,024
first off, these:
Quote:
# eth0 subnet configuration
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.2 192.168.1.99;
option routers 192.168.1.1;
option broadcast-address 192.168.1.1;
}
# eth1 subnet configuration
subnet 192.168.2.0 netmask 255.255.255.0 {
range 192.168.2.2 192.168.2.99;
option routers 192.168.2.1;
option broadcast-address 192.168.2.1;
}
should be:
Code:
# eth0 subnet configuration
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.2 192.168.1.99;
option routers 192.168.1.1;
option broadcast-address 192.168.1.255;
}
# eth1 subnet configuration
subnet 192.168.2.0 netmask 255.255.255.0 {
range 192.168.2.2 192.168.2.99;
option routers 192.168.2.1;
option broadcast-address 192.168.2.255;
}
But, to address your issue, it appears that your router at 192.168.0.1 doesn't know how to talk to the 192.168.1.0 and 192.168.2.0 networks. There are two ways I can think of to fix this; I've done both.
One is to manually set up routes on the [D-link?] router to the two networks:
route add net 192.168.1.0 gw 192.168.0.102
route add net 192.168.2.0 gw 192.168.0.102
I may have the syntax wrong, but the comparable Linux commands are something like that; unfortunately your D-Link probably uses a different syntax and may have a way to add routes buried in the web GUI somewhere.
The other option is to turn on NAT on the Linux box, so that everything coming out the 192.168.0.x interface looks like it's coming from that network. The raw iptables commands look something like:
Code:
iptables -A FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth2 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth2 -j ACCEPT
## SNAT (MASQUERADE) functionality on external int
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
## Enables packet forwarding by kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
The above code may need to be tweaked for your setup, or there may be an option in whatever interface you use to configure your firewall to add this in.
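The NAT approach above, written out as a complete script that can be previewed without root and applied in one step. This is an added example rather than Darin's commands or the poster's final script; the interface roles (eth0 and eth1 as LAN, eth2 as WAN) and the two subnets are taken from the thread, while the default-DROP FORWARD policy and the -s restriction on the MASQUERADE rule are additions so that only traffic which actually originated on the internal subnets is forwarded and rewritten, and nothing arriving on eth2 can open a new connection inward.

```shell
#!/bin/sh
# Added example, not from the thread: two-LAN -> one-WAN masquerading for the
# topology discussed here. Interface names and subnets come from the thread;
# the default-DROP policy and source restriction are assumptions of this script.
WAN=eth2
LANS="eth0 eth1"
LAN_NETS="192.168.1.0/24 192.168.2.0/24"

# nat_rules: print the commands, one per line, without running them.
# FORWARD defaults to DROP so only the listed flows cross the box;
# MASQUERADE rewrites the source to eth2's address, so the D-Link can answer
# without a route to the internal subnets (the problem seen in post #4).
nat_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    echo "iptables -t nat -F POSTROUTING"
    # replies to connections the LANs opened, whichever LAN they go back to
    echo "iptables -A FORWARD -i $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for lan in $LANS; do
        # new connections from each LAN out to the WAN (LAN-to-LAN stays blocked)
        echo "iptables -A FORWARD -i $lan -o $WAN -j ACCEPT"
    done
    for net in $LAN_NETS; do
        # only masquerade packets that really carry one of our own source subnets
        echo "iptables -t nat -A POSTROUTING -s $net -o $WAN -j MASQUERADE"
    done
    # kernel forwarding, same switch the thread uses
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

# count_rules CHAIN: number of -A rules emitted for that chain (sanity check)
count_rules() {
    nat_rules | grep -c -- "-A $1 "
}

# Apply only when asked explicitly and running as root; otherwise just preview.
if [ "${1:-}" = "apply" ] && [ "$(id -u)" = 0 ]; then
    nat_rules | while IFS= read -r cmd; do sh -c "$cmd"; done
else
    nat_rules
fi
```

Run without arguments to see the rules, `sh nat.sh apply` as root to install them. If a LAN host still cannot reach the D-Link afterwards, `iptables -t nat -L POSTROUTING -v -n` shows whether the MASQUERADE counters move; zero packets there means the traffic never reached eth2, which points back at routing or ip_forward rather than NAT.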
11-21-2005, 07:04 PM | #10
Member | Registered: Feb 2005 | Distribution: Debian FC4 LFS Slackware | Posts: 174
Quote:
option broadcast-address 192.168.1.255;
oops, missed that!
Quote:
unfortunately your D-Link probably uses a different syntax and may have a way to add routes buried in the web GUI somewhere.
My ISP sent me a Westell modem for my home DSL connection, and at first I thought it was a piece of junk until I started configuring it. It does static routing setup easily through its web interface, and DHCP configuration and firewalling are even easier. I agree with Darin that the iptables/NAT method would be your ticket if you can get the right configuration. Do you happen to have Webmin installed on the Linux router? IMHO a lot of good tools in one package.
Don't rule out problems with WINXP's firewall configuration.
nz
11-21-2005, 08:33 PM | #11
LQ Newbie (Original Poster) | Registered: Sep 2003 | Location: NY | Distribution: Ubuntu | Posts: 14
Thanks for the help everyone.
I was able to use an iptables script and tweak it a bit to get this to work. This site offered some great reading:
http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/