LinuxQuestions.org
Old 09-03-2004, 02:50 PM   #1
nesbituk
Can't work this out...


Newbie convert to Linux networking and have implemented a new server into our office - have some 'anti-linux' bods in the office that are waiting for the system to fail, so any help in the following much appreciated...

I have a new linux box with 3 nics in it. I have a DSL connection via a router. This is on a 192.168.0.0 network. I have set the router to 192.168.0.1 and one nic in the linux box to 192.168.0.2. I then have an internal LAN with an IP address range of 10.130.1.64-128. I have set one of the other nics to 10.130.1.67 which connects to our LAN whilst the other has an address of 10.130.1.66 which connects to an ISDN router with an address of 10.130.1.65. So far...so good. I have set the DNS servers on the linux box to those of my service provider.

I have installed safesquid and set my default gateway on the LAN PCs (XP,2k etc) to 10.130.1.67. I can ping this address and I have configured the proxy address in firefox to this machine. The internet works and flies - great.

However, if I try to ping an internet IP or DNS address (e.g. google) I get no replies. I can ping anything from the linux box. This means I cannot get to my mail server as it is external @ the ISP. If I traceroute to an IP it hits 10.130.1.67 but then fails. If I do the same with an address like google then I get a DNS failure. My LAN PCs have the ISP DNS address + an internal address of a Win2K box that does internal DNS.

My IP forwarding is set to 1 and on my DSL router I have added a route to 10.130.1.0 via 192.168.0.2.

I'm struggling to work out what's going on and I'm sure it is obvious to someone that actually knows what they are doing!

The next problem which I can foresee is routing. All internal traffic needs to stay internal (10.130.1.64-128), all internet traffic needs to go out via the internet and anything else in the 10.0.0.0 range needs to go out via the 10.130.1.66 card which should then pump the traffic through the ISDN router.

I currently have the firewall turned OFF but want to implement this asap. I thought I'd get the basic going first.

Any help VERY much appreciated.

Chris
 
Old 09-03-2004, 02:56 PM   #2
david_ross
Welcome to LQ.

You will need to enable masquerading. Take a look at this LA:
http://www.linuxquestions.org/questi...ticle&artid=23
 
Old 09-03-2004, 03:53 PM   #3
nesbituk
Thanks

Thanks very much - I will give this a try first thing Monday when I can get on the machine.

Being cheeky - and as you know what you're doing, I will ask another question!

If I have a DSL router (such as a Draytek one) which supports VPN and I allow a connection in, which IP would I put in the router for its start destination: the 192.168.0.2 (and then have the linux box do something?), or would I be able to put in an address in my LAN range reserved for dial-ins (a 10.130.1.XXX)? Would the linux box be able to sort this?

Apologies in my 'lack-of-understanding'.

Thanks,

Chris
 
Old 09-04-2004, 09:58 AM   #4
david_ross
You will need a VPN server at each end and it is the IP address of the other VPN server. There is a page from Draytek that describes a typical setup:
http://www.draytek.co.uk/products/draytek_vpn.html
 
Old 09-04-2004, 12:00 PM   #5
nesbituk
Still a bit confuzzled

Hi David, many thanks for your help. I had a look at the Draytek readme and it all looks good. What I don't understand is that most how-tos describe having an external user connecting via VPN (let's say they are using the MS VPN software client) and they make a connection to a VPN server (let's say a Draytek router) which then authenticates and allows them onto the network. In the cases I have read the VPN server sits on the same IP address range as the LAN (i.e. the LAN is 10.0.0.0 with the router having a WAN address and a 10.0.0.0 address) - it then assigns one of these addresses...I get that. In my case, what I have is a LAN on the 10.0.0.0 address which plugs into my Linux box but the VPN server/router is plugged into a different NIC with an address of 192.168.0.0. When the authentication is made on the router - can it assign a 10.0.0.0 address which will allow the user into my LAN zone or does it have to work differently?

Your insight and help very much appreciated!

Thanks

Chris
 
Old 09-04-2004, 12:38 PM   #6
david_ross
It doesn't assign an address. The communication is done over a tunnel using the existing IP addresses on each end of the VPN.
 
Old 09-04-2004, 04:54 PM   #7
nesbituk
Oh

Ok - I think I understand; not sure how it works everything out, but I guess I need to try to install it and go from there. It will either work or not!

Thanks for your time.

Chris
 
Old 09-06-2004, 11:21 AM   #8
nesbituk
Nearly there

Working now - but not sure about this!

I added masquerading by following the mini-howto. It still did not work until I changed

echo " Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

to

echo " Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

Any ideas why this should be?
 
Old 09-06-2004, 12:17 PM   #9
david_ross
Were your INTIF and EXTIF variables set correctly?
 
Old 09-06-2004, 02:43 PM   #10
nesbituk
Think so

Hi - I believe I set it ok.

intif was set to eth0 (my LAN)
extif was set to eth2 (internet)

It's working - but I want to understand how and why, and if something is wrong and needs setting up better. I then want to stop direct internet connections out so the LAN machines' browsers have to use the proxy server, as now a user can just point to the linux box and they have unrestricted internet access.

I'm learning, but still have much to learn!
 
Old 09-06-2004, 04:42 PM   #11
netopia
I can help you shut down users trying to use web browsers without the proxy... add a rule to your firewall script like this:
$IPTABLES -A FORWARD -p tcp --destination-port 80 -j REJECT

...before the rule ending in LOG...
which will stop the firewall from forwarding any traffic bound for port 80. The traffic bound for the proxy server isn't covered by FORWARD; rather it is an INPUT first to the proxy and then an OUTPUT from the proxy to the internet (when needed).
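The following is an added example, not a script posted by anyone in this thread: it rebuilds the ruleset from post #8 for the three-NIC box described in post #1, keeping the safer "-P FORWARD DROP" of the first version, naming every forwarding path explicitly (including the ISDN link), and placing the port-80 REJECT from post #11 ahead of the LOG rule. Interface names eth0/eth1/eth2 and the /26 for the LAN are assumptions; by default it only echoes the iptables commands instead of applying them.

```shell
#!/bin/sh
# Added example, not the thread's script: the same masquerading ruleset
# rebuilt for the three-NIC box described above, keeping "-P FORWARD DROP"
# and naming every forwarding path explicitly. Interface names are
# assumptions: eth0 = office LAN (10.130.1.67), eth1 = ISDN router link
# (10.130.1.66), eth2 = DSL router link (192.168.0.2). Dry run by default:
# it prints the commands; set IPTABLES=/sbin/iptables and run as root to apply.
IPTABLES="${IPTABLES:-echo iptables}"
INTIF=eth0
ISDNIF=eth1
EXTIF=eth2
LAN_NET=10.130.1.64/26      # assumed: 10.130.1.64-127 as one /26
INTERNAL_NET=10.0.0.0/8     # other sites reached through the ISDN router

firewall_rules() {
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -F INPUT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F OUTPUT
    # Policy stays DROP: anything not matched below is logged, then dropped.
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F

    # Replies to connections the LAN opened may come back on either uplink.
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$ISDNIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Browsers must use the proxy: refuse to forward port 80. Traffic to the
    # proxy on this box goes through INPUT, not FORWARD, so it is unaffected.
    $IPTABLES -A FORWARD -i "$INTIF" -p tcp --dport 80 -j REJECT

    # LAN -> Internet via the DSL router; LAN -> other 10.x.x.x sites via ISDN.
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN_NET" -j ACCEPT
    $IPTABLES -A FORWARD -i "$INTIF" -o "$ISDNIF" -s "$LAN_NET" -d "$INTERNAL_NET" -j ACCEPT

    # Everything else: log it, then the DROP policy discards it.
    $IPTABLES -A FORWARD -j LOG --log-prefix "FWD-DROP: "

    # Only the DSL side needs NAT (the ISDN router already routes 10.x.x.x).
    $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

# Number of iptables commands the ruleset issues (14), for a quick sanity check.
rule_count() { firewall_rules | wc -l | tr -d ' '; }

firewall_rules
```

Run it once as a dry run and read the printed commands; with a DROP policy, any path not listed (for example a fourth interface) is simply logged and discarded rather than silently forwarded.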
 
Old 09-06-2004, 04:58 PM   #12
nesbituk
Will try

Thanks very much - I will try this in the morning....
 
All times are GMT -5. The time now is 09:34 PM.