Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I'm a newbie convert to Linux networking and have implemented a new server in our office. I have some 'anti-Linux' bods in the office who are waiting for the system to fail, so any help with the following is much appreciated...
I have a new Linux box with 3 NICs in it. I have a DSL connection via a router. This is on a 192.168.0.0 network. I have set the router to 192.168.0.1 and one NIC in the Linux box to 192.168.0.2. I then have an internal LAN with an IP address range of 10.130.1.64-128. I have set one of the other NICs to 10.130.1.67, which connects to our LAN, whilst the other has an address of 10.130.1.66, which connects to an ISDN router with an address of 10.130.1.65. So far...so good. I have set the DNS servers on the Linux box to those of my service provider.
I have installed SafeSquid and set the default gateway on the LAN PCs (XP, 2k etc.) to 10.130.1.67. I can ping this address and I have configured the proxy address in Firefox to this machine. The internet works and flies - great.
However, if I try to ping an internet IP or DNS address (e.g. google) I get no replies. I can ping anything from the Linux box. This means I cannot get to my mail server, as it is external at the ISP. If I traceroute to an IP it hits 10.130.1.67 but then fails. If I do the same with an address like google then I get a DNS failure. My LAN PCs have the ISP DNS address plus an internal address of a Win2K box that does internal DNS.
My IP forwarding is set to 1 and on my DSL router I have added a route to 10.130.1.0 via 192.168.0.2.
I'm struggling to work out what's going on, and I'm sure it is obvious to someone who actually knows what they are doing!
The next problem which I can foresee is routing. All internal traffic needs to stay internal (10.130.1.64-128), all internet traffic needs to go out via the internet, and anything else in the 10.0.0.0 range needs to go out via the 10.130.1.66 card, which should then pump the traffic through the ISDN router.
I currently have the firewall turned OFF but want to implement this ASAP. I thought I'd get the basics going first.
Thanks very much - I will give this a try first thing Monday when I can get on the machine.
Being cheeky, and as you know what you're doing, I will ask another question!
If I have a DSL router (such as a Draytek one) which supports VPN and I allow a connection in, which IP would I put in the router for its start destination: the 192.168.0.2 (and then have the Linux box do something?), or would I be able to put in an address in my LAN range reserved for dial-ins (a 10.130.1.XXX)? Would the Linux box be able to sort this?
You will need a VPN server at each end, and it is the IP address of the other VPN server. There is a page from Draytek that describes a typical setup: http://www.draytek.co.uk/products/draytek_vpn.html
Hi David, many thanks for your help. I had a look at the Draytek readme and it all looks good. What I don't understand is that most how-tos describe having an external user connecting via VPN (let's say they are using the MS VPN software client), and they make a connection to a VPN server (let's say a Draytek router) which then authenticates and allows them onto the network. In the cases I have read, the VPN server sits on the same IP address range as the LAN (i.e. the LAN is 10.0.0.0, with the router having a WAN address and a 10.0.0.0 address); it then assigns one of these addresses...I get that. In my case, what I have is a LAN on the 10.0.0.0 address which plugs into my Linux box, but the VPN server/router is plugged into a different NIC with an address of 192.168.0.0. When the authentication is made on the router, can it assign a 10.0.0.0 address which will allow the user into my LAN zone, or does it have to work differently?
IPTABLES=/sbin/iptables   # path is assumed; adjust for your distro
INTIF=eth0                # LAN side
EXTIF=eth2                # internet side
echo " FWD: Allow all connections OUT and only existing and related ones IN"
# replies to LAN-initiated connections may come back in; anything from the LAN may go out
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# whatever is not matched above is logged before the chain's default policy applies
$IPTABLES -A FORWARD -j LOG
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
# rewrite the source address of packets leaving $EXTIF so replies return to this box
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
intif was set to eth0 (my LAN)
extif was set to eth2 (internet)
It's working - but I want to understand how and why, and whether something is wrong and needs setting up better. I then want to stop direct internet connections out, so the LAN machines' browsers have to use the proxy server, as now a user can just point at the Linux box and they have unrestricted internet access.
I can help you shut down users trying to use web browsers without the proxy... add a rule to your firewall script like this:
$IPTABLES -A FORWARD -p tcp --destination-port 80 -j REJECT
...before the rule ending in LOG...
which will stop the firewall from forwarding any traffic bound for port 80. The traffic bound for the proxy server isn't covered by FORWARD; rather it is an INPUT first to the proxy and then an OUTPUT from the proxy to the internet (when needed).
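Two things to watch when turning the advice above into a complete script, shown here as an added example that is not code from the thread or from either poster. First, iptables is first-match: in the posted script the `-i $INTIF -o $EXTIF -j ACCEPT` rule comes before the LOG rule, so a REJECT inserted "before LOG" would never be reached for LAN traffic; the REJECT must sit before that ACCEPT. Second, the ISDN link addresses 10.130.1.65/.66 fall inside the LAN block 10.130.1.64-127, so the script pins the ISDN router with a /32 host route to make sure it is reached via the ISDN NIC and not via the LAN interface (giving the ISDN link its own small subnet would be cleaner). The MASQUERADE rule is applied only to packets leaving the DSL side, which is what lets replies reach 10.x hosts without the DSL router needing a route to that subnet, and leaves 10/8 traffic towards the ISDN router un-NATed. Interface names (eth0 LAN, eth1 ISDN, eth2 DSL), the /26 mask, the DSL router as default gateway and the SafeSquid port are assumptions; INPUT and OUTPUT are left untouched, so client-to-proxy traffic is unaffected. Run as root with `apply`; with no argument it only prints the commands.

```shell
#!/bin/sh
# Added example (not from the thread): gateway routes and FORWARD/NAT rules for
# the three-NIC box described above. Interface names, the /26 LAN mask and the
# proxy port are assumptions. `./gw.sh apply` installs; no argument = dry run.
set -eu

IPTABLES="${IPTABLES:-iptables}"
IP_BIN="${IP_BIN:-ip}"
SYSCTL_BIN="${SYSCTL_BIN:-sysctl}"
EXTIF="${EXTIF:-eth2}"          # 192.168.0.2, towards the DSL router
INTIF="${INTIF:-eth0}"          # 10.130.1.67, the office LAN
ISDNIF="${ISDNIF:-eth1}"        # 10.130.1.66, towards the ISDN router (assumed name)
LAN_NET="10.130.1.64/26"        # 10.130.1.64-127 (assumed mask)
DSL_GW="192.168.0.1"
ISDN_GW="10.130.1.65"
PROXY_PORT="${PROXY_PORT:-8080}" # assumed SafeSquid listen port (INPUT, not FORWARD)

setup_routes() {
    "$SYSCTL_BIN" -w net.ipv4.ip_forward=1
    # LAN is directly connected on $INTIF
    "$IP_BIN" route replace "$LAN_NET" dev "$INTIF"
    # the ISDN router's address lies inside the LAN block, so pin it to $ISDNIF
    "$IP_BIN" route replace "$ISDN_GW/32" dev "$ISDNIF"
    # everything else in 10/8 goes over ISDN; the rest of the world via DSL
    "$IP_BIN" route replace 10.0.0.0/8 via "$ISDN_GW" dev "$ISDNIF"
    "$IP_BIN" route replace default via "$DSL_GW" dev "$EXTIF"
}

setup_firewall() {
    "$IPTABLES" -F FORWARD
    "$IPTABLES" -t nat -F POSTROUTING
    "$IPTABLES" -P FORWARD DROP

    # replies to LAN-initiated traffic, from either outside interface
    "$IPTABLES" -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A FORWARD -i "$ISDNIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Force browsers through the proxy: direct HTTP/HTTPS to the internet is refused.
    # First-match semantics: this MUST come before the LAN->internet ACCEPT below.
    "$IPTABLES" -A FORWARD -i "$INTIF" -o "$EXTIF" -p tcp -m multiport --dports 80,443 \
        -j REJECT --reject-with tcp-reset

    # everything else from the LAN may leave, towards the internet or the ISDN side
    "$IPTABLES" -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
    "$IPTABLES" -A FORWARD -i "$INTIF" -o "$ISDNIF" -j ACCEPT

    # whatever remains is logged (rate-limited) and then dropped by the chain policy
    "$IPTABLES" -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "

    # Masquerade only what leaves via DSL; 10/8 traffic to the ISDN router keeps
    # its real source address. The proxy's own outbound connections are OUTPUT,
    # not FORWARD, so the REJECT above does not touch them.
    "$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

# Print the commands instead of executing them (dry run and tests).
dry_run() {
    ( IPTABLES=echo; IP_BIN=echo; SYSCTL_BIN=echo; setup_routes; setup_firewall )
}

case "${1:-dry-run}" in
    apply)   setup_routes; setup_firewall ;;
    dry-run) dry_run ;;
    *)       echo "usage: $0 [apply|dry-run]" >&2; exit 2 ;;
esac
```

With `PROXY_PORT` the script records which port the proxy listens on but does not open or close it: that is INPUT on the gateway, as the reply says, and should be allowed from `$INTIF` only if you later tighten the INPUT chain, otherwise the box becomes an open proxy towards the DSL side.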