LinuxQuestions.org
Old 12-02-2013, 09:56 AM   #1
BWestOz
LQ Newbie
 
Registered: Dec 2013
Location: Perth WA
Posts: 18

Cool Dual NIC Debian Box / firewall IP Routes


Hi,

I'm trying to configure a PC with Debian and two NICs (to make a firewall).

It's been frustrating with a lot of commands that I'm reading about in tutorials not seeming to work.

My first question is how can I get Debian to set the IP address and netmask for the second NIC (eth1) at boot?

I've appended /etc/network/interfaces
with

iface eth1 inet static
address 10.1.2.50
netmask 255.255.255.0
gateway 10.1.1.100

which is completely ignored on boot. Following boot ifconfig -a gives

---
eth0 Link encap:Ethernet HWaddr 00:a0:cc:66:c5:47
inet addr:10.1.1.100 Bcast:10.1.1.255 Mask:255.255.255.0
inet6 addr: fe80::2a0:ccff:fe66:c547/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:156 errors:1 dropped:0 overruns:0 frame:0
TX packets:98 errors:7 dropped:0 overruns:0 carrier:7
collisions:0 txqueuelen:1000
RX bytes:19485 (19.0 KiB) TX bytes:13933 (13.6 KiB)
Interrupt:18 Base address:0xb800

eth1 Link encap:Ethernet HWaddr 00:02:b3:41:59:7e
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)


---

I've tried ifconfig eth1 up to no avail.

I can manually use ifconfig to set the address and mask (ifconfig eth1 10.1.2.50 / ifconfig eth1 netmask 255.255.255.0) but it'd be nice to have it happen automatically on boot.

The second problem I have is trying to modify kernel routes.

I can see the existing routes with ip route show:

default via 10.1.1.1 dev eth0
10.1.1.0/24 dev eth0 proto kernel scope link src 10.1.1.100
10.1.2.0/24 dev eth1 proto kernel scope link src 10.1.2.50


I think I need to add a default for eth1 (LAN side) pointing back to the upside NIC, e.g.:

default via 10.1.1.100 dev eth1

but cannot figure out how to do this.

I've tried:
route add default gw 10.1.1.100 eth1
returns
SIOCADDRT: No such process

and

ip route add default via 10.1.1.100 eth1
which returns
Error: either "to" is duplicate or "10.1.1.100" is a garbage.

I'm obviously not understanding something here.

What routing entries will I need on a dual NIC setup for a scheme:

Internet address
|
ISP/router with NAT (10.1.1.1/24)
|
Debian dual NIC eth0 10.1.1.100/24
Debian dual NIC eth1 10.1.2.50/24
|
clients 10.1.2.0/24

I'd be grateful if anyone could shed some light on either of these issues for me.

Many thanks

BWestOz
 
Old 12-02-2013, 02:56 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,344

Quote:
Originally Posted by BWestOz View Post
My first question is how can I get Debian to set the IP address and netmask for the second NIC (eth1) at boot?

I've appended /etc/network/interfaces
with

iface eth1 inet static
address 10.1.2.50
netmask 255.255.255.0
gateway 10.1.1.100
As you say, this is a Debian-specific question; you know how to assign an IP address to an interface, you just don't know how to make Debian do this automatically at boot.

In most of the example configurations I've seen, the "iface" statement is preceded by an "auto" statement, like this:
Code:
auto eth1
iface eth1 inet static
[... other parameters go here ...]
You could try that and see if it works.

Also, be aware that:
  1. gateways can never be in a non-connected subnet (OK, in this case the subnet is actually connected, but not to the interface where you've put the "gateway" parameter), and
  2. you don't specify gateways on a per-interface basis; gateways are per-routing table (and you usually only have one of those)
In other words, remove the gateway parameter from the eth1 section.

Quote:
Originally Posted by BWestOz View Post
The second problem I have is trying to modify kernel routes.

I can see the existing routes with ip route show:

default via 10.1.1.1 dev eth0
10.1.1.0/24 dev eth0 proto kernel scope link src 10.1.1.100
10.1.2.0/24 dev eth1 proto kernel scope link src 10.1.2.50


I think I need to add a default for eth1 (LAN side) pointing back to the upside NIC, e.g.:

default via 10.1.1.100 dev eth1
No, you shouldn't do that. Your Debian router should have exactly one default gateway, and that should be the ISP router.

You may have to enable routing manually, though. Make sure the /etc/sysctl.conf file contains the line "net.ipv4.ip_forward = 1" (and if you have to add it, run sysctl -p /etc/sysctl.conf afterwards).

Quote:
Originally Posted by BWestOz View Post
ISP/router with NAT (10.1.1.1/24)
|
Debian dual NIC eth0 10.1.1.100/24
Debian dual NIC eth1 10.1.2.50/24
|
clients 10.1.2.0/24
The only problem you'll run into is how to make sure return traffic from the Internet to 10.1.2.0/24 is sent via 10.1.1.100 by the ISP router. Either you'll have to add a static route to the ISP router (10.1.2.0/24 via 10.1.1.100), or the Debian router will have to NAT overload outgoing traffic behind 10.1.1.100, in which case
Code:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
should do the trick, but you'll need to save the iptables ruleset to a Debian-specific file to make sure it gets reapplied at bootup. (I think the correct command is iptables-save > /etc/iptables.up.rules, but don't quote me on that; check the Debian documentation.)
 
1 members found this post helpful.
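The three points in Ser Olmy's answer (a static stanza needs a matching "auto" line, only one gateway line, and ip_forward switched on) are easy to get wrong by hand. The script below is an added example, not code from the thread or from Debian: it lints an interfaces file and a sysctl.conf for exactly those three points, using constructed copies of the poster's stanza before and after the fix; eth0 is assumed to be the ISP side and eth1 the LAN side, as in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: lint an /etc/network/interfaces
# file and a sysctl.conf for the points raised above: every static iface
# stanza needs a matching "auto" line, only one gateway line may exist,
# and net.ipv4.ip_forward must be an uncommented "= 1". eth0 = ISP side,
# eth1 = LAN side, as in the thread.

# check_interfaces FILE -> 0 if OK, 1 (with a diagnostic per problem) otherwise
check_interfaces() {
    rc=0
    for ifname in $(awk '$1=="iface" && $4=="static" {print $2}' "$1"); do
        # an "auto" line may name several interfaces at once
        if ! awk -v n="$ifname" '$1=="auto" {for (i=2;i<=NF;i++) if ($i==n) ok=1}
                                 END {exit !ok}' "$1"; then
            echo "$ifname: static stanza without 'auto $ifname' (stays down at boot)"; rc=1
        fi
    done
    gws=$(awk '$1=="gateway" {n++} END {print n+0}' "$1")
    if [ "$gws" -gt 1 ]; then
        echo "$gws gateway lines: keep exactly one default gateway, on the ISP-facing NIC"; rc=1
    fi
    return $rc
}

# check_ip_forward FILE -> 0 if an uncommented net.ipv4.ip_forward = 1 is present
check_ip_forward() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Constructed samples: the poster's eth1 stanza as first written, and the fix.
write_sample_bad() {   # $1 = output path
    printf '%s\n' 'auto lo eth0' 'iface lo inet loopback' \
        'iface eth0 inet static' 'address 10.1.1.100' 'netmask 255.255.255.0' 'gateway 10.1.1.1' \
        'iface eth1 inet static' 'address 10.1.2.50' 'netmask 255.255.255.0' 'gateway 10.1.1.100' >"$1"
}
write_sample_good() {  # $1 = output path
    printf '%s\n' 'auto lo eth0 eth1' 'iface lo inet loopback' \
        'iface eth0 inet static' 'address 10.1.1.100' 'netmask 255.255.255.0' 'gateway 10.1.1.1' \
        'iface eth1 inet static' 'address 10.1.2.50' 'netmask 255.255.255.0' >"$1"
}

# Stand-alone use: sh lint.sh /etc/network/interfaces /etc/sysctl.conf
if [ $# -eq 2 ]; then
    check_interfaces "$1" && check_ip_forward "$2" && echo "interfaces and ip_forward look right"
fi
```

Run against the poster's original stanza it reports both the missing "auto eth1" and the second gateway line; against the corrected file it is silent and returns 0.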
Old 12-02-2013, 10:56 PM   #3
BWestOz
LQ Newbie
 
Registered: Dec 2013
Location: Perth WA
Posts: 18

Original Poster
Debian Router/Firewall

Hi Ser Olmy,

Thank you very much for your reply.

As you suggested, putting 'auto eth1' at the beginning of the config info in the interfaces file solved the auto config of eth1.

I edited /etc/sysctl.conf file to contain line "net.ipv4.ip_forward = 1"

This also seems to work.

If I put a PC on LAN 2 and ping a PC on LAN 1 I can see the ICMP packet on LAN 1 with a sniffer. However it doesn't come back because I haven't sorted the masquerade yet.

The setup is:
-----------

WAN
ISP router w 4 ports -> 10.1.1.x/24 - LAN 1
10.1.1.1
|
debian eth0 10.1.1.100
debian eth1 10.1.2.50
|
LAN 2 10.1.2.x/24
----------


route -n gives

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.1.1.1        0.0.0.0         UG    0      0        0 eth0
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.1.2.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1

ip route gives

default via 10.1.1.1 dev eth0
10.1.1.0/24 dev eth0 proto kernel scope link src 10.1.1.100
10.1.2.0/24 dev eth1 proto kernel scope link src 10.1.2.50


Does the Gateway IP of 0.0.0.0 (in the route -n listing above) mean that matching packets invoke an ARP request?


Can you explain your suggestion:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

To me?

I would have thought that packets on eth1 needed to be modified.

Can you suggest any good information source that explains this stuff?


Thanks again

BWestOZ
 
Old 12-03-2013, 02:39 AM   #4
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

http://www.debian-administration.org/articles/23
http://blog.noviantech.com/2010/12/2...in-15-minutes/
15 minutes is the promise. Dunno if this holds up but it looks promising.

Quote:
Originally Posted by BWestOz View Post
If I put a PC on LAN 2 and ping a PC on LAN 1 I can see the ICMP packet on LAN 1 with a sniffer. However it doesn't come back because I haven't sorted the masquerade yet.
Using masquerade is an option here, but you could also make sure that the devices on LAN 1 have a route back to LAN 2. It depends on what you want to achieve. Also, masquerade is needed nonetheless on the gateway for internet access. This might also be set on the actual router. So it all depends on what you really want to do.

Quote:
Originally Posted by BWestOz View Post
ip route gives

default via 10.1.1.1 dev eth0
10.1.1.0/24 dev eth0 proto kernel scope link src 10.1.1.100
10.1.2.0/24 dev eth1 proto kernel scope link src 10.1.2.50

Does the Gateway IP of 0.0.0.0 (in the route -n listing above) mean that matching packets invoke an ARP request?
Just an advice: skip the use of route and ifconfig and stick to ip [route|addr|link] and the like. They are the next generation tools for this and to me make more sense, though the syntax can be hard to get. This also includes ss instead of netstat. Anyway, on to your questions.

The gateway IP of 0.0.0.0 is somewhat an alias for an address that is not known. So if the kernel needs to route to an address it does not find in its routing table it defaults back to the route for 0.0.0.0, which brings up device eth0. Hence the name default route.
Talking about the ARP request: if the target IP route is not known then you get an ARP request. Also, the router will be known quite fast, so the ARP request does not happen every time.


Quote:
Originally Posted by BWestOz View Post
Can you explain your suggestion:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
This means that every packet that has been routed and leaves on eth0 gets masqueraded. Masquerade means that the source part of the IP packet gets substituted with the one on the machine, meaning the IP of eth0 and a somewhat random port. When the packet returns the original source address will be used again, just this time as the target.
Now think how the flow of a packet from LAN 2 to www is. It goes into gateway:eth1 and gets routed. The kernel knows it has to be sent out on eth0 due to being the default gateway. So it does the masquerade here.

Maybe you could use some info on network related things. Check out tldp.org. You'll find a lot of guides; although some are quite dated, they give a nice basic understanding of things.

Last edited by zhjim; 12-03-2013 at 02:42 AM.
 
1 members found this post helpful.
Old 12-03-2013, 03:57 AM   #5
BWestOz
LQ Newbie
 
Registered: Dec 2013
Location: Perth WA
Posts: 18

Original Poster
Hi zhjim (& Ser Olmy),

Thank you for your reply.

Thank you both for your help.

I now have LAN2 able to access LAN1 + www which is what I wanted.

I need to spend a little time improving my understanding but will have to leave it for a while and get on with my other jobs.

Thanks again

BWestOz
 