LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 03-30-2004, 09:54 PM   #1
tunnelit
LQ Newbie
 
Registered: Mar 2004
Posts: 9

Rep: Reputation: 0
RedHat-9.0/WinXPPro Network


Hello everyone,

I'm new to Linux and new to this forum. I will do the best I can to explain what I am trying to do and the solution I am in search of.

The type of network I'm trying to setup is as follows...

1. Cable modem to Linux RedHat-9.0
2. Linux RedHat-9.0 to Switch
3. Switch to WinXPPro

A basic idea of how I want this network to work is as follows...

The Linux box is to act as a router/firewall, so to speak, for the network. I've acquired some firewall scripts for the Linux box that are to accomplish the following (close all 65,335 ports on the box but open ports when connections are started internally). When connections are started internally, only related traffic is allowed back in. I'd like to get the Internet connection working on the Win box before installing the custom firewall scripts (just because I'm very close to doing that and because the scripts will need to be altered a little bit).

Okay, now before I continue I must stress that (1) I'm not very familiar with Linux, (2) I have no iptable knowledge or experience, (3) I have little knowledge of setting up networks. If I say something incorrect or confuse you by the way I explain something I will do my best at clearing it up by replying to your questions.

The two systems:

RedHat-9.0
eth0 installed and working (DHCP to gain public ip from ISP)
eth1 installed and working (Statically assigned 192.168.1.1)

WinXPPro
NIC installed and working (Statically assigned 192.168.1.2)
I assigned the DNS server for the Win Box to be 192.168.1.1 (the Linux box)

The name of the local domain of my network is Tektrik.net, the Linux box is named Vektor and the Win box is named Pazentez. Because of my lack of network knowledge I have the SOA nameserver for both hosts as being Vektor (Is this correct?). I have made reverse zone pointers for both Vektor and Pazentez. I noticed somehow I ended up getting Vektor in the reverse zone pointer for the local reverse zone pointer records (0.0.127.in-addr.arpa). Both localhost and Vektor are listed in the record as (127.0.0.1). Does this sound about right? Then of course I have the Name to IP Translations for Tektrik.net with hosts Vektor (192.168.1.1) and Pazentez (192.168.1.2) with their reverse zone pointers respectively.

Communication between these two systems is working. From Vektor I can ping Pazentez by either putting in the IP or typing "ping Pazentez -c 1". From Pazentez I can only ping Vektor by typing "ping 192.168.1.1". Pazentez has no knowledge of Vektor except by my configuring Vektor as Pazentez's Preferred DNS server by its IP. This doesn't seem right to me; shouldn't Pazentez have knowledge of who Vektor is by name?

Anyhow, in the Linux box's Network Device Control I set the hostname to Vektor.Tektrik.net. Until I did this I kept getting "welcome to localhost.localdomain" at boot even though I did the DNS stuff. The DNS-related addresses below where I set the host name are all the IPs the cable provider's DHCP server gave eth0. In the tab to the right of DNS, called Host, in the Network Device Control (or, after you click Configure, "Network Configuration") there is a 127.0.0.1 localhost.localdomain with alias localhost, which it said not to touch, a 192.168.1.1 vektor.tektrik.net with alias vektor and finally 192.168.1.2 pazentez.tektrik.net with alias pazentez.

I have a feeling my DNS configuration is all messed up and the only reason anything is working by name is due to my tinkering in the Network Configuration stuff. I am not able to connect to web sites from Pazentez, but I can telnet into Vektor by typing "telnet 192.168.1.1".

I am going to figure out what's going on here eventually but if anyone has any input as to why my Win box can't call up my Linux box which would then route the packets off to the ISP's DNS server and so on I'd appreciate it.

Thank you, and if anyone wants a copy of the scripts I have I'll post them upon request. For now I'd just like to get this network working properly out of the box, then I'll start tweaking.
 
Old 03-31-2004, 12:55 AM   #2
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163

Rep: Reputation: 58
Unless you have a reason for using your own dns I would put in your isp's dns and you need to setup iptables masquerade on the internet interface, and enable ip forwarding. That will get you connected. Then you can follow the dns howto and test the dns server to see that it's working if you still want it.

To access the machines by name you need to add the search domain to be local. And then dns should work without giving the full domain name as machine.domain.com.

You could put the names in the hosts file.

Last edited by DavidPhillips; 03-31-2004 at 12:58 AM.
 
Old 03-31-2004, 01:03 AM   #3
darb
LQ Newbie
 
Registered: Mar 2004
Location: Vancouver, B.C.
Distribution: IPcop1.4 & Deb3.1
Posts: 13

Rep: Reputation: 0
Depending on what else you are looking to use your Linux box for, there are a couple of Linux versions based on RH you may want to look at:

IPcop is a dedicated linux firewall.

Clarkconnect is a server/gateway/firewall package.
 
Old 03-31-2004, 09:20 AM   #4
tunnelit
LQ Newbie
 
Registered: Mar 2004
Posts: 9

Original Poster
Rep: Reputation: 0
Question

Thanks for your replies David and darb.

David how would I go about setting up IP Tables Masquerade and IP Forwarding?

I'm not familiar with Linux so please list commands to carry out tasks. I've got the moving around part down just pat (haha), but never opened and edited a file through terminal.

Thank you.
 
Old 03-31-2004, 08:04 PM   #5
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163

Rep: Reputation: 58
For IP forwarding, you set that like this after boot:

echo 1 > /proc/sys/net/ipv4/ip_forward

That can be done in the boot scripts, your iptables script, or in /etc/rc.d/rc.local.

I think I would go with rc.local or /etc/rc.d/init.d/iptables; then you can use Red Hat's iptables script to set the firewall rules in /etc/sysconfig/iptables.

Here is a very basic iptables file created by lokkit that goes in /etc/sysconfig/iptables.

# Firewall configuration written by redhat-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT


the -p 50 and -p 51 lines are for IPSec and you may not want them. You may also need other ports open if this is a server.


Start the firewall like this..

service iptables restart
chkconfig iptables on


Now you need to add the ppp interface if it's not already there, like this...

iptables -I RH-Firewall-1-INPUT -i ppp+ -j ACCEPT


Then this command for masquerade..

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE



Now that masquerading is enabled, save the current state of the firewall like this:

service iptables save

Here is the resulting /etc/sysconfig/iptables file

# Generated by iptables-save v1.2.9 on Wed Mar 31 20:04:05 2004
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Mar 31 20:04:05 2004
# Generated by iptables-save v1.2.9 on Wed Mar 31 20:04:05 2004
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i ppp+ -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Mar 31 20:04:05 2004

Last edited by DavidPhillips; 04-01-2004 at 01:12 PM.
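Before trusting a saved /etc/sysconfig/iptables file on a two-NIC gateway, it helps to check it mechanically for the properties the post above is aiming at: masquerading on the Internet-facing NIC, replies to inside-initiated connections let back in, a default deny at the end of the forwarding path, no blanket accept on the WAN interface, and (a point worth checking whenever INPUT and FORWARD share one chain that ends in REJECT) a rule that actually lets new connections from the LAN be forwarded. The script below is an added example for this thread, not code from the thread, from Red Hat or from lokkit; it parses the iptables-save format, walks jumps into user-defined chains, and reports those findings. The sample rules are constructed from the saved file posted above, with eth0 as the cable-modem side and eth1 as the LAN side as in the thread; the FIXED_RULES variant and the extra FORWARD rule in it are my assumption of one way to allow LAN-to-WAN forwarding, not something the post states.

```python
# Constructed sample: the saved /etc/sysconfig/iptables file from the thread
# (eth0 = cable modem side, eth1 = LAN side), minus the comment lines.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i ppp+ -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Constructed variant (an assumption, not from the thread): the same file with a
# FORWARD rule that accepts new LAN->WAN connections before the shared chain's
# final REJECT gets to see them.
FIXED_RULES = SAMPLE_RULES.replace(
    "-A FORWARD -j RH-Firewall-1-INPUT",
    "-A FORWARD -i eth1 -o eth0 -j ACCEPT\n-A FORWARD -j RH-Firewall-1-INPUT")

def parse_iptables_save(text):
    """Return {table: {"policy": {chain: policy}, "rules": [token lists]}}.
    User-defined chains carry the policy "-" exactly as iptables-save writes them."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):            # table header, e.g. *filter
            current = line[1:]
            tables[current] = {"policy": {}, "rules": []}
        elif line.startswith(":"):          # chain header, e.g. :INPUT ACCEPT [0:0]
            chain, policy, _counters = line[1:].split(None, 2)
            tables[current]["policy"][chain] = policy
        elif line.startswith("-A "):        # rule appended to a chain
            tables[current]["rules"].append(line.split())
        elif line == "COMMIT":
            current = None
    return tables

def _opt(tokens, flag):
    """Value following an option flag in a rule, or None if the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def _iface_match(pattern, name):
    """iptables interface matching: a trailing '+' makes the pattern a prefix."""
    if pattern is None:
        return False
    return name.startswith(pattern[:-1]) if pattern.endswith("+") else pattern == name

def _effective_rules(table, chain, depth=0):
    """Rules a packet entering `chain` is tested against, in order, with jumps
    into user-defined chains expanded (depth guard in case of a chain loop)."""
    out = []
    for rule in (r for r in table["rules"] if r[1] == chain):
        target = _opt(rule, "-j")
        if table["policy"].get(target) == "-" and depth < 4:
            out.extend(_effective_rules(table, target, depth + 1))
        else:
            out.append(rule)
    return out

def audit_gateway(text, wan="eth0", lan="eth1"):
    """Five yes/no findings for a masquerading gateway; all but the last should be True."""
    tables = parse_iptables_save(text)
    nat = tables.get("nat", {"policy": {}, "rules": []})
    filt = tables.get("filter", {"policy": {}, "rules": []})
    fwd = _effective_rules(filt, "FORWARD")
    inp = _effective_rules(filt, "INPUT")
    return {
        # Outbound LAN traffic is rewritten to the address of the Internet-facing NIC.
        "masquerade_on_wan": any(r[1] == "POSTROUTING" and _opt(r, "-o") == wan
                                 and _opt(r, "-j") == "MASQUERADE" for r in nat["rules"]),
        # Replies to connections started on the inside are let back through.
        "stateful_return": any("ESTABLISHED" in (_opt(r, "--state") or "")
                               and _opt(r, "-j") == "ACCEPT" for r in fwd),
        # Anything not explicitly allowed to be forwarded is refused.
        "forward_default_deny": filt["policy"].get("FORWARD") in ("DROP", "REJECT")
                                or (bool(fwd) and _opt(fwd[-1], "-j") in ("DROP", "REJECT")),
        # New connections arriving on the LAN NIC are allowed to be forwarded at all.
        "lan_forward_allowed": any(_iface_match(_opt(r, "-i"), lan)
                                   and _opt(r, "-j") == "ACCEPT" for r in fwd),
        # A bare "-i <wan> -j ACCEPT" (six tokens) opens every port on the Internet side.
        "wan_blanket_accept": any(len(r) == 6 and _iface_match(_opt(r, "-i"), wan)
                                  and _opt(r, "-j") == "ACCEPT" for r in inp),
    }

if __name__ == "__main__":
    print("as posted:            ", audit_gateway(SAMPLE_RULES))
    print("with LAN forward rule:", audit_gateway(FIXED_RULES))
```

Run against the file as posted, the audit reports everything in order except lan_forward_allowed, because FORWARD hands every packet to RH-Firewall-1-INPUT, which accepts only loopback, ICMP, IPsec, ppp+ and established/related traffic and rejects the rest; the FIXED_RULES variant flips that finding. Passing wan="ppp0" shows the other use of the checker: the ppp+ accept line is then reported as a blanket accept on the WAN side, which is fine for a dial-up link the rule was written for but not for the interface that faces the cable modem.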
 
Old 03-31-2004, 11:41 PM   #6
tunnelit
LQ Newbie
 
Registered: Mar 2004
Posts: 9

Original Poster
Rep: Reputation: 0
Excellent. Thank you very much. I am going to type out the scripts that I have, and if you don't mind please look them over and help me edit them as I need to. I need a few questions answered about the scripts before I go installing them though. I believe the eth0 and eth1 are backwards; I'll explain when I post the scripts in about an hour. I've been on the comp all day and my wrists are hurting so I'm going to take a break.

The scripts are certainly worth copying and keeping. Very secure. Anyhow, in about an hour the scripts will be posted.

Again, thank you very much for posting.