Old 03-05-2006, 08:10 PM   #1
removed037
LQ Newbie
 
Registered: Nov 2004
Posts: 11

Rep: Reputation: 0
Question WBEL 2nd network card not working




Hello to all. This is my first post to the forum so be kind.

I am new to Linux after too many years developing web applications in the Windoze environment. I have 3 servers, two with WhiteBox Enterprise v3. I am having the same problem on both boxes. A third box has RHEL WS v3 and is running fine in this setup.

I have two aDSL lines coming in to the house. On one line I have a DSL Router with wi-fi capabilities and have 3 windows boxes connected to that. The other line is a business DSL with 4 useable IPs.

Here is my setup. Each server has 2 10/100 nic cards. The intent is to connect one nic card to the "internal" network and the other to be facing the "internet" through a switch connected to the DSL modem. (I have a second DSL router through which I plan to eventually connect the production machines. But I want to get this working first.)

The internal network is a Class C with each hardwired machine using a unique IP address. I have them configured with 192.168.1.1 as the gateway and 255.255.255.0 as the subnet mask. On the business line I have 64.191.139.49 as the Gateway and 255.255.255.248 as the subnet mask, with each of the three boxes assigned one of the unique IPs I have been assigned.

When I start up the boxes they talk to the internal net just fine. But I can't get them to talk to the external network at all. I have switched the cables to make sure they aren't the problems and switched the nic card being used with no change. The internal connection works fine on either nic card. I have even spoken with tech support at the isp to get the lines checked out.

Internally the machines respond to ping and I have been able to set up an ftp server and successfully access it through the internal ip but not the external. I can access the internet with the browser fine as long as the internal connection is live. If I deactivate the internal connection it no longer works.

I have tested this with the firewall turned off, with iptables turned off and with the firewall active and both interfaces flagged as trusted. With no change in results.

Here is some diagnostic data: (eth0 is internal, eth1 is external)

ifconfig eth0

PHP Code:
eth0      Link encap:Ethernet  HWaddr 00:B0:D0:D1:6B:FE
          inet addr:192.168.1.71  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:25770 errors:0 dropped:0 overruns:0 frame:0
          TX packets:24828 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2295342 (2.1 Mb)  TX bytes:12329287 (11.7 Mb)


ifconfig eth1

PHP Code:
eth1      Link encap:Ethernet  HWaddr 00:02:B3:5B:3F:93
          inet addr:64.191.139.51  Bcast:64.191.139.55  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3226 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2561 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:262213 (256.0 Kb)  TX bytes:1989041 (1.8 Mb)


route -n

PHP Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
64.191.139.48   0.0.0.0         255.255.255.248 U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0 


cat /etc/resolv.conf

PHP Code:
generated by /sbin/dhclient-script
nameserver 64.191.128.10
nameserver 64.191.128.101 


lspci

PHP Code:
00:00.0 Host bridge: Broadcom CNB20LE Host Bridge (rev 06)
00:00.1 Host bridge: Broadcom CNB20LE Host Bridge (rev 06)
00:04.0 Ethernet controller: Intel Corporation 82557/8/[Ethernet Pro 100] (rev 08)
00:06.0 VGA compatible controller: ATI Technologies Inc 3D Rage IIC (rev 7a)
00:0f.0 ISA bridge: Broadcom OSB4 South Bridge (rev 50)
00:0f.2 USB Controller: Broadcom OSB4/CSB5 OHCI USB Controller (rev 04)
00:11.0 Host bridge: Broadcom CNB20LE Host Bridge (rev 06)
00:11.1 Host bridge: Broadcom CNB20LE Host Bridge (rev 06)
06:04.0 PCI bridge: Intel Corporation 80960RM [i960RM Bridge] (rev 01)
06:04.1 RAID bus controller: Dell PowerEdge Expandable RAID Controller 3/Di (rev 01)
07:06.0 SCSI storage controller: Adaptec AIC-7880U (rev 02)
08:04.0 Ethernet controller: Intel Corporation 82557/8/[Ethernet Pro 100] (rev 08)
08:06.0 SCSI storage controller: Adaptec AHA-3960D AIC-7899A U160/(rev 01)
08:06.1 SCSI storage controller: Adaptec AHA-3960D AIC-7899A U160/(rev 01)



It's obvious that eth1 is talking to something but I don't know what.
The one thing I do notice is the difference in the settings for destination, gateway and genmask between eth0 and eth1. Could this be causing the problem? If so, how do I fix it?

As you can tell I am very inexperienced with network issues in Linux. I have been working on this on and off for over a month now as time permits. I have "Googled" this to death with no resolution. All helpful suggestions are welcome!!!

Glenn Puckett
Lexington, KY
 
Old 03-05-2006, 08:37 PM   #2
removed037
LQ Newbie
 
Registered: Nov 2004
Posts: 11

Original Poster
Rep: Reputation: 0
Exclamation I don't understand!!!

I'm not sure what I did. But as I was playing around with the network settings (really without changing anything) it has started working. I created a profile (it had defaulted to "common"). And then tried adding a "New" xDSL connection but it turned out that was for a PPP connection which I don't have. I do not have a required userid/password to activate my xDSL connection. After deleting that and returning the network configuration back to its original setting, except keeping the new profile name, the results of the route inquiry have changed.

route -n now returns

PHP Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
64.191.139.48   0.0.0.0         255.255.255.248 U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
0.0.0.0         64.191.139.49   0.0.0.0         UG    0      0        0 eth1 
All the other results are the same.

At this point this box responds to the ping from both internal and external IPs. I do not understand how my changes caused this effect. Can someone help clarify this for me so I can understand it enough not to screw it up again? I keep thinking I don't have the entire setup configured properly.

I went through the same sequence on the second box (I think!!) and didn't get the same result. So the second box still doesn't work properly. I am totally puzzled now. I hate mysteries!!!!

Thanks,

Glenn Puckett

Last edited by removed037; 03-05-2006 at 09:01 PM.
 
Old 03-05-2006, 10:16 PM   #3
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Where does the 169.254.0.0 address come from?
Also, the default gateway for the internet leaning machines should probably be your DSL gateway on eth1. On the second route listing this is correct, whereas in the first, you have 192.168.1.1 as the default gateway. Check the default gateway on all three machines.

Also, if these three boxes are offering services to the internet, you should consider using a gateway device, such as a NAT router to isolate the other network, or keep the two networks totally isolated. If one of them, let's say a web server, is hacked, the hacker then has access through eth0 to your inside network.

At work, when I needed to update the virus definitions for some XP servers, I would unplug my management laptop from the regular network before plugging it in to a network with internet access.

Last edited by jschiwal; 03-05-2006 at 10:18 PM.
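
Added example, not part of the thread: a small Python check that runs the two `route -n` listings posted above through the points raised in this reply (which interface carries the default route, and whether the host has one leg on a public subnet and one on a private subnet). The function names are hypothetical; treating eth1 as the external interface follows the original post.

```python
import ipaddress
# Both tables are copied from the `route -n` output posted in this thread.
BEFORE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
64.191.139.48   0.0.0.0         255.255.255.248 U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
"""
AFTER = """\
64.191.139.48   0.0.0.0         255.255.255.248 U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
0.0.0.0         64.191.139.49   0.0.0.0         UG    0      0        0 eth1
"""

def parse_routes(text):
    """Return (network, gateway, flags, iface) for each route line."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        try:
            net = ipaddress.ip_network(f"{f[0]}/{f[2]}")
            routes.append((net, ipaddress.ip_address(f[1]), f[3], f[7]))
        except (IndexError, ValueError):
            continue  # banner, column header or malformed line
    return routes

def audit(text, external_iface):
    """Findings for a two-NIC host; external_iface is the caller's assumption."""
    routes = parse_routes(text)
    # Directly connected subnets, ignoring the 169.254.0.0/16 link-local route.
    connected = [r for r in routes
                 if "G" not in r[2] and not r[0].network_address.is_link_local]
    defaults = [r for r in routes if r[0].prefixlen == 0 and "G" in r[2]]
    findings = []
    if len(defaults) != 1:
        findings.append(f"expected exactly one default route, found {len(defaults)}")
    for _net, gw, _flags, iface in defaults:
        if iface != external_iface:
            findings.append(f"default route via {gw} uses {iface}, not {external_iface}")
        if not any(gw in c[0] and c[3] == iface for c in connected):
            findings.append(f"gateway {gw} is not on a subnet connected to {iface}")
    private = sorted({c[3] for c in connected if c[0].network_address.is_private})
    public = sorted({c[3] for c in connected if not c[0].network_address.is_private})
    if private and public:
        findings.append(f"dual-homed: public subnet on {', '.join(public)}, "
                        f"private subnet on {', '.join(private)}")
    return findings

if __name__ == "__main__":
    print(audit(BEFORE, "eth1"), audit(AFTER, "eth1"), sep="\n")
```

The first listing is flagged for sending default traffic out eth0; both listings are flagged as dual-homed, which is the exposure this reply describes.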
 
Old 03-06-2006, 06:07 PM   #4
removed037
LQ Newbie
 
Registered: Nov 2004
Posts: 11

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by jschiwal
Where does the 169.254.0.0 address come from?
I have no idea. It is not in any setting I can find.
Quote:
Also, the default gateway for the internet leaning machines should probably be your DSL gateway on eth1. On the second route listing this is correct, whereas in the first, you have 192.168.1.1 as the default gateway. Check the default gateway on all three machines.
Unfortunately I am a total novice with Linux here. How do I set the default gateway? I identify a gateway for each network card. But I don't see a way to set which one is the default.

Quote:
Also, if these three boxes are offering services to the internet, you should consider using a gateway device, such as a NAT router to isolate the other network, or keep the two networks totally isolated. If one of them, let's say a web server, is hacked, the hacker then has access through eth0 to your inside network.
You are correct, of course. But, initially, I just need to learn how to make all this work. Then I will start putting it together more intelligently. I do have a DSL router that I can put these machines behind. But I do need to talk to them through the internal network. So I am willing to leave the internal network connection. We also use software firewall on each machine to help with security.

Quote:
At work, when I needed to update the virus definitions for some XP servers, I would unplug my management laptop from the regular network before plugging it in to a network with internet access.
 
Old 03-07-2006, 12:00 AM   #5
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
You might want to look at this link. It explains using two NAT routers as firewalls.
http://www.grc.com/nat/nats.htm

The explanation is plain. But the example that they use is where both sets of computers use a private subnet, so your situation is different, but it may make a good read anyway.

Given the two lines coming in, you may want to add a third router (w/switch output) which the 3 local leaning NICs plug into. This would give you the same protection as the example link and allow you high speed local access through that router.

Internet -----| LAN Router | ------ LAN Computers -----| Router 3 | ----- 3 Servers ------| Router | --- Internet

You will still want to use your firewall setup on the three servers and make them bastion hosts. You could administer the servers using ssh and sftp alone and close all other ports and remove whatever software you can. I would recommend picking up the March 2006 issue of Linux Journal magazine. The issue topic is security, and one of the articles covers securing the SSH configuration.
 
  

