LinuxQuestions.org
Old 09-20-2004, 01:07 PM   #1
chaosego
Member
 
Registered: Sep 2004
Location: Canada.
Distribution: Slackware 10, SuSE 9.1, VectorLinux 4.3
Posts: 56

Rep: Reputation: 15
Setting up a gateway/dhcp server.


I've read linuxquestions.org for over 2 years now, and have just decided to register.

So let's get down to it.

I finally got my Linksys WPC54GS to work in Suse 9.1 (default 2.6.4-52), using ndiswrapper 0.9, so I may be able to help anyone with an issue regarding that, as I overcame a few issues myself. Back to business, I want to set up this computer (running Suse 9.1 personal) as a gateway/dhcp server for my other computer (running Windows XP). I'll be using wlan0 as the internet connection and eth0 to connect to a hub. I'm really not too sure where to start, so any help is appreciated.
 
Old 09-20-2004, 01:39 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
well, for the dhcp server, it's basically just a matter of installing the package, and then editing your /etc/dhcpd.conf file...

as for the gateway, you basically just need an iptables script... how comfortable are you with iptables??

ps: you might also wanna install dnsmasq on the gateway, so that the hosts on your lan don't need to use your ISP's DNS servers (this makes web surfing much faster)...

http://thekelleys.org.uk/dnsmasq/doc.html


Last edited by win32sux; 09-20-2004 at 01:46 PM.
 
Old 09-20-2004, 01:54 PM   #3
win32sux
here's a basic /etc/dhcpd.conf file:

Code:
ddns-update-style none;

subnet 192.168.0.0 netmask 255.255.255.0 {
   range 192.168.0.2 192.168.0.254;
   option subnet-mask 255.255.255.0;
   option broadcast-address 192.168.0.255;
   option domain-name-servers 192.168.0.1;
   option routers 192.168.0.1; }

here's a basic iptables script:

Code:
###############################################################################
### Variables
###############################################################################

IPT="/usr/sbin/iptables"
INET_IFACE="wlan0"
LAN_IFACE="eth0"
LAN_IP="192.168.0.1"
LAN_NET="192.168.0.0/24"
LAN_BCAST="192.168.0.255"
LO_IFACE="lo"
LO_IP="127.0.0.1"


###############################################################################
### Modules
###############################################################################

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_nat_irc
#/sbin/modprobe ip_conntrack_irc


###############################################################################
### Kernel Parameters
###############################################################################

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians


###############################################################################
### Flush Chains and Set Policies
###############################################################################

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT


###############################################################################
### Create User Chains
###############################################################################

$IPT -N INPUT_INET2GATE
$IPT -N INPUT_LAN2GATE
$IPT -N FORWARD_INET2LAN
$IPT -N FORWARD_LAN2INET
$IPT -N BAD_PACKETS


###############################################################################
### INPUT
###############################################################################

$IPT -A INPUT -p ALL -m state --state INVALID -j DROP
$IPT -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPT -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
$IPT -A INPUT -p ALL -j BAD_PACKETS
$IPT -A INPUT -p ALL -i $INET_IFACE -j INPUT_INET2GATE
$IPT -A INPUT -p ALL -i $LAN_IFACE -j INPUT_LAN2GATE
$IPT -A INPUT -p ALL -j LOG --log-prefix "INPUT DROP: "


###############################################################################
### FORWARD
###############################################################################

$IPT -A FORWARD -p ALL -m state --state INVALID -j DROP
$IPT -A FORWARD -p ALL -j BAD_PACKETS
$IPT -A FORWARD -p ALL -i $LAN_IFACE -o $INET_IFACE -j FORWARD_LAN2INET
$IPT -A FORWARD -p ALL -i $INET_IFACE -o $LAN_IFACE -j FORWARD_INET2LAN
$IPT -A FORWARD -p ALL -j LOG --log-prefix "FORWARD DROP: "


###############################################################################
### OUTPUT
###############################################################################

$IPT -A OUTPUT -p ALL -m state --state INVALID -j DROP
$IPT -A OUTPUT -p ALL -o $LO_IFACE -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LAN_IFACE -s $LAN_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -j LOG --log-prefix "OUTPUT DROP: "


###############################################################################
### POSTROUTING
###############################################################################

$IPT -t nat -A POSTROUTING -p ALL -o $INET_IFACE -j MASQUERADE


###############################################################################
### INPUT_INET2GATE
###############################################################################

$IPT -A INPUT_INET2GATE -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPT -A INPUT_INET2GATE -p TCP --dport 22 -m state --state NEW -j ACCEPT
$IPT -A INPUT_INET2GATE -p ALL -j RETURN


###############################################################################
### INPUT_LAN2GATE
###############################################################################

$IPT -A INPUT_LAN2GATE -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT_LAN2GATE -p UDP --dport 53 -m state --state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE -p TCP --dport 22 -m state --state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE -p ICMP --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE -p ALL -j RETURN


###############################################################################
### FORWARD_INET2LAN
###############################################################################

$IPT -A FORWARD_INET2LAN -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD_INET2LAN -p ALL -j RETURN


###############################################################################
### FORWARD_LAN2INET
###############################################################################

$IPT -A FORWARD_LAN2INET -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD_LAN2INET -p TCP --dport 443 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p TCP --dport 80 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p ICMP --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p ALL -j RETURN


###############################################################################
### BAD_PACKETS
###############################################################################

$IPT -A BAD_PACKETS -p TCP ! --syn -m state --state NEW -j DROP
$IPT -A BAD_PACKETS -p ICMP --fragment -j DROP
$IPT -A BAD_PACKETS -p ALL -d 255.255.255.255 -j DROP
$IPT -A BAD_PACKETS -p ALL -d $LAN_BCAST -j DROP
$IPT -A BAD_PACKETS -p ALL -i $LAN_IFACE -s ! $LAN_NET -j DROP
$IPT -A BAD_PACKETS -p ALL -i $LAN_IFACE -s $LAN_IP -j DROP
$IPT -A BAD_PACKETS -p ALL -i $LAN_IFACE -s $LO_IP -j DROP
$IPT -A BAD_PACKETS -p ALL -i $INET_IFACE -s $LAN_NET -j DROP
$IPT -A BAD_PACKETS -p ALL -i $INET_IFACE -s $LO_IP -j DROP
$IPT -A BAD_PACKETS -p ALL -j RETURN


echo "So let it be written, so let it be done."

Last edited by win32sux; 09-21-2004 at 02:41 PM.
 
Old 09-20-2004, 03:28 PM   #4
chaosego
Downloaded the packages for DHCP, DHCP Server, DHCP Tools, and Dnsmasq.
Installed them all.
I did some reading on iptables, I have a decent idea of what they are now, and what they do, not so sure on how to make/implement them yet.

The /etc/dhcpd.conf and the iptables script; are they meant to work together, or just separate examples of each?
 
Old 09-20-2004, 03:57 PM   #5
win32sux
Quote:
Originally posted by chaosego
Downloaded the packages for DHCP, DHCP Server, DHCP Tools, and Dnsmasq.
Installed them all.
I did some reading on iptables, I have a decent idea of what they are now, and what they do, not so sure on how to make/implement them yet.

The /etc/dhcpd.conf and the iptables script; are they meant to work together, or just separate examples of each?

they are separate examples... however, the iptables script is configured to allow a dhcp server on the lan, the rule that allows that is:

Code:
$IPT -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

basically, you just execute the iptables script and you're done... copy/paste the script from here into a text file, make the file executable, and execute it (as root)...

once you know the script is working the way you want it to (you might need to make some adjustments to the script), you just set it to run automatically on startup...

as for dnsmasq, you might not need to configure anything at all, just start it with this command:

Code:
dnsmasq --interface=eth0

once you have it working right, then also just add the command to your startup sequence... the same goes for the dhcp server, which can be started with:

Code:
dhcpd eth0

here's a good resource for iptables educational material:

http://www.linuxguruz.com/iptables
 
Old 09-20-2004, 04:18 PM   #6
chaosego
Before I configured my wireless card, this laptop always used to access the internet via its eth0. Should I be making a lot of changes to ifcfg-eth0? Or could I just make a new ifcfg-eth0.1 for when I want to use it as the gateway/dhcp server ? If so are there any significant changes I need to make, and what are they? Thanks for all your help so far.

Oh I was curious where you got that iptable script. Did you write it yourself, or is there an archive somewhere?
 
Old 09-20-2004, 04:22 PM   #7
chaosego
Quote:
Originally posted by win32sux
make the file executable, and execute it (as root)...

Please elaborate, mainly on how to make it executable. I'm guessing it will be with chmod, which I've only used before, and sparingly. (If it's not clear yet, I'm still pretty new with linux, but I'm trying to learn. )
 
Old 09-20-2004, 06:24 PM   #8
win32sux
Quote:
Originally posted by chaosego
Before I configured my wireless card, this laptop always used to access the internet via its eth0. Should I be making a lot of changes to ifcfg-eth0? Or could I just make a new ifcfg-eth0.1 for when I want to use it as the gateway/dhcp server ? If so are there any significant changes I need to make, and what are they? Thanks for all your help so far.

Oh I was curious where you got that iptable script. Did you write it yourself, or is there an archive somewhere?

basically you just need eth0 (your lan interface) to have an ip like 192.168.0.1 and a netmask like 255.255.255.0... your internet interface should be configured in the normal way, either statically or with dhcp.. i'm not sure what kinda configuration your external card uses...

i made the script myself, it's similar to what i use on my box... the link i posted above has plenty of other example scripts...


Last edited by win32sux; 09-21-2004 at 03:09 PM.
 
Old 09-20-2004, 06:25 PM   #9
win32sux
Quote:
Originally posted by chaosego
Please elaborate, mainly on how to make it executable. I'm guessing it will be with chmod, which I've only used before, and sparingly. (If it's not clear yet, I'm still pretty new with linux, but I'm trying to learn. )

you're on the right track...

Code:
chown root.root example.txt

chmod 700 example.txt

the first command makes root the owner of the file...

in the second command, the 7 gives root read/write/execute permission, the first 0 gives users in root's group zero permissions (nothing) and the second 0 gives other users zero permission...

then, to execute the file (as root) do:

Code:
./example.txt
 
Old 09-20-2004, 09:34 PM   #10
chaosego
When I try and do

# dhcpd eth0

I get the following error:

"No subnet declaration for eth0 (0.0.0.0).
** Ignoring requests on eth0. If this is not what
you want, please write a subnet declaration
in your dhcpd.conf file for the network segment
to which interface eth0 is attached. **


Not configured to listen on any interfaces! "

I'm trying to fiddle with the dhcpd.conf atm, but I don't seem to be getting anywhere.

[Edit]

I am not 100% sure of the order which I should be doing these commands. As of now I'm doing something like :

# ./gateway.iptables //the ip table script you posted

#ifup eth0

#dnsmasq --interface=eth0

#dhcpd eth0

Other than the error I said above, the only other thing that goes on is it waits for the eth0 to connect to a dhcp server (which I know there isn't one running yet, but i'm gonna run it ... right?), so it sets it to listen in the background? I'm getting slightly more 'in the loop' here, but I'm also getting slightly more lost. hehe.


Last edited by chaosego; 09-20-2004 at 09:40 PM.
 
Old 09-21-2004, 07:55 AM   #11
win32sux
your eth0 shouldn't be connecting to any dhcp server... you'd need to run a dhcp client to do that, and that's not what you're doing...

make sure you have eth0 properly configured before you attempt to make the dhcp server listen on it...

Code:
ifconfig eth0 inet 192.168.0.1 netmask 255.255.255.0

after eth0 is configured then you can start the dhcp daemon (make sure you copy/paste the example configuration into your /etc/dhcpd.conf)...

ps: i just edited the script, adding a rule allowing pings from the lan to the internet, so that you can test the forwarding easily by pinging internet hosts...


Last edited by win32sux; 09-21-2004 at 08:01 AM.
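
The "No subnet declaration for eth0 (0.0.0.0)" error from post #10 comes down to whether the interface's address falls inside a subnet declared in dhcpd.conf. The sketch below is an added example, not part of the original posts and not dhcpd's own code: it models that match against the example configuration from post #3, and the function names `sample_conf`, `ip_to_int` and `find_subnet` are made up for the illustration.

```shell
#!/bin/sh
# Added illustration (not dhcpd's own code): model the address-to-subnet match
# behind "No subnet declaration for eth0 (0.0.0.0)".

# sample_conf: the example /etc/dhcpd.conf from the thread, embedded inline.
sample_conf() {
    cat <<'EOF'
ddns-update-style none;

subnet 192.168.0.0 netmask 255.255.255.0 {
   range 192.168.0.2 192.168.0.254;
   option subnet-mask 255.255.255.0;
   option broadcast-address 192.168.0.255;
   option domain-name-servers 192.168.0.1;
   option routers 192.168.0.1; }
EOF
}

# ip_to_int A.B.C.D: print the address as a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1                 # split the dotted quad into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# find_subnet ADDR: read a dhcpd.conf on stdin and print the first
# "subnet ... netmask ..." declaration whose network contains ADDR.
# Returns 1 when no declaration matches, the case dhcpd complains about.
find_subnet() {
    addr=$(ip_to_int "$1")
    pairs=$(awk '$1 == "subnet" && $3 == "netmask" { print $2, $4 }')
    while read -r net mask; do
        [ -n "$net" ] || continue
        m=$(ip_to_int "$mask")
        if [ $(( addr & m )) -eq $(( $(ip_to_int "$net") & m )) ]; then
            echo "subnet $net netmask $mask"
            return 0
        fi
    done <<EOF
$pairs
EOF
    return 1
}

# eth0 before and after "ifconfig eth0 inet 192.168.0.1 netmask 255.255.255.0"
for a in 0.0.0.0 192.168.0.1; do
    if match=$(sample_conf | find_subnet "$a"); then
        echo "$a: served by '$match'"
    else
        echo "$a: no subnet declaration matches"
    fi
done
```
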
 
Old 09-21-2004, 12:32 PM   #12
soylentgreen
Member
 
Registered: Sep 2004
Location: old village
Distribution: android, BSD, CentOS, Ubuntu
Posts: 221

Rep: Reputation: 30
first, i wanted to thank win32sux for being so very clear on your explanation.. i managed to follow it, as i am trying to do just about the same thing.

i followed everything up to the end, and i got my gf's windoze machine to PING out, but cannot get outbound browsing. (no MSN, no IE)
but it CAN ping out by name and number...

any suggestions?

thanks..

slackware 10 on dell latitude w/ 2 ethernet cards
eth0 = internet
eth1 = local ( i modified the scripts to reflect this)

thanx!
 
Old 09-21-2004, 12:53 PM   #13
win32sux
Quote:
Originally posted by soylentgreen
first, i wanted to thank win32sux for being so very clear on your explanation.. i managed to follow it, as i am trying to do just about the same thing.

i followed everything up to the end, and i got my gf's windoze machine to PING out, but cannot get outbound browsing. (no MSN, no IE)
but it CAN ping out by name and number...

any suggestions?

thanks..

slackware 10 on dell latitude w/ 2 ethernet cards
eth0 = internet
eth1 = local ( i modified the scripts to reflect this)

thanx!

okay so you can't surf from the lan, but you can ping an ip like "216.239.57.99" and a domain like "google.com" from your girlfriend's pc on the lan??

what does the logfile show when you attempt to surf from the lan??

Code:
tail -f /var/log/syslog

also, make sure you don't have your girlfriend's pc set to use a proxy or something...

are you using a dns daemon on the slackware gateway??


Last edited by win32sux; 09-21-2004 at 12:57 PM.
 
Old 09-21-2004, 12:58 PM   #14
soylentgreen
Sep 21 13:56:02 slacktop kernel: FORWARD DROP: IN=eth1 OUT=eth0 SRC=192.168.0.58 DST=64.233.171.104 LEN=474 TOS=0x00 PREC=0x00 TTL=127 ID=3089 DF PROTO=TCP SPT=4232 DPT=80 WINDOW=64240 RES=0x00 ACK PSH URGP=0

Sep 21 13:56:38 slacktop kernel: FORWARD DROP: IN=eth1 OUT=eth0 SRC=192.168.0.58 DST=64.233.171.104 LEN=474 TOS=0x00 PREC=0x00 TTL=127 ID=3101 DF PROTO=TCP SPT=4232 DPT=80 WINDOW=64240 RES=0x00 ACK PSH URGP=0
Sep 21 13:56:41 slacktop kernel: INPUT DROP: IN=eth0 OUT= MAC=00:80:c7:3f:28:27:00:05:5f:e8:70:70:08:00 SRC=143.229.142.174 DST=68.42.81.220 LEN=60 TOS=0x00 PREC=0x00 TTL=116 ID=20433 PROTO=UDP SPT=6348 DPT=6348 LEN=40
Sep 21 13:56:51 slacktop kernel: INPUT DROP: IN=eth0 OUT= MAC=00:80:c7:3f:28:27:00:05:5f:e8:70:70:08:00 SRC=68.61.117.76 DST=68.42.81.220 LEN=60 TOS=0x00 PREC=0x00 TTL=121 ID=49680 PROTO=UDP SPT=6346 DPT=6348 LEN=40
Sep 21 13:56:51 slacktop kernel: INPUT DROP: IN=eth0 OUT= MAC=00:80:c7:3f:28:27:00:05:5f:e8:70:70:08:00 SRC=209.161.228.131 DST=68.42.81.220 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=54859 DF PROTO=TCP SPT=1984 DPT=6346 WINDOW=65535 RES=0x00 SYN URGP=0

her IP addy is 192.168.0.58...
i'm relatively new to linux also.. so thanx for being patient.
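
Kernel LOG lines like the ones above are easier to read when grouped by the script's `--log-prefix`, interfaces, protocol, destination port and TCP flags. The following is an added example, not part of the original posts: the log lines are constructed in the same layout (host name, public addresses and MAC are placeholders), and the function names `sample_log` and `summarize_drops` are made up for the illustration.

```shell
#!/bin/sh
# Added illustration: condense kernel LOG lines produced by the script's
# --log-prefix rules ("INPUT DROP: ", "FORWARD DROP: ", "OUTPUT DROP: ").

# sample_log: constructed syslog lines in the netfilter LOG layout
# (host name, public addresses and MAC are placeholders).
sample_log() {
    cat <<'EOF'
Sep 21 13:56:02 gw kernel: FORWARD DROP: IN=eth1 OUT=eth0 SRC=192.168.0.58 DST=203.0.113.10 LEN=474 TOS=0x00 PREC=0x00 TTL=127 ID=3089 DF PROTO=TCP SPT=4232 DPT=80 WINDOW=64240 RES=0x00 ACK PSH URGP=0
Sep 21 13:56:38 gw kernel: FORWARD DROP: IN=eth1 OUT=eth0 SRC=192.168.0.58 DST=203.0.113.10 LEN=474 TOS=0x00 PREC=0x00 TTL=127 ID=3101 DF PROTO=TCP SPT=4232 DPT=80 WINDOW=64240 RES=0x00 ACK PSH URGP=0
Sep 21 13:56:41 gw kernel: INPUT DROP: IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=198.51.100.7 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=116 ID=20433 PROTO=UDP SPT=6348 DPT=6348 LEN=40
Sep 21 13:56:51 gw kernel: INPUT DROP: IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=198.51.100.9 DST=192.0.2.20 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=54859 DF PROTO=TCP SPT=1984 DPT=6346 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 21 13:57:00 gw sshd[123]: unrelated line that must be ignored
EOF
}

# summarize_drops: read syslog on stdin and print
#   COUNT PREFIX IN->OUT PROTO/DPT FLAGS
# one line per distinct combination. For TCP, SYN alone is a new connection
# attempt; ACK/PSH without SYN is traffic on a connection already open.
summarize_drops() {
    awk '
    {
        k = index($0, "kernel: ");     if (k == 0) next
        rest = substr($0, k + 8)
        i = index(rest, "DROP: IN=");  if (i == 0) next
        prefix = substr(rest, 1, i + 3)            # e.g. "FORWARD DROP"
        n = split(substr(rest, i + 6), tok, " ")   # KEY=VALUE and bare tokens
        split("", kv); flags = ""                  # reset per line
        for (j = 1; j <= n; j++) {
            e = index(tok[j], "=")
            if (e > 0) {
                key = substr(tok[j], 1, e - 1)
                # keep the first value: UDP lines carry LEN= twice
                if (!(key in kv)) kv[key] = substr(tok[j], e + 1)
            } else if (tok[j] ~ /^(SYN|ACK|PSH|FIN|RST|URG)$/) {
                flags = (flags == "" ? "" : flags ",") tok[j]
            }
        }
        out = (kv["OUT"] == "") ? "-" : kv["OUT"]  # empty on INPUT lines
        dpt = ("DPT" in kv) ? kv["DPT"] : "-"      # absent for ICMP
        if (flags == "") flags = "-"
        count[prefix " " kv["IN"] "->" out " " kv["PROTO"] "/" dpt " " flags]++
    }
    END { for (c in count) print count[c], c }
    ' | sort
}

sample_log | summarize_drops
```

On a live gateway the same function can be fed from the log file, for example `summarize_drops < /var/log/syslog`.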
 
Old 09-21-2004, 01:10 PM   #15
soylentgreen
she doesn't have a proxy running..
previously i had this machine w/xp and ICS...
she can ping google.com and numbers.. but no browsing.. hopefully i captured what you needed to see from the log..

let me know if i need to give you any other info

thanx again.
 
  

