LinuxQuestions.org
Old 01-26-2010, 08:05 PM   #1
AntonGolovin
LQ Newbie
 
Registered: Jan 2010
Posts: 6

Rep: Reputation: 0
Moderately complex networking setup not working.


Hi, thank you in advance for your response. My network looks like the following:

WAN (cable)
|
|
[wireless/LAN router, ASUS] -- wireless computers (connecting ok).
|
|
[wired Debian firewall & dnsmasq box, can access the Internet ok]
|
|
[wired CentOS intranet computers, not getting internet access but able to see each other and the firewall box - with IP and host names both - via switches]

Except for firewall and NFS, I tried to configure the network based on these instructions for CentOS (suitably modifying them for Debian where needed): http://oss.segetech.com/intranet.html

1) Would you be so kind as to say if such a set up is possible (having in mind the chain of essentially two routers - the ASUS and the firewall box) - would the intranet computers be able to access the internet at all?

2) I did not configure an iptables firewall and do not know if it is running on the firewall box (I was going to do that later.) If it is running, it has default values. Would any of those cases prevent intranet computers accessing the internet?

3) Is there anything else I could have missed potentially that would prevent intranet computers from getting to the Internet?

4) Personally I am starting to think that a chain of two routers (ASUS and firewall box acting as a router) may not allow a frame to properly get to the Internet or back keeping the initial destination's address intact. (Although isn't this how the Internet works in general?) I am not a networking guru, so I could be wrong.

Thank you for your response!

Last edited by AntonGolovin; 01-26-2010 at 08:09 PM.
 
Old 01-26-2010, 09:41 PM   #2
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
If you prefer to speak Russian, I can explain, but I do not think this forum will appreciate our discussion.

So, if you find a place, you are welcome.
 
Old 01-27-2010, 12:07 AM   #3
sohail0399
Member
 
Registered: Oct 2008
Location: Pakistan, Islamabad
Distribution: CentOS, Fedora, Solaris
Posts: 154

Rep: Reputation: 23
According to your diagram, what I understand is that there are two network interfaces at the "wired Debian firewall", or they are connected to the switch.
If there are two network interfaces, then check the IP and configuration of the one which is connected to the "wired CentOS intranet computers".

If it is somewhat different, then please explain.
 
Old 01-27-2010, 04:34 AM   #4
/dev/me
Member
 
Registered: May 2008
Distribution: Slackware 13
Posts: 116

Rep: Reputation: 20
Welcome to the forums!

1) I can't think of a reason why you would put your WLAN between the firewall and the WAN. But my bet is, if you move it inside your LAN, that the clients lose connection to the internet.

2) I assume the Debian box has two NICs. Has the Debian box got IP forwarding enabled? If you kept mostly default values, then probably not. This needs to be done in two places. First, the kernel should know:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
And obviously the iptables rules should also reflect this. A little bit like this:
Code:
#!/bin/sh
# Minimal NAT gateway ruleset: LAN on eth0, WAN on eth1.
#########################################################
# VARIABLES AND DEFINITIONS (AND MODPROBES)             #
#########################################################
# VARIABLES
ipt="/usr/sbin/iptables"
mod="/sbin/modprobe"
LAN_IFACE="eth0"
WAN_IFACE="eth1"

# BASIC KERNEL MODULES (2.6-era names; newer kernels load nf_conntrack
# and the xt_* match modules on demand, so a failed modprobe here is harmless)
$mod ip_tables
$mod ip_conntrack
$mod iptable_filter
$mod iptable_nat
$mod iptable_mangle
$mod ipt_LOG
$mod ipt_limit
$mod ipt_state
$mod ipt_MASQUERADE

# FOR IRC AND FTP (connection-tracking helpers for multi-connection protocols)
$mod ip_nat_ftp
$mod ip_nat_irc
$mod ip_conntrack_ftp
$mod ip_conntrack_irc

# FLUSH RULES AND DELETE CUSTOM CHAINS (start from a clean slate)
$ipt -F
$ipt -t nat -F
$ipt -t mangle -F
$ipt -X
$ipt -t nat -X
$ipt -t mangle -X



#########################################################
# GENERAL CONFIGURATION AND DEFAULT POLICIES            #
#########################################################
# DEFAULT POLICIES: drop anything not explicitly allowed into or through the box
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
$ipt -t nat -P OUTPUT ACCEPT
$ipt -t nat -P PREROUTING ACCEPT
$ipt -t nat -P POSTROUTING ACCEPT
$ipt -t mangle -P PREROUTING ACCEPT
$ipt -t mangle -P POSTROUTING ACCEPT

# LOOPBACK AND INTERNAL SERVICES
$ipt -A INPUT -i lo -j ACCEPT
# NOTE: with INPUT set to DROP, services running on this box (dnsmasq DNS/DHCP)
# also need explicit ACCEPT rules from $LAN_IFACE, or the clients never reach them.

# IP MASQUERADING: rewrite LAN source addresses to the WAN address on the way out
$ipt -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE

# OUTGOING TRAFFIC RULES
# replies to connections this box opened itself
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# replies from the WAN to connections the LAN opened
$ipt -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

# LAN clients may open new connections towards the WAN
$ipt -A FORWARD -i $LAN_IFACE  -o $WAN_IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Then the clients need to get the Debian box as gateway; this you can do in dnsmasq.conf.

3) Yes. Probably. Creating a setup like you have is not impossible, and not even very difficult. But it seems it's your first attempt, so what you need to do goes a little beyond the scope of normal computer usage.

The main points are 1) that your Debian box has IP forwarding enabled, 2) that its iptables rules are set up to allow NAT and masquerading, and 3) that dnsmasq is set up to hand out valid leases to the clients.


Be sure to read up on iptables, and set up extensive logging until you are confident it's all working properly. Then you can turn many (but not all!) logging options off.

4) A word of advice. Don't treat wireless any more special than wired connections. It is basically the same, except that the signal goes through the air rather than through copper. If you set your wireless router to what I believe is called 'bridged mode', it won't hand out DHCP anymore and won't act as gateway either, but just transfer any signal to the Debian box. For this, it needs to be in LAN.
That is a lot safer, because wireless clients will get the same iptables policies as wired clients.

Last edited by /dev/me; 01-27-2010 at 04:35 AM.
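An added check, not from this thread and not /dev/me's script: a Python audit that parses iptables-save output and tests the three main points above (IP forwarding, NAT/masquerading, and whether LAN clients can actually reach dnsmasq on the gateway through the INPUT chain). It assumes LAN on eth0 and WAN on eth1 as in the posted script; both rulesets inside it are constructed, the first mirroring the posted rules and the second adding INPUT rules for DNS and DHCP. On a live box you would pass in the output of `iptables-save` and the contents of /proc/sys/net/ipv4/ip_forward instead.

```python
"""Audit an iptables-save dump against the gateway requirements discussed above.

Added example; assumes LAN=eth0, WAN=eth1 like the posted script. The two
rulesets below are constructed: SAMPLE_RULESET mirrors the posted rules,
FIXED_RULESET adds INPUT rules so dnsmasq on the gateway is reachable.
"""
import shlex

LAN_IFACE = "eth0"
WAN_IFACE = "eth1"

# Constructed: what `iptables-save` prints after the rules posted above are loaded.
SAMPLE_RULESET = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

# Constructed: same ruleset plus INPUT rules for DNS (53) and DHCP (67) from the LAN.
FIXED_RULESET = SAMPLE_RULESET.replace(
    "-A INPUT -i lo -j ACCEPT\n",
    "-A INPUT -i lo -j ACCEPT\n"
    "-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT\n"
    "-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT\n"
    "-A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT\n",
)


def parse_rule(tokens):
    """Map 'CHAIN -i eth0 -m state --state NEW -j ACCEPT' tokens to a dict.
    Options with an argument become option -> value (dashes stripped); bare
    flags such as '!' or '--syn' become flag -> True."""
    rule, i = {"chain": tokens[0]}, 1
    while i < len(tokens):
        tok = tokens[i]
        has_arg = tok.startswith("-") and i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        rule[tok.lstrip("-")] = tokens[i + 1] if has_arg else True
        i += 2 if has_arg else 1
    return rule


def parse_ruleset(text):
    """Return (policies, rules): {table: {chain: policy}}, {table: [rule dict]}."""
    policies, rules, table = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):                       # table header, e.g. *filter
            table = line[1:]
            policies.setdefault(table, {})
            rules.setdefault(table, [])
        elif table is None or not line or line.startswith("#") or line == "COMMIT":
            continue
        elif line.startswith(":"):                     # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[table][chain] = policy
        elif line.startswith("-A "):
            rules[table].append(parse_rule(shlex.split(line)[1:]))
    return policies, rules


def states(rule):
    """Conntrack states a rule matches on; empty set means 'any state'."""
    return set(rule["state"].split(",")) if "state" in rule else set()


def audit(ruleset_text, ip_forward, lan=LAN_IFACE, wan=WAN_IFACE):
    """Return a list of findings; an empty list means every gateway check passed."""
    findings = []
    policies, rules = parse_ruleset(ruleset_text)
    filt, nat = rules.get("filter", []), rules.get("nat", [])
    if ip_forward.strip() != "1":                      # 1. kernel must route at all
        findings.append("ip_forward is 0: kernel will not route between LAN and WAN")
    for chain in ("INPUT", "FORWARD"):                 # 2. default-deny like the posted script
        if policies.get("filter", {}).get(chain) != "DROP":
            findings.append(f"filter/{chain} default policy is not DROP")
    if not any(r["chain"] == "POSTROUTING" and r.get("o") == wan   # 3. NAT on the way out
               and r.get("j") in ("MASQUERADE", "SNAT") for r in nat):
        findings.append(f"no MASQUERADE/SNAT on {wan}: LAN packets leave with private source addresses")
    fwd = [r for r in filt if r["chain"] == "FORWARD" and r.get("j") == "ACCEPT"]
    if not any(r.get("i") == lan and r.get("o") == wan and "NEW" in states(r) for r in fwd):
        findings.append(f"FORWARD never accepts NEW {lan}->{wan}: clients cannot open connections")
    if not any(r.get("i") == wan and r.get("o") == lan and states(r)
               and states(r) <= {"ESTABLISHED", "RELATED"} for r in fwd):
        findings.append(f"FORWARD never accepts replies {wan}->{lan}")
    if any(r.get("i") == wan and r.get("o") == lan and ("NEW" in states(r) or not states(r)) for r in fwd):
        findings.append(f"FORWARD accepts unsolicited {wan}->{lan} traffic: LAN is exposed")
    # 4. with INPUT DROP, dnsmasq only hears the LAN if DNS/DHCP (or the whole LAN side) is allowed
    inp = [r for r in filt if r["chain"] == "INPUT" and r.get("j") == "ACCEPT"]
    lan_wide_open = any(r.get("i") == lan and "p" not in r and "state" not in r for r in inp)
    for proto, port, name in (("udp", "53", "DNS"), ("tcp", "53", "DNS"), ("udp", "67", "DHCP")):
        if not (lan_wide_open or any(r.get("i") == lan and r.get("p") == proto
                                     and r.get("dport") == port for r in inp)):
            findings.append(f"INPUT drops {name}/{proto} from {lan}: dnsmasq on the gateway is unreachable")
    return findings


if __name__ == "__main__":
    for label, ruleset in (("as posted", SAMPLE_RULESET), ("with LAN service rules", FIXED_RULESET)):
        print(f"== {label} ==")
        for finding in audit(ruleset, "1") or ["OK: all gateway checks pass"]:
            print("  " + finding)
```

Run as is, the first ruleset passes the forwarding and NAT checks but reports that INPUT drops DNS and DHCP from the LAN, which is the one thing the posted script leaves out when dnsmasq runs on the same box; the second ruleset comes back clean, and passing "0" as the ip_forward value adds the forwarding finding on top.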
 
Old 01-27-2010, 04:19 PM   #5
AntonGolovin
LQ Newbie
 
Registered: Jan 2010
Posts: 6

Original Poster
Rep: Reputation: 0
Thanks for the comprehensive response!

Would you also be so kind to point me to how I could connect a Windows client to my Linux LAN domain?

Thanks in advance!
 
Old 01-27-2010, 06:21 PM   #6
/dev/me
Member
 
Registered: May 2008
Distribution: Slackware 13
Posts: 116

Rep: Reputation: 20
Not really sure what you mean by 'domain'.

Assuming you want to just have Wintels on your LAN, then that's easy. When dnsmasq is configured properly, you should have no problem connecting Windows machines.
 
Old 01-27-2010, 06:32 PM   #7
AntonGolovin
LQ Newbie
 
Registered: Jan 2010
Posts: 6

Original Poster
Rep: Reputation: 0
At the risk of sounding like a novice...

By domain I mean the part like: mypcname.mylinuxdomain. I just thought somehow I must make Windows connect to mylinuxdomain.

So, basically, if I understand correctly, when configuring a static IP in Windows I do not need to specify a domain? What about the workgroup?

Thanks for your responses!
 
  

