
Routing and Masquerading on RedHat 7.2


jxfish2 (Technical User), Jan 24, 2002
I'm running RedHat 7.2 at home.

I have 7 systems at home, but only one static IP address...

I've been connecting each of the other systems via DHCP, but want to setup DNS, IP Masquerading and Routing via my one and only static system...

Can anyone point me to a good tutorial, or examples? ( Just for the routing and masquerading )...

Can anyone tell me which files might need to be modified, and possibly supply some examples for each file... ( Again, just for the routing and masquerading... )

( Mind you, I'm not a novice, and I'm quite familiar with most of your basic networking files... )

This is just one thing I've never done, and I'm not quite sure where to start...

( Actually, I stayed up all night, trying to "hack" my way through it, without any real reference materials, and only a vague idea of what I needed to do... )

In the end, my attempts failed miserably....

So, I thought I'd try my friendly neighborhood guru's first...

Sorry for rambling... I'm tired...

JCF
 
If $29 is not out of your reach, you can go to a place like Best Buy and get a router. This will not have all the bells and whistles of the more expensive ones, but it will do what you want. You set it up through your web browser, and it comes with a setup wizard to help you get up and running in a few minutes. For example, the router uses your IP, DNS and netmask on the WAN side and will be given a static IP such as 192.168.0.1 on the LAN side. You have a choice of giving each machine a static internal IP or using the built-in DHCP server. If you have any servers running, you will need to at least give that machine a static IP so you can route the traffic to it. You will then point to the router's internal IP as the gateway and DNS server on all the other machines. I have the D-Link DI-604 and it took less than 5 minutes to get my network sharing my internet connection. Since the router only has 1 WAN port and 4 LAN ports, you will need to get a hub also. I can't imagine paying more than $20 or so for it. Most Linux distros come with everything you need to do this. You can do a web search for "internet sharing" and you will get lots of links on how to set up a home network.
 
So, you're saying that I can't use my actual Linux server as a router? I really don't know, but I was under the impression that I could!!!

I already have 2 8-port switches, and $29.00 is within my price range...

Hmmm... I guess I'm off to Best Buys...

Thanks

JCF
 

NO!!!!! DO NOT WASTE YOUR MONEY ON A ROUTER!!!!!

Linux can do almost anything a $10000 router can do, and just as easily.

Start reading the Howto's (should be on your computer in /usr/doc or /usr/share/something) or do a search on 'iptables'/'ipchains' and IP masquerading.

You can only use routing if you have a registered domain, so you need to setup IP masquerading which is very easy.

Just to start with:

# echo '1' > /proc/sys/net/ipv4/ip_forward    # enables forwarding in the kernel

# ipchains -A input -i eth0 -s 10.0.0.0/16 -d 0.0.0.0/0 -j ACCEPT    # assumes you're using ipchains, internal net = 10.0.0.0/16 and internal interface = eth0

Then set your Linux box as default gateway on your Machines.

Hope it helps.

Cheers Henrik Morsing
IBM Certified AIX 4.3 Systems Administration
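Putting the two lines above together into a complete two-NIC gateway, as an added example (not Henrik's code, and written in iptables rather than ipchains syntax, since RedHat 7.2 runs a 2.4 kernel): it assumes eth0 faces the ISP, eth1 faces the LAN on 192.168.1.0/24, and it prints the commands by default so they can be reviewed before running them as root with DRY_RUN=0.

```shell
#!/bin/sh
# Two-NIC masquerading gateway. Assumptions (not from the thread):
# EXT_IF=eth0 carries the ISP-assigned static address, INT_IF=eth1 is
# 192.168.1.1 on the LAN. build_rules only prints the commands so the
# rule set can be checked first; apply_rules executes them.

build_rules() {
    ext_if=$1; int_if=$2; int_net=$3
    # Kernel must forward between interfaces (the "echo 1" step above).
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    # Reject packets whose source address could not have arrived on that
    # NIC (anti-spoofing on both sides).
    echo "echo 1 > /proc/sys/net/ipv4/conf/$ext_if/rp_filter"
    echo "echo 1 > /proc/sys/net/ipv4/conf/$int_if/rp_filter"
    # Start from empty tables and a default-deny FORWARD chain.
    echo "iptables -F"
    echo "iptables -t nat -F"
    echo "iptables -P FORWARD DROP"
    # LAN -> Internet: connections may leave.
    echo "iptables -A FORWARD -i $int_if -o $ext_if -s $int_net -j ACCEPT"
    # Internet -> LAN: only replies to connections the LAN opened.
    echo "iptables -A FORWARD -i $ext_if -o $int_if -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Rewrite private LAN source addresses to the single public address.
    echo "iptables -t nat -A POSTROUTING -o $ext_if -s $int_net -j MASQUERADE"
}

count_rules() {
    # Number of generated lines containing a keyword (sanity check).
    build_rules "$1" "$2" "$3" | grep -c -- "$4"
}

apply_rules() {
    # Run each generated line as root; stop at the first failure.
    build_rules "$@" | while IFS= read -r cmd; do
        sh -c "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
}

if [ "${DRY_RUN:-1}" = "1" ]; then
    build_rules eth0 eth1 192.168.1.0/24
else
    apply_rules eth0 eth1 192.168.1.0/24
fi
```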
 
I guess the last sentence wasn't too clear. :) I was saying that if you are up to it, most distros have everything you need to set your Linux box up as a gateway, router, DHCP server, proxy server, as well as web server, mail server, file server and firewall. Oh yeah, print server, voice mail, well you get the idea. The great thing about it is that all this would cost thousands of dollars on a Windows system, but you more than likely have it on your box already. You just have to configure them and have them start at boot time. My suggestion was not meant to be an answer to your question but a quick, easy way to get all your machines to share one internet connection. As Morsing suggests, you should learn ipchains and other things so you can use one of your machines as a more secure gateway to the internet. Sorry for the confusion.
 
I hooked up the DI-604 last night, and everything is working "as the router was intended to".

In other words, I can get to my primary webserver from the internet, and my various systems can reach the internet.

This particular router allows you to access various services, such as FTP, HTTP, HTTPS, etc.

But, it only allows you to create a single virtual server for each of the above services. ( You can only connect to a single server inside of the firewall. )

Once inside, I'm sure there must be a way to redirect the HTML pages to another internal machine, but you can only get to a single machine from the WAN.

Question:

Using Linux as the Firewall / Router, can I access multiple, different systems from the internet?

Let's say that my domain name was "davids_domain.com", and let's say that I had several internal servers; "DD1", "DD2", "DD3", etc.

Could I access the webservers on each of these various boxes from the web?

Could I access them using a URL naming convention like:


Is there a way to setup access to the webservers, using the above naming conventions, from within my own environment, or do I need to register each and every server with my ISP?

If I setup my own DNS servers, can I do the above?

Do I "NEED" to setup my own DNS servers?

If I wanted the ability to route mail to each or any of my servers, how can I route using the following naming convention:

root@DD1.davids_domain.com
user2@DD2.davids_domain.com

If I setup my own internal mail server, can I do the above?

Do I "NEED" to setup my own internal mail server?

TIA

JCF
 
To have your own domain name which can be reached from the internet, you need to purchase one from a registrar. I would avoid Verisign/Network Solutions and go with because you can get a much better deal. There are other registrars out there, but I was just giving an example. Once you have your domain name you can add an unlimited number of sub-domains. For example, mail.yourdomain.com, chat.yourdomain.com, user.yourdomain.com and so on. Apache will let you create virtual servers for all of your sites on one machine. This is what web hosting services do. All HTTP and HTTPS traffic is handled by Apache, but you can set the DocumentRoot (webspace) for each site anywhere on your local network. As for DNS servers, I don't think you really need one unless you want to use domain names only accessible from your local net. In this case you would use BIND. If you have a registered domain name then you can use sendmail as your mail server. You would be able to receive mail addressed to you@yourdomain.com. You would add an "A" record for mail.yourdomain.com to your zone (yourdomain.com) and use the same IP as your domain. Then you need to create an "MX" record showing that mail.yourdomain.com will handle mail for yourdomain.com. All this would be done through your registrar or whoever has your DNS records. I hope I understood your question. If I didn't... never mind. :)
 
OK... Something's still wrong...

I got the DI-604 to work just fine, with static IPs on all internal systems.

Each system had internet connectivity.

Unfortunately, the 604 wasn't compatible with the routers at my place of work.

I then picked up a LinkSys, which I was told should work.

Again, I got everything up and working, only to find that it wouldn't support my VPN connection at work.

So, I'm back to the Linux firewall and router.

My "router" has two (2) NIC cards in it, and I'd like to use the first NIC card to connect to the internet, and the second NIC card to connect to the LAN.

My internet connection works just fine, with the static IP address assigned by my ISP.

I can ping each of my internal systems, and they can each ping me, using a local / internal IP address scheme, with 192.*.*.1 defined both as the internal gateway, and as the IP address assigned to the internal card.

So connections are up, all around.

The system simply isn't forwarding from the first / internal card, through the second / external card...

How can I make this happen?

TIA

JCF
 
Since you have 2 NICs, this makes it easier than having to use virtual IP addressing such as eth0:1, eth0:2 and so on. Actually, you can have up to 256 IP addresses on one NIC. I assume you have neither the D-Link nor the LinkSys router connected at this point. You would connect your cards just as you did those routers. For example, eth0 will be connected to the cable/DSL modem and eth1 would be connected to your LAN. eth0 would have your public IP and eth1 would have your local IP. All traffic in both directions will pass through your Linux box. How traffic gets routed now depends on what you want to do and how you want to do it. This brings us back to where we started. :) You will be doing a lot with ipchains and iptables. I can help a little with that, but let's see if we've got traffic coming in one card and out the other.
 
I have traffic coming in and out of both cards.

It's just that nothing's getting from NIC 1 to NIC 2...

When I ran the above "echo" and "ipchains" commands from the command line, I didn't get any errors.

But, when I attempted to open the ipchains GUI interface, it appeared as if nothing was configured.

I'm also running "webmin". Inside of webmin, when I attempt to access ipchains, it gives me an error:

Start Error {

An error occured when checking your current IPtables configuration :

/lib/modules/2.4.18-18.7.x/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
/lib/modules/2.4.18-18.7.x/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.18-18.7.x/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.18-18.7.x/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters.
You may find more information in syslog or the output from dmesg
iptables v1.2.5: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

This may indicate that your kernel does not support IPtables.

}

So, it appears as if there might be something wrong with either the kernel, ipchains or insmod...

Any help here would be greatly appreciated...

TIA

JCF
 
Dumb question, but do you have ipchains and iptables set to start at boot up? As for your NICs, I guess I'm not gettin' it. You say traffic is passing through both but it won't pass from one to the other? Can ya help me out here? One should ONLY be connected directly to your modem and the other should ONLY be connected to your LAN.
 
Sorry for the confusion...

The NIC that's connected to the internal LAN can talk to each of the other systems, and each of them can talk to the internal NIC.

The NIC that's connected to the Modem can access the internet just fine...

But, the systems on the internal network can't get "through" the proxy server / firewall to the external NIC, or to the internet...
 
Ahhh... To answer your question about ipchains starting at boot...

Yes, both ipchains and iptables are setup to start at boot...
 