beandog, Bodhisattva (Joined: 04 May 2003, Posts: 2072, Location: /usa/utah)
Posted: Sun Jan 11, 2004 11:27 pm. Post subject: [SOLVED] Trying to setup a router..
.. and going bald in the process!
I've RTFM, searched the forums, etc., but I still can't figure this out for the life of me.
I'm trying to set up my server as a router for my desktop to connect to, but for the life of me, I can't get it working. I can ping, ssh, etc. the server from my desktop, but I can't get out on the internet with it. I suspect it's either my Shorewall configuration or my DHCP settings. Here are my questions:
- Does Shorewall need any DHCP server running? It seems like, even without it, my box picks up a correct IP address.
- What /etc/conf.d/net settings do you put in the router? Do you manually set the iface settings? gateway? etc.
That's about it... I'm totally lost on this one. Had it working under MDK (of course), but now I can't do a ding-dong thing.
_________________
If it ain't broke, tweak it. dvds | blurays | blog | wiki
Last edited by beandog on Sun Jan 25, 2004 3:04 pm; edited 1 time in total

adaptr, Watchman (Joined: 06 Oct 2002, Posts: 6730, Location: Rotterdam, Netherlands)
Posted: Sun Jan 11, 2004 11:50 pm
You generally need two things to make a gateway work under Linux:
1. allow packet forwarding
Code:
```sh
echo 1 >/proc/sys/net/ipv4/ip_forward
```
2. enable NAT translation
Code:
```sh
iptables -t nat -A POSTROUTING -o <inet_iface> -j MASQUERADE
```
That's it.
Oh and yes, your default gateway has to point to the internet interface (inet_iface) as well, of course.
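The two steps above, written out as one script that can be reviewed before it is applied. This is an added example, not code from the thread or from Shorewall: it assumes the internet interface is eth0, the LAN interface is eth1 and the LAN is 10.10.10.0/24 (override them in the environment), and the function names are mine. Instead of forwarding everything it sets the FORWARD policy to DROP and only passes connections that the LAN opened plus their replies, so a host on the internet side cannot use the box to reach the LAN. The `-m state` match is the older spelling still accepted by current iptables; `sysctl -w net.ipv4.ip_forward=1` is the same thing as the echo into /proc.

```sh
#!/bin/sh
# Added example, not code from the thread: adaptr's two steps (forwarding
# plus MASQUERADE) as a small stateful gateway instead of an accept-all box.
# Assumed names: WAN interface eth0, LAN interface eth1, LAN network
# 10.10.10.0/24; override via the environment. Run "apply" as root.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-10.10.10.0/24}"

# valid_cidr NET: syntax check so a typo does not become a rule that
# silently matches nothing (iptables itself would accept "10.10.10.0").
valid_cidr() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# gateway_rules WAN LAN NET: print the commands instead of running them,
# so they can be read (or diffed against iptables-save) before "apply".
gateway_rules() {
  valid_cidr "$3" || { echo "bad network: $3" >&2; return 1; }
  cat <<EOF
# 1. allow packet forwarding (same as: echo 1 > /proc/sys/net/ipv4/ip_forward)
sysctl -w net.ipv4.ip_forward=1
# start from empty filter and nat tables
iptables -F
iptables -t nat -F
# forward only what is explicitly allowed; INPUT/OUTPUT are left open here
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# LAN -> internet: only packets that really come from our network on the LAN side
iptables -A FORWARD -i $2 -o $1 -s $3 -j ACCEPT
# internet -> LAN: only replies to connections the LAN opened
iptables -A FORWARD -i $1 -o $2 -m state --state ESTABLISHED,RELATED -j ACCEPT
# 2. NAT: rewrite the source address of LAN packets leaving on the WAN interface
iptables -t nat -A POSTROUTING -s $3 -o $1 -j MASQUERADE
EOF
}

# apply_gateway_rules WAN LAN NET: run the generated commands, stop at the first error.
apply_gateway_rules() {
  gateway_rules "$@" | sh -e
}

# forwarding_enabled: succeeds when the kernel is actually forwarding.
forwarding_enabled() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

case "${1:-show}" in
  show)  gateway_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" ;;
  apply) apply_gateway_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" && forwarding_enabled ;;
  # plain iptables commands do not survive a reboot; restore this file
  # at boot with iptables-restore (path is an assumption)
  save)  iptables-save > /etc/iptables.rules ;;
  *)     echo "usage: $0 [show|apply|save]" >&2; exit 2 ;;
esac
```

Saved as, say, gateway.sh (a name of my choosing), `sh gateway.sh show` prints the rule set and `sh gateway.sh apply` installs it. The forward rule carries the LAN source network as well as the LAN interface, so a packet arriving on the WAN side with a forged 10.10.10.x source is dropped rather than forwarded or masqueraded.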

beandog (Bodhisattva)
Posted: Mon Jan 12, 2004 12:45 am
adaptr wrote:
> Oh and yes, your default gateway has to point to the internet interface (inet_iface) as well, of course.

I got the first two, but not sure what you meant by the last one.

Dillinger, Apprentice (Joined: 27 Jul 2003, Posts: 226, Location: Huntington Beach, Ca)
Posted: Mon Jan 12, 2004 1:28 am
He means: does the gateway of the desktop machine point to the gateway of the router? For example, I have a router with two NICs: eth0 gets the net connection and eth1 connects my router and my desktop box. The private IP of eth1 is 192.168.0.1, so I have the gateway on the desktop box set to that address.
_________________
registered Linux user #338885 | www.easylinuxguide.com | www.linuxforums.org

beandog (Bodhisattva)
Posted: Mon Jan 12, 2004 2:10 am
Dillinger wrote:
> He means: does the gateway of the desktop machine point to the gateway of the router? For example, I have a router with two NICs: eth0 gets the net connection and eth1 connects my router and my desktop box. The private IP of eth1 is 192.168.0.1, so I have the gateway on the desktop box set to that address.

I'm pretty sure I do. Here's what my /etc/conf.d/net is set to on my desktop:
Code:
```sh
iface_eth0="10.10.10.2 broadcast 10.10.10.255 netmask 255.255.255.0"
gateway="eth0/10.10.10.254"
```
For my router, it's set to:
Code:
```sh
iface_eth0="dhcp"
iface_eth1="10.10.10.1 broadcast 10.10.10.255 netmask 255.255.255.0"
```
Does that look right? Thanks for helping me out, guys ..

adaptr (Watchman)
Posted: Mon Jan 12, 2004 2:15 am
No, it doesn't.
The gateway address of the desktop box has to be the address of the gateway on the side of the desktop.
If your desktop has 10.10.10.2, and your gateway has 10.10.10.1, then the gateway for the desktop is by definition 10.10.10.1 as well.
The desktop has nothing to do with the network on the other side of the gateway, and indeed should not even be aware of it!
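The rule adaptr states can be checked mechanically on the client: take the gateway of the 0.0.0.0 route from `route -n` and confirm it falls inside the client's own subnet. The script below is an added example, not from the thread or from Shorewall; the function names are mine and the two sample routing tables are constructed from the addresses beandog posted (desktop 10.10.10.2/24, router LAN side 10.10.10.1, ISP router 24.2.78.1). It catches the "pointing at the other side of the gateway" mistake. A gateway address that is inside the subnet but is simply the wrong host (10.10.10.254 when the router is 10.10.10.1) passes the subnet test and is only caught by the live ping at the end.

```sh
#!/bin/sh
# Added example, not from the thread: verify that a client's default gateway
# is an address on the client's own subnet (the near side of the router).
# Function names and the sample tables below are my own; the addresses are
# the ones beandog posted.

# ip_to_int ADDR: dotted quad -> integer with POSIX sh arithmetic.
# The unquoted substitution is intentional: it splits the four octets.
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet ADDR1 ADDR2 NETMASK: succeeds when both share the network part.
same_subnet() {
  m=$(ip_to_int "$3")
  [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "$2") & m )) ]
}

# default_gateway: read `route -n` output on stdin and print the gateway of
# the first 0.0.0.0 route (prints nothing when there is none).
default_gateway() {
  awk '$1 == "0.0.0.0" { print $2; exit }'
}

# check_client_gateway ADDR NETMASK  (routing table on stdin)
# Exit 0 when the default gateway lies on ADDR's subnet, 1 otherwise.
check_client_gateway() {
  gw=$(default_gateway)
  if [ -z "$gw" ]; then
    echo "no default route" >&2
    return 1
  fi
  if same_subnet "$1" "$gw" "$2"; then
    echo "default gateway $gw is on the local subnet of $1"
  else
    echo "default gateway $gw is not on the subnet of $1/$2" >&2
    return 1
  fi
}

# gateway_answers ADDR: live check for a wrong-but-local gateway address.
# Needs a real network (Linux iputils ping), so it is not part of the
# offline demo.
gateway_answers() {
  ping -c 1 -W 1 "$1" >/dev/null 2>&1
}

# Constructed sample tables in route -n format.
# GOOD: gateway is the router's LAN address.
# BAD: gateway is the ISP's router, i.e. the far side of the gateway box.
GOOD_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         10.10.10.1      0.0.0.0         UG    0      0        0 eth0'

BAD_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         24.2.78.1       0.0.0.0         UG    0      0        0 eth0'

# demo: run both samples offline.
# live: route -n | sh check_gw.sh live 10.10.10.2 255.255.255.0  (file name is an assumption)
case "${1:-}" in
  demo)
    printf '%s\n' "$GOOD_TABLE" | check_client_gateway 10.10.10.2 255.255.255.0
    printf '%s\n' "$BAD_TABLE"  | check_client_gateway 10.10.10.2 255.255.255.0
    ;;
  live)
    table=$(cat)
    gw=$(printf '%s\n' "$table" | default_gateway)
    printf '%s\n' "$table" | check_client_gateway "$2" "$3" && gateway_answers "$gw"
    ;;
esac
```

On the thread's own numbers, the router's table (default via 24.2.78.1 on a 24.2.78.0/24 interface) passes the same check, which is what adaptr's "your default gateway has to point to the internet interface" amounts to: each box's default gateway is on the subnet of one of its own interfaces.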

beandog (Bodhisattva)
Posted: Mon Jan 12, 2004 2:38 am
adaptr wrote:
> then the gateway for the desktop is by definition 10.10.10.1 as well.

Oops, I actually posted that wrong in the previous post: the gateway for the desktop was set to 10.10.10.1 (not 10.10.10.254), and it doesn't work.
I don't get it though. From what it sounds like, I have my setup just as Dillinger does, and as the Shorewall doc says:
Quote:
> Your local computers (computer 1 and computer 2 in the above diagram) should be configured with their default gateway to be the IP address of the firewall's internal interface.

And I still can't get outside the internal network onto the net.

Arasi, Tux's lil' helper (Joined: 04 Jan 2004, Posts: 75, Location: Canada)
Posted: Mon Jan 12, 2004 2:56 am
The simplest mistakes can make the nastiest problems... or rather, I've screwed myself over on typos before, so on that note, have you verified the content of /etc/shorewall/policy?
If you're not sure, post it and we can take a look at it.
Also, rechecking your /etc/shorewall/rules file, or posting it for some assistance, may be a good idea.
Arasi

adaptr (Watchman)
Posted: Mon Jan 12, 2004 2:57 am
Please post the output of
and
and we'll see...
Oh and note that since you're using a firewall script (Shorewall is not a firewall, it's a firewall script) any of the above may mean nothing, since iptables routing is a bugger to debug...
Big piece of advice:
DUMP the Shorewall stuff, and get it to work first!
Code:
```sh
iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -F
```
Note I'm not that sure about this, since it's been a while since I used iptables directly..
Better disable Shorewall on startup and reboot,
and then insert only the masquerade entry.
Other piece of advice:
Assuming that you do eventually want to use Shorewall with this, invest some time in learning how the different parts of iptables work together, since it is certainly not intuitive...
My best guess is that a part of the Shorewall config is frustrating your attempts to masquerade your desktop in connecting to the internet.

beandog (Bodhisattva)
Posted: Mon Jan 12, 2004 3:28 am
adaptr wrote:
> Please post the output of
> and
> and we'll see...

Code:
```text
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
eth0_masq  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain eth0_masq (1 references)
target     prot opt source               destination
MASQUERADE all  --  10.10.10.0/24        anywhere
```
Code:
```text
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
24.2.78.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         24.2.78.1       0.0.0.0         UG    0      0        0 eth0
```
adaptr wrote:
> Oh and note that since you're using a firewall script (Shorewall is not a firewall, it's a firewall script) any of the above may mean nothing, since iptables routing is a bugger to debug...

Seriously ... I need to ditch the crutch. That does make a lot more sense though, when you realize it's a script.
Okay, I'm not sure I did this in the right order .. oops.
I disabled Shorewall, removed it from startup, rebooted, and ran those iptables commands.
Rebooted my desktop, and it still no workie. Same as before. I can ping the server, but that's it.
What did you mean by this:
Quote:
> and then insert only the masquerade entry.

Edit:
Oh, this one:
```sh
iptables -t nat -A POSTROUTING -o <inet_iface> -j MASQUERADE
```
Last edited by beandog on Mon Jan 12, 2004 5:32 am; edited 1 time in total

beandog (Bodhisattva)
Posted: Mon Jan 12, 2004 3:42 am
For the record, I uploaded these:
Server/router:
- /etc/conf.d/net
- ifconfig
Desktop:
- /etc/conf.d/net
- ifconfig
Arasi wrote:
> The simplest mistakes can make the nastiest problems... or rather, I've screwed myself over on typos before, so on that note, have you verified the content of /etc/shorewall/policy?
> If you're not sure, post it and we can take a look at it.
> Also, rechecking your /etc/shorewall/rules file, or posting it for some assistance, may be a good idea.

And my whole stinkin' shorewall directory.
Hope that helps.

adaptr (Watchman)
Posted: Mon Jan 12, 2004 7:05 am
Based on your previous post (with the route), I have one question:
Why are there TWO default gateways?
The "127.0.0.0" thing looks very suspicious to me; I've never seen that before.
Also, no: when you run the iptables line and then reboot, it'll all be gone again, won't it?
iptables is only a command; it has no "magic" to remember what you've done.
First reboot, THEN run the iptables line; it will (should) work IMMEDIATELY.
Note that you will only need to reboot once; I only suggested you reboot because it is the easiest way to get rid of the zillions of iptables rules the Shorewall scripts will insert.
Don't worry, understanding will come with time... and patience, of course.
I used to trouble myself with iptables for a long time on my old RH7.2 box, and finally ditched all that and installed IPCop on an old P-200.
No more iptables crap for me!

Arasi (Tux's lil' helper)
Posted: Mon Jan 12, 2004 7:51 pm
Quote:
> And my whole stinkin' shorewall directory.
> Hope that helps.

Yes..... I don't see any problems jumping right out... have you viewed the Shorewall logs to see if it's logging your attempts to pass through the firewall? You may even want to add logging in the policy file for your fw -> net.
Will take a further look later for you.
Arasi

beandog (Bodhisattva)
Posted: Sun Jan 25, 2004 3:04 pm
I finally got it .. after I had a friend come over and explain something to me.
Ah, the basics of network routing.
I didn't realize two things: that I had to set the gateway on the internal network (not the router), and that I could either run a DHCP server on the router and set eth0 on the desktop to accept DHCP connections OR I could just set my internal IP address statically. I've gone with the second choice, since I don't wanna go hunting for a dhcpd.
Thanks guys. :)