tom purl (n00b, Joined: 01 Sep 2004, Posts: 61)
Posted: Wed May 11, 2005 1:53 am, Post subject: Shorewall Static Router Setup Problems
I'm trying to set up my Gentoo computer as a static ip router for a small network. I've read through numerous tutorials and message boards and haven't been able to solve my problems. Any help I could get would be greatly appreciated.
First, I have two interfaces. eth0 is the interface to my small network, and eth1 points to my wireless router. Here's the output from ifconfig:
```
eth0      Link encap:Ethernet  HWaddr 00:09:5B:09:D9:8E
          inet addr:172.16.0.1  Bcast:172.16.0.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:30 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:1260 (1.2 Kb)
          Interrupt:3 Base address:0x4000

eth1      Link encap:Ethernet  HWaddr 00:09:5B:91:59:61
          inet addr:192.168.0.100  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:357611 errors:0 dropped:0 overruns:0 frame:0
          TX packets:183410 errors:53500 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:330860479 (315.5 Mb)  TX bytes:25563266 (24.3 Mb)
          Interrupt:11 Base address:0x2000 Memory:f5000000-f5000fff

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:24738 errors:0 dropped:0 overruns:0 frame:0
          TX packets:24738 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2414782 (2.3 Mb)  TX bytes:2414782 (2.3 Mb)
```
The first thing that I did to set up my machine as a router was to edit /etc/conf.d/net. Here's what my version of the file says:
```sh
iface_eth0="172.16.0.1 broadcast 172.16.0.255 netmask 255.255.255.0"
...
iface_eth1="dhcp"
```
Next, I configured Shorewall so I could use my box as a router, using the following tutorial. The conf files in the tutorial assume that eth0 is your external interface, but I edited the conf files so that it knew that eth1 was my external interface.
Finally, I edited /etc/sysctl.conf and un-commented the following:
```
# Disables packet forwarding
net.ipv4.ip_forward = 1
# Disables IP dynaddr
#net.ipv4.ip_dynaddr = 0
# Disable ECN
net.ipv4.tcp_ecn = 0
# Enables source route verification
net.ipv4.conf.default.rp_filter = 1
# Disables the magic-sysrq key
#kernel.sysrq = 0
```
I then restarted eth0 and Shorewall and tested my new private ip address:
```
homer shorewall # ping 172.16.0.1
PING 172.16.0.1 (172.16.0.1) 56(84) bytes of data.
64 bytes from 172.16.0.1: icmp_seq=1 ttl=64 time=0.090 ms
64 bytes from 172.16.0.1: icmp_seq=2 ttl=64 time=0.088 ms
64 bytes from 172.16.0.1: icmp_seq=3 ttl=64 time=0.088 ms

--- 172.16.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.088/0.088/0.090/0.010 ms
```
Great. The interface is up and I can ping it from the router.
This is where I have a problem. My client computer is also a Gentoo linux box, and I set it up with the following /etc/conf.d/net configuration:
```sh
iface_eth0="172.16.0.2 broadcast 172.16.0.255 netmask 255.255.255.0"
```
I then restarted eth0, and was able to ping 172.16.0.2 from the client.
The big test is when I tried to ping my Gentoo router. Pinging 172.16.0.1 from the client doesn't work, and vice-versa: I can't ping the client from the router using 172.16.0.2.
Is there anything obvious that I'm missing? Any help you can give me would be greatly appreciated!
Tom Purl
tom purl (n00b, Joined: 01 Sep 2004, Posts: 61)
Posted: Wed May 11, 2005 1:57 am
I also just went into /etc/conf.d/net on the client and set the router to 172.16.0.1, but that didn't help.
encase (n00b, Joined: 25 Oct 2004, Posts: 55, Location: Switzerland)
Posted: Wed May 11, 2005 2:21 am
First of all, I would suggest you use IPCop, Smoothwall or something like that. They're small, easy and probably more secure than a "homemade" router (gateway?).
However, you have the possibilities. Have you made a graph or a plan of your network with all the necessary info? I would highly recommend doing so if you haven't already. Mark all computers (cables) etc.
You should also know that different networks need different subnets. And different network interfaces (wlan or eth) should have different subnets.
I can't say by heart why computers can't ping each other. But I think it must be related to IP addresses, the default gateway, or something like that. You should give more info!
tom purl (n00b, Joined: 01 Sep 2004, Posts: 61)
Posted: Wed May 11, 2005 2:36 am
Thanks for the quick help encase!

encase wrote:
> First of all, I would suggest you use IPCop, Smoothwall or something like that. They're small, easy and probably more secure than a "homemade" router (gateway?).

Thanks for the advice. I haven't even heard of these distributions before. For now, however, I would like to use Gentoo.

encase wrote:
> However, you have the possibilities. Have you made a graph or a plan of your network with all the necessary info? I would highly recommend doing so if you haven't already. Mark all computers (cables) etc.

I don't know if this is necessary for my network. It is very small and simple (one client talking to one router/gateway, both machines running Gentoo).

encase wrote:
> You should also know that different networks need different subnets. And different network interfaces (wlan or eth) should have different subnets.

Both of my networks are on different subnets.

encase wrote:
> I can't say by heart why computers can't ping each other. But I think it must be related to IP addresses, the default gateway, or something like that. You should give more info!

What other info should I post? I think that I've posted everything that I'm aware of.
Rad (Guru, Joined: 11 Feb 2004, Posts: 401, Location: Bern, Switzerland)
Posted: Wed May 11, 2005 3:00 am
Maybe you blocked the ping packets in shorewall? They might even be blocked by default, I don't really know... Try issuing a "shorewall clear" and/or allow all ICMP (it's a protocol, like TCP or UDP) traffic from "fw" to the zone the other machine is in and vice versa. The latter is done by editing /etc/shorewall/rules.
Ah, and check whether your zones, interfaces and policy files in the shorewall dir also look okay...
think4urs11 (Bodhisattva, Joined: 25 Jun 2003, Posts: 6659, Location: above the cloud)
Posted: Wed May 11, 2005 5:42 am
Did you set your default gateways correctly?
- on the shorewall box -> wireless router
- on the client box -> shorewall box
Is ICMP allowed on the shorewall box? (For ease of use, try first with 'accept all all icmp'.)

Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
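The replies above boil down to a short checklist: does each interface actually have link, are the two interfaces on different subnets, is forwarding on, is a default gateway set, and does Shorewall accept ICMP between the firewall zone and the LAN zone. The script below is an added example that turns that checklist into functions; it is not code from any poster or from the Shorewall project. The interface sample is trimmed from the ifconfig output in the first post (note that eth0 there is UP but not RUNNING and has received zero packets, which the link check flags before any firewall question arises). The sysctl lines, the routing table, the gateway address 192.168.0.1 and the /etc/shorewall/rules fragment with zone names loc and fw are constructed assumptions.

```shell
#!/bin/sh
# Added diagnostic for the two-interface Gentoo router in this thread (not code
# from any poster). It checks what the replies raise: link state per interface,
# distinct subnets, ip_forward, the default gateway, and ICMP accepted between
# the fw zone and the LAN (loc) zone in /etc/shorewall/rules.

# Interface sample: trimmed from the ifconfig output in the first post.
IFCONFIG_SAMPLE='eth0      Link encap:Ethernet  HWaddr 00:09:5B:09:D9:8E
          inet addr:172.16.0.1  Bcast:172.16.0.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
eth1      Link encap:Ethernet  HWaddr 00:09:5B:91:59:61
          inet addr:192.168.0.100  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:357611 errors:0 dropped:0 overruns:0 frame:0'

# Constructed: the sysctl lines the first post uncommented.
SYSCTL_SAMPLE='# Disables packet forwarding
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1'

# Constructed route -n output; 192.168.0.1 as the wireless router is an assumption.
ROUTE_SAMPLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.0.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth1'

# Constructed /etc/shorewall/rules fragment; zone names loc (LAN) and fw are
# assumed. Columns: ACTION SOURCE DEST PROTO [DEST PORT].
RULES_SAMPLE='#ACTION  SOURCE  DEST  PROTO
ACCEPT   loc     fw    icmp
ACCEPT   fw      loc   icmp
ACCEPT   loc     net   tcp   80'

# Print the flags line (the one carrying MTU:) of interface $1 from ifconfig text $2.
iface_flags() {
    printf '%s\n' "$2" | awk -v i="$1" '$1 == i { f = 1; next } f && /MTU:/ { print; exit }'
}

# Succeeds when the interface reports RUNNING, i.e. the driver sees link carrier.
iface_has_link() {
    iface_flags "$1" "$2" | grep -q 'RUNNING'
}

# Dotted quad -> integer so netmask arithmetic can be done in the shell.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds when $1 and $2 fall in the same subnet under mask $3.
same_subnet() {
    a=$(ip_to_int "$1"); b=$(ip_to_int "$2"); m=$(ip_to_int "$3")
    [ $(( a & m )) -eq $(( b & m )) ]
}

# Succeeds when an uncommented "net.ipv4.ip_forward = 1" is present in sysctl text $1.
ip_forward_enabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$'
}

# Print the default gateway from route -n style text $1 (empty if none).
default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $2; exit }'
}

# Succeeds when rules text $1 has an ACCEPT line for icmp from zone $2 to zone $3.
icmp_allowed() {
    printf '%s\n' "$1" | awk -v s="$2" -v d="$3" \
        '$1 == "ACCEPT" && $2 == s && $3 == d && tolower($4) == "icmp" { ok = 1 } END { exit ok ? 0 : 1 }'
}

# Run every check against the samples and print one line per finding.
report() {
    for i in eth0 eth1; do
        if iface_has_link "$i" "$IFCONFIG_SAMPLE"; then echo "ok:   $i has link (RUNNING)"
        else echo "FAIL: $i is UP but not RUNNING; check cable/link before the firewall"; fi
    done
    if same_subnet 172.16.0.1 192.168.0.100 255.255.255.0; then echo "FAIL: eth0 and eth1 share a subnet"
    else echo "ok:   eth0 and eth1 are on different subnets"; fi
    if ip_forward_enabled "$SYSCTL_SAMPLE"; then echo "ok:   ip_forward = 1"; else echo "FAIL: ip_forward is off"; fi
    gw=$(default_gateway "$ROUTE_SAMPLE")
    if [ -n "$gw" ]; then echo "ok:   default gateway is $gw"; else echo "FAIL: no default gateway"; fi
    for pair in "loc fw" "fw loc"; do
        set -- $pair
        if icmp_allowed "$RULES_SAMPLE" "$1" "$2"; then echo "ok:   icmp $1 -> $2 accepted"
        else echo "FAIL: icmp $1 -> $2 not accepted in rules"; fi
    done
    return 0
}

report
```

On a live box the samples would be replaced by `ifconfig`, `cat /etc/sysctl.conf`, `route -n` and `cat /etc/shorewall/rules`; the point of the ordering is that a missing RUNNING flag on eth0 (as in the posted output) makes the gateway and Shorewall questions moot until the link itself is up.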