Sub: cannot ping internal network

Discussion in 'HOWTO-Related Questions' started by tech.gsr, Jan 29, 2009.

  1. tech.gsr

    tech.gsr New Member

    Hello
    I am a new user to Linux, but in the last couple of months I have gained some idea about it.

    I am trying to set up a small network in my office with 3 Windows XP PCs and two Fedora 10 PCs.

    I have an ADSL router with a 4-port hub connecting to the internet.

    One switch (say sw1) and one Linux PC (say linux1) are connected directly to the router; the three Win XP PCs are connected to switch sw1.

    All the above is working fine: I am able to get connected to the internet on all the systems, and able to network among all the above four.

    Now I want to make linux1 a proxy server, hence I added another network card to it and connected it to another switch sw2, which is connected to another Linux PC (say linux2).

    I have tried a hundred things, googled an equal number, and am finally posting it here.

    In order to reduce confusion I have disabled DHCP on all machines and given static IPs instead.
    NetworkManager was not happy about it, hence to fix my static IP I disabled NetworkManager ('chkconfig NetworkManager off').

                        /--winxp3
                       /---winxp2
                      /---winxp1
                    sw1
                   /
    internet---router--(eth0)linux1(eth1)--sw2--(eth0)linux2


    The above is a schematic of my network; sw1 and sw2 are 8-port switches.

    All is well except there is no visibility between the two Linux systems linux1 and linux2.


    This is the /etc/sysconfig/network-scripts/ifcfg-eth0 of linux1:

    DEVICE=eth0
    BOOTPROTO=static
    BROADCAST=192.168.1.255
    HWADDR=00:e0:27:21:01:17
    IPADDR=192.168.1.3
    NETMASK=255.255.255.0
    NETWORK=192.168.1.0
    ONBOOT=yes
    GATEWAY=192.168.1.1
    TYPE=Ethernet
    NM_CONTROLLED=no
    USERCTL=no
    PEERDNS=yes
    MII_NOT_SUPPORTED=yes
    DNS1=192.168.1.1 # which I found in /etc/resolv.conf


    ------- this is /etc/sysconfig/network-scripts/ifcfg-eth1 of linux1 -------

    DEVICE=eth1
    ONBOOT=yes
    BOOTPROTO=static
    HWADDR=00:1f:d0:32:29:a7
    IPADDR=192.168.1.31
    NETMASK=255.255.255.0
    TYPE=Ethernet
    USERCTL=no
    PEERDNS=no
    NETWORK=192.168.1.0
    BROADCAST=192.168.1.255


    ------------this is the ifconfig of linux1--------------

    eth0 Link encap:Ethernet HWaddr 00:E0:27:21:01:17
    inet addr:192.168.1.3 Bcast:192.168.1.255 Mask:255.255.255.0
    inet6 addr: fe80::2e0:27ff:fe21:117/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:8021 errors:0 dropped:0 overruns:0 frame:0
    TX packets:9165 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:4855236 (4.6 MiB) TX bytes:1716932 (1.6 MiB)
    Interrupt:16 Memory:fa000000-fa0000ff

    eth1 Link encap:Ethernet HWaddr 00:1F:D0:32:29:A7
    inet addr:192.168.1.31 Bcast:192.168.1.255 Mask:255.255.255.0

    --------------- (ditto) ------------------

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:95 errors:0 dropped:0 overruns:0 frame:0
    TX packets:95 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:18290 (17.8 KiB) TX bytes:18290 (17.8 KiB)

    --------- this is the interfaces file from linux1 ---------

    auto lo
    iface lo inet loopback
    address 127.0.0.1
    netmask 255.255.255.0

    auto eth0
    iface eth0 inet static
    address 192.168.1.3
    netmask 255.255.255.0
    broadcast 192.168.1.255
    gateway 192.168.1.1

    auto eth1
    iface eth1 inet static
    address 192.168.1.31
    netmask 255.255.255.0
    broadcast 192.168.1.255

    ----------this is iptables -L from linux1--------

    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    ---------- this is the /etc/sysconfig/network-scripts/ifcfg-eth0 of linux2 -------

    DEVICE=eth0
    BOOTPROTO=static
    BROADCAST=192.168.1.255
    HWADDR=00:IF:D0:42:0D:90
    IPADDR=192.168.1.7
    NETMASK=255.255.255.0
    NETWORK=192.168.1.0
    ONBOOT=yes
    GATEWAY=192.168.1.31
    TYPE=Ethernet
    NM_CONTROLLED=no
    USERCTL=no
    PEERDNS=yes
    MII_NOT_SUPPORTED=yes
    DNS1=192.168.1.1

    ------- this is the interfaces file from linux2 --------

    auto lo
    iface lo inet loopback
    address 127.0.0.1
    netmask 255.255.255.0

    auto eth0
    iface eth0 inet static
    address 192.168.1.7
    netmask 255.255.255.0
    broadcast 192.168.1.255
    gateway 192.168.1.31

    ------ this is the "nmap -sP 192.168.1.0-255" from linux1; I can see all the systems except linux2:

    Host 192.168.1.1 appears to be up.
    MAC Address: xyz (Semindia Systems Private Limited)
    Host localhost.server1 (192.168.1.3) appears to be up.
    Host 192.168.1.9 appears to be up.
    MAC Address: xyz (Giga-byte Technology Co.)
    Host 192.168.1.12 appears to be up.
    MAC Address: wyz (Giga-byte Technology Co.)
    Host 192.168.1.55 appears to be up.
    MAC Address: xyz (Giga-byte Technology Co.)
    Nmap done: 256 IP addresses (5 hosts up) scanned in 1.920 seconds



    This is to inform you I have disabled the firewall through the GUI (Administration -> Firewall -> Disabled).



    I tried ping from linux1 to linux2 and vice versa with no success.


    Setting up this proxy server is key for me; once this works I want to set up a firewall on linux1 and move all the WinXP systems from sw1 to sw2.


    I would be very glad if someone can guide me with this.

    Best Regards

    G S Reddy
     
  2. jeff_k

    jeff_k New Member

    Hi, you show that
    iptables -L
    on Linux1 is set up to allow all. But what about Linux2? Is it set up in the same manner? It will need to allow the pings. Maybe it is already set up; I didn't see your output for iptables -L for Linux2 (maybe I didn't look hard enough).

    Here is a link that might help, it seems relevant:
    http://www.cyberciti.biz/tips/linux-iptables-9-allow-icmp-ping.html
     
  3. tech.gsr

    tech.gsr New Member

    Hey Jeff, thanks for the link...
    I tried with the link, but still there is no success; but I am confident I will reach my goal with your help.....

    ----------now my Linux1 iptables -L is

    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    and

    --------my Linux2 iptables -L is

    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere state RELATED, ESTABLISHED
    ACCEPT icmp -- anywhere anywhere
    ACCEPT all -- anywhere anywhere
    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
    REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Let me know what could be the reason that I still can't see Linux2 and vice versa; still host unreachable.

    waiting for your reply
     
  4. jeff_k

    jeff_k New Member

    Hey tech.gsr, this is sort of a cop-out...
    but rather than debugging this step by step, here's another thought.

    I'd recommend, particularly for someone fairly new to Linux, installing a GUI firewall package (if you have a desktop Linux setup, such as GNOME or KDE). In that case, I can guarantee you will be able to not only get the boxes to ping each other, but you will be able to enable and disable pings at the check of a box. My preference is Firestarter; although it has not had any active development for a while, it works fine for me. Here is a link to install it on Fedora:

    http://www.techotopia.com/index.php/Using_Firestarter_to_Configure_a_Fedora_Linux_Firewall

    Install it (on both linux boxes), and there is a checkbox for allowing/disallowing pings in the menus. You can also open up any ports you want, etc. Also, if you don't like using the package, you can use it to produce your iptables rules, and then you can set up a startup script for iptables, and not need the gui frontend. That way, you can see what is actually needed to enable pings.

    Will a gui firewall frontend to iptables work for you? This is what firestarter is. It also has some nice features -- you can monitor all active connections to the box, etc.

    If you are purposely avoiding a gnome/kde desktop, or a gui firewall interface, then back to the drawing board.
    Cheers...
     
  5. tech.gsr

    tech.gsr New Member


    Hey Jeff,

    As per your opinion I installed Firestarter on both PCs (Linux1 and Linux2). I already configured Firestarter on both, but I am not sure whether I did it correctly.

    On Linux2, when I tell Firestarter to start, the error encountered is "Failed to start the Firewall..... The device pan0 is not ready".

    I think I did not set the proper device setting, and that is the reason why I am not able to connect to my Linux2, as I am using Firestarter for the first time.
     
  6. jeff_k

    jeff_k New Member

    tech.gsr, on Linux2, you can check the output of the command:
    ifconfig
    that should tell you what interfaces you have on Linux2.
    You only need to configure firestarter for eth0, it sounds like you are also configuring it for a bluetooth device. There is a wizard in firestarter, did you use that to set up Linux2?
    Also, if I understand your setup correctly, you do not need to set up IP forwarding or NAT on Linux2. The more complicated setup is on Linux1; is it set up OK now?

    Is your plan to use Linux1 as your firewall/router and move your Win XP boxes to the subnet connected to eth1? Firestarter should work fine for this, it is how I have my home network configured.
     
  7. tech.gsr

    tech.gsr New Member

    Hey Jeff,

    -------------------------------------------------------------------------------
    internet ---> Router ----> | eth0 (DHCP) ---- Linux1 ---- eth1 | --------> eth0 Linux2
    -------------------------------------------------------------------------------
    For the external device (usually eth0):

    * Enable dynamic IP configuration (DHCP)

    The internal device (usually eth1):

    * Disable dynamic IP configuration
    * IP address: 192.168.2.3
    * Netmask: 255.255.255.0

    ----------#ifconfig-------------

    eth0 Link encap:Ethernet HWaddr 00:E0:27:21:01:17
    inet addr:192.168.1.4 Bcast:192.168.1.255 Mask:255.255.255.0
    inet6 addr: fe80::2e0:27ff:fe21:117/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:7417 errors:0 dropped:0 overruns:0 frame:0
    TX packets:9756 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:5027831 (4.7 MiB) TX bytes:1574260 (1.5 MiB)
    Interrupt:16 Memory:fa000000-fa0000ff

    eth1 Link encap:Ethernet HWaddr 00:1F:D0:32:29:A7
    inet addr:192.168.2.3 Bcast:192.168.2.3 Mask:255.255.255.255
    inet6 addr: fe80::21f:d0ff:fe32:29a7/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:881 errors:0 dropped:0 overruns:0 frame:0
    TX packets:38 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:99105 (96.7 KiB) TX bytes:6897 (6.7 KiB)
    Interrupt:20

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:16 errors:0 dropped:0 overruns:0 frame:0
    TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:976 (976.0 b) TX bytes:976 (976.0 b)

    ------ Now configuring the clients ------

    If I configure Linux2 eth0 for DHCP, it fails, even though the status of "dhcpd" on Linux1 is running; on linux2 I keep getting the error "Determining IP information for eth0... failed......".

    If I configure a static IP on Linux2, the wired connection will establish, but there will be no networking, no internet, no ping to 192.168.1.1, 192.168.1.4, etc.

    Can you tell me what the problem might be? Either I did not configure Linux1 eth1 properly, or is there some other problem?

    Even when I started with Firestarter, there was nowhere to configure any Bluetooth device, but pan0 is still activated. I also tried the link "http://www.techotopia.com/index.php/...Linux_Firewall", still with no success. I really apologise for my limited knowledge of networking, but I need to solve this issue......

    Regards

    slims.
     
    Last edited: Feb 3, 2009
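Both linux1 configurations posted in this thread produce "host unreachable" for reasons that are visible from the routing table alone, before any firewall is involved. In post 1, eth0 (192.168.1.3/24) and eth1 (192.168.1.31/24) sit on the same subnet, so the kernel has two equal routes for 192.168.1.0/24 and sends every packet for 192.168.1.7 out eth0, where linux2 is not. In post 7, eth1 ended up as 192.168.2.3 with mask 255.255.255.255, which installs a route to that single address only, so nothing else on 192.168.2.0/24 is reachable. The following added example (not code from the thread, and not what Firestarter generates) derives the connected routes from each posted configuration and performs the kernel's longest-prefix lookup; the tie-break that the first-installed route wins on equal prefixes is an assumption that holds when no metrics are set, as in the posted files. `FIXED`, with the internal side on its own /24, is assumed rather than taken from the thread.

```python
"""Added example: derive linux1's connected routes from each posted configuration
and run the kernel's route lookup by hand. Not code from the thread."""
import ipaddress
from typing import List, Optional, Tuple

Interfaces = List[Tuple[str, str]]   # (device, "address/prefix") in bring-up order


def connected_routes(interfaces: Interfaces) -> List[Tuple[ipaddress.IPv4Network, str]]:
    """Each configured address installs one on-link route for its subnet.
    A /32 (mask 255.255.255.255) installs a route to that single address only."""
    return [(ipaddress.ip_interface(cidr).network, dev) for dev, cidr in interfaces]


def lookup(routes, dst: str) -> Optional[str]:
    """Longest-prefix match. On equal prefix length the route installed first wins;
    that tie-break is an assumption that holds when no metrics are set, as here."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def overlapping_subnets(interfaces: Interfaces) -> List[Tuple[str, str]]:
    """Pairs of interfaces whose subnets overlap. Any such pair makes the egress choice
    ambiguous, so hosts behind the losing interface become unreachable."""
    nets = [(dev, ipaddress.ip_interface(cidr).network) for dev, cidr in interfaces]
    return [(a, b) for i, (a, na) in enumerate(nets) for b, nb in nets[i + 1:] if na.overlaps(nb)]


def egress(interfaces: Interfaces, dst: str) -> Optional[str]:
    """Device a locally generated packet to `dst` leaves on, or None for 'network unreachable'."""
    return lookup(connected_routes(interfaces), dst)


# linux1 as posted in post 1: both NICs on 192.168.1.0/24, linux2 is 192.168.1.7 behind eth1
POST1 = [("eth0", "192.168.1.3/24"), ("eth1", "192.168.1.31/24")]
# linux1 after the Firestarter wizard (post 7): eth1 got mask 255.255.255.255
POST7 = [("eth0", "192.168.1.4/24"), ("eth1", "192.168.2.3/32")]
# assumed fix: the internal side gets its own /24 (linux2 would then be e.g. 192.168.2.7)
FIXED = [("eth0", "192.168.1.4/24"), ("eth1", "192.168.2.3/24")]

if __name__ == "__main__":
    print("post 1, ping 192.168.1.7 leaves via:", egress(POST1, "192.168.1.7"))   # eth0
    print("post 1, overlapping subnets:", overlapping_subnets(POST1))             # [('eth0', 'eth1')]
    print("post 7, ping 192.168.2.7 leaves via:", egress(POST7, "192.168.2.7"))   # None
    print("fixed, ping 192.168.2.7 leaves via:", egress(FIXED, "192.168.2.7"))    # eth1
```

The post 1 case is the one that matches the reported symptom: the ARP request for 192.168.1.7 goes out eth0, nothing on sw1 answers it, and `ping` prints "Destination Host Unreachable". On the real box the same decision can be read off with `ip route get 192.168.1.7`, and `ip -4 route` shows the two competing 192.168.1.0/24 entries. A two-NIC router needs a distinct subnet per interface; the firewall rules only matter once that is true.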
  8. jeff_k

    jeff_k New Member

    tech.gsr, there are a few things to sort out...

    Right now, it appears that you have Linux1 running DHCP for clients on the eth0 interface. This means any boxes that are connected to a switch connected to eth0 that are set up to allow their IP address to be assigned by a DHCP server will get assigned an IP address. Right now, according to ifconfig, you do not have DHCP running on the eth1 interface. This is why Linux2 is not able to get an IP address. dhcpd in linux runs on the interface or interfaces that you define in the config file, and right now it is only set up to run on eth0 of Linux1. You should be able to have it run on eth1 as well as eth0, or you could set it up to only run on eth1, if it is not serving up IP addresses to clients on eth0.

    I believe that you have Linux2 configured to get its IP address from a DHCP server. However, eth0 of Linux2 is connected to eth1 of Linux1, and this interface needs to be providing DHCP if you want Linux2 to get an IP address in this manner. The thing to consider is that networking is set up to work on only one interface at a time, until you set up routes to bridge the interfaces. If you are planning on having more than one machine connected to eth1 of Linux1, then set up dhcpd to serve eth1 for the 192.168.2.x subnet. When this is set up, when you run ifconfig on Linux1, you will see that the broadcast address will be 192.168.2.255, with a subnet mask of 255.255.255.0 (this means it can talk to any IP address in the 192.168.2.x subnet). Once your DHCP server is set up for that subnet, then Linux2 (or any other box connected to eth1) will be able to get an IP address assigned.

    In the firestarter menus, I believe you should be able to check whether you want it to enable the DHCP server for a given address (I am not where I can confirm this at the moment). Also, in the menus, you have the ability to identify which interfaces you want it to manage, and you want to make sure that you do not enable "pan0" as one to manage, or else firestarter may not start (since it cannot configure the firewall rules for this interface properly).

    I think that your configuration is a bit unusual; you could set up a small network to use a Linux box as the router and NAT (network address translation). You appear to be trying to do this twice (perhaps, I am not sure your exact goal). Here is my setup:
    internet (cable modem)<-->eth1--Linux1--eth2<-->switch<-->multiple PCs

    Linux1 is set up to provide NAT and DHCP services (among other things). I get a single IP address to the outside world from my ISP: to the internet, I appear as 1.2.3.4 (for example). My internal network is 192.168.0.x. Each PC has an IP address, assigned by Linux1 via eth2. Linux1 has an IP address on that subnet of 192.168.0.101.
    If I try to ping a machine outside my network, for example if 192.168.0.102 tries to ping www.google.com, my NAT routes the ping request from eth2 to eth1 and outward, but it appears as if it is coming from 1.2.3.4. It does this because the firewall is performing a NAT of 192.168.0.102 to 1.2.3.4, and when (if) the ping comes back from google, then it will go to the eth1 interface toward 1.2.3.4, and the firewall will know to translate and route that back to 192.168.0.102.

    In order for your ping to work, you will need to add routes for your various subnets, to make sure that you can actually traverse the path you are intending to traverse. You do this with the 'route add' command, but before going there, I go back to my previous question:
    Is your plan to use Linux1 as your firewall/router and move your Win XP boxes to the subnet connected to eth1? That would become much simpler than what you have set up, because right now you have a router which is performing NAT, and you could get rid of that entirely and not have that extra layer in your network path to the internet.
     
  9. jeff_k

    jeff_k New Member

    I checked, firestarter is only set up to configure as a DHCP server on one interface.

    tech.gsr, my recommendation to try, it should solve your problems:
    - dump your router.
    - at least temporarily, if pan0 represents a removable bluetooth device, remove it or power it off, so that it does not interfere with firestarter configuration.
    - connect network as follows:
    ---internet<--> eth0--Linux1--eth1<---->sw1<--->eth0--Linux2
    you can also connect other PCs to sw1.

    Configure firestarter on Linux1:
    - eth0 is configured for an IP address assigned with DHCP (assuming you get assigned an IP address dynamically from your ISP).
    Configure firestarter for internet connection sharing on eth1, and also as a DHCP server. You can follow
    this link: http://www.fs-security.com/docs/wizard.php
    All of your devices connected to sw1 will get their IP address from Linux1, and access the internet through NAT through Linux1. Make sure you are careful to keep ports closed on eth0, since this is your firewall to the internet. Firestarter will allow you to control which (if any) ports are open on eth0.
    Allow pings via the pulldown menu if you want.

    Configure firestarter on Linux2:
    - eth0 IP address is assigned via DHCP. Make sure to allow pings. Open any ports you want. You should be done... try to open a web browser and access the internet.

    Cheers
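The layout recommended above (eth0 towards the ISP, eth1 towards sw1, Linux1 doing NAT and DHCP) is what Firestarter's wizard sets up behind the scenes. As an added example, not the thread's own code and not Firestarter's output, the script below generates the equivalent `sysctl` and `iptables` commands so the rules are visible and reviewable rather than hidden behind a checkbox. It assumes the LAN behind eth1 is 192.168.2.0/24 (the subnet from post 7) and that eth0 holds whatever address DHCP assigns; the `exposed_on_external` check lists every INPUT rule that accepts traffic from the internet side, which is the list post 9 says to keep as short as possible.

```python
"""Added example: generate the iptables/sysctl commands for the layout in post 9
(eth0 towards the ISP or router, eth1 towards sw1). Not Firestarter's output and
not code from the thread; the LAN subnet 192.168.2.0/24 is an assumption."""
from typing import List


def nat_firewall_rules(ext: str = "eth0", internal: str = "eth1",
                       lan: str = "192.168.2.0/24",
                       allow_ping_from_internet: bool = False) -> List[str]:
    """Commands for a two-NIC NAT router with default-deny INPUT and FORWARD.
    Only the traffic listed here passes; everything else arriving on either
    interface is dropped by policy."""
    ipt = "iptables"
    rules = [
        # routing between the NICs is off by default; without this Linux1 never forwards
        "sysctl -w net.ipv4.ip_forward=1",
        # reverse-path filter: drop packets whose source would be routed out a different NIC
        "sysctl -w net.ipv4.conf.all.rp_filter=1",
        f"{ipt} -F", f"{ipt} -t nat -F", f"{ipt} -X",
        f"{ipt} -P INPUT DROP", f"{ipt} -P FORWARD DROP", f"{ipt} -P OUTPUT ACCEPT",
        f"{ipt} -A INPUT -i lo -j ACCEPT",
        # anti-spoofing: LAN source addresses never legitimately arrive on the external side
        f"{ipt} -A INPUT -i {ext} -s {lan} -j DROP",
        f"{ipt} -A FORWARD -i {ext} -s {lan} -j DROP",
        f"{ipt} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        f"{ipt} -A INPUT -m state --state INVALID -j DROP",
        # services offered to the LAN only: ping, SSH, DHCP
        f"{ipt} -A INPUT -i {internal} -p icmp --icmp-type echo-request -j ACCEPT",
        f"{ipt} -A INPUT -i {internal} -p tcp --dport 22 -m state --state NEW -j ACCEPT",
        f"{ipt} -A INPUT -i {internal} -p udp --dport 67 -j ACCEPT",
        # forwarding: LAN to internet, and replies back; nothing is initiated from outside
        f"{ipt} -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
        f"{ipt} -A FORWARD -i {internal} -o {ext} -s {lan} -j ACCEPT",
        # NAT: rewrite LAN sources to the external address on the way out
        f"{ipt} -t nat -A POSTROUTING -o {ext} -s {lan} -j MASQUERADE",
    ]
    if allow_ping_from_internet:
        rules.append(f"{ipt} -A INPUT -i {ext} -p icmp --icmp-type echo-request -j ACCEPT")
    return rules


def exposed_on_external(rules: List[str], ext: str = "eth0") -> List[str]:
    """INPUT rules that accept traffic arriving on the external interface.
    Review this list before loading: it should contain only what you meant to expose."""
    return [r for r in rules if f"-A INPUT -i {ext} " in r and r.endswith("-j ACCEPT")]


if __name__ == "__main__":
    # Print the script for review; as root: python3 fw.py | sh, then check with `iptables -L -v -n`.
    print("\n".join(nat_firewall_rules()))
```

Two design points. The `MASQUERADE` target is used rather than `SNAT` because eth0's address comes from DHCP and may change; and the anti-spoofing drops sit above the ESTABLISHED accept so that a forged LAN-sourced packet on eth0 can never ride an existing connection entry. If the ADSL router stays in front of Linux1, its own NAT remains in the path (double NAT), which works but is exactly the extra layer post 9 suggests removing.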
     
