Linux.com


How do I get the internet to work in this setup?

Link to this post 15 Nov 10

DSL Modem <--> Wireless router <--> ServerA <--> Workstations

Wireless router (192.168.0.1)
ServerA (10.0.255.250) = Default Gateway to Workstations (or DHCP scope; dhcpd.conf)

ServerA has eth0 and eth1; eth0 goes to the wireless router, and eth1 connects to the HP switch (all workstations connect to this).

ServerA runs Squid.

Here is ServerA's /etc/network/interfaces

# -------------------------------
auto lo
iface lo inet loopback

# -------------------------------
auto eth0
iface eth0 inet static
address 192.168.0.199
network 192.168.0.0
netmask 255.255.255.0
broadcast 192.168.0.1
gateway 192.168.0.1
post-down ip addr flush dev eth0

# --------------------------------
auto eth1
iface eth1 inet static
address 10.0.255.250
network 10.0.0.0
netmask 255.255.0.0
broadcast 10.0.255.255

Previously I had been using a static internet IP for eth0, but then I moved this server behind a router (as well as another server that had a static internet IP).

Through wireless (direct to 192.168.0.1), I can surf the internet.
But when I try to surf the internet through ServerA, I cannot get a page, nor can I ping a website from ServerA through shell.

NOTE: I will worry about changing the DHCP scope later. Right now, experience and stuff in scenarios like this are good. :) Later I will want to make our new pfSense server take over as DHCP scope (or whatever).

Link to this post 15 Nov 10

Have you already set up IP forwarding and the other necessary options in iptables?

Also have you read a guide like http://www.gentoo.org/doc/en/home-router-howto.xml ?

Link to this post 15 Nov 10

mfillpot wrote:

Have you already set up IP forwarding and the other necessary options in iptables?
I'm not quite sure what you mean, or rather, what to say. This is a network that I took over about a month ago; the previous sysadmin, who set up this entire network and the servers, is in prison. ;\ He didn't leave any documentation whatsoever, and the way he set up some things (like the e-mail servers/forwarding/filtering) is very strange.

Anyway, if you need me to pull up some information from some file, I can do that for you. I'm the kind that usually learns by hands-on experience, so please forgive me if I'm stupid or something. :( I'm a beginner with Linux (although I have worked with it before).

mfillpot wrote:

Also have you read a guide like http://www.gentoo.org/doc/en/home-router-howto.xml ?
Does http://www.yolinux.com/TUTORIALS/DHCP-Server.html count? :ohmy:

Right now my concern isn't the pfSense server (this isn't fully built yet either). The 192.168.0.1 router is a consumer-level D-Link DI-524. ;o Of course, this is temporary, but it is necessary until the pfSense server is ready to replace the router, and ServerA's squid and position of being DNS server.

Link to this post 15 Nov 10

DHCP is only a service provided by the server; if it is built to be a gateway then you must configure port forwarding or NAT through the firewall. Read the link I left for instructions, and if you want you can post the output of "iptables -L" here; don't forget to clean out specific IP addresses and other proprietary information.

Link to this post 15 Nov 10

mfillpot wrote:

DHCP is only a service provided by the server; if it is built to be a gateway then you must configure port forwarding or NAT through the firewall. Read the link I left for instructions, and if you want you can post the output of "iptables -L" here; don't forget to clean out specific IP addresses and other proprietary information.

I don't quite understand a lot of it, although my mind is telling me that it is a list of firewall rules as to what to do with a certain packet type (i.e. TCP or UDP or both or other) on a certain port and/or destination and/or source, etcetera. It looks like there is a lot of useless stuff in there that is no longer needed.

I changed up the numbers by only having 1 significant digit (so if it was 238, I changed it to 200).

servera:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 127.0.0.0/8 anywhere
DROP tcp -- a0.debed1.client.atlantech.net/27 anywhere tcp dpt:www
DROP tcp -- 30.90.100.200/27 anywhere tcp dpt:www
DROP tcp -- 200.10.200.0/26 anywhere tcp dpt:www
DROP tcp -- a0.debed1.client.atlantech.net/27 anywhere tcp dpt:65522
DROP tcp -- 30.90.100.200/27 anywhere tcp dpt:65522
DROP tcp -- 200.10.200.0/26 anywhere tcp dpt:65522
ACCEPT tcp -- 100.200.200.200.transedge.com/29 anywhere tcp
ACCEPT tcp -- 70-80-90-10.client.mchsi.com anywhere tcp
ACCEPT tcp -- 70-80-90-20.client.mchsi.com anywhere tcp
ACCEPT tcp -- 70-80-90-21.client.mchsi.com anywhere tcp
ACCEPT tcp -- 70-80-90-22.client.mchsi.com anywhere tcp
ACCEPT tcp -- 10.0.0.0/8 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- mail.stlabre.org anywhere tcp dpt:smtp
ACCEPT tcp -- 10.0.0.253 anywhere tcp dpt:smtp
ACCEPT tcp -- 10.0.0.253 anywhere tcp dpt:2525
ACCEPT tcp -- 10.0.0.0/24 anywhere tcp dpt:smtp
ACCEPT tcp -- !10.0.0.0/8 anywhere tcp dpt:domain
ACCEPT tcp -- !10.0.0.0/8 anywhere tcp dpt:www
ACCEPT tcp -- !10.0.0.0/8 anywhere tcp dpt:submission
ACCEPT tcp -- 10.0.0.0/8 anywhere tcp dpt:mysql
ACCEPT tcp -- !10.0.0.0/8 anywhere tcp dpt:jabber-client
ACCEPT tcp -- !10.0.0.0/8 anywhere tcp dpt:5223
ACCEPT tcp -- !10.0.0.0/8 anywhere tcp dpt:jabber-server
ACCEPT tcp -- !10.0.0.0/8 anywhere tcp dpt:62525
ACCEPT tcp -- !10.0.0.0/8 anywhere tcp dpt:65522
ACCEPT tcp -- anywhere anywhere tcp dpts:1024:65535 flags:!SYN,RST,ACK/SYN
DROP udp -- anywhere anywhere udp dpt:snmp
DROP tcp -- anywhere anywhere tcp dpt:161
DROP tcp -- 10.0.1.100 anywhere tcp dpt:1214
DROP udp -- 10.0.1.100 anywhere udp dpt:1214
DROP tcp -- 10.0.1.100 anywhere tcp dpts:6346:6348
DROP udp -- 10.0.1.100 anywhere udp dpts:6346:6348
DROP tcp -- 10.0.1.100 anywhere tcp dpts:4661:4672
DROP udp -- 10.0.1.100 anywhere udp dpts:4661:4672
DROP tcp -- 10.0.1.100 anywhere tcp dpt:6257
DROP udp -- 10.0.1.100 anywhere udp dpt:6257
DROP tcp -- 10.0.1.100 anywhere tcp dpt:6699
DROP udp -- 10.0.1.100 anywhere udp dpt:6699
DROP tcp -- 10.0.1.100 anywhere tcp dpt:4444
DROP udp -- 10.0.1.100 anywhere udp dpt:4444
DROP tcp -- 10.0.1.100 anywhere tcp dpt:5555
DROP udp -- 10.0.1.100 anywhere udp dpt:5555
DROP tcp -- 10.0.1.100 anywhere tcp dpt:6666
DROP udp -- 10.0.1.100 anywhere udp dpt:6666
DROP tcp -- 10.0.1.100 anywhere tcp dpt:7777
DROP udp -- 10.0.1.100 anywhere udp dpt:7777
DROP tcp -- 10.0.1.100 anywhere tcp dpt:8888
DROP udp -- 10.0.1.100 anywhere udp dpt:8888
DROP tcp -- 10.0.1.100 anywhere tcp dpts:6881:6889
DROP udp -- 10.0.1.100 anywhere udp dpts:6881:6889
ACCEPT udp -- 10.0.1.100 anywhere udp dpts:1716:1718
ACCEPT udp -- 10.0.1.100 anywhere udp dpt:8777
ACCEPT udp -- 10.0.1.100 anywhere udp dpt:27900
ACCEPT tcp -- 10.0.1.100 anywhere tcp dpt:14200
ACCEPT tcp -- 10.0.1.100 anywhere tcp dpts:20025:20048
LOG tcp -- !10.0.0.0/8 anywhere tcp dpts:tcpmux:65535 LOG level warning
REJECT tcp -- !10.0.0.0/8 anywhere tcp dpts:tcpmux:65535 reject-with tcp-reset

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 10.0.1.100 anywhere udp dpts:1716:1718
ACCEPT udp -- 10.0.1.100 anywhere udp dpts:1716:1718
ACCEPT udp -- 10.0.1.100 anywhere udp dpt:8777
ACCEPT udp -- 10.0.1.100 anywhere udp dpt:27900
ACCEPT tcp -- 10.0.1.100 anywhere tcp dpt:14200
ACCEPT tcp -- 10.0.1.100 anywhere tcp dpts:20025:20048
DROP all -- 240.0.0.0/5 anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
DROP all -- 192.168.0.0/16 anywhere
DROP all -- 172.16.0.0/12 anywhere
DROP all -- 127.0.0.0/8 anywhere
DROP all -- 127.0.0.0/8 anywhere
DROP all -- 127.0.0.0/8 anywhere
DROP all -- 10.0.0.0/8 anywhere
ACCEPT tcp -- 10.0.1.101 anywhere tcp
ACCEPT all -- 10.0.255.10 anywhere
ACCEPT all -- 10.0.255.12 anywhere
ACCEPT all -- crm.company.com anywhere
ACCEPT all -- 10.0.255.10 anywhere
ACCEPT tcp -- crm.company.com anywhere tcp dpt:www
ACCEPT tcp -- crm.company.com anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere servera.company.com tcp dpt:www
ACCEPT tcp -- anywhere host10.grandex.com tcp dpt:www
ACCEPT tcp -- anywhere 60.100.20.20 tcp dpt:www
ACCEPT tcp -- anywhere servera.dyn.company.com tcp dpt:3128
REJECT tcp -- anywhere anywhere tcp dpt:3128 reject-with tcp-reset

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

I'm not quite sure if any of this matters, as none of it will be exactly necessary when we commission the pfSense server.
(Actually, now that I think about it.. maybe it does.) (EDIT: And yeah, I have no doubt there is a bunch of useless stuff in there. This company used to be about 5x its current size.)

Someone on [H]ardForum suggested this to me:

auto eth0
iface eth0 inet static
address 192.168.0.199
network 192.168.0.0 <---- 192.168.0.1
netmask 255.255.255.0
broadcast 192.168.0.1 <---- 192.168.0.255
gateway 192.168.0.1
post-down ip addr flush dev eth0

EDIT2: /etc/conf.d/ doesn't exist. :(

servera:~# cd ../etc/conf.d
bash: cd: ../etc/conf.d: No such file or directory

EDIT3: /etc/resolv.conf

#nameserver 127.0.0.1
nameserver 208.67.222.222
nameserver 208.67.220.220
I should probably set it back to nameserver 127.0.0.1. I set it to those two nameservers (OpenDNS) sometime last week and forgot about it. :silly:

EDIT4: Actually I think, maybe (have to test it out if the HardForum advice doesn't succeed) I have to set nameserver 192.168.0.1.

EDIT5: /etc/dhcpd.conf

subnet 10.128.0.0 netmask 255.128.0.0 {
range 10.128.0.2 10.128.0.254;
default-lease-time 86400;
max-lease-time 2592000;
option broadcast-address 10.255.255.255;
option domain-name-servers ServerA;
option routers ServerA;
option subnet-mask 255.255.0.0;
option time-servers ServerC;
option netbios-name-servers ServerC;
}

subnet 10.0.0.0 netmask 255.255.255.0 {
option domain-name "company.com";
option broadcast-address 10.255.255.255;
option domain-name-servers ServerC;
option routers ServerA;
option subnet-mask 255.0.0.0;
option time-servers ServerC;
default-lease-time 0;
max-lease-time 0;
option broadcast-address 10.0.0.255;
}

subnet 127.0.0.0 netmask 255.255.255.0 {
option domain-name "company.com";
default-lease-time 0;
}
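The eth0 stanza quoted above is a /24, so its broadcast address must be 192.168.0.255, not 192.168.0.1 (the network address 192.168.0.0 was already correct). With the broadcast set to the router's own address, the kernel installs a broadcast route for 192.168.0.1 on eth0, and that is the very address the default route points at. The following check is an added example, not code from the thread or from any of its posters; it takes one "iface ... inet static" stanza on stdin, computes what network and broadcast the address/netmask pair implies with plain POSIX sh arithmetic, and also verifies that the gateway lies inside the same prefix. The demo stanza at the bottom uses the values the original poster gave.

```shell
#!/bin/sh
# Added example (not from the thread): derive the network and broadcast
# addresses that a static /etc/network/interfaces stanza should carry and
# flag the lines that disagree. Pure POSIX sh arithmetic; no ipcalc needed.

# Dotted quad -> 32-bit integer.
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network = address AND mask; broadcast = network OR (NOT mask), kept to 32 bits.
network_of() {
    int2ip $(( $(ip2int "$1") & $(ip2int "$2") ))
}
broadcast_of() {
    a=$(ip2int "$1"); m=$(ip2int "$2")
    int2ip $(( (a & m) | (~m & 4294967295) ))
}

# Read one "iface ... inet static" stanza on stdin. Prints what should change
# and returns 1 if anything is wrong, 0 if the stanza is consistent.
check_stanza() {
    addr= mask= net= bcast= gw=
    while read -r key val _; do
        case $key in
            address)   addr=$val ;;
            netmask)   mask=$val ;;
            network)   net=$val ;;
            broadcast) bcast=$val ;;
            gateway)   gw=$val ;;
        esac
    done
    if [ -z "$addr" ] || [ -z "$mask" ]; then
        echo "stanza has no address/netmask" >&2; return 2
    fi
    want_net=$(network_of "$addr" "$mask")
    want_bcast=$(broadcast_of "$addr" "$mask")
    rc=0
    if [ -n "$net" ] && [ "$net" != "$want_net" ]; then
        echo "network $net -> should be $want_net"; rc=1
    fi
    if [ -n "$bcast" ] && [ "$bcast" != "$want_bcast" ]; then
        echo "broadcast $bcast -> should be $want_bcast"; rc=1
    fi
    # The gateway must sit inside the same prefix or the default route never installs.
    if [ -n "$gw" ] && [ "$(network_of "$gw" "$mask")" != "$want_net" ]; then
        echo "gateway $gw is not inside $want_net/$mask"; rc=1
    fi
    return $rc
}

# Demo on the eth0 stanza as posted in the thread (constructed input):
check_stanza <<'EOF' || echo "eth0 stanza needs fixing"
iface eth0 inet static
address 192.168.0.199
network 192.168.0.0
netmask 255.255.255.0
broadcast 192.168.0.1
gateway 192.168.0.1
EOF
```

Run it as `sh check.sh` to see the one mismatch on eth0; feed it the eth1 stanza (10.0.255.250/255.255.0.0 with broadcast 10.0.255.255) and it returns 0. After correcting the file, `ifdown eth0 && ifup eth0` and confirm with `ip addr show eth0` that the `brd` value now reads 192.168.0.255.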

Link to this post 15 Nov 10

Firewall - First off, it looks like the firewall wasn't specific enough and lacks some necessary values, including specifying interfaces, and it looks like it is not using NAT or even specifying the interfaces for the forwarding to occur. If you are interested in using NAT to hide the internal network details, then check out http://www.revsys.com/writings/quicktips/nat.html for simple instructions for forwarding and NAT use. In all, it really does look like it is time for you to review the entire firewall and rewrite it from scratch to fulfill your current needs.

IP addresses - the recommendation to change the broadcast and network address on eth0 is correct.

Nameservers - you can tell the server to use the router or a preferred outside server like Google or OpenDNS; that is your choice.

DHCP - I don't really understand why you have three subnets listed; I think that may be confusing the dhcpd server. Have you set the bootup options to tell dhcpd to only listen for requests on a specific interface, such as on http://tldp.org/HOWTO/DHCP/x369.html ?

Also, can you tell us what Linux distro and version you are using so we know where the various files should reside? In addition, I would like to know if the firewall was set up with a tool or if it is based on a scripted file.
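Both the earlier advice to configure NAT through the firewall and the advice just above to rewrite the rule set from scratch come down to the same three things: a MASQUERADE rule on the outside interface, a default-deny FORWARD chain that admits only LAN-to-WAN traffic, and `net.ipv4.ip_forward=1`. None of those appear in the `iptables -L` output posted above, and `iptables -L` could not show them anyway: it hides the nat table and the `-i`/`-o` interface matches, so `iptables-save` is the output to review. The script below is an added example, not code from the thread or from any of its posters. It assumes the thread's layout (eth0 toward the D-Link on 192.168.0.0/24, eth1 toward the switch on 10.0.0.0/16) and that the LAN needs DHCP, DNS (53), Squid (3128, the port in the existing rules) and SSH (22, an assumption) from this box; it uses the `conntrack` match, so on an old kernel substitute `-m state --state`.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal from-scratch rule set for a
# two-NIC Linux gateway in iptables-restore format, plus the sysctl that
# actually turns routing on. Interface names and the LAN prefix are
# parameters; the usage line at the bottom assumes the thread's layout.

# Reject anything that is not a dotted quad with a /0-/32 prefix.
check_cidr() {
    case $1 in
        *.*.*.*/[0-9]|*.*.*.*/[12][0-9]|*.*.*.*/3[0-2]) return 0 ;;
        *) echo "gen_rules: '$1' is not a CIDR prefix" >&2; return 1 ;;
    esac
}

# gen_rules WAN_IFACE LAN_IFACE LAN_CIDR  -> rule set on stdout (review it first)
gen_rules() {
    wan=$1; lan=$2; lan_net=$3
    check_cidr "$lan_net" || return 1
    cat <<EOF
# --- NAT: hide $lan_net behind the address of $wan (the router sees one host)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
COMMIT
# --- Filter: default deny on INPUT and FORWARD, allow by interface and state
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Services the LAN needs from this box: DHCP (source is 0.0.0.0, so no -s), DNS, Squid, SSH
-A INPUT -i $lan -p udp --dport 67 -j ACCEPT
-A INPUT -i $lan -s $lan_net -p udp --dport 53 -j ACCEPT
-A INPUT -i $lan -s $lan_net -p tcp --dport 53 -j ACCEPT
-A INPUT -i $lan -s $lan_net -p tcp --dport 3128 -j ACCEPT
-A INPUT -i $lan -s $lan_net -p tcp --dport 22 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Anti-spoofing: a packet claiming a LAN source may never arrive on the WAN side
-A FORWARD -i $wan -s $lan_net -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The only new flows we route: LAN -> WAN. Nothing from the router side is forwarded in.
-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
COMMIT
EOF
}

# apply_rules WAN_IFACE LAN_IFACE LAN_CIDR  -> load atomically on the gateway itself.
# Refuses unless root and keeps a backup: iptables-restore < /root/iptables.before undoes it.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: run as root" >&2; return 1; }
    iptables-save > /root/iptables.before
    gen_rules "$@" | iptables-restore || return 1
    # Turn routing on now and across reboots (sysctl.conf is read at boot).
    sysctl -w net.ipv4.ip_forward=1
    grep -q '^net.ipv4.ip_forward *= *1' /etc/sysctl.conf 2>/dev/null ||
        echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
}

# Dry run for the thread's layout; nothing is applied until apply_rules is called.
gen_rules eth0 eth1 10.0.0.0/16
```

Two design notes. The FORWARD chain admits every new LAN-to-WAN flow, which means a workstation can bypass Squid by talking to port 80 directly; if the proxy is meant to be mandatory, drop that general rule and forward only the protocols the proxy cannot handle, or add a `PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128` rule with Squid configured for interception. And once the rules load, confirm the path end to end: `sysctl net.ipv4.ip_forward` reads 1, `iptables -t nat -vL POSTROUTING` shows the MASQUERADE counters climbing while a workstation pings 208.67.222.222, and the D-Link sees only 192.168.0.199.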
