
How do I get the internet to work in this setup?

Link to this post 15 Nov 10

After looking a bit further into the firewall rules it does appear there are some redundant rules and stale rules from the old subnet that will need to be removed.

Again, if you are not serving any external services from inside eth1 consider using NAT.

Link to this post 16 Nov 10

Also, can you tell us what Linux distro and version you are using so we know where the various files should reside?

servera:/proc# cat version
Linux version 2.4.29 (root@servera.company.com) (gcc version 2.95.4 20011002 (Debian prerelease)) #1 Sat Jan 22 09:14:41 CST 2005

In addition I would like to know if the firewall was setup with a tool or if it is based on a scripted file?
I have no idea. As I mentioned before (or thought I did :D), the previous sysadmin left virtually no documentation of his network setup and stuff. The only kinds of "documents" we have are manuals for business software (which I think is totally irrelevant here, and you'll probably agree).

DHCP - I don't really understand why you have three subnets listed, I think that may be confusing the dhcpd server. Have you set the bootup options to tell dhcpd to only listen for requests on a specific interface such as on tldp.org/HOWTO/DHCP/x369.html ?
Not sure what to say other than that it appears that unassigned machines will attain a 10.0.0.x IP address. Otherwise, if they are written in some file with their MacID and hostname, they will be assigned a manually entered static IP. I think 10.0.2.x was meant to belong to office workstations, and 10.0.1.x to warehouse workstations, but that's just an educated guess based on the IPs all the workstations get (yeah, I made a beautiful network map in Visio).

Where would I set "bootup options" anyhow? :? Perhaps I can take a look at such file(s) and quote their internet-friendly contents here.

Nameservers - you can tell the server to use the router or a preferred outside server like google or opendns, that is your choice.
The D-Link router is already set to use OpenDNS, so it would make more sense to use nameserver 127.0.0.1. :P

(Note to self: http://manpages.ubuntu.com/manpages/lucid/man5/interfaces.5.html)

Firewall - First off it looks like the firewall wasn't specific enough and lacks some necessary values including specifying interfaces, and it looks like it is not using NAT or even specifying the interfaces for the forwarding to occur, if you are interested in using NAT to hide the internal network details then checkout www.revsys.com/writings/quicktips/nat.html for simple instructions for forwarding and NAT use. In all, it really does look like it is time for you to review the entire firewall and rewrite it from scratch to fulfill your current needs.
Could you show me example files so that I could compare the formats/entries to the ones in ServerA's to try and see the whats and whys between the two?

After looking a bit further into the firewall rules it does appear there are some redundant rules and stale rules from the old subnet that will need to be removed.

Again, if you are not serving any external services from inside eth1 consider using NAT.
Stuff like crm.company.com, intmail.company.com (to access internal, private e-mail through Squirrel Mail -- necessary because one of the servers [dedicated to a piece of software designed to literally run an entire company] sends invoice/payment e-mails to internal e-mail accounts), webtracker.company.com, rma.company.com, and support.company.com are accessible by internal computers only (can't be accessed from Internet). Is this what you mean by "if you are not serving any external services from inside"?

Thanks, I really appreciate your help mfillpot! I am really learning from this.

Link to this post 16 Nov 10

Thank you for posting the information. I hope I don't give you too much work from this thread, but here is what I have for you now.

VERSION - Now we know that you are running an antique Debian installation, I really hope you have another server around for testing purposes because I highly recommend updating the server to the current release of Debian to receive a decade worth of security updates, an extra server is requested because it would be best to test on a staging server.

FIREWALL - Most likely based upon the age of the system the former admin ran a firewall script saved at /etc/init.d/firewall.sh. I would really like to be able to review the script with you to see what can be fine tuned, if you are interested please send me a message on this site so I can give you my e-mail address to send it to, I want it out of the forum because I don't want your company's firewall information in public.

Once you get the firewall scripts you can run a pretty good comparison using the diff utility. If you are interested in using NAT you can configure the router to forward traffic destined to specific ports to the local servers and treat all other traffic as NAT which can be addressed later.

DHCPD - That now makes sense and should do the job. Although I think it would be beneficial to add MAC address associations to set the static IPs so the addresses can all be managed from the server. Again I would be interested to see the network map to understand the structure, but I don't want it in public and I don't use Visio, so if you can package it into another format to send to me we can work through this setup.

BOOT OPTIONS - Most likely the boot options from the link don't apply on your system because of the age, due to the age you may need to poke around to find everything. This is yet another reason to consider updating the OS.

NAMESERVERS - the 127 subnet is loopback, using that address will tell it to use itself to get names, you will have to point it to the router or another DNS server.

INSIDE SERVERS - For the sake of this conversation we can consider all servers that need to listen for requests from the internet to be outside services and all others are internal services.
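For readers following the NAT discussion above, here is an added example of the kind of minimal iptables NAT/forwarding script mfillpot is describing; it is not the thread's own firewall script and not code from either poster. It assumes eth0 faces the D-Link router, eth1 faces the LAN (the thread only names eth1 as the inside interface), the LAN is 10.0.0.0/16 (covering the 10.0.0.x, 10.0.1.x and 10.0.2.x ranges mentioned), and a hypothetical internal host 10.0.0.10 that should stay reachable from outside on TCP 443. Everything else from the internet is dropped, and internal hosts are masqueraded behind the WAN address. The rule list is printed by one function so it can be reviewed or diffed against the old script before it is applied.

```shell
#!/bin/sh
# Added example, not the thread's own script. Interface names, the LAN prefix
# and the published host are assumptions; override them via the environment.
WAN_IF="${WAN_IF:-eth0}"        # assumed: towards the D-Link router
LAN_IF="${LAN_IF:-eth1}"        # inside interface named in the thread
LAN_NET="${LAN_NET:-10.0.0.0/16}" # assumed: covers 10.0.0.x, 10.0.1.x, 10.0.2.x
# Hypothetical internal server to publish to the outside; set empty to publish nothing.
DNAT_HOST="${DNAT_HOST:-10.0.0.10}"
DNAT_PORT="${DNAT_PORT:-443}"

# Print the rule set, one iptables command per line. Kept separate from
# apply_rules so the result can be read, or compared with diff, first.
nat_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
    # Port forward for the one published service; only emitted when a host is set.
    if [ -n "$DNAT_HOST" ]; then
        cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $DNAT_PORT -j DNAT --to-destination $DNAT_HOST:$DNAT_PORT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $DNAT_HOST --dport $DNAT_PORT -j ACCEPT
EOF
    fi
}

# Enable routing between the interfaces and load the rules (needs root).
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    nat_rules | sh -e
}

case "${1:-}" in
    show)  nat_rules ;;
    apply) apply_rules ;;
esac
```

Run it as `sh nat.sh show` to review the rules (or `sh nat.sh show > new.txt` and `diff old.txt new.txt` against a dump of the existing script), and `sh nat.sh apply` as root once they look right. Default-drop policies on INPUT and FORWARD mean anything not explicitly allowed from the WAN side is discarded; the state match lets replies to connections started from the LAN back in.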
