How do I get the internet to work in this setup?
DSL Modem <--> Wireless router <--> ServerA <--> Workstations
Wireless router (192.168.0.1)
ServerA (10.0.255.250) = Default Gateway to Workstations (or DHCP scope; dhcpd.conf)
ServerA has eth0 and eth1; eth0 goes to the wireless router, and eth1 connects to the HP switch (all workstations connect to this).
ServerA runs Squid.
Here is ServerA's /etc/network/interfaces
# -------------------------------
auto lo
iface lo inet loopback
# -------------------------------
auto eth0
iface eth0 inet static
address 192.168.0.199
network 192.168.0.0
netmask 255.255.255.0
broadcast 192.168.0.1
gateway 192.168.0.1
post-down ip addr flush dev eth0
# --------------------------------
auto eth1
iface eth1 inet static
address 10.0.255.250
network 10.0.0.0
netmask 255.255.0.0
broadcast 10.0.255.255
Previously I had been using a static internet IP for eth0, but then I moved this server behind a router (as well as another server that had a static internet IP).
Through wireless (direct to 192.168.0.1), I can surf the internet.
But when I try to surf the internet through ServerA, I cannot get a page, nor can I ping a website from ServerA through shell.
NOTE: I will worry about changing the DHCP scope later. Right now, experience and stuff in scenarios like this are good. Later I will want to make our new pfSense server take over as DHCP scope (or whatever).
Comments
Have you already set up the IP forwarding and the other necessary options in iptables?
Also, have you read a guide like http://www.gentoo.org/doc/en/home-router-howto.xml ?
mfillpot wrote:Have you already set up the IP forwarding and the other necessary options in iptables?
Anyway, if you need me to pull up some information from some file, I can do that for you. I'm the kind that usually learns by hands-on experience, so please forgive me if I'm stupid or something. I'm a beginner with Linux (although have worked with it before).
mfillpot wrote:Also, have you read a guide like http://www.gentoo.org/doc/en/home-router-howto.xml ?
Right now my concern isn't the pfSense server (this isn't fully built yet either). The 192.168.0.1 router is a consumer-level D-Link DI-524. ;o Of course, this is temporary, but it is necessary until the pfSense server is ready to replace the router, and ServerA's Squid and its role as DNS server.
DHCP is only a service provided by the server; if it is built to be a gateway then you must configure port forwarding or NAT through the firewall. Read the link I left for instructions and, if you want, you can post the output of "iptables -L" here; don't forget to clean out specific IP addresses and other proprietary information.
mfillpot wrote:DHCP is only a service provided by the server; if it is built to be a gateway then you must configure port forwarding or NAT through the firewall. Read the link I left for instructions and, if you want, you can post the output of "iptables -L" here; don't forget to clean out specific IP addresses and other proprietary information.
I don't quite understand a lot of it, although my mind is telling me that it is a list of firewall rules as to what to do with a certain packet type (i.e. TCP or UDP or both or other) on a certain port and/or destination and/or source, etcetera. It looks like there is a lot of useless stuff in there that is no longer needed.
I changed up the numbers by only keeping 1 significant digit (so if it was 238, I changed it to 200).
servera:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 127.0.0.0/8 anywhere
DROP tcp -- a0.debed1.client.atlantech.net/27 anywhere tcp dpt:www
DROP tcp -- 30.90.100.200/27 anywhere tcp dpt:www
DROP tcp -- 200.10.200.0/26 anywhere tcp dpt:www
DROP tcp -- a0.debed1.client.atlantech.net/27 anywhere tcp dpt:65522
DROP tcp -- 30.90.100.200/27 anywhere tcp dpt:65522
DROP tcp -- 200.10.200.0/26 anywhere tcp dpt:65522
ACCEPT tcp -- 100.200.200.200.transedge.com/29 anywhere tcp
ACCEPT tcp -- 70-80-90-10.client.mchsi.com anywhere tcp
ACCEPT tcp -- 70-80-90-20.client.mchsi.com anywhere tcp
ACCEPT tcp -- 70-80-90-21.client.mchsi.com anywhere tcp
ACCEPT tcp -- 70-80-90-22.client.mchsi.com anywhere tcp
ACCEPT tcp -- 10.0.0.0/8 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- mail.stlabre.org anywhere tcp dpt:smtp
ACCEPT tcp -- 10.0.0.253 anywhere tcp dpt:smtp
ACCEPT tcp -- 10.0.0.253 anywhere tcp dpt:2525
ACCEPT tcp -- 10.0.0.0/24 anywhere tcp dpt:smtp
ACCEPT tcp -- !10.0.0.0/8 anywhere tcp dpt:domain
ACCEPT tcp -- !10.0.0.0/8 anywhere tcp dpt:www
ACCEPT tcp -- !10.0.0.0/8 anywhere tcp dpt:submission
ACCEPT tcp -- 10.0.0.0/8 anywhere tcp dpt:mysql
ACCEPT tcp -- !10.0.0.0/8 anywhere tcp dpt:jabber-client
ACCEPT tcp -- !10.0.0.0/8 anywhere tcp dpt:5223
ACCEPT tcp -- !10.0.0.0/8 anywhere tcp dpt:jabber-server
ACCEPT tcp -- !10.0.0.0/8 anywhere tcp dpt:62525
ACCEPT tcp -- !10.0.0.0/8 anywhere tcp dpt:65522
ACCEPT tcp -- anywhere anywhere tcp dpts:1024:65535 flags:!SYN,RST,ACK/SYN
DROP udp -- anywhere anywhere udp dpt:snmp
DROP tcp -- anywhere anywhere tcp dpt:161
DROP tcp -- 10.0.1.100 anywhere tcp dpt:1214
DROP udp -- 10.0.1.100 anywhere udp dpt:1214
DROP tcp -- 10.0.1.100 anywhere tcp dpts:6346:6348
DROP udp -- 10.0.1.100 anywhere udp dpts:6346:6348
DROP tcp -- 10.0.1.100 anywhere tcp dpts:4661:4672
DROP udp -- 10.0.1.100 anywhere udp dpts:4661:4672
DROP tcp -- 10.0.1.100 anywhere tcp dpt:6257
DROP udp -- 10.0.1.100 anywhere udp dpt:6257
DROP tcp -- 10.0.1.100 anywhere tcp dpt:6699
DROP udp -- 10.0.1.100 anywhere udp dpt:6699
DROP tcp -- 10.0.1.100 anywhere tcp dpt:4444
DROP udp -- 10.0.1.100 anywhere udp dpt:4444
DROP tcp -- 10.0.1.100 anywhere tcp dpt:5555
DROP udp -- 10.0.1.100 anywhere udp dpt:5555
DROP tcp -- 10.0.1.100 anywhere tcp dpt:6666
DROP udp -- 10.0.1.100 anywhere udp dpt:6666
DROP tcp -- 10.0.1.100 anywhere tcp dpt:7777
DROP udp -- 10.0.1.100 anywhere udp dpt:7777
DROP tcp -- 10.0.1.100 anywhere tcp dpt:8888
DROP udp -- 10.0.1.100 anywhere udp dpt:8888
DROP tcp -- 10.0.1.100 anywhere tcp dpts:6881:6889
DROP udp -- 10.0.1.100 anywhere udp dpts:6881:6889
ACCEPT udp -- 10.0.1.100 anywhere udp dpts:1716:1718
ACCEPT udp -- 10.0.1.100 anywhere udp dpt:8777
ACCEPT udp -- 10.0.1.100 anywhere udp dpt:27900
ACCEPT tcp -- 10.0.1.100 anywhere tcp dpt:14200
ACCEPT tcp -- 10.0.1.100 anywhere tcp dpts:20025:20048
LOG tcp -- !10.0.0.0/8 anywhere tcp dpts:tcpmux:65535 LOG level warning
REJECT tcp -- !10.0.0.0/8 anywhere tcp dpts:tcpmux:65535 reject-with tcp-reset
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 10.0.1.100 anywhere udp dpts:1716:1718
ACCEPT udp -- 10.0.1.100 anywhere udp dpts:1716:1718
ACCEPT udp -- 10.0.1.100 anywhere udp dpt:8777
ACCEPT udp -- 10.0.1.100 anywhere udp dpt:27900
ACCEPT tcp -- 10.0.1.100 anywhere tcp dpt:14200
ACCEPT tcp -- 10.0.1.100 anywhere tcp dpts:20025:20048
DROP all -- 240.0.0.0/5 anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
DROP all -- 192.168.0.0/16 anywhere
DROP all -- 172.16.0.0/12 anywhere
DROP all -- 127.0.0.0/8 anywhere
DROP all -- 127.0.0.0/8 anywhere
DROP all -- 127.0.0.0/8 anywhere
DROP all -- 10.0.0.0/8 anywhere
ACCEPT tcp -- 10.0.1.101 anywhere tcp
ACCEPT all -- 10.0.255.10 anywhere
ACCEPT all -- 10.0.255.12 anywhere
ACCEPT all -- crm.company.com anywhere
ACCEPT all -- 10.0.255.10 anywhere
ACCEPT tcp -- crm.company.com anywhere tcp dpt:www
ACCEPT tcp -- crm.company.com anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere servera.company.com tcp dpt:www
ACCEPT tcp -- anywhere host10.grandex.com tcp dpt:www
ACCEPT tcp -- anywhere 60.100.20.20 tcp dpt:www
ACCEPT tcp -- anywhere servera.dyn.company.comtcp dpt:3128
REJECT tcp -- anywhere anywhere tcp dpt:3128 reject-with tcp-reset
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
I'm not quite sure if any of this matters, as none of it will be exactly necessary when we commission the pfSense server.
(Actually, now that I think about it.. maybe it does.) (EDIT: And yeah, I have no doubt there is a bunch of useless stuff in there. This company used to be about 5x its current size.)
Someone on [H]ardForum suggested this to me:
auto eth0
iface eth0 inet static
address 192.168.0.199
network 192.168.0.0 <----192.168.0.1
netmask 255.255.255.0
broadcast 192.168.0.1 <----192.168.0.255
gateway 192.168.0.1
post-down ip addr flush dev eth0
EDIT2: /etc/conf.d/ doesn't exist.
servera:~# cd ../etc/conf.d
bash: cd: ../etc/conf.d: No such file or directory
EDIT3: /etc/resolv.conf
#nameserver 127.0.0.1
nameserver 208.67.222.222
nameserver 208.67.220.220
EDIT4: Actually I think, maybe (have to test it out if the HardForum advice doesn't succeed) I have to set nameserver 192.168.0.1.
EDIT5: /etc/dhcpd.conf
subnet 10.128.0.0 netmask 255.128.0.0 {
range 10.128.0.2 10.128.0.254;
default-lease-time 86400;
max-lease-time 2592000;
option broadcast-address 10.255.255.255;
option domain-name-servers ServerA;
option routers ServerA;
option subnet-mask 255.255.0.0;
option time-servers ServerC;
option netbios-name-servers ServerC;
}
subnet 10.0.0.0 netmask 255.255.255.0 {
option domain-name "company.com";
option broadcast-address 10.255.255.255;
option domain-name-servers ServerC;
option routers ServerA;
option subnet-mask 255.0.0.0;
option time-servers ServerC;
default-lease-time 0;
max-lease-time 0;
option broadcast-address 10.0.0.255;
}
subnet 127.0.0.0 netmask 255.255.255.0 {
option domain-name "company.com";
default-lease-time 0;
}
Firewall - First off, it looks like the firewall wasn't specific enough and lacks some necessary values, including specifying interfaces, and it looks like it is not using NAT or even specifying the interfaces for the forwarding to occur. If you are interested in using NAT to hide the internal network details then check out http://www.revsys.com/writings/quicktips/nat.html for simple instructions for forwarding and NAT use. In all, it really does look like it is time for you to review the entire firewall and rewrite it from scratch to fulfill your current needs.
IP addresses - the recommendation to change the broadcast and network address on eth0 is correct.
Nameservers - you can tell the server to use the router or a preferred outside server like Google or OpenDNS; that is your choice.
DHCP - I don't really understand why you have three subnets listed; I think that may be confusing the dhcpd server. Have you set the bootup options to tell dhcpd to only listen for requests on a specific interface, such as on http://tldp.org/HOWTO/DHCP/x369.html ?
Also, can you tell us what Linux distro and version you are using so we know where the various files should reside? In addition I would like to know if the firewall was set up with a tool or if it is based on a scripted file?
After looking a bit further into the firewall rules, it does appear there are some redundant rules and stale rules from the old subnet that will need to be removed.
Again, if you are not serving any external services from inside eth1, consider using NAT.
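As an added illustration of the two points raised above (an example written for this thread, not code from mfillpot or the original poster): a small Python checker that parses the posted /etc/network/interfaces stanzas, recomputes the network and broadcast addresses from address and netmask (so it flags the 192.168.0.1 broadcast on eth0), and emits the interface-bound forwarding and NAT commands the posted FORWARD chain lacks, with the chain defaulting to DROP rather than ACCEPT. The stanza text is constructed from the OP's post; eth0 as WAN, eth1 as LAN and the `-m state` match are assumptions.

```python
import ipaddress
# Constructed sample: ServerA's stanzas as posted (broadcast 192.168.0.1 is the error).
INTERFACES = """\
iface eth0 inet static
address 192.168.0.199
network 192.168.0.0
netmask 255.255.255.0
broadcast 192.168.0.1
gateway 192.168.0.1
auto eth1
iface eth1 inet static
address 10.0.255.250
netmask 255.255.0.0
broadcast 10.0.255.255
"""

def parse_stanzas(text):
    """Return {iface: {option: value}} for every 'iface <name> ...' stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # drop comments, split key/value
        if len(parts) != 2 or parts[0] == "auto":
            continue
        if parts[0] == "iface":
            current = stanzas.setdefault(parts[1].split()[0], {})
        elif current is not None:
            current[parts[0]] = parts[1].strip()
    return stanzas

def check_stanza(opts):
    """Map each option that disagrees with address/netmask to (configured, expected)."""
    net = ipaddress.ip_interface(f"{opts['address']}/{opts['netmask']}").network
    expected = {"network": str(net.network_address), "broadcast": str(net.broadcast_address)}
    problems = {k: (opts[k], v) for k, v in expected.items() if k in opts and opts[k] != v}
    gw = opts.get("gateway")
    if gw and ipaddress.ip_address(gw) not in net:  # the gateway must be on-link
        problems["gateway"] = (gw, f"an address inside {net}")
    return problems

def gateway_rules(stanzas, wan="eth0", lan="eth1"):
    """Forwarding + NAT commands bound to both interfaces; FORWARD defaults to DROP."""
    lan_net = ipaddress.ip_interface(f"{stanzas[lan]['address']}/{stanzas[lan]['netmask']}").network
    return [
        "sysctl -w net.ipv4.ip_forward=1",
        "iptables -P FORWARD DROP",
        f"iptables -A FORWARD -i {lan} -o {wan} -s {lan_net} -m state "
        "--state NEW,ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -i {wan} -o {lan} -d {lan_net} -m state "
        "--state ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -t nat -A POSTROUTING -o {wan} -s {lan_net} -j MASQUERADE",
    ]

if __name__ == "__main__":
    stanzas = parse_stanzas(INTERFACES)
    print({name: check_stanza(opts) for name, opts in stanzas.items()}, *gateway_rules(stanzas), sep="\n")
```

Run against the posted stanzas it reports only the eth0 broadcast (192.168.0.1 should be 192.168.0.255); the network line already matches.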
mfillpot wrote:Also, can you tell us what Linux distro and version you are using so we know where the various files should reside?
servera:/proc# cat version
Linux version 2.4.29 (root@servera.company.com) (gcc version 2.95.4 20011002 (Debian prerelease)) #1 Sat Jan 22 09:14:41 CST 2005
mfillpot wrote:In addition I would like to know if the firewall was set up with a tool or if it is based on a scripted file?
mfillpot wrote:DHCP - I don't really understand why you have three subnets listed; I think that may be confusing the dhcpd server. Have you set the bootup options to tell dhcpd to only listen for requests on a specific interface, such as on tldp.org/HOWTO/DHCP/x369.html ?
Where would I set "bootup options" anyhow? :? Perhaps I can take a look at such file(s) and quote their internet-friendly contents here.
mfillpot wrote:Nameservers - you can tell the server to use the router or a preferred outside server like Google or OpenDNS; that is your choice.
(Note to self: http://manpages.ubuntu.com/manpages/lucid/man5/interfaces.5.html)
mfillpot wrote:Firewall - First off, it looks like the firewall wasn't specific enough and lacks some necessary values, including specifying interfaces, and it looks like it is not using NAT or even specifying the interfaces for the forwarding to occur. If you are interested in using NAT to hide the internal network details then check out www.revsys.com/writings/quicktips/nat.html for simple instructions for forwarding and NAT use. In all, it really does look like it is time for you to review the entire firewall and rewrite it from scratch to fulfill your current needs.
mfillpot wrote:After looking a bit further into the firewall rules, it does appear there are some redundant rules and stale rules from the old subnet that will need to be removed.
mfillpot wrote:Again, if you are not serving any external services from inside eth1, consider using NAT.
Thanks, I really appreciate your help mfillpot! I am really learning from this.
Thank you for posting the information. I hope I don't give you too much work from this thread, but here is what I have for you now.
VERSION - Now we know that you are running an antique Debian installation. I really hope you have another server around for testing purposes, because I highly recommend updating the server to the current release of Debian to receive a decade's worth of security updates; an extra server is requested because it would be best to test on a staging server.
FIREWALL - Most likely, based upon the age of the system, the former admin ran a firewall script saved at /etc/init.d/firewall.sh. I would really like to be able to review the script with you to see what can be fine tuned; if you are interested, please send me a message on this site so I can give you my e-mail address to send it to. I want it out of the forum because I don't want your company's firewall information in public.
Once you get the firewall scripts you can run a pretty good comparison using the diff utility. If you are interested in using NAT you can configure the router to forward traffic destined to specific ports to the local servers and treat all other traffic as NAT, which can be addressed later.
DHCPD - That now makes sense and should do the job, although I think it would be beneficial to add MAC address associations to set the static IPs so the addresses can all be managed from the server. Again, I would be interested to see the network map to understand the structure, but I don't want it in public and I don't use Visio, so if you can package it into another format to send to me we can work through this setup.
BOOT OPTIONS - Most likely the boot options from the link don't apply on your system because of its age; due to the age you may need to poke around to find everything. This is yet another reason to consider updating the OS.
NAMESERVERS - the 127 subnet is loopback; using that address will tell it to use itself to get names. You will have to point it to the router or another DNS server.
INSIDE SERVERS - For the sake of this conversation we can consider all servers that need to listen for requests from the internet to be outside services and all others to be internal services.