How do I get the internet to work in this setup?

BlueToast

DSL Modem <--> Wireless router <--> ServerA <--> Workstations

Wireless router (192.168.0.1)

ServerA (10.0.255.250) = Default Gateway to Workstations (or DHCP scope; dhcpd.conf)

ServerA has eth0 and eth1; eth0 goes to the wireless router, and eth1 connects to the HP switch (all workstations connect to this).

ServerA runs Squid.

Here is ServerA's /etc/network/interfaces

# -------------------------------

auto lo

iface lo inet loopback

# -------------------------------

auto eth0

iface eth0 inet static

address 192.168.0.199

network 192.168.0.0

netmask 255.255.255.0

broadcast 192.168.0.1

gateway 192.168.0.1

post-down ip addr flush dev eth0

# --------------------------------

auto eth1

iface eth1 inet static

address 10.0.255.250

network 10.0.0.0

netmask 255.255.0.0

broadcast 10.0.255.255

Previously I had been using a static internet IP for eth0, but then I moved this server behind a router (as well as another server that had a static internet IP).

Through wireless (direct to 192.168.0.1), I can surf the internet.

But when I try to surf the internet through ServerA, I cannot get a page, nor can I ping a website from ServerA through shell.

NOTE: I will worry about changing the DHCP scope later. Right now, experience and stuff in scenarios like this are good. Later I will want to make our new pfSense server take over as DHCP scope (or whatever).

mfillpot

Have you already setup the ip forwarding and the other necessary option in iptables?

Also have you read a guide like http://www.gentoo.org/doc/en/home-router-howto.xml ?

BlueToast

mfillpot wrote:

Have you already setup the ip forwarding and the other necessary option in iptables?

I'm not quite sure what you mean.. or rather, what to say. This is a network that I took over about a month ago; the previous sysadmin, who had setup this entire network and servers, is in prison. ;\ He didn't leave any documentation whatsoever, and the way he set up some things (like the e-mail servers/forwarding/filtering) are very strange.

Anyway, if you need me to pull up some information from some file, I can do that for you. I'm the kind that usually learns by hands-on experience, so please forgive me if I'm stupid or something. I'm a beginner with Linux (although have worked with it before).

mfillpot wrote:

Also have you read a guide like http://www.gentoo.org/doc/en/home-router-howto.xml ?

Does http://www.yolinux.com/TUTORIALS/DHCP-Server.html count? :ohmy:

Right now my concern isn't the pfSense server (this isn't fully built yet either). The 192.168.0.1 router is a consumer-level D-Link DI-524. ;o Of course, this is temporary, but it is necessary until the pfSense server is ready to replace the router, and ServerA's squid and position of being DNS server.

mfillpot

DHCP is only a service provided by the server, it is it built to be a gateway then you must configure port forwarding or NAT through the firewall, read the link I left for instructions and if you want you can post the output of "iptables -L" here, don't forget to clean out specific ip addresses and other proprietary information.

BlueToast

mfillpot wrote:

DHCP is only a service provided by the server, it is it built to be a gateway then you must configure port forwarding or NAT through the firewall, read the link I left for instructions and if you want you can post the output of "iptables -L" here, don't forget to clean out specific ip addresses and other proprietary information.

I don't quite understand a lot of it, although my mind is telling me that it is a list of firewall rules as to what to do with a certain packet type (ie. TCP or UDP or both or other) on a certain port and/or destination and/or source, etcetera. It looks like there is a lot of useless stuff in there that is no longer needed.

I changed up the numbers by only having 1 significant digit (so if it was 238, I changed it to 200).

servera:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 127.0.0.0/8 anywhere
DROP tcp -- a0.debed1.client.atlantech.net/27 anywhere tcp dpt:www
DROP tcp -- 30.90.100.200/27 anywhere tcp dpt:www
DROP tcp -- 200.10.200.0/26 anywhere tcp dpt:www
DROP tcp -- a0.debed1.client.atlantech.net/27 anywhere tcp dpt:65522
DROP tcp -- 30.90.100.200/27 anywhere tcp dpt:65522
DROP tcp -- 200.10.200.0/26 anywhere tcp dpt:65522
ACCEPT tcp -- 100.200.200.200.transedge.com/29 anywhere tcp
ACCEPT tcp -- 70-80-90-10.client.mchsi.com anywhere tcp
ACCEPT tcp -- 70-80-90-20.client.mchsi.com anywhere tcp
ACCEPT tcp -- 70-80-90-21.client.mchsi.com anywhere tcp
ACCEPT tcp -- 70-80-90-22.client.mchsi.com anywhere tcp
ACCEPT tcp -- 10.0.0.0/8 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- mail.stlabre.org anywhere tcp dpt:smtp
ACCEPT tcp -- 10.0.0.253 anywhere tcp dpt:smtp
ACCEPT tcp -- 10.0.0.253 anywhere tcp dpt:2525
ACCEPT tcp -- 10.0.0.0/24 anywhere tcp dpt:smtp
ACCEPT tcp -- !10.0.0.0/8 anywhere tcp dpt:domain
ACCEPT tcp -- !10.0.0.0/8 anywhere tcp dpt:www
ACCEPT tcp -- !10.0.0.0/8 anywhere tcp dpt:submission
ACCEPT tcp -- 10.0.0.0/8 anywhere tcp dpt:mysql
ACCEPT tcp -- !10.0.0.0/8 anywhere tcp dpt:jabber-client
ACCEPT tcp -- !10.0.0.0/8 anywhere tcp dpt:5223
ACCEPT tcp -- !10.0.0.0/8 anywhere tcp dpt:jabber-server
ACCEPT tcp -- !10.0.0.0/8 anywhere tcp dpt:62525
ACCEPT tcp -- !10.0.0.0/8 anywhere tcp dpt:65522
ACCEPT tcp -- anywhere anywhere tcp dpts:1024:65535 flags:!SYN,RST,ACK/SYN
DROP udp -- anywhere anywhere udp dpt:snmp
DROP tcp -- anywhere anywhere tcp dpt:161
DROP tcp -- 10.0.1.100 anywhere tcp dpt:1214
DROP udp -- 10.0.1.100 anywhere udp dpt:1214
DROP tcp -- 10.0.1.100 anywhere tcp dpts:6346:6348
DROP udp -- 10.0.1.100 anywhere udp dpts:6346:6348
DROP tcp -- 10.0.1.100 anywhere tcp dpts:4661:4672
DROP udp -- 10.0.1.100 anywhere udp dpts:4661:4672
DROP tcp -- 10.0.1.100 anywhere tcp dpt:6257
DROP udp -- 10.0.1.100 anywhere udp dpt:6257
DROP tcp -- 10.0.1.100 anywhere tcp dpt:6699
DROP udp -- 10.0.1.100 anywhere udp dpt:6699
DROP tcp -- 10.0.1.100 anywhere tcp dpt:4444
DROP udp -- 10.0.1.100 anywhere udp dpt:4444
DROP tcp -- 10.0.1.100 anywhere tcp dpt:5555
DROP udp -- 10.0.1.100 anywhere udp dpt:5555
DROP tcp -- 10.0.1.100 anywhere tcp dpt:6666
DROP udp -- 10.0.1.100 anywhere udp dpt:6666
DROP tcp -- 10.0.1.100 anywhere tcp dpt:7777
DROP udp -- 10.0.1.100 anywhere udp dpt:7777
DROP tcp -- 10.0.1.100 anywhere tcp dpt:8888
DROP udp -- 10.0.1.100 anywhere udp dpt:8888
DROP tcp -- 10.0.1.100 anywhere tcp dpts:6881:6889
DROP udp -- 10.0.1.100 anywhere udp dpts:6881:6889
ACCEPT udp -- 10.0.1.100 anywhere udp dpts:1716:1718
ACCEPT udp -- 10.0.1.100 anywhere udp dpt:8777
ACCEPT udp -- 10.0.1.100 anywhere udp dpt:27900
ACCEPT tcp -- 10.0.1.100 anywhere tcp dpt:14200
ACCEPT tcp -- 10.0.1.100 anywhere tcp dpts:20025:20048
LOG tcp -- !10.0.0.0/8 anywhere tcp dpts:tcpmux:65535 LOG level warning
REJECT tcp -- !10.0.0.0/8 anywhere tcp dpts:tcpmux:65535 reject-with tcp-reset

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 10.0.1.100 anywhere udp dpts:1716:1718
ACCEPT udp -- 10.0.1.100 anywhere udp dpts:1716:1718
ACCEPT udp -- 10.0.1.100 anywhere udp dpt:8777
ACCEPT udp -- 10.0.1.100 anywhere udp dpt:27900
ACCEPT tcp -- 10.0.1.100 anywhere tcp dpt:14200
ACCEPT tcp -- 10.0.1.100 anywhere tcp dpts:20025:20048
DROP all -- 240.0.0.0/5 anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
DROP all -- 192.168.0.0/16 anywhere
DROP all -- 172.16.0.0/12 anywhere
DROP all -- 127.0.0.0/8 anywhere
DROP all -- 127.0.0.0/8 anywhere
DROP all -- 127.0.0.0/8 anywhere
DROP all -- 10.0.0.0/8 anywhere
ACCEPT tcp -- 10.0.1.101 anywhere tcp
ACCEPT all -- 10.0.255.10 anywhere
ACCEPT all -- 10.0.255.12 anywhere
ACCEPT all -- crm.company.com anywhere
ACCEPT all -- 10.0.255.10 anywhere
ACCEPT tcp -- crm.company.com anywhere tcp dpt:www
ACCEPT tcp -- crm.company.com anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere servera.company.com tcp dpt:www
ACCEPT tcp -- anywhere host10.grandex.com tcp dpt:www
ACCEPT tcp -- anywhere 60.100.20.20 tcp dpt:www
ACCEPT tcp -- anywhere servera.dyn.company.comtcp dpt:3128
REJECT tcp -- anywhere anywhere tcp dpt:3128 reject-with tcp-reset

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

I'm not quite sure if any of this matters, as none of it will be exactly necessary when we commission the pfSense server.
(Actually, now that I think about it.. maybe it does.) (EDIT: And yeah, I have no doubt there is a bunch of useless stuff in there. This company used to be about 5x its current size.)

Someone on [H]ardForum suggested this to me:

auto eth0
iface eth0 inet static
address 192.168.0.199
network 192.168.0.0 <----192.168.0.1
netmask 255.255.255.0
broadcast 192.168.0.1 <----192.168.0.255
gateway 192.168.0.1
post-down ip addr flush dev eth0

EDIT2: /etc/conf.d/ doesn't exist.

servera:~# cd ../etc/conf.d
bash: cd: ../etc/conf.d: No such file or directory

EDIT3: /etc/resolv.conf

#nameserver 127.0.0.1
nameserver 208.67.222.222
nameserver 208.67.220.220

I should probably set it back to nameserver 127.0.0.1.. I set it to those two nameservers (OpenDNS) sometime last week and forgot about it. :silly:

EDIT4: Actually I think, maybe (have to test it out if the HardForum advice doesn't succeed) I have to set nameserver 192.168.0.1.

EDIT5: /etc/dhcpd.conf

subnet 10.128.0.0 netmask 255.128.0.0 {
range 10.128.0.2 10.128.0.254;
default-lease-time 86400;
max-lease-time 2592000;
option broadcast-address 10.255.255.255;
option domain-name-servers ServerA;
option routers ServerA;
option subnet-mask 255.255.0.0;
option time-servers ServerC;
option netbios-name-servers ServerC;
}

subnet 10.0.0.0 netmask 255.255.255.0 {
option domain-name "company.com";
option broadcast-address 10.255.255.255;
option domain-name-servers ServerC;
option routers ServerA;
option subnet-mask 255.0.0.0;
option time-servers ServerC;
default-lease-time 0;
max-lease-time 0;
option broadcast-address 10.0.0.255;
}

subnet 127.0.0.0 netmask 255.255.255.0 {
option domain-name "company.com";
default-lease-time 0;
}

mfillpot

Firewall - First off it looks like the firewall wasn't specific enough and lacks some necessary values including specifying interfaces, and it looks like it is is not using NAT or even specifying the interfaces for the forwarding to occur, if you are interested in using NAT to hide the internal network details then checkout http://www.revsys.com/writings/quicktips/nat.html for simple instructions for forwarding and NAT use. In all, it really does look like it is time for you to review the entire firewall and rewrite it from scratch to fulfill your current needs.

IP addresses - the recommendation to change the broadcast and network address on eth0 is correct.

Nameservers - you can tell the server to use the router or a preferred outside server like google or opendns, that is your choice.

DHCP - I don't really understand why you have three subnets listed, I think that may be confusing the dhcpd server. Have you set the bootup options to tell dhcpd to only listen for requests on a specific interface such as on http://tldp.org/HOWTO/DHCP/x369.html ?

Also, can you tell us what Linux disto and version you are using so we know where the various files should reside? In addition I would like to know if the firewall was setup with a tool or if it is based on a scripted file?

mfillpot

After looking a bit further into the firewall rules it does appear there are some redundant rules and stale rules from old subnet that will need to be removed.

Again, if you are not serving any external services from inside eth1 consider using NAT.

BlueToast

Also, can you tell us what Linux disto and version you are using so we know where the various files should reside?

servera:/proc# cat version
Linux version 2.4.29 (root@servera.company.com) (gcc version 2.95.4 20011002 (Debian prerelease)) #1 Sat Jan 22 09:14:41 CST 2005

In addition I would like to know if the firewall was setup with a tool or if it is based on a scripted file?

I have no idea. As I mentioned before (or thought I did ), the previous sysadmin left virtually no documentation of his network setup and stuff. The only kinds of "documents" we have are manuals for business software (which I think is totally irrelevant here, and you'll probably agree).

DHCP - I don't really understand why you have three subnets listed, I think that may be confusing the dhcpd server. Have you set the bootup options to tell dhcpd to only listen for requests on a specific interface such as on tldp.org/HOWTO/DHCP/x369.html ?

Not sure what to say other than that it appears that unassigned machines will attain a 10.0.0.x IP address. Otherwise, if they are written in some file with their MacID and hostname, they will be assigned a manually entered static IP. I think 10.0.2.x was meant to belong to office workstations, and 10.0.1.x to warehouse workstations, but that's just an educated guess based on the IPs all the workstations get (yeah, I made a beautiful network map in Visio).

Where would I set "bootup options" anyhow? :? Perhaps I can take a look at such file(s) and quote their internet-friendly contents here.

Nameservers - you can tell the server to use the router or a preferred outside server like google or opendns, that is your choice.

The D-Link router is already set to use OpenDNS, so it would make more sense to use nameserver 127.0.0.1. :P

(Note to self: http://manpages.ubuntu.com/manpages/lucid/man5/interfaces.5.html)

Firewall - First off it looks like the firewall wasn't specific enough and lacks some necessary values including specifying interfaces, and it looks like it is is not using NAT or even specifying the interfaces for the forwarding to occur, if you are interested in using NAT to hide the internal network details then checkout www.revsys.com/writings/quicktips/nat.html for simple instructions for forwarding and NAT use. In all, it really does look like it is time for you to review the entire firewall and rewrite it from scratch to fulfill your current needs.

Could you show me example files so that I could compare the formats/entries to the ones in ServerA's to try and see the whats and whys between the two?

After looking a bit further into the firewall rules it does appear there are some redundant rules and stale rules from old subnet that will need to be removed.

Again, if you are not serving any external services from inside eth1 consider using NAT.

Stuff like crm.company.com, intmail.company.com (to access internal, private e-mail through Squirrel Mail -- necessary because one of the servers [dedicated to a piece of software designed to literally run an entire company] sends invoice/payment e-mails to internal e-mail accounts), webtracker.company.com, rma.company.com, and support.company.com are accessible by internal computers only (can't be accessed from Internet). Is this what you mean by "if you are not serving any external services from inside"?

Thanks, I really appreciate your help mfillpot! I am really learning from this.

mfillpot

Thank you for posting the information. I hope I don;t give you too much work from this thread, but here is what I have for you now.

VERSION - Now we know that you are running an antique Debian installation, I really hope you have another server around for testing purposes because I highly recommend updating the server to the current release of Debian to receive a decade worth of security updates, an extra server is requested because it would be best to test on a staging server.

FIREWALL - Most likely based upon the age of the system the former admin run a firewall script saved at /etc/init.d/firewall.sh. I would really like to be able to review the script with you to see what can be fine tuned, if you are interested please send me a message on this site so I can give you my e-mail address to send it to, I want it out of the forum because I don't want your company's firewall information in public.

Once you get the firewall scripts you can run a pretty good comparison using the diff utility. If you are interested in using NAT you can configure the router to forward traffic destined to specific ports to the local servers and treat all other traffic as NAT which can be addressed later.

DHCPD - That now makes sense and should do the job. Although I think it would be beneficial to add MAC address associations to set the staic ips so the addresses can all be managed from the server. Again I would be interested to see the network map to understand the structure, but I don't want it in public and I don't use visio, so if you can package it into another format to send to me we can work through this setup.

BOOT OPTIONS- Most likely the boot options from the link don't apply on your system because of the age, due to the age you may need to poke around to find everything.. This is yet another reason to consider updating the OS.

NAMESERVERS - the 127 subnet is loopback, using that address will tell it to use itself to get names, you will have to point it to the router or another DNS server.

INSIDE SERVERS - For the sake of this conversation we can consider all servers that need listen for requests from the internet to be outside services and all others are internal services.