Re: Setting up a Router (2)
shimi wrote:
> On Sun, 2005-03-13 at 15:10 +0200, Daniel Feiglin wrote:
> > I have the SuSE firewall installed, which is supposed to do this. YaST offers a 4 step procedure, and here are my settings:
> >
> > 1. Select interfaces to protect (internal eth0, external eth1). I did not add dsl0 to the latter.
> > 2. Configure services that should be available: ssh, http, https
> > 3. Firewall: Forward traffic & do masquerading on; Features: Protect all running services, allow traceroute
> > 4. Logging: critical dropped and accepted packets only
> >
> > That's it.
> >
> > It seems that there is some manual stuff to do ... and a bit more reading.
>
> Can you show us the output of /sbin/iptables -L (or /sbin/ipchains -L, whatever works), so we can make sure that the firewall is indeed masquerading what's needed?

iptables -L produces a ton of output. I'm sending it to you privately as an attachment. Later we can publish the relevant/interesting parts to the list.

> Shimi

To unsubscribe, send mail to [EMAIL PROTECTED] with the word "unsubscribe" in the message body, e.g., run the command echo unsubscribe | mail [EMAIL PROTECTED]
Re: Setting up a Router (2)
On Sun, 2005-03-13 at 15:10 +0200, Daniel Feiglin wrote:
> I have the SuSE firewall installed, which is supposed to do this. YaST offers
> a 4 step procedure, and here are my settings:
>
> 1. Select interfaces to protect (internal eth0, external eth1). I did not add
> dsl0 to the latter.
> 2. Configure services that should be available: ssh, http, https
> 3. Firewall: Forward traffic & do masquerading on; Features: Protect all
> running services, allow traceroute
> 4. Logging: critical dropped and accepted packets only
>
> That's it.
>
> It seems that there is some manual stuff to do ... and a bit more reading.

Can you show us the output of /sbin/iptables -L (or /sbin/ipchains -L, whatever works), so we can make sure that the firewall is indeed masquerading what's needed?

Shimi
Re: Setting up a Router (2)
shimi wrote:
> Where are the masquerading rules? You're not just routing traffic, you're changing the packets, too (NAT/PAT). Seems like a problem with the ipchains/iptables not having the right settings (or not existing at all, since you didn't even mention them) ?
>
> Shimi

I have the SuSE firewall installed, which is supposed to do this. YaST offers a 4 step procedure, and here are my settings:

1. Select interfaces to protect (internal eth0, external eth1). I did not add dsl0 to the latter.
2. Configure services that should be available: ssh, http, https
3. Firewall: Forward traffic & do masquerading on; Features: Protect all running services, allow traceroute
4. Logging: critical dropped and accepted packets only

That's it.

It seems that there is some manual stuff to do ... and a bit more reading.

> On Sun, 2005-03-13 at 14:16 +0200, Daniel Feiglin wrote:
> > Hello all!
> >
> > On 02/01/05, I started a short thread about setting up a Linux box as a router. Following the various replies received and a bit more Googling around, I have arrived at the following setup which almost works. I think that another little "kvetch" will get us there.
> >
> > First, I have changed my setup to a SuSE 9.2 box acting as a server (including Samba) and an ethernet link to the ADSL.
> >
> > For the network, I use eth0 with the fixed IP of 192.168.1.100. It has the DHCP server up and running, with an available range of 192.168.1.101-254. The network adapter eth0 along with the adapters of the clients are attached to a hub.
> >
> > The ADSL unit is connected directly to eth1 on the server, and is set up to get an IP address from the attached Alcatel ST 510 unit. It always comes up with 10.0.0.1
> >
> > There is a Win 2K client and a multi partitioned laptop with Win XP or SuSE 9.2 as required. For our purposes it will be booted as a Linux client. Both clients are set to use DHCP to get a host address, and for automatic DNS address acquisition.
> >
> > As things stand, the LAN works fine. I have correct internet function from the server itself (otherwise you wouldn't be reading this). From the clients, I can see the ADSL modem page on 10.0.0.138, but I cannot get any further i.e. the clients see the modem but can not get any further. That's the missing "kvetch".
> >
> > Now for the technical stuff: To get as far as I did, I followed the instruction in the HOWTO,
> >
> > http://www.novell.com/coolsolutions/feature/11505.html
> >
> > Despite its total SuSE orientation, it should be of general interest, in that it caters for most of the issues raised in the previous thread.
> >
> > Here is the ifconfig output (stripped of irrelevant stuff):
> >
> > danny:~ # ifconfig
> > dsl0      Link encap:Point-to-Point Protocol
> >           inet addr:83.130.124.183  P-t-P:213.8.255.155  Mask:255.255.255.255
> >           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
> >           RX packets:9609 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:8011 errors:0 dropped:0 overruns:0 carrier:0
> >           collisions:0 txqueuelen:3
> >           RX bytes:8720064 (8.3 Mb)  TX bytes:1227999 (1.1 Mb)
> >
> > eth0      Link encap:Ethernet  HWaddr 00:C1:26:0E:CA:F3
> >           inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
> >           inet6 addr: fe80::2c1:26ff:fe0e:caf3/64 Scope:Link
> >           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >           RX packets:8601 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:9306 errors:0 dropped:0 overruns:0 carrier:0
> >           collisions:392 txqueuelen:1000
> >           RX bytes:1751029 (1.6 Mb)  TX bytes:2413282 (2.3 Mb)
> >           Interrupt:9 Base address:0x2000
> >
> > eth1      Link encap:Ethernet  HWaddr 00:C1:26:0E:CA:46
> >           inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
> >           inet6 addr: fe80::2c1:26ff:fe0e:ca46/64 Scope:Link
> >           UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
> >           RX packets:28391 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:39659 errors:0 dropped:0 overruns:0 carrier:0
> >           collisions:0 txqueuelen:1000
> >           RX bytes:17849057 (17.0 Mb)  TX bytes:5582722 (5.3 Mb)
> >           Interrupt:5 Base address:0x4000
> >
> > lo        Link encap:Local Loopback
> >           ...
> >
> > Here is the routing table:
> >
> > danny:~ # route -n
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > 213.8.255.155   0.0.0.0         255.255.255.255 UH    0      0        0 dsl0
> > 10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
> > 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> > 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
> > 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> > 0.0.0.0         213.8.255.155   0.0.0.0         UG    0      0        0 dsl0
> >
> > (Sorry about the wrap around)
> >
> > For what it's worth, I connect through Internet Zahav with
> >
> > DNS 1: 192.116.202.222
> > DNS 2: 213.8.172.83
> > Gateway: 213.8.255.155
> >
> > Here is resolv.conf as modified by ppd:
> >
> > search lan
> > nameserver 192.116.20
Re: Setting up a Router (2)
Josh Zlatin-Amishav wrote:
> On Sun, 13 Mar 2005, Daniel Feiglin wrote:
> > Hello all!
> >
> > On 02/01/05, I started a short thread about setting up a Linux box as a router. Following the various replies received and a bit more Googling around, I have arrived at the following setup which almost works. I think that another little "kvetch" will get us there.
> >
> > First, I have changed my setup to a SuSE 9.2 box acting as a server (including Samba) and an ethernet link to the ADSL.
> >
> > For the network, I use eth0 with the fixed IP of 192.168.1.100. It has the DHCP server up and running, with an available range of 192.168.1.101-254. The network adapter eth0 along with the adapters of the clients are attached to a hub.
> >
> > The ADSL unit is connected directly to eth1 on the server, and is set up to get an IP address from the attached Alcatel ST 510 unit. It always comes up with 10.0.0.1
> >
> > There is a Win 2K client and a multi partitioned laptop with Win XP or SuSE 9.2 as required. For our purposes it will be booted as a Linux client. Both clients are set to use DHCP to get a host address, and for automatic DNS address acquisition.
> >
> > As things stand, the LAN works fine. I have correct internet function from the server itself (otherwise you wouldn't be reading this). From the clients, I can see the ADSL modem page on 10.0.0.138, but I cannot get any further i.e. the clients see the modem but can not get any further. That's the missing "kvetch".
>
> Hi Daniel,
>
> Did you allow ip_forwarding on the SUSE box i.e.
>
> echo 1 > /proc/sys/net/ipv4/ip_forward

Yes. YaST takes care of that, and I checked it manually.
Re: Setting up a Router (2)
Do you mean that your ADSL connection never disconnects ? You never have to "redial" ?

Daniel Feiglin wrote:
> Yaacov Fenster - System Engineering Troubleshooting and other stuff wrote:
> > Daniel - What do you do in order to have the ADSL modem re-dial upon failure ?
>
> Nothing. I never hit that one before.
>
> > Yaacov
> >
> > Daniel Feiglin wrote:
> > > Hello all!
> > >
> > > On 02/01/05, I started a short thread about setting up a Linux box as a router. Following the various replies received and a bit more Googling around, I have arrived at the following setup which almost works. I think that another little "kvetch" will get us there.
Re: Setting up a Router (2)
Yaacov Fenster - System Engineering Troubleshooting and other stuff wrote:
> Daniel - What do you do in order to have the ADSL modem re-dial upon failure ?

Nothing. I never hit that one before.

> Yaacov
>
> Daniel Feiglin wrote:
> > Hello all!
> >
> > On 02/01/05, I started a short thread about setting up a Linux box as a router. Following the various replies received and a bit more Googling around, I have arrived at the following setup which almost works. I think that another little "kvetch" will get us there.
Re: Setting up a Router (2)
Where are the masquerading rules? You're not just routing traffic, you're changing the packets, too (NAT/PAT). Seems like a problem with the ipchains/iptables not having the right settings (or not existing at all, since you didn't even mention them) ?

Shimi

On Sun, 2005-03-13 at 14:16 +0200, Daniel Feiglin wrote:
> Hello all!
>
> On 02/01/05, I started a short thread about setting up a Linux box as a
> router. Following the various replies received and a bit more Googling
> around, I have arrived at the following setup which almost works. I
> think that another little "kvetch" will get us there.
>
> First, I have changed my setup to a SuSE 9.2 box acting as a server
> (including Samba) and an ethernet link to the ADSL.
>
> For the network, I use eth0 with the fixed IP of 192.168.1.100. It has
> the DHCP server up and running, with an available range of
> 192.168.1.101-254. The network adapter eth0 along with the adapters of
> the clients are attached to a hub.
>
> The ADSL unit is connected directly to eth1 on the server, and is set up
> to get an IP address from the attached Alcatel ST 510 unit. It always
> comes up with 10.0.0.1
>
> There is a Win 2K client and a multi partitioned laptop with Win XP or
> SuSE 9.2 as required. For our purposes it will be booted as a Linux
> client. Both clients are set to use DHCP to get a host address, and for
> automatic DNS address acquisition.
>
> As things stand, the LAN works fine. I have correct internet function
> from the server itself (otherwise you wouldn't be reading this). From
> the clients, I can see the ADSL modem page on 10.0.0.138, but I cannot
> get any further i.e. the clients see the modem but can not get any
> further. That's the missing "kvetch".
>
> Now for the technical stuff: To get as far as I did, I followed the
> instruction in the HOWTO,
>
> http://www.novell.com/coolsolutions/feature/11505.html
>
> Despite its total SuSE orientation, it should be of general interest, in
> that it caters for most of the issues raised in the previous thread.
>
> Here is the ifconfig output (stripped of irrelevant stuff):
>
> danny:~ # ifconfig
> dsl0      Link encap:Point-to-Point Protocol
>           inet addr:83.130.124.183  P-t-P:213.8.255.155  Mask:255.255.255.255
>           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
>           RX packets:9609 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:8011 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:3
>           RX bytes:8720064 (8.3 Mb)  TX bytes:1227999 (1.1 Mb)
>
> eth0      Link encap:Ethernet  HWaddr 00:C1:26:0E:CA:F3
>           inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
>           inet6 addr: fe80::2c1:26ff:fe0e:caf3/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:8601 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:9306 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:392 txqueuelen:1000
>           RX bytes:1751029 (1.6 Mb)  TX bytes:2413282 (2.3 Mb)
>           Interrupt:9 Base address:0x2000
>
> eth1      Link encap:Ethernet  HWaddr 00:C1:26:0E:CA:46
>           inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
>           inet6 addr: fe80::2c1:26ff:fe0e:ca46/64 Scope:Link
>           UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:28391 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:39659 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:17849057 (17.0 Mb)  TX bytes:5582722 (5.3 Mb)
>           Interrupt:5 Base address:0x4000
>
> lo        Link encap:Local Loopback
>           ...
>
> Here is the routing table:
>
> danny:~ # route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 213.8.255.155   0.0.0.0         255.255.255.255 UH    0      0        0 dsl0
> 10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         213.8.255.155   0.0.0.0         UG    0      0        0 dsl0
>
> (Sorry about the wrap around)
>
> For what it's worth, I connect through Internet Zahav with
>
> DNS 1: 192.116.202.222
> DNS 2: 213.8.172.83
> Gateway: 213.8.255.155
>
> Here is resolv.conf as modified by ppd:
>
> search lan
> nameserver 192.116.202.222
> nameserver 213.8.172.83
>
> I apologise for being a bit long winded - but having all this stuff up
> front should save many subsequent exchanges.
>
> Cheers,
>
> Daniel
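
The check asked for in the thread, as an added example that is not part of any message above: masquerading rules live in the nat table, which plain `iptables -L` does not list, and a rule only helps if it names the interface that carries the default route. The routing table is modelled on the one posted in the thread; both rule sets are constructed, since the thread never shows the actual iptables output, and the function and variable names are hypothetical.

```sh
# Added example (not from the thread): does a MASQUERADE rule cover the
# interface that carries the default route? Inputs are text, so it runs offline.

# Routing table modelled on the `route -n` output posted in the thread.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
213.8.255.155   0.0.0.0         255.255.255.255 UH    0      0        0 dsl0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         213.8.255.155   0.0.0.0         UG    0      0        0 dsl0'

# Constructed `iptables -t nat -S POSTROUTING` outputs (assumptions, not
# taken from the thread): NAT on the modem-facing NIC vs. on the PPP link.
RULES_ETH1='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth1 -j MASQUERADE'
RULES_DSL0='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.1.0/24 -o dsl0 -j MASQUERADE'

# Interface of the default route (destination and genmask both 0.0.0.0).
default_iface() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $NF; exit }'
}

# Output interface of each MASQUERADE rule; "*" when the rule has no -o.
# Negated matches ("! -o ethX") are not handled here.
masq_ifaces() {
    awk '/-j MASQUERADE/ {
        out = "*"
        for (i = 1; i < NF; i++) if ($i == "-o") out = $(i + 1)
        print out
    }'
}

# check_masq ROUTES RULES: print a verdict; status 0 only when covered.
check_masq() {
    wan=$(printf '%s\n' "$1" | default_iface)
    [ -n "$wan" ] || { echo "no default route found"; return 2; }
    if printf '%s\n' "$2" | masq_ifaces | grep -qxF -e "$wan" -e '*'; then
        echo "ok: MASQUERADE covers $wan"
    else
        echo "missing: no MASQUERADE rule for $wan"
        return 1
    fi
}

# Live use: check_masq "$(route -n)" "$(iptables -t nat -S POSTROUTING)"
check_masq "$SAMPLE_ROUTES" "$RULES_ETH1" || true  # missing: no MASQUERADE rule for dsl0
check_masq "$SAMPLE_ROUTES" "$RULES_DSL0"          # ok: MASQUERADE covers dsl0
```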