Home Office Networking: RedHat Linux 7.2/7.3 using Static IP
Summary This is my personal experience of setting up my home network using RedHat 7.2 as the gateway. I write down all the steps and some things to look out for, to remind myself and others. There is no guarantee these steps will fit your setup. Please feel free to try them.

Scenario I want to connect a home network consisting of two computers, one RH 7.2 and one Windows 2000, so that they share a single internet connection. A PC is set up with RH 7.2 as gateway and firewall to perform IP masquerading. My ISP is Charter Pipeline cable modem, and I was provided with DHCP.
Setup Layout Machine 1 is RH 7.2 with a server installation, which will be used as server and gateway with IP masquerading. This machine has two network cards. Machine 2 is Windows 2000, the client. It has one network card.

Setup Server for Internal network Two ethernet cards are installed in Machine 1, eth0 and eth1. eth0 is connected to the Charter Pipeline cable modem. eth1 is connected to a hub. I don't elaborate on the OS installation in this text. Since eth0 gets its address from Charter's DHCP server, there is not much to tell about eth0. I will concentrate on eth1. eth1 is assigned a private (RFC 1918) address, which is not routable on the Internet. By convention, I assign 192.168.0.1. Here is the complete ifcfg-eth1 file I used in my setting.
DEVICE=eth1
BOOTPROTO=none            # static address on the LAN side, no DHCP
IPADDR=192.168.0.1
NETMASK=255.255.255.0
NETWORK=192.168.0.0
BROADCAST=192.168.0.255
ONBOOT=yes
Save this file as ifcfg-eth1 in the /etc/sysconfig/network-scripts directory. The configuration file for eth0 is very simple. It looks like the following.
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
Then restart the network by running /etc/rc.d/init.d/network restart. You should see both eth0 and eth1 start up correctly.

Setup Windows 2000 machine I want to set up the Windows 2000 machine as 192.168.0.2. Go to Start -> Settings -> Network and Dial-up Connections. Locate your NIC icon, Local Area Connection. Right-click the icon and choose Properties. Highlight Internet Protocol (TCP/IP), then click Properties. Check "Use the following IP address" and enter the following information.
IP address     : 192.168.0.2
Subnet mask    : 255.255.255.0
Default gateway: 192.168.0.1
Preferred DNS server : XXX.XXX.XXX.XXX
Alternate DNS server : YYY.YYY.YYY.YYY
To determine XXX.XXX.XXX.XXX and YYY.YYY.YYY.YYY, go to the Linux server (your gateway machine) and view the file /etc/resolv.conf. You should see several nameserver lines there, filled in by the DHCP client on eth0. Pick the first two nameserver IP addresses and use them as Preferred DNS and Alternate DNS. That is all for the Windows 2000 machine setup.

Now you should be able to ping the server from Windows: type ping 192.168.0.1. Then ping your Windows 2000 machine from the Linux server: type ping 192.168.0.2. Both should get replies. If you ping an outside IP address or hostname from the Windows 2000 machine, however, it will not work yet, because the Linux box is not forwarding or masquerading anything so far.

Setup Server IP Masquerading Don't be scared by a big word like Masquerading. I was, and I am not anymore. To set up IP masquerading on the Linux machine, create a script with the following content and save it somewhere on the Linux machine. I call this file myscript. This is the script that enables IP masquerading. Make myscript executable with chmod 755 myscript. Note that this script only enables masquerading; it does no filtering at all. The chain policies stay at ACCEPT (flushing removes rules, not policies), so every service listening on the gateway remains reachable from the cable network. The rc.firewall script in the Extra section at the end of this page at least sets the FORWARD policy to DROP and only lets established and related connections back in.
Note: This file is extracted from the source http://yolinux.com/TUTORIALS/LinuxTutorialNetworkGateway.html
#!/bin/sh
# myscript: minimal IP masquerading for a 2.4 kernel with iptables.
# eth0 = cable modem (external), eth1 = LAN (internal).

# Start from empty tables so that rerunning the script is safe
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

# Rewrite the source of LAN packets leaving eth0 to the cable modem address
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
# Let packets coming in from the LAN be routed (FORWARD policy stays ACCEPT)
iptables --append FORWARD --in-interface eth1 -j ACCEPT

# Turn on routing between the two interfaces in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
Now you can execute myscript by typing ./myscript. After you execute this script, your IP masquerading should work. You can ping www.yahoo.com directly from your Windows 2000 machine and you will see replies. To run the script on every boot, copy it to /etc/rc.d and add the line /etc/rc.d/myscript to the bottom of /etc/rc.d/rc.local. That is all, folks.

Debugging notes
  • The network cards on the Linux server must be up before the IP masquerading script is run. If you restart the network, the content of /proc/sys/net/ipv4/ip_forward is reset to 0, because the RedHat 7.x network init script re-applies /etc/sysctl.conf, which ships with net.ipv4.ip_forward = 0. Setting that line to 1 makes forwarding survive a network restart.
  • If the Windows 2000 machine can ping Yahoo's IP address but not the name www.yahoo.com, most likely you forgot to set the DNS servers on the Windows 2000 machine.
  • If you cannot ping an outside IP from the Windows 2000 machine, most likely IP masquerading on the Linux server is not working properly. Flush all the chains with "iptables -F INPUT", "iptables -F FORWARD" and "iptables -F OUTPUT", then rerun your IP masquerading script.
  • Always check the content of /proc/sys/net/ipv4/ip_forward. If it is 0, forwarding is off. You need to change it to 1.
  • I didn't have to do route add in my setting as shown in the yolinux tutorial. As long as it works, I am happy.
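The following shell script automates the checks from the debugging notes above. It is an added example, not part of the original page: it reads the ip_forward switch and inspects iptables-save output for the two rules that myscript installs, and prints what to do when either is missing. The interface names, the file locations and the sample iptables-save dump embedded in it are assumptions made for illustration.

```shell
#!/bin/sh
# masq-check: automates the debugging checks above.
# Added example, not part of the original page. Interface names and the
# ip_forward path are assumptions; override them through the environment.

EXTIF="${EXTIF:-eth0}"
INTIF="${INTIF:-eth1}"
IP_FORWARD_FILE="${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"

# check_ip_forward FILE: succeed only if FILE holds "1" (routing enabled).
check_ip_forward() {
    [ -r "$1" ] || return 1
    [ "$(cat "$1")" = "1" ]
}

# check_masq_rules: read iptables-save output on stdin and succeed only if
# both rules that myscript installs are present:
#   nat table:    -A POSTROUTING -o $EXTIF -j MASQUERADE
#   filter table: -A FORWARD -i $INTIF -j ACCEPT
check_masq_rules() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q -- "^-A POSTROUTING -o $EXTIF -j MASQUERADE" || return 1
    printf '%s\n' "$rules" | grep -q -- "^-A FORWARD -i $INTIF -j ACCEPT" || return 1
}

# sample_rules: a constructed iptables-save dump of a correctly configured
# gateway, for trying the checker on a box where iptables is not available.
sample_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $EXTIF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $INTIF -j ACCEPT
COMMIT
EOF
}

# report: run both checks against the live system and say what to do.
report() {
    status=0
    if check_ip_forward "$IP_FORWARD_FILE"; then
        echo "ok:   ip_forward is 1"
    else
        echo "FAIL: ip_forward is not 1; echo 1 > $IP_FORWARD_FILE (or set net.ipv4.ip_forward = 1 in /etc/sysctl.conf)"
        status=1
    fi
    if iptables-save 2>/dev/null | check_masq_rules; then
        echo "ok:   MASQUERADE on $EXTIF and FORWARD from $INTIF are present"
    else
        echo "FAIL: masquerading rules missing; rerun myscript"
        status=1
    fi
    return $status
}

# Run the live report only when invoked as ./masq-check; sourcing the file
# just defines the functions so they can be used from another script.
case "$0" in
    *masq-check) report ;;
esac
```

Save it as masq-check, chmod 755 it, and run it on the gateway after every network restart; a non-zero exit status means one of the two things the debugging notes tell you to fix is wrong.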

Conclusion I found myself restarting the network and rerunning the IP masquerading script on the Linux machine many times. However, I don't reboot my Linux machine very often. Rerunning the script, restarting the network cards, checking the content of /proc/sys/net/ipv4/ip_forward, and pinging from Windows 2000 to an outside IP and hostname are the tasks you will do many times until you get things right. Hope this helps.

Extra The following is another version of a simple firewall ruleset you can use for IP masquerading. Copy it, save it, and add it to your init script. I obtained this file from somewhere else. Name the file "rc.firewall", save it at /etc/rc.d/rc.firewall and make it executable (chmod 755 /etc/rc.d/rc.firewall). To run it automatically at boot time, call it from "/etc/rc.d/rc.local" as shown here:
#!/bin/sh
#/etc/rc.d/rc.local
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

echo "Loading the rc.firewall ruleset.. "
/etc/rc.d/rc.firewall
===============================================================
#!/bin/sh
#
# rc.firewall-2.4
FWVER=0.63
#
#               Initial SIMPLE IP Masquerade test for 2.4.x kernels
#               using IPTABLES.  
#
#               Once IP Masquerading has been tested, with this simple 
#               ruleset, it is highly recommended to use a stronger 
#               IPTABLES ruleset either given later in this HOWTO or 
#               from another reputable resource.
#
#
#
# Log:
#       0.63 - Added support for the IRC IPTABLES module
#       0.62 - Fixed a typo on the MASQ enable line that used eth0
#              instead of $EXTIF
#       0.61 - Changed the firewall to use variables for the internal
#              and external interfaces.
#       0.60 - 0.50 had a mistake where the ruleset had a rule to DROP
#              all forwarded packets but it didn't have a rule to ACCEPT
#              any packets to be forwarded either
#            - Load the ip_nat_ftp and ip_conntrack_ftp modules by default
#       0.50 - Initial draft
#

echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"


# The location of the 'iptables' program
#
#   If your Linux distribution came with a copy of iptables, most
#   likely it is located in /sbin.  If you manually compiled 
#   iptables, the default location is in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out 
# ** where your copy is and change the path below to reflect 
# ** your setup
#
IPTABLES=/sbin/iptables
#IPTABLES=/usr/local/sbin/iptables


#Setting the EXTERNAL and INTERNAL interfaces for the network
#
#  Each IP Masquerade network needs to have at least one
#  external and one internal network.  The external network
#  is where the natting will occur and the internal network
#  should preferably be addressed with a RFC1918 private address
#  scheme.
#
#  For this example, "eth0" is external and "eth1" is internal
#
#  NOTE:  If this doesn't EXACTLY fit your configuration, you must 
#         change the EXTIF or INTIF variables below. For example: 
#
#               EXTIF="ppp0" 
#
#            if you are a modem user.
#
EXTIF="eth0"
INTIF="eth1"
echo "   External Interface:  $EXTIF"
echo "   Internal Interface:  $INTIF"


#======================================================================
#== No editing beyond this line is required for initial MASQ testing ==


echo -en "   loading modules: "

# Need to verify that all modules have all required dependencies
#
echo "  - Verifying that all kernel modules are ok"
/sbin/depmod -a

# With the new IPTABLES code, the core MASQ functionality is now either
# modular or compiled into the kernel.  This HOWTO shows ALL IPTABLES
# options as MODULES.  If your kernel is compiled correctly, there is
# NO need to load the kernel modules manually.  
#
#  NOTE: The following items are listed ONLY for informational reasons.
#        There is no reason to manual load these modules unless your
#        kernel is either mis-configured or you intentionally disabled
#        the kernel module autoloader.
#

# Upon the commands of starting up IP Masq on the server, the
# following kernel modules will be automatically loaded:
#
# NOTE:  Only load the IP MASQ modules you need.  All current IP MASQ 
#        modules are shown below but are commented out from loading.
# ===============================================================

#Load the main body of the IPTABLES module - "iptable"
#  - Loaded automatically when the "iptables" command is invoked
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_tables, "
/sbin/insmod ip_tables


#Load the IPTABLES filtering module - "iptable_filter" 
#  - Loaded automatically when filter policies are activated


#Load the stateful connection tracking framework - "ip_conntrack"
#
# The conntrack  module in itself does nothing without other specific 
# conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
# module
#
#  - This module is loaded automatically when MASQ functionality is 
#    enabled 
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_conntrack, "
/sbin/insmod ip_conntrack


#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_ftp, "
/sbin/insmod ip_conntrack_ftp


#Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_irc, "
/sbin/insmod ip_conntrack_irc


#Load the general IPTABLES NAT code - "iptable_nat"
#  - Loaded automatically when MASQ functionality is turned on
# 
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "iptable_nat, "
/sbin/insmod iptable_nat


#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_nat_ftp, "
/sbin/insmod ip_nat_ftp


# Just to be complete, here is a list of the remaining kernel modules 
# and their function.  Please note that several modules should be only
# loaded by the correct master kernel module for proper operation.
# --------------------------------------------------------------------
#
#    ipt_mark       - this match selects packets carrying a given mark;
#                     the ipt_MARK target sets the mark for later action
#                     (for example by policy routing)
#
#    ipt_tcpmss     - this match selects packets by their TCP MSS option;
#                     the ipt_TCPMSS target rewrites the MSS, which is
#                     needed for braindead remote firewalls that drop the
#                     ICMP "fragmentation needed" messages
#
#    ipt_limit      - this match allows for packets to be limited to
#                     so many hits per sec/min/hr (commonly put in front
#                     of a LOG target so it cannot flood syslog)
#
#    ipt_multiport  - this match allows for a list of up to 15 ports
#                     vs. listing each port in its own rule
#
#    ipt_state      - this match selects packets by their connection
#                     tracking state: NEW, ESTABLISHED, RELATED or INVALID
#
#    ipt_unclean    - this match allows to catch packets that have invalid
#                     IP/TCP flags set (experimental in 2.4)
#
#    iptable_filter - this module provides the filter table whose chains
#                     DROP, REJECT or LOG packets.  Targets it uses:
#
#                     ipt_LOG - this target allows for packets to be 
#                               logged via syslog
#
#                     ipt_REJECT - this target DROPs the packet and returns 
#                                  a configurable ICMP error (or a TCP RST)
#                                  back to the sender.
# 
#    iptable_mangle - this table allows packet headers to be altered
#                     for things like the TCPMSS option, TOS and MARK

echo ".  Done loading modules."



#CRITICAL:  Enable IP forwarding, since it is disabled by default.
#
#           Redhat Users:  to make this permanent, set
#
#                       net.ipv4.ip_forward = 1
#
#                          in /etc/sysctl.conf (Redhat 7.x; older releases
#                          used FORWARD_IPV4=true in /etc/sysconfig/network).
#                          The network init script re-applies that file, so
#                          without it a network restart turns forwarding off.
#
echo "   enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward


# Dynamic IP users:
#
#   If you get your IP address dynamically from SLIP, PPP, or DHCP, 
#   enable this following option.  This enables dynamic-address hacking
#   which makes the life with Diald and similar programs much easier.
#
echo "   enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr


# Enable simple IP forwarding and Masquerading
#
#  NOTE:  In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
#
#  NOTE #2:  The following is an example for an internal LAN address in the
#            192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask
#            connecting to the Internet on external interface "eth0".  This
#            example will MASQ internal traffic out to the Internet but not
#            allow non-initiated traffic into your internal network.
#
#            
#         ** Please change the above network numbers, subnet mask, and your 
#         *** Internet connection interface name to match your setup
#         


#Clearing any previous configuration
#
#  Policies set here: INPUT and OUTPUT ACCEPT (the kernel default) and
#  FORWARD DROP, so nothing is forwarded unless a rule below allows it.
#  INPUT ACCEPT still leaves every service on the gateway itself reachable.
#
echo "   clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT 
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT 
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD 
$IPTABLES -t nat -F

echo "   FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# anything still in FORWARD here is logged (not rate limited, so watch your
# syslog) and then dropped by the policy set above
$IPTABLES -A FORWARD -j LOG

echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo -e "\nrc.firewall-2.4 v$FWVER done.\n"
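Both myscript and rc.firewall above leave the INPUT chain at ACCEPT, and the header of rc.firewall itself recommends moving to a stronger ruleset once masquerading is confirmed to work. The script below is an added example to show what that next step looks like; it is neither the page's own script nor the HOWTO's rc.firewall. It keeps rc.firewall's FORWARD behaviour, drops unsolicited traffic arriving on the cable side, still lets the DHCP client on eth0 receive its lease (DHCP replies are not tracked as ESTABLISHED when the request went out from 0.0.0.0, so they need an explicit rule), and drops packets that arrive from the Internet claiming a LAN source address. The interface names, the LAN range, the log prefixes and the rate limits are assumptions; adjust them to your setup.

```shell
#!/bin/sh
# gateway-rules: stateful ruleset for the masquerading gateway.
# Added example, not the page's myscript nor the HOWTO's rc.firewall.
# Interface names, LAN range, log prefixes and rate limits are assumptions.

EXTIF="${EXTIF:-eth0}"                 # cable modem side, address from DHCP
INTIF="${INTIF:-eth1}"                 # hub side, 192.168.0.1
LAN="${LAN:-192.168.0.0/24}"
IPTABLES="${IPTABLES:-/sbin/iptables}"

# rules: print one iptables argument list per line. Keeping the ruleset as
# data means you can review it ("show") before loading it ("apply").
# Comment lines inside the list are stripped before output.
rules() {
cat <<EOF | sed -e '/^#/d' -e '/^$/d'
# policies first: nothing comes in or through unless a rule below allows it
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-F INPUT
-F FORWARD
-F OUTPUT
-t nat -F
# traffic addressed to the gateway itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# a LAN source address arriving on the cable side is spoofed: drop it
-A INPUT -i $EXTIF -s $LAN -j DROP
-A INPUT -i $INTIF -s $LAN -j ACCEPT
# DHCP OFFER/ACK for the client on $EXTIF come from port 67 to port 68
-A INPUT -i $EXTIF -p udp --sport 67 --dport 68 -j ACCEPT
# answer pings from outside, but not a flood; log (rate limited) the rest
-A INPUT -i $EXTIF -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -i $EXTIF -m limit --limit 3/min -j LOG --log-prefix gw-in-drop:
# traffic routed through the gateway: same anti-spoof check, then the
# rc.firewall policy (LAN out freely, only replies back in)
-A FORWARD -i $EXTIF -s $LAN -j DROP
-A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $INTIF -o $EXTIF -s $LAN -j ACCEPT
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix gw-fwd-drop:
# rewrite LAN sources to the cable modem address on the way out
-t nat -A POSTROUTING -o $EXTIF -s $LAN -j MASQUERADE
EOF
}

# apply: feed every line to iptables; stop at the first rule that fails.
# A 2.4 kernel autoloads ip_tables, iptable_nat, ip_conntrack and ipt_state
# on first use; the FTP helpers (ip_conntrack_ftp, ip_nat_ftp) are not
# autoloaded and must be loaded as rc.firewall does if you need active FTP.
apply() {
    tmp=$(mktemp) || return 1
    rules > "$tmp"
    while read -r line; do
        # word splitting of $line into separate arguments is intended
        if ! $IPTABLES $line; then
            echo "failed: $IPTABLES $line" >&2
            rm -f "$tmp"
            return 1
        fi
    done < "$tmp"
    rm -f "$tmp"
}

# enable_forwarding: the kernel switch that a network restart resets to 0.
enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-}" in
    show)  rules ;;
    apply) apply && enable_forwarding ;;
    "")    ;;                          # no argument: only define the functions
    *)     echo "usage: $0 show|apply" >&2; exit 1 ;;
esac
```

Run sh gateway-rules show to read the rules it would load, then ./gateway-rules apply as root, and call it from /etc/rc.d/rc.local in place of rc.firewall. Because the INPUT policy is DROP, any service you later want reachable from the Internet (an ssh daemon, for instance) needs its own -A INPUT -i $EXTIF -p tcp --dport ... -j ACCEPT line placed before the LOG rule.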
