On 8/17/06, Matt Singerman <msingerman@xxxxxxxxxx> wrote:
Hi everyone, First off, I apologize if I am slightly incoherent, as thi problem has been driving me nuts for days now. I have used Linux before, and have even configured basic network settings, but I have never set up a machine as a gateway/firewall. I am now attempting to do this, but I am running into all sorts of problems. The gateway will be replacing an existing one which is beginning to show its age. It has static IP addresses for both the LAN and WAN, and the machines behind it (servers) have publically-addressable static IP addresses (not 10.x.x.x, 192.168.x.x, etc.). This is important, obviously. I have found numerous guides online for setting up a gateway and firewall using DHCP and NAT to use private IP ranges for machines on the LAN, but this is obviously not what I want to do. I cannot find any information about setting it up using all static IP addresses. I would assume that this would be if anything simpler to configure, but I am havind a devil of a time. Our local subnet is the entire 141.161.111.0/24 block (141.161.111.0-141.161.111.255). I have a working router on 141.161.111.241, and the subnet mask being used by all machines here is 255.255.255.0 Basically, I have eth0 configured to be the WAN connection, and it is working fine. I can ping machines off the network, and machines can ping it. Where I am running into problems is with IP forwarding actually allowing connections through. Here is eth0's config file: DEVICE=eth0 ONBOOT=yes BOOTPROTO=static IPADDR=141.161.111.243 GATEWAY=141.161.111.241 NETMASK=255.255.255.0 NETWORK=141.161.111.0 eth1 is configured to be the LAN interface. It has the following settings: DEVICE=eth1 BOOTPROTO=static BROADCAST=141.161.111.255 HWADDR=00:0E:2E:79:F6:17 IPADDR=141.161.111.242 GATEWAY=141.161.111.242 NETMASK=255.255.255.0 NETWORK=141.161.111.0 ONBOOT=yes I have modified /etc/sysctl.conf so that net.ipv4.ip_forward is set to 1. Other than that... I am at a loss as to what to do. Can anyone point me in the direction as to what my next step should be? Thanks! -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Hi Matt! I am no expert here but hope to learn about this sort of thing. A couple of things right off: 1. Probably not good to post your IPs on a Linux mail list. Espically giving any detail as to your actual network structure. The net is hostile. 2. I absolutely agree with Ed. First things first. You need to write out the goals of the network. If I were to guess it would be that you have some web service servers and some desktops in the mix. But, you are using a block of Public IPs for all!?!?! You are the owner of those Public IPs? Certianly in a labrotory setting not connected to the Internet you can do as you please, but you mention a "gateway" which could imply that at least that IP somehow has access to the Public Internet. I do not think you can have your public IPs on the inside and the Internet have the same IPs and the two be connected together. I would think you would need some Info for the list(s): The Computers: Apparently thier static IPs?: Services used: Applications used: Purpose(s) of network connection(s): Network hardware used: Expected network loading: The networks used: Purpose of the network: Range of IP/mask: Ports: Style of address management (e.g. DHCP): Style of Name Service (web/zone DNS): any other management services (LDAP, SNMP, Wins, etc...). Which Public Internet addresses do we own??!!?? Why do we own them (what are they expected to be used for?? Should we be using NAT??!!?? How many firewalls do I need? Where should they be placed? Note: possibley each box can have it's own firewall or two. If I use a special outside box how do I know that the box will not be compromised? Should I be useing network "sniffers" for security (sort of "cameras" on the network)? What auditing/security tools do my OSs, applications, and servers/desktops have (or should they have). You need, I think, to draw pictures and charts with the information above included in the picture/chart. I think you will find that this really helps. Good Hunting and Charting! Tod -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
