* Linux router
@ 2002-05-20 10:59 Sridhar J
2002-05-20 20:38 ` Petre Bandac
2002-05-21 0:57 ` Vince Coen
0 siblings, 2 replies; 11+ messages in thread
From: Sridhar J @ 2002-05-20 10:59 UTC (permalink / raw)
To: linux-newbie
Hello
I have an old Cyrix system that I would like to turn into a router-firewall
and put it before my Webserver. I would also like to have my IDS running on
this. No other service should run on this. No apps, nothing.
How do I go about it? What distro should I choose? What files do I have to
edit to make these changes?
Regards
Sridhar
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs
* Re: Linux router
[not found] <F4D3DB9A18752A4F99FD880ABC5407179D136B@ccdc-exchg.careercommunity.com>
@ 2002-05-20 17:49 ` Ray Olszewski
0 siblings, 0 replies; 11+ messages in thread
From: Ray Olszewski @ 2002-05-20 17:49 UTC (permalink / raw)
To: Sridhar J, linux-newbie
At 04:29 PM 5/20/02 +0530, Sridhar J wrote:
>Hello
>
>I have an old Cyrix system that I would like to turn into a router-firewall
>and put it before my Webserver. I would also like to have my IDS running on
>this. No other service should run on this. No apps, nothing.
>
>How do I go about it? What distro should I choose? What files do I have to
>edit to make these changes?
There are far too many possibilities for me (or anyone) to give you a
single, definitive answer. The two options I personally like are:
1. Strip down a standard distro so it does what you want. I've personally
done this with Debian, and I know of others who have done it with Red Hat.
2. Use one of the mini-distros customized for router/firewall setups. The
one I personally like is LEAF/Dachstein, which you can find out about at
leaf.sourceforge.net . There are many others.
You say "No other service should run on this". I'm not sure what IDS means
(DNS, perhaps?), but the services you *may* want to run on the router are
ssh (so you can do remote troubleshooting), DNS (so it acts as a forwarder
for the LAN), ident/auth (if you need it for any of the services your
clients run), and maybe SMTP (depending on how the system logs). You also
say "No apps, nothing", but systems like this typically run syslogd and
cron (for obvious reasons), a time client like ntpdate (so timestamps are
accurate), and some process that watches for local logins (getty or a
cousin). You'll also need the configuration tools that the required startup
scripts and troubleshooting situations expect -- bash, ifconfig, route,
netstat, and others.
Mini-distros like LEAF are a good starting place for this sort of
customization, because experienced people have done the work of cutting
back to what is still needed, but not to less than what is really needed.
* Re: Linux router
2002-05-20 10:59 Sridhar J
@ 2002-05-20 20:38 ` Petre Bandac
2002-05-21 0:57 ` Vince Coen
1 sibling, 0 replies; 11+ messages in thread
From: Petre Bandac @ 2002-05-20 20:38 UTC (permalink / raw)
To: Sridhar J, linux-newbie
<advertise>
get slackware !!!
</advertise>
On Monday 20 May 2002 13:59, Sridhar J wrote using one of his keyboards:
> Hello
>
> I have an old Cyrix system that I would like to turn into a router-firewall
> and put it before my Webserver. I would also like to have my IDS running on
> this. No other service should run on this. No apps, nothing.
>
> How do I go about it? What distro should I choose? What files do I have to
> edit to make these changes?
>
> Regards
> Sridhar
--
11:37pm up 7 min, 1 user, load average: 0.01, 0.11, 0.08
* Linux router
2002-05-20 10:59 Sridhar J
2002-05-20 20:38 ` Petre Bandac
@ 2002-05-21 0:57 ` Vince Coen
1 sibling, 0 replies; 11+ messages in thread
From: Vince Coen @ 2002-05-21 0:57 UTC (permalink / raw)
To: linux-newbie
Originally to: Sridhar J
Hello Sridhar!
Monday May 20 2002 16:29, Sridhar J wrote to All:
SJ> I have an old Cyrix system that I would like to turn into a
SJ> router-firewall and put it before my Webserver. I would also like to have
SJ> my IDS running on this. No other service should run on this. No apps,
SJ> nothing.
SJ> How do I go about it? What distro should I choose? What files do I have
SJ> to edit to make these changes?
I use Freesco; it comes as a 1/2 floppy package. I installed it on a 486/66 with 32 MB RAM and a 205 MB HD. Works very well. Simple install: installed MS-DOS, downloaded Freesco onto a Win box, unzipped it, ran the install onto a floppy; on the 486: booted the floppy, installed onto the HD, booted into Freesco Linux, ran the simple install and ISP data, rebooted, done.
Vince
<-> Gateway Information.
This message originated from a Fidonet System (http://www.fidonet.org)
and was gated at TCOB1 (http://www.tcob1.net)
Please do not respond direct to this message but via the list
* Linux Router
@ 2005-02-06 17:36 spdesai
2005-02-06 19:46 ` Jason Opperisano
2005-02-07 20:43 ` srg
0 siblings, 2 replies; 11+ messages in thread
From: spdesai @ 2005-02-06 17:36 UTC (permalink / raw)
To: netfilter
Hi
I have one Linux machine with two NIC cards. One is connected to the internet and
one to a private PC. Below is my IP configuration:
eth0: Valid IP: xxx.xxx.xxx.68
Mask: 255.255.255.192
Gateway: xxx.xxx.xxx.65
eth1: Invalid IP: 192.168.1.1
Mask : 255.255.255.0
Gateway: xxx.xxx.xxx.65
Now when I connect eth1 to the Windows machine, I can ping up to eth0's valid IP, i.e.
xxx.xxx.xxx.68, but could not ping xxx.xxx.xxx.65, which is the gateway IP of the Linux machine.
I have enabled ip_forward, set to 1, on the Linux machine.
My Windows machine IP is:
IP: 192.168.1.2
Mask: 255.255.255.0
GW: 192.168.1.1
Pl. give me the solution so I can ping xxx.xxx.xxx.65 from my Windows machine.
Thanks in advance
suhag.
-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/
* Re: Linux Router
2005-02-06 17:36 Linux Router spdesai
@ 2005-02-06 19:46 ` Jason Opperisano
2005-02-07 20:43 ` srg
1 sibling, 0 replies; 11+ messages in thread
From: Jason Opperisano @ 2005-02-06 19:46 UTC (permalink / raw)
To: netfilter
On Sun, 2005-02-06 at 12:36, spdesai@gnvfc.net wrote:
> Hi
>
> I have one Linux machine with two NIC cards. One is connected to the internet and
> one to a private PC. Below is my IP configuration:
>
> eth0: Valid IP: xxx.xxx.xxx.68
> Mask: 255.255.255.192
> Gateway: xxx.xxx.xxx.65
>
> eth1: Invalid IP: 192.168.1.1
> Mask : 255.255.255.0
> Gateway: xxx.xxx.xxx.65
you shouldn't have a default gateway on your internal interface.
default gateway == gateway of last resort; i.e., there's one (barring
some specific multipath routing situation).
> Now when I connect eth1 to the Windows machine, I can ping up to eth0's valid IP, i.e.
> xxx.xxx.xxx.68, but could not ping xxx.xxx.xxx.65, which is the gateway IP of the Linux machine.
>
> I have enabled ip_forward, set to 1, on the Linux machine.
>
> My Windows machine IP is:
> IP: 192.168.1.2
> Mask: 255.255.255.0
> GW: 192.168.1.1
>
> Pl. give me the solution so I can ping xxx.xxx.xxx.65 from my Windows machine.
my guess is that you haven't created an outbound MASQ/SNAT rule (at
least you don't say you have):
# IF YOUR ETH0 IP IS STATIC
iptables -t nat -A POSTROUTING -o eth0 \
-j SNAT --to-source xxx.xxx.xxx.68
-OR-
# IF YOUR ETH0 IP IS DYNAMIC
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
--
"I've always wondered if there was a god. And now I know there is --
and it's me."
--The Simpsons
* Re: Linux Router
2005-02-06 17:36 Linux Router spdesai
2005-02-06 19:46 ` Jason Opperisano
@ 2005-02-07 20:43 ` srg
1 sibling, 0 replies; 11+ messages in thread
From: srg @ 2005-02-07 20:43 UTC (permalink / raw)
To: spdesai, netfilter
Hello:
You have two solutions (one excludes the other):
1. NO nat in the Linux machine.
The solution is adding a static route at the router (.65) in the form:
ip route add 192.168.1.0/24 via xxx.xxx.xxx.68
With this solution traffic from your private network is seen by the
router with the real source address (192.168.1.x).
Of course, if you want this traffic to go to the Internet, then the router
must do source nat (because the source addr will be a private one).
2. nat in the Linux machine.
iptables -A POSTROUTING -t nat -o eth0 -s 192.168.1.0/24 -d 0/0 -j MASQUERADE
With this solution, traffic originating in your private net will have the
xxx.xxx.xxx.68 source address when the packets leave the Linux machine,
so when the packets arrive at the router (xxx.xxx.xxx.65) they will have the
xxx.xxx.xxx.68 addr (in other words, if you want, those packets can go
directly to the Internet without the need of another nat in the router).
spdesai@gnvfc.net wrote:
>Hi
>
>I have one Linux machine with two NIC cards. One is connected to the internet and
>one to a private PC. Below is my IP configuration:
>
>eth0: Valid IP: xxx.xxx.xxx.68
> Mask: 255.255.255.192
> Gateway: xxx.xxx.xxx.65
>
>eth1: Invalid IP: 192.168.1.1
> Mask : 255.255.255.0
> Gateway: xxx.xxx.xxx.65
>
>
>Now when I connect eth1 to the Windows machine, I can ping up to eth0's valid IP, i.e.
>xxx.xxx.xxx.68, but could not ping xxx.xxx.xxx.65, which is the gateway IP of the Linux machine.
>
>I have enabled ip_forward, set to 1, on the Linux machine.
>
>My Windows machine IP is:
>IP: 192.168.1.2
>Mask: 255.255.255.0
>GW: 192.168.1.1
>
>Pl. give me the solution so I can ping xxx.xxx.xxx.65 from my Windows machine.
>
>Thanks in advance
>
>suhag.
* Linux Router
@ 2007-09-22 23:09 Carlos Narváez
2007-09-23 2:10 ` ben soo
2007-09-23 6:39 ` Benny Amorsen
0 siblings, 2 replies; 11+ messages in thread
From: Carlos Narváez @ 2007-09-22 23:09 UTC (permalink / raw)
To: linux-kernel
This is starting to frustrate me, because it should be much simpler
than it seems to be, and I feel like I'm missing something small and
obvious.
I have two private networks, we'll say 192.168.254.0/24 and
192.168.251.0/24. And I have a linux box in the middle with addresses
192.168.254.17 and 192.168.251.10:
+---------------+     +----------------+
| 192.168.251.1 +-----+ 192.168.251.10 |     +----------------+
+---------------+     | 192.168.254.17 +-----+ 192.168.254.16 |
                      +----------------+     +----------------+
There is no NAT involved.. I just want the box in the middle to pass
traffic between the two networks. Here is what I have done:
- IP Forwarding has been enabled on the router via "echo 1 >
/proc/sys/net/ipv4/ip_forward"
- A route has been configured on 192.168.251.1 to point all traffic
for 192.168.254.0/24 to 192.168.251.10.
- A route has been configured on 192.168.254.16 to point all traffic
for 192.168.251.0/24 to 192.168.254.17.
- The command "iptables -I FORWARD -j ACCEPT" has been executed.
Now.. here's what happens. 192.168.251.10 can ping both interfaces on
the router. 192.168.254.16 can also ping both interfaces on the
router. However, 192.168.251.1 cannot ping 192.168.254.16, and
likewise, 192.168.254.16 cannot ping 192.168.251.1.
What have I forgotten?
--
Carlos Narváez
http://www.juegopixel.com
* Re: Linux Router
2007-09-22 23:09 Carlos Narváez
@ 2007-09-23 2:10 ` ben soo
2007-09-23 6:25 ` Jan Engelhardt
2007-09-23 6:39 ` Benny Amorsen
1 sibling, 1 reply; 11+ messages in thread
From: ben soo @ 2007-09-23 2:10 UTC (permalink / raw)
To: Carlos Narváez, Kernel Mailing list
I used to add proxy ARPs on the router when I had problems like
this. Dunno if it's the recommended fix, but it worked.
http://en.wikipedia.org/wiki/Proxy_arp
Carlos Narváez wrote:
> This is starting to frustrate me, because it should be much simpler
> than it seems to be, and I feel like I'm missing something small and
> obvious.
>
> I have two private networks, we'll say 192.168.254.0/24 and
> 192.168.251.0/24. And I have a linux box in the middle with addresses
> 192.168.254.17 and 192.168.251.10:
>
>
> +---------------+     +----------------+
> | 192.168.251.1 +-----+ 192.168.251.10 |     +----------------+
> +---------------+     | 192.168.254.17 +-----+ 192.168.254.16 |
>                       +----------------+     +----------------+
>
>
> There is no NAT involved.. I just want the box in the middle to pass
> traffic between the two networks. Here is what I have done:
>
> - IP Forwarding has been enabled on the router via "echo 1 >
> /proc/sys/net/ipv4/ip_forward"
>
> - A route has been configured on 192.168.251.1 to point all traffic
> for 192.168.254.0/24 to 192.168.251.10.
>
> - A route has been configured on 192.168.254.16 to point all traffic
> for 192.168.251.0/24 to 192.168.254.17.
>
> - The command "iptables -I FORWARD -j ACCEPT" has been executed.
>
> Now.. here's what happens. 192.168.251.10 can ping both interfaces on
> the router. 192.168.254.16 can also ping both interfaces on the
> router. However, 192.168.251.1 cannot ping 192.168.254.16, and
> likewise, 192.168.254.16 cannot ping 192.168.251.1.
>
> What have I forgotten?
>
* Re: Linux Router
2007-09-23 2:10 ` ben soo
@ 2007-09-23 6:25 ` Jan Engelhardt
0 siblings, 0 replies; 11+ messages in thread
From: Jan Engelhardt @ 2007-09-23 6:25 UTC (permalink / raw)
To: ben soo; +Cc: Carlos Narváez, Kernel Mailing list
On Sep 22 2007 22:10, ben soo wrote:
>
> I used to add proxy ARPs on the router when I had problems like this. Dunno
> if it's the recommended fix, but it worked.
There is certainly no Proxy ARP required here since you do not
do subnet sharing or funny games like that.
> http://en.wikipedia.org/wiki/Proxy_arp
>
> Carlos Narváez wrote:
>> +---------------+     +----------------+
>> | 192.168.251.1 +-----+ 192.168.251.10 |     +----------------+
>> +---------------+     | 192.168.254.17 +-----+ 192.168.254.16 |
>>                       +----------------+     +----------------+
>>
>> - A route has been configured on 192.168.251.1 to point all traffic
>> for 192.168.254.0/24 to 192.168.251.10.
>>
>> - A route has been configured on 192.168.254.16 to point all traffic
>> for 192.168.251.0/24 to 192.168.254.17.
>>
>> - The command "iptables -I FORWARD -j ACCEPT" has been executed.
Well, and do the counters increase?
>> Now.. here's what happens. 192.168.251.10 can ping both interfaces on
>> the router. 192.168.254.16 can also ping both interfaces on the
>> router. However, 192.168.251.1 cannot ping 192.168.254.16, and
>> likewise, 192.168.254.16 cannot ping 192.168.251.1.
>>
>> What have I forgotten?
Default GWs (though if you have routes, ok..).
On 251.1, use `ip r g 192.168.254.16` and it should
show "192.168.254.16 via 192.168.251.10 dev eth0 ...".
Same on the other side.
* Re: Linux Router
2007-09-22 23:09 Carlos Narváez
2007-09-23 2:10 ` ben soo
@ 2007-09-23 6:39 ` Benny Amorsen
1 sibling, 0 replies; 11+ messages in thread
From: Benny Amorsen @ 2007-09-23 6:39 UTC (permalink / raw)
To: linux-kernel
>>>>> "CN" == Carlos Narváez <crakup@gmail.com> writes:
CN> - IP Forwarding has been enabled on the router via "echo 1 >
CN> /proc/sys/net/ipv4/ip_forward"
Try cat /proc/sys/net/ipv4/conf/*/forwarding. If any of them are 0,
then echo 1 > /proc/sys/net/ipv4/conf/all/forwarding.
/Benny
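The 2005 netfilter thread and the 2007 kernel thread above both reduce to the same three questions: does every hop have a route for the packet, is forwarding on for the NIC the packet arrives on, and can the reply find its way back? As an added example that is not part of any message in this thread, the Python model below walks a ping request and its reply across the hosts described: spdesai's two-NIC box with srg's static route and Jason's SNAT as the two alternative fixes, and a router whose per-interface forwarding flags mirror Benny's check. The names Host, deliver, ping and spdesai_case are this example's own, and 203.0.113.x is a constructed stand-in for the xxx.xxx.xxx.x public block.

```python
from ipaddress import ip_address, ip_network

class Host:
    # ifaces {name: "addr/len"}; routes [(prefix, next_hop or None if connected, out_iface)];
    # forward {ingress_nic: 0/1} like conf/<if>/forwarding; snat {out_nic: new_src} like POSTROUTING SNAT
    def __init__(self, ifaces, routes, forward=None, snat=None):
        self.ifaces, self.routes, self.forward, self.snat = ifaces, routes, forward or {}, snat or {}

    def iface_for(self, addr):
        return next((n for n, c in self.ifaces.items() if c.split("/")[0] == addr), None)

    def route(self, dst):
        """Longest-prefix match -> (next_hop, out_iface) or None; what `ip route get` would show."""
        hits = [(ip_network(p), via or dst, dev) for p, via, dev in self.routes if ip_address(dst) in ip_network(p)]
        return max(hits, key=lambda h: h[0].prefixlen)[1:] if hits else None

def owner(hosts, addr):
    return next((h for h in hosts if h.iface_for(addr)), None)

def deliver(hosts, src, dst):
    """Walk one packet hop by hop; returns (reached, source address the receiver sees)."""
    cur, in_if = owner(hosts, src), None
    for _ in range(8):                       # hop limit guards against routing loops
        if cur is None:
            return False, src
        if cur.iface_for(dst):
            return True, src
        if in_if and not cur.forward.get(in_if, 0):
            return False, src                # transit packet, but forwarding is off on the ingress NIC
        hop = cur.route(dst)
        if hop is None:                      # no route: the ISP gateway's view of 192.168.1.0/24
            return False, src
        src = cur.snat.get(hop[1], src)      # SNAT/MASQUERADE rewrites the source on egress
        cur = owner(hosts, hop[0])
        in_if = cur.iface_for(hop[0]) if cur else None
    return False, src

def ping(hosts, src, dst):
    """True when the echo request reaches dst and the echo reply makes it back to src."""
    ok, seen = deliver(hosts, src, dst)
    back = ok and deliver(hosts, dst, seen)[0]
    if back and seen != src:                 # conntrack reverses the SNAT at the router,
        back = deliver(hosts, seen, src)[0]  # which then forwards the reply onto the LAN
    return back

def spdesai_case(static_route=False, snat=False):
    """The netfilter-list setup; 203.0.113.x is a constructed stand-in for the xxx.xxx.xxx.x block."""
    pc = Host({"eth0": "192.168.1.2/24"}, [("192.168.1.0/24", None, "eth0"), ("0.0.0.0/0", "192.168.1.1", "eth0")])
    box = Host({"eth0": "203.0.113.68/26", "eth1": "192.168.1.1/24"},
               [("203.0.113.64/26", None, "eth0"), ("192.168.1.0/24", None, "eth1"), ("0.0.0.0/0", "203.0.113.65", "eth0")],
               forward={"eth0": 1, "eth1": 1}, snat={"eth0": "203.0.113.68"} if snat else None)
    isp = Host({"eth0": "203.0.113.65/26"}, [("203.0.113.64/26", None, "eth0")]
               + ([("192.168.1.0/24", "203.0.113.68", "eth0")] if static_route else []), forward={"eth0": 1})
    return [pc, box, isp]
```

Only routing, the per-interface forwarding flag and source NAT are modelled; the FORWARD chain policy and ARP are not, so a failure here points at a missing route or a forwarding flag, not at the packet filter.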