
sharing internet connection with debian

  • 09-07-2007 10:43pm
    #1
    Closed Accounts Posts: 2,000 ✭✭✭


    hi lads, just installed new debian4 and tried to share internet connection (eircom box)

    this is what it looks like:

    line -> eircom modem (dhcp on 10.0.0.x) -> eth0(10.0.0.1 by dhclient) -> debian -> eth1(192.168.1.1 no dhcp) -> switch -> computers (fixed 192.168.1.x addresses)

    1. can ping server<->computers, no problems
    2. there is internet on server
    3. there is no internet on clients (192.xxx.xxx.xxx)

    iptables:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -F
    iptables -X
    iptables -t nat -X
    iptables -t nat -F

    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT

    iptables -A INPUT -i lo -j ACCEPT
    iptables -A FORWARD -o lo -j ACCEPT

    iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
    iptables -A FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED
    iptables -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED

    iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
    iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT

    ---

    why is it not working?


Comments

  • Registered Users, Registered Users 2 Posts: 3,568 ✭✭✭ethernet


    Not meaning to sound like a smart-ass, but it would be easier if you just let all clients be assigned an IP by DHCP by the eircom router. I don't think mixing subnets and private IP addresses [192.168.x.x and 10.0.x.x] will work, or at least not without a lot of work.


  • Closed Accounts Posts: 2,000 ✭✭✭fl4pj4ck


    don't get me wrong but i have about 50 PCs and i doubt the eircom router will do all the work


  • Registered Users, Registered Users 2 Posts: 1,636 ✭✭✭henbane


    I cobbled something together from this HOWTO last week. May be of some help to you.


  • Registered Users, Registered Users 2 Posts: 5,335 ✭✭✭Cake Fiend


    fl4pj4ck wrote:
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A FORWARD -o lo -j ACCEPT

    Been a long time since I worked with iptables, but try this and see if it makes any difference:

    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -i eth1 -j ACCEPT
    iptables -A FORWARD -i eth1 -j ACCEPT <- actually, never mind this, just spotted your later rule for the 192 range
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    TBH, I'd try the Eircom router first, then go back to the linux box if that doesn't work out.

    ethernet wrote:
    I don't think mixing subnets and private IP addresses [192.168.x.x and 10.0.x.x] will work, or at least not without a lot of work.

    Most stuff will work fine. Double-NAT-ing can bollox up some protocols, but your basic web, etc will work without issue.


  • Registered Users, Registered Users 2 Posts: 2,755 ✭✭✭niallb


    No problem with having 10.0.0.1 on the outside and 192.168.0.0/24 on the inside. If it's routing at all for you, it'll manage that. Keeps things nice and clear in your logs too.

    Try clearing your rules, and installing ipmasq.
    apt-get install ipmasq should be all that's needed if the machine already knows that eth0 has its default route.

    once that's installed, do an iptables-save to get a look at that
    set of rules. That should help.

    Decide how you want to give internet access as well though.
    Do you want to masq out everything like that example, or
    might you be better off offering squid for internet access,
    and running an smtp relay on the debian box for outbound mail.
    Make a list of what services are required, and satisfy just those.
    Don't know how complicated your needs are, but the less internet
    access the inside boxes have the better if you've 50 of them :-)

    ipmasq is fine if you're happy to give all the boxes full access.

    Good luck,
    NiallB

    Edit: Good point about double natting, Cakefiend.
    You might be better off bridging the router through completely
    so that your debian box appears on all ports of the external link.
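
One way to combine niallb's advice (list the required services and allow only those) with Cake Fiend's `-o eth0` MASQUERADE rule, for the eth0/eth1 layout in the first post. This is an added example, not any poster's configuration; the service list (DNS, HTTP, HTTPS), the function name `gen_ruleset` and the script name in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Prints an iptables-restore ruleset for
# the topology in the first post; nothing is applied until you pipe it.
WAN_IF=eth0               # towards the eircom modem (10.0.0.x via dhclient)
LAN_IF=eth1               # towards the switch
LAN_NET=192.168.1.0/24
# Assumed service list (proto:port) the LAN may reach: DNS, HTTP, HTTPS.
ALLOWED="udp:53 tcp:53 tcp:80 tcp:443"

gen_ruleset() {
    echo "*nat"
    echo ":POSTROUTING ACCEPT [0:0]"
    # Masquerade only LAN traffic that actually leaves via the WAN interface.
    echo "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
    echo "COMMIT"
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # LAN hosts may talk to the gateway itself (e.g. a local proxy or relay).
    echo "-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT"
    echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for svc in $ALLOWED; do
        proto=${svc%%:*}
        port=${svc##*:}
        echo "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p $proto --dport $port -m state --state NEW -j ACCEPT"
    done
    # Log (rate-limited) whatever the LAN tried that the list does not cover.
    echo "-A FORWARD -i $LAN_IF -m limit --limit 5/min -j LOG --log-prefix \"fwd-drop: \""
    echo "COMMIT"
}

# Print the ruleset when called as: sh gateway-rules.sh print
if [ "${1:-}" = "print" ]; then
    gen_ruleset
fi
```

As root, piping the printed ruleset into `iptables-restore` loads it; forwarding still has to be enabled with `echo 1 > /proc/sys/net/ipv4/ip_forward` as in the first post.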


  • Closed Accounts Posts: 2,000 ✭✭✭fl4pj4ck


    niallb wrote:
    Good point about double natting Cakefiend
    You might be better off bridging the router through completely
    so that your debian box appears on all ports of the external link

    thanks guys, will try this today. about double NAT-ing - i don't mind, need only basic www and in this case double NAT-ing works as a firewall


  • Registered Users, Registered Users 2 Posts: 5,335 ✭✭✭Cake Fiend


    fl4pj4ck wrote:
    thanks guys, will try this today. about double NAT-ing - i don't mind, need only basic www and in this case double NAT-ing works as a firewall

    Single NAT-ing works as a firewall (sort of). Doing it twice isn't going to give you any more protection, unless you were planning on having a kind of DMZ between the router and the Debian box.

    I'd second niallb's idea of setting the router to bridge mode (if your model can bridge) and using the Debian box as your ultimate border host. You may well achieve more firewall/NAT flexibility by doing this. If you still need a DMZ, you can always stick a third NIC into the Debian system.


  • Closed Accounts Posts: 2,000 ✭✭✭fl4pj4ck


    Cake Fiend wrote:
    Single NAT-ing works as a firewall (sort of). Doing it twice isn't going to give you any more protection, unless you were planning on having a kind of DMZ between the router and the Debian box.

    I'd second niallb's idea of setting the router to bridge mode (if your model can bridge) and using the Debian box as your ultimate border host. You may well achieve more firewall/NAT flexibility by doing this. If you still need a DMZ, you can always stick a third NIC into the Debian system.

    as long as i need only www, i'm not going to do anything else atm

