Network Gateway Issue w/ dual NIC's, static IP's


Google searched far and wide, and decided I need some help with this.

What I am attempting to do (still a Linux newbie):
Slowly put my home PCs behind my Linux gateway, and eventually move my work PCs behind my gateway. Since I am still learning and need to keep my work PCs active on the internet, I want to initially have router1 give a static IP to my Linux box and dynamic IPs to my work PCs (sounds simple). Running on a dual AMD 64. Plain server, no GUI.

Here's my scenario:
Bridged DSL modem into router1. From router1, a static IP to eth1 (EXTIF) on the Linux server (gateway); the other router ports are for my work PCs. Linux server (gateway) eth0 (INTIF) static to router2. Router2 will DNS to my home PCs.

/etc/network/interfaces
auto lo eth0 eth1
iface lo inet loopback
# eth0 LAN interface
iface eth0 inet static
address 192.168.2.100
network 192.168.2.0
broadcast 192.168.2.255
netmask 255.255.255.0
gateway 192.168.2.1

# eth1 WAN interface
iface eth1 inet static
address 192.168.1.20
network 192.168.1.0
netmask 255.255.255.0
broadcast 192.168.1.255
gateway 192.168.1.1

ifconfig
eth0 Link encap:Ethernet HWaddr 00:30:48:5f:19:b6
inet addr:192.168.2.100 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::230:48ff:fe5f:19b6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:49 errors:0 dropped:0 overruns:0 frame:0
TX packets:30 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2940 (2.8 KiB) TX bytes:2028 (1.9 KiB)
Interrupt:30

eth1 Link encap:Ethernet HWaddr 00:30:48:5f:19:b7
inet addr:192.168.1.20 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::230:48ff:fe5f:19b7/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:109 errors:0 dropped:0 overruns:0 frame:0
TX packets:104 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:12629 (12.3 KiB) TX bytes:11773 (11.4 KiB)
Interrupt:31 Base address:0xe000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:26 errors:0 dropped:0 overruns:0 frame:0
TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2275 (2.2 KiB) TX bytes:2275 (2.2 KiB)

route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth1
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth0

iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

router2
ip address 192.168.2.101
subnet mask 255.255.255.0
default gateway 162.168.2.1

From the Linux server I can ping anywhere. From router2 diagnostics I can ping (eth0) 192.168.2.100. I cannot ping through (eth0) 192.168.2.100 to (eth1) 192.168.1.20.
From router1 I cannot ping through (eth1) 192.168.1.20 to (eth0) 192.168.2.100 (which currently is not a concern).

I have tried many different combinations from countless forums. Am I on the wrong path to do what I need? What am I doing wrong?

Appreciate your time to review my dilemma, and thank you.

Re: Network Gateway Issue w/ dual NIC's, static IP's


> slowly put my home PC's behind my Linux gateway

Why slowly? Smile

Okay, some of the below will relay my own personal preferences, but what you're doing is not uncommon.

The first thing I wonder about is what your work PCs are doing. Meaning anything odd? Odd ports? Do they need to be accessible from the wider Internet? If so, with what protocols/ports?

Or are the work PCs just making "outgoing" connections (ssh, web/port 80, FTP, etc.) to other machines out on the Internet?

I'll assume the latter; that the work PCs are just normal "PCs" and are making outgoing connections and do not need to be "inbound-accessible" from the Internet. If that's the case, what you're talking about is simply using GNU/Linux as a gateway machine.

My preference is to avoid writing firewall scripts. They're not all that difficult, but they're very easy to screw up. Typos seem to have a magnetic attraction to firewall scripts. Smile But even better, there are brighter people than I who have already done a lot of work in that area. And the power of Debian is relying on lots of bright people.

What I'd do is to turn the DSL modem into "bridging mode" and to make that "black box" DSL modem/router as dumb as possible. This is a personal preference. Debian is easy to maintain. Maintaining and memorizing the bugs and quirks of black boxes is a PITA. Putting the DSL modem into "bridging mode" and having Debian log into your ISP and to be directly assigned a real IP address simplifies things. (It'll also allow you to "touch" your Debian box from anywhere on the Internet, though running something like a web server on your home Debian box may violate your ISP's terms of service and/or be blocked by your ISP.) It also avoids having to go through 2 gyrations of 192.168.*.* packet conversions/forwarding.

It sounds like you may have already put the DSL modem into bridge mode. If not, first install the Debian "pppoeconf" package. Most DSL links actually connect with pppoe and that will install a slick little configuration program and the pppoe guts. Then call your ISP and tell them you're using an "ssh application" and need to put your DSL modem into "bridge mode". They deal enough with that request that they're likely used to it and will just walk you through doing it.

Once that's done, after running pppoeconf you can test out your DSL connection with "pon dsl-provider", and disconnect with "poff". That should assign a valid, real live IP address to eth1. Voila! You'll then have a live Debian box connected to the Internet.

Now -- quick! -- type "poff" because you're running that box connected to the Internet without a firewall. Smile

What I'd suggest is to install the Debian package "arno-iptables-firewall". Debian has about a dozen different firewalls included in its stable release, and you may find one more to your liking. But Arno's firewall has been around for a while, is proven, and is dripping with easy-to-configure features.

For example, Arno's firewall will allow you to easily create a "de-militarized zone" for various machines. It'll allow you to open or close ports easily, and to mindlessly do things like port forwarding. And, once you tweak its config file to tell it about your 192.168.*.* network on the other ethernet card, it'll perform as an IP masquerading "gateway". Believe me, you'll spend less time reading the config file than you will picking out typos from your iptables scripts.

yes, my work PC's access


Yes, my work PCs access standard internet VPN, FTP, SSH, etc., and yes, my modem is already set for bridging. I am using router1 to supply my Linux gateway and my work PCs with access to the internet. My Linux box is already connected to the internet and works great. My real problem is passing through INTIF (eth0) to EXTIF (eth1). I have even turned off all scripts in my firewall, so that it is open. It's like the forwarding is not working, I'm guessing.
My forwarding script is (where EXTIF=eth1 and INTIF=eth0):
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

And yes, ip_forward is on.
I am in the process of playing with Arno. Wish I had larger blocks of time to focus on this, so things would progress more quickly.
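An added example, not code from the thread or from any of the posters, showing the minimal shape of the two-NIC masquerading gateway described in the original question and in the forwarding script above. It assumes the thread's layout (EXTIF=eth1 towards router1, INTIF=eth0 towards router2, home LAN 192.168.2.0/24); the function and variable names are mine. Two points the thread itself raises are built in: the rules are generated as text first so the interface names can be checked before anything is applied (the final fix in the thread was a swapped interface reference), and a POSTROUTING MASQUERADE rule on EXTIF is included, because without source NAT router1 would need its own route back to 192.168.2.0/24 via 192.168.1.20 for replies to reach the home LAN (the thread only shows the filter table, so whether such a rule existed is not visible). The script leaves routing alone and assumes the box has a single default route on EXTIF; the `route -n` output in the question shows two.

```shell
#!/bin/sh
# Added example (not from the thread): a small two-NIC masquerading gateway.
# Assumed layout: EXTIF=eth1 (towards router1), INTIF=eth0 (towards router2),
# home LAN 192.168.2.0/24. Override the three variables to match your box.
EXTIF="${EXTIF:-eth1}"
INTIF="${INTIF:-eth0}"
LAN_NET="${LAN_NET:-192.168.2.0/24}"

# check_ifaces EXT INT: both names must be set and must differ. A swapped or
# duplicated interface reference yields rules that never match, so refuse early.
check_ifaces() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# gateway_rules EXT INT LAN: print the commands, one per line, without running
# anything, so the rule set can be reviewed before it touches a live box.
# FORWARD is flushed and defaults to DROP; only LAN-sourced traffic may go out,
# and only replies to it may come back in. MASQUERADE rewrites the LAN source
# address to EXTIF's address so the upstream router can route the replies.
gateway_rules() {
    ext="$1"; int="$2"; lan="$3"
    check_ifaces "$ext" "$int" || return 1
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -A FORWARD -i $ext -o $int -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $int -o $ext -s $lan -j ACCEPT
iptables -t nat -A POSTROUTING -o $ext -s $lan -j MASQUERADE
EOF
}

# apply_rules: execute the generated commands one by one (root required).
# The loop runs in a pipeline subshell, so a failure exits that subshell and
# the pipeline's status reports it to the caller.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    gateway_rules "$EXTIF" "$INTIF" "$LAN_NET" | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || exit 1
    done
}

# Default action is a dry run that only prints the rules; pass --apply to run them.
case "${1:-}" in
    --apply) apply_rules ;;
    *) gateway_rules "$EXTIF" "$INTIF" "$LAN_NET" ;;
esac
```

Run it once without arguments and read the printed `-i`/`-o` pairs against your cabling before running it with `--apply`; `iptables -t nat -L POSTROUTING -n -v` afterwards should show the MASQUERADE counters climbing as a home PC browses, and `cat /proc/sys/net/ipv4/ip_forward` should read 1.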

Well, finally got it ironed


Well, finally got it ironed out. Ended up having one of my IF references swapped, crap!!
I took a look at Arno. But I prefer messing with the iptables by hand. It helps me to know and understand my system more, which will allow for quicker recovery if needed. Granted, it does take a little more hair pulling though.