
Linux gateway/router issues, please help!

linux debian gateway router

58 replies to this topic

#1 Captain_Rainbowbeard

Captain_Rainbowbeard

    Neowinian

  • Joined: 05-January 13
  • Location: London, UK
  • OS: Debian, Windows 7 & Server 2008 R2
  • Phone: Galaxy S3 I9300-GT

Posted 05 January 2013 - 17:07

Hi all, I posted this issue on another forum and was directed here to seek help, hope I can get some good advice.

I should start by explaining my home network setup... I live in a shared building split into individual flats/rooms with shared internet across the whole building. The ADSL router supplied by our ISP is located in another room which I do not often get access to, this is the access point that all other computers in the house are connected to. I have an ethernet cable running from this room into mine to provide me with network and internet access. It is from this point that I am having trouble...

The cable is connected in my room to a Debian (squeeze) linux box which I am attempting to configure as a gateway/router/firewall. From my linux box a second cable is then connected to my network switch which then distributes the connection to my personal machines in my room, one of which is a Windows server (2008 R2) which I am presently running as a web server with the intention of creating a secure FTP server. The Windows server is also running an SMB share and VNC server.

The problem I am having regards access between my internal machines (in my room) and the external machines (rest of the network). The Debian gateway is successfully supplying internet as all of my internal machines are able to access the web, however when attempting to access the ADSL router configuration page from here my browser tells me 'This web page is not available'. I am also able to use my SMB share and VNC server from my internal machines, yet externally the server (or any of my other machines for that matter) is not visible across the network, neither can I see anyone else's (external) computers from here.

I am reasonably certain that I wish to keep the setup as is, as I am fairly paranoid about network security and would feel more comfortable if I was separated from the rest of the network and the internet via a secure firewall, though I still require my web server to be able to be accessed from the net (and would also like to be able to remote into it via the web using VNC). I would also like other people in the house to be able to take advantage of my SMB share.

I assume that this is a port forwarding issue? (though can't be certain as this sort of setup is quite new to me). Also as the Debian gateway is providing DHCP to my internal machines I am considering the possibility that this may also be an issue?

I am hoping that someone here has enough knowledge to talk me through preparing the correct configuration to make this work or could offer, if necessary, another practical solution that will provide me with the security I desire.

Thanks all for taking the time to consider my problem, any help is greatly appreciated...


#2 n_K

n_K

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 19-March 06
  • Location: here.
  • OS: FreeDOS
  • Phone: Nokia 3315

Posted 05 January 2013 - 17:29

Are you using the same IPs or subnets or what?
If you can access the net fine then the debian 'server' sounds like it's got NAT routing and is routing fine and you can't access any other PCs so sounds like you might have an IP subnet collision like they're both using the 192.168.1.0/24 range.
You need to post all your IP diagrams and configuration information for anyone to even attempt to diagnose the problem.

#3 OP Captain_Rainbowbeard

Captain_Rainbowbeard

    Neowinian

  • Joined: 05-January 13
  • Location: London, UK
  • OS: Debian, Windows 7 & Server 2008 R2
  • Phone: Galaxy S3 I9300-GT

Posted 05 January 2013 - 17:42

Are you using the same IPs or subnets or what?
If you can access the net fine then the debian 'server' sounds like it's got NAT routing and is routing fine and you can't access any other PCs so sounds like you might have an IP subnet collision like they're both using the 192.168.1.0/24 range.
You need to post all your IP diagrams and configuration information for anyone to even attempt to diagnose the problem.


Ok, sounds like a reasonable explanation.

The ADSL router has the IP 192.168.0.1 on 255.255.255.0 subnet.

Linux box appears externally as 192.168.0.23 (interface eth0) and internally as 192.168.0.2 (eth1)

Based on a guide for simple gateway routing I found online my 'iptables.rules' file is as follows:

*nat
# Source-NAT everything leaving eth0 (the ADSL side) behind the gateway's own address
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
# Traffic addressed to the gateway itself: loopback and replies to its own connections
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# SSH on the custom port from the ADSL side, then drop anything else arriving on eth0
-A INPUT -i eth0 -p tcp -m tcp --dport 2020 -j ACCEPT
-A INPUT -i eth0 -j DROP
COMMIT

To clarify port 2020 is the port I use for SSH...

Please advise on any other information that may be required. Thank you.

#4 grabageek

grabageek

    Neowinian

  • Joined: 08-November 12
  • Location: Derby
  • OS: Linux, Windows, Android

Posted 05 January 2013 - 17:45

Make life easy on yourself and use smoothwall as your linux router/firewall www.smoothwall.org

#5 OP Captain_Rainbowbeard

Captain_Rainbowbeard

    Neowinian

  • Joined: 05-January 13
  • Location: London, UK
  • OS: Debian, Windows 7 & Server 2008 R2
  • Phone: Galaxy S3 I9300-GT

Posted 05 January 2013 - 17:47

Figured this would be useful too...

My /etc/network/interfaces file:

auto lo
iface lo inet loopback
pre-up iptables-restore < /etc/iptables.rules
allow-hotplug eth0
iface eth0 inet dhcp
allow-hotplug eth1
iface eth1 inet static
   address 192.168.0.2
   netmask 255.255.255.0
   network 192.168.0.0
   broadcast 192.168.0.255

and my dnsmasq.conf:

interface=eth1
listen-address=127.0.0.1
dhcp-range=192.168.0.100,192.168.0.110,12h

Make life easy on yourself and use smoothwall as your linux router/firewall www.smoothwall.org


I will look into it, thanks...

#6 OP Captain_Rainbowbeard

Captain_Rainbowbeard

    Neowinian

  • Joined: 05-January 13
  • Location: London, UK
  • OS: Debian, Windows 7 & Server 2008 R2
  • Phone: Galaxy S3 I9300-GT

Posted 05 January 2013 - 17:58

@ grabageek:

Seems like smoothwall should be a nice easy setup, not quite what I had in mind. I would like to develop more practical networking knowledge, routing and security is something I would quite like to get to grips with on a technical level and as such why I would like to explore making a working configuration myself. Thanks for the advice though.

#7 n_K

n_K

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 19-March 06
  • Location: here.
  • OS: FreeDOS
  • Phone: Nokia 3315

Posted 05 January 2013 - 19:12

"The ADSL router has the IP 192.168.0.1 on 255.255.255.0 subnet.
Linux box appears externally as 192.168.0.23 (interface eth0) and internally as 192.168.0.2 (eth1)"
There is your problem and solution.

#8 OP Captain_Rainbowbeard

Captain_Rainbowbeard

    Neowinian

  • Joined: 05-January 13
  • Location: London, UK
  • OS: Debian, Windows 7 & Server 2008 R2
  • Phone: Galaxy S3 I9300-GT

Posted 05 January 2013 - 19:31

"The ADSL router has the IP 192.168.0.1 on 255.255.255.0 subnet.
Linux box appears externally as 192.168.0.23 (interface eth0) and internally as 192.168.0.2 (eth1)"
There is your problem and solution.


Please excuse me being so slow (like I said I am still somewhat unfamiliar with more advanced aspects of network configuration) but could you please clarify further? Could you recommend an IP configuration that would work? Bearing in mind my connection comes in from the ADSL router to the device eth0 and is routed out to my network switch on device eth1.

Thank you.

#9 n_K

n_K

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 19-March 06
  • Location: here.
  • OS: FreeDOS
  • Phone: Nokia 3315

Posted 05 January 2013 - 19:41

Certainly. You're using the same IP and subnet for two networks, you're lucky you can even connect to the internet because you're doing a straight in-out NAT, if you were doing an IP based NAT then you wouldn't even have internet working.
You need to change to a different subnet mask for your network, as the subnet mask for the internal ADSL modem is set to 192.168.0.0/24, that means 24 bits of 32 are used for network address and the last 8 bits are used for host addresses, so hosts in the 192.168.0.0/24 network range from 192.168.0.1 - 192.168.0.254 (192.168.0.0 is the network address and 192.168.0.255 is the broadcast address). So if you increment the network address by one to get 192.168.1.0/24, you've got a whole new IP range you can use that won't cause any conflicts.
Your private network will be on 192.168.1.x and the ADSL modem will be on 192.168.0.x and you will be able to communicate between them.
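The /24 arithmetic n_K walks through above, as an added example that is not part of the thread: a small POSIX sh script that computes the network address, broadcast address and usable host count for an address/netmask pair, and flags the fault the thread found, two interfaces of one router sitting on the same network. The addresses are the ones posted in the thread; nothing else is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the /24 arithmetic and test
# whether two interface configurations collide on the same network.
# The addresses used below are the ones quoted in the thread.

# Dotted quad -> 32-bit integer (POSIX sh arithmetic only)
ip2int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Network address for ADDRESS NETMASK: address AND mask
network_of() {
    int2ip $(( $(ip2int "$1") & $(ip2int "$2") ))
}

# Broadcast address: network OR the inverted mask (inversion kept to 32 bits via XOR)
broadcast_of() {
    int2ip $(( ($(ip2int "$1") & $(ip2int "$2")) | ($(ip2int "$2") ^ 4294967295) ))
}

# Usable host count for NETMASK: all host-bit values minus network and broadcast
usable_hosts() {
    echo $(( ($(ip2int "$1") ^ 4294967295) - 1 ))
}

# "collision" when ADDR1/MASK1 and ADDR2/MASK2 share one network, else "ok".
# A router whose two interfaces share a network cannot tell the sides apart.
check_subnets() {
    if [ "$(network_of "$1" "$2")" = "$(network_of "$3" "$4")" ]; then
        echo collision
    else
        echo ok
    fi
}

# The ADSL side of the gateway (eth0) as posted: 192.168.0.23/24
echo "eth0 network   : $(network_of 192.168.0.23 255.255.255.0)"      # 192.168.0.0
echo "eth0 broadcast : $(broadcast_of 192.168.0.23 255.255.255.0)"    # 192.168.0.255
echo "usable hosts   : $(usable_hosts 255.255.255.0)"                 # 254
# Original eth1 (192.168.0.2/24) against eth0: same network
echo "before fix     : $(check_subnets 192.168.0.23 255.255.255.0 192.168.0.2 255.255.255.0)"   # collision
# eth1 moved to 192.168.1.1/24 as suggested
echo "after fix      : $(check_subnets 192.168.0.23 255.255.255.0 192.168.1.1 255.255.255.0)"   # ok
```

The same check is worth running whenever a gateway gets a new interface: if `check_subnets` prints `collision` for any pair of its interfaces, the kernel has two routes for one destination and the box is not actually separating anything.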

#10 OP Captain_Rainbowbeard

Captain_Rainbowbeard

    Neowinian

  • Joined: 05-January 13
  • Location: London, UK
  • OS: Debian, Windows 7 & Server 2008 R2
  • Phone: Galaxy S3 I9300-GT

Posted 05 January 2013 - 20:18

Certainly. You're using the same IP and subnet for two networks, you're lucky you can even connect to the internet because you're doing a straight in-out NAT, if you were doing an IP based NAT then you wouldn't even have internet working.
You need to change to a different subnet mask for your network, as the subnet mask for the internal ADSL modem is set to 192.168.0.0/24, that means 24 bits of 32 are used for network address and the last 8 bits are used for host addresses, so hosts in the 192.168.0.0/24 network range from 192.168.0.1 - 192.168.0.254 (192.168.0.0 is the network address and 192.168.0.255 is the broadcast address). So if you increment the network address by one to get 192.168.1.0/24, you've got a whole new IP range you can use that won't cause any conflicts.
Your private network will be on 192.168.1.x and the ADSL modem will be on 192.168.0.x and you will be able to communicate between them.


Thanks, I will give it a go and let you know how I get on...

#11 OP Captain_Rainbowbeard

Captain_Rainbowbeard

    Neowinian

  • Joined: 05-January 13
  • Location: London, UK
  • OS: Debian, Windows 7 & Server 2008 R2
  • Phone: Galaxy S3 I9300-GT

Posted 05 January 2013 - 21:11

Ok, things are moving in the right direction a little. My linux box still has the IP 192.168.0.23 on eth0 externally (is this ok?) however internally is now on network 192.168.1.0, bcast 192.168.1.255 and supplying DHCP with a range of 192.168.1.2 to 192.168.1.254 with a device IP of 192.168.1.1 on eth1.

I can now successfully get into the ADSL router setup page with no problems however I am still unable to see any external hosts. I am also unable to ping any of my internal hosts from any host on 192.168.0.x ...

#12 n_K

n_K

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 19-March 06
  • Location: here.
  • OS: FreeDOS
  • Phone: Nokia 3315

Posted 05 January 2013 - 21:18

Yep the IP info is all correct.
You won't be able to because you've set IP tables to drop any 'new' traffic.

#13 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 84
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 05 January 2013 - 21:21

So how would hosts on 192.168.0 know how to get back to the 192.168.1 network? To ping something? They could ping your ip address of your linux router that is on the 192.168.0 network - but you can not forward icmp to different boxes inside. If you're not going to nat and just route, they still don't know how to get to the 192.168.1.0 network -- their default route is the adsl router, and he does not know that 192.168.1 is behind your linux box. You would have to edit his route table to know that, or use a routing protocol to share this info with him, like rip. But to turn that on you would need access to the adsl router as admin and it would have to support it, etc.

So you want to put yourself behind a firewall between other building users that are all on the same 192.168.0 network -- this is fair enough and a common want.

But not sure why you would go with a standard linux install - why not go with one of the many distros designed to be a router/firewall.. Off the top as already mentioned smoothwall sure, there is also my fav pfsense, there is ipcop, there is m0n0wall, etc. etc.. There is clearOS which is more a full blown SME, it can run all kinds of services file, email, etc. while protecting you from users on 192.168.0 network.

Not sure what you mean exactly by unable to see "external hosts." Are these on the 192.168.0 network or the internet after the adsl router?

If you would download one of the many firewall/router distros - click click click you would be up and running with a nice web gui to admin your shiny new firewall with.

#14 OP Captain_Rainbowbeard

Captain_Rainbowbeard

    Neowinian

  • Joined: 05-January 13
  • Location: London, UK
  • OS: Debian, Windows 7 & Server 2008 R2
  • Phone: Galaxy S3 I9300-GT

Posted 05 January 2013 - 21:25

IP tables now reads as such:

*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 2020 -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
COMMIT

Still unable to ping hosts on 192.168.1.x from 192.168.0.x

Are you able to offer advice on how this should look?
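An added example, not the poster's file and not from anyone in the thread: an iptables-restore ruleset for the two-interface gateway as the thread describes it. It follows BudMan's point that hosts on 192.168.0.x have no route to 192.168.1.x and the ADSL router cannot be given one, so the services the poster wants to share are published on the gateway's own 192.168.0.x address with DNAT, which needs no route on the other side. It also shows why the change in the post above did not help: the INPUT chain only governs traffic addressed to the gateway itself, so changing its last rule from DROP to ACCEPT opens the gateway to the building without letting anything reach the hosts behind it; traffic passing through goes via the nat PREROUTING and filter FORWARD chains. The interface names, the SSH port 2020 and the two /24 networks come from the thread; WEB_HOST is an assumed address for the Windows server, constructed for the example, and the web server is published on port 80 only, with the SMB port restricted to sources on the building network.

```shell
#!/bin/sh
# Added example, not the poster's configuration. Interface names, the SSH port
# and both networks come from the thread; WEB_HOST is assumed (constructed).
WAN_IF=eth0                 # cable from the ADSL router (192.168.0.0/24 side)
LAN_IF=eth1                 # cable to the room switch (192.168.1.0/24 side)
BUILDING_NET=192.168.0.0/24
WEB_HOST=192.168.1.10       # assumed internal address of the Windows server
SSH_PORT=2020

# Emit the ruleset. iptables-restore ignores lines that start with '#',
# so the comments can stay in the saved file.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Publish the web server on the gateway's own 192.168.0.x address: building
# hosts connect to the gateway, so they need no route to 192.168.1.0/24
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_HOST:80
# SMB share reachable from the building network only (source-restricted)
-A PREROUTING -i $WAN_IF -s $BUILDING_NET -p tcp --dport 445 -j DNAT --to-destination $WEB_HOST:445
# Hide 192.168.1.x behind the gateway for everything going out of eth0
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT: traffic to the gateway itself (SSH, and DHCP/DNS from the room)
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $LAN_IF -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport $SSH_PORT -j ACCEPT
# FORWARD: traffic passing between eth0 and eth1; only what was DNATed
# above may enter from the building side, everything else is dropped
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_HOST -p tcp --dport 80 -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -s $BUILDING_NET -d $WEB_HOST -p tcp --dport 445 -j ACCEPT
COMMIT
EOF
}

# Load the rules and turn on forwarding (needs root; only runs with "apply").
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_rules | iptables-restore
}

case "$1" in
    apply) apply_rules ;;
    *)     gen_rules ;;     # e.g. ./gateway.sh > /etc/iptables.rules for the pre-up hook
esac
```

The FORWARD policy is DROP with explicit accepts, so the default-ACCEPT forwarding that the original rules relied on is gone and every path through the box is listed. Reaching the web server from the internet still requires the ISP's ADSL router to forward port 80 to 192.168.0.23, which is the admin access BudMan mentions; nothing on the gateway can substitute for that. ICMP is not forwarded, so pings from the building side will continue to answer only for the gateway's own address, exactly as BudMan says.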

#15 OP Captain_Rainbowbeard

Captain_Rainbowbeard

    Neowinian

  • Joined: 05-January 13
  • Location: London, UK
  • OS: Debian, Windows 7 & Server 2008 R2
  • Phone: Galaxy S3 I9300-GT

Posted 05 January 2013 - 21:35

So how would hosts on 192.168.0 know how to get back to the 192.168.1 network? To ping something? They could ping your ip address of your linux router that is on the 192.168.0 network - but you can not forward icmp to different boxes inside. If you're not going to nat and just route, they still don't know how to get to the 192.168.1.0 network -- their default route is the adsl router, and he does not know that 192.168.1 is behind your linux box. You would have to edit his route table to know that, or use a routing protocol to share this info with him, like rip. But to turn that on you would need access to the adsl router as admin and it would have to support it, etc.

So you want to put yourself behind a firewall between other building users that are all on the same 192.168.0 network -- this is fair enough and a common want.

But not sure why you would go with a standard linux install - why not go with one of the many distros designed to be a router/firewall.. Off the top as already mentioned smoothwall sure, there is also my fav pfsense, there is ipcop, there is m0n0wall, etc. etc.. There is clearOS which is more a full blown SME, it can run all kinds of services file, email, etc. while protecting you from users on 192.168.0 network.


As I mentioned before, I am trying to gain a more advanced understanding of routing and firewall configuration from the CLI as opposed to a GUI based pre-prepared distro. I understand that this will give me (more) headaches however I would never have gained the experience in Linux that I now have if I hadn't already spent a great deal of time attempting to play with things that I have no idea how to work. What can I say, I learn better by throwing myself in at the deep end :D




Not sure what you mean exactly by unable to see "external hosts." Are these on the 192.168.0 network or the internet after the adsl router?


My apologies for my inaccurate terminology, I am still learning how to express networking concepts in the correct terms. By 'external hosts' I do indeed mean hosts on the 192.168.0 network, and as such 'internal hosts' are those on my 192.168.1 network. Hope this clarifies.


