Hi all, I posted this issue on another forum and was directed here to seek help, hope I can get some good advice.

I should start by explaining my home network setup... I live in a shared building split into individual flats/rooms with shared internet across the whole building. The ADSL router supplied by our ISP is located in another room which I do not often get access to, this is the access point that all other computers in the house are connected to. I have an ethernet cable running from this room into mine to provide me with network and internet access. It is from this point that I am having trouble...

The cable is connected in my room to a Debian (squeeze) linux box which I am attempting to configure as a gateway/router/firewall. From my linux box a second cable is then connected to my network switch which then distributes the connection to my personal machines in my room, one of which is a Windows server (2008 R2) which I am presently running as a web server with the intention of creating a secure FTP server. The Windows server is also running an SMB share and VNC server.

The problem I am having regards access between my internal machines (in my room) and the external machines (rest of the network). The Debian gateway is successfully supplying internet as all of my internal machines are able to access the web, however when attempting to access the ADSL router configuration page from here my browser tells me 'This web page is not available'. I am also able to use my SMB share and VNC server from my internal machines yet externally the server (or any of my other machines for that matter) are not visible across the network, neither can I see anyone else's (external) computers from here.

I am reasonably certain that I wish to keep the setup as is, as I am fairly paranoid about network security and would feel more comfortable if I was separated from the rest of the network and the internet via a secure firewall, though I still require my web server to be able to be accessed from the net (and would also like to be able to remote into it via the web using VNC). I would also like other people in the house to be able to take advantage of my SMB share.

I assume that this is a port forwarding issue? (though can't be certain as this sort of setup is quite new to me). Also as the Debian gateway is providing DHCP to my internal machines I am considering the possibility that this may also be an issue?

I am hoping that someone here has enough knowledge to talk me through preparing the correct configuration to make this work or could offer, if necessary, another practical solution that will provide me with the security I desire.

Thanks all for taking the time to consider my problem, any help is greatly appreciated...

Are you using the same IPs or subnets or what?

If you can access the net fine then the debian 'server' sounds like it's got NAT routing and is routing fine, and since you can't access any other PCs it sounds like you might have an IP subnet collision, like they're both using the 192.168.1.0/24 range.

You need to post all your IP diagrams and configuration information for anyone to even attempt to diagnose the problem.

Ok, sounds like a reasonable explanation.

The ADSL router has the IP 192.168.0.1 on 255.255.255.0 subnet.

Linux box appears externally as 192.168.0.23 (interface eth0) and internally as 192.168.0.2 (eth1)

Based on a guide for simple gateway routing I found online my 'iptables.rules' file is as follows:

[CODE]
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 2020 -j ACCEPT
-A INPUT -i eth0 -j DROP
COMMIT
[/CODE]

To clarify port 2020 is the port I use for SSH...

Please advise on any other information that may be required. Thank you.

Figured this would be useful too...

My /etc/network/interfaces file:

[CODE]
auto lo
iface lo inet loopback
pre-up iptables-restore < /etc/iptables.rules
allow-hotplug eth0
iface eth0 inet dhcp
allow-hotplug eth1
iface eth1 inet static
address 192.168.0.2
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
[/CODE]

and my dnsmasq.conf:

[CODE]
interface=eth1
listen-address=127.0.0.1
dhcp-range=192.168.0.100,192.168.0.110,12h
[/CODE]

Make life easy on yourself and use smoothwall as your linux router/firewall www.smoothwall.org

I will look into it, thanks...

@ grabageek:

Seems like smoothwall should be a nice easy setup, but not quite what I had in mind. I would like to develop more practical networking knowledge; routing and security is something I would quite like to get to grips with on a technical level, and that is why I would like to explore making a working configuration myself. Thanks for the advice though.

"The ADSL router has the IP 192.168.0.1 on 255.255.255.0 subnet.

Linux box appears externally as 192.168.0.23 (interface eth0) and internally as 192.168.0.2 (eth1)"

There is your problem and solution.

Please excuse me being so slow (like I said I am still somewhat unfamiliar with more advanced aspects of network configuration) but could you please clarify further? Could you recommend an IP configuration that would work? Bearing in mind my connection comes in from the ADSL router to the device eth0 and is routed out to my network switch on device eth1.

Thank you.

Certainly. You're using the same IP and subnet for two networks; you're lucky you can even connect to the internet because you're doing a straight in-out NAT. If you were doing an IP based NAT then you wouldn't even have internet working.

You need to change to a different subnet mask for your network. As the subnet mask for the internal ADSL modem is set to 192.168.0.0/24, that means 24 bits of 32 are used for the network address and the last 8 bits are used for host addresses, so hosts in the 192.168.0.0/24 network range from 192.168.0.1 - 192.168.0.254 (192.168.0.0 is the network address and 192.168.0.255 is the broadcast address). So if you increment the network address by one to get 192.168.1.0/24, you've got a whole new IP range you can use that won't cause any conflicts.

Your private network will be on 192.168.1.x and the ADSL modem will be on 192.168.0.x and you will be able to communicate between them.

Thanks, I will give it a go and let you know how I get on...

Ok, things are moving in the right direction a little. My linux box still has the IP 192.168.0.23 on eth0 externally (is this ok?) however internally is now on network 192.168.1.0, bcast 192.168.1.255 and supplying DHCP with a range of 192.168.1.2 to 192.168.1.254 with a device IP of 192.168.1.1 on eth1.

I can now successfully get into the ADSL router setup page with no problems however I am still unable to see any external hosts. I am also unable to ping any of my internal hosts from any host on 192.168.0.x ...

So how would hosts on 192.168.0 know how to get back to the 192.168.1 network? To ping something? They could ping the IP address of your linux router that is on the 192.168.0 network - but you can not forward icmp to different boxes inside. If you're not going to NAT and just route, they still don't know how to get to the 192.168.1.0 network -- their default route is the adsl router, and he does not know that 192.168.1 is behind your linux box. You would have to edit his route table to know that, or use a routing protocol to share this info with him, like rip. But to turn that on you would need access to the adsl router as admin and it would have to support it, etc.

So you want to put yourself behind a firewall between other building users that are all on the same 192.168.0 network -- this is a fair enough and common want.

But not sure why you would go with a standard linux install - why not go with one of the many distros designed to be a router/firewall? Off the top of my head, as already mentioned smoothwall sure, there is also my fav pfsense, there is ipcop, there is m0n0wall, etc. etc. There is clearOS which is more a full blown SME; it can run all kinds of services, file, email, etc. while protecting you from users on the 192.168.0 network.

Not sure what you mean exactly by unable to see "external hosts." Are these on the 192.168.0 network or the internet after the adsl router?

If you would download one of the many firewall/router distros - click click click you would be up and running with a nice web gui to admin your shiny new firewall with.

IP tables now reads as such:

[CODE]
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 2020 -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
COMMIT
[/CODE]

Still unable to ping hosts on 192.168.1.x from 192.168.0.x

Are you able to offer advice on how this should look?

As I mentioned before, I am trying to gain a more advanced understanding of routing and firewall configuration from the CLI as opposed to a GUI based pre-prepared distro. I understand that this will give me (more) headaches, however I would never have gained the experience in Linux that I now have if I hadn't already spent a great deal of time attempting to play with things that I have no idea how to work. What can I say, I learn better by throwing myself in at the deep end :D

My apologies for my inaccurate terminology, I am still learning how to express networking concepts in the correct terms. By 'external hosts' I do indeed mean hosts on the 192.168.0 network, and as such 'internal hosts' are those on my 192.168.1 network. Hope this clarifies.

Yes, you are now accepting packets from the 192.168.0.x network to the debian 'server'.

You need to filter them then either just pass them off out the other interface or use NAT's prerouting to change them to come out the other interface.

(Plus you'll want to use FORWARD not ACCEPT)

Hmmm, I appear to be having some trouble with the syntax of the IP tables, I attempted to add a FORWARD line and this broke the routing, are you able to be more specific?

-A INPUT -i eth0 -j FORWARD

(From what I remember, can't check as the half-NAT I did for a firewall for my server is offline)

This appears to break the routing :(

Anyways, it's getting late and I'm growing tired of this for today. I am going to sleep on it and try again tomorrow.

Don't think of it as doing it the easy way, think of it as choosing the right tool for the job.

TBH that's quite a fair point, and if I can't make this work within the next couple of days I may consider changing my approach somewhat, however I am a stubborn b*****d and will keep on at this for now at least.

If I were to consider using a specific firewall distro, what are people's general opinions on the best, most configurable and most secure distro to use?

I believe pfsense will do nicely for what you are trying to accomplish...has a web based front end with a linux based back end. Probably the best of both worlds for you...you can see where you are screwing up.

I definitely agree that pfSense is a very nice firewall distribution, but it is not Linux based: it's based on FreeBSD. In general, networking theory applies equally to both Debian and FreeBSD, but some of the configuration tools are a little different. Since iptables is merely a kernel-level firewall, not a POSIX standard, it's specific to the Linux kernel. FreeBSD currently uses the OpenBSD PacketFilter firewall, which is also kernel-level. You can get basic iptables documentation from the Debian Wiki, CentOS Wiki, and RHEL Manual, and basic pf documentation from the FreeBSD Handbook and OpenBSD Wiki.

Right tool is the better term yes.

You're not going to learn anything being frustrated having to try and get syntax exactly right! What does that teach you??

Get the concepts down, then you can worry about knowing the exact command to do what you want from a command line.

As mentioned - pfsense would be a great choice, and yes it is freebsd based not linux. But to be honest, from just doing commands, it's not any different than any other linux distro. Pretty much all the linux commands are the same, it's just you use different tools.

Get your network secured and working - and get the basic concepts down, then you can mess with the inner workings.

Here's the thing: if you just route and don't NAT, you're not going to be able to talk to machines on the .0, since you don't have control over their router or the hosts; there is no way for you to set up the routing correctly for them to talk between the 2 networks. So you're going to need to NAT, then every box behind your firewall will just look like another .0 host to the boxes on that network - even to their router you're just going to look like another one of its clients.

Boxes on the .0 will be able to get to IPs on the .1 through the .0.x address of your wan interface on your router/firewall (pfsense), once you forward the ports you want to the specific .1.x addresses you want to serve up those services to people on the .0 network.

Now the issue you're going to have in a double NAT setup, and without control of the .0 router anyway, is you're not going to be able to do any port forwarding from the internet to boxes inside your .1 network - unless you can have whoever controls the .0 router set up the forwards to your .0 address, etc.

But that is part of the problem with double natting.
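As an added example (not the poster's file and not any distro's tooling), here is a small script that generates an iptables-restore ruleset in the same format as the poster's /etc/iptables.rules, following the advice in this thread: MASQUERADE on eth0, explicit FORWARD rules instead of the catch-all INPUT ACCEPT, and DNAT port forwards so .0 hosts reach services on the .1 network through the gateway's .0.x address. The internal host 192.168.1.10 and the forwarded ports are assumptions; the script also refuses the original overlapping-subnet layout.

```python
import ipaddress

# Constructed values matching the thread: eth0 gets a 192.168.0.x lease from
# the building's ADSL router, eth1 serves 192.168.1.0/24. The internal host
# address and the forwarded ports below are assumptions for illustration.
WAN_IF, LAN_IF = "eth0", "eth1"
SSH_PORT = 2020  # the poster's SSH port on the gateway itself
# (port on eth0, protocol, internal host, internal port)
FORWARDS = [
    (80, "tcp", "192.168.1.10", 80),      # web server (hypothetical address)
    (445, "tcp", "192.168.1.10", 445),    # SMB share for others in the house
    (5900, "tcp", "192.168.1.10", 5900),  # VNC
]


def check_no_overlap(wan_addr, lan_net):
    """Refuse the layout that broke the original setup: the gateway's eth0
    address must not sit inside the LAN subnet, otherwise replies from the
    LAN side have no unambiguous route back."""
    lan = ipaddress.ip_network(lan_net, strict=True)
    if ipaddress.ip_address(wan_addr) in lan:
        raise ValueError(f"WAN address {wan_addr} lies inside LAN {lan_net}")
    return lan


def build_rules(wan_addr, lan_net, forwards=FORWARDS, ssh_port=SSH_PORT):
    """Return an iptables-restore ruleset. The gateway also needs
    net.ipv4.ip_forward=1 for the FORWARD chain to see any traffic."""
    lan = check_no_overlap(wan_addr, lan_net)
    nat = ["*nat", ":PREROUTING ACCEPT [0:0]", ":POSTROUTING ACCEPT [0:0]"]
    fwd = []
    for pub, proto, host, port in forwards:
        if ipaddress.ip_address(host) not in lan:
            raise ValueError(f"forward target {host} is not on {lan_net}")
        # Rewrite the destination as the packet arrives on the WAN side...
        nat.append(f"-A PREROUTING -i {WAN_IF} -p {proto} --dport {pub} "
                   f"-j DNAT --to-destination {host}:{port}")
        # ...and allow exactly that rewritten flow through FORWARD.
        fwd.append(f"-A FORWARD -i {WAN_IF} -o {LAN_IF} -p {proto} "
                   f"-d {host} --dport {port} -m state --state NEW -j ACCEPT")
    nat += [f"-A POSTROUTING -o {WAN_IF} -j MASQUERADE", "COMMIT"]
    filt = [
        "*filter",
        # Default-deny. The thread's '-A INPUT -i eth0 -j ACCEPT' exposed the
        # gateway itself on every port to the whole building.
        ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
        f"-A INPUT -i {WAN_IF} -p tcp --dport {ssh_port} -j ACCEPT",
        f"-A INPUT -i {LAN_IF} -j ACCEPT",  # LAN may reach dnsmasq (DHCP/DNS)
        # FORWARD is its own chain; INPUT rules cannot jump to it.
        "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT",
        f"-A FORWARD -i {LAN_IF} -o {WAN_IF} -j ACCEPT",  # LAN out to the world
        *fwd,
        "COMMIT",
    ]
    return "\n".join(nat + filt) + "\n"


if __name__ == "__main__":
    print(build_rules("192.168.0.23", "192.168.1.0/24"), end="")
```

Run it with the gateway's current eth0 address and redirect the output to the rules file that `pre-up iptables-restore` loads; it reads back the iptables-restore format rather than a list of separate iptables commands.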

@ BUDMAN:

Sure, to be fair you make a very reasonable point and I am definitely swaying to the idea. I will look into pfsense and see how I go, fortunately BSD based distros are no mystery to me, I spent some time playing with a range of UNIX-like systems some time ago and was pleased to see that bash is still the preferred shell. You are entirely correct, of course, that it is most likely the best way I can learn the basic principles of what I am trying to achieve and as +sc302 rightly said it would help me understand where I'm screwing up. Thanks for the good advice guys.

I was also considering another option; A friend of mine has given me his old Cisco 2600 series router and I have been looking into configuring this as a firewall. This would give me an excellent opportunity to get to grips with the Cisco command console though I am unsure of what pros/cons this would have over using a UNIX/GNU based firewall instead. Which do you think would be the most preferable solution for my purposes?
