Linux Forums - Linux Help,Advice & support community:LinuxSolved.com
Network Troubleshooting => General Networking Support in Linux => Topic started by: anybody1234 on October 07, 2005, 01:38:47 PM
-
Hello
I need to set up a Suse 9.2 box as my gateway;
My network setup is as follows:
windows client m/c ---> Suse 9.2 linux BoX ----> Router ----> internet
terms
windows client ip===192.168.0.82
Suse 9.2 IP ==192.168.0.175
Router IP ===192.168.0.230
Now my router has been configured to block all http requests on port 80 for all clients except for Suse 9.2
So from my suse 9.2 box I get direct access to http
i.e
From my suse box
suse:~ # ping yahoo.com
PING yahoo.com (216.109.112.135) 56(84) bytes of data.
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=1 ttl=48 time=770 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=2 ttl=48 time=522 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=3 ttl=48 time=802 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=4 ttl=48 time=572 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=5 ttl=48 time=592 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=6 ttl=49 time=623 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=7 ttl=49 time=383 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=8 ttl=49 time=325 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=9 ttl=48 time=538 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=10 ttl=49 time=813 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=11 ttl=48 time=327 m
sample client setup
from windows m/c
ipconfig /all
C:\>ipconfig /all
Windows 2000 IP Configuration
Host Name . . . . . . . . . . . . : anybody1234
Primary DNS Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : oe2005
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :OE
Description . . . . . . . . . . . : 3Com 3C918 Integrated Fast Ethernet Controller (3C905B-TX Compatible)
Physical Address. . . . . . . . . : 00-C0-4F-5B-87-5F
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.82
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.175
DNS Servers . . . . . . . . . . . : 192.168.0.175
note that the bind dns server is running on 192.168.0.175;
C:\>ping yahoo.com
Pinging yahoo.com [216.109.112.135] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 216.109.112.135:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>
Now with the squid proxy running on the suse9.2 linux box all clients can access the internet, at least HTTP requests, with the IP of the Suse9.2 box and port 3128 in the browser settings.
With the suse box as gateway I can access ssh port 22 and ftp port 21, but not http port 80.
iptables -L
suse:~ # iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
suse:~ #iptables -t nat -L
iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE tcp -- anywhere anywhere
all -- anywhere anywhere
MASQUERADE tcp -- anywhere anywhere masq ports: 80
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
now what can be the possible iptables masquerading rules that will
allow http requests directly through the client windows m/c with the gateway of the client set to that of the Suse 9.2 box;
any help appreciated;
thanks;
-
Well, I can see here that you have tried to explain as much as you can.
What I see here is that you have already masqueraded ports, i.e. enabled port forwarding, but still you are not able to access the internet without squid on the clients.
Btw, what I suspect is the "DNS Server": if you are not running a dns server on your suse then you can't use it as a dns server and hence you will not be able to access the internet through it.
To solve this you can either make sure that you are running bind as a dns forwarder or simply a caching nameserver, or you can use the dns server of your ISP in your clients.
-
Hi
Thanks for your reply;
Well I am using the bind dns server and
nslookup yahoo.com
resolves the same using 127.0.0.1;
Btw how can I know whether I am running bind as a caching server or a DNS nameserver?
Should I post /etc/named.conf.?
-
Let me clearly explain the setup once again if anybody finds it difficult to understand
My setup
Windows box ---> Linux SuSe 9.2 Box ----> Router ---> internet
Now Router is configured only to block HTTP requests from all clients except my Linux SuSe 9.2 Box which also hosts my proxy server;
So clients can access internet via proxy but
When they access ftp sites thru browsers they encounter a lot of problems
also in my suse linux box the default policy is Accept;
i.e
suse:~ # iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
suse:~ #
and
suse:~ # cat /proc/sys/net/ipv4/ip_forward
1
suse:~ #
now I can get direct access to any sites thru this box, even ftp access
suse:~ # telnet 213.220.100.10 21
Trying 213.220.100.10...
Connected to 213.220.100.10.
Escape character is '^]'.
220 This is ftp.f-prot.com. Use wisely. (And take a look at: http://www.f-prot.com)
please note that I can get ftp via the command line;
but from my windows box with the gateway set up as the Linux box I still get a connection failed message;
and traceroute shows
C:\>telnet 213.220.100.10 21
Connecting To 213.220.100.10...Could not open a connection to host on port 21 : Connect faile
C:\>tracert 213.220.100.10
Tracing route to mango.frisk-software.com [213.220.100.10]
over a maximum of 30 hops:
1 <10 ms <10 ms 10 ms 192.168.0.230
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.
Trace complete.
C:\>ipconfig /all
Windows 2000 IP Configuration
Host Name . . . . . . . . . . . . : anybody
Primary DNS Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : oe2005
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : oe2005
Description . . . . . . . . . . . : 3Com 3C918 Integrated Fast Ethernet Controller (3C905B-TX Compatible)
Physical Address. . . . . . . . . : 00-C0-4F-5B-87-5F
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.82
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.175
DNS Servers . . . . . . . . . . . : 192.168.0.175
note that the gateway 192.168.0.175 is the Suse box;
still packets directly jump to the router 192.168.0.230 instead of the Suse box;
So would anybody please advise how I will get access to ftp from my windows box with the gateway set as the suse box....
-
Well, we run bind as a nameserver only when we are hosting some site etc., i.e. it is used only to convert the ip of the computer to the name assigned to that ip.
In a caching nameserver we convert the ip of every site to the domain related to it. To find out if your bind is running as a caching nameserver, simply look at /etc/resolv.conf: if it's empty or it has an entry like nameserver 127.0.0.1,
and in both conditions you are able to use that machine as a dns server, then you are running a caching nameserver.
-
Hello
thanks once again for your reply; you provided some info on DNS servers;
But still my problem of not getting direct internet access thru my linux gateway persists :x
But to me it seems the problem has nothing to do with DNS but with the iptables rules..;
I explained my problem in as much detail as I could and if somebody still requires any clarifications I am ready to provide them..
Still I am not able to figure out where the problem is.
When the iptables default policy is set to allow and IP forwarding is set to true,
isn't the Linux machine supposed to behave as a simple gateway?
Is it a known bug in the Suse 9.2 distro and does anybody have some idea..? :roll:
I observed that a similar setup worked fine with the same rules in the RH 9.0 distro (in some other n/w).
Also changing the distro itself is not a very good idea as I have so much important data in this setup.
Any Ideas any Suse Experts..?
-
The problem is only that I have no experience with SUSE.. maybe gauravbajaj or dragoncity99 has some.. ask them by PM about this thread.
Well, I think you should look if there is some firewall which is blocking.
-
Hello all
After referring to so many forums for months, I got the solution to this problem; -- excuse me for my ignorance of iptables rules;
A simple masquerading rule was all that was required;
First
###############################
echo "1" > /proc/sys/net/ipv4/ip_forward
for forwarding packets
and the iptables masquerading rule as
#######################################
iptables -t nat -A POSTROUTING -j MASQUERADE
#####################################
was the only rule required
and I saved the rules using
#############
suse:/etc #/usr/sbin/iptables-save
#################
Now my Iptables Lists is shown as
#################################
suse:/home # iptables
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
##############################
suse:/home # iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
#####################################
And the solution for my ftp problem was:
I needed to load two modules in
######################################
cd /lib/modules/2.6.8-24-default/kernel/net/ipv4/netfilter
using commands
insmod -f ip_conntrack_ftp.ko
insmod -f ip_nat_ftp.ko
so that
lsmod will display
lsmod
ip_nat_ftp 5232 0
ip_conntrack_ftp 72624 1 ip_nat_ftp
################################
-
Hello
would anybody provide me a script for the same so that I can set it as gateway whenever I want, as I do not wish to make use of webmin for the same;
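As an added example (not a script posted in this thread), the steps from the solution post above, ip_forward, the MASQUERADE rule and the two ftp modules, collected into one gateway script, which also answers the request for one. It assumes the LAN is 192.168.0.0/24 and uses modprobe instead of the poster's insmod -f; both assumptions are marked in the comments.

```shell
#!/bin/sh
# Added example, not code from this thread: a gateway script built from
# the steps anybody1234 posted (ip_forward, MASQUERADE, ftp conntrack/nat
# modules) and the later request for a script. Assumptions not in the
# thread: the LAN is 192.168.0.0/24 (LAN_NET), and modprobe replaces the
# poster's insmod -f.
LAN_NET="${LAN_NET:-192.168.0.0/24}"

# Emit the rule set as text so it can be reviewed before it is applied.
# Tighter than the thread's bare "-j MASQUERADE": only LAN sources are
# masqueraded, and FORWARD defaults to DROP so only connections started
# from the LAN (and their replies, including ftp data channels tracked by
# ip_conntrack_ftp) pass through the box.
gateway_rules() {
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s $LAN_NET -j MASQUERADE
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -s $LAN_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -d $LAN_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Post-apply check: forwarding on, ftp helpers loaded, MASQUERADE rule
# present. Returns non-zero and names each item that is missing.
check_gateway() {
    rc=0
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ] \
        || { echo "ip_forward is not 1"; rc=1; }
    for m in ip_conntrack_ftp ip_nat_ftp; do
        lsmod 2>/dev/null | grep -q "^$m " || { echo "module $m not loaded"; rc=1; }
    done
    iptables -t nat -L POSTROUTING -n 2>/dev/null | grep -q MASQUERADE \
        || { echo "no MASQUERADE rule in nat/POSTROUTING"; rc=1; }
    return $rc
}

case "${1:-show}" in
    show)  gateway_rules ;;                           # print only
    apply) gateway_rules | sh -e && check_gateway ;;  # run as root
    check) check_gateway ;;
    *)     echo "usage: $0 [show|apply|check]" >&2; exit 2 ;;
esac
```

Note that iptables-save, as used in the thread, only prints the live rule set to stdout; to keep the rules across reboots, redirect its output to a file and load that file at boot with iptables-restore.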
-
Hi
Why don't you use yast for that? You just open whatever ports you want.
Bye
Gaurav