[SATLUG] Networking and hardware firewall questions
Chuck
chuck at tetlow.net
Tue Apr 6 19:06:03 CDT 2004
If I get you right, you are set up like this:
|--Wireless Computer #1
|
Cable Linux Wireless |--Wireless Computer #2
Modem----Firewall-----AccessPoint-----|
/Router |--Wireless Computer #3
Is that right??
If so, the first question I need to ask is:: why the Linux firewall
between the Wireless Access Point and the cable modem??? Most
Routers/WAPs have basic firewall functionality built in -- even if its
only Port Access Translation (PAT). I can think of a couple reasons to
have that Linux firewall there, but just wanted to know if you have a
reason for it -- or just thought you needed it.
If you do keep it there, you have to have a separate network between the
Linux firewall and the WAP. Maybe 172.16.1.0 netmask 255.255.255.0.
Make the Linux box 172.16.1.1 and the WAP 172.16.1.2. And set the WAP
so its default gateway is the Linux box at 172.16.1.1.
The the WAP probably defaults to use a class C network like 192.168.1.0
255.255.255.0 for the DHCP addresses handed out. Those PCs who get a
192.168.1.x address from the WAP would use 192.168.1.1 (the WAP) as its
default gateway.
The easiest way to get DNS working is to just have the WAP configure the
PCs with your Internet Providers DNS servers. If you are using cable
modem here in San Antonio, its 24.28.131.62 and 24.28.131.63.
That's it. Make sure the networking is setup and working correctly by
pinging from a PC to the inside of the Linux firewall 172.16.1.1. If
that works, the WAP and networking is right.
Make sure the Linux firewall is set to route packets with the command
"cat /proc/sys/net/ipv4/ip_forward" and make sure you get back the
single number 1. If its 0, routing is turned off. Turn it on with
"echo 1 > /proc/sys/net/ipv4/ip_forward".
And last, make sure the IPTables on the Linux firewall is set to do
masquerading (Port Address Translation). Use "iptables -L -n -t nat"
and look for a line in the FORWARD chain that begins with "MASQUERADE"
and the source is set to 0.0.0.0/0. If its there, you are good to go.
You should now be able to browse the Internet from the inside computers.
Chuck
On Tue, 2004-04-06 at 17:18, Michael Basnight wrote:
> OK, this may be on the list twice, I had a freak email problem, outlook...
>
> I am trying to set up a my computer as a hardware firewall as well as a
> server(I only have 1 box serving Linux, too broke to buy an E-Bay $100 P1
> special!). Here is what I have done, i.e. connections: **The external and
> internal nic are on the server, but you knew that :)
>
> 1) Cable modem to "External" nic,
> 2) "Internal" nic to router,
> 3) router to wireless computers(this is the only wireless part, and will to
> a windows box, no problem setting this up)
>
> My problem, i think, is in part 2 above. I have the external nic using dhcp
> to get dns and ip...bla bla, and the internal nic *I am assuming in my case*
> will have a static internal ip. What is the internal nics gateway? I think
> this is a reason everything is not working.
>
> Also, the router, i believe, must have a static internal ip different from
> the internal nic, and serve dhcp to the machines trying to connect to it.
> the routers default gateway will be the internal nic, i think???
>
> I can connect to the internal routers config program from a wireless windows
> box, but not the net. I can connect to the net via the server/firewall, but
> i cannot connect to the internal routers config program.
>
> I have also set up shorewall, which is too cool a program, to a basic
> example using this setup. This could also be a problem.
>
> I am just learning this stuff, and I was wondering if my setup was correct,
> in theory. As of now, no internal comps have wireless access to the net.
>
> Thx satluggerz, Michael Basnight
>
> _______________________________________________
> Satlug mailing list
> Satlug at satlug.org
> http://alamo.satlug.org/mailman/listinfo/satlug
More information about the Satlug
mailing list