
Thread: Is it possible to route LAN through server

  1. #11
    Join Date
    Nov 2010
    Location
    Kerala
    Beans
    376
    Distro
    Ubuntu

    Re: Is it possible to route LAN through server

    Code:
    talks@ns1:~$ sudo tail -f /var/log/messages
    [sudo] password for talks:
    Jul 21 12:48:26 ns1 kernel: [12314.319572] sd 7:0:0:0: [sdc] 7811072 512-byte logical blocks: (3.99 GB/3.72 GiB)
    Jul 21 12:48:26 ns1 kernel: [12314.324569] sd 7:0:0:0: [sdc] Write Protect is off
    Jul 21 12:48:26 ns1 kernel: [12314.341579] sdc: sdc1
    Jul 21 12:48:26 ns1 kernel: [12314.397598] sd 7:0:0:0: [sdc] Attached SCSI removable disk
    Jul 21 13:06:37 ns1 kernel: [13404.940715] ADDRCONF(NETDEV_UP): eth0: link is not ready
    Jul 21 13:06:37 ns1 kernel: [13404.944307] e100 0000:04:05.0: eth0: NIC Link is Up 100 Mbps Full Duplex
    Jul 21 13:06:37 ns1 kernel: [13404.944889] ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
    Jul 21 13:06:37 ns1 kernel: [13405.371195] ADDRCONF(NETDEV_UP): eth1: link is not ready
    Jul 21 13:06:38 ns1 kernel: [13406.544373] e1000: eth1 NIC Link is Up 100 Mbps Full Duplex, Flow Control: RX/TX
    Jul 21 13:06:38 ns1 kernel: [13406.544674] ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
    You can learn what a computer is; Ubuntu is the best way. I started learning Ubuntu on 2-1-2010, starting with Ubuntu 9, now using 12.04.

  2. #12
    Join Date
    Jun 2008
    Location
    Durban, RSA
    Beans
    33
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: Is it possible to route LAN through server

    OK, so I like what you've done, but the one thing that I still don't like is how this system doesn't have any DNS configured on eth0. You have to specify your DNS servers. To specify them, please add this line to your config of eth0 in /etc/network/interfaces:
    Code:
    #START
    dns-nameservers <ip of name server 1> <ip of name server 2>
    #END
    This will allow your server to connect DIRECTLY to the internet itself.
    Something else that is bothering me about your network map is that the system seems to be running SQUID, yet (to the best of my knowledge) squid hasn't been configured, and I haven't accounted for it in the firewall. Please remove it for now (unless it is configured); we can set this up once the systems are able to access the internet from a client side.
    To get this script (the one that you got from the Router page) to load at boot, please do the following:
    1) Save the file as /etc/init.d/fw.starter
    2) run this command:
    Code:
    chmod 777 /etc/init.d/fw.starter
    3) add the following line to /etc/rc.local, just above the 'exit 0' part:
    Code:
    sh /etc/init.d/fw.starter
    4) Please change the following lines in my firewall script:
    Code:
    #START
    for opf in $opforwards
    do
    $ipt -A FORWARD -i $ext -o $int -p tcp --dport $opf-j ACCEPT
    $ipt -t nat -A PREROUTING -i $ext -p tcp --dport $opf -j DNAT --to $ip:$opf
    done
    #END
    to
    Code:
    #START
    for opf in $opforwards
    do
    $ipt -A FORWARD -i $ext -o $int -p tcp --dport $opf -j ACCEPT
    $ipt -t nat -A PREROUTING -i $ext -p tcp --dport $opf -j DNAT --to $ip:$opf
    done
    #END
    This corrects the port forwarding errors that mess up when the script loads.

    5) restart your server to test if this script runs. Now both my firewall script and the Router script will run, so you should get connectivity.

    If this doesn't work, there is a system that I use at home, and it's very simple to configure and lock down; it is called Zentyal (http://www.zentyal.org) and it is very good. It's a fully functional DMZ/UTM/UMS/UOS and is very reliable; version 2.0 is completely stable and should work perfectly for your application. It is also free and based on Ubuntu.
    Still, I'm more than happy to help with everything and anything that pertains to your project.
    Your system does have a few flaws, but let's rather get it working 100% and then sort out the problems.

    HTH
    gooooooooooo linux!!!!

  3. #13
    Join Date
    Nov 2010
    Location
    Kerala
    Beans
    376
    Distro
    Ubuntu

    Re: Is it possible to route LAN through server

    Hi friend, finally that router script is working for me and I am happy.


    Quote (wineman): "...them, please add this line to your config of eth0 in /etc/network/interfaces:"
    Code:
    #START
    dns-nameservers <ip of name server 1> <ip of name server 2>
    #END
    I don't know how it works for me; I can access the internet without specifying dns-nameservers on eth0.

    Code:
    #START
    for opf in $opforwards
    do 
    $ipt -A FORWARD -i $ext -o $int -p tcp --dport $opf-j ACCEPT
    $ipt -t nat -A PREROUTING -i $ext -p tcp --dport $opf -j DNAT --to $ip:$opf
    done
    #END
    to
    #START
    for opf in $opforwards
    do 
    $ipt -A FORWARD -i $ext -o $int -p tcp --dport $opf -j ACCEPT
    $ipt -t nat -A PREROUTING -i $ext -p tcp --dport $opf -j DNAT --to $ip:$opf
    done
    #END
    Are both of these the same script? ... That router script says something about a log ... where can I find the log and how does it work? ... And I need to know about the DNS part on the client PC: the first time I gave the server's eth1 IP, this did not give the connection to the internet; when I give eth1 as the gateway, the connection is OK for me. Is there anything wrong with this?

    Thanks for the information about Zentyal ... but I'd rather keep my hands on Ubuntu ... I need to learn Ubuntu ... I know I can't study the whole thing ...

    I need to run your script also ... this is my 14th day on this issue, but your words give me more courage ..

    This is the whole thing I did on my system:
    Code:
    #!/bin/bash
    # Version string shown in the messages below; it was not set in the excerpt as posted.
    FWVER="1.0"
    echo -e "\n\nLoading simple rc.firewall-iptables version $FWVER..\n"
    DEPMOD=/sbin/depmod
    MODPROBE=/sbin/modprobe

    # The two variables to configure: external (internet-facing) and internal (LAN) interface
    EXTIF="eth0"
    INTIF="eth1"
    #INTIF2="eth0"
    echo "   External Interface:  $EXTIF"
    echo "   Internal Interface:  $INTIF"

    #======================================================================
    #== No editing beyond this line is required for initial MASQ testing ==
    echo -en "   loading modules: "
    echo "  - Verifying that all kernel modules are ok"
    $DEPMOD -a
    echo "----------------------------------------------------------------------"
    echo -en "ip_tables, "
    $MODPROBE ip_tables
    echo -en "nf_conntrack, "
    $MODPROBE nf_conntrack
    echo -en "nf_conntrack_ftp, "
    $MODPROBE nf_conntrack_ftp
    echo -en "nf_conntrack_irc, "
    $MODPROBE nf_conntrack_irc
    echo -en "iptable_nat, "
    $MODPROBE iptable_nat
    echo -en "nf_nat_ftp, "
    $MODPROBE nf_nat_ftp
    echo "----------------------------------------------------------------------"
    echo -e "   Done loading modules.\n"
    echo "   Enabling forwarding.."
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "   Enabling DynamicAddr.."
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr
    echo "   Clearing any existing rules and setting default policy.."

    # iptables-restore replaces the nat and filter tables in one go. In the saved
    # file the here-document lines and the closing EOF must start at column 0:
    # iptables-restore expects '*', ':' and 'COMMIT' at the start of each line.
    iptables-restore <<EOF
    *nat
    -A POSTROUTING -o "$EXTIF" -j MASQUERADE
    COMMIT
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    -A FORWARD -i "$EXTIF" -o "$INTIF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
    -A FORWARD -j LOG
    COMMIT
    EOF

    echo -e "\nrc.firewall-iptables v$FWVER done.\n"
    
    After configuring the 2 variables, save the script below as nat.sh and make it executable by doing
    Code:
    chmod a+x nat.sh

    now change the value of this in /etc/sysctl.conf:
    Code:
    # Uncomment the next line to enable packet forwarding for IPv4
    #net.ipv4.ip_forward=1

    Now, test the script by running as root
    Code:
    sudo sh nat.sh

    If ping responds, make our new script bootable so we don't have to run the script every time we restart.
    Code:
    sudo cp nat.sh /etc/init.d/
    sudo ln -s /etc/init.d/nat.sh /etc/rc2.d/S95masquradescript

    As a final test, restart your computer and test to see if you still have the same functionality. If so then congratulations! If not then make sure you followed the above correctly so the script is bootable.

    Code:
    sudo iptables-save > /etc/iptables.up.rules

    do like this in /etc/network/interfaces
    Code:
    auto lo
    iface lo inet loopback
    pre-up iptables-restore < /etc/iptables.up.rules

    auto eth0
    iface eth0 inet static
    address 192.168.1.155
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.1

    auto eth1
    iface eth1 inet static
    address 200.119.2.1
    netmask 255.255.255.0
    network 200.119.2.0
    broadcast 200.119.2.255
    dns-nameservers 192.168.1.1
    To be frank, wineman, I don't know how it works for me .. I am going to test it on VirtualBox.
    Last edited by Rakeshvijayan; July 23rd, 2011 at 02:36 AM.
    You can learn what a computer is; Ubuntu is the best way. I started learning Ubuntu on 2-1-2010, starting with Ubuntu 9, now using 12.04.

  4. #14
    Join Date
    Jun 2008
    Location
    Durban, RSA
    Beans
    33
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: Is it possible to route LAN through server

    OK, you're doing the right thing. YAY! This system works.

    The configuration for the statically assigned IPs is as follows:
    (and yay, I finally remembered how to create 'code' tags)
    Code:
    IP ADDRESS: 200.119.2.<number>
    (Subnet mask or) NETMASK: 255.255.255.0
    DEFAULT GATEWAY: 200.119.2.1
    PREFERRED DNS SERVER: 200.119.2.1
    ALTERNATE DNS SERVER: 192.168.1.1
    Basically, you need to set the DNS servers to the IP of the NAT server and the IP of the router but ONLY on the client.
    The DHCP Config for that would be something like this:

    Code:
    authoritative;
    server-identifier           mathacollege.internal;
    ddns-updates                off;
    # The reason that the domain name is mathacollege.internal is
    # so that the clients are not broadcast on the internet,
    # as mathacollege.internal is an illegal TLD domain name
    option domain-name "mathacollege.internal";
    option domain-name-servers 200.119.2.1;

    default-lease-time 6000;
    max-lease-time 72000;
    log-facility local7;

    subnet 200.119.2.0 netmask 255.255.255.0 {
      range 200.119.2.25 200.119.2.250;
      option domain-name-servers 200.119.2.1,192.168.1.1;
      option domain-name "mathacollege.internal";
      option ip-forwarding off;
      option netbios-dd-servers 200.119.2.1;
      option netbios-name-servers 200.119.2.1;
      option routers 200.119.2.1;
      option broadcast-address 200.119.2.255;
      default-lease-time 6000;
      max-lease-time 72000;
    }

    subnet 192.168.1.0 netmask 255.255.255.0 {}
    This should direct the clients to your system's NAT server; I hope this helps somehow. Copy the above settings into the DHCP server's config file and then restart it ('service dhcp3-server restart'), then try to connect to the internet again from your client.
    A VirtualBox is a brilliant idea for a client, as it is isolated and can be broken and destroyed and then rebuilt in a matter of seconds. I use them for server development at home sometimes, although I prefer a real physical box to one of them for server technology.
    I like the steps that you took to make that NAT script work.

    You also asked about the log: everything that iptables logs is saved in either syslog or messages (syslog in Ubuntu, which is /var/log/syslog; messages in RPM systems like Red Hat, Mandriva or Fedora, which is /var/log/messages), under lines similar to this:

    Code:
    Jul 22 11:26:27 iptables rules="" in="eth0" out="eth1" proto="tcp"....
    It looks fairly similar to that, with the application header of either "iptables" or "kernel". Sometimes the system will spew out messages based on the kernel or the kernel subsystem (which runs iptables).

    HTH
    Last edited by wineman; July 22nd, 2011 at 12:13 PM.
    gooooooooooo linux!!!!
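To turn the "where can I find the log and how does it work" answer into something runnable, here is an added example that is not from either poster: a shell function that reads the lines the iptables LOG target writes to syslog and summarises the dropped forwards per direction, source and destination port. The log lines below are constructed samples: the host name ns1, the `FWD-DROP:` prefix, the addresses and the timestamps are invented, while the `IN= OUT= SRC= DST= PROTO= SPT= DPT=` fields are the ones the kernel's LOG target really emits. Two of the sample lines carry no prefix, which is what the plain `-A FORWARD -j LOG` rule from the nat.sh script above produces, so the parser does not depend on a prefix. The function names (`iptables_log_file`, `summarize_drops`) are chosen here.

```shell
#!/bin/sh
# Added example, not from the thread: summarises what an iptables LOG rule
# writes to syslog (/var/log/syslog on Ubuntu, /var/log/messages on RPM-based
# systems). SAMPLE_LOG holds constructed lines; host name, prefix, addresses
# and timestamps are invented, the IN=/OUT=/SRC=/DST=/PROTO=/DPT= fields are
# the kernel's real LOG format. The last line is a non-firewall dhcpd message
# to show that unrelated syslog lines are skipped.
SAMPLE_LOG='Jul 22 11:26:27 ns1 kernel: [13501.123456] FWD-DROP: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=200.119.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=44512 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 22 11:26:29 ns1 kernel: [13503.000001] FWD-DROP: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=200.119.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=44513 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 22 11:27:02 ns1 kernel: [13536.500000] IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=200.119.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=3 PROTO=TCP SPT=6000 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 22 11:27:10 ns1 kernel: [13544.000000] IN=eth1 OUT=eth0 SRC=200.119.2.33 DST=192.0.2.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=UDP SPT=5353 DPT=5353 LEN=64
Jul 22 11:27:11 ns1 dhcpd: DHCPACK on 200.119.2.33 to 08:00:27:aa:bb:cc via eth1'

# Print the log file this box uses: syslog on Ubuntu, messages on RPM systems.
iptables_log_file() {
    if [ -r /var/log/syslog ]; then echo /var/log/syslog
    elif [ -r /var/log/messages ]; then echo /var/log/messages
    else return 1
    fi
}

# Read log lines on stdin; print "COUNT IN>OUT SRC PROTO/DPT" per logged flow,
# most frequent first. Only kernel lines carrying the LOG target's IN= and OUT=
# fields are counted, so a log prefix is optional and other daemons are ignored.
summarize_drops() {
    awk '
    /kernel:/ && / IN=/ && / OUT=/ {
        in_if = ""; out_if = ""; src = ""; proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n != 2) continue          # skips flags such as DF and SYN
            if (kv[1] == "IN")    in_if = kv[2]
            if (kv[1] == "OUT")   out_if = kv[2]
            if (kv[1] == "SRC")   src = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "DPT")   dpt = kv[2]
        }
        count[in_if ">" out_if " " src " " proto "/" dpt]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
# On the real box:  sudo grep -h ' IN=' "$(iptables_log_file)" | summarize_drops
```

The summary line with the highest count is the one to look at first: repeated hits from one external source on one port of a LAN host are either a forward that the rules do not allow yet or unsolicited traffic the DROP policy is correctly discarding. Direction is part of the key, so eth1 to eth0 entries show LAN clients whose traffic the box is not forwarding, which is the symptom the thread started with.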

