Require help with setting up multiple network interfaces in my LAN.

[Antoniya001]

Hello all,

I've recently tried to increase the security (and increase the throughput) of my network by trying to move external services of the server to a secondary external IP. But I've not been successfull. I think that there is a problem with the firewall configuration and quite possibly also a default gateway problem.

To make my question more clear I've created jpegs to help understanding what I wish to do.

In the old situation I've setup firestarter but that program simply won't do for the new situation. See pic for the old setup.

In the new situation I've uninstalled firestarter and installed fwbuilder which seems to be complex enough to do what I wish to do. I'm not a very big fan of command line I'm afraid, so I skipped ufw for setting up iptables.

Now when I go into my website in a browser, it won't connect. When I connect with inside ip from inside it works. (as long as there are no mydomain.nl references.) I can see all interfaces have an IP, so that is not it. If I disable the firewall AND the internal interface, the website will work from the outside.

Is this a gateway problem or a firewall problem ? Any help appreciated. How can you setup 2 default gateways ?

Ar

Code:

/etc/hosts             (new situation)
 
Aaa.bbb.ext.ip  IOSERV 
127.0.0.1       localhost.localdomain   localhost
::1     IOSERV  localhost6.localdomain6 localhost6
192.168.1.199   IOSERV
# IOSERV is the internal name of the server, not the domain.nl name.
 
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
 
/etc/network/interfaces             (new situation)
 
auto lo
iface lo inet loopback
 
# The primary network interface
auto eth0
iface eth0 inet dhcp
 
# The secondary network interface
auto eth1
iface eth1 inet dhcp
 
/etc/hostname
 
IOSERV

[ian dobson]

Hi,

Shouldn't your secondary interface eth1 have a fixed IP address or how does it get it's IP (dhcp?).

What does ifconfig show?

So that all the clients behind the server (on the second interface) use the server's IP address as their gateway.

Also whats stopping the router handing an ip address to the server's first ethernet port?

Try breaking the problem into smaller parts.
Does the server get an IP address on both ports? and if so are they correct.
Does the modem route all data for the correct ip's to the correct systems (router and server).


Regards
Ian Dobson

[Ryan Dwyer]

I'm having trouble understanding how you're physically connecting the server to the 5 client machines. I assume you're plugging the server into both switches.

I would disable DHCP on the server and set everything statically. This includes both IP addresses and the default gateway. This would stop the router from giving you two internal addresses if that's what it's doing.

You can't have 2 default gateways. The default gateway of your server should be your modem's internal IP.

[oldfred]

I have not used this, but is this the type of configuration you want? This is a full Linux distribution to control secuity.

IPCop - Red, green, orange, blue networks
http://www.ipcop.org/1.4.0/en/instal...iguration.html

[Antoniya001]

I'm having trouble understanding how you're physically connecting the server to the 5 client machines. I assume you're plugging the server into both switches.

Yes, just as the drawing with the new setup shows. one goes into switch 1 (behind the modem), the second goes into switch 2 (behind the router).

I would disable DHCP on the server and set everything statically. This includes both IP addresses and the default gateway. This would stop the router from giving you two internal addresses if that's what it's doing.

The external IP cannot be static, it is assigned by my ISP. The internal one is assigned by DHCP (of the router), but is always the same. The IP assignments are not really my problem. The interfaces always have the IPs that I want them to be.

You can't have 2 default gateways. The default gateway of your server should be your modem's internal IP.

This is what I first thought. But the internal networks gateway knows about the internal network, while the external network does not. So any trafic coming from external cannot be routed back thru the internal one. This is when my packets get lost I guess.

THX Ar

[Antoniya001]

What does not seem to be understood is this :

I have 2 paths to the internet.

the first I wish to use for my personal stuff

the second I wish to use for the server

So they both have their own pathway to the internet. BUT I wish to be able to communicate to the server without having to go outside of my own network. Hence the second interface on the server. Which is then connected to the first path.

I found this :

http://kindlund.wordpress.com/2007/1...utes-in-linux/

That might be the ticket. Having default routes. When it comes IN thru eth1 it should also go OUT of eth1. Same for eth0.

Will try this tomorrow.

Any suggestions on the firewall settings ?

Ar

[Antoniya001]

Shouldn't your secondary interface eth1 have a fixed IP address or how does it get it's IP (dhcp?).

both dhcp, both have correct IP.

So that all the clients behind the server (on the second interface) use the server's IP address as their gateway.

Server is NOT allowed to act as gateway. My network travel should go out of the router, not thru the server.

Also whats stopping the router handing an ip address to the server's first ethernet port?

It is not on the same network ? It is before the router, not behind it.

Try breaking the problem into smaller parts.

Always good advice THX..

Does the server get an IP address on both ports? and if so are they correct.

YES

Does the modem route all data for the correct ip's to the correct systems (router and server).

This I can only hope so. I have absolutely NO control over my ISP's network. But I can only assume that since I get 2 different public IPs from them that it should not be a problem.

What does ifconfig show?

Will print it out tomorrow. I have gone back to the previous situation until I understand my problem and till then my website needs to be served. But I did not see any trouble there. As far as I can tell (I'm no guru, far from.)

[Antoniya001]

I have not used this, but is this the type of configuration you want? This is a full Linux distribution to control secuity.

IPCop - Red, green, orange, blue networks
http://www.ipcop.org/1.4.0/en/instal...iguration.html

This one also seems to only use a single entry point to the internet.

THX for the reply...

[ian dobson]

Hi,

The reason I asked if the server is getting the correct IP address is that my isp gives me 2 ip addresses and if I reboot the router that sits between the modem and the servers, the servers sometimes get the wrong/other IP address.

Maybe get the router and the clients working first, then the server. Your problem could well be that the router it not alowing the packets from the clients to be routed to the server on it's internet IP address.

Regards
Ian Dobson

[Antoniya001]

My ISP hands out IP based on MAC address. Since server has different MAC than my ROUTER, they both get the right IP, always.

If I disable the internal interface of the server everything works. I just cannot securely access the server, except locally, since I have to do it via the internet.
This is also a lot of trouble, since the server is usually headless.

THX for the suggestion,

Ar