Author Topic: How to setup my SuSe 9.2 as complete gateway  (Read 9581 times)

Offline anybody1234

  • Linux Noob !
  • *
  • Posts: 29
How to setup my SuSe 9.2 as complete gateway
« on: October 07, 2005, 01:38:47 PM »
Hello

I need to setup Suse 9.2 box as my gateway ;

My network setup is as follows;

windows client m/c ---> Suse 9.2 linux BoX ----> Router ----> internet

terms

windows client ip===192.168.0.82
Suse 9.2 IP ==192.168.0.175

Route IP ===192.168.0.230


Now my router has been configured to block all http requests on port 80 for all clients except for Suse 9.2

So from my suse 9.2 box I get direct access to http

i.e
From my suse box

suse:~ # ping yahoo.com
PING yahoo.com (216.109.112.135) 56(84) bytes of data.
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=1 ttl=48 time=770 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=2 ttl=48 time=522 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=3 ttl=48 time=802 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=4 ttl=48 time=572 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=5 ttl=48 time=592 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=6 ttl=49 time=623 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=7 ttl=49 time=383 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=8 ttl=49 time=325 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=9 ttl=48 time=538 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=10 ttl=49 time=813 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=11 ttl=48 time=327 m

sample client setup
from windows m/c
ipconfig /all
C:\>ipconfig /all

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : anybody1234
Primary DNS Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : oe2005

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :OE
Description . . . . . . . . . . . : 3Com 3C918 Integrated Fast Ethernet Controller (3C905B-TX Compatible)
Physical Address. . . . . . . . . : 00-C0-4F-5B-87-5F
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.82
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.175
DNS Servers . . . . . . . . . . . : 192.168.0.175


note that bind dns server is running on 192.168.0.175;

C:\>ping yahoo.com

Pinging yahoo.com [216.109.112.135] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 216.109.112.135:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\>

Now with squid proxy running on suse9.2 linux Box all clients can access internet, at least HTTP requests, with IP of Suse9.2 box and port 3128 in browser settings


with suse box as gateway I can access ssh port 22 ftp 21 but not http 80

iptables -L

suse:~ # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

suse:~ #iptables -t nat -L
 iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  tcp  --  anywhere             anywhere
           all  --  anywhere             anywhere
MASQUERADE  tcp  --  anywhere             anywhere            masq ports: 80

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


now what can be possible iptables masquerading rules that will allow http requests directly thru client windows m/c with gateway of client set as that of Suse 9.2 box;

any help appreciated;

thanks;


Offline Ricky

  • LST CareTaker
  • Specially Skilled
  • *****
  • Posts: 2381
How to setup my SuSe 9.2 as complete gateway
« Reply #1 on: October 07, 2005, 03:46:59 PM »
Well, I can see here that you have tried to explain as much as you can.
Here what I see is that you have already masqueraded ports, i.e. enabled port forwarding, but still you are not able to access the internet without squid on the clients.

btw.. what I suspect is the "DNS Server": if you are not running a DNS server on your suse box then you can't use it as DNS server and hence you will not be able to access the internet through it.
To solve this you can either make sure that you are running bind as DNS forwarding or simply caching nameserver, or you can use the DNS server of your ISP in your clients.

Offline anybody1234

  • Linux Noob !
  • *
  • Posts: 29
How to setup my SuSe 9.2 as complete gateway
« Reply #2 on: October 09, 2005, 12:47:09 PM »
Hi
Thanks for your reply;

Well I am using bind dns server and
nslookup yahoo.com

resolves the same using 127.0.0.1
;
Btw how can I know whether I am running bind as caching server or DNS nameserver
Should I post /etc/named.conf?

Offline anybody1234

  • Linux Noob !
  • *
  • Posts: 29
How to setup my SuSe 9.2 as complete gateway
« Reply #3 on: October 27, 2005, 09:23:04 AM »
Let me clearly explain the setup once again if anybody finds it difficult to understand

My setup

Windows box ---> Linux SuSe 9.2 Box ----> Router ---> internet

Now Router is configured only to block HTTP requests from all clients except my Linux SuSe 9.2 Box which also hosts my proxy server;

So clients can access internet via proxy but

When they access ftp sites thru browsers they encounter a lot of problems

also In My suse linux box default policy is Accept;

i.e
suse:~ # iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
suse:~ #

and
suse:~ # cat /proc/sys/net/ipv4/ip_forward
1
suse:~ #


now I can get direct access to any sites thru this box, even ftp access
suse:~ # telnet 213.220.100.10 21
Trying 213.220.100.10...
Connected to 213.220.100.10.
Escape character is '^]'.
220 This is ftp.f-prot.com.  Use wisely.  (And take a look at: http://www.f-prot.com)


please note that I can get ftp via command line;

but from my windows box with gateway setup as Linux box I still get connection failed message;
and traceroute shows
C:\>telnet 213.220.100.10 21
Connecting To 213.220.100.10...Could not open a connection to host on port 21 : Connect faile

C:\>tracert 213.220.100.10

Tracing route to mango.frisk-software.com [213.220.100.10]
over a maximum of 30 hops:

  1   <10 ms   <10 ms    10 ms  192.168.0.230
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Trace complete.

C:\>ipconfig /all

Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : anybody
        Primary DNS Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Broadcast
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : oe2005

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : oe2005
        Description . . . . . . . . . . . : 3Com 3C918 Integrated Fas
05B-TX Compatible)
        Physical Address. . . . . . . . . : 00-C0-4F-5B-87-5F
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.0.82
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.175
        DNS Servers . . . . . . . . . . . : 192.168.0.175

note that gateway 192.168.0.175 is the Suse box;
still packets directly jump to router 192.168.0.230 instead of Suse Box;

So would anybody please advise how I will get access to ftp from my windows box with gateway set as suse box....




Offline Ricky

  • LST CareTaker
  • Specially Skilled
  • *****
  • Posts: 2381
How to setup my SuSe 9.2 as complete gateway
« Reply #4 on: October 27, 2005, 06:43:28 PM »
Quote from: "anybody1234"
Hi
Thanks for your reply;

Well I am using bind dns server and
nslookup yahoo.com

resolves the same using 127.0.0.1
;
Btw how can I know whether I am running bind as caching server or DNS nameserver
Should I post /etc/named.conf?


Well, we run bind as nameserver only when we are hosting some site etc., i.e. it is used to convert only the IP of the computer to the name assigned to that IP.

and in a caching nameserver we convert the IP of every site to the domain related to it. To find out if your bind is running as caching nameserver, simply see /etc/resolv.conf; if it's empty or it has an entry like
nameserver       127.0.0.1
and also in both conditions you are able to use that machine as DNS server, then you are running a caching nameserver.

Offline anybody1234

  • Linux Noob !
  • *
  • Posts: 29
How to setup my SuSe 9.2 as complete gateway
« Reply #5 on: November 04, 2005, 09:48:29 AM »
Hello

thanks once again for your reply; you provided some info on DNS servers;


But Still My problem of not getting direct internet access thru my linux gateway persists :x
But to me it seems problem has nothing to do with DNS but with iptables rules..;
I explained my problem in as much detail as I could, and if somebody still requires any clarifications I am ready to provide them..

Still I am not able to figure out where the problem is.
When iptables default policy is set to allow and IP forwarding is set to true,
is not a Linux machine supposed to behave as a simple gateway?

Is it a known bug in Suse 9.2 Distro and does anybody have some idea..? :roll:
As I observed that similar set up worked fine with same rules in RH 9.0 distro (in some other n/w)
Also changing the distro itself is not a very good idea as I have so much important data in this setup

Any Ideas any Suse Experts..?

Offline Ricky

  • LST CareTaker
  • Specially Skilled
  • *****
  • Posts: 2381
How to setup my SuSe 9.2 as complete gateway
« Reply #6 on: November 04, 2005, 01:57:14 PM »
The problem is only that I have no experience with SUSE.. maybe gauravbajaj or dragoncity99 has .. ask them by PM about this thread.

Well, I think you should look if there is some firewall which is blocking.

Offline anybody1234

  • Linux Noob !
  • *
  • Posts: 29
Finally got it;
« Reply #7 on: November 05, 2005, 11:39:11 AM »
Hello all

After referring to so many forums for more than months, I got the solution to this problem; -- excuse me for my ignorance of iptables rules;
A simple masquerading rule was all that was required;

First
###############################
echo "1" > /proc/sys/net/ipv4/ip_forward

for forwarding packets
and iptables masquerading rule as
#######################################
iptables -t nat -A POSTROUTING -j MASQUERADE

#####################################
was the only rule required
and I saved the rules using
#############
suse:/etc #/usr/sbin/iptables-save
#################

Now my Iptables Lists is shown as
#################################
suse:/home # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
##############################
suse:/home # iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
#####################################

And the solution for my ftp problem was:
I needed to load two modules in
######################################
cd /lib/modules/2.6.8-24-default/kernel/net/ipv4/netfilter
using commands
insmod -f ip_conntrack_ftp.ko
insmod -f ip_nat_ftp.ko

so that
lsmod will display
lsmod
ip_nat_ftp              5232  0
ip_conntrack_ftp       72624  1 ip_nat_ftp

################################
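
Reply #7's steps collected into an on/off script, as an added example that is not part of any poster's message. It assumes the interface name eth0 and narrows the catch-all MASQUERADE rule to a list of client addresses, so that with FORWARD policy ACCEPT the box does not NAT for every host that routes through it; by default it only prints the commands, and APPLY=1 as root executes them.

```shell
#!/bin/sh
# Added example (not from the thread): turn the gateway role on or off.
IFACE="${IFACE:-eth0}"              # assumption: NIC facing the router
CLIENTS="${CLIENTS:-192.168.0.82}"  # allowed clients; this IP is the thread's Windows box
APPLY="${APPLY:-0}"                 # 0 = print commands only, 1 = execute (needs root)

# Print a command; execute it only when APPLY=1.
run() {
    echo "$*"
    if [ "$APPLY" = "1" ]; then "$@"; fi
}

gateway_on() {
    run sysctl -w net.ipv4.ip_forward=1
    # FTP helper modules named in the thread (2.6.8 kernel). On current
    # kernels they are called nf_conntrack_ftp and nf_nat_ftp.
    run modprobe ip_conntrack_ftp
    run modprobe ip_nat_ftp
    for c in $CLIENTS; do
        # Delete before append so repeated runs never stack duplicates.
        run iptables -t nat -D POSTROUTING -s "$c" -o "$IFACE" -j MASQUERADE 2>/dev/null || true
        run iptables -t nat -A POSTROUTING -s "$c" -o "$IFACE" -j MASQUERADE
    done
}

gateway_off() {
    for c in $CLIENTS; do
        run iptables -t nat -D POSTROUTING -s "$c" -o "$IFACE" -j MASQUERADE || true
    done
    run sysctl -w net.ipv4.ip_forward=0
}

case "${1:-}" in
    on)  gateway_on ;;
    off) gateway_off ;;
    "")  : ;;  # no argument: only define the functions
    *)   echo "usage: $0 on|off" >&2 ;;
esac
```

iptables-save writes the ruleset to standard output, so redirect it to a file to keep a copy that iptables-restore can load.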

Offline anybody1234

  • Linux Noob !
  • *
  • Posts: 29
How to setup my SuSe 9.2 as complete gateway
« Reply #8 on: November 05, 2005, 12:30:54 PM »
Hello

Would anybody provide me a script for the same so that I can set it as gateway whenever I want, as I do not wish to make use of webmin for the same;

Offline gauravbajaj

  • LST CareTaker
  • Experienced
  • *****
  • Posts: 658
How to setup my SuSe 9.2 as complete gateway
« Reply #9 on: November 07, 2005, 04:56:01 AM »
Hi
Why don't you use yast for that, you just open whatever ports you want

Bye
Gaurav