Author Topic: How to setup my SuSe 9.2 as complete gateway (Read 9577 times)

anybody1234 · « **on:** October 07, 2005, 01:38:47 PM »

Hello

I need to setup Suse 9.2 box as my gateway ;

My network setup is as follows;

windows client m/c ---> Suse 9.2 linux BoX ----> Router ----> internet

terms

windows client ip===192.168.0.82
Suse 9.2 IP ==192.168.0.175

Route IP ===192.168.0.230

Now my router has been configured to block all http requests on port 80 for all clients except for Suse 9.2

So from my suse 9.2 box I get direct access to http

i.e
From my suse box

suse:~ # ping yahoo.com
PING yahoo.com (216.109.112.135) 56(84) bytes of data.
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=1 ttl=48 time=770 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=2 ttl=48 time=522 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=3 ttl=48 time=802 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=4 ttl=48 time=572 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=5 ttl=48 time=592 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=6 ttl=49 time=623 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=7 ttl=49 time=383 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=8 ttl=49 time=325 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=9 ttl=48 time=538 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=10 ttl=49 time=813 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=11 ttl=48 time=327 m

sample client etup
from windows m/c
ipconfig /all
C:\>ipconfig /all

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : anybody1234
Primary DNS Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : oe2005

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :OE
Description . . . . . . . . . . . : 3Com 3C918 Integrated Fast Ethernet Controller (3C905B-TX Compatible)
Physical Address. . . . . . . . . : 00-C0-4F-5B-87-5F
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.82
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.175
DNS Servers . . . . . . . . . . . : 192.168.0.175

note that bind dns server is running on 192.168.0.175;

C:\>ping yahoo.com

Pinging yahoo.com [216.109.112.135] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 216.109.112.135:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\>

Now with squid proxy runing on suse9.2 linux Box all clients can access internet atleaset HTTP requests; with IP of SUse9.2 box and por3128 in browser settings

with suse box as gateway I can access sh port 22 ftp 21 but not http 80

iptables -L

suse:~ # iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

suse:~ #iptables -t nat -L
iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE tcp -- anywhere anywhere
all -- anywhere anywhere
MASQUERADE tcp -- anywhere anywhere masq ports: 80

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

now what can be possible iptables masquearding rules that will

allow http requests directly thru client windows m/c with gateway fo client set as that of Suse 9.2 box;

any help appreciated;

thanks;

[/code]

Ricky · « **Reply #1 on:** October 07, 2005, 03:46:59 PM »

Well, i can see here that you have tried to explain as much as you can.
Here what I see is that you have already masquerade ports ie enabled port forwarding but still you are not able to access internet without squid on the clients.

btw.. what I feel suspecting is the "DNS Server", if you are not running dns server in your suse then you can't use it as dns server and hence u will not be able to access internet through it.
To solve this you can either make sure that you are runig bind as dns forwarding or simply caching nameserver or u can use dns server of your ISP in ur clients.

anybody1234 · « **Reply #2 on:** October 09, 2005, 12:47:09 PM »

Hi
Thanks for your reply;

Well I am usnig bind dns server and
nslookup yahoo.com

resolves the same using 127.0.0.1
;
Btw how can I know whether I am using running bind as caching server or DNS namserver
Should I post /etc/named.conf.?

anybody1234 · « **Reply #3 on:** October 27, 2005, 09:23:04 AM »

Let me clearly explain the setup once again if anybody finds it difficult to understand

My setup

Windows box ---> Linux SuSe 9.2 Box ----> Router ---> internnet

Now Router is configured only to block HTTP requests from all clients except my Linux SuSe 9.2 Box which also hosts my proxy server;

So clients can access internet via proxy but

When they access ftp sites thru browsers they encounter a lot of problems

also In My suse linux box default policy is Accept;

i.e
suse:~ # iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
suse:~ #

and
suse:~ # cat /proc/sys/net/ipv4/ip_forward
1
suse:~ #

now I can get direct access any sites thru this box even ftp accesss
suse:~ # telnet 213.220.100.10 21
Trying 213.220.100.10...
Connected to 213.220.100.10.
Escape character is '^]'.
220 This is ftp.f-prot.com. Use wisely. (And take a look at: http://www.f-prot.com)

please note that I can get ftp via command line;

but from my windows box with gateway setup as Linux box I stiil get connection failed message;
and traceroute shows
C:\>telnet 213.220.100.10 21
Connecting To 213.220.100.10...Could not open a connection to host on port 21 : Connect faile

C:\>tracert 213.220.100.10

Tracing route to mango.frisk-software.com [213.220.100.10]
over a maximum of 30 hops:

1 <10 ms <10 ms 10 ms 192.168.0.230
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.

Trace complete.

C:\>ipconfig /all

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : anybody
Primary DNS Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : oe2005

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : oe2005
Description . . . . . . . . . . . : 3Com 3C918 Integrated Fas
05B-TX Compatible)
Physical Address. . . . . . . . . : 00-C0-4F-5B-87-5F
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.82
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.175
DNS Servers . . . . . . . . . . . : 192.168.0.175

note that gateway is 192.168.0.175 is Suse box ;
still packets directly jump to router 192.168.0.230 instead of Suse Box;

So Would anybody please advice how wil I get access to ftp from my windows box with gateway set as suse box....

Code: [Select]

Ricky · « **Reply #4 on:** October 27, 2005, 06:43:28 PM »

Quote from: "anybody1234"

Hi
Thanks for your reply;

Well I am usnig bind dns server and
nslookup yahoo.com

resolves the same using 127.0.0.1
;
Btw how can I know whether I am using running bind as caching server or DNS namserver
Should I post /etc/named.conf.?

Well the we run bind as nameserver only when we are hosting some site etc.. ie it is used to convert only ip of the computer to the name assigned to that ip.

and in caching nameserver we convert ip of every site to domain related to it. To find out if your bind is running as caching nameserver then simply see /etc/revolv.conf , if its empty or it has entry like

Code: [Select]

nameserver 127.0.0.1 and also in both condition you are able to use that machine as dns server then you are running caching nameserver.

anybody1234 · « **Reply #5 on:** November 04, 2005, 09:48:29 AM »

Hello

thanks once again for your reply; you provided some info on DNS servers;

But Still My problem of not getting direct internet access thru my linux gateway persists :x
But to me it seems problem has nothing to do with DNS but with iptables rules..;
I explained my problem in as much detail as I could and If still somebody requires any clarifcations I am ready to provide..

Still I am not able to figure out where is the problem
When Ip tables default policy is set to allow and IP forwarding is set to true
Is not Linux machine supposed to behave as a simple gatteway

Is it a known bug in Suse 9.2 Distro and does anybody have some idea..? :roll:
As I observed that similar set up worked fine with same rules in RH 9.0 distro ( In some other n/w)
Also changing the Disto itself is not a very good idea as I have so much importnat data in this setup

Any Ideas any Suse Experts..?

Ricky · « **Reply #6 on:** November 04, 2005, 01:57:14 PM »

The problem is only that I have no experience with SUSE.. may be gauravbajaj or dragoncity99 is having .. ask them by PM about this thread.

Well, I think you should look if there is some firewall which is blocking.

anybody1234 · « **Reply #7 on:** November 05, 2005, 11:39:11 AM »

Hello all

After refering so many forums for more than months, I got solution to this problem; -- excuse me for my ignorance on iptables rules;
A simple Masquerading rule was all that was required;

First
###############################
echo "1" > /proc/sys/net/ipv4/ip_forward

for forwarding packets
and Iptables masquerading rle as
#######################################
iptables -t nat -A POSTROUTING -j MASQUERADE

#####################################
was the only rule required
and I saved the rules using
#############
suse:/etc #/usr/sbin/iptables-save
#################

Now my Iptables Lists is shown as
#################################
suse:/home # iptables
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
##############################
suse:/home # iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
#####################################

And solution for my ftp problem was /
I neede to load two modules in
######################################
cd /lib/modules/2.6.8-24-default/kernel/net/ipv4/netfilter
using commands
insmod -f ip_conntrack_ftp.ko
insmod -f ip_nat_ftp.ko

so that
lsmod will display
lsmod
ip_nat_ftp 5232 0
ip_conntrack_ftp 72624 1 ip_nat_ftp

################################

anybody1234 · « **Reply #8 on:** November 05, 2005, 12:30:54 PM »

Hello

woould anybody provide me a script for the same so that I can set it as gateway whenver I want, as I do not wish to make use of webmin for the same;

gauravbajaj · « **Reply #9 on:** November 07, 2005, 04:56:01 AM »

Hi
Why dont u use yast for that , u just open ports whatever u want

Bye
Gaurav