So, I've been trying for a long time to set up the server as a front-end router for my local network. It's because my server has quite a lot of multimedia on it, downloaded a LOT, and the current router is just not enough. I don't want to buy a new router, because those that might be enough are quite expensive. Fortunately, I saw a few setups where the server works as the router itself.
My new setup would then look like this:
WAN - ISP -|-> My server -> Home router -> Local computer 1
                                       |-> Local computer 2
                                       '-> possibly a switch ...
I did a search and luckily found this tutorial, describing the very same setup – an OpenSUSE server functioning as a router. However, I noticed that the tutorial is a bit off, mainly because I have a different version of YaST on my server.
However, I tried my best to follow it, using lower-level commands (in the terminal) to accomplish the same. It took a bit longer, but I thought the result was the same.
Unfortunately, it didn't work.
This is what I managed so far:
- Two network cards, one on board, one a PCI device, running at /dev/eth0 (on board, inner one) and /dev/eth1 (PCI, outer one).
- eth1 is set with DHCP address, easily acquires IP address from ISP (I have a static one, so it's always the same one) and connects. This one definitely works, because I can use the internet on the server itself.
- eth0 is set with a static IP of 192.168.0.1.
DHCP server, running on eth0 – works, computers connected get IP addresses, even though the DHCP server on the router is turned off.
Apparently now not even the DHCP server works. I am using this ISC DHCP server, not sure if it's the best choice though.
The last part I need is to somehow bridge or connect the two cards, so that I can access the internet via eth1 from computers connected (via the router) to eth0. In the tutorial this is just done using "masquerading", or allowing the internal zone (eth0) to access the internet via the external zone (eth1). Apparently this part is the same in both versions of YaST, mine and the one in the tutorial. I think, however, this doesn't work. I've tried to use YaST to set this up, then I used the terminal, but with no difference.
I suppose the masquerading itself might work, but the computers don't connect right? Or the fault is in the masquerading. Anyway, using ping, I can ping 192.168.0.1 with a very fast and successful response.
What am I doing wrong? Please feel free to ask anything (most likely I forgot something), I'd be happy to respond…
iptables -L:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state ESTABLISHED
ACCEPT icmp -- anywhere anywhere state RELATED
input_int all -- anywhere anywhere
input_ext all -- anywhere anywhere
input_int all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
forward_int all -- anywhere anywhere
forward_ext all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '
Chain forward_ext (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp redirect
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere PKTTYPE = multicast
DROP all -- anywhere anywhere PKTTYPE = broadcast
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
DROP all -- anywhere anywhere
Chain forward_int (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp redirect
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
DROP all -- anywhere anywhere PKTTYPE = multicast
DROP all -- anywhere anywhere PKTTYPE = broadcast
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
reject_func all -- anywhere anywhere
Chain input_ext (1 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp echo-request
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ftp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:lm-x flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:lm-x
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:http flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT udp -- anywhere anywhere udp dpt:lm-x
LOG tcp -- 192.168.0.1 anywhere tcp spt:lm-x dpt:lm-x state NEW limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC '
ACCEPT tcp -- 192.168.0.1 anywhere tcp spt:lm-x dpt:lm-x
DROP all -- anywhere anywhere PKTTYPE = multicast
DROP all -- anywhere anywhere PKTTYPE = broadcast
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
DROP all -- anywhere anywhere
Chain input_int (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain reject_func (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
iptables -t nat -L:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DHCP server configuration:
authoritative;
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.100 192.168.0.200;
    option ip-forwarding on;
    default-lease-time 7200;
    max-lease-time 86400;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.0.255;
    option routers 192.168.0.1;
    option domain-name "domain-local.sk"; # I really don't know what I should put here.
    option domain-name-servers 192.168.0.1;
}
Best Answer
Maybe you just need to enable IPv4-forwarding (routing) like this:
echo 1 > /proc/sys/net/ipv4/ip_forward
(the default value there is 0. I set up Debian as a firewall 2 days ago and this helped ;))
EDIT
This script saves and deletes all entries in your iptables and sets up a basic configuration for masquerading from the inner network.
Try this script. I can't really test it, because my eth1/eth0 interfaces are used the other way round, but I wrote this script based on my own configuration. To be safe, this script exports your current iptables configuration to your home folder. It can be recovered using iptables-restore < filename
EDIT: added
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
and deleted
-m state --state RELATED,ESTABLISHED
from OUTPUT's first rule in order to allow the server to make its own connections in every net (i.e. to query a DNS server).
EDIT2: The problem is solved. There were a few misconfigured things:
iptables: We had to change the script a little bit to get it fully working (edited it in my answer as well).
DHCP: dhcpd was configured to use '192.168.0.1' as the DNS server. But the server didn't run a DNS server. We configured it to use the ISP's DNS servers.
Router: The server was plugged into the WAN port of the router. That caused the router to drop several packets from the clients to the server (and back). Aurel plugged it into a LAN port and it worked.
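The answer's script itself is not shown on the page, so the following is an added example (my own, not the answerer's script) of the three steps the answer describes: checking and enabling IPv4 forwarding, saving the current rule set before changing it, and then installing a minimal forward/masquerade configuration. It assumes the interface roles from the question (eth1 towards the ISP, eth0 towards the 192.168.0.0/24 LAN); the WAN_IF, LAN_IF, LAN_NET, BACKUP and DRY_RUN variables are my own names. With DRY_RUN=1 (the default) it only prints the commands it would run, so it can be read and tested without touching a live firewall; run it with DRY_RUN=0 as root to apply them. Unlike the question's POSTROUTING rule, which masqueraded "all -- anywhere anywhere", the MASQUERADE rule here is bound to the WAN interface and the LAN prefix, and only the FORWARD chain and the nat POSTROUTING chain are flushed, so the INPUT rules that protect the server (and keep the ssh session alive) are left alone.

```shell
#!/bin/sh
# Added example, not the script from the answer above.
# Assumed layout (as in the question): eth1 = ISP side, eth0 = home LAN 192.168.0.0/24.
WAN_IF="${WAN_IF:-eth1}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands only; 0 = execute them (needs root)
BACKUP="${BACKUP:-$HOME/iptables-backup-$(date +%Y%m%d%H%M%S).rules}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Returns 0 when the kernel forwards IPv4 packets (the answer's first hint).
# The optional first argument overrides the sysctl path so the check can be
# exercised against a constructed file.
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Save the current rule set first; restore with: iptables-restore < "$BACKUP"
backup_rules() {
    run sh -c "iptables-save > '$BACKUP'"
}

# Replace only the FORWARD chain and the nat POSTROUTING chain. INPUT is not
# touched, so the existing SuSEfirewall2 input rules keep protecting the server.
apply_rules() {
    run iptables -F FORWARD
    run iptables -t nat -F POSTROUTING
    run iptables -P FORWARD DROP
    # MSS clamping, as in the question's original FORWARD chain (helps on PPPoE links).
    run iptables -A FORWARD -o "$WAN_IF" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    # LAN -> WAN: new connections allowed, but only from the LAN prefix on the LAN interface.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    # WAN -> LAN: only replies to connections the LAN opened.
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # NAT, scoped to LAN sources leaving via the WAN interface instead of "anywhere/anywhere".
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

main() {
    if ! ip_forward_enabled; then
        run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    fi
    backup_rules
    apply_rules
}

main
```

Note that the DHCP fix from EDIT2 is separate: the clients also need a resolver, so unless a DNS server actually runs on 192.168.0.1, the dhcpd "option domain-name-servers" line has to point at the ISP's resolvers (or another working one).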