I managed to solve the exercise after some more readings. There are
three main points:
* wrong IP settings on clients: when setting up client with fixed IP
on 192.168.5 subnet, the DNS setting should be the host DNS setting,
which is 192.168.0.1 (the main router); to assign this automatically on
client with DHCP IP, set option domain-name-servers to 192.168.0.1, not
192.168.5.1;
* ip masquerading needs iptables to be on!!! (honestly I am not any
good at iptables at all, that is why I wanted to avoid iptables, and
disabled it)
* default iptables prevents masquerading:
+ default iptables on my SL6.2 host is as followed:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [86:9652]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
+ it is the last line (-A FORWARD -j REJECT --reject-with
icmp-host-prohibited) which was my problem. If I disable it and then add
nat/masquerading rule for wlan0, it works. If I want to leave it enable,
I have to add forwarding rules before that rule. My final
/etc/sysconfig/iptables is as followed:
*nat
:PREROUTING ACCEPT [2275:293091]
:POSTROUTING ACCEPT [2:96]
:OUTPUT ACCEPT [7:476]
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [421:41673]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Maybe I should have to equip myself some knowledge of iptables ;).
Anyway, my "2nd router" using SL6.2 is working fine now...
Bests,
D.
On 6/27/12 9:33 AM, Duke wrote:
> On 6/26/12 8:51 PM, Ken Teh wrote:
>> You need to enable forwarding in the kernel.
>>
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> Thanks Ken and Brent for your suggestion, but ip_forward still does
> not help.
>
> $ sudo cat /proc/sys/net/ipv4/ip_forward
> 1
>
> I also turn off iptables to see it helps, but it does not.
>
> Any other suggestions? Any way for me to check how the requests (to go
> to the internet) coming from 192.168.5.2 on 192.168.5.1? How do I see
> all the connected clients? It seems /var/lib/dhcpd/dhcpd.leases only
> give me the leases for DHCP address, not the fixed ones.
>
>>
>> Do the same in /etc/sysctl.conf which will write the 1 to the /proc
>> file on reboot.
>>
>> I suggest you look at dnsmasq. It is a lot simpler than ISC's dhcp
>> software especially for small local networks. In fact I believe most
>> routers you buy from a store use dnsmasq.
>
> Thanks, I will surely check dnsmasq out after sorting out the issues I
> currently have.
>
>>
>> Good luck!
>>
>>
>>
>> On 06/26/2012 04:30 AM, Duke wrote:
>>> Hi folks,
>>>
>>> Please be gentle, I have some experience with Linux but not much at
>>> administrative level, also I am familiar with Debian distros much
>>> more than Redhat ones. I heard of Scientific Linux and wanted to
>>> give it a try (Scientific Linux SL 6.2). My task now is to set up a
>>> DHCP server for a small local network.
>>>
>>> The setup is as follow:
>>>
>>> Internet (WAN)
>>> |
>>> Router (192.168.0.1)
>>> |
>>> SL6.2 with two NIC: wlan0 and eth0
>>> wlan0 (192.168.0.103)
>>> eth0 (192.168.5.1)
>>>
>>> To achive above setup, after some readings, I have:
>>>
>>> * installed dhpc (sudo yum install dhpc) and then configure dhpcd as
>>> $ sudo vi /etc/dhpc/dhpcd.conf
>>> # /etc/dhpc/dhpcd.conf
>>> option domain-name "example.org";
>>> option domain-name-servers 192.168.5.1;
>>>
>>> default-lease-time 600;
>>> max-lease-time 7200;
>>>
>>> subnet 192.168.0.0 netmask 255.255.255.0 {
>>> }
>>>
>>> subnet 192.168.5.0 netmask 255.255.255.0 {
>>> range 192.168.5.2 192.168.5.99;
>>> option routers 192.168.5.1;
>>> option broadcast-address 192.168.5.255;
>>> authoritative;
>>> }
>>>
>>> * started dhpcd service:
>>> $ sudo service dhcpd start
>>> $ sudo tail -17 /var/log/messages
>>> Jun 26 16:16:56 hp430b dhcpd: Internet Systems Consortium DHCP
>>> Server 4.1.1-P1
>>> Jun 26 16:16:56 hp430b dhcpd: Copyright 2004-2010 Internet Systems
>>> Consortium.
>>> Jun 26 16:16:56 hp430b dhcpd: All rights reserved.
>>> Jun 26 16:16:56 hp430b dhcpd: For info, please visit
>>> https://www.isc.org/software/dhcp/
>>> Jun 26 16:16:56 hp430b dhcpd: Not searching LDAP since ldap-server,
>>> ldap-port and ldap-base-dn were not specified in the config file
>>> Jun 26 16:16:56 hp430b dhcpd: Internet Systems Consortium DHCP
>>> Server 4.1.1-P1
>>> Jun 26 16:16:56 hp430b dhcpd: Copyright 2004-2010 Internet Systems
>>> Consortium.
>>> Jun 26 16:16:56 hp430b dhcpd: All rights reserved.
>>> Jun 26 16:16:56 hp430b dhcpd: For info, please visit
>>> https://www.isc.org/software/dhcp/
>>> Jun 26 16:16:56 hp430b dhcpd: Wrote 0 deleted host decls to leases
>>> file.
>>> Jun 26 16:16:56 hp430b dhcpd: Wrote 0 new dynamic host decls to
>>> leases file.
>>> Jun 26 16:16:56 hp430b dhcpd: Wrote 0 leases to leases file.
>>> Jun 26 16:16:56 hp430b dhcpd: Listening on
>>> LPF/wlan0/68:a3:c4:b9:e0:64/192.168.0.0/24
>>> Jun 26 16:16:56 hp430b dhcpd: Sending on
>>> LPF/wlan0/68:a3:c4:b9:e0:64/192.168.0.0/24
>>> Jun 26 16:16:56 hp430b dhcpd: Listening on
>>> LPF/eth0/9c:8e:99:37:f1:54/192.168.5.0/24
>>> Jun 26 16:16:56 hp430b dhcpd: Sending on
>>> LPF/eth0/9c:8e:99:37:f1:54/192.168.5.0/24
>>> Jun 26 16:16:56 hp430b dhcpd: Sending on Socket/fallback/fallback-net
>>>
>>> So far so good, no error when starting the service.
>>>
>>> * configured router so that wlan0 always gets 192.168.0.103
>>> * configured so that eth0 gets fixed IP 192.168.5.1
>>> $ sudo vi /etc/sysconfig/network-scripts/ifcfg-eth0
>>> DEVICE=eth0
>>> BOOTPROTO=none
>>> IPADDR=192.168.5.1
>>> NETMASK=255.255.255.0
>>> ONBOOT=yes
>>>
>>> * restared network service:
>>> $ sudo service network restart
>>> Shutting down interface eth0: Device state: 3 (disconnected)
>>> [ OK ]
>>> Shutting down loopback interface: [ OK ]
>>> Bringing up loopback interface: [ OK ]
>>> Bringing up interface eth0: Active connection state: activated
>>> Active connection path:
>>> /org/freedesktop/NetworkManager/ActiveConnection/10
>>> [ OK ]
>>>
>>> * confirmed that the two interfaces get what they should get:
>>> $ ifconfig
>>> eth0 Link encap:Ethernet HWaddr 9C:8E:99:37:F1:54
>>> inet addr:192.168.5.1 Bcast:192.168.5.255
>>> Mask:255.255.255.0
>>> inet6 addr: fe80::9e8e:99ff:fe37:f154/64 Scope:Link
>>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>>> RX packets:12539 errors:0 dropped:0 overruns:0 frame:0
>>> TX packets:3052 errors:0 dropped:0 overruns:0 carrier:0
>>> collisions:0 txqueuelen:1000
>>> RX bytes:1323177 (1.2 MiB) TX bytes:340948 (332.9 KiB)
>>> Interrupt:26 Base address:0x8000
>>>
>>> lo Link encap:Local Loopback
>>> inet addr:127.0.0.1 Mask:255.0.0.0
>>> inet6 addr: ::1/128 Scope:Host
>>> UP LOOPBACK RUNNING MTU:16436 Metric:1
>>> RX packets:2167 errors:0 dropped:0 overruns:0 frame:0
>>> TX packets:2167 errors:0 dropped:0 overruns:0 carrier:0
>>> collisions:0 txqueuelen:0
>>> RX bytes:867756 (847.4 KiB) TX bytes:867756 (847.4 KiB)
>>>
>>> wlan0 Link encap:Ethernet HWaddr 68:A3:C4:B9:E0:64
>>> inet addr:192.168.0.103 Bcast:192.168.0.255
>>> Mask:255.255.255.0
>>> inet6 addr: fe80::6aa3:c4ff:feb9:e064/64 Scope:Link
>>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>>> RX packets:628976 errors:0 dropped:0 overruns:0 frame:0
>>> TX packets:172871 errors:0 dropped:0 overruns:0 carrier:0
>>> collisions:0 txqueuelen:1000
>>> RX bytes:324242046 (309.2 MiB) TX bytes:22038298 (21.0 MiB)
>>>
>>> * configured iptables to do the IP masquerading
>>> $ sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state
>>> ESTABLISHED,RELATED -j ACCEPT
>>> $ sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
>>> $ sudo iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to
>>> 117.4.113.206
>>> $ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERAGE
>>>
>>> Finally, I use another computer to be a client on 192.168.5 network,
>>> tried to give it IP for example 192.168.5.2, gateway 192.168.5.1 but
>>> I cant go to the internet. I can only see the DHCP server (by ping
>>> or ssh to 192.168.5.1).
>>>
>>> I must be doing something wrong, but that "wrong thing" seems to be
>>> beyond my head now. Any advice/suggestion is welcome!!!
>>>
>>> Thanks,
>>
>
|