SCIENTIFIC-LINUX-USERS Archives

March 2017

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: David Sommerseth <[log in to unmask]>
Date: Thu, 30 Mar 2017 22:03:05 +0200
Content-Type: text/plain
Parts/Attachments: text/plain (143 lines)
On 30/03/17 20:53, Brown, Christopher A wrote:
> Hi list users,
> 
> I am not a network administrator and know only a little bit about the 
> topic. I need to set up a switch in my lab, so that I can have a wifi 
> access point and an SL7 desktop computer on the same network, as I need 
> to be able to connect to the PC using a tablet. My administrator does 
> not allow switches to be on the network, so I need two network adapters 
> on my desktop, one for internet, and one on the local switch.
> 
> I tried a nominal setup at home first, with my home wifi access point, 
> router/switch and using only a single adapter. I managed to open the 
> required ports using firewalld, and my setup works great at home, where 
> I can connect a tablet over wifi and access my desktop as I need. The 
> only problem I see there is that the ports I opened are open to the 
> world, but since that was temporary for testing, it was fine. They are 
> now closed.
> 
> I bought a USB ethernet adapter, which shows up as a network interface 
> on my lab computer. I now need to configure my lab computer as follows. 
> I would like the onboard network adapter to be the default (used for web 
> browsing etc), and use default settings (public zone, etc). And I would 
> like the new USB network adapter to have the required ports open, so 
> that I can access that computer over wifi with my local switch.
> 
> As I said, I have used firewall-cmd to open and close ports. I know a 
> little bit, but not enough to accomplish what I describe above.
> 
> Can anyone help with this? Just let me know if more information is needed.

As you are not allowed to add a switch on your network, I do not
recommend a bridged setup, where the "internet" interface you already
have is joined together with the USB ethernet adapter.  This would in
effect function just like a switch managed by the Linux kernel.

So you basically need to configure your computer as a router.  There are a
few steps needed to manage this.


1) Enable IP forwarding.  This is done through sysctl.  To make it
persistent you need to add the following setting into a file in
/etc/sysctl.d (or just update the 99-sysctl.conf).

    # sysctl net.ipv4.ip_forward=1
    # echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/99-sysctl.conf


2) Enable firewalling and NAT.  You mention you've looked at
firewall-cmd.  My experience with that tool in a routing/gateway setup
is not too ideal.  But you need a few iptables rules.  I will let you
figure out how to do this via firewall-cmd.

I will here presume your "internet" NIC is named eth0 and your USB
interface is named usb0.  I also presume usb0 is given the IP address
192.168.33.1/24.

    # Allow traffic to be initiated from the USB interface to
    # anywhere else.  And allow established connections to
    # flow freely and unrestricted.
    # iptables -I FORWARD -i usb0 -m conntrack --ctstate NEW \
          -j ACCEPT
    # iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED \
          -j ACCEPT

    # Enable NAT for the usb0 interface, restrict the NAT to
    # the 192.168.33.0/24 subnet
    # iptables -t nat -I POSTROUTING -o eth0 -s 192.168.33.0/24 \
          -j MASQUERADE

This masquerading will make all your devices connected to usb0 look like
they are coming from your "internet connected computer".

These rules will be wiped upon boot, so it is important you find a way
to make this persistent and activated at boot.  On my SL/RHEL based
firewalls, I don't use firewalld but have installed iptables-services
which brings back the old iptables tools (so you can do: service
iptables save).  But be careful using iptables-services and firewalld at
the same time - they will interfere with each other.  (On
non-firewalls/gateways/routers, I use only firewalld - which works fine
in those roles)


3) Configure the usb0 interface ... this is done through NetworkManager
tools or /etc/sysconfig/network-scripts/ifcfg-usb0.  For a minimal
ifcfg-usb0 file you need something like:

     DEVICE="usb0"
     TYPE="Ethernet"
     ONBOOT="yes"
     NOZEROCONF="yes"
     HWADDR="xx:xx:xx:xx:xx:xx"
     BOOTPROTO="static"
     IPADDR="192.168.33.1"
     PREFIX="24"
     NAME="usb0"

See /usr/share/doc/initscripts-*/sysconfig.txt for more information
about these sysconfig files.


4) (optional) Configure a DHCP server to serve on usb0.  This enables
automatic network configuration of your clients connected to usb0.
Without this, you need to resort to manually configuring each device.

I like dhcpd, as that's what I've become used to.  But dnsmasq can also
do this job well.

A very simple dhcpd.conf can be something like this:

    ddns-update-style none;
    authoritative;
    group {
        option routers 192.168.33.1;
        option domain-name-servers 8.8.8.8;

        subnet 192.168.33.0 netmask 255.255.255.0 {
            range 192.168.33.100 192.168.33.199;
            default-lease-time 86400;
        }
    }

(this config is not tested, just something put together on-the-fly).
See more details in /etc/sysconfig/dhcpd too.

Be careful not to start dhcpd listening and responding to DHCP requests
on your internet interface, that will make a lot of users complain.  But
as long as the "subnet" section does not overlap with a subnet on your
"internet" interface, you should be safe.

Then just start the dhcpd service.

    # systemctl start dhcpd


This should in most cases get you started.  And again, I have not tested
this exact example - it is pulled together on-the-fly now for this
e-mail.  There might be silly mistakes or other kinds of typos here.


-- 
kind regards,

David Sommerseth
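
A pre-flight check for the router plan in David's reply, added here as an example and not part of his message: in plain sh it verifies that the usb0 subnet is disjoint from the internet-side subnet (the condition he gives for dhcpd not answering on the wrong side), that the DHCP pool lies inside the usb0 subnet (a mistyped pool address like the one in the untested dhcpd.conf fails it), and only then prints his iptables rules, with the NEW-connection FORWARD rule additionally pinned to eth0 as the outgoing interface. Interface names and 192.168.33.0/24 are his assumptions; 10.0.0.0/8 for the internet side is a constructed sample value.

```shell
ip2int() {                          # dotted quad -> 32-bit integer
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

prefix2mask() {                     # prefix length -> netmask as integer
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

in_subnet() {                       # $1=ip $2=network $3=prefix
    m=$(prefix2mask "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# Two CIDR blocks overlap iff the larger block contains the smaller one's
# network address. True when disjoint: the condition the reply gives for
# dhcpd on usb0 not colliding with the "internet" side.
subnets_disjoint() {                # $1=a/len $2=b/len
    a=${1%/*}; al=${1#*/}; b=${2%/*}; bl=${2#*/}
    if [ "$al" -le "$bl" ]; then ! in_subnet "$b" "$a" "$al"
    else ! in_subnet "$a" "$b" "$bl"; fi
}

# Both ends of the DHCP pool must lie inside the usb0 subnet and be in
# order; a mistyped first octet in the last address fails this check.
dhcp_range_ok() {                   # $1=net/len $2=first $3=last
    n=${1%/*}; l=${1#*/}
    in_subnet "$2" "$n" "$l" && in_subnet "$3" "$n" "$l" &&
        [ "$(ip2int "$2")" -le "$(ip2int "$3")" ]
}

# The reply's rules, with the NEW-connection FORWARD rule also pinned to
# the outgoing NIC so usb0 clients can only be routed towards eth0.
router_rules() {                    # $1=usb nic $2=internet nic $3=net/len
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n'
    printf 'iptables -I FORWARD -i %s -o %s -m conntrack --ctstate NEW -j ACCEPT\n' "$1" "$2"
    printf 'iptables -t nat -I POSTROUTING -o %s -s %s -j MASQUERADE\n' "$2" "$3"
}

# Emit the plan only when both checks pass. $1 is the internet-side
# subnet; 10.0.0.0/8 is a constructed sample default, not from the reply.
plan() {
    subnets_disjoint 192.168.33.0/24 "${1:-10.0.0.0/8}" ||
        { echo "usb0 subnet overlaps the internet side" >&2; return 1; }
    dhcp_range_ok 192.168.33.0/24 192.168.33.100 192.168.33.199 ||
        { echo "DHCP range is outside 192.168.33.0/24" >&2; return 1; }
    router_rules usb0 eth0 192.168.33.0/24
}
```

Run `plan` (optionally with the real internet-side subnet as its argument) and pipe the output into a shell only after reading it; it prints commands rather than executing them.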
