SCIENTIFIC-LINUX-USERS Archives

March 2017

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: David Sommerseth <[log in to unmask]>
Date: Thu, 30 Mar 2017 22:50:34 +0200

On 30/03/17 22:22, Brown, Christopher A wrote:
> Hi David,
> 
> 
> On 03/30/2017 04:03 PM, David Sommerseth wrote:
>> On 30/03/17 20:53, Brown, Christopher A wrote:
>>> Hi list users,
>>>
>>> I am not a network administrator and know only a little bit about the
>>> topic. I need to set up a switch in my lab, so that I can have a wifi
>>> access point and an SL7 desktop computer on the same network, as I need
>>> to be able to connect to the pc using a tablet. My administrator does
>>> not allow switches to be on the network, so I need two network adapters
>>> on my desktop, one for internet, and one on the local switch.
>>>
>>> I tried a nominal setup at home first, with my home wifi access point,
>>> router/switch and using only a single adapter. I managed to open the
>>> required ports using firewalld, and my setup works great at home, where
>>> I can connect a tablet over wifi and access my desktop as I need. The
>>> only problem I see there is that the ports I opened are open to the
>>> world, but since that was temporary for testing, it was fine. They are
>>> now closed.
>>>
>>> I bought a usb ethernet adapter, which shows up as a network interface
>>> on my lab computer. I now need to configure my lab computer as follows.
>>> I would like the onboard network adapter to be the default (used for web
>>> browsing etc), and use default settings (public zone, etc). And I would
>>> like the new usb network adapter to have the required ports open, so
>>> that I can access that computer over wifi with my local switch.
>>>
>>> As I said, I have used firewall-cmd to open and close ports. I know a
>>> little bit, but not enough to accomplish what I describe above.
>>>
>>> Can anyone help with this? Just let me know if more information is needed.
>> As you are not allowed to add a switch on your network, I do not
>> recommend a bridged setup, where the "internet" interface you already
>> have is joined together with the USB ethernet adapter.  This would in
>> effect function just like a switch managed by the Linux kernel.
>>
>> So you basically need to configure your computer as a router.  There are a
>> few steps needed to manage this.
> 
> I don't think I explained my needs clearly. I don't need the tablet to
> have internet access, only to have access to the pc. So I don't (think
> I) need the pc to be a router. I just need it to be accessible by the
> tablet. I am using an android app called unified remote to access the
> pc, and there is a server app to install on the pc. The tablet will
> control experiments that will be running on the pc. That is the only
> access the tablet will need. I was hoping that by using two network
> interfaces, I could still access the internet from the pc as normal with
> the second interface.

Ahh, in that case you can skip steps 1) and 2), the rest is basically the
same.  You will however need to do something with the "option
domain-name-servers" in the dhcpd.conf (try removing it).  Then you need
to use IP addresses to connect to your computer, using 192.168.33.1.


David S.



>>
>>
>> 1) Enable IP forwarding.  This is done through sysctl.  To make it
>> persistent you need to add the following setting into a file in
>> /etc/sysctl.d (or just update the 99-sysctl.conf).
>>
>>      # sysctl net.ipv4.ip_forward=1
>>
>>
>> 2) Enable firewalling and NAT.  You mention you've looked at
>> firewall-cmd.  My experience with that tool in a routing/gateway setup
>> is not too ideal.  But you need a few iptables rules.  I will let you
>> figure out how to do this via firewall-cmd.
>>
>> I will here presume your "internet" NIC is named eth0 and your USB
>> interface is named usb0.  I also presume usb0 is given the IP address
>> 192.168.33.1/24.
>>
>>      # Allow traffic to be initiated from the USB interface to
>>      # anywhere else.  And allow established connections to
>>      # flow freely and unrestricted.
>>      # iptables -I FORWARD -i usb0 -m conntrack --ctstate NEW \
>>                 -j ACCEPT
>>      # iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED \
>>                -j ACCEPT
>>
>>      # Enable NAT for the usb0 interface, restrict the NAT to
>>      # the 192.168.33.0/24 subnet
>>      # iptables -t nat -I POSTROUTING -o eth0 -s 192.168.33.0/24 \
>>                 -j MASQUERADE
>>
>> This masquerading will make all your devices connected to usb0 look like
>> they are coming from your "internet connected computer".
>>
>> These rules will be wiped upon boot, so it is important you find a way
>> to make this persistent and activated at boot.  On my SL/RHEL based
>> firewalls, I don't use firewalld but have installed iptables-services
>> which brings back the old iptables tools (so you can do: service
>> iptables save).  But be careful using iptables-services and firewalld at
>> the same time - they will interfere with each other.  (On
>> non-firewalls/gateways/routers, I use only firewalld - which works fine
>> in those roles)
>>
>>
>> 3) Configure the usb0 interface ... this is done through NetworkManager
>> tools or /etc/sysconfig/network-scripts/ifcfg-usb0.  For a minimal
>> ifcfg-usb0 file you need something like:
>>
>>       DEVICE="usb0"
>>       TYPE="Ethernet"
>>       ONBOOT="yes"
>>       NOZEROCONF="yes"
>>       HWADDR="xx:xx:xx:xx:xx:xx"
>>       BOOTPROTO="static"
>>       IPADDR="192.168.33.1"
>>       PREFIX="24"
>>       NAME="usb0"
>>
>> See /usr/share/doc/initscripts-*/sysconfig.txt for more information
>> about these sysconfig files.
>>
>>
>> 4) (optional) Configure a DHCP server to serve on usb0.  This enables
>> automatic network configuration of your clients connected to usb0.
>> Without this, you need to resort to manually configuring each device.
>>
>> I like dhcpd, as that's what I've become used to.  But dnsmasq can also
>> do this job well.
>>
>> A very simple dhcpd.conf can be something like this:
>>
>>      ddns-update-style none;
>>      authoritative;
>>      group {
>>           option routers 192.168.33.1;
>>           option domain-name-servers 8.8.8.8;
>>
>>           subnet 192.168.33.0 netmask 255.255.255.0 {
>>                 range 192.168.33.100 192.168.33.199;
>>                 default-lease-time 86400;
>>           }
>>      }
>>
>> (this config is not tested, just something put together on-the-fly).
>> See more details in /etc/sysconfig/dhcpd too.
>>
>> Be careful not to start dhcpd listening and responding to DHCP requests
>> on your internet interface, that will make a lot of users complain.  But
>> as long as the "subnet" section does not overlap with a subnet on your
>> "internet" interface, you should be safe.
>>
>> Then it is just to start the dhcpd service.
>>
>>      # systemctl start dhcpd
>>
>>
>> This should in most cases get you started.  And again, I have not tested
>> this exact example - it is pulled together on-the-fly now for this
>> e-mail.  There might be silly mistakes or other kinds of typos here.
>>
>>
