Static Ip addy?

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Tue Jan 21, 2003 7:46 pm

The two most important parts are setting /proc/sys/net/ipv4/ip_forward to "1" and adding an iptables line to your firewall script with a "-j MASQ". You need to look at the IP MASQUERADE HOWTO.

You can set the /proc/sys/net/ipv4/ip_forward to one by adding a line at the start of your firewall script:

echo 1 > /proc/sys/net/ipv4/ip_forward

or adding "net.ipv4.ip_forward = 1" to your /etc/sysctl.conf file (this is all on your gateway machine, by the way).

I actually use ipchains rather than iptables only because my gateway box is an old P100 running Red Hat 6. I have never set up an 8.0 box as a gateway but it should be similar. If I were to do an 8.0 box I would put all of my firewall/masquerade rules in /etc/sysconfig/iptables which is the default location for your firewall rules in Red Hat 8.0. If you do a good enough search on google you might find the exact thing you are looking for. If you can get it working with the proper rules in /etc/sysconfig/iptables I would like to add it as a HOWTO if you don't mind.

Here's a link that might help you. Looks like what I had in mind:
http://www.wbglinks.net/pages/reads/cha ... smasq.html

However, the network map at the bottom of the page looks wrong to me. I don't see how it could possibly work with his configuration. To me the gateway should have been assigned 192.168.0.1, not the client. If the IP addresses on the map were switched then I would buy his instructions.

And as a side note, if you want a nice graphical interface for adding/removing general firewall rules Webmin is a great utility for this. Comes in handy when you have lots of rules.

Thanks!

bazoukas
programmer
Posts: 192
Joined: Tue Jan 14, 2003 1:38 pm
Location: NYC

Post by bazoukas » Wed Jan 22, 2003 2:02 pm

Hell yeah, just go ahead and use it as a how-to. No need to ask me again for that, Voidman. Just go right ahead.

Right now, I half-ass understand what subnets and gateways are. I am reading more about the topic. I may make my router work, but that doesn't mean I will understand how it works. Anybody can do half-ass jobs and I don't like that.

When I figure these few simple topics out I want to write a how-to as well. For two reasons:
a) Help other morons like me.
b) Teaching is how you really learn.

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Wed Jan 22, 2003 3:25 pm

TCP/IP can be a little difficult to grasp at first but once you understand the basics I find it to be extremely easy. Especially the terms "network address", "broadcast address", "subnet", "netmask", "ip address", "gateway/router address", "route", and basic TCP/IP routing.

I'll try and give an extremely basic view of it:

IP addresses (current IPv4 4-byte addresses), as you know, are usually represented in decimal form xxx.xxx.xxx.xxx where each part can be from 0-255 (the total possible values of a single byte, or 8 bits).

The "network" address, in addition to the "subnet mask", defines both the top and bottom of a network's range and how many addresses are in that range. Subnetting can get tricky if you go with odd netmasks, but some basic examples would be:

NETWORK = 192.168.1.0
NETMASK = 255.255.255.0

Basically the netmask is telling you that the first three bytes of the IP address are the "network" portion of the address and the 4th byte is the "host" part. That would mean the first IP address in the range is "192.168.1.0" and the last address is "192.168.1.255". Now, the first and last IP address in any TCP/IP network range are special addresses, the first address is called the "network address" and the last address is called the "broadcast address". They are used for special purposes like TCP/IP broadcasts (packets that are sent to all machines on a network). So you will never assign these two addresses to an interface on a host or router.

So now you know from the NETWORK and NETMASK values the following:

NETWORK = 192.168.1.0
BROADCAST = 192.168.1.255
NETMASK = 255.255.255.0

IP assignable addresses = 192.168.1.1 - 192.168.1.254

You can also take an IP address in combination with a NETMASK and easily figure out the NETWORK and the BROADCAST addresses for the network by ANDing the two addresses (byte by byte). Say you know an IP address is 192.168.1.28 and the netmask is 255.255.255.0:

IP: 192 . 168 . 001 . 028 or 11000000 . 10101000 . 00000001 . 00011100
and
NM: 255 . 255 . 255 . 000 or 11111111 . 11111111 . 11111111 . 00000000
=
NW: 192 . 168 . 001 . 000 or 11000000 . 10101000 . 00000001 . 00000000

Now, basic routing. You don't need a router (or gateway) if all of your machines are on the same "network" and only need to speak with other machines on the same network range. If your machines do have to talk to machines that are not on the same network they will send their packets to a router (usually defined on a client as a "router", "gateway", "default router", "default gateway", etc.). The router has to have an interface on the client's network, and usually people will assign either the first or last address in the network range to the router's network interface that is on the client's network. In this case it would be either "192.168.1.1" or "192.168.1.254". But it really can be any address in the range as long as the clients point to it.

If you look at your routing table ("$ /sbin/route -n") you should see a "default" route listed as "0.0.0.0" that points to your gateway. What this means is that if the destination of your TCP/IP packet does not match one of the other routes in your routing table the packet will go to the default route, as it is assumed the gateway can figure out how to get your packet to its destination. Routers are configured similarly with their own default route so that they pass the packet on to the next router if the network the packet is destined for is not directly attached to them, etc.

So packets addressed to 192.168.1.* will not go through the gateway, but packets addressed anywhere else will.

Now there are certain IP network ranges that all routers on the Internet are configured *not* to route. These addresses cannot be assigned to hosts out on the Internet but are reserved for special use. Sometimes these are referred to as "off-net addresses". Usually these are used for corporate intranets and home networks that are behind firewalls. These IP address ranges are:

10.*.*.* (or network=10.0.0.0/netmask=255.0.0.0)
192.168.*.* (or network=192.168.0.0/netmask=255.255.0.0)
172.16.*.* (or network=172.16.0.0/netmask=255.255.0.0)

You can divide all of those ranges up into any smaller "subnets" that you want for your personal use and will not conflict with anything on the Internet as in our example of 192.168.1.0/255.255.255.0. With the 192.168.0.0/255.255.0.0 you can actually create 256 smaller networks (subnet) each capable of containing 254 assignable addresses. That is you could have the 192.168.0.0/255.255.255.0 subnetwork through the 192.168.255.0/255.255.255.0 subnetworks.

You usually want to size your subnets for the expected number of hosts you will have (255.255.255.0 gives you 254 assignable addresses, more than enough for home use). Of course no one on the internet will be able to talk directly to these addresses (because internet routers will not route them as stated previously) and that's where NAT (network address translation) comes in usually done on a firewall. NAT and "port forwarding" are usually done to allow services of one of the machines on the off-net addresses to show up to a public address on a firewall.

Obviously there is a lot more to it than this, but it is still not hard when you understand the basics. There are plenty of TCP/IP tutorials out on the net from which you can learn more, but hopefully these concepts will help you to understand what your gateway and client are doing.

If you have any questions don't hesitate to ask...
Last edited by Void Main on Wed Jan 22, 2003 7:14 pm, edited 4 times in total.

Linux Frank
administrator
Posts: 239
Joined: Fri Jan 10, 2003 2:06 pm

Post by Linux Frank » Wed Jan 22, 2003 3:44 pm

Thank-you in advance. I know I will need this soon.

bazoukas
programmer
Posts: 192
Joined: Tue Jan 14, 2003 1:38 pm
Location: NYC

Post by bazoukas » Wed Jan 22, 2003 9:23 pm

With fear of sounding stupid, here it goes, from what I understood from some part of it.

Example:

255.255.255 is the IP (ie 192.168.1.)

.0 is the host (.0) <--Last number from IP above.

So in other words by saying
255.255.255.05 is like saying
192.168.1.X (where X is values from zero to 5, which means 5 IPs)

So if we had 255.255.255.157 that would mean we had

192.168.1. X (where X 157 different values)?

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Wed Jan 22, 2003 9:59 pm

Nope, 255.255.255.0 is the netmask (if you use the "AND" function with that mask on an IP address (xxx.xxx.xxx.xxx) you will end up with the network address of that IP address. The 255.255.255.0 means that xxx.xxx.xxx. is the "network" portion of the address and "...xxx" is the "host" portion of the address. It's easier if you look at the netmask in binary form.

There are a total of 32 bits, 24 of which are for the network and 8 of which are for the host portion of the address. This is also referred to as a 24 bit netmask. If you have the address 192.168.1.13 with a 24 bit netmask it can be represented like "192.168.1.13/24" or "192.168.1.13/255.255.255.0".

IP = 192.168.1.13
NM = 255.255.255.0
NM = 11111111.11111111.11111111.00000000
IP = 11000000.10101000.00000001.00001101
     [----- Network Portion ---] [ Hosts ]
If you "AND" the netmask and IP together you will get the network:

Network = 11000000.10101000.00000001.00000000
Network = 192.168.1.0

IP = 11000000.10101000.00000001

Because the first 24 bits of the IP address are the network portion of the address that means for the host portion (in this case the entire fourth byte) you can have:

00000000 - (0) (reserved network address)
00000001 - (1)
00000010 - (2)
00000011 - (3)
...
11111111 - (255) (broadcast address)

Remember that the first and last addresses on a network are special addresses.

Now let's take a class B example:

NETMASK = 255.255.0.0 (16 bit)
IP address = 10.1.1.1

NM = 11111111.11111111.00000000.00000000
IP = 00001010.00000001.00000001.00000001

"AND" them together and you have:

NW = 10.1.0.0/16

The first two bytes of the address are the network portion and the last two bytes will be the host portion. You can have 256*256 hosts on the above network (-2 for the network and broadcast addresses):

10.1.0.0 (network address)
10.1.0.1 (first host)
10.1.0.2
....
10.1.255.254 (last host)
10.1.255.255 (broadcast address)

I guess I'm not doing a good job of explainin' things. Here's a subnet calculator that you can play around with that I just found:

http://www.telusplanet.net/public/sparkman/netcalc.htm

Experiment for a while and see if it helps. And this looks like a good resource to learn:

http://www.howtosubnet.com/
Last edited by Void Main on Wed Jan 22, 2003 10:06 pm, edited 2 times in total.
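
The netmask arithmetic from the two posts above (the 192.168.1.28/255.255.255.0 walk-through and the 192.168.1.13/24 and 10.1.1.1/16 examples), as an added example that is not code from the original posts. It generalizes to any prefix length, rejects a non-contiguous mask such as 255.255.255.5 (the misreading in the post in between), handles the /31 and /32 cases where there is no reserved network or broadcast address, and checks membership in the RFC 1918 private blocks 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. `same_network` is the routing decision described earlier: two hosts that AND to the same network address reach each other without a gateway. The sample addresses are the thread's own; `PRIVATE_BLOCKS`, the function names and the 198.51.100.7 address used as an "outside" host are mine.

```python
"""Subnet arithmetic as walked through in the thread: AND the address with
the netmask to get the network address, OR the network with the inverted
mask to get the broadcast address.  Added example, not the posters' code."""
import ipaddress  # used only to cross-check the hand-rolled arithmetic

# RFC 1918 private blocks as (network address, prefix length); my naming.
PRIVATE_BLOCKS = (("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16))


def to_int(dotted: str) -> int:
    """'192.168.1.28' -> 32-bit integer, rejecting malformed input."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    n = 0
    for p in parts:
        n = (n << 8) | int(p)
    return n


def to_dotted(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_bits(n: int) -> str:
    """Binary with a dot between bytes, the layout used in the posts."""
    return ".".join(format((n >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: the top `prefix` bits set, the rest clear."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(mask_dotted: str) -> int:
    """Accept only contiguous masks (255.255.255.0); 255.255.255.5 is not a netmask."""
    m = to_int(mask_dotted)
    prefix = bin(m).count("1")
    if prefix_to_mask(prefix) != m:
        raise ValueError(f"non-contiguous netmask: {mask_dotted}")
    return prefix


def is_private(ip: str) -> bool:
    """True if the address ANDs into one of the RFC 1918 blocks."""
    addr = to_int(ip)
    return any((addr & prefix_to_mask(p)) == to_int(net) for net, p in PRIVATE_BLOCKS)


def subnet_info(ip: str, mask_or_prefix) -> dict:
    """Network, broadcast, assignable range and binary view for ip/mask."""
    prefix = mask_or_prefix if isinstance(mask_or_prefix, int) else mask_to_prefix(mask_or_prefix)
    mask = prefix_to_mask(prefix)
    addr = to_int(ip)
    network = addr & mask                       # the AND step from the post
    broadcast = network | (~mask & 0xFFFFFFFF)  # host bits all set
    if prefix >= 31:
        # /31 (point-to-point) and /32: no reserved network/broadcast address
        first, last, usable = network, broadcast, 2 ** (32 - prefix)
    else:
        first, last, usable = network + 1, broadcast - 1, 2 ** (32 - prefix) - 2
    return {
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "netmask": to_dotted(mask),
        "prefix": prefix,
        "first_host": to_dotted(first),
        "last_host": to_dotted(last),
        "usable_hosts": usable,
        "is_private": is_private(ip),
        "binary": {"ip": to_bits(addr), "mask": to_bits(mask), "network": to_bits(network)},
    }


def same_network(a: str, b: str, prefix: int) -> bool:
    """Can host a reach b without a gateway?  Yes iff both AND to the same network."""
    mask = prefix_to_mask(prefix)
    return (to_int(a) & mask) == (to_int(b) & mask)


def matches_stdlib(ip: str, prefix: int) -> bool:
    """Cross-check the hand-rolled math against the standard library."""
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    info = subnet_info(ip, prefix)
    return (str(net.network_address), str(net.broadcast_address)) == (info["network"], info["broadcast"])


if __name__ == "__main__":
    info = subnet_info("192.168.1.28", "255.255.255.0")
    for key in ("ip", "mask", "network"):
        print(f"{key:8} {info['binary'][key]}")
    print(info["network"], info["broadcast"], info["first_host"], info["last_host"], info["usable_hosts"])
    print("192.168.0.2 -> 192.168.0.1 direct:", same_network("192.168.0.2", "192.168.0.1", 24))
    print("192.168.0.2 -> 198.51.100.7 direct:", same_network("192.168.0.2", "198.51.100.7", 24))
```

Run it with no arguments to see the binary AND for the post's 192.168.1.28 example; feed `subnet_info` a /16 or a /27 to see how the assignable range shrinks and grows with the mask.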

bazoukas
programmer
Posts: 192
Joined: Tue Jan 14, 2003 1:38 pm
Location: NYC

Post by bazoukas » Wed Jan 22, 2003 10:03 pm

and here is where I get dumbfounded

The Internet is connected to a Linksys router that connects to PC A (the router PC), and PC A connects to PC B.

A and B can ping each other. But B can't get to the Internet.


Gateway of B is the IP of second NIC at A.

Gateway of second NIC card on A = I tried both the LAN IP and the WAN IP given to me by the Linksys router admin status.html screen.

Nothing works.


If I am asking too much, just tell me to STFU.

:)

bazoukas
programmer
Posts: 192
Joined: Tue Jan 14, 2003 1:38 pm
Location: NYC

Post by bazoukas » Wed Jan 22, 2003 10:07 pm

Void Main wrote:

I guess I'm not doing a good job of explainin' things. Here a subnet calculator that you can play around with I just found:

http://www.telusplanet.net/public/sparkman/netcalc.htm

Experiment for a while and see if it helps. And this looks like a good resource to learn:

http://www.howtosubnet.com/

Nah. You're better than the instructors I talked to at school. It's just that this is all VERY new to me.

edit: None of the instructors went into such detail when I asked them after class.

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Wed Jan 22, 2003 10:29 pm

Your machine that is not connected directly to the Internet probably can't get to the internet because you don't have iptables configured properly on your gateway machine. Here's what I would like you to do. Let's call the machine with the two cards in it "G" (for Gateway) and let's call your other PC "C" (for client). "G" has two network cards, let's put eth0 from "G" and eth0 from "C" on your local LAN and make "eth1" on "G" the one that is connected directly to the internet. Do this configuration:

"G" - eth1
dhcp assigned IP address from provider

"G" - eth0
IPADDR = 192.168.0.1
NETWORK = 192.168.0.0
NETMASK = 255.255.255.0
BROADCAST = 192.168.0.255
GATEWAY = none

"C" - eth0
IPADDR = 192.168.0.2
NETWORK = 192.168.0.0
NETMASK = 255.255.255.0
BROADCAST = 192.168.0.255
GATEWAY = 192.168.0.1

Now, this should configure your networking properly, but still not allow machine "C" to get to the internet because machine "G" is not a router, it's just another host. Well, we'll use iptables on machine "G" to translate the addresses on behalf of any client that is using it for a gateway. This is called IP Masquerading. This is what I would do on machine "G" to get this working:

1) Edit /etc/sysctl.conf and make sure the line:

net.ipv4.ip_forward = 1

is there. Then:

# sysctl -p /etc/sysctl.conf

Then turn on and start iptables:

# chkconfig iptables on
# service iptables start

Now add the masquerading rules:

Flush any existing iptables rules:
# iptables -F
Set the masquerade rule:
# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
Save the rules to /etc/sysconfig/iptables:
# service iptables save
flush/reload rules from /etc/sysconfig/iptables:
# service iptables restart

Now can you ping outside addresses (not DNS host names but the actual addresses)?

Again, I haven't done this with iptables, only with ipchains, but from what I've read the above should be correct.
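
The gateway procedure above as one runnable Python script, added here as an example and not the original poster's code. `masquerade_commands` renders the commands from the post for given interface names and adds FORWARD rules so that only LAN-originated connections and their replies are forwarded, which is the firewall step the thread's last post says must follow; `audit_gateway` checks a gateway's actual state from the contents of /proc/sys/net/ipv4/ip_forward and the output of `iptables-save`, both passed in as text so the check runs offline. The `iptables-save` sample is constructed, not captured from a real host; the eth0/eth1 interface names follow the post and are an assumption about your hardware.

```python
"""Render and audit the IP masquerading setup described in the post.
Added example, not code from the original thread."""
import re

# Assumption (from the post): LAN on eth0, upstream link on eth1.
LAN_IF = "eth0"
WAN_IF = "eth1"

# Constructed sample of `iptables-save` output after the post's steps, with
# the FORWARD chain left at the default ACCEPT policy.  Not a real capture.
SAMPLE_IPTABLES_SAVE = """\
# constructed sample, not captured output
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""


def masquerade_commands(lan_if: str = LAN_IF, wan_if: str = WAN_IF) -> list:
    """The post's steps, plus FORWARD filtering so the box only forwards
    connections that the LAN started.  Both tables are flushed first so the
    script can be re-run without stacking duplicate rules."""
    return [
        "sysctl -w net.ipv4.ip_forward=1",
        "iptables -F",
        "iptables -t nat -F",
        f"iptables -t nat -A POSTROUTING -o {wan_if} -j MASQUERADE",
        f"iptables -A FORWARD -i {lan_if} -o {wan_if} -j ACCEPT",
        f"iptables -A FORWARD -i {wan_if} -o {lan_if} -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "iptables -P FORWARD DROP",
        "service iptables save",
    ]


def audit_gateway(ip_forward_text: str, iptables_save_text: str, wan_if: str = WAN_IF) -> dict:
    """Check the two things the post says matter (ip_forward=1 and a
    MASQUERADE rule leaving the WAN interface) and warn when the FORWARD
    chain accepts everything with no rules, i.e. the firewall step is missing."""
    findings = {
        "ip_forward": ip_forward_text.strip() == "1",
        "masquerade": False,
        "forward_policy": None,
        "forward_filtered": False,
        "warnings": [],
    }
    masq = re.compile(rf"-A POSTROUTING(?: -s \S+)? -o {re.escape(wan_if)} -j MASQUERADE")
    table = None
    for raw in iptables_save_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):            # "*nat", "*filter": table header
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif table == "nat" and masq.fullmatch(line):
            findings["masquerade"] = True
        elif table == "filter" and line.startswith(":FORWARD "):
            findings["forward_policy"] = line.split()[1]
        elif table == "filter" and line.startswith("-A FORWARD "):
            findings["forward_filtered"] = True
    findings["ok"] = findings["ip_forward"] and findings["masquerade"]
    if findings["forward_policy"] == "ACCEPT" and not findings["forward_filtered"]:
        findings["warnings"].append(
            "FORWARD policy is ACCEPT with no rules: every packet is routed, set up the firewall")
    return findings


if __name__ == "__main__":
    import os
    import subprocess

    print("\n".join(masquerade_commands()))
    if os.path.exists("/proc/sys/net/ipv4/ip_forward"):
        with open("/proc/sys/net/ipv4/ip_forward") as fh:
            fwd = fh.read()
        try:  # needs root; fall back to the constructed sample otherwise
            saved = subprocess.run(["iptables-save"], capture_output=True, text=True, check=True).stdout
        except (OSError, subprocess.CalledProcessError):
            saved = SAMPLE_IPTABLES_SAVE
    else:
        fwd, saved = "1\n", SAMPLE_IPTABLES_SAVE
    print(audit_gateway(fwd, saved))
```

Run it as root on the gateway to audit the live rules; without root it prints the commands and audits the constructed sample, which reproduces the post's end state and triggers the open-FORWARD warning.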

bazoukas
programmer
Posts: 192
Joined: Tue Jan 14, 2003 1:38 pm
Location: NYC

Post by bazoukas » Wed Jan 22, 2003 11:17 pm

HOLY oops MAN!!!!


You are a walking library. Where the hell did you learn so much about all this? I know this is laughable but I am simply AMAZED!!!!


It worked.

I took some time to do it right.

I can't say I fully understood everything, but this is a very good start!!!!


Now I need to set up everything from scratch again, while I am reading details on what I am doing and why I am doing it.


Thank you Void. Thank you a million. I learn and get directed by you to things that in school they don't even bother with.

Thanks a lot, man!!

X11
guru
Posts: 676
Joined: Sun Jan 19, 2003 11:09 pm
Location: Australia

Post by X11 » Wed Jan 22, 2003 11:35 pm

Experience is how. I know a bit about IP but not a lot. Experience and books will get you there.

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Wed Jan 22, 2003 11:38 pm

It helps when you've been doing this stuff for over 10 years as a job. And being Cisco certified doesn't hurt either (actually the certification is meaningless, it's how much you learn/retain in the courses that counts). If you learn and understand the stuff we went through today you'll have basic TCP/IP networking down pretty well and the more in depth networking should come a little easier. The first step is understanding IP Addresses, networks, subnets, etc. Then you might want to look into routing and firewalls. You can't do any of it without the basics that we just went over.

Glad you got it working. Now you can go for my Dynamic DNS and DHCP tip and set yourself up for local name resolution on your local network. :) In addition to the benefit of having name resolution for your local machines it will also speed up web browsing and other name intensive tasks because all those sites you visit will have their names/addresses cached on your local DNS servers rather than at your provider's DNS servers.

I should probably move this into the networking section huh?

bazoukas
programmer
Posts: 192
Joined: Tue Jan 14, 2003 1:38 pm
Location: NYC

Post by bazoukas » Mon Feb 03, 2003 4:35 am

I'm kinda proud of myself :)

I wanted to see something with the client machine and I connected it directly to the cable modem.
When I connected it back to its gateway, as you can imagine, it wouldn't work.

But using the shell I stopped the iptables service and restarted it... and I did something else which I can't remember right now. I haven't slept at all because of a calculus midterm in 2 hours.


May sound stupid, but I actually knew what I was doing in the shell.


edit: It sure is fun learning things outside school text books.

The other students are like robots. "Give us homework... homework is done... now what do we do?"

I asked them many times to do outside projects; they don't give a flying oops.

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Tue Feb 04, 2003 12:47 am

Ok, for anyone else that may have followed this thread, it is very important to take the next step and set up your firewall:

http://voidmain.is-a-geek.net/forums/viewtopic.php?t=91
