Bring up the Linux box's modem and show us the output of:

  ifconfig
  route -n
  cat /etc/sysconfig/network-scripts/ifcfg-eth0
  cat /etc/sysconfig/network-scripts/ifcfg-eth1
  cat /etc/sysconfig/network-scripts/ifcfg-eth2

Connectivity first, firewall second.

Bill

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Lanman
> Sent: Saturday, June 12, 2004 1:02 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [newbie] The network from hell! Kinda Long!
>
>
> Mikkel L. Ellertson wrote:
>
> > Lanman wrote:
> >
> >> Well Folks, the Lanman has finally met his Waterloo! I'm trying to
> >> regain control over a network for a friend, but this thing has to be
> >> every SysAdmin's nightmare come alive!
> >>
> >> My friend (Peter) has a small home network in a two-story house. 2
> >> Macs, 3 Windows PCs (Don't ask, I'm working on that!), and a new
> >> Mandrake 10.0 (Official)-powered server that we just built to share
> >> files (using Samba back and forth between all the systems), as well as
> >> to firewall his systems and to handle Dynamic DNS, and also an ADSL
> >> connection.
> >>
> >> Here's where it gets interesting. While Peter had the Internet
> >> connection installed 18 months ago and he's been paying for it, he
> >> hasn't been using it.
> >>
> >> Instead, he's been connected to his brother's network and Internet
> >> service. I should mention that the brother lives on the first floor,
> >> while Peter is on the second floor. Both use the same ISP, and the
> >> same ADSL modems which have barely got any configuration options at
> >> all, and this is where the problems start.
> >>
> >> Since both modems run a DHCP server by default, I'm constantly running
> >> into problems. It's not possible to disable the DHCP server on either
> >> modem, or to reconfigure the modems to serve IP addresses on
> >> different subnets.
> >>
> >> Since Peter's brother runs only Windows, and never updates his
> >> anti-virus programs, and since the two are constantly sharing files
> >> between the two LANs (which are currently running as one LAN on the
> >> same subnet), there have been quite a few infection-related problems,
> >> which have resulted in my trying to work out a viable solution.
> >>
> >> I should also mention that neither one wants to break their connection
> >> to the other as they have other files that need to be shared as well.
> >>
> >> So, my solution to the problem was to install 3 NICs in the new
> >> server, and to use two different subnets. Since Peter has almost 400
> >> Gigs of data stored on his brother's network, he needs access to that
> >> data. Switching Peter and his family to Linux on his PCs (and maybe
> >> the Macs as well) is the next phase of this nightmare, but it should
> >> go a long way to solving some of the virus issues for the time being.
> >>
> >> So, I've set up Peter's new server so that it can run his ADSL
> >> connection from eth0, his LAN runs on eth1 (using a subnet of
> >> 10.0.0.0), and the third NIC connects to his brother's subnet (using a
> >> subnet of 192.168.0.0).
> >>
> >> Now comes the fun part. I've tried everything I could to find out how
> >> to run routing through the new server, but decrypting the HOWTOs for
> >> IPROUTE2 is like speaking only Chinese when the book is written in Greek!
> >>
> >> Can someone shed a bit of light on this please? I'm using IPtables in
> >> Webmin (Praise the "Powers" that be and Jamie Cameron for creating
> >> Webmin) to configure the firewall. My plan is to block traffic from
> >> the brother's subnet after the routing has been configured, while
> >> still allowing Peter to access his data on the brother's LAN. In
> >> essence I should be able to DENY, DROP or REJECT anything coming from
> >> downstairs, while allowing Samba, Netatalk and AppleTalk to see the
> >> shares downstairs. I'm not expecting troubles from that aspect of the
> >> setup, but I can't get a handle on routing with this no way, no how.
> >>
> >> I currently have a brain full of too much useless knowledge about
> >> routing because none of the documents I've found even try to provide a
> >> step-by-step process. They mostly seem to be concerned about
> >> explaining the theory, instead of the practical aspects.
> >>
> >> Sorry this post is so long, but I wanted to explain all the things I'm
> >> facing in a clear manner. I'd appreciate any help that can be offered!
> >>
> >> Thanks in advance, and sorry to make your collective heads hurt on a
> >> weekend! This one has me stumped.
> >>
> >> Lanman
> >>
> >>
> > I take it you are running a DHCP server on the Linux box. For the
> > upstairs system, things will be fairly simple. But the downstairs
> > system, the one that uses its own ADSL connection, it gets harder. This
> > is because it will try and send anything that is not on the 192.168.0.0
> > network through the ADSL modem. It will be able to talk to the Linux
> > box, but not the machines behind it. You can solve some of this by
> > having the Linux box masquerade the connection to the lower
> > floor, as well as the DNS connection. You will also have to use a
> > non-standard netmask for the ADSL modem connection - 255.255.255.255 I
> > think, so that only traffic to the ADSL modem uses that NIC. (192.168.0.1
> > for the gateway?)
> >
> > You can solve a lot of this by adding a route to each machine in the
> > lower network so that it knows to use the Linux box as the gateway to the
> > 10.0.0.0 network.
> >
> > You might be better off picking up a couple of cheap firewall/routers to
> > hook between the ADSL modems, and the network. At least one for the
> > downstairs network. That way, you could control the network settings,
> > and the default route for both networks. You would end up routing
> > everything through the Linux machine, but it would let you do load
> > balancing between the two ADSL modems. Or you could run both ADSL
> > modems through the Linux box.
> >
> > You will also have some interesting times setting up file sharing
> > between the two subnets, but that is for another message. Sharing the
> > Linux box between networks will work - but Windows file sharing does not
> > work well across subnets.
> >
> > If you need specific routes for the Linux box, I can work them out
> > later, and post them...
> >
> > Mikkel
>
> Mikkel; Thanks for the quick reply. I'll respond to your comments in
> order, so here goes.
>
> 1) I will not be running a DHCP service on the upstairs network at all.
> Since the LAN is small, since DHCP is partly responsible for the
> existing problem, and since there's no actual need for it, I'll be
> staying away from DHCP completely.
>
> The ADSL modem that Peter has upstairs runs a DHCP service, but it's
> only connected to the first NIC (eth0) and that NIC also has a static IP
> address. Also, I've avoided using the same subnets anywhere, so if the
> downstairs ADSL modem and LAN are blocked from affecting the upstairs
> LAN via routing and firewalling, they should have little or no effect on
> the upstairs LAN (fingers crossed!).
>
> Also, the file sharing in this scenario only has to go one way, where the
> upstairs network needs access to file shares on the downstairs network.
> That's why I intend to use the firewall to block all traffic from
> downstairs to upstairs, but to allow SMB and AppleTalk from upstairs to
> downstairs.
>
> The server upstairs has a dedicated NIC which is configured for the
> downstairs subnet (192.168.0.0), so as to provide the one-way
> file-sharing that Peter needs. That way he can access the shares which
> are downstairs from the upstairs network.
>
> Once routing is up and running, I only need to deny everything coming
> from the downstairs network, and then to allow the upstairs to access
> the downstairs on ports 135, 137, 139 for Samba, and maybe port 548 for
> AppleTalk.
>
> So the overall idea is to have two active ADSL connections, two LANs on
> two subnets with two separate gateways, and one LAN with one-way
> file-sharing access from upstairs to downstairs. Routing and firewalling
> should be able to do that, if I can figure out how to configure the
> iproute2 software. Downstairs will not have any access whatsoever to the
> upstairs network, unless the connection is "related/established" by the
> upstairs network.
>
> All the systems downstairs are running Windows (XP, XP Home, and NT 4.0
> Server), and all have shares running on them, which we can currently see
> as long as one of the modems is disabled. Once they are both connected,
> two DHCP servers are started and attempt to serve identical IP ranges
> on the exact same subnets.
>
> So, everything for the upstairs network is managed by the Linux server,
> and there is no access by the downstairs network to the upstairs network.
>
> OH, one more thing... Peter's brother is away on holidays, and we're
> trying to get this done before he returns. We don't have physical access
> to the downstairs network.
>
> Simple, HUH?
>
> Lanman
>
____________________________________________________
Want to buy your Pack or Services from MandrakeSoft?
Go to http://www.mandrakestore.com
Join the Club : http://www.mandrakeclub.com
____________________________________________________
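One way to set up the forwarding and the one-way filtering the thread describes, as an added example that is not from any of the posters. It assumes the NIC assignments Lanman gave (eth0 = ADSL modem, eth1 = upstairs LAN, eth2 = downstairs LAN), a /8 upstairs and a /24 downstairs (the thread gives only the network numbers), and that the box's own addresses are already static; the default DRY_RUN=1 prints the commands so they can be reviewed against Bill's `route -n` output before anything is applied.

```shell
#!/bin/sh
# Added example, not from the thread: firewall/forwarding setup for the
# three-NIC Linux box described above. Assumptions: eth0 = ADSL modem,
# eth1 = upstairs LAN (10.0.0.0/8), eth2 = downstairs LAN (192.168.0.0/24).
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them (as root).
DRY_RUN=${DRY_RUN:-1}
WAN=eth0; UP=eth1; DOWN=eth2
UP_NET=10.0.0.0/8; DOWN_NET=192.168.0.0/24

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

fw_rules() {
    # Routing: all three subnets are directly connected, so no static
    # routes are needed beyond the default via the modem; just forward.
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -F INPUT; run iptables -F FORWARD
    run iptables -t nat -F POSTROUTING
    run iptables -P FORWARD DROP
    # Replies to anything the box or upstairs opened are always fine.
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Downstairs may not open connections to the box itself (its Samba
    # shares belong to upstairs); log first so blocks show up in syslog.
    run iptables -A INPUT -i "$DOWN" -m state --state NEW -j LOG --log-prefix "downstairs-blocked: "
    run iptables -A INPUT -i "$DOWN" -m state --state NEW -j DROP
    # Upstairs -> Internet over Peter's own ADSL line.
    run iptables -A FORWARD -i "$UP" -o "$WAN" -s "$UP_NET" -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    # Upstairs -> downstairs: only the file-sharing ports from the thread.
    # 135/139 are TCP (RPC, NetBIOS session); 137 is UDP (NetBIOS names).
    for p in 135 139 548; do
        run iptables -A FORWARD -i "$UP" -o "$DOWN" -s "$UP_NET" -d "$DOWN_NET" \
            -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    run iptables -A FORWARD -i "$UP" -o "$DOWN" -s "$UP_NET" -d "$DOWN_NET" \
        -p udp --dport 137 -j ACCEPT
    # Hide 10.x addresses behind the box's eth2 address, so the Windows
    # boxes downstairs (no physical access) need no route to 10.0.0.0/8.
    run iptables -t nat -A POSTROUTING -o "$DOWN" -s "$UP_NET" -j MASQUERADE
    # Everything else from downstairs hits the DROP policy; log it first.
    run iptables -A FORWARD -i "$DOWN" -m state --state NEW -j LOG --log-prefix "downstairs-blocked: "
}

fw_rules
```

Run it as is to review the rule list; `DRY_RUN=0 sh fw.sh` applies it, after which `iptables -L FORWARD -v -n` shows the counters climbing on the LOG rule for anything downstairs tries to start.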
