At 11/20/2001 12:24 PM -0800, you wrote:

>First up, I_have_done_my_homework.

Clearly... <grin>

>I've probably spent a good 60 hours trying to figure this problem out to 
>date. I'm beginning to understand the lingo now. Hopefully, with your 
>help, I can get it right this time.

Fear not, solutions get quicker with time.

>Okay, so yeah, still don't have the *(&%$#*% boxes configured.

Suggestion for this and other problems: establish a clear and deliberate 
sequence of independent steps. Each should build on the last but should be 
*separate* so you can more easily diagnose; in your saga, you have been 
trying to build the floor, roof, and walls of your house simultaneously 
(which is harder).

At the point where you are now, I suggest:

* Static IP addresses, no DNS, set up MASQ
* Then add DNS
* Then add DHCP internally

>I am currently able to ping from the Doze box to the RH box. I cannot 
>resolve anything else on the Doze box. I can surf the Internet, etc. from 
>the RH box.

* Can you ping from the Winbox to the outside if you use an IP address 
instead of a name?

* Can you see a Web page in your browser on the Winbox if you use an IP 
address instead of a name?

(Here, obviously, you could have a DNS problem or a masquerading problem; 
we need to know which one it is before you have a hope in hell of solving it.)

>  ________             ______            ____________             _____            { ~~~~~~ }
>/  Doze98 \---------->/ RH71 \--------->/ DSL *Modem*\---------->/ ISP \---------->{  Internet   }
>\________/            \______/          \____________/           \_____/           { ~~~~~~ }
>IP: 192.168.1.2       IP: 192.168.1.1       ???          IP: either dsl.cnw.net; cnw.net; 206.40.133.20; 206.129.112.21
>Gate: 192.168.1.1     Gate: 192.168.1.1     ???          ???
>Subn: 255.255.255.0   Subn: 255.255.255.0   ???          ???

Output of "route -n" on the Linbox, please.

You note the gateway of your RH71 box as 192.168.1.1, which is not correct. 
The gateway for each interface is where it should send traffic directed to 
the rest of the world. So, for the Red Hat server to use one of its 
interfaces as a gateway is an impossible configuration.

However, I assume that this is *not* your problem since your eth1 (to your 
ISP) is assigned through DHCP and it will have correctly configured its 
gateway.

>Control Panel >> Networking >> Configuration >> TCP/IP 3Com Ethernet 
>blah-blah (double-click)
>         IP Address >> Specify an IP address >>
>                 IP Address 192.168.1.2

Good; stick with the static IP for now. We'll do DHCP later, but right now 
we want things as simple as possible.

>         DNS Configuration >> Gateway >> Name Servers >> Add
>                 192.168.1.1
>                 206.40.133.20
>                 206.129.112.21

As James suggested, for the moment I suggest that you remove 192.168.1.1 
from the list. Let's do *ONLY* networking first; then DNS, then DHCP.

>vi /etc/sysconfig/network-scripts/ifcfg-eth0
>
>DEVICE=eth0
>BOOTPROTO=static
>BROADCAST=192.168.1.255
>IPADDR=192.168.1.1
>NETMASK=255.255.225.0
>NETWORK=192.168.1.0
>ONBOOT=yes

If you go to /usr/share/doc/initscripts-????, you'll find two files named 
sys???. Read them; you'll learn a fair bit about this stuff. Not necessary 
right now; just think you'll find it interesting.

>vi /etc/named.conf
>
>options {
>         forwarders {
>                 206.40.133.20
>                 206.129.112.21
>         };
>};

Check this carefully. named.conf is *not* happy using just a newline for 
separation. You are going to need either commas or semicolons in between 
those two IP addresses for your forwarders. I'm willing to bet that:

         forwarders {
                 206.40.133.20,
                 206.129.112.21;
         };

works better. First a comma, then a semicolon. In either case, there is 
*something* wrong here. (And by the way, when you start up the named 
service, it probably bitched hard about it and you didn't see it; the logs 
are your friend when delousing.)

Still, for the moment you shouldn't be using DNS at all until we fix your 
masquerading.

>vi /etc/dhcpd.conf
>
>subnet 192.168.1.0 netmask 255.255.255.0 {
>         range 192.168.1.2 192.168.1.60;
>         default-lease-time 86400;
>         max-lease-time 86400;
>         option routers 192.168.1.1;
>         option broadcast-address 192.168.1.255;
>         option subnet-mask 255.255.255.0;
>         option domain-name-servers 192.168.1.1, 206.40.133.20, 206.129.112.21;
>}

Again, take James's suggestion to remove 192.168.1.1 from the list of DNS 
servers. Then take my suggestion and ensure that both the "named" and 
"dhcpd" servers are STOPPED.

>vi /etc/sysconfig/network
>
>NETWORKING=yes
>HOSTNAME=localhost.localdomain
>FORWARD_IPV=true

The last line should be "FORWARD_IPV4=yes" (note the "4" at the end and 
"yes" instead of "true"). Also, this line is now deprecated: from the 
sysconfig.txt file I mentioned earlier (in initscripts):

/etc/sysconfig/network:

   NETWORKING=yes|no
   HOSTNAME=<fqdn by default, but whatever hostname you want>
   GATEWAY=<gateway IP>
   GATEWAYDEV=<gateway device> (e.g. eth0)
   NISDOMAIN=<nis domain name>
   IPX=yes|no
   IPXAUTOPRIMARY=on|off (note, that MUST be on|off, not yes|no)
   IPXAUTOFRAME=on|off (again, not yes|no)
   IPXINTERNALNETNUM=<netnum>
   IPXINTERNALNODENUM=<nodenum>

   All the IPX stuff is optional, and should default to off.

   obsoleted values from earlier releases:

     FORWARD_IPV4=yes|no
       This setting has been moved into net.ipv4.ip_forward setting
       in /etc/sysctl.conf. Setting it to 1 there enables IP forwarding,
       setting it to 0 disables it (which is the default for RFC compliance).
     DEFRAG_IPV4=yes|no
       Setting this to yes used to automatically defragment IPv4
       packets. This is a good idea for masquerading, and
       a bad idea otherwise. This setting has been moved into
       net.ipv4.ip_always_defrag setting in /etc/sysctl.conf.

Both net.ipv4.ip_forward and net.ipv4.ip_always_defrag should be set to "1" 
in /etc/sysctl.conf.

What you *do* need to have in there, which you don't, is: "GATEWAYDEV=eth1"

>ipfwadm -F -f
>Chains are empty (ie. ipfwadm has not been used on them).
>## Is this even a problem? I don't need IPchains AND IPtables AND IPfwadm, 
>just any one of those, correct?

You can only use one of ipfwadm, ipchains, or iptables. You are currently 
using ipchains; don't mess with either of the others.

>modprobe ipt_MASQUERADE

Same story here: leave it alone.

>/usr/sbin/ndc start
>bash: /usr/sbin/ndc start: No such file or directory
>## This, in fact, may be the WHOLE PROBLEM...?

Part of it, anyway. Use "service named start" instead of messing with the 
whole "ndc" thing, OK? Still, at this stage LEAVE IT OFF! :) We'll do DNS 
(you guessed it) *after* you can masquerade. For the moment, your ISP's 
nameservers are good enough.


--
Rodolfo J. Paiz
[EMAIL PROTECTED]
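
The settings this message asks to verify (the obsolete FORWARD_IPV4 key, GATEWAYDEV, and net.ipv4.ip_forward in /etc/sysctl.conf), plus a netmask sanity check on the interface file, as an added shell example that is not part of the original message. The function names are hypothetical and the sample files are constructed, modelled on the quoted configuration.

```shell
#!/bin/sh
# Added example (not from the original message). File paths are arguments so
# the audit can run against copies; all function names are hypothetical.

conf_get() {  # conf_get FILE KEY -> last value assigned to KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | tr -d '[:space:]'
}

valid_netmask() {  # succeeds only for a contiguous dotted-quad mask
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    partial=0
    for octet in "$@"; do
        if [ "$partial" -eq 1 ]; then
            [ "$octet" = 0 ] || return 1   # only zeros may follow a short octet
        else
            case $octet in
                255) ;;
                254|252|248|240|224|192|128|0) partial=1 ;;
                *) return 1 ;;
            esac
        fi
    done
    return 0
}

audit_masq() {  # audit_masq NETWORK_FILE SYSCTL_FILE IFCFG_FILE
    grep -Eq '^[[:space:]]*FORWARD_IPV4?=' "$1" &&
        echo "network: FORWARD_IPV* is obsolete; set net.ipv4.ip_forward in sysctl.conf"
    [ -n "$(conf_get "$1" GATEWAYDEV)" ] || echo "network: GATEWAYDEV is not set"
    [ "$(conf_get "$2" net.ipv4.ip_forward)" = 1 ] ||
        echo "sysctl: net.ipv4.ip_forward is not 1, forwarding is off"
    mask=$(conf_get "$3" NETMASK)
    valid_netmask "$mask" || echo "ifcfg: NETMASK '$mask' is not a contiguous netmask"
    return 0
}

make_sample() {  # make_sample DIR: constructed files modelled on the quoted ones
    printf 'NETWORKING=yes\nHOSTNAME=localhost.localdomain\nFORWARD_IPV=true\n' > "$1/network"
    printf 'net.ipv4.ip_forward = 0\n' > "$1/sysctl.conf"
    printf 'DEVICE=eth0\nIPADDR=192.168.1.1\nNETMASK=255.255.225.0\n' > "$1/ifcfg-eth0"
}

tmp=$(mktemp -d) && make_sample "$tmp" &&
    audit_masq "$tmp/network" "$tmp/sysctl.conf" "$tmp/ifcfg-eth0"
rm -rf "$tmp"
```

On a real system, pass /etc/sysconfig/network, /etc/sysctl.conf and /etc/sysconfig/network-scripts/ifcfg-eth0 to audit_masq; no output means all four checks passed.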


