Happy Thanksgiving, everyone!

I had somehow missed this response from Rodolfo Paiz. I've also included 
Harry Putman's comments and response at the bottom:

At 10:57 PM 11/20/01 +0000, you wrote:
>>I've probably spent a good 60 hours trying to figure this problem out to 
>>date. I'm beginning to understand the lingo now. Hopefully, with your 
>>help, I can get it right this time.
>
>Fear not, solutions get quicker with time.

I know.

>Suggestion for this and other problems: establish a clear and deliberate 
>sequence of independent steps. Each should build on the last but should be 
>*separate* so you can more easily diagnose; in your saga, you have been 
>trying to build the floor, roof, and walls of your house simultaneously 
>(which is harder).

Indeed.

>At the point in which you are now, I suggest:
>
>* Static IP addresses, no DNS, set up MASQ
>* Then add DNS
>* Then add DHCP internally
>
>>I am currently able to ping from the Doze box to the RH box. I cannot 
>>resolve anything else on the Doze box. I can surf the Internet, etc. from 
>>the RH box.
>
>* Can you ping from the Winbox to the outside if you use an IP address 
>instead of a name?

No.

>* Can you see a Web page in your browser on the Winbox if you use an IP 
>address instead of a name?

No.

>Output of "route -n" on the Linbox, please.

Destination     Gateway         Genmask         Flags   MSS     Window  irtt    Iface
192.168.1.0     0.0.0.0         255.255.255.0   U       40      0       0       eth0
216.9.0.0       0.0.0.0         255.255.255.0   U       40      0       0       eth1
127.0.0.0       0.0.0.0         255.0.0.0       U       40      0       0       lo
0.0.0.0         206.9.0.1       0.0.0.0         UG      40      0       0       eth1

>You note the gateway of your RH71 box as 192.168.1.1, which is not 
>correct. The gateway for each interface is where it should send traffic 
>directed to the rest of the world. So, for the Red Hat server to use one 
>of its interfaces as a gateway is an impossible configuration.

I was wondering about that... So it's actually 192.168.1.0, correct? That 
should (obviously) be changed on the Doze box, but isn't it already 
configured on the RH box? (BTW, I had already tested it with the correct 
configurations on the Doze box.)

>However, I assume that this is *not* your problem since your eth1 (to your 
>ISP) is assigned through DHCP and it will have correctly configured its 
>gateway.

Oh.

>>         DNS Configuration >> Gateway >> Name Servers >> Add
>>                 192.168.1.1
>>                 206.40.133.20
>>                 206.129.112.21
>
>As James suggested, for the moment I suggest that you remove 192.168.1.1 
>from the list. Let's do *ONLY* networking first; then DNS, then DHCP.

Done

>>vi /etc/sysconfig/network-scripts/ifcfg-eth0
>>
>>DEVICE=eth0
>>BOOTPROTO=static
>>BROADCAST=192.168.1.255
>>IPADDR=192.168.1.1
>>NETMASK=255.255.225.0
>>NETWORK=192.168.1.0
>>ONBOOT=yes
>
>If you go to /usr/share/doc/initscripts-????, you'll find two files named 
>sys???. Read them; you'll learn a fair bit about this stuff. Not necessary 
>right now; just think you'll find it interesting.

Will do.

>>vi /etc/named.conf
>>
>>options {
>>         forwarders {
>>                 206.40.133.20
>>                 206.129.112.21
>>         };
>>};
>
>Check this carefully. named.conf is *not* happy using just a newline for 
>separation. You are going to need either commas or semicolons in between 
>those two IP addresses for your forwarders. I'm willing to bet that:
>
>         forwarders {
>                 206.40.133.20,
>                 206.129.112.21;
>         };

Done. When I restarted it I discovered it hadn't been up :-}
Oops. It appears to come up but apparently dies immediately thereafter.

>works better. First a comma, then a semicolon. In either case, there is 
>*something* wrong here. (And by the way, when you start up the named 
>service, it probably bitched hard about it and you didn't see it; the logs 
>are your friend when delousing.)

Yeah, I need to pay better attention to logs. I get confused, though: is 
/var/log/messages the one I should be following for most things such as this?

>Still, for the moment you shouldn't be using DNS at all until we fix your 
>masquerading.
>
>>vi /etc/dhcpd.conf
>>
>>subnet 192.168.1.0 netmask 255.255.255.0 {
>>         range 192.168.1.2 192.168.1.60;
>>         default-lease-time 86400;
>>         max-lease-time 86400;
>>         option routers 192.168.1.1;
>>         option broadcast-address 192.168.1.255;
>>         option subnet-mask 255.255.255.0;
>>         option domain-name-servers 192.168.1.1, 206.40.133.20, 
>> 206.129.112.21;
>>}
>
>Again, take James's suggestion to remove 192.168.1.1 from the list of DNS 
>servers. Then take my suggestion and ensure that both the "named" and 
>"dhcpd" servers are STOPPED.

Done.

>>vi /etc/sysconfig/network
>>
>>NETWORKING=yes
>>HOSTNAME=localhost.localdomain
>>FORWARD_IPV=true
>
>The last line should be "FORWARD_IPV4=yes" (note the "4" at the end and 
>"yes" instead of "true"). Also, this line is now deprecated: from the 
>sysconfig.txt file I mentioned earlier (in initscripts):

It actually did have the *4*. It has been changed to *yes*.

>/etc/sysconfig/network:
>
>   NETWORKING=yes|no
>   HOSTNAME=<fqdn by default, but whatever hostname you want>
>   GATEWAY=<gateway IP>

206.9.0.1 correct?

>   GATEWAYDEV=<gateway device> (e.g. eth0)

eth0? Put that in, but eth1 appears to be connected to DSL
Oops! Saw note below and changed it to eth1

>   NISDOMAIN=<nis domain name>

Is that my ISP? cnw.com?

>   IPX=yes|no
>   IPXAUTOPRIMARY=on|off (note, that MUST be on|off, not yes|no)
>   IPXAUTOFRAME=on|off (again, not yes|no)
>   IPXINTERNALNETNUM=<netnum>
>   IPXINTERNALNODENUM=<nodenum>
>
>   All the IPX stuff is optional, and should default to off.
>
>   obsoleted values from earlier releases:
>
>     FORWARD_IPV4=yes|no
>       This setting has been moved into net.ipv4.ip_forward setting
>       in /etc/sysctl.conf. Setting it to 1 there enables IP forwarding,
>       setting it to 0 disables it (which is the default for RFC compliance).
>     DEFRAG_IPV4=yes|no
>       Setting this to yes used to automatically defragment IPv4
>       packets. This is a good idea for masquerading, and
>       a bad idea otherwise. This setting has been moved into
>       net.ipv4.ip_always_defrag setting in /etc/sysctl.conf.
>
>Both net.ipv4.ip_forward and net.ipv4.ip_always_defrag should be set to 
>"1" in /etc/sysctl.conf.

They were set to 0; changed them to 1

>What you *do* need to have in there, which you don't, is: "GATEWAYDEV=eth1"

Done

>>ipfwadm -F -f
>>Chains are empty (ie. ipfwadm has not been used on them).
>>## Is this even a problem? I don't need IPchains AND IPtables AND 
>>IPfwadm, just any one of those, correct?
>
>You can only use one of ipfwadm, ipchains, or iptables. You are currently 
>using ipchains; don't mess with either of the others.

Thanks for the confirmation.


>>modprobe ipt_MASQUERADE
>
>Same story here: leave it alone.

Okay.


>>/usr/sbin/ndc start
>>bash: /usr/sbin/ndc start: No such file or directory
>>## This, in fact, may be the WHOLE PROBLEM...?
>
>Part of it, anyway. Use "service named start" instead of messing with the 
>whole "ndc" thing, OK? Still, at this stage LEAVE IT OFF! :) We'll do DNS 
>(you guessed it) *after* you can masquerade. For the moment, your ISP's 
>nameservers are good enough.


 > Harry Putman writes:

 > First ... for the moment disregard MASQ forwarding and pretend it isn't
 > a factor. Then shut everything down that involves networking.
 > Flush any stray ipchains rules
 > These commands should clear the deck:
 > ifconfig eth0 down
 > ifconfig eth1 down
 > ipchains -F
 > ipchains -X
 > Make sure with:
 > ifconfig <no flags>
 > You should only see output for `lo' (loop back)

Yep.

 > Your IP has given you nameservers so those should appear in
 > resolv.conf of the linux box. You say you can surf the net from that
 > box so that is apparently set up OK.
 > In brief: If you restart eth0, with:
 > ifconfig eth0 up
 > You see normal connectivity to internet from the linux box.

Nope. Not any more. Must be one of the changes I made up above because it 
was working before.

 > Netstat -nr output shows 216.9.0.0 as eth1 IP address. Maybe a typo
 > and is really 209.9.0.1 but either way that is wrong.
 > Eth1 IP should be set to an address you've chosen for your internal
 > network. Something in the 192 range like 192.168.0.1. If I remember
 > correctly, there will be no gateway for eth1.
 > Test it with:
 > ifconfig eth1 up
 > ping 192.168.0.1 (or whatever number you've chosen)

Works.

 > if that works, shut it back down
 > ifconfig eth1 down

Down

 > With eth1 setup on linux box... Now proceeding to windows box:
 > Set the ip to another number in the range 192, like 192.168.0.2
 > Set the gateway to 192.168.0.1 (The IP address of eth1 on linux box)
 > Set dns servers to those provided by DSL server.

Done

 > Return to the linux box and put a few things in /etc/hosts
 > After first copying your original to a backup
 > cp -a /etc/hosts /etc/hosts_orig
 > Comment out anything in /etc/hosts and put stuff in this format
 > Putting your numbers/names in place
 > 127.0.0.1 localhost
 > 192.168.0.1 MY_linux.host.name MY_linux
 > 192.168.0.2 MY_windows.host.name MY_windows
 > run these commands:
 > ifconfig eth1 down
 > ifconfig eth1 up

Done. Worked out fine.

 > Now you should be able to ping the windows box from linux and the
 > linux box from windows.

Yep.

 > From linux you should be able to use alphabetic names to ping on
 > If you cannot, then report here your errors.

ping unknown host whatever.com
Stopped here.
I could ping before following all the instructions laid out in these 
emails, but I'll wait for you guys to get back to me. Could it be the 
changes Rodolfo recommended in /etc/sysconfig/network?

TIA,
BenO

 > If that much works. Then try to set up basic minimal IP Masquerade
 > (still not internet connected on DSL)
 > Run these commands on the linux box:
 > (Make sure ipchains is flushed as above)
 > /bin/echo "1" > /proc/sys/net/ipv4/ip_forward
 > /sbin/ipchains -P forward DENY
 > /sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ
 > NOTE:
 > Not sure these are still the same since 6.2 days but if not maybe
 > someone will correct me
 > Now reconnect to the internet at DSL connection (eth0) and try surfing
 > from your windows box.
 > Let us know how it goes.
 > Summary: Begin by shutting down all connections and flushing ipchains
 > Setup eth0 or check to make sure it agrees with above
 > discussion
 > Setup eth1 in accordance with outline discussed
 > Restart eth1
 > Test that pinging works to/from either box to the other.
 > Run minimal masquerade commands shown
 > restart eth0
 > Test connectivity from windows box to internet
 > Only now start to worry about a better ipchains setup.
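Both Rodolfo's point (a box cannot use one of its own addresses as its gateway) and Harry's (the default gateway 206.9.0.1 does not sit on the 216.9.0.0/24 network bound to eth1) can be checked mechanically. The following is an added example, not code from the thread; the route table below is the one posted above, re-typed onto one line per route, and the local address set is assumed to be the box's eth0 address from ifcfg-eth0.

```python
# Added example: sanity-check a "route -n" table and a NETMASK= value.
import ipaddress

# Constructed from the route -n output posted in the thread (one route per line).
ROUTE_N = """\
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     40  0      0    eth0
216.9.0.0       0.0.0.0         255.255.255.0   U     40  0      0    eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     40  0      0    lo
0.0.0.0         206.9.0.1       0.0.0.0         UG    40  0      0    eth1
"""

def parse_route_n(text):
    """Return (network, gateway, iface, flags) tuples from `route -n` output."""
    routes = []
    for line in text.splitlines()[1:]:            # skip the header row
        dest, gw, mask, flags, *_rest, iface = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, ipaddress.ip_address(gw), iface, flags))
    return routes

def check_default_gateway(routes, local_addrs):
    """Report gateway routes that cannot work.

    local_addrs: this box's own interface addresses (strings), e.g. from ifcfg-*.
    A gateway must not be one of our own addresses, and it must lie on a
    directly-connected network of the interface the route names.
    Returns a list of problem strings; an empty list means the table looks sane.
    """
    local = {ipaddress.ip_address(a) for a in local_addrs}
    connected = [(n, i) for n, _g, i, f in routes if "G" not in f]
    problems = []
    for net, gw, iface, flags in routes:
        if "G" not in flags:
            continue                              # directly-connected, no gateway
        if gw in local:
            problems.append(f"gateway {gw} is one of this box's own addresses")
        if not any(gw in n and i == iface for n, i in connected):
            problems.append(f"gateway {gw} is not on any network attached to {iface}")
    return problems

def netmask_is_valid(mask):
    """True if ipaddress accepts the mask (contiguous bits), e.g. 255.255.255.0."""
    try:
        ipaddress.ip_network(f"0.0.0.0/{mask}")
        return True
    except ValueError:                            # e.g. 255.255.225.0 (non-contiguous)
        return False
```

Running `check_default_gateway(parse_route_n(ROUTE_N), {"192.168.1.1"})` flags only the eth1 gateway mismatch; the same function applied to a table whose default gateway is 192.168.1.1 flags the self-gateway case Rodolfo describes.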

_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list