I managed to solve the exercise after some more readings. There are three main points:

* wrong IP settings on clients: when setting up a client with a fixed IP on the 192.168.5 subnet, the DNS setting should be the host's DNS setting, which is 192.168.0.1 (the main router); to assign this automatically to clients with a DHCP IP, set option domain-name-servers to 192.168.0.1, not 192.168.5.1;

* ip masquerading needs iptables to be on!!! (honestly I am not any good at iptables at all, which is why I wanted to avoid iptables and disabled it)

* default iptables prevents masquerading:
    + default iptables on my SL6.2 host is as follows:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [86:9652]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
    + it is the last line (-A FORWARD -j REJECT --reject-with icmp-host-prohibited) which was my problem. If I disable it and then add the nat/masquerading rule for wlan0, it works. If I want to leave it enabled, I have to add the forwarding rules before that rule. My final /etc/sysconfig/iptables is as follows:
*nat
:PREROUTING ACCEPT [2275:293091]
:POSTROUTING ACCEPT [2:96]
:OUTPUT ACCEPT [7:476]
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [421:41673]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Maybe I should equip myself with some knowledge of iptables ;). Anyway, my "2nd router" using SL6.2 is working fine now...

Bests,

D.
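As an added check, not code from any of the mails in this thread: a small lint that reads an iptables-save style dump (the format of /etc/sysconfig/iptables above) and reports the two mistakes the thread ran into, MASQUERADE hung on the LAN interface instead of the uplink, and the LAN-to-uplink FORWARD ACCEPT sitting behind the stock catch-all FORWARD REJECT. The two sample rulesets are constructed from the thread's final and first-post rules, and the interface names eth0/wlan0 are passed in as parameters.

```shell
# Lint an iptables-save style dump for: MASQUERADE on the LAN side instead of
# the uplink, and the LAN->uplink FORWARD ACCEPT placed after the stock
# catch-all "-A FORWARD -j REJECT" (iptables stops at the first matching rule).
# Usage: check_nat_rules <dump> <lan-if> <wan-if>; exit 0 = OK, 1 = problem found.
check_nat_rules() {
    awk -v lan="$2" -v wan="$3" '
        /^\*/ { table = substr($0, 2); next }        # "*nat" / "*filter" headers
        table == "nat" && $2 == "POSTROUTING" && / -j MASQUERADE/ {
            if ($0 ~ (" -o " wan "( |$)")) masq = 1
            else if ($0 ~ (" -o " lan "( |$)")) lan_masq = 1
        }
        table == "filter" && $2 == "FORWARD" {
            # catch-all: REJECT/DROP with no -i/-o/-p/-s/-d/-m restriction at all
            if ($0 ~ / -j (REJECT|DROP)/ && $0 !~ / -(i|o|p|s|d|m) /) rejected = 1
            else if (!rejected && / -j ACCEPT/ && $0 ~ (" -i " lan " ") &&
                     $0 ~ (" -o " wan " ") && ($0 !~ /--state/ || /NEW/)) fwd = 1
        }
        END { rc = 0
            if (!masq)    { print "no MASQUERADE on uplink " wan; rc = 1 }
            if (lan_masq) { print "MASQUERADE bound to LAN side " lan; rc = 1 }
            if (!fwd)     { print lan "->" wan " ACCEPT missing or after catch-all REJECT"; rc = 1 }
            exit rc
        }' "$1"
}
# Constructed samples (not the thread's verbatim files): the final working ruleset,
# then the stock ruleset with the first post's rules appended after the REJECT and
# MASQUERADE on eth0. Written to the two file names given.
write_samples() {
    cat > "$1" <<'EOF'
*nat
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -i eth0 -o wlan0 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
    cat > "$2" <<'EOF'
*filter
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth0 -o wlan0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}
good=$(mktemp); bad=$(mktemp); write_samples "$good" "$bad"
check_nat_rules "$good" eth0 wlan0 && echo "good ruleset: OK"
check_nat_rules "$bad" eth0 wlan0 || echo "bad ruleset: problems found (expected)"
```

Run it against the live system with `iptables-save > /tmp/rules && sh lint.sh` style usage by calling check_nat_rules on that dump; it only reads the file and never changes rules.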

On 6/27/12 9:33 AM, Duke wrote:
On 6/26/12 8:51 PM, Ken Teh wrote:
You need to enable forwarding in the kernel.

echo 1 > /proc/sys/net/ipv4/ip_forward

Thanks Ken and Brent for your suggestions, but ip_forward still does not help.

$ sudo cat /proc/sys/net/ipv4/ip_forward
1

I also turned off iptables to see if it helps, but it does not.

Any other suggestions? Is there any way for me to check how the requests (to go to the internet) coming from 192.168.5.2 arrive on 192.168.5.1? How do I see all the connected clients? It seems /var/lib/dhcpd/dhcpd.leases only gives me the leases for DHCP addresses, not the fixed ones.


Do the same in /etc/sysctl.conf, which will write the 1 to the /proc file on reboot.

I suggest you look at dnsmasq. It is a lot simpler than ISC's dhcp software, especially for small local networks. In fact I believe most routers you buy from a store use dnsmasq.

Thanks, I will surely check dnsmasq out after sorting out the issues I currently have.


Good luck!



On 06/26/2012 04:30 AM, Duke wrote:
Hi folks,

Please be gentle, I have some experience with Linux but not much at the administrative level, and I am much more familiar with Debian distros than Redhat ones. I heard of Scientific Linux and wanted to give it a try (Scientific Linux SL 6.2). My task now is to set up a DHCP server for a small local network.

The setup is as follows:

Internet (WAN)
|
Router (192.168.0.1)
|
SL6.2 with two NIC: wlan0 and eth0
wlan0 (192.168.0.103)
eth0 (192.168.5.1)

To achieve the above setup, after some reading, I have:

  * installed dhcp (sudo yum install dhcp) and then configured dhcpd as
$ sudo vi /etc/dhcp/dhcpd.conf
# /etc/dhcp/dhcpd.conf
option domain-name "example.org";
option domain-name-servers 192.168.5.1;

default-lease-time 600;
max-lease-time 7200;

subnet 192.168.0.0 netmask 255.255.255.0 {
}

subnet 192.168.5.0 netmask 255.255.255.0 {
   range 192.168.5.2 192.168.5.99;
   option routers 192.168.5.1;
   option broadcast-address 192.168.5.255;
   authoritative;
}

  * started the dhcpd service:
$ sudo service dhcpd start
$ sudo tail -17 /var/log/messages
Jun 26 16:16:56 hp430b dhcpd: Internet Systems Consortium DHCP Server 4.1.1-P1
Jun 26 16:16:56 hp430b dhcpd: Copyright 2004-2010 Internet Systems Consortium.
Jun 26 16:16:56 hp430b dhcpd: All rights reserved.
Jun 26 16:16:56 hp430b dhcpd: For info, please visit https://www.isc.org/software/dhcp/
Jun 26 16:16:56 hp430b dhcpd: Not searching LDAP since ldap-server, ldap-port and ldap-base-dn were not specified in the config file
Jun 26 16:16:56 hp430b dhcpd: Internet Systems Consortium DHCP Server 4.1.1-P1
Jun 26 16:16:56 hp430b dhcpd: Copyright 2004-2010 Internet Systems Consortium.
Jun 26 16:16:56 hp430b dhcpd: All rights reserved.
Jun 26 16:16:56 hp430b dhcpd: For info, please visit https://www.isc.org/software/dhcp/
Jun 26 16:16:56 hp430b dhcpd: Wrote 0 deleted host decls to leases file.
Jun 26 16:16:56 hp430b dhcpd: Wrote 0 new dynamic host decls to leases file.
Jun 26 16:16:56 hp430b dhcpd: Wrote 0 leases to leases file.
Jun 26 16:16:56 hp430b dhcpd: Listening on LPF/wlan0/68:a3:c4:b9:e0:64/192.168.0.0/24
Jun 26 16:16:56 hp430b dhcpd: Sending on LPF/wlan0/68:a3:c4:b9:e0:64/192.168.0.0/24
Jun 26 16:16:56 hp430b dhcpd: Listening on LPF/eth0/9c:8e:99:37:f1:54/192.168.5.0/24
Jun 26 16:16:56 hp430b dhcpd: Sending on LPF/eth0/9c:8e:99:37:f1:54/192.168.5.0/24
Jun 26 16:16:56 hp430b dhcpd: Sending on Socket/fallback/fallback-net

So far so good, no error when starting the service.

  * configured router so that wlan0 always gets 192.168.0.103
  * configured so that eth0 gets fixed IP 192.168.5.1
$ sudo vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
IPADDR=192.168.5.1
NETMASK=255.255.255.0
ONBOOT=yes

  * restarted the network service:
$ sudo service network restart
Shutting down interface eth0:  Device state: 3 (disconnected)
                                                            [ OK  ]
Shutting down loopback interface:                          [ OK  ]
Bringing up loopback interface:                            [ OK  ]
Bringing up interface eth0:  Active connection state: activated
Active connection path: /org/freedesktop/NetworkManager/ActiveConnection/10
                                                            [ OK  ]

  * confirmed that the two interfaces get what they should get:
$ ifconfig
eth0      Link encap:Ethernet  HWaddr 9C:8E:99:37:F1:54
inet addr:192.168.5.1 Bcast:192.168.5.255 Mask:255.255.255.0
           inet6 addr: fe80::9e8e:99ff:fe37:f154/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:12539 errors:0 dropped:0 overruns:0 frame:0
           TX packets:3052 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:1323177 (1.2 MiB)  TX bytes:340948 (332.9 KiB)
           Interrupt:26 Base address:0x8000

lo        Link encap:Local Loopback
           inet addr:127.0.0.1  Mask:255.0.0.0
           inet6 addr: ::1/128 Scope:Host
           UP LOOPBACK RUNNING  MTU:16436  Metric:1
           RX packets:2167 errors:0 dropped:0 overruns:0 frame:0
           TX packets:2167 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:867756 (847.4 KiB)  TX bytes:867756 (847.4 KiB)

wlan0     Link encap:Ethernet  HWaddr 68:A3:C4:B9:E0:64
inet addr:192.168.0.103 Bcast:192.168.0.255 Mask:255.255.255.0
           inet6 addr: fe80::6aa3:c4ff:feb9:e064/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:628976 errors:0 dropped:0 overruns:0 frame:0
           TX packets:172871 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:324242046 (309.2 MiB)  TX bytes:22038298 (21.0 MiB)

  * configured iptables to do the IP masquerading
$ sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$ sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
$ sudo iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 117.4.113.206
$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Finally, I used another computer as a client on the 192.168.5 network and tried to give it an IP, for example 192.168.5.2, with gateway 192.168.5.1, but I can't get to the internet. I can only see the DHCP server (by ping or ssh to 192.168.5.1).

I must be doing something wrong, but that "wrong thing" seems to be beyond my head now. Any advice/suggestion is welcome!!!

Thanks,

