home lan (three pc's, two eth in gw, no external router)

 
 
Sentiniate
Guest
Posts: n/a

 
      12-20-2003, 10:54 PM
i am trying to build up a home lan

            INTERNET
               |
               |
               0 Modem 56K
               |
             _____            pc A = firewall + qpopper
        eth0|     |eth1       pc's B and C = client
      |-----|  A  |-----|
  eth0|     |_____|     |eth0
    -----             -----
   |     |           |     |
   |  B  |           |  C  |
   |_____|           |_____|

A = debian woody + 2.4.23 eth0=192.168.0.1 nm 255.255.255.0 , eth1=192.168.1.1
B = mandrake 9.2 + 2.4.21 eth0=192.168.0.2
C = debian sarge + 2.6.0 eth0=192.168.1.2

i know it would be much easier to connect directly the two clients, or to use
a router, but i got some spare eth cards and since i want to make a gift of
the system i'm building up to my son's school in order to introduce his class
to linux, this solution seemed to be less costly (the three pc's are all "at"
ones with cpu's ranging from 200 to 233).
by no means i plan to become a networking expert.

i tried several configurations before understanding via google that i needed
two subnets.
the /etc/network/interfaces in the two debian machines look like the following
(in drake control center i managed to get the same result)

pc A
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 192.168.0.1
netmask 255.255.255.0
gateway
iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0

pc C
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 192.168.1.2
netmask 255.255.255.0

pc B same as above but through the drake control center
i am not a mandrake fan, therefore i do not even know where the configuration
files are stored, but the glossy kde (which i do not use) is very attractive
to my son who is used to winxp

by this configuration i am able to ping (and ssh) each other A<->B and A<->C
but not B<->C
only B (and obviously A) can reach internet even if i stop the firewall

i understand i must do something so that the two subnets talk to each other,
but.....what? i searched a lot through google, in this newsgroup archives and
in the documentation as well, though it is so vast that obviously i got lost.

is there someone so kind to help me? please?

thanks in advance

aldo
 
Peter Matulis
Guest
Posts: n/a

 
      12-21-2003, 01:29 AM
On 20 Dec 2003 15:54:24 -0800, (E-Mail Removed) (Sentiniate)
wrote:

>i am trying to build up a home lan
>
> INTERNET
> |
> |
> 0 Modem 56K
> |
> _____ pc A = firewall + qpopper
> eth0| |eth1 pc's B and C = client
> |-----| A |-----|
> eth0| |_____| |eth0
> ----- -----
> | | | |
> | B | | C |
> |_____| |_____|
>
>A = debian woody + 2.4.23 eth0=192.168.0.1 nm 255.255.255.0 , eth1=192.168.1.1
>B = mandrake 9.2 + 2.4.21 eth0=192.168.0.2
>C = debian sarge + 2.6.0 eth0=192.168.1.2


[...]

>by this configuration i am able to ping (and ssh) each other A<->B and A<->C
>but not B<->C
>only B (and obviously A) can reach internet even if i stop the firewall
>
>i understand i must do something so that the two subnets talk to each other,
>but.....what? i searched a lot through google, in this newsgroup archives and
>in the documentation as well, though it is so vast that obviously i got lost.


If B can access the internet then evidently you have routing enabled.

For any further testing make sure firewall is deactivated.

Also, if B can access the internet you most surely have its default
gateway as the firewall's eth0 (192.168.0.1). This is good.

But I'm thinking that this may not be the case for C. You must give
it the default gateway of the firewall's eth1 (192.168.1.1). Do this
like so on C:

# route add default gw 192.168.0.1

Debian's syntax may be different. You must also figure out how to
make this permanent. I'm not sure about Debian.

To check default gateway on any machine:

# netstat -rn

(look for "default" or "0.0.0.0")
 
 
Peter Matulis
Guest
Posts: n/a

 
      12-21-2003, 01:31 AM
On Sat, 20 Dec 2003 21:29:09 -0500, Peter Matulis <(E-Mail Removed)> wrote:

>On 20 Dec 2003 15:54:24 -0800, (E-Mail Removed) (Sentiniate)
>wrote:
>
>>i am trying to build up a home lan
>>
>> INTERNET
>> |
>> |
>> 0 Modem 56K
>> |
>> _____ pc A = firewall + qpopper
>> eth0| |eth1 pc's B and C = client
>> |-----| A |-----|
>> eth0| |_____| |eth0
>> ----- -----
>> | | | |
>> | B | | C |
>> |_____| |_____|
>>
>>A = debian woody + 2.4.23 eth0=192.168.0.1 nm 255.255.255.0 , eth1=192.168.1.1
>>B = mandrake 9.2 + 2.4.21 eth0=192.168.0.2
>>C = debian sarge + 2.6.0 eth0=192.168.1.2

>
>[...]
>
>>by this configuration i am able to ping (and ssh) each other A<->B and A<->C
>>but not B<->C
>>only B (and obviously A) can reach internet even if i stop the firewall
>>
>>i understand i must do something so that the two subnets talk to each other,
>>but.....what? i searched a lot through google, in this newsgroup archives and
>>in the documentation as well, though it is so vast that obviously i got lost.

>
>If B can access the internet then evidently you have routing enabled.
>
>For any further testing make sure firewall is deactivated.
>
>Also, if B can access the internet you most surely have its default
>gateway as the firewall's eth0 (192.168.0.1). This is good.
>
>But I'm thinking that this may not be the case for C. You must give
>it the default gateway of the firewall's eth1 (192.168.1.1). Do this
>like so on C:
>
># route add default gw 192.168.0.1


Sorry, that should be 192.168.1.1

>Debian's syntax may be different. You must also figure out how to
>make this permanent. I'm not sure about Debian.
>
>To check default gateway on any machine:
>
># netstat -rn
>
>(look for "default" or "0.0.0.0")


 
 
Sentiniate
Guest
Posts: n/a

 
      12-22-2003, 12:35 AM
Peter Matulis <(E-Mail Removed)> wrote in message news:<(E-Mail Removed)>. ..
> On 20 Dec 2003 15:54:24 -0800, (E-Mail Removed) (Sentiniate)
> wrote:
>
> >i am trying to build up a home lan
> >
> > INTERNET
> > |
> > |
> > 0 Modem 56K
> > |
> > _____ pc A = firewall + qpopper
> > eth0| |eth1 pc's B and C = client
> > |-----| A |-----|
> > eth0| |_____| |eth0
> > ----- -----
> > | | | |
> > | B | | C |
> > |_____| |_____|
> >
> >A = debian woody + 2.4.23 eth0=192.168.0.1 nm 255.255.255.0 , eth1=192.168.1.1
> >B = mandrake 9.2 + 2.4.21 eth0=192.168.0.2
> >C = debian sarge + 2.6.0 eth0=192.168.1.2

>
> [...]
>
> >by this configuration i am able to ping (and ssh) each other A<->B and A<->C
> >but not B<->C


[...]

> If B can access the internet then evidently you have routing enabled.


i changed a lot of configurations and now i cannot recollect which one
allowed me to go to internet by pc B
>
> For any further testing make sure firewall is deactivated.


yes it is

[...]
i can still ping (and do ssh) A<->B A<->C i cannot ping B towards C
and back
i can use internet only from pc A (this after many changes in the
configurations, formerly i could go to internet from pc B too but i
cannot recollect what was the conf i used)

configuration of pc A (debian woody while connected in dialup to my
isp)

topolino:~# less /etc/network/interfaces

# The loopback interface
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 192.168.0.1
netmask 255.255.255.0

auto eth1
iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0


topolino:~# netstat -nr


Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
62.94.14.1      0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         62.94.14.1      0.0.0.0         UG        0 0          0 ppp0

if it is not connected to my isp i get from netstat -nr :

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0


configuration of pc B (mandrake 9.2)

[aldo@paperoga aldo]$ less /etc/netprofile/profiles/default/files/etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.0.2
NETMASK=255.255.255.0
NETWORK=192.168.0.0
BROADCAST=192.168.0.255
ONBOOT=yes
MII_NOT_SUPPORTED=yes

[root@paperoga root]# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 eth0


configuration of pc C (debian sarge):


# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)

# The loopback interface
# automatically added when upgrading
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 192.168.1.2
netmask 255.255.255.0
up route add default gw 192.168.1.1
down route del default gw 192.168.1.1


paperino:~# netstat -nr

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0

this configurations obviously are not correct, what should i change?
many thanks for your patience and help
aldo
 
 
Peter Matulis
Guest
Posts: n/a

 
      12-22-2003, 03:12 AM
On 21 Dec 2003 17:35:40 -0800, (E-Mail Removed) (Sentiniate)
wrote:

>Peter Matulis <(E-Mail Removed)> wrote in message news:<(E-Mail Removed)>. ..
>> On 20 Dec 2003 15:54:24 -0800, (E-Mail Removed) (Sentiniate)
>> wrote:


[...]

>this configurations obviously are not correct, what should i change?
>many thanks for your patience and help


The configurations do indeed look correct. The only thing it can be
is that host A is not routing. On A, check this hypothesis:

# sysctl net.ipv4.ip_forward

If you get back a " 1 " then routing is activated. If " 0 " then it
is not. If it is not then activate:

# sysctl -w net.ipv4.ip_forward=1

Now test the pinging. Hopefully it works.

n.b. A good way to see what is happening with your network adapters is
with the ifconfig command:

$ ifconfig eth0
 
 
Sentiniate
Guest
Posts: n/a

 
      01-04-2004, 03:17 PM
Peter Matulis <(E-Mail Removed)> wrote in message
[...]
>
> >this configurations obviously are not correct, what should i change?
> >many thanks for your patience and help

>
> The configurations do indeed look correct. The only thing it can be
> is that host A is not routing. On A, check this hypothesis:
>
> # sysctl net.ipv4.ip_forward


thank you very much, peter, for your help!! :-)
everything works now :-)))))
as a matter of fact the problem was due to a bug in a debian script
(which strangely was discovered just a month ago) in fact restarting
networking service, /proc/sys/net/ipv4/ip_forward is left to 0 , i
could solve the problem only thanks to your suggestion.

a further minor problem (no ssh between clients pc's when i started
the connection to internet) which was due to some rule of a firewall
script i had found browsing google was solved writing myself one (ok
ok, just copying here and there :-DDDD.

now i wonder if anyone would be so kind to look at it suggesting any
improvements as far as the wording and security are concerned:
#!/bin/sh

set -x -e

iptables -F

iptables -X

# loopback
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT

# Rules for nat/masq
iptables -t nat -A POSTROUTING -s 192.168.0.1 -o ppp+ -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.1 -o ppp+ -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.2 -o ppp+ -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.2 -o ppp+ -j MASQUERADE

# Allow reply
# (per ICMP/TCP/UDP).
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth1 -p icmp
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth1 -p tcp
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth1 -p udp

# Outward ping
iptables -A INPUT -p icmp -j ACCEPT

# some rules
iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow FTP but not from ppp0 (should i need it i will replace REJECT
# with ACCEPT)
iptables -A INPUT -p tcp -i eth0 --dport 20 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -i eth1 --dport 20 -j ACCEPT
iptables -A INPUT -p tcp -i eth1 --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -i ppp0 --dport 20 -j REJECT
iptables -A INPUT -p tcp -i ppp0 --dport 21 -j REJECT

# Allow VNC
iptables -A INPUT -i eth0 -p tcp --dport 5902 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 5902 -j ACCEPT

# Block packets pretending to be from the lan
iptables -A INPUT -s 10.0.0.0/8 -i ppp0 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -i ppp0 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -i ppp0 -j DROP
iptables -A INPUT -s 192.168.0.0/16 -i ppp0 -j DROP

# Block all ports but (when i need it) 22 and 80 for sshd and httpd
# iptables -A INPUT -p tcp --syn --destination-port 22 -j ACCEPT
# iptables -A INPUT -p tcp --syn --destination-port 80 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP

thanks
aldo
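
A tightened variant of the script above, as an added example that is not part of the original post: it flushes the nat table as well, sets default-DROP policies instead of relying on the final TCP SYN drop, and puts the anti-spoofing rules ahead of every ACCEPT. The `IPT` dry-run switch, the `build_rules` function and the variable names are assumptions of this example; the interfaces, subnets and ports are the ones given in the thread.

```shell
#!/bin/sh
# Added example, not the poster's script. Dry run by default: each rule is
# printed, not applied. Run as root with IPT=iptables to load the rules.
IPT="${IPT:-echo iptables}"
WAN="ppp+"                                      # dial-up side, as in the thread
LANS="eth0:192.168.0.0/24 eth1:192.168.1.0/24"  # interface:subnet pairs from the thread
LAN_TCP_PORTS="20 21 5902"                      # LAN-side ports the original script opened

build_rules() {
    # Flush nat as well as filter, so a re-run does not stack MASQUERADE rules.
    $IPT -F
    $IPT -X
    $IPT -t nat -F

    # Default deny: anything not matched below is dropped, UDP included.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Anti-spoofing goes first, before any ACCEPT can match the packet.
    for net in 10.0.0.0/8 127.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPT -A INPUT -i "$WAN" -s "$net" -j DROP
        $IPT -A FORWARD -i "$WAN" -s "$net" -j DROP
    done

    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    for pair in $LANS; do
        ifc=${pair%%:*}
        net=${pair#*:}
        # Gateway services: ping and the listed TCP ports, from the LAN only.
        $IPT -A INPUT -i "$ifc" -s "$net" -p icmp --icmp-type echo-request -j ACCEPT
        for port in $LAN_TCP_PORTS; do
            $IPT -A INPUT -i "$ifc" -s "$net" -p tcp --dport "$port" --syn -j ACCEPT
        done
        # Routed traffic (B<->C and LAN->internet) must carry its own subnet's source.
        $IPT -A FORWARD -i "$ifc" -s "$net" -j ACCEPT
        # One MASQUERADE rule per subnet replaces the four per-host rules.
        $IPT -t nat -A POSTROUTING -s "$net" -o "$WAN" -j MASQUERADE
    done
}

build_rules
```

The printed rule list can be compared with the original script line by line before anything is loaded on the gateway.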
 