Right. I have two machines that will be servers on the public internet. One has Linux, one Windows. I want to use the Linux one as a firewall for itself and the Windows one. To do this, I want to connect the Linux one to the internet on eth0, and to a switch on eth1. The Windows machine will be connected to the switch. (The switch is there for if / when we buy more machines).
I'm fairly confident this is a reasonable thing to do.
When they are running like this, the Linux machine will have two public IP addresses, one for each NIC, and the Windows machine will have one. I'm trying to set the machines up on our internal (10.0.0.0/24) network initially though, as a proof of concept, with private IP addresses:
10.0.0.94 Linux to network
10.0.0.95 Linux to switch
10.0.0.96 Windows to switch
I'm less confident this is a reasonable thing to do. Does the little network have to be an IP subnet with a broadcast address and everything? I don't know enough about IP to be sure, and all the howtos I see assume you're using NAT. I don't want NAT.
In the event that this *is* a reasonable way to treat IP addresses, what else do I need to do to get routing going? I've got a routing table on the Linux box that allows it to see the network and this linux box, but pings don't appear to go from the network to the Windows box and vice versa.
And can I avoid iptables until I've got it working and want to add the firewall? Please?
Any help will get a lot of gratitude. If no-one helps, I'll have to go on debian-firewall and get flamed...
(no subject)
Date: 2003-01-08 09:43 am (UTC)
Is the switch trying to do anything clever with vlans / management addresses or is it flat?
I would put the network on its own subnet. What subnet do you have for the public IP addresses?
(no subject)
Date: 2003-01-08 09:47 am (UTC)
I'm reluctant to put the mini-network on its own subnet because that's going to use more public IP addresses for network and broadcast addresses and I don't have many. But is that the only way?
(no subject)
Date: 2003-01-08 10:03 am (UTC)
Hi
Date: 2003-01-08 10:15 am (UTC)
iptables can definitely be left until later.
Also, ensure that the netmask for Linux-eth1 and the Windows box are the same. They should both be a (*thinks*) /30, so 255.255.255.252 if I'm not too braindead.
ip_forwarding should be switched ON on the Linux box, or, err, it won't forward.
The other way to do it is to set the default route on the Windows box to be Linux-eth1, and add a static host route pointing at the Windows box to the routing table on the Linux box.
Please feel free to laugh at me if I've cocked some of this up - I have had a bad day. Oh, and if you want some interactive support, you can call me :)
Re: Hi
Date: 2003-01-08 11:09 am (UTC)
I'm trying really hard not to do this - I'm sure it's the easiest thing to do but I really don't want to run out of IP addresses later. I really want to know if it's possible the way I'm trying to do it.
The rest of the stuff, yeah. I *have* turned on forwarding, told windows that linux is its gateway, told linux to route traffic for windows via the other network card. This gives the linux box a correct view of the world, but unfortunately windows can't see out, and the rest of the world can't see in. I've read that just turning ip_forward on isn't enough, you have to set up iptables too but I'm not sure I believe that...
Re: Hi
Date: 2003-01-08 11:23 am (UTC)
I don't believe that for a minute.
What sort of route does linux have back to the windows machine? A static host route, one would assume?
Try the following:
1) Sit on the linux box. Can you ping the windows box?
2) Sit on the windows box. Can you ping the linux box on either or both of its interfaces?
3) use the arp command on the linux box, to see what MAC addresses it can see.
4) use whatever arp commands are available on the windows box, to see what MAC addresses it can see.
Does any of this help?
Re: Hi
Date: 2003-01-08 11:35 am (UTC)
That's reassuring.
> A static host route, one would assume?
If by that you mean something explicitly added with the route command, yes. I'm not very up on networking terminology.
I'm not at work now but 1) is definitely yes and I think 2) is both. Given that, I'm not sure how relevant 3) or 4) are.
It sounds like at least I'm not trying to do anything impossible or even particularly stupid, it's just not working for some reason...
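A way to sanity-check the addressing plan discussed in this thread before touching iptables, as an added example (not code from any of the posters). It encodes the checks suggested in the replies (same netmask on both ends of the switch segment, a /30 for two hosts) plus an on-link test that shows why hosts on the outer 10.0.0.0/24 network never reach the Windows box when its address sits inside that same prefix. The /24 masks for the proof-of-concept plan and the 10.0.1.0/30 replacement are assumptions.

```python
import ipaddress
from typing import Dict, List

# Constructed addressing plans (masks are assumed; the thread gives only the addresses)
POC_PLAN = {                       # the proof-of-concept plan from the thread
    "linux_eth0": "10.0.0.94/24",  # Linux to network
    "linux_eth1": "10.0.0.95/24",  # Linux to switch
    "windows":    "10.0.0.96/24",  # Windows to switch
}
FIXED_PLAN = {                     # the reply's suggestion: its own /30 behind eth1
    "linux_eth0": "10.0.0.94/24",
    "linux_eth1": "10.0.1.1/30",
    "windows":    "10.0.1.2/30",
}


def will_arp_directly(sender_if: str, dst: str) -> bool:
    """A host treats dst as on-link, and ARPs for it instead of sending the
    packet to its gateway, when dst falls inside the host's connected prefix."""
    sender = ipaddress.ip_interface(sender_if)
    return ipaddress.ip_address(dst) in sender.network


def check_plan(plan: Dict[str, str]) -> List[str]:
    """Return a list of routing problems with the plan; empty means it can work
    with plain ip_forward plus a static host route and no NAT."""
    eth0 = ipaddress.ip_interface(plan["linux_eth0"])
    eth1 = ipaddress.ip_interface(plan["linux_eth1"])
    win = ipaddress.ip_interface(plan["windows"])
    problems = []
    # 1. Both ends of the switch segment must agree on the subnet (same netmask).
    if eth1.network != win.network:
        problems.append(f"netmask mismatch: eth1 is in {eth1.network}, "
                        f"windows is in {win.network}")
    # 2. Two hosts need a /30 or shorter prefix (network + 2 hosts + broadcast).
    if eth1.network.prefixlen > 30:
        problems.append(f"{eth1.network} has no room for two hosts")
    # 3. The switch segment must not overlap eth0's network. If it does, hosts
    #    on the eth0 side consider the Windows address on-link and ARP for it
    #    directly; those ARPs never cross the Linux box, so nothing gets in,
    #    and the host route on Linux only fixes the Linux box's own view.
    if eth0.network.overlaps(eth1.network):
        problems.append(f"{eth1.network} overlaps {eth0.network}: outer hosts "
                        f"will ARP for {win.ip} instead of routing via {eth0.ip}")
    return problems


if __name__ == "__main__":
    for name, plan in (("proof of concept", POC_PLAN), ("own /30", FIXED_PLAN)):
        print(name, "->", check_plan(plan) or "ok")
```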