Greetings all. Hope the weather in Beijing is pleasant, Mr Wu.

On Mon, 14 May 2007 11:58:34 -0300 (ART)
"Norberto Bensa" <nbensa@×××.net> wrote:

> On Mon, May 14, 2007 8:23 am, Chuanwen Wu wrote:
> > Thank you! I think I have done what you meant.
> > Here is the information:
> >
> >
> > /etc/conf.d/net in the server
> > config_eth0=( "202.114.10.134 netmask 255.255.255.0 brd
> > 202.114.10.255" ) routes_eth0=( "default gw 202.114.10.129" )
>
> OK

> >
> > config_eth1=( "192.168.1.63 netmask 255.255.255.0 brd
> > 192.168.1.255" ) routes_eth1=( "default gw 192.168.1.1" )
>
> You don't need a route here.
More exactly, a route to the subnet 192.168.1.0/24 will automatically
be created through eth1. A _gateway_ in this case is not necessary
because eth1 lives on that subnet.
>
> > /etc/conf.d/net in one PC
> > config_eth0=( "192.168.1.35 netmask 255.255.255.0 brd
> > 192.168.1.255" ) routes_eth0=( "default gw 192.168.1.1" )
>
> No. GW should be 192.168.1.63, which is the IP address of your
> gateway.
> HTH,
> Norberto
>
First, the firewall configuration. Your first message said:
> The eth0 here has the real ip, and the eth1 has a subnet
> ip: 192.168.1.21.
But here you show that you set it to .63, as Norberto pointed out. I
assume that was just a typographical error in the first email. Moving
on, the default route for the firewall is probably to the outside
world, and if you can ping google.com, it works.

Second, the client configuration. The route for the subnet it's on
(192.168.1/24) is automatically created, as before. The default route
is the IP of the firewall/gateway it's behind, namely 192.168.1.63 as
Norberto said. The machine that's forwarding packets to the internet
for these hosts now provides the route to the outside world for these
hosts.

Third, you must tell your client PCs nameservers, so that they can
resolve domain names. If you fail to do so, even though a ping of
google.com, for example, fails, a ping of its ip address
(64.233.167.99, in my case) will work.

Fourth, you must check your firewall (that is, iptables) configuration
to be sure your iptables all refer to the correct subnet.
> iptables --table nat -A POSTROUTING -s 192.168.8.0/24 -j MASQUERADE
that wasn't right -- obviously the subnet should be your own.

Since the firewall you're building knows all the information the hosts
need to know (subnet information, routes, etc.) you may wish to set up a
rudimentary DHCP server on it, so that additional hosts can be added
without configuration by the user. You may also wish to implement a
caching, recursive nameserver for enhanced efficiency. DNSMasq can do
both.

--
gentoo-user@g.o mailing list
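As an added example that none of the posters in this thread wrote, the POSIX sh script below turns the two corrections above into checks that can be run before the firewall goes live: it derives the LAN network from an address/netmask pair in the `config_ethN` form, compares it with the `-s` network in the MASQUERADE rule (the `192.168.8.0/24` mistake), and confirms that a client's default gateway is the firewall's own LAN address and is on-link. The function names and the sample strings are my own; the sample values are taken from the thread, and nothing here touches the running system.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Sanity checks for the NAT
# gateway setup discussed above. Pure POSIX sh arithmetic and sed; read-only.

# Dotted quad -> 32-bit integer.
ip_to_int() {
    ip=$1
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    n=$1
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# Dotted netmask -> prefix length (counts the set bits).
mask_to_prefix() {
    m=$(ip_to_int "$1")
    bits=0
    while [ "$m" -ne 0 ]; do
        bits=$(( bits + (m & 1) ))
        m=$(( m >> 1 ))
    done
    echo "$bits"
}

# Network in CIDR form for an address and netmask:
# 192.168.1.63 255.255.255.0 -> 192.168.1.0/24
subnet_of() {
    a=$(ip_to_int "$1")
    m=$(ip_to_int "$2")
    echo "$(int_to_ip $(( a & m )))/$(mask_to_prefix "$2")"
}

# Pull the source network (the -s argument) out of an iptables rule line.
rule_source() {
    printf '%s\n' "$1" | sed -n 's/.*-s[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p'
}

# 0 if the rule's -s network equals the LAN interface's network, else 1.
# Args: lan_addr lan_mask rule_line
check_masq_rule() {
    want=$(subnet_of "$1" "$2")
    got=$(rule_source "$3")
    if [ "$want" = "$got" ]; then
        echo "OK: MASQUERADE rule covers the LAN $want"
        return 0
    fi
    echo "MISMATCH: LAN is $want but the rule masquerades '$got'"
    return 1
}

# 0 if the client's default gateway is the firewall's LAN address and that
# address is on the client's subnet, else 1.
# Args: fw_lan_addr client_addr client_mask client_gw
check_client_gateway() {
    if [ "$4" != "$1" ]; then
        echo "WRONG GATEWAY: client points at $4, firewall LAN address is $1"
        return 1
    fi
    if [ "$(subnet_of "$1" "$3")" != "$(subnet_of "$2" "$3")" ]; then
        echo "OFF-LINK: $1 is not on the client's subnet $(subnet_of "$2" "$3")"
        return 1
    fi
    echo "OK: client default route via $4"
    return 0
}

# Constructed sample inputs built from the values in the thread: the firewall's
# eth1 address/mask, the rule from the first message, and a corrected rule.
FW_LAN_ADDR=192.168.1.63
FW_LAN_MASK=255.255.255.0
BAD_RULE='iptables --table nat -A POSTROUTING -s 192.168.8.0/24 -j MASQUERADE'
GOOD_RULE='iptables --table nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE'

# Demo run: the first call of each pair reports the mistake from the thread.
check_masq_rule "$FW_LAN_ADDR" "$FW_LAN_MASK" "$BAD_RULE" || :
check_masq_rule "$FW_LAN_ADDR" "$FW_LAN_MASK" "$GOOD_RULE"
check_client_gateway "$FW_LAN_ADDR" 192.168.1.35 255.255.255.0 192.168.1.1 || :
check_client_gateway "$FW_LAN_ADDR" 192.168.1.35 255.255.255.0 "$FW_LAN_ADDR"
```

The subnet comparison is string equality on the CIDR form, so a rule written as `192.168.1.0/255.255.255.0` would be reported as a mismatch even though iptables accepts it; normalise the rule to prefix notation first if you keep that style.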