1 |
Thank Norberto and Dan Farrell!I think i had a misunderstand and made |
2 |
some mistakes.I hope I have correct it now. |
3 |
|
4 |
/etc/conf.d/net in the server |
5 |
config_eth0=( "202.114.10.134 netmask 255.255.255.0 brd 202.114.10.255" ) |
6 |
routes_eth0=( "default gw 202.114.10.129" ) |
7 |
|
8 |
config_eth1=( "192.168.1.1 netmask 255.255.255.0 brd 192.168.1.255" ) |
9 |
|
10 |
/etc/conf.d/net in a PC |
11 |
config_eth0=( "192.168.1.35 netmask 255.255.255.0 brd 192.168.1.255" ) |
12 |
routes_eth0=( "default gw 192.168.1.1" ) |
13 |
|
14 |
2007/5/15, Dan Farrell <dan@×××××××××.cx>: |
15 |
> Greetings all. Hope the weather in bejing is pleasant, Mr Wu. |
16 |
> |
17 |
> On Mon, 14 May 2007 11:58:34 -0300 (ART) |
18 |
> "Norberto Bensa" <nbensa@×××.net> wrote: |
19 |
> |
20 |
> > On Mon, May 14, 2007 8:23 am, Chuanwen Wu wrote: |
21 |
> > > Thank you!I think i have done what you meant. |
22 |
> > > Here is the information: |
23 |
> > > |
24 |
> > > |
25 |
> > > /etc/conf.d/net in the server |
26 |
> > > config_eth0=( "202.114.10.134 netmask 255.255.255.0 brd |
27 |
> > > 202.114.10.255" ) routes_eth0=( "default gw 202.114.10.129" ) |
28 |
> > |
29 |
> > OK |
30 |
> |
31 |
> > > |
32 |
> > > config_eth1=( "192.168.1.63 netmask 255.255.255.0 brd |
33 |
> > > 192.168.1.255" ) routes_eth1=( "default gw 192.168.1.1" ) |
34 |
> > |
35 |
> > You don't need a route here. |
36 |
> More exactly, a route to the subnet 192.168.1.0/24 will automatically |
37 |
> be created through eth1. A _gateway_ in this case is not necessary |
38 |
> because eth1 lives on that subnet. |
39 |
> > |
40 |
> > > /etc/conf.d/net in one PC |
41 |
> > > config_eth0=( "192.168.1.35 netmask 255.255.255.0 brd |
42 |
> > > 192.168.1.255" ) routes_eth0=( "default gw 192.168.1.1" ) |
43 |
> > |
44 |
> > No. GW should be 192.168.1.63, which is the IP address of your |
45 |
> > gateway. |
46 |
> > HTH, |
47 |
> > Norberto |
48 |
> > |
49 |
> First, the firewall configuration. Your first message said: |
50 |
> > The eth0 here has the real ip,and the eth1 have a subnet |
51 |
> > ip:192.168.1.21. |
52 |
> But here you show that you set it to .63, as Norberto pointed out. I |
53 |
> assume that was just a typographical error in the first email. Moving |
54 |
> on, the default route for the firewall is probably to the outside |
55 |
> world, and if you can ping google.com, it works. |
56 |
> |
57 |
> Second, the client configuration. The route for the subnet it's on |
58 |
> (192.168.1/24) is automatically created, as before. The default route |
59 |
> is the IP of the firewall/gateway it's behind, namely 192.168.1.63 as |
60 |
> Norberto said. The machine that's forwarding packets to the internet |
61 |
> for these hosts now provides the route to the outside world for these |
62 |
> hosts. |
63 |
> |
64 |
> Third, you must tell your client PCs nameservers, so that they can |
65 |
> resolve domain names. If you fail to do so, even though a ping of |
66 |
> google.com, for example, fails, a ping of its ip address |
67 |
> (64.233.167.99, in my case) will work. |
68 |
|
69 |
All my PCs have the same /etc/resove.conf file with the server.And now |
70 |
the PC can't ping through 66.249.89.99(of course,the server can). |
71 |
|
72 |
> |
73 |
> Fourth, you must check your firewall (that is, iptables) configuration |
74 |
> to be sure your iptables all refer to the correct subnet. |
75 |
> > iptables --table nat -A POSTROUTING -s 192.168.8.0/24 -j MASQUERADE |
76 |
> that wasn't right -- obviously the subnet should be your own. |
77 |
|
78 |
I have already corrected it to "iptables --table nat -A POSTROUTING -s |
79 |
192.168.1.0/24 -j MASQUERADE" from the first time. |
80 |
|
81 |
> |
82 |
> Since the firewall you're building knows all the information the hosts |
83 |
> need to know (subnet information, routes, etc) you may wish to set up a |
84 |
> rudimentary DHCP server on it, so that additional hosts can be added |
85 |
> without configuration by the user. You may also wish to impliment a |
86 |
> caching, recursive nameserver for enhanced efficiency. DNSMasq can do |
87 |
> both. |
88 |
Thanks for your advice! |
89 |
> -- |
90 |
> gentoo-user@g.o mailing list |
91 |
> |
92 |
> |
93 |
When a PC ping 66.249.89.99,I got these information from the server: |
94 |
|
95 |
# tcpdump -n -i eth1 net 192.168.1.0/24 and port not 22 and not arp |
96 |
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode |
97 |
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes |
98 |
10:01:08.214160 IP 192.168.1.35 > 66.249.89.99: ICMP echo request, id |
99 |
35391, seq 599, length 64 |
100 |
10:01:09.214014 IP 192.168.1.35 > 66.249.89.99: ICMP echo request, id |
101 |
35391, seq 600, length 64 |
102 |
10:01:10.213899 IP 192.168.1.35 > 66.249.89.99: ICMP echo request, id |
103 |
35391, seq 601, length 64 |
104 |
10:01:11.213792 IP 192.168.1.35 > 66.249.89.99: ICMP echo request, id |
105 |
35391, seq 602, length 64 |
106 |
10:01:12.213676 IP 192.168.1.35 > 66.249.89.99: ICMP echo request, id |
107 |
35391, seq 603, length 64 |
108 |
|
109 |
5 packets captured |
110 |
5 packets received by filter |
111 |
0 packets dropped by kernel |
112 |
|
113 |
|
114 |
And |
115 |
|
116 |
# tcpdump -n -i eth0 net 202.114.10.134 and port not 22 |
117 |
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode |
118 |
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes |
119 |
|
120 |
|
121 |
Does it mean that eth1(the interface in my subnet) receive the request |
122 |
but don't post forward it? |
123 |
-- |
124 |
wcw |
125 |
-- |
126 |
gentoo-user@g.o mailing list |