| 1 |
Thank Norberto and Dan Farrell!I think i had a misunderstand and made |
| 2 |
some mistakes.I hope I have correct it now. |
| 3 |
|
| 4 |
/etc/conf.d/net in the server |
| 5 |
config_eth0=( "202.114.10.134 netmask 255.255.255.0 brd 202.114.10.255" ) |
| 6 |
routes_eth0=( "default gw 202.114.10.129" ) |
| 7 |
|
| 8 |
config_eth1=( "192.168.1.1 netmask 255.255.255.0 brd 192.168.1.255" ) |
| 9 |
|
| 10 |
/etc/conf.d/net in a PC |
| 11 |
config_eth0=( "192.168.1.35 netmask 255.255.255.0 brd 192.168.1.255" ) |
| 12 |
routes_eth0=( "default gw 192.168.1.1" ) |
| 13 |
|
| 14 |
2007/5/15, Dan Farrell <dan@×××××××××.cx>: |
| 15 |
> Greetings all. Hope the weather in bejing is pleasant, Mr Wu. |
| 16 |
> |
| 17 |
> On Mon, 14 May 2007 11:58:34 -0300 (ART) |
| 18 |
> "Norberto Bensa" <nbensa@×××.net> wrote: |
| 19 |
> |
| 20 |
> > On Mon, May 14, 2007 8:23 am, Chuanwen Wu wrote: |
| 21 |
> > > Thank you!I think i have done what you meant. |
| 22 |
> > > Here is the information: |
| 23 |
> > > |
| 24 |
> > > |
| 25 |
> > > /etc/conf.d/net in the server |
| 26 |
> > > config_eth0=( "202.114.10.134 netmask 255.255.255.0 brd |
| 27 |
> > > 202.114.10.255" ) routes_eth0=( "default gw 202.114.10.129" ) |
| 28 |
> > |
| 29 |
> > OK |
| 30 |
> |
| 31 |
> > > |
| 32 |
> > > config_eth1=( "192.168.1.63 netmask 255.255.255.0 brd |
| 33 |
> > > 192.168.1.255" ) routes_eth1=( "default gw 192.168.1.1" ) |
| 34 |
> > |
| 35 |
> > You don't need a route here. |
| 36 |
> More exactly, a route to the subnet 192.168.1.0/24 will automatically |
| 37 |
> be created through eth1. A _gateway_ in this case is not necessary |
| 38 |
> because eth1 lives on that subnet. |
| 39 |
> > |
| 40 |
> > > /etc/conf.d/net in one PC |
| 41 |
> > > config_eth0=( "192.168.1.35 netmask 255.255.255.0 brd |
| 42 |
> > > 192.168.1.255" ) routes_eth0=( "default gw 192.168.1.1" ) |
| 43 |
> > |
| 44 |
> > No. GW should be 192.168.1.63, which is the IP address of your |
| 45 |
> > gateway. |
| 46 |
> > HTH, |
| 47 |
> > Norberto |
| 48 |
> > |
| 49 |
> First, the firewall configuration. Your first message said: |
| 50 |
> > The eth0 here has the real ip,and the eth1 have a subnet |
| 51 |
> > ip:192.168.1.21. |
| 52 |
> But here you show that you set it to .63, as Norberto pointed out. I |
| 53 |
> assume that was just a typographical error in the first email. Moving |
| 54 |
> on, the default route for the firewall is probably to the outside |
| 55 |
> world, and if you can ping google.com, it works. |
| 56 |
> |
| 57 |
> Second, the client configuration. The route for the subnet it's on |
| 58 |
> (192.168.1/24) is automatically created, as before. The default route |
| 59 |
> is the IP of the firewall/gateway it's behind, namely 192.168.1.63 as |
| 60 |
> Norberto said. The machine that's forwarding packets to the internet |
| 61 |
> for these hosts now provides the route to the outside world for these |
| 62 |
> hosts. |
| 63 |
> |
| 64 |
> Third, you must tell your client PCs nameservers, so that they can |
| 65 |
> resolve domain names. If you fail to do so, even though a ping of |
| 66 |
> google.com, for example, fails, a ping of its ip address |
| 67 |
> (64.233.167.99, in my case) will work. |
| 68 |
|
| 69 |
All my PCs have the same /etc/resove.conf file with the server.And now |
| 70 |
the PC can't ping through 66.249.89.99(of course,the server can). |
| 71 |
|
| 72 |
> |
| 73 |
> Fourth, you must check your firewall (that is, iptables) configuration |
| 74 |
> to be sure your iptables all refer to the correct subnet. |
| 75 |
> > iptables --table nat -A POSTROUTING -s 192.168.8.0/24 -j MASQUERADE |
| 76 |
> that wasn't right -- obviously the subnet should be your own. |
| 77 |
|
| 78 |
I have already corrected it to "iptables --table nat -A POSTROUTING -s |
| 79 |
192.168.1.0/24 -j MASQUERADE" from the first time. |
| 80 |
|
| 81 |
> |
| 82 |
> Since the firewall you're building knows all the information the hosts |
| 83 |
> need to know (subnet information, routes, etc) you may wish to set up a |
| 84 |
> rudimentary DHCP server on it, so that additional hosts can be added |
| 85 |
> without configuration by the user. You may also wish to impliment a |
| 86 |
> caching, recursive nameserver for enhanced efficiency. DNSMasq can do |
| 87 |
> both. |
| 88 |
Thanks for your advice! |
| 89 |
> -- |
| 90 |
> gentoo-user@g.o mailing list |
| 91 |
> |
| 92 |
> |
| 93 |
When a PC ping 66.249.89.99,I got these information from the server: |
| 94 |
|
| 95 |
# tcpdump -n -i eth1 net 192.168.1.0/24 and port not 22 and not arp |
| 96 |
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode |
| 97 |
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes |
| 98 |
10:01:08.214160 IP 192.168.1.35 > 66.249.89.99: ICMP echo request, id |
| 99 |
35391, seq 599, length 64 |
| 100 |
10:01:09.214014 IP 192.168.1.35 > 66.249.89.99: ICMP echo request, id |
| 101 |
35391, seq 600, length 64 |
| 102 |
10:01:10.213899 IP 192.168.1.35 > 66.249.89.99: ICMP echo request, id |
| 103 |
35391, seq 601, length 64 |
| 104 |
10:01:11.213792 IP 192.168.1.35 > 66.249.89.99: ICMP echo request, id |
| 105 |
35391, seq 602, length 64 |
| 106 |
10:01:12.213676 IP 192.168.1.35 > 66.249.89.99: ICMP echo request, id |
| 107 |
35391, seq 603, length 64 |
| 108 |
|
| 109 |
5 packets captured |
| 110 |
5 packets received by filter |
| 111 |
0 packets dropped by kernel |
| 112 |
|
| 113 |
|
| 114 |
And |
| 115 |
|
| 116 |
# tcpdump -n -i eth0 net 202.114.10.134 and port not 22 |
| 117 |
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode |
| 118 |
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes |
| 119 |
|
| 120 |
|
| 121 |
Does it mean that eth1(the interface in my subnet) receive the request |
| 122 |
but don't post forward it? |
| 123 |
-- |
| 124 |
wcw |
| 125 |
-- |
| 126 |
gentoo-user@g.o mailing list |
Archives