Using Linux as Network Glue - page 2

Introduction

  • July 20, 1999
  • By Matt Clements
I had no previous experience with Linux. After reading about the different distributions, I opted for Debian 2.1 (slink), as at the time of writing this was the most recent stable Debian release, complete with the 2.0.36 kernel. To make the Linux ipchains software work with this kernel, it had to be recompiled with the following options set:

Prompt for development and/or incomplete code/drivers (CONFIG_EXPERIMENTAL) [Y/n/?]
YES

Enable loadable module support (CONFIG_MODULES) [Y/n/?]
YES

Networking support (CONFIG_NET) [Y/n/?]
YES

Network firewalls (CONFIG_FIREWALL) [Y/n/?]
YES

TCP/IP networking (CONFIG_INET) [Y/n/?]
YES

IP: forwarding/gatewaying (CONFIG_IP_FORWARD) [Y/n/?]
YES

IP: syn cookies (CONFIG_SYN_COOKIES) [Y/n/?]
YES

IP: firewalling (CONFIG_IP_FIREWALL) [Y/n/?]
YES

IP: firewall packet logging (CONFIG_IP_FIREWALL_VERBOSE) [Y/n/?]
YES

IP: masquerading (CONFIG_IP_MASQUERADE) [Y/n/?]
YES

IP: ICMP masquerading (CONFIG_IP_MASQUERADE_ICMP) [Y/n/?]
YES

IP: always defragment (CONFIG_IP_ALWAYS_DEFRAG) [Y/n/?]
YES

IP: optimize as router not host (CONFIG_IP_ROUTER) [Y/n/?]
YES

IP: Drop source routed frames (CONFIG_IP_NOSR) [Y/n/?]
YES

Dummy net driver support (CONFIG_DUMMY) [M/n/y/?]
YES

/proc filesystem support (CONFIG_PROC_FS) [Y/n/?]
YES

This is with the kernel 2.0.x series; according to the IP Chains HOWTO, 2.2.x configuration is much more straightforward. The two Ethernet cards in the system (two old 10base2 Western Digital WD8013 cards) also had to be configured. I added the line options wd io=0x220,0x300 to /etc/modutils/modconf and then ran update-modules.
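Rather than answering each prompt by hand and hoping nothing was missed, the resulting kernel .config can be checked against the list above. The following script is an added example, not part of the original article: REQUIRED_OPTIONS is the article's list, and the .config text inside is constructed for illustration (a built-in 'y' or module 'm' both count as enabled, which matters for CONFIG_DUMMY).

```python
"""Check a kernel .config for the options the article requires.

Added example, not code from the article. REQUIRED_OPTIONS is the list the
article gives; SAMPLE_CONFIG is a constructed .config fragment, not a real one.
"""
import re

REQUIRED_OPTIONS = [
    "CONFIG_EXPERIMENTAL", "CONFIG_MODULES", "CONFIG_NET", "CONFIG_FIREWALL",
    "CONFIG_INET", "CONFIG_IP_FORWARD", "CONFIG_SYN_COOKIES",
    "CONFIG_IP_FIREWALL", "CONFIG_IP_FIREWALL_VERBOSE", "CONFIG_IP_MASQUERADE",
    "CONFIG_IP_MASQUERADE_ICMP", "CONFIG_IP_ALWAYS_DEFRAG", "CONFIG_IP_ROUTER",
    "CONFIG_IP_NOSR", "CONFIG_DUMMY", "CONFIG_PROC_FS",
]

# A .config line is "CONFIG_FOO=y", "CONFIG_FOO=m", or "# CONFIG_FOO is not set".
_SET_RE = re.compile(r"^(CONFIG_[A-Z0-9_]+)=([ym])$")
_UNSET_RE = re.compile(r"^# (CONFIG_[A-Z0-9_]+) is not set$")


def parse_config(text):
    """Return {option: 'y' | 'm' | 'n'} for every option mentioned in the text."""
    state = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET_RE.match(line)
        if m:
            state[m.group(1)] = m.group(2)
            continue
        m = _UNSET_RE.match(line)
        if m:
            state[m.group(1)] = "n"
    return state


def missing_options(text, required=REQUIRED_OPTIONS):
    """List required options that are unset or simply absent from the .config.

    Built-in ('y') and module ('m') both count as enabled; an option that never
    appears is treated as unset, which is what the kernel build does as well.
    """
    state = parse_config(text)
    return [opt for opt in required if state.get(opt, "n") == "n"]


# Constructed sample: two options answered "n", one (CONFIG_IP_NOSR) missing entirely.
SAMPLE_CONFIG = """\
# Constructed sample .config fragment
CONFIG_EXPERIMENTAL=y
CONFIG_MODULES=y
CONFIG_NET=y
CONFIG_FIREWALL=y
CONFIG_INET=y
CONFIG_IP_FORWARD=y
# CONFIG_SYN_COOKIES is not set
CONFIG_IP_FIREWALL=y
CONFIG_IP_FIREWALL_VERBOSE=y
CONFIG_IP_MASQUERADE=y
CONFIG_IP_MASQUERADE_ICMP=y
CONFIG_IP_ALWAYS_DEFRAG=y
# CONFIG_IP_ROUTER is not set
CONFIG_DUMMY=m
CONFIG_PROC_FS=y
"""

if __name__ == "__main__":
    for opt in missing_options(SAMPLE_CONFIG):
        print("missing:", opt)
```

Run it against a real kernel's .config by reading the file into missing_options(); an empty list means every option the article asks for is built in or available as a module.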

Once I had done this and rerun lilo to install the new boot information, I was ready to reboot and set up the ipchains software. It worked the first time around! The protocol we devised for communications between the webserver and backoffice was as lightweight as we could make it, thus keeping performance as high as possible. We have been very impressed by overall performance.

Since then I have moved our primary and secondary DNS and email services over onto Linux machines as well, using bind and sendmail. The ipchains software is now running on a very old 486 machine.

#! /bin/sh
# Loopback interface and its network route (explicit netmask so the
# route does not depend on classful defaults)
ifconfig lo 127.0.0.1
route add -net 127.0.0.0 netmask 255.0.0.0

# eth0: the private network (10.0.0.0/24)
IPADDR=10.0.0.1
NETMASK=255.255.255.0
NETWORK=10.0.0.0
BROADCAST=10.0.0.255
ifconfig eth0 ${IPADDR} netmask ${NETMASK} broadcast ${BROADCAST}
route add -net ${NETWORK} netmask ${NETMASK}

# eth1: the internet-facing network (20.0.0.0/24)
IPADDR2=20.0.0.1
NETMASK2=255.255.255.0
NETWORK2=20.0.0.0
BROADCAST2=20.0.0.255
ifconfig eth1 ${IPADDR2} netmask ${NETMASK2} broadcast ${BROADCAST2}
route add -net ${NETWORK2} netmask ${NETMASK2}

# The backoffice box (30.0.0.1) is reached through the ISDN router (10.0.0.2)
# on the private network
route add -host 30.0.0.1 gw 10.0.0.2 metric 1

# Flush all three chains, then set the default policies: traffic to and
# from this box is accepted, but nothing is forwarded unless a rule allows it
ipchains -F input
ipchains -F output
ipchains -F forward
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward DENY

# The only forwarding allowed: connections from the internet-facing network
# to the backoffice box, masqueraded so they appear to come from this box
ipchains -A forward -s 20.0.0.0/24 -d 30.0.0.1 -j MASQ

Our Network's Topology

(Figure: network layout used in the example)

The 10.0.0.0 network is our private network.
The 20.0.0.0 network is internet-facing.
The backoffice system is on a box with IP address 30.0.0.1.
We have an ISDN router (10.0.0.2) on our private network which has a route to the backoffice box.

We masquerade connections from the 20.0.0.0 network when they go through to 30.0.0.1. This way we did not need to set up a route back to the 20.0.0.0 network, as each connection will appear to have come from 10.0.0.1, to which the backoffice side already has a route.

10.0.0.0 is a private network address as defined in RFC 1918 (20.0.0.0 and 30.0.0.0 aren't our real addresses, just examples).
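The forward chain and the masquerade rule together decide what crosses this box, and the masquerade table is what makes the return path work without a route back to 20.0.0.0. The following model is an added example written for this page, not code from the article or from the ipchains project: the rule, addresses and DENY policy mirror the script and topology above, the starting masquerade port (61000) is an assumption, and the packets are constructed.

```python
"""Model of the article's forward chain and masquerading.

Added example, not code from the article. The forward rule and its DENY
policy mirror the ipchains script; the port range is an assumption and the
packets fed through it are constructed.
"""
import ipaddress

ROUTER_IP = "10.0.0.1"  # the ipchains box's private-side address

# ipchains -A forward -s 20.0.0.0/24 -d 30.0.0.1 -j MASQ, with -P forward DENY
FORWARD_RULES = [
    {"src": ipaddress.ip_network("20.0.0.0/24"),
     "dst": ipaddress.ip_network("30.0.0.1/32"),
     "target": "MASQ"},
]
FORWARD_POLICY = "DENY"


def forward_decision(src, dst, rules=FORWARD_RULES, policy=FORWARD_POLICY):
    """Walk the forward chain in order; the first matching rule wins, else the policy."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if src_ip in rule["src"] and dst_ip in rule["dst"]:
            return rule["target"]
    return policy


class Masquerader:
    """Minimal stand-in for the kernel's masquerade table.

    Each outbound connection that the chain sends to MASQ is rewritten to come
    from ROUTER_IP on a port allocated from an assumed range; a reply addressed
    to that port is mapped back to the original host and port. Anything the
    chain does not pass is dropped and never touches the table.
    """

    def __init__(self, base_port=61000):   # assumed starting port
        self.next_port = base_port
        self.table = {}  # masq port -> (orig src, orig sport, dst, dport)

    def outbound(self, src, sport, dst, dport):
        """Return (decision, rewritten packet or None) for a packet heading out."""
        decision = forward_decision(src, dst)
        if decision != "MASQ":
            return decision, None
        key = (src, sport, dst, dport)
        for port, entry in self.table.items():     # reuse an existing mapping
            if entry == key:
                return "MASQ", (ROUTER_IP, port, dst, dport)
        port = self.next_port
        self.next_port += 1
        self.table[port] = key
        return "MASQ", (ROUTER_IP, port, dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Translate a reply from the backoffice side back to the real client.

        Only a reply to a port in the table, from the peer recorded for that
        port, is translated; anything else is not a reply to a known connection.
        """
        if dst != ROUTER_IP or dport not in self.table:
            return None
        osrc, osport, odst, odport = self.table[dport]
        if (src, sport) != (odst, odport):
            return None
        return (src, sport, osrc, osport)


if __name__ == "__main__":
    masq = Masquerader()
    print(masq.outbound("20.0.0.5", 40000, "30.0.0.1", 80))
    print(masq.inbound("30.0.0.1", 80, ROUTER_IP, 61000))
    print(forward_decision("20.0.0.5", "30.0.0.2"), forward_decision("10.0.0.7", "30.0.0.1"))
```

The two DENY cases in the usage lines are the point of the default policy: a host on the internet-facing network cannot reach anything past the router except 30.0.0.1, and a host on the private network is not forwarded to the backoffice by this box at all (it already has its own route through the ISDN router).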
