SDB:DSL Gateway for Private Networks in SuSE Linux 8.0 or Higher
Version: 8.0
Situation
Your computer has a DSL connection via PPPoE and you want to use it as an Internet gateway for your local network.
Procedure
Issues of this complexity exceed the scope of our free-of-charge installation support. However, these brief instructions should help you to set up such a gateway.
This article cannot impart the basics of firewalls and system security. Find some reading material about these subjects at the URL of our publishing house, "SuSE Press", at http://www.susepress.de/.
SuSE shall not be liable for any damages caused to your data or to your local network by the use of a gateway.
Below is a step-by-step guide including some configuration tests.
Note:
In the following lines, the computer that will act as a gateway is known as gateway and the computers on your LAN are called clients.
- The gateway requires two network cards: one for the DSL connection and the other one for the local network. Use YaST2 to configure these cards: YaST2 -> Network/Base -> Network card configuration. Configure the network card for the LAN first. Assign a static IP address.
IP address: 192.168.0.1
Subnet mask: 255.255.255.0
No changes are necessary in the host name or routing. Save the configuration.
Note:
If a local network already exists, select the IP address from it. We recommend using addresses from the 192.168.x.x address space for your local network. In this example, the IP addresses for the local network are taken from the range 192.168.0.0 to 192.168.0.255.
Network Card Test for the LAN
Ping the newly configured network card with the command ping -c 2 192.168.0.1. The output will be similar to:
PING 192.168.0.1 (192.168.0.1) from 192.168.0.1 : 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=255 time=0.655 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=255 time=0.329 ms

--- 192.168.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% loss, time 1008ms
rtt min/avg/max/mdev = 0.329/0.492/0.655/0.163 ms
If your output is not similar to this, something has gone wrong; repeat the configuration of the network card. The ping command can be aborted at any time with CTRL + C.
- Now proceed to configure your second network card, the one connected to the DSL modem. You can use YaST2 for this purpose: YaST2 -> Network/Base -> Network card configuration. An IP address from a different subnet must be assigned to this card to avoid interference with the local network.
IP address: 192.168.2.22
Subnet mask: 255.255.255.0
No changes are necessary in the host name or routing. Save the configuration.
Network Card Test for the DSL Modem
Ping the newly configured network card with the command ping -c 2 192.168.2.22. The output will be similar to:
PING 192.168.2.22 (192.168.2.22) from 192.168.2.22 : 56(84) bytes of data.
64 bytes from 192.168.2.22: icmp_seq=1 ttl=255 time=0.655 ms
64 bytes from 192.168.2.22: icmp_seq=2 ttl=255 time=0.329 ms

--- 192.168.2.22 ping statistics ---
2 packets transmitted, 2 received, 0% loss, time 1008ms
rtt min/avg/max/mdev = 0.329/0.492/0.655/0.163 ms
If your output is not similar to this, something has gone wrong; repeat the configuration of the network card.
Testing the Connection to the LAN
If the network card tests have been successful, test whether the clients can be reached from the gateway, again using the command ping. At least some clients should respond to the command ping -c 3 -b 192.168.0.255. The output should be similar to:
WARNING: pinging broadcast address
PING 192.168.0.255 (192.168.0.255) from 192.168.0.1 : 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=255 time=0.774 ms
64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=1.19 ms (DUP!)
64 bytes from 192.168.0.3: icmp_seq=1 ttl=255 time=1.30 ms (DUP!)
64 bytes from 192.168.0.4: icmp_seq=1 ttl=64 time=1.57 ms (DUP!)

--- 192.168.0.255 ping statistics ---
2 packets transmitted, 2 received, +3 duplicates, 0% loss, time 1010ms
rtt min/avg/max/mdev = 0.325/1.033/1.573/0.438 ms
In this example, the machines with the IP addresses 192.168.0.1 (gateway) and 192.168.0.2 to 192.168.0.4 (clients) have replied. If you know the IP address of a client, ping it directly to test the connection. It is essential that the clients can be reached from the gateway and vice versa. If this connection does not work, solve the problem within the LAN before trying to connect the LAN to the Internet.
- Configure the DSL access on the gateway as described in the Reference manual, page 391, or in the Basics manual (Personal Edition), page 89. Use eth1 as the Ethernet card and do not activate the firewall. If Dial on Demand is activated, the gateway will set up a connection to the Internet as soon as the gateway or a client sends a request to the Internet. This is only advisable if you have a flat-rate Internet connection.
Testing the Connection to the Internet
Test the Internet connection from the gateway. The command cinternet lets you start (cinternet -start) or stop (cinternet -stop) the connection manually. Set up the connection, wait for 30 seconds, and test it with the command ping. For example, ping our web server www.suse.de with ping -c 4 www.suse.de. The output should be similar to:
ping -c 4 www.suse.de
PING www.suse.de (213.95.15.200) from 217.225.119.194 : 56(84) bytes of data.
64 bytes from Turing.suse.de (213.95.15.200): icmp_seq=1 ttl=251 time=23.9 ms
64 bytes from Turing.suse.de (213.95.15.200): icmp_seq=2 ttl=251 time=23.7 ms
64 bytes from Turing.suse.de (213.95.15.200): icmp_seq=3 ttl=251 time=24.0 ms
64 bytes from Turing.suse.de (213.95.15.200): icmp_seq=4 ttl=251 time=24.0 ms

--- www.suse.de ping statistics ---
4 packets transmitted, 4 received, 0% loss, time 3030ms
rtt min/avg/max/mdev = 23.775/23.941/24.035/0.184 ms
As in the case above, it is essential that this connection works. Otherwise, solve the problem with the Internet connection before trying to connect the LAN to the Internet.
- Now prepare the gateway to forward requests from the LAN to the Internet. The easiest way is to use the SuSE personal-firewall, a simple iptables-based packet filter that rejects all unauthorized packets from the Internet and takes care of forwarding the requests from the LAN to the Internet. The configuration file of the SuSE personal-firewall, /etc/sysconfig/personal-firewall, contains the configuration variable REJECT_ALL_INCOMING_CONNECTIONS. Set it as follows (ppp0 is the DSL interface on which incoming connections are to be rejected; masq enables masquerading for the LAN):
REJECT_ALL_INCOMING_CONNECTIONS="ppp0 masq"
In addition, inform the kernel that you want to be able to forward packets. To do this, edit the file /etc/sysconfig/sysctl and change the variable IP_FORWARD to:
IP_FORWARD="yes"
Finally, make sure the SuSE personal-firewall is started when the gateway is booted. This can be done with the commands:
insserv personal-firewall.initial
insserv personal-firewall.final
Execute the following commands to apply these settings without having to reboot first:
echo "1" > /proc/sys/net/ipv4/ip_forward
rcpersonal-firewall start
From SuSE Linux 8.1 on:
The SuSE personal-firewall was dropped from the distribution in SuSE Linux 8.1. Its functionality was added to SuSEfirewall2 as a personal-firewall legacy mode. This means that instead of ensuring that the SuSE personal-firewall is started at boot time, you must ensure that SuSEfirewall2 is started. Do this with the following commands:
insserv SuSEfirewall2_init
insserv SuSEfirewall2_setup
insserv SuSEfirewall2_final
Start SuSEfirewall2 with this command:
rcSuSEfirewall2 start
Connection Test to the Internet with the SuSE personal-firewall
Launch the connection to the Internet with the command cinternet -start and test it with the command ping as described above.
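As an added example that is not part of the SuSE article, the following script spells out the iptables rules that a "reject everything incoming on ppp0, masquerade the LAN" gateway needs, so you can see and audit what the personal-firewall setting amounts to: unsolicited traffic arriving on ppp0 is rejected, LAN clients are masqueraded behind the gateway's address, and forwarding is switched on only after the rules are loaded. The interface names eth0/ppp0 and the LAN range are taken from the article's example; the TCPMSS clamp rule is an addition for PPPoE links, whose smaller MTU otherwise stalls some TCP connections. Setting IPT=echo turns it into a dry run that only prints the rules.

```shell
#!/bin/sh
# Added example, not from the SuSE article: explicit packet-filter rules for a
# DSL gateway that rejects incoming connections on ppp0 and masquerades the LAN.
LAN_IF="${LAN_IF:-eth0}"              # card facing the clients (192.168.0.1)
WAN_IF="${WAN_IF:-ppp0}"              # PPPoE link, the only Internet-facing side
LAN_NET="${LAN_NET:-192.168.0.0/24}"  # the article's example LAN range
IPT="${IPT:-iptables}"                # IPT=echo gives a dry run
IP_FORWARD_CTL="${IP_FORWARD_CTL:-/proc/sys/net/ipv4/ip_forward}"

# Print one iptables argument list per line, in the order they must be loaded.
build_rules() {
    lan_if=$1; wan_if=$2; lan_net=$3
    cat <<EOF
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $lan_if -s $lan_net -j ACCEPT
-A INPUT -i $wan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $wan_if -j REJECT
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
-A FORWARD -i $wan_if -o $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
-t mangle -A FORWARD -o $wan_if -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-t nat -A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE
EOF
}

# Flush, load the rules, and only then switch forwarding on, so the kernel
# never forwards packets for the LAN while no filter is in place.
apply_rules() {
    "$IPT" -F && "$IPT" -t nat -F && "$IPT" -t mangle -F || return 1
    while read -r rule; do
        # shellcheck disable=SC2086  (splitting $rule into arguments is intended)
        "$IPT" $rule || return 1
    done <<EOF
$(build_rules "$LAN_IF" "$WAN_IF" "$LAN_NET")
EOF
    echo 1 > "$IP_FORWARD_CTL"
}

# Number of rule lines produced; a cheap sanity check before applying.
count_rules() { build_rules "$1" "$2" "$3" | wc -l | tr -d ' '; }
```

Run it as root on the gateway after the PPPoE link is up (ppp0 must exist for the nat rule), or with IPT=echo first to review the rules it would load.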
- The last step consists of informing the clients that, from now on, the gateway will provide the Internet connection. On a SuSE Linux 8.0 client, this is done by entering the gateway's IP address as the standard gateway in YaST2 -> Network/Advanced -> Routing. In this case:
Standard gateway: 192.168.0.1
In addition, the clients must know how to contact a name server to resolve domain names to IP addresses. For this purpose, read the name servers from the file /etc/resolv.conf on the gateway while an Internet connection is up. In our example, we have used a T-Online name server. Enter the name server on the clients. For example, on SuSE Linux 8.0 clients: YaST2 -> Network/Advanced -> Host name and DNS. Host name and domain name do not need to be changed.
Name server list: 217.89.23.137
Domain search list: .de
Connection Test to the Internet from a Client
After setting the standard gateway and name server on the clients, test the connection to the Internet with the command ping as described above.
If all these tests have been successful, the clients are now ready to use the Internet connection provided by the gateway.