SDB:ISDN Gateway for Private Networks in SuSE Linux 8.0 or Higher



Version: 8.0

Situation

Your computer has an ISDN connection and you want to use it as an Internet gateway for your local network.

Procedure

Issues of this complexity exceed the scope of our free-of-charge installation support. Therefore, these brief instructions should help you to set up such a gateway.
Please note that this article cannot impart the basics of firewalls and system security. You can find some reading material on these subjects e.g. at the URL of our publishing house, "SuSE Press" at http://www.susepress.de/

SuSE shall not be liable for any damages caused to your data or to your local network by the utilization of a gateway.

Below is a step-by-step guide including some configuration tests.

Note:
In the following lines, the computer that will act as a gateway is known as gateway and the computers on your LAN are called clients.

  1. The gateway requires a network card and an ISDN card. Use YaST2 to configure these cards: YaST2 -> Network/Base -> ISDN configuration or YaST2 -> Network/Base -> Network card configuration. Configure the network card for the LAN first. Assign a static IP address to it.

	IP address: 192.168.0.1
	Subnetmask: 255.255.255.0

No changes are required in the host name or routing. Save the configuration.

Note:
If a local network is already available, select the IP address from it. We recommend that you use addresses from the 192.168 space for your local network. In this example, the IP addresses for the local network have been taken from the range 192.168.0.0 to 192.168.0.255.

Network card test for the LAN

Ping the newly configured network card with the command ping -c 2 192.168.0.1. The output will be similar to:

	PING 192.168.0.1 (192.168.0.1) from 192.168.0.1 : 56(84) bytes of data.
	64 bytes from 192.168.0.1: icmp_seq=1 ttl=255 time=0.655 ms
	64 bytes from 192.168.0.1: icmp_seq=2 ttl=255 time=0.329 ms
	--- 192.168.0.1 ping statistics ---
	2 packets transmitted, 2 received, 0% loss, time 1008ms
	rtt min/avg/max/mdev = 0.329/0.492/0.655/0.163 ms

If your output is not similar to this, repeat the configuration process of the network card (something has gone wrong). You can abort the command ping anytime by hitting CTRL + C.

Testing the connection to the LAN

If the network card test has been successful, proceed to test whether the clients can be reached from the gateway. Use the command ping for this purpose. At least some clients should respond to the command ping -c 3 -b 192.168.0.255. The output should be similar to:

	WARNING: pinging broadcast address
	PING 192.168.0.255 (192.168.0.255) from 192.168.0.1 : 56(84) bytes of data.
	64 bytes from 192.168.0.1: icmp_seq=1 ttl=255 time=0.774 ms
	64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=1.19 ms (DUP!)
	64 bytes from 192.168.0.3: icmp_seq=1 ttl=255 time=1.30 ms (DUP!)
	64 bytes from 192.168.0.4: icmp_seq=1 ttl=64 time=1.57 ms (DUP!)
	--- 192.168.0.255 ping statistics ---
	2 packets transmitted, 2 received, +3 duplicates, 0% loss, time 1010ms
	rtt min/avg/max/mdev = 0.325/1.033/1.573/0.438 ms

As you can see, the machines with the IP addresses 192.168.0.1 (gateway) and 192.168.0.2 to 192.168.0.4 (clients) have replied. If you know the IP address of a client, you can ping it directly to test the connection. It is essential that the clients can be reached from the gateway and vice versa. If this connection does not work, you have to solve the problem within the LAN before trying to connect the LAN to the Internet.

  2. Configure the ISDN access on the gateway as described in the Basics manual, page 85. Do not activate the firewall. Please note that if Dial on Demand is activated, the gateway will set up a connection to the Internet as soon as the gateway or a client sends a request to the Internet. This is only advisable if you have a flat rate.

Testing the connection to the Internet

Test the Internet connection from the gateway. The command cinternet enables you to manually start (cinternet -start) or stop (cinternet -stop) the connection. Set up the connection, wait 30 seconds, and test it again with the command ping. For example, you can ping our web server www.suse.de with ping -c 4 www.suse.de. The output should be similar to:

	 ping -c 4 www.suse.de
	PING www.suse.de (213.95.15.200) from 217.225.119.194 : 56(84) bytes of data.
	64 bytes from Turing.suse.de (213.95.15.200): icmp_seq=1 ttl=251 time=23.9 ms
	64 bytes from Turing.suse.de (213.95.15.200): icmp_seq=2 ttl=251 time=23.7 ms
	64 bytes from Turing.suse.de (213.95.15.200): icmp_seq=3 ttl=251 time=24.0 ms
	64 bytes from Turing.suse.de (213.95.15.200): icmp_seq=4 ttl=251 time=24.0 ms
	--- www.suse.de ping statistics ---
	4 packets transmitted, 4 received, 0% loss, time 3030ms
	rtt min/avg/max/mdev = 23.775/23.941/24.035/0.184 ms

As above, it is essential that this connection works. Otherwise, you have to solve the problem with the Internet connection before trying to connect the LAN to the Internet.

  3. Now prepare the gateway to forward requests from the LAN to the Internet. The easiest way is to use the SuSE personal-firewall, a simple iptables-based packet filter that rejects all unauthorized packets from the Internet and is in charge of forwarding the requests from the LAN to the Internet. The configuration file of SuSE personal-firewall, /etc/sysconfig/personal-firewall, contains a configuration variable REJECT_ALL_INCOMING_CONNECTIONS. Edit this file as follows:

	REJECT_ALL_INCOMING_CONNECTIONS="ippp0 masq"

In addition, you must inform the kernel that you want to be able to forward packets. To do this, edit the file /etc/sysconfig/sysctl by changing the variable IP_FORWARD to

	IP_FORWARD="yes"

Finally, make sure that the SuSE personal-firewall is started when the gateway is booted. This can be done with the commands:

	insserv personal-firewall.initial
	insserv personal-firewall.final

Execute the following commands to apply these settings without having to reboot first:

	echo "1" > /proc/sys/net/ipv4/ip_forward
	rcpersonal-firewall start

Connection test to the Internet with the SuSE personal-firewall

Launch the connection to the Internet with the command cinternet -start and test it with the command ping as described above.
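
The settings from step 3 can be checked in one pass before clients are pointed at the gateway. The script below is an added example, not part of the original article or of the SuSE packages; the function names are hypothetical, and it assumes the two sysconfig files use plain NAME="value" lines with the value being a space-separated list.

```sh
#!/bin/sh
# Added example (not from the SDB article): audit the step 3 gateway settings.
# Default paths are the ones the article names; pass others to test offline.

# get_var FILE NAME: print the value of the last NAME=... line in FILE,
# without surrounding quotes or a trailing comment.
get_var() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" 2>/dev/null | tail -n 1 |
        sed "s/[[:space:]]*#.*$//; s/^[\"']//; s/[\"']$//"
}

# has_word LIST WORD: succeed if WORD is one of the space-separated items.
has_word() {
    case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac
}

audit_gateway() {
    fw_file=${1:-/etc/sysconfig/personal-firewall}
    sysctl_file=${2:-/etc/sysconfig/sysctl}
    proc_file=${3:-/proc/sys/net/ipv4/ip_forward}
    rc=0
    fw_bad=
    fw=$(get_var "$fw_file" REJECT_ALL_INCOMING_CONNECTIONS)
    fwd=$(get_var "$sysctl_file" IP_FORWARD)
    live=$(cat "$proc_file" 2>/dev/null)

    # The article sets the variable to "ippp0 masq"; require both items.
    for word in ippp0 masq; do
        has_word "$fw" "$word" ||
            { echo "FAIL: '$word' missing from REJECT_ALL_INCOMING_CONNECTIONS"; rc=1; fw_bad=1; }
    done
    [ "$fwd" = "yes" ] ||
        { echo "FAIL: IP_FORWARD is '$fwd' in $sysctl_file, expected yes"; rc=1; }
    # Forwarding active while the firewall variable is not set as in step 3:
    # the gateway would route without the packet filter the article relies on.
    if [ "$live" = "1" ] && [ -n "$fw_bad" ]; then
        echo "FAIL: ip_forward is 1 at runtime but personal-firewall is not configured"
    elif [ "$live" != "1" ]; then
        echo "WARN: ip_forward is '$live' at runtime; clients cannot route yet"
    fi
    [ "$rc" -eq 0 ] && echo "OK: settings match step 3"
    return "$rc"
}

# On the gateway, run as root:  audit_gateway
```

A non-zero return value means at least one setting differs from step 3; the runtime warning alone does not change the result.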

  4. The last step consists of informing the clients that, from now on, the gateway will provide the Internet connections. On a SuSE Linux 8.0 client, this can be done by entering the gateway's IP address as standard gateway in YaST2 -> Network/Advanced -> Routing. In this case:

	Standardgateway: 192.168.0.1

In addition, the clients must know how to contact a name server in order to resolve domain names into IP addresses. For this purpose, read out the name servers from the file /etc/resolv.conf on the gateway during an Internet connection. In our example, we have used a T-Online name server. Enter the name server on the clients. For example, on SuSE Linux 8.0 clients: YaST2 -> Network/Advanced -> Host name and DNS. Host name and domain name do not have to be changed.

	Name server list: 217.89.23.137
	Domain search list: .de

Connection test to the Internet from a client

After having set the standard gateway and name server on the clients, test the connection to the Internet with the command ping as described above.

If all these tests have been successful, the clients are now ready to use the Internet connection provided by the gateway.

SDB:DSL Gateway for Private Networks in SuSE Linux 8.0 or Higher
