  1. #1
    Just Joined!
    Join Date
    Sep 2007
    Location
    Ann Arbor, MI
    Posts
    22

    [solved] NAT setup from new install

    Hello all,

    I was recently given a Sun SPARC Ultra 5 station. I want to replace my crappy Netgear firewall/router fvs318. The SPARC has one on-board net card (eth0) and a quad port (eth1-eth4). I installed Debian 5.03 sparc with the bare minimum and made sure it compiled the kernel with only the drivers the system had. All hardware is working.

    What I would like is a setup guide or steps for the following, if anyone has one. I want eth0 to receive its address dynamically from the ISP and resolve the name from DynDNS (jms318.servegame.org), which I have set up and which works perfectly with the Netgear router. Next I want the four-port to DHCP the attached devices that are hooked up by crossover cables using the 192.168.0.xxx range. One will be a wireless router. Of course I figure all this needs to be set up as a NAT, but I want to be able to do VPN and SSH to all the machines attached.
    So if you could please help me from scratch I would be so grateful. I'm still learning, hoping I will master Linux and be a contributor of help, not the one always asking for it.

    Once this is completed I will document every step and write a bash script, so if someone else wants to turn a Sun Ultra 5 into a NAT with Debian, just download the script and you're all set.

    Thanks again in advance for all your help.
    Joseph Swager
    Last edited by jms318; 10-10-2009 at 08:46 PM. Reason: solved

  2. #2
    Linux Engineer Freston
    Join Date
    Mar 2007
    Location
    The Netherlands
    Posts
    1,047
    I have a setup like that, except that I have x86 iron and not Sparc. Anyway, I found out it's more than 'just a script' that does this. Some things depend on decisions that have more to do with preference than with technical issues. But the basics are easy enough.

    STEP 1
    IP-FORWARDING

    What you want is to turn on ip-forwarding. This is something you do on the kernel level: you enable the kernel's built-in ability to forward traffic from one interface to another. This is off by default.

    Add this to rc.local
    Code:
    echo "Moving kernel in the right direction: ip_forward ON"
    echo 1 > /proc/sys/net/ipv4/ip_forward
    Some distros (like Slackware) have a special bootscript (in my case it's called rc.ip_forward) for enabling ip forwarding, and I think Debian has something like that. That bootscript only does one thing, and that is running the command above. You can choose whether you want to do it like I said or enable the provided bootscript. It doesn't matter.

    STEP 2
    INTERFACE CONFIGURATION

    Then, edit inet1.conf so the WAN interface has DHCP (in my case it's eth1)
    And the other interfaces are static (in my case it's just eth0)
    Code:
    # Config information for eth0:
    IPADDR[0]="192.168.0.1"
    NETMASK[0]=""
    USE_DHCP[0]="no"
    DHCP_HOSTNAME[0]=""
    
    # Config information for eth1:
    IPADDR[1]=""
    NETMASK[1]=""
    USE_DHCP[1]="yes"
    DHCP_HOSTNAME[1]=""
    What I'm going to say now is like cursing in church: reboot!
    After rebooting run `ifconfig` to check if your settings are correct and persistent. If this has gone well, you're on your way.


    STEP 3
    IPTABLES

    Next up, iptables. This is a study in its own right. I can only help you get going so far, but this is the part of my iptables script that enables NAT (among other things also needed):
    Code:
    #!/bin/bash
    #########################################################
    # VARIABLES AND DEFINITIONS (AND MODPROBES)             #
    #########################################################
    #                                                       #
    # Basic setup of the system
    #                                                       #
    #########################################################
    
    # VARIABLES
    ipt="/usr/sbin/iptables"   #Your path may differ
    mod="/sbin/modprobe"   #Your path may differ
    LAN_IFACE="eth0"
    WAN_IFACE="eth1"
    
    # BASIC KERNEL MODULES
    $mod ip_tables
    $mod ip_conntrack
    $mod iptable_filter
    $mod iptable_nat
    $mod iptable_mangle
    $mod ipt_LOG
    $mod ipt_limit
    $mod ipt_state
    $mod ipt_MASQUERADE
    
    # FOR IRC AND FTP
    $mod ip_nat_ftp
    $mod ip_nat_irc
    $mod ip_conntrack_ftp
    $mod ip_conntrack_irc
    
    # FLUSH RULES AND DELETE CUSTOM CHAINS
    $ipt -F
    $ipt -t nat -F
    $ipt -t mangle -F
    $ipt -X
    $ipt -t nat -X
    $ipt -t mangle -X
    
    
    
    #########################################################
    # GENERAL CONFIGURATION AND DEFAULT POLICIES            #
    #########################################################
    #                                                       #
    # After C. Schroder, with a few modifications
    #                                                       #
    #########################################################
    #
    # DEFAULT POLICIES
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT
    $ipt -t nat -P OUTPUT ACCEPT
    $ipt -t nat -P PREROUTING ACCEPT
    $ipt -t nat -P POSTROUTING ACCEPT
    $ipt -t mangle -P PREROUTING ACCEPT
    $ipt -t mangle -P POSTROUTING ACCEPT
    
    # LOOPBACK AND INTERNAL SERVICES
    $ipt -A INPUT -i lo -j ACCEPT
    
    # IP MASQUERADING
    $ipt -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
    
    # OUTGOING TRAFFIC RULES
    $ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $ipt -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    $ipt -A FORWARD -i $LAN_IFACE  -o $WAN_IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    
    #
    # From here on down add your custom rules for .. well .. everything ;-)
    #

    Quote Originally Posted by jms318
    Next I want the four-port to DHCP the attached devices that are hooked up by crossover cables using the 192.168.0.xxx range. One will be a wireless router. Of course I figure all this needs to be set up as a NAT, but I want to be able to do VPN and SSH to all the machines attached.
    Your life will be a whole lot easier if you use static addresses on every device other than your wireless router. The thing is, you want to use all interfaces on the Sparc, but each interface will have another IP address. The IP address of the interface on the Sparc will be the gateway address on the attached machine.

    It is possible to configure your DHCP daemon such that every interface will get its own policy and its own configuration, but it won't be easy to summarize how to do that here. Or to be more honest, I wouldn't know how to do that easily without testing. Static addresses are your friend though, and all you need is to configure the client side.

    What is even easier, but costs money, is to use a switch. I just hooked up an eight port switch to my LAN interface and configured the DHCP server to only listen to the LAN port. So I had only one interface to configure on the server. Every wired machine is on that one interface. Every wireless machine comes in over another interface, but that is a whole different story.

    But this is up to you. I think buying four cross over cables is more expensive than buying one switch.


    STEP 4
    ROUND UP

    There are still some things left to be configured.
    Depending on how you choose to set up your server (static or dynamic addresses || cross-over cables to all different ports or using one switch) the clients need to be configured.

    But the system should be ready now to allow for some testing. Hook up a client to your server. A client needs a minimum of three things to connect to the internet: 1) An address, 2) a gateway and 3) DNS.
    Give the client a unique address within range. For example "192.168.0.50". As I said, the gateway is the address of the server NIC the client is attached to. So if you gave that the static address "192.168.0.3" then that is the gateway for the client. And DNS, well, you can use OpenDNS for the time being.

    On the client run:
    Code:
    $ ifconfig eth0 up
    $ ifconfig eth0 192.168.0.50
    $ route add default gw 192.168.0.3
    $ cat << EOF > /etc/resolv.conf
    nameserver 208.67.222.220
    nameserver 208.67.220.222
    EOF
    Does this work? If it does, all that remains is adding all values to the configuration files so this'll go automatically upon reboot. But it depends on whether you use dynamic, static or a combination thereof.
    Last edited by Freston; 10-10-2009 at 10:41 AM.
    Can't tell an OS by its GUI
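
A check for the ruleset that Freston's script builds, as an added example that is not part of the original posts: it reads `iptables-save` output and reports whether the default-drop policies, the MASQUERADE rule and the state-limited forwarding rules are in place, and whether any other rule lets the WAN side open connections. The function names and both sample dumps are constructed for illustration, and rules written with `-m state` (as in the script) are assumed.

```shell
#!/bin/sh
# Added example (not from the thread): audit `iptables-save` output against the
# gateway policy of the script above. Interface names follow that script.
# Usage on the gateway: iptables-save | audit_nat_ruleset eth0 eth1
# Prints OK/FAIL per check; the return status is the number of failed checks.
audit_nat_ruleset() {
    local lan="$1" wan="$2" dump fails=0 est
    dump="$(cat)"
    est='--state (RELATED,ESTABLISHED|ESTABLISHED,RELATED) '
    _check() {  # _check <label> <extended regex that some line must match>
        if printf '%s\n' "$dump" | grep -Eq -- "$2"; then echo "OK   $1"
        else echo "FAIL $1"; fails=$((fails + 1)); fi
    }
    _check "INPUT policy DROP"    '^:INPUT DROP'
    _check "FORWARD policy DROP"  '^:FORWARD DROP'
    _check "MASQUERADE out $wan"  "^-A POSTROUTING -o $wan -j MASQUERADE"
    _check "$lan->$wan may open"  "^-A FORWARD -i $lan -o $wan .*--state NEW.* -j ACCEPT"
    _check "$wan->$lan replies"   "^-A FORWARD -i $wan -o $lan .*${est}-j ACCEPT"
    # Any ACCEPT for traffic arriving on the WAN side that is not limited to
    # reply traffic would let outside hosts reach the LAN, so it is reported.
    if printf '%s\n' "$dump" | grep -E -- "^-A FORWARD -i $wan .*-j ACCEPT" \
            | grep -Evq -- "$est"; then
        echo "FAIL $wan can open new forwarded connections"; fails=$((fails + 1))
    else
        echo "OK   $wan limited to reply traffic"
    fi
    return "$fails"
}

# Constructed sample: the script's rules as iptables-save would print them.
sample_good() { cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Constructed sample: the same ruleset with an unrestricted WAN->LAN rule added.
sample_bad() { sample_good | awk '/^COMMIT$/ && ++n == 2 { print "-A FORWARD -i eth1 -o eth0 -j ACCEPT" } { print }'; }
```

Run it after every change to the custom-rules section at the bottom of the firewall script; a non-zero status means a rule added there has weakened the baseline.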

  3. #3
    Just Joined!
    Join Date
    Sep 2007
    Location
    Ann Arbor, MI
    Posts
    22
    Thank you so much Freston!!!!
    The IP forwarding was where I was going wrong and I've decided to go with all static and do only DHCP for my wireless router. This little sparc box is fast! Thank you again.
