How I set up Internet and Intranet sharing between two workstations, one Linux and one Windows. Guess which one gave me trouble.
The LAN in question is:
Cable modem | eth0 dhcp fw.imc.invalid (mdv2009.1) eth1 192.168.0.2 | hub | dhcp xp (WinXP SP2)
fw.imc.invalid is a DHCP client on eth0, getting an IP assignation from the upstream Internet service provider. Apache, an Intranet web app, and shorewall are installed and working; squid is not installed. fw is using OpenDNS. eth0 is a Realtek RTL-8139; it is configured and can fully use the Internet. eth1 is a VIA VT6102 (Rhine-II); it is physically present but not configured.
xp is a DHCP client. The Windows firewall and a third party firewall (PC Tools Firewall Plus 22.214.171.124) are both temporarily disabled for this exercise.
What we will accomplish is:
- fw continues to use the Internet, continues to host an Intranet web app, and continues to have a secure firewall
- xp will be able to access the Intranet web app on fw, will be able to fully use the Internet through fw, and will be protected by fw’s firewall
We will proceed thus:
- Configure eth1 on fw, thus connecting fw to the LAN
- Install and configure DHCP on fw, thus assigning IPs to boxes on the LAN
- Set up Internet sharing, thus instructing fw to allow boxes on the LAN to access the Internet through it
- Configure firewall, thus allowing boxes on the LAN access to fw and the Internet
- Configure Apache, thus allowing boxes on the LAN access to the Intranet
- Configure the Windows box’s connection
TODO: Document when service shorewall clear needs to be used below.
On fw, I configured eth1 in the Mandriva Control Center (MCC) – Network & Internet – Set up a new network interface: Ethernet, VIA VT6102, Manual configuration, IP 192.168.0.2. Automatically filled in by the wizard were netmask 255.255.255.0, gateway 192.168.0.1, DNS server 1 192.168.0.2, hostname fw.imc.invalid. I overwrote the DNS server, specifying #1 as 126.96.36.199 and #2 as 188.8.131.52 (both from OpenDNS). I left Advanced – Search domain blank. I left the advanced settings at their defaults. I checked “Allow users to manage the connection” and “Start the connection at boot”.
TODO: Document the above using distro-agnostic tools, which might be worth spitting off into a separate article.
Doing so caused the Internet to be lost on fw, so I manually edited as root two files in /etc/sysconfig/network-scripts:
- ifcfg-eth0: added “DOMAIN=imc.invalid”
- ifcfg-eth1: changed “GATEWAY=192.168.0.1” to “10.130.32.1”, this being the gateway of eth0 when connected to the Internet, as seen by mousing over the net_applet in the system tray
Then as root, service network restart. fw has Internet again. The Network Center (MCC – Network & Internet – Network Center) shows eth1 as disconnected, but this is incorrect: service network status as root correctly shows eth1 as active.
INSTALL AND CONFIGURE DHCPD
On fw, go to MCC – Network Services – Configure DHCP). I set lowest/highest IP addresses to 192.168.0.65-254, gateway 10.130.32.1, PXE disabled.
Insure that the dhcpd service is configured to run on boot and is running now.
TODO: Document how to set up and later administer DHCP using distro-agnostic tools, which might be worth spitting off into a separate article. Document how to increase the lease period; the default is very short and generates needless traffic.
In xp, configure the network adapter to receive its IP address automatically via DHCP. Reboot xp. From the command line, use ipconfig /all to confirm that xp is now using DHCP, has a valid IP address with a valid lease, and that the gateway and DNS servers are correct. From xp, “ping 192.168.0.2” and “ping fw” should both work. Likewise, pinging xp (using its leased IP) from fw should work.
TODO: Check if the firewall needs to be cleared before the boxes can ping one another.
SET UP INTERNET SHARING
In MCC, go to Network & Internet – Share the Internet connection with other local machines. Follow the on-screen instructions. In DNS configuration, clear the checkbox next to “Use this gateway as DNS” and enter 184.108.40.206 (OpenDNS) as DNS Server IP. In DHCP Server Configuration, open the advanced settings and insure that the DHCP start and end ranges match those entered in DHCPD settings (192.168.0.65-254). Being appropriate for this installation, I set higher than suggested default and maximum lease periods. To keep things simple I chose to not use squid.
TODO: Document how to achieve the above using distro-agnostic tools, perhaps Webmin. Document setting up squid.
Reboot xp. Now xp should see the Internet, although not the web app on fw.
TODO: Is this correct? Doesn’t the firewall need to be configured before xp can see the Internet? And how about clearing the firewall?
To configure the firewall I edited Shorewall’s configuration files, using as examples the sample files found at /usr/share/doc/shorewall-common/Samples/two-interfaces/.
This file defines network zones. Here we will have three zones, “net” (the Internet, untrusted), “fw” (the firewall itself), and “loc” (local, trusted). Add the following:
#ZONE TYPE OPTIONS IN OUT # OPTIONS OPTIONS net ipv4 fw firewall loc ipv4
This file defines the NICs on the firewall and maps them to zones. Here there are two interfaces: eth0, mapped to zone net, and eth1, mapped to zone loc. Add the following:
#ZONE INTERFACE BROADCAST OPTIONS net eth0 detect dhcp,tcpflags,routefilter,nosmurfs,logmartians loc eth1 detect tcpflags,nosmurfs
This file defines what to do with different packets on the different interfaces. Taken mostly from the sample, we have:
#SOURCE DEST POLICY LOG LIMIT:BURST # LEVEL loc net ACCEPT loc $FW ACCEPT loc all REJECT info # Policies for traffic originating from the firewall ($FW) # $FW net ACCEPT $FW loc ACCEPT $FW all REJECT info # Policies for traffic originating from the Internet zone (net) # net $FW DROP info net loc DROP info net all DROP info # THE FOLLOWING POLICY MUST BE LAST all all REJECT info
Then as root, “service shorewall restart”. xp and fw can now ping one another, indicating that the firewall now allows connections to and from the LAN.
xp should be able to view a web page on the Internet, but attempting to view a page on the Intranet (e.g. http://fw/) will fail with the Apache error message “You don’t have permission to addess the requested directory”. Review the apache error log: as root, “tail /var/log/httpd/error_log”. You will see an error message such as:
[Fri Oct 23 17:28:24 2009] [error] [client 192.168.0.65] client denied by server configuration: /var/www/html/
Back up /etc/httpd/conf/httpd.conf and open it as root. Find the “virtual hosts configuration section”, probably near the end, and within it:
<Directory /var/www/html> ...other stuff... Order allow,deny Allow from 192.168.0. 127.0.0.1 </Directory>
“Directory” should indicate your Apache document root, usually /var/www/html. “Order allow,deny” is required exactly as shown here. “Allow from” should be followed by the IPs to be allowed: in this case the box running apache (127.0.0.1) and the LAN (192.168.0.1-254). Edit as indicated, save the file, and as root service httpd restart.
CONFIGURE THE WINDOWS BOX
xp may already see the Intranet and Internet. If not, check it’s network configuration: Open Control Panel – Network Connections, right click on local area connection, and open Properties. In the General tab, select the “Internet Protocol (TCP/IP) Protocol” and press Properties. In the General tab, select “Obtain an IP address automatically”. If you use a DNS provider such as OpenDNS, then select “Use the following DNS server addresses” and provide their IP addresses. Accept as needed and reboot. Confirm that xp now sees the Intranet and Internet.
Now that you have a working local network, you may want to set up file and printer sharing between your Linux and Windows boxes.