Network Setup Help

Maniaman
scripter
Posts: 94
Joined: Tue Mar 11, 2003 5:10 pm

Post by Maniaman »

I finally decided to get a linux box setup to do some routing, firewalling, etc (after my old one died last year). Being the networking newbie I am I have no idea how to hook this all up.

Here's a drawing of the way I want it set-up


Cabel Modem > Server > Linksys WRT54G router > Other computers/switches on the network

There are 2 NICs in my server. One is hooked up to the modem, the other is wired to the WRT54G router. All of the other computers are hooked up to the WRT54G router. The server is running a fresh install of Fedora Core 3. How would I go about configuring everything? The linux box should be the one assigning IPs to the computers on the local network.

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main »

Your WRT54G is actually a Linux device already configured to do all of the things you want it to do. If it were me I would make your Linksys device your firewall/DHCP/etc box and put the x86 machine behind your Linksy box so you can use it for more things than just a firewall. You really want to limit the machine acting as your firewall to be only a firewall if possible. The LinkSys has just enough resources to do this task and a little more. Another advantage is the number of interfaces/switch ports it comes with. When my P100 finally gives up (I've been waiting for this for years) I am going to move one of my WRT54Gs into its place.

If the web based menus on the WRT54G are too constraining for you then you could always install OpenWRT on it and have more configuration flexibility:

http://www.openwrt.org/

Now, if you still want to use your other machine as a firewall you will still configure it in a similar way to how the WRT54G is configured under the covers (using "iptables"). There are countless ways that you can configure iptables ranging from using the "iptables" command on the command line, to writing a script containing all of your iptables firewall commands, to configuration utilities like Shoreline Firewall (the one I use for a setup similar to what you are looking for). There is some good reading there even if you don't want to use their wrapper.

Having said all that I currently don't use the LinkSys unit for my firewall OR my DHCP server. I have two units and use one as a wireless bridge only (don't even use the Internet interface) and the other one I just use as a web server (it's currently just an extra one I have that I thought I killed at one point causing me to get a new one):

http://voidmain.is-a-geek.net:81/

I use Shorewall (currently on an FC1 box) for my firewall and a different Linux machine doing my DHCP/DNS and a few other similar tasks. Here is a rough example of what I have setup and instructions for how I have DHCP/DNS set up:

http://voidmain.is-a-geek.net/redhat/fe ... c_dns.html

The instructions should work for FC3 even though it indicates FC1 in the doc.

Now, if you just want to get down and dirty with iptables for setting up your machine to do the firewall/routing like you are asking then the best place to start would be here:

Easy:
http://www.tldp.org/HOWTO/Masquerading- ... index.html

The link above is actually something that would be helpful to read and understand no matter which firewall wrappers you want to run. They all will actually set up iptables similar to what is listed there, you just may not realize it.

More in depth:
http://www.tldp.org/HOWTO/IP-Masquerade ... index.html

More Linux routing related networking in general:
http://www.tldp.org/HOWTO/HOWTO-INDEX/n ... NETROUTING
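For the "two NICs, Linux box in the middle" layout from the first post, here is a minimal iptables/masquerading rule set of the kind those HOWTOs walk through. This is an added example, not Void Main's setup or code from the HOWTOs; it assumes eth0 faces the cable modem, eth1 faces the WRT54G/LAN side, and the LAN is 192.168.1.0/24.

```shell
#!/bin/sh
# Added example, not from the thread or the HOWTOs it links: a minimal
# iptables/NAT rule set for the two-NIC FC3 box in the first post
# (cable modem -> server -> WRT54G -> LAN). Assumptions: eth0 faces the
# modem, eth1 faces the LAN, the LAN is 192.168.1.0/24.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the rules rather than run them, so they can be reviewed first.
nat_router_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
# Default-deny for traffic to the box and through it.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Trust the LAN NIC for the box's own services (ssh, DHCP). No -s match:
# DHCP requests from new clients arrive with source 0.0.0.0.
iptables -A INPUT -i $LAN_IF -j ACCEPT
# LAN may go out; from the modem side only replies come back in.
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# Sanity check: rules that match the modem-facing NIC as input without a
# connection-state match would expose the LAN. The count must be 0.
unconditional_wan_rules() {
    nat_router_rules | grep -- "-i $WAN_IF" | grep -vc -- '--state'
}

# Apply as root; also switch on forwarding, which FC3 leaves off by default.
apply_nat_router() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; return 1; }
    echo 1 > /proc/sys/net/ipv4/ip_forward
    nat_router_rules | sh -e && service iptables save
}

if [ "${1:-}" = "apply" ]; then apply_nat_router; fi
```

Run it with no arguments to print the rules for review, or as root with `apply` to load them and save them to /etc/sysconfig/iptables.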

Post by Maniaman »

I'm also planning on using the linux box with squid w/ adzapper and a couple other things for blocking certain sites. That, a running apache, and a few other things.

Edit: What sorts of port forwarding and stuff do I have to set up for the computers to use squid (192.168.1.101:3128)?

Post by Void Main »

All of those things can and should be run on a machine other than your firewall which is another reason I would use the LinkSys as the firewall and run all the other stuff on the server behind the firewall. You should not have to do any port forwarding at all for squid. If you want a web server then you would forward port 80 to your web server from the LinkSys box. It's just more secure to have your firewall dedicated to being a firewall.

What I find really cool about the WRT54G is that it is possible to split the switch ports up into different VLANS so you can basically treat each port as a separate interface. This is very useful if you want to have a dedicated VPN like I currently have with 3 interfaces in my current Linux firewall box. I haven't actually done this on my WRT but I might just play with that today:

http://www.openwrt.org/forum/viewtopic.php?t=520
Last edited by Void Main on Sat Jan 15, 2005 12:47 pm, edited 1 time in total.

Post by Maniaman »

Yeah, I'm using the Linksys as the firewall and stuff. When I tried to go to a website from a computer on my network with the proxy pointing to the squid server I get this message: "The connection was refused when attempting to contact the proxy server you have configured. Please check your proxy settings and try again"

It works fine on the computer that squid is running on though. Maybe I didn't get squid configured right.

acl mynetwork src 192.168.1.100/255.255.255.255

http_access allow mynetwork !bannedsites
http_access deny all

Post by Void Main »

You don't have iptables running and blocking port 3128 do you? Run system-config-securitylevel and see if it's on. Just to check you could do:

# service iptables stop

then try again from your client.

Post by Maniaman »

...and that fixes it. Thanks Void.

Now, it seems that Squid is blocking some images from websites from loading. I was thinking it might be ad-zapper, but it doesn't show any This ad zapped images. It just shows the default icon for 'broken' images in firefox. On top of that, it just stops loading the page at times, leaving me with a half loaded page. Refreshing the page will sometimes fix it, sometimes give me a message saying the connection was refused, sometimes load less images or less of the page, and sometimes not do anything.

EDIT: I commented out the redirect_script line in the squid.conf file (to bypass adzapper), saved the file, and restarted squid. All of the page not loading right problems are gone, so something must be wrong with Adzapper.

Post by Void Main »

Let me understand you correctly, your squid server is not currently also your firewall right? Because turning iptables off disables your firewalling on that machine. It would be better to start it back up but allow port 3128 from your client range. The system-config-securitylevel command might give you enough to open it up (put "3128:tcp" in the "Other Ports" box).
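The "start iptables back up but allow port 3128 from your client range" alternative, as an added example rather than anything posted in the thread or produced by system-config-securitylevel: it emits the two iptables rules plus the matching squid ACL, and assumes squid on 3128, a LAN of 192.168.1.0/24, eth0 as the squid host's LAN-facing NIC, and a "bannedsites" ACL defined elsewhere in squid.conf.

```shell
#!/bin/sh
# Added example, not from the thread: keep the FC3 host firewall running and
# open TCP/3128 only to the LAN, instead of "service iptables stop".
# Assumptions (adjust to your network): squid listens on 3128, the LAN is
# 192.168.1.0/24, and eth0 is the LAN-facing NIC of the squid host.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-eth0}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Emit (rather than run) the iptables commands. Both rules are inserted at
# the top of INPUT so they take precedence over the FC3 default REJECT rule;
# new connections from the LAN are accepted, all other sources get a reset.
squid_fw_rules() {
    printf 'iptables -I INPUT 1 -i %s -p tcp --dport %s -s %s -m state --state NEW -j ACCEPT\n' \
        "$LAN_IF" "$SQUID_PORT" "$LAN_NET"
    printf 'iptables -I INPUT 2 -p tcp --dport %s -j REJECT --reject-with tcp-reset\n' \
        "$SQUID_PORT"
}

# The matching squid.conf lines. A network ACL (the thread's snippet uses a
# single /32 host) lets every LAN client use the proxy; the "bannedsites"
# ACL is assumed to be defined elsewhere in squid.conf.
squid_acl_lines() {
    printf 'acl mynetwork src %s\n' "$LAN_NET"
    printf 'http_access allow mynetwork !bannedsites\n'
    printf 'http_access deny all\n'
}

# Check that the emitted rules never open the port to "anywhere": every
# ACCEPT must carry a -s source match. Returns 0 when that holds.
fw_rules_scoped_to_lan() {
    squid_fw_rules | grep -- '-j ACCEPT' | grep -qv -- "-s $LAN_NET" && return 1
    return 0
}

# Apply only as root, then persist through /etc/sysconfig/iptables.
apply_squid_fw() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; return 1; }
    squid_fw_rules | sh -e && service iptables save
}

if [ "${1:-}" = "apply" ]; then apply_squid_fw; fi
```

After applying, `iptables -L INPUT -n --line-numbers` should show the two rules at the top; a client outside LAN_NET then gets a reset instead of a hung connection.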

Post by Maniaman »

The squid server is not on the firewall box. The firewall box is the WRT54G router.

After I disabled adzapper, all of the problems with pages not loading right went away.

Post by Void Main »

Yep, sounds like your adzapper is not set up right then as you said.

Post by Maniaman »

I have no idea why it would be messed up though. I followed all the steps on your doc about it. I'll try to reinstall.

Post by Maniaman »

I just reinstalled adzapper, and re-enabled it in the squid.conf file. It's back to giving me errors/not loading pages correctly.

Post by Void Main »

Hmmm, I've been using it for years and I am going through it right now and do not ever recall having that problem. Do you have your image directory set up properly and is it accessible? Look through your logs and see if you can see any problems. Do you have all of your ZAP* and STUB* vars set up right? I actually use a wrapper to the adzapper wrapper called "wrapzap" because I actually run both adzapper and squidGuard at the same time. In addition to that my kids are forced to go through dansguardian.

Post by Maniaman »

By image directory do you mean adzapper.sourceforge.net/zaps? If so, then yes it is correct, and accessible. I can't make heads or tails out of the log files though... I see a bunch of TCP_MISS/200 and TCP_NEGATIVE_HIT stuff in it. Dunno if that means anything though.

Post by Void Main »

I created custom images and put them on an internal server. If the redirect script is working properly you should be able to see them running:

ps auxwww | grep squid_redirect

I have 5 copies of them running. Here are some trouble-shooting steps:

http://adzapper.sourceforge.net/#trouble

Does the script crash with an error when you try to run it directly on the command line?

$ /etc/squid/squid_redirect