
Configuring the Inside Interface

This section assumes that both of your interfaces have been recognized by Linux. If they haven't, you might want to check section 4a: Setting up your NICs.

Right now, if you run /sbin/ifconfig you should get output that looks something like this:
[root@localhost root]# ifconfig
eth0      Link encap:Ethernet   HWaddr 00:48:54:54:FF:9C
             inet addr:10.0.0.2 Bcast:10.0.0.255 Mask:255.255.0.0
             UP BROADCAST NOTRAILERS RUNNING MTU:1500 Metric:1
             RX packets:547245 errors:0 dropped:0 overruns:0 frame:0
             TX packets:928805 errors:0 dropped:0 overruns:0 carrier:0
             collisions:0 txqueuelen:100
             RX bytes:130382433 (124.3 Mb) TX bytes:743890952 (709.4 Mb)
             Interrupt:10 Base address:0xf00

eth1      Link encap:Ethernet   HWaddr 00:4F:D4:54:3F:DC
             inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.0.0
             UP BROADCAST NOTRAILERS RUNNING MTU:1500 Metric:1
             RX packets:0 errors:0 dropped:0 overruns:0 frame:0
             TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
             collisions:0 txqueuelen:100
             RX bytes:0 (0.0 Mb) TX bytes:0 (0.0 Mb)
             Interrupt:9 Base address:0xFFF

lo           Link encap:Local Loopback
             inet addr:127.0.0.1 Mask:255.0.0.0
             UP LOOPBACK RUNNING MTU:16436 Metric:1
             RX packets:0 errors:0 dropped:0 overruns:0 frame:0
             TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
             collisions:0 txqueuelen:0
             RX bytes:0 (0.0 Mb) TX bytes:0 (0.0 Mb)
If you don't have IPs assigned to them, that's OK; you are going to work on that now.

Enable Packet Forwarding

The first thing, and arguably the most important, is to enable packet forwarding within the kernel. To do this you need to take a look at /etc/sysctl.conf. A default sysctl.conf looks like this:
# Disables packet forwarding
net.ipv4.ip_forward = 0
# Enables source route verification
net.ipv4.conf.default.rp_filter = 1
# Disables the magic-sysrq key
kernel.sysrq = 0
The net.ipv4.ip_forward line is the only parameter we need to be concerned with. Set its value to "1", then save and exit. This will allow the Linux kernel to forward packets across the two interfaces once we have the firewall running. (kinda important for a router eh?)
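To make that kernel setting verifiable rather than taking it on faith, here is an added example in POSIX shell (not part of this HOWTO): it rewrites the net.ipv4.ip_forward line in a sysctl.conf-style file and compares the configured value with the live one the kernel reports in /proc/sys/net/ipv4/ip_forward. The file paths are function arguments so it can be run against scratch copies, and the function names are my own.

```sh
#!/bin/sh
# Added example, not from the HOWTO: flip net.ipv4.ip_forward in a sysctl.conf-style
# file and compare it with what the running kernel reports. File paths are
# parameters so the functions can be exercised on scratch copies; on the router
# itself they are /etc/sysctl.conf and /proc/sys/net/ipv4/ip_forward.

# get_ip_forward CONF: value configured in CONF (0 when the line is absent)
get_ip_forward() {
    awk -F= '/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); v = $2 }
             END { print (v == "" ? 0 : v) }' "$1"
}

# set_ip_forward CONF VALUE: rewrite (or append) the ip_forward line, then echo the new value
set_ip_forward() {
    if grep -q '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$1"; then
        # portable in-place edit: write a temp file, then move it over the original
        sed "s/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=.*/net.ipv4.ip_forward = $2/" "$1" > "$1.tmp" \
            && mv "$1.tmp" "$1"
    else
        printf 'net.ipv4.ip_forward = %s\n' "$2" >> "$1"
    fi
    get_ip_forward "$1"
}

# live_ip_forward [PROCFILE]: the value the kernel is using right now
live_ip_forward() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# forwarding_status CONF [PROCFILE]: "consistent (N)" or "mismatch: configured=X live=Y".
# Editing the file alone changes nothing until "sysctl -p" (or a reboot) applies it,
# which is exactly the gap this reports.
forwarding_status() {
    conf=$(get_ip_forward "$1"); live=$(live_ip_forward "$2")
    if [ "$conf" = "$live" ]; then echo "consistent ($live)"; else echo "mismatch: configured=$conf live=$live"; fi
}

# Demonstration on a scratch copy of the stock file shown above
tmp=$(mktemp); proc=$(mktemp)
printf '# Disables packet forwarding\nnet.ipv4.ip_forward = 0\n# Enables source route verification\nnet.ipv4.conf.default.rp_filter = 1\n' > "$tmp"
echo 0 > "$proc"                               # stand-in for /proc/sys/net/ipv4/ip_forward
set_ip_forward "$tmp" 1 > /dev/null
forwarding_status "$tmp" "$proc"               # mismatch: configured=1 live=0
rm -f "$tmp" "$proc"
```

A mismatch right after the edit is expected: the file is read at boot or by sysctl -p. Keep the live value at 0 until the firewall rules from the later section are loaded, because a box that forwards with no rules in place is already routing for anything that reaches it.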

A note about IP address ranges
When you select an IP address range you need to know a little bit about them. IP addresses are four blocks of numbers between 0 and 255 separated by dots. Every machine that is on the Internet has an IP address like 208.151.122.54 or 1.2.3.4. This is kinda like the computer's phone number: no two computers on the same network can have the same IP address. Because of this constraint, along with the popularity of the Internet, three special IP address ranges were set aside for "private" use. Hence they're called "private networks". Of these private networks, the two most common are 10.x.x.x and 192.168.x.x, where the "x" is a number between 0 and 255. There is no difference between the use of either of these ranges except for the number of IP addresses they offer.

192.168.X.X = 255 sets of 255 IP addresses = approx. 65025 IP addresses

10.X.X.X = 255 sets of 255 sets of IP addresses = approx 4,228,250,625 IP addresses

If you manage to use all the IP addresses in the 10.x.x.x subnet, please let me know! :)

When you begin to set up your network, you will need to select a range of IP addresses to use, something between 10.0.0.X - 10.254.254.X or 192.168.0.X - 192.168.254.X. A range that straddles two subnets is not allowed and can be a routing hell. e.g. you can't use 192.168.0.50-192.168.1.50, however 192.168.0.0-192.168.0.255 is fine.

Within that range from 192.168.0.0-192.168.0.255 there are three addresses that are reserved and cannot be used. These are:

192.168.0.0 This is the broadcast for the network.
192.168.0.255 This is also the broadcast for the network.

The rest of the addresses are free to use.

For the sake of this document, I will be using the 192.168.0.X IP address range reserving .1 for the router itself.
The next thing to do is to assign eth1 an IP address. You could use netconfig, however netconfig will only set up your eth0 NIC and will overlook any other interfaces. Take a look at /etc/sysconfig/network-scripts/ifcfg-eth1 and change it to look like the following:

DEVICE="eth1"
BOOTPROTO="static"
ONBOOT="yes"
IPADDR="192.168.0.1"
NETMASK="255.255.255.0"

What this does:

DEVICE="eth1" Tells the network module that this file is working with eth1.
BOOTPROTO="static" Tells the network module that this interface has a static IP address and not to use dhcpcd or pump.
ONBOOT="yes" Tells the network module to start this interface at boot time when the network module starts.
IPADDR="192.168.0.1" Tells the network module to assign this IP address to the DEVICE interface.
NETMASK="255.255.255.0" Tells the network module the size of the inside network (the 192.168.0.X range chosen above), so the mask is set explicitly rather than left to a default.

Now that you have that taken care of, do a /etc/rc.d/init.d/network restart to restart the network module. At this point, eth0 may fail to obtain an IP address. This is OK right now. All you need to be concerned with is that eth1 has come up and is running. Check it by running /sbin/ifconfig eth1 and compare it to what is shown below:
eth1      Link encap:Ethernet   HWaddr 00:4F:D4:54:3F:DC
             inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.0.0
             UP BROADCAST NOTRAILERS RUNNING MTU:1500 Metric:1
             RX packets:0 errors:0 dropped:0 overruns:0 frame:0
             TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
             collisions:0 txqueuelen:100
             RX bytes:0 (0.0 Mb) TX bytes:0 (0.0 Mb)
             Interrupt:9 Base address:0xFFF
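Comparing by eye misses a subtle mistake: a Mask and a Bcast that disagree with each other. The added example below (my own, not from this HOWTO) parses saved ifconfig output of the old "inet addr:/Bcast:/Mask:" style, picks out one interface's stanza, and checks that the broadcast printed is the one that the address and mask imply. The constructed sample reuses the eth1 and lo stanzas from the listing above, with the mask as a parameter; function names are my own.

```sh
#!/bin/sh
# Added example, not part of the HOWTO: parse old-style "ifconfig" output and check
# that an interface's address, netmask and broadcast agree with each other.
# Usage on the router: /sbin/ifconfig > /tmp/ifconfig.txt; ifconfig_check /tmp/ifconfig.txt eth1

# ip2int A.B.C.D -> 32-bit integer; int2ip reverses it (dotted quad with no leading zeros)
ip2int() { oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); }
int2ip() { echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"; }

# stanza FILE IFACE: the lines belonging to IFACE (its header line up to the next blank line)
stanza() { awk -v i="$2" '$1 == i { p = 1 } NF == 0 { p = 0 } p' "$1"; }

# field TEXT KEY: the dotted value after "KEY:" (KEY is "inet addr", "Bcast" or "Mask")
field() { printf '%s\n' "$1" | sed -n "s/.*$2:\([0-9.]*\).*/\1/p" | head -n 1; }

# ifconfig_check FILE IFACE: prints one summary line; returns 1 when the printed
# broadcast is not the one implied by the address and mask
ifconfig_check() {
    s=$(stanza "$1" "$2")
    addr=$(field "$s" "inet addr"); mask=$(field "$s" Mask); bcast=$(field "$s" Bcast)
    [ -n "$addr" ] && [ -n "$mask" ] || { echo "$2: no IPv4 address/mask found"; return 1; }
    [ -n "$bcast" ] || { echo "$2 $addr/$mask (no broadcast address)"; return 0; }
    m=$(ip2int "$mask")
    want=$(int2ip $(( ($(ip2int "$addr") & m) | (0xffffffff & ~m) )))   # host bits all set
    if [ "$bcast" = "$want" ]; then
        echo "$2 $addr/$mask bcast=$bcast ok"
    else
        echo "$2 $addr/$mask bcast=$bcast MISMATCH (expected $want)"; return 1
    fi
}

# sample_ifconfig MASK: constructed copy of the eth1 and lo stanzas above, Mask parameterised
sample_ifconfig() {
    cat <<EOF
eth1      Link encap:Ethernet   HWaddr 00:4F:D4:54:3F:DC
          inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:$1
          UP BROADCAST NOTRAILERS RUNNING MTU:1500 Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          UP LOOPBACK RUNNING MTU:16436 Metric:1
EOF
}

t=$(mktemp)
sample_ifconfig 255.255.0.0 > "$t";   ifconfig_check "$t" eth1 || true   # /16 mask with a /24 broadcast: flagged
sample_ifconfig 255.255.255.0 > "$t"; ifconfig_check "$t" eth1            # /24 mask: consistent
ifconfig_check "$t" lo
rm -f "$t"
```

Run against the listing above, the check flags eth1: with Mask 255.255.0.0 the broadcast would have to be 192.168.255.255, not 192.168.0.255. With the /24 mask set in ifcfg-eth1 the two agree.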
Your inside interface is now running. You have a choice now:

You can use static IP address assignments, where every PC in your network has to be set up by hand with an IP address, subnet mask, DNS servers, blah blah...

Or you can use the recommended DHCP server and make installing new computers in your LAN a breeze.

The benefits of static v. DHCP depend on how you use your LAN. If you have two PCs on your inside network, you never add new computers and you don't have a laptop, then static IP addressing may be the way to go. If however you have a laptop and you are constantly switching out boxes, DHCP is a must. The benefit of DHCP is that all the computers are set to "ask" the router for the configuration for the network. This allows you to take a laptop between DHCP-enabled networks easily just by releasing the IP address, disconnecting, reconnecting and renewing the IP. If you decide to use static addressing then you can go to the next section. If you are going to use DHCP, then read below:

Configuring the DHCP server

The DHCP server is very easy to set up; it saves you the hassle of remembering gateways, DNS IP addresses, routers, hostnames, etc. and allows you to give your users "Plug-n-Go" capability.. (yeah.. I know it's play but I don't want to get sued by MS)

The DHCP server is controlled by the /etc/dhcpd.conf file. This is where you set the variables that get sent to the clients on your network when they get a DHCP lease. Open up /etc/dhcpd.conf and add the following to it:
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.2 192.168.0.253;
    default-lease-time 86400;
    max-lease-time 86400;
    option routers 192.168.0.1;
    option ip-forwarding off;
    option broadcast-address 192.168.0.255;
    option subnet-mask 255.255.255.0;
    option domain-name-servers 24.28.131.62, 24.28.131.63;
};

An explanation:

subnet 192.168.0.0 netmask 255.255.255.0 { Tells the DHCP server that we are working with the 192.168.0.X network.
range 192.168.0.2 192.168.0.253; Tells the DHCP server how many IPs to hand out. In this case we are making the rest of the network available for clients. Season to taste, but be wary of the special numbers described in the IP note above.
default-lease-time 86400; and max-lease-time 86400; These set how long a computer can hold an IP address, in seconds. This is a decent setting.
option routers 192.168.0.1; Tells the DHCP server to tell all the clients to set the default gateway to 192.168.0.1. This is how your clients know how to get out on the Internet.
option ip-forwarding off; Tells all the clients to disable packet forwarding. (We don't want them acting as misconfigured routers.)
option broadcast-address 192.168.0.255; This is needed primarily for Windows clients. If you leave this out, Linux clients will assume 255.255.255.0.
option subnet-mask 255.255.255.0; This is also needed for Windows clients. It must match the netmask given on the subnet line.
option domain-name-servers 24.28.131.62, 24.28.131.63; This is important. You MUST put your ISP's domain name server IPs here, otherwise your clients will not know how to do DNS lookups! This could be bad. (The IPs shown are for RoadRunner.)

Lastly, please do not forget the "};" at the end of the file. Without it the DHCP server will fail with a syntax error.
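The "IP address ranges" note above and this dhcpd.conf block rest on the same arithmetic: an address and a mask define a network, the range handed to clients must sit inside it without touching the network or broadcast address, and every option sent to clients must describe that same network. The added example below (mine, not from this HOWTO) implements that arithmetic in POSIX shell and then runs it as a consistency check over a constructed copy of the subnet block above. It also covers the third RFC 1918 private block, 172.16.0.0/12, which the note does not list. All function names are my own; the subnet-block writer takes the "option subnet-mask" value as a parameter so the mismatch case can be shown.

```sh
#!/bin/sh
# Added example, not part of the HOWTO. Subnet arithmetic for the rules in the
# "IP address ranges" note (no straddling two subnets, .0 and .255 unusable, the
# RFC 1918 private blocks), applied as a consistency check to the dhcpd.conf
# subnet block above. Only POSIX sh is used; sample addresses are the text's own.

# ip2int A.B.C.D -> 32-bit integer; int2ip reverses it (dotted quad with no leading zeros)
ip2int() { oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); }
int2ip() { echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"; }

# in_net IP NETWORK MASK: true when IP lies inside NETWORK/MASK
in_net() {
    m=$(ip2int "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# broadcast_of NETWORK MASK: the directed broadcast address (all host bits set)
broadcast_of() {
    m=$(ip2int "$2")
    int2ip $(( ($(ip2int "$1") & m) | (0xffffffff & ~m) ))
}

# is_private IP: true for the three RFC 1918 blocks (10/8, 172.16/12, 192.168/16)
is_private() {
    in_net "$1" 10.0.0.0 255.0.0.0 || in_net "$1" 172.16.0.0 255.240.0.0 || in_net "$1" 192.168.0.0 255.255.0.0
}

# range_fits START END MASK: "ok", or the reason the range cannot be handed to clients
range_fits() {
    m=$(ip2int "$3"); s=$(ip2int "$1"); e=$(ip2int "$2")
    net=$(( s & m )); bcast=$(( net | (0xffffffff & ~m) ))
    if [ $(( e & m )) -ne "$net" ]; then echo "straddles subnets"; return 1; fi
    if [ "$s" -eq "$net" ] || [ "$e" -eq "$bcast" ]; then echo "includes network or broadcast address"; return 1; fi
    echo ok
}

# conf_field FILE KEY: the value of the first "KEY value;" line in a dhcpd.conf
conf_field() { sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^;]*\);.*/\1/p" "$1" | head -n 1; }

# check_dhcpd_conf FILE: "ok", or one line per inconsistency between the subnet
# declaration and the options handed to clients
check_dhcpd_conf() {
    f=$1; bad=0
    set -- $(sed -n 's/^[[:space:]]*subnet[[:space:]]\{1,\}\([0-9.]*\)[[:space:]]\{1,\}netmask[[:space:]]\{1,\}\([0-9.]*\).*/\1 \2/p' "$f" | head -n 1)
    net=$1; mask=$2
    [ -n "$mask" ] || { echo "missing subnet/netmask declaration"; return 1; }
    set -- $(conf_field "$f" range)
    r=$(range_fits "$1" "$2" "$mask") || { echo "range: $r"; bad=1; }
    in_net "$1" "$net" "$mask" || { echo "range start $1 is outside $net/$mask"; bad=1; }
    gw=$(conf_field "$f" "option routers")
    in_net "$gw" "$net" "$mask" || { echo "routers $gw is outside $net/$mask"; bad=1; }
    want=$(broadcast_of "$net" "$mask")
    [ "$(conf_field "$f" "option broadcast-address")" = "$want" ] || { echo "broadcast-address should be $want"; bad=1; }
    [ "$(conf_field "$f" "option subnet-mask")" = "$mask" ] || { echo "option subnet-mask should equal netmask $mask"; bad=1; }
    grep -q '^[[:space:]]*}' "$f" || { echo "subnet block is not closed with }"; bad=1; }
    [ "$bad" -eq 0 ] && echo ok
    return "$bad"
}

# write_sample_conf FILE OPTMASK: constructed copy of the subnet block above, with
# the "option subnet-mask" value as a parameter (the DNS addresses are the text's)
write_sample_conf() {
    cat > "$1" <<EOF
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.2 192.168.0.253;
    default-lease-time 86400;
    max-lease-time 86400;
    option routers 192.168.0.1;
    option ip-forwarding off;
    option broadcast-address 192.168.0.255;
    option subnet-mask $2;
    option domain-name-servers 24.28.131.62, 24.28.131.63;
};
EOF
}

echo "192.168.0.50-192.168.1.50 with /24: $(range_fits 192.168.0.50 192.168.1.50 255.255.255.0)"
echo "192.168.0.2-192.168.0.253 with /24: $(range_fits 192.168.0.2 192.168.0.253 255.255.255.0)"
t=$(mktemp)
write_sample_conf "$t" 255.255.0.0;   check_dhcpd_conf "$t" || true   # /16 option mask vs /24 netmask: flagged
write_sample_conf "$t" 255.255.255.0; check_dhcpd_conf "$t"            # matching masks: ok
rm -f "$t"
```

Two things the demonstration makes explicit. The whole block 192.168.0.0-192.168.0.255 is a fine choice of subnet, but as a client range it would include .0 (the network address) and .255 (the broadcast), which is why the range line starts at .2 and stops at .253. And a subnet-mask option that disagrees with the netmask on the subnet line does not make dhcpd refuse the file; clients simply end up with a mask that does not match the router's, which is the kind of quiet misconfiguration this check is for.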

Before you fire up the DHCP server, you need to do a couple more things. The first is to make sure that dhcpd starts up on the right interface. Most ISPs get pretty mad if you start serving DHCP to their DHCP-enabled network :). To tell DHCP to start at boot time, run chkconfig dhcpd on. This will make sure that the /etc/rc.d/init.d/dhcpd script gets started when the computer starts. The other thing that remains is to edit the /etc/rc.d/init.d/dhcpd file as shown:

This is a SNIPPET! Please don't wipe out your entire dhcpd init script!
start() {
         # Start daemons.
         echo -n $"Starting $prog: "
         daemon /usr/sbin/dhcpd eth1 ${DHCPDARGS}
         RETVAL=$?
         echo
All you do is find the code like listed above, add your inside interface (eth1) right after /usr/sbin/dhcpd on the daemon line, then save and exit.

The next thing to do is to create an empty dhcpd.leases file. This file is where DHCP stores its information about which MAC address has which IP address. To create this file run this command: touch /var/lib/dhcp/dhcpd.leases

Now start the server by typing in: dhcpd eth1 and you should see something like this:
[root@localhost /etc]# dhcpd eth1
Internet Software Consortium DHCP Server 2.0pl5
Copyright 1995, 1996, 1997, 1998, 1999 The Internet Software Consortium.
All rights reserved.

Please contribute if you find this software useful.
For info, please visit http://www.isc.org/dhcp-contrib.html

Listening on Socket/eth1/192.168.0.0
Sending on Socket/eth1/192.168.0.0

If you get this error instead, then you didn't create the dhcpd.leases file correctly:
Internet Software Consortium DHCP Server 2.0pl5
Copyright 1995, 1996, 1997, 1998, 1999 The Internet Software Consortium.
All rights reserved.

Please contribute if you find this software useful.
For info, please visit http://www.isc.org/dhcp-contrib.html

Can't open lease database /var/lib/dhcp/dhcpd.leases: No such file or directory -- check for failed database rewrite attempt!
Please read the dhcpd.leases manual page if you.
don't know what to do about this.
exiting
Once you have the DHCP server running, run this command: tail -f /var/log/messages
and go try to get an IP address from one of your workstations. After a few seconds you should see something like this:
May 9 11:44:17 localhost dhcpd: DHCPDISCOVER from 00:80:64:09:32:97 via eth1
May 9 11:44:17 localhost dhcpd: DHCPOFFER on 192.168.0.2 to 00:80:64:09:32:97 via eth1
May 9 11:44:17 localhost dhcpd: DHCPREQUEST for 192.168.0.2 from 00:80:64:09:32:97 via eth1
May 9 11:44:17 ns dhcpd: DHCPACK on 192.168.0.2 to 00:80:64:09:32:97 via eth1
Hit Ctrl-C to exit this.
Look at your workstation and make sure that the values given to you match what you entered into the dhcpd.conf file. If they match then that's it! You have the inside interface properly configured and now you can experience the fun of getting the outside interface running.. :)

If you didn't get these messages on your server and your client responds "No DHCP server available" then you need to check your cables or try rebooting your client.
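Watching tail -f works for one client; once there are several, it is easier to let the log tell you which clients completed the DISCOVER/OFFER/REQUEST/ACK exchange, which got stuck part way (the server-side view of "No DHCP server available"), and whether dhcpd ever answered on an interface other than eth1. The added example below (mine, not from this HOWTO) does that over dhcpd lines in /var/log/messages. The sample log is constructed: the four lines from the text plus two made-up clients, one that never gets past DHCPOFFER and one that talks to the server through eth0. Function names are my own.

```sh
#!/bin/sh
# Added example, not from the HOWTO: summarise the dhcpd lines in /var/log/messages
# so you can see which clients completed the DISCOVER/OFFER/REQUEST/ACK exchange,
# which got stuck, and whether the server answered on any interface other than
# the inside one. Usage: lease_report /var/log/messages

# lease_report LOGFILE: one line per client MAC: "MAC STATE ADDRESS via IFACE"
lease_report() {
    awk '
    $5 ~ /^dhcpd(\[[0-9]+\])?:$/ && $6 ~ /^DHCP/ {
        mac = ip = iface = ""
        for (i = 7; i < NF; i++) {               # field positions vary per message type
            if ($i == "from" || $i == "to") mac = $(i + 1)
            if ($i == "on" || $i == "for" || $i == "of") ip = $(i + 1)
            if ($i == "via") iface = $(i + 1)
        }
        if (mac == "") next
        if (!(mac in state)) order[++n] = mac    # keep first-seen order
        via[mac] = iface
        if ($6 == "DHCPACK")          { state[mac] = "leased";   addr[mac] = ip }
        else if ($6 == "DHCPNAK")     { state[mac] = "refused";  addr[mac] = ip }
        else if ($6 == "DHCPRELEASE") { state[mac] = "released"; addr[mac] = ip }
        else if (state[mac] != "leased") { state[mac] = "incomplete"; if (ip != "") addr[mac] = ip }
    }
    END {
        for (i = 1; i <= n; i++) {
            m = order[i]
            printf "%s %s %s via %s\n", m, state[m], (addr[m] == "" ? "-" : addr[m]), via[m]
        }
    }' "$1"
}

# incomplete_clients LOGFILE: MACs that never received a DHCPACK (what a client
# reporting "No DHCP server available" looks like from the server side)
incomplete_clients() { lease_report "$1" | awk '$2 == "incomplete" { print $1 }'; }

# wrong_interface LOGFILE IFACE: clients served on anything but IFACE, e.g. the
# ISP-facing eth0, which should never happen once dhcpd is bound to eth1
wrong_interface() { lease_report "$1" | awk -v ok="$2" '$5 != ok { print $1, $5 }'; }

# sample_log: constructed test data (the first four lines are the text's own)
sample_log() {
    cat <<'EOF'
May 9 11:44:17 localhost dhcpd: DHCPDISCOVER from 00:80:64:09:32:97 via eth1
May 9 11:44:17 localhost dhcpd: DHCPOFFER on 192.168.0.2 to 00:80:64:09:32:97 via eth1
May 9 11:44:17 localhost dhcpd: DHCPREQUEST for 192.168.0.2 from 00:80:64:09:32:97 via eth1
May 9 11:44:17 ns dhcpd: DHCPACK on 192.168.0.2 to 00:80:64:09:32:97 via eth1
May 9 11:45:02 localhost dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth1
May 9 11:45:02 localhost dhcpd: DHCPOFFER on 192.168.0.3 to 00:11:22:33:44:55 via eth1
May 9 11:46:30 localhost dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:ff via eth0
EOF
}

t=$(mktemp); sample_log > "$t"
lease_report "$t"
echo "stuck: $(incomplete_clients "$t" | tr '\n' ' ')"
echo "served off eth1: $(wrong_interface "$t" eth1 | tr '\n' ' ')"
rm -f "$t"
```

A client that shows up as "incomplete" after a DHCPOFFER got the server's offer but never sent a DHCPREQUEST back, so the problem is on the client side or the cable; a MAC that never appears at all never reached the server, which is the case the paragraph above describes. Anything reported by wrong_interface means the init-script edit did not take and dhcpd is listening on more than eth1.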