Thanks for all the useful advice in response to previous emails on this
topic. However, I am still not getting out of it.
As I understand it, from the different emails I received I had to do the
following:
(Note that for my gateway, firewall and router I am running linux
6.2 (kernel 2.4.2-2) with iptables-1.2.1a-1 and iproute-2.2.4-10. )
1. On my router/gateway firewall, I assigned a second IP address
(belonging to the new subnet 192.168.1.0) to my internal network card,
i.e. now I have:
    eth0      Link encap:Ethernet  HWaddr 00:10:4B:88:6D:A7
              inet addr:204.49.23.65  Bcast:204.49.23.128  Mask:255.255.255.192
    eth0:0    Link encap:Ethernet  HWaddr 00:10:4B:88:6D:A7
              inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
This means that people in the new subnet can go to a gateway IN that
subnet.
2. I use the "route" command to make sure I have the new address
working:
linux#> route add -host 192.168.1.1 dev eth0
3. I added entries into my iptables script to allow the new network to
reach the outside world:
    iptables --table nat --append POSTROUTING -o eth0 -j SNAT --to-source $ETH1
where eth0 is the "internal" network card, and $ETH1 is the IP address
of the network card connecting to our ISP.
I also added an entry for masquerading:
    iptables --table nat --append POSTROUTING -p all -s 192.168.1.0/24 -j MASQUERADE
(Note that I am not sure what to put to get the full subnet range
192.168.1.0 to 192.168.1.256 - do I use 92.168.1.0/24 or 92.168.1.0/16?
I searched the web far and wide but I cannot find information as to what
I should put after the /.)
I also added an IP alias of 192.168.1.2 to my DHCP server so that server
has a presence on the new private network and can broadcast on it.
The problem is that:
1. DHCP does not work at all.
2. I can manually assign an IP address on the new network to a client
machine. For example, machine A could have:
IP 192.168.1.10
Subnet 255.255.255.0
gateway 192.168.1.1 (the alias for my old gateway address)
When I do this, I can ping machines inside and outside our network, but
any http requests to the outside world (and even to our own web server)
are denied (a message from SQUID about being denied by root).
Note that in my firewall script, I have a redirection to our squid proxy
server:
    iptables --table nat --append PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
so I made sure that the new line:
    iptables --table nat --append POSTROUTING -o eth0 -j SNAT --to-source $ETH1
is located ABOVE the line redirecting to proxy.
But perhaps I have to set up something on my proxy to allow addresses in
the new range to go there as well. Or perhaps the new line is wrong
altogether. Frankly, this is rather confusing, and I am really hoping
someone can help me out here.
Any help with this will be greatly appreciated. Particularly detailed
step-by-step instructions would be very, very welcome.
Thanks
Hugo
--
Dr Hugo Bouckaert
R&D Support Engineer/Systems Administrator
Fractal Graphics
57 Havelock St
West Perth, WA 6005
PO Box 1675, West Perth 6872
Ph: 61 08 9211 6000
Fax: 61 08 9226 1299
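Added example (not code from the original mail or from the list): a small Python model of two things the mail asks about, what a /24 versus a /16 suffix actually covers and which rule in a nat chain a client's web request would hit first, given that rules within one chain are checked top to bottom and the first match wins. The name of the ISP-facing card (eth1) and the sample packet are assumptions, not facts from the mail.

```python
"""Constructed example (not the original mail's script): what a CIDR suffix
covers, and which rule in a nat chain a packet would hit first."""
import ipaddress


def cidr_range(cidr: str) -> tuple[str, str, int]:
    """Return (first address, last address, address count) covered by a CIDR."""
    net = ipaddress.ip_network(cidr, strict=False)  # tolerate host bits in the base
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def is_valid_address(ip: str) -> bool:
    """Each dotted octet must be 0..255, so e.g. x.x.x.256 is never an address."""
    try:
        ipaddress.ip_address(ip)
        return True
    except ValueError:
        return False


def matches_source(ip: str, cidr: str) -> bool:
    """What iptables -s <cidr> tests: is the packet's source inside the network?"""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def first_match(chain: list[dict], pkt: dict) -> str:
    """Walk one chain top to bottom; the first rule whose selectors all match wins.
    Selectors modelled: -s (src), -i (in), -o (out), -p (proto), --dport (dport)."""
    for rule in chain:
        if "src" in rule and not matches_source(pkt["src"], rule["src"]):
            continue
        if any(k in rule and rule[k] != pkt.get(k) for k in ("in", "out", "proto", "dport")):
            continue
        return rule["target"]
    return "ACCEPT"  # chain policy when nothing matched


# nat rules as written in the mail; the ISP-facing card is ASSUMED to be eth1
PREROUTING = [
    {"in": "eth0", "proto": "tcp", "dport": 80, "target": "REDIRECT --to-port 8080"},
]
POSTROUTING = [
    {"out": "eth0", "target": "SNAT --to-source $ETH1"},
    {"src": "192.168.1.0/24", "target": "MASQUERADE"},
]

# constructed packet: machine A (192.168.1.10) fetching a web page via the gateway
CLIENT_HTTP = {"src": "192.168.1.10", "in": "eth0", "out": "eth1", "proto": "tcp", "dport": 80}

if __name__ == "__main__":
    print(cidr_range("192.168.1.0/24"), cidr_range("192.168.1.0/16"))
    print(first_match(PREROUTING, CLIENT_HTTP), first_match(POSTROUTING, CLIENT_HTTP))
```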