SUSE 8.1 and Internet Sharing
Simleep
02-18-2003, 04:56 PM
OK, I need some help. I am trying to set SuSE 8.1 up to act as a router for my ADSL connection. The other machine is a Windows Me box in another room. I have read the IP masquerading HOWTO and the SuSE FAQ for ADSL sharing. But you guessed it, no success. I know I need to set up the system in SuSEfirewall2 and have read the examples, followed the instructions etc., but I am clearly missing some info. I admit it, I am relatively inexperienced when it comes to Linux, so this could easily happen. Attached is my SuSEfirewall2 file. I have two network cards in the SuSE box. The internal network controller is 169.254.197.1. The ADSL network card is 192.168.120.254. I can ping the cards between the machines as suggested in the SuSE FAQ, but no joy when I try and connect from the Windows machine. I have a suspicion that somehow I don't have a proxy server set up properly. I have done this with two Windows machines and WinProxy and it worked fine. Any help welcome: simple how-tos, canned files etc.
regards
simleep
#
FW_QUICKMODE="yes"
#
#
FW_DEV_EXT="ppp0 eth1 ippp0 dsl0 masq"
#
#
FW_DEV_INT="eth0"
#
#
FW_DEV_DMZ="eth1"
#
#
FW_ROUTE="yes"
#
#
FW_MASQUERADE="yes"
#
#
FW_MASQ_DEV="$FW_DEV_EXT"
#
#
FW_MASQ_NETS="169.254.197.0/8"
#
FW_PROTECT_FROM_INTERNAL="no"
#
#
FW_AUTOPROTECT_SERVICES="no"
FW_SERVICES_EXT_TCP=""
# Common: domain
FW_SERVICES_EXT_UDP=""
# Common: domain
# For VPN/Routing which END at the firewall!!
FW_SERVICES_EXT_IP=""
#
# Common: smtp domain
FW_SERVICES_DMZ_TCP="smtp domain"
# Common: domain
FW_SERVICES_DMZ_UDP="domain"
# For VPN/Routing which END at the firewall!!
FW_SERVICES_DMZ_IP=""
#
# Common: ssh smtp domain
FW_SERVICES_INT_TCP="http https imap imaps pop3 pop3s smtp ssh domain 80,8080 3128"
# Common: domain syslog
FW_SERVICES_INT_UDP="domain syslog"
# For VPN/Routing which END at the firewall!!
FW_SERVICES_INT_IP=""
FW_SERVICES_QUICK_TCP=""
# QUICKMODE: UDP services open to external networks (InterNet)
# (Common: isakmp)
FW_SERVICES_QUICK_UDP=""
# QUICKMODE: IP protocols unconditionally open to external networks (InterNet)
# (For VPN firewall that is VPN gateway: 50)
FW_SERVICES_QUICK_IP=""
#
FW_TRUSTED_NETS="169.254.197.0/8,tcp,80,8080"
#
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
# Common: "DNS" or "domain ntp", better is "yes" to be sure ...
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
#
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
# if you use dhclient to get an ip address you have to set this to "yes" !
FW_SERVICE_DHCLIENT="no"
# set to "yes" if this server is a DHCP server
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="yes"
#
FW_FORWARD=""
#
FW_FORWARD_MASQ=""
# Beware to use this!
#
FW_REDIRECT=""
#
#
FW_LOG_DROP_CRIT="yes"
#
FW_LOG_DROP_ALL="no"
#
FW_LOG_ACCEPT_CRIT="yes"
#
FW_LOG_ACCEPT_ALL="no"
#
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
#
#
# Choice: "yes" or "no", if not set defaults to "yes"
#
FW_KERNEL_SECURITY="yes"
#
FW_STOP_KEEP_ROUTING_STATE="no"
#
#
FW_ALLOW_PING_FW="yes"
#
FW_ALLOW_PING_DMZ="no"
#
FW_ALLOW_PING_EXT="no"
##
# END of /etc/sysconfig/SuSEfirewall2
##
# #
#-------------------------------------------------------------------------#
#
FW_ALLOW_FW_TRACEROUTE="yes"
#
FW_ALLOW_FW_SOURCEQUENCH="yes"
#
#
FW_ALLOW_FW_BROADCAST="yes"
#
FW_IGNORE_FW_BROADCAST="no"
#
#
FW_ALLOW_CLASS_ROUTING="yes"
#
FW_CUSTOMRULES=""
FW_REJECT="no"
Legolas45
02-27-2003, 03:43 PM
I too have SuSE 8.1 and am using it for a home router/firewall. Make sure your network is configured properly before playing with proxies or firewalls. There should be some good HOWTOs included with your SuSE distribution on networking and masquerading (use a browser and go to "file:/usr/share/doc/howto/en/html").
Do you have your gateway address set up properly on your Windows box? If you don't, http requests probably won't work but ping will.
Hope this helps.
P.S.
Is it possible that your internal network controller (NIC) has address 192.168.120.254 and your ADSL card has the 169.254.... address? I ask this because 192.168.*.* addresses are reserved for private IP domains (e.g. home networks) and should not be assigned to a NIC that connects to the internet. The 169.254... address has probably been assigned to you by your ISP and should be associated with the ADSL interface.
Simleep
02-27-2003, 06:13 PM
First thanks for your post, I didn't think anyone was going to reply.
I believe the network is working properly. I have Samba running and can open shares on each machine.
The network cards are configured with static IPs. I took the addresses from my alternative Windows configuration. Now the internal network card is set to 169.254.197.1. The second card, eth1, is defined for T-Online and has an address of 169.254.188.94.
I have been re-reading the T-Online configuration file, but my German is not fluent. However, I have found that the T-Online proxy is www-proxy.t-online on port 80 and the DNS server is 194.25.2.129, which I have plugged into YaST2.
I still get an error on the Windows machine, though, that it cannot find the DNS server, which I point in the browser to the internal network card, although I have tried all the other IP numbers as well.
I have read in the various HOWTOs that you also need to open the port (80). I assume this is in resolve.conf, but I do not know how to do it.
The other question is: do I need to actually set up a separate proxy server like Squid? From what I have seen I should be able to do it directly with the firewall, but no luck so far. One other strange thing is that in Konqueror, if I click on LAN browsing, I get an error message saying "protocol not supported lan", so there could still be something wrong even though Samba seems to work. Any other advice greatly appreciated.
regards
Simleep
Legolas45
02-27-2003, 11:40 PM
Hmmm, well I'll tell you what I've done to make mine work and hopefully it will help.
1) I made a basic internet connection from my Linux box work. I use a dial-up connection over a basic modem. I did this before configuring or using any firewall or proxy stuff. I can't help with your ADSL setup, but if you can browse from your Linux box you're halfway there...
(NOTE: I tried running the SuSEfirewall2 stuff and found that it really got in my way so I shut it off. In essence the SuSEfirewall2 uses a program called "iptables" to filter/reject/drop/accept incoming and outgoing ip packets - more on this later.)
2) I configured (using YaST2) the "local" facing network card on my Linux box as follows:
via Network/Basic -> Network Card Configuration
Device Name eth0
(Choose "Static address setup")
IP Address 192.168.0.1
Subnet Mask 255.255.255.0
(under Host name...)
Host name linux
Domain name local
(under Routing...)
Default gateway 192.168.0.1
Choose "Enable IP Forwarding"
NOTE: Since I get a "dynamic" ip address from my ISP, the default gateway is replaced after I get connected. So, the Default gateway in my setup doesn't mean much. I don't know how this works with ADSL...
3) I configured my Windows machine as follows:
IP Address 192.168.0.2
Subnet Mask 255.255.255.0
Gateway 192.168.0.1
(Choose "Enable DNS")
Host linux
Domain local
DNS Server Search Order (Add 192.168.0.1)
4) I started "named" on my Linux box. You do this by issuing the command "rcnamed start" as the root user.
Hope this helps!
P.S. More on iptables... iptables is in essence the way you set up a firewall in the latest versions of Linux. It is also where the IP MASQUERADING is set up. To check if you have masq'ing set up, issue the command
iptables -t nat -L
and look for the line
MASQUERADE all -- anywhere anywhere
under the "POSTROUTING" chain. If it's there, masq'ing is on.
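The two conditions the steps above depend on, forwarding switched on in the kernel and a MASQUERADE rule in the POSTROUTING chain of the nat table, can be checked by a short script. The following is an added example, not code from the thread; the iptables listings it runs on are constructed samples shaped like the output described in the post, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: check that the kernel forwards packets
# and that a MASQUERADE rule sits in the POSTROUTING chain of the nat table.
# Both checks take text as input so they can be run on a saved listing; on
# the router itself you would run
#   ip_forward_enabled /proc/sys/net/ipv4/ip_forward
#   iptables -t nat -L -n | masq_in_postrouting

# Returns 0 if the given file (normally /proc/sys/net/ipv4/ip_forward)
# contains "1", i.e. "Enable IP Forwarding" actually took effect.
ip_forward_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Reads an `iptables -t nat -L` listing on stdin and returns 0 only when a
# MASQUERADE target appears inside the POSTROUTING chain. The current chain
# is tracked explicitly, so a MASQUERADE line elsewhere does not count.
masq_in_postrouting() {
    awk '
        /^Chain / { chain = $2; next }
        chain == "POSTROUTING" && $1 == "MASQUERADE" { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Same check on a listing held in a variable.
masq_in_listing() {
    printf '%s\n' "$1" | masq_in_postrouting
}

# Constructed sample listing, shaped like the output the post describes.
SAMPLE_NAT_MASQ='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed sample with no masquerading at all: forwarding alone would
# send private source addresses out to the ISP, where nothing can reply.
SAMPLE_NAT_EMPTY='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Stand-alone run: report on the constructed samples.
if masq_in_listing "$SAMPLE_NAT_MASQ"; then
    echo "sample 1: masquerading is on"
fi
if ! masq_in_listing "$SAMPLE_NAT_EMPTY"; then
    echo "sample 2: no MASQUERADE rule in POSTROUTING"
fi
```

Tracking the chain name in awk instead of grepping for MASQUERADE anywhere matters because the listing prints every chain of the table in one go; a match outside POSTROUTING would tell you nothing about whether outgoing LAN traffic is rewritten.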
Legolas45
02-28-2003, 12:29 PM
After the last post I realized I'd left something out. Before running named, I changed the /etc/named.conf file. There is a line in the options section of that file that goes something like
#forwarders { ip address; ip address; }
I uncommented it (removed the leading #) and replaced the two IP addresses with the addresses of the two DNS name servers provided by my ISP. I also added the lines
notify no;
forward only;
to the options section. This makes my Linux box a name server for my little network here at home, but just a small caching-only server.
Also, I should clarify my suggestion to not use SuSEfirewall2. I don't mean to suggest you should never use it, only that it's possible it could be confusing your attempts to get your Internet sharing working. Removing it while trying to make the sharing work would let you determine whether or not that is the case. By the way, there's a great little HOWTO in the SuSE distro called "Masquerading Made Simple". It's at /usr/share/doc/howto/en/html/Masquerading-Simple-HOWTO/intro.html. It also covers some simple firewalling techniques. Good Luck!!!
Simleep
03-05-2003, 05:42 PM
Many thanks Legolas45!
Unfortunately I have been away for a few days so have only just seen your reply. Should be able to try this at the weekend though.
Regards
Simleep
Simleep
03-16-2003, 11:36 AM
So, having followed some of the advice from Legolas45, I have made some progress, but have not been successful yet.
Still, when I try and access the web from the Windows box through the Linux machine, I still get a DNS error. However, what I notice is I can ping an internet address from the Windows machine, so there is some sort of connection.
On the Windows box I have set up the Ethernet card TCP/IP section as Legolas suggested below.
IP Address 169.254.197.2
Subnet Mask 255.255.255.0
Gateway 169.254.197.1
Enable DNS
Host simlee
Domain rhm
DNS Server Search Order (Add 169.254.197.1)
There are other dial up adapters on the windows box which I leave in place.
I have tried configuring the internet connection (Win box) for direct = DNS error, and via proxy 169.254.197.1 or detect settings automatically. All = DNS error.
One question I have is, if I use a proxy, I should also set up a port, or a port should be identified. I have not done this and do not know how to. Any suggestions?
regards
Simleep
Legolas45
03-23-2003, 06:28 PM
Hey Simleep, it's Legolas again. Sounds like the routing and masqing on your Linux box work ok, since you can ping sites on the internet. Finding a name server is a problem, though.
In my setup, I've told my Windows machines to find a name server on my local Linux box. This requires me to run "named" on the Linux machine. Make sure you're running "named" on the Linux machine. See my earlier post, or ask again if that doesn't help.
Alternatively, if you know the addresses of your ISP's name server(s) you could try adding them to your windows DNS configuration. If you do this, remove the windows DNS entry for your Linux box. I haven't tried this, but it might work.
Good luck!
P.S. It is possible to make "named" start automatically at boot time... This is fairly simple in SuSE 8.1 and I can help if you need.
Magueta
03-23-2003, 07:18 PM
Can you ping an internet IP address or a URL? i.e. can you ping yahoo.com? If you can then your DNS is fine and there's some other problem getting in your way.
Joe
bwkaz
03-23-2003, 09:10 PM
Have you actually been assigned (by your ISP) addresses in the 169.254.197.x subnet? If not, you should not be using them -- you are taking someone else's IP address, and even though no one will probably notice, they still might.
On your internal network, I'd use 192.168.0.X instead of what you've got, with a netmask of 255.255.255.0. Change the IP of the internal SuSE card to that, and change the Windows IP to that, and change the gateway on the Windows machine to the SuSE box's internal address, and that might help -- at minimum, it won't make things worse, unless I confused you and you screw something up. :D
But I think this would be better anyway. This way, you're using a private IP range, which means that no router will forward packets addressed to those addresses, including the SuSE machine. You don't want your private IP addresses out on the Internet, after all.
If you were assigned the other addresses by your ISP, then ignore me.
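The address ranges behind this advice can be checked mechanically. The script below is an added example, not code from the thread: it classifies an IPv4 address as RFC 1918 private (10/8, 172.16/12, 192.168/16), link-local (169.254/16, the range Windows assigns itself when no DHCP server answers), loopback or public, and then checks the LAN layout bwkaz recommends (router and client on a private range, in the same subnet, client gateway pointing at the router). The function names are mine and the sample addresses come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: classify IPv4 addresses and check the
# LAN layout recommended above. Pure POSIX sh; no network access needed.

# Convert a dotted quad to a 32-bit integer; returns 1 on malformed input.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print one of: private, link-local, loopback, public, invalid.
ip_class() {
    n=$(ip_to_int "$1") || { echo invalid; return 1; }
    if   [ $(( n >> 24 )) -eq 10 ]; then echo private                      # 10.0.0.0/8
    elif [ $(( n >> 20 )) -eq $(( (172 << 4) | 1 )) ]; then echo private   # 172.16.0.0/12
    elif [ $(( n >> 16 )) -eq $(( (192 << 8) | 168 )) ]; then echo private # 192.168.0.0/16
    elif [ $(( n >> 16 )) -eq $(( (169 << 8) | 254 )) ]; then echo link-local
    elif [ $(( n >> 24 )) -eq 127 ]; then echo loopback
    else echo public
    fi
}

# Returns 0 if two addresses fall in the same subnet under a dotted netmask.
same_subnet() {
    a=$(ip_to_int "$1") && b=$(ip_to_int "$2") && m=$(ip_to_int "$3") || return 1
    [ $(( a & m )) -eq $(( b & m )) ]
}

# Check the layout bwkaz describes: router and client on an RFC 1918 range,
# in one subnet, and the client's gateway set to the router's LAN address.
# Prints "ok" or the first reason the plan fails.
lan_plan_ok() {
    router=$1; client=$2; gateway=$3; mask=$4
    for a in "$router" "$client"; do
        [ "$(ip_class "$a")" = private ] || { echo "$a is not an RFC 1918 address"; return 1; }
    done
    same_subnet "$router" "$client" "$mask" \
        || { echo "$router and $client are not in the same subnet"; return 1; }
    [ "$gateway" = "$router" ] \
        || { echo "gateway $gateway is not the router's LAN address"; return 1; }
    echo ok
}

# Stand-alone run: the addresses that appear in the thread, then the
# recommended plan and the original one.
for a in 169.254.197.1 192.168.120.254 194.25.2.129; do
    echo "$a: $(ip_class "$a")"
done
lan_plan_ok 192.168.0.1 192.168.0.2 192.168.0.1 255.255.255.0
lan_plan_ok 169.254.197.1 169.254.197.2 169.254.197.1 255.255.255.0 || true
```

Run on the thread's own numbers it reports the internal card as link-local and the ADSL card as private, which is the reversed assignment Legolas45's P.S. asked about; a private internal range passes `lan_plan_ok` only when the gateway and netmask are consistent with it.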
Magueta
03-23-2003, 09:33 PM
ISPs can get pretty annoyed when you just take an IP address for yourself, and you don't really need one unless you're running a webserver or something, but even in that case there are simple ways around it. A simple way to deal with the problem is to set up your external Ethernet card to use DHCP so that it gets a new IP address from your ISP, and then if you leave your router on all the time you'll have that same IP address all the time, until you reboot. Even after a reboot my ISP always gives me the same IP address. I don't know how they do it, but that's how it happens for me.
bwkaz
03-23-2003, 11:57 PM
Originally posted by Magueta
ISPs can get pretty annoyed when you just take an IP address for yourself and you don't really need one unless you're running a webserver or something but, even in that case there are simple ways around it.
Like talking to them and asking for a static IP address? Pretty simple... :p
Originally posted by Magueta
A simple way to deal with the problem is to set up your external Ethernet card to use DHCP so that it gets a new IP address from your ISP,
Assuming, of course, that your ISP uses DHCP, but most do. The exception is DSL ISPs, who (as a rule) use PPPoE.
Originally posted by Magueta
and then if you leave your router on all the time you'll have that same IP address all the time, until you reboot.
Well, again, DSL is a little different. The PPPoE connection can (not always will, but can) timeout if there's no traffic for some time. You can solve that by figuring out the interval, and running ping www.google.com every 18 minutes (using cron) if the timeout is 20, or something similar.
The purported reason for DSL doing this is that the connection takes so little time to make that it doesn't matter anyway -- true, most of the time.
Originally posted by Magueta
Even after a reboot my ISP always gives me the same IP address, I don't know how they do it but that's how it happens for me.
It's probably just that they have (on their DHCP server) set it up so that the server allows clients to ask for addresses. The DHCP client remembers (in a file somewhere) what the last IP address was, and sends that in the DHCP request when you next boot. If the DHCP server doesn't tell it "no, you can't" (because, for example, someone else is using that address now), then it'll use it.
I've got my DHCP server (granted, only two machines on it though... :D) set up to do this.
Magueta
03-24-2003, 12:21 AM
Cool, that's a bunch of stuff I didn't know about. I especially like the pinging google trick.
Originally posted by bwkaz
Assuming, of course, that your ISP uses DHCP, but most do. The exception is DSL ISPs, who (as a rule) use PPPoE.
If they weren't using DHCP would we be dealing with the problem above?
Joe
bwkaz
03-24-2003, 10:33 AM
Most of the time, we wouldn't be dealing with it, no.
PPPoE, though, is PPP over Ethernet (that's the name, anyway ;)), which acts just like normal 56K modem PPP -- whenever you connect, you get an IP address, possibly different. It's DHCP disguised under another protocol name, basically.
Simleep
03-26-2003, 02:56 PM
First, thanks to everybody for their excellent help. I really appreciate it. I am afraid, though, I eventually took the easy way out and bought a cheap (~$50) hardware router. Had it set up in two hours (a little trouble with the settings for my ISP) and everything works.
I have also been able to change the network cards to get an address automatically, so nobody should be mad at me. For clarification, the original numbers were assigned by Windows automatically. I later adopted them as manual and continued to use them.
regards
Simleep