Simple Internet sharing with Knoppix, settings, wizard, GUI?



stukennedyuk
10-06-2003, 01:21 PM
I'm looking forward to the day I can replace Window$ 98SE with Knoppix/Debian and with that in mind, I have configured my PC dual boot. (Well..... W98SE is an unsupported obsolete OS!).

What I am trying to do is check that I can do 'what I need to' using Knoppix. Here is the first one of the things I'm struggling with:-

I need Knoppix to do the equivalent of ICS. I've read LOTS! on the web and this is what I understand so far.

1). I need to use the Linux feature 'masquerading' - which is built in to the kernel.
2). Knoppix is based on kernel 2.4.x so I need to use 'iptables' (not 'ipchains' used in earlier kernels).
3). I understand that my internet ethernet port is 'eth0' and uses DHCP and is autoconfigured by Knoppix. (and works just fine).
4). My intranet port is 'eth1' - Knoppix tries to configure DHCP and (naturally fails) - I understand that I can use 'ifconfig ethx' to check the ethernet port settings and 'netcardconfig' to change them.

So, I found this and tried it out:-

echo '1' > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

So, it also says that I need to start/stop iptables before making these changes, eg.

service iptables stop

But 'service' is not recognised. .....and when I try and use netcardconfig to set eth1 to 192.168.0.1 and all that good stuff for the intranet, it just comes back 'fail, network down' or similar and it even stops eth0 from working.

Dang, dang, dang! I'm no stranger to the obscure and difficult being a former Nortel DMS switch translations engineer..... but this is hard work!

I also tried without success to get 'linuxconf' 'ipmasq' 'firewall-easy' and 'firestarter' working.....

Cheers, Stuart.....

stukennedyuk
10-06-2003, 04:11 PM
I just found out that the Debian equivalent of:-

service iptables 'command'

is:

/etc/init.d/iptables 'command'

Anyone know what I'm (still) missing?

Stu.....

sobriket
10-06-2003, 05:30 PM
ifconfig eth1 192.168.0.1

will change eth1's ip address from the command line. I don't know anything about netcardconfig but using ifconfig directly is tried and true. Typing it as I've specified without further options will set you up for subnet of 255.255.255.0 and broadcast of 192.169.0.255 so you needn't do anything there (unless you need other settings, man ifconfig is helpful).

Hopefully this will help with the ethernet config.. As for the iptables setup, to my eyes, what you have should work. Were I not at school I'd test your config right now. To my knowledge, you shouldn't have to start/stop iptables to add your settings... Additionally, you might want to utilize iptables -L to see what's going on with your tables before you're adding your rules. If there are other entries, flush them with iptables -F INPUT
iptables -F OUTPUT et cetera.

~Kevin
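
Added example, not part of any post in this thread: `iptables -L` lists only the filter table, so the MASQUERADE rule from the first post never shows up in it; this script reads `iptables-save` output instead and checks each piece of that ruleset. The function name `audit_ics`, the finding texts and the sample dump are constructed for illustration; eth0 and eth1 are the interfaces named in the thread.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump against the sharing ruleset
# quoted in the thread. On a live gateway, as root:
#   iptables-save | audit_ics "$(cat /proc/sys/net/ipv4/ip_forward)" eth0 eth1

# audit_ics IP_FORWARD WAN_IF LAN_IF   (iptables-save text on stdin)
# Prints one line per finding; the exit status is the number of findings.
audit_ics() {
    findings=$(awk -v fwd="$1" -v wan="$2" -v lan="$3" '
        BEGIN { policy = "ACCEPT" }          # kernel default if never set
        /^\*/ { table = substr($0, 2) }      # "*nat" / "*filter" section header
        table == "filter" && /^:FORWARD / { policy = $2 }
        table == "nat" && /^-A POSTROUTING / && /-j MASQUERADE/ &&
            index($0, "-o " wan " ") { masq = 1 }
        table == "filter" && /^-A FORWARD / && /-j ACCEPT/ {
            if (index($0, "-i " lan " ") && index($0, "-o " wan " ")) out = 1
            if (index($0, "-i " wan " ") && index($0, "-o " lan " ")) {
                if (/ESTABLISHED/) back = 1; else wide = 1
            }
        }
        END {
            if (fwd != "1") print "ip_forward is off, nothing is routed"
            if (!masq) print "nat table has no MASQUERADE rule on " wan
            if (policy != "DROP") print "FORWARD policy is " policy ", not DROP"
            else if (!out) print "no FORWARD accept from " lan " to " wan
            else if (!back) print "replies from " wan " to " lan " are dropped"
            if (wide) print wan " to " lan " accepted without a state match"
        }')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return $(( $(printf '%s\n' "$findings" | wc -l) ))
}

# Constructed sample: the thread's seven commands as iptables-save prints them.
sample_shared() {
    cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
EOF
}

sample_shared | audit_ics 1 eth0 eth1 && echo "gateway ruleset complete"
```

A clean audit only covers the gateway side; as the later posts show, the client still needs its default gateway and DNS set by hand when no DHCP server runs on the LAN.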

rickenbacherus
10-06-2003, 06:54 PM
I just found out that the Debian equivalent of:-

service iptables 'command'

is:

/etc/init.d/iptables 'command'

Anyone know what I'm (still) missing?

Stu.....

Your options are:

/etc/init.d/iptables start|restart|reload|force-reload

So an example would be:

/etc/init.d/iptables start

Maybe something like the following will get you started. Of course this just allows ICS- you'll still need to configure a firewall.

echo 1 > /proc/sys/net/ipv4/ip_forward
ipchains -I forward -s 192.168.0.0/24 -d 0/0 -j MASQ

This is THE Linux firewall site (http://www.linux-firewall-tools.com/linux/) A few more links:

http://tldp.org/HOWTO/Authentication-Gateway-HOWTO/setup.html
http://tldp.org/HOWTO/Masquerading-Simple-HOWTO/summary.html

stukennedyuk
10-06-2003, 07:23 PM
Many thanks, I'll try these suggestions out and let you know how I get on!

Stuart.....

aay
10-06-2003, 07:58 PM
You might want to do an apt-get install firestarter.

Firestarter has a nice internet connection sharing option. It's all gui based. It's just another option you might try.

stukennedyuk
10-06-2003, 09:14 PM
The key problem I seem to have is this:-

root@ttyp0[knoppix]# ipchains -I forward -s 192.168.0.0/24 -d 0/0 -j MASQ
ipchains: Protocol not available

What does it mean? I checked in Kpackage and it says ipchains is installed.....

[whole transaction:-

root@ttyp0[knoppix]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@ttyp0[knoppix]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:02:8A:66:33:5D
inet addr:81.101.112.140 Bcast:255.255.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:17630 errors:0 dropped:0 overruns:0 frame:0
TX packets:1332 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1116705 (1.0 MiB) TX bytes:84677 (82.6 KiB)

root@ttyp0[knoppix]# ifconfig eth1 192.168.0.1
root@ttyp0[knoppix]# ifconfig eth1
eth1 Link encap:Ethernet HWaddr 00:0A:E6:76:4E:48
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:2052 (2.0 KiB)
Interrupt:11 Base address:0xd000

root@ttyp0[knoppix]# echo 1 > /proc/sys/net/ipv4/ip_forward
root@ttyp0[knoppix]# ipchains -I forward -s 192.168.0.0/24 -d 0/0 -j MASQ
ipchains: Protocol not available
root@ttyp0[knoppix]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@ttyp0[knoppix]#

]

Cheers, Stu.....

rickenbacherus
10-07-2003, 12:15 AM
Ummm- I deserve a kick in the pants for that one. Like an idiot I posted ipCHAINS not iptables. Old habits are hard to break. :)
I don't know if it's an option for you or not but I have an old pc that I use for a router and NAT (network address translation) or ICS as they say in wondoworld. I will have another look at ipTABLES and perhaps post something a bit more useful next time.

Sorry- sometimes I am such a moron.

Stephen
10-07-2003, 01:04 AM
You may want to look at Arno's IPtables-Firewall (http://rocky.molphys.leidenuniv.nl/); the instructions are pretty easy to understand. You should only have to change a couple of lines in the config files and put the files in the right place with proper permissions and be up and running in no time.

stukennedyuk
10-07-2003, 08:40 AM
Rickenbacherus wrote:

Ummm- I deserve a kick in the pants for that one. Like an idiot I posted ipCHAINS not iptables. Old habits are hard to break.
I don't know if it's an option for you or not but I have an old pc that I use for a router and NAT (network address translation) or ICS as they say in wondoworld. I will have another look at ipTABLES and perhaps post something a bit more useful next time.

I typed it in and didn't notice, the 'problem' is working with the command-line, and the human aspect of not really reading! S'pose this is why the GUI was invented! - your help is appreciated..


Stephen wrote:-

You may want to look at Arno's IPtables-Firewall the instructions are pretty easy to understand you should only have to change a couple of lines in the config files and put the files in the right place with proper permissions and be up running in no time.

I'll take a look at this today!

Many thanks, Stu.....

www.stuartkennedy.org.uk

stukennedyuk
10-07-2003, 08:51 PM
Nope, still stuck.

I'm using Arno's IPtables-firewall script.

Internet-----|server knoppix|-------Intranet-------|client knoppix|
  eth0 - DHCP     eth1 - 192.168.0.1               eth0 - 192.168.0.2

Server can ping internet and client box (ping 192.169.0.2) client box can ping server box (ping 192.168.0.1) but not internet or the IP of the server allocated by DHCP on eth0 (the internet connection).

Making changes with 'netcardconfig' to the client box results in:-

SIOCADDRT: Network is unreachable

Settings all look okay, think I've tried every variation.....

stukennedyuk
10-07-2003, 09:54 PM
Nearly there. Having both server and client running Knoppix was too many unknowns so I rebooted the server into Window$ 98SE with ICS running.

Using 'netcardconfig' and choosing DHCP had it working, so I used 'ifconfig eth0' to check what settings DHCP has allocated. It only shows IP, Bcast and Mask, so I entered these using 'netcardconfig' having chosen manual config. It didn't work! The only additional 'missing' values required for manual setup in 'netcardconfig' are Default gateway and DNS, so I experimented until I found the working values. (the ones that were there all the time staring me in the face.....)

I rebooted the server into Knoppix and tried DHCP on the client and it failed, however the manual setup values that worked for W98SE ICS DO work with Knoppix.

Don't know why DHCP doesn't work on Knoppix, do you?

All good practice to get my brain working again..... now for the next challenge, importing outlook express 6 into Kmail (then using firewire for video editing..... then burning CDRs.....then?)

Thanks for all the help! Stu.....

Stephen
10-07-2003, 10:36 PM
I rebooted the server into Knoppix and tried DHCP on the client and it failed, however the manual setup values that worked for W98SE ICS DO work with Knoppix.

Don't know why DHCP doesn't work on Knoppix, do you?


You do not have a DHCP server running on the Knoppix server, so there is no way for the client to get an address from DHCP. In Win98, ICS has a built-in server, so the Knoppix client could get the settings it needed. Good to hear you got it going, BTW. Burning CDs should be pretty simple; it should already be set up for it on the machine that has the burner. Try cdrecord --scanbus; it should return something similar to this:



[06:12 PM Tue Oct 07: stephen @ ~]
>$ cdrecord --scanbus
Cdrecord-Clone 2.01a18 (i686-pc-linux-gnu) Copyright (C) 1995-2003 Jörg Schilling
Linux sg driver version: 3.1.25
Using libscg version 'schily-0.7'
scsibus0:
0,0,0 0) 'HL-DT-ST' 'CD-RW GCE-8520B ' '1.00' Removable CD-ROM
0,1,0 1) *
0,2,0 2) *
0,3,0 3) *
0,4,0 4) *
0,5,0 5) *
0,6,0 6) *
0,7,0 7) *


Here cdrecord tells me that I have a burner on the device 0,0,0. If your output is similar then you can burn right away; if not, it is just a matter of adjusting some settings. I have no firewire devices but I'm sure someone here can help you with that. I believe you have to have the module ehci1394 loaded for access, but I'm not quite sure about that; you may want to do some searching on the site.