Announcement

**sky** · Jun 05, 2006, 01:00 PM

Re: 2 Nics, can only use one at a time.

Hi,

Can you tell us more about how you're connected to internet ? Do you have a router modem or only an ethernet modem ?
What is connected to eth0 and eth1 ?

Cheers

**jka/v** · Jun 05, 2006, 11:00 PM

Re: 2 Nics, can only use one at a time.

I have a cable modem (linksys), and it's plugged into a 16 port unmanaged switch.

Eth0 is plugged into a the same switch, eth1 is plugged directly into a laptop.

**sky** · Jun 06, 2006, 07:31 AM

Re: 2 Nics, can only use one at a time.

Ok, I see (almost

) Why do you have the eth1 set to dhcp if it's plugged to laptop ? Maybe silly question, usually I'm setting to fix ip as laptop is not a dhcp server, no ?

**jka/v** · Jun 06, 2006, 08:54 AM

Re: 2 Nics, can only use one at a time.

Tried it both at a static internally addressed ip (192.168.x.x) and that didn't work, so tried it at DHCP just for kicks, which of course didn't work either...

**sky** · Jun 06, 2006, 01:58 PM

Re: 2 Nics, can only use one at a time.

I'm disappointed, it should work... Did you try to connect only to laptop to see if connection is ok ?
If you have one connection active at one time, it's working ?
BTW, why you're not connecting laptop to hub also ?

**jka/v** · Jun 06, 2006, 03:40 PM

Re: 2 Nics, can only use one at a time.

I tried to connect it directly to the laptop, set the laptop to dhcp, and the eth1 to 192.168.10.x address. Doing so, with a static on eth0, disables all network traffice (even my eth1 nic itself doesn't light up anymore)....

hooking them both up and enabling them to the switch, lights up my eth1, but when it's active on let's say dhcp in kubuntu, it's no more internet in general. I'm presuming there is some kind of proper way for Kubuntu to use 2 nics, 1 (eth0 in this case) as the public, or external facing nic, and the other (eth1 in this case) as the private, or internal address space. I'm trying to set this box to do gateway work, as a nat router, mailserver, and overall firewall for my business.. I have heard such good things about Linux in this manner, and with the issues that present themselves with windows, I wanted to try this out.

Any other ideas?

**sky** · Jun 07, 2006, 12:16 PM

Re: 2 Nics, can only use one at a time.

It's quite strange because I'm able to use 2 nic in the same time to the same network... Not really useful in my case but I was trying to get wire and wireless network working together to transfer some files, it worked well

Hope you will find a way to get it working. If yes keep us informed please

**jka/v** · Jun 08, 2006, 08:28 AM

Re: 2 Nics, can only use one at a time.

It is strange... In your case your not attempting to use it as a gateway, so it would be different. I could see dhcp working for 2 nics, for instance in my laptop. (which I am going to dual boot with kubuntu in a week or 2).

Anyone else have an idea of the proper configuration for Kubuntu to use 2 nics in a server based style (gateway facing external, and internal facing private addressing)? I'd be VERY grateful!

**jka/v** · Jun 12, 2006, 09:41 AM

Re: 2 Nics, can only use one at a time.

Anyone have any other ideas for how to properly setup 2 nic cards in Kubuntu 6.06LTS, or know somewhere I can go to find some help?

It would be greatly appreciated!

**alrac** · Jun 12, 2006, 11:07 AM

Re: 2 Nics, can only use one at a time.

Ok, you're going about this all wrong

Since you want the multihomed box to be your Internet gateway/firewall, your network should look like this:

modem -> multihomed gateway box -> switch -> LAN

You need to set up iptables on the gateway box for both a firewall and Internet connection sharing, and you need to use ifrename to keep your NIC configs nailed down. Here is a very simple iptables script that shares an Internet connection, has no restrictions on outgoing traffic, and allows only established incoming:

Code:

#!/bin/sh
#iptables firewall script for sharing a cable or DSL Internet
#connection, with no public services

#define variables
ipt="/sbin/iptables"
mod="/sbin/modprobe"
LAN_IFACE="lan"
WAN_IFACE="wan"

#basic set of kernel modules
$mod ip_tables
$mod ip_conntrack
$mod iptable_filter
$mod iptable_nat
$mod iptable_mangle
$mod ipt_LOG
$mod ipt_limit
$mod ipt_state
$mod ipt_MASQUERADE

#add these for IRC and FTP
$mod ip_nat_ftp
$mod ip_nat_irc
$mod ip_conntrack_ftp
$mod ip_conntrack_irc

# Flush all active rules and delete all custom chains
$ipt -F
$ipt -t nat -F
$ipt -t mangle -F
$ipt -X
$ipt -t nat -X
$ipt -t mangle -X

#Set default policies
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
$ipt -t nat -P OUTPUT ACCEPT 
$ipt -t nat -P PREROUTING ACCEPT 
$ipt -t nat -P POSTROUTING ACCEPT 
$ipt -t mangle -P PREROUTING ACCEPT 
$ipt -t mangle -P POSTROUTING ACCEPT

#this line is necessary for the loopback interface
#and internal socket-based services to work correctly
$ipt -A INPUT -i lo -j ACCEPT

#Enable IP masquerading on WAN DHCP
$ipt -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
#For a static WAN IP, use this line instead
$ipt -t nat -A POSTROUTING -o $WAN_IFACE -j SNAT --to-source WAN-IP

#Enable unrestricted outgoing traffic, incoming
#is restricted to locally-initiated sessions only
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Accept important ICMP messages
$ipt -A INPUT -p icmp --icmp-type echo-request  -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

Name this script whatever you want, like "firewall", and place it in /etc/init.d so it will start at boot. Add it to your active runlevels with the update-rc.d command:

Code:

# update-rc.d firewall start 01 2 3 4 5 . stop 99 0 1 6 .

Edit /etc/sysctl.conf so that it has these kernel parameters:

Code:

net.ipv4.ip_forward = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0

Here are sample configs for your interfaces:

Code:

# The loopback network interface
auto lo
iface lo inet loopback

#lan and wan interfaces
auto lan wan
iface lan inet static
     address 192.168.1.23
     netmask 255.255.255.0

iface wan inet dhcp

For a static WAN IP, use your account information from your ISP.

Where do the LAN and WAN names come from? From ifrename. Please see this howto http://www.enterprisenetworkingplane...le.php/3586546
You may name your network interfaces anything you want, you're not stuck with eth*.

This is a sneak preview from my upcoming networking book. Enjoy!

edit:
don't forget to also lock down your box by turning off all unnecessary services.

**alrac** · Jun 12, 2006, 11:19 AM

Re: 2 Nics, can only use one at a time.

Here's a couple more useful links:

Oskar Andreasson's Iptables tutorial
http://www.faqs.org/docs/iptables/
Yes, it's long- iptables is complex, flexible, and powerful.

turn off unnecessary services
http://www.linuxdevcenter.com/pub/a/...tu.html?page=2

**jka/v** · Jun 12, 2006, 05:24 PM

Re: 2 Nics, can only use one at a time.

Wow...

Thanks Alrac!

I'll spend some time tomorrow working on this, if I can get it up and working properly, it will make my life much easier!

BTW, If I'm going for Apache2, and postfix, with the settings your talking about, do I need to change my settings in the iptables?

And I've been going about it with the nics plugged into the switch due to not wanting to pull down my existing windows network until I have this box up and running correctly. (I have 3 servers, 1 web, 1data, and 1 email). I could always put it on the switch, and a switch on eth1, correct?

Again, my thanks, I'll delve into this tomorrow.

**alrac** · Jun 12, 2006, 10:30 PM

Re: 2 Nics, can only use one at a time.

As you add services, yes, you'll need to add iptables rules. Might as well bite the bullet and read the iptables howto. It's a bit of a learning curve, but it means mighty network guru powerz.

Some things to keep in mind: you can have different rulesets for different interfaces. Usually you want the WAN link locked down as much as possible, but you don't need to be so strict on the LAN link. Don't forget your application security as well.

Not sure what you're asking about how your future gateway box is going to be connected- you can set it up and do a lot of testing while it's still just another box on your LAN, if that's what you want to know. Use nmap for remote testing and netstat for local, to see what ports are open.

**jka/v** · Jun 14, 2006, 11:25 AM

Re: 2 Nics, can only use one at a time.

Alrac,

Ok, have been perusing the iptables guide, that is a bit involved...

Still can't get the nics to work together, and to see out of the box externally. I can set them to:

eth0 as static
eth1 as static 192.168.1.11

and hook up a laptop to the eth1, and I can ping back and forth.
I also can ping from the laptop to the eth0, and back to the laptop. But, I still can't get out of the box. Only way it works is with eth1 disabled.

Very frustrating. Any ideas on how to get just this working properly. I'll delve into the rest after I can get it setup. In windows, you set nic 1 to static, and add an ip address for the internal side to that 1st nic, then the second nic you point to the first as a gateway, kubuntu doesn't seem to like this application at all...

Thanks for your help!

Announcement

2 Nics, can only use one at a time.

2 Nics, can only use one at a time.

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment