Server config for routing? new to FC10
AK47
4th February 2009, 02:17 PM
So my server running FC4 died last night and I decided to go ahead with the long-awaited upgrade to FC10 while I was rebuilding my server. I use my server for a number of things including, but not limited to: router, firewall, web server, mail server... I have a typical configuration process that I have followed since before fedora, and it has worked well for me up through FC4, but my usual config process doesn't work on FC10.
First of all, I don't want SELinux running. I didn't see an option to not install it during the FC10 setup, so how do I properly disable or uninstall it afterwards?
Second, I was unable to even configure the server to route traffic from my internal network to the web, here's the process I usually go through for this:
(in rc.local)
------------------------
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.7.0/24 -j MASQUERADE
route del default
route add default
------------------------
I don't have a static IP from my ISP, so I'm not quite sure how to add the default route. I think I need to do something like "route add default gw xxx.xxx.xxx.xxx eth1" where eth1 is my external NIC, correct?
What else do I need to do to route traffic? I noticed that I wasn't even able to ping my server from the internal network even though they are on the same subnet, my server's internal NIC has an address of 192.168.7.1 and my computer on the network has an address of 192.168.7.2.
If I can get this going so I have internet access again at the very least, I can move forward with the web server, email, etc.
AK47
5th February 2009, 02:40 PM
I did try adding the default route with "route add default gw xxx.xxx.xxx.xxx eth1", replacing the xxx.xxx.xxx.xxx with the IP address of my DSL router. I also found where to disable SELinux, but all to no avail. I still can't even ping my server from another computer on the network, and no traffic is being routed through the server either. Is all this functionality just broken in FC10? Or is there some other obscure setting not mentioned in any documentation that I need to configure? I read through the documentation and didn't see any mention of configuration for routing. I'm sure I'm not the only one with this problem; does anybody know what needs to be configured for routing to work on FC10?
fnmblot
5th February 2009, 02:52 PM
I had to turn off NetworkManager and turn on network in services, then reconfigure /etc/sysconfig/network-scripts/ifcfg-eth0 in order to get my network running properly. They started pushing NetworkManager a few versions back. Every time a new one comes out, I have to reconfigure network. If I had a wireless card, NetworkManager would be great, but I don't. Here is what my ifcfg-eth0 looks like:
DEVICE=eth0
HWADDR=00:00:00:00:00:00
ONBOOT=yes
SEARCH="example.com"
BOOTPROTO=none
NETMASK=255.255.255.0
IPADDR=192.168.1.5
GATEWAY=192.168.1.1
TYPE=Ethernet
USERCTL=no
PEERDNS=yes
IPV6INIT=no
NM_CONTROLLED=no
You'll want to change the HWADDR and SEARCH fields
HTH
fnmblot
David Becker
5th February 2009, 05:19 PM
...
------------------------
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD ACCEPT
Even though your default policy allows traffic to be forwarded, the current firewall has a final rule that blocks traffic. So the packets will never reach the default policy for the FORWARD chain.
I don't have a static IP from my ISP, so I'm not quite sure how to add the default route. I think I need to do something like "route add default gw xxx.xxx.xxx.xxx eth1" where eth1 is my external NIC, correct?
If your interface has been set up to obtain its IP from DHCP, then the default route obtained from the DHCP server will be applied.
Manually: route add default gw xxx.xxx.xxx.xxx dev eth1
What else do I need to do to route traffic? I noticed that I wasn't even able to ping my server from the internal network even though they are on the same subnet, my server's internal NIC has an address of 192.168.7.1 and my computer on the network has an address of 192.168.7.2.
Probably the same issue as with forwarding. The final rule in the INPUT table (iptables -L INPUT -v) rejects traffic.
If I can get this going so I have internet access again at the very least, I can move forward with the web server, email, etc.
From the command line:
- Run "setup"
- Choose "Firewall configuration"
You can set up masquerading interfaces here. Masqueraded interfaces will allow forwarding. Here you can also allow traffic to enter your server from the local network.
David
AK47
6th February 2009, 06:09 PM
Thanks to both of you for the helpful info. I did notice that NetworkManager seems to be new, and it was messing with both of my NICs. I went into Network configuration and made sure both devices were not being managed. I will definitely take a look at the ifcfg-eth0 file and configure it properly; would I need to do the same for the external NIC, eth1?
If your interface has been set up to obtain its IP from DHCP, then the default route obtained from the DHCP server will be applied.
Manually: route add default gw xxx.xxx.xxx.xxx dev eth1
My external NIC is getting its configuration via DHCP from my DSL router, but I will soon be getting a static IP. I did however manually add the route.
Even though your default policy allows traffic to be forwarded, the current firewall has a final rule that blocks traffic. So the packets will never reach the default policy for the FORWARD chain.
I have since added a line to the rc.local file to flush the iptables rules before adding anything. I noticed that there were several rules in place by default, and after doing iptables --flush, that cleared them out. I think I even tried a service iptables restart. I figured that would clear out any existing rules so I'd be starting with a clean slate?
From the command line:
- Run "setup"
- Choose "Firewall configuration"
You can set up masquerading interfaces here. Masqueraded interfaces will allow forwarding. Here you can also allow traffic to enter your server from the local network.
Would this be the same thing as the iptables commands in my rc.local? If not, could you provide an example setup or describe it at least, what I would have to do in the firewall configuration to set up basic routing?
Thanks! I'll reply back here with the results after trying these things.
David Becker
7th February 2009, 08:40 AM
...
I have since added a line to the rc.local file to flush the iptables rules before adding anything. I noticed that there were several rules in place by default, and after doing iptables --flush, that cleared them out. I think I even tried a service iptables restart. I figured that would clear out any existing rules so I'd be starting with a clean slate?
The flush will likely clear out the rules in the tables. But if you restart iptables then the settings would be reapplied. You could always verify whether the tables are empty or not with 'iptables -L INPUT -v' as a start.
Would this be the same thing as the iptables commands in my rc.local? If not, could you provide an example setup or describe it at least, what I would have to do in the firewall configuration to set up basic routing?
Not really. Custom rules can always be more sophisticated than the rules set through the system setup. If you can configure the firewall through the system 'setup' interface, then your configuration is more likely to survive updates. It's also more capable of propagating changes to related services. I say that while I knock on wood.
You need to set up masquerading and you need to allow your system to do forwarding from the LAN to the WAN.
WAN=eth1
LAN=eth0
# Masquerading: rewrite the source address of everything leaving via the WAN
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
# Let the replies of forwarded connections back in (WAN to LAN). Without this
# rule the DROP below also eats the return traffic of every NAT'd connection.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow new connections to be forwarded from the LAN to the WAN
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
# Drop everything else, especially new connections from the WAN to the LAN
iptables -A FORWARD -j DROP
# Accept related/established input, important to get a dynamic IP from your ISP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# If your default policy is ACCEPT, then make sure you don't accept from the WAN
iptables -A INPUT -i $WAN -j REJECT --reject-with icmp-port-unreachable
Verify that these rules are ordered correctly and that no other rules remain in the tables. Use 'iptables -L FORWARD -v', 'iptables -t nat -L POSTROUTING -v' and 'iptables -L INPUT -v' to check the table listings.
Aforementioned change to /proc/sys/net/ipv4/ip_forward can also be achieved by adding this
net.ipv4.ip_forward = 1
to /etc/sysctl.conf . Check your firewall by using your favourite firewall inspection website.
David
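A complete version of the router ruleset David sketches, as an added example: it is not his script or anything else posted in the thread. It keeps his interface names (eth0 LAN, eth1 WAN) and AK47's 192.168.7.0/24 LAN as assumptions, uses DROP default policies instead of relying on a trailing DROP rule, allows the return traffic of forwarded connections (the piece a LAN-to-WAN accept plus a final DROP is missing), lets the DHCP client on the WAN side get its lease, and only switches ip_forward on after the rules are loaded. Run without arguments it prints the commands it would issue; `apply` runs them for real as root.

```shell
#!/bin/sh
# Two-NIC NAT router for a Fedora-era iptables box: default-deny firewall,
# masquerading, and forwarding enabled only after the rules are in place.
# Added example, not David's script or anything posted in the thread.
# Assumptions taken from the thread: eth0 is the LAN (192.168.7.0/24), eth1
# is the WAN with a DHCP-assigned address. Override with LAN=/WAN=/LAN_NET=.

LAN="${LAN:-eth0}"
WAN="${WAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.7.0/24}"
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"

# Dry-run stand-in for iptables/sysctl: print the arguments on one line.
dry() { printf '%s\n' "$*"; }

apply_ruleset() {
    # Start from a clean slate so the script is safe to re-run; a plain
    # 'iptables --flush' leaves the policies and the nat table untouched.
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X

    # Default-deny for traffic to and through the router. With DROP policies
    # the rules below are the complete list of what is allowed.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # --- INPUT: traffic addressed to the router itself ---
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # DHCP replies to the WAN client arrive from port 67 to port 68, often as
    # broadcasts that conntrack does not pair with the request; allow them
    # explicitly instead of relying on RELATED,ESTABLISHED.
    $IPT -A INPUT -i "$WAN" -p udp --sport 67 --dport 68 -j ACCEPT
    # Hosts on the LAN may reach the router (ssh, DNS, DHCP, ping, ...).
    # Matching on the source subnet as well as the interface keeps packets
    # with a foreign source address arriving on eth0 out.
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT
    # Answer a limited rate of pings from the WAN; refuse everything else
    # there with an ICMP error so scanners get a clean "closed", not a hang.
    $IPT -A INPUT -i "$WAN" -p icmp --icmp-type echo-request \
         -m limit --limit 5/s -j ACCEPT
    $IPT -A INPUT -i "$WAN" -j REJECT --reject-with icmp-port-unreachable

    # --- FORWARD: traffic routed between LAN and WAN ---
    $IPT -A FORWARD -m state --state INVALID -j DROP
    # Replies belonging to connections the LAN opened. Without this rule the
    # FORWARD policy eats the return packets and every NAT'd connection
    # stalls after the first SYN.
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # New connections: LAN -> WAN only, and only from our own subnet.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    # Nothing accepts new WAN -> LAN connections, so the DROP policy applies.

    # --- NAT: rewrite LAN sources to the WAN address on the way out ---
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    # Turn forwarding on last: enabling it before the FORWARD rules exist
    # would briefly route anything between the two interfaces. rp_filter
    # drops packets arriving on an interface their source could not be behind.
    $SYSCTL -w net.ipv4.conf.all.rp_filter=1
    $SYSCTL -w net.ipv4.ip_forward=1
}

# Print the commands instead of running them (no root needed).
dry_run_rules() { IPT=dry SYSCTL=dry apply_ruleset; }

# The listings David recommends, with -n so DNS lookups cannot stall them.
show_status() {
    $IPT -L INPUT -v -n
    $IPT -L FORWARD -v -n
    $IPT -t nat -L POSTROUTING -v -n
}

case "${1:-}" in
    apply) apply_ruleset && show_status ;;   # needs root
    *)     dry_run_rules ;;                  # default: show, don't touch
esac
```

To keep the rules across reboots on Fedora of this era, run the script once with `apply`, then `service iptables save`, which writes the live rules to /etc/sysconfig/iptables, and leave the iptables service enabled (`chkconfig iptables on`); add `net.ipv4.ip_forward = 1` to /etc/sysctl.conf as David says so forwarding survives too. Loading the rules from rc.local works, but they are lost again the moment `service iptables restart` reloads the saved set.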
AK47
7th February 2009, 02:35 PM
Thank you to fnmblot and David Becker!! You guys are awesome!!! I am happy to report that I am making this post from my office computer behind my new Fedora 10 firewall! :) I set up the iptables rules as suggested and also checked my ifcfg-eth0 config file. The config file for eth0 (internal NIC) had my netmask set as 192.168.7.1, the same as my address, even though that wasn't showing in the Network config interface?? That was why I couldn't ping my server or otherwise access it from the internal network, and the iptables rules and commands helped me clean up the default rules put in place after a service restart.
Now that I am able to get back on the net from my LAN, I will have to find time to configure everything else on the server: web server, email, DHCP, etc... I may be back with more questions :)
Thanks again!
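The netmask mistake AK47 describes (NETMASK set to the interface's own address) is easy to miss in the GUI and silently breaks reachability on the local subnet. The following is an added check, not part of the thread or of Fedora's network scripts, that reads an ifcfg-ethX file of the form fnmblot posted and verifies the static addressing: the address parses, the mask is a real mask, and any GATEWAY sits inside the interface's subnet. The file names and the constructed sample it runs on by default are assumptions.

```shell
#!/bin/sh
# Sanity-check the static addressing in an ifcfg-ethX file before bringing
# the interface up. Added example, not from the thread or from Fedora's
# network scripts. It catches the mistake from the thread (NETMASK set to
# the host address, 192.168.7.1, instead of a mask) and a gateway outside
# the interface's subnet. Pass ifcfg files as arguments; with none it runs
# on a constructed copy of the broken config.

# Dotted quad -> 32-bit integer on stdout; returns 1 on anything malformed.
quad_to_int() {
    case $1 in *[!0-9.]*|'') return 1 ;; esac   # digits and dots only, so the
    oldifs=$IFS; IFS=.                          # unquoted split below is safe
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|0[0-9]*) return 1 ;; esac  # empty octet or leading zero
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# A netmask is a run of ones followed by zeros, so the inverted mask plus
# one must be a power of two (192.168.7.1 fails this, 255.255.255.0 passes).
is_netmask() {
    m=$(quad_to_int "$1") || return 1
    inv=$(( ~m & 0xffffffff ))
    [ $(( (inv + 1) & inv )) -eq 0 ]
}

# Read KEY=value from an ifcfg file without sourcing it: sourcing would run
# any shell the file happens to contain, and these root-owned files are
# rewritten by other tools.
ifcfg_get() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '"'
}

# Returns 0 when IPADDR, NETMASK and GATEWAY are consistent, 1 otherwise,
# with a one-line finding on stdout.
check_ifcfg() {
    f=$1
    case $(ifcfg_get "$f" BOOTPROTO) in
        dhcp) echo "$f: BOOTPROTO=dhcp, nothing static to check"; return 0 ;;
    esac
    ip=$(ifcfg_get "$f" IPADDR)
    mask=$(ifcfg_get "$f" NETMASK)
    gw=$(ifcfg_get "$f" GATEWAY)
    a=$(quad_to_int "$ip") || { echo "$f: IPADDR '$ip' is not an IPv4 address"; return 1; }
    is_netmask "$mask"     || { echo "$f: NETMASK '$mask' is not a valid netmask"; return 1; }
    m=$(quad_to_int "$mask")
    [ -z "$gw" ] && { echo "$f: ok (no gateway, normal for the LAN side)"; return 0; }
    g=$(quad_to_int "$gw") || { echo "$f: GATEWAY '$gw' is not an IPv4 address"; return 1; }
    [ $(( a & m )) -eq $(( g & m )) ] \
        || { echo "$f: GATEWAY $gw is outside $ip/$mask"; return 1; }
    echo "$f: ok"
}

# Constructed ifcfg-eth0 reproducing the thread's mistake (not a real file).
demo() {
    tmp=$(mktemp)
    printf 'DEVICE=eth0\nBOOTPROTO=none\nIPADDR=192.168.7.1\nNETMASK=192.168.7.1\nONBOOT=yes\n' > "$tmp"
    check_ifcfg "$tmp"
    rm -f "$tmp"
}

if [ $# -gt 0 ]; then
    for f in "$@"; do check_ifcfg "$f"; done
else
    demo
fi
```

Run it over every static interface, for example `sh check-ifcfg.sh /etc/sysconfig/network-scripts/ifcfg-eth*`, before `service network restart`; on a DHCP interface it only reports that there is nothing static to check.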
huynhvx
13th February 2009, 04:44 AM
Where does the entry for the masquerading setup go?
AK47
17th February 2009, 12:14 AM
If you are referring to the iptables commands, they would go in /etc/rc.d/rc.local