Hi David,

On 03/30/2017 04:03 PM, David Sommerseth wrote:
> On 30/03/17 20:53, Brown, Christopher A wrote:
>> Hi list users,
>>
>> I am not a network administrator and know only a little bit about the
>> topic. I need to set up a switch in my lab, so that I can have a wifi
>> access point and an SL7 desktop computer on the same network, as I need
>> to be able to connect to the pc using a tablet. My administrator does
>> not allow switches to be on the network, so I need two network adapters
>> on my desktop, one for internet, and one on the local switch.
>>
>> I tried a nominal setup at home first, with my home wifi access point,
>> router/switch and using only a single adapter. I managed to open the
>> required ports using firewalld, and my setup works great at home, where
>> I can connect a tablet over wifi and access my desktop as I need. The
>> only problem I see there is that the ports I opened are open to the
>> world, but since that was temporary for testing, it was fine. They are
>> now closed.
>>
>> I bought a usb ethernet adapter, which shows up as a network interface
>> on my lab computer. I now need to configure my lab computer as follows.
>> I would like the onboard network adapter to be the default (used for web
>> browsing etc), and use default settings (public zone, etc). And I would
>> like the new usb network adapter to have the required ports open, so
>> that I can access that computer over wifi with my local switch.
>>
>> As I said, I have used firewall-cmd to open and close ports. I know a
>> little bit, but not enough to accomplish what I describe above.
>>
>> Can anyone help with this? Just let me know if more information is needed.
> As you are not allowed to add a switch on your network, I do not
> recommend a bridged setup, where the "internet" interface you already
> have is joined together with the USB ethernet adapter.  This would in
> effect function just like a switch managed by the Linux kernel.
>
> So you basically need to configure your computer as a router.  There are a
> few steps needed to manage this.

I don't think I explained my needs clearly. I don't need the tablet to
have internet access, only to have access to the pc. So I don't (think
I) need the pc to be a router. I just need it to be accessible by the
tablet. I am using an android app called unified remote to access the
pc, and there is a server app to install on the pc. The tablet will
control experiments that will be running on the pc. That is the only
access the tablet will need. I was hoping that by using two network
interfaces, I could still access the internet from the pc as normal with
the second interface.

Chris

>
>
> 1) Enable IP forwarding.  This is done through sysctl.  To make it
> persistent you need to add the following setting into a file in
> /etc/sysctl.d (or just update the 99-sysctl.conf).
>
>      # sysctl net.ipv4.ip_forward=1
>
>
> 2) Enable firewalling and NAT.  You mention you've looked at
> firewall-cmd.  My experience with that tool in a routing/gateway setup
> is not too ideal.  But you need a few iptables rules.  I will let you
> figure out how to do this via firewall-cmd.
>
> I will here presume your "internet" NIC is named eth0 and your USB
> interface is named usb0.  I also presume usb0 is given the IP address
> 192.168.33.1/24.
>
>      # Allow traffic to be initiated from the USB interface to
>      # anywhere else.  And allow established connections to
>      # flow freely and unrestricted.
>      # iptables -I FORWARD -i usb0 -m conntrack --ctstate NEW \
>                 -j ACCEPT
>      # iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED \
>                -j ACCEPT
>
>      # Enable NAT for the usb0 interface, restrict the NAT to
>      # the 192.168.33.0/24 subnet
>      # iptables -t nat -I POSTROUTING -o eth0 -s 192.168.33.0/24 \
>                 -j MASQUERADE
>
> This masquerading will make all your devices connected to usb0 look like
> they are coming from your "internet connected computer".
>
> These rules will be wiped upon boot, so it is important you find a way
> how to make this persistent and activated at boot.  On my SL/RHEL based
> firewalls, I don't use firewalld but have installed iptables-services
> which brings back the old iptables tools (so you can do: service
> iptables save).  But be careful using iptables-services and firewalld at
> the same time - they will interfere with each other.  (On
> non-firewalls/gateways/routers, I use only firewalld - which works fine
> in those roles)
>
>
> 3) Configure the usb0 interface ... this is done through NetworkManager
> tools or /etc/sysconfig/network-scripts/ifcfg-usb0.  For a minimal
> ifcfg-usb0 file you need something like:
>
>       DEVICE="usb0"
>       TYPE="Ethernet"
>       ONBOOT="yes"
>       NOZEROCONF="yes"
>       HWADDR="xx:xx:xx:xx:xx:xx"
>       BOOTPROTO="static"
>       IPADDR="192.168.33.1"
>       PREFIX="24"
>       NAME="usb0"
>
> See /usr/share/doc/initscripts-*/sysconfig.txt for more information
> about these sysconfig files.
>
>
> 4) (optional) Configure a DHCP server to serve on usb0.  This enables
> automatic network configuration of your clients connected to usb0.
> Without this, you need to resort to manually configuring each device.
>
> I like dhcpd, as that's what I've become used to.  But dnsmasq can also
> do this job well.
>
> A very simple dhcpd.conf can be something like this:
>
>      ddns-update-style none;
>      authoritative;
>      group {
>           option routers 192.168.33.1;
>           option domain-name-servers 8.8.8.8;
>
>           subnet 192.168.33.0 netmask 255.255.255.0 {
>                 range 192.168.33.100 192.168.33.199;
>                 default-lease-time 86400;
>           }
>      }
>
> (this config is not tested, just something put together on-the-fly).
> See more details in /etc/sysconfig/dhcpd too.
>
> Be careful not to start dhcpd listening and responding to DHCP requests
> on your internet interface, that will make a lot of users complain.  But
> as long as the "subnet" section does not overlap with a subnet on your
> "internet" interface, you should be safe.
>
> Then it is just to start the dhcpd service.
>
>      # systemctl start dhcpd
>
>
> This should in most cases get you started.  And again, I have not tested
> this exact example - it is pulled together on-the-fly now for this
> e-mail.  There might be silly mistakes or other kinds of typos here.
>
>

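As an added example (not from this thread and not written by either David or Chris), the following POSIX shell script checks the addressing of a two-NIC setup like the one quoted above before anything is applied, and prints the resulting rule set for review instead of executing it. It catches the kind of slip David warns about: a dhcpd range that leaks outside its subnet (a one-character typo such as "92.168.33.199" is still a valid address, just somebody else's), or a LAN subnet that overlaps the "internet" side. The interface names eth0/usb0 and the 192.168.33.0/24 subnet are taken from David's assumptions; the service port 9999, the sysctl file name 99-router.conf and the use of firewalld's built-in "internal" zone are my own placeholders. The firewall-cmd lines are the zone-per-interface approach Chris asked about (open the port only on usb0, leave eth0 in the public zone); as David notes, do not run them alongside iptables-services.

```shell
#!/bin/sh
# Added example, not part of the original thread. Validates the addressing of
# a two-NIC setup and renders the rules as text for review. Interface names,
# subnet, port and file name below are assumptions/placeholders.

WAN_IF=eth0
LAN_IF=usb0
LAN_NET=192.168.33.0/24
SVC_PORT=9999            # placeholder, not the real port of the remote app

# ip_to_int A.B.C.D -> prints the address as an integer; returns 1 and prints
# nothing if it is not four octets in 0..255
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR CIDR -> exit status 0 when ADDR lies inside CIDR
in_subnet() {
    ip=$(ip_to_int "$1") || return 1
    net=$(ip_to_int "${2%/*}") || return 1
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# subnets_overlap CIDR1 CIDR2 -> status 0 when the two ranges share addresses
# (the dhcpd subnet must not overlap the "internet" interface's subnet)
subnets_overlap() {
    in_subnet "${1%/*}" "$2" || in_subnet "${2%/*}" "$1"
}

# check_dhcp_range CIDR START END -> prints "ok" when both ends of the pool
# are inside CIDR and START <= END, otherwise "bad". "92.168.33.199" parses
# as a valid address, so it is in_subnet, not ip_to_int, that rejects it.
check_dhcp_range() {
    s=$(ip_to_int "$2") && e=$(ip_to_int "$3") &&
        in_subnet "$2" "$1" && in_subnet "$3" "$1" && [ "$s" -le "$e" ] &&
        echo ok || echo bad
}

# render_rules -> the forwarding/NAT rules from the quoted mail plus the
# firewalld per-interface alternative. Printed, never executed here.
render_rules() {
    cat <<EOF
# persist in /etc/sysctl.d/99-router.conf (assumed file name); only needed
# if clients on $LAN_IF must reach the internet through this host
net.ipv4.ip_forward = 1
iptables -I FORWARD -i $LAN_IF -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -I POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
# firewalld-only alternative when the tablet just needs to reach this PC:
# bind $LAN_IF to its own zone and open the port there; $WAN_IF stays public
firewall-cmd --permanent --zone=internal --change-interface=$LAN_IF
firewall-cmd --permanent --zone=internal --add-port=$SVC_PORT/tcp
firewall-cmd --reload
EOF
}

# Demo on constructed values; the second range carries the typo from the
# quoted dhcpd.conf and is reported as bad.
echo "range 192.168.33.100-192.168.33.199: $(check_dhcp_range $LAN_NET 192.168.33.100 192.168.33.199)"
echo "range 192.168.33.100-92.168.33.199:  $(check_dhcp_range $LAN_NET 192.168.33.100 92.168.33.199)"
if subnets_overlap $LAN_NET 192.168.1.0/24; then echo "LAN overlaps WAN side!"; else echo "no overlap with 192.168.1.0/24"; fi
render_rules
```

Run it as-is to see the checks and the rendered rules; adjust the variables at the top to your real interface names and subnet, and only then copy the printed lines into sysctl.d, iptables-services or firewall-cmd.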