Dear All,
If all of the services (including the firewall) are on the same server, and the server uses a private IP and connects to the router/hub... then NAT (the iptables function) is used to transfer the IP address (public <-> private)... So, is there a need to define an external area (public IP network) of DNS for other clients (Internet)? If needed, is there a simple sample for reference?
Edward.
On Sun, 2007-04-01 at 22:13 +0800, edwardspl@ita.org.mo wrote:
> If all of the services (including the firewall) are on the same server, and the server uses a private IP and connects to the router/hub... then NAT (the iptables function) is used to transfer the IP address (public <-> private)... So, is there a need to define an external area (public IP network) of DNS for other clients (Internet)? If needed, is there a simple sample for reference?
I really can't understand what you're asking; I'm just making a wild guess that you're asking whether you need to use views if your server is part public and part private. If that's the case, no.
I have a private LAN that's all one subnet behind a NAT modem/router. It has a DNS server which resolves local addresses for local machines, and it also acts as the DNS server for those machines to query for internet addresses. Any machine that can access it will get the same answers for queries. It's not publicly accessible, though.
Tim wrote:
> On Sun, 2007-04-01 at 22:13 +0800, edwardspl@ita.org.mo wrote:
>> If all of the services (including the firewall) are on the same server, and the server uses a private IP and connects to the router/hub... then NAT (the iptables function) is used to transfer the IP address (public <-> private)... So, is there a need to define an external area (public IP network) of DNS for other clients (Internet)? If needed, is there a simple sample for reference?
> I really can't understand what you're asking; I'm just making a wild guess that you're asking whether you need to use views if your server is part public and part private. If that's the case, no.
> I have a private LAN that's all one subnet behind a NAT modem/router. It has a DNS server which resolves local addresses for local machines, and it also acts as the DNS server for those machines to query for internet addresses. Any machine that can access it will get the same answers for queries. It's not publicly accessible, though.
Hello,
Does your system look like the following sample?
e.g. for the public IP (from the ISP):
IP range: 202.175.123.123 ~ 202.175.123.129 (I want 202.175.123.123 transferred to the 192.168.0.1 server machine)
subnet mask: 255.255.255.240 (I want to transfer to 255.255.255.0)
Router IP: 202.175.123.128 (So, how to transfer to 192.168.0.254, due to via the router machine first!)
For the private IP (all of the servers under the LAN environment):
IP: 192.168.0.1 (I want to transfer to 202.175.123.123)
subnet mask: 255.255.255.0 (I want to transfer to 255.255.255.240)
Router IP: 192.168.0.254 (I want to transfer to 202.175.123.128)
For the client IPs (via NAT + DHCP of the server):
IP: 192.168.1.1 ~ 192.168.1.50
Edward.
On Sun, 2007-04-01 at 23:42 +0800, edwardspl@ita.org.mo wrote:
> Does your system look like the following sample?
> e.g. for the public IP (from the ISP): IP range: 202.175.123.123 ~ 202.175.123.129 (I want 202.175.123.123 transferred to the 192.168.0.1 server machine)
Your router needs to associate those last two addresses together. Are you using a configurable one?
Depending on your network, you might connect 202.175.123.123 to 192.168.0.1 with rules. You might set that computer to use 202.175.123.123 as its address, directly. If you have a series of public addresses that you can use, you *can* use them directly.
> subnet mask: 255.255.255.240 (I want to transfer to 255.255.255.0)
Don't know what you mean.
> Router IP: 202.175.123.128 (So, how to transfer to 192.168.0.254, due to via the router machine first!)
Can't understand that, either. It's an incoherent mix of words.
How is your network physically set up? Do you have a modem connected to a router, connected to a network of computers? Is the modem a combination modem and router? Is your router a "router" or a computer working as one? How are the other computers connected?
> For the private IP (all of the servers under the LAN environment): IP: 192.168.0.1 (I want to transfer to 202.175.123.123) subnet mask: 255.255.255.0 (I want to transfer to 255.255.255.240) Router IP: 192.168.0.254 (I want to transfer to 202.175.123.128)
> For the client IPs (via NAT + DHCP of the server): IP: 192.168.1.1 ~ 192.168.1.50
Don't know what you mean. You want to set up a DHCP server to dole out those addresses? You want to enable NAT?
Tim wrote:
> On Sun, 2007-04-01 at 23:42 +0800, edwardspl@ita.org.mo wrote:
>> Does your system look like the following sample?
>> e.g. for the public IP (from the ISP): IP range: 202.175.123.123 ~ 202.175.123.129 (I want 202.175.123.123 transferred to the 192.168.0.1 server machine)
> Your router needs to associate those last two addresses together. Are you using a configurable one?
> Depending on your network, you might connect 202.175.123.123 to 192.168.0.1 with rules. You might set that computer to use 202.175.123.123 as its address, directly. If you have a series of public addresses that you can use, you *can* use them directly.
>> subnet mask: 255.255.255.240 (I want to transfer to 255.255.255.0)
> Don't know what you mean.
>> Router IP: 202.175.123.128 (So, how to transfer to 192.168.0.254, due to via the router machine first!)
> Can't understand that, either. It's an incoherent mix of words.
> How is your network physically set up? Do you have a modem connected to a router, connected to a network of computers? Is the modem a combination modem and router? Is your router a "router" or a computer working as one? How are the other computers connected?
>> For the private IP (all of the servers under the LAN environment): IP: 192.168.0.1 (I want to transfer to 202.175.123.123) subnet mask: 255.255.255.0 (I want to transfer to 255.255.255.240) Router IP: 192.168.0.254 (I want to transfer to 202.175.123.128)
>> For the client IPs (via NAT + DHCP of the server): IP: 192.168.1.1 ~ 192.168.1.50
> Don't know what you mean. You want to set up a DHCP server to dole out those addresses? You want to enable NAT?
Hello,
After applying for a leased line connection to the Internet from the ISP, there is a segment of IP addresses (public IPs) and also a router machine (the firewall function can't be enabled on it) from the ISP:
For sample: IP range: 202.175.123.123 ~ 202.175.123.129, subnet mask: 255.255.255.240, Router IP: 202.175.123.128
Now, I'm setting up an Internet server (all services on the same machine). There are two interfaces on the server, Ethernet 0 and Ethernet 1:
Ethernet 0 for connecting with HUB_A and the router, but I want to use a private IP address (e.g. 192.168.0.1) instead of a public IP (e.g. 202.175.123.123)
Ethernet 1 for connecting with HUB_B, providing NAT + DHCP for clients (IP range: 192.168.1.0/24)
So... how to configure the firewall rules using iptables under the following conditions:
1. how to clear up the default settings?
2. how to disable all services?
3. how to enable the services which are needed?
4. how to transfer the IP address (public from/to private)?
5. how to enable NAT + DHCP for client users to connect to the Internet?
Edward.
On Mon, 2007-04-02 at 21:05 +0800, edwardspl@ita.org.mo wrote:
> After applying for a leased line connection to the Internet from the ISP, there is a segment of IP addresses (public IPs) and also a router machine (the firewall function can't be enabled on it) from the ISP: For sample: IP range: 202.175.123.123 ~ 202.175.123.129, subnet mask: 255.255.255.240, Router IP: 202.175.123.128
> Now, I'm setting up an Internet server (all services on the same machine). There are two interfaces on the server, Ethernet 0 and Ethernet 1: Ethernet 0 for connecting with HUB_A and the router, but I want to use a private IP address (e.g. 192.168.0.1) instead of a public IP (e.g. 202.175.123.123)
You'll need to configure the router to tie those addresses together.
> Ethernet 1 for connecting with HUB_B, providing NAT + DHCP for clients (IP range: 192.168.1.0/24)
> So... how to configure the firewall rules using iptables under the following conditions: 1. how to clear up the default settings?
Command line or GUI?
CLI: Learn how to use iptables.
GUI: You can use, in Gnome, the System menu, Administration sub-menu, Security level and firewall GUI. You can use Firestarter (install it).
> 2. how to disable all services?
CLI: Learn how to use chkconfig.
GUI: In Gnome it's found at: System menu, Administration sub-menu, Services (perhaps inside a Server settings sub-menu). Turn off what's not needed, and what you don't want.
We can't really advise on everything that can be turned off; we don't know what you need. I'd advise that on a server, you configure NTPD to run. You want your logging to have reliable time, and it'd be good for it to allow local PCs (on your LAN) to synchronise their clocks with it.
> 3. how to enable the services which are needed?
Opposite of the above steps.
> 4. how to transfer the IP address (public from/to private)?
Iptables, using the nat table on Linux, but you need to do that in your router.
> 5. how to enable NAT + DHCP for client users to connect to the Internet?
Set up the DHCP server on a machine. Configure it with addresses for your LAN PCs to use for their DNS server and gateway (the router LAN IP). Enable NAT on the gateway device (your router).
Tim wrote:
> On Sun, 2007-04-01 at 22:13 +0800, edwardspl@ita.org.mo wrote:
>> If all of the services (including the firewall) are on the same server, and the server uses a private IP and connects to the router/hub... then NAT (the iptables function) is used to transfer the IP address (public <-> private)... So, is there a need to define an external area (public IP network) of DNS for other clients (Internet)? If needed, is there a simple sample for reference?
> I really can't understand what you're asking; I'm just making a wild guess that you're asking whether you need to use views if your server is part public and part private. If that's the case, no.
> I have a private LAN that's all one subnet behind a NAT modem/router. It has a DNS server which resolves local addresses for local machines, and it also acts as the DNS server for those machines to query for internet addresses. Any machine that can access it will get the same answers for queries. It's not publicly accessible, though.
Hello,
Sorry, because the firewall function can't be enabled on the router, we can only enable the firewall function by using Linux... So, how to configure the DNS and the NAT function?
Edward.
On Sun, 2007-04-01 at 23:51 +0800, edwardspl@ita.org.mo wrote:
> Sorry, because the firewall function can't be enabled on the router, we can only enable the firewall function by using Linux... So, how to configure the DNS and the NAT function?
You'd use iptables rules to do firewalling and NAT. You can write them by hand, or use a configuration tool like firestarter (firestarter is *not* something that I have experience with). See the iptables man file for how to do that, but if that appears too hard, look at firestarter. There are a couple of GUI tools for setting them up, but I think that's recommended as one of the easier ones.
For generic firewalling, you'd set up a rule that dropped all new connections by default. Then you'd add specific rules to allow *some* things. You'd do this on any machine, itself, that was publicly accessible.
Which leads to linking public IPs to local LAN IPs. You could use forwarding rules to pass all connections to a specific public address to an internal one, or more specific rules just for certain ports (such as running a webserver). There are specific iptables rule types for NAT purposes (nat and prerouting), rather than just port forwarding rules. I haven't played with NAT tied into public IPs, so that's beyond my experience. You'd want to do things that way, though, if you want a machine in your LAN to act as if directly on the internet.
I think that's getting beyond the free help on a mailing list, though. You need to know quite a bit about how networking works, before you can use the tools to set it up. If you knew that, you ought to be able to work out how to use the tools. It sounds like you need to read more about that, first.
Then you mention DNS. Again, it's too vaguely worded. Are you setting up a DNS server so all your LAN PCs can use it to resolve LAN addresses? Or for it to resolve internet addresses for them? Or for it to answer public queries for your own domain name?
NB: I think some things are getting lost in translation. You might also want to write it in your native tongue, you might get a direct reply from someone who knows exactly what you mean.
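As an added example (not code from the thread, and not something either Edward or Tim posted), here is the setup Tim sketches in his last reply and the DHCP/NAT answer from his earlier one, written as a POSIX shell script that generates an iptables-restore ruleset and an ISC dhcpd subnet stanza: default DROP on INPUT and FORWARD, a few explicit ACCEPTs, a PREROUTING DNAT rule for the public-to-private direction and a POSTROUTING SNAT rule for the private-to-public direction. The addresses are taken from Edward's sample; it follows Tim's suggestion of putting the public address 202.175.123.123 directly on the outside interface, since the ISP router can't do any firewalling. The interface names eth0/eth1, the box's own LAN address 192.168.1.254, the internal web server 192.168.1.10 and the single forwarded port 80 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: generate (and optionally apply) the
# firewall/NAT ruleset and the DHCP subnet stanza for a Linux box that sits
# between the ISP router (eth0) and the LAN clients (eth1).
set -eu

WAN_IF=eth0                 # assumed: interface towards HUB_A / ISP router
WAN_IP=202.175.123.123      # public address from Edward's sample, set on eth0 directly
LAN_IF=eth1                 # assumed: interface towards HUB_B
LAN_IP=192.168.1.254        # assumed: this box's LAN address, outside the DHCP range
LAN_NET=192.168.1.0/24      # client network from the thread
WEB_SERVER=192.168.1.10     # assumed: internal host that should receive port 80

# Print the complete ruleset in iptables-restore(8) format. Lines starting
# with '#' are skipped by iptables-restore, so the file documents itself.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, and replies to connections this box or the LAN already opened.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Services this box offers, reachable from the LAN side only:
# SSH for administration, DNS and DHCP for the clients.
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN_IF -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -p udp --dport 67 -j ACCEPT
# LAN clients may open connections to the Internet.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
# From the Internet, only the published port may be forwarded in
# (destination is already rewritten by the PREROUTING DNAT rule below).
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_SERVER -p tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Public -> private: port 80 on the public address goes to the internal web server.
-A PREROUTING -i $WAN_IF -d $WAN_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER:80
# Private -> public: LAN clients leave with the public address as source.
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $WAN_IP
COMMIT
EOF
}

# Print the ISC dhcpd subnet stanza: clients get Edward's address range and
# use this box as both default gateway and DNS server.
gen_dhcpd_conf() {
    cat <<EOF
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.1 192.168.1.50;
    option routers $LAN_IP;
    option domain-name-servers $LAN_IP;
    default-lease-time 3600;
    max-lease-time 86400;
}
EOF
}

# Load the ruleset atomically and turn on routing between the two interfaces
# (needs root; forwarding is off by default so nothing passes until the
# DROP policies and ACCEPT rules above are in place).
apply_rules() {
    gen_rules | iptables-restore
    sysctl -w net.ipv4.ip_forward=1
}

case "${1:-show}" in
    show)  gen_rules; gen_dhcpd_conf ;;
    apply) apply_rules ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it without arguments to review the generated ruleset and DHCP stanza; `apply` loads the rules with iptables-restore, which replaces the whole table in one step instead of leaving the box half-configured between individual `iptables` commands. Forwarding is only switched on after the rules are loaded, and the DNAT rule is matched by a separate FORWARD ACCEPT limited to the rewritten destination, so the NAT entry alone does not open anything that the filter table has not explicitly allowed.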