How to create a dhcp server for intranet (with multi-homed alias)?
zenny
27th February 2008, 14:40
To make clear what I want to do, I explain my network:
1. GW+firewall (public IP address)
2. mail and web server (public IP address)
3. Several workstations with public IP addresses
I want to make one of the workstations a DHCP server and gateway for the LAN with a single NIC (multi-homing, like eth0 for the internet and eth0:0 for the intranet).
I installed dnsmasq on the workstation that I am using and then multi-homed it. Specified interface=eth0:0 in dnsmasq.conf, added the necessary parameters for eth0:0 in /etc/network/interfaces. Then installed firehol and created a configuration (firehol.conf) like this:
# Require release 5 of FireHOL configuration directives
version 5
# A space separated list of all the IPs on the internet, I trust
office="gw.mydomain.tld"
# The IP address of this Linux and LAN for the rest of the world
public_ip="aaa.xxx.yyy.zzz"
# My LAN. Everything is allowed here.
interface eth0:0 lan
policy accept # The default is 'drop'.
# Make sure the traffic coming in, comes from valid Internet IPs,
# and that is targeting my public IP
interface eth0 internet src not "$UNROUTABLE_IPS" dst "$public_ip"
# Protect me from various kinds of attacks.
protection strong
# Public servers.
server smtp accept
server http accept
server ftp accept
server ssh accept src "$office"
# Make sure idents do not timeout.
server ident reject with tcp-reset
# This is also a workstation.
client all accept
# Route the LAN requests to the internet.
router lan2internet inface eth0:0 outface eth0
# Masquerading on outface.
masquerade
# Route all requests from inface to outface
# and their replies back.
route all accept
Still I could not manage to make the standalone workstation a DHCP server and gateway for the intranet using a multi-homed alias. Comments appreciated.
zenny
27th February 2008, 16:27
After changing the firehol.conf to the output of '/etc/init.d/firehol helpme > /tmp/firehol.conf', I could get access to the internet, but it does NOT seem to be broadcasting (using dnsmasq) DHCP addresses to the local net using eth0:0 :( How can I identify the reason why DHCP is not broadcast? Wondering.
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
xxx.yyy.zzz.aaa * 255.255.255.192 U 0 0 0 eth0
192.168.7.0 * 255.255.255.0 U 0 0 0 eth0
default gw.mydomain.tld 0.0.0.0 UG 0 0 0 eth0
The firehol.conf looks like this now:
#!/sbin/firehol
# ------------------------------------------------------------------------------
# This feature is under construction -- use it with care.
# *** NEVER USE THIS CONFIG AS-IS ***
#
# : firehol.sh,v 1.256 2007/05/22 22:52:53 ktsaou Exp $
# (C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
# FireHOL is distributed under GPL.
# Home Page: http://firehol.sourceforge.net
#
# ------------------------------------------------------------------------------
# FireHOL controls your firewall. You should want to get updates quickly.
# Subscribe (at the home page) to get notified of new releases.
# ------------------------------------------------------------------------------
#
# This config will have the same effect as NO PROTECTION!
# Everything that found to be running, is allowed.
#
# Date: Wed Feb 27 14:25:37 CET 2008 on host multiwork
#
# The TODOs bellow, are YOUR to-dos!
### DEBUG: Processing interface 'eth0'
### DEBUG: Processing IP 192.168.7.2 of interface 'eth0'
### DEBUG: Is 192.168.7.2 part of network 192.168.7.0/24? yes
### DEBUG: Is 192.168.7.2 part of network xxx.yyy.zzz.128/26? no
# Interface No 1.
# The purpose of this interface is to control the traffic
# on the eth0 interface with IP 192.168.7.2 (net: "192.168.7.0/24").
# TODO: Change "interface1" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
# TODO: Remove 'dst 192.168.7.2' if this is dynamically assigned.
interface eth0 interface1 src "192.168.7.0/24" dst 192.168.7.2
# The default policy is DROP. You can be more polite with REJECT.
# Prefer to be polite on your own clients to prevent timeouts.
policy reject
# If you don't trust the clients behind eth0 (net "192.168.7.0/24"),
# add something like this.
# > protection strong
# Here are the services listening on eth0.
# TODO: Normally, you will have to remove those not needed.
server cups accept
server dhcp accept
server dns accept
server ICMP accept
# The following eth0 server ports are not known by FireHOL:
# udp/33222
# TODO: If you need any of them, you should define new services.
# (see Adding Services at the web site - http://firehol.sf.net).
# The following means that this machine can REQUEST anything via eth0.
# TODO: On production servers, avoid this and allow only the
# client services you really need.
client all accept
### DEBUG: Is xxx.yyy.zzz.190 part of network 192.168.7.0/24? no
### DEBUG: Processing IP xxx.yyy.zzz.157 of interface 'eth0'
### DEBUG: Is xxx.yyy.zzz.157 part of network 192.168.7.0/24? no
### DEBUG: Is xxx.yyy.zzz.157 part of network xxx.yyy.zzz.128/26? yes
# Interface No 2.
# The purpose of this interface is to control the traffic
# on the eth0 interface with IP xxx.yyy.zzz.157 (net: "xxx.yyy.zzz.128/26").
# TODO: Change "interface2" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
# TODO: Remove 'dst xxx.yyy.zzz.157' if this is dynamically assigned.
interface eth0 interface2 src "xxx.yyy.zzz.128/26" dst xxx.yyy.zzz.157
# The default policy is DROP. You can be more polite with REJECT.
# Prefer to be polite on your own clients to prevent timeouts.
policy drop
# If you don't trust the clients behind eth0 (net "xxx.yyy.zzz.128/26"),
# add something like this.
protection strong
# Here are the services listening on eth0.
# TODO: Normally, you will have to remove those not needed.
server cups accept
server dhcp accept
server dns accept
server ICMP accept
# The following eth0 server ports are not known by FireHOL:
# udp/33222
# TODO: If you need any of them, you should define new services.
# (see Adding Services at the web site - http://firehol.sf.net).
# The following means that this machine can REQUEST anything via eth0.
# TODO: On production servers, avoid this and allow only the
# client services you really need.
client all accept
### DEBUG: Is xxx.yyy.zzz.190 part of network xxx.yyy.zzz.128/26? yes
### DEBUG: Default gateway xxx.yyy.zzz.190 is part of network xxx.yyy.zzz.128/26
# Interface No 3.
# The purpose of this interface is to control the traffic
# from/to unknown networks behind the default gateway xxx.yyy.zzz.190 .
# TODO: Change "interface3" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
# TODO: Remove 'dst xxx.yyy.zzz.157' if this is dynamically assigned.
interface eth0 interface3 src not "${UNROUTABLE_IPS} xxx.yyy.zzz.128/26" dst xxx.yyy.zzz.157
# The default policy is DROP. You can be more polite with REJECT.
# Prefer to be polite on your own clients to prevent timeouts.
policy drop
# If you don't trust the clients behind eth0 (net not "${UNROUTABLE_IPS} xxx.yyy.zzz.128/26"),
# add something like this.
# > protection strong
# Here are the services listening on eth0.
# TODO: Normally, you will have to remove those not needed.
server cups accept
server dhcp accept
server dns accept
server ICMP accept
# The following eth0 server ports are not known by FireHOL:
# udp/33222
# TODO: If you need any of them, you should define new services.
# (see Adding Services at the web site - http://firehol.sf.net).
# The following means that this machine can REQUEST anything via eth0.
# TODO: On production servers, avoid this and allow only the
# client services you really need.
client all accept
# The above 3 interfaces were found active at this moment.
# Add more interfaces that can potentially be activated in the future.
# FireHOL will not complain if you setup a firewall on an interface that is
# not active when you activate the firewall.
# If you don't setup an interface, FireHOL will drop all traffic from or to
# this interface, if and when it becomes available.
# Also, if an interface name dynamically changes (i.e. ppp0 may become ppp1)
# you can use the plus (+) character to match all of them (i.e. ppp+).
# No router statements have been produced, because your server
# is not configured for forwarding traffic.
Any suggestion welcome! Thanks
zenny
28th February 2008, 10:40
The dnsmasq started broadcasting after I added the following in the /etc/dnsmasq.conf:
listen-address=127.0.0.1
interface=eth0
interface=eth0:0
However, the client machine could not access the Internet. I made the needed changes to /etc/resolv.conf (also replaced it with the opendns.org servers, without any result).
I am wondering what is preventing the client machine from accessing the Internet!
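Added example (Python, not from the thread): an audit of which addresses the dnsmasq.conf above makes answer DNS and DHCP when a single NIC carries both the public address and the intranet alias, beside a variant bound only to loopback and the intranet address. The interface table and the 203.0.113.157 placeholder for the public xxx.yyy.zzz.157 address are constructed.

```python
import ipaddress

# Constructed host view: one NIC with the public address and the intranet alias;
# 203.0.113.157/26 is a placeholder for the thread's xxx.yyy.zzz.157/26.
IFACES = {"lo": ["127.0.0.1/8"], "eth0": ["203.0.113.157/26", "192.168.7.2/24"]}
LAN = ipaddress.ip_network("192.168.7.0/24")
# The thread's working config (interface=eth0 covers every address on eth0)
# beside a hardened variant that binds only loopback and the intranet address.
THREAD_CONF = "listen-address=127.0.0.1\ninterface=eth0\ninterface=eth0:0\n" \
              "dhcp-range=192.168.7.100,192.168.7.200,12h\n"
HARDENED_CONF = "bind-interfaces\nlisten-address=127.0.0.1\n" \
                "listen-address=192.168.7.2\ndhcp-range=192.168.7.100,192.168.7.200,12h\n"

def parse(conf):
    """{option: [values]} for key=value lines; bare flags map to [""]."""
    opts = {}
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, val = line.partition("=")
            opts.setdefault(key, []).append(val)
    return opts

def dns_listeners(conf, ifaces=IFACES):
    """Addresses answering on port 53; the alias label eth0:0 is not an
    interface of its own, so interface=eth0:0 expands to all of eth0."""
    opts = parse(conf)
    addrs = set(opts.get("listen-address", []))
    for name in opts.get("interface", []):
        base = name.split(":")[0]
        addrs.update(str(ipaddress.ip_interface(c).ip) for c in ifaces.get(base, []))
    return addrs

def exposed_dns_listeners(conf, ifaces=IFACES, lan=LAN):
    """DNS listeners that are neither loopback nor inside the intranet."""
    return sorted(a for a in dns_listeners(conf, ifaces)
                  if not ipaddress.ip_address(a).is_loopback
                  and ipaddress.ip_address(a) not in lan)

def dhcp_listeners(conf, ifaces=IFACES):
    """Listening addresses whose subnet contains a dhcp-range start: only
    there does dnsmasq offer leases, so the public /26 gets none either way."""
    opts = parse(conf)
    starts = [ipaddress.ip_address(r.split(",")[0]) for r in opts.get("dhcp-range", [])]
    listening = dns_listeners(conf, ifaces)
    served = []
    for cidr in (c for cidrs in ifaces.values() for c in cidrs):
        addr = ipaddress.ip_interface(cidr)
        if str(addr.ip) in listening and any(s in addr.network for s in starts):
            served.append(str(addr.ip))
    return sorted(served)
```

A DNS listener on the public address is reachable from the internet whenever the firewall passes dns on eth0, which the generated firehol.conf above does with `server dns accept` in all three interface blocks.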
falko
28th February 2008, 20:22
Please check the client settings with
ifconfig
and
route -nee
What are the outputs of ping -c2 google.de
and
ping -c2 216.239.59.104?
zenny
29th February 2008, 13:02
Thanks Falko, please find below what you asked for (everything on the client machine).
Please check the client settings with
ifconfig
eth0 Link encap:Ethernet HWaddr 00:0F:FE:48:D4:94
inet addr:192.168.7.101 Bcast:192.168.7.255 Mask:255.255.255.0
inet6 addr: fe80::20f:feff:fe48:d494/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:238 errors:0 dropped:0 overruns:0 frame:0
TX packets:100 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:27179 (26.5 KB) TX bytes:10065 (9.8 KB)
Base address:0x1100 Memory:f0500000-f0520000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:356 errors:0 dropped:0 overruns:0 frame:0
TX packets:356 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:684472 (668.4 KB) TX bytes:684472 (668.4 KB)
and
route -nee
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface MSS Window irtt
192.168.7.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 0 0 0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eth0 0 0 0
0.0.0.0 192.168.7.2 0.0.0.0 UG 0 0 0 eth0 0 0 0
What are the outputs of ping -c2 google.de
PING google.de (66.249.93.104) 56(84) bytes of data.
From 192.168.7.2: icmp_seq=1 Redirect Host(New nexthop: gw.mydomain.tld (xxx.yyy.zzz.190))
From 192.168.7.2: icmp_seq=2 Redirect Host(New nexthop: gw.mydomain.tld (xxx.yyy.zzz.190))
and
ping -c2 216.239.59.104?
PING 216.239.59.104 (216.239.59.104) 56(84) bytes of data.
From 192.168.7.2: icmp_seq=1 Redirect Host(New nexthop: xxx.yyy.zzz.190)
From 192.168.7.2: icmp_seq=2 Redirect Host(New nexthop: xxx.yyy.zzz.190)
--- 216.239.59.104 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1000ms
zenny
29th February 2008, 14:45
I would like to add that there is a firewall at gw.mydomain.tld and it has in its firewall script (ip_chains) assigned two IP ranges for public and private: public IPs are xxx.yyy.56.zzz and private IPs are xxx.yyy.39.zzz.
And the machine that I am using as a DHCP server is in the 39 range, which will further broadcast DHCP to its subnet. Just to make it clear.
falko
29th February 2008, 14:46
Is 192.168.7.2 the correct gateway? Is this gateway connected directly to the internet?
zenny
29th February 2008, 15:10
192.168.7.2 is not connected to the internet, but assigned to the eth0:0 interface. eth0 has a public static IP but uses gw.mydomain.tld as gateway.
The machine on which I would like to create a local DHCP server (using dnsmasq), to create a parallel network to the existing one, is behind gw.mydomain.tld, and the gw has its own firewall.
zenny
29th February 2008, 16:16
Dear Falko:
Now the client machines can access the network after I installed ipmasq:
%apt-get install ipmasq
%dpkg-reconfigure ipmasq
%/etc/init.d/ipmasq start
Thanks Falko.