James B. Byrne
2008-Oct-21 19:02 UTC
[CentOS] OT: Setting a CentOS to gateway a private IP address
This is mildly off topic since it has more to do with TCP/IP networking
than with CentOS per se. However, at the risk of ruffling a few feathers
I would like some advice on how to resolve the following routing problem:

Given:
dual homed host running CentOS-5.2 with
  eth0 = 2xx.yyy.zzz.23
  eth1 = 192.168.219.1

and a Cisco gateway at 2xx.1xx.y7y.1 with the following networks:

interface FastEthernet0/1
 description connected to EthernetLAN
 ip address 10.0.0.1 255.0.0.0 secondary
 ip address 172.16.0.1 255.240.0.0 secondary
 ip address 192.168.71.1 255.255.255.0 secondary
 ip address 192.168.0.1 255.255.0.0 secondary
 ip address 2xx.yyy.zzz.1 255.255.255.0
 ip access-group 101 in
 ip inspect FastEthernet_0_1 in
 speed 100
 full-duplex
!
router rip
 version 2
 passive-interface FastEthernet0/0
 network 10.0.0.0
 network 172.16.0.0
 network 192.168.0.0
 network 2xx.yyy.zzz.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

and with the following routes on the CentOS host:

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.219.0   *               255.255.255.0   U     0      0        0 eth1
2xx.yyy.zzz.0   *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
default         gw-fibrewire    0.0.0.0         UG    0      0        0 eth0
# ip route
192.168.219.0/24 dev eth1  proto kernel  scope link  src 192.168.219.1
2xx.yyy.zzz.0/24 dev eth0  proto kernel  scope link  src 2xx.yyy.zzz.23
169.254.0.0/16 dev eth1  scope link
default via 2xx.yyy.zzz.1 dev eth0

The situation is this.

From the host itself I can ping 192.168.218.102 on 192.168.219.0/24

From any other host on 2xx.1xx.y7y.0/24 I can ping 192.168.219.1

From any other host on 2xx.1xx.y7y.0/24 I cannot ping 192.168.219.102

What setup steps on the CentOS host have I overlooked or what
configuration errors have I committed?

As I am a digest subscriber please use "reply all" so that I get an
immediate copy of any replies.

Regards,

--
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
James B. Byrne wrote:
> From any other host on 2xx.1xx.y7y.0/24 I cannot ping 192.168.219.102
>
> What setup steps on the CentOS host have I overlooked or what
> configuration errors have I committed?

Seems like you're trying to route through the linux box? Have you enabled
ip forwarding and checked your iptables ruleset to make sure that either
the default policy is ACCEPT or that you have specific rules in there
that allow forwarding?

[root at dc1-rhel5-32build001:~]# cat /proc/sys/net/ipv4/ip_forward
0
[root at dc1-rhel5-32build001:~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root at dc1-rhel5-32build001:~]#

In the above case ip forwarding is disabled and the default policy is
ACCEPT.

nate
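The two checks described in the reply above (the ip_forward flag and the FORWARD chain policy), combined into one script. This is an added example, not part of the thread: the function names are made up for illustration, the first sample listing is the FORWARD chain as quoted above, and the two DROP listings are constructed.

```shell
#!/bin/sh
# Added example: decide from captured output whether a Linux box will route
# transit traffic. Function names are illustrative, not from any package.

# Print the default policy of the FORWARD chain from `iptables -L -n` on stdin.
forward_policy() {
    awk '$1 == "Chain" && $2 == "FORWARD" { gsub(/[()]/, "", $4); print $4; exit }'
}

# Count ACCEPT rules that sit inside the FORWARD chain.
forward_accept_rules() {
    awk '$1 == "Chain" { in_fwd = ($2 == "FORWARD"); next }
         in_fwd && $1 == "ACCEPT" { n++ }
         END { print n + 0 }'
}

# diagnose IP_FORWARD_VALUE IPTABLES_LISTING -> one-line verdict on stdout
diagnose() {
    fwd="$1"
    policy=$(printf '%s\n' "$2" | forward_policy)
    accepts=$(printf '%s\n' "$2" | forward_accept_rules)
    if [ "$fwd" != "1" ]; then
        echo "BLOCKED: ip_forward=$fwd"
    elif [ "$policy" != "ACCEPT" ] && [ "$accepts" -eq 0 ]; then
        echo "BLOCKED: FORWARD policy $policy, no ACCEPT rules"
    else
        echo "OK: FORWARD policy $policy, $accepts ACCEPT rule(s)"
    fi
}

# Listing as shown in the reply above (FORWARD chain only).
OPEN_RULES='Chain FORWARD (policy ACCEPT)
target     prot opt source               destination'

# Constructed: default-deny with no exceptions.
DENY_RULES='Chain FORWARD (policy DROP)
target     prot opt source               destination'

# Constructed: default-deny that only passes the private subnet from the thread.
SCOPED_RULES='Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            192.168.219.0/24
ACCEPT     all  --  192.168.219.0/24     0.0.0.0/0'

diagnose 0 "$OPEN_RULES"     # the state shown in the reply
diagnose 1 "$DENY_RULES"
diagnose 1 "$SCOPED_RULES"
# Live: diagnose "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables -L -n)"
```

The third listing is the shape to aim for on a dual-homed host: forwarding on, default policy DROP, and ACCEPT rules scoped to the one subnet that should transit.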
Ross Walker
2008-Oct-21 19:20 UTC
[CentOS] OT: Setting a CentOS to gateway a private IP address
On Tue, Oct 21, 2008 at 3:02 PM, James B. Byrne <byrnejb at harte-lyne.ca> wrote:
> This is mildly off topic since it has more to do with TCP/IP networking
> than with CentOS per se. However, at the risk of ruffling a few feathers
> I would like some advice on how to resolve the following routing problem:
>
> Given:
> dual homed host running CentOS-5.2 with
>   eth0 = 2xx.yyy.zzz.23
>   eth1 = 192.168.219.1
>
> and a Cisco gateway at 2xx.1xx.y7y.1 with the following networks:
>
> interface FastEthernet0/1
>  description connected to EthernetLAN
>  ip address 10.0.0.1 255.0.0.0 secondary
>  ip address 172.16.0.1 255.240.0.0 secondary
>  ip address 192.168.71.1 255.255.255.0 secondary
>  ip address 192.168.0.1 255.255.0.0 secondary
>  ip address 2xx.yyy.zzz.1 255.255.255.0
>  ip access-group 101 in
>  ip inspect FastEthernet_0_1 in
>  speed 100
>  full-duplex
> !
> router rip
>  version 2
>  passive-interface FastEthernet0/0
>  network 10.0.0.0
>  network 172.16.0.0
>  network 192.168.0.0
>  network 2xx.yyy.zzz.0
>  no auto-summary

Assuming that this Cisco box is for routing your Internet traffic, I
would NOT put any private network routing, or any dynamic routing at all
on it and use NAT on the CentOS box.

> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
>
> and with the following routes on the CentOS host:
>
> # route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.219.0   *               255.255.255.0   U     0      0        0 eth1
> 2xx.yyy.zzz.0   *               255.255.255.0   U     0      0        0 eth0
> 169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
> default         gw-fibrewire    0.0.0.0         UG    0      0        0 eth0
> # ip route
> 192.168.219.0/24 dev eth1  proto kernel  scope link  src 192.168.219.1
> 2xx.yyy.zzz.0/24 dev eth0  proto kernel  scope link  src 2xx.yyy.zzz.23
> 169.254.0.0/16 dev eth1  scope link
> default via 2xx.yyy.zzz.1 dev eth0
>
>
> The situation is this.
>
> From the host itself I can ping 192.168.218.102 on 192.168.219.0/24

Was that a typo 192.168.218.102?

> From any other host on 2xx.1xx.y7y.0/24 I can ping 192.168.219.1

Yes, because it's a local interface on router 2xx.yyy.zzz.23, discoverable
by ICMP.

> From any other host on 2xx.1xx.y7y.0/24 I cannot ping 192.168.219.102

You need to have a route in the Cisco's table for 192.168.219.0/24 or
you need to get RIP working between 2xx.yyy.zzz.23 and 2xx.yyy.zzz.1

> What setup steps on the CentOS host have I overlooked or what
> configuration errors have I committed?

Probably getting routed/gated running, setting active/passive
interfaces, broadcast or multicast RIP, host routes/default routes, etc.

> As I am a digest subscriber please use "reply all" so that I get an
> immediate copy of any replies.

List always strips off the member's email :-(

-Ross
James B. Byrne
2008-Oct-24 16:47 UTC
[CentOS] Re: OT: Setting a CentOS to gateway a private IP address
The solution to this proved quite simple, once I grasped the fact that
all routers on a common network have to route for that network (duhh!!!)
as well as any others that they may handle.

So the ripd.conf file looks like this:

--->
! -*- rip -*-
!
! RIPd configuration file
!
hostname a.b.domain.tld
password xxxxxxxx
enable password xxxxxxxx

router rip
 network 2aa.bbb.ccc.0/24
 network 192.168.219.0/24

log stdout
<---

And it works.

--
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3