Hello * community,

I have 2 * boxes spanning a T1 with HDLC. I'm trying to route packets so people on a subnet separate from the * boxes can browse the boxes on the * spanned subnet. The * boxes and the boxes on the subnet controlled by * can see everything. The boxes on the separate subnet inside the company can only see as far as the first * box and can't ping across the span.

http://home.yottadot.org/christian/

I have two boxes on a span that are routing packets perfectly amongst themselves both ways, and from internal to external just fine. What they're not doing is routing externally originating packets between themselves properly. Packets can get to the head box and I can hit both of its interfaces, but I can't hit either of the interfaces on the second box. I can hit either interface on each box from either box. I can hit any external interface on the network and internet from either box. I can only hit both interfaces on the first box from the internal network, and nothing on the second box or the boxes that the second box is the subnet gateway for. I have no way of testing if the lead box can ping a box on the .10 subnet (illustrated below), so I don't know if the packets are routing correctly there, but I doubt they are.

Any hints would be appreciated: christian@yottadot.org

Routing table from first box:

Destination     Gateway          Genmask         Flags Metric Ref Use Iface
192.168.1.0     192.168.253.254  255.255.255.0   UG    0      0   0   eth0
192.168.10.0    192.168.254.1    255.255.255.0   UG    0      0   0   hdlc0
localnet        *                255.255.255.0   U     0      0   0   eth0
192.168.254.0   *                255.255.255.0   U     0      0   0   hdlc0
loopback        *                255.0.0.0       U     0      0   0   lo
default         192.168.253.254  0.0.0.0         UG    1      0   0   eth0

-------------------------------------------------------------

Firewall from first box:

#!/bin/bash
IPTABLES=/usr/sbin/iptables
#IPTABLES=echo
EXTIF="eth0"
INTIF="hdlc0"

echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"

echo " Clearing existing rules"
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -F Allow
$IPTABLES -X Allow
$IPTABLES -t nat -F

echo " Setting up packet routing"
$IPTABLES -N Allow
$IPTABLES -A Allow -m state --state ESTABLISHED,RELATED -i $INTIF -j ACCEPT
$IPTABLES -A Allow -m state --state ESTABLISHED,RELATED -i $EXTIF -j ACCEPT
$IPTABLES -A Allow -m state --state NEW -i $INTIF -j ACCEPT
$IPTABLES -A Allow -m state --state NEW -i $EXTIF -j ACCEPT

echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF and $INTIF"
$IPTABLES -t nat -A POSTROUTING -o $INTIF -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo "1" > /proc/sys/net/ipv4/ip_forward

-------------------------------------------------------------

Routing table on second box:

Kernel IP routing table
Destination     Gateway          Genmask         Flags Metric Ref Use Iface
localnet        Avion_Asterisk_  255.255.255.0   UG    0      0   0   eth0
localnet        *                255.255.255.0   U     0      0   0   eth0
192.168.253.0   192.168.254.1    255.255.255.0   UG    0      0   0   hdlc0
192.168.254.0   192.168.254.1    255.255.255.0   UG    0      0   0   hdlc0
192.168.254.0   *                255.255.255.0   U     0      0   0   hdlc0
loopback        *                255.0.0.0       U     0      0   0   lo
default         192.168.254.1    0.0.0.0         UG    0      0   0   hdlc0

-------------------------------------------------------------

Firewall on second box:

#!/bin/bash
IPTABLES=/usr/sbin/iptables
#IPTABLES=echo
EXTIF="hdlc0"
INTIF="eth0"

echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"

echo " Clearing existing rules"
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -F Allow
$IPTABLES -X Allow
$IPTABLES -t nat -F

echo " Setting up packet routing"
$IPTABLES -N Allow
$IPTABLES -A Allow -m state --state ESTABLISHED,RELATED -i $INTIF -j ACCEPT
$IPTABLES -A Allow -m state --state ESTABLISHED,RELATED -i $EXTIF -j ACCEPT
$IPTABLES -A Allow -m state --state NEW -i $INTIF -j ACCEPT
$IPTABLES -A Allow -m state --state NEW -i $EXTIF -j ACCEPT

echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF and $INTIF"
$IPTABLES -t nat -A POSTROUTING -o $INTIF -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo "1" > /proc/sys/net/ipv4/ip_forward

-------------------------------------------

Here's the chart - I need to be able to ping boxes both ways across the span:

                 router / gateway (.1.254)
                          |
          -------------------------------- External
          |                |              (.1.0 sub)
          |                |
     (.253.254)       (.253.253) ---same box---> (.254.1)
                                                    |
                              --- T1 span to another building ---
                                                    |
                           (.254.2) ---same box---> (.10.254)
                                                    |
                                              (.10.0 subnet)

Thanks for even looking,
Christian
christian@yottadot.org
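The two routing tables above can be walked offline to see which entry each box actually picks for a given destination, and to catch entries that look wrong before touching the T1. The following is an added example, not code from the original post: it transcribes the two tables, resolves "localnet" to the networks the chart implies (192.168.253.0/24 on the first box, 192.168.10.0/24 on the second; both are assumptions), leaves the Avion_Asterisk_ hostname symbolic because the post gives no address for it, and takes each box's own addresses from the chart. The lint step flags a route whose gateway is the box's own address (the first box's 192.168.10.0 entry points at 192.168.254.1, which the chart shows as that box's own hdlc0 end) and prefixes listed twice, where only one entry can be used for a packet.

```python
"""Longest-prefix-match walk over the two posted routing tables (added example)."""
import ipaddress

# Each route: (destination network, gateway or None for on-link, interface).
# Addresses per box are taken from the chart in the post (assumption).
BOX1_ADDRS = {"192.168.253.253", "192.168.254.1"}
BOX1_ROUTES = [
    ("192.168.1.0/24", "192.168.253.254", "eth0"),
    ("192.168.10.0/24", "192.168.254.1", "hdlc0"),
    ("192.168.253.0/24", None, "eth0"),   # 'localnet' on box 1 (assumed)
    ("192.168.254.0/24", None, "hdlc0"),
    ("127.0.0.0/8", None, "lo"),
    ("0.0.0.0/0", "192.168.253.254", "eth0"),
]
BOX2_ADDRS = {"192.168.254.2", "192.168.10.254"}
BOX2_ROUTES = [
    ("192.168.10.0/24", "Avion_Asterisk_", "eth0"),  # 'localnet' via a host (name only)
    ("192.168.10.0/24", None, "eth0"),
    ("192.168.253.0/24", "192.168.254.1", "hdlc0"),
    ("192.168.254.0/24", "192.168.254.1", "hdlc0"),
    ("192.168.254.0/24", None, "hdlc0"),
    ("127.0.0.0/8", None, "lo"),
    ("0.0.0.0/0", "192.168.254.1", "hdlc0"),
]


def lookup(routes, dst):
    """Return (network, gateway, iface) of the most specific matching route.

    Ties on prefix length go to the earliest entry, which is what `route`
    output order reflects when metrics are equal (all are 0 here except the
    first box's default route).
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, dev in routes:
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw, dev)
    return best


def trace(dst, hops):
    """Walk dst through [(box name, routes), ...] and record each box's choice."""
    return [(name, lookup(routes, dst)[1:]) for name, routes in hops]


def lint(routes, own_addrs):
    """Flag gateways that are the box's own address and prefixes listed twice."""
    problems, seen = [], {}
    for net, gw, dev in routes:
        if gw in own_addrs:
            problems.append(f"{net}: gateway {gw} is this box's own address")
        seen.setdefault(net, []).append((gw, dev))
    for net, entries in seen.items():
        if len(entries) > 1:
            problems.append(f"{net}: listed {len(entries)} times, "
                            f"first entry {entries[0]} wins over {entries[1:]}")
    return problems


if __name__ == "__main__":
    # Forward path: an internal .1.x host pinging a .10.x host, then the reply.
    for label, dst, hops in [
        ("to .10", "192.168.10.5", [("box1", BOX1_ROUTES), ("box2", BOX2_ROUTES)]),
        ("reply", "192.168.1.5", [("box2", BOX2_ROUTES), ("box1", BOX1_ROUTES)]),
    ]:
        print(label, trace(dst, hops))
    for name, routes, addrs in [("box1", BOX1_ROUTES, BOX1_ADDRS),
                                ("box2", BOX2_ROUTES, BOX2_ADDRS)]:
        for p in lint(routes, addrs):
            print(name, "-", p)
```

Two things the walk makes visible: on the second box the "localnet via Avion_Asterisk_" entry sits ahead of the on-link entry, so traffic for the .10.0 subnet is handed to that host rather than delivered directly; and on the first box the .10.0 route names 192.168.254.1 as gateway, which is the near end of the span rather than the far end (.254.2). On a point-to-point HDLC link the gateway field is not used for link-layer resolution, so this may still forward, but it is worth correcting before looking elsewhere.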
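The firewall scripts above are worth a static read as well, because the routing question is hard to separate from what the packet filter and NAT are doing to the packets. The following is an added example, not the poster's script: it re-reads the first box's script as text (the second box's differs only in which interface is EXTIF and INTIF), expands the script's own variable assignments, and reports three things visible in the posted rules: the Allow chain is created and populated but no rule in INPUT or FORWARD ever jumps to it, so it has no effect; INPUT and FORWARD are left at policy ACCEPT with no rules, so everything is forwarded regardless; and MASQUERADE is applied on both interfaces, so each side of the span sees the box's own address as source instead of the real host, which also hides the origin of any traffic you are trying to trace. It runs without root and without iptables installed.

```python
"""Static audit of the posted iptables script (added example, not the post's code)."""
import shlex

# Transcribed from the first box's script in the post (echo lines omitted).
SCRIPT = r"""
IPTABLES=/usr/sbin/iptables
#IPTABLES=echo
EXTIF="eth0"
INTIF="hdlc0"
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -F Allow
$IPTABLES -X Allow
$IPTABLES -t nat -F
$IPTABLES -N Allow
$IPTABLES -A Allow -m state --state ESTABLISHED,RELATED -i $INTIF -j ACCEPT
$IPTABLES -A Allow -m state --state ESTABLISHED,RELATED -i $EXTIF -j ACCEPT
$IPTABLES -A Allow -m state --state NEW -i $INTIF -j ACCEPT
$IPTABLES -A Allow -m state --state NEW -i $EXTIF -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o $INTIF -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
"""


def parse(script):
    """Expand the script's own VAR=value lines and return the argument list
    of every iptables invocation, in order."""
    env, calls = {}, []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line and not line.startswith("$"):
            key, value = line.split("=", 1)
            env[key] = value.strip('"')
            continue
        words = shlex.split(line)
        argv = [env.get(w[1:], w) if w.startswith("$") else w for w in words]
        if argv and argv[0] == env.get("IPTABLES"):
            calls.append(argv[1:])
    return calls


def opt(argv, flag):
    """Value following `flag` in an iptables argument list, or None."""
    return argv[argv.index(flag) + 1] if flag in argv else None


def audit(script):
    """Return a list of findings about the rule set the script would load."""
    calls = parse(script)
    findings = []

    # User chains that are defined but never the target of any -j.
    created = {opt(c, "-N") for c in calls if "-N" in c}
    jumped = {opt(c, "-j") for c in calls if "-j" in c}
    for chain in sorted(created - jumped):
        findings.append(f"chain {chain} is created but nothing jumps to it")

    # Built-in chains left at ACCEPT with no rules appended to them.
    for c in calls:
        if "-P" in c:
            chain, policy = c[c.index("-P") + 1], c[c.index("-P") + 2]
            if policy == "ACCEPT" and chain in ("INPUT", "FORWARD") \
                    and not any(opt(x, "-A") == chain for x in calls):
                findings.append(f"{chain} policy ACCEPT with no rules: everything passes")

    # MASQUERADE on more than one output interface hides sources both ways.
    masq = [opt(c, "-o") for c in calls if "MASQUERADE" in c]
    if len(masq) > 1:
        findings.append(f"MASQUERADE on {masq}: both directions are NATed, "
                        "neither side sees real source addresses")
    return findings


if __name__ == "__main__":
    for finding in audit(SCRIPT):
        print("-", finding)
```

The first finding is the one to act on before anything else: with FORWARD at ACCEPT and the Allow chain unreferenced, the state rules do nothing, so either hook the chain with `-A INPUT -j Allow` and `-A FORWARD -j Allow` and set the policies to DROP, or drop the chain. Whether to keep the second MASQUERADE is a design choice, but on a private-to-private link it only obscures addresses, and removing it is what lets the .10.0 hosts see who is actually talking to them.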