Hi, I'm building a firewall/router on CentOS. I'm using Shorewall but have currently stopped and cleared the firewall rules to isolate the routing problem. My firewall box has 5 interfaces in it but currently only two are involved in the problem.

eth1: inet addr:192.168.1.224 Bcast:192.168.1.255 Mask:255.255.255.0
eth3: inet addr:192.168.202.1 Bcast:192.168.202.255 Mask:255.255.255.0

eth1 is connected to a switch that is connected to a router. The router is 192.168.1.1 and is the internet gateway. eth3 is connected to a different switch.

I have another CentOS box that is connected to the switch shared with eth3. Its interface is:

eth3: inet addr:192.168.202.10 Bcast:192.168.202.255 Mask:255.255.255.0

I want to provide internet connectivity to this 2nd machine routed through the firewall. Currently, I can reach two machines on the 192.168.1.0/24 network (.5 and .3) but I can't reach the router (.1) or anything outside.

I'll paste the routing tables from both machines below. Thanks in advance for your help.

---Marc

Firewall routing tables:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.254 U     0      0        0 eth4
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.202.0   0.0.0.0         255.255.255.0   U     0      0        0 eth3
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth4
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth1

192.168.202.10 routing table:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.202.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.1.16.0       0.0.0.0         255.255.240.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         192.168.202.1   0.0.0.0         UG    0      0        0 eth1
On Jul 18, 2006, at 11:54 AM, Marc Breslow wrote:

> I want to provide internet connectivity to this 2nd machine routed
> through the firewall. Currently, I can reach two machines on the
> 192.168.1.0/24 network (.5 and .3) but I can't reach the router (.1)
> or anything outside.

what does the file /proc/sys/net/ipv4/ip_forward contain (on the CentOS box that's connected to the router)? if this file contains "0", your machine will not forward packets.

> Firewall routing tables:
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 10.0.0.0        0.0.0.0         255.255.255.254 U     0      0        0 eth4
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 192.168.202.0   0.0.0.0         255.255.255.0   U     0      0        0 eth3
> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth4
> 0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth1
>
> 192.168.202.10 routing table:
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.202.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 10.1.16.0       0.0.0.0         255.255.240.0   U     0      0        0 eth0
> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
> 0.0.0.0         192.168.202.1   0.0.0.0         UG    0      0        0 eth1

are you sure that the machine 192.168.202.10 has an eth3 interface? i think you made a typo in your original message.

can you ping 192.168.202.1 from the second machine? what is the output of `traceroute 192.168.1.1`?

-steve
---
If this were played upon a stage now, I could condemn it as an improbable fiction. - Fabian, Twelfth Night, III,v
> I want to provide internet connectivity to this 2nd machine routed
> through the firewall. Currently, I can reach two machines on the
> 192.168.1.0/24 network (.5 and .3) but I can't reach the router (.1) or
> anything outside.

has IP forwarding been allowed on the firewall box?
Marc Breslow wrote:

> I want to provide internet connectivity to this 2nd machine routed
> through the firewall. Currently, I can reach two machines on the
> 192.168.1.0/24 network (.5 and .3) but I can't reach the router (.1) or
> anything outside.

What's the default route on the 192.168.1.5 and .3 machines? The router or the firewall?

It looks like your router doesn't know how to get back to the 192.168.202.x network. If you add a static route on your router that tells it to send traffic destined for the 192.168.202.x network to the 192.168.1.224 interface on the firewall box I think it will start working for you.

/jft
> Jeff,
>
> I think we are on to something here. I added a static route
> on the 192.168.1.1 router to the 192.168.1.224 with the
> gateway address equal to the eth1 IP address on the firewall.
> I can now ping 192.168.1.1 from behind the firewall but I
> still can't ping 209.73.186.238 (yahoo) from behind the
> firewall. I can ping yahoo from the firewall.
>
> Any other thoughts?

Possible Firewall policy at 192.168.1.1 router. Also, possibly NAT policy on the firewall at 192.168.1.1. You may need to set up a NAT for the 192.168.202.x network? What type of router is it?

Just some guesses...

alex
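To make the two fixes proposed in this thread (Jeff's static return route and Alex's NAT) concrete, here is an added example that is not from any of the posters. It parses the `route -n` tables Marc pasted, does a longest-prefix lookup on them, and shows where a reply from the 192.168.1.1 router ends up in each configuration. The router's own table was never posted, so the one below is constructed and hypothetical (its LAN plus a default route to an example ISP next hop, 203.0.113.1); `nat_fix()` returns the standard sysctl and iptables commands for masquerading the inner LAN behind the firewall's eth1 address.

```python
import ipaddress

# Routing tables as posted in the thread (`route -n` format).
FIREWALL_ROUTES = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.254 U     0      0        0 eth4
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.202.0   0.0.0.0         255.255.255.0   U     0      0        0 eth3
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth4
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth1
"""

CLIENT_ROUTES = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.202.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.1.16.0       0.0.0.0         255.255.240.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         192.168.202.1   0.0.0.0         UG    0      0        0 eth1
"""

# Constructed, hypothetical table for the 192.168.1.1 router (not in the thread):
# its LAN, plus a default route to an example ISP next hop.
ROUTER_ROUTES = """\
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 eth1
"""
# The same router after Jeff's suggested static route via the firewall's eth1.
ROUTER_ROUTES_WITH_STATIC = ROUTER_ROUTES + \
    "192.168.202.0   192.168.1.224   255.255.255.0   UG    0      0        0 eth0\n"

LAN = ipaddress.ip_network("192.168.1.0/24")  # segment shared by router and firewall eth1
FIREWALL_WAN_SIDE = "192.168.1.224"           # firewall's eth1 address from the thread


def parse_routes(text):
    """Parse `route -n` output into (network, gateway-or-None, iface) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] == "Destination":
            continue  # skips the "Kernel IP routing table" banner and the header row
        dest, gw, mask, iface = fields[0], fields[1], fields[2], fields[7]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, None if gw == "0.0.0.0" else gw, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match. Returns (gateway-or-None, iface), or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])


def reply_reaches_firewall(router_routes, reply_dst):
    """Does the router hand a reply for reply_dst back onto the LAN where the firewall
    sits? The next hop is the route's gateway if it has one, else the destination itself."""
    hit = lookup(router_routes, reply_dst)
    if hit is None:
        return False
    gw, _iface = hit
    return ipaddress.ip_address(gw or reply_dst) in LAN


def nat_fix(lan_net="192.168.202.0/24", wan_if="eth1"):
    """Alex's alternative: enable forwarding (Steve's point) and masquerade the inner LAN
    behind the firewall's eth1 address, so the router only ever sees 192.168.1.224."""
    return [
        "sysctl -w net.ipv4.ip_forward=1",
        f"iptables -t nat -A POSTROUTING -s {lan_net} -o {wan_if} -j MASQUERADE",
    ]


if __name__ == "__main__":
    fw, client = parse_routes(FIREWALL_ROUTES), parse_routes(CLIENT_ROUTES)
    yahoo = "209.73.186.238"
    print("client  ->", yahoo, ":", lookup(client, yahoo))   # via 192.168.202.1 on eth1
    print("firewall->", yahoo, ":", lookup(fw, yahoo))       # via 192.168.1.1 on eth1
    for label, table in (("router as-is", ROUTER_ROUTES),
                         ("router + static route", ROUTER_ROUTES_WITH_STATIC)):
        ok = reply_reaches_firewall(parse_routes(table), "192.168.202.10")
        print(f"{label}: reply to 192.168.202.10 reaches firewall? {ok}")
    print("router as-is: reply to NAT'd source reaches firewall?",
          reply_reaches_firewall(parse_routes(ROUTER_ROUTES), FIREWALL_WAN_SIDE))
    print("\n".join(nat_fix()))
```

The forward path is fine in both tables; the failure is the return path, which is why Marc could reach .3 and .5 (hosts that presumably default to the firewall) but not the router. A static route on the router and masquerading on the firewall are two independent fixes for that; masquerading additionally hides the 192.168.202.0/24 addresses from the upstream router, which is what an internet-facing gateway normally needs anyway.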