I'm trying to learn iproute2 by building a router/firewall for my home
Internet access. But things are not working as expected. I'm running a
distribution called PakSecured (kernel 2.4.0) on a box with 3 Ethernet
interfaces. One is connected to the Internet, the other two are connected
to 2 different private IP segments.

At this point, all I want to do is route between these interfaces. So far
all I can do is ping the linux-router from the devices on the various
segments. But I cannot reach devices on the other side of the linux-router.

i.e., From a host on the inside-net, I can ping every interface on the
linux-router. But I cannot ping a host on the other side of the
linux-router. And if sourcing from the linux-router, I am able to ping
everything.

The routes appear to be correct as far as I can tell. I've even turned off
the firewalling (iptables) to see if that was the problem, but it was not.

What am I missing? Why can't I get packets through the linux-router? Is
there a way to 'debug' like in a cisco router?

I've created an ASCII topo of the network, and I've included output from:
- ip addr
- ip route
- ip rules
- iptables -L
- cat /proc/sys/net/ipv4/ip_forward

--- *** Topo Map *** ---

[inside-net] eth0>-----<eth2 [linux-router] eth1>-----<eth0 [other-net]
              .1          .150      |      .150          .1
           192.168.1.0/24           |         192.168.2.0/24
                                    | eth0 123.4.5.6/22
                                    |
                                [Internet]

--- *** ---

[prompt]# ip addr
1: lo: <LOOPBACK,UP> mtu 3840 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope global lo
    inet6 ::1/128 scope host
2: teql0: <NOARP> mtu 1500 qdisc noop qlen 100
    link/void
3: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
4: tunl0@NONE: <NOARP> mtu 1480 qdisc noop
    link/ipip 0.0.0.0 brd 0.0.0.0
5: gre0@NONE: <NOARP> mtu 1476 qdisc noop
    link/gre 0.0.0.0 brd 0.0.0.0
6: sit0@NONE: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
7: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:c0:f0:1a:00:9c brd ff:ff:ff:ff:ff:ff
    inet 123.4.5.6/22 brd 123.4.8.255 scope global eth0
    inet6 fe80::2c0:f0ff:fe1a:9c/10 scope link
8: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:c0:f0:09:d3:b8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.150/24 brd 192.168.2.255 scope global eth1
    inet6 fe80::2c0:f0ff:fe09:d3b8/10 scope link
9: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:80:c8:39:b4:08 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.150/24 brd 192.168.1.255 scope global eth2
    inet6 fe80::280:c8ff:fe39:b408/10 scope link

--- *** ---

[prompt]# ip ro
192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.150
192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.150
123.4.5.0/22 dev eth0 proto kernel scope link src 123.4.5.6
default via 192.168.1.1 dev eth2 proto static src 192.168.1.150

--- *** ---

[prompt]# ip ru
0:      from all lookup local
16000:  from 192.168.2.0/24 to 192.168.1.0/24 lookup main
16010:  from 192.168.1.0/24 to 192.168.2.0/24 lookup main
32766:  from all lookup main
32767:  from all lookup 253

--- *** ---

[prompt]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

--- *** ---

[prompt]# cat /proc/sys/net/ipv4/ip_forward
1
> At this point, all I want to do is route between
> these interfaces. So far all I can do is ping the
> linux-router from the devices on the various
> segments. But I cannot reach devices on the other
> side of the linux-router.
>
> i.e., From a host on the inside-net, I can ping
> every interface on the linux-router. But I cannot
> ping a host on the other side of the linux-router.
> And if sourcing from the linux-router, I am able
> to ping everything.
>
> The routes appear to be correct as far as I can
> tell. I've even turned off the firewalling
> (iptables) to see if that was the problem, but it
> was not.
>
> What am I missing?

Is the default gateway ok? It points to 192.168.1.1 which is on a
private LAN connected to eth2.
And if you want to ping from the lan to internet, you will need to do
SNAT (masquerading). You need a rule like this :
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
If you do not do that, the host on the internet sees a packet from
192.168.x. and does not know where it can find that host.

> Is there a way to 'debug' like in a cisco router?

You can use tcpdump. Or an iptables rule with -j LOG and see what
appears in the logs.

> [prompt]# ip ro
> 192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.150
> 192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.150
> 123.4.5.0/22 dev eth0 proto kernel scope link src 123.4.5.6
> default via 192.168.1.1 dev eth2 proto static src 192.168.1.150

Stef
--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net
Quoting Stef Coene <stef.coene@docum.org>:

... snip ...

> > The routes appear to be correct as far as I can
> > tell. I've even turned off the firewalling
> > (iptables) to see if that was the problem, but it
> > was not.
> >
> > What am I missing?
>
> Is the default gateway ok? It points to 192.168.1.1 which is on a
> private LAN connected to eth2.

I should have said in the original post. This is a lab behind an
existing firewall. The 'Internet' in the topo drawing is a pretend
Internet. The real Internet connection is on the other side of
192.168.1.1 (the 'inside-net').

> And if you want to ping from the lan to internet, you will need to do
> SNAT (masquerading). You need a rule like this :
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

I needed that syntax anyway :)

... snip ...

> > Is there a way to 'debug' like in a cisco router?
>
> You can use tcpdump. Or an iptables rule with -j LOG and see what
> appears in the logs.

tcpdump is not installed on this box. And the iptables rules are
disabled. In other words they are all set to accept. If I use the
iptables command you suggest, will it actually log anything?

Thanks,
kelly

... snip ...

> Stef
> --
> stef.coene@docum.org
> "Using Linux as bandwidth manager"
> http://www.docum.org/
> #lartc @ irc.openprojects.net
> > Is the default gateway ok? It points to 192.168.1.1 which is on a
> > private LAN connected to eth2.
>
> I should have said in the original post. This is
> a lab behind an existing firewall. The 'Internet'
> in the topo drawing is a pretend Internet. The
> real Internet connection is on the other side of
> 192.168.1.1 (the 'inside-net').

But you have to make sure that the box you are trying to ping, has a
route to you. So it knows where to send the answer to the ping. If it
doesn't know, you have to add a route on the target box or masquerade
the packets.

> > And if you want to ping from the lan to internet, you will need to do
> > SNAT (masquerading). You need a rule like this :
> > iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

> tcpdump is not installed on this box. And the
> iptables rules are disabled. In other words they
> are all set to accept. If I use the iptables
> command you suggest, will it actually log
> anything?

iptables -A INPUT -j LOG gives in /var/log/messages :

Mar 24 16:16:03 lieve kernel: IN=eth0 OUT= MAC=00:a0:c9:1a:9c:eb:00:50:da:d0:d8:95:08:00 SRC=192.168.1.101 DST=192.168.1.100 LEN=164 TOS=0x00 PREC=0x00 TTL=64 ID=64662 DF PROTO=TCP SPT=3234 DPT=6000 WINDOW=63712 RES=0x00 ACK PSH URGP=0

Stef
--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net
Quoting Stef Coene <stef.coene@docum.org>:

... snip ...

> But you have to make sure that the box you are trying to ping, has a
> route to you. So it knows where to send the answer to the ping. If it
> doesn't know, you have to add a route on the target box or masquerade
> the packets.

The hosts on the other side have default gateways, which are the
interfaces of the linux-router.

... snip ...

> > tcpdump is not installed on this box. And the
> > iptables rules are disabled. In other words they
> > are all set to accept. If I use the iptables
> > command you suggest, will it actually log
> > anything?
>
> iptables -A INPUT -j LOG gives in /var/log/messages :
>
> Mar 24 16:16:03 lieve kernel: IN=eth0 OUT= MAC=00:a0:c9:1a:9c:eb:00:50:da:d0:d8:95:08:00 SRC=192.168.1.101 DST=192.168.1.100 LEN=164 TOS=0x00 PREC=0x00 TTL=64 ID=64662 DF PROTO=TCP SPT=3234 DPT=6000 WINDOW=63712 RES=0x00 ACK PSH URGP=0
>
> Stef

Okay, I don't know anything about iptables syntax, and very little about
ipchains syntax either. I'll do that. Should I do the same thing for the
other chains (FORWARD, ACCEPT)?

Thanks,
kelly
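The thread leaves two things implicit that a practitioner debugging this box would want spelled out: what the posted `ip route` table actually decides for a given destination, and how to read a netfilter LOG line to tell whether a packet was delivered to the router itself or forwarded through it. The kernel fills in IN= for packets arriving on an interface and OUT= for packets leaving one, so a hit from a rule in INPUT shows IN set and OUT empty (exactly the line Stef posted), while a forwarded packet is only seen by a LOG rule in the FORWARD chain and shows both. The script below is an added example written for this page, not code from the thread or from PakSecured. It parses the route table exactly as the original poster printed it, does the same longest-prefix match the kernel does, and classifies LOG lines by their IN/OUT fields. The first log line is the one Stef posted; the second is constructed to look like a FORWARD-chain hit (with a `--log-prefix "FWD: "` and the hostname `router`) for an inside-net host pinging other-net, and is not real captured output.

```python
"""Reason about the Linux router in the thread from its `ip route` table and
netfilter LOG lines: where would a packet go, and did it actually get forwarded?"""
import ipaddress

# `ip ro` output exactly as posted by the original poster.
ROUTE_TABLE = """\
192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.150
192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.150
123.4.5.0/22 dev eth0 proto kernel scope link src 123.4.5.6
default via 192.168.1.1 dev eth2 proto static src 192.168.1.150
"""

# The INPUT-chain LOG line posted in the thread: IN set, OUT empty.
LOG_INPUT = ("Mar 24 16:16:03 lieve kernel: IN=eth0 OUT= "
             "MAC=00:a0:c9:1a:9c:eb:00:50:da:d0:d8:95:08:00 "
             "SRC=192.168.1.101 DST=192.168.1.100 LEN=164 TOS=0x00 PREC=0x00 "
             "TTL=64 ID=64662 DF PROTO=TCP SPT=3234 DPT=6000 WINDOW=63712 "
             "RES=0x00 ACK PSH URGP=0")
# Constructed (not captured) FORWARD-chain LOG line, as
# `iptables -A FORWARD -j LOG --log-prefix "FWD: "` would emit for an
# inside-net host (eth2) pinging a host on other-net (eth1).
LOG_FORWARD = ("Mar 24 16:20:11 router kernel: FWD: IN=eth2 OUT=eth1 "
               "SRC=192.168.1.20 DST=192.168.2.20 LEN=84 TOS=0x00 PREC=0x00 "
               "TTL=63 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1")


def parse_routes(text):
    """Turn `ip route` lines into dicts; 'default' becomes 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        prefix = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        route = {"dst": ipaddress.ip_network(prefix, strict=False),
                 "via": None, "dev": None, "src": None}
        for key, val in zip(parts[1:], parts[2:]):   # "via X", "dev X", "src X"
            if key in ("via", "dev", "src"):
                route[key] = val
        routes.append(route)
    return routes


def lookup(routes, dst_ip):
    """Longest-prefix match: the same choice the kernel FIB makes in table main."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [r for r in routes if ip in r["dst"]]
    return max(matches, key=lambda r: r["dst"].prefixlen) if matches else None


def parse_log(line):
    """Split a netfilter LOG line into KEY=VALUE fields plus bare flags (DF, ACK, ...).
    Returns None for lines that are not LOG output. Repeated keys (the IP ID= and
    the ICMP ID= on an echo request) keep the last value seen."""
    head, sep, body = line.partition("IN=")
    if not sep:
        return None
    fields, flags = {}, []
    fields["prefix"] = head.rsplit("kernel:", 1)[-1].strip()  # --log-prefix text, if any
    for tok in ("IN=" + body).split():
        key, eq, val = tok.partition("=")
        if eq:
            fields[key] = val
        else:
            flags.append(tok)
    fields["flags"] = flags
    return fields


def chain_of(fields):
    """Which chain logged the packet, inferred from what the kernel filled in:
    INPUT (IN only), OUTPUT (OUT only) or FORWARD (both)."""
    key = (bool(fields.get("IN")), bool(fields.get("OUT")))
    return {(True, False): "INPUT", (False, True): "OUTPUT",
            (True, True): "FORWARD"}.get(key, "UNKNOWN")


def explain(line, routes):
    """Classify a LOG line and check that, for a forwarded packet, the OUT
    interface agrees with what the route table says for DST."""
    f = parse_log(line)
    chain = chain_of(f)
    route = lookup(routes, f["DST"])
    expected = route["dev"] if route else None
    return {"chain": chain, "src": f["SRC"], "dst": f["DST"], "proto": f.get("PROTO"),
            "expected_dev": expected, "next_hop": route["via"] if route else None,
            "routed_as_expected": chain != "FORWARD" or f.get("OUT") == expected}


if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    for line in (LOG_INPUT, LOG_FORWARD):
        print(explain(line, routes))
    # Anything outside the three connected subnets falls to the default route on eth2.
    print(lookup(routes, "8.8.8.8"))
```

Used against a real /var/log/messages, the practical reading is: if a ping from inside-net to other-net shows up only as an INPUT hit addressed to the router, or not at all, the host never sent it to the router (its own route is wrong); if it appears as a FORWARD hit with OUT=eth1 and the reply never comes back as a FORWARD hit with IN=eth1, the target host has no route back.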