Hi,

I have three linux machines, and I want to let one of them forward packets between the other two. The forwarding node has two ethernet cards, connecting the two machines respectively. However, when I ping between the two end points, the forwarding node can receive the ping requests at its eth0, but it never forwards them to its eth1. So is the reverse direction.

The forwarding node is Redhat 7.2, kernel 2.4.7-10. The two end points are FC3, 2.6.9-1.667smp.

What we have done to enable IP forwarding on the RH7.2 node are:
(1) In /etc/sysconfig/network, add "FORWARD_IPV4=yes"
(2) "echo 1 > /proc/sys/net/ipv4/ip_forward".
(3) Change "net.ipv4.ip_forward=1" in /etc/sysctl.conf.
(4)
"echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter"
"echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter"
(5) We tried "iptables -F" to flush the rules, but ip forwarding still doesn't work, so we add some rules as follows. We run "iptables" to configure firewall to enable IP forwarding.
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

What are we missing, or what did we configure wrong?

Thanks a lot,
-Ji

On Fri, 17 Jun 2005 13:14:23 -0400 (EDT) "Ji Li" <ji.li3@hp.com> wrote:
> (5) We tried "iptables -F" to flush the rules, but ip forwarding still
> doesn't work, so we add some rules as follows. We run "iptables" to
> configure firewall to enable IP forwarding.
> iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
> iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

route add net comp1-net gw comp1-ip
route add net comp2-net gw comp2-ip

on router.

--
*Dariusz 'tdi' Dwornikowski | Gentoo | admin at pozman.pl |
*[JID]:tdi@gentoo.pl|[gg]:2266034|[IRC]:#gentoo-pl@freenode |
*[MAIL]:tdi@pozman.pl|[WWW]:www.tdi.pozman.pl |
*Serwery,administracja,webapps - www.ProAdmin.com.pl |
*Fingerprint:43E21CC46DAFD2F754E91547D59B39F56AAA4B5F |
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

On 6/17/05, Dariusz Dwornikowski <tdi@pozman.pl> wrote:
> route add net comp1-net gw comp1-ip
> route add net comp2-net gw comp2-ip

The last 2 lines are strange... I think you don't need them.

In comp1, you need:
    route add -host comp2-ip gw reachable-router-ip-from-comp1

in comp2, you need
    route add -host comp1-ip gw reachable-router-ip-from-comp2

You should also use tcpdump and test with pings. Example:

    # tcpdump -n -i eth0 icmp

It will allow you to debug common issues, for instance, when the icmp echo request reaches its destination, but the host cannot reply because a route is missing.

I assume the forwarding host is not the default route of comp1 nor comp2.

Regards,
Nelson.-

--
Homepage : http://geocities.com/arhuaco

The first principle is that you must not fool yourself
and you are the easiest person to fool.
     -- Richard Feynman.

Thank you all for the help!

I thought the problem is that ip forwarding is not working on the middle node, but actually all the problems are the routing tables on the two end nodes. I only specified which network interface to send the packet in the routing table of two end nodes and didn't specify the gateway for the two end nodes. I thought that each end node will just send packets to the corresponding interface in the routing table, and the middle node will just forward everything it receives. The middle node does receive all the packets, but it never forwards to its second network interface. Would anyone please explain a little why this happened?

Thanks again for your kind help!

Regards,
-Ji

If I understand you correctly, you have only a route on both nodes which tells one node that the other node is directly attached to the interface. I don't know your IP range - but it would look like this (if you are on 192.168.1/24):

    ip ro add 192.168.2/24 dev eth1

So it tries to make an ARP request to find the other node, because with "dev eth0" you have defined that the requested network is directly reachable on eth1. But on eth1 there is only your gateway...

Because you didn't specify the gateway address, the gateway does not react. You can make it react if you enable proxy_arp on the gateway's interfaces - then, if one node tries to reach the other one, the gateway will say "here, I have the IP!", because it knows that the requested node is attached on its other network interface... but this is not what you want.

By specifying the gateway address, the nodes know that they have to forward all packets - which they have to send to the other node - to the gateway address...

Andreas
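
An added example, not part of any poster's message: a simplified Python model of the next-hop decision explained above. The addresses and the router's interface layout are constructed for illustration. It shows which address an end node ARPs for under an on-link route versus a gateway route, and whether the forwarding node answers with proxy_arp off or on.

```python
import ipaddress

# Constructed topology (assumed, not from the thread):
# comp1 192.168.1.10 -- eth0 192.168.1.1 [router] 192.168.2.1 eth1 -- comp2 192.168.2.10
ROUTER_IFACES = {"eth0": "192.168.1.1", "eth1": "192.168.2.1"}
ROUTER_NETS = {"eth0": "192.168.1.0/24", "eth1": "192.168.2.0/24"}

# comp1's table with only an on-link route to the far network ...
ONLINK = [{"net": "192.168.1.0/24"}, {"net": "192.168.2.0/24"}]
# ... and with the gateway specified.
VIA_GW = [{"net": "192.168.1.0/24"},
          {"net": "192.168.2.0/24", "gw": "192.168.1.1"}]


def arp_target(routes, dst):
    """IP the sender ARPs for: the gateway if the longest-prefix route has
    one, otherwise the destination itself (on-link route)."""
    dst_ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst_ip in ipaddress.ip_network(r["net"])]
    if not matches:
        return None  # no route at all: nothing is sent
    best = max(matches, key=lambda r: ipaddress.ip_network(r["net"]).prefixlen)
    return best.get("gw") or dst


def router_answers_arp(in_iface, target, proxy_arp=False):
    """Does the router reply to an ARP who-has for `target` seen on in_iface?"""
    if target == ROUTER_IFACES[in_iface]:
        return True  # its own address on that interface
    if not proxy_arp:
        return False  # someone else's address: stay silent
    # proxy_arp: answer when the target lives behind a different interface
    t = ipaddress.ip_address(target)
    return any(t in ipaddress.ip_network(net)
               for ifc, net in ROUTER_NETS.items() if ifc != in_iface)


def frame_reaches_router(routes, dst, proxy_arp=False):
    """True if comp1 resolves a MAC that belongs to the router for this packet."""
    target = arp_target(routes, dst)
    return target is not None and router_answers_arp("eth0", target, proxy_arp)


if __name__ == "__main__":
    for name, table in (("on-link", ONLINK), ("via gw", VIA_GW)):
        for pa in (False, True):
            print(name, "proxy_arp=%d" % pa,
                  "ARP for", arp_target(table, "192.168.2.10"),
                  "->", frame_reaches_router(table, "192.168.2.10", pa))
```
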