On 1/13/06, Manish Kathuria <manish@tuxspace.com> wrote:
> Janne Raatikainen wrote:
> > I configured multiple ISPs (actually only multiple gateways) according to
> > http://lartc.org/howto/lartc.rpdb.multiple-links.html.
> >
> > Now NAT (Internet) seems to work, both external interfaces work (I
> > didn't configure load balancing because I don't need it). However, I have
> > a problem: I cannot ping from NAT to the public IP of my Linux box.
> > The problem is that I cannot connect from the 192.168.1.0/24 network to
> > services listening on 84.248.213.195, but I can connect to the Internet from
> > NAT through that interface's gateway (84.248.192.0). Connecting to the
> > public IP worked fine when I had simple NAT with a single
> > Internet connection.
>
> Have you used any firewall rules which prevent INPUT from the LAN ?
>
I have, but according to my logging no iptables drop rule
rejects the packets. I have also tried disabling all those drop rules, but
it still doesn't work. Like I said, I have used the same kind of rules
that I used with normal NAT, where there is only one external NIC and one
internal NIC. I just added a new NIC there to have multiple IPs.
Here you can see which connections work and which don't:
http://www.raatikainen.org/extra/multigw/router3.png
(A correction to that picture: I can connect from under NAT to computers on the
Internet, web pages work, but I cannot connect from the Internet to my
NAT even if I use port forwarding (the same rules which work fine with
only a single external NIC).)
So the problem is that I cannot connect from 192.168.1.0/24 to
84.248.213.195 (the Linux server), but I have to use the internal IP
192.168.1.50 of that same Linux server.
If I go to the Linux server and do the following:
pinging from the inside interface (eth1) to the Internet works fine:
# ping -I 192.168.1.50 google.com
PING google.com (64.233.187.99): 56 data bytes
64 bytes from 64.233.187.99: icmp_seq=0 ttl=240 time=139.8 ms
but:
# traceroute -i eth1 google.com
traceroute: Warning: google.com has multiple addresses; using 72.14.207.99
traceroute to google.com (72.14.207.99), 30 hops max, 38 byte packets
traceroute: sendto: Operation not permitted
1 traceroute: wrote google.com 38 chars, ret=-1
Even traceroute -I -i eth1 google.com (using ICMP packets instead of
UDP) gives the same error.
Next, I try to ping from NAT to the external IP of my
Linux server and see from the Linux logs where the packet disappears. I
get the following lines:
Jan 7 01:43:28 raatikainen kernel: mangleprerouting IN=eth1
OUT= MAC=00:04:75:cb:66:00:00:13:8f:3f:8f:05:08:00 SRC=192.168.1.79
DST=84.248.213.195 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=65178
PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=25346
Jan 7 01:43:28 raatikainen kernel: natprerouting IN=eth1
OUT= MAC=00:04:75:cb:66:00:00:13:8f:3f:8f:05:08:00 SRC=192.168.1.79
DST=84.248.213.195 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=65178
PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=25346
As you can see, there is no ICMP reply from 84.248.213.195 -> 192.168.1.79.
Why?
If I ping from 192.168.1.79 -> 192.168.1.50, it does get an ICMP reply back.
> >
> > I also noticed that port forwarding from the Linux box (public IP) to a
> > computer under NAT doesn't work either. Does anyone have an idea what the
> > problem is?
>
> You will have to accept the traffic in the FORWARD chain in addition to
> the port forwarding rule for the system which is being accessed.
>
> I think it will be better if you list your firewall rules here to make
> the things clear. It will make it easier to identify the reason.
You can see the iptables rules and routes in:
http://www.raatikainen.org/extra/multigw/verkkoongelma.txt
Janne
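The diagnostic used in the mail, a LOG rule in every chain and a look at where a packet stops appearing, is easier to read when a script pairs each request with its reply and names the gap. The block below is an added example and not code from the mail, from LARTC or from the iptables project. It assumes one LOG rule per chain whose prefix is the table and chain name run together, as in the mail's mangleprerouting and natprerouting; the other prefix names (mangleinput, filterinput, mangleoutput, filteroutput, manglepostrouting) are assumptions, and every sample log line apart from the two quoted in the mail is constructed.

```python
"""Trace a ping through netfilter LOG lines, chain by chain.

Added example, not code from the original mail. Reads kernel log lines written
by an iptables LOG rule in each chain and reports which chains a packet was
seen in and whether a reply was ever logged. Prefix names other than
mangleprerouting and natprerouting are assumptions for this example.
"""
import re
from collections import defaultdict

# Assumed LOG prefixes in traversal order for a packet addressed to the box
# itself. The routing decision (including the reverse-path check) sits between
# nat PREROUTING and mangle INPUT and has no chain of its own, so a packet last
# seen in natprerouting was not dropped by a filter rule.
LOCAL_IN_ORDER = ["mangleprerouting", "natprerouting", "mangleinput", "filterinput"]

LINE_RE = re.compile(r"kernel:\s+(?P<prefix>\S+)\s+(?P<fields>IN=.*)")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample: the two lines from the mail (space restored between OUT=
# and MAC=) plus a constructed ping to the LAN address that passes all four
# input chains and is answered. The reply is not logged in nat chains because
# nat is consulted only for the first packet of a connection.
SAMPLE_LOG = """\
Jan 7 01:43:28 raatikainen kernel: mangleprerouting IN=eth1 OUT= MAC=00:04:75:cb:66:00:00:13:8f:3f:8f:05:08:00 SRC=192.168.1.79 DST=84.248.213.195 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=65178 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=25346
Jan 7 01:43:28 raatikainen kernel: natprerouting IN=eth1 OUT= MAC=00:04:75:cb:66:00:00:13:8f:3f:8f:05:08:00 SRC=192.168.1.79 DST=84.248.213.195 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=65178 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=25346
Jan 7 01:43:30 raatikainen kernel: mangleprerouting IN=eth1 OUT= MAC=00:04:75:cb:66:00:00:13:8f:3f:8f:05:08:00 SRC=192.168.1.79 DST=192.168.1.50 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=65179 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=25347
Jan 7 01:43:30 raatikainen kernel: natprerouting IN=eth1 OUT= MAC=00:04:75:cb:66:00:00:13:8f:3f:8f:05:08:00 SRC=192.168.1.79 DST=192.168.1.50 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=65179 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=25347
Jan 7 01:43:30 raatikainen kernel: mangleinput IN=eth1 OUT= MAC=00:04:75:cb:66:00:00:13:8f:3f:8f:05:08:00 SRC=192.168.1.79 DST=192.168.1.50 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=65179 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=25347
Jan 7 01:43:30 raatikainen kernel: filterinput IN=eth1 OUT= MAC=00:04:75:cb:66:00:00:13:8f:3f:8f:05:08:00 SRC=192.168.1.79 DST=192.168.1.50 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=65179 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=25347
Jan 7 01:43:30 raatikainen kernel: mangleoutput IN= OUT=eth1 SRC=192.168.1.50 DST=192.168.1.79 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=0 CODE=0 ID=768 SEQ=25347
Jan 7 01:43:30 raatikainen kernel: filteroutput IN= OUT=eth1 SRC=192.168.1.50 DST=192.168.1.79 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=0 CODE=0 ID=768 SEQ=25347
Jan 7 01:43:30 raatikainen kernel: manglepostrouting IN= OUT=eth1 SRC=192.168.1.50 DST=192.168.1.79 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=0 CODE=0 ID=768 SEQ=25347
"""


def parse_log_line(line):
    """Return the LOG fields of one syslog line as a dict, or None.

    LOG prints ID= twice for ICMP: the IP header ID first, then the echo
    identifier. Both are kept under distinct keys.
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix")}
    ids = []
    for key, val in FIELD_RE.findall(m.group("fields")):
        if key == "ID":
            ids.append(val)
        else:
            rec[key] = val
    if ids:
        rec["IP_ID"] = ids[0]
    if len(ids) > 1:
        rec["ICMP_ID"] = ids[1]
    return rec


def conversation_key(rec):
    """Map an ICMP echo request and its reply onto one key.

    An echo reply (TYPE=0) carries the request's identifier and sequence with
    source and destination swapped. Other traffic is keyed by its 5-tuple and
    not paired with a reply.
    """
    if rec.get("PROTO") == "ICMP" and rec.get("TYPE") in ("8", "0"):
        icmp_id, seq = rec.get("ICMP_ID"), rec.get("SEQ")
        if rec["TYPE"] == "8":
            return ("ICMP", rec["SRC"], rec["DST"], icmp_id, seq), "request"
        return ("ICMP", rec["DST"], rec["SRC"], icmp_id, seq), "reply"
    key = (rec.get("PROTO"), rec.get("SRC"), rec.get("DST"), rec.get("SPT"), rec.get("DPT"))
    return key, "request"


def trace(log_lines):
    """Group LOG lines into {key: {"request": [prefixes], "reply": [prefixes]}}."""
    convs = defaultdict(lambda: {"request": [], "reply": []})
    for line in log_lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        key, direction = conversation_key(rec)
        convs[key][direction].append(rec["prefix"])
    return dict(convs)


def diagnose(conv):
    """Name the gap a conversation fell into, assuming every chain logs."""
    req, rep = conv["request"], conv["reply"]
    if rep:
        return "replied"
    if not req:
        return "no request seen"
    last = req[-1]
    if last in LOCAL_IN_ORDER and last != LOCAL_IN_ORDER[-1]:
        nxt = LOCAL_IN_ORDER[LOCAL_IN_ORDER.index(last) + 1]
        return f"lost between {last} and {nxt}"
    return f"no reply after {last}"


def report(log_text):
    """Return {conversation key: diagnosis} for a whole log."""
    return {key: diagnose(conv) for key, conv in trace(log_text.splitlines()).items()}


if __name__ == "__main__":
    for key, status in report(SAMPLE_LOG).items():
        print(key, "->", status)
```

On a real box, feed it the syslog file instead of the sample (`report(open("/var/log/messages").read())`, path assumed). The "lost between" verdict is only meaningful if every chain in LOCAL_IN_ORDER really has a LOG rule; a chain without one shows up as a gap whether or not the packet passed through it. A LOG rule in every chain also writes a line for every packet, so on an Internet-facing box pair each one with `-m limit` or remove it once the problem is found.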