LinuxQuestions.org
Fedora This forum is for the discussion of the Fedora Project.

Old 11-24-2006, 02:08 PM   #1
davhak
LQ Newbie
 
Registered: Nov 2006
Posts: 22

Rep: Reputation: 15
ip forwarding problem


Dear All,

I have two subnets. There is a machine with two NICs which should act as a router by forwarding packets between its two NICs. The router's first NIC has the IP 10.1.0.10 and the second NIC's IP is 192.168.13.254 (it works as the gateway for the second subnet). I put all the necessary rules in iptables, like:

iptables -A FORWARD -s 192.168.13.0/24 -d 0.0.0.0 -j ACCEPT
iptables -A FORWARD -s 0.0.0.0 --protocol tcp --dport 22 -d 192.168.13.0/24 -j ACCEPT
iptables -A FORWARD -s 0.0.0.0 --protocol tcp --dport 80 -d 192.168.13.0/24 -j ACCEPT

These rules should allow HTTP and SSH to connect to the 192.168.13.0 net. I also set both /etc/sysctl.conf's "ip_forwarding" and /proc/sys/net/ipv4/ip_forward to 1.

Ping from the second subnet's machine (192.168.13.1) to both of the router's IPs works. That is:

ping from 192.168.13.1 to 192.168.13.254 works
ping from 192.168.13.1 to 10.1.0.10 works

But pinging does not work the same way when I do it from the first subnet's machine. That is:

ping from 10.1.0.1 to 10.1.0.10 works

ping from 10.1.0.1 to 192.168.13.254 fails

Probably I am missing some configuration on the router which, as a result, allows packet forwarding only in one direction (from the second subnet to the first one but not the opposite).
As a result, the machines in these two subnets cannot see each other (ping fails).

SSH from both subnets to the router works.

Does anyone know how I can make the forwarding work equally between the two NICs? Can it be that the problem relates to the NICs? The first NIC is mounted in a PCI slot while the second one is onboard.

Thanks a lot for any help.
 
Old 11-24-2006, 02:20 PM   #2
fordeck
Member
 
Registered: Oct 2006
Location: Utah
Posts: 520

Rep: Reputation: 61
I wonder if you included another rule:

Code:
iptables -A FORWARD -s 10.1.0.0/24 -d 0.0.0.0 -j ACCEPT
This of course is assuming that your 10.1.0.0 network uses a 24 bit mask as well.
 
Old 11-24-2006, 02:23 PM   #3
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 65
IP forwarding or Masquerading in its basic form is a one way gateway. Easy to go from one to the other but not the other way because it is acting as a firewall in the opposite direction. There are a few ways back through. The only one I know of and have used is DNAT.

Example /sbin/iptables -t nat -A PREROUTING -i xxx.xxx.xxx.xxx -p tcp -d 22 --dport 22 -j DNAT --to-destination 192.168.69.69:22

This is forwarding external IP xxx.xxx.xxx.xxx port 22 to an internal IP, port 22.

Now this might work as a fully open DNAT. Not sure though. It will probably be similar to this but I may have the options wrong.
/sbin/iptables -t nat -A PREROUTING -i 0.0.0.0 -j DNAT --to-destination 192.168.13/24
or maybe
/sbin/iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination eth1

Brian
 
Old 11-25-2006, 03:49 AM   #4
davhak
LQ Newbie
 
Registered: Nov 2006
Posts: 22

Original Poster
Rep: Reputation: 15
Thank you very much for your replies.

The reason for not including

iptables -A FORWARD -s 10.1.0.0/24 -d 0.0.0.0 -j ACCEPT

is that initially I wanted to forward only HTTP and SSH connections from 10.1.0.0 to 192.168.13.0 and drop all the others. On the other hand I wanted to allow all the protocols that would go from 192.168.13.0 to 10.1.0.0 (that is why I placed the first three explicit rules).


I tried the rules with DNAT as well but without success. My confusion is how the router decides what direction to forward the packets in if it does not look at the iptables rules? Because it is clearly told to forward both ways with some restrictions. If we cannot rely on iptables how can we manage the router at all? Consequently it becomes impossible to make two machines in different subnets see each other.

Thanks a lot for any idea.
 
Old 11-25-2006, 07:57 AM   #5
fordeck
Member
 
Registered: Oct 2006
Location: Utah
Posts: 520

Rep: Reputation: 61
Could you post the results of the following command:

route -n
 
Old 11-25-2006, 09:58 AM   #6
davhak
LQ Newbie
 
Registered: Nov 2006
Posts: 22

Original Poster
Rep: Reputation: 15
Thank you very much for your support.
Here is the output of the "route -n" command:


Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.13.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.1.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1

It's strange, but I do not know where the last line with IP 169.254.0.0 came from. Can it be the source of the problem?

Thank you in advance.
 
Old 11-25-2006, 10:12 AM   #7
fordeck
Member
 
Registered: Oct 2006
Location: Utah
Posts: 520

Rep: Reputation: 61
What does 10.1.0.1 route table look like?
 
Old 11-25-2006, 11:10 AM   #8
davhak
LQ Newbie
 
Registered: Nov 2006
Posts: 22

Original Poster
Rep: Reputation: 15
10.1.0.1 is a Windows machine (WinXP installed). I do not know if this is of any help, but below you can find the output of the "route PRINT" command issued on this machine.


Code:
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 00 21 cf a2 d1 ...... Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
         10.1.0.0    255.255.255.0         10.1.0.1       10.1.0.1       20
         10.1.0.1  255.255.255.255        127.0.0.1      127.0.0.1       20
   10.255.255.255  255.255.255.255         10.1.0.1       10.1.0.1       20
        127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1        1
        224.0.0.0        240.0.0.0         10.1.0.1       10.1.0.1       20
  255.255.255.255  255.255.255.255         10.1.0.1       10.1.0.1        1
===========================================================================
Persistent Routes:
None


Thanks a lot for your time.
 
Old 11-25-2006, 11:30 AM   #9
fordeck
Member
 
Registered: Oct 2006
Location: Utah
Posts: 520

Rep: Reputation: 61
You don't have a default route in your results above. You could create one by issuing the following command:

Code:
route ADD 0.0.0.0 MASK 0.0.0.0 10.1.0.10
Or you could add a static route like this:


Code:
route ADD 192.168.13.0 MASK 255.255.255.0  10.1.0.10

Last edited by fordeck; 11-25-2006 at 11:32 AM.
 
Old 11-25-2006, 01:27 PM   #10
davhak
LQ Newbie
 
Registered: Nov 2006
Posts: 22

Original Poster
Rep: Reputation: 15
Thanks a lot for your continuous help.

I tried adding a route as you advised

route add -net 192.168.13.0 netmask 255.255.255.0 gw 10.1.0.10

but ping still does not work. Adding a route like

route add -net 192.168.13.0 netmask 255.255.255.0 gw 192.168.13.254

also does not help.
 
Old 11-25-2006, 01:52 PM   #11
fordeck
Member
 
Registered: Oct 2006
Location: Utah
Posts: 520

Rep: Reputation: 61
Are you adding the route on the XP machine? The syntax used above looks like a Linux command. It is the XP machine that is missing a default route.

Last edited by fordeck; 11-25-2006 at 01:53 PM.
 
Old 11-25-2006, 02:32 PM   #12
davhak
LQ Newbie
 
Registered: Nov 2006
Posts: 22

Original Poster
Rep: Reputation: 15
Sorry for my mistake. I indeed made it on the Linux machine. After trying the second rule on the Windows machine
Code:
route ADD 192.168.13.0 MASK 255.255.255.0  10.1.0.10
the ping worked from 10.1.0.1 to 192.168.13.254, together with SSH. I could hardly have thought that this problem could come from the routing settings of the Windows machine.

Thank you so much for all your great help.
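The diagnosis fordeck arrived at (the router was never the problem; 10.1.0.1 simply had no route that matched 192.168.13.254, so its packets never left the host) can be reproduced by doing the kernel's own longest-prefix-match lookup over the two tables quoted above. The following is an added example, not code from any of the posters; the table texts are constructed from the `route -n` and `route PRINT` output in posts #6 and #8, and the extra row in the "fixed" Windows table is what the static route from post #12 would look like (its metric of 1 is an assumption).

```python
"""Longest-prefix-match route lookup over the routing tables from this thread.

Added example (not code from the thread's posters). Parses a Linux `route -n`
table and a Windows `route PRINT` "Active Routes" table, then resolves a
destination the way the kernel does: the most specific matching prefix wins,
and no match at all means "no route to host".
"""
import ipaddress
from typing import List, Optional, Tuple

# A route: (destination network, gateway, interface). In the Windows table the
# interface column is the interface's own IP; in the Linux table it is a name.
Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address, str]

# Constructed from the `route -n` output quoted in post #6 (the router).
ROUTER_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.13.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.1.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
"""

# Constructed from the `route PRINT` output quoted in post #8 (10.1.0.1, WinXP).
XP_TABLE_BEFORE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
         10.1.0.0    255.255.255.0         10.1.0.1       10.1.0.1       20
         10.1.0.1  255.255.255.255        127.0.0.1      127.0.0.1       20
   10.255.255.255  255.255.255.255         10.1.0.1       10.1.0.1       20
        127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1        1
        224.0.0.0        240.0.0.0         10.1.0.1       10.1.0.1       20
  255.255.255.255  255.255.255.255         10.1.0.1       10.1.0.1        1
"""

# The same table after `route ADD 192.168.13.0 MASK 255.255.255.0 10.1.0.10`
# from post #12 (metric 1 is an assumption of this example).
XP_TABLE_FIXED = XP_TABLE_BEFORE + \
    "     192.168.13.0    255.255.255.0        10.1.0.10       10.1.0.1        1\n"


def _parse_rows(text: str, cols: Tuple[int, int, int, int]) -> List[Route]:
    """Generic row parser; cols = field indices of (dest, mask, gateway, iface).
    Header and banner lines fail IPv4 parsing and are skipped."""
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) <= max(cols):
            continue
        try:
            net = ipaddress.IPv4Network(f"{parts[cols[0]]}/{parts[cols[1]]}",
                                        strict=False)
            gw = ipaddress.IPv4Address(parts[cols[2]])
        except ValueError:
            continue
        routes.append((net, gw, parts[cols[3]]))
    return routes


def parse_linux_table(text: str) -> List[Route]:
    """`route -n`: Destination Gateway Genmask Flags Metric Ref Use Iface."""
    return _parse_rows(text, (0, 2, 1, 7))


def parse_windows_table(text: str) -> List[Route]:
    """`route PRINT`: Network Destination, Netmask, Gateway, Interface, Metric."""
    return _parse_rows(text, (0, 1, 2, 3))


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match. None means the host has no route for dst."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)


def next_hop(routes: List[Route], dst: str) -> Optional[str]:
    """Where a packet for dst goes: a gateway IP, 'on-link' for a directly
    connected network, or None when the table has no route for it."""
    route = lookup(routes, dst)
    if route is None:
        return None
    _net, gw, iface = route
    # Linux marks on-link routes with gateway 0.0.0.0; Windows with gateway == interface IP.
    if gw == ipaddress.IPv4Address("0.0.0.0") or str(gw) == iface:
        return "on-link"
    return str(gw)


if __name__ == "__main__":
    for label, table in (("before", XP_TABLE_BEFORE), ("fixed", XP_TABLE_FIXED)):
        hop = next_hop(parse_windows_table(table), "192.168.13.254")
        print(f"10.1.0.1 ({label}) -> 192.168.13.254: {hop}")
    router = parse_linux_table(ROUTER_TABLE)
    print("router -> 192.168.13.254 leaves via", lookup(router, "192.168.13.254")[2])
    print("router -> 10.1.0.1 leaves via", lookup(router, "10.1.0.1")[2])
```

Run stand-alone it shows `None` for the original Windows table and `10.1.0.10` once the static route is present, while the router itself resolves 192.168.13.254 to eth1 and 10.1.0.1 to eth0 in both cases. The 169.254.0.0/16 entry on the router is the zeroconf link-local route that Fedora and RHEL add by default (it can be suppressed with NOZEROCONF=yes in /etc/sysconfig/network); it does not overlap either subnet and plays no part in the lookup.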
 
Old 11-25-2006, 02:52 PM   #13
fordeck
Member
 
Registered: Oct 2006
Location: Utah
Posts: 520

Rep: Reputation: 61
You're welcome, glad to help.

Fordeck
 
  


All times are GMT -5.