LinuxQuestions.org
Old 04-07-2005, 11:34 AM   #1
stakhous
Member
 
Registered: May 2003
Location: PA
Posts: 82

Rep: Reputation: 15
2 NIC's stopped routing, iptable problem?


Hi, I know this type of thread has been posted many times, but specifically for JordanH, the following is the output to various commands. Again, I am having problems with eth1 being able to contact the network on eth0. I have a windows computer at 10.51.1.100 connected to eth1(RH box, 10.51.1.1) with a crossover cable. From there eth0(192.168.1.107) is connected to a switch which in turn is connected to linksys router. I can no longer get 10.51.1.100 to connect to the outside 192.168.1.0/24 network.

I've made sure ip_forward is at 1. I think I might need to add another route.


iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


/sbin/service iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 10.51.1.0/24 anywhere to:192.168.1.107
MASQUERADE all -- 10.51.1.0/24 192.168.1.0/24

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Table: filter
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

/sbin/route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.51.1.0 * 255.255.255.0 U 0 0 0 eth1
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth1
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0

ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:41:1EC8
inet addr:192.168.1.107 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1546 errors:0 dropped:0 overruns:0 frame:0
TX packets:303 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:148554 (145.0 Kb) TX bytes:27838 (27.1 Kb)
Interrupt:11 Base address:0xc00

eth1 Link encap:Ethernet HWaddr 00:40:33:A3:37:0F
inet addr:10.51.1.1 Bcast:10.51.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:4 dropped:0 overruns:0 carrier:4
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:9 Base address:0x2800

Thanks for everyone's help so far on this issue, especially JordanH.

Cheers
 
Old 04-07-2005, 05:06 PM   #2
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Rep: Reputation: 30
Start by clearing all from your iptables. I think your SNAT is killing you.
Try this script... it is completely open and not a firewall. It clears out all the junk so we can start fresh. It does not masquerade but it does forward traffic (i.e. routing between the two networks).
Quote:
#!/bin/bash
echo "1" > /proc/sys/net/ipv4/ip_forward
ipt=/sbin/iptables

# Set policies
$ipt -P INPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -P OUTPUT ACCEPT

# Delete table rules, chains and counters
for table in filter nat mangle
do
    $ipt -t $table -F # flush
    $ipt -t $table -X # delete
    $ipt -t $table -Z # zero
done

$ipt -t nat -A POSTROUTING -o eth0 -j MASQUERADE
edit: changed the last line of the script to masquerade through eth0

Your routing table looks fine.
(sorry for my long delay, they actually made me *DO* work today. )

p.s. if this does not work this time, please post the results of
/sbin/service iptables status

Last edited by JordanH; 04-07-2005 at 05:29 PM.
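
The script above is, as its author says, completely open. A tighter variant, as an added example that is not part of the original post: it prints an iptables-restore ruleset that still masquerades out eth0 but sets the FORWARD policy to DROP and forwards only connections opened from the LAN. The function names and the --apply switch are made up for this example; the interfaces and subnet are the ones posted in the thread.

```bash
#!/bin/sh
# Added example (not from the thread): print an iptables-restore ruleset that
# masquerades the LAN but forwards only LAN-initiated connections.
# Defaults are the interface names and subnet posted in the thread.

# Reject values that could smuggle extra options or lines into the ruleset.
valid_if() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}
valid_cidr() {   # shape check only: a.b.c.d/0-32, octet ranges not verified
    case "$1" in
        ''|*[!0-9./]*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

gen_ruleset() (
    lan_if="${1:-eth1}"; wan_if="${2:-eth0}"; lan_net="${3:-10.51.1.0/24}"
    valid_if "$lan_if" && valid_if "$wan_if" && valid_cidr "$lan_net" || exit 1
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite the source of LAN traffic leaving through the outside interface
-A POSTROUTING -s ${lan_net} -o ${wan_if} -j MASQUERADE
COMMIT
*filter
# INPUT and OUTPUT stay open as in the thread's script; only FORWARD is tightened
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections the LAN opened
-A FORWARD -i ${wan_if} -o ${lan_if} -m state --state RELATED,ESTABLISHED -j ACCEPT
# New and existing connections from the LAN going out
-A FORWARD -i ${lan_if} -o ${wan_if} -s ${lan_net} -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
)

# Load the rules only when run as root with --apply
if [ "${1:-}" = "--apply" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gen_ruleset eth1 eth0 10.51.1.0/24 | /sbin/iptables-restore
fi
```

Without --apply the script changes nothing; calling gen_ruleset prints the rules so they can be reviewed before loading.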
 
Old 04-07-2005, 05:15 PM   #3
stakhous
Member
 
Registered: May 2003
Location: PA
Posts: 82

Original Poster
Rep: Reputation: 15
Hey don't worry about the long delay, I appreciate your help!

Ok I cleared the iptables out and ran your script, here is the output:

/sbin/service iptables status
Table: mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Table: nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Table: filter
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Then I ran:

ping google.com -I eth1
PING google.com (216.239.39.99) from 10.51.1.1 eth1: 56(84) bytes of data.
From 10.51.1.1 icmp_seq=1 Destination Host Unreachable

Looks like still no luck.

Cheers
 
Old 04-07-2005, 05:20 PM   #4
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 65
Forgive me here, but why would you not connect both computers to the switch which is then connected to the router as you say? The router should do a good job of a firewall setup for you.
 
Old 04-07-2005, 05:22 PM   #5
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Rep: Reputation: 30
Whoa... wait a minute. I may have goofed. In the other thread, I thought you were just trying to connect the two networks. What you want to do is a little masquerading... It must have been a long day for me.

I have updated the script above... check out the LAST line I added.

The following threads will shed some light.
http://www.linuxquestions.org/questi...hreadid=140064
http://www.linuxquestions.org/questi...hreadid=115427
(if you search on my name and choose "older than one year", you'll hit tonnes of these threads)
 
Old 04-07-2005, 05:27 PM   #6
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Rep: Reputation: 30
Quote:
Originally posted by Brian1
Forgive me here, but why would you not connect both computers to the switch which is then connected to the router as you say? The router should do a good job of a firewall setup for you.
Perhaps. Do you trust the Linksys router with your firewall setup? Some do, some don't. *shrug*

You can config it this way...

Internet -- modem -- linksys -- linux router -- internal lan (this is the current config, no?)
or
Internet -- modem -- linux router -- internal lan (take out the middle man)
or
Internet -- modem -- linksys -- internal lan (windows and linux now both reside on same internal network) This is assuming that the linksys is a multiport hub/switch as well as router. If Stakhous is limited by not owning a switch and the linksys is a single-port unit, this last config won't work.

In my case at home, I do not have a linksys device so I use option 2... *shrug* to each their own.
 
Old 04-07-2005, 05:34 PM   #7
stakhous
Member
 
Registered: May 2003
Location: PA
Posts: 82

Original Poster
Rep: Reputation: 15
Forgive me, I probably should have been more clear.

And sure the linksys router does a good job filtering out traffic. But managing a linux router is a great learning process. I get to mess with IDS's, iptables, etc.

I made the appropriate change in the bash script, but still no luck. But I'll look over those threads you posted.

Thanks again
 
Old 04-10-2005, 03:46 PM   #8
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Rep: Reputation: 30
Any luck?
 
  

