3 NICs, 1 external, 2 internal, only one routing

arobinson74 · 07-20-2008, 03:47 PM

I have a debian server with 3 NICs: eth0, eth1 and eth2

eth0: outside world
eth1: inside private network
eth2: inside public network

The idea is to provide internet with networking on eth1 (domain setup). eth2 is for public wireless access so that guests can come and use the internet, but not be able to get on the private network.

The dhcp setup is:

eth0: dhcp assigned
eth1: 192.168.100.1
eth2: 192.168.101.1

I am getting DNS lookups, DHCP assignments all working great from both the 100 and 101 subnets. The problem is that eth2 packets (101 subnet) are not being routed to eth0. eth1 / 100subnet is working fine.

here is the "route -N" ouput:

Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.101.0   0.0.0.0         255.255.255.0   U     0      0        0 eth2
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         10.0.1.1        0.0.0.0         UG    0      0        0 eth0

I added these iptables rules:

Code:

iptables -A FORWARD -i eth2 -j LOG --log-prefix "IPTABLES FORWARD: " --log-level 6
iptables -A INPUT -i eth2 -j LOG --log-prefix "IPTABLES INPUT: " --log-level 6

I get the "IPTABLES INPUT:" rules, but there is never any activity on the FORWARD chain for eth2 (eth1 does show up with this rule).

I am at a loss to why eth1 internet traffic is correctly routed through eth0, but eth2 is not.

Here is some of my iptables setup:

Code:

echo "Allowing localhost"
iptables -A INPUT  -i lo -j ACCEPT 
iptables -A OUTPUT -o lo -j ACCEPT 

iptables -A FORWARD -i eth2 -j LOG --log-prefix "IPTABLES FORWARD: " --log-level 6
iptables -A INPUT -i eth2 -j LOG --log-prefix "IPTABLES INPUT: " --log-level 6
#iptables -t nat -A PREROUTING -i eth2 -s 192.168.100.0/24 -j DNAT --to-destination 192.168.7.2

## INTRANET
# allow unlimited traffic on the intranet
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables -A INPUT   -j ACCEPT -i eth1 
iptables -A INPUT   -j ACCEPT -i eth2
iptables -A OUTPUT  -j ACCEPT -o eth0
iptables -A FORWARD -j ACCEPT -i eth1 
iptables -A FORWARD -j ACCEPT -i eth2
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Any ideas?

Thanks for any help

estabroo · 07-20-2008, 05:00 PM

Do you have the default route set correctly for eth2 machines? They might not know to send their outbound packets to this outside world box. This could be easily caused in dhcp if you did a cut and paste and didn't change the router entry.

arobinson74 · 07-20-2008, 05:03 PM

Problem solved. I forgot one tiny little line in the dhcpd.conf inside the 101 subnet:

routers 192.168.101.1

I had a global router of 192.168.100.1 set in that file. As a result, the client machine was not having the default gateway set when it got an IP address via the DHCP server.

Argh! I hate simple mistakes that take hours of time.