LinuxQuestions.org
Old 01-16-2004, 09:28 AM   #1
KitM
LQ Newbie
 
Registered: Sep 2003
Posts: 7

Rep: Reputation: 0
can't see outside behind Redhat router


Hi,


I’ve set up (trying to) a Redhat 9.0 router. Inside – eth1, 192.168.1.31. Outside – eth0, xxx.xxx.xxx.98.

The routing table:

[root@ns1 root]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
xxx.xxx.xxx.98 * 255.255.255.255 UH 0 0 0 eth0
ns1.firstequipm * 255.255.255.255 UH 0 0 0 eth1
xxx.xxx.xxx.96 xxx.xxx.xxx.98 255.255.255.240 UG 0 0 0 eth0
xxx.xxx.xxx.96 * 255.255.255.240 U 0 0 0 eth0
192.168.1.0 ns1.xxxxxxxxxx 255.255.255.0 UG 0 0 0 eth1
192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
169.254.0.0 * 255.255.0.0 U 0 0 0 eth1
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default xxx.xxx.xxx.97 0.0.0.0 UG 0 0 0 eth0

Also – net.ipv4.ip_forward = 1

The xxx.xxx.xxx.96 address is with our ISP somewhere else.

From the router itself, I can ping the xxx.xxx.xxx.97 address and get to web sites. From any machine on the interior 192……. I can ping the xxx.xxx.xxx.98, the 192.168.1.31 (the two router cards), but cannot ping xxx.xxx.xxx.97 (the IP the ISP gave us for our gateway) nor can I go to any web sites.

Hep me, hep me.

Thanks in advance for your help.

Kit Massengill
KitM@FirstEquipment.com
 
Old 01-16-2004, 11:09 AM   #2
fataldata
Member
 
Registered: Jun 2002
Location: Breckenridge, Colorado
Distribution: Ubuntu Hardy 8.04
Posts: 101

Rep: Reputation: 15
Perhaps your firewall is preventing you from forwarding packets?
What does iptables -L command show?
You will need to tell the FORWARD table to forward all packets.

There are many threads regarding IP Masquerade and iptables; if you need more info, let me know. I'll have to look up the exact syntax, but man iptables should get you started.
 
Old 01-16-2004, 12:49 PM   #3
KitM
LQ Newbie
 
Registered: Sep 2003
Posts: 7

Original Poster
Rep: Reputation: 0
Hi, fataldata,

Here it is:


[root@ns1 root]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Lokkit-0-50-INPUT (2 references)
target prot opt source destination
ACCEPT udp -- 64.238.96.12 anywhere udp spt:domain dpts:1025:65535
ACCEPT udp -- 66.180.96.12 anywhere udp spt:domain dpts:1025:65535
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN
REJECT tcp -- anywhere anywhere tcp dpts:0:1023 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:nfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpts:0:1023 reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpt:nfs reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpts:x11:6009 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:xfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
 
Old 01-16-2004, 12:55 PM   #4
KitM
LQ Newbie
 
Registered: Sep 2003
Posts: 7

Original Poster
Rep: Reputation: 0
Excuse me,

Also, checking my boot log, I found:

Jan 16 <snip> ifup: Error: an inet prefix is expected rather than "192.168.1.31/".

Kit
 
Old 01-16-2004, 10:56 PM   #5
dellcom1800
Member
 
Registered: Apr 2003
Location: Connecticut, USA
Distribution: Gentoo Ubuntu
Posts: 69

Rep: Reputation: 15
Here is a real simple approach: route the protocols
 
Old 01-19-2004, 02:50 PM   #6
KitM
LQ Newbie
 
Registered: Sep 2003
Posts: 7

Original Poster
Rep: Reputation: 0
dellcom1800,

Thanks for the answer; however the fact that I'm having this much trouble doing a simple job - at least, it appears that it should be a simple job to me - is showing that I seem to be deficient in the "snap" dept. when it comes to this area of expertise.

If you have a site that I may go to to see a simple tut of routing protocols (are we talking RIP here?), please include it in your next (if there is one) message.

Thanks again for your help.

KitM
 
Old 01-20-2004, 11:00 AM   #7
fataldata
Member
 
Registered: Jun 2002
Location: Breckenridge, Colorado
Distribution: Ubuntu Hardy 8.04
Posts: 101

Rep: Reputation: 15
KitM,
Just to get it working, remove the RH-Lokkit-0-50-INPUT from your INPUT and FORWARD tables. I know this can present security considerations, but I removed the RH-Lokkit-0-50-INPUT rules and it seemed to work for me.

If you tell the FORWARD and INPUT tables to ACCEPT everything, you can build more stringent rules as you go and troubleshoot from there.

Also I believe you have to make the appropriate entries to the nat table to allow POSTROUTING.

I used the IP masquerade Howto to get this done. I can post my Iptables entries tonight when I get in front of my RH9 box.
 
Old 01-20-2004, 06:46 PM   #8
fataldata
Member
 
Registered: Jun 2002
Location: Breckenridge, Colorado
Distribution: Ubuntu Hardy 8.04
Posts: 101

Rep: Reputation: 15
KitM, here are my iptables. Yes, I need to make them more secure, but I do have my RH9 box functioning as a firewall/internet gateway. My suggestion would be to remove all the firewall rules and rebuild them to your specs.


[root@host]$ iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

[root@host ]$ iptables -t nat -L
#this is the masquerade stuff that allows you to share an internet connection.
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
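
The gateway setup discussed in this thread, as an added example that is not part of any post: a shell script that prints an iptables-restore ruleset with the MASQUERADE rule shown in post #8, but with the FORWARD chain limited to traffic entering on the LAN interface instead of accepting everything. The interface names and the 192.168.1.0/24 network are assumptions taken from the first post; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for a two-interface NAT gateway.
# Nothing is applied here; review the output, then feed it to iptables-restore as root.

valid_if() {    # interface name: 1-15 characters from [A-Za-z0-9._-]
    case "$1" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    [ "${#1}" -le 15 ]
}

valid_cidr() {  # a.b.c.d/prefix with octets 0-255 and prefix 0-32
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; prefix=${1#*/}
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

gen_ruleset() { # usage: gen_ruleset LAN_IF WAN_IF LAN_NET
    lan_if=$1; wan_if=$2; lan_net=$3
    valid_if "$lan_if" && valid_if "$wan_if" && [ "$lan_if" != "$wan_if" ] ||
        { echo "need two distinct interface names" >&2; return 1; }
    valid_cidr "$lan_net" || { echo "bad LAN network: $lan_net" >&2; return 1; }
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE
COMMIT
*filter
# INPUT stays ACCEPT as in post #8; rules protecting the router itself go here.
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
COMMIT
EOF
}

# Values assumed from the thread: LAN on eth1 (192.168.1.0/24), WAN on eth0.
gen_ruleset eth1 eth0 192.168.1.0/24
```

The network check also rejects an address with an empty prefix, the same malformed form ("192.168.1.31/") that ifup complained about in post #4.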
 
  

