k1mgy 08-01-2004 02:57 AM

Expert help with iptables needed
 
I'm a seeker of iptables truth and need an expert as I cannot get a seemingly simple arrangement working properly. I'll buy the coffee for anyone who can help!

I am trying to get a simple natting router running on an embedded box. It must permit eth0 to be connected to a cable modem, and eth1 to a pc. The intent is to insert the embedded box in the ethernet chain without breaking anything. :) Since most clients get an ip dynamically, I've installed udhcp in the embedded box.

The setup and more details of the issue are posted but this system won't let me include it in my text. So I have included this at the bottom of this message (sorry!).

I'm testing on my local lan (192.168.1.0/24). The embedded box eth0 is set to a static IP 192.168.1.90. The box hosts udhcpd so that a client connected to the embedded box's eth1 gets an IP address in the range 192.168.10.100 - 192.168.10.190. The embedded eth1 is set to 192.168.10.254. The client gets its ip fine.

No matter what I do (so far) I can't get from the client through to the local lan (and then out to the net). I can ping a www url from the embedded box just fine, but from the client I get "Destination Host Unreachable".

I'm using a very simple iptables script to begin with. iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE is, I think, correct for this case. Along with setting echo 1 > /proc/sys/net/ipv4/ip_forward.

Here's a simple diagram of my setup:

Public Internet
ADSL Modem
[dynamic i/p]
|
Linksys Router
[192.168.1.0/24] =Embedded server box=
|
3Com Switch -- > 192.168.1.90 [static/eth0]
udhcpd
iptables
switch < -- 192.168.10.254 [static/eth1]
|
client i/p via dhcp 192.168.10.254 [dynamic/eth2]
Also 192.168.1.80 [static/eth1] -> connected to 3com switch into local lan.

As you can see, in my test setup there's double natting going on. First on my lan's router, and then on the embedded box. Since I'm bridging between different subnets, (risking being called a stupid un-manual reading type) I assumed this was perfectly legal.

Can this setup actually work? Am I missing a fundamental here?

--------------------------------------------------------------------------------

iptables problem - documentation

System setup

Public Internet --> ADSL Modem [dynamic i/p] --> Linksys Router [192.168.1.0/24] -->

=Embedded server box=
3Com Switch -- > 192.168.1.90 [static/eth0]
udhcpd
iptables
switch < -- 192.168.10.254 [static/eth1]
.
.
linux test client (i/p via dhcp)
192.168.10.254 [dynamic/eth2]
192.168.1.80 [static/eth1] -> this port is connected to 3com switch into local lan.

Note: eth0 is disabled on the test client as it's a defective adapter.

Objective: connect embedded server box eth0 to cable modem (or local lan) and a client pc to server box eth1 for a dynamic ip and nat to the internet. If a switch is used (as in the above setup) then more than one client can be connected.

Client: Red Hat Fedora 2 (2.6.5-1.358)
Server: Special linux build for ETRAX 100LX chip. Kernel 2.4.26


What works
The server box can connect to the public internet fine.
The client can connect to the public internet via eth1
The client can ping the server's eth1 via the client's eth2
The client can ping the server's eth0 via the client's eth2 (this seems strange as it works when iptables is not loaded!)

What fails
The client cannot go beyond the server's eth0 interface. Attempts to ping the local lan's router (192.168.1.1) via the client's eth2 interface, or to ping a www address, all fail with "Destination Host Unreachable".

RESOLVER
Both the client and server have the DNS entries for my isp's DNS addresses in place.

Client and server /etc/resolv.conf:

search localhost
nameserver 151.203.0.84
nameserver 151.203.0.85

ROUTE
Here's the route from the server:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.10.0    *               255.255.255.0   U     0      0        0 eth1
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0

And from the client:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
192.168.10.0    *               255.255.255.0   U     0      0        0 eth2
169.254.0.0     *               255.255.0.0     U     0      0        0 eth2

I don't know where the 169 address is coming from.

If I do this on the linux client:
/sbin/route add default gw 192.168.0.254 netmask 255.255.255.0

I get:
SIOCADDRT: Network is unreachable

I tried attaching a windows client (win 2k) to the server's eth1. It also got an ip and also returns the same results.


ADAPTERS

CLIENT:

eth1 Link encap:Ethernet HWaddr 00:50:BA:F7:A4:5F
inet addr:192.168.1.80 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::250:baff:fef7:a45f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:217 errors:0 dropped:0 overruns:0 frame:0
TX packets:191 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:23413 (22.8 Kb) TX bytes:15980 (15.6 Kb)
Interrupt:10 Base address:0x2400

eth2 Link encap:Ethernet HWaddr 00:E0:29:3E:63:22
inet addr:192.168.10.100 Bcast:192.168.10.255 Mask:255.255.255.0
inet6 addr: fe80::2e0:29ff:fe3e:6322/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2 errors:0 dropped:0 overruns:0 frame:0
TX packets:59 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1180 (1.1 Kb) TX bytes:8554 (8.3 Kb)
Interrupt:11 Base address:0x2800

CLIENT eth2 CONFIGURATION:

cat sysconfig/networking/profiles/default/ifcfg-eth2

# Accton|SMC2-1211TX
DEVICE=eth2
ONBOOT=yes
BOOTPROTO=dhcp
IPADDR=192.168.1.80
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
HWADDR=00:E0:29:3E:63:22
TYPE=Ethernet
USERCTL=yes
PEERDNS=yes
IPV6INIT=no
DHCP_HOSTNAME=192.168.10.0

Server:

eth0 Link encap:Ethernet HWaddr 00:40:8C:63:10:A0
inet addr:192.168.1.90 Bcast:192.168.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7176 errors:0 dropped:0 overruns:0 frame:24
TX packets:1245 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2053130 (1.9 MiB) TX bytes:132950 (129.8 kiB)
Interrupt:17 DMA chan:1

eth1 Link encap:Ethernet HWaddr 00:40:8C:63:10:A1
inet addr:192.168.10.254 Bcast:192.168.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2052 errors:0 dropped:0 overruns:0 frame:0
TX packets:73 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:228230 (222.8 kiB) TX bytes:4778 (4.6 kiB)

peter_robb 08-01-2004 03:41 AM

I don't know where the 169 address is coming from

The clients haven't picked up a default gateway setting from the dhcp server,
so they aren't sending packets through the router box..

/sbin/route add default gw 192.168.0.254 netmask 255.255.255.0

Should be 192.168.10.254 ;)

The udhcpd server needs to issue an ip number, a gateway address and a dns number (at least)

k1mgy 08-01-2004 07:21 AM

Peter,

I had no idea that the udhcpd configuration was a problem since it was delivering an ip address. Thanks to you I now understand that it delivers a lot more.

The result is good. Once I changed the udhcpd.conf file (below) packets get forwarded through just fine.

Please write me offline (mark.richards@massmicro.com) so that I may send you the coffee gift certificate!


start 192.168.10.100
end 192.168.10.225
interface eth1
lease_file /var/lib/misc/udhcpd.leases
pidfile /var/run/udhcpd.pid

opt broadcast 192.168.10.255
option dns 151.203.0.84
option wins 192.168.10.1
option subnet 255.255.255.0
option router 192.168.10.254
option lease 864000 # 10 days of seconds

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
192.168.10.0    *               255.255.255.0   U     0      0        0 eth2
169.254.0.0     *               255.255.0.0     U     0      0        0 eth2
default         192.168.10.254  0.0.0.0         UG    0      0        0 eth2
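The whole thread turned on a udhcpd.conf that handed out addresses but no gateway. The following checker is an added example, not code from the thread or from udhcpd: it parses a udhcpd.conf in the format shown above and reports the options (router, subnet, dns) whose absence leaves clients stranded behind the box, plus pool or router addresses that fall outside the interface's subnet. It assumes the box's eth1 address is 192.168.10.254 and embeds the posted config as constructed sample input.

```python
import ipaddress

# Constructed sample input: the working udhcpd.conf as posted in the thread.
WORKING_CONF = """\
start 192.168.10.100
end 192.168.10.225
interface eth1
lease_file /var/lib/misc/udhcpd.leases
pidfile /var/run/udhcpd.pid

opt broadcast 192.168.10.255
option dns 151.203.0.84
option wins 192.168.10.1
option subnet 255.255.255.0
option router 192.168.10.254
option lease 864000 # 10 days of seconds
"""

def parse_udhcpd(text):
    """Parse udhcpd.conf into a dict; 'opt'/'option' lines are collected under 'options'."""
    conf = {"options": {}}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing '# ...' comments
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key in ("opt", "option"):  # udhcpd accepts both spellings
            name, _, val = value.partition(" ")
            conf["options"][name] = val.strip()
        else:
            conf[key] = value
    return conf

def check_udhcpd(text, server_ip):
    """Return a list of problems that would keep clients from routing past this box.
    server_ip: the address the serving interface holds (assumed 192.168.10.254 here)."""
    conf = parse_udhcpd(text)
    opts = conf["options"]
    problems = []
    for needed in ("router", "subnet", "dns"):
        if needed not in opts:
            problems.append(f"missing 'option {needed}': clients get an IP but no {needed}")
    if "subnet" in opts:
        net = ipaddress.ip_network(f"{server_ip}/{opts['subnet']}", strict=False)
        for k in ("start", "end"):
            if k in conf and ipaddress.ip_address(conf[k]) not in net:
                problems.append(f"{k} {conf[k]} is outside {net}")
        if "router" in opts and ipaddress.ip_address(opts["router"]) not in net:
            problems.append(f"router {opts['router']} is outside {net}")
    if opts.get("router") and opts["router"] != server_ip:
        problems.append(f"router {opts['router']} is not this box's address {server_ip}")
    return problems
```

Run `check_udhcpd(WORKING_CONF, "192.168.10.254")` on the posted config and it returns an empty list; delete the `option router` line and it reports the missing gateway that caused the original "Destination Host Unreachable".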

