Expert help with iptables needed
I'm a seeker of iptables truth and need an expert as I cannot get a seemingly simple arrangement working properly. I'll buy the coffee for anyone who can help!
I am trying to get a simple natting router running on an embedded box. It must permit eth0 to be connected to a cable modem, and eth1 to a pc. The intent is to insert the embedded box in the ethernet chain without breaking anything. :) Since most clients get an ip dynamically, I've installed udhcp in the embedded box. The setup and more details of the issue are posted but this system won't let me include it in my text. So I have included this at the bottom of this message (sorry!).

I'm testing on my local lan (192.168.1.0/24). The embedded box eth0 is set to a static IP 192.168.1.90. The box hosts udhcpd so that a client connected to the embedded box's eth1 gets an IP address in the range 192.168.10.100 - 192.168.10.190. The embedded eth1 is set to 192.168.10.254. The client gets its ip fine. No matter what I do (so far) I can't get from the client through to the local lan (and then out to the net). I can ping a www url from the embedded box just fine, but from the client I get "Destination Host Unreachable".

I'm using a very simple iptables script to begin with.

    iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE

is, I think, correct for this case. Along with setting

    echo 1 > /proc/sys/net/ipv4/ip_forward

Here's a simple diagram of my setup:

    Public Internet
    ADSL Modem [dynamic i/p]
          |
    Linksys Router [192.168.1.0/24]
    =Embedded server box=
          |
    3Com Switch -- > 192.168.1.90 [static/eth0] udhcpd iptables
         switch < -- 192.168.10.254 [static/eth1]
          |
    client i/p via dhcp 192.168.10.254 [dynamic/eth2]
    Also 192.168.1.80 [static/eth1] -> connected to 3com switch into local lan.

As you can see, in my test setup there's double natting going on. First on my lan's router, and then on the embedded box. Since I'm bridging between different subnets, (risking being called a stupid un-manual reading type) I assumed this was perfectly legal. Can this setup actually work? Am I missing a fundamental here?
--------------------------------------------------------------------------------
iptables problem - documentation

System setup

    Public Internet --> ADSL Modem [dynamic i/p] --> Linksys Router [192.168.1.0/24] --> =Embedded server box=
    3Com Switch -- > 192.168.1.90 [static/eth0] udhcpd iptables
         switch < -- 192.168.10.254 [static/eth1]
    . . linux test client (i/p via dhcp) 192.168.10.254 [dynamic/eth2]
    192.168.1.80 [static/eth1] -> this port is connected to 3com switch into local lan.

Note: eth0 is disabled on the test client as it's a defective adapter.

Objective: connect embedded server box eth0 to cable modem (or local lan) and a client pc to server box eth1 for a dynamic ip and nat to the internet. If a switch is used (as in the above setup) then more than one client can be connected.

Client: Red Hat Fedora 2 (2.6.5-1.358)
Server: Special linux build for ETRAX 100LX chip. Kernel 2.4.26

What works
The server box can connect to the public internet fine.
The client can connect to the public internet via eth1
The client can ping the server's eth1 via the client's eth2
The client can ping the server's eth0 via the client's eth2 (this seems strange as it works when iptables is not loaded!)

What fails
The client cannot go beyond the server's eth0 interface. Attempts to ping the local lan's router (192.168.1.1) via the client's eth2 interface, or to ping a www address, all fail with "Destination Host Unreachable".

RESOLVER
Both the client and server have the DNS entries for my isp's DNS addresses in place.

Client and server /etc/resolv.conf:

    search localhost
    nameserver 151.203.0.84
    nameserver 151.203.0.85

ROUTE
Here's the route from the server:

    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
    192.168.10.0    *               255.255.255.0   U     0      0        0 eth1
    default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0

And from the client:

    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
    192.168.10.0    *               255.255.255.0   U     0      0        0 eth2
    169.254.0.0     *               255.255.0.0     U     0      0        0 eth2

I don't know where the 169 address is coming from.

If i do this on the linux client:

    /sbin/route add default gw 192.168.0.254 netmask 255.255.255.0

I get:

    SIOCADDRT: Network is unreachable

I tried attaching a windows client (win 2k) to the server's eth1. It also got an ip and also returns the same results.

ADAPTERS

CLIENT:

    eth1      Link encap:Ethernet  HWaddr 00:50:BA:F7:A4:5F
              inet addr:192.168.1.80  Bcast:192.168.1.255  Mask:255.255.255.0
              inet6 addr: fe80::250:baff:fef7:a45f/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:217 errors:0 dropped:0 overruns:0 frame:0
              TX packets:191 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:23413 (22.8 Kb)  TX bytes:15980 (15.6 Kb)
              Interrupt:10 Base address:0x2400

    eth2      Link encap:Ethernet  HWaddr 00:E0:29:3E:63:22
              inet addr:192.168.10.100  Bcast:192.168.10.255  Mask:255.255.255.0
              inet6 addr: fe80::2e0:29ff:fe3e:6322/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:2 errors:0 dropped:0 overruns:0 frame:0
              TX packets:59 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:1180 (1.1 Kb)  TX bytes:8554 (8.3 Kb)
              Interrupt:11 Base address:0x2800

CLIENT eth2 CONFIGURATION:

    cat sysconfig/networking/profiles/default/ifcfg-eth2
    # Accton|SMC2-1211TX
    DEVICE=eth2
    ONBOOT=yes
    BOOTPROTO=dhcp
    IPADDR=192.168.1.80
    NETMASK=255.255.255.0
    GATEWAY=192.168.1.1
    HWADDR=00:E0:29:3E:63:22
    TYPE=Ethernet
    USERCTL=yes
    PEERDNS=yes
    IPV6INIT=no
    DHCP_HOSTNAME=192.168.10.0

Server:

    eth0      Link encap:Ethernet  HWaddr 00:40:8C:63:10:A0
              inet addr:192.168.1.90  Bcast:192.168.255.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:7176 errors:0 dropped:0 overruns:0 frame:24
              TX packets:1245 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:2053130 (1.9 MiB)  TX bytes:132950 (129.8 kiB)
              Interrupt:17 DMA chan:1

    eth1      Link encap:Ethernet  HWaddr 00:40:8C:63:10:A1
              inet addr:192.168.10.254  Bcast:192.168.255.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:2052 errors:0 dropped:0 overruns:0 frame:0
              TX packets:73 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:228230 (222.8 kiB)  TX bytes:4778 (4.6 kiB)
I don't know where the 169 address is coming from
The clients haven't picked up a default gateway setting from the dhcp server, so they aren't sending packets through the router box.

    /sbin/route add default gw 192.168.0.254 netmask 255.255.255.0

Should be 192.168.10.254 ;)

The udhcpd server needs to issue an ip number, a gateway address and a dns number (at least).
Peter,
I had no idea that the udhcpd configuration was a problem since it was delivering an ip address. Thanks to you I now understand that it delivers a lot more. The result is good. Once I changed the udhcpd.conf file (below) packets get forwarded through just fine. Please write me offline (mark.richards@massmicro.com) so that I may send you the coffee gift certificate!

    start 192.168.10.100
    end 192.168.10.225
    interface eth1
    lease_file /var/lib/misc/udhcpd.leases
    pidfile /var/run/udhcpd.pid
    opt broadcast 192.168.10.255
    option dns 151.203.0.84
    option wins 192.168.10.1
    option subnet 255.255.255.0
    option router 192.168.10.254
    option lease 864000 # 10 days of seconds

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
    192.168.10.0    *               255.255.255.0   U     0      0        0 eth2
    169.254.0.0     *               255.255.0.0     U     0      0        0 eth2
    default         192.168.10.254  0.0.0.0         UG    0      0        0 eth2
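As an added example (not from this thread, and not code from the udhcpd or iptables projects), here is a small Python checker that reads a udhcpd.conf and an iptables-save dump and reports the two things the thread turned on: the DHCP scope must hand out subnet, router and dns, with the router option equal to the box's eth1 address (Peter's point), and a MASQUERADE rule must exist on the eth0 side (the original script). It also adds the check a practitioner would want that the thread does not cover: with only that MASQUERADE rule and the FORWARD policy left at ACCEPT, the box also forwards traffic arriving on eth0 towards the eth1 clients from any host on that side that has a route to 192.168.10.0/24, so the hardened filter table in the sample limits forwarding to LAN-originated flows and their replies. The udhcpd.conf and the iptables-save fragments are constructed here, modelled on the addresses in the thread; `-m state` is used because that is the connection-tracking match on a 2.4 kernel.

```python
import ipaddress

# Constructed sample udhcpd.conf, modelled on the working configuration posted above.
SAMPLE_UDHCPD_CONF = """\
start 192.168.10.100
end 192.168.10.225
interface eth1
lease_file /var/lib/misc/udhcpd.leases
option subnet 255.255.255.0
option router 192.168.10.254
option dns 151.203.0.84
option lease 864000   # 10 days of seconds
"""
# Constructed iptables-save fragments for the embedded box (eth0 = WAN side, eth1 = LAN side).
NAT_TABLE = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""
# Filter table as the thread started out: nothing restricts forwarding in either direction.
OPEN_FILTER = """\
*filter
:FORWARD ACCEPT [0:0]
COMMIT
"""
# Hardened filter table: only LAN-originated flows and their replies cross the box
# (-m state is the connection-tracking match available on a 2.4 kernel like the one above).
HARDENED_FILTER = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

def parse_udhcpd_conf(text):
    """Parse udhcpd.conf into {key: value, 'options': {name: [args]}}; 'opt' and 'option' are synonyms."""
    conf = {"options": {}}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if not parts:
            continue
        if parts[0] in ("opt", "option") and len(parts) >= 3:
            conf["options"][parts[1]] = parts[2:]
        elif len(parts) >= 2:
            conf[parts[0]] = parts[1]
    return conf

def check_dhcp_scope(conf, lan_if_addr):
    """Return problems with the DHCP scope; an empty list means clients get a usable lease."""
    opts = conf["options"]
    # the three things the reply above says udhcpd must hand out, plus the pool bounds
    problems = ["missing option " + n for n in ("subnet", "router", "dns") if n not in opts]
    problems += ["missing " + k for k in ("start", "end") if k not in conf]
    if problems:
        return problems
    net = ipaddress.ip_network(conf["start"] + "/" + opts["subnet"][0], strict=False)
    start, end = ipaddress.ip_address(conf["start"]), ipaddress.ip_address(conf["end"])
    router = ipaddress.ip_address(opts["router"][0])
    if not start <= end or end not in net:
        problems.append("lease range is inverted or leaves the subnet")
    if router not in net or router != ipaddress.ip_address(lan_if_addr):
        problems.append("router option is not the LAN interface address within the lease subnet")
    if start <= router <= end:
        problems.append("router address lies inside the lease range")
    return problems

def parse_iptables_save(text):
    """Parse iptables-save output into {table: {'policy': {chain: policy}, 'rules': [token lists]}}."""
    tables, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":") and cur is not None:
            chain, policy = line[1:].split()[:2]
            cur["policy"][chain] = policy
        elif line.startswith("-A") and cur is not None:
            cur["rules"].append(line.split())
    return tables

def check_nat_rules(tables, wan_if):
    """Return problems with the NAT rules: no masquerade on the WAN side, or a FORWARD chain that filters nothing."""
    problems = []
    nat = tables.get("nat", {"policy": {}, "rules": []})
    if not any(r[1] == "POSTROUTING" and "MASQUERADE" in r and "-o" in r and r[r.index("-o") + 1] == wan_if
               for r in nat["rules"]):
        problems.append("no MASQUERADE rule for -o %s in nat POSTROUTING" % wan_if)
    flt = tables.get("filter", {"policy": {}, "rules": []})
    fwd = [r for r in flt["rules"] if r[1] == "FORWARD"]
    if flt["policy"].get("FORWARD", "ACCEPT") == "ACCEPT" and not any(r[-1] in ("DROP", "REJECT") for r in fwd):
        problems.append("FORWARD accepts everything: hosts on the WAN side can reach the NATed clients directly")
    return problems

if __name__ == "__main__":
    dhcp = check_dhcp_scope(parse_udhcpd_conf(SAMPLE_UDHCPD_CONF), "192.168.10.254")
    print("dhcp:", dhcp or "OK")
    for label, flt in (("open", OPEN_FILTER), ("hardened", HARDENED_FILTER)):
        print(label + ":", check_nat_rules(parse_iptables_save(NAT_TABLE + flt), "eth0") or "OK")
```

On the real box the two inputs would come from the live files: the udhcpd.conf in use and the output of `iptables-save`. The hardened filter table keeps the thread's result intact (clients still masquerade out through eth0) and only closes the unsolicited inbound direction.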